[attachment=3430]

EMBEDDED SECURITY USING PUBLIC KEY CRYPTOGRAPHY IN MOBILE PHONES
ABSTRACT
As mobile networks expand their bandwidth, mobile phones, as with any other Internet device, become substantially exposed to Internet security vulnerabilities. Since mobile phones are becoming popular and widely distributed, they are increasingly used for financial transactions and related electronic commerce. Consequently, they will feature applications that also demand adequate security functions. In this regard, the prevailing security system in wired networks could be extended to wireless networks as well. There are many schemes for enforcing security, of which, the most efficient is the public key infrastructure (PKI), employing public key cryptography. Extension of PKI to wireless networks demands for a modification of the existing technologies. In this paper, we propose an idea for implementing public key cryptography in mobile phones, by means of a comprehensive design, with due consideration for the hardware aspects as well. Public key cryptography deals with a secure way of encrypting documents, by the use of public and private keys. PKI, of which public key cryptography forms the essential part, ensures more protection and privacy than the existing methods like IDs and passwords. A mobile phone with public key cryptography capabilities can also act as an authentication device for access-control systems, based on the challenge-response mechanism. Introducing a highly advanced security concept such as PKI to the wireless Internet will facilitate the rapid market adoption of secure, web-based transaction and authentication services such as mobile banking, mobile brokerage and mobile payment. The freedom of the wire free world combined with the security and authentication made possible by PKI will change the face of commerce for businesses and consumers alike.

---

Presented By:
vinoth_kct5
udaya_sathish
ADDRESS: P.VINOTH KUMAR,
17/6, HUDCO COLONY,
PEELAMEDU,
COIMBATORE-641004.

