A Solution of Secure User-to-SP Messaging Using Identity-Based Cryptography

INTRODUCTION

Mobile telecommunication handsets and networks are developing rapidly in recent years. At the end of 2009, the worldwide number of mobile users was over 4.3 billion people (GSM World, 2010). Short Message Service (SMS) is a store-and-forward, easy to use and low cost service. While it is mainly used for the personal communications, it has also been used in applications where the other party is an information system, such as remote control of the apparatus (Werff et al., 2005), m-banking and m-payment (Dukićand Katić, 2005). It is popular used for data bearer/service within GSM, CDMA and other cellular networks and will be more popular in the future.

The GSM with the greatest worldwide number of users suffers from many security problems (Siddique and Amir, 2006). In the GSM, only the airway traffic between the Mobile Station (MS) and the Base Transceiver Station (BTS) is optionally encrypted with a weak and broken stream cipher (A5/1 or A5/2) (Toorani and Shirazi, 2008). The GSM network access security uses A3/A8 (COMP128 actually used in GPRS) authentication algorithm to authenticate each Subscriber Interface Module (SIM) card which attempts to connect to the GSM network and it depends on a shared secret key between SIM card and the GSM Authentication Center (AUC), the secret key is embedded into the SIM card during manufacture and it is also securely replicated into the AUC (Zhao et al., 2008). Transmission of the short messages between SMSC and phone is via the Signaling System Number 7 (SS7) within the GSM Mobile Application Part (MAP) framework. The problem with GSM MAP is that it is an unencrypted protocol allowing employees within the mobile operator’s network that has access to SS7 network to eavesdrop or modify SMS messages (Hassinen, 2003). The SMS messaging has some extra security vulnerabilities due to its store-and forward feature and the problem of fake SMS that can be conducted via the Internet. When a user is roaming, the SMS content passes through different networks and perhaps the Internet that exposes it to various vulnerabilities and attacks (Toorani and Shirazi, 2008).

To exploit the popularity of SMS as a secure business bearer protocol, it is necessary to enhance its functionalities to offer the security services such as confidentiality, integrity, authentication and non-repudiation. However, such requirements are not provided by the traditional SMS messaging (Toorani and Shirazi, 2008).

In some literatures, most solutions use symmetric key cryptography or public key certificate cryptography to provide secure messaging. Toorani and Shirazi (2008) provided an elliptic curve-based public key solution to build secure application layer protocol as a secure bearer in the m-payment systems, but it has some disadvantages such as store, grant and maintenance of certificates. Zhao et al. (2008) proposed a solution for secure messaging channel using identity-based cryptography. It does not require a large storage on mobile terminal side and provides end-to-end security. But it is short of an availability authentication mechanism before exchanging secure message with each other. Croft and Olivier (2005) made use of an approximated one-time pad scheme to encrypt SMS messages between two mobile phones, it has limitation in this mechanism. It does not ensure end-to-end encryption because there is a decryption occurring within the mobile network so that another one-time pad can be created for the receiving phone to decrypt the message. Because the message is required to be decrypted within the mobile network, there is a dependency on the network infrastructure. Ratshinanga et al. (2004) proposed a secure SMS protocol which uses public and symmetric key cryptography and password authentication strategy. In terms of the cryptographic algorithms, they use 1024-bit RSA for the public key algorithm and 128 bit AES/CTR for symmetric key and block cipher mode algorithm and SHA-1 for the hash algorithm. It needs more computation on mobile terminal.

IDENTITY-BASED CRYPTOGRAPHY

Identity-based cryptography:
Identity-Based Cryptography (IBC) is a form of public key cryptography for which the public key can be an arbitrary including email address, phone number and username. The concept was first introduced by Shamir (1984). The IBC can be classified into: Identity Based Encryption (IBE), Identity Based Signature (IBS) and Identity Based Authenticated Key Agreement protocol. After the concept was first suggested, IBS schemes were sooner founded, but IBE scheme remained a more challenging problem. Based on properties of pairings of a bilinear map on elliptic curves was suggested, which is the first fully functional, efficient and provably secure identity-based encryption scheme (Boneh and Franklin, 2001).

