David Kanto




Embedded Security: the Next Big Thing in Wireless Devices?

The wireless world is going to move away from software-based security/encryption for a host of reasons, including processor speed, battery utilization, and memory scarcity. Embedded security in wireless networked devices is likely the "next big thing" in wireless device security. Read on for a comprehensive explanation.

The adage that best describes the current state of affairs with wireless devices and security is: "forecasting is always difficult, especially when it's about the future." To what degree will wireless LANs, PDAs, and next-generation 2.5G and 3G mobile handsets become part of the corporate IT landscape? I recently gave a speech on the growth of wireless devices and the attendant security needs at the RSA Security Conference in Paris. My presentation had about 100 attendees, all with varying views on how to meet this challenge.

All acknowledge that it's a matter of when, not if, they have to deal with the challenge. The numbers speak for themselves. According to a leading wireless market research consultancy, nearly 725 million wireless devices are expected to ship in 2003 (see Figure 1). Over 50% of these are expected to be mobile phones, followed by 20% PCs, and the remainder a mix of PDAs, wireless LANs, and broadband modems.

Most IT managers with whom I have spoken are working out a plan to make these new PDAs and wireless devices part of the networked ecosystem and thus more secure. The primary purpose of this article is to provide an overview of the current wireless security landscape with special attention given to the direction that many chip vendors such as Samsung, Intel, and Texas Instruments are taking with putting embedded intellectual property security "cores" into silicon. This increasingly important security methodology for wireless devices has wide-ranging implications, and users, IT executives and managers, and security architects should pay close attention.

What Can the Wireless Security Strategist and Implementer Do?
The cost of implementing a high level of security on wireless devices quickly adds up. It can get out of control when you become dependent on specialized security development staffs that understand all the variables of security methodologies, operating systems, hardware platforms, and the sheer volume of new wireless software applications often tied to the service provider. Talk with any IT security professional, and you'll find out quickly that security is the single most important enabling technology concerning the adoption and trust of mobile applications.

Further, as the wireless carriers and service providers attempt to build a sustainable revenue model for high-profit data services, security-conscious wireless device users aren't going to buy a $20 hardcover book from Amazon.com, let alone 100 shares of Microsoft from their wirelessly enabled brokerage account, unless they are assured that their device will enable a secure transaction. So what can the wireless security strategist and implementer do?

First, acknowledge that the wireless data is part of the entire networked data ecosystem (see Figure 2). Sure, the IT manager may not like the idea that sales employees are bringing in their PDAs with their Bluetooth cards, or that the engineering department is using an impromptu 802.11a wireless LAN, or that the marketing department people are e-mailing digital photos taken from their new mobile phones to the print studio, but that is the brave new world of wireless in the corporation.

In other words, don't stand in front of the wireless freight train, but manage what goes on the tracks and how it's used in your data network. Study the new technologies, the alternatives, and the new vendor offerings. For example, as the IEEE moves closer to resolution on the 802.11i standard (IEEE 802.11i is the standard for enhanced security of wireless LANs), pay close attention because the wireless LAN access point and card manufacturers and the various WLAN chip vendors such as Agere, Intersil, Texas Instruments, and Atheros invariably will follow this standard in an effort to supply standards-based products.

IEEE 802.1x is the authentication and authorization work of the IEEE 802.1 working group, and it applies to all LAN technologies. It's also important to cover briefly the various protocols that are being used as an adjunct to 802.1x for increased security.

EAP, the Extensible Authentication Protocol, has various iterations that functionally serve to answer the widely discussed issues with a WEP-only security solution. The Wired Equivalent Privacy key uses the 128-bit RC4 algorithm that has proven to be vulnerable to eavesdropping. As such, there are various proposals, such as "Protected EAP" or PEAP, an IETF proposal by Cisco Systems, Microsoft, and RSA Security, which builds strong authentication into a WLAN environment and claims to "plug in" to 802.1x.

There are also variations of the transport layer security protocol called WTLS, which stands for Wireless Transport Layer Security. WTLS is similar in functionality to SSL, which is used to secure connections between your Web browser and a Web server. EAP-TLS is a part of Microsoft Windows XP and is based on the use of a user digital certificate and a server TLS certificate.

Cisco Systems' Lightweight Extensible Authentication Protocol, LEAP, is also based on the 802.1x security standard. It is Cisco proprietary, in that it uses Cisco's RADIUS servers, but it is one solution that can be configured in Windows XP. Other vendors also use RADIUS to control which MAC addresses are allowed to use the wireless network. There is also TKIP, the Temporal Key Integrity Protocol, which provides initialization vector hashing to help prevent eavesdropping attacks. This is a pre-standard protocol and is considered a replacement for WEP. In addition to TKIP, AES is the other encryption standard proposed for 802.11i. Several wireless device manufacturers support this.

Set Up a Corporate Policy
Set up a corporate standard with an approved list of PDAs and wireless devices. It can be a relatively painless task to assemble a quorum of the wireless user community in your company to discuss their needs, determine which wireless devices and technologies are allowable, and establish a corporate wireless usage policy. Once there is a stated policy on approved wireless devices and usage, the next step falls into place more easily: develop clear procedures and policies for remote usage.

For example, on the occasions that I access the corporate network from home, I connect my laptop using a wireless LAN PC Card, an 802.11b access point, and a router. I use the corporate VPN to tunnel into the network to access my e-mail and the Internet. There are many wireless managed service providers who are skilled in providing secure access services if this proves to be beyond the core offerings of your IT department.

Wireless Security Implementation Choices
Let's take a look at two key areas of wireless security implementations. First, there is security in software. Then there is security in hardware, in the form of embedded intellectual property in silicon.

Security in Software
An implementation that is time-proven, standards-based, and widely used is an IPSec VPN client. Chances are good that you are already using a VPN client in your laptop or desktop computer; in fact, a VPN client is a standard offering in Windows XP. An IPSec VPN is a proven, robust, simple, cost-effective tool for secure communications. An IPSec VPN client offers a secure client-to-gateway communication over a wireless network at the network layer of the OSI model.

The key here is to use a product that is certified IPSec interoperable by the Internet Certification Standards Authority (ICSA) or the VPN Consortium (VPNC). IPSec-certified security, in addition to other wireless security protocols that I'll discuss shortly, overcomes wireless security vulnerabilities. For example, you can have a secure connection when using IPSec security software on your wireless LAN-enabled laptop and an IPSec VPN gateway behind the 802.11 wireless access point.

A few WLAN access point manufacturers are putting IPSec VPN gateway functionality in the box to serve both needs. The caveat here is that even though an IPSec VPN is a private, encrypted tunnel, the security is only as good as the authentication choice you make. We have all used passwords at one time or another, and they are less than perfect.

The use of two-factor authentication, such as hardware tokens, requires users to present something they know, such as a password, and something they have, like the hardware token. Digital certificates are a fast-growing form of authentication as well. IPSec supports the use of industry-standard X.509 certificates as one authentication method. Although this introduces a digital certificate management system which can add complexity, it's worth the effort. Managed digital certificates use a unique key pair in the form of one public key and one private key that the VPN client shares with the VPN gateway (server) to ensure the mobile devices' authenticity.

Security in Silicon
Embedded security in wireless networked devices is likely the "next big thing" in wireless device security. Embedded security takes the cryptographic functions normally available in software and puts the intellectual property "security cores" into the silicon. Examples of some of these cores are encryption engines such as DES, 3DES, RC4, and AES (see Figure 3). AES is the Advanced Encryption Standard, which is based on the Rijndael algorithm.

There are also hash engines such as SHA-1 and MD5, and packet engines such as IPSec, SSL, and TLS. Another widely used core is the True Random Number Generator. An associated software cryptographic library can run alongside to optimize use of the algorithms embedded in silicon. New PDAs and mobile handsets are already utilizing this new technology.

Why the movement toward this hardware (silicon) based security paradigm? The two main reasons are performance and security. To achieve optimum performance, there is the drive to move software applications away from robbing CPU horsepower on the device. Software-based cryptographic functions can consume anywhere from 30-80% of the CPU, thus robbing horsepower from other important applications. Software-based 3DES and SHA-1 can achieve only up to several Mbps of speed depending on the CPU.

Embedded hardware IP cores can scale from hundreds of Mbps to several Gbps. A public key "handshake" can take up to one minute on slower CPUs used in many PDAs currently sold. This is why many silicon manufacturers have chosen to go the route of embedded IP in their next-generation wireless processors.
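To see where a given device sits on this scale, the following added example (not part of the original article) measures software SHA-1 and MD5 throughput over packet-sized buffers and converts it to the share of one CPU core needed to keep up with a link. The 1500-byte packet size and the 11 Mbps link rate (nominal 802.11b) are assumptions.

```python
import hashlib
import time

PACKET_BYTES = 1500  # assumed packet size (typical Ethernet MTU)


def software_hash_mbps(algorithm, packets=10000):
    """Measure CPU-time throughput of a software hash over packet-sized buffers."""
    packet = bytes(PACKET_BYTES)
    start = time.process_time()  # CPU time, so idle waits are not counted
    for _ in range(packets):
        hashlib.new(algorithm, packet).digest()
    elapsed = time.process_time() - start
    bits = packets * PACKET_BYTES * 8
    return bits / max(elapsed, 1e-9) / 1e6


def cpu_share_at_link_rate(throughput_mbps, link_mbps):
    """Fraction of one CPU core spent hashing to keep up with the link."""
    return link_mbps / throughput_mbps


def report(link_mbps=11.0):
    """Return {algorithm: (software Mbps, CPU share at link_mbps)}."""
    rows = {}
    for algorithm in ("sha1", "md5"):
        mbps = software_hash_mbps(algorithm)
        rows[algorithm] = (mbps, cpu_share_at_link_rate(mbps, link_mbps))
    return rows


if __name__ == "__main__":
    for name, (mbps, share) in report().items():
        print(f"{name}: {mbps:8.1f} Mbps in software, "
              f"{share:.1%} of one core at 11 Mbps")
```

Run it on the target device rather than a desktop: the CPU share is what competes with the other applications on that processor.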

Embedded IP in silicon also provides trusted algorithms. Software algorithms by definition can be compromised. Silicon-based embedded IP can also provide key protection logic. Key protection logic is a part of secure memory in the silicon that only a trusted application can access. For instance, IPSec could be one of the trusted applications. One example is that chip manufacturers will allow only certain trusted applications to access keys stored in memory in the chip, a feature not achievable in a software-only security solution.
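The access rule described above can be modeled in software, as an added example that is not from the original article or any chip vendor: keys live in slots, only an allowlisted application may request an operation, and only the result leaves the boundary. The class, slot, and application names are hypothetical, and HMAC-SHA-256 stands in for whichever engine the chip provides; in real silicon the boundary is enforced by hardware, not by Python.

```python
import hashlib
import hmac
import secrets


class KeyProtectionLogic:
    """Software model of protected key memory; real enforcement is in silicon."""

    def __init__(self, trusted_apps):
        self._trusted = frozenset(trusted_apps)  # fixed at provisioning time
        self._slots = {}                         # slot name -> key bytes
        self.audit = []                          # (app, slot, allowed) records

    def provision(self, slot):
        # Key material is generated inside the boundary and never returned.
        self._slots[slot] = secrets.token_bytes(32)

    def _key_for(self, app, slot):
        allowed = app in self._trusted and slot in self._slots
        self.audit.append((app, slot, allowed))  # denied requests are logged too
        if not allowed:
            raise PermissionError(f"{app} may not use key slot {slot}")
        return self._slots[slot]

    def mac(self, app, slot, message):
        """HMAC computed inside the boundary; only the tag leaves."""
        return hmac.new(self._key_for(app, slot), message, hashlib.sha256).digest()

    def verify(self, app, slot, message, tag):
        expected = hmac.new(self._key_for(app, slot), message, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)  # constant-time comparison


def demo():
    chip = KeyProtectionLogic(trusted_apps={"ipsec"})  # names are constructed
    chip.provision("vpn-auth")
    packet = b"constructed sample packet"
    tag = chip.mac("ipsec", "vpn-auth", packet)
    ok = chip.verify("ipsec", "vpn-auth", packet, tag)
    tampered = chip.verify("ipsec", "vpn-auth", packet + b"!", tag)
    try:
        chip.mac("browser", "vpn-auth", packet)  # not on the allowlist
        denied = False
    except PermissionError:
        denied = True
    return ok, tampered, denied, chip.audit[-1]
```

The interface has no call that returns key bytes, which is the property a software-only key store cannot guarantee once the host is compromised.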

Conclusion
If this discussion has given some insight into the challenges faced by IT security professionals, and the strategies and solutions available, then I have achieved my goal. By setting policies for wireless device users, educating the user on those policies, and setting up a secure network with a combination of standards-based IPSec VPNs and the various EAP protocols being used with 802.1x for additional security, you will put the pieces in place for a secure and trusted wireless network. And with an understanding of the next generation of wireless security based on silicon vendors using embedded IP security cores, you will know how to put an effective wireless strategy in place to meet the growing needs of the wireless user community.


David Kanto is the director of business development for SafeNet, Inc., in Danvers, MA. He is responsible for all business development activities in the Embedded Silicon Technologies group. Prior to joining SafeNet, David held various senior management roles at RSA Security and Nokia.
