[cryptography] Application Layer Encryption Protocols Tuned for Cellular?

Jeffrey Walton noloader at gmail.com
Wed Oct 31 18:23:57 EDT 2012


Hi All,

Is anyone aware of application layer encryption protocols with
session management tuned for use on cellular networks? I need FIPS
compliant ciphers, but that should be an implementation detail (I
mention it because of setup and cipher text expansions).

I have an application that performs classic Diffie-Hellman to key a
channel using AES/CBC (or AES/CTR) with an HMAC, providing message
level security. (It was written some time ago, before OpenSSL had
Authenticated Encryption modes). The channel includes a counter for
playbacks and insertions. So far, so good - it's Crypto 101 stuff.

The problem in practice is TCP/IP and later generation cellular
networks (especially 4G and the "All IP" implementations). All appears
OK when moving among cells if the IP address is forwarded and the
device remains connected. All hell breaks loose when a device looses
connectivity or gets a new IP. A device could get a new IP as users
move between service providers.

It appears the TCP/IP stack on both sides (device and server within
the carrier's network) will queue messages when device connectivity is
lost. But the TCP/IP stack continues to operate as if all is
succeeding. So neither the client nor server realize there are
problems with the underlying socket. It's leading to a lot of session
management problems, including excessive resource usage.

In addition, I have an option to allow only one session per user (for
paranoid folks). When the previous session does not die as expected, a
new session cannot be started. Here, the device might realize the
socket is really dead, but the server has not realized it yet because
of the tricks that are being played in the TCP/IP stack on the server
side. So the client tries to reconnect but the server refuses due to
the "one session" rule.

The problem is not isolated to my application. On the train from
Washington to New York, it wreaks havoc on the VPN software I use. I
often get my account suspended due to fraud triggers (reconnects and
changing IPs). Ditto when using Acela's onboard Wi-Fi and trying to
maintain an SSL/TLS connection to GMail.

TLDR: Is anyone aware of application layer encryption protocols
with session management tuned for use on cellular networks?

Jeff
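
The stale-session lockout described in the message above, with one way a server can avoid it, as an added example that is not part of the original post or the poster's application. It assumes the client keeps its session key across the connectivity loss; SessionTable, tag, IDLE_LIMIT and the "msg"/"resume" labels are hypothetical names, and encryption of the payload is left out so only the session logic is shown.

```python
import hashlib, hmac, os

IDLE_LIMIT = 30.0   # assumed value: seconds of authenticated silence before a session is stale

def tag(key, label, data):
    """HMAC-SHA256 with a label, so message tags and resume proofs cannot be swapped."""
    return hmac.new(key, label + b"|" + data, hashlib.sha256).digest()

class SessionTable:
    """One session per user, bound to the session key rather than to a socket or IP."""
    def __init__(self, clock):
        self.clock = clock    # injectable; pass time.monotonic in real use
        self.sessions = {}    # user -> {"key", "conn", "ctr", "seen", "nonce"}

    def open(self, user, key, conn):
        old = self.sessions.get(user)
        if old and self.clock() - old["seen"] < IDLE_LIMIT:
            return False      # one-session rule holds only while the old peer is still heard
        self.sessions[user] = {"key": key, "conn": conn, "ctr": 0,
                               "seen": self.clock(), "nonce": None}
        return True

    def receive(self, user, ctr, payload, mac):
        """Accept a message (or empty heartbeat) only if counter and MAC both check out."""
        s = self.sessions.get(user)
        if s is None or not s["ctr"] < ctr < 1 << 64:
            return False      # unknown session, or replayed / out-of-range counter
        if not hmac.compare_digest(mac, tag(s["key"], b"msg", ctr.to_bytes(8, "big") + payload)):
            return False
        s["ctr"], s["seen"] = ctr, self.clock()   # only authenticated traffic proves liveness
        return True

    def challenge(self, user):
        """Issue a fresh nonce to a client reconnecting from a new socket or address."""
        s = self.sessions.get(user)
        if s is not None:
            s["nonce"] = os.urandom(16)
        return s["nonce"] if s else None

    def resume(self, user, proof, new_conn):
        """Rebind the session to new_conn if the client proves it still holds the key."""
        s = self.sessions.get(user)
        if s is None or s["nonce"] is None:
            return False
        ok = hmac.compare_digest(proof, tag(s["key"], b"resume", s["nonce"]))
        s["nonce"] = None     # a challenge is single use, pass or fail
        if ok:
            s["conn"], s["seen"] = new_conn, self.clock()
        return ok
```

Liveness here comes from authenticated application messages, not from the state of the TCP socket, so a half-open connection ages out after IDLE_LIMIT or is replaced at once by a client that answers the challenge.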