The evolution of wireless
Feb 1, 2001 12:00 PM, By George Partington
As connected, internetworked computers become the heart of the enterprise, information security is critical. Traditionally, the information has traveled over cable, fiber and copper lines, but increasingly it now travels over thin air, i.e., through wireless transmission, which is being called the next evolution in access to the Internet.
Today, wireless devices primarily consist of the cell phone and pager, but they are being adapted to send and receive data in the same way as do PCs connected to the Internet. In fact, many devices already use the technology to wirelessly pull in weather and traffic information, news, stock quotes and sports scores. In Japan, which is leading the wireless data charge, the application has become popular with millions of users through Docomo's I-mode service. In addition to Internet-type access, the Japanese routinely use wireless devices to store monetary value for use in Web Application Protocol (WAP)-enabled vending machines, in much the way swipe and smart cards are currently used in the United States in campus-type environments and retail.
Wireless monetary applications are also being developed for the United States. VeriFone, a division of Hewlett Packard, has announced an expansion of its wireless payments strategy. And in March 2000, the company signed a non-binding memorandum of understanding with handheld computer giant Palm to jointly enable secure payment on Palm handheld computers.
IVI Checkmate Corp. is also entering the wireless payments segment. The Toronto-based company has announced a joint program with GTE Wireless Solutions and Alpharetta, Ga.-based Atomic Software Inc. The program allows retailers and service providers to use portable wireless devices for credit card authorization. In effect, the cell phone becomes an electronic wallet.
But in traditional security applications, wireless technology is limited to paging and cell phone communications, some wireless alarm systems and wireless tracking of remote CCTV cameras, according to Bill Hawthorne of security consulting firm William A. Hawthorn Associates Inc., Wayland, Mass.
Still, if the growth of wireless is any indication, the technology will become increasingly important to the security industry. Globally, the wireless industry has been growing at an astounding rate — by 50 percent in 2000, to $128.9 billion, according to Merrill Lynch & Co. “There's no question that high-speed wireless services will arrive,” said Graham M. Wallace, CEO of Cable & Wireless PLC, in Business Week.
Such wireless high-speed Internet access makes information access and manipulation convenient and portable, the chief benefits of wireless. Cell phones, which are already being equipped with WAP, the wireless equivalent of TCP/IP, and handheld computers, popularly known as PDAs (personal digital assistants), are expected to become the devices of choice for wireless Internet access.
In the United States, handheld computers are proliferating with new product introductions from Compaq, IBM, Sony and Gateway joining PalmPilot and Handspring. “I think the handheld market today is in a very embryonic stage, and the handheld of the future is going to be wireless,” Michael Dell, chairman and CEO of Dell Computer Corp., notes in a Red Herring interview. “Most handhelds today are not wireless; they're sort of batch connection: go back and plug the thing in and then you get your data and go from there.”
Short-range wireless communication between devices is another application that has implications for the security industry. Bluetooth, radio technology developed in 1998 that allows electronic devices to share information wirelessly, is in the lead to become a standard for short-range — about 30 feet maximum — wireless communication. Each communicating device must be equipped with a Bluetooth chip. If the developers of the technology are any indication — Ericsson, IBM, Nokia, Intel and Toshiba — it will succeed.
Bluetooth technology could eventually be adopted to become a type of proximity access control for both buildings and computers. And with Public Key Infrastructure (PKI) encryption built in from the start, it could provide secure communication. PKI, the de facto standard for information security, is the management of public keys — algorithms that encrypt and decrypt — for use by widely distributed users or systems.
Finally, wireless Internet access is available in limited markets across the country. It comes in both fixed and mobile versions. Fixed wireless Internet, which uses a multi-point, multi-channel distribution system (MMDS), provides high-speed, or broadband, access and requires an antenna and a digital cable modem. The necessary sophisticated filter and down-converter are miniaturized and built into the small end-user antenna.
Mobile wireless Internet consists of a wireless data modem that users attach to a laptop or desktop computer with a universal serial bus (USB) or serial port. Users realize access speeds of up to 128 Kbps.
Securing wired and wireless information
With so much information flying through the air, it would seem ripe to be picked off and used to compromise security. That's why wireless security, whether it applies to cell phone conversations or more complex data transmissions, is an ever-present issue. In fact, experts predict that there will be more Internet-connected handsets than computers by 2003 or 2004.
Brian O'Higgins, executive vice president and chief technology officer for Entrust Technologies, maintains that the same information security protocols apply across the board, no matter the transmission method. Entrust, based in Plano, Texas, provides PKI products and services. O'Higgins says there is no such thing as isolating information, since information databases are generally connected to the Internet, whether they are intranets, extranets or any variation. “There is no such thing as a secure computer and probably never will be,” notes O'Higgins. “But you can secure the information that is on it.”
The most basic level of PKI security is the WAP server certificate, roughly the equivalent of a password that is entered on a PC for access to a wired server. WAP Server Certificates are digital certificates that enable WAP servers to establish Wireless Transport Layer Security (WTLS) sessions with mobile phones and micro-browsers such as PDAs that support the WAP standard. WTLS can be thought of as the wireless version of Secure Socket Layer (SSL); both provide privacy, data integrity and authentication.
WAP Server certificates are created and digitally signed by the “root key” of the certificate authority of the provider. The mobile phone uses the public portion of the certificate authority's “root key” to verify the certificate of the WAP server to which the phone is connecting.
A certificate is a password-protected, encrypted data file issued by a certificate authority that identifies the transmitting party. A provider of PKI is also a certificate authority. There are public and private certificates, and both are integral to public key certification. Each secured module is assigned a pair of keys, one public and one private. The encryption key is “public” and does not require distribution by secure means. The encrypted document can only be decrypted — that is “read” — with the private key. This key is secure, because it cannot be discovered through knowledge of the public key or its underlying algorithms. So anything a user has encrypted cannot be viewed without the private key.
The provider keeps your public key, guarantees that it belongs to you and posts it on the Web. The private key is kept separate and resides with the user. These public and private keys work together in two ways. Someone can send you an encrypted document using your public key and only you can read it by decrypting with your private key. Or, to prove that a file comes from you, you can encrypt it using your private key and only your public key makes it readable.
The next stage of security is client-side certification in handsets. “A person's certificate is roughly equivalent to an electronic version of a passport,” says O'Higgins. “We think they will take off big time.”
One advantage of the certificate in the handset is ease of use. On standard PCs, it is easy to enter a PIN, but on wireless devices it is much harder due to the small keyboard. The solution is a certificate in the handset. Although it is a relatively large bit of software — 2K bytes of data — it is secure and cannot be forged. Here's how the certificate works: It lives on the Web portal, not on the handset. The user enters a password only once, to log onto the handset. For each wireless access transmission, the user's certificate goes out automatically from the server to verify authorization.
A digital signature provides a further level of security. Digital signature creation uses an algorithm derived from — and unique to — both the signed document and a given private key. Digital signature verification is the process of checking the signature against the original document and a given public key, thereby determining whether the digital signature was created for that document using the corresponding private key.
For each digital signature, a new, unique algorithm is created and attached to a document such that any attempt to alter the document alters the signature, thereby invalidating the document. Thus, use of digital signatures usually involves two processes, one performed by the signer and the other by the receiver.
While standard encryption provides confidentiality, a digital signature is an electronic version of a pen signature, except it is akin to signing and sealing a document — the document becomes tamper-proof. “That's the power of private key cryptography: you can't change the data because the signature will fail to verify,” says O'Higgins. “No security is perfect, but there is nothing safer.”
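The certificate check and the signature check described above can be followed end to end in a short program. This is an added example, not code from the article or from Entrust: it uses unpadded hash-then-RSA with constructed demo keys built from publicly known Mersenne primes, so it shows the mechanics only and is not a production signature scheme. The subject name wap.example.test and the sample document are constructed.

```python
import hashlib

E = 65537  # common RSA public exponent

def make_key(p, q):
    """Return (public, private) RSA keys as (modulus, exponent) tuples."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(data, private):
    """Signer: apply the private key to the document's hash."""
    n, d = private
    return pow(digest(data), d, n)

def verify(data, sig, public):
    """Receiver: undo the signature with the public key, compare hashes."""
    n, e = public
    return pow(sig, e, n) == digest(data)

# Constructed demo keys from publicly known Mersenne primes (insecure).
CA_PUB, CA_PRIV = make_key(2**1279 - 1, 2**2203 - 1)  # certificate authority root key
SRV_PUB, SRV_PRIV = make_key(2**521 - 1, 2**607 - 1)  # WAP server key

def issue_cert(subject, public, ca_private):
    """CA: bind a subject name to a public key and sign the binding."""
    body = f"subject={subject};n={public[0]};e={public[1]}".encode()
    return body, sign(body, ca_private)

def handset_check(cert, doc, doc_sig, root_public):
    """Handset: trust only the root key; check the cert, then the document."""
    body, cert_sig = cert
    if not verify(body, cert_sig, root_public):
        return "bad certificate"
    fields = dict(f.split("=", 1) for f in body.decode().split(";"))
    server_public = (int(fields["n"]), int(fields["e"]))
    return "ok" if verify(doc, doc_sig, server_public) else "bad signature"

CERT = issue_cert("wap.example.test", SRV_PUB, CA_PRIV)  # constructed subject
DOC = b"pay 10.00 to merchant 42"                        # constructed document
DOC_SIG = sign(DOC, SRV_PRIV)
```

The handset stores only the root public key; everything else it trusts is derived from a signature that verifies against that key.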
About the author
George Partington is an Atlanta-based writer and former senior associate editor of Access Control & Security Systems Integration.
Stages of data security
Do nothing
Enter user password that is compared on server
Turn on SSL, or WTLS for wireless, which will encrypt link between browser and server. This is still vulnerable, because a hacker can break into the back-end server. The link is encrypted, but the information on the server is not.
Use persistent encryption, which means data on the server is encrypted.
Use digital signatures, which protect data integrity.
Then bring in logic of what functions are authorized for each identified user.
Up to speed on wireless data terms
Here's a handy guide to help you decipher the world of wireless communication. If you want to become even more tech-savvy, see the online dictionary of Internet- and computer-related definitions at http://webopedia.internet.com.
Bluetooth: Wireless technology for small-form factor, low-cost, short-range radio links between mobile PCs, mobile phones and other portable devices. It allows relatively fast data transmission over a range of about 30 feet between devices equipped with a proprietary chip.
Certificate Authority (CA): A provider that issues digital certificates used to create public-private key pairs and digital signatures.
Digital Signature: Encryption system that allows users to sign and seal a document. Digital signature creation uses an algorithm derived from and unique to both the signed document and a given private key. Digital signature verification is the process of checking the signature against the original document and a given public key, thereby determining whether the digital signature was created for that document using the corresponding private key.
Encryption: The transformation of data to an unreadable form using algorithms. Only those with a key, either public key or private key depending on the encryption purpose and method, can translate the data into readable form.
© 2008 Penton Media Inc.