ABSTRACT:
Short Message Service (SMS) still represents the most used mobile messaging service.
SMS messages are used in many different application fields, even in cases where
security features, such as authentication and confidentiality between the communicators,
must be ensured. Unfortunately, the SMS technology does not provide built-in
support for any security feature.
This work presents SEESMS
(Secure Extensible and Efficient SMS), a software framework written in Java
which allows two peers to exchange encrypted and digitally signed SMS messages.
The communication between peers is secured by using public key cryptography.
The key-exchange process is implemented by using a novel and simple security
protocol which minimizes the number of SMS messages to use. SEESMS supports the
encryption of a communication channel through the ECIES and the RSA algorithms.
The identity validation of the contacts involved in the communication is
implemented through the RSA, DSA and ECDSA signature schemes. SEESMS is able to
certify the phone number of the peers using the framework. Additional
cryptosystems can be coded and added to SEESMS as plug-ins. Special attention
has been devoted to the implementation of an efficient framework in terms of
energy consumption and execution time. This efficiency is obtained in two
steps.
First, all the cryptosystems
available in the framework are implemented using mature and fully optimized
cryptographic libraries. Second, an experimental analysis was conducted to
determine which combination of cryptosystems and security parameters
provides the best trade-off between speed, security and energy
consumption. This experimental analysis has also been useful to expose some
serious performance issues affecting the cryptographic libraries which are
commonly used to implement security features on mobile devices.
PROPOSED SYSTEM:
Two major security vulnerabilities affect SMS-based communication: the lack of confidentiality during the transmission of a message and the absence of a standard way to certify the identity of the user (or at least the phone number) that sent the message. These vulnerabilities originate from the protocol used to exchange SMS messages and from the infrastructure used to implement it. There are currently several proposals, mostly from scientific research, on how to secure SMS messages. Some of these proposals require security to be injected at the protocol level. Most of them, instead, consist of software frameworks which can be installed on mobile phones and/or on SIM cards in order to implement security features.
PROJECT DOMAIN DESCRIPTION:
There have been several proposals up to now to secure SMS-based communications on a
GSM network. A first category of contributions tries to address these problems
by changing the original GSM specifications in order to introduce security
features. This is the case, for example, of the proposal presented by Hossain
et al., which argues for a modification of the GSM protocol at the transport
level to achieve confidentiality between mobile equipment (ME) and the GSM base
station (BS) connected to it. The advantage of this approach, if followed, is
that it would inject security features at the infrastructure level,
thus strengthening the entire communication network. However, it is
unlikely that these proposals will be implemented and widely adopted in the
near future, mostly because of the technical difficulties arising from the
implementation of structural changes in a well-established network architecture
such as GSM.
A second category of contributions to secure SMS communication, which is becoming
viable because of the increasing diffusion of ME with advanced computational
capabilities, introduces security features through the implementation of
security schemes at the application level. The resulting software frameworks
can be categorized according to the place where the application implementing
the security scheme, and its cryptographic keys, are stored. The first
possibility is to locate the application and its keys in a programmable SIM
card used by the ME. This solution is adopted by systems like the one developed
by Rongyu et al. or by the IPCS Group with the IPCryptSIM
Sending or receiving SMS messages is a common habit for most people using a
cellular phone. The general expectation is that mobile equipment should be
able to promptly send and receive a message with almost no delay. Sending
and receiving secure SMS messages could change this habit, since it
involves processing incoming and outgoing secure messages, which may take
several seconds.
Thus, the efficiency of these systems is almost as important as the security they
guarantee. Moreover, the efficiency of a system for guaranteeing secure SMS
messages is heavily influenced by the same ingredients which govern its own
security: in other words, the cryptosystems and the security parameters it
uses. The user should be given the possibility to choose to trade part of the
security of a system with shorter response times, and vice-versa. Moreover,
such a customization should be allowed on a per-message basis, because the same
user might need to send messages, even to the same recipient, with different
levels of security. As a matter of fact, all the systems for sending secure SMS
messages presented so far in the literature are bound to a particular cryptosystem.
While this choice simplifies their development, it may have a negative effect
on their ability to meet the requirements of the users.
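
The per-message trade-off described above can be made concrete by measuring how the choice of signature scheme changes the number of SMS parts a signed message occupies. The following is an added example, not SEESMS code: the class name, the key sizes, the sample text and the framing (UTF-8 text followed by the raw signature in an 8-bit SMS of 140 bytes, or 134 bytes per part when concatenated) are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Signature;
import java.security.spec.ECGenParameterSpec;

public class SmsSignatureCost {
    // 8-bit SMS: 140 bytes of user data; each part of a concatenated SMS
    // gives up 6 bytes to the User Data Header, leaving 134.
    static final int SINGLE = 140, PART = 134;

    static int smsParts(int payloadBytes) {
        return payloadBytes <= SINGLE ? 1 : (payloadBytes + PART - 1) / PART;
    }

    static KeyPair keys(String alg, int bits, String curve) throws Exception {
        KeyPairGenerator g = KeyPairGenerator.getInstance(alg);
        if (curve != null) g.initialize(new ECGenParameterSpec(curve));
        else g.initialize(bits);
        return g.generateKeyPair();
    }

    // Signs msg, checks that the signature verifies, and returns how many SMS
    // parts "text || signature" needs (hypothetical framing, not SEESMS's).
    static int cost(String label, String sigAlg, KeyPair kp, byte[] msg) throws Exception {
        Signature signer = Signature.getInstance(sigAlg);
        signer.initSign(kp.getPrivate());
        signer.update(msg);
        byte[] sig = signer.sign();

        Signature verifier = Signature.getInstance(sigAlg);
        verifier.initVerify(kp.getPublic());
        verifier.update(msg);
        if (!verifier.verify(sig)) throw new IllegalStateException(label + ": bad signature");

        int total = msg.length + sig.length;
        int parts = smsParts(total);
        System.out.printf("%-12s signature=%3d B  payload=%3d B  SMS parts=%d%n",
                label, sig.length, total, parts);
        return parts;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample message.
        byte[] msg = "Transfer approved, ref 0000 (sample)".getBytes(StandardCharsets.UTF_8);
        cost("RSA-2048", "SHA256withRSA", keys("RSA", 2048, null), msg);
        cost("RSA-3072", "SHA256withRSA", keys("RSA", 3072, null), msg);
        cost("DSA-2048", "SHA256withDSA", keys("DSA", 2048, null), msg);
        cost("ECDSA P-256", "SHA256withECDSA", keys("EC", 0, "secp256r1"), msg);
    }
}
```

For this short text the RSA signatures (256 and 384 bytes) force three and four parts, while the DER-encoded DSA and ECDSA signatures of roughly 70 bytes still fit in a single SMS.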
