Feb 19, 2015 - cheap and accessible ways of exchanging text messages using .... paradigm that provides signcryption (i.e., digital signature combined with.
SMSCrypto: A Lightweight Cryptographic Framework for Secure SMS Transmission Geovandro C. C. F. Pereira∗, Mateus A. S. Santos, Bruno T. de Oliveira, Marcos A. Simplicio Jr., Paulo S. L. M. Barreto, C´ıntia B. Margi, Wilson V. Ruggiero {geovandro,mateus,btrevizan,mjunior,pbarreto,cbmargi,wilson}@larc.usp.br Department of Computer and Digital Systems Engineering (PCS), Escola Polit´ecnica, University of S˜ ao Paulo (POLI-USP). Av. Prof. Luciano Gualberto, trav. 3, n 158 05508-900 S˜ ao Paulo (SP), Brazil.
Abstract Despite the continuous growth in the number of smartphones around the globe, Short Message Service (SMS) still remains as one of the most popular, cheap and accessible ways of exchanging text messages using mobile phones. Nevertheless, the lack of security in SMS prevents its wide usage in sensitive contexts such as banking and health-related applications. Aiming to tackle this issue, this paper presents SMSCrypto, a framework for securing SMSbased communications in mobile phones. SMSCrypto encloses a tailored selection of lightweight cryptographic algorithms and protocols, providing encryption, authentication and signature services. The proposed framework is implemented both in Java (target at JVM-enabled platforms) and in C (for constrained SIM Card processors) languages, thus being suitable for a wide range of scenarios. In addition, the signature model adopted does not require an on-line infrastructure and the inherent overhead found in the Public Key Infrastructure (PKI) model, facilitating the development of secure SMS-based applications. We evaluate the proposed framework on a real phone and on SIM Card-comparable microcontroller. Keywords: cryptography, SMS, security, elliptic curve cryptosystems 2010 MSC: 11T71, 94A60, 14G50 ∗
Corresponding author. Phone: +55–11–3091–9759.
Preprint submitted to Journal of Systems and Software
February 19, 2015
1. Introduction Despite the advances in the mobile industry toward 3G communication, SMS messages are still widely used by mobile user all around the world. Indeed, according to the International Telecommunication Union (ITU) [27], the number of transmitted SMS worldwide reached 6.1 trillion in 2010, which translates to an estimated revenue of U$ 812.000 every minute. In the same year, SMS was responsible for 63.9% of the revenue with mobile messaging services, by far surpassing alternatives such as MMS (Multimedia Messaging Service), mobile e-mail and mobile IM (Instant Messaging) [43]. Based on these numbers and in the fact that these figures continue to grow [27], it is reasonable to consider that SMS will remain as a huge source of revenue for the mobile industry for years to come. A large portion of this growth stems from the fact that SMS is nowadays used by a wide range of consumer mobile applications rather than only personal communications. This includes applications with recognized impact on consumers and industry players such as money transfer and mobile payment [48]. On the other hand, the widespread use of SMS in such scenarios also raises security concerns, since many of these applications handle highly sensitive information. Therefore, in order to prevent (or at least minimize) misuse, security services such as confidentiality, integrity and authenticity of the messages exchanged are essential. Unfortunately, however, the SMS specification [1] was not conceived with security features in mind. In this context, relying on the underlying mobile network’s security services could be an option, but experience shows that widely deployed mobile infrastructures such as GSM (Global System for Mobile communications) suffer from serious vulnerabilities [10].The more recent UMTS (Universal Mobile Telecommunications System) standard solves many of the issues with GSM, but some security concerns still exist [13] regarding the robustness of its underlying cipher [17, 23] and its backward compatibility with GSM [3]. Even if such vulnerabilities are solved, robust end-to-end security would still be necessary in order to prevent malicious activities such as phishing [54] and unauthorized access to information stored in clear inside the mobile operator’s database [29] or in the user’s own device. Such concerns motivate the construction of an additional security layer on top of the mobile network infrastructure providing the services required by security-demanding 2
applications. In addition to robustness, such layer must be capable of taking advantage of characteristics inherent to the underlying infrastructure such as mobility, efficiency and low cost. When developing SMS-oriented applications for mobile phones, one can either use the device’s own microprocessor or the one provided inside its Subscriber Identity Module (SIM) card chip. Using the latter is usually a more difficult task due to its highly constrained nature both in terms of memory and processing power: a traditional SIM card is equipped with a 8-bit or 16-bit processor operating at 5-15 MHz as well as a 64-128 KiB EEPROM [7, Table 10.3], while its RAM capacity is commonly below 10 KiB [24]. Nonetheless, SIM cards can be considered a natural environment for deploying security services. This stems from the fact that it is much more difficult to recover secret information from a securely-built SIM chip than from the device’s flash memory. Therefore, any robust security framework should also be suitable for deployment in SIM cards if its widespread adoption is to be expected. On the other hand, a straightforward approach of using RSA [44] for data encryption and digital signature in the Public Key Infrastructure (PKI) model is largely unsuitable: not only RSA would take too long to run even for modest key sizes (e.g., 1024 bits) and result in quite large signatures per SMS, but the PKI model would incur the burden of transmitting large certificates (about 2–4 KiB, equivalent from 15 to 30 SMS) for public key validation. For this reason, more adequate alternatives are necessary. Our contribution in this paper is the design of SMSCrypto, a security framework especially tailored for protecting SMS-based applications. Unlike many proposals found in the literature, SMSCrypto not only includes lightweight algorithms based on Elliptic Curve Cryptography (ECC) [25] in order to overcome the need of auxiliary storage/processing devices, but also provides protocols in the certificateless Baek, Safavi-Naini and Susilo (BSS) model [9] that avoids the need of a full-fledged PKI. The efficiency of the solution is evaluated through benchmarks on real platforms. The remainder of this paper is organized as follows. Section 2 discusses the related work. Section 3 describes alternatives to the PKI model, motivating our choice for the certificateless BSS model. Section 4 details the SMSCrypto framework as well as the motivation behind the selection of cryptographic solutions. Our benchmark results on a typical mobile phone SIM card is presented in section 5. We present our conclusions in section 6.
