Improvement of Key Validation Efficiency in a Secure Mobile Messaging Application Using SMS-Based Public Key Cryptography (SB-PKC)


ABSTRACT

Short Message Service (SMS) is one of the most used mobile data services. It is utilized in a wide range of applications including information delivery, remote operation of appliances and online purchases/banking transactions. However, some of these applications require that the underlying messaging protocol guarantee secure communication, which traditional SMS cannot provide. The state-of-the-art approach to adding security to SMS messaging involves the use of asymmetric cryptography, supported by Public Key Infrastructure (PKI) to address the public key verification/validation issues inherent in asymmetric-based cryptosystems. Despite PKI’s good features, its key validation mechanism has potential for delay and high resource requirements, making it inappropriate for use in resource-constrained environments like mobile phones. Thus, this work aims to develop an asymmetric-based secure mobile messaging application (dubbed “ProSMS”) with improved efficiency during key validation when compared to PKI. A hybrid of symmetric (Twofish) and asymmetric (RSA) ciphers and a hash function (SHA256) is implemented to add secure communication requirements to SMS messaging using J2ME programming. These security features were added to traditional SMS messaging with minimal overheads, as indicated by the very low (< 1s) runtime requirements of the cryptographic processes. A new approach to public key verification/validation, dubbed SMS-Based Public Key Cryptography (SB-PKC), and the earlier PKI were also implemented in the developed application in order to compare their key validation requirements. A major step used to differentiate SB-PKC from PKI is the elimination of the need for frequent requests by users for keys’ validity status information. The efficiency during key validation in SB-PKC was shown to improve over what is obtainable in PKI: (i) 40ms latency in SB-PKC as against 5000ms in PKI, the significance of which is that usability is improved, as higher latency in wireless communication is known to hamper usability; (ii) 143 bytes and 472 bytes of request and response data sizes respectively are required in PKI as against 0 and 202 bytes of data required in SB-PKC, the significance of which is that bandwidth-use optimization is higher in SB-PKC than in PKI. The test device used to arrive at these results is a Tecno T9 mobile device.

 

 

TABLE OF CONTENTS

TITLE PAGE
DECLARATION
CERTIFICATION
DEDICATION
ACKNOWLEDGEMENTS
ABSTRACT
TABLE OF CONTENTS
LIST OF FIGURES
LIST OF PLATES
LIST OF TABLES
LIST OF ABBREVIATIONS
CHAPTER ONE: INTRODUCTION
1.1 Background
1.2 Problem Statement
1.3 Aim and Objectives
1.4 Methodology
1.5 Significant Contributions
1.6 Dissertation Organization
CHAPTER TWO: LITERATURE REVIEW
2.1 Introduction
2.2 Review of Fundamental Concepts
2.2.1 Cryptography
2.2.1.1 Symmetric Cryptography
2.2.1.2 Asymmetric Cryptography
2.2.2 PKV Schemes
2.2.2.1 Explicit Schemes
2.2.2.2 Implicit Schemes
2.2.3 Robust PKV Schemes
2.3 Review of Similar Works
2.4 Summary
CHAPTER THREE: MATERIAL AND METHODS
3.1 Introduction
3.2 Materials
3.2.1 Materials Used
3.2.2 Installation and Configuration
3.3 Method
3.3.1 Selection of an Appropriate Cryptosystem Type
3.3.2 Selection of Appropriate Ciphers
3.3.2.1 Selection of a Symmetric Cryptographic Cipher
3.3.2.2 Selection of an Asymmetric Cryptographic Cipher
3.3.2.3 Selection of Hash Function
3.3.3 Development of a Communication Protocol
3.3.4 Development of Codes for Secure SMS Messaging
3.3.4.1 Required (Major) Interfaces
3.3.4.2 Cryptographic Processes
3.3.4.3 Data Storage using Record Management Store (RMS)
3.3.4.4 Port for Receiving SMS
3.3.4.5 Auto-launch Capability
3.3.4.6 Summary Implementation of the Secure Messaging Aspect of the Mobile Application
3.3.5 The Proposed SB-PKC PKV Scheme
3.3.6 Implementation of Pertinent Parts of the SB-PKC Scheme
3.3.6.1 Development of the codes to enable key registration with PKA
3.3.6.2 Development of the codes to enable Public Key Verification Request (PKVR)
3.3.6.3 Development of the codes for receiving response to PKVR
3.3.7 Testing (Simulation) of the Application’s Functionalities
3.3.8 Testing (On Real Device) of the Application’s Functionalities
3.3.8.1 Test on Secure SMS Messaging
3.3.8.2 Test on SB-PKC Scheme
3.3.9 Development of Codes for Public Key Validation using PKI
3.3.9.1 PKI (OCSP) Test
3.3.10 Validation by Comparison between PKI and SB-PKC
3.3.10.1 Basis for Comparison
CHAPTER FOUR: RESULTS AND DISCUSSIONS
4.1 Introduction
4.2 Developed Application’s Performance Based on Objective One
4.3 Developed Application’s Performance Based on Objective Three
4.4 Summary
CHAPTER FIVE: CONCLUSION AND RECOMMENDATIONS
5.1 Introduction
5.2 Conclusion
5.3 Limitations
5.4 Recommendations for Further Works
REFERENCES
APPENDIX A: ProSMS Source Code

 


CHAPTER ONE

INTRODUCTION
1.1 Background
Distributed networks like the internet and the telephone are indispensable tools in today’s world. They play important roles in connecting people from near and distant places. However, their use poses a security threat because they allow a considerable amount of anonymity, the consequence of which is that people’s identities can be stolen and the data passing through them can be maliciously used (Noroozi et al., 2014). A very popular and widely deployed distributed network is the Global System for Mobile Communications (GSM). Since its inception in Europe in 1991, GSM has seen widespread adoption all over the globe. GSM has revolutionized mobile communication, becoming the default global standard for mobile communications with over 90% market share, operating in over 210 countries and territories and connecting over 6.8 billion people as of the first quarter of 2014 (Isabona, 2014; Azubuike and Obiefuna, 2014). GSM services include voice calls, data transmission including internet access, Short Message Service (SMS), etc. SMS, the most widely used mobile data service, is a mechanism for delivery of short messages over telecommunication networks. It is a global wireless service that enables the transmission of alphanumeric messages between mobile subscribers, originally designed as part of GSM but now available on a wide range of network standards. SMS messaging is accomplished via a store-and-forward mechanism (Toorani and Beheshti, 2008). Figure 1.1 is a block diagram of the main network elements of the GSM architecture, illustrating the flow of SMS from one user to another.
Figure 1.1: Basic Network Elements of SMS Messaging (Gupta, n.d.)
The SME (Short Message Entity) is the messaging software embedded in a mobile station (MS) that handles the sending and receiving of SMS. From an MS, an SMS is sent (and received) via a radio link through the Base Station System (BSS), whose basic functionality is transmission of voice and data traffic signals to and from an MS. This is the only part where encryption is optionally applied, using the very weak A5/1 and A5/2 cryptographic ciphers (Saxena and Payal, 2011; Toorani and Beheshti, 2008). The message is then routed to an appropriate Mobile Switching Centre (MSC), the entity responsible for switching connections between mobile stations or between mobile stations and the fixed network. Thereafter, the SMS is further routed to the Short Message Center (SMC) or Short Message Service Center (SMSC), which is the entity responsible for the store-and-forward feature of SMS messaging. The SMS is then forwarded to the MSC that currently serves the recipient MS, using routing information (about the current position of the receiving MS) from the Home Location Register (HLR). Depending on whether the message is intra-network or inter-network, it may involve the Gateway MSC (GMSC). The GMSC is a mobile network’s point of contact with other networks. The Visitor Location Register (VLR), like the HLR, is a database that contains subscribers’ temporary information. The MSC uses this information to service visiting subscribers.
SMS’ simplicity, ease of use and a host of other factors have encouraged its growth among users (Pujitha and Mallu, 2013). The total number of SMS messages exchanged worldwide tripled between 2007 and 2010, from an estimated 1.8 trillion to 6.1 trillion; approximately 200 000 SMS messages are sent every second (Rao, 2011; Statista, 2015). By the first quarter of 2014, about 30 billion SMS messages were sent in the UK alone (Statista, 2015). These SMS exchanges are used in a wide variety of applications across many areas of human endeavor: governance, education, enlightenment, etc. The increased use of SMS has also seen it used for the exchange of sensitive information that requires a level of security that is not available in SMS messaging. A good example is the use of SMS for online purchases and banking transactions. A very obvious limitation here is that the communicated SMS (transaction) is not confidential: (1) network providers have access to copies of all SMS transmitted, and (2) intruders can read these SMS when they are in possession of a user’s mobile phone (as a result of theft, loss of the mobile device, etc.). SMS has also been found to be very useful for sending control information. A good example is the use of SMS for communicating (sensitive) control signals for operating equipment, as used in Khiyal et al. (2009) for remotely operating appliances. The limitation here is that these appliances need assurance that the received SMS was sent from the desired device (authentication) and that the received SMS has not been changed in transit (integrity). Suresh et al. (2014) document popular instances of compromise of SMS security. Traditional SMS messaging was not originally designed for exchanging sensitive information like this, so it lacks secure communication requirements. Therefore, if SMS must be used for exchanging sensitive information, secure communication features must be added. One of the ways that this can be done is via cryptography.
Cryptography is one of the most popular tools used today for ensuring data security on potentially insecure platforms like the GSM network and its services like SMS. Cryptography is applied on these networks to meet the secure communication requirements of: (i) confidentiality (to ensure the exchanged information is not divulged to unauthorized entities), (ii) integrity (to ensure the exchanged information is not altered in transit), (iii) authentication (to ensure that the communicating entities are “true”, so that impersonation is not possible) and (iv) non-repudiation (to ensure that a sending entity cannot falsely deny a message that originates from it) (Schneier, 1996). Cryptography comes in two flavors: symmetric cryptography and asymmetric cryptography (Public Key Cryptography or PKC). While symmetric cryptography can provide confidentiality and integrity, asymmetric cryptography can provide all four secure communication requirements (Lisonek and Drahansky, 2008). However, PKC suffers a major drawback, identity binding: how to prove that the public key component of a PKC key pair is genuine. This has been an open problem since the concept of asymmetric cryptography was developed (Gutmann, 2013; Lee et al., 2011; Toorani, 2011; Yuan, 2004; Stallings, 2004; Schneier, 1996). Public Key Verification (PKV) schemes are used as support systems to help prove the genuineness or otherwise of users’ public keys in a PKC environment. Over the years, a number of PKV schemes have emerged. Examples include Public Key Infrastructure (PKI), Web of Trust (WoT), Identity-Based Public Key Cryptography (ID-PKC), etc. The most popular PKV scheme in use is PKI (Wiesner, 2013). Despite the advantages of PKI over the other PKV schemes, PKI has the following shortcomings:
1. Key validation is delay-ridden (high latency) and thus affects usability (Stark et al., 2012).
High latency is inherent in PKI’s key validation process because it utilizes a chatty protocol, where Relying Parties (RPs) or users have to request a key’s validity status from a Trusted Third Party (TTP) server and wait for a response. RPs or users are required to check regularly, on a real-time basis, whether the status of a key (belonging to another user with whom secure communication is to be established) has changed before the key can be used. The fact that this check is done on a real-time basis implies there is potential for delays (from the CA servers) or outright denial of service during peak hours or when the servers have technical issues (Gutmann, 2013). This is further compounded by network connectivity issues of the client device at the time of the request. Mobile phone network connectivity is particularly susceptible to large irregularities and fluctuations (Kumar et al., 2013).
2. It has high overhead: recurrent internet roundtrips for key validation (which also implies recurrent battery, CPU, memory etc. use) and significant storage space requirements (Medani et al., 2011).
PKI’s chatty protocol approach to validation-check implies a regular use of the client device’s resources like battery, CPU, memory, bandwidth etc. for this operation; these resources are comparatively smaller on mobile devices. Furthermore, their use in this way constitutes a waste when the outcome of any two consecutive instances of revocation-check (or validation-check) is the same. Thus, this work implemented a PKC-based secure mobile messaging application. An improved approach to PKV is also implemented to improve the efficiency during key validation by minimizing the latency and high overhead requirements.
1.2 Problem Statement
Recent works on SMS vulnerabilities have been in the direction of applying asymmetric (PKC) cryptographic ciphers, as they can afford all four secure communication requirements. However, the identity binding problem inherent in PKC-based solutions has not been properly addressed in the context of the resource-constrained nature of the typical mobile phone environment. Many works that attempt to address the identity binding problem in this area of research (SMS/mobile environment) have simply “dumped” the PKI-based solution as used in the wired environment. PKI-based solutions for SMS are not optimized for mobile environments; the use of digital certificates requires large storage space, long (and recurrent) processing time (during certificate/key revocation-check) and substantial (and recurrent) bandwidth/internet connectivity, and consequently makes inefficient use of mobile phones’ limited resources (Medani et al., 2011; Sharma, 2009). In the light of these, there is a need for an alternative PKV scheme whose latency and other overheads for key validation are lower than in PKI. The scheme, in addition to requiring lower resources for key validation, should not sacrifice any of the good features of PKI. This is what this work sets out to achieve.
1.3 Aim and Objectives
The aim of this work is to develop a PKC-based secure SMS messaging mobile application that utilizes a PKV scheme which, in comparison with PKI, has lower latency and overhead costs during key validation and yet does not sacrifice any of the good features of PKI. To achieve this aim, the following objectives have been set:
I. Develop J2ME codes to create a PKC-based mobile SMS messaging application (ProSMS) with all secure communication requirements of confidentiality, integrity, authentication and non-repudiation.
II. Propose (and implement) an improved PKV scheme to be used for identity binding in the developed mobile application (ProSMS), and
III. Compare the resource-cost requirements during key validation in the improved PKV scheme with those of PKI.
1.4 Methodology
The following methodology was adopted in carrying out this research:
1. Selection of an appropriate cryptosystem design based on which type can provide all the four secure communication requirements.
2. Selection of appropriate ciphers/algorithms based on (1) above and other pertinent parameters like security etc.
3. Development of a communication protocol based on (2) that enables secure SMS communication on mobile phones.
4. Development of the codes (SMS app) to implement the communication protocol in (3). Take run time requirements of the cryptographic processes to evaluate the added overhead cost.
5. Propose the SB-PKC PKV Scheme detailing its actors and their relationships.
6. Implementation of pertinent parts of the SB-PKC by writing programming codes. Take public key validation requirements data for the SB-PKC scheme.
7. Development of codes to implement public key validation using PKI (via OCSP). Take public key validation requirements data for the PKI scheme.
8. Testing (simulation) of the application’s functionalities.
9. Testing (on real device) of the application’s functionalities.
10. Validate by comparing public key validation requirements of SB-PKC and PKI.
1.5 Significant Contributions
The significant contributions derivable from this work are as follows:
1) Development of a hybrid cryptosystem for secure SMS messaging that utilizes session keys in the manner used in popular secure e-mail clients like PGP, where the (symmetric) encryption key is used only once per message, the asymmetric key is used for secure key exchange, and users themselves are responsible for the generation of all their keys.
2) Experimental measurement of the average latency that mobile phone users experience during the key validation process under the PKI scheme. It was found that it takes an average of 5000ms to obtain key validation information.
3) Proposal and development of a PKV scheme with lower latency and overhead requirements during key validation than PKI. The latency experienced during public key validation in the improved scheme is 40ms as against 5000ms in PKI. Furthermore, the scheme reduced the number of internet roundtrips required to the minimum (0), thus conserving bandwidth and other associated resources like battery.
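The session-key hybrid described in contribution 1, sketched as an added example that is not the ProSMS source code. Assumptions: Java SE 16+ with the standard JCA providers rather than J2ME, AES-GCM standing in for Twofish (which the standard JDK providers do not ship), and a hypothetical `Envelope` layout and encrypt-then-sign ordering chosen for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;

public class HybridSmsDemo {
    // Hypothetical envelope layout (assumption), not the ProSMS wire format.
    record Envelope(byte[] wrappedKey, byte[] nonce, byte[] body, byte[] sig) {}

    static final String RSA_WRAP = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";

    static void feed(Signature s, byte[]... parts) throws SignatureException {
        for (byte[] p : parts) s.update(p);
    }

    static Envelope seal(String text, PublicKey recipientPub, PrivateKey senderPriv)
            throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey session = kg.generateKey();   // fresh key, used for this message only
        byte[] nonce = new byte[12];
        new SecureRandom().nextBytes(nonce);
        Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
        aes.init(Cipher.ENCRYPT_MODE, session, new GCMParameterSpec(128, nonce));
        byte[] body = aes.doFinal(text.getBytes(StandardCharsets.UTF_8));
        // RSA only transports the session key; it never touches the message text.
        Cipher rsa = Cipher.getInstance(RSA_WRAP);
        rsa.init(Cipher.WRAP_MODE, recipientPub);
        byte[] wrapped = rsa.wrap(session);
        // SHA-256 digest signed with the sender's key: authentication, non-repudiation.
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(senderPriv);
        feed(s, wrapped, nonce, body);
        return new Envelope(wrapped, nonce, body, s.sign());
    }

    static String open(Envelope e, PrivateKey recipientPriv, PublicKey senderPub)
            throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(senderPub);
        feed(s, e.wrappedKey(), e.nonce(), e.body());
        if (!s.verify(e.sig())) throw new SignatureException("sender signature invalid");
        Cipher rsa = Cipher.getInstance(RSA_WRAP);
        rsa.init(Cipher.UNWRAP_MODE, recipientPriv);
        SecretKey session = (SecretKey) rsa.unwrap(e.wrappedKey(), "AES", Cipher.SECRET_KEY);
        Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
        aes.init(Cipher.DECRYPT_MODE, session, new GCMParameterSpec(128, e.nonce()));
        return new String(aes.doFinal(e.body()), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair sender = kpg.generateKeyPair(), recipient = kpg.generateKeyPair();
        // Constructed sample message.
        Envelope e = seal("PAY 5000 TO ACCT 12345", recipient.getPublic(), sender.getPrivate());
        System.out.println(open(e, recipient.getPrivate(), sender.getPublic()));
        int size = e.wrappedKey().length + e.nonce().length + e.body().length + e.sig().length;
        System.out.println("envelope bytes: " + size);
        byte[] bad = e.body().clone();
        bad[0] ^= 1;                              // flip one ciphertext bit in transit
        try {
            open(new Envelope(e.wrappedKey(), e.nonce(), bad, e.sig()),
                 recipient.getPrivate(), sender.getPublic());
        } catch (GeneralSecurityException ex) {
            System.out.println("tampered message rejected: " + ex.getMessage());
        }
    }
}
```

The recipient can only trust `senderPub` if it has been validated, which is the identity binding problem that the PKV schemes compared in this work address.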
1.6 Dissertation Organization
The general introduction has been presented in Chapter One. The remaining chapters are structured as follows: a detailed review of the relevant literature and pertinent fundamental concepts is presented in Chapter Two. Chapter Three discusses the methodology adopted in achieving the set objectives. The results obtained are analyzed and discussed in Chapter Four. Chapter Five presents the conclusion and recommendations for further work. Quoted references and appendices are also provided at the end of the dissertation.
