Lightweight and Secure Elliptical Curve Cryptography (ECC) Key Exchange for Mobile Phones

— Open networks enable data communication between different types of mobile devices that showcase the need to enforce elevated security measures. Securing sensitive or confidential data in mobile phones is accomplished by implementing a diverse range of cryptographic techniques. While encryption algorithms, such as Rivest–Shamir–Adleman (RSA) may offer secure solutions that are often difficult to compromise, these in turn prerequisite high speed computational resources for effective operation. Elliptical curve cryptography (ECC) is well thought-out standard that offers a workable and feasible methods of encryption/decryption, whilst being applicable to resource constraint devices. This paper implements a novel key exchange mechanism that helps to secure exchange of data between the communicating mobile devices. The study aims to address the limitation of Elliptic Curve Deffie Hellman, which is susceptible to Man-in-the-Middle attack and proposes an enhanced Elliptic Curve Deffie Hell - man (ECDH) technique for secure data communication in open networks. The study results reveal, how the implementation of ECDH allows exchange of keys between the two communicating devices with limited resources.


Introduction
Smart phones' processing capabilities are almost leveling up with the currently available desktop computers, and these carry functions that are equally comparable to functions offered by desktop computers. Although the size of a mobile phone is comparatively much lower than that of a desktop, it presents needs to have -high computational power to perform high speed operations, long battery life for powering the device, storage to handle large amounts of data, perhaps in Terabytes (TBs). Widely used smart phone operating systems-Android and IoS, include the basic and more advanced features targeted to attract a huge customer base, are consistently enriched with new intuitive features in the form of new product release. Innovative products as such offer more user centric features in addition to technological changes that improve the major devices functionalities such as processing capabilities, network bandwidth, storage, and I/O functions.
Despite more and more appealing features, researchers, techno savvy and educated class [24] of smartphone users are highly concerned about the security of smartphone data, and the way how confidentiality is ensured when smart phones exchange data with each other or communicate over a network susceptible to intruders. Over open networks, Android and IOS operating systems use apps that are specifically designed to allow data exchange or communication [17][18][19][20].
However, due to open networks being more vulnerable to attacks, these apps pose more security concerns, and must guarantee confidentiality and privacy to users' data during the communication process [21] [22]. Typical scenarios experiencing such challenges, include mobile learning environments, as well as mobile performance support systems that demand security solutions to improve the security of data exchanges, particularly in Mobile Electronic Performance Support Systems (MEPSS). A study by [23], implements MEPSS to benefit participants who aim to complete assigned tasks in a more reliable and timely manner. MEPSS supports delivery of instructions ubiquitously in the moment of need and eliminates the serve to reserve hard copy of the data for learning, or to follow instructions from a web-based information source on the internet. However, to access and allow data exchanges as such, prerequisites the need to secure data communication between the employed mobile devices. This leads us to propose a solution that secures data on resource constraint devices, such as mobile phone with limited processing capability. The field of instructional technology encompasses instructional and non-instructional solutions to improve learning and performance. The ECC based solution, in this context, has been used as a non-instructional solution for mobile communication end users.

Problem statement
Operating systems referred in the prior section typically run on resource constraint mobile devices, and as such encryption algorithms, like RSA, may not find its place within those operating systems due to their intense computational nature [1]. In symmetric encryption, both the dispatcher or sender, and the beneficiary or receiver use a particular secret key in both encryption/encipher and decryption/decipher operations, whereas in asymmetric encryption, exchanging key during data communication between the phone devices, presents a major challenge [3][4][5][6][7], (see Figure 1). In the case of symmetric encryption, the key used to encrypt data, must be communicated confidentially to the receiver, to allow decryption of data at the receiver's end. Although the performance of such algorithms is better than the asymmetric algorithms, however the major concern is the secret exchange of key in an open network [8][9][10][11][12][13][14][15][16]. Asymmetric encryption, on the other hand makes use of two keys-public and private key to support encryption and decryption of data. The Figure 2 shows a typical process flow of asymmetric key exchange: Prime factorization based RSA and Elliptic Curve Cryptography ECC are the two well-known algorithms that base on the asymmetric encryption technique. These cryptographic techniques comprise of public/asymmetric key cryptographic algorithms along with the symmetric key cryptography, wherein only one key is employed for encryption. Cryptographic techniques as such, are competent enough to ensure security of data in networks with higher availability of and unlimited resources. Apparently, these cryptographic techniques are neglected for use in Android and IOS based smart phones owing to their reserve restriction characteristic.
As explained in the previous section, standard public key cryptographic algorithms, like RSA, is practically hard to implement on resource constraint devices since these type of algorithms demand high speed processors and need sustained supply sources to operate the device. Alternatively, a substitute called as Elliptical Curve Cryptography (ECC), has been devised as a pragmatic solution to the problems demanding application of public key cryptography. Several research studies have been conducted [1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16] and researchers have concluded that ECC based algorithms can proficiently execute on the reserve/restricted equipment like smart phones. ECC offers the same level of encryption/decryption with key size of 210 bits compared to the encryption/decryption offered by RSA that uses a long key size of 2048 bits for encryption. RSA key length offers hardcore cryptographic security to block hackers to crack the algorithm (see Table 1). This concludes that ECC serve as an alternative to the established RSA. This study focuses on the need of ECC in Android smart phone operating system.

