Table of Contents Author Guidelines Submit a Manuscript
Security and Communication Networks
Volume 2018, Article ID 6854612, 16 pages
https://doi.org/10.1155/2018/6854612
Research Article

UPPGHA: Uniform Privacy Preservation Group Handover Authentication Mechanism for mMTC in LTE-A Networks

1School of Cyber Engineering, State Key Laboratory of Integrated Service Network, Xidian University, Xi’an, China
2School of Electrical and Electronic Engineering, Nanyang Technological University, Singapore
3State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China

Correspondence should be addressed to Jin Cao; moc.621@798joac

Received 27 July 2017; Revised 2 January 2018; Accepted 18 January 2018; Published 28 February 2018

Academic Editor: Tom Chen

Copyright © 2018 Jin Cao et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

Abstract

Machine Type Communication (MTC), as one of the most important wireless communication technologies in the future wireless communication, has become the new business growth point of mobile communication network. It is a key point to achieve seamless handovers within Evolved-Universal Terrestrial Radio Access Network (E-UTRAN) for massive MTC (mMTC) devices in order to support mobility in the Long Term Evolution-Advanced (LTE-A) networks. When mMTC devices simultaneously roam from a base station to a new base station, the current handover mechanisms suggested by the Third-Generation Partnership Project (3GPP) require several handover signaling interactions, which could cause the signaling load over the access network and the core network. Besides, several distinct handover procedures are proposed for different mobility scenarios, which will increase the system complexity. In this paper, we propose a simple and secure uniform group-based handover authentication scheme for mMTC devices based on the multisignature and aggregate message authentication code (AMAC) techniques, which is to fit in with all of the mobility scenarios in the LTE-A networks. Compared with the current 3GPP standards, our scheme can achieve a simple authentication process with robust security protection including privacy preservation and thus avoid signaling congestion. The correctness of the proposed group handover authentication protocol is formally proved in the Canetti-Krawczyk (CK) model and verified based on the AVISPA and SPAN.

1. Introduction

Machine Type Communication (MTC), also known as Machine to Machine (M2M), can realize intelligent and interactive seamless connection among people, machine, and system via wireless communication technologies. The purpose of the MTC technology is to enable all of machineries and equipment networking and communication ability, which is a main way of the Internet of Things (IoT) applications. The MTC technology has been commercialized in Europe, South Korea, Japan, and so on, which are mainly used in security monitoring, mechanical services and maintenance business, public transport system, fleet management, industrial automation, city information, and so on. With a widely range of potential applications [1], it has been actively developed and enhanced by many standards forums and organizations including IEEE, ETSI, 3GPP, and 3GPP2. In particular, 3GPP is becoming increasingly active in this area with several work items defined on MTC, especially for Long Term Evolution Release 10 named as LTE-Advanced (LTE-A) [2].

Compared with other wireless networks, the LTE-A network has a higher capacity and lower transmission delay and thus can provide higher data rate and better coverage and extensibility for the real-time mobile MTC applications. Therefore, the LTE-A network can be served as an ideal platform for the MTC technology to provide strong support for the development of MTC. However, the emergence of MTC technology has brought new challenges for the LTE-A network. Different from traditional Human to Human (H2H) terminals, the MTC devices (MDs) will lead to a variety of different requirements including lower energy consumption and better security due to its characteristics of unsupervised. In addition, the number of MTC devices is rapidly increasing, MTC market analysis forecasts 50 billion machines are expected to use wired or wireless communication technologies by the year 2020 [3]. Moreover, the analysis results show that the number of MDs is connected to a single base station in 2020 to be anywhere from 10000 to 100000 [4]. Therefore, it will bring huge loads on wireless access networks and LTE-A core network [5] when sea of MDs concurrently connects to the LTE-A network. It is particularly acute when a large number of MDs simultaneously move away from the current base station to a new base station. For example, for a large number of goods transported on a freight train, some relevant sensor devices could be deployed in each car of goods to monitor the states of the goods in the transportation. A large number of surveillance cameras, temperature and humidity sensors, and smoke detectors could also be deployed on the train to perform different functions. A large number of monitoring and sensor terminals equipped with the people and vehicles participated in marathon, cycling, car rally game, and so on, are used to track the body functions, the performance of the vehicles, and so on. These devices need to support the real-time communication between the side of the road, other vehicles, or remote servers. In this mobility scenario, frequent handover signaling interaction not only causes the signaling load on the access network and core network, but also increases the terminal energy consumption. The current handover methods suggested by the 3GPP committee require each MD independently to execute the same handover authentication process as the common User Equipment (UE) [6], which results in several security vulnerabilities described as follows:(i)The current handover mechanisms need several rounds of signaling interaction [7, 8] and complex handover key management mechanism [911], which are not suitable for a group of energy limited MDs to achieve seamless handovers in mobility scenarios.(ii)Owing to the support of many new types of base stations such as Home eNodeB (HeNB), eNB, and Relay Nodes (RNs), 3GPP committee [7, 8] has addressed distinct handover procedures for different scenarios, such as the handovers between eNBs, between HeNBs, between a HeNB and an eNB, and the inter-MME handovers when the base stations are managed by different MMEs, which will increase the overall system complexity.(iii)Since some base stations such as HeNB and RNs can be easily owned by third parties, a robust mutual authentication between MDs and base stations is required in handover process to withstand several protocol attacks such as impersonation attacks, Man-in-the-Middle (MitM) attacks, and replay attacks [1215].(iv)Due to lack of user identity and location privacy preservation, an attacker can easily trace a special MD’s movement locus. Therefore, a fast and secure privacy preservation handover authentication scheme for a large number of MDs is required to ensure the continuity of MTC applications in the LTE-A networks.

In this paper, taking the advantage of the novel multisignature and AMAC techniques, we propose a new uniform privacy preservation group handover authentication protocol for mMTC within E-UTRAN in LTE-A networks (UPPGHA), which can be applied to all of mobility scenarios in LTE-A networks. Compared with the current 3GPP standards and other related schemes, our scheme can not only largely reduce the signaling cost and thus avoid network congestions, but also provide robust security and privacy protection. By the scheme, a mass of MDs is initialized to form a MTC group and choose a group leader [16]. When the MTC group moves to the coverage of the target eNB , the can simultaneously authenticate the MTC group by checking the multisignature and AMAC generated by the group leader on behalf of all the group members and derives a distinct session key for each MD.

