Secure communication between lightweight computing devices over the internet

Michael Jenkin and Patrick Dymond
Department of Computer Science, York University
4700 Keele St., North York, Ontario, Canada
(416) 736-5053
(jenkin,dymond)@cs.yorku.ca

Abstract

The advent of light, low-power handheld compute devices such as Windows CE, PalmTM and Handspring is changing the way in which mobile users interact with their home office. These devices can be connected to the Internet through both physical and wireless connections, and sensitive data transferred to and from them are subject to interception by a third party. Real-time encryption/decryption of data on handheld computers is complicated by the limited computing power available in these devices. In this paper we describe a method for secure transmission of data between remote handheld devices and other users (including other handheld devices) on the Internet. The system relies on one-time-pad technology, which is ideally suited to handheld computing: encrypting and decrypting data requires very little computation, and the generation of the random pads can be accomplished outside of the handheld devices. A prototype system is described which permits secure transmission of data through IR, radio Ethernet, or physical connection.

1 Introduction

Light, low-power handheld compute devices such as Windows CE devices, PalmTM and Handspring are changing the way in which mobile users interact with each other and with the office. These devices provide for high connectivity with other users through the Internet. For example, the PalmTM VIIx connects to the Internet via a wireless connection relying on Cellular Digital Packet Data (CDPD) technology, while the PalmTM Mobile Internet Kit provides a mechanism by which PalmTM devices can connect to the Internet through a modem or cellular phone. Windows CE devices provide a similarly wide range of network access technologies. As users move from high-power laptops and workstations to these lower-power devices, security becomes an important concern.

Consider the situation in which a central office wishes to connect to a collection of mobile users in the field, each of whom is connecting via a PalmTM or Windows CE device through the Internet, possibly using a cellular phone or some other wireless technology. How can this group of users ensure that their communications are secure? Although a number of approaches to providing security exist for traditional compute devices connected to the Internet, these lightweight devices typically lack the computing power those security mechanisms require. For example, the PalmTM 505 (perhaps the most powerful PalmTM device currently available) relies on a Motorola Dragonball VZ running at 33 MHz. Although it would be possible to operate secure communication mechanisms such as SSH or S-HTTP between a 33 MHz PalmTM and other users on the Internet, the associated computation would tax the device beyond usability.

In the main, existing cryptographic systems rely on the exchange of keys which are used to encrypt and decrypt the information exchanged. Once these keys have been exchanged, each side must perform reasonably complex mathematical operations on the data stream before transmitting the data. A third party that records the message stream can attempt to recover the key, either by searching the keyspace (feasible only when the keyspace is small) or, more realistically, by exploiting a flaw in the algorithm or its implementation. Should the key be discovered, the entire data stream is available to the third party. This is the fundamental concern with existing Internet security systems: if a third party can deduce the secret key, the entire communication can be extracted.

In contrast to these methods, in this paper we propose using one-time pad technology to provide secure information transmission between lightweight computers connected to the Internet. As a cryptographic technique, one-time pads (OTPs) have long been understood to provide optimal security for data transmission. Furthermore, encoding and decoding can be performed very efficiently, requiring only the exclusive-or of two streams of bits, which makes them ideal for use on lightweight, low-power compute devices such as PalmTM or Windows CE devices. In the past, pad generation and distribution were the main difficulties involved in the use of one-time pads (see [4] for an introduction to cryptography in general). In this paper we are concerned solely with adapting Web technology to make use of one-time pads, rather than proposing cryptographic techniques for the generation of OTPs. This latter task is an active area of research in cryptology, and many techniques have been investigated for generating unbiased random sequences from biased ones, for amplifying a given number of random bits, and for generating pseudorandom sequences (i.e. sequences which cannot be distinguished from truly random ones in polynomial time). See Rivest [2] for a survey of these issues. Note, however, that a pad produced by a pseudorandom generator does not carry the information-theoretic guarantee discussed in Section 2: the scheme then reduces to a stream cipher whose security rests entirely on the generator and the secrecy of its seed.

In the following we assume that pad generation is provided via some external mechanism. Many such mechanisms are available; for example, the pads can be generated by recording background noise from some physical random source. We assume that pad distribution is accomplished via some non-web-based technique, such as recording the pads on a portable cartridge which is then distributed to the users. For example, the new PalmTM 500 and 505 models accept expansion cards providing up to 256 Mbyte of memory in addition to the base memory of the device. Obviously physical pad security is an important issue, but for our purposes we envision the pad medium being physically received by the user from the provider at the central location and remaining in the physical possession of each mobile user over a long interval. In a one-time pad system, the pad itself must be as long as the sum of all the messages encrypted/decrypted with it. While this posed an almost insurmountable problem in many cases in the past, current technology allows storage of significant amounts of data on very small-format devices. Once the pad has been entirely used, a new pad must be obtained, again requiring physical contact (or some other secure transfer method). We begin by reviewing the concept and cryptographic properties of a one-time pad and then demonstrate how one-time pads can be integrated within PalmTM devices and on workstations to provide secure communication between lightweight, low-power devices and other users on the Internet.

2 Encryption using a one-time pad

The one-time pad is an old technique; it was used during the First World War by Gilbert Vernam [1]. It is the standard example of an encryption scheme that is provably secure in the information-theoretic sense of Shannon [3]. It is based on the concept of using a long stream of random letters (or bits) to modify the plaintext message one letter (bit) at a time. Both the sender and the receiver must have a copy of the same pad, and both work through the message one letter at a time. Suppose that the sender has a sequence of bits text(i) that are to be transmitted. The sender and the receiver exchange, through some secure mechanism, a pad of random bits pad(i) so that both sender and receiver have the same pad. To transmit a message to the receiver, the sender encrypts the plaintext text(i), obtaining the encrypted message message(i) as

message(i) = pad(i) XOR text(i)

and transmits the encrypted message to the receiver. The receiver recovers the plaintext by re-applying the pad:

text(i) = message(i) XOR pad(i)

One-time pads have a number of advantages over traditional cryptographic systems. They are extremely computationally efficient, both for encryption and for decryption. They are also unbreakable under the assumptions that
1. the pad is truly random,
2. the pad is never reused, and
3. the pad is known only to the two parties.
It is also worth noting that breaking part of the message provides no advantage in breaking the rest of the message: there is no decrypting key to guess. Two caveats matter in practice. First, the guarantee is one of confidentiality only; because encryption is a bitwise XOR, an attacker who flips a ciphertext bit flips the corresponding plaintext bit without knowing the pad, so a deployment that must detect tampering needs an additional authentication mechanism. Second, if the same pad bits are ever used for two messages, the XOR of the two ciphertexts equals the XOR of the two plaintexts and the pad cancels out entirely, so the second assumption above must be enforced by the software rather than left to the user.

The primary disadvantage of a one-time pad is that the pad must be as large as the message to be transmitted. While this has inhibited the use of one-time pads until now, recently we have seen a significant increase in the number of bits which can be efficiently stored, easily transported and made available to a mobile user's computer. For example, a recordable CD can store a pad of over five billion bits. The bits of the pad may only be used once, but with this many bits, many messages can be exchanged using the same pad by keeping track of the bits which have already been used for all previous messages and starting the next message immediately after that point. This point is referred to as the offset below.

Although re-writable CDs or DVD-RAMs can be an effective storage medium for large one-time pads, for shorter messages an even more portable storage medium exists. Found in many portable digital devices such as audio players, digital still cameras, digital video cameras, handheld PCs and cell phones, SD (Secure Digital) cards can hold a significant amount of information in a very small form factor. Figure 1 shows a Palm505, which accepts expansion SD memory cards. The card is 32 mm x 24 mm x 2.1 mm. SD cards comply with the Secure Digital Music Initiative (SDMI) standard, which provides some physical security: should the SD card be lost, content written into the card's protected area will be difficult to read using an unauthorized device. Note that this protection covers only data written into that protected area by a licensed device; a pad stored as an ordinary file in the card's general-purpose storage is readable by any SD reader, so a lost card must then be treated as a lost pad. The SD memory card is sufficiently compact that it can be stored in a wallet and could hold a large number of bits making up one or more one-time pads. Readers/writers for SD memory cards are also available from a number of manufacturers for PCs, which simplifies the generation and distribution of one-time pads. Currently 16 MB, 32 MB and 64 MB SD cards are available; 256 MB cards have been announced. Of course it is also possible to store one-time pads within the storage of a Palm or Windows CE machine. However, storing the pad on external media such as the SD memory card provides convenience and some possible added security, as the loss of the unit does not necessarily result in the loss of the pad, and the card itself provides limited protection against unauthorized access.

Figure 1: One-time pad hardware. A Palm505 handheld is used to do the encryption and decryption. One-time pads are stored on an SD card inserted into the unit. SD cards provide up to 256 MB of storage.
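The XOR relation and the three assumptions of this section can be exercised directly. The following Python script is an added example, not code from the paper or its authors. It draws a pad from os.urandom only to be self-contained (the paper assumes pads are generated and distributed out of band), and the message texts are constructed for the demonstration. Beyond the encrypt/decrypt pair it shows what follows when the second assumption is violated (two messages under the same pad bits, one recovered from the other with a guessed crib) and the malleability that follows from XOR carrying no integrity check.

```python
"""One-time pad XOR and two of its failure modes (added example, Section 2).

Not code from the paper. The pad comes from os.urandom only to keep the
script self-contained; the paper assumes pads are generated externally
and distributed by hand. Messages are constructed for the demonstration.
"""
import os


def otp_xor(data: bytes, pad: bytes) -> bytes:
    """message(i) = pad(i) XOR text(i); decryption is the same operation.

    Refuses to run with a pad shorter than the data, since that would
    force pad bits to be reused."""
    if len(pad) < len(data):
        raise ValueError("pad shorter than message: would require pad reuse")
    return bytes(d ^ p for d, p in zip(data, pad))


def pad_reuse_leak(ct1: bytes, ct2: bytes) -> bytes:
    """Assumption 2 violated: two ciphertexts made with the same pad bits.

    The eavesdropper XORs them and the pad cancels: c1 XOR c2 = m1 XOR m2.
    Nothing about the pad is needed from here on."""
    return bytes(a ^ b for a, b in zip(ct1, ct2))


def crib_drag(m1_xor_m2: bytes, crib: bytes, at: int) -> bytes:
    """Known or guessed plaintext of one message at position `at`
    reveals the other message at the same position."""
    seg = m1_xor_m2[at:at + len(crib)]
    return bytes(a ^ b for a, b in zip(seg, crib))


def tamper(ct: bytes, at: int, old: bytes, new: bytes) -> bytes:
    """Confidentiality without integrity: XORing (old XOR new) into the
    ciphertext changes the plaintext from `old` to `new` at `at`,
    without any knowledge of the pad. The receiver cannot tell."""
    out = bytearray(ct)
    for i, (o, n) in enumerate(zip(old, new)):
        out[at + i] ^= o ^ n
    return bytes(out)


def demo():
    """Round trip, then both failure modes on constructed messages."""
    pad = os.urandom(64)          # stands in for externally generated pad bits
    m1 = b"Transfer $100 to account 42"
    c1 = otp_xor(m1, pad)
    assert otp_xor(c1, pad) == m1  # decryption re-applies the same pad

    # Failure mode 1: the same pad bits used for a second message.
    # Correct use would start m2 at offset len(m1) of the pad.
    m2 = b"Meeting moved to 10am today"
    c2 = otp_xor(m2, pad)
    leak = pad_reuse_leak(c1, c2)
    recovered = crib_drag(leak, b"Transfer ", 0)  # guess how m1 begins

    # Failure mode 2: undetected modification of the amount in transit.
    forged_ct = tamper(c1, 10, b"100", b"900")
    forged = otp_xor(forged_ct, pad)
    return recovered, forged


if __name__ == "__main__":
    rec, forged = demo()
    print("reuse leaks m2 prefix:", rec)
    print("tampered decryption:", forged)
```

The crib in the reuse case is nothing more than a guess at how a message begins; in practice mail headers, greetings and signatures supply such guesses freely, which is why offset tracking has to be mechanical rather than left to the operator.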

3 Implementing one-time pads

Here we discuss an actual implementation of a highly compact and portable one-time pad system which utilizes standard insecure mail streams (POP3, SMTP) for transmission through the Internet, and which permits encoding/decoding of secure messages either on workstations or on low-power devices such as a Palm or Windows CE device. We describe the implementation for the Palm handheld; the implementation for the workstation application is quite similar.

In the SD card implementation described below, the bits of the pad are stored on an SD card or within the main memory of the Palm. The existing one-time pad is available to the application as a Palm database (a file in the workstation implementation). A pad consists of a header, a pad identifier, and an offset to the next valid bit in the pad. The pad identifier records which pad was used to encrypt a given text, so that if decryption is attempted with an incorrect pad the user can be warned and the correct pad used instead. To use the pad for coding or decoding, the message plaintext is converted to ciphertext by exclusive-or-ing its bits with an equal number of bits from the pad. More precisely, the significant bits of each byte of the plaintext message are XORed with an equal number of bits of the pad starting at position offset. After the one-time pad bits are used they are erased, to prevent any possibility of re-use. To recover the plaintext, the decoder must use the same bits read from the same place in his copy of the same one-time pad.

In order to simplify transmission and storage of the encrypted text, the 8-bit datastream is encoded as a printable 7-bit stream. A header and trailer are added to the encrypted text to ensure that text is not lost in transmission. The header also includes the pad offset for decryption and the identification number of the pad used for encryption. Figure 2 shows the workstation implementation of the one-time pad. Figure 2(a) shows the pad with the plaintext in view. Figure 2(b) shows the pad with the encrypted and 7-bit encoded text displayed. Note the header and footer which mark the encrypted text and also encode the offset and the encryption pad identification number. Users cut and paste (using the standard Palm or workstation cut and paste methods) between the standard mail environment and the encryption/decryption one-time pad application. The one-time pad application encrypts or decrypts the 7-bit datastream, and when encrypting, converts the message into an appropriate format so that it can be decrypted automatically.

The computational load is extremely low. Encryption involves exclusive-or-ing the data stream and providing some minor formatting to make the resulting datastream printable. Decryption involves converting the printable datastream to an 8-bit stream and again exclusive-or-ing the data. In both cases the used part of the pad is overwritten with zeros. Two points deserve attention in a deployment. The header fields (pad identifier and offset) travel unauthenticated through the mail system, so a corrupted or forged header can direct the decoder to the wrong part of the pad; since the decoder zeroes the bits it uses, this destroys pad bits the sender has not yet used and desynchronizes the two copies, so the decoder should at least refuse an offset that lies before its own record of the next unused bit. Also, overwriting with zeros guarantees logical erasure only: flash media such as SD cards remap writes internally, so the original pad bits may physically survive on the card until it is destroyed.

Figure 2: One-time pad in operation on a workstation. (a) Plaintext: the text before encryption. (b) Encrypted: the encrypted text. In order to simplify transmission and storage of the encrypted text, the 8-bit datastream is encoded as a printable 7-bit stream. A header and trailer are added to the encrypted text to ensure that text is not lost in transmission. The header also includes the pad offset for decryption and the identification number of the pad used for encryption.
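The pad bookkeeping and message envelope described in this section, as an added Python example rather than the authors' Palm code. The envelope layout, the field names, the PadError exception and the use of base64 as the printable 7-bit encoding are this example's own choices; the paper specifies only that the header carries the pad identifier and offset, that a trailer follows, and that the body is printable 7-bit text. Whole bytes are XORed here rather than only the significant bits of each byte, and the sample pad and messages are constructed.

```python
"""Pad bookkeeping and printable message envelope (added example, Section 3).

Not the authors' Palm code. The envelope layout, field names, PadError
and base64 (as the printable 7-bit encoding) are this example's own
choices; the paper specifies only a header carrying the pad identifier
and offset, a trailer, and a printable 7-bit body. Whole bytes are
XORed here rather than only the significant bits of each byte.
"""
import base64
import os
import re


class PadError(Exception):
    """Wrong pad, exhausted pad, damaged envelope, or attempted reuse."""


class Pad:
    """One pad: identifier, pad bytes, and offset of the next unused byte.

    Sender and receiver each hold an identical copy and advance in step."""

    def __init__(self, pad_id: int, pad_bytes: bytes):
        self.pad_id = pad_id
        self.bits = bytearray(pad_bytes)
        self.offset = 0

    def take(self, start: int, n: int) -> bytes:
        """Return n pad bytes at `start` and zero them so they cannot be
        reused. Refuses any range that begins before the current offset,
        so a header pointing at already-consumed bits is rejected. A
        range that skips ahead is allowed, but the skipped bytes are
        abandoned (offset moves past them), which is how a forged offset
        wastes pad on this side of the link."""
        if start < self.offset:
            raise PadError("offset %d already consumed: pad reuse refused" % start)
        if start + n > len(self.bits):
            raise PadError("pad exhausted: a new pad must be obtained")
        chunk = bytes(self.bits[start:start + n])
        self.bits[start:start + n] = bytes(n)   # logical erasure only on flash
        self.offset = start + n
        return chunk


HEADER = "-----BEGIN OTP pad=%d offset=%d len=%d-----"
TRAILER = "-----END OTP-----"
_HDR_RE = re.compile(r"-----BEGIN OTP pad=(\d+) offset=(\d+) len=(\d+)-----")


def encrypt(pad: Pad, plaintext: bytes) -> str:
    """XOR plaintext with the next unused pad bytes; wrap the result in a
    printable envelope that can be pasted into an ordinary mail body."""
    start = pad.offset
    key = pad.take(start, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, key))
    body = base64.b64encode(ct).decode("ascii")
    return "\n".join([HEADER % (pad.pad_id, start, len(plaintext)), body, TRAILER])


def decrypt(pad: Pad, envelope: str) -> bytes:
    """Parse the envelope, check it was made with this pad (before any
    pad bytes are touched), then XOR with the same bytes at the same
    offset. The header is not authenticated, so nothing it says is
    acted on until these checks pass."""
    m = _HDR_RE.search(envelope)
    end = envelope.find(TRAILER)
    if m is None or end < 0:
        raise PadError("header or trailer missing: text lost in transmission?")
    pad_id, start, n = (int(x) for x in m.groups())
    if pad_id != pad.pad_id:
        raise PadError("encrypted with pad %d, but this is pad %d" % (pad_id, pad.pad_id))
    ct = base64.b64decode(envelope[m.end():end].strip())
    if len(ct) != n:
        raise PadError("length mismatch: ciphertext damaged")
    key = pad.take(start, n)
    return bytes(c ^ k for c, k in zip(ct, key))


def demo():
    """Two messages in sequence, then a decryption attempt with the wrong pad."""
    shared = os.urandom(256)               # stands in for an out-of-band pad
    office, mobile = Pad(7, shared), Pad(7, shared)
    env1 = encrypt(office, b"Meet at the usual place, 09:30")
    plain1 = decrypt(mobile, env1)
    env2 = encrypt(office, b"Bring the SD card")   # continues at the new offset
    plain2 = decrypt(mobile, env2)
    other = Pad(8, os.urandom(256))
    try:
        decrypt(other, env1)
        mismatch = None
    except PadError as e:
        mismatch = str(e)                 # no bytes of `other` were consumed
    return plain1, plain2, office.offset, mobile.offset, mismatch, env1
```

Because both copies advance to the end of each consumed range, the script models one direction of traffic. For two-way traffic each direction needs its own pad, or its own disjoint region of the pad, since otherwise the two parties would pick the same bits for different messages; the paper leaves this allocation open, so the split is an assumption of this example.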

4 Discussion

This paper describes a privacy scheme for secure message exchange over the Internet based on one-time pads. The mechanism provides for the encryption and decryption of data within the standard unsecured mail environment. Each mobile user shares a unique one-time pad with the central office, and messages are encrypted/decrypted via a simple program executing on the Palm or on a workstation. Although the individual pads can be stored on any writable media, the advent of secure, compact, high-density storage media such as SD cards, which are accepted by standard readers for workstations and by the Palm unit itself, provides an almost ideal medium for reasonably short (64 Mbyte) pads. SD cards are very small and easily transportable, and interface devices (readers) for them exist using a variety of interface technologies, including USB and PC Card formats. One-time pads can also be used to provide an efficient, secure solution to the problem of key exchange for other cryptographic systems. Given the cryptographic strength of one-time pads, the low computational cost to encrypt/decrypt data, and the portability of SD storage media, one-time pads are likely to find useful application in secure e-commerce and other commercial communications in which secure transmission of data is essential and in which the computational power available to encrypt/decrypt data is limited.

References

[1] D. Kahn. The Codebreakers. Macmillan, New York, 1967.
[2] R.L. Rivest. Cryptography. In J. van Leeuwen, editor, Handbook of Theoretical Computer Science, pages 719-755. MIT Press/Elsevier, 1990.
[3] C.E. Shannon. Communication theory of secrecy systems. Bell System Technical Journal, 28:657-715, 1949.
[4] S. Singh. The Code Book: The Science of Secrecy from Ancient Egypt to Quantum Cryptography. Anchor Books, 2000.