Securedsms a protocol for sms security

1. Proceedings of the International Conference on Emerging Trends in Engineering and Management (ICETEM14)
30 – 31, December 2014, Ernakulam, India
37
SECUREDSMS: A PROTOCOL FOR SMS SECURITY
Deepthi Sucheendran, Asst Prof. Arun R, Dr. S.Sasidhar Babu, Prof. P.Jayakumar
Final Year M.Tech (Cyber Security), Department of Computer Science & Engineering, SNGCE, Kerala, India
ABSTRACT
Short Message Service (SMS) has become common in many of our daily life applications. Sometimes SMS is
used to send confidential information like password, passcode, banking details etc. But in traditional SMS service,
information content is transmitted as plain text which is not at all secure. It’s because when SMS is transmitted as plain
text without using any encryption mechanisms it is easily subjected to many attacks. In this paper, we propose a protocol
called SecuredSMS which make use of the symmetric key shared between the end users thus providing secure and safe
communication between two users. The analysis of this protocol shows that it is highly secure as it is able to prevent the
information content from various attacks like replay attack, man-in-the-middle attack, over the air modification and
impersonation attack. SecuredSMS can be activated in the phone using PIN number. It also provides a way for remote
destruction and remote locking in the case if the phone is stolen or lost.
Keywords: Authentication, Cryptography, Security, SMS, Symmetric Key.
1. INTRODUCTION
Short Message Service (SMS) has become one of the major means for communication. SMS service was first
started on December 3, 1992. Even after 21 years, the use of SMS is still increasing. SMS is widely used for many
applications which play a major role in daily life. Many Banks are now using SMS service as a means for communication
with its customers. Also SMS is used as a means of communication in Transportation Information System [1],
SMSAssassin [2], SMS-based web search such as SMSFind [3], private health facilities using SMS [4] and many more.
Even though SMS is widely used in many applications, the traditional SMS service has got many drawbacks. The
major problem lies in the transmission of information content as no encryption mechanisms are provided before
transmission. In traditional SMS service, SMS is sent as plain text which makes it vulnerable to many attacks. Also over
the air (OTA) traffic between the Mobile Station (MS) and the Base Transceiver Station (BTS) is encrypted by a weak
stream cipher (A5/1 or A5/2). An attacker can easily compromise these algorithms. Thus the SMS contents are not at all
secured. It is prone to various attacks like SMS disclosure [5], man-in-the-middle attack [6], replay attack [7] and
impersonation attack [8].
The above attacks can be efficiently avoided using SecuredSMS protocol which makes use of a symmetric key
for secure transmission of information between users. It also provides a way for Remote destruction and Remote locking
[10]. The key idea of this protocol is from EasySMS [9] protocol.
1.1 Organization
This paper contains 4 sections. Section 2 contains the literature review of previous work that had provided
security to SMS. Section 3 presents the proposed protocol SecuredSMS, which provides security for the information
content in the SMS. Section 4 summarizes the work.
INTERNATIONAL JOURNAL OF COMPUTER ENGINEERING &
TECHNOLOGY (IJCET)
ISSN 0976 – 6367(Print)
ISSN 0976 – 6375(Online)
Volume 5, Issue 12, December (2014), pp. 37-41
© IAEME: www.iaeme.com/IJCET.asp
Journal Impact Factor (2014): 8.5328 (Calculated by GISI)
www.jifactor.com
IJCET
© I A E M E

2. Proceedings of the International Conference on Emerging Trends in Engineering and Management (ICETEM14)
30 – 31, December 2014, Ernakulam, India
38
2. RELATED WORKS
Previously different authors have described different techniques to provide security to the information content in
SMS. An application called SafeSMS was developed in [11] which was used to provide confidentiality, authentication and
integrity in SMS. It used a symmetric algorithm along with a shared secret password to generate the key used for
encryption. An application layer framework called SSMS was developed in [12]. It used elliptic curve-based public key
which uses public keys to provide secret key establishment and was used to provide security to SMS messaging in m-
payment applications. Another framework known as Secure Extensible and Efficient SMS (SEESMS) introduced in [13]
uses public key cryptography for exchanging information between two peers. Shared key is generated for each session in
[14] and [12]. But the major drawback with all the above frameworks are due to the huge overhead they cause which make
them unsuitable for real world applications. PK-SIM [10] and SMSSec [15] are the protocols which provide security
without changing the existing cellular networks architecture. SMSSec is a two phase protocol in which first handshake
uses asymmetric cryptography which occurs only once and uses symmetric cryptography in the second phase. This
protocol is used to provide security for SMS communications sent by Java’s Wireless Messaging API. PK-SIM protocol
uses PKI functionality by proposing a standard SIM card.
