Wireless Security Considerations, Part 1

This look at wireless security focuses on wide area wireless systems. Contrary to popular belief, wireless systems are secured in a number of ways that can approach the security levels of Web systems. Radio frequency (RF) transfer of data is the most secure part of transmissions between wireless devices and enterprise or commerce servers. The RF network uses protocols such as Global System for Mobile Communication (GSM), Cellular Digital Packet Data (CDPD), or Code Division Multiple Access (CDMA), which include data-encryption mechanisms at the network (bearer) level. Note that low-power CPUs, limited memory, and power constraints drive most wireless system features. As wireless-device hardware increases in power, the level of encryption and other mechanisms designed to provide secure wireless systems will improve.

Four main areas form the foundation of both wired and wireless secure systems: authentication, encryption, authorization, and nonrepudiation.

Authentication confirms the identity of the person connecting to the system as a known user. Basic authentication involves a username and password. In enterprise situations, security increases when wireless account aliases and auxiliary domains separate users from their regular accounts. An intercepted username and password then yields access to wireless resources only through the wireless gateways. Such a complex security approach increases costs and administrative requirements.

Advanced techniques might use two-factor authentication such as RSA SecurID, which requires the user to enter a randomly generated PIN in addition to the username and password. In the future, user authentication might involve smart cards and biometrics.

Encryption ensures that data intercepted during transmission can't be easily used. As noted above, wireless networks have bearer-level encryption, and you can add application-level encryption. Application-level encryption usually involves RSA or Wireless Transport Layer Security (WTLS) between the device and the wireless gateway. Between the wireless gateway and the Web server, Secure Sockets Layer (SSL) or Transport Layer Security (TLS) works well.

The encryption architecture used in Wireless Application Protocol (WAP) and other wireless technologies presents certain security risks. One is the WAP gap, the point in the WAP gateway where content is decrypted from WTLS and re-encrypted into SSL. The data is unencrypted for a split second and only in gateway server memory. Most WAP gateways in the United States are controlled by the carrier and typically kept under high security. For most uses, the WAP gap is an insignificant security concern.

Some companies can't accept that risk, however, and must consider advanced techniques such as WTLS tunneling. WTLS tunneling keeps data encrypted between the device and enterprise and requires the implementation of WAP gateways within the enterprise demilitarized zone (DMZ). Thus, encrypted data passes through the carrier gateways and enters the enterprise network before being decrypted.
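The following is an added illustration, not code from the article or from any WAP gateway product: it models the two architectures above with a toy per-hop keystream cipher (HMAC-SHA256 counter mode, standing in for WTLS and SSL) so you can see exactly where plaintext exists. The keys, nonce, and message are constructed sample values; the cipher is not WTLS.

```python
"""Where plaintext lives: WAP gap versus WTLS tunneling (constructed model)."""
import hashlib
import hmac


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy counter-mode stream cipher: keystream = HMAC(key, nonce||counter).
    XOR is symmetric, so the same call encrypts and decrypts. Not WTLS/SSL."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        ks = hmac.new(key, nonce + offset.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], ks))
    return bytes(out)


def carrier_gateway_wap_gap(wtls_key, ssl_key, nonce, ciphertext):
    """Classic carrier gateway: terminate the WTLS hop, re-encrypt for the SSL hop.
    Returns the re-encrypted bytes and what the gateway held in memory (the WAP gap)."""
    plaintext = keystream_xor(wtls_key, nonce, ciphertext)
    return keystream_xor(ssl_key, nonce, plaintext), plaintext


def carrier_gateway_tunnel(ciphertext):
    """Tunneled design: the carrier holds no key for this session and forwards
    the WTLS ciphertext unchanged to the enterprise DMZ gateway."""
    return ciphertext, None


def demo(message=b"transfer 500 to acct 42",
         wtls_key=b"k1" * 16, ssl_key=b"k2" * 16, nonce=b"n" * 16):
    # Device encrypts once for the WTLS hop (constructed sample keys/message).
    from_device = keystream_xor(wtls_key, nonce, message)

    # Architecture 1: carrier gateway bridges WTLS -> SSL; plaintext in its memory.
    to_server, gateway_saw = carrier_gateway_wap_gap(wtls_key, ssl_key, nonce, from_device)
    server_gets = keystream_xor(ssl_key, nonce, to_server)

    # Architecture 2: carrier forwards; the enterprise DMZ gateway owns the WTLS key.
    forwarded, carrier_saw = carrier_gateway_tunnel(from_device)
    dmz_gets = keystream_xor(wtls_key, nonce, forwarded)

    return {"gateway_saw": gateway_saw, "server_gets": server_gets,
            "carrier_saw": carrier_saw, "dmz_gets": dmz_gets}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

In the first architecture the carrier's gateway necessarily holds the cleartext (`gateway_saw`); in the second it sees only ciphertext, and decryption first happens inside the enterprise DMZ.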

Wireless systems currently use 40-bit or 56-bit encryption. Many corporations require a minimum of 128-bit encryption for security, making wireless systems unacceptable. As new encryption algorithms such as elliptic-curve and lattice cryptography enter the market, 128-bit and higher encryption will be possible with much lower processing requirements.

The next Wireless & Mobile UPDATE will address authorization, nonrepudiation, and other aspects of delivering a secure wireless system.
