MIKEY-SAKKE Android demonstrator -- SELEX Elsag Ltd

Authors

Adam Butcher <adam.butcher@selexelsag.com>

MIKEY-SAKKE Key Management Service HTTPS server and C++ client library.
Key-storage abstraction, parameter set sharing, ECCSI signing and SAKKE key exchange C++ cryptography library.
Re-entrant thread-safe C++ front-end for multi-precision arithmetic libraries OpenSSL and LibGMP.
- Efficient thread-specific scratch support for OpenSSL and LibGMP integers.
- Reclaim of terminated thread's bigint scratch pools by new threads, avoiding costly reallocations. (GMP only)
Efficient octet-string and bigint conversion routines (octet-string <=> bigint (OpenSSL and GMP), and GMP bigint <=> OpenSSL bigint)
Port of Minisip to Android
- New OpenSL-ES native Android audio device.
- Portability and build fixes.
- Java JNI front-end for Minisip including client interfaces for GUI applications.
- MinisipService (Android background service running the Minisip core.)
- MinisipTest application (Android UI for command-based interaction with Minisip core.)
Android build fixes for Boost, libcurl and libgmp.
MIKEY-SAKKE for Minisip
- Extensions to Minisip's libmikey to support ECCSI/SAKKE.
- Extensions to Minisip's user-accounts interface and profile configuration to support MIKEY-SAKKE parameters such as KMS location, authorization and test-vector support.
Enhancement to Wireshark MIKEY dissector to support ECCSI/SAKKE dissection.

Paul Roberts <paul.m.roberts@selexelsag.com>

Android Secure Phone GUI as a remote client to the MinisipAndroid library.
Android boot service to start MinisipAndroid backend at handset startup allowing secure MIKEY-SAKKE calls to be received using the Secure Phone GUI without the user having to explicitly load the application.
Configuration interface for Minisip parameters.
Use of Android's build-in contact details (address book) to make secure internet (SIP) calls with MIKEY-SAKKE.

Building

All of the software (save for the android-specific GUI parts) can be build for any supported platform. For instance it is possible to build the MIKEY-SAKKE enhanced GTK GUI for Minisip on x86 which can be useful for testing and demonstration.

Though the build instructions below detail the Android build, targeting a different platform can be done by simply replacing the android-cross prefix in the command-lines below with another environment front-end or nothing to build for the build platform.

Locations

Note that it is important to checkout the correct branch from the repositories below.

Repository for KMS and crypto libraries:
- git clone https://bitbucket.org/secollab/libmikey-sakke.git
  - git checkout selex-crypto

Repository for Minisip with Android port and MIKEY-SAKKE extensions:
- git clone https://bitbucket.org/secollab/minisip-android.git
  - git checkout mikey-sakke

Online browsing

MIKEY-SAKKE KMS (server/client) and Crypto libraries
- https://bitbucket.org/secollab/libmikey-sakke/src/selex-crypto

Minisip Android

Locations relative to these roots will be specified below for each component discussed.

Build environment

The whole environment can be set up in a local user account. There is no need to install system-wide or require root access.

Base dir and checkout

# establish base dir for android stuff
#
mkdir -p ~/src/android
cd ~/src/android

# clone the minisip-android tree
#
git clone https://bitbucket.org/secollab/minisip-android.git minisip
(cd minisip && git checkout mikey-sakke)

# clone the libmikey-sakke tree
#
git clone https://bitbucket.org/secollab/libmikey-sakke.git
(cd libmikey-sakke && git checkout selex-crypto)

Tooling prerequisites (One-time setup for Android cross-compiling)

# ensure that ~/bin is on your PATH.
# Add to ~/.profile or ~/.environment.local for persistence across logins.
#
export PATH=$HOME/bin:$PATH

# enter build base directory
#
cd ~/src/android

# fetch and extract sdk and ndk if you dont have them already
#
wget http://dl.google.com/android/android-sdk_r16-linux.tgz
tar zxvf android-sdk_r16-linux.tgz
wget http://dl.google.com/android/ndk/android-ndk-r7b-linux-x86.tar.bz2
tar jxvf android-ndk-r7b-linux-x86.tar.bz2

# ensure that ANDROID_SDK and ANDROID_NDK are set in your profile.
# Add to ~/.profile or ~/.environment.local for persistence across logins.
#
export ANDROID_SDK=$PWD/android-sdk-linux
export ANDROID_NDK=$PWD/android-ndk-r7b

# fetch and install android-cross tool (front-end environment setup tool)
#
svn co https://subversion.assembla.com/svn/ajb-tools/trunk/android/android-cross/
ln -s $PWD/android-cross/android-cross ~/bin/

# Build GDB 7.4 and overwrite NDK version.  Much better for debugging C++ than 6.x.
# (a script is provided in libmikey-sakke/selex/build to perform this)
#
wget http://ftp.gnu.org/gnu/gdb/gdb-7.4.tar.bz2
tar jxvf gdb-7.4.tar.bz2
GDB=$PWD/gdb-7.4 bash libmikey-sakke/selex/build/update-android-gdb.sh

