From: www.itworld.com

Experts ponder securing the wireless world

by Cameron Crouch

April 12, 2001

As security experts watch the airwaves get crowded with wireless transmissions
of voice and data, they see their field becoming more vital--and more
complicated--in this world of mixed network protocols.

Unlike the Internet, which uses only a handful of standard protocols, the wireless
world is built on many disparate protocols that don't necessarily work together
at all. This lack of standards complicates the security of wireless networks,
which discourages their wider adoption.

Effective security requires widely accepted standards, agree security gurus
and vendors at the RSA Conference here this week. Discussion at the gathering
has tackled proposed new protocols, algorithms, and networks for both the wired
and wireless worlds.



While still in their infancy, wireless broadband and other forms of wireless
networking, including home LANs, show great promise as an alternative to wired
services used by businesses and home users. But unless the security of those
networks can be assured, the young industry could be stillborn, the security
experts warn.

To protect you, these networks will have to incorporate new security protocols
and algorithms as well as some existing methods found on the wired Internet.
But agreeing on which standards to adopt may be as big a challenge as getting
the high-speed services out the door.

New toys raise risks

"Modern expectations of the Internet include [service that's] always on,
handy, and immediate as well as secure," says Shawn Abbot, president of
IVEA Technologies, a developer of security infrastructure products for e-commerce.
"But the challenge of these connected personal devices is that they put
more personal data into cyberspace, raising the threat to privacy."

The most dire risks include forms of identity theft. Someone might learn and
misuse your personal information through eavesdropping or information tapping,
Abbot says.

Also, marketers are eager for the opportunities offered by global positioning
functions, which could let them target ads or services based on your location.
But "location-based services only magnify these threats, increasing the
need for trust from consumers," Abbot adds.

Current networks won't do

Today's mobile phone and paging networks--used for wireless devices--weren't
really designed to meet the security needs of transactions, corporate communications,
and network-based personal profiles, the experts agree.

The traditional mobile phone network has limited security, says Yiqun Lisa
Yin, research leader at NTT DoCoMo's Multimedia Communications Labs. "The
proprietary protocols and algorithms only provide security for the air interface
and not the whole network," Yin says.

The air interface in traditional cell phone networks includes the traffic between
the handset and the cellular base station, Yin says. Then, the base station
connects to a core network for the carrier, often with little security between
them, she adds.

On the reverse end, Internet data connects to the core network through a wireless
application protocol gateway. There, it is temporarily decrypted and then re-encrypted
in a mobile-phone-friendly format, Yin says.

That WAP (wireless application protocol) gap isn't a big deal for simple applications,
but it's becoming more important with transaction services, Abbot agrees.

But Yin urges security improvements not for the gateway, but for every link
in the network. She says security in traditional networks is not flexible enough
to handle new attacks, or even to be beefed up to support new applications like
commerce.

New speeds require better security

Besides security, wireless nets need a speed boost to support sophisticated
WAP services, Abbot says. Today's circuit-switched mobile phone networks are
simply too slow. "Until packet-switched networks dominate, WAP won't be
that great," he adds.

GPRS, a packet-switched network extending from today's GSM (Global System for
Mobile telecommunications) system, promises speeds up to 150 kilobits per second,
a sizable improvement when compared with the 9.6 kbps of current GSM systems.
GPRS uses limited bandwidth efficiently and can send and receive small bursts
of data, such as e-mail and Web browsing.

But with that speed comes the need for better security to support the many applications
that speed makes possible. Several standards offer answers, Yin says.

One contender, 3GPP, is based on the architecture of GSM and addresses many
security weaknesses of today's networks, Yin says. It adds mutual authentication
and strong cryptographic algorithms, and can incorporate new services, she says.

3GPP secures every link in the mobile network, not just the air interface between
phone and base station, Yin adds.

Like 3GPP, the WAP standard is also being modified for better security. Many
enhancements bring it closer to the wired Internet protocols, making it easier
to do full Web-style transactions and exchanges, Abbot says.

Today, WAP supports Wireless Transport Layer Security (now known as TLS), an
optimized version of Secure Socket Layer designed for mobile devices. A dominant
standard for secure transactions on the Internet, SSL works by using a private
key to encrypt data that's transferred over the connection.

The WAP 2.0 protocol, however, will include SSL, he adds. "Newer wireless
devices will probably move to SSL or some hybrid of WTLS and SSL," Abbot
adds.

Speed is on the way

Although 3G services here won't roll out before the end of this year, Yin says
NTT DoCoMo will launch the first third-generation services in Japan in May,
offering transmissions of 64 to 384 kbps. The NTT DoCoMo services will use
WCDMA, the third-generation iteration of the Code Division Multiple Access network.
CDMA is in common use in the United States, notably by carriers like Verizon
and Sprint PCS.

Mobile users can look forward to 3G networks not only for more data services,
but multimedia and mobile commerce as well, Yin notes.

And with those new applications come more security issues, because third parties
will become involved in what was previously a carrier-to-consumer exchange.
And, of course, general download risks increase with the increased use of multimedia
content and applications, Yin says.

She suggests new technologies like smart cards to keep these new networks secure.
Smart cards can support encryption and authentication, and can even add new
applications to devices, Yin says. Another option is biometric authentication,
to ensure only you can access your data.

Smart cards aren't showing up in phones in the United States or Japan yet,
but NTT DoCoMo offers this additional peek at the future: Yin says DoCoMo has
plans for phones with two slots for smart cards. With that capability comes
another slew of security and application possibilities.