Invited Paper
A Secure Wireless Mobile-to-Server Link Abhinav Kumar*a, David Akopian*a, Sos Agaiana, Reiner Creutzburgb a The University of Texas at San Antonio, San Antonio, TX, USA b Fachhochschule Brandenburg, Germany ABSTRACT Modern mobile devices are some of the most technologically advanced devices that people use on a daily basis and the current trends indicate continuous growth in mobile phone applications. Nowadays phones are equipped with cameras that can capture still images and video, they are equipped with software that can read, convert, manipulate, communicate and save multimedia in multiple formats. This tremendous progress increased the volumes of communicated sensitive information which should be protected against unauthorized access. This paper discusses two general approaches for data protection, steganography and cryptography, and demonstrates how to integrate such algorithms with a mobile-toserver link being used by many applications. Keywords: cryptography, steganography, mobile, server, security, communication
1. INTRODUCTION Wireless communication is the fastest growing field in the communications industry. It has captured the attention of the media and the imagination of the public and sparked great interest in the scientific community and amongst researchers for decades. Today mobile phones have become the most widely used wireless devices and as a result cellular systems have experienced exponential growth over the last decade and there are currently about two billion users worldwide. The mobile phone has become an integral part of people’s lifestyles and has an extensive and fast growing developer community designing applications that are bringing business, entertainment and communication to hand-held devices on demand the world over. In addition, wireless local area networks currently supplement or replace wired networks in many homes, businesses, and campuses. Through the assistance of miniaturized hardware, mobile devices now offer PC-like hardware and software features. Some phones have a sophisticated software suite that includes PC based applications such as a Microsoft Word™, Excel™ and PowerPoint™. Modern mobile phones are also equipped with various communication technologies such as the Internet, Bluetooth, Wi-Fi, etc. For a wide category of mobile devices known as smartphones [Table 1] external third party applications can be developed and embedded by the users. The emergence of smartphones has been a revolutionary development providing superior features, integrating technologies and better multimedia experience for people using hand-held devices. Surveys have shown that out of the billion phones that will be shipped, sales of smart phones will represent about one-fifth (more than 200 million) of all mobile handset sales by 2009. This emergence has also resulted in great excitement on behalf of service providers and software developers. Smart-phones today are empowered by operating systems and platforms that enable software developers and content providers to deploy PC-like applications. Tables 1 and 2 illustrate recent evolution in smartphone market2. One can observe that several competing OS are available [Table 2], and the share of dominating OS (SymbianTM) has been recently reduced due to success of iPhoneTM (Apple) and BlackberryTM (RIM) smartphones. The competition is extended to 3rd party software developers as the vendors recognized that the success of their platforms will be also defined by the loyal software developer base to enrich their devices with exciting new applications. This competition resulted in a new development – the vendors open their platforms to attract more developers. For example, SymbianTM17 has been a dominating OS for many years. Currently Nokia acquired SymbianTM and made it open source to extend 3rd party developer base17. Similarly Google developed an open source Android OS for smartphones in an attempt to enter this market18. Apple provides kits and application sales channel for developers19. *
[email protected]; 210-355-9133;
[email protected]; 210-458-7718
Table 1 Worldwide Smartphone Market shares Q3 3008, Q3 20072
Vendor Nokia Apple RIM Motorola Others
Q3 2008 % share Total 100% 38.9 17.3 15.2 5.8 17
Q3 2007 % share Total 100% 51.4 3.6 10.6 6.6 25.1
Table 2 Worldwide Smartphone Operating System Market shares Q3 3008, Q3 20072
OS Vendor Symbian Apple RIM Microsoft Linux
Q3 2008 % Share Total 100% 46.6 17.3 15.2 13.6 5.1
Q3 2007 % Share Total 100% 68.1 3.6 10.6 12.2 4.4
While the development of applications in native operating system environments is more optimal and fully utilizes their capabilities, developers are often interested to make their applications portable across many platforms for wider reach. Java Platform, Micro Edition (Java ME) provides such a flexible environment, applications based on Java ME are portable across many devices, yet leverage each device's native capabilities20. Java ME includes flexible user interfaces, robust security, built-in network protocols, and support for networked and offline applications that can be downloaded dynamically. This paper overviews aspects of Java ME application development and discusses two general approaches for secure data communication, steganography and cryptography. While cryptographic protection is a built-in feature of most of the smartphones, wireless steganography has been recently introduced by authors in "Wireless Steganography"1. Steganography is the science of hiding data in innocuous cover media such as images, audio and video. The information intended to be unseen by intermediate parties is considered as the steganographic content. Some possible media are to include audio files, video files, text files, and images. For example, in “Wireless Steganography”1 we discussed scenarios of hiding an image within an image and textual information in audio files. Cryptography is the discipline concerned with communication of secret information by transforming clear, meaningful information into an enciphered, unintelligible form using a predetermined algorithm and a key. This paper demonstrates how to integrate such algorithms with a HTTP mobile-to-server link in case developers seek protection of communicated data in addition to built-in security mechanisms. The implementation peculiarities are discussed along with extraction and decryption.
