Security in mobile communications using j2me

Published: Last Edited:

This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.



The advancements in wireless networks paved way for enormous changes in mobile devices, standards, middleware, network implementations, etc. Smaller and lighter mobile device development has been witnessed on account of digital chip technology. Individuals can connect to internet, at anytime & from almost any place through mobile devices, advancement in wireless technology especially in mobile cellular technology which supports packet data transmission. Cellular mobile devices like mobile phones, Personal Digital Assistants (PDAs), laptops, pagers are used by nearly 2 billion cellular subscribers around the world, among which 130 million are 3G users. Sooner or later the need for secured and authenticated transmission of data arises. Mobile banking, corporate server accesses, online mobile stock trading, etc could be the areas in demand. Applications must be authenticated before getting downloaded into a mobile device and mobile network infrastructure also has a key role in rendering security support to such applications in network layer. Encryption is an imperative tool for secured communications and Cryptography is the maths that designs encryption and authentication algorithms. Most of these algorithms are categorized either into symmetric-key scheme or asymmetric-key scheme. But, encryption fails to avoid intervention and modification of data on communication channels. It can only assure communication channels free from data hacking. Message Authentication Code (MAC) is adapted to ensure integrity of messages. Hence, security is very imperative aspect for mobile telecommunications to survive in this IT relam.

Mobile devices are de-facto devices for communication pushing traditional wired communication. As users are increasing for mobile communication, it is necessary to have appropriate security standards for the customers. The project develops a security framework which can be deployed in mobile communication. Mobile industries will find this project feasible and add on to their organization. The document we present with the project will give a lead in further enhancement in quality and security of mobile communications.

1.1 Mobile Security:

Security is must in the happening world of mobile internet. On-device data control, confidentiality in data and privileged access to data are the 3 key aspects of mobile security. Safeguarding messaged against hackers is data confidentiality. Regarding network security restricted and controlled access to applications through communication medium form the aspect of privileged data access. Unauthorized access to data stored on mobile devices (like private keys, passwords, etc) can be hindered if strong encryption policy is in place.


For applications with several value-added services, serveral HTTPS connections are joined together which could compromise security at connecting nodes. Even public key certificates for such connections is an overhead.


Applications like online mobile stock trading / multilevel transaction approvals, which require part of the communication to be open, need no connection-oriented security. Besides, authenticating the stock quotes and signatures need higher attention. Encrypting entire content imposes unneccesary processing.

For applications having special security and performance requirements, HTTPS is not very flexible:

HTTPS is not compliant key exchange or handshake methods of data encryption. For instance, clients authenticating themselves is not required. 265-bit symmetric key security encryption might not be ensured.

Lot of interactions happen between mobile applications and back end servers, for data extractions and organizing customized user displays on the mobile devices. User authentication and authorization mechanisms vary from one service provider to another. Each of them require a unique way of user sign on, wherein HTTPS is not useful.

To fulfill the aforementioned mobile security aspects, developers must gain programmatic access to cryptography related algorithms that are packages in APIs. These APIs provides the developers with secure content rather than mere data connections inside the mobile environment. And the security methods for secure content are almost alwaysapplieintheapplicationlayeronly.

Mobile phones & PDAs are the most used devices in the cellular network. Third party cryptographic tools can be employed in case of failure of OS / platform supporting cryptography algorithms. Few mobile cryptography packages whose support is restricted to a particular OS or platform are as follows: MS CAPI for Windows CE, Sexuroty and Trust Service API, .NET compact framework. And those which fall under third party packages are BouncyCastleAPIetc.

Mobile Banking Application:

This system is aimed to give a better out look to the user interfaces and to implement all the banking transactions like

  • Supply of Account Information
  • New Account Creations
  • Deposits
  • Withdraws
  • Loans
  • Check References
  • Check Reference of Loans
  • Close Accounts
  • Report Generations
  • Administration

1.1 Scope of the project:

With the proliferation in the mobile communications, the security levels of the communication should also be enhanced.

This thesis focuses on the limitations of the existing security interfaces available for mobile application development and I come up with an enhanced framework for secured communication in a mobile network. I implement the framework in J2ME because of its facilities for MID development.

1.2 Security Standards:

In order to provide sufficient security in the mobile application environment proper security standards which include algorithms, cryptographic techniques, API's and encryption techniques have to be applied. Widely used mobile communication security standards are the AES algorithms, API's like Bouncy Castle Provider API and cryptographic techniques like Elliptical Curve cryptography (ECC) and password-based encryption (PBE) techniques, these mobile security standards also have some limitations and also the enhancements to make in this project are described.

1.3 Supply Of account Information:

The account information service will provide customers a summary of their accounts. The customers can get details of each account, a snapshot of the balances, a record of payment and transfers made, whenever they require.

In addition to displaying the account balance information, the clients would get a warning when the account balance falls below the minimum limit. Bank decides this limit.

The customers will also be provided account statements and transaction reports based on any user-defined criteria. Moreover, this system will make tracking of transactions easy, the User would be able to get details of the various transactions based on the Account number, the transaction date, the period of the transaction, and so on.

1.3.1 New Account Creation:

Whenever a new customer comes, this system facilitates to create an account in his name. The customer must provide information regarding the type of account he wants to open, amount of deposit, his address and reference of the person who already has an account in the bank.

