View metadata, citation and similar papers at core.ac.uk brought to you by CORE provided by DSpace@IZTECH Institutional Repository End-To-End Security For Mobile Devices By Barış KAYAYURT A Dissertation Submitted to the Graduate School in Partial Fulfillment of the Requirements for the Degree of MASTER of SCIENCE Department: Computer Engineering Major: Computer Software Izmir Institute of Technology Izmir, Turkey July, 2004 ACKNOWLEDGEMENTS I would like to give my deepest thanks to my thesis advisor Asst. Prof. Dr. Tuğkan Tuğlular, Ph.D., for his encouragement on this subject, for his valuable review and comments on this study and for all of his supervisioning and support on me. Also, I would like to thank all my employers and colleagues for the time they gave me for this thesis; all the academic staff on my department for their encouragement and my family and my friends for their patience. ii ABSTRACT End-to-end security has been an emerging need for mobile devices with the widespread use of personal digital assistants and mobile phones. Transport Layer Security Protocol (TLS) is an end-to-end security protocol that is commonly used in Internet, together with its predecessor, SSL protocol. By using TLS protocol in mobile world, the advantage of the proven security model of this protocol can be taken. J2ME™ (Java 2 Micro Edition) has been the de facto application platform used in mobile devices. This thesis aims to provide an end-to-end security protocol implementation based on TLS 1.0 specification and that can run on J2ME™ MIDP (Mobile Information Device Profile) environment. Because of the resource intensive public-key operations used in TLS, this protocol needs high resources and has low performance. Another motivation for the thesis is to adapt the protocol for mobile environment and to show that it is possible to use the protocol implementation in both client and server modes. An alternative serialization mechanism is used instead of the standard Java object serialization that is lacking in MIDP. In this architecture, XML is used to transmit object data. The mobile end-to-end security protocol has the main design issues of maintainability and extensibility. Cryptographic operations are performed with a free library, Bouncy Castle Cryptography Package. The object-oriented architecture of the protocol implementation makes the replacement of this library with another cryptography package easier. Mobile end-to-end security protocol is tested with a mobile hospital reservation system application. Test cases are prepared to measure the performance of the protocol implementation with different cipher suites and platforms. Measured values of all handshake operation and defined time spans are given in tables and compared with graphs. iii ÖZ Kişisel sayısal asistanlar ve mobil telefonların yaygın olarak kullanılmasıyla birlikte uçtan uca güvenlik, mobil cihazlar için acil bir ihtiyaç haline gelmiştir. Taşıma Katmanı Protokolü (TLS), atası olan SSL protokolü ile birlikte, Internet’te yaygın olarak kullanılan bir uçtan uca güvenlik protokolüdür. TLS protokolü mobil dünyada kullanılarak, bu protokolün kanıtlanmış güvenlik modeli avantajından yararlanılabilir. J2ME™ (Java 2 Micro Edition) mobil cihazlar için defakto uygulama platformu olmuştur. Bu tez, TLS 1.0 spesifikasyonuna dayalı ve J2ME MIDP (Mobil Bilgi Cihaz Profili) ortamında çalışabilecek, uçtan uca güvenlik protokolü gerçekleştirimi sağlamayı hedefler. TLS içinde kullanılan kaynak yoğun açık anahtar işlemleri nedeniyle, bu protokol yüksek kaynaklara ihtiyaç duyar ve düşük bir performansa sahiptir. Tez için diğer bir motivasyon da, protokol gerçekleştiriminin istemci ve sunucu modda kullanımının mümkün olduğunu göstermektir. MIDP ortamında eksik olan standart Java nesne dizi yayınlaması yerine, alternatif bir dizi yayınlama mekanizması kullanılmıştır. Mobil uçtan uca güvenlik protokolünün sürdürülebilirlik ve genişletilebilirlik gibi ana tasarım hususları bulunmaktadır. Kriptografi işlemleri ücretsiz bir dışsal kütüphane olan Bouncy Castle Kriptografi Paketi tarafından gerçekleştirilmektedir. Protokol gerçekleştiriminin nesneye yönelik mimarisi, bu kütüphanenin başka kriptografi paketleriyle değiştirilmesini kolaylaştırır. Mobil uçtan uca güvenlik protokolü, mobil hastane rezervasyon sistemi uygulaması ile test edilmiştir. Test vakaları, protokol gerçekleştirimin farklı şifre takımları ve platformları ile performansını ölçmek için hazırlanmıştır. El sıkışma operasyonu ve belirlenen zaman aralıklarının ölçülen değerleri tablolarla verilmiş ve grafiklerle karşılaştırılmıştır. iv TABLE OF CONTENTS LIST OF FIGURES...................................................................................................VIII LIST OF TABLES........................................................................................................IX CHAPTER 1................................................................................................................ 1 1.1. MOTIVATION ....................................................................................................... 2 1.2. SOFTWARE DEVELOPMENT .................................................................................. 3 1.3. SCOPE AND STRUCTURE ...................................................................................... 5 CHAPTER 2................................................................................................................ 7 2.1. TLS PROTOCOL ................................................................................................... 7 2.1.1. Cryptographical Concepts Used In TLS..................................................... 8 2.1.1.1. Private Key Cryptography .................................................................. 9 2.1.1.2. Public Key Cryptography................................................................. 10 2.1.1.2.1. RSA................................................................................................. 10 2.1.1.2.2. ECC................................................................................................ 11 2.1.1.3. Hash Function................................................................................... 13 2.1.1.4. Message Authentication Code.......................................................... 13 2.1.1.5. Digital Signature............................................................................... 14 2.1.1.6. Key Agreement Protocol .................................................................. 15 2.1.1.7. Digital Certificates............................................................................ 15 2.1.2. TLS Protocol Details ................................................................................ 16 2.1.2.1. TLS Record Protocol ........................................................................ 17 2.1.2.1.1. Key Generation And Pseudo-Random Function .............................. 17 2.1.2.1.2. Encoding And Decoding................................................................ 18 2.1.2.1.3. Connection States ............................................................................. 20 2.1.2.2. TLS Handshake Protocol.................................................................. 20 2.1.2.2.1. Full Handshake ................................................................................. 21 2.1.2.2.2. Abbreviated Handshake.................................................................... 23 2.1.2.3. TLS Cipher Suites............................................................................. 25 2.1.3. TLS In Wireless Devices ........................................................................... 25 2.2. J2ME................................................................................................................. 26 2.2.1. J2ME Overview............................................................................................. 26 2.2.2. CLDC / MIDP............................................................................................... 28 2.2.3. Security In MIDP.......................................................................................... 28 2.2.4. KSSL.............................................................................................................. 29 2.2.5. Lightweight Mobile Cryptography Toolkits.................................................. 31 2.2.5.1. Bouncy Castle Lightweight API.............................................................. 31 2.2.5.2. Phaos Technology Micro Foundation Toolkit......................................... 32 2.2.5.3. NTRU Neo for Java™ Toolkit ................................................................. 32 2.2.5.4. B3 Security .............................................................................................. 33 2.3. XML AND JAVA ................................................................................................ 33 2.3.1. XML Overview ................................................................................................ 33 2.3.2. Using XML In J2ME....................................................................................... 34 2.3.3. Object To XML Serialization .......................................................................... 35 CHAPTER 3.............................................................................................................. 37 v 3.1. MOBILE DEVICE ARCHITECTURE........................................................................... 37 3.1.1. J2ME™ Mobile Devices................................................................................