Our mobile phone has got many physical limitations. Therefore a protocol which makes use of minimum
computing resources is preferable. But all the above frameworks increase the overall overhead. The proposed protocol
SecuredSMS provide security without changing the existing architecture of cellular networks and also make use of
minimum resources.
3. SECUREDSMS: THE PROPOSED PROTOCOL
This section focuses on the proposed method and architecture of the proposed protocol. Table 1 shows
definition of various symbols used in this paper and their sizes. Table 2 represents various functions used in this paper
with their functions.
3.1 The Proposed Method
A new protocol SecuredSMS is proposed here which provide security for the information content in the SMS. It
provides security for the SMS sent between two mobile users. SecuredSMS has a different protocol structure than
EasySMS [9]. A client server architecture is used here to provide better security. SecuredSMS protocol gets activated in
the mobile phones after entering the corresponding PIN number. This provides additional security. SecuredSMS has got
an additional functionality called Remote destruction and Remote locking. This feature is very useful when mobile
phones are lost or stolen. This functionality can be triggered with the help of a special SMS message. Suppose the mobile
phone with the SecuredSMS functionality is stolen, the user can ask for the help of the Mobile Operator to send a ‘remote
destruction’ SMS message to the mobile phone which destroys the SecuredSMS protocol and its cryptographic
functionalities permanently. In case of a damage or Mobile Operator change, the user can ask the Mobile Operator to
send a ‘remote locking’ SMS message to the mobile phone which lock all the SecuredSMS functionality temporarily.
This can be unlocked later.
Table 1: Abbreviations and Symbols
Table 2: Definition of Functions used

3. Proceedings of the International Conference on Emerging Trends in Engineering and Management (ICETEM14)
30 – 31, December 2014, Ernakulam, India
39
3.2 Design of SecuredSMS Protocol
In this section, we propose the new protocol named SecuredSMS to provide security the SMS. Two different
scenarios are described here. First scenario is shown in Fig. 1. Here both the mobile users, i.e. both the MS are under the
same Authentication Server (AS). The second scenario is shown in Fig. 2 where both MS are under different AS, which
means both MS belong to different Home Location Register (HLR). The AS is responsible for the storage of all the
symmetric keys shared between the AS and the respective MS. Information related to all the mobile users are stored in
Certified Authority (CA). SIM card gets activated only after the verification of the identity of the mobile user by CA. Each
AS and CA also share a symmetric key to provide information is transmitted between AS and CA.
Scenario 1 : Here both the mobile users (MS) belong to the same AS. This is shown in Fig.1. Here there are two phases.
Fig.1: SecuredSMS Scenario 1: (a) Phase 1 (b) Phase 2
Phase 1: Phase 1 has got a different protocol structure compared to EasySMS. Here it is client server architecture. MS1
represents the mobile user who wants to communicate with another mobile user (MS2). (1). MS1 sends a message to the

4. Proceedings of the International Conference on Emerging Trends in Engineering and Management (ICETEM14)
30 – 31, December 2014, Ernakulam, India
40
AS which includes the identity of MS1 (IMS1), identity of the mobile user with whom MS1 wants to communicate (IMS2),
International Mobile Subscriber Identity of MS1(IDMS1), a request number ReqNo, a timestamp T1 and a message
authentication code MAC1 = f1SK1(IDMS1||ReqNo). The key shared between MS1 and AS is SK1. (2). On receiving the
message from MS1, AS now knows that MS1 wants to communicate with MS2. AS computes MAC1’ =
f1SK1(IDMS1||ReqNo) and checks whether MAC1’ and MAC1 are same. If the condition satisfies then AS sends a
message to MS2 containing IMS1, IDMS1, T2, MAC1, ReqNo. (3). Now MS2 knows that MS1 wish to communicate with
it. So MS2 sends it’s IDMS2 along with T2 and MAC2 all together encrypted with SK_MS2. SK_MS2 is the symmetric
key shared between AS and MS2.