1.3.2 Deposits:

All sort of banking deposits need to be implemented in the system. The user needs to enter the information like account number, pin number and the amount.

1.3.3 Withdraw:

All sort of banking withdraws need to be implemented in the system. The user needs to enter the information like account number, pin number and the amount. The system must maintain the minimum amount for each account.

1.3.4 Loans:

This system should allow the user to apply for different types of loans. When a person is applying for a loan, he/she should provide the information of account number, pin number, loan type, amount, document number that they are placing as a surety and a reference of other person who is having an account in that bank.

1.3.5 Check References:

Whenever a user is going to create a new account, the user should provide a reference of a person who already has an account in the bank. The referee should approve that reference request. This module facilitates the referee to approve that type of requests.

1.3.6 Check references of loans:

Whenever a user is going to apply for a loan, the user should provide a reference of a person who already has an account in the bank in addition to the other information. The referee should approve that loan reference request. This module facilitates the referee to approve that type of requests.

This system should allow the user to make a request for closing of account in the bank. Here the user must specify the account number and the reason for closing of account.

1.3.7 Report Generation:

Reports are very essential for the banking organization. It needs to generate different reports of banking information from the stored information. These reports can be stored as soft copies in the system for future use.

1.4 Maintenance and Administration:

This module consists of all the administration parts like approvals and closing of accounts.These approvals include approval of new account, loan, deposits and withdrawals made by different users and the processing of accounts closing also comes under this part.

This module will provide an easy and simple method of updating information related to deposits and withdrawals in the bank records. It includes:

  • Creating new accounts and account numbers with access codes. Through these access codes, customers will interact. These access numbers will be unique and confidential.
  • Maintaining separate tables that will store data
  • Various transactions done by the customer
  • Requests for stopping the payment
  • Generating customized reports that will display the customer transactions

1.5 Customer Interface:

This module will provide an easy method to users to manage the accounts. When they run the application they will be required to fill in the login name and password.

Here, the options offered to the User are:

  • Balances: They will able to view the current status of their accounts.
  • Statements: They will get a detailed reported of the transaction carried out during a specified period.
  • Transfers: this will be related to the transfer of money from various accounts of the customer. The User can get a detailed report of various transfers.
    • Stop payment: this option will allow Users to fill in details regarding a payment or transfer of funds, they want to stop.

Mobilebanking Information security issues:

2.1The operation ofmobilebanking:

A mobile banking system possesses a mobile banking unit and data processing kiosk, usually a mainframe computer performing transactions and data storage activities. These systems have a few terminals like multimedia enquiry stations, deposit machines and ATMs. Mobile banking system has built a strong foundation for customized, customer-based financial services which employs various wireless channels of communication.An issue in security varies from one technology to other. Since the time of its origin, network financial services have been the sole target all kinds of crimes in technology.

Mobile operator & handset users' zone, and mobile operator & banking system zone are the 2 security zones in mobile banking. Hacking, virus attacks like information security troubles prevailinmobilebankingsystemsaswell.

Wireless communication information security related to mobile banking are as shown below:

Loss, leakage and distortion of information:

Information transfer in mobile banking world happens through wireless networks. Wireless data network functioning require radios that takes in digital data (0s and 1s), perform modulation and convert them into radio signals. On the other end, these radio signals are received, demodulated and converted back to digital data. Many radio operations happen without interfering among themselves, a feature termed as coexistence. Present wireless technology gives very less number of tools to protect wireless data transmissions. Banking transactions are confidential and may be lost, leaked or distorted through daily transaction devices. Attackers might compromise confidential information through network overlapping and installing acceptable electromagnetic devices to gather, delete, edit and damage some of the important data of authorized users.


With mobile devices and unstable transmission channels, incomplete communications happen. Customer sending messaged from an area of poor wireless signal coverage often encounter either incomplete or failure of data transfer. Apart from this, low electricity backup in mobile devices leads to incomplete banking transactions.


Attackers send pool of irrelevant messages by acquiring the SMS gateway loopholes. They interfere mobile banking systems and the alter the services, induce malfunctions to degrade the response time of the system. All these acts trouble legitimate mobile banking users.

Virus attacks

The possibility of virus attacks is greater in mobile banking than in network banking. Erstwhile virus attacks were just able to malfunction the mobile phone and delete the data from it. But now much more can be affected in a wireless network. There are many factors which aggravate the effect of virus. One of them is that though the mobile phone is in wireless network, the virus sent in its network can infect fixed network terminals. The next point is that generally wireless networks do not have the provision for tackling the virus attacks. It is hard to use antivirus softwares in mobiles taking in to account the power consumption. Virus can spread through the bluetooth also and not only through the Operating System of the mobile phone according to the findings of Russian experts who were first to do that. Through bluetooth the virus can send the files to the other phones with in the bluetooth radius.

The Mobile Banking Information Security Protection Methods

By learning all the above points, we can say that security issues in mobile banking differs a lot from network banking and moreover mobile banking is more challenging in terms of security. So, we should be using new security mechanisms which are different from network banking. The next part will tell about protection tools in mobile banking.