Our contributions made in this paper can be summarized up as follows:(1)We proposed a simple handover authentication process to achieve mutual authentication and key agreement between multiple MDs and the target eNB simultaneously.(2)By our solution, the network congestion incurred by frequent handover for mass of MDs can be avoided in the LTE-A networks.(3)The proposed scheme not only has been formally validated by both the CK model and the formal verification tool AVISPA and SPAN to show its security against various malicious attacks, but also can provide robust security protection including privacy preservation and traceability.

Compared with the conference version [17] which merely provides mutual authentications and key agreements between mMTC devices and eNB and does not give the detailed security analysis and performance evaluation, we not only identify a few distinctive security requirements in group handover authentication protocol and achieve the identity privacy preservation and traceability in new design, but also formally verify the proposed new protocol by employing the CK model and formal verification tool AVISPA and SPAN and analyze in detail the performance of our proposed protocol compared with the newest works in terms of signaling cost, communication cost and computational cost. In addition, we still give the performance analysis under unknown attacks and point out that our new scheme outperforms other schemes even if there are some unknown attacks.

The reminder of this paper is organized as follows. In Sections 2 and 3, we review the related work and introduce the MTC network architecture, respectively. In Section 4, the proposed scheme is presented in detail. The security analysis and the performance evaluation on our scheme are presented in Sections 5 and 6. Finally, we drew the conclusion of the paper in Section 7.

2. Related Works

Until now, there are only few research works on the handover authentication process for a large number of devices in wireless networks [1821]. 3GPP TR 33.868 [6] has proposed a MD grouping method for congestion avoidance. By this method, a huge number of MDs can construct a MTC group to handle easily. It is very suitable for mass of MDs in mobility scenarios in the LTE-A networks. However, it is only applied to the communications between MDs and the MTC server without consideration of handover security in the current 3GPP standard.

Fu et al. [18] have proposed a new group-based handover authentication scheme with privacy protection in the mobile WiMAX network. By the scheme, a lot of UEs can form a handover group. By performing a handover authentication process, the target base station (TBS) acquires all the details of the handover group member’s security context from the serving base stations (SBS) when the first UE of the same handover group moves to the TBS. Then, the TBS can directly authenticate the rest of the UEs in the same handover group without the Extensible Authentication Protocol (EAP) and Security Context Transfer phases. Thus, the scheme can reduce the handover signaling cost in the mobile WiMAX networks. However, the scheme in [18] incurs the authentication traffic between BSs, which is not fit in with the LTE-A networks due to the lack of direct interface between the eNBs and the HeNBs in the intra-MME handover and inter-MME handover processes.

Lai et al. [19] have proposed a secure and efficient group roaming scheme for MTC between 3GPP and WiMAX networks. By adopting the certificateless aggregate signature technique, the MME/ASN-GW can simultaneously trust a large number of MDs in the handover process and obtains an independent session key with each MD. Thus, the scheme can largely reduce the signaling cost and provide robust security protection. However, it is designed for 3GPP-WiMAX interworking architecture, which is not feasible for the LTE-A network. In addition, the scheme brings a lot of computational costs due to the pairing operations.

For inter-E-UTRAN group mobility, the group-based anonymity handover authentication scheme is proposed in [20]. By the scheme in [20], when the first MTC device in the MTC handover group leaves from the current eNB to the target eNB, the current eNB or the current MME transmits all of the handover group members’ security contexts to the target eNB or the MME controlling the target eNB. Then, the target eNB can authenticate the rest of the MTC devices in the MTC handover group locally. However, this scheme still incurs a lot of signaling cost and communication cost and inherits the vulnerabilities of security context transfer (SCT) mechanism. In addition, it cannot achieve the mutual authentication and the traceability of MDs. Subsequently, Kong et al. present a secure handover session key management mechanism for a group on-board UEs via mobile relay in LTE-A networks [21]. By the scheme in [21], each on-board UE generates the session key with the connected Donor eNB (DeNB) and sends the encrypted session key by using the MME’s public key to the mobile relay node (MRN). Then the MRN employs the proxy reencryption mechanism to reencrypt the encrypted session key and sends the reencrypted result to the DeNB. Finally, the DeNB decrypts the session key with its private key without contacting the MME. This scheme can achieve forward and backward key separations and withstand collusion between the MRN and the DeNB. However, it brings a lot of computational costs due to the use of pairing operations and cannot achieve the mutual authentication between the MRN and the DeNB.

3. Preliminary

3.1. MTC Network Architecture

As shown in Figure 1, a large number of MDs can communicate with the MTC server via the LTE-A network domain in the MTC network architecture. The LTE-A network allows the following two types of connections to the MTC server(s): the MTC server located within the operator domain with the control by the LTE-A network and the MTC server outside the operator domain without the control by the LTE-A network. The LTE-A network domain consists of the Evolved-Universal Terrestrial Radio Access Network (E-UTRAN) and Evolved Packet Core (EPC). The EPC is comprised of a MME and a Serving Gateway (SGW) and a Packet Data Network Gateway (PDN GW) together with a Home Subscriber Server (HSS). The E-UTRAN consists of several types of base stations including eNodeB (eNB), Home eNodeB (HeNB), and Relay Node (RN). HeNB is a low-power access point and is typically installed by a subscriber in the residence or a small office to improve the indoor coverage. It can connect to the EPC with S1 interface over the Internet via a broadband backhaul. Each eNB or HeNB can communicate with another with an X2 interface and can access to the MMEs/S-GWs with a S1 interface. E-UTRAN also supports relaying by having a Relay Node (RN) wirelessly connect to an eNB serving the RN, known as Donor eNB (DeNB). The DeNB provides X2 and S1 proxy functionality between the RN and other eNBs or MME/S-GWs, respectively. Similar to the common UE, there are mainly three different mobility scenarios when a large number of MDs move from a HeNB/RN/eNB to a new HeNB/RN/eNB, including the handovers between two MMEs (called inter-MME handover), the handovers between an eNB/RN/HeNB and another base station, both of which are managed by the same MME without an X2 interface (called intra-MME handover), and the handovers between an eNB/RN/HeNB and another base station with an X2 interface (called X2-based handover) [7, 8]. Since the current handover mechanisms suggested by 3GPP committee [7, 8] need several signaling interactions, they result in the severe signaling congestions in the E-UTRAN and the EPC when a huge number of MDs handover to the new eNB concurrently. In addition, different mobility scenarios need to execute the distinct handover processes, which may increase the overall system complexity.

