IGillottResearch An Introduction to Wireless Security WebCast Iain Gillott Charul Vyas April 23, 2002.


Agenda
- Security Basics
- Mobile Security
- Why is Mobile Security important?
- Can we have too much security?
- Authentication
- WLAN Security
- Recommendations

Security Basics
- AAA: Authentication, Authorization, Auditing
  - Identity of an end user is verified, e.g. biometric
  - Remote access dial-in user service (RADIUS) is the best known and most widely used AAA protocol
- Nonrepudiation
  - In the physical world, nonrepudiation is achieved through handwritten signatures
  - Digital signatures — a string of unique bits attached to a message — fill that need
  - The challenge is that there is very little legal recognition yet for digital signatures
- Encryption
  - Process of encoding information in such a way as to make it inaccessible

Security Basics …
- PKI
  - Digital certificates (“certs”) are electronic credentials that bind the identity of a certificate owner to a pair (public and private) of electronic keys that can be used to encrypt and sign digital information
  - Not an end-all security method because digital certificates from different vendors do not interoperate
- Wireless PKI
  - Issue is limited UIs, processors, bandwidth, memory, battery life on mobile devices
  - Limited effectiveness of PKI

Security Basics …
- IPSec: IP security
  - Implemented at the IP layer (Layer 3 of the OSI Model)
  - Creates secure tunnels between users and/or hosts
  - Encapsulates each data packet in a new packet
  - Contains the information necessary to set up, maintain and tear down the tunnel when it is no longer needed
  - Designed to provide VPN technology and connectivity
- SSL: Secure Sockets Layer
  - Very effective in securing communications in an open user group
  - Originally developed by Netscape
  - Adopted by the IETF as the transport layer security (TLS) protocol
  - WAP Forum has incorporated a modified version of SSL/TLS technology into its WAP specification, calling it wireless TLS (WTLS)

Mobile Security: Why is Mobile Security Important?
- Recent proliferation of wireless data capable devices
- Enterprises and individuals are beginning to make use of wireless data
  - Access corporate data and applications
- Wireless is a shared medium
  - Inherently less secure than conventional wireline connectivity
  - Steps need to be taken to ensure the privacy and authentication of data transmitted
- Security becoming increasingly important to enterprises
  - Security concerns are cited as a main reason why companies do not go mobile
  - In many cases, perception of problem greater than the actual problem

Why is Security Lacking?
- Problems with mobile and portable solutions
- Two main issues:
  - Lack of user authentication to the device and/or network
  - Lack of encryption or sufficiently strong encryption to deter motivated intruders
- Good security starts with four basic principles: AAA (authentication, authorization and auditing), integrity, privacy and nonrepudiation
- Besides the authentication issues, wireless suffers from lack of strong encryption, or lack of any type of encryption at all

Can we have too much Security?
- Problem is that we can make a solution so secure it is unusable
- If a user needs a PIN, blood sample, retina scan and PKI just to check a bank balance, few will use the application
- Only the User can decide what level of security is appropriate for specific applications
- Security profiles therefore need to be portable …and flexible

WAP and WTLS
- WAP security is provided by the wireless transport layer security (WTLS) protocol
  - Based on SSL
  - Optimized for use in the high latency, low bandwidth wireless networks
  - Provides data integrity, confidentiality/privacy, and authentication
- WTLS has three different classes:
  - Class 1
    - Uses an unauthenticated Diffie-Hellman key exchange to establish the session key
  - Class 2
    - Forces server-side authentication using public key certificates
    - WTLS certificate used by WAP is “thinner,” having been optimized for use on wireless networks
  - Class 3
    - Implements the server-to-client/client-to-server mutual authentication that is optionally used in SSL
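
An added example, not part of the original slides: a toy Diffie-Hellman exchange showing what the server authentication of Class 2 adds over the unauthenticated exchange of Class 1. The group parameters, function names and the use of a key fingerprint as a stand-in for certificate validation are assumptions made for illustration; this is not WTLS itself.

```python
import hashlib
import secrets

# Toy group, constructed for illustration only: far too small for real use.
P = 2**127 - 1  # a Mersenne prime
G = 3

def keypair():
    """Return (private exponent, public value) in the toy group."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def session_key(priv, peer_pub):
    """Derive a session key from the Diffie-Hellman shared secret."""
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).hexdigest()

def fingerprint(pub):
    return hashlib.sha256(pub.to_bytes(16, "big")).hexdigest()

def handshake(server, relay=None, authenticate=False):
    """One exchange. relay is an intermediary's keypair that replaces the
    public values in transit. authenticate=True models Class 2: the client
    checks the server's value against the fingerprint taken from a
    certificate it trusts (assumed to be validated out of band)."""
    s_priv, s_pub = server
    c_priv, c_pub = keypair()
    cert_fp = fingerprint(s_pub)  # what the certificate vouches for
    r_priv, r_pub = relay if relay else (None, None)
    to_client = r_pub if relay else s_pub
    to_server = r_pub if relay else c_pub
    if authenticate and fingerprint(to_client) != cert_fp:
        return {"status": "rejected", "relay_knows_client_key": False}
    client_key = session_key(c_priv, to_client)
    server_key = session_key(s_priv, to_server)
    relay_knows = bool(relay) and session_key(r_priv, c_pub) == client_key
    return {"status": "established",
            "keys_match": client_key == server_key,
            "relay_knows_client_key": relay_knows}

if __name__ == "__main__":
    server, relay = keypair(), keypair()
    print("Class 1, no intermediary:", handshake(server))
    print("Class 1, intermediary   :", handshake(server, relay=relay))
    print("Class 2, intermediary   :", handshake(server, relay=relay, authenticate=True))
```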

The WAP Gap
- Two legs on the data path from a WAP handset through gateway to content server
  - From the content provider to the WAP gateway in the carrier network via IP and SSL
  - From the carrier WAP gateway to the handset via WAP and WTLS
- The WAP gap is the result of having to convert between WTLS and SSL
- WAP Forum responded by removing the WAP gap in version 2.0 through the use of:
  - Dynamic proxy navigation (DPN)
  - Manual proxy navigation (MPN)

Viruses
- There have been few instances of viruses that targeted wireless devices
  - One Palm OS
  - No real viruses on the Symbian OS
  - No known malware for Windows Pocket PC devices
  - Yet …
- As more smart devices enter the market it is likely that more viruses will spring up
- Just as broadband wireline connectivity allows always-on access, so too will IP-enabled phones …
- Such exposure in the wireline world means that personal firewall software on the modem/PC is a must …
- It is reasonable to expect such firewall applications will be needed on IP phones

Authentication
- Robust user authentication will help solve many of the problems discussed
- Accomplished via a variety of methods:
  - Strong username/password access implemented consistently across all devices deployed by the enterprise
  - Use of token-based access, such as SecurID
    - Requires live access to the SecurID server so the entered PIN can be matched against the server’s expectations
  - Biometric solutions integrated into the device itself or on a smart card
  - PKI could also be implemented on the smart card and phone/device, with key exchange and certificate validation happening when the card is inserted into the phone
- The best user authentication is two-factor based
  - Username/password in combination with a token; or with biometrics

WLAN Security
- Security Flaws
  - PKI can be used to address the failing of 802.11b’s security mechanism, wired equivalent privacy (WEP)
  - WEP is flawed because
    - Algorithm itself uses too short a key: 40 bits
    - Keys are shared between the client and its access point
    - Basic WEP contains no provision for the secure distribution and management of those keys
- Fixes
  - IPsec VPNs are the best and easiest way to secure WLANs
  - Security can be extended to a local domain of WLAN users as well as to those users that remotely access the network
  - IPsec also contains standard provisions for key distribution and management

WLAN Security …
- Authentication
  - IEEE is currently working on the 802.1x standard which incorporates extensible authentication protocol (EAP) support into networks
  - As a result, WLANs can use RADIUS servers, quite often already deployed within an enterprise, to authenticate users

Recommendations
- No one can guarantee airtight security
- Enterprises can take steps to increase security
- Should not be an issue that stops wireless solution implementation
- Recommendations:
  - Adopt and enforce a corporate-wide policy governing the use of mobile devices
  - Selected devices should contain support for current security/technology standards
  - User-to-device/user-to-network authentication technology is available and should be deployed
  - Understand that deployment of wireless PKI, in either a mobile and/or portable environment, is risky
  - Security fixes from one WLAN provider may not carry over to another vendor
  - Consider IPsec VPNs as a way to secure the WLAN

Recommendations …
- Test the hackers’ weapons against the network
- Do not allow employees to install their own WLANs
- For Wireless Vendors
  - Does your solution support the necessary security?
- Security is a long term issue
  - As IP networks and devices proliferate, new issues will arise
    - Management of physical device
    - Management of keys, etc.
    - Network management
    - Virus protection
    - RADIUS management

Questions?
Iain Gillott, Charul Vyas (512) (512)