"Security In Mobile Communications Using J2ME: Using Cryptography For Secure Communication In Mobile Devices"
Advances in wireless networks have paved the way for enormous changes in mobile devices, standards, middleware and network implementations. Digital chip technology has made smaller and lighter mobile devices possible. Thanks to advances in wireless technology, especially mobile cellular technology that supports packet data transmission, individuals can connect to the internet at any time and from almost any place through mobile devices. Cellular mobile devices such as mobile phones, Personal Digital Assistants (PDAs), laptops and pagers are used by nearly 2 billion cellular subscribers around the world, among which 130 million are 3G users. Sooner or later the need for secured and authenticated transmission of data arises. Mobile banking, corporate server access and online mobile stock trading are areas where this is in demand. Applications must be authenticated before being downloaded onto a mobile device, and the mobile network infrastructure also has a key role in providing security support to such applications at the network layer. Encryption is an essential tool for secure communications, and cryptography is the mathematics behind the design of encryption and authentication algorithms. Most of these algorithms fall into either the symmetric-key scheme or the asymmetric-key scheme. However, encryption does not prevent interference with and modification of data on communication channels; it can only keep the data on the channel from being read by attackers. A Message Authentication Code (MAC) is used to ensure the integrity of messages. Hence, security is a very important aspect for mobile telecommunications to survive in this IT realm.
Mobile devices are the de facto devices for communication, pushing aside traditional wired communication. As the number of mobile communication users increases, it is necessary to have appropriate security standards for the customers. The project develops a security framework which can be deployed in mobile communication. Mobile industries will find this project feasible and an addition to their organization. The document we present with the project will give a lead in further enhancement of the quality and security of mobile communications.
Security is a must in today's world of mobile internet. On-device data control, data confidentiality and privileged access to data are the 3 key aspects of mobile security. Data confidentiality means safeguarding messages against hackers. In network security, restricted and controlled access to applications through the communication medium forms the aspect of privileged data access. Unauthorized access to data stored on mobile devices (like private keys, passwords, etc.) can be hindered if a strong encryption policy is in place.
Server and client should be directly connected:
For applications with several value-added services, several HTTPS connections are joined together, which could compromise security at the connecting nodes. Even the public key certificates for such connections are an overhead.
Applications like online mobile stock trading or multilevel transaction approvals, which require part of the communication to be open, need no connection-oriented security. Besides, authenticating the stock quotes and signatures needs more attention. Encrypting the entire content imposes unnecessary processing.
For applications having special security and performance requirements, HTTPS is not very flexible:
HTTPS is not compliant with key exchange or handshake methods of data encryption. For instance, clients are not required to authenticate themselves. 265-bit symmetric key encryption might not be ensured.
A lot of interactions happen between mobile applications and back-end servers, for extracting data and organizing customized user displays on the mobile devices. User authentication and authorization mechanisms vary from one service provider to another. Each of them requires a unique way of user sign-on, for which HTTPS is not useful.
To fulfill the aforementioned mobile security aspects, developers must gain programmatic access to cryptography-related algorithms that are packaged in APIs. These APIs provide the developers with secure content rather than mere data connections inside the mobile environment. And the security methods for secure content are almost always applied in the application layer only.
Mobile phones and PDAs are the most used devices in the cellular network. Third-party cryptographic tools can be employed when the OS or platform fails to support cryptographic algorithms. A few mobile cryptography packages whose support is restricted to a particular OS or platform are: MS CAPI for Windows CE, the Security and Trust Service API, and the .NET Compact Framework. Those which fall under third-party packages are the Bouncy Castle API, etc.
Mobile Banking Application:
This system is aimed at giving a better outlook to the user interfaces and at implementing all the banking transactions, like
- Supply of Account Information
- New Account Creations
- Check References
- Check Reference of Loans
- Close Accounts
- Report Generations
Scope Of The Project:
With the proliferation of mobile communications, the security levels of the communication should also be enhanced.
This thesis focuses on the limitations of the existing security interfaces available for mobile application development and I come up with an enhanced framework for secured communication in a mobile network. I implement the framework in J2ME because of its facilities for MID development.
To provide sufficient security in the mobile application environment, proper security standards, which include algorithms, cryptographic techniques, APIs and encryption techniques, have to be applied. Widely used mobile communication security standards are the AES algorithms, APIs like the Bouncy Castle Provider API, and cryptographic techniques like Elliptic Curve Cryptography (ECC) and password-based encryption (PBE). These mobile security standards also have some limitations, and the enhancements to be made in this project are also described.
Supply Of Account Information:
The account information service will provide customers a summary of their accounts. The customers can get details of each account, a snapshot of the balances, a record of payment and transfers made, whenever they require.
In addition to displaying the account balance information, the clients would get a warning when the account balance falls below the minimum limit. Bank decides this limit.
The customers will also be provided with account statements and transaction reports based on any user-defined criteria. Moreover, this system will make tracking of transactions easy: the user will be able to get details of the various transactions based on the account number, the transaction date, the period of the transaction, and so on.
New Account Creation:
Whenever a new customer comes, this system makes it possible to create an account in his name. The customer must provide information regarding the type of account he wants to open, the amount of the deposit, his address and the reference of a person who already has an account in the bank.
All sorts of banking deposits need to be implemented in the system. The user needs to enter information like the account number, PIN and amount.
All sorts of banking withdrawals need to be implemented in the system. The user needs to enter information like the account number, PIN and amount. The system must maintain the minimum amount for each account.
This system should allow the user to apply for different types of loans. When a person is applying for a loan, he/she should provide the information of account number, pin number, loan type, amount, document number that they are placing as a surety and a reference of other person who is having an account in that bank.
Whenever a user is going to create a new account, the user should provide a reference of a person who already has an account in the bank. The referee should approve that reference request. This module facilitates the referee to approve that type of requests.
Check References Of Loans:
Whenever a user is going to apply for a loan, the user should provide a reference of a person who already has an account in the bank in addition to the other information. The referee should approve that loan reference request. This module facilitates the referee to approve that type of requests.
This system should allow the user to make a request for closing of account in the bank. Here the user must specify the account number and the reason for closing of account.
Reports are very essential for the banking organization. It needs to generate different reports of banking information from the stored information. These reports can be stored as soft copies in the system for future use.
Maintenance And Administration:
This module consists of all the administration parts like approvals and closing of accounts. These approvals include approval of new account, loan, deposits and withdrawals made by different users and the processing of accounts closing also comes under this part.
This module will provide an easy and simple method of updating information related to deposits and withdrawals in the bank records. It includes:
- Creating new accounts and account numbers with access codes. Through these access codes, customers will interact. These access numbers will be unique and confidential.
- Maintaining separate tables that will store data
- Various transactions done by the customer
- Requests for stopping the payment
- Generating customized reports that will display the customer transactions
This module will provide an easy method to users to manage the accounts. When they run the application they will be required to fill in the login name and password.
Here, the options offered to the User are:
- Balances: They will be able to view the current status of their accounts.
- Statements: They will get a detailed report of the transactions carried out during a specified period.
- Transfers: This relates to the transfer of money between the various accounts of the customer. The user can get a detailed report of the various transfers.
- Stop payment: This option allows users to fill in details of a payment or transfer of funds that they want to stop.
The operation of mobile banking:
A mobile banking system consists of a mobile banking unit and a data processing kiosk, usually a mainframe computer performing transactions and data storage activities. These systems have a few terminals like multimedia enquiry stations, deposit machines and ATMs. The mobile banking system has built a strong foundation for customized, customer-based financial services which employ various wireless channels of communication. Security issues vary from one technology to another. Since the time of their origin, network financial services have been the sole target of all kinds of crimes in technology.
The mobile operator and handset users' zone, and the mobile operator and banking system zone, are the 2 security zones in mobile banking. Information security troubles like hacking and virus attacks prevail in mobile banking systems as well.
The wireless communication information security issues related to mobile banking are as follows:
Loss, leakage and distortion of information:
Information transfer in the mobile banking world happens through wireless networks. Wireless data networks require radios that take in digital data (0s and 1s), perform modulation and convert them into radio signals. On the other end, these radio signals are received, demodulated and converted back to digital data. Many radio operations happen without interfering with each other, a feature termed coexistence. Present wireless technology offers very few tools to protect wireless data transmissions. Banking transactions are confidential and may be lost, leaked or distorted through daily transaction devices. Attackers might compromise confidential information through network overlapping and by installing suitable electromagnetic devices to gather, delete, edit and damage some of the important data of authorized users.
With mobile devices and unstable transmission channels, incomplete communications happen. Customers sending messages from an area of poor wireless signal coverage often encounter incomplete or failed data transfers. Apart from this, low battery backup in mobile devices leads to incomplete banking transactions.
Denial-of-service attack:
Attackers send a pool of irrelevant messages by exploiting loopholes in the SMS gateway. They interfere with mobile banking systems, alter the services and induce malfunctions to degrade the response time of the system. All these acts trouble legitimate mobile banking users.
The possibility of virus attacks is greater in mobile banking than in network banking. Earlier virus attacks could only make the mobile phone malfunction and delete data from it. But now much more can be affected in a wireless network. There are many factors which aggravate the effect of a virus. One of them is that although the mobile phone is in a wireless network, a virus sent in its network can infect fixed network terminals. The next point is that wireless networks generally do not have provisions for tackling virus attacks. It is hard to use antivirus software on mobiles, taking into account the power consumption. According to the findings of Russian experts, who were the first to show it, a virus can spread through Bluetooth as well and not only through the operating system of the mobile phone. Through Bluetooth the virus can send files to other phones within the Bluetooth radius.
The Mobile Banking Information Security Protection Methods
Considering all the above points, we can say that security issues in mobile banking differ a lot from those in network banking, and moreover that mobile banking is more challenging in terms of security. So we should use new security mechanisms which are different from those of network banking. The next part describes the protection tools in mobile banking.
Implementation Of Data Encryption
Until now the security mechanism has been applied at the transaction layer. But in mobile banking this is not enough, as confidential, secure information such as the password and PIN has to be used. We can overcome this by using encryption technology, which is also used in GSM, which is simply a wireless transmission basis. Firstly, strong encryption needs a large storage capacity and good computing power, which obviously cannot be made available in mobiles as they have low operational capacity. Good encryption mechanisms can be used in internet banking, which has powerful computers, and in that way achieve safety. To achieve higher safety with less computing power spent on encryption, mobiles will have to use two algorithms, AES and ECC, which are symmetric and asymmetric respectively. This increases the encryption and decryption speed while still ensuring data security. It is done by encrypting the wireless transmission data with AES, after which the AES encryption key is itself encrypted using ECC. So, when the ciphertext is attacked, the attack is directed at AES-128. If hackers try to attack the ECC-protected session key, they end up facing the ECDLP. Moreover, there is not much value in obtaining and using the session key, because it works only one time. Also, the key management of this algorithm is very small, which improves security by decreasing the volume of key management. These two algorithms are said to be the best and most effective algorithms known.
System And Data Integrity
Data integrity can be ensured by constant monitoring of the data transmission process and failure of records. The data loses its integrity because of viruses and other malicious infections on equipment like the carrier channel, gateways and servers. Data broken in transmission should be processed with tools which prevent this loss of integrity. This can be done by making use of suitable provisions like firewalls, rapid recovery and intrusion detection, which will ensure the security of the data too. These tools must be in a position to test the code's integrity, which in turn assures the integrity of the entire mobile banking system.
Authentication plays an important role in defense, as it is the ground for the other security tools in mobile banking. The customer has to sign an agreement with the bank establishing the customer identification information, phone numbers and password protection techniques required for customer authentication. There are chances that hackers access bank passwords and valuable information, as they are easy to remember, and there is also the possibility of losing the mobile in an open environment. This calls for a dynamic authentication system, which has been developed by South Korea. This system, DAS4M, is based on the WIPI mobile platform. In it, characters are displayed on the screen, according to which the user enters the equivalent figures on the keyboard, which replace the password. Thus adopting a dynamic password system and other mechanisms from network banking improves the security of mobile banking.
Data authentication can be done by using a digital signature. The digital signature mechanism also uses algorithms: the RSA algorithm, which relies on integer factorization, and the ECC algorithm, which relies on the elliptic curve discrete logarithm problem. This algorithm is as efficient as ECC in safety and computing speed. The ECC level of security is especially suitable for mobile banking. This can be said because of the following points: RSA uses complicated computing and slow encryption. ECC uses low speed computing and high level security. Its storage is also small. ECC is able to finish the same work with less computation. The performance of RSA with 1024 key length is equal to ECC with 160 key length. This makes ECC more appropriate for mobile banking. In China, the mobile banking application uses a digital signature which is embedded in the STK card. The RSA key along with hash functions is embedded into the STK card to produce the digital signature. So far ECC is used in e-government and e-commerce, and in future it will be used in mobile banking security systems as well.
Key and certificate management platform system standards are used in the e-commerce PKI security mechanism. Based on these standards, WPKI (Wireless Public Key Infrastructure) was developed to satisfy wireless network authentication and encryption requirements. It makes use of optimized ECC and compressed X.509 digital certificates. It ensures data integrity, user authentication, security of data in transmission and non-repudiation of transactions, which together make up effective information security, as it uses a trusted third-party organization's Certification Center and public key certificate management to ascertain users' identity.
As the name itself suggests, WPKI is an optimization of PKI. But there are certain restrictions, like the size of the IETF PKIX certification format and the reduction of the storage space of certificates due to the 100 B Elliptic Curve Crypto system. WPKI uses an ECC-based public key system and uses one key of a pair to match the other key. The public key in the receiver's digital certificate is used by the sender when delivering a message. For decryption the recipient's own private key is used. So the information reaches its destination completely. The users' risk in transactions is eradicated by using WPKI in mobile banking, as it ensures authenticity, data integrity and identity of transactions. With further advancement of WPKI technology, its interoperability with PKI will be achieved. Also, the handling difficulty of WPKI certification and the data length will be reduced. This will consequently create better security in the mobile banking environment.
Security for bank database:
3. Project Analysis
The existing system consisted of files with literally no file security standards like the Bouncy Castle system. The Bouncy Castle API was to be implemented because of the following factors, against which several security measures had to be taken:
1. Reading or tapping data of the bank
2. Manipulating and modifying data
3. The Illegal use of files.
4. Corrosion of data files.
5. Alteration of data transmission.
6. Disturbance of the operation of equipment or systems.
The main issue of (1) is secrecy and confidentiality. Confidentiality has always played an important role in diplomatic and military matters. Often information must be stored or transferred from one place to another without being exposed to an opponent or enemy. Key management is also related to confidentiality. This deals with generating, distributing and storing keys.
Items (2-4) are primarily concerned with reliability. Often the expression integrity is used as a measure of genuineness of data. Also Computer files and networks must be protected against intruders and Unauthorized.
Items (5-6) are a different aspect of the security of the information, its continuity. Here the data must be protected against deliberate disruption during its transmission and storage.
Implementing Bouncy Castle API:
4. Overview Of Java
History Of Java:
The Java language was developed by James Gosling and his team at Sun Microsystems and released formally in 1995. Its former name is Oak. The Java Development Kit 1.0 (JDK 1.0) was released in the year 1996. To popularize Java, it is freely available on the Internet.
Overview Of Java:
Java is loosely based on C++ syntax and is meant to be object-oriented. The structure of Java is midway between an interpreted and a compiled language. The Java compiler compiles Java programs into byte codes that are secure and portable across different platforms. These byte codes are essentially instructions encapsulated in a single type, for what is known as a Java virtual machine (JVM), which resides in a standard browser.
The JVM verifies these byte codes for integrity when they are downloaded by the browser. JVMs are available for almost all operating systems. The JVM converts these byte codes into machine-specific instructions at runtime.
Features Of Java:
- Java is an object-oriented language and supports encapsulation, inheritance, polymorphism and dynamic binding, but does not support multiple inheritance. Everything in Java is an object except some primitive data types.
- Java is portable and architecture-neutral; that is, Java programs once compiled can be executed on any machine that is Java-enabled.
- Java is distributed in its approach and used for Internet programming.
- Java is robust, secure, high-performing and dynamic in nature.
- The Java language supports the concept of multithreading. Therefore different parts of the program can be executed at the same time.
Java And Internet:
Java is strongly associated with the Internet and is known as an Internet programming language. Internet users can use Java to create applet programs and run them locally using a Java-enabled browser such as HotJava. Applets can be downloaded from a remote machine via the Internet and run on the local machine.
Java And World Wide Web:
The World Wide Web is an open-ended information retrieval system designed to be used in a distributed environment. This system contains web pages that provide both information and controls. We can navigate to a new web page in any direction. This is made possible with HTML. Java was meant to be used in a distributed environment such as the Internet, so Java could be easily incorporated into the web system and is capable of supporting animation, graphics, games and other special effects. The web has become more dynamic and interactive with the support of Java. We can run a Java program on a remote machine over the Internet with the support of the web.
The Java environment includes a large number of tools, which are part of the system known as the Java Development Kit (JDK), and hundreds of classes, methods and interfaces grouped into packages, which form part of the Java Standard Library (JSL).
Java architecture provides a portable, robust, high performing environment for development. Java provides portability by compiling the byte codes for the java virtual machine, which are then interpreted on each platform by the runtime environment. Java also provides stringent compile and runtime checking and automatic memory management in order to ensure solid code.
Java Virtual Machine:
When we compile the code, the Java compiler creates machine code (byte code) for a hypothetical machine called the Java virtual machine (JVM). The JVM executes the byte code and overcomes the issue of portability. The code is written and compiled for one machine and interpreted on all other machines. This machine is called the Java virtual machine (JVM).
Paradigm Of Java:
Dynamic down loading applets (small application programs);
Elimination of the fatware phenomenon, that is, providing only those features of a product that the user needs at a time. The remaining features of the product can remain on the server.
Changing economic model of the software
Up-to-date software availability
Supports network entire computing
Supports CORBA & DCOM
Introduction To Servlets:
Servlets provide a Java(TM)-based solution used to address the problems currently associated with doing server-side programming, including inextensible scripting solutions, platform-specific APIs, and incomplete interfaces.
Servlets are objects that conform to a specific interface that can be plugged into a Java-based server. Servlets are to the server-side what applets are to the client-side -- object byte codes that can be dynamically loaded off the net. They differ from applets in that they are faceless objects (without graphics or a GUI component). They serve as platform-independent, dynamically loadable, pluggable helper byte code objects on the server side that can be utilized to dynamically extend server-side functionality.
What Is A Servlet?
Servlets are the modules that extend request/response-oriented servers, such as Java-enabled web servers. For example, a servlet might be responsible for taking data in an HTML order-entry form and applying the business logic used to update the company's order database.
Servlets can be embedded in many different servers because the servlet API, which you use to write servlets, assumes nothing about the server's environment or protocol. Servlets have become most extensively used within HTTP servers; many web servers support the Servlet API.
Use The Servlets Instead Of Cgi Scripts!
Servlets are an effective substitute for CGI scripts. They give a way to generate dynamic documents that is both easier to write and faster to run. Servlets also deal with the problem of doing server-side programming with platform-specific APIs: they are developed with the Java Servlet API, a standard Java extension. So servlets can be used to handle HTTP client requests. For example, servlets can process data posted over HTTPS from an HTML form, including purchase order or credit card data. A servlet like this could be part of an order-entry and processing system, working with product and inventory databases, and perhaps an on-line payment system.
Other Uses For Servlets:
Here are a few more of the many applications for servlets:
Allowing collaboration between people. A servlet can handle multiple requests at the same time, and can synchronize requests.
Forwarding requests. Servlets can forward the requests to other servers and servlets. Thus servlets can be used to balance the load among several servers that reflect the same content, and to partition a single logical service over several servers, according to task type or organizational boundaries.
Architecture Of The Servlet Package:
The javax.servlet package gives the interfaces and classes for writing servlets. The architecture of this package is explained below.
The Servlet Interface:
The central abstraction in the Servlet API is the Servlet interface. All the servlets implement this interface, either directly or, more commonly, by extending a class that implements it such as HttpServlet.
The Servlet interface declares, but it does not implement, methods that manage the servlet and its communications with the clients. Servlet writers offer some or all of these methods when developing a servlet.
When a servlet accepts a call from a client, it receives two objects:
- ServletRequest, which encapsulates the communication from the client to the server.
- ServletResponse, which encapsulates the communication from servlet back to client.
- The ServletRequest and the ServletResponse are interfaces defined by the javax.servlet package.
The Servlet Request Interface:
The ServletRequest interface allows the servlet access to:
- Information such as the names of the parameters passed in by the client, the protocol (scheme) being used by the client, and the names of the remote host that made the request and the server that received it.
- The input stream and ServletInputStream. The Servlets use the input stream to get data from clients that use application protocols such as the HTTP POST and PUT methods.
Interfaces that extend ServletRequest interface permit the servlet to retrieve more protocol-specific data. For example, the HttpServletRequest interface includes methods for accessing HTTP-specific header information.
The Servlet Response Interface:
The ServletResponse interface gives the servlet methods for replying to the client. It:
- Permits the servlet to set the content length and MIME type of the reply.
- Offers an output stream, ServletOutputStream, and a Writer through which the servlet can send the reply data.
The interfaces that extend the ServletResponse interface provide the servlet more protocol-specific capabilities. For example, the HttpServletResponse interface includes methods that permit the servlet to manipulate HTTP-specific header information of the request.
Additional Capabilities Of HTTP Servlets:
The classes and interfaces described above make up a basic Servlet. HTTP servlets have some other objects that provide session-tracking capabilities. The servlet writer can use these APIs to maintain state between the servlet and the client that perseveres across multiple connections during some time period. HTTP servlets also have objects that provide the support for cookies. The servlet writer utilizes the cookie API to save data with the client and to receive this data.
5. Research Methodology:
- Finding resources for previous security frameworks in Wireless (Mobile) and wired Communications.
- Analyzing and comparing the frameworks to find their drawbacks and features.
- Proposing a framework (maybe combination of previous frameworks) to put down the initiative for the new application.
- Having discussion, meeting and chat with the mentor of the project at regular intervals.
- Learning J2ME as a part of development process.
- Improving relevant technical knowledge by reading books and also, with the help of the internet.
- Having discussion, meeting and chats with Engineers to increase mobile security knowledge to do this project.
- Deploying and testing the framework by loading the program in to a mobile and find the results in real time.
- Analyzing the results and concluding accordingly.
Protection of agent:
Protection of this application can be provided by following countermeasures.
Before accepting an incoming request, you want to know the sender's details. In this case, you need to authenticate the application. This process includes verifying the developer who created the application; likewise, before sending a request to some host you may wish to authenticate the host and check what its credentials are.
Authentication of user: the user needs to authenticate himself to a given server. Public-key encryption or a password can be used for this purpose.
Authentication of host: before a server starts to communicate with another host or user, it needs to know with whom it is communicating.
Authentication of code: before executing an incoming application, the host needs to know who created the application. Digital signatures are typically used for this purpose.
Authentication of application: before executing an incoming application, the server needs to know who is responsible for this agent or who its owner is.
To rely on an application, one has to make sure that no one has tampered with its code and data. Checking the integrity of the application is the technique we use to make sure that its code and data have not been manipulated.
An application may carry confidential information that should be readable only by the intended server or application. Such information should be kept secret from other servers and applications.
Authorization or access control is the way to specify and enforce an application's capability to access information or to use services provided by a server.
Protection of the private data of the user: The private data may include account information or card information, which can be changed or used inappropriately by the remote host that is executing a mobile-banking application. Using the conventional technique of symmetric-key cryptography, the private data of the user (the e-money or account details that the application is carrying) is sent in encrypted form. This encrypted private data remains intact until its secret keys are compromised. This is done by combining the Bouncy Castle API with password-based encryption.
Protection of the results generated by the server: When the mobile-banking application executes on some host, it may produce data that is confidential to the owner. That result can be used or altered by the same host on which it is produced. This kind of attack is prevented by using symmetric as well as asymmetric keys: the result created by the user is first encrypted using the symmetric (secret) key, which is produced on the remote host, and this secret key is then encrypted using the asymmetric key. The two encrypted items, the encrypted key and the encrypted results, are sent back to the owner and decrypted in the owner's application. In this way the security of the results can be achieved.
Protection of the application itself on the remote host: this is an approach in which the code is changed so that it becomes hard to understand but performs the same function as the original program.
Problems regarding cryptography packages in mobile environment:
Conventional cryptography packages bind numerous algorithm-related functions into a single set of API-specific methods. Most of these methods have complex algorithm selection criteria and require multiple parameters to be set up when selecting the mode of operation. As a result, developers couple the application tightly to the cryptography implementation, which is in contrast with the separation of concerns policy. This in turn spawns critical problems, leading to an increased degree of misuse of API methods by developers. Mobile devices possess limited resources such as CPU speed, memory size and persistent storage; that is why several mobile cryptographic packages are subsets of their desktop counterparts. Mobile APIs, being lightweight in nature, do not have useful initialisation and authentication methods within them.
Frameworks such as the .NET Compact Framework and CAPI for Pocket PC are not always available in a mobile cryptography package, which leaves some cryptography features unavailable. For instance, the lack of support for MAC in the Security and Trust Services API causes developers to search for other methods around the APIs to implement the missing features.
The way cryptography algorithms are implemented in the packages defines the complexity of the API. Many contemporary packages are implemented with algorithms that involve multiple initialization options, which are often misused by developers. Initializing vectors with blank byte arrays by default and generating secret keys from pseudo-random numbers are some examples. Even presuming that external APIs can hide the difficulties of applying cryptography from the developer, if any internal modules were implemented to low standards, the whole system's security would be in vain. Mere deployment of key algorithms like AES will not serve the purpose of ensuring security for a software deliverable. In addition, cryptography needs to be implemented with utmost care and attention. One should not overlook the cryptography fundamentals (mentioned below) that are the best practices (independent of the environment in which they are applied):
For mobile cryptographic packages, strong fundamentals are often not applied inside them, and the use of limited methods outside the API increases the complexity. These 2 characteristics make mobile cryptography packages more vulnerable than those of desktops.
Developers must be cognizant of the consequences of applying cryptographic functions with input parameters from trusted resources.
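The two initialization mistakes named above (a blank IV and key bytes drawn from an ordinary pseudo-random generator), next to a password-derived key of the kind used earlier for the user's private data; this is an added example, not the project's code. It assumes a desktop JDK 8 or later with the standard JCA provider rather than the Bouncy Castle J2ME API, and the class name, PBKDF2 parameters, password and message are constructed for illustration.

```java
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Random;

public class KeyAndIvInitDemo {
    static final SecureRandom RNG = new SecureRandom();

    // Misuse: key bytes from a general-purpose PRNG. The whole key is a
    // function of java.util.Random's 48-bit state, so it can be regenerated.
    static SecretKey prngKey(long seed) {
        byte[] k = new byte[16];
        new Random(seed).nextBytes(k);
        return new SecretKeySpec(k, "AES");
    }

    // Password-based key: PBKDF2 stretches the password with a random salt
    // into a fixed 128-bit AES key. The iteration count is an assumed value.
    static SecretKey passwordKey(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, 100_000, 128);
        try {
            byte[] k = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
            return new SecretKeySpec(k, "AES");
        } finally {
            spec.clearPassword();
        }
    }

    static byte[] randomBytes(int n) {
        byte[] b = new byte[n];
        RNG.nextBytes(b);
        return b;
    }

    // AES-CBC with a caller-supplied IV. CBC gives confidentiality only;
    // integrity still needs a MAC or a signature over the ciphertext.
    static byte[] encrypt(SecretKey key, byte[] iv, byte[] plain) throws Exception {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        return c.doFinal(plain);
    }

    static byte[] decrypt(SecretKey key, byte[] iv, byte[] ct) throws Exception {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(iv));
        return c.doFinal(ct);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample request and password, not taken from the essay.
        byte[] msg = "TRANSFER from=0001 to=0002 amount=100"
                .getBytes(StandardCharsets.UTF_8);
        byte[] salt = randomBytes(16);           // stored next to the ciphertext
        SecretKey key = passwordKey("correct horse battery".toCharArray(), salt);

        // Blank IV: the same request encrypted twice yields identical bytes,
        // so an observer can tell when a transaction is repeated.
        byte[] blank = new byte[16];
        boolean repeatsVisible =
                Arrays.equals(encrypt(key, blank, msg), encrypt(key, blank, msg));

        // Fresh random IV per message: the two ciphertexts differ.
        byte[] iv1 = randomBytes(16), iv2 = randomBytes(16);
        byte[] ct1 = encrypt(key, iv1, msg);
        boolean repeatsHidden = !Arrays.equals(ct1, encrypt(key, iv2, msg));

        // PRNG key: the same seed always reproduces the same "secret" key.
        boolean keyReproducible = Arrays.equals(
                prngKey(42L).getEncoded(), prngKey(42L).getEncoded());

        System.out.println("blank IV leaks repeats:   " + repeatsVisible);
        System.out.println("random IV hides repeats:  " + repeatsHidden);
        System.out.println("seeded key reproducible:  " + keyReproducible);
        System.out.println("round trip: "
                + new String(decrypt(key, iv1, ct1), StandardCharsets.UTF_8));
    }
}
```

The IV and the salt are not secret and travel with the ciphertext; what matters is that the IV is never reused with the same key.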
Cryptography packages in a mobile environment must adhere to a few parameters:
Mobile devices are essentially responsive in nature. CPU-specific tasks and asymmetric algorithms must be handled at acceptable speeds.
A mobile device contains only 100 kilobytes of storage. But, most cryptography packages demand megabytes of data. Hence, size is a key consideration while implementing the cryptography in mobile devices.
The objective of mobile device cryptography packages is to provide robust security schemes which come from the selection of reliable algorithms. Password-oriented encryption, digital signatures, symmetric & asymmetric keys should be implemented.
Cryptography package APIs which encapsulate multilayer abstraction and inheritance features support a wider pool of algorithms. But, as the complexity of the APIs increases, the level of adoption of the same decreases.
Keys for various algorithms must be matched and identified at both ends of the communication channel. The key pairs are generated beforehand on the server side and sent to the mobile device, as asymmetric key generation is a rather slow process on mobile devices. Measures should be taken to make the entire process of serialization and key generation easy and secure.
Based on this research, we have developed a mobile cryptography package using the Bouncy Castle API framework. This applies secure cryptography in mobile devices while keeping a simple API.
- Jed 1.4, Jsdk2.0
- ODBC Drivers installed
- JDBC Drivers installed
- Web Logic Server 7.0
- Oracle 8i or later
- Windows 2000
- Personal computer with P IV processor
- 2.1 GB hard disk space
- 64 MB RAM
The following conclusions were made about the system after the detailed study of the system:
The following factors explain the technical feasibility of the system:
1. Flexibility: Usage of JAVA for the algorithm development ensured that flexibility would be guaranteed.
2. Ease of use: With networking concepts kept in mind, ease of use was an important factor. Complexities could occur at stages, but ensuring transparent operations was necessary.
3. Ease of upgrade: The system leaves room for improvement.
4. Simplicity: The system is simple in nature.
5.5 Economical feasibility:
This algorithm was well suited to any operating system that was available in the company, and JAVA was used to implement the algorithm.
Keeping the economical feasibility in mind, it was decided that working on a platform that is already existing and suited for file programming would be economical for the development of the project.
5.6 The Main Objective:
1. Creating the bank data base.
2. Implementing the algorithm
Security will be a high priority in mobile communication when it is used for mobile banking and mobile electronic purchases, so I would like to do an implementation that shows the various aspects of security in mobile agents. Taking the example of a mobile banking agent application, we will discuss the various security concerns it may face while travelling from the server to a remote host to complete the transaction.
5.7.1 Implementation of Mobile Banking Application:
Using the example of the mobile banking application, we consider the different types of security concerns the application may be prone to when the user tries to do a bank transaction. Some facts which are considered here are:
1. Consider an application of mobile banking where mobile agents help in doing bank transactions on the behalf of their owner.
2. Here we have to set an itinerary of banks; it consists of all the banks to which the agent is supposed to move, one after the other, that is, the path the agent has to follow to get its work done.
3. When the agent finds a desired host bank where it can do its transaction cost, it will come back to the owner with the information about the bank host.
4. Here our application is made cautious and prepared in case a host turns out to be compromised: how it will protect its private data, how it will protect the results it is going to produce on the remote host, and finally how it will protect itself.
A data flow diagram (DFD) is a structured analysis tool that is used for graphical representation of data processes through any organization. The data flow approach emphasizes the logic underlying the system, using a combination of only 4 symbols. It follows the top-down approach of development. A full description of a system actually consists of a set of DFDs, which comprise various levels. An initial overview model is exploded into lower-level diagrams that show additional features of the system. Further, each process can be broken down into a more detailed DFD. This occurs repeatedly until sufficient details are described.
- Account Creation
- Transfer Amount
- Closing Account
It defines a source (originator) or destination of system data.
It indicates data flow-data in motion. It is a pipeline through which the information flows.
Circle or Bubble:
It represents a process that transforms incoming data flow(s) to outgoing data flow(s).
It is a data store-data at rest, or a temporary repository of data.
Data dictionary consists of description of all the data used in the system. It consists of logical characteristics of current systems data stores including name, description, aliases, contents and organization. Data dictionary serves as the basis for identifying database requirements during system design. Data dictionary is a catalog, a depositary of the elements in the system.
The data dictionary is used to manage the details in a large system, to communicate a common meaning for all system elements, to document the features of the system, and to locate errors and omissions in the system. The data dictionary contains two types of descriptions for the data flowing through the system: attributes and tables. Attributes are grouped together to make up the tables. The most fundamental data level is the attribute. Tables are a set of data items that are related to one another and that collectively describe a component in the system.
The description of the attributes consists of data names, data descriptions, aliases, length and data values. The description of data structures consists of sequence relationship, selection relationship, iteration relationship and operational relationship.
This technique employs one key for encryption process as well as decryption process. Here we have used Advanced Encryption Standard (AES) which is one of the most significant algorithms, required for implementation of symmetric key cryptography. The AES key is a sequence of bits with predetermined length. We have used here AES key of 128 bits in length.
It is also called public-key cryptography; this technique employs different keys for the encryption process and the decryption process. A user who knows the encryption key of an asymmetric scheme can encrypt messages, but cannot obtain the decryption key and cannot decode messages which have been encoded.
RSA is an algorithm for public-key cryptography. RSA uses a public-private key set; a message encoded by the public key can be decoded by the private key, and vice versa.
Message digest: It is a hash algorithm which obtains predetermined length bytes from the input text. Any alteration in the input text will vary the output bytes. MD5 and SHA1 are the most frequently used message digest algorithms.
A digital signature is a piece of data created with the sender's private key that is used for validating the identity of the sender of the data. It is used to keep the original document unaltered during the communication. A digital signature can be applied to any sort of message, such that the receiver can be confident of the sender's identity and that the message is delivered unaltered.
In this DSA, the asymmetric algorithm is much more time consuming than the symmetric algorithm, so RSA is used to transfer the symmetric key and sign the data, and the large part of the data is encoded using a symmetric algorithm. First, an RSA asymmetric public/private key set is created and exported offline in the Java environment; the public/private key set is exported and imported by saving all the parameters into a file. Next, an AES key of 128 bits is created, as done in the code, and the AES symmetric key is transferred using the RSA encode and decode functionality, with the server encoding the message to send and the client decoding the AES key.
Finally, we send the cipher (the encrypted data) and the digital signature to the server, decode the encrypted data with the help of the AES key, and validate the authenticity of the data and the identity by verifying the digital signature. In this way we create a powerful and flexible approach to deal with the security concerns in mobile applications. In this project, we implemented security using symmetric encoding/decoding, asymmetric encoding/decoding, message digests and signatures.
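The key-transfer and signing flow described above, as an added example that is not the project's own code: a random 128-bit AES key encrypts the data, RSA wraps that key for the receiver, and the sender's RSA signature covers everything that is sent. It assumes a desktop JDK 8 or later with the standard JCA provider instead of the Bouncy Castle J2ME API; the AES-GCM mode, OAEP padding, 2048-bit keys generated in memory, class and method names, and the sample message are assumptions made for illustration.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.Signature;

public class HybridEnvelopeDemo {
    static final SecureRandom RNG = new SecureRandom();
    static final String RSA_WRAP = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";

    /** What travels over the channel. */
    static final class Envelope {
        final byte[] wrappedKey, nonce, cipherText, signature;
        Envelope(byte[] w, byte[] n, byte[] c, byte[] s) {
            wrappedKey = w; nonce = n; cipherText = c; signature = s;
        }
    }

    // Sender side: encrypt with a one-time AES key, wrap the key, sign the lot.
    static Envelope seal(byte[] plain, PublicKey receiverPub, PrivateKey senderPriv)
            throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128, RNG);                        // 128-bit key, as in the essay
        SecretKey aes = kg.generateKey();

        byte[] nonce = new byte[12];
        RNG.nextBytes(nonce);
        Cipher gcm = Cipher.getInstance("AES/GCM/NoPadding");
        gcm.init(Cipher.ENCRYPT_MODE, aes, new GCMParameterSpec(128, nonce));
        byte[] ct = gcm.doFinal(plain);

        Cipher rsa = Cipher.getInstance(RSA_WRAP);
        rsa.init(Cipher.ENCRYPT_MODE, receiverPub);
        byte[] wrapped = rsa.doFinal(aes.getEncoded());

        // wrappedKey and nonce have fixed lengths, so signing their plain
        // concatenation with the ciphertext is unambiguous.
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(senderPriv);
        s.update(wrapped); s.update(nonce); s.update(ct);
        return new Envelope(wrapped, nonce, ct, s.sign());
    }

    // Receiver side: verify first, then unwrap the AES key and decrypt.
    static byte[] open(Envelope e, PrivateKey receiverPriv, PublicKey senderPub)
            throws Exception {
        Signature v = Signature.getInstance("SHA256withRSA");
        v.initVerify(senderPub);
        v.update(e.wrappedKey); v.update(e.nonce); v.update(e.cipherText);
        if (!v.verify(e.signature)) {
            throw new SecurityException("signature check failed");
        }
        Cipher rsa = Cipher.getInstance(RSA_WRAP);
        rsa.init(Cipher.DECRYPT_MODE, receiverPriv);
        SecretKey aes = new SecretKeySpec(rsa.doFinal(e.wrappedKey), "AES");

        Cipher gcm = Cipher.getInstance("AES/GCM/NoPadding");
        gcm.init(Cipher.DECRYPT_MODE, aes, new GCMParameterSpec(128, e.nonce));
        return gcm.doFinal(e.cipherText);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048, RNG);
        KeyPair sender = kpg.generateKeyPair();    // signs
        KeyPair receiver = kpg.generateKeyPair();  // receives the wrapped key

        // Constructed sample result, not taken from the essay.
        byte[] result = "balance acct=0001 amount=2500"
                .getBytes(StandardCharsets.UTF_8);
        Envelope env = seal(result, receiver.getPublic(), sender.getPrivate());
        byte[] back = open(env, receiver.getPrivate(), sender.getPublic());
        System.out.println("opened: " + new String(back, StandardCharsets.UTF_8));

        env.cipherText[0] ^= 0x01;                 // one bit changed in transit
        try {
            open(env, receiver.getPrivate(), sender.getPublic());
            System.out.println("tampering NOT detected");
        } catch (SecurityException ex) {
            System.out.println("tampered envelope rejected: " + ex.getMessage());
        }
    }
}
```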
1. Coming to the AES algorithm, there are no key rotations/updates: the same static pre-shared master key (PSK) must be shared with all clients before they are allowed to associate with the WLAN. The AES protocol makes no provision for automatically generating new master keys.
2. AES is not backwards compatible with every piece of Wi-Fi hardware, which makes it hard to deploy as it needs an additional hardware upgrade.
3. Bouncy Castle provides a lot of encryption algorithms, and if you use it for AES and later want to use a provider other than Bouncy Castle, this involves code changes. But this was the fastest way to get the system running without error, and the likelihood of us ever replacing Bouncy Castle is small enough that I can live with code changes.
4. Elliptical Curve cryptography (ECC) is mathematically more subtle than RSA or SDL and is complex to explain/justify to the client.
5. Elliptical Curve cryptography (ECC) offers keys with smaller size.
6. Password-based encryption can only provide strong authentication but is weak in encryption security.
1. Combination of password based encryption with bouncy castle provider for key store will enhance the security to high level for smaller devices like mobile, PDAs.
2. The combination includes user authentication and encryption. The key store is the keys generated by scrambling the password of the user instead of bouncy castle key store.
3. Key store is known to sender and receiver as they know the password early before they start communicating. So no processing for key generation and thus reduces encryption time too.
4. Key length depends on password length and the attacker does not even know the key length; in this way we can increase the security standard during the mobile communication.
6. System Testing:
System Integration And Testing:
The proposed system is tested in parallel with the software effort, which consists of its own phases of analysis, implementation, testing and maintenance.
Unit testing comprises the set of tests performed by an individual programmer prior to integration of the unit into a large system.
Coding and debugging -> Unit testing -> Integration testing
There are four categories of tests that should be performed.
- Functional Testing
- Performance Testing
- Stress Testing
- Structure testing
Function test cases involve exercising the code with the nominal input values for which the expected results are known, as well as boundary values maximum.
Performance testing determines the amount of execution spent in various parts of the unit program throughput, response time and device utilization by the program unit.
Stress tests are those tests designed to intentionally break the unit.
Structure tests are concerned with exercising the internal logic of a program and traversing particular execution paths.
Establishing a test completion criterion is another difficulty encountered in the unit testing of real programs. Unit testing includes:
- Statement Coverage
- Branch Coverage
- Logical Path Coverage
Using Statement Coverage, the programmer attempts to find a set of test cases that will execute each statement in a program at least once.
Using Branch Coverage as the test completion criterion, the programmer attempts to find a set of cases that will execute each branching statement in each direction at least once.
Logical Path Coverage acknowledges that the order in which the branches are executed during a test is an important factor in determining the test outcome.
Integration testing is of three types:
Bottom up Integration
Top down Integration
Bottom up integration testing consists of unit testing followed by system testing. Unit testing has the goal of testing individual modules in the system. Subsystem testing is concerned with verifying the operation of the interfaces between modules in the sub systems.
System Testing is concerned with subtleties in the interfaces, decision logic, and control flow recovery procedure, throughput, capacity and timing characteristics.
Top down integration starts with the main routine and one or two immediately subordinate routines in the system structure, Top down integration requires the use of program stubs to simulate the effect of lower level routines that are called by those being tested.
The top down method has the following advantages:
- System integration is distributed through the implementation phase.
- Top-level interfaces are tested first and most often.
- The top-level routine provides a natural test harness for lower level routines.
- Errors are localized to the new modules and interfaces that are being added.
Sandwich integration is predominately top down, but bottom up techniques are used on some modules and sub system. This mix alleviates many of the problems encountered in pure top down and retains the advantages of the top down integration at the subsystem and system level.
This Mobile Banking system is implemented to fulfil all the client requirements. The system enables the user to make secure transactions through a mobile device. The interfaces designed for the system are very user friendly and attractive. It has successfully implemented banking transactions such as new accounts, deposits, withdrawals, money transfers, cheque book issues and stop payments as per the client requirement.
The system has successfully passed the testing at the development site and is under the testing phase in the presence of the client. The system is waiting for the client response. As the applications are executing the resources locally, they exhibit high performance. So instead of fetching the data remotely, they process the data locally after reaching there. The application efficiently uses low bandwidth, high authentication techniques and secured communication channels. As the agents process the data locally after reaching the remote host, less bandwidth is used, because bandwidth is saved by eliminating unnecessary remote calls. It works efficiently on error-prone communication systems.
The applications are able to operate individually, so they move themselves to the position where they can find the services they need to perform the execution securely. They are able to assess on their own and can migrate in the network to effectively execute the tasks given to them. Network computing is basically varied, from both the hardware and the software perspectives. An application can work in any system where the application platform is installed, so any hardware on which the application platform can be installed can support the execution of the application. As the applications can evaluate themselves and react dynamically, the system becomes more robust and fault-tolerant: the application can move to another host if the present host has failed.
Future Scope Of The Project:
This project has a broad future scope, as it can be extended to provide services to customers online. The system can be implemented for online transactions without the intervention of the authority. If this is done, the customer can access his account status from anywhere in the world and can transfer money from his account to another account without going to the bank physically. He can request stop payments through the mobile. In other words, the future scope is to provide the service through the mobile.