Organizations have high hopes for wireless commerce. Bob Egan, an analyst at Stamford, Conn.-based Gartner Group Inc., calls wireless “the growth hormone for e-commerce.” But before wireless e-commerce or even wireless access to the corporate network takes off, organizations are going to have to nail down wireless security.
It’s not that wireless isn’t secure as it stands now. “We are doing secure wireless transactions today,” said Philip Wood, director of international wireless at Charles Schwab & Co. in San Francisco. Rather, wireless security is difficult to implement, requiring organizations to piece together myriad technologies. Few vendors offer a complete security package, and large pieces of the security puzzle are beyond the control of corporate IT, resting instead with carriers and wireless device manufacturers.
Most organizations would prefer to support only a single security model for e-commerce, preferably the Internet model in use today, said Jeff Reed, vice-president of e-commerce consulting firm Logical, a division of London-based Datatec Ltd. E-commerce in the wired world today relies primarily on Secure Sockets Layer (SSL), which is used to transmit everything from personal identification numbers (PINs) and passwords to credit card numbers.
But when you try to move this approach to the wireless world, you immediately encounter problems, starting with cellular phones with wireless application protocol (WAP) capabilities. Unlike desktop and laptop computers or even personal digital assistants (PDAs), WAP phones are pretty limited when it comes to security: they lack the CPU power and memory necessary for RSA encryption, a key element of SSL.
Encryption ensures confidentiality by preventing eavesdropping, and WAP devices include their own security protocol, wireless transport layer security (WTLS). This is equivalent to SSL but uses less-resource-intensive encryption algorithms, such as elliptic-curve cryptography (ECC).
There’s nothing wrong with WTLS except that “it is not compatible with SSL,” which is the industry standard, said Jeffrey Robinson, manager of corporate development at RSA Security Inc. in Bedford, Mass. So WTLS messages must be converted into SSL before an e-commerce site or corporate network can read them.
Conversion presents a security problem. Wireless messages travel through the air to the carrier’s transmitter, where they are received and passed to a gateway that funnels them into the conventional wired network for transmission to the destination. At the gateway, the WTLS message is converted into SSL. For a brief moment, the message sits unencrypted inside the gateway, creating a security vulnerability.
To some observers, this gap in encryption presents an intolerable threat. Others take a more practical view. “We’re not losing any sleep over it,” Wood said. The messages spend only a few milliseconds in the clear on a machine buried deep inside the carrier’s facility. “Somebody would have to break into a carrier site and do a data dump at that precise moment,” he said.
Egg PLC is a wireless Web-based bank in London. To guard the gateway conversion from WTLS to SSL, it runs its own gateway internally. Each message still spends a moment in the clear, but it happens within the Egg facility. “The best solution would be SSL end to end,” said Iain Hunneybell, Egg’s Internet customer authentication manager.
Redwood City, Calif.-based Phone.com Inc.’s Secure Enterprise Proxy achieves end-to-end security using SSL and WTLS. It lets organizations avoid re-encryption at the carrier’s gateway by creating a WTLS tunnel through which secure data passes through a network operator’s gateway without decryption. WTLS tunneling ensures that the data remains encrypted until it reaches its final destination.
“The Phone.com approach lets you get all the way to your application server,” explains John Pescatore, research director for Internet security at Gartner Group.
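The gateway conversion and the tunneling alternative described above, as an added Python example (not code from any vendor or product named in this article). A toy hash-based cipher stands in for the WTLS and SSL record layers; the keys, function names and sample message are constructed.

```python
import hashlib, hmac, os

def _subkeys(key):
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()

def _xor_stream(key, nonce, data):
    # Toy SHA-256 counter-mode keystream; a stand-in, not WTLS or SSL.
    blocks = range(len(data) // 32 + 1)
    stream = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in blocks)
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, plaintext):
    """Encrypt-then-MAC record: nonce || ciphertext || tag."""
    k_enc, k_mac = _subkeys(key)
    nonce = os.urandom(16)
    ct = _xor_stream(k_enc, nonce, plaintext)
    return nonce + ct + hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()

def open_(key, record):
    k_enc, k_mac = _subkeys(key)
    nonce, ct, tag = record[:16], record[16:-32], record[-32:]
    if not hmac.compare_digest(tag, hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("record failed integrity check")
    return _xor_stream(k_enc, nonce, ct)

def translating_gateway(record, k_air, k_wire):
    """Carrier gateway: ends the wireless session, re-encrypts for the wire."""
    exposed = open_(k_air, record)      # plaintext sits in gateway memory here
    return seal(k_wire, exposed), exposed

def tunneling_gateway(record):
    """Forwarding-only gateway: holds no session key, handles sealed bytes."""
    return record, record

def run(message):
    k_air, k_wire, k_e2e = (os.urandom(32) for _ in range(3))
    # Model 1: phone-to-gateway and gateway-to-server are separate sessions.
    out1, seen1 = translating_gateway(seal(k_air, message), k_air, k_wire)
    # Model 2: one phone-to-server session passes through the gateway.
    out2, seen2 = tunneling_gateway(seal(k_e2e, message))
    return {
        "translate_delivered": open_(k_wire, out1),
        "translate_gateway_saw_plaintext": message in seen1,
        "tunnel_delivered": open_(k_e2e, out2),
        "tunnel_gateway_saw_plaintext": message in seen2,
    }

if __name__ == "__main__":
    print(run(b"PIN=0000;acct=constructed-sample"))
```

Both models deliver the same message to the server; only the translating gateway ever holds it unencrypted, and a forwarding gateway that alters a sealed record causes the integrity check at the destination to fail.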
No Denying PKI
Encryption addresses part of the wireless security challenge. But it doesn’t provide the solid authentication required for nonrepudiation, which is a mechanism that validates the information sender’s identity to the receiver so that the receiver can be sure users are who they say they are.
“For authentication and nonrepudiation, PKI, where certificates and keys are bound to the user, is the way to go. Everything is initiated through those keys,” said Paul Mansz, vice-president of architecture at Toronto-based 724 Solutions Inc., a provider of wireless e-commerce applications. Several public-key infrastructure (PKI) products for wireless are starting to emerge.
With PKI, organizations issue digital certificates to users to validate users’ identity. The certificate is encrypted and accompanies each transaction. By using the public and private key and a certificate authority to validate the certificate, authorized parties can decrypt the certificate to authenticate the user with greater assurance than can be achieved through PIN-based authentication.
Charles Schwab opted for a smart-card system from Stockholm-based cellular phone vendor Ericsson Inc. and Gemplus SA in Gemenos, France, which provides the smart card, Wood said. In the system, currently being deployed in Hong Kong, the wireless device reads the smart card, which carries the Schwab customer’s private key and digital certificate. The customer then enters the account number and PIN.
The smart-card system allows for nonrepudiation, but it’s available only where there are Global System for Mobile Communications (GSM) wireless networks. In the U.S., there are few GSM networks, thus forcing Schwab to use two different wireless security strategies – one for the U.S. and one for Asia and Europe.
When it comes to authentication, wireless adds a disturbing wrinkle. A wireless phone can be easily stolen or lost. If the owner’s digital certificate and key are in the phone, as a smart card or otherwise embedded, it presents an opportunity for considerable mischief. By combining smart cards with the requirement to separately enter a PIN, organizations can thwart such threats. But entering data such as account names and PINs on a cell phone “isn’t easy to do. We need simpler approaches,” Pescatore said.
On the Horizon
One emerging security tool is biometric devices, which use unique physical identifiers such as voiceprints, fingerprints or retina images to positively identify the user. With biometrics, even if someone should steal your mobile phone, that person wouldn’t be able to imitate your voice or fingerprint.
“By 2004, we expect biometrics will have reached the price/performance level to allow it to be integrated into PDAs and cell phones,” Pescatore said.
Many of the obstacles confronting wireless security will disappear with the widespread adoption of third-generation wireless technology. The third-generation phones will be IP-based and sport more processing power, memory and bandwidth, which will allow SSL security end to end, said Matthew Decker, a consultant at Lucent Technologies Inc. in Murray Hill, N.J.
By combining third-generation wireless with smart cards and biometrics, organizations will finally have a unified security system that works for both the wireless and wired worlds.