Cyber Security for GSM Data Protection

Cyber Security for GSM Data Protection

Chapter One

Aims and Objectives of the Project

The aims and objectives for the project are as follows:

To understudy how GSM works with respect to various security algorithms inbuilt into
To understudy all the existing GSM cryptographic algorithms and exposetheir strengths and shortcomings
To proffer solution to the shortcomings inherent in original encryption algorithms found in GSM technologies by using software-based approach to develop a MIDlet program in JAVA that can be used to further secure and protect user’s sensitive and critical data (SMS only) using Bouncy Castle JAVA cryptographic Application Programming Interface (API).
To test run the security JAVA MIDlet software program in compatible Mobile Information Device Profile (MIDP) phones or mobile devices engaged in end- to-end GSM data communication

CHAPTER TWO

REVIEW OF RELATED LITERATURE

This chapter presents a general background to the thesis and covers the theoretical basis of the research area and past research done on the subject.

Computer and Cyber Security

Introduction

The biggest challenge facing the whole world now in the area of application and use of computer and computer-related resources is the issue of security. Governments of many countries spend billions of dollars to procure and maintain computer and IT resources for use in various government ministries, agencies and parastatals. Private sector establishments like financial, research institutions, industrial firms, etc. deploy huge amount of fund in the procurement and installation of computer and IT resources and yet if care is not taken to address the critical concern of myriads of security threats that now exist everywhere and every time, all these huge capital expenditure will amount to exercise in futility. The importance of security of computer resources: data, hardware, software, telecommunication bandwidth and information cannot be overemphasized. Concerted and coordinated efforts must therefore be made by all tiers of governments of world economies to confront and address the monster threatening the successful application of computer and its resources towards the realisation of computerisation goal of every economy.

Computer Security is usually measured in terms of a set of basic aspects [1]:

confidentiality,
integrity,
authentication and
authorization
Non-repudiation

Confidentiality is ensuring that the data is hidden from those that are not supposed to see it.

Confidentiality of data is achieved by cryptographically transforming original data, often called, plaintext, into cipher text, which hides the content of plaintext. This operation is realized as a parameterized transformation that keeps the controlling parameter secret. The controlling parameter is often called a key. The transformation is called encryption. With a key it is easy to perform the inverse transform or decryption. Without the key, decryption would be difficult.

Integrity is about ensuring that data has not been replaced or modified without authorization during transport or storage. This is achieved using cryptographic transforms and a key. Additional information must also be added to the plaintext to verify its integrity.

Authentication is the procedure by which a unit (the claimant) convinces another unit (the verifier) of its (correct) identity. Authentication is different from authorization, which is the process of giving a person or entity permission to do or have access to something.

Non-repudiation is ensuring that someone who sent a message does not deny that he is the one that sent it by using security processes such as digital signature.

There are two major classes of cryptographic mechanisms: symmetric and asymmetric. In symmetric mechanisms, the same key is used for encryption and decryption. Examples of symmetric confidentiality mechanisms are

block ciphers, such as DES and AES;and
stream ciphers, such as the GSM A1, A2 and A3

Integrity is often protected using symmetric mechanisms. Integrity-protection algorithms are also called Message Authentication Codes (MAC). The most popular MAC is the HMAC algorithm. Because the key in symmetric mechanisms can be used to decrypt content, it must be kept secret from all but legitimate users of the encryption scheme.

Asymmetric mechanisms use separate pairs of keys for encryption transform and decryption transform. The public key can be made publicly available, but the private key must never be revealed. Asymmetric mechanisms are typically used for distributing keys (for example, a symmetric key) or for digital signing purposes. A public key can be used to encrypt a symmetric key, which in turn, can only be decrypted by the legitimate receiver using the corresponding private key. A private key may also be used to digitally sign data. The signature can be verified by anyone who knows the corresponding public key. The RSA scheme is widely known example of an asymmetric cryptographic algorithm [1].

Computer and IT Security Domain Safety

Safety deals with protection against unintentional physical, social, spiritual, financial, political, emotional, occupational, psychological, educational or other types of undesired consequences of system failures.

Typical design methods:

Fail-Safe: in case of failure, fallback into a safe (usually static)state
Fault-Tolerance: In case of failure, continue operation on reduced QoS level (graceful degradation)

CHAPTER THREE

METHODOLOGY AND SYSTEM ANALYSIS

Methodology

From the research and analysis carried out in Chapter 2 of the study on the existing GSM security algorithms meant to provide security services for user’s data, it is very clear that the possibility of an attacker breaking any of them is very easy. Most of the security algorithms meant to protect user data (SMS, Voice, Service etc.) during communication have been broken, so for one to use GSM communication that is required in a sensitive and mission critical environment where confidentiality of data is paramount, there must be extra need to further protect such data.