Figure 1: MTC network architecture.
3.2. Multisignature and Aggregate Message Authentication Code

In 1983, the multisignature scheme was firstly proposed by Itakura and Nakamura [22], in which a lot of signers can cooperate to sign the same message and any verifier can verify the validity of the multisignature. Subsequently, Hwang and Lee [23] proposed a novel ElGamal-like multisignature scheme using self-certified public keys. By this scheme, the self-certified approach has been adopted to provide more secrecy against the active and impersonation attacks compared with identity-based and certificate-based approach. The analysis result shows that the scheme [23] can provide robust security protection with ideal efficiency.

Katz and Lindell [24] firstly proposed the notion of aggregate message authentication codes (AMACs), in which multiple MAC tags generated by different senders on multiple different messages can be aggregated into a shorter tag and only the recipient who shares a distinct key with each sender can verify the validity of the aggregate tag.

3.3. Canetti-Krawczyk (CK) Model

The CK model is a famous model for proving the security of authentication and key agreement protocols [25]. It captures a large class of practical attacks and desirable security properties, such as the impersonation attack and man-in-the-middle attack. In CK model, there is an adversary who has been completely controlled over the network and tries to break the privacy of the session key or the authentication of the players. The security of the protocol in CK model is completed by a game between the and the user. can get access to the sessions and interact with them via the queries. There are the following queries that can perform:(i)Corrupt : can get the private key of a user using this query.(ii)Session key reveal : this query returns the session key between and .(iii)Session state reveal : this query returns all the internal state information of associated with a particular session with .(iv)Hash : given a value to this query, a random value is output. All of the queries and the answers of Hash are stored in a list.(v)Test : this query aims at capturing the privacy of the session key. After several queries, should choose a session as the test session. The query is answered as follows: one flips a coin ; if it outputs the session key to ; if , it outputs a random value to . This query can be issued only to a session where the session key, session state, and corrupt queries have not been requested and it can be issued only once.

In order to simplify the construction and proof of key agreement protocols, two adversarial models are defined in CK model: the unauthenticated adversarial model (UM) and the authenticated adversarial model (AM). The UM corresponds to the real world where the adversary completely controls the network in use and may modify or create messages from any party to any other party. The AM is an ideal version of the UM where the adversary can choose whether or not to deliver a message, but if a message is delivered, it must have been created by the honest users without alteration. In this way, authentication mechanisms can be separated from key agreement mechanisms by proving the key agreement secure in the AM and then applying an authenticator to the key agreement messages so that the new protocol is secure in the UM.

Definition 1. A key agreement protocol is called SK-secure if the following properties are hold for any adversary in the AM: (1) protocol satisfies the property that if two uncorrupted parties complete matching sessions and then both of them output the same key; (2) the probability that correctly guesses the bit is no more than 1/2 plus a negligible fraction in the security parameter.

Theorem 2. Let be a SK-secure key agreement protocol in the AM, and let be a secure authenticator which translates messages in the AM into messages in the UM. Then, is a SK-secure key agreement protocol in the UM [25].

4. Proposed Scheme: UPPGHA

Before the proposed scheme is described, we firstly give some basic assumptions for our scheme. We consider the MTC mobility scenarios, such as a large number of surveillance cameras, temperature, and humidity sensors, and smoke detectors are deployed on the train to perform different functions, where massive of MDs travel through the same eNBs at the same train or vehicles and can form a MTC group in device initialization process. MDs support multiple communication technologies both mobile broadband technology such as mobile WiMAX and WCDMA/LTE/LTE-A, and local area networking technology including Bluetooth, ZigBee, and UWB, and other coming technologies such as power line communications (PLC) [26]. Due to the merits of low power, high capacity, broadcast, and robust security, ZigBee technology has been widely used in IoTs or sensor networks. In this paper, it is assumed that MDs support both the LTE-A and ZigBee communication.

In this section, we propose a new uniform privacy preservation group handover authentication mechanism (UPPGHA) when the MTC group moves from the source eNB/RN/HeNB to the target eNB/RN/HeNB. By our scheme, the HeNBs, the eNBs, and the RNs are collectively referred to as the eNBs. In fact, the proposed scheme is to achieve the following four security goals:(1)Mutual authentication: to mutually authenticate the MTC group and the target eNB simultaneously after a handover with low signaling cost and communication cost.(2)Session key agreement: to derive a secure session key between each MD in the MTC group and the target eNB, respectively, after the successful authentication.(3)Identity privacy preservation: to achieve MD’ identity and location anonymity and unlinkability in group handover authentication process. User anonymity means that the identities of MDs and the group identity should be hidden and the attacker cannot disclose real identities of MDs even if the eNB has been compromised. Unlinkability means that even if several different communication session messages between the same MD and eNB have been collected, the MD should still not be traceable and linkable.(4)Traceability: to reveal the MD’s real identity and trace the MD by the HSS under the controversial scenarios.

Our scheme starts with the initial authentication phase for preparing a handover. Then, the MTC group and the target eNB implement the uniform privacy preservation group handover authentication phase to achieve the above four goals. In the uniform privacy preservation group handover authentication phase, the target eNB can authenticate the whole MTC group simultaneously based on the novel techniques, multisignature, and aggregate message authentication code (AMAC). The specific process is described in detail as follows. The notations used in the scheme are defined in Table 1.

Table 1: Definition of notations of our scheme.
4.1. Initial Authentication Phase

In this phase, a MTC group will be constructed by a mass of MTC devices (MDs) and an identity of the MTC group, GID, will be embedded into MDs in the device initialization process according to the specification made by 3GPP committee [16]. The same MTC group will exist in the same area and/or have the same MTC features and/or belong to the same MTC user. A group leader of the group will be also chosen in device initialization process based on the communication capability, communication link quality, storage status, and battery status of each MD. When each MD in the MTC group registers to the network, it performs an initial full authentication process with a MME and HSS and then obtains its private key and self-verified public key from Key Generate Center (KGC). The eNBs have the same function as the MDs to obtain these private keys and self-verified public keys after expiration time. The KGC can be integrated with the HSS, which has preestablished secure channels with the HSS by using the network domain security (NDS)/IP [27]. This phase can be described as follows. Here, KGC computes where and are two random secret prime integers and constructs the key pair satisfying . Then, it selects a generator with the maximal order in the and two Hash functions and . Finally, it publishes the master public key and the system parameters and keeps the master secret key secret.

