Crossing the wireless security gap

Organizations have high hopes for wireless commerce. Bob Egan, an analyst at Stamford, Conn.-based Gartner Group Inc., calls wireless “the growth hormone for e-commerce.” But before wireless e-commerce or even wireless access to the corporate network takes off, organizations are going to have to nail down wireless security.

It’s not that wireless isn’t secure as it stands now. “We are doing secure wireless transactions today,” said Philip Wood, director of international wireless at Charles Schwab & Co. in San Francisco. Rather, wireless security is difficult to implement, requiring organizations to piece together myriad technologies. Few vendors offer a complete security package, and large pieces of the security puzzle are beyond the control of corporate IT, resting instead with carriers and wireless device manufacturers.

Most organizations would prefer to support only a single security model for e-commerce, preferably the Internet model in use today, said Jeff Reed, vice-president of e-commerce consulting firm Logical, a division of London-based Datatec Ltd. E-commerce in the wired world today relies primarily on Secure Sockets Layer (SSL), which is used to transmit everything from personal identification numbers (PINs) and passwords to credit card numbers.

But when you try to move this approach to the wireless world you immediately encounter problems, starting with cellular phones that support the wireless application protocol (WAP). Unlike desktop and laptop computers or even personal digital assistants (PDA), WAP phones are limited when it comes to security: they lack the CPU power and memory needed for the RSA public-key operations of the SSL handshake, which is where SSL authenticates the server and agrees on session keys.

Encryption ensures confidentiality by preventing eavesdropping, and WAP devices include their own security protocol, wireless transport layer security (WTLS). WTLS is modeled on SSL but adapted for low-bandwidth links and low-power handsets; for key agreement and authentication it can use public-key algorithms with far smaller keys than RSA, such as elliptic-curve cryptography (ECC).

There’s nothing wrong with WTLS except that “it is not compatible with SSL,” which is the industry standard, said Jeffrey Robinson, manager of corporate development at RSA Security Inc. in Bedford, Mass. So the WTLS session has to be terminated and its traffic re-encrypted over SSL before an e-commerce site or corporate network can read it.

Conversion presents a security problem. Wireless messages travel through the air to the carrier’s transmitter, where they are received and passed to a gateway that funnels them into the conventional wired network for transmission to the destination. At the gateway the WTLS session ends: the gateway decrypts each message and re-encrypts it under a separate SSL session to the destination. For a brief moment the message sits unencrypted inside the gateway, and the gateway, usually operated by the carrier rather than the enterprise, holds the keys for both legs of the path. That is the gap in end-to-end protection.
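The two paths described above, modeled as an added example (this is illustrative code, not code from the article or from any carrier or vendor it names). It assumes AES-GCM as a stand-in for both the WTLS leg and the SSL leg, fixed keys derived from labels in place of the keys a real handshake would negotiate, and a constructed sample transaction. ViaWAPGateway shows that the gateway necessarily holds the plaintext; EndToEnd shows that when the phone shares a key only with the server, the gateway's own key fails the tag check and it can only forward bytes.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// record is one encrypted message on a link: a fresh nonce plus AES-GCM
// ciphertext and authentication tag.
type record struct {
	nonce []byte
	body  []byte
}

// demoKey derives a fixed 256-bit key from a label. Constructed for this example
// only: a real WTLS or SSL handshake negotiates these keys per session.
func demoKey(label string) []byte {
	k := sha256.Sum256([]byte("wireless-gap-demo:" + label))
	return k[:]
}

// aead builds AES-256-GCM for a demo key; the inputs are fixed-size, so errors
// here would be programming mistakes rather than runtime conditions.
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return g
}

// seal encrypts one message for one hop under key, with a random nonce.
func seal(key, plaintext []byte) record {
	g := aead(key)
	nonce := make([]byte, g.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		panic(err)
	}
	return record{nonce: nonce, body: g.Seal(nil, nonce, plaintext, nil)}
}

// open decrypts a record; the wrong key fails the GCM tag check and returns an error.
func open(key []byte, r record) ([]byte, error) {
	return aead(key).Open(nil, r.nonce, r.body, nil)
}

// Trace records what each party along the path could read for one request.
type Trace struct {
	GatewaySaw []byte // plaintext the gateway held; nil if it could not decrypt
	ServerGot  []byte // plaintext the destination server recovered
}

// ViaWAPGateway models the conversion at the carrier's gateway: the phone
// encrypts to the gateway (WTLS leg), the gateway decrypts and re-encrypts to
// the server (SSL leg). The gateway holds the plaintext and both keys.
func ViaWAPGateway(msg []byte) (Trace, error) {
	phoneGW := demoKey("phone<->gateway")   // stands in for the WTLS session key
	gwServer := demoKey("gateway<->server") // stands in for the SSL session key
	clear, err := open(phoneGW, seal(phoneGW, msg)) // the gap: plaintext in the gateway
	if err != nil {
		return Trace{}, err
	}
	got, err := open(gwServer, seal(gwServer, clear)) // re-encrypted for the SSL leg
	if err != nil {
		return Trace{}, err
	}
	return Trace{GatewaySaw: clear, ServerGot: got}, nil
}

// EndToEnd models a phone that shares a key only with the server; the gateway
// can forward the record but cannot read it.
func EndToEnd(msg []byte) (Trace, error) {
	phoneServer := demoKey("phone<->server")
	onAir := seal(phoneServer, msg)
	// The gateway tries the only key it holds; the GCM tag check rejects it.
	if _, gwErr := open(demoKey("phone<->gateway"), onAir); gwErr == nil {
		return Trace{}, errors.New("gateway must not decrypt end-to-end traffic")
	}
	got, err := open(phoneServer, onAir) // same bytes, forwarded unchanged
	if err != nil {
		return Trace{}, err
	}
	return Trace{ServerGot: got}, nil
}

func main() {
	msg := []byte("PIN=1234 BUY 100 XYZ") // constructed sample transaction
	gw, _ := ViaWAPGateway(msg)
	e2e, _ := EndToEnd(msg)
	fmt.Printf("via gateway: gateway saw %q, server got %q\n", gw.GatewaySaw, gw.ServerGot)
	fmt.Printf("end to end:  gateway saw %q, server got %q\n", e2e.GatewaySaw, e2e.ServerGot)
}
```

The point the timing argument misses is visible in ViaWAPGateway: the plaintext is not merely in memory for a moment, it is produced by code the gateway operator controls, so anyone who owns the gateway can log every transaction rather than having to catch one at the right instant.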

To some observers, this gap in encryption presents an intolerable threat: whoever operates or compromises the gateway can read every transaction that passes through it, not just a single message. Others take a more practical view. “We’re not losing any sleep over it,” Wood said. The messages spend only a few milliseconds in the clear on a machine buried deep inside the carrier’s facility. “Somebody would have to break into a carrier site and do a data dump at that precise moment,” he said.

Encryption addresses part of the wireless security challenge. But by itself it doesn’t provide strong authentication, which assures the receiver that users are who they say they are, or nonrepudiation, which prevents a sender from later denying a transaction. Both require proof tied to the individual user, not just to an encrypted session whose keys the gateway also holds.
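The distinction above, shown as an added example that is not part of the original article: a shared-key message authentication code (the kind of integrity check a session protocol such as SSL or WTLS gives) proves to the receiver that the message came over the session, but because the receiver holds the same key it could have minted the tag itself, so it proves nothing to a third party. A digital signature can only be produced by the holder of the private key, which is what nonrepudiation needs. The example assumes HMAC-SHA256 for the MAC, ECDSA over P-256 for the signature, and a constructed order and forged order as inputs.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Tag authenticates msg under a key shared by sender and receiver, as a session
// protocol does for records in flight.
func Tag(sharedKey, msg []byte) []byte {
	m := hmac.New(sha256.New, sharedKey)
	m.Write(msg)
	return m.Sum(nil)
}

// CheckTag verifies a MAC in constant time.
func CheckTag(sharedKey, msg, tag []byte) bool {
	return hmac.Equal(Tag(sharedKey, msg), tag)
}

// Sign produces an ECDSA signature over SHA-256(msg); only the private key holder can.
func Sign(priv *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, priv, h[:])
}

// Verify checks a signature against the signer's public key.
func Verify(pub *ecdsa.PublicKey, msg, sig []byte) bool {
	h := sha256.Sum256(msg)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

// Outcome summarises what the receiver could do with each mechanism.
type Outcome struct {
	GenuineSignatureVerifies bool // sender's own signature on the real order checks out
	ReceiverForgedMAC        bool // receiver minted a valid tag for text the sender never sent
	ReceiverForgedSignature  bool // receiver produced a signature accepted under the sender's key
}

// Compare runs both mechanisms over a real order and a forged variant of it.
func Compare(order, forged []byte) (Outcome, error) {
	// MAC leg: both sides hold the session key, so the receiver can tag anything.
	shared := make([]byte, 32)
	if _, err := rand.Read(shared); err != nil {
		return Outcome{}, err
	}
	macForged := CheckTag(shared, forged, Tag(shared, forged))

	// Signature leg: the receiver has the sender's public key and its own key pair only.
	sender, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	receiver, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	genuine, err := Sign(sender, order)
	if err != nil {
		return Outcome{}, err
	}
	attempt, err := Sign(receiver, forged) // best the receiver can do: sign with its own key
	if err != nil {
		return Outcome{}, err
	}
	if !Verify(&sender.PublicKey, order, genuine) {
		return Outcome{}, errors.New("a genuine signature must verify")
	}
	return Outcome{
		GenuineSignatureVerifies: true,
		ReceiverForgedMAC:        macForged,
		ReceiverForgedSignature:  Verify(&sender.PublicKey, forged, attempt),
	}, nil
}

func main() {
	order := []byte("BUY 100 XYZ @ market")   // constructed sample order
	forged := []byte("BUY 10000 XYZ @ market") // what a dishonest receiver might claim
	out, err := Compare(order, forged)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```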

One emerging security tool is biometric devices, which use unique physical identifiers such as voiceprints, fingerprints or retina images to positively identify the user.

“By 2004, we expect biometrics will have reached the price/performance level to allow it to be integrated into PDAs and cell phones,” Pescatore said.

Many of the obstacles confronting wireless security will disappear with the widespread adoption of third-generation wireless technology. The third-generation phones will be IP-based and sport more processing power, memory and bandwidth, which will allow SSL security end to end, said Matthew Decker, a consultant at Lucent Technologies Inc. in Murray Hill, N.J.