3.1 Implementation of data Encryption

Until now the security mechanism has been applied at the transaction layer. But in mobile banking this is not enough as it needs confidential, secure information to be used, like Password and PIN. We can overcome this by using Encryption technology which is also used in GSM which is nothing but a wireless transmission basis. Firstly, for a strong security encryption we need a large storage capacity and a good computing power which obviously cannot be made available in mobiles as they have low operational capacity. Good encryption mechanisms can be used in internet banking which have powerful computers and in that way achieve safety. To achieve higher safety but with less computing power of the encryption, mobiles will have to use two algorithms AES and ECC which are symmetric and asymmetric respectively. This increases the encryption and decryption speed simultaneously ensuring the data security. This can be done by encrypting the wireless transmission data with AES after which the encryption key makes use of ECC to encrypt. So, when the cryptograph gets attacked, it directs to the AES 128. If hackers try to attack the ECC's session key, they will end up with the problem of ECDLP. Moreover there is not much value getting and using the session key because it works only one time. Also the key management of this algorithm is very small which improves the security by decreasing the volume of key management. These two algorithms are said to be the best and effective algorithms known.

System and Data Integrity

Data integrity can be ensured by constant monitoring of the data transmission process and failure of records. The data loses its integrity because of the viruses and other malicious infections on equipments like carrier channel, gateways, and servers. The broken data caused in the transmission should be processed with tools which avoid this non-integrity. This can be done by making use of suitable provisions like firewalls, rapid recovery and intrusion detection which will ensure security of the data too. These tools must be in position to test the code's integrity which in turn assures the entire mobile banking system's integrity.

3.3 Identity Authentication

Authentication plays an important role in defense as it is the ground for other security tools in mobile banking. Customer will have to sign an agreement with bank for establishing customer identification information, phone numbers, and password protection techniques as required for customer authentication. There are chances that hackers access bank passwords and valuable information as they are easy to remember and also the possibility of loss of mobile in open environment. This needs a dynamic authentication system which has been developed by South Korea. This system DAS4M is based on WIPI mobile platform. In this, the characters are displayed on the screen, according to which we have to use equivalent figures on the keyboard which will replace the password. Thus learning dynamic password system and other mechanisms from network banking consequently improves security of mobile banking.

3.4 Digital Signature

Data authentication can be done by using digital signature. Digital signature mechanism also uses algorithms.RSA algorithm which uses integer factorization and ECC algorithm which uses elliptic curve discrete algorithm problem. This algorithm is as efficient as ECC in safety and computing speed. Especially ECC level of security is suitable for mobile banking. This can be said because of the following points: RSA uses complicated computing and slow encryption. ECC uses low speed computing and high level security. Its storage is also small. ECC will be able to finish the same work with less computation. The performance of RSA with 1024 key length is equal to ECC with 160 key length. This makes ECC more appropriate for mobile banking. In china mobile banking application uses the digital signature which is embedded in STK card. The RSA key along with Hash functions is embedded in to STK card to get the digital signature. So far in e-government and e-commerce ECC is made use of, and in future it will be used in mobile banking security system also.

3.5 WPKI

Key and certificate management platform system standards are used in e-commerce PKI security mechanism. Based on these standards WPKIï¼Ë†Wireless Public Key Infrastructure) is developed so that it satisfies the wireless network authentication and encryption requirements.It makes use of optimized ECCand compression X.509 digital certificates. It ensures data integrity, user authentication, data on transmission and non-repudiation of transactions which sum up to entire information security effectively as it uses a trusted third party organizations' Certification Center and public key certificate management to ascertain user's identity.

From the name itself we can say that WPKI is optimization of PKI. But there are certain restrictions like the size of IETF PKIX certification format and reduction of storage space of certificates caused due to 100 B Elliptic Curve Crypto system.WPKI uses ECC based public key system and use one pair to match other's key. The public key in digital certificate of receiver is used by the sender while delivering a message. For decryption the own private key of recipient is used. So, the information is completely reached to their destinations. The user's risk in transaction eradicated by using WPKI in mobile banking, as it ensures authenticity, data integrity

and identity of transactions. Further advancement of technology in WPKI, its interoperability with PKI will be achieved. Also the handling difficulty of WPKI certification and the data length will be reduced. This consequently creating better security in mobile banking environment.




The existing system consisted of files with literally no file security standards like Bouncy castle system. Bouncy castle API was to be implemented due to the following factors against which several security measures had to be taken up:

  • Reading or tapping data of the bank
  • Manipulating and modifying data
  • The Illegal use of files.
  • Corrosion of data files.
  • Alteration of data transmission.
  • Disturbance of the operation of equipment or systems.

The main issue of (1) is secrecy and confidentiality. Confidentiality has always played an important in diplomatic and military matters. Often Information must store or transferred from one place to another without being exposed to an opponent or enemy. Key management is also related to Confidentiality. This deals with generating, distributing and storing keys.

Items (2-4) are primarily concerned with reliability. Often the expression integrity is used as a measure of genuineness of data. Also Computer files and networks must be protected against intruders and Unauthorized.

Items (5-6) are a different aspect of the security of the information, its continuity. Here the data must be protected against deliberate disruption during its transmission and storage.




Java language was developed by James Gosling and his team at sun micro systems and released formally in 1995. Its former name is oak. The Java Development Kit 1.0(JDK1.0) was released in the year 1996. To popularize java and is freely available on Internet.