2. MOBILE APPLICATION DEVELOPMENT USING JAVA ME Java Platform, Micro Edition or Java ME3, formerly known as Java 2 Micro Edition (J2ME) is a collection of technologies and specifications to create a platform that fits the requirements for mobile devices such as consumer products, embedded devices, and advanced mobile devices3. It is a collection of technologies and specifications that can be combined to create a complete Java runtime environment specifically to fit the requirements of a particular device. Before we get into the details of this specific platform, let us review the Java 2 platform in general. The Java 2 Platform comprises three basic elements: • All coding is done in the object-oriented Java programming language. Syntactically, it is similar to C++, but the two languages have fundamental differences. One of the biggest differences lies in their management of objects and object
ref rences. The Jav language alocates and e-alocates me objects.C+ program ersmustalocateandfre memoryexplictly.
mory automaticaly as the pr
• The Jav platformfeatures virtual mach can be implemented to run atop a variety of operating sy operating consi tently acros many implementaions. In ad iton, the virtual machine provides tight control of ex cutedbinaries,enablingsafe xecutionofuntrustedcode.
ine architecture. This advantageous
in sev ral respects: the virtual machine stemsand hardware, with binary-compatible programs
• The Jav platform includes and extensive set of standard APIs. Takentogether,theJav language,Jav VirtualMachine(JVM) the Jav platform is designed to encompas a wide range of computer hardware, ev rything from smart cards through enterp iseservers.Ther f
clas libra ies caledap lica
tion program ing 21
interfaces or
andJav APIscomposetheJav platform.Moreover,
ore,theJav platformcomesinthre flavors:
Jav 2,StandardEditon(J2SE)
isdesignedfordesktopcomputers.
Jav 2,Enterp iseEditon(J2E )
isacompreh nsiveplatformformulti-user,enterp ise-wideap lications.
Jav 2,MicroEditon(J2ME) pagers,mobilephones,andset-opboxes.J2MEuse subsetsofJ2SEcompone ts, uchas malervirtualmachinesand leanerAPIs incetheproces ingcap biltiesandmemoryresourcesonsuchsmal devicesarelimited. 2.1
ogram creates and estroys
isasetoftechnol giesandspecifcations
dev lopedforsmal deviceslikesmartcards,
RangeandScopeofJavaME
As mentioned earlier, Jav ME is a colection of technol gies and specifcations that are designed for dif er nt partsof the smal device market. Because Jav ME spans uch a va solution using this platform. Jav ME, ther fore, is divde into configurations and profiles. Configurations can be defined as pecifcations that detail a virtual machine and a base set of APIs device. A profile builds on a configuration but ad s more specifc APIs to make a complet environment for building ap lications.WhileaconfigurationdescribesaJVM toenableyoutobuildcomple persi tentsorage.
riety of devices, we can ot
to create a one-size-fits-al 3
21
that can be used with a certain clas of
andabasicsetofAPIs,itdoes
notbyitselfspecifyenoughdetail
teap lications.Profilesus alyincludeAPIs
forap licationlifecy l
ame
Profil
rofil
e,userinterface,and
PDA' Profile
DC
PI*fnrm Micro Editio.,.va ME) CDC: Connected Device Configuration CLDC: Connected Limited Device Configuration MIDP: Mobile Information Device Profile RMI: Remote Method Invocation
Fig.1Jav MEArchitecture As hown in Figure 1, the Jav ME tre has two main branches. The first is based on the Con ected Limited Device Configuration (CLDC). This configuration is for smal wi pagers,mobilephones,andPersonalDigtalAs istants(PDAs).TheMobileInformationDeviceProfile(MIDP),which is based on CLDC, is the first finshed profile and thus the first finshed Jav ME ap lication environment. MIDPcompliantdevicesarealreadyav ilable.Theothermajorbr Configuration (CDC). This configuration is for larger devi network con ections. Set-op boxes and internet ap liances are go d examples of CDC devices. Devices implement a complet softwarestack(Fig.2),whichus alyconsi tsofaconfiguration,aprofile,andoptionalAPIs.
3
rel s devices with intermitent network con ections, like anchoftheJav MEtre is basedontheCon ectedDevice ces (in terms of memory and proces ing power) with robust
I
MIDP 1.0
MIDP 2.0
CLDC 1.0
CLDC 1.1
(a)
MMAPI
(b)
Fig. 2 (a) Current Java ME Stack (b) Future Java ME Stack featuring the multimedia API (MMAPI)
2.2 Advantages of Using the Java ME Platform Major advantages of using the Java ME platform for mobile application development are summarized below: • The Java platform is safe i.e. Java code always executes within the confines of the Java Virtual Machine, which provides a safe environment for executing any downloaded code. In general, a binary application could freeze a device or crash. By contrast, at worst a Java application can bring down only the Java Virtual Machine, not the device itself. • The Java language encourages robust programming. The garbage collector saves programmers countless hours of hunting down memory leaks. Likewise, the Java language's exception mechanisms encourage programmers to create robust applications. • Portability is a big win for wireless Java technology. A single executable can run on multiple devices. For example, a MIDlet (a MIDP application) will run on any device that implements the same MIDP specification. Given the dizzying profusion of wireless devices, not having to maintain a plethora of implementations is a big advantage. Even if a Java application makes use of vendor specific APIs, applications written using the Java programming language are inherently easier to modify for another device than applications written in C or C++. Another benefit of portability is the ease of delivering applications to a device over the wireless network (sometimes called Over-the-air, or OTA, provisioning). Binary applications can be moved from a server onto a device, too, but not safely. Because Java code runs inside the Java Virtual Machine, code that is downloaded from the network can be run safely. Binary code cannot be contained at execution time and is much less safe. 2.3 Creating a MIDlet MIDP development tools are available for Linux, Solaris, and Windows operating environments. The development environment consists of three components which are described next: • Java 2 Standard Edition (J2SE) SDK version 1.3 or higher. • J2ME Wireless Toolkit (J2MEWTK). This is a package of tools for building and testing MIDlets. • Code editor. This can be something as rudimentary as Notepad (on Windows) or something more elaborate like the Net Beans IDE depending on the developer’s choice.