3
2. Related Work Cryptographic schemes for securing SMS-based communications on a GSM network are not too uncommon in the literature. However, most of the existing security framework proposals targets implementations to the mobile phone processor itself, a common strategy for avoiding resource limitation issues intrinsic to commercially available SIM card devices. This is the case of [5, 32], which propose the use of RSA and PKI and thus display large overheads in terms of memory, processing and SMS usage both for digital signatures and public key validation. Wu and Tan [55] adopt a similar approach, but avoid using the SMS channel for key validation by considering that the parties have already exchanged public keys securely by some other means. Another workaround for PKI that sacrifices usability is given in [20], which proposes that users register themselves on a web site before they start exchanging secure SMS. The literature also displays more drastic (and thus expensive) measures for securing SMS in an efficient manner. One example is presented in [26], which discusses some modifications on the original GSM specifications. Another common strategy is the adoption of an auxiliary device with better computational capabilities, such as a SIM card empowered by a co-processor and additional storage space for private keys [45] or a Java-based SIM card [28]. The search for more efficient solutions is illustrated in recent works such as [2], which evaluates cryptographic algorithms in the context of SMS-based applications and shows that ECC is a promising approach. This comes with little surprise, since such algorithms have already been used successfully in works such as [53]. Nonetheless, the advantages brought by ECC in [53] are somewhat counter-balanced by the overheads resulting from its adoption of the PKI model; moreover, this solution recommends the creation and distribution of certificates by a central Key Generating Server that is able to perform key escrow. In comparison, the SMSCrypto framework provides lightweight algorithms and protocols that are not only suitable for implementation in regular SIM cards but also allow the establishment of a secure and escrow-less communication without the need of an always-online server. 3. Background There are today many alternatives to the PKI model. Among them, Identity-Based (IB) cryptography, initially introduced by Shamir [47] in an 4
attempt to mitigate the burden of a PKI, is probably one of the most used. The advantage of an IB cryptosystem is the fact that public keys are free to be chosen; therefore, by selecting the users’ identities as their own public keys, one can avoid the need for certificates altogether. On the other hand, the private keys are not chosen by the users but issued by a trusted authority called Key Generation Center (KGC) or Trust Authority (TA). Therefore, the original IB model has the drawback of implicitly establishing a key escrow mechanism, since the KGC has the ability to recover confidential information from any user and can thus impersonate them at will. Certificateless (CL) cryptography [4] was introduced to address the key escrow issue while avoiding the use of certificates and the need for a PKI. This paradigm has been adopted in many solutions for mobile scenarios such as Ad Hoc Networks and MANETs [33, 56, 31]. The principle behind the CL formulation is to partition the private key into two components: a partial IB key (generated by the KGC and thus subject to escrow) and one conventional non-certified partial key (unknown to the KGC). One important feature of CL is the “encryption into the future”, which allows users to publish their public keys for utilization even before they obtain the partial IB key from the KGC, albeit the latter is required subsequently for decrypting those messages. The CL approach combines features of IB and conventional certificate-based cryptography, and indeed a number of CL encryption schemes derived from identity-based encryption (IBE) have been proposed [21]. Nevertheless, recent works [21, 35] show an undesirable intrinsic problem found in schemes based upon the original CL formulation [4]: the Denial of Decryption (DoD) attack [21, Section 2.7]. Basically, the DoD consists of an attacker that publishes a false public key on behalf of an honest user A and then encourages other users to employ the false key when encrypting messages to A, preventing those messages to be decrypted. As a result, honest users may lose confidence in the system and even abandon it out of frustration. Self-Certified (SC) schemes have also the property of splitting the private key into two components as in CL schemes, thus preventing key escrow. The main difference when compared to CL is that SC has no “encryption into the future” property, therefore does not suffer from DoD attacks. In this case, users have to obtain the partial IB private key from a KGC-like entity before generating and publishing public keys. In the SMSCrypto framework, we adopt the BSS model, a slightly modified formulation of CL by Baek et al. [9], which does not suffer from DoD attacks and avoids the limitations of a full-fledged PKI and also of IBE. 5
More specifically, we employ the CL-based protocol BDCPS [11], which to the best of our knowledge is one of the most efficient solutions following this paradigm that provides signcryption (i.e., digital signature combined with encryption [57]). 4. The SMSCrypto Framework This framework aims to provide end-to-end security for different SMS application scenarios, in which this feature is useful. Figure 1 illustrates a scenario where the framework is applied, establishing a secure channel for a user-to-user communication, and ensuring their privacy. Figure 1 also shows secure communication between user and application server, or service provider, type of case that usually is more critical, such as in financial transactions. Each entity has a unique ID, which could be, for example, their own phone number. They all know a third party in which they trust for defining system security parameters, but it should not be allowed to eavesdrop any conversation or participate in the process after a setup procedure. We call this third party a semi-trusted entity or a Ticket Booth for reasons that will become clearer along the discussion. In what follows, we describe the building blocks of the SMSCrypto security framework for SMS-based applications, describing its setup by users and the security functionalities provided.