Java is loosely based on C++ syntax, and is meant to be Object-Oriented Structure of java is midway between an interpreted and a compiled language. The Java compiler compiles Java programs into Byte Codes that are secure and portable across different platforms. These byte codes are essentially instructions encapsulated in single type, to what is known as a java virtual machine (JVM), which resides in standard browser.

Jvm verifies these byte codes when downloaded by the browser for integrity. Jvms available for almost all OS. JVM converts these byte codes into machine specific instructions at runtime.


  • Java is object-oriented language and supports encapsulation, inheritance, polymorphism and dynamic binding, but does not support multiple inheritances. Everything in java is an object except some primitive data types.
  • Java is portable architecture neutral that is java programs once compiled can be executed on any machine that is enabled.
  • JAVA is distributed in its approach and used for Internet programming.
  • Java is robust, secured, high performing and dynamic in nature.
  • Java language supports the concept of multithreading. There for different parts of the program can be executed at the same time


Java is strongly associated with Internet and known as Internet programming language. Internet users can use java to create applet programs and run them locally using java enabled browser search as hot java. Applets can be downloaded from remote machine via Internet and run it on local machine.


World Wide Web is an open-ended information retrieval system designed to be used in the distributed environment. This system contains web pages that provide both information and controls. We can navigate to a new web page in any direction. This is made possible worth HTML java was meant to be used in distributed environment such as Internet. So java could be easily incorporated into the web system and is capable of supporting animation graphics, games and other special effect. The web has become more dynamic and interactive with support of java. We can run a java program on remote machine over Internet with the support of web.


Java environment includes a large no. Of tools, which is part of the system known as java development kit (JDK) and hundreds of classes, methods, and interfaces grouped into packages forms part of java standard library (JSL).


Java architecture provides a portable, robust, high performing environment for development. Java provides portability by compiling the byte codes for the java virtual machine, which are then interpreted on each platform by the runtime environment. Java also provides stringent compile and runtime checking and automatic memory management in order to ensure solid code.


When we compile the code, java compiler creates machine code (byte code) for a hypothetical machine called java virtual machine (Jvm). The Jvm will execute the byte code and overcomes the issue of portability. The code is written and compile for one machine and interpreted all other machines. This machine is called as java virtual machine (JVM).


  • Dynamic down loading applets (small application programs);
  • Elimination of flatware phenomenon that is providing those features of a product that user needs at a time. The remaining features of a product can remain in the server.
  • Changing economic model of the software
  • Up-to-date software availability
  • Supports network entire computing
  • Supports CORBA & DCOM


Servlets provide a Java(TM)-based solution used to address the problems currently associated with doing server-side programming, including inextensible scripting solutions, platform-specific APIs, and incomplete interfaces.

Servlets are objects that conform to a specific interface that can be plugged into a Java-based server. Servlets are to the server-side what applets are to the client-side -- object byte codes that can be dynamically loaded off the net. They differ from applets in that they are faceless objects (without graphics or a GUI component). They serve as platform-independent, dynamically loadable, pluggable helper byte code objects on the server side that can be utilized to dynamically extend server-side functionality.


Servlet is a technology that is designed to be implemented as part of various types of servers supporting different protocols. Servletsrun on request/response oriented servers. For example, a servlet can take data from a HTML form filled by a client and then update the data in the database by applying the business logic.

Servlets can be embedded in many different servers because the servlet API, which you use to write servlets, assumes nothing about the server's environment or protocol. Servlets have become most extensively used within HTTP servers; many web servers support the Servlet API.


Servlets are an effective substitution for CGI scripts. They use APIs which are platform specific to the programming on the server-side. It is easier Than CGI script to run and also to write.So use of the servlets can handle HTTP client requests. For example, have servlets process data Posted over HTTPS by using an HTML form, including the purchase order or credit card data. The servlet like this could be part of an order-entry and processing system, working with product and inventory databases, and perhaps an on-line payment system.


Here are a few more of the many applications for servlets:

  • Allowing collaboration between people. A servlet can handle multiple requests at the same time as, and can synchronize requests.
  • Forwarding requests:Severeal servers can share the load to maintain balance by forwarding requests to those servers and servlets reflecting the same content. So, according to the type of task and organisational boundaries, a logical service can be divided among different servers.


The javax.servlet package gives the interfaces and classes for writing servlets. The architecture of this package is explained below.


Servlet interface is a specification of servlet method prototypes. To use these methods, a servlet must provide an implementation for these methods.This is generally done by extending any class like HttpServlet which implements the servlet interface.

The servlet interface contains only the prototype specifications o the methods but not the implementation. While developing a servlet, The classes which provide implementation to it will write the code for that methods.


When a client sends a call to the servlet, two objects are sent:

  • ServletRequest: This object contains request data to be sent to the server from client.
  • ServletResponse: This contains response data to be sent bto the client from the server.
  • These are nothing but the names of the interfaces in the package called javax.servlet.

4.9.6 The “ServletRequest” Interface:

Through this interface, a servlet class can access:

  • Parameter names sent by client, the client's protocol and the host names and server names involved in the request process.
  • The input stream used to get the clients' data like HTTP GET and POST methods which are part of the application protocol of the client.
  • Interfaces that extend ServletRequest interface permit the servlet to retrieve more protocol-specific data. For example, the HttpServletRequest interface includes methods for accessing HTTP-specific header information. The ServletResponse Interface:

The ServletResponse interface gives the servlet methods for replying to the client.

