
CSC8208

GROUP PROJECT 2023

A Bluetooth Secure Chat System with End-to-end Encryption

Carlton Shepherd

Introduction

Secure communication is a major concern for personal and professional use, with numerous solutions having emerged over the years. The current wave of secure chat clients dates as far back as 2004 with the development of the Off-the-record (OTR) messaging protocol [1], which supports secure instant messaging with message encryption, authentication, and forward secrecy. Signal, Threema, Telegram, and WhatsApp represent some of the most widely used secure messaging solutions in today’s marketplace. One major shortcoming with these systems, however, is their reliance on a remote, centralised infrastructure to set up and maintain communication channels with other participants. They perform poorly in circumstances where Internet access is unreliable or unavailable; for instance, communicating in rural areas, during natural disasters, at sea, and in the air. With the widespread use of Bluetooth technology on personal devices, e.g. tablets and smartphones, there is an opportunity for a secure chat system for protecting communications at short physical distances.

Scenario

In this project, you are tasked to design, implement, and evaluate a Bluetooth chat system for encrypted short-range communication. Your system will allow two platforms of your choosing (mobile, laptops, tablets etc.) to send and transmit messages over a Bluetooth-based secure channel. In this context, the definition of ‘secure’ is based on addressing a reasonable set of threats identified in Task 2. Message confidentiality and authenticity, and user authentication should be covered as a minimum requirement.

Task 1: Literature Study

Conduct a literature review of existing secure messaging systems from the academic literature and technical documentation of popular applications.  Consider the advantages and disadvantages of these systems, their features and properties. The references section provides some initial papers to help begin your search; the survey paper by Unger et al. [2] serves as a good starting point.

Task 2: System Design

Design the architecture and workflow of a Bluetooth-based encrypted messaging system. An example interaction is illustrated at a high level in Figure 1 for one-to-one communication. This comprises two devices—I, the initiating device, and R, the responding device—along with the following stages:

1. Device pairing: This stage is common in any Bluetooth interaction. An initiator issues a pair request to the responder, who replies with an optional PIN code request. The pairing is established if I submits the correct PIN to R.

Figure 1: A sketch of the main phases of a Bluetooth-based chat protocol (Protocol 1, between devices I and R).

2. Session creation: Both I and R verify and authenticate the identities of each other. (For example, this can be done by using a certificate-based authentication system or the entry of a password.) Upon successful verification of I and R’s identities, an encrypted channel is created to support the next stage.

3. Message exchange: I and R exchange numerous messages as desired. At the end of the exchange, the session is terminated and the channel is closed.

List the threats, assets and vulnerabilities that would be relevant within your architected system. Furthermore, consider any countermeasures that you believe are appropriate to address these issues. Some points for investigation are:

• How will you protect the confidentiality of messages sent during stage 3 of Figure 1? What algorithms will you use?

• Will your system securely store, and later delete, previously received messages?

• Is an adversary able to conduct a man-in-the-middle attack [3] during a session?

• How does your system react if the Bluetooth link is unexpectedly lost during an active session?

In your group project, justify any countermeasures that you deploy in response to potential security threats.
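An added sketch of stages 2 and 3, not part of the original brief and not a model solution: per-direction keys are derived from a shared password plus fresh nonces, and each message carries a counter and a MAC so that modified, replayed, reflected or missing messages are detected. The password option, the frame layout and all names (`derive_keys`, `Channel`, `new_session`, `rejected`) are assumptions made for illustration, and both devices are simulated in one process.

```python
import hashlib, hmac, os, struct

# Assumption: I and R share a password (the brief's "entry of a password" option).
# Not covered here: encryption (wrap payloads in the platform's AEAD), and
# offline password guessing from captured frames (a PAKE or certificates fix that).

def derive_keys(password, salt, n_i, n_r):
    """Stage 2: one MAC key per direction, bound to both sides' fresh nonces."""
    root = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return {d: hmac.new(root, d + n_i + n_r, hashlib.sha256).digest()
            for d in (b"I>R", b"R>I")}

class Channel:
    """Stage 3: one end of the session; me is b"I" or b"R"."""
    def __init__(self, me, keys):
        out, inc = (b"I>R", b"R>I") if me == b"I" else (b"R>I", b"I>R")
        self.k_out, self.k_in = keys[out], keys[inc]
        self.seq_out = self.seq_in = 0

    def seal(self, payload):
        hdr = struct.pack(">Q", self.seq_out)   # 8-byte message counter
        self.seq_out += 1
        tag = hmac.new(self.k_out, hdr + payload, hashlib.sha256).digest()
        return hdr + payload + tag

    def unseal(self, frame):
        if len(frame) < 40:
            raise ValueError("short frame")
        hdr, payload, tag = frame[:8], frame[8:-32], frame[-32:]
        good = hmac.new(self.k_in, hdr + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, good):
            raise ValueError("bad tag")          # modified, reflected, or wrong password
        if struct.unpack(">Q", hdr)[0] != self.seq_in:
            raise ValueError("unexpected sequence number")  # replayed or a gap
        self.seq_in += 1
        return payload

def new_session(pw_i, pw_r):
    """Simulates both devices in one process with constructed random nonces."""
    salt, n_i, n_r = os.urandom(16), os.urandom(16), os.urandom(16)
    return (Channel(b"I", derive_keys(pw_i, salt, n_i, n_r)),
            Channel(b"R", derive_keys(pw_r, salt, n_i, n_r)))

def rejected(chan, frame):
    """Returns the rejection reason, or None if the frame was accepted."""
    try:
        chan.unseal(frame)
    except ValueError as e:
        return str(e)
    return None
```

A sequence gap after a dropped Bluetooth link surfaces as "unexpected sequence number", which is the point at which a design has to decide between resynchronising and tearing the session down.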

Lastly, examine how your design will meet real-world performance requirements. For example, the time it takes to create a chat session and send and receive messages. Additionally, measuring your system’s impact on power consumption is an important factor for portable devices.

Task 3: Implementation

Create an implementation of the system on a platform of your choice. Implement your system in a way that covers the concerns, requirements, and other design considerations in the previous section. For example, Android or Apple iOS for mobile communication, or a Windows or Linux application for communicating with laptops and personal computers. You are also free to select your development environment and chosen platforms, although these must be justified in the group report.

Guidance

In practice, it is highly desirable to take advantage of well-developed security implementations before developing one’s own. As such, it is worthwhile to first investigate the security and encryption features offered by Bluetooth itself in order to meet some of your security requirements, rather than developing bespoke mechanisms. For general Bluetooth development on mobile devices, Android’s Bluetooth overview [4] and Apple’s Core Bluetooth framework documentation [5] are two useful resources.

For preserving message confidentiality, it is worth investigating best practices for securely working with sensitive data on your chosen platform. On Android platforms, the article ‘Work with data more securely’ [6] is a useful resource, although the principles discussed can be translated to other platforms. For verifying the identity of users, consider looking at how digital certificates can be securely configured and used on your chosen platform; for example, see the Android documentation on ‘Security with network protocols’ [7].

Task 4: Evaluation

Measure the performance of your system using methods and metrics that you deem appropriate. Some potential approaches include measuring communication latency, battery usage, memory usage, and the maximum distance of operation. Evaluate and discuss the results in the context of the performance requirements from Task 2. Incorporate the results and the discussion into your group project report.

References

[1] N. Borisov, I. Goldberg, and E. Brewer, “Off-the-record communication, or, why not to use PGP,” in Proceedings of the ACM Workshop on Privacy in the Electronic Society, pp. 77–84, 2004.

[2] N. Unger, S. Dechand, J. Bonneau, S. Fahl, H. Perl, I. Goldberg, and M. Smith, “SoK: Secure messaging,” in IEEE Symposium on Security and Privacy, pp. 232–249, IEEE, 2015.

[3] Wikipedia contributors, “Man-in-the-middle attack,” 2023. https://en.wikipedia.org/wiki/Man-in-the-middle_attack.

[4] Android Open Source Project, “Bluetooth overview,” 2023. https://developer.android.com/guide/topics/connectivity/bluetooth.

[5] Apple, Inc., “Core Bluetooth,” 2023. https://developer.apple.com/documentation/corebluetooth.

[6] Android Open Source Project, “Work with data more securely,” 2023. https://developer.android.com/topic/security/data.

[7] Android Open Source Project, “Security with network protocols,” 2023. https://developer.android.com/training/articles/security-ssl.