
Securing Mobile Phone Calls with Identity-Based Cryptography · Symbian implementation running on...

Date post: 09-Apr-2020
Page 1: Securing Mobile Phone Calls with Identity-Based Cryptography · Symbian implementation running on N95-1 and N82-1 Nokia smartphones. 1 Introduction In mobile phone networks, eavesdropping

Securing Mobile Phone Calls with Identity-Based Cryptography

Matthew Smith, Christian Schridde, Björn Agel, Bernd Freisleben

Department of Mathematics and Computer Science, University of Marburg
Hans-Meerwein-Str. 3, D-35032 Marburg, Germany

{matthew, schriddc, agel, freisleb}@informatik.uni-marburg.de

Abstract. In this paper, an identity-based key agreement system and its implementation for mobile telephony in GSM and UMTS networks is presented. The use of telephone numbers as public keys allows the system to piggyback much of the security overhead for key management to the existing GSM or UMTS infrastructure. The proposed approach offers solutions to the problems of multi-domain key generation, key distribution, multi-domain public parameter distribution and inter-domain key agreement. The feasibility of the approach is illustrated by presenting experimental results based on a Symbian implementation running on N95-1 and N82-1 Nokia smartphones.

1 Introduction

In mobile phone networks, eavesdropping on a call is easy, even for non-governmental forces. Since the encryption schemes in GSM (2G) and UMTS (3G) only encrypt calls between the mobile phone and the base station, an attacker positioned anywhere in the network between the two base stations can usually intercept calls without great difficulty. Furthermore, since GSM base stations are not authenticated, an attacker can pose as a base station and intercept phone calls in the vicinity. Due to backwards compatibility and UMTS coverage issues, most UMTS devices allow network fallback to GSM, opening up UMTS devices to the same man-in-the-middle attacks that afflict GSM networks.

While it is possible to implement end-to-end encryption of mobile phone calls based on a Public Key Infrastructure (PKI), the complexity of setting up and using a PKI is prohibitive, especially since many users of mobile phones are not well versed in cryptographic procedures and are quickly overwhelmed when confronted with public and private keys, certificates, signatures and revocation lists.

Identity-based cryptography (IBC) promises to offer an approach to end-to-end encryption for mobile telephone calls in which the telephone numbers of the call participants are used as the public keys to secure the communication channel, thus making the cryptographic security procedure as easy as making a telephone call. The use of telephone numbers as public keys has two major benefits. Firstly, since the caller knows the number to be called, the caller also automatically knows the public key and does not need a separate public key look-up or certification infrastructure. Secondly, telephone numbers are easy to understand and users are confident in using them, such that there is no need to educate users to understand the link between a telephone number, a public key and/or its certificate, thus significantly lowering the complexity threshold of phone call encryption.

Several solutions have been proposed which allow multiple identity private key generators (ID-PKGs) to interoperate [1–3], but these systems require either cooperation between the ID-PKGs or a hierarchical approach with a trusted party at the top. Both of these approaches are difficult to use in the area of mobile telephony due to organizational difficulties and conflicting business interests. As demonstrated by approaches based on a Certificate Authority (CA), there will always be competing organizations offering the same service for the same protocol (e.g. signing RSA public keys) without wanting to cooperate on the corporate level. Thus, to successfully deploy IBC in mobile telephony, the IBC system must be able to cope with real world network issues, such as allowing competing organizations to operate their ID-PKG independently of other ID-PKGs, roaming and changing providers, while still enabling cross-domain execution of the IBC protocols for their customers.

In this paper, a new multi-domain identity-based key agreement system is introduced which focuses on the issues to be solved when implementing IBC for mobile telephony. The proposed approach is realized using standard telephone numbers as public keys with multiple security domains (i.e. mobile telephony providers). It utilizes the mathematics also used in the traditional Diffie-Hellman [4] key agreement and Rivest-Shamir-Adleman (RSA) [5] public key cryptography approaches. Solutions to the problems of multi-domain key generation, key distribution, multi-domain public parameter distribution and inter-domain key agreement are presented.

The paper is organized as follows. Section 2 presents the problem statement. Section 3 gives an overview of the proposed identity-based key agreement protocol. Section 4 addresses real world problems occurring during the implementation. Section 6 discusses related work. Section 7 concludes the paper and outlines areas for future research.

2 Problem Statement

In GSM networks, communication between a mobile system (MS) (i.e. a mobile phone) and a base transceiver station (BTS) is encrypted using the A5 [6] cryptographic protocol. Due to design flaws, A5 is vulnerable to cryptanalysis such that hackers can eavesdrop on the communication. Updates to the A5 protocol have been proposed to hinder further attacks, and the UMTS standard has replaced A5 by a more secure (and open) protocol, making cryptographic attacks less of a concern.

Fig. 1. IMSI Catcher Attack

A simpler attack is to subvert the communication setup before encryption. To allow a MS to authenticate itself to the network provider, it gets a subscriber authentication key (SAK). The SAK is stored both on the SIM card of the MS and in the Home Location Register (HLR) of the provider. The BTS are connected to a Base Station Controller (BSC) that in turn is connected to a Mobile Switching Center (MSC) and a Visitor Location Register (VLR). These in turn are connected to the HLR and the Authentication Center (AuC) that give access to the SAK of the MS. During the authentication process, a 128-bit random number is generated which, using the A3 algorithm [7], is combined with the SAK to create a 32-bit authentication key called SRES. The SRES key is then sent to the BTS. The SRES key is then compared to the SRES* key that is computed by the AuC of the provider, also using the A3 algorithm and the HLR SAK. If the two values match, the MS is authenticated and may join the network. The BTS does not authenticate itself to the MS. This opens up the possibility of a Man-in-the-Middle (MITMA) attack. Using an IMSI catcher [8], an attacker can pose as a BTS and intercept calls in the vicinity by broadcasting a strong base station signal. Figure 1 shows the procedure. MS are programmed to connect to the strongest BTS signal; thus, if the IMSI catcher has the strongest signal, they sever their current BTS connection (1) and will connect to the IMSI catcher (2), no questions asked (3). Since the BTS is also responsible for selecting the security mechanism, the IMSI catcher can then force the MS to turn off encryption or select an insecure encryption algorithm (4) and thus allow the MITMA to operate. The downside to this attack is that the IMSI catcher cannot function as a real BTS since it is not connected to the main phone network and must forward calls using its own MS and SIM (5). However, since the SIM in the IMSI catcher cannot register itself as the target SIM (due to the authentication of the MS), the attacked MS is not registered at any BTS and is not reachable while it is connected to the IMSI catcher. Thus, only outgoing calls can be intercepted, since the network cannot reach the attacked MS. Furthermore, the IMSI catcher is not a targeted attack. It affects all MS in its vicinity, all of which are not reachable while they are connected to the IMSI catcher and whose calls would need to be forwarded if the IMSI catcher is not to become noticeable. While this attack should not be taken lightly, there are some real world problems in its execution.

A much simpler attack is enabled by cost saving measures in common practice when setting up base stations. Since connecting all BTS to a secured wired network is costly, BTS can also be connected to the main network via a directed microwave link. This microwave signal is sent without encryption and can easily be intercepted, giving an attacker clear text access to all calls going via this link without leaving a physical trace. But even a wired connection is not safe if an attacker is willing to apply a physical tap to the line. These link taps are particularly relevant since they can be used without affecting the rest of the network and thus cannot be easily detected. They also allow a large number of calls to be tapped simultaneously. For instance, a BTS located near a firm, government building or celebrity house can be tapped, thus making all mobile calls made to and from that location available to the attacker. Since the equipment needed to execute such a tap is becoming more portable and cheaper at a rapid rate, this kind of attack will rapidly gain in relevance.

To prevent the above attacks, end-to-end protection of phone calls is required. However, the solution must be able to be deployed in a multi-organization environment and be usable by non-tech savvy users. As stated in the introduction, conventional PKI based solutions are too complex both for the network providers and for the users. A simple approach is required which can be implemented by network providers independently of each other and which does not introduce added complexity for end users. In the next section, an algorithm will be presented that fulfills these requirements. The algorithm allows two MS to perform a session key agreement over an unsecured channel and between different providers using telephone numbers as public keys. Using the created session key, a symmetric encryption of all call data can be performed. The algorithm prevents MITMA attacks and offers perfect forward security.

3 Algorithms

3.1 Algorithmic Overview

The identity-based key agreement protocol SSF (Secure Session Framework) consists of four main algorithms: Setup, Extract, Build SIK, and Compute.

3.2 Key Agreement

The Setup algorithm (Fig. 2) is executed by the ID-PKG. This part of the key agreement protocol is only performed once and creates both the master secrets $P$ and $Q$ as well as the public parameters.

Setup - The Setup algorithm is executed by the ID-PKG.
Input: $k \in \mathbb{N}$
Step 1: Choose an arbitrary integer $R > 1$ from $\mathbb{Z}^+$.
Step 2: Generate two primes, $P$ and $Q$, of bit length $k$ with the following properties:
  1. The prime factorization of $(P-1)$ contains a large prime $P'$.
  2. The prime factorization of $(Q-1)$ contains a large prime $Q'$.
  3. $\gcd(\varphi(PQ), R) = 1$, where $\varphi(\cdot)$ is the totient function.
Step 3: Compute the product $N = PQ$.
Step 4: Choose a generator $G$ of a subgroup $\mathbb{G}$ of $\mathbb{Z}_N$ whose order contains at least one of the primes $P'$ or $Q'$ such that the Computational Diffie-Hellman Assumption (CDHA) [9] holds in $\mathbb{G}$.
Step 5: Choose a cryptographic collision-resistant hash function $H : \{0,1\}^* \to \mathbb{Z}_N$.
Output: $PSP = (N, G, R, H(\cdot))$, $SP = \{P, Q\}$

Fig. 2. Setup algorithm

Public, Shared Parameters. The public, shared parameters (PSP) of a domain $D$ of the key agreement protocol SSF are the quadruple $PSP = (N, G, R, H(\cdot))$.

The Extract algorithm (Fig. 3) creates the identity key (i.e. the private key) for a given identity. This algorithm is executed by the ID-PKG. If all IDs are known and the range is not too big (e.g. a Class B or C subnet of the Internet), it is possible to execute this step for all IDs offline, and the master secrets can then be destroyed, if required.

Extract - The Extract algorithm is executed by the ID-PKG.
Input: PSP, SP, ID
Let ID be a given identity. The algorithm computes $d_{ID} \equiv H(ID)^{1/R} \pmod{N}$. The integer $d_{ID}$ is called the identity key and is given to the entity $E_{ID}$.
Output: $d_{ID}$

Fig. 3. Extract algorithm

The Build SIK algorithm (Fig. 4) is executed by the devices taking part in the key agreement.

Build SIK - The Build SIK algorithm is executed by the entity $E_{ID}$.
Input: PSP, $d_{ID}$
Step 1: Choose a random integer $r_{ID}$ from $\mathbb{Z}^+$.
Step 2: Compute $SIK_{ID} \equiv G^{r_{ID}} \cdot d_{ID} \pmod{N}$.
$SIK_{ID}$ is the SIK (session initiation key) for the identity string ID that belongs to entity $E_{ID}$.
Output: $SIK_{ID}$

Fig. 4. Build SIK algorithm

The random integer $r_{ID}$ is generated with a secure number generator to make $r_{ID}$ unpredictable. The private identity key is used in combination with this randomly chosen integer and the generator in such a way that it is not possible to extract the identity key from the SIK. This is due to the fact that the multiplications are performed in the ring $\mathbb{Z}_N$ and the result set of a division in the ring $\mathbb{Z}_N$ is so large that the extraction of the identity key is infeasible. The SIK is then sent over an unsecured channel to the other party and vice versa. The SIK must be greater than zero to prevent a trivial replacement attack where an attacker replaces the SIKs with zero, which in turn would make the session key zero as well. Any other replacement attacks lead to invalid session keys.

The final step of the key agreement process is the computation of the session key using the Compute algorithm (Fig. 5), which is executed by the devices taking part in the key agreement. By applying the inverse of the hash value of the opposite's identity, the involved identity key is canceled out. Only if both endpoint addresses match their identity keys, a valid session key is created.

Compute - The Compute algorithm is executed when two parties are performing a key agreement.
Input for $E_{ID_1}$: $E_{ID_2}$, PSP, $SIK_{ID_2}$, $r_{ID_1}$
Input for $E_{ID_2}$: $E_{ID_1}$, PSP, $SIK_{ID_1}$, $r_{ID_2}$
When $E_{ID_1}$ receives the session initiation key from $E_{ID_2}$, it calculates
$$\left(SIK_{ID_2}^{R} \cdot H(ID_2)^{-1}\right)^{r_{ID_1}} \equiv \left(\left(G^{r_{ID_2}} \cdot d_{ID_2}\right)^{R} \cdot H(ID_2)^{-1}\right)^{r_{ID_1}} \equiv G^{R\, r_{ID_1} r_{ID_2}} \equiv S \bmod N$$
When $E_{ID_2}$ receives the session initiation key from $E_{ID_1}$, it calculates
$$\left(SIK_{ID_1}^{R} \cdot H(ID_1)^{-1}\right)^{r_{ID_2}} \equiv \left(\left(G^{r_{ID_1}} \cdot d_{ID_1}\right)^{R} \cdot H(ID_1)^{-1}\right)^{r_{ID_2}} \equiv G^{R\, r_{ID_1} r_{ID_2}} \equiv S \bmod N$$
Output: $H(S)$, the common session key for $E_{ID_1}$ and $E_{ID_2}$.

Fig. 5. Compute algorithm

The key distribution system proposed by Okamoto [10] extracts its identity information in a similar manner as in our scheme, but does not address the case of key agreement between different domains.

3.3 Key Agreement Between Different Domains

The ID-PKG determines the public, shared parameters, and all entities that receive their identity key for their IDs from this generator can establish a key agreement among each other. In practice, it is very unlikely that all phones will receive their identity key from the same security domain, since this would imply the existence of a third party trusted by all with a secure communication link to all devices. Since telephone network providers are in charge of managing the MS information of their customers autonomously, it is desirable that they also manage the security information autonomously, meaning that they must be allowed to operate their own ID-PKG without having to cooperate with other providers. The management infrastructure, such as HLRs and AuC, can then simply be extended by the required additional data.

We now show how cross-domain key agreement can be achieved such that only the public parameters must be distributed (which will be discussed in section 4). Each device only needs a single identity key, and the ID-PKGs do not need to agree on common parameters or participate in any form of hierarchy. In the following, we assume without loss of generality that there are two domains $D_1$ and $D_2$. Their public parameters are $(N_1, G_1, R_1, H_1(\cdot))$ and $(N_2, G_2, R_2, H_2(\cdot))$, respectively. Every parameter can be chosen independently. The case that $(R_2, \varphi(N_1)) > 1$ or $(R_1, \varphi(N_2)) > 1$ is not critical, since no $R$-th roots must be computed regarding the other domain's modulus. The two moduli $N_1$ and $N_2$ were chosen according to the requirements stated in the Setup algorithm, i.e. the computation of discrete logarithms is infeasible in $\mathbb{Z}_{N_1}$ and $\mathbb{Z}_{N_2}$, respectively. Consequently, an algorithm such as the Pohlig-Hellman algorithm [11] cannot be applied and Pollard's $P-1$ factoring algorithm [12] will not be a threat. Thus, a random non-trivial integer has a large order in $\mathbb{Z}_{N_1 N_2}$ with an overwhelming probability, and the computation of discrete logarithms is infeasible in $\mathbb{Z}_{N_1 N_2}$.

In the following, an entity $E_{ID_1}$ from $D_1$ wants to communicate with $E_{ID_2}$ from $D_2$. The algorithm for cross-domain key extension is shown in Fig. 6.

Cross-Domain Key Extension (from the view of participant $E_{ID_1}$)
Executes: Query rPSP, Extend IK and Build eSIK
Input: $PSP_1$, $PSP_2$, $d_{ID_1}$
Step 1: Calculate the common, shared, public parameters: $PSP_{1,2} = (N_1 \cdot N_2,\ G_1 \cdot G_2,\ R_1 \cdot R_2,\ H_2(\cdot))$.
Step 2: Use the Chinese Remainder Theorem to calculate the integer $d_{ID_1}$:
$$d_{ID_1} \equiv d_{ID_1} \bmod N_1 \quad\text{and}\quad d_{ID_1} \equiv 1 \bmod N_2$$
Step 3: Use the Chinese Remainder Theorem to calculate the integer $H_1(ID)$:
$$H_1(ID_1) \equiv H_1(ID_1)^{R_2} \bmod N_1 \quad\text{and}\quad H_1(ID_1) \equiv 1 \bmod N_2$$
Step 4: Build eSIK via $eSIK^{(1,2)}_{ID_1} \equiv (G_1 \cdot G_2)^{r_{ID_1}}\, d_{ID_1} \bmod N_1 N_2$
Output: $eSIK^{(1,2)}_{ID_1}$, the cross-domain session initiation key.

Fig. 6. Cross-Domain Key Extension algorithm

In step 1 of the cross-domain key agreement algorithm, the common shared public parameters are the element-wise product of both sets of domain parameters. In step 2, entity $E_{ID_1}$ extends its identity key using the Chinese Remainder Theorem. In step 3, entity $E_{ID_1}$ extends its hash identifier, also using the Chinese Remainder Theorem. The procedure for entity $E_{ID_2}$ is analogous; only the indices change from 1 to 2. Key agreement is then performed using the extension of the original algorithm shown in Fig. 7. For more information on the SSF protocol, the reader is referred to [13].

Cross-Domain: Compute SK algorithm
Input for $E_{ID_1}$: $ID_2$, $PSP_{(1,2)}$, $eSIK^{(1,2)}_{ID_2}$, $r_{ID_1}$, $H_2(ID_2)$
Input for $E_{ID_2}$: $ID_1$, $PSP_{(1,2)}$, $eSIK^{(1,2)}_{ID_1}$, $r_{ID_2}$, $H_1(ID_1)$
When $E_{ID_1}$ receives the session initiation key from $E_{ID_2}$, it calculates
$$\left(\left((G_1 \cdot G_2)^{r_{ID_2}}\, d_{ID_2}\right)^{R_1 \cdot R_2} H_2(ID_2)^{-1}\right)^{r_{ID_1}} \equiv (G_1 \cdot G_2)^{R_1 R_2 r_{ID_1} r_{ID_2}} \equiv S \bmod (N_1 \cdot N_2)$$
When $E_{ID_2}$ receives the session initiation key from $E_{ID_1}$, it calculates
$$\left(\left((G_1 \cdot G_2)^{r_{ID_1}}\, d_{ID_1}\right)^{R_1 \cdot R_2} H_1(ID_1)^{-1}\right)^{r_{ID_2}} \equiv (G_1 \cdot G_2)^{R_1 R_2 r_{ID_1} r_{ID_2}} \equiv S \bmod (N_1 \cdot N_2)$$
Output: $S$, the common session key for $E_{ID_1}$ and $E_{ID_2}$

Fig. 7. Cross-Domain Compute SK algorithm

4 Implementation Issues

In the following, several issues for deploying the proposed system in practice are discussed. It will be shown how the public parameters and the identity keys are distributed in multi-provider scenarios and how telephone number expiry is handled. One of the important issues of any multi-organizational cryptographic system is the distribution of the public parameters and keys. It should be noted that a main requirement is to try to minimize the number of global distribution steps in favor of local distribution steps, since this distributes the workload and reduces the risk of a global compromise. In a scenario with $N$ providers, each with $M$ customers where $M \gg N$, we have $N \cdot M$ customers in total. This means that $N \cdot M$ private/identity keys need to be distributed. In a PKI, in the worst case in which everybody wants to communicate with everybody else, $(N \cdot M - 1) \cdot (N \cdot M)$ public keys need to be exchanged and managed. In our system, only the public parameters of the $N$ providers need to be exchanged. This reduces the number of transfers from $N \cdot M$ local and $(N \cdot M - 1) \cdot (N \cdot M)$ global transfers to $N \cdot M$ local transfers and only $N$ global transfers, and since $M \gg N$, this is a large saving. Even using traditional key distribution mechanisms, our system offers a significant saving compared to a PKI in key escrow mode. In the following, further optimizations of the distribution process which are possible due to the network centric approach of our solution will be suggested.

4.1 Distribution of Shared, Public Parameters

Like most other IBC approaches, our system also uses shared public parameters. In a single domain scenario, the distribution of the public parameters is not a problem. However, if each network provider runs its own ID-PKG, the number of public parameters and the binding between public parameters and identity keys becomes more complex. As stated above, this distribution problem is still much smaller than the distribution problem for traditional public keys where each entity has its own public key that needs to be distributed. Of course, traditional PKI technology can be used to distribute the public parameters, but a more suitable solution is to integrate the public parameters into the GSM/UMTS lookup mechanism and carry the information over the SS7 [14] protocol. Since there already is lookup functionality to locate the HLR of a MS and the current location of the MS, a flag can be attached to the request message, stating that the public parameters of the MS should be sent piggybacked to the response. The flag is used, since the public parameters only need to be queried for the very first call to a MS of a particular provider. All subsequent calls to the same or other MS of the same provider do not need a further public parameter lookup. In the case of UMTS, this is reasonably secure since the BTS must authenticate itself to the MS and thus an active MITMA is prevented that could otherwise tamper with the public parameters. The passive MITMAs still possible with UMTS are not a danger to the transfer of the public parameters since they are public anyway. In the case of GSM, this form of public parameter distribution holds the risk of an attacker with an IMSI catcher replacing the public parameters with his own on the first call made to a provider by a MS. However, this attack only works on the very first call ever placed to a provider and will be detected as soon as the MS calls someone else at the same provider after the attack due to a public parameter mismatch. To summarize, this form of public parameter distribution is not a problem in UMTS networks, and if the slight security risk in GSM networks is unacceptable, a traditional CA based signing approach can be added to prevent tampering with the public parameters.

4.2 Distribution of the Identity Keys

The most critical element in all IBEs or PKIs in key escrow mode is the distribution of the identity keys (private keys) and the prevention of identity misbinding. In a mobile phone scenario, identity keys can be placed on the SIM card during manufacturing. Since the deployment process of SIM cards is already set up to include sensitive personal information, adding the identity key to the SIM is not difficult. If there is no requirement for key expiration, this is most likely the best solution, since the identity key is never transmitted over a public network and thus the risk of compromise is minimized. However, if a more flexible online system is required, the novel structure of the presented algorithm allows this as well. If the public parameters of the provider for a MS can be placed on the SIM during manufacturing, the presented system offers a way to transmit identity keys securely over an insecure network. When a MS first connects to the network, it requests its identity key from its home provider. Since this message exchange is security critical, the messages must be protected. To this end, the client creates a session key that is encrypted using the public parameter $N$ of the provider ($N$ can be used in the same way as an RSA public key). The session key can only be decrypted by the provider, who then uses the session key to encrypt the identity key of the MS using AES and sends it to the client. Since even an active MITMA cannot compromise this message exchange, because it is not in possession of the $P$ and $Q$ needed to decrypt the session key, the transfer of the identity key is secure. This novel online distribution of identity keys allows key expiration (see below) to be implemented without a significant overhead, since no further security infrastructure or out-of-band communication is required.

The algorithm implemented for this approach is shown in Fig. 8.

Identity Key Request and Submit.
Input: PSP ∈ N
Step 1 ($E_{ID}$): Choose an arbitrary integer $w$ from $\mathbb{Z}^+$.
Step 2 ($E_{ID}$): Compute $c \equiv w^{R} \pmod{N}$.
Step 3 ($E_{ID}$): Send $c$ to ID-PKG.
Step 4 (ID-PKG): Compute $D \equiv R^{-1} \pmod{\varphi(N)}$.
Step 5 (ID-PKG): Compute $c^{D} \equiv w \pmod{N}$.
Step 6 (ID-PKG): $C \leftarrow AES_{enc}(w, d_{ID_A})$.
Step 7 (ID-PKG): Send $C$ to entity $E_{ID}$.
Step 8 ($E_{ID}$): $d_{ID_A} \leftarrow AES_{dec}(w, C)$
Output: $d_{ID_A}$

Fig. 8. Identity Key Request and Submit algorithm

(a) 512-Bit Modulus

| bitsize of $r_{ID}$ | R = 3 | R = 17 | R = 513 | R = 65537 |
|---|---|---|---|---|
| 64-Bit | 38 | 45 | 47 | 51 |
| 128-Bit | 86 | 86 | 82 | 92 |
| 256-Bit | 156 | 166 | 161 | 167 |
| 512-Bit | 324 | 335 | 318 | 325 |

(b) 1024-Bit Modulus

| bitsize of $r_{ID}$ | R = 3 | R = 17 | R = 513 | R = 65537 |
|---|---|---|---|---|
| 64-Bit | 161 | 174 | 172 | 180 |
| 128-Bit | 305 | 316 | 316 | 311 |
| 256-Bit | 620 | 618 | 629 | 625 |
| 512-Bit | 1219 | 1237 | 1240 | 1244 |

(c) 2048-Bit Modulus

| bitsize of $r_{ID}$ | R = 3 | R = 17 | R = 513 | R = 65537 |
|---|---|---|---|---|
| 64-Bit | 622 | 670 | 670 | 700 |
| 128-Bit | 1192 | 1186 | 1208 | 1169 |
| 256-Bit | 2320 | 2421 | 2334 | 2435 |
| 512-Bit | 4577 | 4559 | 4582 | 4575 |

(d) 4096-Bit Modulus

| bitsize of $r_{ID}$ | R = 3 | R = 17 | R = 513 | R = 65537 |
|---|---|---|---|---|
| 64-Bit | 2354 | 2485 | 2566 | 2680 |
| 128-Bit | 4586 | 4594 | 4734 | 4842 |
| 256-Bit | 8813 | 9280 | 9153 | 9100 |
| 512-Bit | 17641 | 18514 | 17497 | 17749 |

Table 1. Performance Measurements (milliseconds)

4.3 Key Expiration

Another practical issue of mobile phone call encryption is the fact that telephone numbers are reused. In a PKI or CA based solution, this creates several problems, since the central PKI must be updated or the CA must be contacted to re-sign public keys as the MS swap telephone numbers. Certificate Revocation Lists can be used to accomplish this; however, the solutions tend to become quite complex. In particular, public key caching mechanisms can lead to problems. In the presented identity-based solution, natural key expiration techniques can be used to cope with telephone number reuse. Boneh et al. [15] showed how keys can be given a lifetime, which allows natural expiration of the identity key. This is done by the internal concatenation of the ID, in our case the telephone number, with a date. The same technique can be used in our solution. Thus, when a customer releases a telephone number and it is reused, the next customer will have a different identity key based on the current date. Since telephone number reuse is time-delayed in any case, this time frame can be used as the key lifetime to ensure that each successive owner lies in a new lifetime slot. With the techniques introduced in this paper, a frequent automatic in-band key distribution can be safely executed and thus key renewal is far less of a problem. Additionally, key expiration also reduces the risk of identity key theft, since the attack window is restricted to a small time interval.

5 Experimental Results

In this section, experimental results of the presented identity-based cryptographic security solution for mobile phone key agreement are presented. The experiments were run on a Nokia N82-1 and a Nokia N95-1, both with an ARM-11 CPU with 330 MHz running Symbian 9.2 FP1.

Both the performance of the key agreement and the ensuing symmetric AES encryption were measured. To gain a robust mean, all experiments were performed 100 times. For the key agreement, the following parameters were examined: the modulus - with N = 512, 1024, 2048 and 4096 Bit, the random exponent - with rID = 64, 128, 256 and 512 Bit and the chosen public parameter R = {3, 17, 513, 65537}.

The numbers chosen for R were selected to give an overview of the performance of the algorithm based on the size of R. R can be chosen arbitrarily by the ID-PKG according to the setup algorithm (Step 2.3). Each of the following tables contains the mean time for the key agreement operations of the 100 trial runs computed using a fixed modulus with rID and R in the rows and columns.

It is evident from the tables that the main contribution to the computational time is the modulus and the random exponent. The public random number R selected by the provider does not have a significant effect due to the fact that the computational time of the algorithm depends on the number of 1's in the binary representation of the number and the used random numbers all contain two binary 1's. The random number R is not security critical for R > 3. While the time needed for key agreement using a 4096-bit modulus and a 512-bit random exponent is too long for current devices, key agreement with a 2048-bit modulus and 128 or 256-bit random exponents has acceptable run times. Once a session key has been established, a symmetric encryption of the call using AES 256 is executed. The encoding block was set to 4096 Byte which contains at least 256 ms (depending on the compression) of audio data. On the N95-1 and N82-2 it only takes an average of 24.1 ms to encrypt the block, so the phones can easily cope with the real time encryption of the voice data.
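Why the choice of R barely moves the timings while the size of the random exponent dominates, as an added example that is not the paper's Symbian code: a textbook left-to-right square-and-multiply that counts modular operations. That the implementation exponentiates this way is an assumption, and the modulus, base and sample exponents are constructed values.

```python
import random

MODULUS = (1 << 1024) - 105   # constructed odd 1024-bit value, not a real key modulus
BASE = 5                      # constructed base

def modexp_counting(base, exponent, modulus):
    """Left-to-right square-and-multiply.

    Returns (result, squarings, multiplications)."""
    if exponent < 1 or modulus < 2:
        raise ValueError("exponent must be >= 1 and modulus >= 2")
    result = base % modulus
    squarings = multiplications = 0
    for bit in bin(exponent)[3:]:          # bits after the leading 1
        result = (result * result) % modulus
        squarings += 1
        if bit == "1":                     # one extra multiply per set bit
            result = (result * base) % modulus
            multiplications += 1
    return result, squarings, multiplications

def operation_count(exponent, modulus=MODULUS, base=BASE):
    """Total modular operations for one exponentiation."""
    _, squarings, multiplications = modexp_counting(base, exponent, modulus)
    return squarings + multiplications

def sample_exponent(bits, seed=1):
    """Deterministic constructed exponent with exactly `bits` bits."""
    rng = random.Random(seed)
    return rng.getrandbits(bits) | (1 << (bits - 1)) | 1

if __name__ == "__main__":
    # The four public parameters from the measurements: each has two set
    # bits, so each costs exactly one multiply plus a handful of squarings.
    for r in (3, 17, 513, 65537):
        _, sq, mul = modexp_counting(BASE, r, MODULUS)
        print(f"R={r:<6} squarings={sq:<3} multiplications={mul}")
    # Random exponents: the operation count grows linearly with the bit size,
    # in line with the near doubling from row to row in Table 1.
    for bits in (64, 128, 256, 512):
        print(f"{bits}-bit exponent: {operation_count(sample_exponent(bits))} operations")
```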

6 Related Work

Kumar et al. [16] present an IBC based approach to mutual authentication and key agreement for GSM networks. Unlike our proposal, Kumar et al. use the IMSI number as the public identity key. The security of the protocol relies on a secure channel to the HLR and VLR (Phase 1, Steps 2 and 3). Both these design decisions have drawbacks. Firstly, using the IMSI as the public key means the users must trust the infrastructure to show them the correct binding between telephone number and IMSI number, since most users do not know their own IMSI, let alone the IMSI of other users. Secondly, the communication channels between the MS and the HLR and VLR are not considered to be secure and must be handled by the presented solution.

There are other approaches such as the Cryptophone [17] that applies the ZFone [18] VoIP security mechanism to mobile phones. ZFone executes a standard Diffie-Hellman key agreement (which is vulnerable to an active MITMA), but then displays a hash of the generated session key to both users. One user must then read out the hash to the other user, who can then see if the key agreement was compromised, since if a MITMA attack has taken place, the hash values are different. While preventing simple MITMAs, the ZFone solution is somewhat cumbersome, since users must read out hash values to each other. It also does not prevent impersonation attacks or voice based MITMA attacks.

The key distribution system proposed by Okamoto [10] extracts its identity information in a similar manner as in our scheme, but does not address the case of key agreement between different domains.

7 Conclusions

In this paper, an identity-based key agreement system for mobile telephony in GSM and UMTS networks was presented. All attacks presented in the paper can be successfully prevented by the identity-based cryptographic solution. The use of telephone numbers as public keys reduced the complexity of the security management framework as well as the usage complexity for phone call encryption.

The approach offers solutions to the real world problems in realizing an identity-based security framework for mobile phone call encryption, namely multi-domain key generation, key distribution, multi-domain public parameter distribution and inter-domain key agreement. Experimental results based on a Symbian implementation for the Nokia smartphones N95-1 and N82-1 were presented showing that current smartphones are powerful enough to run the presented system.

Future work will include simulated large scale deployment and scalability studies to quantitatively evaluate the administrative benefit of using the presented identity-based approach compared to a traditional PKI. The proof-of-concept solution will also be ported to further platforms beyond Symbian. Finally, user-studies will be performed to further evaluate the benefits to the non-tech savvy end user.

References

1. J. Horwitz and B. Lynn, “Toward Hierarchical Identity-Based Encryption,” in EUROCRYPT ’02: Proceedings of the International Conference on the Theory and Applications of Cryptographic Techniques. Springer-Verlag, 2002, pp. 466–481.

2. N. McCullagh and P. Barreto, “A New Two-Party Identity-Based Authenticated Key Agreement,” in Cryptographers’ Track at RSA Conference - CT-RSA, 2005.

3. D. Boneh, X. Boyen, and E.-J. Goh, “Hierarchical Identity Based Encryption with Constant Size Ciphertext,” in Advances in Cryptology - Eurocrypt 2005, Lecture Notes in Computer Science, vol. 3494. Springer-Verlag, 2005, pp. 440–456.

4. W. Diffie and M. E. Hellman, “New Directions In Cryptography,” IEEE Transactions On Information Theory, no. 6, pp. 644–654, 1976.

5. R. L. Rivest, A. Shamir, and L. Adleman, “A Method For Obtaining Digital Signatures And Public-Key Cryptosystems,” Communications Of ACM, vol. 1, no. 2, pp. 120–126, 1978.

6. S. Petrovic, “An improved Cryptanalysis of the A5/2 Algorithm for Mobile Communications,” in Proceedings of the IASTED International Conference on Communication Systems and Networks, 2002, pp. 437–444.

7. C. Clavier, “An Improved SCARE Cryptanalysis Against a Secret A3/A8 GSM Algorithm,” in Third International Conference on Information Systems Security, 2007, pp. 143–155.

8. U. Meyer and S. Wetzel, “A Man-In-The-Middle Attack on UMTS,” in WiSe ’04: Proceedings of the 3rd ACM Workshop on Wireless Security. New York, NY, USA: ACM, 2004, pp. 90–97.

9. F. Bao, R. H. Deng, and H. Zhu, “Variations of Diffie-Hellman Problem,” in International Conference on Information and Communications Security, 2003, pp. 301–312.

10. E. Okamoto, “Key Distribution Systems Based on Identification Information,” in CRYPTO ’87: A Conference on the Theory and Applications of Cryptographic Techniques on Advances in Cryptology. London, UK: Springer-Verlag, 1988, pp. 194–202.

11. S. Pohlig and M. Hellman, “An Improved Algorithm for Computing Logarithms over GF(p) and its Cryptographic Significance,” 1984, pp. 106–110.

12. J. Pollard, “Theorems of Factorization and Primality Testing,” Mathematical Proceedings of the Cambridge Philosophical Society, vol. 76, pp. 521–528, 1974.

13. C. Schridde, M. Smith, and B. Freisleben, “An Identity-Based Key Agreement Protocol for the Network Layer,” in SCN - The 6th Conference on Security and Cryptography for Networks, vol. 5229. Lecture Notes in Computer Science, Springer-Verlag, 2008, pp. 409–422.

14. L. Dryburgh and J. Hewett, Signaling System No. 7 (SS7/C7): Protocol, Architecture, and Applications. Cisco Press, 2003.

15. D. Boneh and M. Franklin, “Identity-Based Encryption from the Weil Pairing,” SIAM Journal of Computation, vol. 32, no. 3, pp. 586–615, 2003.

16. K. P. Kumar, G. Shailaja, A. Kavitha, and A. Saxena, “Mutual Authentication and Key Agreement for GSM,” in ICMB ’06: Proceedings of the International Conference on Mobile Business. Washington, DC, USA: IEEE Computer Society, 2006, p. 25.

17. “Cryptophone,” HTTP://WWW.GSMK.DE/.

18. “ZFone,” HTTP://ZFONEPROJECT.COM/.

