There are several steps that can be
taken in designing for security in mobile computing networks and
applications:
Physical Security, Policies
and Procedures
There is no point in implementing expensive hi-tech security systems
while the physical security of end user devices, base stations, and
information servers is ignored. A notebook left in the back seat of
an unlocked car is an obvious and only too common security violation
that should be discouraged in the strongest possible terms.
This potential problem will soon be
exacerbated with the advent of inexpensive PCS/PCN micro-cells
located in small and unattended sites throughout communities.
Application and System
Assisted Security
The use of user passwords and similar mechanisms is very common
method of ensuring security. We shall not dwell on these techniques
here. Instead, we shall concentrate on mobile computing security
issues.
Dial Back as a Security
Technique
Remote access type mobile computing applications can incorporate
dial back technique where users and their location are known. Many
hardware-based security servers provide this feature.
Firewalls � Security Servers
at the Host>
Many specialized security companies are providing security servers
that can be installed at the corporate host server. Several Remote
Access Servers also provide this functionality as an integral part
of the communications server. Cylink is well-known for providing RAS
security products in wireline remote access environment. You may get
more information from their web site.
Guardata Watchword II token
offers convenient alternatives to passwords based on common names,
birthdays, etc. When using WatchWord II, critical information is
never entered in clear. The operating principle is based on the
challenge/response mechanism described in the ANSI X9.26 secure
sign-on standard. The user enables the token by entering a PIN. The
WatchWord Generate process takes a digital challenge from the host
computer system entered into the token � which then generates a
seven-digit response: a one-time password. The response is
calculated from the challenge using the DES cryptographic process.
There is a security controller or server at the host between the
modem pool and the information server. It is anticipated that the
next generation of security products will integrate security into
the modem or communications server products.
Now, wireless security servers are
being provided by companies such as Certicom, Diversinet, Entrust
(subsidiary of Nortel), Sonera's SmartTrust (for m-commerce), etc..
Please see references to these vendors further down in the page).
Data Encryption Process in Mobile
Computing
Encryption involves scrambling digital information-bits with
mathematical algorithms and is the most potent protection available
against security intrusions into wireless and wire line
communications. Different encryption schemes have been proposed and
implemented. The Data Encryption Standard (DES) is one algorithm
that has held sway since the 1970s. RSA, based on public key
cryptography and named for the three MIT professors � Rivest, Shamir
and Adleman � who developed it, is another. Pretty Good Privacy (PGP)
is a public domain implementation of RSA available for
non-commercial use on the Internet in North America.
Many cellular carriers are now
providing encryption between cell sites and the MTSO. Unfortunately,
the last segment (i.e., between the end user device and the cell, or
base station) obviously cannot be encrypted and this is where all
the theft occurs. For end-to-end security, the only answer is to
build encryption/decryption capabilities into the end user device
itself. Unfortunately, this can be done only with end user devices
on digital cellular networks � and digital cellular is still not
ubiquitous (only 40 percent-coverage in the U.S. in 1995, according
to Dataquest).
Encryption Key Types
There are three types of keys used in encrypting data:
- A private key known only by the
sender and the recipient
- A private/public key combination
- A one-time key
| 
