With the increasing use of extensive IT and telecommunication systems for sensitive or safety-critical applications, IT and telecommunication security is becoming more important. For a computer system and its related applications, including data, to be trustworthy, it must be secured. This project covers all aspects of computer system security. It also studies the security of data in mobile systems, specifically the Global System for Mobile Telecommunications (GSM). The existing security algorithms in the GSM network were studied, and critical flaws were found in them; as a result, they cannot guarantee the security and confidentiality of users' data during a communication session. This poses a great threat in sensitive and safety-critical environments such as financial, military and educational institutions, or even espionage establishments such as the State Secret Services (SSS) and security establishments. This Master's project finally proffers a solution to the flaws found in the GSM security system by adopting a software-based approach. A computer program was written in the JAVA programming language to provide end-to-end encryption of data (SMS only) in two-way communication using compatible MIDP mobile phones or other portable communication devices.
CHAPTER ONE INTRODUCTION
1.0 Background to the Study
The term security lacks meaning until one has defined what is to be secured and for whom. Likewise, security is difficult to comprehend without a potential threat. Mobile phones for third-generation mobile systems (3G) have several security stakeholders for which the mobile platform must provide security services. Moreover, the potential threats may differ from stakeholder to stakeholder.
The first class of security stakeholders, users, expects that mobile phones will offer secure and reliable communication – that is, they assume their phones can be trusted to handle sensitive tasks, such as e-commerce transactions. The main threats to this class of stakeholders are malicious software, such as viruses and Trojans, or weak or misbehaving security mechanisms.
The second class of stakeholders, mobile network operators, relies on phone network identification mechanisms (related to billing capability) and network-related software. Criminal-minded users or hostile software must not be allowed to circumvent these mechanisms. Operators thus require that the integrity of software can be guaranteed when the mobile phone is in operation. They also want to be certain that users cannot break SIM lock mechanisms.
A third class of security stakeholders, content providers, wants to be paid for the content (music, pictures, videos and software) that users download. It also wants to know that users cannot (mis)use their phones to illegally copy or distribute content. This is where digital rights management (DRM) functions come into play. However, DRM mechanisms alone cannot provide all necessary security. To provide a DRM solution that meets content provider requirements, the mobile phone platform must contain security functions that guarantee secure execution and code integrity.
Security is usually measured in terms of a set of basic aspects:
- integrity,
- authentication and
- authorization.
Confidentiality is ensuring that the data is hidden from those that are not supposed to see it.
Confidentiality of data is achieved by cryptographically transforming the original data, often called plaintext, into ciphertext, which hides the content of the plaintext. This operation is realized as a parameterized transformation that keeps the controlling parameter secret.
The controlling parameter is often called a key. The transformation is called encryption. With a key it is easy to perform the inverse transform or decryption. Without the key, decryption would be difficult.
Integrity is about ensuring that data has not been replaced or modified without authorization during transport or storage. This is achieved using cryptographic transforms and a key. Additional information must also be added to the plaintext to verify its
Authentication is the procedure by which a unit (the claimant) convinces another unit (the verifier) of its (correct) identity. Authentication is different from authorization, which is the process of giving a person or entity permission to do or have access to something.
Non-repudiation is ensuring that someone who sent a message cannot deny having sent it, by using security processes such as digital signatures.
There are two major classes of cryptographic mechanisms: symmetric and asymmetric. In symmetric mechanisms, the same key is used for encryption and decryption. Examples of symmetric confidentiality mechanisms are
• block ciphers, such as DES and AES; and
• stream ciphers, such as the GSM A1, A2 and A3 algorithms.
Integrity is often protected using symmetric mechanisms. Integrity-protection algorithms are also called message authentication codes (MAC). The most popular MAC is the HMAC algorithm. Because the key in symmetric mechanisms can be used to decrypt content, it must be kept secret from all but legitimate users of the encryption scheme.
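The following sketch shows confidentiality and integrity combined in the way the preceding paragraphs describe: a block cipher (AES) hides the text, and an HMAC tag is the additional information that lets the receiver detect modification. It is an added example, not the thesis's secureSMS code; it uses the JDK's `javax.crypto` classes rather than the Bouncy Castle API used on MIDP phones, assumes the two keys are already shared by both parties, and the class and method names are hypothetical.

```java
import javax.crypto.*;
import javax.crypto.spec.*;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Arrays;
public class SmsSealDemo {
    static final int IV_LEN = 16, TAG_LEN = 32;

    // HMAC-SHA256 over the first len bytes of data, keyed with the separate MAC key.
    static byte[] tag(byte[] macKey, byte[] data, int len) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(macKey, "HmacSHA256"));
        mac.update(data, 0, len);
        return mac.doFinal();
    }

    // Encrypt-then-MAC. Output layout: IV (16) || AES-CBC ciphertext || HMAC tag (32).
    static byte[] seal(byte[] encKey, byte[] macKey, String sms) throws Exception {
        byte[] iv = new byte[IV_LEN];
        new SecureRandom().nextBytes(iv);            // fresh random IV for every message
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(encKey, "AES"), new IvParameterSpec(iv));
        byte[] ct = c.doFinal(sms.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[IV_LEN + ct.length + TAG_LEN];
        System.arraycopy(iv, 0, out, 0, IV_LEN);
        System.arraycopy(ct, 0, out, IV_LEN, ct.length);
        System.arraycopy(tag(macKey, out, IV_LEN + ct.length), 0, out, IV_LEN + ct.length, TAG_LEN);
        return out;
    }

    // Verify the tag first (constant-time compare); decrypt only if it matches.
    static String open(byte[] encKey, byte[] macKey, byte[] msg) throws Exception {
        int bodyLen = msg.length - TAG_LEN;
        if (bodyLen < IV_LEN + 16) throw new SecurityException("message too short");
        byte[] got = Arrays.copyOfRange(msg, bodyLen, msg.length);
        if (!MessageDigest.isEqual(tag(macKey, msg, bodyLen), got)) throw new SecurityException("integrity check failed");
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(encKey, "AES"), new IvParameterSpec(msg, 0, IV_LEN));
        return new String(c.doFinal(msg, IV_LEN, bodyLen - IV_LEN), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        byte[] encKey = new byte[16], macKey = new byte[32];   // assumed pre-shared keys
        new SecureRandom().nextBytes(encKey); new SecureRandom().nextBytes(macKey);
        byte[] wire = seal(encKey, macKey, "Transfer approved, ref 0001"); // constructed sample text
        System.out.println(open(encKey, macKey, wire));
        wire[IV_LEN] ^= 0x01;                        // simulate modification in transit
        try { open(encKey, macKey, wire); } catch (SecurityException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

Using separate keys for encryption and for the MAC, and checking the tag before any decryption, keeps a modified message from ever reaching the cipher.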
Asymmetric mechanisms use a pair of separate keys, one for the encryption transform and one for the decryption transform. The public key can be made publicly available, but the private key must never be revealed. Asymmetric mechanisms are typically used for distributing keys (for example, a symmetric key) or for digital signing purposes. A public key can be used to encrypt a symmetric key, which in turn can only be decrypted by the legitimate receiver using the corresponding private key. A private key may also be used to digitally sign data. The signature can be verified by anyone who knows the corresponding public key. The RSA scheme is a widely known example of an asymmetric cryptographic
A lot of research work has already been done in this regard, and it has been proved that most if not all of the existing algorithms employed by GSM companies as security measures have been broken. Equally, the smart card in GSM phones, the SIM card, can be cloned, and as such more research needs to be done to protect sensitive and critical data where GSM technologies are employed.
This Master's thesis focuses on ways through which sensitive user data (especially short message service (SMS) data) can be further protected against threats from malicious and criminally-minded users. All other areas of information and system security are equally researched by the project.
1.1 Aims and Objectives of the Project
The aims and objectives for the project are as follows:
- To study how GSM works with respect to the various security algorithms inbuilt into it.
- To study all the existing GSM cryptographic algorithms and expose their strengths and shortcomings.
- To proffer a solution to the shortcomings inherent in the original encryption algorithms found in GSM technologies by using a software-based approach to develop a MIDlet program in JAVA that can be used to further secure and protect users' sensitive and critical data (SMS only) using the Bouncy Castle JAVA cryptographic Application Programming Interface (API).
- To test run the security JAVA MIDlet software program in compatible Mobile Information Device Profile (MIDP) phones or mobile devices engaged in an end-to-end GSM data communication session.
1.2 Justification for the Study
Mobile phones are used on a daily basis by hundreds of millions of users, over radio links. Unlike a fixed phone, which offers some level of physical security (i.e. physical access is needed to the phone line for listening in), with a radio link, anyone with a receiver is able to passively monitor the airwaves.
Mobile phones are equally used in several sensitive and mission-critical environments, e.g. financial, military, educational etc., where the integrity and privacy of data must not be compromised.
Therefore it is highly important that reasonable technological security measures are taken to ensure the privacy of users' phone calls and text messages (and data), as well as to prevent unauthorized use of the service being run by the mobile phone applications.
1.3 Scope of the Project
This study will cover:
- Data security in the Global System for Mobile Communication (GSM); all the existing security algorithms will be analysed and their strengths and weaknesses highlighted.
- Software will be used to strengthen GSM data security where weaknesses exist, using a MIDlet JAVA program developed with the Bouncy Castle Java cryptographic API. A software program will therefore be written in the JAVA programming language to improve the security features of GSM data where the integrity of users' data is critical and must not be compromised. This Master's project will focus on developing a software application that protects users' Short Message Service (SMS) data only.
1.4 Limitations of the Project
1. This application can only be implemented on a Java-enabled phone that supports Mobile Information Device Profile (MIDP) 2.0.
2. Both the sender and the recipient have to install the security software (the secureSMS software application) on their mobile phones in order to implement the solution and to send and read encrypted and secure SMS.
3. The two people engaged in a two-way communication must switch on their mobile phones to be able to send and receive the secure SMS data.
4. The application does not have a Record Management Store facility yet, so the mobile phones cannot store the sent and received SMS data for future reference.
5. The security application can only work in an environment where a Global System for Mobile Telecommunication (GSM) or Universal Mobile Telecommunications System (UMTS) network is available and cannot work yet on a CDMA (Code Division for Multiple Access) network.
1.5 Project Report Organisation
This master thesis report is structured as follows:
Chapter 1, Background Information: This chapter gives general background information on security in computer systems and information systems, and on the security of GSM data and the problems inherent in them.
The chapter also captures the Aims and Objectives of the research project, the Justification for embarking on the research project on Information and GSM data security as well as the objectives and scope of the study.
Chapter 2, Literature Review: Various relevant literature and facts that pertain to the subject study: GSM technologies and GSM data security are highlighted. Also highlighted are the Java data security technologies that are employed in the project to strengthen the deficiencies noted in existing GSM security.
Chapter 3, Methodology & System Analysis: To provide further security for data in mobile devices during a communication session (SMS), in combination with the existing encryption algorithms inbuilt in GSM mobile devices, a MIDlet JAVA program is developed with the BouncyCastle cryptographic Application Programming Interface (API). This chapter highlights more of the ins and outs of the JAVA technologies used in this
Chapter 4, System Design and Development: This chapter handles the full program design for the development of the security program to protect user’s GSM SMS data using JAVA programming language and NETBEANS 6.8 Integrated Development
Chapter 5, System Implementation: This chapter handles the full testing, running, deployment and implementation of the two programs written in Chapter 4 above, which are used to strengthen the existing GSM algorithms and to provide a simulation exercise for the existing GSM security algorithms. The JAVA MIDlet secure SMS program is deployed using cable to PC as well as Over the Air (OTA) communication running on compatible MIDP 2.0 Nokia phones such as the Nokia 2700 Classic to implement the solution.
Chapter 6, Summary and Conclusion: A synopsis of the achieved goals of the implementations is shown. Problems encountered in the project and the way out of them are equally highlighted. Furthermore, recommendation for future work on the project is given and finally this chapter gives a concluding remark on the project.
References cover all the cited works of other people used in this Master's thesis.
Appendix A: Covers the program source code for the project.
Appendix B: Covers the GSM and other acronyms used and their full meanings.