---

INTRODUCTION
In today's world, where the Internet has become the way of life, transactions in commerce are extensively carried over the Internet. These include banking, payments, financial transactions and other commerce related operations. This has lead to the introduction of a new concept known as e-commerce. E-commerce is an electronic way of conducting transactions in finance, banking and payments across the Internet. This rapidly expanding system is plagued by the crippling problem of network security. Security forms the backbone of the world of commerce. A data transfer session across the network may be interfered in the ways described below.
¢ Eavesdropping - the information privacy is compromised without altering the information itself. Eavesdropping may imply that someone has recorded or intercepted sensitive information (e.g. credit card numbers, confidential business negotiations).
¢ Tampering - the information is altered or replaced and then sent on to the recipient (e.g. change of an order or commercial contract transmitted).
¢ Impersonation - the information is passed from or to a person pretending to be someone else (this is called spoofing, e.g. by using a false E-mail address or web site), or a person who misrepresents himself (e.g. a site pretends to be a books store, while it really just collects payments without providing the goods...).
This situation is being tackled and many solutions have been proposed and implemented for ensuring security in networks. All these methods are based on the idea of cryptography, which is a special branch of applied mathematics. Cryptography deals with the manipulation of the data, to produce a garbled or
scrambled message which is then sent across the network as encrypted data. The data may be received by the correct person and decrypted to produce the original message. The most widely sought after method is PKI (Public Key Infrastructure), which is implemented using Public Key Cryptography. A PKI is expected to offer its users the following benefits:
¢ Encryption - allows concealing information transmitted between two parties. The sender encrypts the information and then sends it, and the receiver decrypts the information before reading it. The information in transit is unintelligible to an eavesdropper.
¢ Integrity (tamper detection) - allows the recipient of information to verify that a third party has no altered the information in transit.
¢ Authentication - allows a receiver of information to verify the origin of information.
¢ Non-repudiation - prevents the sender of information from claiming at a later time that he/she never sent the information.
PKI (PUBLIC KEY INFRASTRUCTURE)
As explained above, PKI is a security architecture that has been introduced to provide an increased level of confidence for exchanging information over an increasingly insecure Internet, where such features cannot otherwise be readily provided. PKI facilities can, however be used just as easily for information exchanged over private networks, including corporate internal networks. PKI can also be used to deliver cryptographic keys between users (including devices such as servers) securely, and to facilitate other cryptographically delivered security services.
Public Key Cryptography is the concept used in PKI. This concept makes use of what is known as a public key and a private key. The public key is the key which is made public i.e. it is freely available and known to all people those wish to send a message to the recipient. The private key is a key which is maintained secretly by the recipient. The concept of Public Key Cryptography is elucidated in the following section.
A PKI consists of the following sections:
Certificate:
A public key certificate is used for authentication and secure exchange of information on the Internet, extranets and intranets. The issuer and signer of the certificate are known as a certification authority (CA), described below. The entity being issued the certificate is the subject of the certificate.
A public key certificate is a digitally signed statement that binds the value of a public key to the identity of the subject (person, device, or service) that holds the corresponding private key. By signing the certificate, the CA attests that the private key associated with the public key in the certificate is in the possession of the subject named in the certificate.
Certificates are issued for a variety of functions, including Web user authentication, Web server authentication, secure e-mail, IP Security and code signing. They can also be issued from one CA to another in order to establish a certification hierarchy. The common format for certificates in use today is defined by the ITU-T X.509version3 international standard.
Certification Authority:
A certification authority (CA) is an entity to issue certificates to an individual, a computer, or any other requesting entity. A CA accepts a certificate request verifies the requester's information and then uses its private key to apply
its digital signature to the certificate. The CA then issues the certificate to the subject of the certificate for use as a security credential within a PKI.
CA Policy:
A CA issues certificates to requesters based on a set of established criteria. The set of criteria that a CA uses when processing certificate requests (and issuing certificates, revoking certificates, and publishing CRLs) is referred to a CA Policy.
Rooted CA Hierarchies:
A hierarchy of CAs is built using a root CA certificate, and then intermediate CAs with each CA issuing certificates to subordinate CAs. The chain terminates when a CA issues a certificate to an end entity (a user).
Registration:
Registration is the process by which subjects make themselves known to a CA. Registration can be implicit in the act of making the request for a certificate, or accomplished through another trusted entity.
Certificate Revocation:
Certificates have a specified lifetime, but they can be revoked for a number of reasons such as, key compromise, CA compromise etc...
PUBLIC KEY CRYPTOGRAPHY
Cryptography is a special branch of applied mathematics which deals with the procedure for securing data and protecting it by means of converting it into a format which is scrambled to anyone who intercepts it midway. The
original data is converted to unintelligible data by means of a code or a key and is transmitted across the network. At the receiving end, however, the recipient has the key to decode the garbled message and retrieve its contents. The methods in use today include, public key cryptography, symmetric cryptography, hash algorithms. The most effective of these is the public key cryptography, which uses two separate keys, namely, the public key and the private key. In public-key encryption, the public key can be passed openly between the parties or published in a public repository, but the related private key remains private. Data encrypted with the public key can be decrypted only using the private key. Data encrypted with the private key can be decrypted only using the public key.
Like symmetric-key cryptography, public-key cryptography also has a number of types of algorithms. However, symmetric key and public-key algorithms are not designed in similar ways. Different public-key algorithms, on the other hand, work in very dissimilar ways and are therefore not interchangeable.
Generally public key cryptography is not used as the lone method for encryption. Public-key algorithms are complex mathematical equations using very
large numbers. Their primary limitation is that they provide relatively slow forms of cryptography. In practice, they are typically used only at critical points, such as for exchanging a symmetric key between entities or for signing a hash of a message (a hash is a fixed-size result obtained by applying a one-way mathematical function, called a hash algorithm, to data). Using other forms of cryptography, such as symmetric-key cryptography, in combination with public-key cryptography optimizes performance. Public-key encryption provides an efficient method to send someone the secret key that was used when a symmetric encryption operation was performed on a large amount of data. Public-key algorithms can be combined with hash algorithms to produce digital signatures.