  • Using this interface the MIME type and content length of the reply can be set.
  • The reply data is sent using a writer,output stream and ServletOutputStream Offers an output stream, ServletOutputStream.

Using this interface, a servlet can be provided with protocol-specific capabilities.For example, a header information which is specific to HTTP can be manipulated by HttpServletResponse as it contains methods to do it.

4.9.7 HTTP Servlets:

The classes and interfaces mentioned above form a basic servlet. But HTTP Servlets provide additional features like session-tracking using some other objects . the servlet and the client maintain state between them as the servlet witer uses this API. During some time period, this state is persevered across several connections. HTTP servlets also have objects that provide the support for cookies. Cookie API is used by servlet writer. It uses this API to make the client save the data and receive the data to the server.

Reasons to pick J2ME:

The following reasons can answer why I have chosen J2ME for my project:

  • The processing power of the java phone to process the data locally
  • Portability and compatibility of java code
  • The ability of encrypting only the necessary data using differential security policy on the client
  • Encryption operations according to the content and sensitivity of the network
  • Advantage of J2ME is it can operate over the WAP.

Now days, many mobile devices recognize the Java ME standard.

There are many configurations in Java ME standard some are like Connected Limited Device Configuration (CLDC) and a profile like the Mobile Information Device Profile (MIDP), And at least one of them is used in Java ME standard. For some specific areas of functionality the Java ME provides optional packages. All payment transactions from a mobile device can be considered as a mobile payments. The payments from mobile phones, credit card or smart card can be account based systems that we interested in. there are two parties involved in mobile payments they are customer and a financial service, usually a bank.

Consider the transactions are taking place over the mobile network. And the existing wireless network's infrastructure and protocols does not require modifications, because, the security architecture proposed on application layer is self-regulating of the lower layers'.


5. Research Methodology:

  • Finding resources for previous security frameworks in Wireless (Mobile) and wired Communications.
  • Analyzing and comparing the frameworks to find their drawbacks and features.
  • Proposing a framework (maybe combination of previous frameworks) to put down the initiative for the new application.
  • Having discussion, meeting and chat with the mentor of the project at regular intervals.
  • Learning J2ME as a part of development process.
  • Improving relevant technical knowledge by reading books and also, with the help of the internet.
  • Having discussion, meeting and chats with Engineers to increase mobile security knowledge to do this project.
  • Deploying and testing the framework by loading the program in to a mobile and find the results in real time.
  • Analyzing the results and concluding accordingly.

5.1 Protection of agent:

Protection of this application can be provided by following countermeasures.

5.1.1 Authentication:

Before accepting an incoming request, you want to know the sender details. In this case, you need authenticate the application. This process includes the verification of the developer who created the application or before sending the request to some host you may wish to authenticate the host and what its credentials are.

Authentication of user: the user needs to authenticate himself to a given server. Public-key encryption or a password can be used for this purpose.

Authentication of host: before a server starts to communicate with another host or user, it needs to know with whom it is communicating.

Authentication of code: before executing an incoming application, the host needs to know who created the application. Digital signatures are typically used for this purpose.

Authentication of application: before executing an incoming application, the server needs to know who is responsible for this agent or who its owner is.

5.1.2 Integrity:

To rely on an application, one has to make sure that no one has known with its code and data. Checking the integrity of the application is the technique we use to make sure that no manipulation is done with its code and data.

5.1.3 Confidentiality:

An application may carry confidential information that should be readable only by intended server or application. Such information should be kept secret form other servers and applications.

5.1.4 Authorization:

Authorization or access control is the way to specify and enforce an application's capability to access information or to use services provided by a server.

5.1.5 Cryptography:

Protection of the private data of the user: The private data may include account information or card information, which can be changed or used inappropriately by the remote host which is executing a mobile-banking application. By using the conventional technique of symmetric-key cryptography where the private data of the user, which is the e-money or account details that it is carrying, is sent in the encrypted form. This encrypted private data will remain intact until its secret keys are compromised. This is done by combining Bouncy castle API with Password based encryption.

Protection of the results generated by the server: When mobile-banking executes on some host, it may produce some data that may be confidential to the owner. That result can be used or altered by the same host where it is producing the results. This kind of attack is prevented by using symmetric as well as asymmetric keys. Where the result created by user is first encrypted using the symmetric key or secret key which is produced on the remote host and then this secret key is encrypted afterwards using asymmetric key . Then these two encrypted data is sent back to the owner, the encrypted key and the encrypted results. This data is decrypted back at the owner's application. This way the security of the results can be achieved.

Protection of the application itself on remote host: this is an approach in which code is changed so that, it becomes hard to understand, but performs the same function as the original program.

Problems regarding cryptography packages in mobile environment:

Conventional cryptography packages bind numerous algorithm related functions in a single set of API specific methods. Most of these methods have complex algorithm selection criteria needed to set up multiple parameters in the selection of mode of operation. Thus, application is tightly coupled to the cryptography implementation by the developers, which is in contrast with the seperation of concerns policy. This in turn spawns critical problems leading to increased degree of misuse of API methods by the developers. Mobile devices possess limited resources like CPU speed, size of memory, persistent storage; that is why several mobile cryptographic packages are subclasses of the desktop counterpart. Mobile APIs being lightweight in nature do not have useful initialisationandauthenticationmethodswithinthem.