Figure 1: Deployment scenario for SMSCrypto
6
4.1. Bootstrapping security with BDCPS A straightforward way of bootstrapping a secure communication is to simply establish a common secret in an offline manner (e.g., in person) and then employ symmetric cryptographic algorithms. Even though the SMSCrypto framework gives support for such method, it also allows users to establish a secure communication using public key cryptography. Before two users can communicate securely using the latter approach, however, they must first validate each other’s public keys. Instead of adopting the usual strategy of downloading and transmitting certificates, in SMSCrypto this task is performed using the certificateless BSS scheme BDCPS [11]. Differently from PKI, which requires an online and fully trusted CA, BDCPS considers a semi-trusted entity called Ticket Booth1 . This entity only generates “tickets” with which the users can sign their conventional public keys, a process that is required only once per user (e.g., upon registration into the system). More specifically, the BDCPS scheme involves the public parameters params = (λ, n, G1 , G2 , GT , e, P, Q, g, hx , h0 , h1 , h2 , h3 , Ppub ), where: λ is a system-defined security parameter n is a 2λ-bit prime number (G1 , G2 , GT ) are bilinear map groups of order n e : G1 × G2 → GT is a efficiently computable, non-degenerate pairing algorithm P ∈ G1 , Q ∈ G2 and g = e(P, Q) ∈ GT are generators of G1 , G2 and GT , respectively hx : {0, 1}∗ × Z∗n → Z∗n , h0 : G2T × {0, 1}∗ → Z∗n , h1 : GT × {0, 1}∗ → Z∗n , h2 : GT → {0, 1}∗ , and h3 : (GT × {0, 1}∗ )3 → Z∗n are hash functions Ppub = sP ∈ G1 is the Ticket Booth’s public key generated from this R
entity’s secret master key s ← Z∗n 1
The Ticket Booth is commonly called KGC (Key Generation Center) in the literature for historical reasons. We avoid this nomenclature, however, because this entity does not generate actual keys, but rather “tickets” for validating the secret keys generated by users.
7
With those public parameters, users can compute an identity-based public/private key pair as follows (see Figure 2): 1. From a chosen password pwd and a random value salt, user A computes the secret value xA ← hx (pwd, salt) 2. A then computes a partial public key yA as yA ← g xA ∈ GT , which is sent to the Ticket Booth along with A’s own identifier IDA ∈ {0, 1}∗ . 3. The Ticket Booth computes QA ← (h1 (yA , IDA ) + s)−1 Q ∈ G2 , A’s identity-based partial private key, which acts as a “ticket” for validating A’s complete private key (unknown to the Ticket Booth). A can ascertain the consistency of the ticket by verifying that e(h1 (yA , IDA )P + Ppub , QA ) = g. 4. A uses (xA , QA ) ∈ Z∗n × G2 as his/her complete private key pair. The corresponding public key is then set to the triple (yA , hA , TA ) ∈ GT × Z∗n × G2 , where hA ← h0 (g uA , yA , IDA ) and TA ← (uA − xA hA )QA for a random uA ∈ Z∗n picked by A. For an underlying pairing-friendly elliptic curve where G1 has order n ≈ 2 and embedding degree k, G2 is the twist of correct order (a multiple of n) and twist degree d, and the group GT if defined over a larger field Fpk , the storage taken by a public key is therefore k lg n + lg n + (k/d) lg n = 2(k(1 + 1/d) + 1)λ bits. For instance, an MNT4 curve [37] has k = 4 and d = 2, hence a public key based on an MNT4 curve would take 14λ bits, while a BN curve [12] has k = 12 and d = 6, hence a corresponding public key would take 30λ bits at the same security level λ. Figure 2 illustrates the interactions between the cell phone and the Ticket Booth in order to set the user’s public key. The result of this bootstrap process is that any entity can verify A’s complete public key (yA , hA , TA ) by computing rA ← e(h1 (yA , IDA )P + Ppub , TA )yAhA and then checking that yA has order n (i.e. yA 6= 1 but yAn = 1) and that h0 (rA , yA , IDA ) = hA . Figure 3 shows this process. Figure 2 emphasizes that the ticket, denoted as QA , must be sent through a secure channel. Considering that the semi-trusted entity has already the user’s public value, denoted as yA , it could use a conventional public key encryption scheme to establish the secure channel, since the user has a private key component related to its partial public key yA . One interesting characteristic of this BDCPS-based process is that it bounds a user-dependent information (the password pwd, used to generate 2λ
8
Figure 2: Bootstrapping security with BDCPS in SMSCrypto
xA ) with a device-dependent information (the securely-delivered ticket QA ). Therefore, if the application built upon SMSCrypto locally persists QA but always requires the user to enter his/her password for computing xA , an attacker that steals the device would still be unable to impersonate the real user. A similar behavior could obviously be achieved in a regular PKI if the user’s private key is password-encrypted, but the fact that BDCPS does so at the cost of a single hash makes it a quite elegant solution. 4.2. Cryptography services After security bootstrapping, applications making use of the SMSCrypto framework can choose among the following services when exchanging messages: encryption only, authentication only, authenticated encryption or signcryption. Unfortunately, many off-the-shelf algorithms for providing such services, even standardized ones, have their drawbacks. In particular, the standard parameters for the GCM, an authenticated encryption algorithm, as defined by NIST have been shown [46] to be far weaker than expected, and succumb to several kinds of attacks against its authentication proper9
Figure 3: Validation of a user’s public key
ties. Besides, even if secure variants of GCM are adopted according to the guidelines in [46], its efficiency in constrained platforms is quite uninviting [52]. For this reason, the proposed framework relies on handpicked solutions, both generic and dedicated, that are not only provably secure but, as shown in [52], can also attain better performance results for the particular scenario where our proposal naturally resides than would be possible with many of the existing alternatives. As a result following choices were made: Encryption only – Provides data confidentiality by means of a block cipher operating in the CTR (Counter Mode) mode [15]. This operating mode is advantageous for use in constrained platforms because it is length-preserving (i.e., ciphertexts have the same length as the corresponding plaintexts) and it requires only the underlying cipher’s encryption algorithm, yielding a more compact code. On the other hand, it requires a non-repeating Initialization Vector (IV) for each key used; since IVs are sent along with the encrypted message, they should be sufficiently small not to limit the amount of payload in each SMS and large enough to remain unique during the whole key lifetime. The cipher adopted in the framework is the widely used AES (Advanced Encryption Standard) block cipher [19]. Authentication only – Provides data integrity and authenticity. It
10