AS should now confirm the validity of both IDMS1 and IDMS2.(4) For that it sends a message to CA/RA
containing IDMS1, IDMS2, along with a timestamp T3, all encrypted with a symmetric key shared between AS and
CA/RA. (5). CA/RA now checks the validity of both the users and sends a message to AS along with T3. (6). On receiving
the message from CA/RA ,if AS finds that entities are valid then it generates a new timestamp T4, an expiry time for
MS1(ExpT) , a delegate key DK1= f2SK1(T4||ReqNo) and a new message authentication code MAC3 =
f1SK1(T4||ExpT||ReqNo). AS then sends T4, MAC3 and ExpT to MS1. Suppose if AS finds that any of the entities are
invalid then it terminates the connection. (7). On receiving the message from AS, MS1 computes
MAC3’=f1SK1(T4||ExpT||ReqNo) and checks it with the received MAC3. If both are same then MS1 generates DK1.
MS1 then sends T4 and ReqNo to AS encrypted with DK1. (8) AS compares the values of T4 and ReqNo with the values
stored in it. MS1 is authenticated by AS in this way. AS then sends a message to MS2 containing a new timestamp T5,
along with ReqNo, ExpT and the symmetric key DK1, all encrypted with SK_MS2. (9). On receiving message from AS,
MS2 sends an acknowledgment to AS. (10). MS2 also sends a message to MS1 containing ReqNo encrypted with DK1.
On receiving this MS1 checks the value of ReqNo. Also MS1 now knows that MS2 has got the symmetric key DK1.
Phase 2: This phase is same as the phase 2 of EasySMS. After phase1, both MS1 and MS2 has got the symmetric key
DK1. They can now securely transmit the information using this key using a suitable cryptographic algorithm within the
time period ExpT. (1). MS1 sends a message to MS2 containing IDMS1 and a timestamp Ti encrypted with DK1. (2).
MS2 checks whether Ti<=ExpT. If the condition is satisfied then MS2 sends an acknowledgment to MS1 containing the
same received timestamp Ti encrypted with DK1. (3) Now both MS can securely transmit their information. Once the
session gets expired then MS1 needs to send a fresh request to MS2 and phase 1 should be carried out again.
Scenario 2: Here both the mobile users are far away, which means both the MS belong to different AS. Here there are two
phases.
Fig.2: SecuredSMS Scenario 2: (a) Phase 1 (b) Phase 2
Phase 1: (1). This message is same as that of step 1 of scenario 1. This is send by MS1 to its authentication server AS1.
Here SK1 is the symmetric key that is shared between AS1 and MS1. (2). AS1 computes MAC1’ =

5. Proceedings of the International Conference on Emerging Trends in Engineering and Management (ICETEM14)
30 – 31, December 2014, Ernakulam, India
41
f1SK1(IDMS1||ReqNo) and checks whether MAC1 and MAC1’ are the same. AS1 then sends a message to the
authentication server of MS2 (AS2). This message includes IMS1, IMS2, IDMS1 and ReqNo. (3). AS2 sends a message to
MS2 which includes IMS1, ReqNo, T2 and MAC1. (4). On receiving this message MS2 now understands that MS1 wants to
communicate with it. So MS2 sends a message back to AS2 containing IDMS2, T2 and MAC2 after encrypting all with
SK_MS2. SK_MS2 is the symmetric key shared between AS2 and MS2. (5). AS computes MAC2’ as in scenario 1 and
checks whether MAC2=?MAC2’. In order to verify the validity of both the mobile users, AS2 sends a message to CA/RA
containing IDMS1, IDMS2, T3, all encrypted with the symmetric key SK_AS-CA that is shared between AS2 and
CA/RA. (6). CA/RA now check the validity and reply back to AS2 along with the received timestamp T3 encrypted with
SK_AS-CA (7). If AS2 finds that any of the entities are invalid then the connection is terminated. If all entities are valid
then it informs this to AS1 by simply sending the ReqNo encrypted with SK_AS1-AS2, which is the symmetric key shared
between AS1 and AS2. (8). AS1 now generates a new timestamp T4, ExpT, MAC3 and a delegate key DK1 which is
generated from SK1 with the help of a function f2 and MAC3. MAC3= f1SK1(T4||ExpT||ReqNo) and DK1=
f2SK1(T4||ReqNo). AS1 then sends a message to MS1 containing T4, ExpT, MAC3. (9). MS1 checks whether
MAC3=?MAC3’ as in scenario 1. It then generates DK1 and sends T4 and ReqNo encrypted with DK1 to AS1. (10). AS1
then sends (ReqNo, ExpT, DK1) to AS2 encrypted with SK_AS1-AS2. (11). AS2 now sends a message to MS2 including
(T5, ReqNo ExpT, DK1) using SK_MS2. (12). MS2 has now got the symmetric key DK1. It sends a reply to AS2 by
sending encrypted T5. (13). This step is same as step 10 in scenario 1.