Let be the MTC group members; each executes the following procedure when it first registers to the network.

4.1.1.

It is assumed that the Evolved Packet System Authentication and Key Agreement (EPS-AKA) [9] is implemented in the initial full authentication process. After the AKA, according to the scheme in [23], chooses a random number as his secret key and computes . Then, it sends the private/public key request message with its identity , group ID GID, and encrypted by the session key between and the HSS/KGC to the HSS/KGC via the MME. Here the session key is derived between and the HSS/KGC after the AKA.

4.1.2.

After the receipt of the private/public key request message from each , the HSS/KGC executes the following operations for :(1)Choose random numbers and then calculate a set of unlinkable temporal group identities when the first MD in the MTC group registers to the network.(2)Choose random numbers and then calculate a set of unlinkable temporal identities for .(3)Calculate as ’s temporal public keys.(4)When all of the private/public key request messages from all individuals in the MTC group have been received, the HSS/KGC computes the set of group temporal public key for each temporal group identity (). Then, the encrypted by the is sent to each . In addition, the HSS/KGC establishes and stores an identity list for MTC group as shown in Table 2 in its database.

Table 2: Identity list for MTC group.

Each eNB executes the same procedure as that of the in the initial full authentication phase unavoidable. After the eNB is verified successfully, the eNB chooses a random key as his secret key and computes and then sends to the HSS/KGC, which are encapsulated in the last message of Internet Key Exchange Protocol Version 1 (IKEv1) or IKEv2-based [27] device authentication and sent to the corresponding eNB securely. After the receipt of the message including and , the HSS/KGC derives the eNB’s public key and sends it to the eNB securely.

In our proposed scheme, all of public keys in our proposed scheme are generated and maintained by HSS/KGC. Once the suspicion of the validity of the public key, MD or eNB can directly send the public key verification request message to the HSS/KGC to request to determine the validity of the public key.

4.2. Uniform Privacy Preservation Group Handover Authentication Phase

In this phase, the group handover authentication for all of MDs in the MTC group is accomplished when the MTC group moves away from the source eNB () to the target eNB () simultaneously. In order to ensure that the whole MTC group securely hands over to the same , we take the advantage of the multisignature scheme [23] and the AMAC scheme [24] to achieve the mutual authentication and key agreement between the MTC group and the . As shown in Figure 2, it works as follows. Here let .

Figure 2: Uniform privacy preservation group handover authentication phase.

Step 1. When the MTC group moves into the coverage of the , each executes the following procedure:(1)Choose a random number and compute , then pick an unused temporal identity and corresponding temporal group identity , and broadcast , , and to other MDs in the MTC group including the group leader (). Note that this step can be preexecuted before the MTC group hands off to the .(2)Upon the receipt of all of from other MDs, compute and , then calculate , and send to the , where is Network Access Identifier of .

Step 2. Upon the receipt of all of , the computes and sends the authentication request message with to the .

Step 3. Upon the receipt of the authentication request message from the , the works as follows:(1)Check if is valid and then verify by computing and . If the verification succeeds, the authenticates the whole MTC group and jumps to (2). Otherwise, it sends an authentication failure message to the .(2)Choose a new random number and compute and then calculate .(3)Send the authentication response message with to the . Then compute the session key for each in the MTC group to guarantee the subsequent communication.

Step 4. After the authentication response message from the , the broadcasts this message to other MDs in the MTC group.

Step 5. Upon the receipt of the message from the , each executes the following process:(1)Check . If the verification succeeds, the trusts the and jumps to (2). Otherwise, it sends an authentication failure message to the via the .(2)Compute the session key and .(3)Finally, send the to the to confirm the agreement.

Step 6. Upon the receipt of all of from the MTC group, the derives and sends it to .

Step 7. After the receiving the , the verifies . If the verification succeeds, the confirms agreement with each .

4.3. Identity Tracking Phase

In order to track the MTC group, after the trusts the MTC group, it transmits the temporal identities and the temporal group identity to the HSS/KGC via the MME. Upon the receipt of the message, the HSS/KGC searches its database to find the corresponding and executes the following operations to obtain the real group identity of the MTC group.

Once the has been derived, the MTC group will be tracked and determined by the HSS/KGC. If the HSS/KGC needs to further know real identity of each MD in the MTC group, it can find related and calculate

5. Security Evaluation

In this section, the formal security analysis in CK model and the formal verification tool AVISPA and SPAN are conducted to show that our proposed protocols can work correctly to achieve robust security properties.

5.1. Security Analysis

Multi-Decisional Diffie-Hellman (M-DDH) Problem [28]. Define a Multi-Diffie-Hellman (M-DH) and a Random Multi-Diffie-Hellman (RM-DH) distributions of size as and . An polynomial time adversary cannot distinguish whether a tuple is from or from with a probability higher than a negligible value.

Our scheme satisfies the following security properties.

Mutual Authentication and Key Agreement in CK Model. In our proposed UPPGHA, the HSS/KGC can ensure a mutual authentication between the MTC group and the based on the technique of multisignature and ElGamal signature. To be authenticated by the , each MD in the MTC group generates the signature by using its private key, and then the multisignature is obtained by summing all the signatures from the MTC group, which will be verified by the use of the self-verified group public key generated by the HSS and the HSS’s private key. After performing the mutual authentication, each MD and negotiate a distinct session key using the DH algorithm based on the Discrete Logarithm Problem (DLP) to protect the communication over air interface between the and each MD in the MTC group. Moreover, the AMAC technique is applied to guarantee the session key agreement between each MD and .

Actually, as shown in the UPPGHA, our trick is employing a signature scheme to authenticate the random value and . Then employing this signature (authenticator), we can transform a protocol which is SK-secure in the AM into a protocol which is SK-secure in the UM. Based on this idea, we divide the proof of the authentication and key agreement into two parts. Firstly, we prove that the adversary in the AM cannot correctly guess the bit in the test session with the property no more than 1/2 plus a negligible fraction. Secondly, we use a secure signature-based authenticator to transform the protocol in the AM to a secure protocol in UM.

Theorem 3. The UPPGHA protocol without a signature-based authenticator is SK-secure in the AM provided that M-DDH problem is hard and is a random oracle.