Algorithms like .NET compact framework, CAPI for Pocket PC are not always handy in mobile cryptography package leading to unavailability of few cryptography features. For instance, lack of support for MAC in Secure and Trust Service API causes developers to search for other methods around the APIs to implement the missing features.

The way cryptography algorithms are implemented in the packages define the complexity in the API. Many of such contemporary packages are implemented with algorithms that involve multiple initialization options that are often misused by developers. Initializing default vectors with blank byte arrays, generation of secret keys using pseudo-random numbers are some of the examples. Presuming that external APIs can hide the difficulties on applying cryptography from the developer, if any internal modules were implemented with low standards, the whole system's security would go in vain. Mere deployment of key algorithms like AES will not serve the purpose of ensuring security for a software deliverable. To add on it, cryptography needs to be implemented with utmost care and attention. One should not oversee the cryptography fundamentals (mentioned below) that are the best pratices (independent of the enviroment in which they are applied) :






For mobile cryptographic packages, strong fundamentals is not often applied inside them and usage of limited methods outside the API increase the complexity. These 2 characteristics make mobile cryptography packages more vulnerable when compared with that of desktops.

Developers must be cognizant of the aftermaths on applying cryptographic functions with input parameters from trusted resources.

Cryptography packages in mobile environment must adhere a few parameters:


Mobile devices are essentially responsive in nature. CPU-specific tasks and asymmetric algorithms must be handled at acceptable speeds.


A mobile device contains only 100 kilobytes of storage. But, most cryptography packages demand megabytes of data. Hence, size is a key consideration while implementingthecryptographyinmobiledevices.


The objective of mobile device cryptography packages is to provide robust security schemes which come from the selection of reliable algorithms. Password-oriented encryption, digital signatures, symmetric & asymmetric keys should be implemented.


Cryptography package APIs which en-capsule multilayerabstraction and inheritance features support a wider pool of algorithms. But, as the complexity of the APIs increases, thelevelsofadoptionofthesamedecreases.


Keys for various algorithms must be matched and identified at both the ends of the communication channel. The key pairs are generated before hand, on the server side and sent to the mobile device, as asymmetric key generation is bit slow process in mobile devices. Measures should be taken to make the entire process of serialization and key generationiseasyandsecure.

Based on this research, we have developed a mobile cryptography package using Bouncy castle API framework. This applies secured cryptography in mobile devices apart from keepingasimpleAPI.


  • Jed 1.4, Jsdk2.0
  • ODBC Drivers installed
  • JDBC Drivers installed
  • Web Logic Server 7.0
  • Oracle 8i or later
  • Windows 2000
  • DeckIt


  • Personal computer with P IV processor
  • 2.1 GB hard disk space
  • 64 MB RAM

The following conclusions were made about the system after the detailed study of the system:

5.4 Technical feasibility:

The following factors explain the technical feasibility of the system:

  • Flexibility: Usage of JAVA for the algorithm development ensured that flexibility would be guaranteed.
  • Ease of use: With networking concepts kept in mind, ease of use was an important factor. Complexities could occur at stages, but ensuring transparent operations was necessary.
  • Ease of upgrade: The system support room for improvement.
  • Simplicity: The system is simple in nature.

5.5 Economical feasibility:

This algorithm was best suited on any operating system that was available in the Company and using JAVA to implement the algorithm.

Keeping the economical feasibility in mind, it was decided that working on a platform that is already existing and suited for file programming would be economical for the development of the project.

5.6 The Main Objective:

  • Creating the bank data base.
  • Implementing the algorithm
  • Encryption
  • Decryption

5.7 Implementation:

The security concern in mobile communication will be on high priority while using in mobile banking, mobile electronic purchases, so I would like to do implementation, which is done to show the various aspects of security in mobile agents. By taking an example of mobile banking agent application we will be discuss the various security concerns it may face while travelling from server to remote host to complete the transaction.

5.7.1 Implementation of Mobile Banking Application:

With the example of mobile Banking application, when the user tries to do a bank transaction, the different types of security concerns the application may prone to. Some facts which are considered here are

  • Consider an application of mobile banking where mobile agents help in doing bank transactions on the behalf of their owner.
  • Here we have to set an itinerary of an banks, it consists of all the banks where the agent is supposed to move, one after other or you can say the path of the agent where it has to proceed to get its work done.
  • When the agent finds a desired host bank where it can do its transaction cost, it will come back to the owner with the information about the bank host.
  • Here our application is made cautious and prepared if a host turns out to be compromised, then how it will protect its private data, protects the results it is going to produce on remote host and finally how it will protect itself.


Data flow diagram is a structure analysis tool that is used for graphical representation of Data processes through any organization. The data flow approach emphasis on the logic underlying the system, by using combination of only 4 symbols. It follows the top down approach of development. A full description of a system actually consists of set of DFD s, which comprises of various levels. And initial over view model is exploded lower level diagrams that show additional feature of the system. Further each process can be broken down into a more detailed DFD. This occurs repeatedly until sufficient details are described.