Fig. 3 J2ME Wireless Toolkit
The first step to writing a MIDlet is to download and install the J2SE SDK. It provides the Java platform upon which the J2ME Wireless Toolkit runs. Second, it includes a Java compiler and other tools that the J2MEWTK uses to build your projects. The next step is to download the J2ME Wireless Toolkit from http://java.sun.com/products/j2mewtoolkit/ and install it onto the workstation or PC. On Launching the WTK, the opening screen looks like in Fig. 3.
The J2MEWTK helps the dev loper create project is one MIDlet suite which can be deployed onto the actual Jav enabled mobile phone. The to lkit works with on properties of the cur ent project, build the emulator (Fig.4) in order to test its lo k and fe l before deployment. Sev ral example projects come instal is av ilable for fre download and its console is easy to use, thus helping the dev lopertoconcentratefulyonthetaskwithouthavingtowor yabout estingand deployment.
3.
projects, wher the
end result of each
e project at a time. You can change project, and run the pr
MiDlet Help
G
Java
oject in a device
led with the to lkit for ef rence purpose .The to lkit
AMOBILE-TO-SERVERCOM UNICATIONLINK
A mobile-to-server com unication can be stablished through various means, for e.g; tT
• SMS (Short Mes aging Service) mes ages betwe n mobile phones or e.g froma PC to a mobile phone. We know that hecontrolchan elbetwe nbasestaionandphoneisusedforcal setup.This controlchan elalsoprovidesthepas ageforthetextmes ages.Al textmes ages pas throughacentralizedSMScontrolcent storesandforwardsthemes agestoth
alows the com unication of short ext aEF
er(SMSC)inthecorenetworkwhich eap ropriateuserinthenetwork.
• M S(MultimediaMes agingService) include multimedia objects like audio, video or images. This tandard was introducedand ev lopedbytheOpenMobileAliance(O WAP technol gies. When a mobile pho SMS (WAP ush) which contains header information about mustfetchinordertoretriev thecontentoftheM Smes age.
isastandardforsendingmes ageswhich
Fig. 4 WTK Emulator
MA).M Smes agesaredeliver dusingboththeSMSand ne rec ives an M S mes age, it rec ives an M S notifcation mes age over the M Smes age and an URL
• WAP (Wirel s Ap lication Prot col) phones equip ed with a micro-browser. It involves an in com onlyusedontheinternetintoWMLpagescompatiblewiththemicro-browser.
pointer that he recipent
is a standard for alowing internet content o be made av ilable onto mobile termediate WAP gateway which translates the HTML pages
• Hypertext Transfer Prot col (HT P) com unication over the Internet. HT P is a end-user;theserveristhewebsite.Typicaly,anHT Pc Prot col (TCP) con ection to a particular port on a host (port 80 by default). An HT P server listeni g on that port waitsfortheclient osendarequestmes age.Uponrec ivng "HT P/1. 20 OK",andames ageofitsown,thebodyofwhichisperhapstherequestedresource,aner ormes age, orsomeotherinformation.
is a com unication prot col com only used in the client-server request/response
standard betwe n a client and a server. A client is the lientintiaesarequest.ItestablishesaTransmis ionControl therequest, heserver sendsback astausline,such as
Intoday’sworldofdat com unicationwith and-held evices a very ef ective scenario for a vast range of ap lications ac es websites built for mobile phones (WAP discus the later case. Building this client-server HT P com unication link would involve thre basic ompone ts (Fig.5):
,interactionbetwe namobilephoneandaweb-serveris . This can hap en using the phone’s in-built micro-browser to sites) or by having a client-serve
r based request/respond model. Let us
• AMIDletrun ingontheclientmobilephone(tosend at ) • AJav
servlet
run ingonaserver(e.g theApach
eTomcatServer)torec ivedat
• Adat base(e.g MS QL)ontheserver(tosortandstoredat ) The MIDlet is writen using the Jav ME platform and deployed as a MIDlet suite onto the client phone. The cor esponding Jav request-response Thefirst episto penacon ectionto
servlet
is housed inside the Apache Tomcat Server.
Servlet jav .servletjav x.servlet
model. This is done by the theserverusingtheCon ectorclas .
.*; and
works with client based on jav x.servlet.htp.*
; packages.