In the research work, software based approach will be used to further strengthen the security algorithms embedded in GSM Technologies.

This project will attempt to reduce the security lapses noticed in the existing security algorithms of GSM platforms by increasing the security of data (SMS only) during GSM communication session. A software program, a JAVA MIDlet for Micro 2 platform Micro Edition (J2ME) will be developed using Bouncy Castle JAVA Cryptographic Application Programming Interface inside Java Wireless Toolkit for J2ME IDE to further provide protection of sensitive Short Message Service (SMS) data during communication. Bouncy Castle API contains quite a lot of GSM cryptographic algorithms that can be combined in a MIDlet application to further secure a GSM data such as SMS.

CHAPTER FOUR

SYSTEM DESIGN AND DEVELOPMENT

Introduction

SecureSMS is Java application which is built in an object-oriented platform. It is made up of 6 classes and modules. Because of this Top-down design approach has been adopted for the design and development of this project.

The project was designed and developed using JAVA programming language which is widely adopted for Object oriented projects. Moreover, JAVA is the defacto programming language for millions of portable and embedded devices in the market place.

NetBeans 6.8 Integrated Development Environment (IDE) was used to develop the project in JAVA 2 Platform for Micro Edition (J2ME). The security program is tested using the inbuilt JAVA™ SDK 3.0 Emulator and subsequently deployed to actual compatible mobile phones.

CHAPTER FIVE:

SYSTEM IMPLEMENTATION

This chapter covers the system implementation: the deployment and test-running of the completed secureSMS JAVA MIDlet program developed in Chapter Four of this thesis. The secureSMS JAVA MIDlet was developed (built, compiled, preverified, run and tested) in NETBEANS 6.8 IDE. The program is equally deployed and tested in actual MIDP 2.0 compatible devices using Nokia 2700 Classic, Nokia 2720a fold and Nokia 3110 Classic mobile phones. Equally any other compatible MIDP 2.0 mobile phone could be used for actual implementation of the project.

Software Implementation

For the system i.e. the secure SMS JAVA MIDlet program meant to add additional security to SMS data engaged in an end-to-end communication session, the compiled, pre-verified and obfuscated JAVA file secureSMS.JAR and the accompanying .JAD files created in Chapter Four will first of all be deployed in any of the following platforms using Nokia PC Suite for the respective MIDP 2.1 compatible mobile phones:

CHAPTER SIX:

DISCUSSIONS, SUMMARY & CONCLUSION

Discussions

SecureSMS JAVA MIDlet security program worked to expectations going from the results obtained in section 5.2.2 of this thesis report. The program, according to expectations worked in a Sun JAVA Standard Emulator as well as in the real MIDP 2.0 compatible mobile devices. The secureSMS security program made encryption of SMS data engaged in an SMS end-to-end communication session possible at the Sender’s end and equally permitted the SMS data to be decrypted and viewed by the Receiver at the other end provided the Receiver entered the exact private key(secret password) used by the Sender to encrypt and send the SMS data. It therefore means that without the possession of the private key (secret password), anyone that intercepts the SMS data cannot decrypt and read the content of the SMS message. So, the SMS data is protected from man-in-middle Over the Air (OTA) Interception and eavesdropping.

Project Summary

Thorough research work was carried out on the GSM Security model of GSM Operators and it was very clear that most, if not all, of the GSM Security algorithms have been cracked and compromised. Therefore, there is cogent need to develop other ways of protecting user’s GSM data, especially in situations where confidentiality and privacy are paramount.

This research project tried in that direction by developing a security solution in JAVA programming to protect users’ confidential and private SMS data.

Equally, the objectives set out at the beginning of this research work have been achieved and they are outlined in section 6.3 of this research report.

Summary of Achievement

This research carried out in the Master thesis achieved the following set objectives:

Research and Analysis of the GSMnetwork
Research and Analysis of the GSM Security model andarchitecture
Research of the existing GSM security algorithms : A3, A5, A8 and COMP128
Analysis of the strengths and weaknesses of these
Design and implementation of a security software solution in JAVA programming language to protect and secure user’s privacy and sensitiveGSM data engaged in an end-to-end SMS communication

The following findings were made during the research work:

That the GSM security algorithms implemented by most GSM operators worldwide, Nigeria inclusive, are done in secrecy and most of them have leaked out and subsequently cracked or
That a lot attacks have been carried out by attackers to determine the strengths of these algorithms and it was discovered that these algorithms are weak and therefore cannot protect user’s data especially in sensitive, safety and mission- critical
That there is need for additional work to be done to further secure user’s data during communication session

The secure SMS JAVA MIDlet program developed in the thesis in Chapters 3 and 4 have been tested and solved this problem especially in the protection of user’s SMS data.