A digital signature is a means for originators of a message, file, or other digitally encoded information to bind their identity to”that is, provide a signature for”the information. The process of digitally signing information entails transforming the information, together with some secret information held by the sender, into a tag called a signature. Digital signatures are used in public key environments to help secure electronic commerce transactions by providing verification that the individual sending the message really is who he or she claims to be, and by confirming that the message received is identical to the message sent. The most common used public-key algorithm is the RSA algorithm.
The public-key exchange of a symmetric coding takes place as described below.
¢ The sender obtains the public key of the recipient.
¢ The sender creates a random secret key (the single key used in symmetric-key encryption).
¢ The sender uses the secret key with a symmetric algorithm to convert the plaintext data into cipher text data.
¢ The sender uses the recipient's public key to transform the secret key into
cipher text secret key.
¢ The sender sends the cipher text data and cipher text secret key to the recipient.
¢ The recipient converts the cipher text secret key into plaintext using the private key of the recipient.
¢ The recipient converts the cipher text data into plaintext using the plaintext secret key.
OUR PROPOSAL:
EXTENSION OF PKI TO WIRELESS ENVIRONMENT
Public key techniques have been adopted in many areas of information technology, including network security, operating systems security, application data security and Digital Rights Management (DRM). The benefits of extending PKI to mobile phones are secure browsing, mobile payment authentication, access control, digital signatures on mobile transactions to name a few.
The access media\carrier to the mobile device changes in the case of wireless PKI. This calls for some changes to be made to the existing PKI. A PKI is considered wireless when the front- end devices are wireless. The back-end of these connections into wired networks such as the Internet. The basic structure of a wireless PKI is given below.
The wireless network shown above provides a solution for integrating PKI with existing wireless networks. The network shown is shown in greater detail in the following pages. A trusted third party or certification authority is brought into the network and the certification, key validation, etc.. are accomplished by the CA. Theoretically the mobile network, service\content provider and the trusted third party are enough to complete the process, but practically there are many obstacles to overcome.
Mobile devices are handicapped in the way that they have less powerful CPUs, less memory, restricted power consumption, smaller displays, and diverse input devices compared to their immobile counterparts in the network. They must be able to
o o o
Generate and register keys Manage end-user mobile identities Encrypt and decrypt messages
o o o
Receive, verify, store, and send certificates Receive, verify, store, and send digitally signed data Create and sign data
Ordinary mobile phones do not have sufficient memory and processing power to perform the above mentioned functions. Because of this, the need arises to include "network agents" that take care of some of these tasks. The verification of certificates must be done by the network agents. Keys can be generated and maintained by the network agents. They must also be capable of encrypting and decrypting messages and transmitting them across the network. The whole solution boils down to the idea that the mobile device must at least be able to perform a digital signature function in order to permit the establishment of a wireless PKI. Network agents can perform all other PKI-related tasks (e.g. data validation, archiving, or certificate delivery).
A definite standard must be followed while distributing PKI-related tasks among mobile devices and network agents. This standard must be followed by all mobile device providers and the software providers.
There are two methods for implementing wireless PKI in mobile phones. One way is to design new mobile phones with the following capabilities.
o Hardware modules that accelerate asymmetric and symmetric encryption algorithms.
o Cryptographic firmware library that provides access to the asymmetric, symmetric as well as hash algorithms. Implementation should be standard compliant.
o A software package that adds support for a wide range of applications, such as digital signature, certificate verification.
o A set of software modules for handling all complementary aspects of PKI, such as certificates handling, PIN handling, and secure key storage.
o Software implementation of the most commonly used security protocols, making use of the hardware-accelerated encryption algorithms.
o High-level PKI-based applications (e.g. challenge-response token application).
A hierarchical diagram of the above mentioned architecture is given
below.
The other method is to introduce external devices which do not change the existing hardware of the mobile phones, but which include the above mentioned aspects. A removable smart card incorporates the above mentioned functionality.
It should also extend support to specific predefined functions. Alternatively software-based packages functioning on the limited processing power and system resources of the mobile device can be used to provide security in wireless networks.
The second method is the most suitable for existing mobile technology and adapts to the limitations of today's mobile phones. New software packages are being developed for incorporating the above mentioned features.
-PPLH: -Th/ii
OERVCE PROVIDER
t- :E :T-TKN
¦;ERTIF N
.".UTHO Rn"Y
The network structure explained previously is depicted below with more details.
C.-J [i r.l-.MUF.-J&TUPEP
PROPOSED ARCHITECTURE
The setting up of the network is given below.
1. The card manufacturer creates PKI enabled SIM cards. In addition to the normal process, public and private key pairs have to be generated.
2. The private key is securely stored away on the SIM card and the public key has to be forwarded to the Certification Authority.
3. The SIMs are distributed to the customers.
4. When the customer finally applies for digital signature, a registration process is started and a notification is sent to the CA, to create a certificate from the pre-stored public key associated with the user's SIM.
5. The new certificate is published through the directory of the Certification Authority.
6. In order to complete the registration, the signing functionality on the SIM is unblocked and a signing PIN (S-PIN) is assigned to the customer.
Now the network incorporates all the required functions and applications for PKI. When a mobile user wishes to access the internet and conduct some transactions across the Internet, the system goes through the following steps.
1. The application sends a request to sign certain data to the security gateway at the operator.
2. The request is converted into executable SMS byte code that can be interpreted by a plug-in on the handset and is sent to the user.
3. The user gets a request on his handset and now must enter his S¬PIN in order to allow the phone to digitally sign the incoming data.
4. The signed data is returned to the verification system at the operator. This requests the matching public key certificate of the SIM that should have signed the data and uses it to verify the signature.
5. Finally, a response is created whether the signing was successful or not and is returned to the application server.
CONCLUSION:
In this paper concepts of PKI and public key cryptography were discussed. A novel way for incorporating PKI in the wireless network was proposed with a design of the architecture. Various aspects were discussed and a detailed description of the working of such a network is given without delving deeply into the hardware details. The opportunities of a secure wire free environment, where all transactions can take place, are multiple and varied. The most important aspect is that of security. If implemented, this technology could open the doors for a world where protection and privacy could be reinstated, in a way never imagined before.
REFERENCES:
1. Mobile cellular telecommunications by William C.Y. Lee
2. Mobile communication engineering by William C.Y. Lee
3. Cryptography and its applications by Peter Gutmann.