Reprinted from Software Magazine

The future of e-security is as complex as the companies and individuals it aims to serve. Frank Prince, senior analyst in e-business infrastructure, security, and manageability with Forrester Research, a market research firm in Cambridge, Mass., says the advent of e-business networks will further complicate matters. He gives the example of a consumer ordering a product from an online retailer, which contracts with Wholesaler A to buy the product and sends it to the consumer using Shipper B. When another customer orders the same product, it may be fulfilled by Wholesaler B and Shipper C, who are offering better deals at that instant.

"Think about the security implications of that and all the things you need to do," Prince says. "In order to make those decisions appropriately, you can't have much secrecy, and you can't have very costly links between companies, because the ability to change from one organization to another is exactly why it works."

Wireless Woes
Add to the mix the possibility that at least some links involved in such a transaction will be wireless, and you complicate matters even further.

Yet that possibility is very real. Dataquest Inc., a unit of Gartner Group Inc., San Jose, Calif., estimates that more than 45 million Web-capable wireless phones will be in use by the end of this year. By 2003 there will be more than 1 billion wireless service subscribers, the company says, and nearly 800 million of them will use Web-capable phones.

However, the technologies don't all sing the same tune. Whereas on the order of 90% of PCs are based on some version of the Windows operating system, no one wireless device so dominates the market, nor does a single type of wireless network dominate like the Internet does in the wired world.

According to a July 2000 report from Forrester dubbed "Latent Demand for a Wireless Web," the installed base determines the launching point for any technological innovation. In that respect, the most obvious platforms from which to launch wireless Web services are the digital cell phone and the wireless personal digital assistant (PDA).

Platform Flavors
From a security perspective, the problem is the numerous flavors of PDAs and digital phones, says Verne Meredith, vice president of sales and marketing for Diversinet, a provider of wireless security products based in Toronto. "We believe there are going to be at least four platforms that evolve, and while one may dominate with 40% to 50% share, we don't see any one with 90% like Windows does."

On top of that, wireless network providers play a major role in the applications installed on digital phones and other access devices.

"On a PC I can load an application myself," Meredith says. "On a CDMA phone I can't. The only applications that are going to get on my device are the ones the phone company thinks I should have."

Additionally, wireless devices have a relatively small footprint and limited processing power, he says, and the wireless access pipe has limited bandwidth compared with the wired Internet.

From a security perspective, these issues create a challenge in terms of being able to support the same kinds of encryption algorithms used on full-powered PCs and on wired networks, as well as enabling users to employ whatever access device they choose.

"Merrill Lynch isn't going to be comfortable saying we've got this great trading application, but you have to have a Palm Pilot," Meredith says. Users likewise won't want to carry different devices for different applications.

Digital Certificates
Diversinet is developing software that amounts to a digital certificate for wireless devices, communicating with a back-end database that manages the certificates, validating user identities. An additional piece of client software provides authorization, detailing which applications the user is allowed to access, for example. That separates the users' identity from their permissions, which Meredith says is key. Traditionally, users need a separate certificate for each application or online vendor they want to deal with.

Another key to the Diversinet approach is the use of elliptic curve cryptography (ECC), essentially a lean encryption algorithm that uses less processing power and can be executed quickly, even on a wireless device and over a wireless network. "If I use the same encryption as Verisign, it'll take seven to nine minutes to encrypt and decrypt," over a wireless network, Meredith says.

Additionally, the Diversinet approach allows authorization on a transaction-by-transaction basis, similar to credit card authorizations in the brick-and-mortar world. With this arrangement, only one database needs to be maintained by the certificate authority (CA), and it allows for root-key rollover, which lets a CA issue new keys to all subscribers over the air. That capability will be crucial should the root key in a PKI system, which is the foundation of the trust hierarchy, ever be compromised. If that happened, the CA could use the wireless network to issue new keys to all subscribers without subscribers even knowing it.

Alternatively, a CA could decide to simply issue new keys to all subscribers every so often, maybe once a day or even every 15 minutes, to further improve security. In that case, even if your digital certificate is stolen or compromised, it will only be good until the next one is issued. That capability would also be useful in the wired world, Meredith notes.

Throw Away the Key
Indeed, another security company, NTRU Cryptosystems Inc., has similar technology, based on what it calls disposable keys. The Burlington, Mass.-based company has its own security algorithm that is even leaner than ECC, says Scott Crenshaw, company CEO. The base NTRU algorithm consists of about 1,400 bytes of code vs. at least 30,000 for ECC, Crenshaw says. And NTRU can generate keys much more quickly than ECC can, up to thousands or millions of keys per second.

That makes the NTRU algorithm well suited to wireless devices. Taking the Diversinet root-key rollover example a step further, an NTRU-capable device would be able to generate a public/private key pair for every transaction, or even for every step in a transaction.

But the company is initially targeting the consumer space, for applications such as streaming media protection. For example, a consumer could buy a music clip over the Internet and, potentially, every second of music could be encrypted using a different key pair. "That changes the economics of trying to compromise keys," Crenshaw says, given a three-minute song would have 180 unique keys.

As for Diversinet, the infrastructure that surrounds its technology isn't yet complete and won't be until early to mid-2001. What is complete is an implementation for Palm Pilot and RIM PDAs, as is an implementation for the Gemplus smart card, which is targeted at the GSM mobile phone standard used throughout Europe and Asia.

Versions of the Diversinet technology that work with the CDMA and TDMA wireless networks prevalent in North America are awaiting more standards development from the Wireless Application Protocol (WAP) Forum.

Bill Jaeger, director of applied research at METASeS, a security consultancy in Atlanta, agrees that the strength of the encryption algorithm used is a key vulnerability in wireless security and that ECC is much faster and suitable for handheld devices.

Another vulnerability in the way wireless encryption is handled today is that a translation has to occur between the wireless and wired networks. Typically a WAP-compliant form of encryption is used from the wireless device to the cell phone provider's WAP gateway, which provides a link to the wired network. At the gateway, the stream is decrypted, then encrypted again, typically using Secure Sockets Layer (SSL), the leading encryption protocol for browser-based wired applications.

"That means the encryption ends, the server does some processing, then it starts again," Jaeger says. "That's one of the single largest vulnerabilities in the whole handset approach."
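The translation step described above can be modeled in a few lines. This is an added example, not code from the article or from any vendor it names: the cipher is a stand-in built from HMAC-SHA256 (not WTLS or SSL), the key names and the sample order are constructed, and the optional end-to-end layer between handset and server is an assumption added to show what the gateway holds when the payload is protected before it reaches the wireless leg.

```python
import hashlib
import hmac
import os

ORDER = b"TRANSFER 500 acct=12345 PIN=4921"  # constructed sample payload

def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in cipher: HMAC-SHA256 in counter mode. Not WTLS, not SSL.
    stream = bytearray()
    for ctr in range((len(data) + 31) // 32):
        stream += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under one hop or end-to-end key: nonce | ct | tag."""
    nonce = os.urandom(8)
    ct = _xor_stream(_subkey(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, sealed: bytes) -> bytes:
    nonce, ct, tag = sealed[:8], sealed[8:-32], sealed[-32:]
    want = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("authentication failed")
    return _xor_stream(_subkey(key, b"enc"), nonce, ct)

def gateway(wireless_key: bytes, wired_key: bytes, frame: bytes):
    """Terminate the wireless leg, then re-encrypt for the wired leg."""
    seen = unseal(wireless_key, frame)  # whatever is in 'seen' is visible to the gateway
    return seen, seal(wired_key, seen)

def send_order(end_to_end: bool):
    """Return (bytes the gateway held between the two legs, bytes the server got)."""
    wireless_key, wired_key, e2e_key = (os.urandom(32) for _ in range(3))
    payload = seal(e2e_key, ORDER) if end_to_end else ORDER
    seen, wired_frame = gateway(wireless_key, wired_key, seal(wireless_key, payload))
    received = unseal(wired_key, wired_frame)
    return seen, (unseal(e2e_key, received) if end_to_end else received)

if __name__ == "__main__":
    for mode in (False, True):
        seen, delivered = send_order(mode)
        print(f"end_to_end={mode}: gateway sees order={ORDER in seen}, "
              f"server gets order={delivered == ORDER}")
```

With hop-by-hop encryption only, the gateway holds the order in the clear between the two legs; with the extra layer it holds only ciphertext, while the server still recovers the order.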

The Common Denominator
Jaeger is less concerned about the various types of handheld devices in use, reasoning that WAP standards will be the common denominator. WAP is built to operate on top of underlying transport technologies, including CDMA, TDMA, and analog networks. Vendors will have to implement security technologies that conform to the operational capabilities and memory constraints of the end device in use, but that is not so different from having to conform to the vagaries of different Web browsers and operating systems.

User perception may be another issue, however. "Lots of people feel comfortable using a handheld to look up a movie," Jaeger says. "But jumping the hurdle to do things with finances at stake, such as home banking, there's a fair bit of hesitation about that in the consumer market."

Yet another wireless issue is the advent of Bluetooth, the technology spearheaded by vendors including IBM, Ericsson, Nokia, Intel, and Toshiba that promises to wireless-enable all manner of devices, from headphones to refrigerators.

"My suspicion is that Bluetooth over the next couple of years will be another iron in the fire that organizations will have to juggle," says Forrester's Prince. "Even though the core security protocols associated with Bluetooth are good enough to do the job they need to do, the layers above security are going to have to be worked out in practice and integrated with corporate security systems."

Sorting It Out
Even if the technology issues are adequately addressed, Patrick McBride, executive vice president of METASeS, says there's an "underground" issue looming.

"You can have an absolutely perfect security architecture and still be at high risk," he says. "The weak link in the chain is people."

If your employees, partners, and customers aren't properly following security policy, they could be leaving you at risk. When McBride asks security officers how they would carve up a dollar that they have to spend on security, they typically say about 40% would go to training and awareness programs that seek to integrate security thinking into the company or customer base.

Over time, more and more state and federal funds will be made available to address high-tech security law enforcement. Laws will change, and states and countries will make agreements such that perpetrators can be prosecuted no matter where they are located, he says.

"In 10 or 15 years, we'll see a different world from what we see today," says Dr. Martin Goslar, principal analyst and managing partner of E-PHD.COM, an e-security research and analysis firm in Phoenix. "We're stumbling into the future. That seems to be the human plight."

Desmond is editor of the ecomSecurity.com Web site and vice president of King Content, a strategic publishing company in Framingham, Mass. E-mail him at paul_desmond@king-content.com.