'i
SAMPLECODE:hcon=(HtpCon ection)Con ector.open(url) Next,we obtain a Dat InputSream on ourHtpCon ection, alowi char cter.
ng usto read the server's
responsedat , char cter by
SAMPLECODE:resp=newDat InputSream(hcon.openI putSream() Using the read () method of Dat InputSream, each char cter of object. When the client com unicates the information (image/options/text) it ad res es it o a particular server. The servlet method, doPost(), takes two arguments, the first argument is an HtpServletRequest object and the second argument is HtpServletResponse object. Using FileOutputSream()method (image,text,audio rvideo)intotheSQLdat base.
the server's response is colected and ap ende to an servlet is nvoked and responds ac ording to the method e
fined by the client (POST or GET). The POST request.getInputSream() method servlet
ex cutesclient’srequest.The
servlet
servlet then post he rec ived
rec ives client’s information. Using dat dep ndingontype
SAMPLECODE:Clas .forName("sun.jdbc.odbc.JdbcOdbcDriver") Stringdat SourceName="Image"; String
dbURL="jdbc:odbc:"+dat SourceName;
con=DriverMan ger.getCon ection(dbURL," ," )
Server (e.g Tomcat) Aug 5. 2AAA 3:54:1? PM org-apache - catalina.core.A prLifecycleListener INFO: The APR hated Apache Toncat Natige lihrary which allows optina in pro duction eneironnents was not found on the jaea.lihrary.path: iles'Apache Software Powndation'Toncat 6 A\hin;. ;C:\WINpOWS \systen3 ;C:'Progran Piles\PAP\;C:\WINpOWS \systen32 ;C:\WINpOWS ;C:\WINPOWS'Sys :\PA0CArl\p-Secwre \Ssh;C:'Prograe Piles'Qwichliee'QTS ysten';C:'Prog a'jdhl 5\hin;C-\Progran Piles'PostgreSQL'A 2'hin;C:\hypen-estn-aienug 5 2AAA 3:54:1? PM orgapachecoyotehttpllAttpllProtocol mit I NPO: Initializing Coyote ATTP/I - I on http-AAAA - ug S 2AAA 3:54:1? PM org-apache - catalinastartwpCatalina load INFO: Initialization processed in 421 ns
Client-side (MIDlet)
-
I
ug S. 2AAA 3:54:1? PM orgapachecatalinacoreStandardSergice star I NPO: S tartin g sergice Catalina
- ug S. 2AAA 3:54:1? PM org-apache - catalinacoreStandardEngine start INFO: Starting Serelet Engine- Apache Toncat/6A16 - ug S. 2AAA 3:54:1? PM org-apache -coyote httpll AttpllProtocol start INFO: Starting Coyote ATTP/I -1 on http-AAAA
ug S. 2AAA 3:S4:1? PM orgapachejhconnonChannelSochetinit INFO: IA: ajpl3 listening on ,A.A.A.A:AAAg ugS. 2AAA 3:54:1? PM org.apache.jh.sergerJhMain start
INFO: Jhrwnning IIIA tineA/32confignwll ug S. 2AAA 3:S4:1? PM org-apache-catalina-startup-Catalina start INFO: Serger startup in 424 ns
DB (e.g MS SQL)
Fig.5Anilustrationofmobile-to-serverlink
4. The advancement in computer powerfulandcreativeap lications. Digtalmultimediadat ,su created, edited, distributed, shared, and
INTRODUCTIONTOMULTIMEDIASECURITY technol gy and the wide range of netw
ork ac es av ilabilty have nabled many chasdigtalimages,audio,video,and ocuments,canbe stored with convenience at a very low co
st, e.g on the Internet. On one hand,
on the
new technologies help individuals to achieve better communications with one another. On the other hand, since the emerging Internet is an open network which is vulnerable to eavesdropping or unauthorized users, the fear that the vital data transmitted through the Internet could be manipulated or stolen is very much valid and needs to be addressed4. The key objectives of a given multimedia security system, which has been shown to present many new challenges for industry in general to ensure a secure management system for their vital information, can be summarized based on the following criteria: • Confidentiality: information.
The protection of important data from unauthorized access, and privacy of the transmitted
• Availability and Copy Control: Provision of access to the data resources by preventing illegal distribution and theft. • Data/Origin Integrity: Authentication to assure the credibility of multimedia information. Integrity/authentication ensures that information has not been manipulated in an unauthorized way, and checks the authenticity of multimedia content and its source (which involves the illegal duplication, illegal tampering, and wrongful distribution of media ownership assertion). We briefly describe two security features that have been very popular and widely used in multimedia communication namely, Cryptography4, 5, 7, 8, 10, 13, 22 and Steganography1, 6, 9, 11, 12, 13,23.