# manual method for build is roughly:
(
 cd gdb-7.4
 mkdir arm-linux-androideabi
 PATH=$(android-cross @PATH) ../configure --prefix=$ANDROID_NDK/prebuilt/linux-x86 --target=arm-linux-androideabi
 make install
)

# ensure you have Android 2.3 (API level 10) SDK Platform installed
# via the android GUI and exit
#
android-cross android

# fetch and install make-target-pkg-config to override pkg-config for android
#
svn co https://subversion.assembla.com/svn/ajb-tools/trunk/build/make-target-pkg-config/
./make-target-pkg-config/make-target-pkg-config arm-linux-androideabi

# rehash command cache in case a local version now overrides the system installed version
hash -r || rehash

Prerequisites for C++ libraries (One-time setup)

The build scripts below perform build configuration and perform the build. To skip the configuration stage prefix the script with NO_CONFIGURE=1.

cd ~/src/android

# clone the openssl-android tree
#
git clone https://github.com/eighthave/openssl-android.git

# fetch and extract boost, curl and gmp (use curl -O if you don't have wget)
#
wget http://sourceforge.net/projects/boost/files/boost/1.49.0/boost_1_49_0.tar.bz2/download
tar jxvf boost_1_49_0.tar.bz2
wget http://curl.haxx.se/download/curl-7.25.0.tar.bz2
tar jxvf curl-7.25.0.tar.bz2
wget http://ftp.gnu.org/gnu/gmp/gmp-5.0.5.tar.bz2
tar jxvf gmp-5.0.5.tar.bz2

# build scripts exist for these within the libmikey-sakke/selex/build
# directory.  They take care of applying Android fixes and required
# configuration parameters.
#
# To remove the need to configure in various stages, the following
# environment variables should be defined: (it may be convenient to
# add them to some sort of build-env file to be sourced in new
# shells).
#
export BOOST=$PWD/boost_1_49_0
export CURL=$PWD/curl-7.25.0
export GMP=$PWD/gmp-5.0.5
export OPENSSL=$PWD/openssl-android

# build OpenSSL for Android
(cd $OPENSSL && android-cross ndk-build)

# build the others
(
 cd libmikey-sakke/selex
 android-cross ./build/build-gmp.sh
 android-cross ./build/cutdown-build-curl.sh
 android-cross ./build/cutdown-build-boost.sh
)

Building the libraries and applications

In the following N in -jN is the number of processors to use for the build.

MIKEY-SAKKE C++ libraries and test programs

cd ~/src/android/libmikey-sakke/selex

android-cross make -j8

Individual components can be build with the same command in the mskms and mscrypto subdirectories.

Minisip

cd ~/src/android/minisip-android

# build from scratch -- this will clean build every time.
#
android-cross ./buildmodules.sh -j8

A few options are provided to customize the above. They can be combined where it is logical to do so.

Build stage customization

# don't clean, but still bootstrap and configure
NO_CLEAN=1 android-cross ./buildmodules.sh -j8

# reconfigure but don't clean or bootstrap
NO_BOOTSTRAP=1 android-cross ./buildmodules.sh -j8

# don't configure, just make
NO_CONFIGURE=1 android-cross ./buildmodules.sh -j8 

# don't consider the minisip libs at all (just build Android GUIs)
NO_LIBS=1 android-cross ./buildmodules.sh -j8

Build component customization

It is possible to selectively build or skip any of Minisip libraries using the SKIP and ONLY variables. It is also possible to cause the build to consider additional components via the EXTRA variable.

# make only the mikey and libminisip libraries
NO_CONFIGURE=1 ONLY="libmikey libminisip" android-cross ./buildmodules.sh -j8

# make everything except the libmutil and libmnetutil libraries
NO_CONFIGURE=1 SKIP="libmutil libmnetutil" android-cross ./buildmodules.sh -j8

# build all libraries and additionally the minisip main desktop
# program.  Note that we are not building for android here (no
# android-cross).
#
NO_CONFIGURE=1 EXTRA=minisip ./buildmodules.sh -j8

# build only the minisip desktop application (useful, for example, if
# a GUI change has been made)
NO_CONFIGURE=1 EXTRA=minisip ONLY=minisip ./buildmodules.sh -j8

Installing to PC or target Android phone

Whether you are installing the native Minisip to a local user account on the development PC or to a USB connected Android device (or emulator), just pass install to the script.

# build and install to an attached android device
NO_CONFIGURE=1 android-cross ./buildmodules.sh -j8 install

# build and install the native GTK gui to the local user account
NO_CONFIGURE=1 EXTRA=minisip ./buildmodules.sh -j8 install

MIKEY-SAKKE Key Management Service Server

See https://bitbucket.org/secollab/libmikey-sakke/raw/selex-crypto/selex/mskms/server/README for build and usage details.

Minisip Java/Android front end

The java source is all under the following path:

  /libminisip/source/java

The android extras with test UI is at

  /libminisip/source/android

The Java interface for a developing a GUI, and the CommandString wrapper for message passing is at:

  /libminisip/source/java/se/kth/minisip
  /libminisip/source/java/se/kth/mutil

Note that the OpenSSL libraries (libssl and libcrypto) form part of the android 8 base so it is unnecessary to package them in the APK.

Android Secure Phone GUI