5.8.1Customer DFD:--

  • Account Creation
  • Loans
  • Transfer Amount
  • ChequeBook
  • Closing Account

DFD symbols:


It defines a source (originator) or destination of system data.


It indicates data flow-data in motion. It is a pipeline through which the information flows.

Circle or Bubble:

It represents a process that transforms incoming data flow(s) to outgoing data flow(s).

Open Rectangle:

It is a data store-data at rest, or a temporary repository of data.

5.8.2 Phase 1: Context Level:

Level - 1: User Registration

Level - 2: User Login

Level - 3: User Deposit Details

Level - 4: User Withdrawal Information

Level - 5: User Balance Enquiry

Level - 6: User Transaction Details

Level - 7: Apply Loan

Level - 8: Closing Account

Level - 9: Get Account Info,

Level-10.User Approval

5.8.3 Phase 2: Level 1: Check Reference and Create Account Level 2: Check Amount and Deduct Amount

5.8.4 E - R DIAGRAM:


Data dictionary consists of description of all the data used in the system. It consists of logical characteristics of current systems data stores including name, description, aliases, contents and organization. Data dictionary serves as the basis for identifying database requirements during system design. Data dictionary is a catalog, a depositary of the elements in the system.

The data dictionary is used to manage the details in the large system, to communicate a common meaning for all system elements, to document the future of the system, to locate errors and omission in the system. Data dictionary contains two types of descriptions for the data flowing through the system attributes and tables. Attributes are grouped together to make up the tables. The most fundamental data level is attributes tables are a Set of data items, data related to one another and that collectively describes a component in the system.

The description of the attributes consists of data names, data descriptions, aliases, and length and data values. The description of data structures consists sequence relationship, selection relationship, iteration relationship and operational relationship.

Table 1: User Table

Field Name

Field Type

Field Size



















Table 2: ATM

Field Name

Field Type

Field Size

























Table 3: Transaction

Field Name

Field Type

Field Size


















Table 4: Loans

Field Name

Field Type

Field Size



























Table 5: Close Account

Field Name

Field Type

Field Size












5.10 Techniques used to handle Specific security concerns:

5.10.1 Symmetric cryptography:

This technique employs one key for encryption process as well as decryption process. Here we have used Advanced Encryption Standard (AES) which is one of the most significant algorithms, required for implementation of symmetric key cryptography. The AES key is a sequence of bits with predetermined length. We have used here AES key of 128 bits in length.

Advanced Encryption Standard:

In the year 2001, Rijndael cipher was chosen as AES. It's creators were Joan Daemon and Vincent Rijmen. So, based on these names it was named Rindael. NIST conducted a competition in 1997 to ask for proposals for the best fit ciphers of AES from the cryptographic community. The criteria for evaluation were memory requirements, flexibility,hardware and software suitability, computational efficiency and security.

NIST specification for the cipher is that it shoulf be syymmetric and the block size should be 128-bits and the lengths of support keys must be 128,192 and 256-bits. Atlast, rijndael was selected as the AES from the five finalists of the total 15 proposals received. MARS, Serpent,RC6 and Twofish were the remaining finalists. AES uses mathematical operations but not Fiestel construct. The operations used are permutations, XORs,substitutions. It has multiple rounds. The key size decides the number of rounds. the next rounds after the first one will be similar. AES allows efficient implementation on both the environments software and hardware as it operates on a byte level.

If we consider the AES one round operation, in the first step we XOP the 16 byte plain text input with the round key. In the next step or process each byte of the 16bytes is used like an index into an S-box table which maps the inputs to outputs which are bith 8-bit.

All the S-boxes are same. In the next two processes i.e., shift row and mix column, the bytes are arranged as 4 groups which contain 4 bytes each. These are mixed within a liner mixing function. In linear mixing, each out bit of the function is the XOR of many input bits.

This was found based on the following figures. The atack on 6 rounds was first demonstrated by the designers of AES. The attacks were the improved to handle

8 rounds for 192-bit keys, 7 rounds for 128-bit keys and also 9 rounds for 256 bit keys during the selection process. Thus leaving security margin of 3 to 5 rounds.So, we can say 70% of cipher is covered in the possible most effective attack.

A simple algebraic structure can be used to represent the encryption function in AES. This has become another concern for AES whocse impact may lead to a mathematical study for secret key recovery. Courtois found a method of attacking AES which involves a technique named XSL. This attack is theoritical till now because the amount of work it requires is more than the computation capability which today's technologies offer. This attack can be improved further in future.

5.10.2 Asymmetric cryptography:

It is also called as public-key cryptography; this technique employs different key for encryption process as well as decryption process. The user who is familiar with the encryption key of an asymmetric cryptography can encrypt messages, but is not able to get the decryption key and will not be able to decode the messages which have been encoded.

RSA is an algorithm for public-key cryptography.RSA uses a public-private key set; a message encoded by public key could be decodes by private key and the other also in the same way.

5.10.3 Message digest: It is a hash algorithm which obtains predetermined length bytes from the input text. Any alteration in the input text will vary the output bytes. MD5 and SHA1 are the most frequently used message digest algorithms.