5. CRYPTOGRAPHY 5
Cryptography (or cryptology; derived from Greek κρυπτός kryptós "hidden," and the verb γράφω gráfo "write"-"secret writing") is the study of message secrecy. It is closely related to encryption which is the technique of writing ordinary text or plaintext in a predetermined extraordinary manner such that the original information can only be read by applying the same concept that was for the encryption in the reverse (decryption). A cipher is a pair of algorithms which creates the encryption and the reversing decryption. Cryptanalysis is the study of finding a weakness in a cryptographic algorithm. More generally, encryption is a one-to-one mapping of a sequence of symbols from a given set to another sequence of symbols, usually from the same set. Cipher (or cypher) is a message written in a secret code. The original message, M , is called the plaintext; the encrypted data is the ciphertext, C . C is a function of M and the enciphering key K e : C = G ( M , Ke ) , M = G (C, Kd )
(1)
In order to obtain M from C , one needs the decrypting key K d . It is extremely difficult to get M from except when one has the K d . A cryptographic algorithm may or may not be broken depending on a number of factors like length, randomness, secrecy of key. Modern cryptography can be broadly classified depending on key-space into “Symmetric key5” and “Asymmetric key5” cryptography. In Symmetric key cryptography, each pair of sender and the receiver share the same key for encryption and decryption. The advantages of the Symmetric-key cryptosystems over public key systems are (a) symmetric cryptosystems require much smaller key sizes for the same level of security, (b) are much more computationally intensive than the symmetric one and (c) require less memory. The basic disadvantages of Symmetric key cryptography are (a) the key management necessary to use the key securely, (b) the difficulty of establishing a secret key between two communicating parties when a secure channel doesn’t already exist between them, and (c) Symmetric key cryptography cannot handle large communication networks (for instance, if a communication network of n nodes needs to communicate confidentially with all other nodes in the network, it needs (n -1) shared secret keys. For a large value of n the system requires complex key management schemes which are highly impractical and inconvenient). Symmetric key ciphers can be further classified into block and stream ciphers. Block ciphers take as input a block of plaintext and a key, and output a block of cipher text of the same size. Stream ciphers create an arbitrary long stream of key, which is combined with the plaintext bit-by-bit or character-by-character. In a stream cipher, the output stream is created based on an internal state which changes as the cipher operates. That state change is controlled by the key or sometimes by the plain-text stream. Asymmetric cryptography involves private-public key pair algorithms. This means that the encryption and decryption algorithms use different but related keys. A few popular and widely used cryptographic algorithms are as follows,
5.1
Dat EncryptionStandard(DES)
Subkey (48 bits)
Half Block (32 bits)
It is a Sym etric key algo 1976, since then it has be internationaly.Itprescribestheuseofa56bitkeywhich was later found to be to smal. The DES algorithm (Fig.6) is now beli ved to be insecure; the Electronic FrontierFoundationwaspublicyandsuc es fulyableto crackthealgorithmusingbrute Although the DES was later supersed by more theoreticaly secure algorithms like the Triple DES 13 AES , it was a front run er in the field of modern el ctronic encryption and sparke field for years to come resulting in amazing advancementsincryptography.
rithm sel cted by the NBS in come a popular algorithm 13
forceinamaterofhours.
4 13
and
II!!! I!!!! I!!!! I!!!! I!!!! I!!! I!!!! I!!!!
d great inter st in this
5.2 5.3
5.2AdvancedEncryptionStandard(AES)
13 AES also known as an ounced by the National Instiute of Standards and Technol gyasaU.S standardin20 1andhas incethen foundworldwidefame.AEShasafixedblocksizeof128 bits and can have a key size of 128, 192 or 256 bits. The cipher was dev loped by two Belgian cryptographers, Joan Daemen and Vincent Rijmen. AES has many advantagesoverDES,it shighlysecure,requiresles memo
Rijndael
p
is a block cipher that was
Fig.6Dat EncryptionStandard
ryandiseasytoimplementonboth ardwareandsoftware.
5.4 5.
5.3Dif e-Helmankeyexchange
This cryptographic prot col introduced in 1976 propose calculationofone’sprivatekeyis mpos ible privatekeysi related.Insuchacryptosy tem,thepublic secret.Thepublickeyisusedforencryptio
the use of a public key and ev nifthepublickeyisknowninspite
a private key su ofthefact hat
ch that he apairofpublicand
keycanbefre lydistributedwhiletheprivatekeymustremain nandtheprivatekeyisusedfordecryption.
Thel ngthof56bitskeywaswidelyuseduntilthe19 0’swhenitcametolight hat hiskeyisnotsuf icent oprotect dat ag inst a key decryption/search algorithm. Modern cryptosy tems typicaly use 128-bit or ev n 256-bit keys. The numberoftest forencryption128-bitkeycryptosy temis; 2 34028122836 920938463463 7460743=176821 456
andforthe256-bitkeycryptosy temis; 2 1 5792205689237 16 954235709850 86=7907853269 846 5640564039457 840 7913 29639 36
. 2
One of the most importantprinciples in cryptography is caled Kerckhof ’s principle the19thcenturywhichbasicalysaysthat if ev rything about a cryptosy tem is secretkey. Asurveyofvarious tae-of-the-artcryptosy temsincludingfastvideoencryptionsy temshavebe npres ntedbyC.E 5 Shan on ,WhitfeldDif e 5.6
5.4 Implementa ionofaCryptogra
In previous ections the concepts related to mobile ap lication dev lopment using Jav ME and cryptography are reviewed.Now emergethes twotopicstogethertodem run ingaclientMIDletresponsibleforperforming218bitAESencryptionandsendingtotheserverandaJav servlet
staed by Aug ste Kerckhof s in entirelyonthesecretkeys,i.e ven s age is protected by the choice of the
thesecrecyofacryptosy temmustreside public, it’s integrity of the ncrypted me
7
,MartinHelman
7
andJ.Mas ey
8
intheir ndep ndentwork.
