MOBILE & WIRELESS SECURITY
Contents
• Creating a Secure Environment
• Security Threats
• Security Technologies
• Other Security Measures
• WAP Security
• Smart Client Security
Introduction
• With increasing bandwidth, and because of the flexibility and
freedom they offer, wireless networks are becoming the
communication infrastructure of choice.
• Securing enterprise data in a wired environment is difficult
enough.
• Adding wireless data transmission and mobile storage makes
the task even more challenging.
Creating a Secure Environment
• For end-to-end security you have to consider the entire
environment, including enterprise access, middle-tier
components, and client applications.
• The objectives involved in creating a secure mobile environment
are:
– Authentication
– Data Integrity
– Confidentiality
– Authorization
– Nonrepudiation
cont…
• Authentication is the process of proving that people and
organizations are who or what they claim to be.
• For wireless networks, this is often done at two layers:
– The network layer: the network requires the user to be
authenticated before that person is granted access. This can
be done implicitly, based on the device or modem being
used.
– The application layer: authentication matters at two
levels, the client and the enterprise server. The simplest,
and probably least secure, method of authentication is a
username/password combination. Stronger methods
include digital certificates or digital signatures, which prove
possession of a private key that never leaves the client.
cont…
• Data integrity is assurance that the data has not been altered or
corrupted in any way during the transmission from the sender
to the receiver. This is accomplished with a cryptographic
checksum, normally a keyed Message Authentication Code (MAC),
computed over the data with a key shared by sender and receiver;
encryption is often combined with it for confidentiality, but
encryption on its own does not detect modification. When recipients
receive the message, they recompute the MAC and compare it
with the MAC sent with the message; any difference means the
data was altered (or the wrong key was used).
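The check described above, as an added Go example (not part of the original slides): the sender appends an HMAC-SHA256 tag under a shared key, and the receiver recomputes the tag and compares it in constant time before trusting the data. The key, the message, the frame layout (message || tag) and the function names are this example's own choices; a keyed MAC is used rather than a plain hash because an attacker who can edit the data can also recompute an unkeyed checksum.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

const tagLen = sha256.Size // 32-byte HMAC-SHA256 tag

// protect appends an HMAC-SHA256 tag to msg. Only a holder of key can
// produce the tag; an unkeyed checksum (CRC, bare SHA-256) would not stop
// an attacker from recomputing it after editing the data in transit.
func protect(key, msg []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write(msg)
	return mac.Sum(append([]byte(nil), msg...)) // frame = msg || tag
}

// verify splits msg || tag, recomputes the tag and compares it in constant
// time. hmac.Equal avoids the timing side channel that a byte-by-byte
// comparison (bytes.Equal, ==) would leak. It returns the message and true
// only when the tag matches; the message must never be used otherwise.
func verify(key, framed []byte) ([]byte, bool) {
	if len(framed) < tagLen {
		return nil, false
	}
	msg, tag := framed[:len(framed)-tagLen], framed[len(framed)-tagLen:]
	mac := hmac.New(sha256.New, key)
	mac.Write(msg)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, false
	}
	return msg, true
}

func main() {
	key := make([]byte, 32) // shared key; in practice agreed during the handshake
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	framed := protect(key, []byte("transfer 100.00 to account 12345")) // constructed message
	if _, ok := verify(key, framed); ok {
		fmt.Println("intact message accepted")
	}
	tampered := append([]byte(nil), framed...)
	tampered[9] ^= 0x01 // flip one bit of the amount "in transit"
	if _, ok := verify(key, tampered); !ok {
		fmt.Println("tampered message rejected")
	}
}
```

The receiver recomputes the tag over exactly the bytes it will act on, so a change anywhere in the message, a wrong key, or a truncated frame all fail the same way.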
cont…
• Confidentiality is one of the most important aspects of
security, and certainly the most talked about. Confidentiality is
about maintaining data privacy, making sure it cannot be
viewed by unwanted parties. The most common way of
providing confidentiality is by encrypting the data.
• Authorization is the process of determining the user's level of
access—whether a user has the right to perform certain
actions. Authorization is often closely tied to authentication.
Once a user is authenticated, the system can determine what
that party is permitted to do. Access control lists (ACLs) are
often used to help determine this.
cont…
• Non-repudiation is about making parties accountable for
transactions in which they have participated. It involves
identifying the parties in such a way that they cannot at a later
time deny their involvement in the transaction.
cont…
Security Threats
• Building a secure solution is difficult without awareness of the
potential risks.
• Having covered the requirements for a secure environment, we
will look at four common security threats: spoofing, sniffing,
tampering, and theft.
• Spoofing is the attempt by a party to gain unauthorized access
to an application or system by pretending to be someone he or
she is not.
• If the spoofer gains access, he or she can then create fake
responses to messages in an attempt to gain further knowledge
and access to other parts of the system.
• A spoofer can make application users believe that they are
communicating with a trusted source, such as their bank, when
in reality they are communicating with the attacker's machine.
• Unknowingly, users often provide additional information that
is useful to the attacker to gain access to other parts and other
users of the system.
cont…
• Sniffing is a technique used to monitor data flow on a network.
• Sniffing can be used for proper purposes. But, it is more
commonly associated with the unauthorized copying of network
data. By "listening" to network data, unauthorized parties are
able to obtain sensitive information that will allow them to do
further damage to the application users, the enterprise systems,
or both.
• Sniffing is dangerous because it is both simple to do and
difficult to detect. Moreover, sniffing tools are easy to obtain
and configure.
• Against sniffing, data encryption is the best defense. Many
wireless LAN users have discovered the hard way that Wired
Equivalent Privacy (WEP) is not enough: its short (24-bit)
initialization vectors and weak RC4 key scheduling let an
attacker recover the key from captured traffic, so WEP should
be treated as broken and replaced with WPA2 or WPA3.
cont…
• Data tampering, also called an integrity threat, involves the
malicious modification of data from its original form. Very
often this involves intercepting a data transmission, although it
also can happen to data stored on a server or client device. The
modified data is then passed off as the original. Data encryption,
authentication, and authorization together help combat data
tampering; the actual detection of modification comes from a
MAC or digital signature, since encryption alone does not reveal
that ciphertext was changed.
cont…
• Theft is a problem inherent in mobile computing. Not only do you
lose the device itself but also any confidential data that may reside
on this device. This can be a serious threat for smart client
applications, as they contain persistent data, often confidential in
nature.
• You should follow these rules when it comes to securing mobile
devices:
– Lock down devices with a username/password combination to prevent easy
access.
– Require authentication to access any applications residing on the device.
– Do not store passwords on the device.
– Encrypt any persistent data storage facilities.
– Enforce corporate security policies for mobile users.
• Authentication and encryption, along with a security policy, are
required to help prevent malicious data access from a lost or stolen
device.
cont…
Security Technologies
• Cryptography
• Digital Certificates
• Digital Signatures
• Public Key Infrastructure
• Leading Protocols
Cryptography
• The basic objective of cryptography is to allow two parties to
communicate over an insecure channel without a third party
being able to understand the exchange.
• Algorithms and protocols: cryptography works on many
levels.
– At the lowest level are cryptographic algorithms.
– The protocol describes the complete process of executing a
cryptographic activity, including explicit information on
how to handle any contingency that might arise.
• Data encryption: the core of any cryptographic system is
encryption, the process of taking a regular set of data, called
plaintext, and converting it into an unreadable form, called
ciphertext.
cont…
• Modern algorithms use keys to control the encryption and
decryption of data. Once a message has been encrypted, it can
only be decrypted by users who have the corresponding key.
• Key-based algorithms come in two classes: symmetric and
asymmetric.
• Symmetric encryption is also referred to as secret-key
encryption. The classic example is the Data Encryption
Standard (DES); its 56-bit key is far too short today, and the
Advanced Encryption Standard (AES) has replaced it.
• Asymmetric (public-key) encryption addresses the main problem
that has plagued symmetric systems: both parties must share the
same secret key, and that key has to be distributed securely
before they can communicate. With a public/private key pair the
public key can be published; only the private key must be kept
secret.
cont…
Digital Certificates
• Digital certificates provide a way to guarantee that a public key
belongs to the party it represents.
• For this to be successful, the certificate itself also has to be
verified to ensure that it represents the claimed entity (a person or
organization). This is accomplished using a trusted third party
called a certificate authority (CA).
• Digital certificates typically contain the following:
– The name of the holder, as well as other information that
uniquely identifies the holder.
– The holder's public key.
– The name of the CA that issued the certificate.
– The lifetime the certificate is valid for (usually a start and
end date).
– A digital signature from the CA over all of the above.
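An added Go example (not from the original slides) of the fields listed above and of what the CA signature buys a relying party: a self-signed CA certificate, a certificate the CA issues for a holder, and the verification a client performs, which rejects the same certificate once it has expired and rejects it outright when checked against a CA that did not issue it. The names "Example Corp Root CA", "Unrelated CA" and "sync.example.com", the dates, and the function names are constructed for the example; the certificate handling itself is Go's standard crypto/x509 package.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCA creates a self-signed CA certificate carrying the usual fields:
// holder name (Subject), validity window, the holder's public key, and the
// issuer's signature (here the CA signs its own certificate).
func newCA(name string, notBefore time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             notBefore,
		NotAfter:              notBefore.AddDate(10, 0, 0),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issue has the CA sign a certificate binding holderName to holderPub. The
// CA's signature is what lets a relying party trust that the public key
// belongs to the named holder without ever contacting the holder.
func issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, holderName string,
	holderPub *ecdsa.PublicKey, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: holderName},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, holderPub, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verify checks a certificate the way a relying party does: the issuer
// signature must chain to a trusted root and now must fall inside the
// validity window. A nil error means the certificate is acceptable.
func verify(cert, trustedRoot *x509.Certificate, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now})
	return err
}

// scenario issues one holder certificate and checks it three ways: inside
// its validity window, after it has expired, and against a CA that did not
// issue it. Only the first should succeed.
func scenario() (valid, expired, wrongIssuer error) {
	start := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC) // constructed dates
	ca, caKey, err := newCA("Example Corp Root CA", start)
	if err != nil {
		return err, err, err
	}
	otherCA, _, err := newCA("Unrelated CA", start)
	if err != nil {
		return err, err, err
	}
	holderKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err, err, err
	}
	leaf, err := issue(ca, caKey, "sync.example.com", &holderKey.PublicKey, start, start.AddDate(1, 0, 0))
	if err != nil {
		return err, err, err
	}
	valid = verify(leaf, ca, start.AddDate(0, 6, 0))         // six months in: fine
	expired = verify(leaf, ca, start.AddDate(2, 0, 0))       // one year past NotAfter
	wrongIssuer = verify(leaf, otherCA, start.AddDate(0, 6, 0)) // trusted root never signed it
	return
}

func main() {
	valid, expired, wrongIssuer := scenario()
	fmt.Println("valid certificate:  ", valid)
	fmt.Println("expired certificate:", expired)
	fmt.Println("wrong issuer:       ", wrongIssuer)
}
```

The relying party never needs the holder's private key or a live connection to the CA for this check; what it needs is the CA's own certificate in its trust store and a correct clock, which is why a device with a wrong date or a tampered root store silently loses this protection.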
Digital Signatures
• Digital signatures are used to verify that a message really came
from the claimed sender.
• It is based upon the notion that only the creator of the signature has
the private key and that it can be verified using a corresponding
public key.
• The digital signature is created by computing the message digest of
a document, then concatenating it with information about the
signer, a timestamp, and any other required information.
• A message digest is a function that takes arbitrary-sized input data
(the message) and generates a fixed-size output, called a digest.
It must be collision-resistant, or an attacker could substitute a
different document that has the same digest.
• This set of information is then signed with the private key of the
sender using a suitable asymmetric algorithm. (With RSA this is
often described as encrypting the digest with the private key; DSA
and ECDSA are signing operations in their own right.) The
resulting block of information is the digital signature.
• The recipient recomputes the digest and verifies the signature with
the sender's public key, so any alteration of the document since the
digital signature was created is easily detected.
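The signing and verification steps above as an added Go example (not from the original slides), using ECDSA over P-256 with SHA-256: the digest covers the document, the signer's name and the timestamp with length prefixes, the signer's private key signs the digest, and the recipient recomputes the digest from what it received before checking the signature with the public key. The signedDoc type, the field encoding and the sample document and signer name are this example's own constructions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// signedDoc is what travels to the recipient: the document, who signed it,
// when, and the signature over the digest of all three.
type signedDoc struct {
	Document  []byte
	Signer    string
	Timestamp int64 // Unix seconds
	Signature []byte
}

// newKey generates the signer's key pair (P-256). The private half never
// leaves the signer; the public half is what verifiers use.
func newKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// digest hashes document, signer name and timestamp with length prefixes so
// the fields cannot be re-split a different way (for example by moving the
// last bytes of the document into the signer name) and still hash the same.
func digest(doc []byte, signer string, ts int64) []byte {
	h := sha256.New()
	var n [8]byte
	binary.BigEndian.PutUint64(n[:], uint64(len(doc)))
	h.Write(n[:])
	h.Write(doc)
	binary.BigEndian.PutUint64(n[:], uint64(len(signer)))
	h.Write(n[:])
	h.Write([]byte(signer))
	binary.BigEndian.PutUint64(n[:], uint64(ts))
	h.Write(n[:])
	return h.Sum(nil)
}

// sign applies the signer's private key to the digest. ECDSA is a signing
// operation in its own right, not "encryption with the private key".
func sign(priv *ecdsa.PrivateKey, doc []byte, signer string, ts int64) (signedDoc, error) {
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest(doc, signer, ts))
	if err != nil {
		return signedDoc{}, err
	}
	return signedDoc{Document: doc, Signer: signer, Timestamp: ts, Signature: sig}, nil
}

// verify recomputes the digest from the received fields and checks the
// signature with the public key. Any change to the document, the signer
// name or the timestamp produces a different digest and the check fails.
func verify(pub *ecdsa.PublicKey, sd signedDoc) bool {
	return ecdsa.VerifyASN1(pub, digest(sd.Document, sd.Signer, sd.Timestamp), sd.Signature)
}

func main() {
	priv, err := newKey()
	if err != nil {
		panic(err)
	}
	// constructed document, signer and timestamp
	sd, err := sign(priv, []byte("pay 250.00 to vendor 77"), "alice@example.com", 1700000000)
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine document verifies:", verify(&priv.PublicKey, sd))
	sd.Document = []byte("pay 950.00 to vendor 77") // altered after signing
	fmt.Println("altered document verifies:", verify(&priv.PublicKey, sd))
}
```

The verifier only ever needs the public key, which is why the next topic, certificates, matters: the whole check is worthless unless the verifier can be sure whose public key it is holding.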
Public Key Infrastructure
• Public key infrastructure (PKI) is the term used to describe a
complete organization of systems and rules defining a single
security system. The Internet Engineering Task Force (IETF)
X.509 Working Group defines PKI as “the set of hardware,
software, people, and procedures needed to create, manage,
store, distribute, and revoke certificates based on public key
cryptography”.
• The components of PKI include the following:
– Certificate authorities responsible for issuing and revoking certificates
– Registration authorities responsible for binding between public keys
and the identities of their holders
– Certificate holders who have been issued certificates that they can use
to sign digital documents
– Repositories that store certificates as well as certificate revocation lists
– Security policy that defines an organization's top-level direction on
security
Leading Protocols
• Secure Sockets Layer (SSL)
• Transport Layer Security (TLS)
• Wireless Transport Layer Security (WTLS)
• IP Security (IPSec)
Secure Sockets Layer
• SSL was for years the dominant security protocol on the Internet; all SSL versions are now
deprecated, and TLS, its successor, is what https:// connections actually use, although the
name SSL lingers.
• It was developed by Netscape to provide secure and private Internet sessions, typically
beneath application protocols such as HTTP and FTP.
• SSL uses a combination of symmetric and asymmetric algorithms to maximize
performance.
• There are four phases in an SSL session:
– Handshake and cipher negotiation. Both the client and server agree on the
algorithms or ciphers to use.
– Authentication. The server, and optionally the client, is authenticated using digital
certificates.
– Key exchange.
– Application data exchange.
• SSL can be used by many of the more powerful wireless clients, including laptops and
Pocket PC devices. You can tell you are using SSL when the URL starts with https://.
• Encrypting the data within the protocol is more efficient than encrypting the data yourself
and sending it over HTTP. Within SSL/TLS the data is split into records (at most 16 KB
each), and each record is encrypted and integrity-protected separately, so the receiver can
check and decrypt each record as soon as it arrives.
• If you encrypt your data as one large ciphertext at the application layer, you will not be
able to decrypt (or verify) it until all of it has arrived.
Transport Layer Security
• Transport Layer Security (TLS) is the IETF successor of SSL 3.0.
• It consists of two layers. The lower layer is the TLS Record
protocol, which is layered on top of a reliable transport
protocol such as TCP.
• The two main features of the Record protocol are private and
reliable connections.
• The higher level is the TLS Handshake protocol. This layer
provides connection security that authenticates using
asymmetric cryptography, negotiates a secret key, and provides
a reliable negotiation.
Wireless Transport Layer Security
• WTLS is the security layer defined in the WAP specification.
• It operates above the Transport Protocol Layer, making it
suitable for a variety of underlying wireless protocols.
• It is similar to TLS, but is optimized for low-bandwidth
networks with high latency.
• It also adds new features such as datagram support, optimized
handshakes, and key refreshing.
IP Security
• IPSec is different from the other protocols in that it does not
operate on the application layer.
• SSL, TLS, and WTLS are aimed at providing secure
communications over an inherently insecure network, where as
IPSec is aimed at making the Internet itself secure.
• It does this by providing authentication, integrity, and privacy
services at the IP datagram layer.
• IPSec will become a more prominent solution when mobile
devices start to support IPv6: the IPv6 specification originally
required every node to implement IPsec (later relaxed to a
recommendation), whereas for IPv4 it is an add-on.
Other Security Measures
• Firewalls
• Virtual Private Networks
• Two-Factor Authentication
• Biometrics
• Security Policy
Firewalls
• Firewalls are the most common form of security implemented
within organizations. They establish a network perimeter
between what is public and what is private. A firewall is a set
of software programs, usually located on a separate gateway
server that restricts access to the private network resources
from users on other networks
• At a lower level, a firewall will examine each packet of
network data to determine whether it should be forwarded to
its destination.
• For mobile devices that have always-on connections, a
personal firewall may also be useful. A personal firewall blocks
unsolicited inbound connections and can restrict which
applications on the device are allowed to use the network; some
products also filter inappropriate content.
Virtual Private Networks
• A VPN allows a company to turn a public network into a
private network.
• This technology allows remote workers to communicate with
the corporate network in a secure fashion.
• Before VPN technology became available, dedicated leased
lines were required to achieve the same result.
• VPNs present an additional benefit over leased lines, by
providing secure access from many locations—essentially
anywhere an Internet connection is available.
• Mobile VPNs for devices on public networks are still in the
early phases of adoption.
Two-Factor Authentication
• For some purposes, usually dealing with financial transactions,
strong authentication is required.
• This involves using a two-factor approach, where users have to
apply two factors to authenticate themselves.
• One factor is usually something the user knows, such as a PIN;
the other is something the user has, such as a token card
that generates a one-time password.
• Smart client applications can provide a form of two-factor
authentication: first you must have the device to access
the application; second, you must authenticate yourself to gain
access to the application, as well as to any back-end system to
which it connects. The possession factor only counts if the
device is locked and no credentials are stored on it; otherwise
whoever steals the device holds both factors at once.
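The "something the user has" factor, as an added Go example (not from the original slides): the one-time password a token card produces is HOTP (RFC 4226), an HMAC-SHA1 over a counter truncated to six or eight digits, and TOTP (RFC 6238) is the same with the counter derived from the clock. The server-side verifier shown here, with its look-ahead window and replay rule, is this example's own design; the 20-byte secret is the RFC 4226 test secret, used so the outputs can be checked against the published vectors. A real token gets a random secret shared only with the server.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"math"
)

// hotp computes an RFC 4226 one-time password: HMAC-SHA1 over the 8-byte
// big-endian counter, dynamic truncation to 31 bits, then the low `digits`
// decimal digits, zero-padded.
func hotp(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	offset := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%0*d", digits, code%uint32(math.Pow10(digits)))
}

// totp is RFC 6238: the counter is the number of `step`-second intervals
// since the Unix epoch, so token and server agree without keeping a shared
// counter as long as their clocks are close.
func totp(secret []byte, unixTime, step int64, digits int) string {
	return hotp(secret, uint64(unixTime/step), digits)
}

// verifier is the server side for a counter-based token card. It searches a
// small window ahead of the expected counter (the user may have pressed the
// button without logging in) and never accepts a counter below the next
// unused one, which blocks replay of a code sniffed from an earlier login.
type verifier struct {
	secret []byte
	digits int
	window uint64 // how far ahead of next to search
	next   uint64 // lowest counter not yet consumed
}

func (v *verifier) check(code string) bool {
	for c := v.next; c <= v.next+v.window; c++ {
		// constant-time compare: a leaky comparison would let an attacker
		// guess the code one digit at a time
		if subtle.ConstantTimeCompare([]byte(hotp(v.secret, c, v.digits)), []byte(code)) == 1 {
			v.next = c + 1 // consumed; the same code can never be replayed
			return true
		}
	}
	return false
}

func main() {
	secret := []byte("12345678901234567890") // RFC 4226 test secret
	fmt.Println("HOTP, counter 0:", hotp(secret, 0, 6))   // 755224
	fmt.Println("TOTP at t=59:   ", totp(secret, 59, 30, 8)) // 94287082
	v := &verifier{secret: secret, digits: 6, window: 3}
	fmt.Println("first use of counter-1 code:", v.check("287082")) // true
	fmt.Println("replay of the same code:    ", v.check("287082")) // false
}
```

The replay rule is what makes the token a real second factor against sniffing: a code copied off the air is worthless once the legitimate login has consumed it, and every code is valid at most once even within the window.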
Biometrics
• Even with the increased security of two-factor authentication,
unauthorized users can compromise the system, for example,
by obtaining the PIN code and token card, thereby gaining
access to the enterprise system.
• A stronger form of authentication is available: biometric
authentication.
• Biometrics provides a wide range of techniques for
authenticating an individual based on his or her unique
physical characteristics. Such techniques include fingerprint
identification, face recognition, voice recognition, or iris and
retina scanning.
• Using biometric techniques, you tie the identification token to
the individual rather than to something that can be handed over
or copied. A biometric cannot be changed if it is compromised,
however, so it is best used as one factor alongside a secret or a
token rather than as the only one.
Security Policy
• Most important security measure is the adoption of a corporate
security policy. Such a policy will outline all aspects of a
corporation's security measures, including both technology and
the use and disclosure of confidential information within the
enterprise. Even if a corporation has implemented a very
strong technical security solution, the overall system will still
be insecure if its users do not follow corporate security
guidelines. Remember, intruders will always attack the
weakest link in a system. Unfortunately, this link is often the
users themselves.
• Sometimes, very simple measures will dramatically increase
overall security. For example, many PDA users do not lock the
operating system when it is not in use. If the device is lost,
nothing prevents another user from accessing the applications
and corresponding data on the device.
WAP Security
• What are the security issues with WAP?
• How can organizations overcome them?
• In the WAP 1.x security architecture, two aspects of security need
to be addressed:
– Transport-level security. This aspect deals with the
communication between the client applications and the
enterprise servers. It involves two protocols: WTLS is
used over the air, while SSL or TLS is used over the wire.
This change of protocols at the gateway is the basis of the
major WAP security problem.
– Application-level security. This aspect deals with the
security of the client application. It involves digital
signatures and encryption.
• WAP 2.x
Transport-Level Security
• Transport-level security, also known as channel security, deals
with the point-to-point communication between a wireless
client and the enterprise data source. This involves
communication over both wireless and wireline channels. With
WAP, data is encrypted during over-the-air transport using
Wireless Transport Layer Security (WTLS) protocol, and over-
the-wire transport using Internet security protocols such as
SSL and TLS.
• Wireless Transport Layer Security (WTLS) protocol was
developed to address the unique characteristics of wireless
networks, namely low bandwidth and high latency. It is a
variation of the Transport Layer Security (TLS) protocol.
cont…
• The following are some of the major features added to WTLS, which are
not in TLS:
– Support for other cryptographic algorithms. SSL and TLS of that era
primarily used RSA for key exchange. WTLS supports RSA, Diffie-Hellman
(DH), and Elliptic Curve Cryptography (ECC), the last being attractive
because its keys are short enough for constrained devices.
– Definition of a new compact public key certificate, the WTLS certificate.
These are a more efficient version of X.509 certificates.
– UDP datagram support. This affects many areas of the protocol, from
how data is encrypted to extra support for message handling, to ensure
messages do not get lost, duplicated, or delivered out of order.
– A key refresh option. Keys are renegotiated periodically, based on the
number of messages sent.
– An expanded set of alerts. This adds clarity for error handling.
– Optimized handshakes. This reduces the number of round trips required
in high-latency networks.
cont…
• WTLS also introduced three levels of authentication between
the client and the gateway.
– Class I WTLS. Anonymous interactions between the client
and WAP gateway; no authentication takes place.
– Class II WTLS. The server authenticates itself to the client
using WTLS certificates.
– Class III WTLS. Both the client and the WAP gateway
authenticate to each other. This is the form of
authentication used with smart cards.
cont…
• The WAP Gap: Unfortunately, at the same time WTLS improved on TLS for
wireless communication, it also caused a major problem. Now that both TLS
and WTLS are required within the WAP architecture, there is a point at which a
translation between the two protocols occurs. From the client device to the
WAP gateway, WTLS is used; from the gateway to the enterprise server, TLS is
used. At this point, the WTLS content is decrypted and then reencrypted using
TLS.
• The content exists as plaintext while this transfer takes place, creating the so-
called WAP gap. The time the content is unencrypted is short, and the WAP
gateway normally sits in the carrier's network rather than on the public Internet,
so there is still some protection. But the carrier, and anyone who compromises
the gateway, can read every transaction in the clear. For many corporations this
risk is too great, as it presents a vulnerable point in the network and prevents
end-to-end security.
• There are two options for alleviating the WAP gap:
– Accept that the gateway is a vulnerable point and make every effort to
protect it using firewalls, monitoring equipment, and a stringent security
policy.
– Move the WAP gateway within your corporate firewall and manage it
yourself.
cont…
WAP 2.x
• There are many new features in WAP 2.0, but none is as
important as the move to standard Internet protocols. This
move to using HTTP, TCP, and IP allows the TLS protocol to
be used for data communication, thereby removing the need
for WTLS. Once a single protocol can be used from the client
device to the enterprise server, WAP can enable true end-to-
end security, making the WAP gap a thing of the past, provided
the gateway only tunnels the TLS connection at the TCP level
rather than terminating TLS itself.
Application-Level Security
• Application-level security is important for two main reasons:
– when security is required past the endpoints of transport-level security
– when presentation content needs to be accessed but enterprise data does
not. This can happen during transcoding, that is, when another markup
language (often HTML) is being transformed into WML.
• The first scenario can be addressed using the techniques provided in the
WML specification. In general, the default settings are set to the highest
security.
• The second scenario can be addressed using WMLScript and the Crypto
API. Using the signText function in the API, digital signatures can be
created, opening the door for wireless PKI to manage and issue public key
certificates. This gives end-to-end protection of the signed data between the
content provider (usually the enterprise) and the client, independent of the
transport layer, so the gateway cannot alter it undetected.
Smart Client Security
• The smart client architecture does not depend on a gateway for
protocol conversion, so it does not suffer from the WAP gap.
• The main areas of security concern for smart client
applications include
– User authentication
– Encryption of the client data store
– Transport-level security
cont…
• User Authentication: Smart client applications store data
directly on the device. To restrict access to this data, user
authentication is required. A username/password combination
is the minimal level of authentication that should be
implemented.
• However you implement user authentication to the device and
its data, it should not automatically authenticate the user to the
enterprise server's data. At this level, a second form of
authentication should be implemented.
cont…
• Data Store Security: With smart client applications, corporate
data is stored locally on mobile devices. This data requires
protection from unauthorized access, just as other parts of a
mobile solution do. Requiring users to be authenticated before
accessing the data is one step to securing it. Another step is to
encrypt the data store itself, so that it cannot be read without
the proper credential, whether a password or a key held in a
digital certificate or hardware token.
• Implementing both authentication and encryption in a single
process is the best way to ensure the data remains confidential.
The data store can be encrypted under a key derived from the
password: not the password bytes themselves, but the output of
a salted, iterated key-derivation function (PBKDF2, scrypt or
Argon2), which makes guessing the password from a stolen
device slow. Use an authenticated encryption mode so that
tampering with the stored data is detected as well.
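An added Go example (not from the original slides) of the password-derived data store encryption just described, which also covers the "encrypt any persistent data storage" rule from the theft section: a per-store random salt and PBKDF2-HMAC-SHA256 turn the password into an AES-256 key, and AES-GCM encrypts the store so that a wrong password and a tampered file are both rejected. PBKDF2 is written out inline to stay within the standard library; the blob layout, iteration count, function names and the sample record are this example's own choices, and production code would reach for golang.org/x/crypto's pbkdf2 or argon2 packages instead.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

const (
	saltLen    = 16
	keyLen     = 32      // AES-256
	iterations = 100_000 // each password guess on a stolen device costs 100k HMACs
)

// pbkdf2 derives n bytes from password with PBKDF2-HMAC-SHA256 (RFC 8018
// section 5.2), spelled out here to avoid a non-standard-library import.
func pbkdf2(password, salt []byte, iter, n int) []byte {
	var out []byte
	for block := uint32(1); len(out) < n; block++ {
		mac := hmac.New(sha256.New, password)
		mac.Write(salt)
		mac.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := mac.Sum(nil)              // U_1 = PRF(P, S || INT(i))
		t := append([]byte(nil), u...) // T_i = U_1 xor U_2 xor ... xor U_c
		for i := 1; i < iter; i++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:n]
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealStore encrypts the data store under a key derived from the password.
// Blob layout: salt || nonce || AES-GCM ciphertext+tag. The salt is fresh per
// store, so two devices sharing a password get unrelated keys; the GCM tag
// makes any edit of the stored bytes detectable.
func sealStore(password, plaintext []byte) ([]byte, error) {
	salt := make([]byte, saltLen)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	aead, err := newAEAD(pbkdf2(password, salt, iterations, keyLen))
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := make([]byte, 0, saltLen+len(nonce)+len(plaintext)+aead.Overhead())
	out = append(out, salt...)
	out = append(out, nonce...)
	return aead.Seal(out, nonce, plaintext, nil), nil
}

// openStore reverses sealStore. A wrong password yields a different key and a
// tampered blob yields a bad tag; both fail identically, so an attacker cannot
// tell which happened.
func openStore(password, stored []byte) ([]byte, error) {
	if len(stored) < saltLen {
		return nil, errors.New("store too short")
	}
	salt := stored[:saltLen]
	aead, err := newAEAD(pbkdf2(password, salt, iterations, keyLen))
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(stored) < saltLen+ns+aead.Overhead() {
		return nil, errors.New("store too short")
	}
	return aead.Open(nil, stored[saltLen:saltLen+ns], stored[saltLen+ns:], nil)
}

func main() {
	password := []byte("correct horse battery staple")           // constructed
	record := []byte(`{"customer":"ACME","balance":1200.50}`) // constructed
	blob, err := sealStore(password, record)
	if err != nil {
		panic(err)
	}
	if got, err := openStore(password, blob); err == nil {
		fmt.Println("correct password:", string(got))
	}
	_, err = openStore([]byte("guess"), blob)
	fmt.Println("wrong password:", err)
}
```

The iteration count is the knob that buys time after a device is stolen: it is paid once per unlock on the device, but once per guess by the attacker, so it should be set as high as the device's unlock latency tolerates.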
cont…
• Transport-Level Security: At the transport level, data
encryption is required to secure the enterprise data being
synchronized. Whether you are using a packaged
synchronization solution or building one in-house, the
synchronization may be the most important part of the
application to secure.
• Many of the smart client application vendors include 128-bit
data encryption with their solutions. Key length alone says little;
what matters is that the channel is an authenticated protocol such
as TLS with server (and ideally client) authentication, so that the
data being transferred over public networks stays private from the
time it leaves the device to the time it reaches the enterprise
server.
• Along with encryption, using a strong form of authentication,
such as digital certificates, is recommended. In addition, try to
keep the firewall around your corporate data as secure as
possible; don't open any ports that are not absolutely required
by your synchronization server.
MOBILE & WIRELESS SECURITY And MOBILE & WIRELESS SECURITY

MOBILE & WIRELESS SECURITY And MOBILE & WIRELESS SECURITY

  • 1.
  • 2.
    Contents • Creating aSecure Environment • Security Threats • Security Technologies • Other Security Measures • WAP Security • Smart Client Security
  • 3.
    Introduction • The increasingbandwidth and because of their flexibility and freedom they are becoming the communication infrastructure of choice. • Securing enterprise data in a wired environment is difficult enough • adding wireless data transmission and mobile storage makes the task even more challenging
  • 4.
    Creating a SecureEnvironment • For end-to-end security you have to consider the entire environment, including enterprise access, iddle-tier components, and client applications • objectives involved in creating a secure mobile environment – Authentication – Data Integrity – Confidentiality – Authorization – Nonrepudiation
  • 5.
    cont… • Authentication isthe process of proving that people and organizations are who or what they claim to be. • For wireless networks, this is often done at two layers: – The network layer: The network requires the user to be authenticated before that person is granted access. This can be done implicitly, based on the device or modem being used – The application layer: authentication is important at two levels - the client and the enterprise server. The simplest, and probably least secure, method of authentication is a username/password combination. More advanced methods include digital certificates or digital signatures.
  • 6.
    cont… • Data integrityis assurance that the data has not been altered or corrupted in any way during the transmission from the sender to the receiver. This can be accomplished by using data encryption in combination with a cryptographic checksum or Message Authentication Code (MAC). When recipients receive the message, they compute the MAC and compare it with the MAC encoded in the message to see if the codes are the same.
  • 7.
    cont… • Confidentiality isone of the most important aspects of security, and certainly the most talked about. Confidentiality is about maintaining data privacy, making sure it cannot be viewed by unwanted parties. The most common way of providing confidentiality is by encrypting the data.
  • 8.
    • Authorization isthe process of determining the user's level of access—whether a user has the right to perform certain actions. Authorization is often closely tied to authentication. Once a user is authenticated, the system can determine what that party is permitted to do. Access control lists (ACLs) are often used to help determine this. cont…
  • 9.
    • Non-repudiation isabout making parties accountable for transactions in which they have participated. It involves identifying the parties in such a way that they cannot at a later time deny their involvement in the transaction. cont…
  • 10.
    Security Threats • Buildinga secure solution is difficult without awareness of the potential risks. • The requirements for a secure environment, we will look at four common security threats: spoofing, sniffing, tampering, and theft.
  • 11.
    • Spoofing isthe attempt by a party to gain unauthorized access to an application or system by pretending to be someone he or she is not. • If the spoofer gains access, he or she can then create fake responses to messages in an attempt to gain further knowledge and access to other parts of the system. • Spoofer can make application users believe that they are communicating with a trusted source, such as their bank, when in reality they are communicating with an attacker machine. • Unknowingly, users often provide additional information that is useful to the attacker to gain access to other parts and other users of the system. cont…
  • 12.
    • Sniffing isa technique used to monitor data flow on a network. • Sniffing can be used for proper purposes. But, it is more commonly associated with the unauthorized copying of network data. By "listening" to network data, unauthorized parties are able to obtain sensitive information that will allow them to do further damage to the application users, the enterprise systems, or both. • Sniffing is dangerous because it is both simple to do and difficult to detect. Moreover, sniffing tools are easy to obtain and configure. • To combat the more sophisticated sniffing tools, data encryption is the best defense. Many wireless LAN users have discovered the hard way that Wired Equivalent Privacy (WEP) encryption is often not enough to protect their data. cont…
  • 13.
    • Data tampering,also called an integrity threat, involves the malicious modification of data from its original form. Very often this involves intercepting a data transmission, although it also can happen to data stored on a server or client device. The modified data is then passed off as the original. Employing data encryption, authentication, and authorization are ways to combat data tampering. cont…
  • 14.
    • Theft isa problem inherent in mobile computing. Not only do you lose the device itself but also any confidential data that may reside on this device. This can be a serious threat for smart client applications, as they contain persistent data, often confidential in nature. • You should follow these rules when it comes to securing mobile devices: – Lock down devices with a username/password combination to prevent easy access. – Require authentication to access any applications residing on the device. – Do not store passwords on the device. – Encrypt any persistent data storage facilities. – Enforce corporate security policies for mobile users. • Authentication and encryption, along with a security policy, are required to help prevent malicious data access from a lost or stolen device. cont…
  • 15.
    Security Technologies • Cryptography •Digital Certificates • Digital Signatures • Public Key Infrastructure • Leading Protocols
  • 16.
    Cryptography • The basicobjective of cryptography is to allow two parties to communicate over an insecure channel without a third party being able to understand • Algorithms and Protocols- Cryptography works on many levels. – At the lowest level are cryptographic algorithms. – The protocol describes the complete process of executing a cryptographic activity, including explicit information on how to handle any contingency that might arise.
  • 17.
    • Data Encryption-The core of any cryptographic system is encryption, the process of taking a regular set of data, called plaintext, and converting it into an unreadable form, called cipher text cont…
  • 18.
    • Modern algorithmsuse keys to control the encryption and decryption of data. Once a message has been encrypted, it can only be decrypted by users who have the corresponding key. • Key-based algorithms come in two classes: symmetric and asymmetric. • Symmetric encryption is also referred to as secret-key encryption. The most popular form of this method is the Data Encryption Standard (DES) • Asymmetric encryption addresses the main problem that has plagued symmetric key systems: the use of a single key. cont…
  • 19.
    Digital Certificates • Digitalcertificates provide a way to guarantee that a public key belongs to the party it represents. • For this to be successful, the certificate itself also has to be verified to ensure that it represents the claimed entity (a person or organization). This is accomplished using a trusted third party called a certificate authority (CA). • Digital certificates typically contain the following: – The name of the holder, as well as other information that uniquely identifies the holder. – The holder's public key. – The name of the CA that issued the certificate. – The lifetime that the certificate if valid for (usually a start and end date). – A digital signature from the CA
  • 20.
    Digital Signatures • Digitalsignatures are used to verify that a message really came from the claimed sender. • It is based upon the notion that only the creator of the signature has the private key and that it can be verified using a corresponding public key. • The digital signature is created by computing the message digest of a document, then concatenating it with information about the signer, a timestamp, and any other required information. • A message digest is a function that takes arbitrary-sized input data (the message) and generates a fixed-size output, called a digest. • This set of information is then encrypted using the private key of the sender using a suitable asymmetric algorithm. The resulting encrypted block of information is the digital signature. • It is possible for the recipient of the document to easily detect if the document has been altered since the digital signature was created.
  • 21.
Public Key Infrastructure
• Public key infrastructure (PKI) is the term used to describe a complete organization of systems and rules defining a single security system. The Internet Engineering Task Force (IETF) X.509 Working Group defines PKI as "the set of hardware, software, people, and procedures needed to create, manage, store, distribute, and revoke certificates based on public key cryptography".
• The components of PKI include the following:
  – Certificate authorities, responsible for issuing and revoking certificates
  – Registration authorities, responsible for the binding between public keys and the identities of their holders
  – Certificate holders, who have been issued certificates that they can use to sign digital documents
  – Repositories that store certificates as well as certificate revocation lists
  – A security policy that defines an organization's top-level direction on security
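The three slides above describe one flow: a CA issues a certificate binding a holder's name to a public key for a stated lifetime, a verifier checks that certificate against the trusted CA, and the holder's signature on a document is checked with the public key carried in the certificate. The Go code below is an added example, not part of the lecture; the CA and holder names and the Ed25519 key type are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Issue has a hypothetical CA self-sign its own certificate, then sign a 30-day certificate for holderPub
// carrying the fields the slide lists: holder name, public key, issuer name, lifetime and the CA's signature.
func Issue(caKey ed25519.PrivateKey, holderPub ed25519.PublicKey) (ca, holder *x509.Certificate, err error) {
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example CA (hypothetical)"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(1, 0, 0), BasicConstraintsValid: true,
		IsCA: true, KeyUsage: x509.KeyUsageCertSign} // only the CA is allowed to sign other certificates
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caKey.Public(), caKey)
	if err != nil {
		return nil, nil, err
	}
	ca, _ = x509.ParseCertificate(caDER) // DER produced a moment ago always parses
	holderTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "holder (hypothetical)"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(0, 0, 30)}
	der, err := x509.CreateCertificate(rand.Reader, holderTmpl, ca, holderPub, caKey) // the CA's signature
	if err == nil {
		holder, err = x509.ParseCertificate(der)
	}
	return ca, holder, err
}

// VerifyChain asks: was holder issued by the trusted ca, and is it inside its lifetime at time at?
func VerifyChain(ca, holder *x509.Certificate, at time.Time) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := holder.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}

// Verify checks a signature made with ed25519.Sign using the public key carried in the holder's certificate
// (Ed25519 hashes the message internally, so the slide's digest step happens inside Sign and Verify).
func Verify(holder *x509.Certificate, msg, sig []byte) bool {
	pub, ok := holder.PublicKey.(ed25519.PublicKey)
	return ok && ed25519.Verify(pub, msg, sig)
}
```

A certificate checked one day after its 30-day lifetime, or against a different CA, fails VerifyChain, and a signature checked against an altered message fails Verify.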
Leading Protocols
• Secure Sockets Layer (SSL)
• Transport Layer Security (TLS)
• Wireless Transport Layer Security (WTLS)
• IP Security (IPSec)
Secure Sockets Layer
• SSL is the dominant security protocol being used on the Internet today.
• It was developed by Netscape to provide secure and private Internet sessions, typically on top of HTTP, FTP and other relevant protocols.
• SSL uses a combination of symmetric and asymmetric algorithms to maximize performance.
• There are four phases in an SSL session:
  – Handshake and cipher negotiation. Both the client and server agree on the algorithms or ciphers to use.
  – Authentication. The server, and optionally the client, is authenticated using digital certificates.
  – Key exchange.
  – Application data exchange.
• SSL can be used by many of the more powerful wireless clients, including laptops and Pocket PC devices. You can tell you are using SSL when the URL starts with https://.
• Encrypting the data within the protocol is more efficient than encrypting the data yourself and sending it over HTTP. Within the SSL protocol, the data is encrypted at the packet level and can be decrypted at the packet level after it has arrived and has passed any integrity test.
• If you encrypt your data as one large ciphertext, you will not be able to decrypt the data until all the packets have arrived.
Transport Layer Security
• Transport Layer Security (TLS) is the next generation of SSL.
• It consists of two layers. The lower layer is the TLS Record protocol, which is layered on top of a reliable transport protocol such as TCP.
• The two main features of the Record protocol are private and reliable connections.
• The higher layer is the TLS Handshake protocol. This layer provides connection security that authenticates using asymmetric cryptography, negotiates a secret key, and provides a reliable negotiation.
Wireless Transport Layer Security
• WTLS is the security layer defined in the WAP specification.
• It operates above the Transport Protocol Layer, making it suitable for a variety of underlying wireless protocols.
• It is similar to TLS, but is optimized for low-bandwidth networks with high latency.
• It also adds new features such as datagram support, optimized handshakes, and key refreshing.
IP Security
• IPSec is different from the other protocols in that it does not operate at the application layer.
• SSL, TLS, and WTLS are aimed at providing secure communications over an inherently insecure network, whereas IPSec is aimed at making the Internet itself secure.
• It does this by providing authentication, integrity, and privacy services at the IP datagram layer.
• IPSec will become a more prominent solution when mobile devices start to support IPv6, which includes IPSec as part of the standard.
Other Security Measures
• Firewalls
• Virtual Private Networks
• Two-Factor Authentication
• Biometrics
• Security Policy
Firewalls
• Firewalls are the most common form of security implemented within organizations. They establish a network perimeter between what is public and what is private. A firewall is a set of software programs, usually located on a separate gateway server, that restricts access to the private network resources from users on other networks.
• At a lower level, a firewall examines each packet of network data to determine whether it should be forwarded to its destination.
• For mobile devices that have always-on connections, a personal firewall may also be useful. A personal firewall will block not only suspicious connections but also inappropriate content.
Virtual Private Networks
• A VPN allows a company to turn a public network into a private network.
• This technology allows remote workers to communicate with the corporate network in a secure fashion.
• Before VPN technology became available, dedicated leased lines were required to achieve the same result.
• VPNs present an additional benefit over leased lines by providing secure access from many locations, essentially anywhere an Internet connection is available.
• Mobile VPNs for devices on public networks are still in the early phases of adoption.
Two-Factor Authentication
• For some purposes, usually dealing with financial transactions, strong authentication is required.
• This involves using a two-factor approach, where users have to apply two factors to authenticate themselves.
• One factor is usually something the user knows, such as a PIN; the other is something the user has, such as a token card that generates a one-time password.
• Smart client applications inherently provide a form of two-factor authentication: first you must have the device to access the application; second, you must authenticate yourself to gain access to the application, as well as to any back-end system to which it connects.
Biometrics
• Even with the increased security of two-factor authentication, unauthorized users can compromise the system, for example by obtaining the PIN code and token card, thereby gaining access to the enterprise system.
• A stronger form of authentication is biometric authentication.
• Biometrics provides a wide range of techniques for authenticating an individual based on his or her unique physical characteristics. Such techniques include fingerprint identification, face recognition, voice recognition, or iris and retina scanning.
• Using biometric techniques, you can ensure that the identification token is indeed unique.
Security Policy
• The most important security measure is the adoption of a corporate security policy. Such a policy will outline all aspects of a corporation's security measures, including both technology and the use and disclosure of confidential information within the enterprise. Even if a corporation has implemented a very strong technical security solution, the overall system will still be insecure if its users do not follow corporate security guidelines. Remember, intruders will always attack the weakest link in a system. Unfortunately, this link is often the users themselves.
• Sometimes, very simple measures will dramatically increase overall security. For example, many PDA users do not lock the operating system when it is not in use. If the device is lost, nothing prevents another user from accessing the applications and corresponding data on the device.
WAP Security
• What are the security issues with WAP?
• How can organizations overcome them?
• In the WAP 1.x security architecture, two aspects of security need to be addressed:
  – Transport-level security. This aspect deals with the communication between the client applications and the enterprise servers. It involves two protocols: WTLS is used over the air, while SSL or TLS is used over the wire. This change in protocols is the basis of the major WAP security problem.
  – Application-level security. This aspect deals with the security of the client application. It involves digital signatures and encryption.
• WAP 2.x
Transport-Level Security
• Transport-level security, also known as channel security, deals with the point-to-point communication between a wireless client and the enterprise data source. This involves communication over both wireless and wireline channels. With WAP, data is encrypted during over-the-air transport using the Wireless Transport Layer Security (WTLS) protocol, and during over-the-wire transport using Internet security protocols such as SSL and TLS.
• The Wireless Transport Layer Security (WTLS) protocol was developed to address the unique characteristics of wireless networks, namely low bandwidth and high latency. It is a variation of the Transport Layer Security (TLS) protocol.
cont…
• The following are some of the major features added to WTLS which are not in TLS:
  – Support for other cryptographic algorithms. SSL and TLS primarily use RSA encryption. WTLS supports RSA, Diffie-Hellman (DH), and Elliptic Curve Cryptography (ECC).
  – Definition of a new compact public key certificate, the WTLS certificate. These are a more efficient version of X.509 certificates.
  – UDP datagram support. This impacts many areas of the protocol, from how data is encrypted to extra support for message handling, to ensure messages do not get lost, duplicated, or delivered out of order.
  – A key refresh option. The key is renegotiated periodically, based on the number of messages sent.
  – An expanded set of alerts. This adds clarity for error handling.
  – Optimized handshakes. This reduces the number of round-trips required in high-latency networks.
cont…
• WTLS also introduced three levels of authentication between the client and the gateway:
  – Class I WTLS. Anonymous interactions between the client and WAP gateway; no authentication takes place.
  – Class II WTLS. The server authenticates itself to the client using WTLS certificates.
  – Class III WTLS. Both the client and the WAP gateway authenticate to each other. This is the form of authentication used with smartcards.
cont…
• The WAP Gap: Unfortunately, at the same time WTLS improved on TLS for wireless communication, it also caused a major problem. Now that both TLS and WTLS are required within the WAP architecture, there is a point at which a translation between the two protocols occurs. From the client device to the WAP gateway, WTLS is used; from the gateway to the enterprise server, TLS is used. At this point, the WTLS content is decrypted and then re-encrypted using TLS.
• The content exists as plaintext while this transfer takes place, creating the so-called WAP gap. Keep in mind that the amount of time the content is unencrypted is minimal, and that the WAP gateway is not in the public domain, so there is still security in place. However, for many corporations this risk is still too great, as it presents a vulnerable point in the network, preventing end-to-end security.
• There are two options for alleviating the WAP gap:
  – Accept that the gateway is a vulnerable point and make every effort to protect it using firewalls, monitoring equipment, and a stringent security policy.
  – Move the WAP gateway within your corporate firewall and manage it yourself.
cont… WAP 2.x
• There are many new features in WAP 2.0, but none is as important as the move to standard Internet protocols. This move to using HTTP, TCP, and IP allows the TLS protocol to be used for data communication, thereby removing the need for WTLS. Once a single protocol can be used from the client device to the enterprise server, WAP can enable true end-to-end security, making the WAP gap a thing of the past.
Application-Level Security
• Application-level security is important for two main reasons:
  – when security is required past the endpoints of transport-level security;
  – when presentation content needs to be accessed but enterprise data does not. This can happen during transcoding, that is, when another markup language (often HTML) is being transformed into WML.
• The first scenario can be addressed using the techniques provided in the WML specification. In general, the default settings are set to the highest security.
• The second scenario can be addressed using WMLScript and the Crypto API. Using the signText function in the API, digital signatures can be created, opening the door for wireless PKI to manage and issue public key certificates. This technology allows for end-to-end encryption between the content provider (usually the enterprise) and the client.
Smart Client Security
• The smart client architecture does not depend on a gateway for protocol conversion, so it does not suffer from the WAP gap.
• The main areas of security concern for smart client applications include:
  – User authentication
  – Encryption of the client data store
  – Transport-level security
cont…
• User Authentication: Smart client applications store data directly on the device. To restrict access to this data, user authentication is required. A username/password combination is the minimal level of authentication that should be implemented.
• However you implement user authentication to the device and its data, it should not automatically authenticate the user to the enterprise server's data. At that level, a second form of authentication should be implemented.
cont…
• Data Store Security: With smart client applications, corporate data is stored locally on mobile devices. This data requires protection from unauthorized access, just as other parts of a mobile solution do. In many cases, requiring users to be authenticated before accessing the data is one step to securing this data. Another step is to encrypt the data store itself, making it impossible to view without providing the proper identification, ideally in the form of a digital certificate.
• Implementing both authentication and encryption in a single process is the best way to ensure the data remains confidential. The data store can be encrypted using the password as the seed to a symmetric key algorithm.
cont…
• Transport-Level Security: At the transport level, data encryption is required to secure the enterprise data being synchronized. Whether you are using a packaged synchronization solution or building one in-house, synchronization may be the most important part of the application to secure.
• Many of the smart client application vendors include 128-bit data encryption with their solutions. In this way, you can be assured that the data being transferred over public networks is private from the time it leaves the device to the time it reaches the enterprise server.
• Along with encryption, using a strong form of authentication, such as digital certificates, is recommended. In addition, try to keep the firewall around your corporate data as secure as possible; don't open any ports that are not absolutely required by your synchronization server.