Magazine Article | October 1, 2002

Decrypting Mobile Computing Security

Source: Field Technologies Magazine

Learn how you can protect your mobile computing solution from eavesdroppers and hackers.

Integrated Solutions, October 2002

Have you ever picked up someone else's phone conversation while using a cordless phone or a cell phone? Could this same scenario happen (intentionally or unintentionally) to your enterprise mobile computing solution? Before you send out any more sensitive data over the airwaves, make sure your bases are covered in three main areas: your network(s), your transmission protocol, and your devices.

Network Options: Public, Private, Or Virtually Private?
When it comes to choosing the right wireless network, it may seem there are enough concerns to think about, such as data throughput, cost of usage, and reliability of coverage, without having to think about security. However, if you're sending (or planning to send) sensitive data over the airwaves, you simply can't overlook this important issue. Most likely you are considering a public network, owned by a telecommunications giant such as Sprint, AT&T, Cingular, or Bell. Public networks offer a few distinct advantages over their private network counterparts. They can be used to connect multiple users across a vast expanse (even globally), and they offer a less expensive startup cost than private networks. However, when it comes to data security, you need to keep in mind that data transmitted via a public network shares the same gateway as hundreds of thousands of other businesses and consumers, making it more susceptible to eavesdropping. However, some public companies are taking the initiative to provide a level of protection for their clients. "CDPD [cellular digital packet data] providers offer some encryption as part of their service," says Yvonne Chong, product marketing manager for wireless and mobile computing at MDSI (Vancouver, British Columbia), a wireless workforce management provider. "However, the wireless data is only encrypted from the sender's wireless device to the provider's gateway, not through to the application server behind the corporate firewall." This level of security can stop the problem of accidental eavesdropping, such as was described earlier in the cordless phone example, but this type of encryption is insufficient at thwarting the intentional hacker because there is a security gap from the provider's gateway to the back end server.

The second type of wireless network is a private network. With this type of network, instead of leasing radio towers that are shared by other consumers and enterprises, you buy the radio towers yourself and install your own modem equipment and antenna networks. "Private networks are inherently more secure than public networks because you don't have any strangers using your gateways and transmitting data at your same frequency," says Sherman Banks, chief engineer for Dataradio (Atlanta), a provider of wireless data products and systems for mission-critical applications. "Government agencies such as the FBI and the police often use private networks for their security as well as superior throughput and reliability," says Banks. Anyone who has ever been to a technology trade show can relate to the difficulty of trying to place a call on a cell phone. If your business depends on anytime access to data and data security with a low monthly cost, a private network may be a more viable alternative than a public network. The drawbacks to choosing a private network, however, are that you have a higher up-front investment to make, and you will only be able to communicate with users within range of your towers who are set up to transmit data using your proprietary frequency.

A third kind of network called a VPN (virtual private network) attempts to capture key strengths of both the public and private networks. First, since it uses the public network, the user enjoys the lower startup costs associated with public networks. Second, because a higher level of encryption is added to the data in a VPN environment, it resembles the security of a private network. VPNs maintain private transmissions by using tunnels. In networking, tunnels are the paths that data travels across a network. VPNs take a private data packet protocol, such as AppleTalk, and wrap it within a public data packet protocol such as IP (Internet protocol) or OSI (open systems interconnection). The end result is that transmitted data has the outward appearance of one format but is actually something very different. Because data is encrypted before it is sent and not decrypted until received by the end user, VPNs provide end-to-end data security.

What Level Of DES Is Right For You?
Whether you choose data encryption software to create end-to-end security over a public network or you use one of the various encryption protocols associated with a VPN, you have to think about how much encryption is sufficient for you. The problem of too little security is obvious - your data may get into the wrong hands. But, the problem of too much security can also cause problems. For instance, the more levels of encryption you add to your data, the more you will spend in data transmission costs (unless you own the network or your network provider only charges a flat fee instead of a per transaction fee). Also, more encryption requires extra bandwidth, which may require purchasing more expensive, high-end servers and processors, and perhaps IT support.

To get a better understanding of different levels of data encryption, let's look at the DES (data encryption standard), an algorithm invented by IBM in 1977. Normal DES, also known as single DES, uses a 56-bit key. This means that a person trying to decipher the key to this type of encrypted data could potentially try as many as 256 (more than a quadrillion) combinations before cracking the code. Because of advances in computer processing speeds, however, this kind of massive combination searching is possible for the most determined of hackers. For instance, in 1997 a group of users managed to crack a DES-coded message with the help of 10,000 networked PCs in a four-month time period. By 1999, the same achievement could be accomplished in less than one day. To counter this threat, a new level of encryption, called triple DES, was invented. Triple DES uses 112-bit encryption, or 2112 combinations, which means that the computing power that was used to crack a single-DES encoded message in less than a day would take nearly 200 trillion years to do the same for a triple-DES encoded message. "For most transportation and dispatch applications, basic [single-DES] encryption is usually more than adequate," says Wolfgang Stichling, director of engineering at Mentor Engineering (Calgary, Alberta), a mobile wireless solutions provider. "For companies that do payment processing or send other highly sensitive data over the airwaves, a triple-DES encryption solution is the way to go." The cost difference between single- and triple-DES encryption is typically around $150 per user for the extra setup time involved. This figure does not take into consideration the extra transmission charges, hardware, and IT support that may be required with a triple-DES solution.

Authentication: Just Be Yourself?
There is a final step to consider regarding mobile computing security. If you opt for the highest level of end-to-end encryption for your data and transmit your data over a highly secure network, but forget this step ... you're done. What would make things worse is that this step is less expensive and easier to set up than the other two steps. I'm talking about security at the device level. With wireless devices storing more and more memory, you can't forget about the sensitive data that resides on your device. What if your field worker leaves a device at a client's office or on a park bench? Could anyone get into your database? Device authentication can be as simple as requiring users to identify themselves by entering name and a special alphanumeric code and adding a time-out function if the device is left on without any activity for a specified period of time. The next level of device security would be a centrally managed logoff function. "An example of this would be a field worker who calls back to headquarters after realizing he lost his wireless device. Immediately, the administrator punches a few keys into his computer and the field worker's device is forcibly logged off the application," says Chong. Beyond these two scenarios, a third level of security could be added to a wireless device using some kind of card ID or a biometrics peripheral, such as a thumbprint reader.

"The bottom line is that enterprises need to evaluate how sensitive their data is and how much they are willing to spend to protect it," says Stichling. "Is your desire for data security based on facts or are you responding to hype and fear mongering?" By having a balanced approach to mobile computing security - adding the necessary amount of encryption and authentication - enterprises will be less likely to overlook the basics of having a properly designed and maintained system.