phicAlgorithmforMobile-to-ServerLink onstrateasecurecom unication
linkbetwe namobilephone
responsible for decrypting this encrypted mes age and storing it case, for demonstration purpose , we have downloade and modifed open-source cryptography software caled Pocket Protector V 1.01 launching,theap licationask forapas phras to create the 128 bit key used for AES sym etric encryption in previouslystoredtextmes agefileorcreateanewfileforencryption.Thedat isencryptedusingthekeyandstoredin the RMS memory in the phone by making us store is tored as a series of encrypted byte ar ays. This HT Pmobiletoserverlinkexplainedinthispa erfordecryptionbyaJav
in an SQL dat base for later etrieval (Fig.7). In this 14
. This oftware implements the above introduced and widely recognized AES algorithm. Upon etoprotect hefiletobe ncrypted.It akesthispas phrasefromtheuser CBC mode. It hen alows the user to either sel ct a e of the Jav ME RMS libra y in the ap lication. Each file in the record encrypted file is then com uni
cated to the server using the servlet
+5550000- DefaiiItCoIorPhore
L
+5550000 - DefuultColorPhone
J
+5550000 - DefaultColorPhone
MIDlet View Help
MIDlet View Help
/ Y.suil
L=
MIDlet View Help
Sun
S
a
Pocket - List
Pocket - Unlock
andstorageinadat base.
Sun
Is it OKto Use Airtime?
Enter a passphrase, This will be used to secure the storage. Make sure is secret, and that you can remember t.
MobileAppicetioni wants to connect to ittp:/Aocalhost:8O8OIexamplesIser1etmageServl
Menu
using ahtime. This may resut in tharges
I Open 2 Delete
St OKto use abtime?
3 New
Ex
Ex
Menu No
OK
(b)
1
2
3 DLI
4
5 KL
6 MN C)
7 PQRS
8
9
*
0
NH lET
I SPACE
(a)
Fig.7(a)Pas -phrasetogen rate128bitAESkey (b)Sel ctingfiletobe ncrypted (c)Grantingairtmepermis ion
(c)
Yes
6. STEGANOGRAPHY Steganography6,23 can be classically defined as the art and science of writing hidden messages in such a way that no one apart from the sender and intended recipient realizes the existence of a message. The word steganography is of Greek origin and means "covered, or hidden writing". This technique dates back to the ancient times of Herodotus (485 – 525 BC) who was the first Greek historian. Herodotus recounted the story of Histaiaeus, who wanted to encourage Aristagoras of Miletus to revolt against the Persian king. In order to securely convey his plan, Histaiaeus shaved the head of his messenger, wrote the message on his scalp, and then waited for the hair to re-grow. The messenger, apparently carrying nothing contentious, could travel freely. Arriving at his destination, he shaved his head and pointed it at the recipient. In the 16-17th centuries, several methods had been developed. In his book Schola Steganographica9, Gaspar Schott explains how to hide messages in music scores. Modern steganography came into the picture with the advent of the personal computer and became a strong electronic security feature with the use of computer networks and the Internet. Modern steganography is the science of hiding data in innocuous cover media such as images, audio and video. The modern formulation of steganography is often given in terms of the prisoner's problem10 where Alice and Bob are two inmates who wish to communicate in order to hatch an escape plan. However, all communication between them is examined by the warden, Wendy, who will put them in solitary confinement at the slightest suspicion of covert communication. The difference between steganography and cryptography is that in cryptography, one can tell that a message has been encrypted, but he cannot decode the message without knowing the proper key. In steganography, the message itself may not be difficult to decode, but the idea is that everyone apart from the intended recipient should not detect the presence of the secret message. In steganography, unlike other forms of communication, one's awareness of the underlying communication between the sender and receiver defeats the whole purpose. Therefore, the requirement of a steganographic system is that it should not be detectable. When combined, steganography and cryptography can provide two levels of security such that even if a third party knows the steganography algorithm shared by the two legitimate parties, a secret key would still be required to unlock the secret message. The secret key, for example, can be a password used to seed a pseudo-random number generator to select pixel locations in an image cover-object for embedding the secret message (possibly encrypted). This principle is called Kerckhoff’s principle22 in cryptography. The reliability of a stego-system is based on relative entropy between the probability distributions of the cover-object and stego-object, denoted by Pc and Ps, respectively12, i.e. D (Pc|Ps) = ∫ Pc log Pc/Ps
(2)
From equation (2), we note that D (Pc|Ps) increases with the ratio Pc/Ps which in turn means that the reliability of steganalysis detector will also increase. Accordingly, a stego technique is said to be perfectly secure if D (Pc|Ps) = 0 (Pc and Ps are equal), and secure if the relative entropy between Pc and Ps is at most €, D(Pc|Ps) ≤€. Perfectly secure algorithms are shown to exist, although they are impractical. There have been various approaches in defining and evaluating the security of a steganographic system. Zollner11 was amongst the first to address the undetectability aspect of steganographical systems. Zollner11 and some others provided an analysis to show that information theoretically secure by steganography is possible if the embedding operation has a random nature and the embedded message is independent from both the cover-object and stego-object. Hence, the definition of security is based on the assumption that the cover-object and stego-object are independent and identically distributed vectors of random variables. Another important consideration is steganographic capacity which can be defined as the maximum amount of information that can be embedded into a cover object such that the secret information can be reliably recovered from the stego object and at the same time provides the intended invisibility to unauthorized viewers. Until now, steganography had mostly been implemented in computers due to substantial processing and memory requirements. However in the past couple of years, with miniaturization of mobile components such as memory and the advanced capabilities of mobile device processors, this science is slowly finding a whole new opportunity on mobile devices. With the availability of 200+ MHz processors and memory expansion capabilities, the smart phones make excellent candidates to implement steganography applications as they became an integral lifestyle item. Figure 8 displays the block diagram of a typical data-hiding support-based digital multimedia security system, where a sensitive message Mo is to be transmitted through a public channel. Let Io be the cover media from a class of covers C_I, into which the message Mo is embedded (mapped), the embedded message such that, the modified media I=Io+Mo, is visually indistinguishable from Io, where + is an embedding operation. It is a practical assumption that the embedding operation +, which could be also binary, has the inverse operation * which means that I*Io=Mo. A reasonable guess is that the sensitive message then undergoes some processing before hiding, such as encryption (in order to increase the
security of the system), compression, or both used simultaneously. Based on the data hiding detection key, the data hiding decoder maps signal back to the message Mo. The information intended to be unseen by intermediate parties is considered the steganographic content and that carrying it is called the cover object. Some possible media are to include audio files, video files, text files, and images. In this article, we discuss scenarios of hiding an image within an image. Steganography itself is an established field. The ability to apply wireless steganography1 to mobile device data exchange greatly increases the effectiveness and relevance of this particular type of covert communication. In addition, this new concept helps to validate the art and aides in the establishment of steganography as a practical approach for transmitting sensitive material. We consider this new idea to be a great contribution to this rapidly growing field.
