Experts ponder securing the wireless world

April 13, 2001
Web posted at: 10:23 a.m. EDT (1423 GMT)


By Cameron Crouch

SAN FRANCISCO, California (IDG) -- As security experts watch the
airwaves get crowded with wireless transmissions of voice and data, they
see their field becoming more vital -- and more complicated -- in this
world of mixed network protocols.

Unlike the Internet, which uses only a handful of standard protocols,
the wireless world is built on many disparate protocols that don't
necessarily work together at all. This lack of standards complicates the
security of wireless networks, which discourages their wider adoption. 

Effective security requires widely accepted standards, agree security
gurus and vendors at the RSA Conference here this week. Discussion at
the gathering has tackled proposed new protocols, algorithms, and
networks for both the wired and wireless worlds.

While still in their infancy, wireless broadband and other forms of
wireless networking, including home LANs, show great promise as an
alternative to wired services used by businesses and home users. But
unless the security of those networks can be assured, the young industry
could be stillborn, the security experts warn. 

To protect you, these networks will have to incorporate new security
protocols and algorithms as well as some existing methods found on the
wired Internet. But agreeing on which standards to adopt may be as big a
challenge as getting the high-speed services out the door. 

New toys raise risks

"Modern expectations of the Internet include [service that's] always on,
handy, and immediate as well as secure," says Shawn Abbot, president of
IVEA Technologies, a developer of security infrastructure products for
e-commerce. "But the challenge of these connected personal devices is
that they put more personal data into cyberspace, raising the threat to
privacy." 

The most dire risks include forms of identity theft. Someone might learn
and misuse your personal information through eavesdropping or
information tapping, Abbot says.

Also, marketers are eager for the opportunities offered by global
positioning functions, which could let them target ads or services based
on your location. But "location-based services only magnify these
threats, increasing the need for trust from consumers," Abbot adds. 

Current networks won't do

Today's mobile phone and paging networks -- used for wireless devices --
weren't really designed to meet the security needs of transactions,
corporate communications, and network-based personal profiles, the
experts agree. 

The traditional mobile phone network has limited security, says Yiqun
Lisa Yin, research leader at NTT DoCoMo's Multimedia Communications
Labs. "The proprietary protocols and algorithms only provide security
for the air interface and not the whole network," Yin says. 

The air interface in traditional cell phone networks includes the
traffic between the handset and the cellular base station, Yin says.
Then, the base station connects to a core network for the carrier, often
with little security between them, she adds. 

On the reverse end, Internet data connects to the core network through a
wireless application protocol gateway. There, it is temporarily
decrypted and then re-encrypted in a mobile-phone-friendly format, Yin
says. 

That WAP gap isn't a big deal for simple applications, but it's becoming
more important with transaction services, Abbot agrees. 

But Yin urges security improvements not for the gateway, but for every
link in the network. She says security in traditional networks is not
flexible enough to handle new attacks, or even to be beefed up to
support new applications like commerce. 

New speeds require better security

Besides security, wireless nets need a speed boost to support
sophisticated WAP services, Abbot says. Today's circuit-switched mobile
phone networks are simply too slow. "Until packet-switched networks
dominate, WAP won't be that great," he adds. 

GPRS, a packet-switched network extending from today's GSM system,
promises speeds up to 150 kilobits per second, a sizable improvement
when compared with the 9.6 kbps of current GSM systems. GPRS uses
limited bandwidth efficiently and can send and receive small bursts of
data, such as e-mail and Web browsing. 

But with that speed comes the need for better security to support the many
applications that speed makes possible. Several standards offer answers,
Yin says. 

One contender, 3GPP, is based on the architecture of GSM and addresses
many security weaknesses of today's networks, Yin says. It adds mutual
authentication and strong cryptographic algorithms, and can incorporate
new services, she says.

3GPP secures every link in the mobile network, not just the air
interface between phone and base station, Yin adds.

Like 3GPP, the WAP standard is also being modified for better security.
Many enhancements bring it closer to the wired Internet protocols,
making it easier to do full Web-style transactions and exchanges, Abbot
says. 

Today, WAP supports Wireless Transport Layer Security (now known as
TLS), an optimized version of Secure Socket Layer designed for mobile
devices. A dominant standard for secure transactions on the Internet,
SSL works by using a private key to encrypt data that's transferred over
the connection. 

The WAP 2.0 protocol, however, will include SSL, he adds. "Newer
wireless devices will probably move to SSL or some hybrid of WTLS and
SSL," Abbot adds. 

Speed is on the way

Although 3G services here won't roll out before the end of this year,
Yin says NTT DoCoMo will launch the first third-generation services in
Japan in May, offering transmissions of 64 to 384 kbps. The NTT DoCoMo
services will use WCDMA, the third-generation iteration of the Code
Division Multiple Access network. CDMA is in common use in the United
States, notably by carriers like Verizon and Sprint PCS. 

Mobile users can look forward to 3G networks not only for more data
services, but multimedia and mobile commerce as well, Yin notes. 

And with those new applications come more security issues, because third
parties will become involved in what was previously a
carrier-to-consumer exchange. And, of course, general download risks
increase with the increased use of multimedia content and applications,
Yin says.

She suggests new technologies like smart cards to keep these new
networks secure. Smart cards can support encryption and authentication,
and can even add new applications to devices, Yin says. Another option
is biometric authentication, to ensure only you can access your data. 

Smart cards aren't showing up in phones in the United States or Japan
yet, but NTT DoCoMo offers this additional peek at the future: Yin says
DoCoMo has plans for phones with two slots for smart cards. With that
capability comes another slew of security and application possibilities.