Problems encountered and solutions

During the course of this Masters Research work, a lot of problems were encountered:

I had a lot of difficulty implementing a secure SMS data using one of JAVA inbuilt JAVA Cryptography Extension (JCE) classes SATSA API. SATSA API is very difficult to program; luckily I had an easy way through an alternative JCE classes, Bouncy Castle API, which was used to encrypt and decrypt the SMS
I also encountered some problems during obfuscation of the JAR file after compilation and pre-verification using Proguard. I corrected the problem by modifying the proguard code and adjusting the proguard obfuscation level to the highest.
I encountered a lot of problems using different versions of the Development tools: NETBEANS. I eventually settled with NETBEANS 6.8 which delivered the anticipated

Another problem encountered was to secure Voice data over the air. This is very difficult to accomplish. In fact, in many JAVA forums on the internet, it was claimed that it is not possible to encrypt and decrypt Voice over the air except one does that for Voice data using VOIP (Voice Over Internet Protocol) but I still believe that it can be done; afterall an Israeli company has done that already for military application and they are selling the software on the website www.gold-lock.com for around $500. I eventually settled on programming a security solution for SMS only.

Recommendations

I recommend that further research work be done to encrypt Voice data over the air and not necessarily the clamoured VOIP approach, because most voice data involve over the air
I also recommend that the secureSMS MIDlet solution be improved upon and deployed and used in very important sectors in Nigeria economy where the security of user data is of utmost importance such as Nigerian Police, Nigerian Army, Nigerian Navy, Nigerian Air force, State Security Services (SSS), Nigeria Defence Academy and other security outfits in the country. Equally, financial sector like Banks, finance institutions, Educational Institutions are not left The project can be improved upon to cater for the security needs of e-commerce applications of sectors like finance and import/export. Citizens desiring privacy and confidentiality in their data communication should also use this secureSMS Solution.

Suggestions for further improvements

Further research work can be done to improve on the secure SMS MIDlet program.

This security solution does not have a storage facility(Record Management System, RMS) because of time-constraint for the development of the Effort can be made in this direction by future researchers in Nigeria to develop this area so as to allow users of the software solution store SMS sent and received using this security solution.

Effort can still be made to find ways to combine more than one cryptographic algorithms to make cracking the security algorithms a hard
Further research work can be geared in direction of GSM voice

Conclusion

The importance of the security of GSM data: SMS, Voice, Service etc. cannot be over- emphasized in this IT age where GSM communication is used by over 85 million people only in Nigeria alone. GSM has become the basic means of communication today; millions of people rely on GSM backbone to conduct businesses, maintain relationships and shape their life in many ways. The confidentiality and privacy of their dealings and communication must be guaranteed and not compromised. Sensitive and mission-critical GSM data must be protected from the hands of criminal-minded individuals as this thesis tried to achieve.

More work need to be done to protect the confidentiality and privacy of GSM data of subscribers, especially subscribers in highly critical and sensitive environments.

Therefore, all stake holders must put hands on deck to ensure that these objectives are realised.

REFERENCES

Christian Gehrmann and Per Stahl. “Mobile Platform Security,” in Erricsson Review 2, pg.1,2006.
Thomas Strang. WS2007/2008. Lecture, Topic: “Programming MobileDevices, Security Aspects.” University of Pg 15,18,19,20.
Purushothan Kothapalli. “Secure Storage of Encryption” Masters Thesis, University of Linkoping, Sweden, May 2007.
Ali Abbas, Abdulmotaleb El Saddik and Ali MiriGESTS. “State of the Art Security Taxonomy of Internet Security: Threats and Countermeasures.” International Trans. Computer Science and Engr. Vol.19,
Dieter Gollman. Computer Security. New York, NY, USA: John Willey and Sons, August
Alex Noordergraaf. “How Hackers Do It: Tricks, Tools, and Techniques.” [Online].Available:http://pdf.textfiles.com/security/816-4816-10.pdf, 2002 [March 28, 2010].

Related Topics:

Other Topics