Secret Message + Cover Media + Secret Key = Stego Media Io
The output of the embedding module is perceptually identical to the cover media
Cover Media
Mo Secret Message
+ Embedding Algorithm
I Stego Message
* Channel
Message Retrieval Algorithm
Mo Secret Message
Fig. 8 General Steganography arrangement
In next section we will explain the theory and implementation of an algorithm as an example of image steganography in mobile phones. Image steganography involves the discrete embedding or hiding of the secret image into a cover image (cover object) to generate a stego object. For this to be effectively carried out, the secret image needs to be of a lower resolution than the cover image. Before we go ahead with our selected algorithm, it is important to state that most techniques for image steganography1, 12 can be classified based on the basis of principle into, • Spatial or Transform Domain Embedding • Model-based or Ad-hoc, or Human visual system based embedding 6.1 Example: LSB Technique As the name suggests, this technique12 of steganography involves modifying the least significant bits of the cover image i.e. decomposing the cover image into bit planes and replacing the least significant bits of the cover image by the bits of the secret image. This technique works on the fact that the least significant bits in an image could be thought of random noise and changes to them would not have a significant effect on the cover image. The sensitive message can be in any kind of format that is represented as a sequence of binary bits, a = ( a1 , a2 ,..., an ) where ai takes the values of {0, 1}. The cover media can be pictures, videos, music, text, a source code file, ciphertext, and can be also created synthetically (Fig. 9). These data formats have potential for information hiding due to the redundancy and irrelevancy inherent in digital media. For example, the validity of a digital image as cover medium is justified when considering the limitations of the Human Visual System (HVS) and a cover image: 3135 × 2295 bmp , 24 bit/pixel, 7 MB, which has an embeddable data capacity of approximately 2.2 MB, approximately equal to 50 pages of Adobe documents. Of course, this does result in some statistical changes which in turn can be made use of in order to detect the presence of the secret image within. Bit plane decomposition1 of the cover image is the process of decomposing or breaking down every image component (gray scale image) to be represented as a set of binary images (Fig. 10). If each pixel of the cover image can be
represented by 8 bits, then we can have 8 such bit planes, and we can hide our secret image within each pixel of the LSB or first bit plane to obtain our stego image.
After LSB Embedding
SECRET IMAGE
COVER IMAGE
STEGO IMAGE
Fig. 9 LSB Embedding
Fig. 10 Bit plane decomposition of simple LSB embedding procedure
6.2 An Implementation of LSB Technique for Mobile to Server Communication Link In order to consolidate our idea of wireless steganography, we demonstrate a simple implementation of image steganography in a mobile phone (Fig.11) and communicate the resultant stego-image to the server using the HTTP link described above. This demonstration consists of the following elements, a Java ME MIDlet running on the client-side that takes a low resolution image (secret image) and hides it within a high resolution cover image using the LSB technique. Both the images are in the .png format. The MIDlet basically converts both the images into bit streams and then replaces the LSB bits of the high resolution image with the bits of the secret image in order to obtain the stegoimage. Before doing this, we need to convert the images into an integer array of pixel values and then into respective byte-arrays. To create a byte-array of data from an image, we can use the getRGB (..) method in the image class in MIDP 2.0. From the getRGB method we get an int-array of data containing all the ARGB values of each pixel in the image. Integers in java are four bytes, so we need to split each int value into four byte values. To mask out each of the bytes in the int we can use the 'AND &' operator and the 'shift-right >>' operator. Here's an example13: int ARGB = 0xFFFFFFFF; // AARRGGBB int a = (ARGB & 0xFF000000); int r = (ARGB & 0x00FF0000); int g = (ARGB & 0x0000FF00); int b = (ARGB & 0x000000FF);
/ Her wemove achbit otheright. a=(a> 24);/ a=0x 0 0 F r=(r> 16);/ r=0x 0 0 F g=(g> 8);/ g=0x 0 0 F b=b; / b=0x0 0 F When we convert he integ r to a byte, ther are some problems ince ther are only signed bytes in Jav . A byte may contain values betwe n –128 and 127 and from our integ r we'l have a value betwe n 0 and 25 . Her are some conversionexamples
13
:
Integ rval127=byteval127. Integ rval128=byteval–128. Integ rval25 =byteval–1. byteba=(byte)(a); / ifa=0x 0 0 F (25 ),thenba=-1 bytebr=(byte)(r ; bytebg=(byte)(g); byteb =(byte)(b); We have to lo p though each pixel in ar aysforthetwoimages,wethenconvertbothofthebytear aysinto the bit sream repres ntaions of the two images. We then us image with the bits of the secret image. using HT P to the server wher it s rec ived by the Apache servlet which folows the same logic in a rev rse order in orde SQL dat base.
