Million of users in the world exchange every day several SMS messages to communicate faster and cheaper. Users write anything in their SMS messages, irrilevant matters as well as important and secret stuffs, but very a few know the vulnerabilities and the risks beyond this communication way. Most users do not realize how easy it may be to intercept SMS messages. From one end, carriers store SMS messages on their database. Potentially, carrier's employees can read your messages as well any third party that is near to the carrier or that can intercept your SMS messages in the air when you send it. More in depth, it would be relatively complex for a third party to hack into the carrier's systems to obtain the content of SMS messages. But finding staff privileged to look at the SMS messages and persuading them to reveal the contents proved easier. From the other end, sent and received messages are usualy stored in the phone or in the SIM card and are clearly readable on the mobile phone. This means that if you leave your phone on the table for some minutes, your colleague, your wife or husband or your dad, can read your SMS messages violating your privacy without any effort.
There is very interesting article by Nick Jones from Gartner Research that explains why we should not use SMS for confidential communication: "Don't Use SMS for Confidential Communication".
Despite to what that article says, I created a new technology that allows to protect SMS messages. My idea came from a simple question: "What happen if we encrypt the SMS messages before sending?". Very simple scenario: I wrote the message, encrypt it and send it to my friend. My friend receives the encrypted SMS message, decrypts and reads it. The answer to my question was: "It works!! Nobody but me and my friend can read the message".
Unfortunately neither the mobile phones, nor the SMS service supplied by the carrier allow to encrypt the SMS messages. The only way to do that is to extend in some way the phone functionalities adding an SMS encryption/decryption service. In other words, an application to install on the phone that manages encrypted SMS messages. I named it "Message in a Bottle", MIABO for short.
Message in a Bottle uses the most powerful cryptographic algorithms and protocols, such as Elliptic Curve cryptography and AES, to send encrypted SMS messages and stores and protects your private messages and contacts in special encrypted folders (separated from the canonical phone's SMS and contacts folders). It can be installed on the most of mobile phones available on the market: Nokia, SonyEricsson, BlackBerry, Windows Mobile, Samsung etc. Specific versions for Android and iPhone are in roadmap and will be available soon.
The following is a web demo to show how the application works:
|
|
The PIN for this demo is 1234.
Once started Message in a Bottle asks for a PIN. Such a PIN is used to protect the private SMS and contacts folder. More in depth, the PIN is used as a key to encrypt the messages inside the private SMS folder and the contacts inside the private contacts folders. If you type an incorrect PIN the decryption fails and you cannot read the messages and the contacts. A quick user manual is available here.
Message in a Bottle is based on Public Key Cryptography protocol similar to the one used by PGP: users have to exchange their public key before all. Once the public keys are exchanged both can send and receive encrypted messages (more info about the Public Key Exchange are available here). More info about Message in a Bottle, a tutorial and more info about Elliptic Curve Cryptography are available on the official Message in a Bottle web site: http://www.ugosweb.com/miabo
|
To download the Business Edition on your phone follow this instructions:
BlackBerry:
Point your mobile browser to the this url:
http://www.ugosweb.com/miabobb
and follow what your read on the display
Other phones (Nokia, SonyEriccson, Samsung, etc.):
Point your mobile browser to the this url:
http://www.ugosweb.com/miabobe
and follow what your read on the display
Advanced User:
If you are and advanced user you can install it as you prefer using other ways.
Read this page to know more: http://www.ugosweb.com/miabo/setup.aspx
Some technical details:
Message in a Bottle uses Elliptic curve cryptography over Prime Finite Field GF (p) following the standard specifications defined in the document IEEE-1363.
Key length of cryptographyc key (in bit), called |p|, is:
- Standard Edition: |p| = 160 bit
- Business Edition: |p| = 192 bit
- Government Edition: |p| = 256 bit
SMS encryption is made in two phases:
1) generation of the encryption key by the algorithm "Elliptic Curve Secret Value Derivation Primitive, Diffie-Hellman version (ECSVDP-DH)" as defined in the document IEEE-1363 §7.2.12
2) SMS encryption by AES algorithm by using the key generated above. The key length (in bit) of the AES jey is:
- Standard Edition: 128 bit
- Business Edition: 192 bit
- Government Edition: 256 bit