
As mobile devices grow increasingly capable, users expect them to mirror their desktop applications and use cases. Hence, web browsing, e-commerce and similar web services are increasingly popular on mobile devices. SSL and its underpinning public-key cryptography operations are a fundamental component of these services. While some services such as GMail require that the initial authentication be performed over HTTPS, all other interaction between the user and the GMail service occurs in the clear. On the other hand, banking services require that the user's entire communication session be secure. However, as past work has shown (Cobalt, Trustworthy kiosks, etc.), secure session establishment is one of the most expensive components of a user's interaction with a web service. Specifically, computing the public-key exponentiations and verifying the credentials of the remote party are intensive in terms of CPU, power and computation time.

To address this problem, we propose to shift the burden of public-key cryptography off the mobile device to the cloud. One possible usage scenario is as follows. At the start of the day, the user's mobile device establishes a secure session with an EC2 (or similar in-cloud) server, and negotiates a session key with a TTL of 1 day. Later, when the user attempts to check his email, the mail server will request that an SSL session be established. The mobile device offloads all public-key computations to the user's EC2 server by encrypting the SSL session parameters received from the mail server and sending them to the EC2 server (the actual messages can be sent over Wi-Fi or as an SMS). The EC2 server performs the operations and returns the results to the mobile device as an SMS. The mobile device can use these results to successfully establish a secure session.

Any future communication between the mobile device and the web service will either be in the clear or encrypted with a session key (symmetric-key cryptography), which has significantly lower overhead than public-key cryptography.
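The offload exchange in this scenario, sketched as an added example that is not part of the original proposal: the device seals the operands of one modular exponentiation under the day-long session key, and the cloud server checks the key's TTL and the message's integrity before computing the result. The message layout, the function names and the HMAC-based stream cipher (a standard-library stand-in for a real AEAD cipher) are assumptions, and the server sees every operand it is sent, so it must be trusted with handshake secrets.

```python
import hashlib, hmac, json, secrets, time

SESSION_TTL = 24 * 3600  # one-day session key lifetime from the scenario

def new_session(now=None):
    """Constructed stand-in for the key negotiated at the start of the day."""
    now = time.time() if now is None else now
    return {"enc": secrets.token_bytes(32), "mac": secrets.token_bytes(32),
            "expires": now + SESSION_TTL}

def _xor_stream(key, nonce, data):
    # Stdlib stand-in for a real AEAD cipher: HMAC-SHA256 in counter mode.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, b"".join(blocks)))

def seal(session, msg):
    """Encrypt-then-MAC a JSON message under the session key."""
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(session["enc"], nonce, json.dumps(msg).encode())
    tag = hmac.new(session["mac"], nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(session, blob, now=None):
    """Reject expired keys and forged messages before decrypting."""
    if (time.time() if now is None else now) > session["expires"]:
        raise ValueError("session key expired")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(session["mac"], nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("message failed authentication")
    return json.loads(_xor_stream(session["enc"], nonce, ct))

def server_handle(session, blob, now=None):
    """Cloud side: perform the offloaded modular exponentiation."""
    req = unseal(session, blob, now)
    result = pow(req["base"], req["exp"], req["mod"])
    return seal(session, {"id": req["id"], "result": result})

def device_offload(session, base, exp, mod, send):
    """Device side: ship operands, accept only the reply to this request."""
    req_id = secrets.token_hex(8)
    reply = unseal(session, send(seal(session,
                   {"id": req_id, "base": base, "exp": exp, "mod": mod})))
    if reply["id"] != req_id:
        raise ValueError("reply does not match request")
    return reply["result"]
```

Here `send` is any callable that carries the sealed bytes to the server and returns its sealed reply, standing in for the Wi-Fi or SMS transport.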

 

Tasks and Responsibilities: Build a security service that runs on EC2 using the Amazon API. Build a mobile client that interposes on cryptographic operations and offloads them to the EC2 server instead of performing them locally. Measure the offload approach against the current local approach.

Mobile Security Service via Utility Computing