the image and get each pixel value to u
Tomcat server. The server pas es this image to the Jav r to recover the secret image and then stores it nto the
I = I ixt I
T.,iII This is the LOW PESOLIJTIOII inlage
&, t ,
CUTSA
.... Exit
Next
1 ui
7 pots
2
3°
5jxi
6mno
8'uv
9wx57
0 SHIFT
555ODO- DfrnftCoIorPhcne MIDIe View Help
STEGANO GRAPH V
Fig.1 (a)Thelowresolutionimag
string
We then re-create the stego image thus obtained and then transmit his mage
x5550000 - DefesltColorPhone
4
ar ays.Thes
e nested if and for lo ps to replace the LSBs of the cover
MIDIeC View Help
.
r byte-ar ay. Once we have two byte string
SPACE
e (b) LSB embed ed stego-image
=
ar aysarenothingbut
7. CONCLUSION In this paper, we described in detail the entire process of communicating information from a cell phone to a server. This involved developing a mobile application in Java ME and deploying it onto the client phone, establishing an http connection, sending information from the client application on the phone to a server application or a servlet running on the server to receive this information and store it in a MS SQL database. This paper also sheds light on the important issue of security for the mobile-server communication channel using Cryptography and Steganography and discusses a few security algorithms and their properties popularly used in today’s wireless communication. We also discuss the implementation of both these security features i.e. cryptography and wireless image steganography in Java ME for a secure client-server application suite. This paper provides valuable insight into mobile application development using Java ME and a very relevant perspective on wireless security implementation which will be an interesting reference to beginners and experienced developers alike.
8. ACKNOWLEDGEMENTS This work was partially supported by National Science Foundation Grant SGER # 0833852 and UTSA iTEC Center. We also sincerely thank all those directly or indirectly involved in the successful completion of this work.
REFERENCES [1] S. Agaian, D. Akopian S. D’Souza, "Wireless Steganography" SPIE Electronic Imaging Conference, January 2006 [2] www.canalys.com [3] http://developer.att.com [4] Wu, C.P., Kuo, C.C., “Fast Encryption Methods for Audiovisual Data Confidentiality”, SPIE International Symposia on Information Technologies, vol. 4209, 284-295, Boston, MA, USA, 2000 [5] C.E. Shannon, “Communication theory of secrecy systems” Bell Systems Technical Journal, vol. 28, 656-715, 1949 [6] S. Agaian, “Steganography & Steganalysis: An overview of Research & Challenges” Network Security and Intrusion Detection, NATO Proceedings, 2005 [7] Whitfield Diffie, Martin E. Hellman, “New Directions in Cryptography” IEEE Transactions on Information Theory, vol. IT-22, 644-654, 1976 [8] J. L. Massey, “An introduction to contemporary cryptology” Proc. IEEE, Vol.76, No.5, May 1988 [9] GC Langelaar, JCA van der Lubbe, J Biemond, “Protection for Multimedia Data based on Labeling Techniques" 17th Symposium on Information Theory in Benelux, Enschede, The Netherlands, May 1999 [10] G. Simmons, “The prisoners problem and the subliminal channel," CRYPTO, pp. 51-67, 1983. [11] J. Zollner, H. Federrath, H. Klimant, A. Pfitzman, R. Piotraschke, A. Westfeld, G. Wicke, G.Wolf, “Modeling the security of steganographic systems" 2nd Information Hiding Workshop, 345-355, April 1998 [12] M. Kharrazil, H.T. Sencar, N Memon, ”Image Steganography: Concepts and Practice” 3-14 WSPC Lecture Notes, April 2004 [13] W. Stallings, “Cryptography and Network Security” Fourth Edition, 72-160, 2006 [14] http://developer.sonyericsson.com/site/global/techsupport/tipstrickscode/java/p_java_0502.jsp [15] http://www.eaves.org/jon/j2me/pocket.shtml [16] www.netbeans.org [17] www.symbian.com [18] http://code.google.com/android/ [19] http://developer.apple.com/iphone/ [20] www.java.sun.com/javame [21] http://java.sun.com/new2java/programming/intro/index.html [22] A Kerckhoff, ‘La cryptographie militaire’, Journal des sciences militaires, vol. IX, 5–38, Jan. 1883, 161–191, Feb. 1883. [23] I. Cox, M. Miller, J. Bloom, J. Fridrich, T. Kalker, “Digital Watermarking and Steganography,” Morgan Kaufman Publishers, 2008
