Technology Stocks : Identix (IDNX)

To: steve who wrote (19603)1/4/2001 1:13:36 AM
From: steve  Read Replies (1) of 26039
 
Keyware is mentioned in this piece. Maybe IDX and VeriSign can let CNN in on their secret...

Crossing the wireless security gap

From...

January 3, 2001
Web posted at: 10:50 a.m. EST (1550 GMT)

by Alan Radding

(IDG) -- Organizations have high hopes for wireless commerce. Bob Egan, an analyst at Stamford, Conn.-based Gartner Group, calls wireless "the growth hormone for e-commerce." But before wireless e-commerce or even wireless access to the corporate network takes off, organizations are going to have to nail down wireless security.

It's not that wireless isn't secure as it stands now. "We are doing secure wireless transactions today," declares Philip Wood, director of international wireless at Charles Schwab in San Francisco. Rather, wireless security is difficult to implement, requiring organizations to piece together myriad technologies. Few vendors offer a complete security package, and large pieces of the security puzzle are beyond the control of corporate IT, resting instead with carriers and wireless device manufacturers.

Most organizations would prefer to support only a single security model for e-commerce, preferably the Internet model in use today, notes Jeff Reed, vice president of e-commerce consulting firm Logical, a division of London-based Datatec. E-commerce in the wired world today relies primarily on Secure Sockets Layer (SSL), which is used to transmit everything from personal identification numbers (PIN) and passwords to credit card numbers.

But when you try to move this approach to the wireless world, you immediately encounter problems, starting with cellular phones with Wireless Application Protocol (WAP) capabilities. Unlike desktop and laptop computers or even personal digital assistants (PDA), WAP phones are pretty limited when it comes to security and lack the CPU power and memory necessary for RSA encryption, a key element of SSL.

Encryption ensures confidentiality by preventing eavesdropping, and WAP devices include their own security protocol, Wireless Transport Layer Security (WTLS). This is equivalent to SSL but uses less-resource-intensive encryption algorithms, such as elliptic-curve cryptography (ECC).

There's nothing wrong with WTLS except that "it is not compatible with SSL," which is the industry standard, notes Jeffrey Robinson, manager of corporate development at RSA Security Inc. in Bedford, Mass. So WTLS messages must be converted into SSL before an e-commerce site or corporate network can read them.

Conversion presents a security problem. Wireless messages travel through the air to the carrier's transmitter, where they are received and passed to a gateway that funnels them into the conventional wired network for transmission to the destination. At the gateway, the WTLS message is converted into SSL. For a brief moment, the message sits unencrypted inside the gateway, creating a security vulnerability.

To some observers, this gap in encryption presents an intolerable threat. Others take a more practical view. "We're not losing any sleep over it," says Wood. The messages spend only a few milliseconds in the clear on a machine buried deep inside the carrier's facility. "Somebody would have to break into a carrier site and do a data dump at that precise moment," he explains.

Egg PLC is a wireless Web-based bank in London. To guard the gateway conversion from WTLS to SSL, it runs its own gateway internally. Each message still spends a moment in the clear, but it happens within the Egg facility. "The best solution would be SSL end to end," says Iain Hunneybell, Egg's Internet customer authentication manager.

Redwood City, Calif.-based Phone.com's Secure Enterprise Proxy achieves end-to-end security using SSL and WTLS, but it lets organizations avoid re-encryption at the carrier's gateway by creating a WTLS tunnel that lets secure data pass through a network operator's gateway without decryption. WTLS tunneling ensures that the data remains encrypted until it reaches its final destination.

"The Phone.com approach lets you get all the way to your application server," explains John Pescatore, research director for Internet security at Gartner Group.

No Denying PKI

Encryption addresses part of the wireless security challenge. But it doesn't provide the solid authentication required for nonrepudiation, which is a mechanism that validates the information sender's identity to the receiver so that the receiver can be sure the user is who he says he is.

"For authentication and nonrepudiation, PKI, where certificates and keys are bound to the user, is the way to go. Everything is initiated through those keys," explains Paul Mansz, vice president of architecture at Toronto-based 724 Solutions Inc., a provider of wireless e-commerce applications. Several public-key infrastructure (PKI) products for wireless are starting to emerge, such as San Jose-based Certicom Corp.'s MobileTrust.

With PKI, organizations issue digital certificates to users to validate users' identity. The certificate is encrypted and accompanies each transaction. By using the public and private key and a certificate authority to validate the certificate, authorized parties can decrypt the certificate to authenticate the user with greater assurance than can be achieved through PIN-based authentication.

With this approach, however, a third party is needed to validate the digital certificate. Vendors that have introduced digital certificates include Certicom; RSA Security; Entrust Technologies in Plano, Texas; Baltimore Technologies in London; and VeriSign in Mountain View, Calif.

San Carlos, Calif.-based ePocrates Inc., a provider of handheld computing devices for physicians, opted for Certicom's wireless certificate security for its Palm-based applications.

The combination of Certicom certificate-based security and the more capable Palm device allows ePocrates to avoid the wireless gateway handoff.

"We have true nonrepudiation end to end, all the way to the application-level security," says Daniel Zucker, chief technology officer at ePocrates. With that level of security, ePocrates runs a drug prescription application that relies on Certicom's mobile client certificates to authenticate the identity of the prescribing physician and lets the physician digitally sign the prescription right on the Palm device. The Certicom certificate uses ECC encryption algorithms, which are smaller than RSA encryption algorithms.

Schwab is taking another approach. It opted for a smart-card system from Stockholm-based cellular phone vendor Ericsson Inc. and Gemplus SA in Gemenos, France, which provides the smart card, says Wood. In the system, currently being deployed in Hong Kong, the wireless device reads the smart card, which carries the Schwab customer's private key and digital certificate. The customer then enters his account number and PIN.

The smart-card system allows for nonrepudiation, but it's available only where there are Global System for Mobile Communications (GSM) wireless networks. In the U.S., there are few GSM networks, thus forcing Schwab to use two different wireless security strategies - one for the U.S. and one for Asia and Europe.

When it comes to authentication, wireless adds a disturbing wrinkle. A wireless phone can be easily stolen or lost. If the owner's digital certificate and key are in the phone, as a smart card or otherwise embedded, it presents an opportunity for considerable mischief. By combining smart cards with the requirement to separately enter a PIN, organizations can thwart such threats. But entering data such as account names and PINs on a cell phone "isn't easy to do. We need simpler approaches," says Pescatore.

On the Horizon

One emerging security tool is biometric devices, which use unique physical identifiers such as voiceprints, fingerprints or retina images to positively identify the user. With biometrics, even if someone should steal your mobile phone, he wouldn't be able to imitate your voice or fingerprint. "By 2004, we expect biometrics will have reached the price/performance level to allow it to be integrated into PDAs and cell phones," Pescatore says.

Woburn, Mass.-based Keyware offers a system that lets users register their voiceprints for authentication purposes. The voiceprints can be stored on a central server or on a smart card within the wireless device. At least one U.S. bank is testing Keyware's wireless voice recognition system in conjunction with a smart card, says Mik Emmerechts, Keyware's director of U.S. operations, but he declines to identify the bank.

Many of the obstacles confronting wireless security will disappear with the widespread adoption of third-generation wireless technology. The third-generation phones will be IP-based and sport more processing power, memory and bandwidth, which will allow SSL security end to end, explains Matthew Decker, a consultant at Lucent Technologies in Murray Hill, N.J.

By combining third-generation wireless with smart cards and biometrics, organizations will finally have a unified security system that works for both the wireless and wired worlds.

cnn.com

steve
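The gateway handoff the article describes (WTLS terminated at the carrier's gateway and re-originated as SSL, versus a tunnel that carries the session through the gateway untouched) can be modelled directly. The following is an added example and is not code from the original post, from CNN, or from Phone.com, Egg or any other vendor named above. The stream cipher, the key values and the transaction string are constructed stand-ins, and the `CarrierGateway` class and `simulate` function are hypothetical names chosen for this illustration; the end-to-end mode assumes the handset negotiated a session key with the application server rather than with the gateway.

```python
"""Model of the 'WAP gap': a gateway that terminates WTLS and re-originates SSL
necessarily holds plaintext between the two legs, whereas a tunnel that carries
an end-to-end session leaves the gateway with ciphertext only.
Constructed example; the cipher below is a toy, not WTLS or SSL."""
import hashlib
import hmac
import os

BLOCK = 32  # bytes of keystream per HMAC-SHA256 output


def toy_cipher(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Constructed stream cipher: XOR with an HMAC-SHA256 keystream.
    Symmetric, so the same call encrypts and decrypts. Illustration only."""
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        counter = (i // BLOCK).to_bytes(4, "big")
        ks = hmac.new(key, nonce + counter, hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + BLOCK], ks))
    return bytes(out)


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Record format (constructed): 16-byte nonce || ciphertext."""
    nonce = os.urandom(16)
    return nonce + toy_cipher(key, nonce, plaintext)


def decrypt(key: bytes, record: bytes) -> bytes:
    return toy_cipher(key, record[:16], record[16:])


class CarrierGateway:
    """Hypothetical model of the WAP gateway sitting in the carrier's facility."""

    def __init__(self, wtls_key: bytes, ssl_key: bytes):
        self.wtls_key = wtls_key  # session key shared with the handset
        self.ssl_key = ssl_key    # session key shared with the e-commerce server
        self.memory = []          # every buffer the gateway holds; what a compromise of it would expose

    def relay_hop_by_hop(self, wtls_record: bytes) -> bytes:
        """Terminate WTLS and re-encrypt as SSL: plaintext exists here for a moment."""
        plaintext = decrypt(self.wtls_key, wtls_record)
        self.memory.append(plaintext)
        return encrypt(self.ssl_key, plaintext)

    def relay_tunnel(self, record: bytes) -> bytes:
        """Forward an end-to-end record unchanged: the gateway holds no key for it."""
        self.memory.append(record)
        return record


def simulate(mode: str) -> tuple:
    """Return (server_decrypted_transaction_ok, pin_visible_at_gateway)."""
    transaction = b"account=12345678;pin=4321;action=buy;qty=100"  # constructed sample
    wtls_key = hashlib.sha256(b"constructed handset<->gateway key").digest()
    ssl_key = hashlib.sha256(b"constructed gateway<->server key").digest()
    e2e_key = hashlib.sha256(b"constructed handset<->server key").digest()
    gw = CarrierGateway(wtls_key, ssl_key)
    if mode == "hop-by-hop":
        server_sees = decrypt(ssl_key, gw.relay_hop_by_hop(encrypt(wtls_key, transaction)))
    elif mode == "end-to-end":
        server_sees = decrypt(e2e_key, gw.relay_tunnel(encrypt(e2e_key, transaction)))
    else:
        raise ValueError(mode)
    # What a memory dump of the gateway at the wrong moment would contain.
    pin_exposed = any(b"pin=4321" in buf for buf in gw.memory)
    return server_sees == transaction, pin_exposed


if __name__ == "__main__":
    for m in ("hop-by-hop", "end-to-end"):
        delivered, exposed = simulate(m)
        print(f"{m:11s} delivered={delivered} pin_visible_at_gateway={exposed}")
```

Both modes deliver the transaction intact; the difference is only in what the gateway's memory holds. Egg's decision to run the gateway in-house does not change `relay_hop_by_hop` at all; it changes who owns the machine whose `memory` list briefly contains the PIN, which is exactly the trade-off Hunneybell's "SSL end to end" remark points at.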