Title:

SHORT MESSAGE SERVICE (SMS) SECURITY SOLUTION FOR MOBILE DEVICES

Introduction
A. BACKGROUND
Short Message Service (SMS) is a text message service that enables users to send short messages to other users on the Global System for Mobile communication (GSM) network. SMS uses a store-and-forward mechanism similar to SMTP mail service. Instead of mail servers, SMS Centers (SMSC) are used to store the SMS messages before they are forwarded to the mobile user's service provider or another SMSC. Although the network connections between the SMSC and nodes in a GSM network are usually protected by Virtual Private Network (VPN) tunnels, the SMS messages are stored unencrypted at the SMSC. This means that employees of SMSC operators, or others who can hack into the system, can view all the SMS messages passing through the SMSC. Many SMSCs also retain a copy of the SMS messages for audit, billing and dispute resolution purposes [1]. If an attacker manages to compromise the SMSC, the attacker can also read the SMS traffic. One of the more high profile victims of such an attack in recent years was England football captain David Beckham, whose SMS exchange with his personal assistant Rebecca Loos was intercepted and published in a tabloid [2]. Two employees from European phone operator mmO2 were dismissed for helping their friend obtain copies of his girlfriends SMS messages [3].

B. STATEMENT OF PROBLEM
Encryption provides a means of protecting sensitive communications over a public network but it imposes overhead in terms of additional computing. Mobile devices are generally faced with constraints on computational power and battery life. These constraints impose limits on the amount of encryption operations that can be performed without seriously affecting the usability of the device. Therefore, symmetric encryption is commonly used in mobile devices because of its efficiency relative to asymmetric encryption, such as PKI. That is why most current commercial SMS encryption solutions use password-based symmetric encryption. Passwords are used as a key distribution mechanism to synchronize the encryption keys. However, the use of passwords reduces the

strength of the cipher to the strength of the password when open algorithms, such as Data Encryption Standard (DES) or Advanced Encryption Standard (AES), are used. The onus is on the user to select a strong password. Although asymmetric encryption offers the additional advantage of simple key distribution and strong encryption, asymmetric encryption is not used because it is computationally demanding. However, mobile devices have experienced dramatic improvements in computing speeds and memory capacity, matching those of desktop computers a few years ago. Advances have also been made in battery technology and the energy efficiency of components, thereby extending the operating life of mobile devices. Given these developments, it remains to be shown whether or not modern devices are still limited in their ability to harness the advantages of asymmetric encryption to secure messages like SMS.

C. SCOPE OF RESEARCH
This thesis focuses on the use of encryption to secure SMS messages. The encryption requirements of voice traffic and other data traffic will not be discussed. The characteristics of different encryption schemes and their performance on a modern mobile device are presented. The properties of SMS were assessed with respect to their impact on encryption selection. Based on the measurement results, a suitable encryption scheme for SMS is selected, and deployed. A typical application is used to validate the selection.

D. RESEARCH OBJECTIVES
1. Primary Research Question
The primary research objective is to compare the performances of different encryption schemes on a modern mobile device and determine a suitable scheme, or combination of schemes, for protecting SMS messages. The aim is to determine if there are better ways of protecting SMS messages than just using symmetric encryption, thereby alleviating the constraints imposed on encryption use by the difficulties of symmetric key management.

2. Subsidiary Research Questions

Based on actual measurements, it will be possible to determine the overhead, such as power consumption, timing, and transmission, associated with encryption operations for different schemes. With this information, it may be possible to devise combinations of encryption schemes to meet different security requirements for different applications. E. RESEARCH METHODOLOGY The research comprises of two major areas, namely the comparison of different encryption schemes and the identification and deployment of a selected scheme. The available encryption schemes will be studied and compared based on their security properties and characteristics through literature research. The properties of SMS will be studied in detail to understand its characteristics and to determine security requirements. The comparison of the performance of different encryption schemes will be done using results from actual measurements. An experiment will be set up to measure the power consumption, timing overhead and transmission overheads associated with encryption. Conclusions can then be drawn taking into consideration these factors. 4 The demonstration application selected to validate the choice of encryption is a Secure Chat application based on SMS. The application was chosen because it has practical applications and is demanding in terms of real time user interactivity.

F. THESIS ORGANIZATION
The remainder of the thesis is organized as follows. Chapter II provides an overview of the security issues surrounding SMS, from the GSM infrastructure to the mobile device. This Chapter also highlights some applications where the security of the SMS is of paramount importance if it is to be used as a delivery mechanism in the application. Chapter III discusses the issues surrounding the use of encryption in mobile devices. It highlights some of the key considerations when choosing a suitable encryption scheme. The results of an experiment to measure some of the performance metrics are also discussed in this Chapter. Chapter IV describes the Secure Chat demonstration application that was developed to show how SMS messages can be secured using encryption. Chapter V concludes the thesis and provides recommendations for further research in this area.

Eto link neng. http://edocs.nps.edu/npspubs/scholarly/theses/2006/Dec/06Dec_Ng_Yu.pdf