uses a block-cipher based Message Authentication Code (MAC) for generating a message and key-dependent tag appended to each SMS message. The tag size can be configured by the application, but it should be at least 8 bytes in order to prevent attacks [38, Appendix A]; nevertheless, since the payload shares the limited SMS space with the authentication tags, the latter should not be too large. Two MAC options are available in the framework: CMAC [38], probably the most widely used block cipher-based MAC algorithm in the world and a NIST recommendation; and Marvin [50], a more recent solution especially designed for resource-constrained platforms and whose security has been formally analyzed in [51]. The first is more recommended for compatibility with existing hardware and software, while the latter may be an interesting alternative due to its slightly better performance and compactness (as further discussed in section 5). In any case, the underlying block cipher is AES. Authenticated encryption – Provides data confidentiality, integrity and authenticity from a block-cipher based scheme for AuthenticatedEncryption with Associated Data (AEAD) [18]; more precisely, it is possible to encrypt part of the message, leave another part in plaintext (the “associated data”), and then authenticate both parts altogether. In this case, both a non-repeating IV and an authentication tag are appended to the message, incurring a larger overhead if their sizes are not appropriately chosen. Two AEADs are available, namely: EAX [14], a general purpose AEAD combining CMAC for authentication and CTR mode for encryption, which displays provable security; and LetterSoup [50], a scheme designed for platforms with limited resources, which combines Marvin and the LFSRC (Linear Feedback Shift Register Counter) encryption mode and whose security was also formally analyzed in [51]. Again, the underlying block cipher is AES. Signcryption – Provides data confidentiality, integrity and authenticity without prior exchange of symmetric keys. If A wants to securely send a message m ∈ {0, 1}∗ to another user B after verification of each other’s keys, they can use the following algorithms from BDCPS 2 : 2
We point out here the correction of a typo on the original BDCPS [11], already corrected in [41, Appendix B], namely on step 4 of Signcrypt and step 2 of Unsigncrypt.
11
Signcrypt: for a random u ∈ Z∗n , generates the signcryptogram (c, h, z) ∈ {0, 1}∗ × Z2n by means of the following operations 1. 2. 3. 4.
r ← yBu c ← h2 (r) ⊕ m h ← h3 (r, m, yA , IDA , yB , IDB ) z ← u − xA h
Unsigncrypt: recovers m from the signcryptogram (c, h, z) as follows 1. 2. 3. 4. 5.
checks that h, z ∈ Z∗n r ← yAh·xB yBz m ← h2 (r) ⊕ c v ← h3 (r, m, yA , IDA , yB , IDB ) accepts m iff v = h
The most suitable choice depends not only on the application’s needs in terms of security services (confidentiality, integrity and authenticity) but also on how much overhead is acceptable. For example, signcryption does not require the setup of a symmetric key between two parties before they start communicating, unlike the other services; on the other hand, this service is more processing-intensive and also leads to a higher space occupation in the SMS messages, leaving less space for the application’s payload. Therefore, the application can use signcryption all the time or, as in many conventional systems, employ signcrypted messages for encapsulating symmetric keys only at the beginning of the communication, and then use those shared keys from that point on. In some scenarios, it may even be advantageous to ask the interested parties to manually set the symmetric keys from the application’s interface instead of setting them up by means of the BDCPS protocol. In any case, by providing this wide range of services the SMSCrypto framework remains flexible enough for covering the needs of such diverse scenarios. 4.3. Limitations It is relevant to note that the original version of BDCPS does not provide the full non-repudiation feature of digital signatures. For instance, it can be argued that this feature can be obtained producing a variant of BDCPS by combining it with other protocols in literature like the SEG protocol [34], and it has been subject of additional research by some of the authors herein. 12
4.4. Implementation considerations As previously stated, the SMSCrypto framework aims to be lightweight enough for implementation on SIM cards. Nevertheless, at the same time it must be flexible enough for deployment in the mobile phone as well, ensuring its wider applicability (e.g., by service providers who have no access to the SIM cards or prefer not to use its capabilities). For this reason, the framework was implemented both in Java and C languages: the former version is intended to be deployed in J2ME-enabled phones, while the latter is targeted at SIM cards. Actually, deploying the framework in SIM cards has at least one advantage in terms of security, namely that all the cryptographic material can be kept inside the SIM card itself, preventing attackers from accessing it even if the device’s memory is somehow compromised. In comparison, if one wishes to provide a similar (albeit not equivalent) security level with the Java implementation, the cryptographic material must be securely persisted (e.g., encrypted with a password-derived key). Moreover, SIM cards can be moved from one device to another without any data loss. Given the particularities of each approach, we expect both to be useful depending on the target application. Finally, for a matter of simplicity and to ensure a small code size, the configuration of which type of function will be available in the framework should preferably be made at compilation time. 5. Performance analysis We now present our benchmark results regarding the SMSCrypto framework functionalities. The main metrics considered are number of SMS messages required, the CPU processing time and the memory usage per operation. The experiments were performed on a Java-enabled mobile phone (Nokia 5530 [39]) as well as on a microcontroller whose computational capabilities resemble those of a low capacity SIM card. The real microcontroller used is the ATmega 128L [8], which is available in the MICAz [36] wireless sensor device. The technical specifications of each device are shown in Tables 1 and 2, respectively. The code developed for the ATMega 128L processor was written in C, while we used Java for developing the algorithms that run on the Nokia 5530 phone’s internal processor. During our measurements, we collected 1000 samples for the symmetric schemes and 50 samples for the public key scheme, namely the BDCPS protocol. A 90% confidence level
13
was chosen for all the experiments in order to obtain the confidence interval. Confidence intervals less than 1% of the average were considered negligible. CPU Count Hardware CPU type Hardware CPU clock rate SDRAM memory
Single ARM 11 434 MHz 128 MiB
Table 1: Technical data of the Nokia 5530 cell phone [39]
Hardware CPU type Processor Hardware CPU clock rate RAM memory Flash memory
AVR ATmega 128L 8-bit 8 MHz 4 KiB 128 KiB
“Traditional SIM Card” 8- or 16-bit 5-15 MHz below 10 KiB 64-128 KiB
Table 2: Technical data of the ATmega 128L platform [8] compared with a traditional SIM Card [7, 24]
5.1. Symmetric Algorithms Table 3 presents the communication overhead of an SMS message transmitted using the symmetric algorithms for confidentiality and authentication. In this scenario, the IV and authentication tag added by the security mechanisms are the sole source of communication overhead, which represent at most 22.8% of the SMS message size. The space overhead can be modified in accordance with the application requirements.
