re: Mobile Security
Transaction security isn't the sexiest topic related to the mobile Internet, but one of the most important.
>> Secure This
By Carlo Longino, Jun 07 2001, The Feature
Wireless security is a certain barrier in mobile commerce. Many common-sense mobile services such as banking and shopping are held back not only by bandwidth constraints, but also because carriers and vendors can't guarantee consumers that their credit-card numbers and PINs are safe. Traditional Internet-based security methods, like so many other things, don't translate to the Net's wireless cousin, and most connections from a Web server to a mobile client aren't designed with end-to-end security in mind.
In a desktop environment, data is encoded server-side and decoded by the client, usually using the industry standard secure sockets layer (SSL) method. SSL, however, is designed for somewhat fast network speeds and quite a bit of client-side decryption (i.e. processing), making it a non-starter in the mobile world.
But typical WAP carrier gateways can receive SSL-encrypted data, decrypt it and then re-encrypt it in the mobile-friendly wireless transport layer security (WTLS), which can then be decrypted by the handset's browser. This provides a modicum of security, but the brief instant the data is decrypted on the gateway provides a vulnerability that is too great for most financial institutions to take a chance on.
Most everyone agrees the ideal solution is a public key infrastructure (PKI), a system that enables secure transactions by utilizing a pair of keys generated from the same cryptographic algorithm. But most PKIs are based on the RSA algorithm, which is heavily taxing on mobile CPUs, and neither mobile networks nor handsets are equipped with the necessary software.
Dialin' In
A simple way to ensure secure transactions for a bank or other service is to host a WAP gateway behind a secure enterprise firewall. WAP gateways suited for corporate deployment are readily available and allow companies to offer dial-up WAP access through modems behind their firewall, bypassing the vulnerabilities of the carrier's network.
But the significant financial and technical overhead required provides yet another stumbling block. A bank, for instance, must install and support a modem bank for dial-up PC banking, something many of them did away with as the Internet gained in popularity. But more importantly, devices must point to the right gateway - something many users will not want to deal with.
Although there are products such as Nokia's Activ solution, which through smart SMS pushes set-up information to a user's phone, there is still a measure of handset-level work that must be done. Users must also manually switch from their carrier's gateway to the enterprise's, and unless their phone is one of a handful that can accept multiple WAP gateway profiles, it's no small task.
This solution is already in use by several banks in Europe, including the region's biggest, Deutsche Bank, and the world's first to offer WAP banking, Finland's Merita.
Openwave's Secure Enterprise Proxy operates on a variation of the same idea. An enterprise sets up an additional gateway behind its firewall, which then communicates with the carrier's WAP gateway, taking out the translation from SSL to WTLS and allowing the transmission to remain secure until it reaches its destination. This product allows consumers to use their carrier's initial WAP settings; however, the product only supports Openwave's carrier gateways, and also requires additional client software available only in Openwave WAP browsers.
Under Lock & Key
PKIs provide all the features that enterprises need for secure transactions, whether they be transactions in the commercial or technical sense (i.e. sending secure e-mails and accessing secure corporate networks):
* Confidentiality - assurance that a third party can't monitor the transaction.
* Authentication - assurance that all parties involved are who they claim to be.
* Integrity - assurance that sent data is not tampered with.
* Non-repudiation - assurance that agreements and transactions are binding.
It provides these by providing every involved party with a pair of keys - one public, one private - that are derived from the same algorithm and linked through asymmetric cryptography and created by a certificate authority (a company such as Verisign or RSA Security). The private key, which is never shared or transmitted, is given only to the requestor, and the public key is placed in an open directory referenced by a certificate.
The private key is used to decrypt data that has been encrypted with the freely available matching public key, and vice versa. So for instance, if a user logs on to a bank's secure system, his outgoing data is encrypted using the bank's public key. Thus, only the bank can decode that data with its private key. In reverse, the bank sends data to the user using his public key, so that only he can decrypt the information.
The system also allows for authentication in the same way. To send an encrypted signature, the bank would encrypt a digital "signature" using its private key, which could then be decrypted using its freely available public key.
When the technology is combined with products to generate, store and manage the keys, and security policies that dictate how the system is used, it is referred to as a PKI, and commonly used to protect Web and messaging servers, virtual private networks, and high-level financial transactions. Many Web functions, such as online banking, use the system with the exception that the consumer uses a username and password in place of a certificate.
PKI systems offer the best current level of transaction security, and are ideally suited for customer-enterprise transactions. But they don't make sense in the mobile arena. The system requires a significant amount of processing power on the client side to perform decryption, as well as a considerable amount of memory for storing keys and certificates.
Another Approach
But one technology that offers significant advantages over Internet-based security methods is a PKI system based on elliptic curve cryptography.
Pioneered by Certicom, ECC offers security levels comparable to those generated by the RSA algorithm, but at up to one tenth of the size, meaning mobile CPUs have a much easier time decrypting data.
Certicom's ECC systems work in devices with modest amounts of memory, and the algorithm's smaller size reduces the amount needed for key and certificate storage, as well as allowing quicker computations, meaning transactions are quicker. And on today's slow mobile networks, speed is essential.
ECC-based PKI systems look certain to catch on at least in the short-term, as the system is basically an extension of the wired PKI systems many companies and carriers already have in place. SIM cards are being developed for GSM networks that include certificates that can be unlocked with a PIN code.
Another advantage of PKI systems is interoperability. That is to say a system designed to run over WAP can easily be adapted for I-mode or HDML, or to interact with existing Web-based systems.
Like A Deadbolt
But looking to the future, engineers see the obvious solution for 3G security - build the encryption and decryption into silicon.
Several device manufacturers - including Nokia, Ericsson, Handspring and Sony - have signed on to use Texas Instruments' Open Multimedia Applications Platform (OMAP) in their next-generation devices. OMAP is a dual-core architecture featuring a TI digital signal processor and an ARM RISC microcontroller, designed to take advantage of both processors' strengths - multimedia processing on the DSP and control code (such as operating systems and user interfaces) on the microcontroller - at a low power consumption.
A more exciting OMAP feature is that it allows for dynamic upgrades. So when, for instance, streaming video or audio services are available on 3G networks, carriers can send out an upgrade to a phone with an MPEG or MP3 decoder. OMAP is also developer-friendly as it is an open architecture that uses standardized application programming interfaces (APIs), and allows developers to easily move applications to and from other platforms.
TI recently announced the availability of a wide-ranging security library that utilizes both OMAP hardware and software and allows handset manufacturers to choose from a variety of security methods, including public and private key encryption, virus screening, firewall protection and even fingerprint detection. The library utilizes solutions from different developers designed specifically for the OMAP architecture and designed to run swiftly and efficiently across its processors, and transparently to the user.
The OMAP security library offers a number of significant advantages to manufacturers and enterprise. Its security solutions are easily integrated with existing operating systems, and interoperable with major security protocols like WTLS and SSL, as well as conforming to existing standards.
Keep It In The Family
Device manufacturers as well as financial institutions realize the implications and the necessity of common security systems. Interoperability rather than territorialism seems to be the order of the day in future wireless systems. Companies are banding together through industry consortiums such as MeT and Mobey to develop common frameworks and initiatives to ensure ease of use for consumers.
It's clear that security (as well as bandwidth) is holding back m-commerce. And solutions that are easy on the wired Internet just don't cut it in the wireless world. But device manufacturers as well as financial institutions and commerce enterprises must develop transparent, fast, and most of all highly safe security systems to win over consumers.
Carlo Longino is a freelance writer based in Austin, Texas. His previous experience includes work for The Wall Street Journal, Dow Jones Newswires, and Hoover's Online. He doesn't hold much hope for m-commerce as long as his mobile carrier can't even get voice calls right. <<
- Eric -
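An added example, not part of the quoted article or of any vendor's product: a Python model of the gateway translation the article describes, where the carrier gateway ends the WTLS hop and re-encrypts for the SSL hop, next to the variant in which the payload is also protected end to end. The record format, the key names and the `bank_key` shared only by handset and bank are assumptions, and the cipher is a standard-library stand-in, not real SSL or WTLS.

```python
import hashlib, hmac, os

MESSAGE = b"PIN=0000;amount=25.00"   # constructed sample payload

def _keys(key):
    # Separate encryption and MAC keys derived from one hop key.
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()

def _xor_stream(ek, nonce, data):
    # Stand-in keystream (SHA-256 in counter mode); NOT a real SSL/WTLS cipher.
    ks = b"".join(hashlib.sha256(ek + nonce + i.to_bytes(4, "big")).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key, plaintext):
    """Encrypt-then-MAC record: nonce || ciphertext || tag."""
    ek, mk = _keys(key)
    nonce = os.urandom(16)
    ct = _xor_stream(ek, nonce, plaintext)
    return nonce + ct + hmac.new(mk, nonce + ct, hashlib.sha256).digest()

def unseal(key, record):
    ek, mk = _keys(key)
    nonce, ct, tag = record[:16], record[16:-32], record[-32:]
    if not hmac.compare_digest(tag, hmac.new(mk, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("record failed integrity check")
    return _xor_stream(ek, nonce, ct)

def gateway_translate(record, wtls_key, ssl_key, seen):
    """Carrier gateway: terminate the WTLS hop, re-encrypt for the SSL hop."""
    clear = unseal(wtls_key, record)  # payload is out of both tunnels here
    seen.append(clear)                # what gateway memory or logs could hold
    return seal(ssl_key, clear)

def run(end_to_end):
    """Handset -> gateway -> bank. Returns (bank's view, gateway's view)."""
    wtls_key, ssl_key, bank_key = (os.urandom(32) for _ in range(3))
    seen = []
    # Hypothetical end-to-end layer: only handset and bank hold bank_key.
    payload = seal(bank_key, MESSAGE) if end_to_end else MESSAGE
    hop2 = gateway_translate(seal(wtls_key, payload), wtls_key, ssl_key, seen)
    at_bank = unseal(ssl_key, hop2)
    if end_to_end:
        at_bank = unseal(bank_key, at_bank)
    return at_bank, seen[0]

if __name__ == "__main__":
    for mode in (False, True):
        bank, gw = run(mode)
        print("end-to-end" if mode else "hop-by-hop", "| gateway sees:", gw[:24])
```

In the hop-by-hop run the gateway's view equals the cleartext payload; in the end-to-end run it holds only an opaque record, which is the property the enterprise-hosted gateway and proxy approaches in the article aim for.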