A Mobile Crime-reporting Application

Secure transfer protocol

Overview

Crime reports usually contain very sensitive data which the reporter would want to stay between them and the person they are reporting the crime to. The main focus for ensuring security of crime data in transmission was on protecting the crime reporter’s confidentiality. This was be done by providing end-to-end security through using public key cryptography.

Many researchers stand on opposite sides when it comes to end-to-end security implementation for mobile devices. Some say it is too costly and some say it is possible. Mobile phones have been known for their weaknesses such as limited processing power, limited memory and low bandwidth which hinder security implementations. As time has passed, we have been introduced to better mobile devices with increased power and memory. This introduces the possibility of a better security/performance tradeoff. In this project, a few chosen encryption and asymmetric key exchange and symmetric encryption algorithms were implemented to form hybrid cryptosystems, much like SSL,to ensure security for data in transit. The performance of the algorithms was tested to see which was best suited for a crime reporting context.

key exchange and encryption example

Figure 1: Example of cryptosystem implemented

Design and Implementation

In order to have secure transfer of crime report data, different attributes of the system to be developed were considered in te design of the system. These were :

  • Application Platform
  • Transmission Medium
  • Data Format
  • Key Exchange Protocols
  • Encryption algorithms

The platform chosen was Android and the method of transmission chosen was internet. For easier parsing on to the database and to retain data structure after transmission, XML format of data was use. To build the different cryptosystems RSA and Diffie-Hellman were chosen for key exchange and AES and Triple DES were used for encryption.

The cryptosystems were implemented using Java and Bouncy Castle libraries. An interface was developed to help with method calling and each system was tested for performance.

Figure 2: Secure Transfer GUI

Results and Evaluation

Each algorithm was tested to see how well they perform. Since SSL is widely used and accepted in the mobile world, it was used as a form of benchmark to see how well the other cryptosystems performed as compared to it. The first performance test done was to see how long it took each key exchange algorithm to run. The key key exchange algorithms were compared with the SSL handshake.

Figure 3: Graph comparing key exchange algorithms and ssl handsake

The next performance test done was on the encryption algorithms. This was compared with SSL encryption. Different file sizes, close enough to crime report file sizes, were used in this experiment.

Figure 4: Graph comparing encryption algorithms speeds w.r.t file size

As the graphs show, Diffie-Hellman key exchange proved to be the worst compared to RSA key exchanged algorithm and the SSL handshake. AES performed well when encrypting smaller file sizes but the time taken rose significantly at each file size increment. Though Triple DES performed badly, the performance with respect to file size slowed down steadily. SSl proves to be much better because it's performance is not much worse than when there is no encryption at all.

Conclusion

Hybrid cryptosystems, those using both asymmetric and symmetric key cryptography, were designed and implemented on an Android mobile device.These were RSA key exchange with AES encryption, RSA key exchange with Triple DES encryption, Diffie-Hellman key exchange with AES encryption and Diffie-Hellman Key exchange with Triple DES encryption. After design and implementation, experiments were performed on the different hybrid cryptosystems. A few results were shown and discussed.

The results obtained proved what many researchers had stated. The performance overhead on the mobile application due to the use of cryptography was significantly high. SSL remains as the prefferd protocol for secure mobile data transfer over the internet.

The secure transmission cryptosystems in the Cry-Help mobile crime reporting application were aimed towards protecting confidentiality of the user. This leaves other aspects of security including authentication, integrity and non repudiation of data. The cryptosystems were designed in such a way that these aspects of security could be added on with ease. Digital signatures should be used in the future and a better key exchange protocol could be implemented for RSA key exchange through using, hashes, digital signatures, nonces and many other security mechanisms that enhance security.