The NIST standardised Secure Hash Algorithm was published in 1992 as FIPS PUB 180. It was designed by NSA. In 1995, FIPS PUB 180-1 was issued as a revised version.FIPS PUB 180-2 was issued as the current revised version in February 2004. Algorithms which come under SHA: SHA-1, SHA-256, SHA-384 and SHA-512. Among these, SHA-512 and SHA-384 are not recommended for mobile devices because of heavy computations.

In SHA family, the mostly used algorithm of current times is SHA-1. It produces a 160-bits digest by taking input message of size less than 264 bits. Where as, SHA-256 produces a 256-bits digest by taking the same input size. There is a possibility of getting two messages with same digest is when SHA-1 operations are of order 280 and SHA-256 operations are of order 2128. Without using brute force, an attack on SHA-1 detected collisions in 269 hash operations. This leads to find them also in SHA-1 in a 264 complexity. In future SHA-256 will have to be used in our research as SHA-1 is likely to be phsed out by NIST by 2010 because of attacks and technology advances.

Extensive cryptanalysis is not done on SHA-256, SHA-384 and SHA-512 and they are new cryptographic algorithms.

Other One-way Hash Functions

SHA-0 and other hash algorithms like MD4 and MD5 are more inclined to collision attacks. Moreover it is mentioned that the same technique used on SHA-1 can also be used on MD5 which clearly increases the collision probability from 2-37 to 2-32.

5.10.4 Digital signature:

A digital signature is an illustration of data created by the sender's private key that is utilized for validating the uniqueness of the sender of the data. It is used for maintaining the original document unaltered during the communication. A digital signature can be implemented on any sort of message; such that the receiver can be confident of the sender's identity and that the message is delivered without being unaltered.

In this DSA, as the asymmetric algorithm is much time consuming than the symmetric algorithm. The o RSA is used to transfer the symmetric key and sign the data, and large part of the data is encoded using a symmetric algorithm. First create a RSA asymmetric public/private key set this is to be created and exported offline in the Java environment then export and import the public/private key set for which we have to do this method by saving all the parameters into a file. Now it will create an AES key which is 128 bit as done in the code and we will transfer the AES symmetric key along with the RSA encode and decode functionality for the server to encode the message to send and the client to decode the AES key.

Finally, along with the encoded data using the data we will send the cipher (the encrypted data) and the digital signature to the server and we will decode the encrypted data with the help of AES key and finally validate the authenticity of the data and identity by verifying the digital signature. In this way we create a powerful and flexible approach to deal with the security concerns in mobile applications. In this project, we initiated implementation of security using the symmetric encoding/decoding, asymmetric encoding/decoding, message digest and signatures.

The DSA is used by a signatory to produce a digital signature on data and by a verifier to confirm the authenticity of the signature. Each signatory has one public key and one private key. The private key is used in the signature creation process and the public key is used in the signature confirmation process. For signature generation and verification, the data which is referred to as a message is reduced by means of the Secure Hash Algorithm specified in FIPS YY.Is used in banking application. An opponent, who does not know the private key of the signatory, cannot generate the correct signature of the signatory. In other words, signatures cannot be copied. However, by using the signatory's public key,

Anyone can verify a correctly signed message in the bank.

A means of associating public and private key pairs to the corresponding users is needed. That is, there must be a binding of a user's identity and the user's public key. This binding may be certified by a mutually believable party. For example, a certifying authority could sign credentials containing a user's public key and identity to form a certificate.

Systems for certifying credentials and distributing certificates are ahead of the scope of this standard. NIST intends to publish separate document on certifying credentials and the distributing of certificated.

The DSA algorithm makes use of the following parameters:

  • p = a prime modulus, where 2L-1 < p < 2L for 512 = < L = <1024 and L a multiple of 64
  • q = a prime divisor of p - 1, here 2159 < q < 2160
  • g = h(p-1)/q mod p, where h is any integer with 1 < h < p - 1 such that h(p-1)/q mod p > 1 (g has order q mod p)
  • x = a randomly or pseudo randomly produced integer with 0 < x < q
  • y = gx mod p
  • k = a randomly or pseudo randomly produced integer with 0 < k < q

The integer's p, q, and g can be public and can be common to a group of users. A user's private and public keys are x and y, respectively. They are normally unchanging for a period of time. Parameters x and k are used for signature production only, and must be kept secret. Parameter k must be regenerated for each and every signature.

Parameters p and q shall be generated as specified in Appendix 2, or using other FIPS accepted security methods. Parameters x and k shall be generated as specified in Appendix 3, or using other FIPS permitted security methods.

Comparison between the Algorithms:

In mobile phonesthe encryption time is downwards during key generation. So the RSA algorithm is hard to deploy even in latest mobile phones. Encrypt message digest running time using pin-num by AES based public key algorithm is 280 ms, this is very less than RSA and 3DES and adequate to mobile client. This can be seen in below graph.

Also, memory consumption in three RSA, 3DES and AES algorithms is tested in same scenario for client functionality phase. All these three are based on public key infrastructure. And it is clear that the RSA key algorithm is using more memory to run the process. And that is clear from the above graph

So, it is clear that the 3DES and RSA algorithms have less performance in client functionality on mobile device like NOKIA N72 - GPRS enabled device. And from the above graph we came to know that for encrypting the data AES algorithm used a very less computation time and memory. And with different security mechanisms the implemented system has performance impact when considering various security indexes, and so higher the performance impact becomes more secured network. Hence 3DES and RSA