Study outline
The study is organized in the following sections. Section 2.0-gives an insight into the fundamental concepts of Android based operating system, as the implementation of the proposed key exchange will be demonstrated on this mobile operating system. Section 3.0-introduces prior works related to the Elliptic Curve Cryptography with main focus on the generation of public and private keys. Section 4.0-presents the implementation of the Enhanced ECC Key Exchange for secure data transmission using mobile phones. Section 5.0-recommends an improvement to the Elliptic Curve Diffie Hellman (ECDH) algorithm on Android based operating system to avoid Manin-the-Middle attack. Section 6.0-provides an overall conclusion of the current study.

Overview of Android OS
Smart phone adoption has expanded at a rapid pace and mobile computing has seen huge increase over the past decade. This is what Andy Robin director of versatile smartphone frameworks at Google, has envisioned. He envisions that desktops ought to be totally supplanted by these little, intelligent and compact handheld gadgets called the smartphones [2]. The time has arrived, when smart phones have totally supplanted the desktops and personal computers (PCs). Handheld gadgets as such, are now becoming a close companion and part of the daily lives of ICT clients/users across the globe.
Smart phones typically run either Android or IOS operating system. Android operating system (AOS) is a superimposed or layered framework. Various functionalities are incorporated at the application layer, which include apps, like SMS, Email, GPS and other interesting applications with user interfaces. The development of such applications carrying several intuitive features is mainly carried out with Java programing language. Figure 3 shows detailed architecture of the Android Operating System is as under.

Review of elliptic curve cryptography
Elliptic Curve Cryptography (ECC) is an asymmetric, public key cryptographic technique wherein the communicating devices generate two keys-a public key and a secret key called the private key. The public key is distributed to all the devices, whereas the private key is hidden and kept secret by the client encrypting or decrypting the message [1]. Elliptic curve is represented (see Figure 4)   The realization of ECC depends on the following concepts, being imperative in the implementation of ECC.

ECC as discrete logarithm problem
As depicted in Figure 5, let's suppose two points on the curve are P and Q, such that k P Q . = , where k is a scalar. If by chance an intruder gains access to the values of P and Q, then it is not easy for the intruder to compute the value of k since computing the value of k is impractical from the curve. Thus, ECC is very hard to be cracked, as computing the value of k basically represents a Discrete Logarithm Problem (DLP) [3][4][5][6], that needs to be intractable.

ECC public key cryptosystem
In public key elliptic curve cryptosystems, suppose that a mobile device-1 intends to send a message 'Msg' to mobile device-2, confidentially. Then, the points on the curve can be computed as N, such that,

Generate public and private keys
As mentioned in the prior section, the communication between two entities, say mobile device-1 and mobile device-2 is established once both the parties would agree to use the same parameters on the curve. The initial generated point is P, and the N is concurred upon successive additions of P to itself. Now mobile device-1 generates a random number M no 1_ < N , which is the private key for mobile device-1. The public key is set by the mobile device-1 as pub M P M no _ . _ 1 1 = . Accordingly, the mobile device-2 generates a private key as M no 2_ < N and a public key by computing pub M P M no _ . _ 2 2 = .

Generate shared keys
As mobile device-1 and mobile device-2 start communication to exchange public keys, as generated in the above step, both the devices then generate a common key by computing a

Encryption
In this step, mobile device-1 wishes to encrypt a message "Msg", which it intends to send it to mobile device-2. The mobile device-1 randomly selects a number N and a private key M no 1_ , and the public key is generated by computing pub M P M no _ _ 1 1 u . The encryption of the given message then generates a new encrypted text called as cipher text.

Decryption
For the mobile device-2 to decrypt the cipher text, a reverse process used in the encryption, is applied to isolate the actual intended message.

