
CYBER SECURITY FOR GSM DATA PROTECTION

Dept: COMPUTER ENGINEERING File: Word(doc) Chapters: 1-5

Abstract

With the increasing use of extensive IT and telecommunication systems for sensitive or safety-critical applications, the matter of IT and telecommunication security is becoming more important. For a computer system and its related applications, including data, to be trustworthy, it must be secured. This project covers all aspects of computer system security. It also studies the security of data as it affects mobile systems, specifically the Global System for Mobile Telecommunications (GSM). The existing security algorithms in the GSM network were studied, and critical flaws were found in them that mean they cannot guarantee the security and confidentiality of users' data during a communication session. This poses a great threat in sensitive and safety-critical environments such as financial institutions, military and educational institutions, or even espionage establishments such as State Secret Services (SSS) and security establishments. This Masters project finally proffered solution

1.0 Background to the Study

The term security lacks meaning until one has defined what is to be secured and for whom. Likewise, security is difficult to comprehend without a potential threat. Mobile phones for third-generation mobile systems (3G) have several security stakeholders for which the mobile platform must provide security services. Moreover, the potential threats may differ from stakeholder to stakeholder.

The first class of security stakeholders, users, expects that mobile phones will offer secure and reliable communication – that is, they assume their phones can be trusted to handle sensitive tasks, such as e-commerce transactions. The main threats to this class of stakeholders are malicious software, such as viruses and Trojans, or weak or misbehaving security mechanisms.

The second class of stakeholders, mobile network operators, relies on phone network identification mechanisms (related to billing capability) and network-related software. Criminal-minded users or hostile software must not be allowed to circumvent these mechanisms. Operators thus require that the integrity of software can be guaranteed when the mobile phone is in operation. They also want to be certain that users cannot break SIM lock mechanisms.

A third class of security stakeholders, content providers, wants to be paid for the content (music, pictures, videos and software) that users download. It also wants to know that users cannot (mis)use their phones to illegally copy or distribute content. This is where digital rights management (DRM) functions come into play. However, DRM mechanisms alone cannot provide all necessary security. To provide a DRM solution that meets content provider requirements, the mobile phone platform must contain security functions that guarantee secure execution and code integrity.

Security is usually measured in terms of a set of basic aspects [1]:

– confidentiality,
– integrity,
– authentication,
– authorization and
– non-repudiation.

Confidentiality is ensuring that the data is hidden from those who are not supposed to see it. Confidentiality of data is achieved by cryptographically transforming the original data, often called plaintext, into ciphertext, which hides the content of the plaintext. This operation is realized as a parameterized transformation that keeps the controlling parameter secret. The controlling parameter is often called a key. The transformation is called encryption. With a key it is easy to perform the inverse transform, or decryption. Without the key, decryption would be difficult.

Integrity is about ensuring that data has not been replaced or modified without authorization during transport or storage. This is achieved using cryptographic transforms and a key. Additional information must also be added to the plaintext to verify its integrity.

Authentication is the procedure by which a unit (the claimant) convinces another unit (the verifier) of its (correct) identity. Authentication is different from authorization, which is the process of giving a person or entity permission to do or have access to something.

Non-repudiation is ensuring that someone who sent a message cannot deny being the one who sent it, by using security processes such as digital signatures.

There are two major classes of cryptographic mechanisms: symmetric and asymmetric. In symmetric mechanisms, the same key is used for encryption and decryption. Examples of symmetric confidentiality mechanisms are

• block ciphers, such as DES and AES; and
• stream ciphers, such as the GSM A1, A2 and A3 algorithms.

Integrity is often protected using symmetric mechanisms. Integrity-protection algorithms are also called message authentication codes (MAC). The most popular MAC is the HMAC algorithm. Because the key in symmetric mechanisms can be used to decrypt content, it must be kept secret from all but legitimate users of the encryption scheme.
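The encryption and MAC ideas above, combined as encrypt-then-MAC over a short message; this is an added example, not the thesis's secureSMS code. It uses the JDK's standard javax.crypto API rather than Bouncy Castle, and the class name SealedSms, the choice of AES-CTR with HMAC-SHA256 and the sample text are assumptions.

```java
import javax.crypto.*;
import javax.crypto.spec.*;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Arrays;

public class SealedSms { // hypothetical name, not from the thesis
    static final int IV_LEN = 16, TAG_LEN = 32;
    // Encrypt-then-MAC: output = IV || ciphertext || HMAC(IV || ciphertext)
    static byte[] seal(byte[] encKey, byte[] macKey, String text) throws Exception {
        byte[] iv = new byte[IV_LEN];
        new SecureRandom().nextBytes(iv); // fresh IV per message, never reused with the same key
        Cipher c = Cipher.getInstance("AES/CTR/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(encKey, "AES"), new IvParameterSpec(iv));
        byte[] ct = c.doFinal(text.getBytes(StandardCharsets.UTF_8));
        byte[] body = concat(iv, ct);
        return concat(body, hmac(macKey, body)); // the "additional information" that proves integrity
    }
    // Verify the tag first; decrypt only if the message is authentic.
    static String open(byte[] encKey, byte[] macKey, byte[] sealed) throws Exception {
        if (sealed.length < IV_LEN + TAG_LEN) throw new SecurityException("message too short");
        byte[] body = Arrays.copyOfRange(sealed, 0, sealed.length - TAG_LEN);
        byte[] tag = Arrays.copyOfRange(sealed, sealed.length - TAG_LEN, sealed.length);
        if (!MessageDigest.isEqual(tag, hmac(macKey, body))) // constant-time comparison
            throw new SecurityException("integrity check failed");
        Cipher c = Cipher.getInstance("AES/CTR/NoPadding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(encKey, "AES"), new IvParameterSpec(body, 0, IV_LEN));
        return new String(c.doFinal(body, IV_LEN, body.length - IV_LEN), StandardCharsets.UTF_8);
    }
    static byte[] hmac(byte[] key, byte[] data) throws Exception {
        Mac m = Mac.getInstance("HmacSHA256");
        m.init(new SecretKeySpec(key, "HmacSHA256"));
        return m.doFinal(data);
    }
    static byte[] concat(byte[] a, byte[] b) {
        byte[] out = Arrays.copyOf(a, a.length + b.length);
        System.arraycopy(b, 0, out, a.length, b.length);
        return out;
    }
    public static void main(String[] args) throws Exception {
        byte[] encKey = new byte[16], macKey = new byte[32]; // separate keys for cipher and MAC
        SecureRandom rng = new SecureRandom();
        rng.nextBytes(encKey); rng.nextBytes(macKey);
        byte[] sealed = seal(encKey, macKey, "Transfer approved"); // constructed sample text
        System.out.println(open(encKey, macKey, sealed));
        sealed[IV_LEN] ^= 0x01; // simulate one ciphertext bit modified in transit
        try { open(encKey, macKey, sealed); }
        catch (SecurityException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

The sealed form is 48 bytes longer than the text (16-byte IV plus 32-byte tag), which is a real cost inside the 140-octet payload of a single SMS.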

Asymmetric mechanisms use a pair of separate keys, one for the encryption transform and one for the decryption transform. The public key can be made publicly available, but the private key must never be revealed. Asymmetric mechanisms are typically used for distributing keys (for example, a symmetric key) or for digital signing purposes. A public key can be used to encrypt a symmetric key, which, in turn, can only be decrypted by the legitimate receiver using the corresponding private key. A private key may also be used to digitally sign data. The signature can be verified by anyone who knows the corresponding public key. The RSA scheme is a widely known example of an asymmetric cryptographic algorithm.

A lot of research has already been done in this regard, and it has been proved that most, if not all, of the existing algorithms employed by GSM companies as security measures have been broken. Equally, the smart card in GSM phones, the SIM card, can be cloned, and as such more research needs to be done to protect sensitive and critical data where GSM technologies are employed.

This Master's thesis focuses on ways in which users' sensitive data (especially short message service (SMS) data) can be further protected against threats from malicious and criminally minded users. All other areas of information and system security are equally researched by the project.

1.1 Aims and Objectives of the Project

The aims and objectives for the project are as follows:

– To study how GSM works with respect to the various security algorithms built into it.
– To study all the existing GSM cryptographic algorithms and expose their strengths and shortcomings.
– To proffer a solution to the shortcomings inherent in the original encryption algorithms found in GSM technologies by using a software-based approach to develop a MIDlet program in Java that can be used to further secure and protect users' sensitive and critical data (SMS only) using the Bouncy Castle Java cryptographic Application Programming Interface (API).
– To test-run the security Java MIDlet software program on compatible Mobile Information Device Profile (MIDP) phones or mobile devices engaged in an end-to-end GSM data communication session.

1.2 Justification for the Study

Mobile phones are used on a daily basis by hundreds of millions of users, over radio links. Unlike a fixed phone, which offers some level of physical security (i.e. physical access to the phone line is needed for listening in), with a radio link anyone with a receiver is able to passively monitor the airwaves.

Mobile phones are equally used in several sensitive and mission-critical environments, e.g. financial, military, educational, etc., where the integrity and privacy of data must not be compromised.

Therefore it is highly important that reasonable technological security measures are taken to ensure the privacy of users' phone calls and text messages (and data), as well as to prevent unauthorized use of the service being run by the mobile phone applications.

1.3 Scope of the Project

This study will cover:

– Data security in Global System Mobile Communication (GSM): all the existing security algorithms will be analysed and their strengths and weaknesses highlighted.
– Software will be used to strengthen GSM data security where weaknesses exist, using a MIDlet Java program developed with the Bouncy Castle Java cryptographic API. A software program will therefore be written in the Java programming language to improve the security features of GSM data where the integrity of users' data is critical and must not be compromised. This Master's project will focus on developing a software application that will protect users' Short Message Service (SMS) data only.

1.4 Limitations of the Project

1. This application can only be implemented on a Java-enabled phone which supports Mobile Information Device Profile (MIDP) 2.0.
2. Both the sender and recipient have to install the security software (the secureSMS software application) on their mobile phones in order to implement the solution and send and read encrypted and secure SMS.
3. The two people engaged in a two-way communication must switch on their mobile phones to be able to send and receive the secure SMS data.
4. The application does not have a Record Management Store facility yet, so the mobile phones cannot store the sent and received SMS data for future reference.
5. The security application can only work in an environment where a Global System for Mobile Telecommunication (GSM) or Universal Mobile Telecommunications System (UMTS) network is available and cannot work yet on a CDMA (Code Division for Multiple Access) network.

1.5 Block Diagram overview of the Project Stages

The block diagrams of the Research and Project stages are depicted below:

Fig 1.1. The Block diagram of the Research and Project Stages

STAGE 1: Research and analysis of GSM technologies and GSM Data Security and existing GSM Security algorithms

STAGE 2: Software development: development of a MIDlet Java computer program to further strengthen GSM data (SMS only) using Bouncy Castle Java Cryptographic API in NetBeans IDE

STAGE 3: Implementation of 2 programs developed in Java: test-running, deployment and implementation of the programs developed in STAGE 3 above

1.6 Project Report Organisation

This Master's thesis report is structured as follows:

Chapter 1, Background Information: This chapter gives general background information on security in computer systems and information systems, on the security of GSM data, and on the problems inherent in them. The chapter also captures the aims and objectives of the research project and the justification for embarking on the research project on information and GSM data security, as well as the objectives and scope of the study.

Chapter 2, Literature Review: Various relevant literature and facts that pertain to the subject of study, GSM technologies and GSM data security, are highlighted. Also highlighted are the Java data security technologies that are employed in the project to address the deficiencies noted in existing GSM security.

Chapter 3, Methodology & System Analysis: To provide further security for data in mobile devices, in combination with the existing encryption algorithms built into GSM mobile devices, during a communication session (SMS), a MIDlet Java program is developed with the BouncyCastle cryptographic Application Programming Interface (API). This chapter highlights more of the ins and outs of the Java technologies used in this project.

Chapter 4, System Design and Development: This chapter handles the full program design for the development of the security program to protect users' GSM SMS data using the Java programming language and the NETBEANS 6.8 Integrated Development Environment.

Chapter 5, System Implementation: This chapter handles the full testing, running, deployment and implementation of the two programs written in Chapter 4 above, which are used to strengthen the existing GSM algorithms and to provide a simulation exercise for the existing GSM security algorithms. The Java MIDlet secure SMS program is deployed using cable-to-PC as well as Over the Air (OTA) communication, running on compatible MIDP 2.0 Nokia phones such as the Nokia 2700 Classic, to implement the solution.

Chapter 6, Summary and Conclusion: A synopsis of the achieved goals of the implementations is shown. Problems encountered in the project and the way out of them are equally highlighted. Furthermore, recommendations for future work on the project are given, and finally this chapter gives a concluding remark on the project.

References: Cover all the cited works of other people used in this Master's thesis.

Appendix A: Covers the program source code for the project

Appendix B: Covers the GSM and other acronyms used and their full meaning

