Wireless calls for flexible, embedded tech

Within a relatively short time, wireless communication has evolved from a novelty into an integral part of everyday life. In fact, market research firm Meta Group Inc. reported last year that over the next few years, more than 50 percent of enterprises will deploy personal digital assistants and smart phones for communication, coordination, planning and other corporate activities.

With the growth of 2.5G and 3G devices, there is an ever-increasing number of new and complex applications being packed into mobile devices, creating loopholes that may compromise security. As a result, mobile operators and users may face such security risks as lost or stolen devices; loss of service (spam); malicious attacks (viruses or Trojan horses); data or identity theft or both; or unauthorized access to enterprise resources.

The security requirements of the operator differ from those of consumers and enterprise markets. Operators need a reliable method to deliver and store important data, as well as secure software updates, commercial support, content protection, efficient use of bandwidth and standards-based interoperability.

Enterprise requirements are even more complex, often involving the extension of internal applications to wireless users. These can range from calendar and e-mail programs to customer-relationship management, sales-force automation and inventory applications. The enterprise will demand strong user authentication, access control and the ability to work in the existing infrastructure.

Even more restrictive are the requirements of government users. Not only do they demand the same level of security as the enterprise, but the security solutions they implement must integrate approved cryptography. Ideally, the products they implement are validated to Federal Information Processing Standard (FIPS) 140-2.

So what does all of this amount to? A recognition that the same device in the hands of different users may be required to deliver widely varied levels of security, making it necessary for manufacturers to include a flexible and interoperable set of underlying security components.

There are many challenges when one is trying to embed security on a constrained device. There are limitations introduced by the processor, operating system, memory and, finally, the wireless-communications channel.

One popular method of extending applications to wireless devices is to use middleware. Typically, that approach involves a client and a server component that is designed to securely deliver a specific application such as messaging or sales force automation. The problem is that the built-in security varies widely, so the solutions that implement open, standards-based protocols are the ones to consider when choosing middleware.

The reason is that corporations want to use standards-based security protocols because they can operate with existing enterprise security policies and infrastructure. Further, security protocols need time to develop and mature. That's why it's so important to have standards-based security protocols open to public scrutiny and testing.

So the answer to wireless security is right in front of us. Wireless is just another connectivity option and should be treated as such. Security technologies that are widely deployed in the wired world -like the Secure Sockets Layer, (SSL), Internet Protocol Secure (IPsec) and S/MIME-should be used in the wireless world and adapted to its needs.

An SSL-enabled browser can be used on a wireless handheld for secure Web access and Web mail. Many small and midsized organizations already use SSL virtual private networks (VPNs) to access corporate e-mail and the intranet. This may be the best solution if the enterprise already has Web-based security.

Securing the gateway

On the other hand, many such organizations have already deployed VPN gateways to allow users access to the enterprise network with almost no restriction on application or protocol. Here the VPN is truly a secure extension of the local-area network. It is effective in offering the user the experience of being on the LAN from anywhere. To extend this experience to wireless, the device must run a VPN client application (IPsec embedded) that interoperates with market-leading VPN gateways. This is an attractive solution for those who already have a VPN gateway security infrastructure.

For an added level of security, S/MIME actually secures the e-mail so that e-mails are stored encrypted on mail servers and can be opened only by the intended recipient. In other words, without S/MIME, when an e-mail is sent it sits on a number of different mail servers in the clear, even if the transport is secure, so anyone having access to the mail server can see the e-mails.

Again, in order for S/MIME to work on a mobile device the wireless e-mail client must support S/MIME or have an added plug-in that operates with desktop e-mail clients and e-mail servers.

Adding new core functionality to a wireless device presents a number of challenges, especially when that functionality is as sophisticated and potentially resource- and power-intensive as security. Manufacturers, then, must constantly strive for an optimal balance between what a device can do and how well it can do it.

Unlike the PC environment, where multiple cryptographic services can run simultaneously, the constrained environment must offer a single set of reliable, interoperable services that can be used to build any secure application. The bottom line is that the standards-based security protocols discussed above must be optimized for a mobile environment.

The common cryptographic service provider must address the following:

• A simple API that allows developers to focus on system-level concerns and eliminates the hardware security-integration process.

• Interoperability with proven standards and protocols, including SSL, IPsec, PKI and authentication standards.

• Cryptographic acceleration, secure key storage and true random-number generation operations, all done on the chip.

• Offloading of the public key to DSP to increase operational speed.

All of the above must be achieved with extreme code efficiency and within a minimal footprint.

The ideal solution is a wireless security architecture that has a cryptographic engine at its core with a common set of APIs that can support many different security requirements. This common Cryptographic Service Provider (CSP) would contain appropriate APIs that allow developers to quickly and easily embed interoperable security protocols.

The CSP can be built entirely in software; however, manufacturers can dramatically improve performance by making hardware/software trade-offs. There are changes that can be made to hardware that will dramatically improve security at almost no cost. Organizations should choose elements that will remain static for the life of the device. Good candidates for hardware implementation are: true hardware-based random-number generation; crypto hardware accelerators supporting DES, Triple DES, AES, SHA-1 and other standards-based security operations; a secure boot loader for device-code integrity, including code signing; and a secure-execution mode, enabling secure key storage and run-time authentication.

Upper-layer security protocols such as SSL, IPsec, S/MIME, firewall, antivirus and authentication methods change over time and are too big to implement in hardware. These components should be optimized to run on the target platform within the embedded operating system. Optimized implementations of these security protocols are an order of magnitude smaller than code found on the PC platform. For example, SSL can be implemented in 100 kbytes, vs. the 1-Mbyte-plus code size on a standard PC.

In other words, with this CSP on the processor, security components in the operating system-algorithms, SSL, IPsec, PKI and so on-execute natively at the hardware level and take advantage of the many resources available there, from acceleration to security-object storage.

Securing today's-and tomorrow's-wireless devices is complicated by the fact that so much varies depending on who the users are, what type of information they're dealing with, their mode of network access and the nature of the existing security infrastructures with which they may be interacting.

Wireless security is a necessity, and that need will only grow over time. While standards and protocols wrestle with liabilities at the network level, manufacturers have an opportunity to provide devices to their customers that offer a full range of built-in security.

Security applications can be built to enhance device performance by capitalizing on the integrated cryptographic service provider proposed above. The CSP guarantees the reliability of the security architecture and offers a trusted computing environment. Other benefits include time-to-market, performance, reliability, interoperability and small code size.

The conclusion, then, is that security is best embedded within the architecture of the device itself, rather than delivered externally via an add-on component or cumbersome extension.

Any security solution that is adopted must be transparent to the user and must exert only a minimal impact on device performance.

Tony Rosati is vice president of marketing and product management at Certicom Corp. (Mississauga, Ont.).