Proof. In the AM, each sends its random value to the and then the transmits these to the . Then, send a random value to each MD. After that the session key between and each is computed as . We assume that a polynomial time adversary can guess the output of a test session query with a nonnegligible advantage in the AM (correctly computed the session key), that is, , then we can solve the M-DDH problem.
We simulate the protocol for the adversary and make use of to solve the M-DDH problem. Suppose there are MDs and an in the communication and the th session of MDs and are expressed as and . We can answer all of the queries asked by since we initialize all of the participants. The proof is in the random oracle model which means the output of the Hash function is random. In the simulation, all of the Hash value must be obtained from a Hash query. So if can win the game and correctly guess the bit in the test session, he needs to compute the session key between and and ask the Hash query with these values . Firstly, we exclude the collisions on the transcripts since if a collision occurs can get the session by the corrupt query. According to the birthday paradox, we can bound the probability by where denotes the number of sessions and is the security parameter. We then continue to simulate the protocol. We choose a bit , if we choose a tuple from M-DH set. Otherwise, we randomly choose a tuple from RM-DH set. Then, we choose one session as the test session and imbed these into the protocol instead of the values in and . If performs the test query, then a value chosen from M-DH or RM-DH will be returned. Suppose that the test session is exactly the session we chose, the probability of this event is . As aforementioned, if succeeds in guessing in the test session and then he must have computed the DH value from and . In such case, we can solve the M-DDH problem either. So the probability of solving the M-DDH is where denotes the number of the Hash queries (we need to check which Hash query was asked in the test session from one of queries). Actually, as we know the probability of solving M-DDH problem is a negligible value [28]. Here we denote this probability as . Then we can obtain , where is a negligible value. So we conclude Theorem 3.

The security of the UPPGHA protocol in the AM is proved, then we show the signature-based authenticator is a secure authenticator. As shown in [23], the signature scheme we used is based on factorization (FAC) and discrete logarithm (DL) assumptions. Under the integer factorization and DL assumptions, the signature proposed in [23] is a secure signature. So using this authenticator we can conclude that the proposed protocol is SK-secure in the UM.

Replay Attack Resistance. Our proposed UPPGHA can withstand the replay attack by the use of the random numbers ( and ). Whenever the MTC group moves into the coverage of the , both of the random numbers are updated on each MD and the . Thus, all session keys are freshly obtained based on these values to resist against this type of attacks.

Impersonation Attack and Man-in-the-Middle (MitM) Attack Resistance. Since the session keys are established based on the DH problem by our scheme, a MitM adversary could not derive the session keys by the use of the public values from the communication channel between each and the . It is infeasible to forge a valid multisignature and an ElGamal signature to deceive or each without the secret keys of or each . Therefore, our scheme can not be exposed to the impersonation attacks. Furthermore, taking the advantage of the multisignature, all of MDs in the MTC group sign the same message including the same temporal group identity and all of group member’s temporal identities, and the can validate the signatures from the group members. Thus, other legal MDs who do not belong the MTC group can not masquerade the MTC group members to deceive the or the EPC by signing the same message.

Insider Attack and DoS Attack Resistance. By our proposed UPPGHA, each MD in the MTC group derives a distinct session key with the . Without the correct secret random values of the , any other MDs in the MTC group can not obtain the legal session key of the and thus can not masquerade the to deceive the or the EPC. Therefore, our scheme can defend the insider attack by the MTC group members. In addition, the can authenticate each by verifying the signature for the same message from , and thus any attacker can not make DoS attacks to the eNB and the EPC by computing a lot of invalid signatures.

Identity Privacy Preservation. By our proposed UPPGHA, the set of temporal identities of a MD, temporal group identities and temporal group public keys are derived instead of the real identities and transmitted securely to each MD in initial full authentication phase. Since the temporal identity of each MD and the temporal group identity are generated by using the unknown random number, any attacker or eNBs cannot reveal the MD’s real identity and real group identity. In addition, a new temporal identity of each MD and a new temporal group identity are selected and used in each group handover authentication process; any adversary cannot link the temporal identities by eavesdropping the communication channel between the MTC group and . Furthermore, the temporal group public key is generated by using the random number and temporal group identity and is updated in each group handover authentication process; any adversary cannot derive the value . Thus, anyone except the HSS/KGC cannot trace the MTC groups movement trail.

Traceability. Under dispute scenarios, the HSS/KGC can reveal the real identity of the MTC group according to the temporal identity by using the stored random number and its privacy key. Therefore, once a signature is in dispute or other controversial incidents happen, the HSS/KGC who had assigned temporal identities to the real identity of the MTC group is able to trace the MTC group.

Signaling Congestion Resistance. By our scheme, the signaling congestion can be avoided in terms of low signaling overhead and fast verification. On the one hand, a large number of handover request messages from the MTC group will be aggregated into a single request message by a group leader and then the single handover request message is sent to the . In addition, the only calculates a signature and sends it to the group leader via a single signaling message. Moreover, our scheme provides a simple authentication process only with 3-handshake between the and the without contacting any other third party such as MME and HSS. Thus, it can largely reduce the signaling cost and thus avoid the signaling overload. On the other hand, the can simultaneously authenticate a group of MDs by adopting the technique of the multisignature and AMAC and quickly create the session keys with the MTC group. Therefore, it can alleviate the burden of the and ensure the QoS requirement of the MTC users without the restriction of handover requests.

We also give a security comparison between our scheme and other similar handover authentication protocols in Table 3.

Table 3: Security comparison.
5.2. AVISPA and SPAN

Due to the openness of the wireless communication channel, the intruder can intercept and store the messages on the channel, replay old messages, analyze and modify messages as far as it knows the required keys, and send any new messages that it composed to whoever at its will, impersonating other agents. This type of attack is commonly regarded as Dolev-Yao (DY) attack. In this paper, we examine various security properties of the proposed scheme by the AVISPA [29] and the SPAN [30], which analyze protocols under the assumptions of perfect cryptography, and the communication channel is under the control of a DY intruder. The AVISPA employs the High-Level Protocol Specification Language (HLPSL) to specify the security protocols and their security properties and utilizes four back-end tools to check the security of protocols, which include On-the-Fly Model-Checker (OFMC), Constraint-Logic-based Attack Searcher (CL-AtSe), SAT-based Model-Checker (SATMC), and Tree Automata based on Automatic Approximations for the Analysis of Security Protocols (TA4SP). In addition, SPAN provides a graphical user interface for the protocol designer to easily interact with AVISPA capabilities.