Related work
The research done in the area of security and privacy of users using various IoT devices is summarized in Table 2, as under: Table 2. Previous studies

Reference Description Limitations
Al-Mahmud and Morogan [6] The Elliptic Curve based digital signature is implemented for the identity and authentication of users who are registered at the base stations who have every control to give access to the authenticated users This research has contributed in preventing the denial of service attacks (DoS) but the base station is vulnerable to number of attacks while the users are registering or doing any other activity through base station.
Gupta et al. [7] A cloud based approach is used wherein the IoT devices are directly communicating with the cloud with the help of embedded sensors. The XML based web services are used to enable IOT devices to secure their data and to fast the interaction with the cloud.
The increased numbers of users are directly interacting with the server database which may lead to the delay in the response. No authentication is provided by the researchers and the data may be compromised Rathee et al. [8] Smart Healthcare is discussed in this research and a blockchain technology based framework is proposed The proposed approach has a 86% success against different attacks in a smart city Wang et al. [9] The authentication of users is executed through a central repository called the key distribution centre. The KDC is responsible for the authentication and the privileges are provided to different users through KDC The mutual authentication of sensors and users is not supported by the proposed framework Kavitha et al. [10] The cryptographic techniques are discussed and an ECC based enhanced technique is implemented to secure the privacy of users while communicating.
The performance of the proposed technique is not computed.
Wazid et al. [11] The detailed comparison of authentication schemes is presented and the issues pertaining to IoT devices in terms of computational capabilities are discussed. The use of cloud and big data is discussed in this research Only the theoretical description os provided.
Ummer Iqbal et al [12] The researchers have made use of hash function and a modified ECC to design a novel access control scheme which is able to execute with low computational facility. The realistic testing of the proposed framework is conceded using the TinyOS operating system on MICAz motes. The security validation is done using AVISPA.
The proposed protocol is restricted and is not permitted for the cross-domain.

Key exchange via Android OS
The study employs two mobile devices with insufficient hardware resources, limiting the power to execute the computationally expensive algorithms on the employed devices. The key objective of this study is to securely communicate confidential data, in this study a simple message, between two smart phones using the ECC. As explained in the prior sections, ECC is capable to perform well on low power devices. We also reviewed the functionality of Android so as to implement ECC on Android platform. Before implanting the ECC on the two Smartphone devices, the concept of Elliptic Curve Diffie-Hellman Exchange (ECDH) is illustrated in the Figure 6. The generator point G is used by the two communicating smart phones, and the public_ key and private_key is generated. Public keys are shared by the two devices so as to generate a common shared key.
The javax.Crypto library is used for the implementation of ECC on the Android platform. The class libraries used are described as in the Figure 7. The screen shot shown in Figure 8 of the implementation of ECC on Android based operating system with two communicating smart phones is shown in the Figure 8. The two applications developed are-Mobile-1 and Mobile-2, to exchange the data. The validation of secure data exchange between mobile phones is completed by generating two keys-the public_key and the private_key. Once the public_key is sent via an open network, the two communicating mobile phones are proficient to generate a universal secret_key. After sharing the keys, the two communicating mobile phones were capable to establish a communication link and could now proficiently exchange confidential data on an insecure communication channel.

Proposed enhancement and results
In the previous section, we implemented Elliptic Curve Dephie Helman (ECDH) algorithm to secretly communicate the shared keys between the two smart phone devices. While communicating the shared keys for the encryption and decryption of the confidential message, researchers identify Man-in-the-Middle attack as a security loophole in such type of communication, and this attack is enforced as a result of weak validation methods used in the user authentication process [11][12]. We can further enhance the above implemented algorithm on mobile phones by incorporating more authentication procedures so as to get rid of the Man in the Middle Attacks. The proposed enhanced algorithm is presented in this section and the secret codes utilized in the algorithm are described in the Table 3. The proposed algorithm works with the objective to create a common shared key that is not susceptible to the Man-In-the-Middle Attack. The two algorithms which are getting executed at two smart phones are as under:  The developed protocol aims to make ECDH authentication more secure and safeguard data exchanges from the Man-in-the-Middle attack. The above algorithm relatively consumes more memory as compared to the original ECDH algorithm, nonetheless it simultaneously prevents Man-in-the-Middle attack. The proposed protocol was evaluated and tested on an emulator in the Android Studio and the results of our proposed protocol over the traditional ECDH are highlighted in the Figure 9.

Conclusion
This study attempted to address the security needs of the smart phones with limited computational capabilities. Since traditional cryptographic techniques like RSA need sufficient hardware resources, ECC as an alternative is introduced to handle security and privacy necessities in smart phones. An improved key exchange procedure has been suggested to overcome the shortcomings of ECDH in terms of man in the middle attack.
With an immaterial operating outlay of Random Access Memory and slightly higher Read Only Memory, the significant advantage of the proposed protocol is that it protects itself of well-known Man-in-the-Middle attack; Such an active attack is a serious threat to users of smart phones, novice users in particular.
As ECC encryption requires lower computational processing, ECC is practically more viable and suitable for resource constrained mobile devices. ECC can wisely put into practice, the preliminary concepts of authentication, confidentiality and Integrity in smart, and ECC can be exploited more closely in future studies to develop conventional protocols, as explained in this study.