Mobile Security

1
Mobile Security
2
Security is Hard

• Just this year
• Denial of service
• Credit card compromise
• I Love you
• Cost to manage security quickly becomes
  prohibitive
• How do we do it?

3
Wireless is Complex

• The wireless telegraph is not difficult to
  understand. The ordinary telegraph is like a
  very long cat. You pull the tail in New York,
  and it meows in Los Angles The wireless is the
  same only without the cat.
• Albert Einstein

4
Speed is Everything
GROSS PROFIT
TIME LATE TO MARKET
Source McKinsey Co
5
Recommendations

• Consolidate as much as possible the security
  mechanisms necessary to perform commerce
• Standards-based, vendor neutral, global scope,
  legal framework
• Leverage the work already done in e-Business,
  e-Security
• After all, wireless is just an extension of
  technology

6
Trust in the Digital World
Passports
Check Books
Credit Cards
PKI
Encryption
Authentication
Trust in the Physical World
Trust in the Digital World
7
Public Key Infrastructure(PKI)

• Allow unknown parties to communicate securely
• Parties can be
• Employees
• Devices
• Suppliers
• Partners
• And most importantly, PKI can scale to millions
  of customers . . .

8
Market is Huge
Source IDC, 2000
9
Infrastructure Investments Yield Benefits Beyond
Commerce

• Cisco realized 825 million in financial benefits
  in 1999
• Customer Service 269
• E-Commerce 37
• Supply Chain 444
• Employee Resources 55
• Dell enjoying similar rewards
• Dell generates more working capitol than it
  consumes
• Customers pay for product before Dell pays
  suppliers
• Inventory turns over 60 times/year, 6 times/year
  in 1994

10
Wireless Network Architecture
Internet
Network Operator
Users
E-businesses
11
Evolution of WAP Security
12
WTLS Layer in WAP Stack
WTLS is the wireless equivalent of SSL/TLS
13
Web WAP Architecture
14
Web WAP Session Security
15
WTLS Authentication Levels

• Three levels of authentication
• All levels have privacy and integrity
• Class I- Anonymous
• No authentication
• Class II
• Server authentication only
• Class III
• Client and server authentication

16
Which Certificates Do I Use for Authentication?

• WAP gateways/server need to provide WAP
  certificates for authentication
• Need to obtain WTLS certificate
• Web servers use X.509
• The same ones they use today
• Mobile users use X.509
• Wireless PKI

X.509
X.509
WTLS
WAP Gateway
Web Server
Mobile User
17
How to Achieve End-to-End Security

• Move everything to a secure domain
• WAP end-to-end security solution
• SIM toolkit-based solution
• WAP application layer security

18
Baltimore Telepathy WAP Solution
19
Conclusion

• Partner with a leader who has the completeness of
  vision and the ability to execute
• PKI solutions can help move security from
  enterprise to extranet, high value customers and
  suppliers, and m-Commerce world