Since multiple MDs can independently achieve the authentication and derive its session key with the , there is no communication between them except that the group leader. In order to simplify the analysis, our scheme includes three roles , (i.e., ), and and five messages which are described as follows:(1)ACCESS REQ: (2)AGGREGATION REQ: (3)ACCESS RES: , (4)ACCESS REP: (5)AGGREGATION REP:

HLPSL has a formal semantics based on Lamport’s Temporal Logic of Actions (TLA) [31], which is a state-of-the-art model analyzer that enumerates the reachable states in a finite-state model and checks that invariance properties hold in each of these states. Due to the limited space, we only give the state transition relations of three roles in our model as shown in Figure 3, where we neglect the specific formal description of our scheme.

Figure 3: The state transition relations of our model.

By our scheme, our security goals are to achieve the mutual authentication between the MTC group and the eNB and security session key establishment between each MD and the eNB. As shown in Algorithm 1, we specify the security goals of our proposed scheme using AVISPA.

Algorithm 1: Analysis goals of the model.

Finally, we employ the OFMC and CL-AtSe to verify that the proposed scheme maintains its security objectives even under various attacks. The outputs of the model checking results by using SPAN in OFMC and CL-AtSe are shown in Figures 4 and 5, respectively. According to Figures 4 and 5, we can conclude that our scheme can achieve the security goals and withstand various attacks including MitM attacks, impersonation attacks, and replay attacks under the test of AVISPA and SPAN using the OFMC back-end and CL-AtSe back-end.

Figure 4: Results reported by the OFMC back-end in SPAN.
Figure 5: Results reported by the ATSE back-end in SPAN.

6. Performance Evaluation

In this section, we firstly analyze the performance of the proposed UPPGHA by comparing it with the current LTE-A handover mechanisms in [7, 8] and other related schemes [1821] in terms of the signaling cost, the communication cost, and the computational cost. Then, we evaluate the situation when there are some attacks in execution of protocols. It is assumed that there are MDs in the MTC group.

6.1. Signaling Cost

On the signaling cost, we mainly evaluate our scheme by comparing with the schemes [7, 8, 1821] in terms of the number of signaling messages. According to distinct mobility scenarios, the LTE-A handover mechanisms [7, 8] and the GAHAP [20] can be divided into three different handover processes, X2-based handover (HO), intra-MME HO, and inter-MME HO, respectively. For the scheme in [18], when the first MD moves into the coverage of the target eNB, the source eNB contacts with the target eNB and transmits all of security context information for the MTC group to the target eNB, and then the target eNB can directly perform the mutual authentication with other group members only with two-handshake without the involvement of the source eNB. For the scheme in [19], taking the advantage of broadcasting and aggregation to design the signaling message, the number of signaling messages for the group is only for the roaming phase. For the scheme in [21], due to the use of proxy mechanism, when on-board UEs hand off the target DeNB, the target DeNB can directly obtain the session key with the UEs without the involvement of the MME. According to the number of signaling messages, we obtain a comparison of the signaling cost shown as the second row of Table 4. Since both the signaling cost and the communication cost of the scheme in [20] are much better than these in the LTE-A handover mechanisms [7, 8], which has been given in the scheme in [20], Figure 6 only shows the analysis results for the signaling cost with the increasing of the number of MDs by comparing our scheme with the schemes in [1821]. According to the Figure 6, the signaling cost of each handover process by our scheme is much better than that by the schemes in [18, 20, 21], while the scheme in [19] has better performance on the signaling cost than our scheme. However, the scheme in [19] is used to the vertical handover process for 3GPP-WiMAX interworking architecture, which is not feasible to the horizontal handover within E-UTRAN in LTE-A networks. In addition, there is no confirmation message from the MDs to the MME in the scheme in [19]. In such case the MME cannot determine whether the MD has completed the handover authentication process and obtained the session key, which may incur DoS attacks to the network. Thus, based on an overall consideration of efficiency and security, our scheme has a good performance on the signaling cost compared with other schemes.

Table 4: Comparison of related schemes.
Figure 6: Comparison of the number of signaling messages.
6.2. Communication Overhead

On the communication overhead, let the transmission cost incurred by delivering an authentication packet between the MME and the MD be one unit, the cost between the MDs and the group leader be unit, the cost between the MD and the eNB be unit, the cost between the eNBs be unit, and the cost between MMEs be unit, respectively. Since the MME locates far away from the eNB, the cost unit is in the range . Generally, the costs and are also lower than 1 unit. In addition, since the distance between MDs is not more than 100 meters, the cost unit is far less than unit. In fact, the distance between MDs and that between MMEs in the EPC are relatively fixed, while the distance between eNBs and that between the MD and the eNB change greatly due to the different deployment of the eNBs. In order to facilitate analysis, we set and . The comparison of the communication cost has been shown as the third row of Table 4. Figure 7 shows the analysis results for the communication cost. From the Figure 7, the communication cost of our scheme is much lower than that of the schemes in [18, 20, 21], which is similar to that of the scheme in [19].

Figure 7: Comparison of communication cost.
6.3. Computational Cost

In this section, we analyze the computational cost of our scheme by comparing with the scheme in [19] and the scheme in [21]. We only consider the cost of the following operations including a modular exponentiation , a point multiplication , and a pairing operation , while other operations such as point addition and one-way Hash function will be ignored. According to the time costs of the primitive cryptography operations presented by the scheme in [10], the comparison of the computational cost in the reference schemes is shown in Table 5. According to the Table 5, the computational cost of each MD by our scheme is much less than that by the scheme in [21], which is slightly larger than that by the scheme [19]. That is because the operation cost of modular exponentiation adopted by our scheme is slightly greater than that of point multiplication used by the scheme in [19]. Figure 8 shows the analysis results for the computational cost of the MME or the eNB. From the Figure 8, the computational overhead of the eNB by our scheme is much less than that by the scheme in [19] and the scheme in [21] with the increase of MDs.