Nowadays most identity-based cryptosystems are built on Elliptic Curve Cryptography (EEC). Compared to RSA, EEC is more efficient in general. For example, Chang and Stebila (2002) showed that for a security level of 2048-bit RSA, ECC outperformed RSA in every aspects; for a security level of 1024-bit RSA, ECC outperformed RSA in scenarios such as in mobile telecommunication networks. Compared to traditional PKI, identity-based cryptography also saves storage and transmission of public keys and certificates, which is especially attractive for devices used in mobile telecommunication networks.

Bilinear pairings:
A bilinear map is denoted ê: G₁xG₁→G₂ between two cyclic groups G₁, G₂ of order q for some large prime q, where G₁ is the group of points of an elliptic curve over F_p and G₂ is a subgroup of . A cryptographic bilinear map utilizes its properties of bilinear, non-degeneration and computability (Dutta et al., 2004; Baek et al., 2004):

•	Bilinear: ê(aP, bQ) = ê(P, Q)ab for P, Q ε G1and a, b ε Z*q
•	Non-degenerate: is an element of order q and in fact a generator of G2. In other words, ê (P, P) ε ≠ 1
•	Computable: Given P, Q ε G1 there is an efficient algorithm to compute ê(P, Q)

Why choosing identity-based cryptography:
Basically, there are three alternatives to use for a solution of secure messaging system. Each of them has its advantages and disadvantages.

Symmetric key cryptography:
The keys are short and the algorithms are highly efficient, these are particularly suitable for mobile devices. However, the SP needs to maintain n pairs of keys if there are n users. Each user needs to maintain a key with the SP.

Public Key Certificate (PKC) cryptography:
Mature algorithms such as RSA exist for the PKC system and an infrastructure for grant and maintenance of certificates has come into existence. However, this cryptography requires much computational and storage resources to calculate and store public/private keys. A mobile device may not be able to provide the required services. Furthermore, the SP needs to maintain n certificates if there are n users. Each user needs to maintain a certificate of the SP.

Identity-Based Cryptography (IBC):
The computational resource requirement is comparable to PKC for the same size of keys. However, it requires shorter keys to obtain the same security level as compared to the size of the key for traditional PKC cryptography. Moreover, it does not require extra transmission and storage of public keys. The SP needs to maintain n keys if there are n users. Each user needs to maintain nothing for the SP.

According to the analysis above, we can see that the PKC cryptography is not suitable for secure messaging, because of their much computational and storage resources to calculate and store public/private keys and the symmetric key cryptography is not suitable for it too, because it does not meet the secure requirement of integrity, authentication and non-repudiation etc. The advantage of identity-based cryptography is that there is no need to propagate public keys before communication and thus there is no need to store the keys as well. Therefore, we choose identity-based cryptography in present solution.

SOLUTION SYSTEM SETUP

Identity:
In GSM, the primary user identity is the International Mobile Subscriber Identity (IMSI) number. Note that the IMSI number is not the subscriber number (the so-called MSISDN number). The MSISDN number is a telephone number with full international prefix and is associated with the IMSI number in the operative databases. The MSISDN numbers are public information, while the IMSI number is intended for the system’s internal identification and routing purposes. Each SP has a unique short number that is publicly known to mobile users (Zhao et al., 2008). For a mobile user we choose his MSISDN (for a SP, we choose the short number) as the identity to be used in identity-based cryptography, because the receiver’s number is known to the sender whenever sending a message to a receiver and the sender’s number is known to a receiver whenever a message is received.

System parameters:
In the identity-based cryptography, the user’s public key is easily calculated from his identity, while a user’s private key can be calculated for him by a trusted authority, called Private Key Generator (PKG). The identity-based cryptography needs a setup phase in which system parameters are built and distributed to its users. These parameters include system public key, master key, private key of each user and algorithms to be used for hash, encryption and decryption.

In the setup stage, the PKG specifies a group G₁ generated by and the bilinear pairing ê: G₁xG₁→G₂. It also specifies hash functions to map variable identity strings to points in G₁ and chooses hash functions H₁: G₂→0, 1}^l, where l denotes the length of a plaintext and . The PKG then picks a master key s uniformly at random from and computes a public key P_pub = sP. For a mobile user or SP, when they give their identity (MSISDN or a short number) string IDε{0, 1}* to PKG, the cryptographic scheme builds an initial private key d_ID as d_ID = sQ_ID where Q_ID = G(ID). Then the mobile user or SP gets its private key d_ID and the system parameters paras = (G₁, G₂, ê, l, P, P_pub, G, H₁, H₂) from the PKG (Fig. 1).