Phase 2: This phase is same as phase 2 described in scenario 1.
4. CONCLUSION
The new protocol SecuredSMS has been designed. This protocol provides security for the information content
that is sent during SMS. It protects SMS from various attacks. The protocol can be activated using a PIN number. It makes
use of a symmetric key which is shared between the end users for secure transmission. A functionality called remote
locking and remote destruction is introduced which is very helpful if the phone is lost or stolen. SecuredSMS was designed
in such a way that it causes lesser computation and communication overhead.
REFERENCES
[1] R. E. Anderson et al., “Experiences with a transportation information system that uses only GPS and SMS,” in
Proc. IEEE ICTD, no.4, Dec.
[2] D. Risi and M. Teófilo, “MobileDeck: Turning SMS into a rich user experience,” in Proc. 6th MobiSys, no. 33,
2009.
[3] K. Yadav, “SMSAssassin: Crowd sourcing driven mobile-based system for SMS spam filtering,” in Proc.
Workshop Hot mobile, 2011, pp. 1–6.
[4] J. Chen, L. Subramanian, and E. Brewer, “SMS-based web search for low-end mobile devices,” in Proc. 16th
MobiCom, 2010, pp. 125–135.
[5] K. Park, G. I. Ma, J. H. Yi, Y. Cho, S. Cho, and S. Park, “Smartphone remote lock and wipe system with
integrity checking of SMS notification,” in Proc. IEEE ICCE, Jan. 2011, pp. 263–264.
[6] A. Nehra, R. Meena, D. Sohu, and O. P. Rishi, “A robust approach to prevent software piracy,” in Proc. SCES,
2012, pp. 1–3.
[7] N. Gligoric, T. Dimcic, D. Drajic, S. Krco, and N. Chu, “Application layer security mechanism for M2M
communication over SMS,” in Proc.20th TELFOR, 2012, pp. 5–8.
[8] S. Gupta, S. Sengupta, M. Bhattacharyya, S. Chattrejee, and B. S. Sharma, “Cellular phone based web
authentication system using 3-D encryption technique under stochastic framework,” in Proc. AH- ICI, 2009,
pp. 1–5.
[9] Neetesh Saxena and Narendra S. Chaudhari, “EasySMS: A Protocol for End-to-End Secure Transmission of
SMS,” IEEE Transactions On Information Forensics And Security, Vol. 9, No. 7, July 2014.
[10] H. Rongyu, Z. Guolei, C. Chaowen, X. Hui, Q. Xi, and Q. Zheng, “A PK-SIM card based end-to-end security
framework for SMS,” Comput. Standard Interf., vol. 31, no. 4, pp. 629–641, 2009.
[11] M. Hassinen, SafeSMS — end-to-end encryption for SMS messages, Proceedings of the 8th International
Conference onTelecommunications, 2, June 15 -17, 2005.
[12] M. Toorani and A. Shirazi, “SSMS—A secure SMS messaging protocol for the m-payment systems,” in Proc.
IEEE ISCC, Jul. 2008, pp. 700–705.
[13] A. De Santis, A. Castiglione, G. Cattaneo, M. Cembalo, F. Petagna, and U. F. Petrillo, “An extensible
framework for efficient secure SMS,” in Proc. Int. Conf. CISIS, 2010, pp. 843–850.
[14] S. Wu and C. Tan,“A high security framework for SMS,” in Proc. 2n
Int. Conf. BMEI, 2009, pp.1–6.
[15] J. L.-C. Lo, J. Bishop, and J. H. P. Eloff, “SMSSec: An end-to-end protocol for secure SMS,” Comput. Security,
vol. 27, nos. 5–6, pp. 154–167, 2008.