Encryption only Auth only Encryption + Auth
Overhead |IV| ≤ 16 |tag| ≤ 16 |IV| + |tag| ≤ 32
Payload 124 124 108
Max Overhead 11.4 % 11.4 % 22.9 %
Table 3: Communication overhead (bytes) of an SMS message for the symmetric algorithms. The overhead consists of the initialization vector (IV) and/or the authentication tag
Table 4 presents the memory usage of the symmetric algorithms on ATMega 128L. The results show that the algorithms are suitable even to a 14
ROM RAM
CTR 1862 275
Marvin 2034 281
CMAC 1896 278
LS 2204 277
EAX 2546 282
Table 4: Memory usage of the symmetric algorithms on ATMega 128L
SIM Card, since the most expensive one is the EAX, which consumes 2.5 KiB of ROM and 282 bytes of RAM. Figure 4 shows the performance of the symmetric algorithms on the Nokia 5530 for different message lengths, ranging from 32 to 320 bytes, i.e., 2 to 20 AES blocks; regarding the AEAD schemes, 10 bytes of the entire message are considered to be associated data. As the number of blocks of the input message increases, the processing time increases proportionally, as expected. Nonetheless, for all the schemes, the encryption and/or authentication of messages of 320 bytes would still require less than 1 millisecond. Figure 4 also shows that Marvin and LetterSoup slightly outperform CMAC and EAX, respectively. The results obtained also reveal a better performance of the AEAD schemes when compared to the encryption and authentication algorithms applied separately: LetterSoup took 0.5 milliseconds to process a 320-byte message, while processing with the other algorithms added up to 0.8 milliseconds. Figure 5 presents the results of the symmetric algorithms on the ATmega 128L microprocessor. The algorithms are also efficient on that platform, taking no more than 100 milliseconds for processing a message of 320 bytes. Once again Marvin and LetterSoup were faster than CMAC and EAX, respectively. The LetterSoup AEAD scheme was at least as efficient as any other combination of encryption and authentication, although the same did not apply to the EAX scheme. 5.2. Signcryption The choice of a signcryption scheme is justified by the fact that an integrated method for encrypting and signing messages is more efficient than applying encryption and signing separately. The efficiency improvement may reside in the processing time, bandwidth occupation, key management, or any combination thereof; or it may be simply a robust way to combine the two primitives so as to avoid deleterious interactions. Our C language implementation uses RELIC, which stands for “RELIC is an Efficient LIbrary for Cryptography” [30] and was designed for use in constrained devices. This library has been optimized for elliptic curve arith15
Figure 4: Performance of symmetric algorithms on Nokia 5530
metic operations [6, 40] and is coded in both C and Assembly languages. RELIC is flexible in the sense that users can fine-tune security (e.g., the size of the curves) and performance (e.g., the usage of pre-computation tables) parameters before compilation to the target platform. For our Java implementation, we were able to analyze two pairing libraries: SMSPairings3 and BNPairings4 . The reason for measuring both libraries is that each of them is more appropriated for different ranges of security level, namely at most 80-bit and 80–128-bit, respectively, which means that one can adopt the more suitable for the resources available on the target device and the security desired. In order to provide different ranges of security level they are supported by different families of elliptic curves and pairing functions. SMSPairings is based upon MNT4 curves [37]. By the other hand, the BNPairings library is based upon BN curves [22, 16, 49] and presents better gains for higher security levels on pairing computation. The work in [42] gives good results for implementors, and provides breaking speed records in software for an important pairing function. Compared to the solution proposed in [5], for the same security level of 3 4
code.google.com/p/secure-sms/source/browse/SMSPairings code.google.com/p/bnpairings/
16
Figure 5: Performance of symmetric algorithms on ATmega 128L
RSA-1024 (λ = 80 bits), the size of the complete public key in our framework is 14 ∗ λ = 14 ∗ 80 = 140B (for a MNT4 curve) or 30 ∗ λ = 30 ∗ 80 = 300B (for a BN curve) while using RSA, as proposed in [5], a complete public key costs about 2KiB (the size of a certificate containing the key). Given that an SMS message has only 140 bytes available, our solution requires one (or three) SMS messages while the cost in [5] and similar RSA-based solutions is at least 15 SMS messages. Table 5 illustrates the comparison of some involved sizes. Parameter Public Key Private Key
RSA [5] 2 KiB 128 B
BDCPS/MNT4 140 B 32 B
BDCPS/BN 300 B 20 B
Table 5: Comparison between RSA and BDCPS for 80 bits of security
Table 6 shows the benchmark results obtained using the RELIC, SMSPairings and BNPairings libraries for typical operations needed in the protocol. The most expensive operation is the Public Key Validation due to the computation of the pairing algorithm; nonetheless, it is executed by the users only once, when they authenticate themselves. After that, cheaper operations such as signcrypt and unsigncrypt dominate the processing time. 17
