Encrypted SMS
A number of companies have been applying their encryption technology to SMS. One of these companies is Masabi; see Encrypted SMS As a Backup for Mobile Data Applications (Cellular-news).
Is SMS encryption a must-have? Do you think users care? Personally, I don’t think so.
The problem is a lack of true integration with the native SMS inbox, which means these solutions are not transparent enough. These third-party SMS encryption solutions work as a separate application, meaning the end user must invoke a native or Java ME application to send or receive encrypted SMS messages.
One of the issues with encryption is key management. To address this, these third-party solutions rely on a server to authenticate and perform some kind of key management; here the server must always be involved in the sending and in the receiving on the other end (which could be another handset or a server). Some may rely on public-key encryption (digital certificates), or hashing with salt, or maybe even exchanging a symmetric key directly. In any case, all those solutions rely on a data connection to a proprietary server for such secure SMS exchanges. Another thing to consider is that some encryption algorithms increase the size of the actual message, and complications may arise (including extra cost) if the resulting ciphertext exceeds 160 characters.
While I am not familiar with how Masabi works, it is my personal opinion that most solutions are not transparent enough and users will not use them, not to mention that the majority of people don’t care about encrypting their text messages.
ceo
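The size problem raised in the post, as an added example (not part of the original post or any vendor's code): it counts how many SMS parts a message needs in the clear, as binary ciphertext, and as base64 text. The 28-byte cipher overhead (12-byte nonce plus 16-byte tag) and the sample message are assumptions; the 140-octet and 160-character limits and the 6-octet concatenation header are the standard GSM values.

```python
import math

# GSM SMS limits: one message carries 140 octets of user data.
SINGLE = {"octets": 140, "chars": 160}   # 160 GSM 7-bit characters
# Concatenated parts lose 6 octets to the user data header (UDH).
PART = {"octets": 134, "chars": 153}

# Assumption: an authenticated cipher adding a 12-byte nonce and a 16-byte tag.
OVERHEAD = 12 + 16


def segments(size, unit):
    """SMS parts needed for `size` units ('octets' or 'chars')."""
    if size <= SINGLE[unit]:
        return 1
    return math.ceil(size / PART[unit])


def base64_len(n_octets):
    """Characters produced by padded base64 for n_octets of input."""
    return 4 * math.ceil(n_octets / 3)


def plan(plaintext, overhead=OVERHEAD):
    """Compare plaintext, binary-ciphertext and base64-ciphertext transport.

    Assumes the plaintext uses only basic GSM 7-bit characters.
    """
    ct_octets = len(plaintext.encode("ascii")) + overhead
    return {
        "plain_parts": segments(len(plaintext), "chars"),
        "ciphertext_octets": ct_octets,
        "binary_parts": segments(ct_octets, "octets"),
        "base64_chars": base64_len(ct_octets),
        "base64_parts": segments(base64_len(ct_octets), "chars"),
    }


def max_plaintext(unit, overhead=OVERHEAD):
    """Largest plaintext (octets) that still fits one SMS after encryption."""
    room = SINGLE["octets"] if unit == "octets" else SINGLE["chars"] // 4 * 3
    return room - overhead


# Constructed sample: a 100-character message, one SMS when sent in the clear.
SAMPLE = "transfer 25.00 to account 12345678".ljust(100, ".")

if __name__ == "__main__":
    print(plan(SAMPLE))
    print(max_plaintext("octets"), max_plaintext("chars"))
```

With these assumptions the 100-character sample still fits one SMS as binary ciphertext but needs two parts once the ciphertext is base64-encoded for a text-only channel.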
September 18th, 2008 at 3:11 am
Nice info. I also think that encrypted SMS will work and find their place in some special areas where high security might be needed.
But as usual with security, it affects usability, and most “normal” users will tend to put usability and knowing their system above security.
September 18th, 2008 at 11:39 am
CEO, did you know that if there was ever a court case against a person, they can get all the communication records, including SMS communications? There was a government official in California who was communicating via SMS and having an extramarital affair with a co-worker, and they were able to get to his SMSs.
So, I think people would want encrypted sms if it was done right. I do agree that key management is an issue and needs to be done right.
September 18th, 2008 at 12:31 pm
Hi Kiram. You said it: if done right, i.e. it is integrated and is transparent and turned on by default, people will use it.
I should have clarified above when I said most of the SMS people don’t care about encryption; I said that because the majority of texters are young folks, who don’t care.
But sure, there are some who will: government, businesses, and people with extramarital affairs.
LOL
ceo
September 19th, 2008 at 4:06 am
Thanks CEO,
valid points about whether or not normal users will want to use a separate application for sending normal messages to other human beings.
Exactly as Kiram said, only some users would have a compelling enough reason for security, such as top executives or government ministers who have a duty to keep certain communications confidential.
From an integration point of view, the incoming encrypted SMS messages can auto-start the application, so that the user doesn’t have to fire up the application separately to receive messages. If a mobile operator or manufacturer were to pre-install the application, it could be more tightly coupled with the phone’s UI, but we don’t assume that.
Our person to person messaging system (which is not publicly available yet) does not go via a central server - that would mean that all of your security depends on that server, which would be foolish. We use PKI with RSA to exchange keys. We get 120 characters in the first message, and 154 characters in subsequent messages.
However the main thing we use encrypted SMS for is not person to person messaging, but for application to server messages for normal retail services, such as selling train tickets, or international money transfer. The application tries to use GPRS, and if that fails, it automatically switches over to encrypted SMS (must be encrypted to protect your Credit Card Details). This means that m-commerce can be used in all sorts of situations where GPRS would not work, or for users that have no data in their call plan.
Ben.