Abstract- Public Key Infrastructure (PKI) is considered the most appropriate solution for achieving secure mobile SMS transmission and end-to-end mobile communications. This paper presents a lightweight PKI approach which works by applying new technology. It plays the role of an interface for PKI services, removes the existing complexity and increases the reliability of the mobile SMS application.
Keywords- SMS security, mobile PKI, XML security, ECC.
The main purpose of SMS is to deliver text messages from one mobile device to another, and it provides many services in our everyday lives. But is it safe and secure when sensitive information is transmitted using the normal SMS services? Many possible attacks on SMS can arise; hence, it is critical to prevent the content from being illegally intercepted or interrupted by illegitimate sources, as well as to ensure that the message originates from the legitimate sender. Therefore, one of the most important challenges for the mobile communication industry is to ensure that the mobile services are properly used and not open to abuse.
SMS does not have any built-in vetting procedure for authenticating the text or providing security for the data/text transmitted. It is obvious that most of the SMS applications for mobile devices are designed and developed without taking the security aspects into account.
Although mobile PKI is considered one of the best mechanisms for providing secure SMS communication, it is not widely deployed, mainly due to the high mobile PKI requirements, which exceed those of a normal mobile device. SMS security concerns and other challenges, such as confidentiality, integrity, authentication and non-repudiation between the mobile communication parties, can be addressed by adhering to the PKI standard. However, the traditional mobile PKI package has not been successfully deployed on a large scale.
Although mobile PKI plays an important role in securing the mobile environment, there are still many challenges on the route to achieving the main PKI objectives, pertaining to the limited computing power of mobile devices and the integration of certificate vendors. A drawback of public key techniques is that they are computationally very intensive, which makes them less suitable for devices of limited size and processing power, such as mobile phones. Put simply, a mobile user who would like to use the PKI mechanisms must fully support the PKI features; we call this PKI complexity.
Due to mobile power supply limitations, problems arise during the verification of whole PKI certificates and the storage of all the other partners' certificates, as both processes consume a lot of power. PKI is therefore unsuitable for such use, since a lot of power is needed to process all the PKI functions. The PKI requires a mobile device with a good power supply in order to meet the main security requirements. Although PKI fulfils the mobile security requirements, it fails to provide heterogeneous PKI certificate standards for other mobile devices. Heterogeneous standards means supporting different PKI standards from different PKI vendors at the same time. Fig 1 shows the difficulty of mobile PKI certificate standards.
Different PKI standards from different vendors
The limitations of the PKI are difficult to overcome completely, particularly in mobile applications, because all the complex PKI functions are on the client's side. A new problem arises because of limited mobile resources. Therefore, the current research stage focuses on trying to find a solution for the mobile PKI challenges, which include the limited computing capacity of mobile devices for PKI-based end-to-end secure transactions and the standardization of PKI certificate vendors.
Table 1 summarizes part of the mobile security and PKI contributions toward achieving secure mobile communication.
XML is considered a way to overcome these hurdles and provide a secure application. It can be proposed as a lightweight interface in the front end for accessing PKI [between the mobile device and PKI server]. Fig 2 shows the main components of the proposed solution.
Mobile PKI Proposed Solution
Difficult to develop in real life because it depends on using two SIM cards.
Devices can use only the X.509 standard, because X.509 is considered an Internet certificate standard.
Has to deal with the mobile server provider and suitable for large commercial organizations.
Cannot provide secure communication between two mobile devices.
Cannot fulfill all security requirements such as integrity, authentication and non-repudiation.
Cannot provide end-to-end security requirements.
Sender and receiver must agree on the password beforehand; PKI is mentioned but not used.
Mobile devices have to be compatible with the GSM mobile service provider network because it provides encryption scheme.
System uses symmetric key cryptography which has key distribution problem, and does not provide end-to-end security between two devices.
Mobile device must download the certificate from the M-PKI directly and then store the certificate inside the mobile device to perform the verification process; this incurs high power consumption, besides the memory limitation problem.
Proposed Solution Components
The middleware or interface server is based on the XML Key Management Specification (XKMS). It was proposed by VeriSign and others for distributing and registering public keys, and it works very well with XML Encryption and XML Signature. This paper identifies the need for XKMS in mobile PKI applications to minimize the complexity of client deployment and to separate the client implementation by transferring the operations to a trust service, which acts as a middleware or interface between the PKI server and the mobile application. Fig 3 shows the relation between the traditional mobile PKI and our proposed architecture.
According to Fig 3, step 1 presents the normal traditional PKI, and steps 2 and 3 explain how the XKMS mobile client can obtain its certificate; both the traditional mobile PKI and the mobile XKMS (proposed solution) can therefore obtain the certificate, but in different ways. The following steps relate to the figure above and explain both the traditional mobile PKI (step 1) and our proposed mobile XKMS solution (steps 2 and 3).
Step 1: The PKI client connects to the PKI server directly for registration, validation and obtaining the PKI certificate. This process can be complicated due to the mobile limitations stated in section II; in addition, the mobile client must support the PKI features.
Step 2: The mobile XKMS client connects to the PKI server via a third, trusted server (the proposed middleware server).
Step 3: The XKMS trust server (middleware server) acts as middleware and interface so that the pitfalls of mobile deployment are avoided.
Mobile PKI vs mobile XKMS (proposed solution)
Fig 4 gives a brief description of the whole proposed methodology. There are three main steps that the mobile application should follow to achieve secure SMS transmission; the steps are numbered in the figure below.
Step 1: Registration process: the mobile application registers its public key so that the Certificate Authority (CA) can create its certificate.
Step 2: Obtain partner certificate: before sending an SMS, the mobile application obtains the communication partner's certificate to get the public key before applying the cryptographic process to SMS messages.
Step 3: Exchange secure SMS: after obtaining the public key, the mobile sender applies the cryptographic algorithm using the receiver's public key, which was already obtained in step 2.
Proposed solution framework
The main contribution of this paper is reducing the PKI processing in the mobile application while obtaining the PKI certificate for authenticating the communicating parties before sending an SMS message. This is achieved by installing a middleware server to shield the mobile application from the heavy PKI processing mentioned in section II. Fig 5 presents the steps for obtaining the certificate. The mobile application goes through the following steps to obtain the communication partner's certificate.
Step 1: Query the receiver's public key using his unique mobile number.
Step 2: Forward the mobile request to the PKI server through HTTP.
Step 3: Return the X.509 certificate if valid and available.
Step 4: Parse the certificate and return the key value (the public key) inside the secure SOAP message tags.
Today, XML is used to protect information. Therefore, implementation of the XML Security model will improve the quality, reliability and security of the mobile services. XML signatures are the standard for applying digital signatures in the XML data format, and they make it feasible to authenticate and protect the integrity of the data in XML and web transactions. As is widely known, the concept of a digital signature is not new, and conventionally the whole document must be signed. XML security, however, allows us to sign only specific tags (only the public key) or a portion of the document, instead of the whole document. By providing a means to sign a part of the document, XML signature syntax shows the relationship between the cryptographic signature algorithms and the XML documents.
This is one of the advantages of using XML security, because by converting PKI certificates to XML documents, the operation will allocate all the certificate fields inside different XML tags. Subsequently, it will only sign the public key tag instead of the whole certificate. As a result, the generated signature size will be smaller than the signature of the whole document, when compared to signatures produced by using asymmetric key cryptography algorithms. Moreover, XML supports simultaneous multiple signatures inside one document.
Obtaining the partner certificate
Elliptic Curve Cryptography for securing SOAP message:
The Elliptic Curve Digital Signature Algorithm (ECDSA) is used for signing the XML tags because it generates keys very fast in comparison to RSA key generation, especially in the mobile environment. Furthermore, the ECDSA key size is shorter than the RSA key size (192 bits for ECDSA provides the same security level as 1024 bits for RSA). Moreover, the ECDSA signature size is smaller than that of other asymmetric cryptographic algorithms. Therefore, using ECDSA, the solution generates the two parts of the intended digital signature, to increase security, before inserting them inside different XML tags that are then embedded inside one SOAP message.
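The lookup response described above (steps 1 to 4, signing only the key tag, ECDSA) as an added Go example, not the paper's implementation: the element names, the NewTrustKey, Respond and Accept functions and the pinned trust-server key are assumptions, and P-256 stands in for the 192-bit curve because Go's standard library has none. The signature here covers the mobile number together with the key value (an addition to the paper's description) so that a signed key cannot be reused under another number; the code hashes a fixed field concatenation and does not implement XML Signature canonicalization or SOAP.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/xml"
	"fmt"
)

type KeyBinding struct { // simplified response body: assumed layout, not the XKMS schema
	Mobile   string `xml:"MobileNumber"`
	KeyValue string `xml:"KeyValue"`       // partner public key, base64
	Sig      string `xml:"SignatureValue"` // ECDSA signature, base64
}

func digest(mobile, keyValue string) []byte {
	h := sha256.Sum256([]byte(mobile + "\n" + keyValue)) // number and key are signed together
	return h[:]
}

// Respond is the middleware side: it signs only the two fields, not a whole certificate.
func Respond(trust *ecdsa.PrivateKey, mobile, keyValue string) ([]byte, error) {
	sig, err := ecdsa.SignASN1(rand.Reader, trust, digest(mobile, keyValue))
	if err != nil {
		return nil, err
	}
	return xml.Marshal(KeyBinding{Mobile: mobile, KeyValue: keyValue, Sig: base64.StdEncoding.EncodeToString(sig)})
}

// Accept is the mobile side: it verifies with the pinned trust-server key and parses no X.509.
func Accept(pinned *ecdsa.PublicKey, wanted string, msg []byte) (string, error) {
	var kb KeyBinding
	perr := xml.Unmarshal(msg, &kb)
	sig, derr := base64.StdEncoding.DecodeString(kb.Sig)
	if perr != nil || derr != nil || kb.Mobile != wanted || !ecdsa.VerifyASN1(pinned, digest(kb.Mobile, kb.KeyValue), sig) {
		return "", fmt.Errorf("key binding for %s rejected", wanted)
	}
	return kb.KeyValue, nil
}

func NewTrustKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

func main() {
	trust, _ := NewTrustKey() // constructed trust-server key
	msg, _ := Respond(trust, "+10000000001", "Y29uc3RydWN0ZWQta2V5") // constructed number and key
	fmt.Println(Accept(&trust.PublicKey, "+10000000001", msg))
}
```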
Results and Discussion
Fig 6 illustrates the time taken by the different sending stages (obtaining the receiver's public key, encrypting the SMS content, signing the encrypted SMS).
Sending SMS time (ms)
Fig 7 illustrates the time taken by the different receiving stages (obtaining the sender's public key, decrypting the SMS content, verifying the signed SMS).
Receiving SMS time (ms)
This section evaluates the proposed solution against the mobile PKI mechanism. The evaluation is based on the security requirements, time performance, mobile memory consumption and certificate integration ability. The mobile PKI results are based on research conducted and published by FSKTM, UM.
Table 2 shows the security parameters which are required to provide secure SMS transmission in both mobile PKI and the new proposed solution (M-XKMS).
+ XML tags
It is clear that the proposed M-XKMS solution provides the same security level offered by implementing PKI in the mobile environment. This is because the proposed solution is not a replacement for mobile PKI; it borrows all the mobile PKI security features and reduces the mobile complexity (no need for full support).
Fig 8 shows the time consumption (ms) during the sending SMS operation (obtain public key + sign SMS + Encrypt SMS Content) - in both M-PKI case and our new proposed solution (M-XKMS).
Fig 9 shows the time consumption (ms) during the receiving SMS operation (obtain public key + Decrypt SMS + Verifying SMS Content) - in both M-PKI case and our new proposed solution (M-XKMS).
Mobile PKI vs M-XKMS- Sending SMS
Mobile PKI vs M-XKMS- Receiving SMS
From the above diagrams, the PKI time performance is better because our proposed solution is based on installing a middleware server between the mobile PKI client (mobile device) and the PKI server. However, it shelters the mobile device from verifying and storing the PKI certificate, which are considered expensive operations given the limited mobile resources. The mobile client is now totally free from any underlying PKI.
Mobile storage consumption
In the mobile PKI case, after the client requests his partner's certificate, he/she must store that certificate after the verification process (normal certificate size is 607 bytes). In the proposed scenario, however, after the partner certificate is requested, the certificate is stored inside the middleware server, which passes only the public key (1024 bits - RSA key size) inside secure XML tags (SOAP envelope).
This research presents the design and development of M-XKMS (Mobile XML Key Management Specification) as a solution to the deployment limitations of PKI clients (mobile devices). An interface between the mobile PKI device and the Certificate Authority (CA) was developed to simplify the complexity of mobile PKI by transferring part of the tasks to our proposed middleware server.