2nd September 2004. Mobile Device Security. Jason Langridge, Mobile and Embedded Device Division. 2nd September, 2004.


1 2nd September 2004

2 Mobile Device Security
Jason Langridge
Mobile and Embedded Device Division
2nd September, 2004

3 Agenda
- Windows Mobile Security
  - Perimeter Protection
  - Anti-Virus and Firewall
  - Installation and Execution Control
  - Data protection
  - Authentication
- 3rd Party Solutions
- Futures
- Discussion

4 Ownership challenges (Device Owner, Enterprise, Phone Operator)
- Ensure device data protected
- Enable secure network access
- Deploy rich device apps
- Ensure secure device
- Ensure reliable device
- Operator specific configuration
- Enable rich device services
- Data access anywhere/anytime
- Ability to run rich applications
- Ensure secure device
- A reliable and secure device

5 Mobile Device Security Challenges
- Devices infrequently connected to an organisation’s network
- Many personal devices, yet expectation they should be managed by their employer
- Mixture of business and personal applications and data
- Large % of devices enter through the back door (>75%)
- Growing capacity > 1GB
- Pilots blur into production

6 Device Password
- 4-digit PIN (Pocket PC)
- Strong password (Pocket PC & SmartPhone)
- >4 digit PIN (Smartphone)
- Exponential delay with incorrect password
- Password protected ActiveSync partnership

7 1. Device Password – OEM
- Fingerprint reader
- HP iPAQ 5400 Series

8 Device Password – 3rd Party
- Picture sequence
  - Tells a story
  - Easy to remember
- Picture order changes
  - Avoid pattern recognition
  - Balances screen scratches
- Short and long sequence
  - Quick access short PIN
  - Incorrect PIN reverts to long PIN
Pointsec Software

9 Device Password – 3rd Party
Password Replacement
- Secures PDA access
  - Uses secret sign biometric
  - Sandia Laboratories Tested
- Scenarios
  - Information warfare
  - Homeland defense
  - HIPAA compliance
  - Enterprise security
Crypto-Sign™

10 Anti-Virus Software
- Built-in APIs for Anti-virus solutions
  - Computer Associates
  - F-Secure
  - McAfee
  - SOFTWIN
- Personal Firewall
  - Bluefire Security Technologies
  - Check Point VPN-1 SecureClient

11 Execution Control
- Smartphone now - Pocket PC in future release.
- Based on application signing and protects in two ways:
  - Installation
  - Execution
- Modes of operation
  - All apps allowed
  - Prompt user when un-signed app is trying to install or execute
  - Only signed applications (chaining to a trusted root certificate) are allowed
- Can revoke applications
  - By author (revoke a signing cert)
  - By executable (revoke a hash)
- Windows Mobile: Mobile-2-Market program
  - Run registered applications as unprivileged

12 Data Protection
- Limit the data to just what is needed….
- Cryptographic services for applications are built-in (Crypto API v2)
- SQL-CE provides 128-bit encryption (PPC only)
- 3rd Party options (Company: Product):
  - Applian Technologies: The Pocket Lock offers both file and folder encryption.
  - Asynchrony.com: PDA Defense for the Pocket PC encrypts databases, files, and memory cards.
  - Cranite Systems: WirelessWall provides AES data encryption for Pocket PCs.
  - Developer One, Inc.: CodeWallet Pro provides a secure way to store and access important information on your Pocket PC or Smartphone.
  - Handango, Inc.: Handango Security Suite for Pocket PC provides file and data encryption.
  - Pointsec Mobile Technologies: Pointsec for Pocket PC encrypts all data stored in the device, whether in RAM or on external storage cards.
  - SoftWinter: seNTry 2020 encrypts data on external storage cards.
  - Trust Digital LLC: PDASecure secures access to a Pocket PC and encrypts the data on it. It also prevents unauthorized infrared beaming of data.

13 Secure Connectivity Infrastructure
- VPN
- SSL
- Network Authentication
- Credential Manager

14 VPN
- Virtual Private Networking (VPN)
  - Secure connection via Internet to corporate network
- Support for:
  - PPTP
  - IPSec/L2TP
- No support for IPSec Tunneling Mode

15 SSL
- 128 bit encryption
- Server Validation
  - Verify Web server identity
  - Verify a trusted certificate authority issued the server’s certificate – “Walking the Chain”
- Client Validation
  - Uses certificate from MyStore

16 Network Authentication
- 802.1x technology for wireless LANs
  - Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) for certificate-based authentication
  - Protected Extensible Authentication Protocol (PEAP) for password-based authentication
  - WiFi Protected Access (WPA) for security without the back-end infrastructure
- Dial-up authentication - Windows NT® Challenge/Response
- Support for multiple networking and authentication protocols for accessing secure Web sites
  - SSL 3.1, Private Communications Technology (PCT), and Point-to-Point Protocol (PPP), as well as Wireless Transport Layer Security (WTLS) class 2 for accessing secure Wireless Access Protocol (WAP) sites.
- Authentication for Virtual Private Networking
  - Challenge Handshake Authentication Protocol (CHAP and MS-CHAP versions 1 and 2)
  - Password Authentication Protocol (PAP)
  - Serial Line Internet Protocol (SLIP) and PPP

17 Credential Management
- Credentials – Username/Password/Domain
- Stored per server
- Credential storage can be disabled for Enterprise customers

18 Summary of Windows Mobile Security Features
- Perimeter protection
  - Device lock: PIN, Strong, exponential delay
  - Authentication protocols: PAP, CHAP, MS-CHAP, NTLM, TLS
- Data protection
  - 128-bit Cryptographic services: CAPIv2
  - Code signing (SmartPhone only)
  - Anti-virus API
- Application Installation and Execution protection
- Network protection
  - OTA device management security
  - Secure Browsing: HTTP (SSL), WAP (WTLS)
  - Virtual Private Networking (PPTP, L2TP IPSec)
  - Wireless network protection (WEP, 802.1x, WPA)

19 References
- Windows Mobile Security White paper
  - http://www.microsoft.com/windowsmobile/resources/whitepapers/security.mspx
- Security Product Solutions
  - http://www.microsoft.com/windowsmobile/information/businesssolutions/security/secsearch.aspx

20 3rd Party Solution Providers
- Signature authentication
  - Certicom Corporation
  - Communication Intelligence Corporation
  - TSI/Crypto-Sign
  - VASCO
- Enhanced password protection
  - Hewlett-Packard
- Pictograph authentication
  - Pointsec Mobile Technologies
- Fingerprint authentication
  - Biocentric Solutions Inc.
  - HP iPAQ 5400
- Card-based authentication
  - RSA Security
  - Schlumberger Sema
- Certificate Authentication on a Storage Card
  - JGUI
- Software Storage Encryption
  - F-Secure
  - Pointsec Mobile Technologies
  - Trust Digital LLC
- Encrypt Application Data
  - Certicom Corporation
  - Glück & Kanja Group
  - Ntrū Cryptosystems, Inc.
- Virtual Private Networking
  - Certicom Corporation
  - Check Point Software Technologies Ltd.
  - Columbitech
  - Entrust, Inc.
  - Epiphan Consulting Inc.
- Disable Applications
  - Trust Digital LLC
- Device Wipe
  - Asynchrony.com
- Public Key Infrastructure (PKI)
  - Certicom Corporation
  - Diversinet Corp.
  - Dreamsecurity Co., Ltd.
  - Glück & Kanja Group
- Thin Client Technology
  - Citrix
  - FinTech Solutions Ltd.
  - Microsoft

21 Discussion
- Is Security a significant barrier to you deploying mobile devices today?
- What key elements are we missing from our product set?

22 Application Security
- Mobile2Market process
  - Build app
  - Logo test app with M2M test house
  - Purchase certificate from M2M CA
  - Sign app and submit to CA for countersign w/ M2M cert
  - Create and sign CAB, and submit to CA for countersign
  - Submit to M2M catalog
- Differences with Windows Desktop
  - Desktop does not have code signing for normal apps (only drivers, VBA, ActiveX controls)
  - No online revocation
  - Code signing happens at CA service (not offline)
  - In most device configurations, every app must be signed with a recognized id
  - Run/block decision made by MO, not user (usually)

23 Native Application Privileges
- Locked Device: Block all; Only MO apps
- Closed Device: Run signed only
- Default Config: Run w/ prompts
- Open device: Run everything Trusted

24 Certificate Stores
- Root Store
  - Contains trusted intermediate authorities (Trusted CAs)
  - Contains certificate roots trusted for secure web sessions (https)
  - Operators should not need to add certificates to this store
- My Store
  - User personal certificates
  - Operator should not add certificates to this store
- SPC (Software Publishers Certificate)
  - Root of trusted software publishers whose applications are allowed to install on the device. M2M (Mobile to Market) certificates are already here
  - Operators may install certificates here if interested in managing application downloads (recommended)

25 Certificate Stores
- Privileged Store
  - Root certificates in this store define which signed applications can access privileged APIs
  - Operators must add root certificates to Privileged store to allow privileged applications to be signed for execution
- Unprivileged Store
  - Root certificates in this store define which signed applications can access unprivileged APIs. M2M certificates are already here
  - Operators may add their own root cert or partner cert here if they implement a closed device. Reliance on M2M cert is recommended

26 Certificate Management
- How to add or manage certificates
  - Flashed to operator ROM region and invoked during cold boot
  - Push XML provisioning file Over the Air (OTA)
  - Browse a site with hyperlink to .CPF file
  - Use MMC/SD card that contains .CPF file
  - Push XML file over the desktop ActiveSync via USB cable or IR port

27 Revocation
Right to recourse against misbehaving apps.
- Revoke an individual app
  - Device never runs BadNews.exe
- Revoke a specific developer
  - Device never runs apps from JunkApps.com
- Revoke signing cert
  - Never run apps from developers cleared by FlakeySign cert authority
All of these revocations can be performed Over-the-air
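
The execution-control modes (slides 11 and 23) and the revocation options (slides 11 and 27) can be read as one decision procedure. The Python model below is an added example, not code from the presentation or from Windows Mobile; the `Policy` and `decide` names, the use of SHA-256, the revocation-first ordering and the reading of "Only MO apps" as chaining to an operator root are assumptions.

```python
import hashlib
from dataclasses import dataclass, field
from enum import Enum

class Mode(Enum):            # configurations named on slides 11 and 23
    OPEN = "run everything"
    PROMPT = "prompt on unsigned"
    CLOSED = "signed only"
    LOCKED = "operator apps only"

@dataclass
class Policy:
    mode: Mode
    trusted_roots: set = field(default_factory=set)   # roots apps may chain to
    operator_roots: set = field(default_factory=set)  # mobile operator (MO) roots
    revoked_certs: set = field(default_factory=set)   # developer or CA certificates
    revoked_hashes: set = field(default_factory=set)  # individual executables

def image_hash(image: bytes) -> str:
    # SHA-256 is an assumption; the slides do not name the hash algorithm.
    return hashlib.sha256(image).hexdigest()

def decide(image: bytes, chain: tuple, policy: Policy) -> str:
    """Return "run", "prompt" or "block". chain lists certificate names
    leaf-first, root last, and is assumed to be cryptographically verified
    already; an empty tuple means the app is unsigned."""
    # Revocation is checked first so that it overrides every mode (assumption).
    if image_hash(image) in policy.revoked_hashes:
        return "block"                      # revoke by executable
    if any(cert in policy.revoked_certs for cert in chain):
        return "block"                      # revoke by author or by issuing CA
    if policy.mode is Mode.OPEN:
        return "run"
    root = chain[-1] if chain else None
    if policy.mode is Mode.LOCKED:
        return "run" if root in policy.operator_roots else "block"
    if root in policy.trusted_roots:
        return "run"
    return "prompt" if policy.mode is Mode.PROMPT else "block"

# Constructed sample data; the names echo the examples on slide 27.
BAD_NEWS = b"constructed bytes standing in for BadNews.exe"
GOOD_APP = b"constructed bytes standing in for a signed app"
POLICY = Policy(Mode.CLOSED, trusted_roots={"M2M Root"},
                operator_roots={"Operator Root"},
                revoked_certs={"JunkApps.com", "FlakeySign"},
                revoked_hashes={image_hash(BAD_NEWS)})
```

Calling `decide(GOOD_APP, ("DevCo", "M2M Root"), POLICY)` returns "run", while the same bytes signed through a revoked author or CA certificate are blocked whatever the mode.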

