# Secure End To End Short Messaging Computer Science Essay

Abstract: Short Message Service (SMS) is popularly used and will be more popular in the future. However, the security of SMS is still a problem. There is no end-to-end security (including integrity, confidentiality, authentication, and non-repudiation) in these services. This hinders service providers from providing some services that require high-security communication. Some solutions have been proposed for this issue in the literature, but these are not suitable for end-to-end communication. This paper evaluates RSA, ELGamal and Elliptic curve encryption techniques using random SMS messages of various sizes to measure their encryption and decryption time. The experimental results are presented to show the effectiveness of each algorithm and to choose the most suitable algorithm for SMS encryption.

I. INTRODUCTION

Mobile communication handsets and networks have developed rapidly in recent years. While GSM, as a representative of 2nd generation (2G) systems, has proven successful, 3rd generation (3G) systems (including W-CDMA, CDMA2000, TD-CDMA/TD-SCDMA) are burgeoning. These new technologies have brought many conveniences to our lives and in some ways changed the lifestyle of modern people, although there are also some criticisms of this change.

The booming market of mobile telecommunication brings both opportunity and competition in this area. In countries where the mobile telecommunication industry is not very developed, operators mainly focus on gaining market share and making money from voice traffic, while in countries with a developed mobile telecommunication industry, such as Europe, the competition in voice traffic has become too tough and has made the profit margin thinner. Operators are moving to the fatter-margin wireless data business, and aiming at improving Average Revenue Per User (ARPU) or Value-added Service (VAS) revenues. Messaging service, especially Short Message Service (SMS), is a popular VAS in countries with developed mobile communication networks and established uniform technical standards.

A typical messaging service involves a Service Provider (SP), a mobile network operator and mobile users (with mobile terminals). A mobile user needs to subscribe to the service first, and can then receive messages or interact with the SP. Messaging users can also communicate with each other. All messages are processed and sent by the Short Message Service Center (SMSC) of the mobile network, as in Figure 1. Current messaging systems provide only point-to-point authentication and confidentiality mechanisms from SP to SMSC and from SMSC to mobile terminals (MT). There is no end-to-end security from SP to mobile users or from MT to MT. From the design phase of SMS, messages were intended for sending non-sensitive information in a GSM network; therefore security considerations were not catered for in its implementation.

Figure 1. SMS system architecture. Rather than communicating directly with the various SMSCs, content providers go through a message aggregator. The message aggregator uses the SMPP to maintain connections with carrier networks.

All messages are sent via the SMSC, so the SMSC is always able to see the messages transmitted. The messages are written into Call Detail Record (CDR) files. These messages are not encrypted, and can be an easy target for criminals. People working for the service operator, or a hacker who gets into the operator network, can read the message contents. This is a security weakness for messaging services in mobile networks, and may prevent the provisioning of services that need high-level end-to-end security. For example, a bank may hope to set up an online banking service whereby its customers may pay their bills and check the balance of their accounts via SMS. However, the transaction data and account information may be released to a third party. A mobile user who knows of this security weakness is not willing to send his credit card information to an SP (even if the SP is the bank) or to another user (even if the other user is trusted).

II. BACKGROUND

A. Security of Mobile Networks and Messaging

There are practical messaging services already in use that have taken some measures for security. Most of these messaging services rely on mobile network access security and Internet security technologies. The GSM authentication center (AUC) is used to authenticate each Subscriber Interface Module (SIM) card that attempts to connect to the GSM network. The authentication of the SIM depends on a secret key shared between the SIM card and the AUC, called Ki. This secret key is embedded into the SIM card during manufacture, and it is also securely replicated into the AUC. GSM network access security uses the A3/A8 (COMP128 actually used in GPRS) authentication algorithm and the A5 encryption algorithm. Transmission of the short messages between the SMSC and the phone is via Signaling System Number 7 (SS7) within the GSM MAP (Mobile Application Part) framework. The problem with GSM MAP is that it is an unencrypted protocol, allowing employees within the mobile operator's network who have access to the SS7 network to eavesdrop on or modify SMS messages [1]. The only encryption involved during transmission is the encryption between the base transceiver station and the mobile terminal. Transmission from SP to SMSC is normally protected by SSL/TLS using public-key certificate (PKC) cryptography. The technologies used in mobile networks and on the Internet do not cover each other. Thus, there is no end-to-end security. Even worse, some of the algorithms currently in popular use in mobile networks are already broken. 3GPP has developed the MILENAGE algorithm set and the KASUMI cryptographic core to replace the broken ones [2], [3]. However, much of the work on the UMTS access architecture has been focused on backward compatibility with GSM/GPRS. From a security point of view, backward compatibility with a system with weaker security is very undesirable but dictated by commercial reality [4].

B. SMS Tapping

The attacker can tap an SMS in different places. SMS tapping from radio broadcast, when an SMS is sent or received between a mobile phone and the base transceiver station (BTS), is not easy. Transmission from a mobile phone to the BTS is encrypted using the A5 algorithm. An attack on the A5 algorithm is known, but carrying it out requires analyzing a large volume of transferred data. If the attacker has access to the BTS or other parts of the GSM network, then the tapping is easy. The operator can always read all sent SMSs. Although it would likely be relatively complex to hack into the operator's systems from an external source to obtain the content of SMS messages, finding staff privileged to look at the SMS messages and persuading them to reveal the contents is easier. The tapping can be realized in a mobile phone too. Tapping programs can be found on the market today. These programs re-send received and sent SMS to an attacker's number. The program is hidden after installation. It can even be uninstalled remotely, when the phone receives an SMS in a proper format [5]. The attacker can tap an SMS, but can also send a fake SMS. Today, you can send an SMS with an arbitrary sender phone number. It is possible to prepay this service on certain websites [6].

III. SMS ENCRYPTION: LIMITATIONS AND REQUIREMENTS

Encryption can be classified into two categories: symmetric and asymmetric. Symmetric encryption is the process where a single key is used for both encryption and decryption. Asymmetric encryption uses two related keys, one for encryption and the other for decryption. One of the keys can be announced to the public as the public key and the other kept secret as the private key. The major disadvantage of symmetric encryption is key distribution, which is mostly done through a third party. Key distribution through a third party can negate the essence of encryption if the key is compromised by the third party [7]. Every SMS carries 140 bytes of effective data, so any encryption scheme must treat this as a limitation of the encryption process.

Many companies deal with securing mobile communication today. Calls, SMS and data stored in mobile phone memory have to be secured. The applications are written for the most widespread programming platforms for mobile devices. The common model for securing SMS is to use symmetric cryptography. For SMS encryption, the symmetric algorithm AES is commonly used. AES demands little computing power; therefore, applications can be written for the most widespread programming platform, Java Platform, Micro Edition. The disadvantage of this model is the need to exchange encryption keys via a secured channel [8]. The second option is to use asymmetric cryptography, where the public key is distributed. The public key can also be known by an attacker. Asymmetric cryptography can provide confidentiality, integrity and authentication of information as symmetric cryptography does, but also provides non-repudiation. Unfortunately, asymmetric cryptography is demanding in computing power. Applications using asymmetric cryptography must be written for devices with more computing power.

A. Programming Platforms for Mobile Phones

All modern mobile phones allow a user program to be started and run. The market currently offers the following programming platforms for mobile phones.

1. Java ME

Java Micro Edition (Java ME) is developed by Sun Microsystems. Almost all mobile phones include this programming platform. Unfortunately, the standard API is too poor to use advanced features (such as VoIP). Program code runs on a virtual machine. This concept is hardware independent, but its computing power may not be sufficient for some applications (such as asymmetric cryptography). Common mobile phones with Java ME use the MIDP profile. This profile uses the CLDC configuration, which requires hardware with a 16-bit/16 MHz processor; therefore correct operation cannot be ensured on all phones.

2. Windows Mobile

Windows Mobile is developed by Microsoft. Windows Mobile is built on Microsoft Win32 API. Supported devices are Smartphone, portable multimedia player or PDA. Graphical user interface (GUI) is close to classical Windows GUI.

3. Symbian OS

Symbian OS is developed by Nokia and others. It is used for smartphones. Symbian OS is the leading OS in the "smart mobile device" market. It offers a good support for developers and porting standard POSIX libraries in Open C project.

4. Others

To this group belong Linux on Mobile, Apple iPhone, Google Android and others. They have a very small market share in mobile phones. These platforms are supported by only a few types of mobile phones.

B. Requirements on the Encryption Application

The main requirement for an application is securing the confidentiality of the information sent in the SMS. Security should be sufficiently strong, with the characteristics of modern cryptographic systems, but not overly annoying to users. Users should not need to meet physically or to have a secure channel for distributing encryption keys. We used asymmetric cryptography for encryption. Public keys can be distributed through some less safe medium. Certificates are used to prevent the use of a spurious, fake public key. A generated certificate can be used as a request for signing by a certification authority. The certification authority can save and distribute the certificate with a public key, for example, through a web interface. Our application doesn't support communication with the certification authority. The user has to download and upload certificates to the mobile phone himself. The private key cannot be sent via SMS. We also secured the SMS against substitution with a fake SMS. This is realized through digital signing of the SMS.

The encryption algorithm must fulfill the following conditions:

- asymmetric algorithm
- encryption
- digital signature
- modern - not security through obscurity
- can work with output of less than 1,120 bits (140 bytes - the size of an SMS)
- should not unnecessarily waste space
- must be safe for short text encryption
- no additional hardware for encryption, only a software solution.

C. RELATED WORK

In the literature, many authors have used different encryption techniques to provide confidentiality to SMS transmitted messages. Some of these works are presented in this section. In a study by Lisonek and Drahansky [9], it was explained that the RSA encryption scheme could provide security for less than 1120 bits of SMS, if a suitable padding scheme is used. Toolani and Shirazi [10] have proposed an SMS protocol that uses ECDLP to provide confidentiality for an SMS m-payment system. Zhao et al. [11] explain in their study the use of identity-based cryptography in securing mobile messaging. Harb et al. [12] have presented the use of a 3DES session key in securing SMS. Garza-Saldana and Diaz-Perez [13] explained in their study how symmetric encryption could provide confidentiality to an SMS mobile payment protocol.

Most of these works use symmetric key encryption techniques. Owing to this, we perform an evaluation of three asymmetric encryption techniques in order to find the most suitable asymmetric encryption technique for securing SMS transmitted messages.

IV. ALGORITHM DESCRIPTIONS

This section introduces and describes each algorithm's mode of operation.

A. RSA cryptosystem

Ron Rivest, Adi Shamir and Leonard Adleman described the RSA encryption scheme in 1978. RSA uses modular arithmetic. RSA's mode of operation can be described as follows. Choose two large prime numbers p and q; calculate their product and the totient of their product as shown in (1).

(1)

An integer e is chosen, which must satisfy (2), where gcd stands for the greatest common divisor.

(2)

An integer d is then calculated using (3).

(3)

The public key is {e, n} and the private key is {d, n}. In order to encrypt a message M, we compute the cipher text as indicated in (4).

(4)

To decrypt the cipher text, we compute (5) to produce the message M.

(5)

B. ELGamal cryptosystem

Taher ELGamal described the ELGamal encryption scheme in 1985. ELGamal is defined over a cyclic group G of order p. It uses discrete logarithms. ELGamal's mode of operation can be described as follows [14]. Choose a prime number p, a generator g, and an integer pr. y is calculated from (6).

(6)

The public key is {p, g, y} and the private key is pr. To encrypt a message M, an integer k is chosen and the cipher text {a, b} is calculated from (7).

(7)

To decrypt, M is calculated using (8).

(8)
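The two schemes described in sections A and B, as an added example (not code from the essay's J2ME application): textbook RSA and ELGamal in Python, run over a constructed SMS text, with the raw cipher text size checked against the 140-byte SMS payload. The 256-bit size, e = 65537, the safe-prime choice for p and all function names are assumptions of this example; the RSA here is unpadded, while reference [9] makes a suitable padding scheme a condition for using RSA on SMS.

```python
import math
import secrets

SMS_PAYLOAD_BYTES = 140  # 1,120 bits of effective data per SMS (figure from the essay)

def is_probable_prime(n, rounds=16):
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):                      # Miller-Rabin rounds
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(c):
            return c

def rsa_keygen(bits, e=65537):
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (e, p * q), (pow(e, -1, phi), p * q)   # {e, n}, {d, n}

def elgamal_keygen(bits):
    while True:              # safe prime p = 2q + 1, so a generator is easy to verify
        q = random_prime(bits - 1)
        p = 2 * q + 1
        if is_probable_prime(p):
            break
    g = 2                    # g generates the whole group iff g^2 != 1 and g^q != 1
    while pow(g, 2, p) == 1 or pow(g, q, p) == 1:
        g += 1
    pr = secrets.randbelow(p - 3) + 2
    return (p, g, pow(g, pr, p)), pr             # {p, g, y}, pr

def elgamal_encrypt(pub, m):
    p, g, y = pub
    k = secrets.randbelow(p - 3) + 2             # fresh k for every message
    return pow(g, k, p), m * pow(y, k, p) % p    # cipher text {a, b}

def elgamal_decrypt(p, pr, ct):
    a, b = ct
    return b * pow(pow(a, pr, p), -1, p) % p

def sms_segments(modulus, components):
    """Raw cipher text bytes and the number of 140-byte SMS needed to carry them."""
    nbytes = components * ((modulus.bit_length() + 7) // 8)
    return nbytes, -(-nbytes // SMS_PAYLOAD_BYTES)

def demo(bits=256):
    m = int.from_bytes(b"PAY 250.00 TO ACCT 4471", "big")   # constructed sample SMS
    (e, n), (d, _) = rsa_keygen(bits)
    rsa_ok = pow(pow(m, e, n), d, n) == m
    pub, pr = elgamal_keygen(bits)
    eg_ok = elgamal_decrypt(pub[0], pr, elgamal_encrypt(pub, m)) == m
    return rsa_ok, sms_segments(n, 1), eg_ok, sms_segments(pub[0], 2)

if __name__ == "__main__":
    print(demo())
```

The sizes returned are raw binary: an ELGamal cipher text is two group elements, so it is twice the size of an RSA cipher text at the same modulus length. The application measured in this essay reports larger cipher texts in Table 6.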

C. Elliptic curve cryptosystem

Neal Koblitz and Victor Miller independently proposed the Elliptic curve encryption scheme in 1985. Elliptic curve uses the discrete logarithm over a finite field [15]. A prime curve over the finite field Zp uses a cubic equation of the form of (9), with a, b satisfying (10).

(9)

where a, b, x and y take integer values between 0 and p - 1.

(10)

The mode of operation of a prime curve over Zp can be described as follows. Choose a prime p, curve coefficients a and b, an integer pr and a generator G, which is a point on the curve with x and y coordinates. G is multiplied by pr as indicated in (11) to produce pu.

(11)

The private key is pr and the public key can be denoted as (12).

(12)

In order to encrypt a message M, the message is masked as a point with x and y coordinates, an integer k is chosen and the cipher text is computed using the formula in (13).

(13)

To decrypt, M is computed from (14) and the mask is reversed to produce the message.

(14)
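The scheme of section C as an added example (not code from the essay): elliptic-curve ELGamal in Python, with the message masked as a curve point and the two-point cipher text packed into a single SMS. The secp256k1 curve, the trial-and-increment masking with a length byte, the compressed point encoding and all function names are assumptions of this example.

```python
import secrets

# secp256k1 domain parameters. The curve is this example's assumption; the essay names none.
P = 2**256 - 2**32 - 977
A, B = 0, 7
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
SMS_PAYLOAD_BYTES = 140

def add(p1, p2):
    """Add two curve points; None stands for the point at infinity."""
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        s = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        s = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (s * s - x1 - x2) % P
    return x3, (s * (x1 - x3) - y1) % P

def mul(k, pt):
    acc = None
    while k:                                   # double-and-add
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def embed(msg):
    """Mask a message as a point: x = message || length byte || counter byte."""
    if len(msg) > 29:
        raise ValueError("one point carries at most 29 bytes in this encoding")
    m = int.from_bytes(msg + bytes([len(msg)]), "big")
    for j in range(256):
        x = (m << 8) | j
        rhs = (pow(x, 3, P) + A * x + B) % P
        y = pow(rhs, (P + 1) // 4, P)          # square root, valid as P = 3 mod 4
        if y * y % P == rhs:
            return x, y
    raise ValueError("no curve point found for this message")

def unembed(pt):
    m = pt[0] >> 8                             # drop the counter byte
    return (m >> 8).to_bytes(m & 0xFF, "big")

def compress(pt):
    return bytes([2 + (pt[1] & 1)]) + pt[0].to_bytes(32, "big")

def decompress(data):
    x = int.from_bytes(data[1:], "big")
    y = pow((pow(x, 3, P) + A * x + B) % P, (P + 1) // 4, P)
    return x, (y if (y & 1) == (data[0] & 1) else P - y)

def keygen():
    pr = secrets.randbelow(N - 1) + 1
    return pr, mul(pr, G)                      # private pr, public pu = pr * G

def encrypt(pu, msg):
    k = secrets.randbelow(N - 1) + 1           # fresh k for every message
    c1, c2 = mul(k, G), add(embed(msg), mul(k, pu))
    return compress(c1) + compress(c2)         # 66 bytes on the wire

def decrypt(pr, blob):
    c1, c2 = decompress(blob[:33]), decompress(blob[33:])
    shared = mul(pr, c1)
    return unembed(add(c2, (shared[0], -shared[1] % P)))

if __name__ == "__main__":
    pr, pu = keygen()
    blob = encrypt(pu, b"PIN 4821 valid 10min")    # constructed sample SMS
    print(len(blob) <= SMS_PAYLOAD_BYTES, decrypt(pr, blob))
```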

V. PERFORMANCE COMPARISONS

This section presents the security analysis of the three algorithms and their performance analysis in SMS encryption.

1. Security analysis

The security of asymmetric cryptosystems is based on hard mathematical problems, such as integer factorization, the finite field discrete logarithm and the Elliptic curve discrete logarithm [14]. RSA security, which is based on integer factorization, depends on the computational difficulty of factoring the product of large prime numbers. Sub-exponential algorithms can be used to solve this integer factorization if large prime numbers are not used. ELGamal security depends on the computational difficulty of discrete logarithms in a finite field. A sub-exponential algorithm can also solve this discrete logarithm if a large field size is not used [16]. Elliptic curve security depends on the computational difficulty of discrete logarithms; the known method of solving this problem has fully exponential run time. The absence of a sub-exponential algorithm for Elliptic curve means that a small key size can be used to achieve high security [17]. According to the National Institute of Standards and Technology (NIST) guideline on security strength comparison [18], Elliptic curve with smaller key sizes offers security equivalent to RSA and ELGamal with larger key sizes. Table 1 presents the NIST security comparison for algorithms of various key sizes.

Table 1: Algorithm security strength comparison

| Security bits | RSA | ELGamal | Elliptic |
|---|---|---|---|
| 80 | 1024 | 1024 | 160 |
| 112 | 2048 | 2048 | 224 |
| 128 | 3072 | 3072 | 256 |
| 192 | 7680 | 7680 | 384 |
| 256 | 15360 | 15360 | 512 |

As shown in Table 1, Elliptic curve key sizes of 160 and 224 bits offer security equivalent to key sizes of 1024 and 2048 bits for RSA and ELGamal. For proper presentation of these, Elliptic curve's key sizes of corresponding security strength as compared with those of RSA and ELGamal are given in Fig. 1. It can be seen in Fig. 2 that RSA and ELGamal of equal key sizes offer the same security strength. It can also be seen that key size increases with an increase in security bits.

Figure 2: Security strength comparison

The NIST recommendation for algorithm security lifetime [19], as shown in Table 2, indicates that RSA and ELGamal with 1024-bit key sizes can offer security up to the end of 2010, as compared with Elliptic curve with a 160-bit key size.

Table 2: Algorithm security lifetime comparison

| Security lifetime | RSA | ELGamal | Elliptic |
|---|---|---|---|
| 2010 | 1024 | 1024 | 160 |
| 2030 | 2048 | 2048 | 224 |
| Beyond 2030 | 3072 | 3072 | 256 |
| Beyond 2030 | 7680 | 7680 | 384 |
| Beyond 2030 | 15360 | 15360 | 512 |

It can also be seen in Table 2 that reasonable security can be achieved in 2030 if a 224-bit key size of Elliptic curve is employed, as with RSA and ELGamal of 2048-bit key sizes. A representation of key sizes of the various algorithms with their corresponding security lifetime is given in Fig 2. Fig. 2 illustrates that RSA and ELGamal of equal key sizes have the same security lifetime. It can also be seen from Fig. 2 that key size increases with an increase in security gap. Elliptic curve offers up to a 512-bit key size after 2030, providing a significant reduction in key size; this reduction can be crucial in the SMS environment, where a very large key size is not possible due to the low processing power of the mobile phone.

Figure 3: Security lifetime comparison.

2. Experimental Results

In this study, a J2ME (Java 2 Micro Edition) WMA (Wireless Messaging API) application [20] was developed for evaluating three asymmetric encryption techniques. This application was tested on an ARM9 processor mobile phone running at 219 MHz, with a JIT type of JVM and 10 MB of internal memory. The performance data were collected by applying different key sizes on the phone to get the key generation time for the various algorithms. Random SMS messages were also applied to measure the encryption and decryption time for different key sizes of the various algorithms. Key generation time is the time taken to generate a key pair. For each key size of the same algorithm, five test runs were performed and the average was calculated using the formula in (15). The results are tabulated in Table 3.

is the consecutive key generation time and is the average key generation time.

Table 3: Key generation time in milliseconds

| Key size | RSA | ELGamal | Elliptic |
|---|---|---|---|
| 160 | 951 | 406 | 2437 |
| 224 | 1237 | 830 | 4449 |
| 256 | 1957 | 895 | 6451 |
| 512 | 16863 | 15946 | 40317 |
| 1024 | 76498 | 68773 | 318574 |

Table 3 indicates that key generation time and key size are related: a rise in key size leads to an increase in key generation time. Considering that Elliptic curve of lower key size, as shown in Fig. 1, offers equivalent security compared to RSA and ELGamal of higher key sizes, we can say that Elliptic curve has a lower key generation time compared to RSA and ELGamal of equivalent security strength. In order to attain a reasonable level of security, a higher key size will be required after 2030, as shown in Fig. 2. The key generation time for RSA and ELGamal after 2030 will be very large and might be inapplicable to SMS, putting Elliptic curve at an advantage over RSA and ELGamal in the key generation process. Encryption time is the time taken to process SMS plaintext into cipher text. For each key size of the same algorithm, random SMS messages of different bit sizes were encrypted. The average of the encryption time is calculated using the formula in (16) and the results are tabulated in Table 4.

ei is the consecutive encryption time and Et is the average encryption time.

Table 4: Encryption time in milliseconds

| Key size | RSA | ELGamal | Elliptic |
|---|---|---|---|
| 160 | 18 | 2816 | 2696 |
| 224 | 28 | 5842 | 6268 |
| 256 | 37 | 7098 | 8242 |
| 512 | 258 | 29388 | 57236 |
| 1024 | 2013 | 140979 | 411558 |

Table 4 indicates that encryption time and key size are related: a rise in key size increases the encryption time. ELGamal has a high encryption time compared to Elliptic curve and RSA of equivalent security strength. The security level of ELGamal after 2010 requires a higher key size, as shown in Fig 2. Hence one may suggest that SMS encryption using the ELGamal algorithm will not be applicable after 2030.

Decryption time is the time taken to process cipher text back to plaintext. The previously encrypted SMS messages were decrypted. The average of the decryption time is calculated using the formula in (17) and the results are tabulated in Table 5.

di is the consecutive decryption time and Dt is the average decryption time.

Table 5: Decryption time in milliseconds

| Key size | RSA | ELGamal | Elliptic |
|---|---|---|---|
| 160 | 10 | 18 | 1292 |
| 224 | 28 | 27 | 2907 |
| 256 | 37 | 37 | 3932 |
| 512 | 259 | 194 | 27034 |
| 1024 | 1024 | 1107 | 198823 |

It can be seen from Table 5 that there is no significant difference in the decryption time of the 1024-bit key size for RSA and ELGamal as compared to the 160-bit key size for Elliptic curve, which are of equivalent security strength as shown in Table 1. The lower key generation time for Elliptic curve of equivalent security as compared to RSA and ELGamal has made it a better option. If the key size becomes too high, it will not be practical for SMS encryption. A 159-bit message was chosen at random in order to analyze the cipher text bit size in SMS encryption. The corresponding encrypted bits for different key sizes are tabulated in Table 6. These results show that encrypted messages usually get larger than the original messages. Considering that SMS can only send up to 1120 bits of message at a time, messages encrypted with a large key size get as large as three times the original messages, leading to additional cost in sending SMS encrypted messages. Since Elliptic curve uses a smaller key size to achieve high security, it is the most cost-effective algorithm for SMS encryption as compared with RSA and ELGamal.

Table 6: SMS bit size after encryption

| Algorithm | Key size | Cipher bit | No. of SMS |
|---|---|---|---|
| RSA | 256 | 614 | 1 |
| ELGamal | 256 | 1222 | 2 |
| Elliptic | 256 | 789 | 1 |
| RSA | 512 | 1230 | 2 |
| ELGamal | 512 | 1230 | 2 |
| Elliptic | 512 | 1635 | 2 |
| RSA | 1024 | 2470 | 3 |
| ELGamal | 1024 | 2470 | 3 |
| Elliptic | 1024 | 3198 | 3 |

VI. CONCLUSIONS

This paper examines the security of RSA, ELGamal and Elliptic curve. Their performance evaluation in securing SMS shows that key generation, encryption and decryption time increase with an increase in key size. Large key size algorithms are not suitable for SMS encryption due to the small memory and low computational power of mobile phones. Elliptic curve's ability to provide high security with a smaller key size makes it very useful in resource-limited devices such as mobile phones. This has put Elliptic curve at an advantage over RSA and ELGamal in SMS encryption. In the course of this work, we realized that an encrypted message usually gets larger than the original message, leading to excessive charges in sending SMS encrypted messages. In our future work, data compression will be introduced on the encrypted messages; this will reduce their bit size, thereby reducing the additional cost incurred in sending SMS encrypted messages.