Security for mobile devices in the enterprise
Victor Tsai
8/28/2003 2:52 PM EDT
Data mobility and accessibility are necessities in today's business environment. Professionals want to stay connected while they are traveling, and businesses strive to improve productivity and streamline operations by making relevant information accessible to their mobile work force.
As a result, in addition to accessing data through traditional means with laptop PCs and network connections, business professionals increasingly acquire information with PDAs, mobile phones and other small handheld devices that use wireless links. These innovative connectivity devices pose new challenges for maintaining data security.
According to an August 2001 report from the market-research firm Gartner Dataquest, "Much of the focus in mobile and wireless security has been on protecting the over-the-air signal. However, Gartner believes the largest category of risk today is in the data that is stored on the mobile device, whether on a cellular telephone, PDA or laptop computer."
IT managers are finding it difficult to maintain data security and access control when their enterprise environment encompasses a diverse range of mobile hardware, operating systems and host-specific applications that have various security capabilities.
That's because most mobile devices are functionally less capable than laptop PCs and possess few, if any, built-in security features. Moreover, mobile devices are small and much more likely to be lost or stolen than a laptop PC. Many IT managers recognize that it's highly prudent to implement extra data security measures that can prevent unauthorized persons from acquiring sensitive information given to mobile workers.
Enterprise security is multifaceted and various technologies are available to solve specific problems. Unfortunately, many of those technologies don't address the security needs of mobile devices. Software solutions are generally vulnerable to persistent malicious attacks. Moreover, security software typically is customized for a specific platform, thus limiting compatibility and portability to other platforms. Hardware solutions often require add-ons or hardware changes that discourage adoption. To be effective, solutions for mobile data security must perform three main functions.
Specifically, they must:
Transferring data securely
To secure a data communication channel, end-to-end encrypted communication must be implemented between trusted terminals. The terminals have to exchange the proper authentication and certificate. A virtual private network (VPN) is the preferred connectivity solution for implementing secure data communication. Unfortunately, mobile devices generally aren't trusted terminals.
Moreover, loading and configuring VPN client applications on multiple types of mobile devices isn't easy. Also, a secure "vessel" is required to protect VPN secret keys and certificates against malicious attacks.
Methods often used to safeguard confidential data in a mobile device from unauthorized access include locking out access to the device by a password and encrypting the data files with a key. Password lockouts can be easily defeated if the attacker can gain access to the internal components of the mobile device that stores the data. The problem with encryption algorithms is that, to be sufficiently robust, they require longer keys than are practical for most users of mobile devices.
Viruses and malicious code can compromise data security by hijacking applications and services on the mobile device. One solution, antivirus software, requires that users and administrators be vigilant in keeping the software current. And even when it is current, the software may provide little or no protection against new viruses.
Memory card solutions
Fortunately, there is now a convenient, cost-effective security approach for mobile devices, one that performs all the functions required to protect confidential data while facilitating the data mobility and accessibility needed by authorized mobile professionals: security solutions based on secure memory card technology from Renesas Technology Corp.
The cards utilize the existing memory card expansion slot on mobile devices, meaning the user doesn't need an add-on card reader. These card products incorporate security functionality derived from Renesas' expertise in smart card technology, such as hardware tamper-resistance module (TRM), public key infrastructure (PKI) and secure data storage. These features allow the memory to act as both the secure container of digital certificates and the application platform for the VPN client and other data security applications.
As a result, the mobile device can establish secure connectivity for remote access of information and store data securely for local access.
Renesas secure memory card technology utilizes the hardware TRM to protect sensitive information and assure security integrity. To gain access to the TRM, the user must authenticate to the card that he or she has access authority. In contrast to user-authentication software for mobile devices, the user-authentication process takes place in the hardware of the secure memory card instead of on the host device. The secret information or certificate, or both, for authenticating the user is never exposed to the host device. This reduces the risk that security will be compromised.
Another benefit of the technology is that there is very little opportunity for viruses and malicious code to defeat the security functions installed in the mobile device. That's because the product is a self-contained security device. Most of the security functions reside and are executed in the card's hardware, and the communication between the card and the remote host can be protected by secured communication sessions.
The PIN Secure MultiMediaCard (PIN SecureMMC) is a product based on Renesas secure memory card technology. This limited-access flash memory card is based on the popular, proven MultiMediaCard format. The card prevents unauthorized data access by a combination of PKI encryption technology, the hardware tamper-resistant module that contains a cipher engine and secure data storage, and hardware-based user authentication. The card's PKI technology and a robust digital-rights-management system safeguard the transfer of and access to data such as the tokens, PIN codes and decryption keys that are stored in the TRM.
The rugged, easily transportable PIN SecureMMC cards are a cost-effective removable storage medium for restricted-access enterprise applications. They're fully compatible with standard MultiMediaCards and currently have 32- and 64-Mbyte storage capacities. (The technology road map extends to 128 Mbytes and beyond.)
The cards have a built-in memory controller and a seven-pin serial interface for easy system integration. Their memory array uses the advanced Renesas multilevel-cell AND-flash technology. Protected data is stored in an encrypted form and the license keys to decrypt that data and the PIN code to the license keys are stored in the TRM. The cards include a built-in error-correction capability and require no external programming voltage.
They offer damage-free powered card insertion and removal and provide 4-kV electrostatic discharge protection.
To prevent unauthorized personnel from obtaining or modifying protected data, the license keys can be accessed only after the user is authenticated by a correct PIN input. Authentication takes place within the secured environment of the TRM, so the secret PIN code is never exposed to the unsecured environment of the host system.
The PIN SecureMMC card is a host-independent medium that allows two convenient methods of safe data dissemination. Authorized individuals can obtain secured content via pre-programmed, plug-and-play memory cards. Alternatively, they can download the files via intranet or Internet channels into a PIN SecureMMC card inserted in a mobile device.
The flexible MultiMediaCard format can accommodate additional security-oriented technology advances. For example, Renesas is exploring a concept of integrating smart card chips that are common in mobile phones and bank cards into secure memory cards. The product concept, code named the X-Mobile Card, has the potential to transform mobile devices into mobile commerce platforms. It would be designed to make possible highly secure mobile financial transactions, not to mention a new generation of portable data security applications.
Devices based on the X-Mobile Card concept will be much more than just another form of writable/readable storage media. They will offer a memory function, content protection, user authentication and network and security functions. That is, they will have the large memory capability of MultiMediaCards, plus the smart-card features that enable secure subscription services, banking transactions, network and data access, and identity verification.
Design goals call for extra computing and cryptographic functions and greater protection against data theft and unauthorized use. The new type of Renesas secure memory card would combine large data storage with high-security technology and maintain backward compatibility to the existing legacy host system of the MultiMediaCard. The cards would support a span of applications that need from low levels to high levels of security.
Renesas started the developer program, X-Mobile Card Developer Studio, in April to create a support structure for developers to design value-added security applications based on X-Mobile Card. Once a developer joins the developer program, he or she can gain access to developer tool kits and specifications to jump-start application development. As part of a larger community, the developer can leverage the developer program in the promotion of his or her products.
Victor Tsai is segment marketing manager for the system business unit at Renesas Technology America Inc. (San Jose, Calif.).