The static RAM used by the C code is also listed on Table 6, as important parameter given that the underlying platform has a strict limitation of 4KiB RAM memory. For the Java implementation, memory is not a problem since many MiB are typically embedded in Java-enabled mobiles phones. We note that both implementations of the protocol – C and Java – considered the same security level of 80 bits, equivalent to RSA-1024. Moreover, and even though Java implementations are usually slower than those created using the C language, the former implementation ends up being more efficient because the phone processor is 50 times faster than the ATmega 128L. Operation Public Key Validation Signcrypt Unsigncrypt Static RAM
C + Assembly ATMega128L 4.4 s 1.5 s 3.0 s 1.7 KiB
SMSPairings Nokia 5530 2.66 s 0.32 s 0.47 s NA
BNPairings Nokia 5530 1.60 s 0.99 s 2.08 s NA
Table 6: Experiments of different BDCPS implementations for 80 bits of security
Table 7 presents the communication overhead for the BDCPS scheme. The signcryptogram is comprised by the triple (c, h, z), where c is the resulting ciphertext and the other elements are part of the signature. The communication overhead for an SMS message is the size of h and z, representing 40 bytes out of 140 bytes. # of SMS Messages 1 2
Max. Payload |c| 100 240
Overhead |h| |z| 20 20 20 20
Total 140 280
Table 7: Communication overhead (bytes) of an SMS message for the BDCPS scheme
The results presented above are quite promising when compared with prior work. For instance, Lee et al. [32] computed RSA and ECDSA signature generation and verification processes on a mobile phone equipped with a 13.5 MHz processor and 2 MiB of RAM memory. The RSA signature generation cost was 7 seconds while BDCPS signcryption requires only 1.5 second (see Table 6) on an 8 MHz microcontroller having 4KiB of RAM. In addition, signcryption also comprises the encryption process. The ECDSA 18
signature generation does display a better performance than RSA, but it is not as fast as the BDCPS if we consider the difference between the testbed platforms, since it takes 1.2 second to process. Other results for ECDSA on resource constrained platforms can be found in [58]. In this case, signature generation takes more than 3 seconds on a Sony Ericsson Z800 Emulator. 6. Conclusion Aiming to tackle the increasing security needs of SMS-based applications, this paper proposes SMSCrypto, a SMS-oriented security framework that provides confidentiality, integrity and authentication services in an efficient manner. SMSCrypto adopts cryptographic algorithms and protocols especially suitable for resource-constrained platforms, comprising conventional and special-purpose symmetric solutions as well as ECC-based public-key protocols for reducing key sizes while ensuring high security levels. This framework used the certificateless BSS security model [9], relying on an entity called Ticket Booth that provides key validation tickets for users, so that they can authenticate each other independently of any underlying PKI. To the best of our knowledge this is the first SMS security framework implementing digital signatures with no additional hardware or storage requirements, and with a small SMS bandwidth occupation fingerprint. Indeed, our benchmark results both on a Java-enabled mobile phone and on a resource-constrained microcontroller show that SMSCrypto outperforms many similar-purpose proposals. As such, its adoption should enable the development and deployment of a wide variety of security-sensitive applications based on the almost ubiquitous SMS infrastructure. For future work, we recall the addition of the non-repudiation property on BDCPS protocol, or yet to include more efficient protocols satisfying that property into the framework. We also mention the possibility for designing e-cash applications, in order to expand solutions for mobile transactions over SMS. Acknowledgments This work was partially supported by the Brazilian National Council for Scientific and Technological Development (CNPq) under research productivity grant 303163/2009-7 and universal research grant 482342/2011-0, and also by the S˜ao Paulo Research Foundation (FAPESP) under grants 2010/02909-8 and 2010/16163-8. 19
References [1] 3GPP2, 2005. C.S0015-B v2.0 – Short Message Service (SMS) for Wideband Spread Spectrum Systems. URL http://www.3gpp2.org/public_html/specs/CS0015-0.pdf [2] Agoyi, M., Seral, D., 2010. SMS security: An asymmetric encryption approach. In: 6th International Conference on Wireless and Mobile Communications (ICWMC). pp. 448–452. [3] Ahmadian, Z., Salimi, S., Salahi, A., 2010. Security enhancements against UMTS-GSM interworking attacks. Computer Networks 54 (13), 2256–2270. [4] Al-Riyami, S. S., Paterson, K. G., 2003. Certificateless public key cryptography. In: Advanced in Cryptology – Asiacrypt 2003. Vol. 2894 of Lecture Notes in Computer Science. Springer, pp. 452–473. [5] Albuja, J. P., Carrera, E. V., 2009. Trusted SMS Communication on Mobile Devices. Brazilian Computing Society. [6] Aranha, D. F., L´opez, J., Oliveira, L. B., Dahab, R., 2009. Efficient implementation of elliptic curves on sensor nodes. In: Conference on Hyperelliptic curves, discrete Logarithms, Encryption, etc (CHiLE 2009). [7] Asif, S. Z., 2011. Next Generation Mobile Communications Ecosystem. John Wiley and Sons. [8] Atmel, 2011. Atmel microcontroller revision 2467XS. http://www. atmel.com/dyn/resources/prod_documents/2467s.pdf. [9] Baek, J., Safavi-Naini, R., Susilo, W., 2005. Certificateless public key encryption without pairing. In: Information Security Conference – ISC 2005. Vol. 3650 of Lecture Notes in Computer Science. Springer, pp. 134–148. [10] Barkan, E., Biham, E., Keller, N., 2003. Instant ciphertext-only cryptanalysis of GSM encrypted communication. Springer-Verlag, pp. 600– 616.