When user A sends a secure SMS message to user B (A or B can be the SP), it encrypts and authenticates the message as follows:

Fig. 1:	Distribute private key and system parameters

•	A first generates the public key QB o f user B, QB = G(IDB), IDB is the MSISDN or short number of user B
•	A encrypts the message Mε{0, 1}l and outputs the cipher text C as C = (U, V) = (rP, M⊕H1(ê (QB, Ppub)r)), where r is chosen at random from
•	A signs the message with its own private key dA and outputs the signature S as: S = (U; V) = (rQA, (r+H2 (C, U))dA), where r is chosen at random from . The encrypted message C and signature S are put into the payload field of the SMS packet M' =<C, S>, then sending M' to receiver B

At the receiver B’s side, the message is verified and decrypted as follows:

•	B first generates the public key QA of user A, QA = G(IDA), the IDA is the MSISDN or short number of sender derived from the packet header
•	B verifies the validity of A's signature S = (U; V) by checking whether . If so, the message is processed further, otherwise, discard the message
•	For the received message C = (U; V), B decrypts it by computing , dB is a private key of user B

Implement and use of the system:
We designed and implemented a secure user-to-SP SMS messaging system according to the solution for one police business information system in 2008 at Shanghai. The architecture of system as Fig. 2 shows. It includes secure mobile terminal, GSM modem, secure gateway, database server and application servers. The secure gateway sends or receives secure message from or to secure mobile terminal by using GSM modem.

The secure mobile terminal installed an add-on Message Management Toolkit which developed with Java 2 Micro Edition (J2ME). It includes user’s private key, system parameters and some functions such as encryption, decryption, fragments and reassembles of messages and system setting etc. The Message

Fig. 2:	The architecture of system

Fig. 3:	The work flow of secure mobile terminal sending message

Management Toolkit does not change the traditional message input/output interfaces in the mobile terminal, but is built on top of them. It is like a new message management interface, where by the user receives and sends all messages. The user chooses an option to read or send a secure message or plain text message. On the SP side, a corresponding application runs on the secure gateway, the application encrypts all messages before sending to GSM modem and decrypts all messages coming from GSM modem. The secure gateway provides services to application servers by web services.

Figure 3 shows the work flow of the secure mobile terminal sending message. Figure 4 shows the work flow of the secure mobile terminal receiving message. On the SP side, the secure gateway has a corresponding work flow. In all this communication, the network operator has an access to only the encrypted text. Anyone who has intercepted the traffic, both from the air, or by getting into the network operators network, will also see only the encrypted messages and cannot get the clear text.

Fig. 4:	The work flow of secure mobile terminal receiving message

DISCUSSION ABOUT SECURITY OF THIS SYSTEM

In present solution, it selects MSISDN numbers as identity and deploys elliptic curves and a symmetric encryption algorithm. It has great computational and storage advantages over the traditional Public Key Certificate (PKC) cryptography while simultaneously providing the most feasible security services such as confidentiality, integrity, authentication and non-repudiation, etc.
Hereunder, some security attributes of the solution are briefly described.

Confidentiality:
"The confidentiality is completely resided in the secrecy of session key since the system uses a strong block cipher. The session key differs for different sessions and is derived from the private keys of the participants. The Unknown Key-Share (UKS) attack is thwarted because the identifier of sender is involved in derivation of session key. There are only two ways to defeat the confidentiality: finding the private key of receiver, or having both of the private key of sender and randomly integer r. Deducing the corresponding r of R is generally in deposit of solving the Elliptic Curve Discrete Logarithm Problem (ECDLP) that is computationally infeasible with the chosen domain parameters.

Authentication:
The implicit authentication is provided as the receiver verifies the signature.

Integrity:
The hash value of message, concatenated with some variable parameters is involved in the signature generation. The integrity is guaranteed by the security attributes of the deployed hash function and also the unforgeability of the signature.

on-repudiation and unforgeability:
It is computationally infeasible to forge the signature of the sender without having her private key.

The solution provides confidentiality, authentication, integrity and non-repudiation, etc. security attributes. It effectively prevents the some attacks previously available on SMS such as identity impersonation, message forgery and tampering.