CYBER security FOR GSM DATA PROTECTION
CYBER SECURITY FOR GSM DATA PROTECTION
With the increased usage of complex IT and telecommunication systems for sensitive or life-critical applications, IT and telecommunication security is becoming increasingly vital. To be trustworthy, the computer system and its connected applications, including data, must be secure.
This project addresses every area of computer security. This study also investigated data security as it relates to mobile systems in relation to the Global System for Mobile Telecommunications (GSM).
The existing security algorithms in the GSM network have been understudied, and serious faults in them have been discovered, making it impossible to guarantee the security and confidentiality of user data during communication sessions.
This poses a significant risk in sensitive and safety-critical situations such as financial institutions, military installations, educational institutions, and even espionage organisations such as State Secret Services (SSS) and security organisations.
By using a software-based approach, this Masters project finally provided a remedy to the problems discovered in the GSM security system.
End-to-end data encryption (SMS only) in two-way communication utilising compatible MIDP mobile phones or other portable communication devices was provided via a computer-based programme written in the JAVA programming language.
INTRODUCTION TO chapter ONE
1.0 BACKGROUND OF THE STUDY
Until one defines what is to be guarded and for whom, the phrase security has no significance. Similarly, security is difficult to comprehend in the absence of a possible threat.
The mobile platform must deliver security services to numerous security stakeholders for third-generation mobile systems (3G) phones. Furthermore, the possible hazards may differ from one stakeholder to the next.
Users, the first class of security stakeholders, expect mobile phones to provide safe and reliable communication; that is, they believe their phones can be trusted to undertake sensitive tasks such as e-commerce transactions.
Malicious software, such as viruses and Trojans, as well as weak or malfunctioning security mechanisms, pose the most serious hazards to this group of stakeholders.
Mobile network operators, the second class of stakeholders, rely on phone network identification mechanisms (connected to billing capability) and network-related software.
These safeguards must not be circumvented by criminals or malicious software.
As a result, operators require that the integrity of software be assured when the mobile phone is in use. They also want to ensure that users cannot circumvent SIM lock technologies.
A third type of security stakeholder, content providers, wishes to be compensated for the content (music, images, videos, and software) that users download. It also needs to know that two users cannot (mis)use their phones to copy or distribute anything illegally.
This is where digital rights management (DRM) functions enter the picture. However, DRM techniques cannot provide all of the necessary security.
To provide a DRM solution that fits the needs of content providers, the mobile phone platform must have security functionalities that ensure secure execution and code integrity.
Security is typically measured in terms of four fundamental features : confidentiality, integrity, authentication, and authorisation.
– The principle of non-repudiation
Confidentiality ensures that material is shielded from those who should not see it.
Data confidentiality is achieved by cryptographically changing original data, often known as plaintext, into cypher text, which conceals the plaintext's content. This action is carried out as a parameterized transformation that conceals the controlling parameter.
The regulating parameter is frequently referred to as a key. The process is known as encryption.
It is simple to do the inverse transform or decryption with a key. Decryption would be difficult without the key.
The term “integrity” refers to the assurance that data has not been altered or modified without consent during transport or storage.
This is accomplished through the use of cryptographic transformations and a key. To ensure the plaintext's integrity, further information must be supplied.
3 Authentication is the process of convincing another unit (the verifier) of a unit's (right) identity. Authentication is not the same as authorization, which is the process of granting someone or something permission to do or have access to something.
Non-repudiation ensures that the sender of a message does not dispute sending it by utilising security techniques such as digital signature.
Cryptographic mechanisms are classified into two types: symmetric and asymmetric. The same key is utilised for encryption and decryption in symmetric techniques. Here are some examples of symmetric confidentiality mechanisms:
• block cyphers like DES and AES; and • stream cyphers like GSM A1, A2, and A3 algorithms.
Integrity is frequently safeguarded through symmetric procedures. Message authentication codes (MAC) are another name for integrity-protection methods.
The HMAC algorithm is the most widely used MAC. Because the key in symmetric methods can be used to decrypt content, it must be kept hidden from everyone but the encryption scheme's authorised users.
Asymmetric techniques employ separate pairs of keys for encryption and decryption. The public key can be made public, but the private key must never be disclosed.
Asymmetric techniques are commonly employed for key distribution (for example, a symmetric key) or digital signing. A public key can be used to encrypt a symmetric key, which can only be decrypted with the associated private key by the legitimate 4 receiver.
A private key can also be used to digitally sign information. Anyone with access to the appropriate public key can validate the signature. The RSA technique is a well-known asymmetric cryptographic algorithm.
A lot of study has already been done in this area, and it has been proven that most, if not all, of the present algorithms used by GSM firms as security measures have been broken.
Similarly, the smart-card in GSM phones, SIM card, can be cloned, necessitating additional study to protect sensitive and essential data where GSM technologies are used.
This Masters thesis focuses on approaches to further protect sensitive user data (particularly short message services (SMS)) from malevolent and criminally motivated users. The study also investigates all other aspects of information and system security.
1.1 AIMS AND OBJECTIVES OF STUDY
The project's goals and objectives are as follows:
– To learn how GSM works in terms of the many security methods that are incorporated into it.