20
[11] Barreto, P. S. L. M., Deusajute, A. M., de Souza Cruz, E., Pereira, G. C. F., da Silva, R. R., 2008. Toward efficient certificateless signcryption from (and without) bilinear pairings. In: The Brazilian Symposium on Information and Computer System Security (SBSeg). http://sbseg2008.inf.ufrgs.br/proceedings/data/pdf/ st03_03_artigo.pdf. [12] Barreto, P. S. L. M., Naehrig, M., 2006. Pairing-friendly curves of prime order. In: Selected Areas in Cryptography – SAC’2005. Vol. 3897 of Lecture Notes in Computer Science. Springer, Santa Fe, New Mexico (USA), pp. 319–331. [13] Becher, M., Freiling, F., Hoffmann, J., Holz, T., Uellenbeck, S., Wolf, C., 2011. Mobile security catching up? Revealing the nuts and bolts of the security of mobile devices. In: IEEE Symposium on Security and Privacy (SP). pp. 96–111. [14] Bellare, M., Rogaway, P., Wagner, D., February 2004. The EAX mode of operation: A two-pass authenticated-encryption scheme optimized for simplicity and efficiency. In: Fast Software Encryption - FSE’04. pp. 389–407, http://www.cs.ucdavis.edu/~rogaway/papers/eax.pdf. [15] Bellovin, S., Blaze, M., 2001. Cryptographic modes of operation for the internet. Second NIST Workshop on Modes of Operation, citeseer. ist.psu.edu/bellovin01cryptographic.html. [16] Benger, N., Scott, M., 2010. Constructing tower extensions of finite fields for implementation of pairing-based cryptography. In: Proceedings of the Third international conference on Arithmetic of finite fields. Springer-Verlag, pp. 180–195, http://dl.acm.org/citation.cfm?id= 1893732.1893752. [17] Biham, E., Dunkelman, O., Keller, N., 2005. A related-key rectangle attack on the full KASUMI. In: ASIACRYPT’05. pp. 443–461. [18] Black, J., 2005. Authenticated encryption. http://www.cs.ucdavis. edu/~rogaway/classes/227/fall03/ae.pdf. [19] Daemen, J., Rijmen, V., 2002. The Design of Rijndael: AES – The Advanced Encryption Standard. Springer, Heidelberg, Germany. 21
[20] De Santis, A., Castiglione, A., Cattaneo, G., Cembalo, M., Petagna, F., Petrillo, U., 2010. An extensible framework for efficient secure SMS. In: Complex, Intelligent and Software Intensive Systems (CISIS), 2010 International Conference on. pp. 843–850. [21] Dent, A. W., 2008. A survey of certificateless encryption schemes and security models. Int. J. Inf. Sec. 7 (5), 349–377, http://dx.doi.org/ 10.1007/s10207-008-0055-0. [22] Devegili, A. J., Scott, M., Dahab, R., 2007. Implementing cryptographic pairings over Barreto-Naehrig curves. In: Pairing-Based Cryptography – Pairing 2007. Vol. 4575 of Lecture Notes in Computer Science. Springer, Tokyo, Japan, pp. 197–207. [23] Dunkelman, O., Keller, N., Shamir, A., 2010. A practical-time relatedkey attack on the KASUMI cryptosystem used in GSM and 3G telephony. In: Advances in Cryptology – CRYPTO 2010. Vol. 6223 of Lecture Notes in Computer Science. Springer Berlin / Heidelberg, pp. 393– 410. Fact Sheet: [24] EM-Microelectronic, 2012. TG360 16b 16-bit high performances flash smart card IC. http://www.emmicroelectronic.com/webfiles/Product/Smartcard/EMTG36016b-FS.pdf. [25] Hankerson, D., Menezes, A., Vanstone, S., 2003. Guide to Elliptic Curve Cryptography. Springer-Verlag New York, Inc., Secaucus, NJ, USA. [26] Hossain, A., Jahan, S., Hussain, M., Amin, M., Shah Newaz, S., 2008. A proposal for enhancing the security system of short message service in GSM. In: Anti-counterfeiting, Security and Identification, 2008. ASID 2008. 2nd International Conference on. pp. 235 –240. [27] International Telecommunication Union, January 2011. THE WORLD IN 2010. http://www.itu.int/ITU-D/ict/material/ FactsFigures2010.pdf. [28] IPCS GROUP, Online visited on Jan 2011. IPCryptSim SMS encryption. http://www.ipcslive.com/pdf/IPCSSMS.pdf.
22
[29] Khozooyi, N., Tahajod, M., Khozooyi, P., 2009. Security in mobile governmental transactions. In: Computer and Electrical Engineering, 2009. ICCEE ’09. Vol. 2. pp. 168–172. [30] Laborat´orio de Criptografia Aplicada do Instituto de Computa¸ca˜o da Universidade de Campinas, 2010. Efficient library for cryptography (RELIC). http://code.google.com/p/relic-toolkit/. [31] Lee, P. H.-J., Narayan, S., Udaya, P., 2008. Secure communication in mobile ad hoc network using efficient certificateless encryption. In: SECRYPT’08. pp. 306–311. [32] Lee, Y., Lee, J., Song, J., 2007. Design and implementation of wireless PKI technology suitable for mobile phone in mobile-commerce. Computer Communications 30 (4), 893 – 903. [33] Li, F., Shirase, M., Takagi, T., 2008. Key management using certificateless public key cryptography in ad hoc networks. In: Proceedings of the IFIP International Conference on Network and Parallel Computing. Springer-Verlag, pp. 116–126, http://dx.doi.org/10.1007/ 978-3-540-88140-7_11. [34] Libert, B., 2006. New secure applications of bilinear maps in cryptography. PhD Thesis, Universit¨ı¿½ Catholique de Louvain, Belgium. [35] Liu, J. K., Au, M. H., Susilo, W., 2007. Self-generated-certificate public key cryptography and certificateless signature/encryption scheme in the standard model: extended abstract. In: Proceedings of the 2nd ACM symposium on Information, computer and communications security. ASIACCS ’07. ACM, New York, NY, USA, pp. 273–283, http: //doi.acm.org/10.1145/1229285.1266994. [36] MEMSIC, 2012. 6020-0065-05 Rev A, MICAz Datasheet. http://www.memsic.com/products/wireless-sensor-networks/wirelessmodules.html. [37] Miyaji, A., Nakabayashi, M., Takano, S., 2001. New explicit conditions of elliptic curve traces for FR-reduction. IEICE Transactions on Fundamentals E84-A (5), 1234–1243.
