Embedded Security: the Next Big Thing in Wireless Devices?

The wireless world is going to move away from software-based security/encryption for a host of reasons, including processor speed, battery utilization, and memory scarcity. Embedded security in wireless networked devices is likely the "next big thing" in wireless device security. Read on for a comprehensive explanation.

The adage that best describes the current state of affairs with wireless devices and security is: "forecasting is always difficult, especially when it's about the future." To what degree will wireless LANs, PDAs, and next-generation 2.5G and 3G mobile handsets become part of the corporate IT landscape? I recently gave a speech on the growth of wireless devices and the attendant security needs at the RSA Security Conference in Paris. My presentation had about 100 attendees, all with varying views on how to meet this challenge.

All acknowledge that it's a matter of when, not if, they have to deal with the challenge. The numbers speak for themselves. According to a leading wireless market research consultancy, nearly 725 million wireless devices are expected to ship in 2003 (see Figure 1). Over 50% of these are expected to be mobile phones, followed by 20% PCs, and the remainder a mix of PDAs, wireless LANs, and broadband modems.

Most IT managers with whom I have spoken are working out a plan to make these new PDAs and wireless devices part of the networked ecosystem and thus more secure. The primary purpose of this article is to provide an overview of the current wireless security landscape, with special attention to the direction that many chip vendors such as Samsung, Intel, and Texas Instruments are taking by putting embedded intellectual-property security "cores" into silicon. This increasingly important security methodology for wireless devices has wide-ranging implications, and users, IT executives and managers, and security architects should pay close attention.

What Can the Wireless Security Strategist and Implementer Do?
The cost of implementing a high level of security on wireless devices quickly adds up. It can get out of control when you become dependent on specialized security development staffs that understand all the variables of security methodologies, operating systems, hardware platforms, and the sheer volume of new wireless software applications often tied to the service provider. Talk with any IT security professional, and you'll find out quickly that security is the single most important enabling technology concerning the adoption and trust of mobile applications.

Further, as the wireless carriers and service providers attempt to build a sustainable revenue model for high-profit data services, security-conscious wireless device users aren't going to buy a $20 hardcover book from Amazon.com, let alone 100 shares of Microsoft from their wirelessly enabled brokerage account, unless they are assured that their device will enable a secure transaction. So what can the wireless security strategist and implementer do?

First, acknowledge that the wireless data is part of the entire networked data ecosystem (see Figure 2). Sure, the IT manager may not like the idea that sales employees are bringing in their PDAs with their Bluetooth cards, or that the engineering department is using an impromptu 802.11a wireless LAN, or that the marketing department people are e-mailing digital photos taken from their new mobile phones to the print studio, but that is the brave new world of wireless in the corporation.

In other words, don't stand in front of the wireless freight train, but manage what goes on the tracks and how it's used in your data network. Study the new technologies, the alternatives, and the new vendor offerings. For example, as the IEEE moves closer to resolution on the 802.11i standard (IEEE 802.11i is the standard for enhanced security of wireless LANs), pay close attention because the wireless LAN access point and card manufacturers and the various WLAN chip vendors such as Agere, Intersil, Texas Instruments, and Atheros invariably will follow this standard in an effort to supply standards-based products.

Within the IEEE, 802.1x is the authentication and authorization standard produced by the IEEE 802.1 working group, and it applies to all LAN technologies. It's also important to cover briefly the various protocols that are being used alongside 802.1x for increased security.

EAP, the Extensible Authentication Protocol, comes in several variants that address the widely discussed weaknesses of a WEP-only security solution. The Wired Equivalent Privacy (WEP) key is used with the 128-bit RC4 algorithm, which has proven to be vulnerable to eavesdropping. As a result there are various proposals, such as "Protected EAP" or PEAP, an IETF proposal by Cisco Systems, Microsoft, and RSA Security, which builds strong authentication into a WLAN environment and claims to "plug in" to 802.1x.

There are also variations of the transport layer security protocol called WTLS, which stands for Wireless Transport Layer Security. WTLS is similar in functionality to SSL, which is used to secure connections between your Web browser and a Web server. EAP-TLS is a part of Microsoft Windows XP and is based on the use of a user digital certificate and a server TLS certificate.

Cisco Systems' Lightweight Extensible Authentication Protocol, LEAP, is also based on the 802.1x security standard. It is Cisco proprietary, in that it uses Cisco's RADIUS servers, but it is one solution that can be configured in Windows XP. Other vendors also use RADIUS to control which MAC addresses are allowed to use the wireless network. There is also TKIP, the Temporal Key Integrity Protocol, which provides initialization vector hashing to help prevent eavesdropping attacks. This is a pre-standard protocol and is considered a replacement for WEP. In addition to TKIP, AES is the other encryption standard proposed for 802.11i. Several wireless device manufacturers already support this.
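As an added illustration (not code from the article) of why the WEP construction leaks to an eavesdropper when an IV repeats, and why TKIP-style per-packet keying changes that: a pure-Python RC4 used with a WEP-style key (IV followed by the static secret) beside a per-packet derived key. The SHA-256 key mixing, the secret, the IV and the two frames are assumed sample values; SHA-256 stands in for TKIP's real key-mixing function, which is different.

```python
import hashlib

def rc4_keystream(key, length):
    """Plain RC4: key scheduling (KSA) followed by the PRGA."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def wep_style_encrypt(secret, iv, plaintext):
    """WEP construction: the per-frame RC4 key is just IV || static secret,
    so a repeated IV means a repeated keystream."""
    return xor(plaintext, rc4_keystream(iv + secret, len(plaintext)))

def per_packet_encrypt(secret, iv, seq, plaintext):
    """Per-packet key mixed from secret, IV and a sequence counter. SHA-256
    here is an assumed stand-in for TKIP's real key-mixing function."""
    key = hashlib.sha256(secret + iv + seq.to_bytes(6, "big")).digest()[:16]
    return xor(plaintext, rc4_keystream(key, len(plaintext)))

def keystream_reused(c1, p1, c2, p2):
    """Stream-cipher property: identical keystreams make c1 XOR c2 equal
    p1 XOR p2, so an eavesdropper learns how two frames differ without
    the key. False means the two frames used different keystreams."""
    return xor(c1, c2) == xor(p1, p2)

# Constructed sample values: a 13-byte (104-bit) secret, one 24-bit IV
# that is reused, and two equal-length frames.
SECRET = b"corp-wlan-k3y"
IV = bytes([0x01, 0x02, 0x03])
FRAME1 = b"GET /mail HTTP/1.0"
FRAME2 = b"POST /buy HTTP/1.0"

def demo():
    """Returns (leak with WEP-style IV reuse, leak with per-packet keys)."""
    w1 = wep_style_encrypt(SECRET, IV, FRAME1)
    w2 = wep_style_encrypt(SECRET, IV, FRAME2)
    t1 = per_packet_encrypt(SECRET, IV, 1, FRAME1)
    t2 = per_packet_encrypt(SECRET, IV, 2, FRAME2)
    return (keystream_reused(w1, FRAME1, w2, FRAME2),
            keystream_reused(t1, FRAME1, t2, FRAME2))
```

With a 24-bit IV the reuse is a matter of when, not if, on a busy access point; the per-packet key is why TKIP was acceptable as a stopgap for the same RC4 hardware.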

Set Up a Corporate Policy
Set up a corporate standard with an approved list of PDAs and wireless devices. It can be a relatively painless task to assemble a quorum of the wireless user community in your company to discuss their needs, determine which wireless devices and technologies are allowable, and establish a corporate wireless usage policy. Once there is a stated policy on approved wireless devices and usage, the next step falls into place more easily: develop clear procedures and policies for remote usage.

For example, on the occasions that I access the corporate network from home, I connect my laptop using a wireless LAN PC Card, an 802.11b access point, and a router. I use the corporate VPN to tunnel into the network to access my e-mail and the Internet. There are many wireless managed service providers who are skilled in providing secure access services if this proves to be beyond the core offerings of your IT department.

Wireless Security Implementation Choices
Let's take a look at two key areas of wireless security implementations. First, there is security in software. Then there is security in hardware, in the form of embedded intellectual property in silicon.

Security in Software
An implementation that is time-proven, standards-based, and widely used is an IPSec VPN client. Chances are good that you are already using a VPN client in your laptop or desktop computer; in fact, a VPN client is a standard offering in Windows XP. An IPSec VPN is a proven, robust, simple, cost-effective tool for secure communications. An IPSec VPN client offers a secure client-to-gateway communication over a wireless network at the network layer of the OSI model.

The key here is to use a product that is certified IPSec interoperable by the Internet Certification Standards Authority (ICSA) or the VPN Consortium (VPNC). IPSec-certified security, in addition to other wireless security protocols that I'll discuss shortly, overcomes wireless security vulnerabilities. For example, you can have a secure connection when using IPSec security software on your wireless LAN-enabled laptop and an IPSec VPN gateway behind the 802.11 wireless access point.

A few WLAN access point manufacturers are putting IPSec VPN gateway functionality in the box to serve both needs. The disclaimer here is that even though an IPSec VPN is a private, encrypted tunnel, the security is only as good as the authentication choice you make. We have all used passwords at one time or another, which is less than perfect.

The use of two-factor authentication, such as hardware tokens, requires users to present something they know, such as a password, and something they have, like the hardware token. Digital certificates are a fast-growing form of authentication as well. IPSec supports the use of industry-standard X.509 certificates as one authentication method. Although this introduces a digital certificate management system, which can add complexity, it's worth the effort. Managed digital certificates rest on a unique key pair, one public key and one private key; the VPN client presents the public key, in its certificate, to the VPN gateway (server), which uses it to verify the mobile device's authenticity.

Security in Silicon
Embedded security in wireless networked devices is likely the "next big thing" in wireless device security. Embedded security takes the cryptographic functions normally available in software and puts the intellectual property "security cores" into the silicon. Examples of these cores are encryption engines such as DES, 3DES, RC4, and AES (see Figure 3). AES is the Advanced Encryption Standard, which is based on the Rijndael algorithm.

There are also hash engines such as SHA-1 and MD5, and packet engines such as IPSec, SSL, and TLS. Another is the widely used True Random Number Generator. An associated software cryptographic library lets applications take advantage of the algorithms embedded in silicon. New PDAs and mobile handsets are already utilizing this new technology.

Why the movement toward this hardware (silicon) based security paradigm? The two main reasons are performance and security. On performance, the aim is to stop cryptographic software from robbing CPU horsepower from the device's other applications. Software-based cryptographic functions can consume anywhere from 30-80% of the CPU, starving other important applications. Software-based 3DES and SHA-1 can achieve only up to several Mbps depending on the CPU.

Embedded hardware IP cores can scale from hundreds of Mbps to several Gbps. A public key "handshake" can take up to one minute on the slower CPUs used in many PDAs currently sold. This is why many silicon manufacturers have chosen to go the route of embedded IP in their next-generation wireless processors.

Embedded IP in silicon also provides trusted algorithms. Software algorithms by definition can be compromised. Silicon-based embedded IP can also provide key protection logic. Key protection logic is part of secure memory in the silicon that only a trusted application can access. For instance, a chip manufacturer can allow only certain trusted applications, such as an IPSec stack, to access keys stored in memory on the chip, a feature not achievable in a software-only security solution.
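One way to picture the key protection logic described above, as an added model (not code from the article or from any chip vendor): keys sit in memory only the core owns, callers hold a handle, and only identities on a trusted-application list may invoke operations, so the key bytes never cross the boundary. The application names and the HMAC-SHA256 operation are assumptions chosen for the model.

```python
import hashlib, hmac, secrets

class SoftwareKeyStore:
    """Software-only storage: the key is ordinary process memory, readable
    by any code running with the same privileges (or by a memory dump)."""
    def __init__(self, key):
        self.key = key                   # nothing stops other code reading it

class KeyProtectionCore:
    """Model of key-protection logic: keys sit in memory the core owns,
    callers hold only a handle, and only trusted application identities may
    invoke operations. The key bytes never cross the boundary."""
    def __init__(self, trusted_apps):
        self._trusted = frozenset(trusted_apps)
        self._slots = {}                 # handle -> key bytes, never returned
        self.denied = []                 # audit trail of refused requests

    def generate_key(self, caller):
        self._check(caller, "generate")
        handle = len(self._slots) + 1
        self._slots[handle] = secrets.token_bytes(32)
        return handle                    # the caller only ever sees this

    def mac(self, caller, handle, data):
        """Integrity tag (think IPSec ESP/AH) computed inside the core."""
        self._check(caller, "mac")
        return hmac.new(self._slots[handle], data, hashlib.sha256).digest()

    def verify(self, caller, handle, data, tag):
        self._check(caller, "verify")
        expected = hmac.new(self._slots[handle], data, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)   # constant-time compare

    def _check(self, caller, op):
        if caller not in self._trusted:
            self.denied.append((caller, op))      # worth alerting on
            raise PermissionError(f"{caller!r} is not a trusted application")

def demo():
    """Trusted 'ipsec' (assumed name) can use the key; 'rogue-app' cannot."""
    core = KeyProtectionCore(trusted_apps={"ipsec"})
    handle = core.generate_key("ipsec")
    tag = core.mac("ipsec", handle, b"ESP payload")          # constructed data
    ok = core.verify("ipsec", handle, b"ESP payload", tag)
    try:
        core.mac("rogue-app", handle, b"anything")
        blocked = False
    except PermissionError:
        blocked = True
    return ok, blocked, core.denied
```

The denied list is the detection hook: on real silicon the equivalent is an access-violation event that the device firmware should log rather than silently drop.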

If this discussion has given some insight into the challenges faced by IT security professionals, and the strategies and solutions available, then I have achieved my goal. By setting policies for wireless device users, educating the user on those policies, and setting up a secure network with a combination of standards-based IPSec VPNs and the various EAP protocols being used with 802.1x for additional security, you will put the pieces in place for a secure and trusted wireless network. And with an understanding of the next generation of wireless security based on silicon vendors using embedded IP security cores, you will know how to put an effective wireless strategy in place to meet the growing needs of the wireless user community.

David Kanto is the director of business development for SafeNet, Inc., in Danvers, MA. He is responsible for all business development activities in the Embedded Silicon Technologies group. Prior to joining SafeNet, David held various senior management roles at RSA Security and Nokia.
