Study of Mobile SMS Security Issues and Techniques

Exploring SMS security issues and future research directions

by Nalla Girish *,

- Published in Journal of Advances and Scholarly Researches in Allied Education, E-ISSN: 2230-7540

Volume 2, Issue No. 2, Oct 2011, Pages 0 - 0 (0)

Published by: Ignited Minds Journals


ABSTRACT

The short message service (SMS) is one of the most highly used and well-tried mobile services, with global availability within all GSM networks. The existing SMS is limited to the transmission of secure plain text between different mobile phone subscribers. SMS does not have any built-in procedure to authenticate the text and offer security for the text transmitted as data, because most of the applications for mobile devices are designed and developed without taking security into consideration. This paper details an overview of the current SMS security aspects and concerns during the SMS transmission. It also chronologically presents the existing mechanisms used to protect the SMS, with the goal of providing useful advice for further research. In addition, the security and efficiency of these mechanisms are analysed, considering the limitations of mobile devices and the security requirements. Finally, it suggests the future direction of SMS security for generating further research topics.

KEYWORD

SMS, security, mobile, text, transmission, authentication, mobile devices, mechanisms, limitations, research topics

INTRODUCTION

The use of mobile devices has increased rapidly over the years, particularly, during the last decade. These wireless devices were initially started as devices to store personal information. Short message service (SMS) will play an important role in the future business areas, which are popularly known as m-commerce, mobile banking, governmental use, and daily life communication. Furthermore, SMS has become a popular wireless service throughout the world as it facilitates a user to be in touch with any mobile phone subscriber anywhere in the world, instantaneously and without any hassle (Grillo et al., 2008; Zhang et al., 2005).

SMS SECURITY TECHNIQUES

Unprotected communication channels pose serious security vulnerabilities. It is therefore important that both mobile applications and mobile operators apply reliable protective techniques to avoid these vulnerabilities. Such techniques protect mobile subscribers from undesirable communication attacks during SMS transmission. Protection can be provided at the network level (transport layer) or at the application level (mobile application) (Tiejun et al., 2008). This section reviews and describes the security mechanisms used for protecting SMS transmission, analyses these mechanisms against the security requirements and the performance capability of mobile devices, and describes how they can be applied to avoid the security concerns. There are two types of techniques, which can be applied in different ways as mentioned (application layer and network layer). This paper focuses on the application layer techniques, which are considered the current SMS research issues since they are under the researchers' control and development.

SECURITY AND PERFORMANCE ANALYSIS

Several challenges have to be overcome for wide deployment in mobile systems. These challenges include the complexity of managing PKI mechanisms on devices of limited capability during deployment in a large-scale heterogeneous mobile system (Seema et al., 2004). PKI technology is a kind of asymmetric cryptography technique, which depends on computationally intensive key generation, and that makes it less suitable for devices of limited size and processing power, such as mobile phones (Dankers et al., 2002). In simple terms, if the mobile user wishes to use PKI mechanisms, the device should fully support the PKI features, which require a high mobile capability (Cai et al., 2005). Currently, all mobile devices have limited computational capabilities and a limited power supply since they depend on batteries; thus, traditional PKI is quite unsuitable for these existing devices (Lee et al., 2007). It is obvious that mobile devices must have high power capability, besides the associated capacity, to implement the PKI functions. That will provide a huge effort for the authentication process,

Available online at www.ignited.in Page 2

and can lead to a significant achievement of higher levels of security. However, due to the limited resources of mobile devices, PKI implementation is considered a serious drawback for mobile device applications. Thus, the relationship between the high security requirements and the mobile performance is inversely proportional: PKI provides a high security level for protecting SMS transmission, but at the same time it decreases the mobile performance.

Moreover, in server-architecture mobile security systems, the user has to obtain the approval of the mobile network operator or the service provider, as the system still depends on the services of the mobile network operator or the service provider. Furthermore, the communication overhead cost increases because users need to access the servers in many cases, such as uploading and downloading the cryptographic keys. Researchers do not expect that mobile operators will provide security services for data transmitted through the SMS service for individuals, at least not in the near future. Additionally, in current mobile systems, some applications based on PKI have already been installed. They can satisfy the security requirements through the use of X.509 as the certificate standard.

Although the mobile PKI fulfills all the security requirements, it is still unsuccessful in providing heterogeneous PKI standards for other mobile devices (Leung et al., 2003). Furthermore, different certificate standards from different Certificate Authorities (CAs) (vendors) are considered overheads for mobile applications. Therefore, mobile applications have to run different verification processing functions for different PKI certificate standards. In addition, any modification on the server side must also be made applicable to the user's mobile application. For example, changing or upgrading the certificate standards means upgrading the mobile application process. Thus, the mobile application has to deal with any new certificate standards, as the current PKI cannot maintain integrity between the standards.

LIMITATION

Although this review paper details all security concerns of GSM systems and mobile devices during SMS transmission, it does not mention the techniques which could be used to secure the GSM architecture. This is because we have already introduced the security techniques in the application layer to provide end-to-end security and protection.

FUTURE DIRECTION

Presently, there are two directions for addressing the PKI limitations, such as the high power capability demand mentioned earlier. Firstly, install a middleware server (with suitable requirements) between the mobile devices and the PKI server. This middleware can shield the mobile devices from the PKI complexities and perform some of the PKI operations on behalf of the mobile device, such as verifying and storing the mobile certificate, to reduce the mobile power consumption. The XML Key Management Specification (XKMS) can be the main structure for that middleware (Inc, 2002; Kangasharju et al., 2005; Nguyen and Ivar, 2008; Weerasinghe et al., 2006). XKMS can be a good solution for the client's (mobile device) deployment limitation and for resolving the different-vendor problem in the mobile PKI (M-PKI) implementation for the security of end-to-end SMS transmission. Figure 16 demonstrates the installation of the middleware server based on the XKMS technology. Secondly, providing direct communication (no certificate authority) between the mobile devices can also be a solution. As we have mentioned, the main duty of the certificate authority is authenticating the communicating user; therefore, the main challenge is how we can ensure the authentication (Al-bakri et al., 2010).
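A simplified model of the first direction (a middleware server that validates certificates on the handset's behalf), added here as an illustration and not taken from the paper: the middleware runs the trust, revocation and expiry checks, and the handset verifies a single HMAC over the verdict. The shared device key, the certificate fields and the function names are assumptions, and the message layout is not the XKMS wire format.

```python
import hashlib
import hmac
import json

# Constructed sample data; every name and value here is hypothetical.
TRUSTED_ISSUERS = {"ExampleCA-1"}
REVOKED_SERIALS = {"1002"}
DEVICE_KEY = b"constructed-demo-key"  # assumed shared by handset and middleware at enrolment

def _tag(key, body):
    """HMAC-SHA256 over a canonical encoding of the verdict body."""
    msg = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def middleware_validate(cert, nonce, now, key=DEVICE_KEY):
    """Middleware side: run the PKI checks and return a short authenticated verdict."""
    if cert["issuer"] not in TRUSTED_ISSUERS:
        status = "untrusted"
    elif cert["serial"] in REVOKED_SERIALS:
        status = "revoked"
    elif now > cert["not_after"]:
        status = "expired"
    else:
        status = "valid"  # a real service would also verify the signature chain here
    body = {"subject": cert["subject"], "status": status, "nonce": nonce}
    return {**body, "tag": _tag(key, body)}

def handset_accept(resp, subject, nonce, key=DEVICE_KEY):
    """Handset side: one HMAC check instead of certificate path validation."""
    body = {k: resp.get(k) for k in ("subject", "status", "nonce")}
    received = str(resp.get("tag", "")).encode()
    if not hmac.compare_digest(_tag(key, body).encode(), received):
        return False  # forged or altered verdict
    if body["nonce"] != nonce or body["subject"] != subject:
        return False  # replayed verdict, or a verdict about a different subject
    return body["status"] == "valid"

if __name__ == "__main__":
    good = {"subject": "alice", "issuer": "ExampleCA-1",
            "serial": "1001", "not_after": 2_000_000_000}
    bad = dict(good, subject="bob", serial="1002")
    for cert in (good, bad):
        verdict = middleware_validate(cert, nonce="n-1", now=1_700_000_000)
        print(cert["subject"], verdict["status"],
              handset_accept(verdict, cert["subject"], "n-1"))
```

The per-request nonce is what stops an old "valid" verdict from being replayed after the certificate has been revoked.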

CONCLUSION

SMS is an integral part of mobile communication, and SMS security is undoubtedly a useful and interesting yet challenging issue to consider. It holds great potential in applications related to businesses, government bodies, as well as the military. This paper reviews SMS security by outlining the different security issues related to SMS systems and the mechanisms used to overcome these issues during the entire SMS transmission circle, from the mobile source to the final mobile destination. Based on the author's experience, it is apparent that PKI provides high-level security to protect SMS during transmission because it resolves and avoids most of the issues related to SMS security. However, it decreases the mobile performance, as it requires high mobile power capability to apply the PKI process. Alternative methods should be offered to improve mobile PKI usage in a mobile environment.

REFERENCES

  • Anuar NB, Kuen LN, Zakaria O, Gani A, Wahab AWA (2008). GSM mobile SMS/MMS using public key infrastructure: m-PKI. WSEAS Trans. Comput., 7: 1219-1229.
  • Asokan N, Niemi V, Nyberg K (2005). Man-in-the-middle in tunnelled authentication protocols. pp. 28-41.
  • Asvial M, Sirat D, Susatyo B (2008). Design and Analysis of Anti Spamming SMS to Prevent Criminal Deception and Billing Froud: Case TELKOM FLEXI.
  • Aziz Q (2006). Payments through Mobile Phone. Emerging Technologies, 2006. ICET '06. International Conference on. pp. 50-52.
  • Cai L, Yang X, Chen C (2005). Design and implementation of a server-aided PKI service (SaPKI). pp. 859-864.
  • Chanson ST, Cheung TW (2001). Design and implementation of a PKI-based end-to-end secure infrastructure for mobile E-Commerce. World Wide Web. 4: 235-253.
  • Chikomo K, Chong MK, Arnab A, Hutchison A (2006). Security of mobile banking. University of Cape Town, South Africa, Tech. Rep., Nov.

1:

  • Croft NJ, Olivier MS (2005). Using an approximated one-time pad to secure short messaging service (SMS). pp. 71-76.
  • Dankers J, Garefalakis T, Schaffelhofer R, Wright T (2002). Public key infrastructure in mobile systems. Elect. Communi. Eng. J., 14: 180-190.
  • De Paula R, Ding X, Dourish P, Nies K, Pillet B, Redmiles D, Ren J, Rode J (2005). Two experiences designing for effective security. p. 34.
  • Diffie W, Hellman M (1976). New directions in cryptography. IEEE Transactions on Information Theory. 22: 644-654.
  • Ekdahl P, Johansson T (2001). Another attack on A5/1 [GSM stream cipher], 49(1): 284-289.
  • Forsberg D (2007). Use Cases of Implicit Authentication and Key Establishment with Sender and Receiver ID Binding. pp. 1-8.
  • Garza-Saldana JJ, Daz-Pérez A (2008). A State of Security for SMS on Mobile Devices, Electronics, Robotics and Automotive Mechanics Conference, CERMA '08. 4(5): 110-115.
  • Grillo A, Lentini A, Me G, Italiano GF (2008). Transaction oriented text messaging with Trusted-SMS. pp. 485-494.
  • Guthery S, Kehr R, Posegga J (2000). How to Turn a GSM SIM into a Web Server. p. 209.
  • Gutmann P (2004). Simplifying public key management. Comput., 37: 101-103.
  • Hassinen M (2006). Java based public key infrastructure for sms messaging. Information and Communication Technologies, 2006. ICTTA'06. 2nd. 1:
  • Hassinen M, Hyppönen K, Haataja K (2006). An open, PKI-based mobile payment system. Emerging Trends in Information and Communication Security, pp. 86-100.
  • Inc VS (2002). Trust Assertion XML Infrastructure. p. 45.


  • Islam S, Ajmal F (2009). Developing and implementing encryption algorithm for addressing GSM security issues. Emerging Technologies, 2009. ICET 2009. International Conference. pp. 358-361.
  • Jøsang A, Zomai MA, Suriadi S (2007). Usability and privacy in identity management architectures. p. 152.
  • Jumaat NB, Zakaria O, Gani A (2008). GSM Mobile SMS/MMS using Public Key Infrastructure: M–PKI. WSEAS Trans. Comput., 7: 1219-1229.
  • Lam KY, Chung SL, Gu M, Sun JG (2003). Lightweight security for mobile commerce transactions. Comput. Commun., 26: 2052-2060.
  • Lison KD, Drahanský M (2008). SMS Encryption for Mobile Communication. SECTECH '08 Proceedings of the International Conference on Security Technology, pp. 198-201.
  • Lu CC, Tseng SY (2002). Integrated design of AES (Advanced Encryption Standard) encrypter and decrypter. pp. 277-285.
  • Meyer U, Wetzel S (2004b). On the impact of GSM encryption and man-in-the-middle attacks on the security of interoperating GSM/UMTS networks. Personal, Indoor and Mobile Radio Communications, 2004. PIMRC 2004. 15th IEEE Int. Symposium on. 4: 2876-2883.
  • Moore T, Kosloff T, Keller J, Manes G, Shenoi S (2002). Signaling system 7 (SS7) network security, 2(3): 496-499.
  • Nah FFH, Siau K, Sheng H (2005). The value of mobile applications: a utility company study. Commun. ACM, 48:90.
  • Pesonen L (1999). Gsm interception. lecture notes, Helsinki University of technology, Lauri. Pesonen@ iki. Fi, pp. 1-9.
  • Pitoura E, Samaras G (1998). Data management for mobile computing, pp. 1-11.
  • Quirke J (2004). Security in the GSM system. AusMobile, May, pp. 1-26.
  • Ratshinanga H, Lo J, Bishop J (2004). A Security Mechanism for Secure SMS Communication. pp. 1-6.
  • Schneier B (2005). Two-factor authentication: too little, too late. Communications of the ACM. 48: 136.
  • Sengar H, Wijesekera D, Jajodia S (2005). Authentication and integrity in telecommunication signaling network, pp. 163-170.
  • J2ME-enabled mobile devices. Computer and Information Sciences - ISCIS 2004, pp. 935-944.
  • Toorani M, Shirazi B, Asghar A (2008). LPKI - a Lightweight Public Key Infrastructure for the mobile environments. pp. 162-166.
  • Wilson S (2005). The importance of PKI today. China Communications. p. 15.
  • Wu S, Tan C (2009). High Security Communication Protocol for SMS. pp. 53-56.
  • Zhao S, Aggarwal A, Liu S (2008). Building Secure User-to-user Messaging in Mobile Telecommunication Networks. pp. 24-26.