23
[38] NIST, May 2005. Special Publication 800-38B Recommendation for Block Cipher Modes of Operation: the CMAC Mode for Authentication. National Institute of Standards and Technology, U.S. Department of Commerce, http://csrc.nist.gov/publications/PubsSPs.html. [39] Nokia Corporation, January 2012. Detailed specifications for the Nokia 5530 XpressMusic. http://www.nokia.com/ph-en/products/phone/ nokia-5530-xpressmusic/specifications/. [40] Oliveira, L., Scott, M., Lopez, J., Dahab, R., 2008. TinyPBC: Pairings for authenticated identity-based non-interactive key distribution in sensor networks. In: Networked Sensing Systems, 2008. INSS 2008. 5th International Conference on. pp. 173–180. [41] Pereira, G. C. C. F., 2011. Parametriza¸ca˜o e otimiza¸c˜ao de criptografia de curvas el´ıpticas amig´aveis a emparelhamentos. MSc Thesis, Escola Polit´ecnica, Universidade de S˜ao Paulo, S˜ao Paulo. [42] Pereira, G. C. C. F., Simplicio Jr, M. A., Naehrig, M., Barreto, P. S. L. M., 2011. A family of implementation-friendly BN elliptic curves. Journal of Systems and Software 84, 1319–1326. [43] PortioResearch, January 2011. Mobile messaging futures 2011-2015: Analysis and growth forecasts for mobile messaging markets worldwide. http://www.portioresearch.com/MMF11-15.html. [44] Rivest, R., Shamir, A., Adleman, L., 1978. A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21 (2), 120–126. [45] Rongyu, H., Guolei, Z., Chaowen, C., Hui, X., Xi, Q., Zheng, Q., 2009. A PK-SIM card based end-to-end security framework for SMS. Comput. Stand. Interfaces 31, 629–641, http://portal.acm.org/citation. cfm?id=1530904.1531179. [46] Saarinen, M.-J. O., 2012. Cycling attacks on GCM, GHASH and other polynomial MACs and hashes. In: Fast Software Encryption – FSE 2012. Vol. 7549 of Lecture Notes in Computer Science. Springer, pp. 216–225.
24
[47] Shamir, A., 1984. Identity based cryptosystems and signature schemes. In: Advances in Cryptology – Crypto’84. Vol. 196 of Lecture Notes in Computer Science. Springer, pp. 47–53. [48] Shen, S., Hart, T. J., Ingelbrecht, N., Zimmermann, A., Ekholm, J., Jones, N., Edwards, J., Frank, A., October 2009. Dataquest insight: The top 10 consumer mobile applications in 2012. http://www.gartner. com/DisplayDocument?ref=clientFriendlyUrl&id=1205513. [49] Shirase, M., 2010. Barreto-Naehrig curve with fixed coefficient. IACR ePrint Archive, report 2010/134, http://eprint.iacr.org/2010/134. [50] Simplicio Jr, M. A., Barbuda, P. d. F. F. S., Barreto, P. S. L. M., Carvalho, T. C. M. B., Margi, C. B., 2009. The Marvin message authentication code and the LetterSoup authenticated encryption scheme. Security and Communication Networks 2, 165–180, doi://10.1002/sec.66. [51] Simplicio Jr, M. A., Barreto, P. S. L. M., 2012. Revisiting the security of the Alred design and two of its instances: Marvin and LetterSoup. To appear in IEEE Transactions on Information Theory. [52] Simplicio Jr, M. A., de Oliveira, B. T., Margi, C. B., Barreto, P. S., Carvalho, T. C., N¨aslund, M., 2012. Survey and comparison of message authentication solutions on wireless sensor networks. Ad Hoc Networks, (in press). URL http://www.sciencedirect.com/science/article/pii/ S1570870512001606 [53] Toorani, M., Beheshti Shirazi, A., 2008. SSMS – a secure SMS messaging protocol for the m-payment systems. In: IEEE Symposium on Computers and Communications (ISCC 2008). pp. 700–705. [54] van der Merwe, A., Seker, R., Gerber, A., 2005. Phishing in the system of systems settings: mobile technology. In: IEEE International Conference on Systems, Man and Cybernetics. Vol. 1. pp. 492–498. [55] Wu, S., Tan, C., 2009. A high security framework for SMS. In: Biomedical Engineering and Informatics, 2009. BMEI’09. 2nd International Conference on. pp. 1–6.
25
[56] Zhang, Z., Susilo, W., Raad, R., 2008. Mobile ad-hoc network key management with certificateless cryptography. In: Signal Processing and Communication Systems, 2008. ICSPCS 2008. 2nd International Conference on. pp. 1–10. [57] Zheng, Y., 1997. Digital signcryption or how to achieve cost(signature & encryption)