– To investigate all existing GSM cryptography methods and identify their strengths and weaknesses.
– To provide a solution to the flaws inherent in the original encryption algorithms found in GSM technologies by using a software-based approach to 5 develop a MIDlet programme in JAVA that can be used to further secure and protect user's sensitive and critical data (SMS only) using Bouncy Castle JAVA cryptographic Application Programming Interface (API).
– To put the security JAVA MIDlet software to the test, run it on suitable Mobile Information Device Profile (MIDP) phones or mobile devices that are engaged in an end-to-end GSM data connection session.
1.2 JUSTIFICATION OF THE STUDY
Hundreds of millions of people use mobile phones every day via radio links. Unlike a fixed phone, which provides some level of physical security (i.e. physical access to the phone line is required for listening in), anyone with a receiver can passively monitor the airwaves.
Mobile phones are utilised in a variety of sensitive and mission-critical environments, such as financial, military, educational, and so on, where the integrity and privacy of data must not be compromised.
As a result, it is critical that acceptable technological security measures are implemented to preserve the privacy of users' phone conversations and text messages (and data), as well as to prevent unauthorised use of the service provided by mobile phone applications.
1.3 SCOPE OF THE PROJECT
This research will look at:
– data security in the Global System for Mobile Communication (GSM); all existing security methods will be examined, with their strengths and flaws highlighted.
6 – Using a MIDlet JAVA programme written in the Bouncy Castle Java cryptographic API, software will be utilised to solidify where flaws exist in the GSM data.
As a result, a software programme in the JAVA programming language will be built to strengthen the security characteristics of GSM data where the integrity of user data is vital and must not be compromised.
This Master's project will concentrate on creating a software programme that will solely secure users' Short Message Service (SMS) data.
LIMITATIONS OF THE PROJECT
1. This application is only available on Java-enabled phones that support the Mobile Information Device Profile (MIDP). 2.0.
2. In order to apply the solution and send and read encrypted and secure SMS, both the sender and the recipient must install the security software: secureSMS software programme in their mobile phones.
3. To send and receive encrypted SMS data, the two people engaged in two-way communication must turn on their mobile phones.
4. Because the application lacks a Record Management Store feature, mobile phones cannot save sent and received SMS data for future reference.
5. The security application can only be used in environments where the Global System for Mobile Telecommunications (GSM) or Universal Mobile Telecommunications System (UMTS) network is available; it cannot yet be used on the CDMA (Code Division Multiple Access) network.
1.5 Project Stages Block Diagram Overview
The following are block diagrams of the Research and Project stages:
Figure 1.1: Research and Project Stages Block Diagram
STAGE 1: Investigation and analysis of
GSM technologies, GSM data security, and existing GSM security methods are all examples of GSM technologies.
STAGE 2 Software Development – Create a MIDlet JAVA computer programme in NetBeans IDE to further fortify GSM data (SMS only) using the Bouncy Castle JAVA Cryptographic API.
STAGE 3: Implementation of two JAVA programmes 8 1.6 Project Report Organisation Test-running, deployment, and implementation of the programmes developed in STAGE 3 above
The following is the format of this master thesis report:
Chapter 1: Background knowledge: This chapter provides broad background knowledge on security in computer systems, information systems, and data security in GSM data,
as well as the difficulties associated with them.
The chapter also covers the research project's Aims and Objectives, the Justification for Beginning the Research Project on Information and GSM Data Security, as well as the study's objectives and scope.
Chapter 2: Review of Literature: Various important books and facts about the area of study: The importance of GSM technologies and GSM data security is emphasised.
The Java data security technologies used in the project to overcome the weaknesses in existing GSM security are also emphasised.
Methodology and System Analysis, Chapter 3: A MIDlet JAVA programme is designed using the BouncyCastle cryptographic Application Programming Interface (API)
to give additional protection for data in mobile devices in conjunction with existing encryption techniques incorporated in GSM mobile handsets during communication sessions (SMS).
This chapter delves deeper into the JAVA technology used in this project.
Chapter 4, System Design and building: This chapter covers the entire programme design for the building of a security programme to protect the user's GSM SMS data 9 utilising the JAVA programming language and the NETBEANS 6.8 Integrated Development Environment.
Chapter 5, System Implementation: This chapter deals with the full testing, operating, deployment, and implementation of the two programmes written in Chapter 4 above to be used to enhance existing GSM algorithms and give simulation exercise for existing GSM security methods.
To implement the solution, the JAVA MIDlet secure SMS programme is installed through Cable to PC as well as Over the Air (OTA) connection on suitable MIDP 2.0 Nokia phones such as the Nokia 2700 Classic.
Chapter 6, summary and Conclusion: A summary of the implementations' goals is provided. Problems encountered during the project and solutions are also mentioned.
Furthermore, recommendations for future work on the project are provided, and the chapter concludes with a last remark on the project.
All cited works of others utilised in this Master thesis are covered in the references.
Appendix A: Contains the project's programme source codes.
Appendix B: Covers containing GSM and other acronyms, as well as their entire meanings.