With the first text message sent in 1992 over the Global System for Mobile communication (GSM) network, the technology has seen a lot of growth and development [1]. While mostly used for person-to-person communication [2], the medium has found other applications such as alert notification [3], [4], empowering businesses and online services [5]–[7], mobile health (m-health) interventions [8], [9], mobile government applications [10], [11], education [12], Two-Factor Authentication (2FA) [13] and more. During the year 2022, Globe Telecom gained Php 8.8 billion in revenue from SMS with 86.7 million mobile customers. Furthermore, the company has invested Php 1.1 billion to improve spam and fraudulent SMS detection and prevention [14]. Unreliable internet service, as well as the lack of Internet infrastructure in some areas, remains a challenge to the adoption of online communication services such as Facebook Messenger, Viber, Telegram, etc. SMS, on the other hand, is ubiquitous: anyone with a mobile device and a registered subscriber identity module (SIM) card can send and receive text messages regardless of their platform and cellular provider [15].
Regardless of its wide range of applications and sustained use, however, SMS is not ideal for private communication such as sending sensitive and confidential information, as the early specifications for SMS did not have security in mind. This makes end-to-end encryption a significant improvement over what is available in the GSM specifications.
PK-SIM card is a framework based on Public Key Infrastructure (PKI) that provides end-to-end encryption between the Service Provider (SP) and the mobile user who holds the PK-SIM card. Their framework is composed of the mobile client, a Certification Authority and Registration Authority (CA/RA), a Secure Access Gateway (SAG) located in the service provider’s infrastructure, and the Mobile Operator (MO) that provides the network for SMS communication. Before the user can send secure messages, the SAG, together with the CA/RA, must first validate the identity of the mobile client. A primary key shared between the client and the SAG is generated during the authentication phase. This key is used to establish a session key, which is used to symmetrically encrypt and decrypt the message. However, in their approach, end-to-end security is only available between the mobile client and the SAG on the Service Provider’s side. Additionally, it is stated that the generation of the primary key in the authentication phase takes up to a day or longer. Every time this key expires, the protocol must be performed again from the beginning [24]. Similarly, the SMSSec protocol uses a combination of asymmetric cryptography for authenticating the user and symmetric cryptography for the actual exchange of messages. It also falls short in that end-to-end encryption is only provided between the mobile device and the authentication source. Unlike PK-SIM, however, SMSSec is a software solution built with the Java Wireless Messaging API (WAP) [25].
In contrast, the EasySMS protocol is designed to provide end-to-end encryption using only symmetric algorithms. In their approach, an Authentication Server (AS) is responsible for storing all secret keys shared between the AS and the respective Mobile Station (MS), i.e. the user. It is also assumed that there is a shared secret key between the AS and a CA/RA that holds information about every mobile subscriber. Before a SIM card can be used, a subscriber must first register with the CA/RA. With these requirements met, the AS, with the help of the CA/RA, can authenticate any MS that wants to send an SMS securely. However, this approach suffers from the same disadvantage as the previous protocols. When user A wants to send a message to user B, the AS validates the identity of both users and generates a different key for each user. This means that the message from user A is encrypted with the key shared between the AS and user A, decrypted at the AS, and then re-encrypted for user B using the key shared between the AS and user B [26]. The same approach is used in the development of SecureSMS, which is proposed specifically for value added services (VAS) and commercial applications [7]. SmartSMS follows a similar concept, but instead of the AS being connected to a CA/RA, a trusted third party hosted in a public cloud is responsible for the functions of the CA/RA [27].
To create a secure platform for the exchange of encrypted SMS, the main objective of this research is to develop an SMS client application that can encrypt and decrypt messages and utilize QR codes as means of exchanging keys for generating a shared secret. To be specific, this research aims to do the following:
1. Design and implement a key-agreement protocol using QR code as means for key exchange.
2. Design and implement an SMS client for mobile android device with end-to-end encryption.
3. Conduct a usability study of the SMS client application.
To achieve end-to-end security, participants in the exchange should be able to generate a shared key known only to them. This process can be divided into two steps: key pair generation and shared secret key generation. This two-step process is shown in Figure 1. The javax.crypto library contains the KeyAgreement class needed to establish a shared secret, while the java.security library provides the KeyGenerator class, which allows the generation of a public and private key pair using EC. Since there are no built-in libraries for encoding and decoding QR codes, ZXing [33] and Google’s ML Kit barcode scanning [34] will be bundled with the application to provide the missing functionality.
Figure 1. Overview of key generation and key agreement in QRSMS
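The two steps of Figure 1, as an added example written for this page rather than code from the QRSMS project: each party generates an EC key pair with java.security.KeyPairGenerator, publishes the public key as the text that a QR encoder such as ZXing would render, and after scanning the other party's code runs ECDH through javax.crypto.KeyAgreement. The `qrsms1:` payload tag, the `QRSMS-AES-KEY` label and the use of SHA-256 over the raw shared secret as the key derivation step are assumptions; the page does not specify how the agreed secret is turned into an AES key.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.PublicKey;
import java.security.spec.ECGenParameterSpec;
import java.security.spec.X509EncodedKeySpec;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.KeyAgreement;

// Added example, not QRSMS project code: ECDH key agreement where each party's
// public key travels inside a QR code as a Base64 string. The "qrsms1:" prefix
// is an assumed payload tag so a scanned code can be recognised as a key.
public class QrKeyAgreement {
    static final String QR_PREFIX = "qrsms1:";   // assumption: version/type tag

    // Step 1: generate an EC key pair on the P-256 curve.
    static KeyPair generateKeyPair() throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(new ECGenParameterSpec("secp256r1"));
        return kpg.generateKeyPair();
    }

    // Encode the public key as the text payload that will be rendered into a QR code.
    static String toQrPayload(PublicKey pub) {
        return QR_PREFIX + Base64.getEncoder().encodeToString(pub.getEncoded());
    }

    // Parse a scanned QR payload back into a PublicKey; reject anything that is not ours.
    static PublicKey fromQrPayload(String payload) throws Exception {
        if (!payload.startsWith(QR_PREFIX)) {
            throw new IllegalArgumentException("not a QRSMS key payload");
        }
        byte[] der = Base64.getDecoder().decode(payload.substring(QR_PREFIX.length()));
        return KeyFactory.getInstance("EC").generatePublic(new X509EncodedKeySpec(der));
    }

    // Step 2: ECDH with javax.crypto.KeyAgreement, then hash the raw shared secret
    // into a 256-bit AES key. SHA-256 over a label and the secret is used here as a
    // simple KDF (assumption; a standard KDF such as HKDF is the production choice).
    static byte[] deriveAesKey(KeyPair mine, PublicKey theirs) throws Exception {
        KeyAgreement ka = KeyAgreement.getInstance("ECDH");
        ka.init(mine.getPrivate());
        ka.doPhase(theirs, true);
        byte[] shared = ka.generateSecret();
        MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
        sha256.update("QRSMS-AES-KEY".getBytes(StandardCharsets.UTF_8)); // assumed label
        return sha256.digest(shared);
    }

    public static void main(String[] args) throws Exception {
        // Alice and Bob each generate a key pair and show the other a QR code.
        KeyPair alice = generateKeyPair();
        KeyPair bob = generateKeyPair();
        String aliceQr = toQrPayload(alice.getPublic());
        String bobQr = toQrPayload(bob.getPublic());

        // Each side scans the other's code and derives the key independently.
        byte[] aliceKey = deriveAesKey(alice, fromQrPayload(bobQr));
        byte[] bobKey = deriveAesKey(bob, fromQrPayload(aliceQr));

        System.out.println("QR payload length: " + aliceQr.length() + " chars");
        System.out.println("keys match: " + Arrays.equals(aliceKey, bobKey));
    }
}
```

The string returned by `toQrPayload` is what would be handed to the ZXing encoder, and the string returned by the ML Kit scanner is what `fromQrPayload` expects. Because the private key never leaves the device and only the public key is shown in the QR code, an observer who photographs the code learns nothing that lets them compute the shared key; the QR exchange itself, done in person, is what protects the public keys from being swapped by a third party.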
To enable end-to-end encryption, both the sending and receiving party must have the application installed and must have exchanged the QR codes generated by the application through other means, as suggested below. If only one party has the software installed and decides to send an encrypted message to a user without the application, or if the recipient has not yet established the shared secret, the recipient will receive the message as ciphertext and be unable to read it. In the opposite case, the application should be able to determine whether a received text was encrypted or not.
Once each user involved in the key agreement has generated a shared secret with their intended contact, the exchange of encrypted SMS can begin. The AES encryption algorithm can be used to generate the ciphertext, with the shared secret as the key for symmetric cryptography, as shown in Figure 2. The Android platform comes with the android.telephony package, which contains the classes needed for sending and receiving SMS messages, while javax.crypto contains the classes that provide the cryptographic primitives needed to achieve the goals of the application [36].
Figure 2. Overview of sending and decryption of messages in QRSMS
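The sending and decryption flow of Figure 2, together with the requirement from the previous section that the receiver can tell an encrypted text from a plain one, as an added example that is not part of the QRSMS project: AES-GCM is used so that a wrong key or an altered message fails authentication instead of decrypting to garbage, and the ciphertext is wrapped in a Base64 envelope with a recognisable marker so it survives transport as SMS text. The `QRSMS.` marker and the fixed 32-byte demo key are constructed for this example; in the application the key would come from the QR-code key agreement.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.Optional;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Added example, not QRSMS project code: AES-GCM ciphertext in an SMS-safe text
// envelope. "QRSMS." is an assumed marker that lets the receiver distinguish
// encrypted messages from plain ones.
public class SmsCrypto {
    static final String MARKER = "QRSMS.";
    static final int IV_BYTES = 12;        // 96-bit nonce, the recommended GCM size
    static final int TAG_BITS = 128;
    static final SecureRandom RNG = new SecureRandom();

    // Encrypt plaintext into "QRSMS." + Base64(iv || ciphertext || tag).
    static String encryptForSms(SecretKey key, String plaintext) throws Exception {
        byte[] iv = new byte[IV_BYTES];
        RNG.nextBytes(iv);                 // fresh nonce per message; never reuse one with the same key
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        byte[] envelope = ByteBuffer.allocate(iv.length + ct.length).put(iv).put(ct).array();
        return MARKER + Base64.getEncoder().withoutPadding().encodeToString(envelope);
    }

    // The receiver's check: was this text produced by the application?
    static boolean looksEncrypted(String sms) {
        return sms.startsWith(MARKER);
    }

    // Returns the readable text, or empty when the message is not for this key or was altered.
    static Optional<String> decryptFromSms(SecretKey key, String sms) throws Exception {
        if (!looksEncrypted(sms)) {
            return Optional.of(sms);       // plain SMS from a contact without the app: show as-is
        }
        byte[] envelope;
        try {
            envelope = Base64.getDecoder().decode(sms.substring(MARKER.length()));
        } catch (IllegalArgumentException bad) {
            return Optional.empty();       // marker present but payload is not valid Base64
        }
        if (envelope.length < IV_BYTES + TAG_BITS / 8) {
            return Optional.empty();       // too short to hold a nonce and a tag
        }
        byte[] iv = Arrays.copyOfRange(envelope, 0, IV_BYTES);
        byte[] ct = Arrays.copyOfRange(envelope, IV_BYTES, envelope.length);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        try {
            return Optional.of(new String(c.doFinal(ct), StandardCharsets.UTF_8));
        } catch (AEADBadTagException tampered) {
            return Optional.empty();       // wrong key or modified ciphertext: refuse to display
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] demoKey = new byte[32];
        Arrays.fill(demoKey, (byte) 0x42);  // constructed demo key, not a real agreed key
        SecretKey key = new SecretKeySpec(demoKey, "AES");

        String sms = encryptForSms(key, "Meet at 7pm, bring the report.");
        System.out.println(sms + "  (" + sms.length() + " chars)");
        System.out.println(decryptFromSms(key, sms).orElse("<rejected>"));

        // A plain message from a contact without the app is passed through unchanged.
        System.out.println(decryptFromSms(key, "hello, no app here").orElse("<rejected>"));

        // One changed character inside the envelope fails the GCM tag check.
        char[] chars = sms.toCharArray();
        int i = MARKER.length() + 20;       // inside the ciphertext part of the Base64 payload
        chars[i] = chars[i] == 'A' ? 'B' : 'A';
        System.out.println(decryptFromSms(key, new String(chars)).orElse("<rejected>"));
    }
}
```

The envelope for the 30-byte sample message is 58 bytes (12-byte nonce, 30 bytes of ciphertext, 16-byte tag), which Base64 encodes to 78 characters plus the 6-character marker, so it fits inside a single 160-character GSM-7 SMS; longer plaintexts grow by roughly a third after Base64 and will be split into concatenated segments by the telephony layer. Returning `Optional.empty()` rather than throwing lets the SMS client show an "undecryptable message" placeholder for texts sent by a contact whose key has not yet been established, which is the failure case the previous section describes.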
Throughout the development process, the features and interface of the system will be thoroughly tested to ensure that the program can perform its intended functions. Upon completion of a minimum viable product, a usability test will be conducted to further inspect the working condition of the application as well as to analyze users’ thoughts regarding the system. Users will be asked to perform various tasks that involve the following capabilities of the application:
1. Generation of QR code containing the public key to be used for a contact
2. Scanning and decoding of QR code received from a contact
3. Sending of unencrypted and encrypted messages
4. Reading of unencrypted and encrypted messages
5. Management of stored keys
Along with the given tasks is a questionnaire that aims to understand users’ perspective throughout their usage of the application. A Single Ease Question (SEQ) will be asked after completing each task. With measures of central tendency, a general sentiment can be derived on how well the users performed in each of the tasks, which provides insight into the ease of use of the system. This is followed by a System Usability Scale (SUS) questionnaire to assess the system’s perceived usability.
[1] G. Le Bodic, Mobile Messaging Technologies and Services: SMS, EMS, and MMS, 2nd ed. Chichester, West Sussex, England; Hoboken, NJ: J. Wiley & Sons, 2005, ch. 3, p. 47.
[2] S. Herring, D. Stein, and T. Virtanen, Pragmatics of Computer-Mediated Communication. Walter de Gruyter, Jan. 2013, ch. 7, p. 162.
[3] C. W. Yoo, J. Lee, C. Yoo, and N. Xiao, “Coping behaviors in short message service (SMS)-based disaster alert systems: From the lens of protection motivation theory as elaboration likelihood,” Information & Management, vol. 58, no. 4, p. 103454, June 2021.
[4] S. Azid, B. Sharma, K. Raghuwaiya, A. Chand, S. Prasad, and A. Jacquier, “SMS based flood monitoring and early warning system,” ARPN Journal of Engineering and Applied Sciences, vol. 10, no. 15, 2015.
[5] D. Gargaro, “What is SMS for business?” Sept. 2023. [Online]. Available: https://www.business.com/articles/sms-for-business/
[6] S. Okazaki and C. R. Taylor, “What is SMS advertising and why do multinationals adopt it? Answers from an empirical study in European markets,” Journal of Business Research, vol. 61, no. 1, pp. 4–12, Jan. 2008.
[7] N. Saxena and N. S. Chaudhari, “SecureSMS: A secure SMS protocol for VAS and other applications,” Journal of Systems and Software, vol. 90, pp. 138–150, Apr. 2014.
[8] J. Tuckerman, K. Harper, T. R. Sullivan, A. R. Cuthbert, J. Fereday, J. Couper, N. Smith, A. Tai, A. Kelly, R. Couper, M. Friswell, L. Flood, C. C. Blyth, M. Danchin, and H. S. Marshall, “Short message service reminder nudge for parents and influenza vaccination uptake in children and adolescents with special risk medical conditions: The Flutext-4U randomized clinical trial,” JAMA Pediatrics, vol. 177, no. 4, pp. 337–344, Apr. 2023.
[9] S. L. King, J. Lebert, L. A. Karpisek, A. Phillips, T. Neal, and K. Kosyluk, “Characterizing user experiences with an SMS text messaging–based mHealth intervention: Mixed methods study,” JMIR Formative Research, vol. 6, no. 5, p. e35699, May 2022.
[10] A. Onashoga, A. Ogunjobi, T. Ibharalu, and O. Lawal, “A secure framework for SMS-based service delivery in m-government using a multicast encryption scheme,” African Journal of Science, Technology, Innovation and Development, vol. 8, no. 3, pp. 247–255, June 2016.
[11] T. D. Susanto and R. Goodwin, “User acceptance of SMS-based e-government services: Differences between adopters and non-adopters,” Government Information Quarterly, vol. 30, no. 4, pp. 486–497, Oct. 2013.
[12] J. B. Hill, C. M. Hill, and D. Sherman, “Text messaging in an academic library: Integrating SMS into digital reference,” The Reference Librarian, vol. 47, no. 1, pp. 17–29, July 2007.
[13] A. Rhoda Iyanda and M. Ebenezer Fasasic, “Development of two-factor authentication login system using dynamic password with SMS verification,” International Journal of Education and Management Engineering, vol. 12, no. 3, pp. 13–21, June 2022.
[14] “Empowering customers with everyday digital solutions,” Globe Telecom, Inc., Apr. 2023. [Online]. Available: https://www.globe.com.ph/content/dam/globe/brie/AboutUs/investor-relations/integrated-report/Globe-2022-Integrated-Report.pdf
[15] E. F. Rosales, “Text messaging remains relevant in Philippines,” Nov. 2022. [Online]. Available: https://www.philstar.com/business/2022/11/25/2226194/text-messaging-remains-relevant-philippines
[16] Short Message Service (SMS) for Wideband Spread Spectrum Systems, 3GPP2 Technical Requirement C.S0015-C, Nov. 2012. [Online]. Available: https://www.arib.or.jp/english/html/overview/doc/STD-T64v6 20/Specification/ARIB STD-T64-C.S0015-Cv1.0.pdf
[17] J. Schiller, Mobile Communications, 2nd ed. London: Addison-Wesley, 2011, pp. 120–122.
[18] A. Biryukov, A. Shamir, and D. Wagner, “Real time cryptanalysis of A5/1 on a PC,” in Fast Software Encryption, ser. Lecture Notes in Computer Science, G. Goos, J. Hartmanis, J. van Leeuwen, and B. Schneier, Eds. Berlin, Heidelberg: Springer, 2001, pp. 1–18.
[19] A. Bogdanov, T. Eisenbarth, and A. Rupp, “A hardware-assisted realtime attack on A5/2 without precomputations,” in Cryptographic Hardware and Embedded Systems – CHES 2007, ser. Lecture Notes in Computer Science, P. Paillier and I. Verbauwhede, Eds. Berlin, Heidelberg: Springer, 2007, pp. 394–412.
[20] E. Barkan, E. Biham, and N. Keller, “Instant ciphertext-only cryptanalysis of GSM encrypted communication,” in Advances in Cryptology – CRYPTO 2003, ser. Lecture Notes in Computer Science, D. Boneh, Ed. Berlin, Heidelberg: Springer, 2003, pp. 600–616.
[21] O. Dunkelman, N. Keller, and A. Shamir, “A practical-time attack on the A5/3 cryptosystem used in third generation GSM telephony,” Cryptology ePrint Archive, Paper 2010/013, 2010. [Online]. Available: https://eprint.iacr.org/2010/013
[22] Digital cellular telecommunications system (Phase 2+); Security mechanisms for SIM application toolkit; Stage 2, European Telecommunications Standards Institute Technical Specification 03.48, Dec. 2001. [Online]. Available: https://www.etsi.org/deliver/etsi_ts/101100101199/101181/08.08.00 60/ts 101181v080800p.pdf
[23] G. Cattaneo, G. De Maio, P. Faruolo, and U. F. Petrillo, “A review of security attacks on the GSM standard,” in Information and Communication Technology, ser. Lecture Notes in Computer Science, K. Mustofa, E. J. Neuhold, A. M. Tjoa, E. Weippl, and I. You, Eds. Berlin, Heidelberg: Springer, 2013, pp. 507–512.
[24] H. Rongyu, Z. Guolei, C. Chaowen, X. Hui, Q. Xi, and Q. Zheng, “A PK-SIM card based end-to-end security framework for SMS,” Computer Standards & Interfaces, vol. 31, pp. 629–641, June 2008.
[25] J. L.-C. Lo, J. Bishop, and J. Eloff, “SMSSec: An end-to-end protocol for secure SMS,” Computers & Security, vol. 27, no. 5–6, pp. 154–167, Oct. 2008. [Online]. Available: https://linkinghub.elsevier.com/retrieve/pii/S0167404808000151
[26] N. Saxena and N. S. Chaudhari, “EasySMS: A protocol for end-to-end secure transmission of SMS,” IEEE Transactions on Information Forensics and Security, vol. 9, no. 7, pp. 1157–1168, July 2014.
[27] P. Vijayakumar, S. M. Ganesh, L. J. Deborah, and B. S. Rawal, “A new SmartSMS protocol for secure SMS communication in m-health environment,” Computers & Electrical Engineering, vol. 65, pp. 265–281, Jan. 2018.
[28] S. Tiwari, “An introduction to QR code technology,” in 2016 International Conference on Information Technology (ICIT), Dec. 2016, pp. 39–44. [Online]. Available: https://ieeexplore.ieee.org/abstract/document/7966807
[29] “What is a QR code.” [Online]. Available: https://www.qrcode.com/en/about/
[30] D.-H. Shin, J. Jung, and B.-H. Chang, “The psychology behind QR codes: User experience perspective,” Computers in Human Behavior, vol. 28, no. 4, pp. 1417–1426, July 2012.
[31] S. N. Karale, K. Pendke, and P. Dahiwale, “The survey of various techniques & algorithms for SMS security,” in 2015 International Conference on Innovations in Information, Embedded and Communication Systems (ICIIECS), Mar. 2015, pp. 1–6. [Online]. Available: https://ieeexplore.ieee.org/abstract/document/7192943
[32] M. Amara and A. Siad, “Elliptic curve cryptography and its applications,” in International Workshop on Systems, Signal Processing and their Applications, WOSSPA, May 2011, pp. 247–250. [Online]. Available: https://ieeexplore.ieee.org/abstract/document/5931464
[33] “ZXing.” [Online]. Available: https://github.com/zxing/zxing
[34] “Scan barcodes with ML Kit on Android.” [Online]. Available: https://developers.google.com/ml-kit/vision/barcode-scanning/android
[35] “Android keystore system.” [Online]. Available: https://developer.android.com/privacy-and-security/keystore
[36] “Package index.” [Online]. Available: https://developer.android.com/reference/packages
[37] M. Moskala and I. Wojda, Android Development with Kotlin. Packt Publishing Ltd, Aug. 2017, pp. 8–9.