Table 5: Comparison of computational cost.
Figure 8: Comparison of the computational cost of the eNB by our scheme.
6.4. Performance Analysis under Unknown Attacks

Our scheme can withstand several known attacks described in detail above, which cannot impact on the execution of our protocol. However, when there are unknown attacks or uncertain attacks, and we do not determine when or whether the unknown/uncertain attacks occur in execution of protocol, our scheme may be interrupted. In this section, we will evaluate this situation. Since we have no idea when or whether the unknown attacks happen in the execution of the protocol, step where the unknown attack happens is completely random; that is, the probability of unknown attack happened in step is , where is the total number of the signaling messages in one execution of protocol. Owing to the space limitations, we elaborate the communication overhead of our scheme under unknown attacks compared with other related schemes, and other performance evaluations under unknown attacks are similar to that of the communication overhead. Here, an impact ratio is defined to evaluate the impact degree of communication overhead under attacks for one success execution of protocol. In addition, we define two parameters: represents the total communication overhead before the attack happens in step and shows that the total communication overhead for one success execution of protocol with no attack. The impact ratio is shown as follows:

The comparison of IR for related schemes is given in Table 6. Figure 9 shows the analysis result of the influence rate () of the one authentication process of existing schemes. According to Figure 9, the impact degree of our scheme is similar to the scheme in [18], which is much less than that of other schemes. In addition, our scheme can simultaneously achieve the authentication for a group of MDs in one success execution of protocol while the LTE schemes [7, 8], the scheme in [18], the scheme in [20], and the scheme in [21] can only provide one-by-one authentication. Therefore, our scheme outperforms other schemes even if there are some unknown attacks.

Table 6: Comparison of related schemes.
Figure 9: Comparison of IR on communication cost.

7. Conclusion and Future Work

In the mobile MTC applications supported by the LTE-A networks, frequent handover signaling interaction not only causes the signaling load on the access network and core network, but also increases the terminal energy consumption. When a good deal of MTC devices simultaneously roams from a base station to a new base station, it is particularly serious. In this paper, we have proposed a simple and secure uniform group-based handover authentication scheme for a large number of MTC devices based on the multisignature and AMAC techniques, which is to fit in with all of the mobility scenarios in the LTE-A networks. Our analysis results show that our scheme can not only provide a simple authentication process with robust security protection, but also largely reduce the signaling costs and communication costs and thus avoid signaling congestion.

Since the next generation networks (5G) will be designed to meet stringent latency, high connection density, and high concurrent access requirements, the design of the security and efficient access and handover authentication for massive devices in LTE-A cellular networks and future 5G is the key challenge to achieve future cellular applications security. In our future work, we will consider more practical access and handover authentication mechanism in LTE-A/5G networks based on symmetric cryptography for massive devices with resource limited under the scenarios that they belong to the same group and there is no correlation, respectively.

Abbreviations

3GPP:Third-Generation Partnership Project
MTC:Machine Type Communication
M2M:Machine to Machine
mMTC:Massive MTC
LTE-A:Long Term Evolution-Advanced
UE:User Equipment
MD:MTC device
:MTC group leader
AMAC:Aggregate message authentication code
EPC:Evolved Packet Core
E-UTRAN:Evolved-Universal Terrestrial Radio Access Network
MME:Mobility Management Entity
S-GW:Serving Gateway
PDN GW:Packet Data Network Gateway
RN:Relay Node
UM/AM:Unauthenticated/authenticated adversarial model
HSS:Home Subscriber Server
eNB/HeNB:eNodeB/Home eNB
EPS-AKA:Evolved Packet System Authentication and Key Agreement
PLC:Power line communication
KGC:Key Generate Center
NDS:Network domain security
AVISPA:Automated Validation of Internet Security Protocols and Applications
SPAN:ANimator for AVISPA
HLPSL:High-Level Protocol Specification Language
OFMC:On-the-Fly Model-Checker
CL-AtSe:Constraint-Logic-based Attack Searcher
SATMC:SAT-based Model-Checker
TA4SP:Tree Automata based on Automatic Approximations for the Analysis of Security Protocol.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

Acknowledgments

This work is supported by National Key R&D Program of China (2016YFB0800703), the National Natural Science Foundation of China (nos. 61772404 and U1401251), the Natural Scientific Basic Research Program Funded by Shaanxi Province of China (2017JM6029), and China 111 Project (no. B16037).

References

  1. 3rd Generation Partnership Project, “Technical Specification Group Radio Access Network; Study on RAN Improvements for Machine-type Communications (Rel 11),” Tech. Rep., 2011, 3GPP TR 37.868 V12.0.0. View at Google Scholar
  2. I. F. Akyildiz, D. M. Gutierrez-Estevez, R. Balakrishnan, and E. Chavarria-Reyes, “LTE-advanced and the evolution to beyond 4G (B4G) systems,” Physical Communication, vol. 10, pp. 31–60, 2014. View at Publisher · View at Google Scholar · View at Scopus
  3. N. Nikaein and S. Krea, “Latency for Real-Time Machine-to-Machine Communication in LTE-Based System Architecture,” in Proceedings of Sustainable Wireless Technologies Wireless Conference, pp. 1–6, 2011.
  4. A. Zanella, M. Zorzi, A. F. Dos Santos et al., “M2M massive wireless access: challenges, research issues, and ways forward,” in Proceedings of the IEEE Globecom Workshops (GC Wkshps '13), pp. 151–156, USA, December 2013. View at Publisher · View at Google Scholar · View at Scopus
  5. J. Cao, M. Ma, and H. Li, “A group-based authentication and key agreement for MTC in LTE networks,” in Proceedings of the IEEE Global Communications Conference (GLOBECOM '12), pp. 1017–1022, Anaheim, Calif, USA, December 2012. View at Publisher · View at Google Scholar · View at Scopus
  6. 3rd Generation Partnership Project, “Technical Specification Group Services and System Aspects; Security Sspects of Machine-Type Communications (Rel 12),” Tech. Rep., 2014, 3GPP TR 33.868 V12.1.0. View at Google Scholar
  7. 3rd Generation Partnership Project, “Technical Specification Group Services and System Aspects; General Packet Radio Service (GPRS) enhancements for Evolved Universal Terrestrial Radio Access Network (E-UTRAN) access (Rel 14),” Tech. Rep., 2016, 3GPP TS 23.401 V14.0.0. View at Google Scholar
  8. 3rd Generation Partnership Project, “Technical Specification Group Radio Access Network,” Evolved Universal Terrestrial Radio Access (E-UTRA) and Evolved Universal Terrestrial Radio Access Network (E-UTRAN); Overall description; (Rel 13), 2016, 3GPP TS 36.300 V13.4.0. View at Google Scholar
  9. 3rd Generation Partnership Project, “Technical Specification Group Service and System Aspects,” 3GPP System Architecture Evolution (SAE); Security architecture (Rel 13), 2016, 3GPP TS 33.401 V13.3.0. View at Google Scholar
  10. J. Cao, H. Li, M. Ma, Y. Zhang, and C. Lai, “A simple and robust handover authentication between HeNB and eNB in LTE networks,” Computer Networks, vol. 56, no. 8, pp. 2119–2131, 2012. View at Publisher · View at Google Scholar · View at Scopus
  11. D. Forsberg, “LTE key management analysis with session keys context,” Computer Communications, vol. 33, no. 16, pp. 1907–1915, 2010. View at Publisher · View at Google Scholar · View at Scopus
  12. 3rd Generation Partnership Project, “Technical Specification Group Service and System Aspects,” Security of H(e)NB; (Rel 8), 2009, 3GPP TR 33.820 V8.3.0. View at Google Scholar
  13. C.-K. Han, H.-K. Choi, and I.-H. Kim, “Building femtocell more secure with improved proxy signature,” in Proceedings of the 2009 IEEE Global Telecommunications Conference, GLOBECOM 2009, USA, December 2009. View at Publisher · View at Google Scholar · View at Scopus
  14. H. Nicanfar, J. Hajipour, F. Agharebparast, P. TalebiFard, and V. C. M. Leung, “Privacy-preserving handover mechanism in 4G,” in Proceedings of the 1st IEEE International Conference on Communications and Network Security, CNS 2013, pp. 373-374, USA, October 2013. View at Publisher · View at Google Scholar · View at Scopus
  15. J. Cao, M. Ma, H. Li, Y. Zhang, and Z. Luo, “A survey on security aspects for LTE and LTE-A networks,” IEEE Communications Surveys & Tutorials, vol. 16, no. 1, pp. 283–302, 2014. View at Publisher · View at Google Scholar · View at Scopus
  16. 3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Service Requirements for Machine-Type Communications (MTC) (Rel 13), 3GPP TS 22.368 V13.1.0, Dec. 2014.
  17. J. Cao, H. Li, M. Ma, and F. Li, “UGHA: Uniform group-based handover authentication for MTC within E-UTRAN in LTE-A networks,” in Proceedings of the IEEE International Conference on Communications, ICC 2015, pp. 7246–7251, UK, June 2015. View at Publisher · View at Google Scholar · View at Scopus
  18. A. Fu, S. Lan, B. Huang, Z. Zhu, and Y. Zhang, “A novel group-based handover authentication scheme with privacy preservation for mobile WiMAX networks,” IEEE Communications Letters, vol. 16, no. 11, pp. 1744–1747, 2012. View at Publisher · View at Google Scholar · View at Scopus
  19. C. Lai, H. Li, R. Lu, R. Jiang, and X. Shen, “SEGR: A secure and efficient group roaming scheme for machine to machine communications between 3GPP and WiMAX networks,” in Proceedings of the 2014 1st IEEE International Conference on Communications, ICC 2014, pp. 1011–1016, Australia, June 2014. View at Publisher · View at Google Scholar · View at Scopus
  20. J. Cao, H. Li, and M. Ma, “GAHAP: A group-based anonymity handover authentication protocol for MTC in LTE-A networks,” in Proceedings of the IEEE International Conference on Communications, ICC 2015, pp. 3020–3025, UK, June 2015. View at Publisher · View at Google Scholar · View at Scopus
  21. Q. Kong, R. Lu, S. Chen, and H. Zhu, “Achieve Secure Handover Session Key Management via Mobile Relay in LTE-Advanced Networks,” IEEE Internet of Things Journal, vol. 4, no. 1, pp. 29–39, 2017. View at Publisher · View at Google Scholar · View at Scopus
  22. K. Itakura and K. Nakamura, “A public-key cryptosystem suitable for digital multisignatures,” NEC Research and Development, vol. 71, pp. 1–8, 1983. View at Google Scholar · View at Scopus
  23. S.-J. Hwang and Y.-H. Lee, “Repairing ElGamal-like multi-signature schemes using self-certified public keys,” Applied Mathematics and Computation, vol. 156, no. 1, pp. 73–83, 2004. View at Publisher · View at Google Scholar · View at MathSciNet · View at Scopus
  24. J. Katz and A. Y. Lindell, “Aggregate Message Authentication Codes,” in Topics in Cryptology CT-RSA, pp. 155–169, Springer Berlin Heidelberg, Berlin, Heidelberg, 2008. View at Publisher · View at Google Scholar
  25. R. Canetti and H. Krawczyk, “Analysis of key-exchange protocols and their use for building secure channels,” in Advances in Cryptology EUROCRYPT, vol. 2045 of Lecture Notes in Comput. Sci., pp. 453–474, Springer, Berlin, 2001. View at Publisher · View at Google Scholar · View at MathSciNet
  26. K.-R. Jung, A. Park, and S. Lee, “Machine-Type-Communication (MTC) device grouping algorithm for congestion avoidance of MTC oriented LTE network,” Communications in Computer and Information Science, vol. 78, pp. 167–178, 2010. View at Publisher · View at Google Scholar · View at Scopus
  27. 3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; 3G Security; Network Domain Security (NDS); IP network layer security (Rel 13), 3GPP TS 33.210 V13.0.0, Dec. 2015.
  28. E. Bresson, O. Chevassut, and D. Pointcheval, “Dynamic group Diffie-Hellman key exchange under standard assumptions,” in Advances in Cryptology—EUROCRYPT, vol. 2332 of Lecture Notes in Comput. Sci., pp. 321–336, Springer, Berlin, 2002. View at Publisher · View at Google Scholar · View at MathSciNet
  29. AVISPA v1.1 User Manual, 2006.
  30. Y. Glouche, T. Genet, O. Heen, and O. Courtay, “A Security Protocol Animator Tool for AVISPA,” ARTIST2 Workshop on Security Specification and Verification of Embedded Systems, 2006. View at Google Scholar
  31. L. Lamport, “Specifying Systems,” in The TLA+ Language and Tools for Hardware and Software Engineers, Addison-Wesley Publishing Company, 2002. View at Google Scholar