EM406 Mobile Data Security
Dave Neudoerffer
VP of Software Engineering, iAnywhere Solutions
Dave.Neudoerffer@ianywhere.com
Mobile Data Security
Why?
Mobile computing:
• Necessitates exchanging confidential data over public networks
• Storing data on portable devices that are more easily lost or stolen
• Wireless networks
Where to Start?
What security problem are you trying to solve?
How expensive is the implementation and infrastructure?
How difficult is it for users to follow security procedures?
How expensive is it to the organization to follow the security procedures?
General Observations
Costs must be compared to the cost and risk of a security breach
No solution is perfect: security is reducing risk, not eliminating risk
If security is cumbersome, it will likely be circumvented
User education is important
Agenda
What’s the Problem?
Security Overview
Discuss each Mobile Data Security Problem
What’s the problem?
What security problem are you trying to solve?
• Interception of data transmission
• User authentication
• Rogue access to data on device
• Loss of device
Interception of Data Transmissions
Where?
• Thin client applications
• Voice
• Data synchronization
• Client/Server communications
• Messages and alerts
Interception of Data Transmissions
What is the Attack?
• Confidentiality: we want our communications to remain private
• Integrity: we want our communications to remain intact
• Non-repeatable: a recording of the stream should not be useful if it is resent to the server
• Authentication: we want to ensure we know who we are communicating with on the other end (no man-in-the-middle attack)
User Authentication
Who?
• Is the client that has connected to your server an authorized client?
• What is that client allowed to do?
• As a client, have you connected to the server you want?
• More complicated in message systems
Rogue Access to Data on Device
Services on Device may respond to data requests
Laptops connected to internet
• Drive shares
• FTP server
• Any type of server (database, web server, etc.)
Not many services yet on handhelds
Loss of Device
How to protect against stolen data?
• Data persistently stored on the device
  • Hard disks
  • Persistent memory
  • Removable flash cards (both in device and out)
• Running applications
  • Always-on devices
  • Data on screen
  • Stored in application memory
Background Info on Security
Communication Architecture
Public Key Cryptography
Digital Certificates
Digital Signatures
Symmetric Key Cryptography
Security Protocols
Communication Architecture
[Diagram: layered communication stack, top to bottom]
Application
Security Protocol: SSL, TLS, WTLS
Encryption: DES, RC4, RSA
Transport Layer: TCP/IP
Physical Hardware
Public Key Cryptography
Based on pairs of large associated numbers called keys
Public key can be published
Private key is kept private
Data encrypted with one can only be decrypted with the other
Examples: RSA, Diffie-Hellman, Elliptic Curve Cryptography (ECC)
Digital Certificates
Identity info
• Name, company, address
Public key
Expiry date
Digital signature(s)
• Made with the private key of the certificate authority
• May have third-party signatures to confirm identity
• Prevent modification
Digital Signatures
Process:
Digest of the document is produced using a one-way hash
• MD5, SHA-1
• Difficult to match after document modification
Digest is encrypted using the private key
Protects against document modification
Know it came from the signer
PKI – Public Key Infrastructure
Certificate Authority
• Issues certificates
Certificate infrastructure for security
• Systems and software based on certificate security
Certificate management
• Revocation lists
• Certificate distribution
Symmetric Key Cryptography
Same key used to encrypt and decrypt data
• Much faster than public key
Stream ciphers
• Cipher produces a random stream from the key that is XORed with the plaintext
• Key should never be reused
• RC4, SEAL
Block ciphers
• Cipher transforms a block of data into a seemingly unrelated block of data of the same size
• DES, Blowfish, Twofish, Rijndael, MDSR
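Why a stream cipher key must never be reused, as an added example that is not part of the original slides: when two messages are XORed with the same keystream, the keystream cancels out of the two ciphertexts. The keystream generator, key and sample records below are constructed for illustration and are not RC4 or SEAL.

```python
import hashlib
import os

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream generator (SHA-256 in counter mode), for illustration only."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Stream encryption: plaintext XOR keystream. Decryption is the same call."""
    return xor(plaintext, keystream(key, nonce, len(plaintext)))

# Constructed sample records of equal length, and a constructed key.
P1 = b"sync row 0017: balance=100.00"
P2 = b"sync row 0018: balance=250.75"
KEY = b"constructed-demo-key"

def reused_keystream():
    """Weak setup: both records encrypted under the same key and nonce."""
    c1 = encrypt(KEY, b"", P1)
    c2 = encrypt(KEY, b"", P2)
    leaked = xor(c1, c2)          # keystream cancels: this equals P1 XOR P2
    recovered = xor(leaked, P1)   # anyone who knows P1 can now read P2
    return leaked == xor(P1, P2), recovered

def fresh_nonce_per_message():
    """Corrected setup: a random nonce per record gives unrelated keystreams."""
    n1, n2 = os.urandom(16), os.urandom(16)
    c1 = encrypt(KEY, n1, P1)
    c2 = encrypt(KEY, n2, P2)
    recovered = xor(xor(c1, c2), P1)   # no longer yields P2
    roundtrip = encrypt(KEY, n2, c2)   # receiver is sent n2 alongside c2
    return recovered, roundtrip

if __name__ == "__main__":
    print(reused_keystream())
    print(fresh_nonce_per_message())
```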
TLS/SSL Protocol
• SSL 3.0 – 1996 specification from Netscape
• TLS 1.0 – 1999 specification from IETF
  Not compatible with SSL, but will negotiate down
• 2 components:
  Complex handshake for protocol negotiations
    • Algorithms negotiated
    • Certificates exchanged
    • Public key algorithm used to exchange symmetric key info
  Messaging definition for data exchange
    • Symmetric encryption used
    • Each message signed to prevent alteration
SSL Handshake Server Authentication Mode
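[Diagram: message flow between Client and Server]
Client to Server: Client Hello
Server to Client: Server Hello, Server Certificate Chain
Client to Server: Client Key Exchange, Finished
Server to Client: Finished
Both directions: Application Data
Certicom message sizes shown on the diagram: ~40 bytes, ~500 bytes per cert, ~80 bytes, ~50 bytes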
SSL Handshake Server Authentication Mode
• Random bytes generated on each side and exchanged
• Server must encrypt client's random bytes and send back to prove it has the private key (called a challenge)
• Randomness ensures session cannot be replayed against either side
• Random bytes also used to generate symmetric keys and hashing keys using fixed algorithms that both client and server know
• Symmetric key then used to encrypt application data
• Hashing key used to sign messages
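How per-session random bytes defeat replay, as an added example that is not part of the original slides: both sides derive the cipher key and hashing key from the exchanged secret plus both randoms, so a record captured in one session fails verification in any later session. The derivation is a simplified stand-in for the real SSL/TLS key-derivation function, and all names and the sample payload are constructed.

```python
import hashlib
import hmac
import os

PAYLOAD = b"constructed sync upload #1"

def derive_keys(secret: bytes, client_random: bytes, server_random: bytes):
    """Derive (cipher_key, mac_key) from the exchanged secret and both randoms.
    Simplified stand-in for the SSL/TLS key-derivation function."""
    seed = client_random + server_random
    cipher_key = hmac.new(secret, b"cipher key" + seed, hashlib.sha256).digest()
    mac_key = hmac.new(secret, b"mac key" + seed, hashlib.sha256).digest()
    return cipher_key, mac_key

def protect(mac_key: bytes, seq: int, payload: bytes) -> bytes:
    """Append a keyed hash over sequence number + payload (encryption omitted)."""
    tag = hmac.new(mac_key, seq.to_bytes(8, "big") + payload, hashlib.sha256).digest()
    return payload + tag

def verify(mac_key: bytes, seq: int, record: bytes):
    """Return the payload if the keyed hash matches, otherwise None."""
    payload, tag = record[:-32], record[-32:]
    expected = hmac.new(mac_key, seq.to_bytes(8, "big") + payload, hashlib.sha256).digest()
    return payload if hmac.compare_digest(tag, expected) else None

def server_accepts(secret: bytes, client_random: bytes, record: bytes, seq: int = 0):
    """Server side of a NEW session: it always contributes fresh random bytes."""
    server_random = os.urandom(32)
    _, mac_key = derive_keys(secret, client_random, server_random)
    return verify(mac_key, seq, record)

def replay_demo():
    secret = os.urandom(48)         # sent to the server under its public key
    client_random = os.urandom(32)
    server_random = os.urandom(32)
    _, mac_key = derive_keys(secret, client_random, server_random)
    record = protect(mac_key, 0, PAYLOAD)
    original = verify(mac_key, 0, record)              # same session: accepted
    tampered = verify(mac_key, 0, b"X" + record[1:])   # altered in transit: rejected
    # Recorded handshake and record resent later: server random differs, keys differ.
    replayed = server_accepts(secret, client_random, record)
    return original, tampered, replayed

if __name__ == "__main__":
    print(replay_demo())
```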
Where are We?
What security problem are you trying to solve?
• Interception of data transmission
• User authentication
• Rogue access to data on device
• Loss of device
Interception of Data Transmissions
Mobile Data Architectures
[Diagram: Mobile Unit connecting to Server (Web Server, App Server, Database Server)]
Thin Client -- Browser
- Screen display info
- Browser control
Smart Client – Local Data
- Raw data
- Application control on both ends
Interception of Data Transmissions
Thin client applications
• Rely on browser SSL
Email
• Rely on email provider
Voice
• Not much protection
Messages and alerts
• Rely on infrastructure provider
• Broadbeam ExpressQ uses userid/password authentication and Certicom encryption libraries
Watch for weakest link!
Interception of Data Transmissions
Data Synchronization
[Diagram: UltraLite and dbmlsync (ASA) clients, TLS, MobiLink Server, Database Server]
Client/Server Communications
[Diagram: Client App, TLS, ASA Server]
SQL Anywhere Communication Security
Synchronization Stream (new in 7.0)
Client/Server Comm (new in 8.0)
Certicom TLS
• ECC public key (faster and smaller than RSA)
• RC4 symmetric cipher
Server certificates for server authentication
• Tools for generating and requesting certificates
• See certificate white paper: http://www.sybase.com/detail/1,3693,1009621,00.html
SQL Anywhere Communication Security
Synchronization Stream (new in 7.0)
Client/Server Comm (new in 8.0)
User authentication achieved through Userid/Password
• UltraLite userid/password
• Dbmlsync – specify userid/password on command line or prompt
• ASA userid/password
SQL Anywhere Communication Security
Mechanics:
gencert utility
• Used to generate certificates
• Can generate certificate chains
reqtool utility
• Certicom's tool for generating a request for a certificate which they will sign
Outlined in “MobiLink transport-layer security and digital certificates” white paper found at www.ianywhere.com/developer
SQL Anywhere Communication Security
Specify certificate for MobiLink/ASA/UltraLite
dbmlsrv8 -x tcpip(security=certicom_tls(certificate=mobilink.crt;certificate_password=tJ1#m6+W)) …
CREATE SYNCHRONIZATION DEFINITION test SITE 'user001' TYPE tcpip ADDRESS 'host=myhost;security=certicom_tls(trusted_certificates=mobilink.crt)' …
ulgen -r mobilink.crt
SQL Anywhere Communication Security
Specify certificate for ASA client/server
dbsrv8 -ec certicom(certificate=sample.crt;certificate_password=certpwd) …
Connection string or ODBC connection parameters: "uid=dba; pwd=sql; links=tcpip; encryption=certicom(trusted_certificates=sample.crt)"
Where are We?
What security problem are you trying to solve?
• Interception of data transmission
• User authentication
• Rogue access to data on device
• Loss of device
Rogue Access to Data on Device
Laptops
• Hooked up to the internet
  • Always-on connections are of particular concern
  • Dialup also a concern
• Install personal firewall
  • BlackIce, ZoneAlarm
• Be careful with any servers installed on the machine
  • E.g. FTP, drive shares, device management software, etc.
Handhelds
• Not many server services -- device management software
Where are We?
What security problem are you trying to solve?
• Interception of data transmission
• User authentication
• Rogue access to data on device
• Loss of device
Loss of Device
Data Stored Persistently on Device
• Encrypt sensitive data
• Encrypt entire file system
Always On – Running Applications
• Password protected timeout on device
• Devices must lock down
• Application code to verify user has not defeated device password protection
SQL Anywhere Persistent Data Encryption
UltraLite and ASA data stores (new in 8.0)
• Rijndael (pronounced "rine doll") encryption
• Key must not be stored on device
• If you lose the key, you are toast!
ASA Store Encryption
• Specify key when database is created
  • CREATE DATABASE 'test.db' ENCRYPTED KEY 'this is the password'
• Key required to start database and for utilities
  • dbeng8 test.db -ek "this is the password"
  • dbping -c "uid=dba; pwd=sql; dbf=edb.db; dbkey=this is the password"
  • dbtran test.log -ek "this is the password"
  Will prompt for key using -ep switch
  Key is case sensitive!
• All files encrypted:
  • Main database file, dbspace files, transaction log file, temporary files
UltraLite Store Encryption
• Uses Rijndael AES encryption algorithm
  • ULEnableStrongEncryption() called before db_init()
  • Key= UL_STORE_PARMS used to specify key on db_init call
• First sync will create encrypted database; all calls to db_init must specify key parameter
• On Palm, ULAppLaunch is called every time the application is switched to
  • Must provide key
  • Also must provide key on synchronization for HostSync conduit
• No memory penalty if you don’t use store encryption
Summary
Identify the security problem you are trying to solve:
• Interception of data transmission
• User authentication
• Rogue access to data on device
• Loss of device
Design an appropriate solution taking into account risks and costs.
Identify the Weakest Link!
iAnywhere Solutions Highlights
• Ask the Experts - about Mobile & Wireless Solutions
  - Mezzanine Level Room 15B: Mon./Tues. 11:30 am - 3:30 pm; Wed. 11:30 - 1:30; Thurs. 9 am - 12 noon
  - Exhibit Hall - Demo Center (truck): exhibit hall hours
• SIG (Special Interest Group) - Tuesday 5:30pm, Mobile & Wireless, SDCC, Upper level, Room 11
• Keynote - Enabling m-Business Solutions, Wednesday 1:30 pm - 3:00 pm
• iAnywhere Solutions Developer Community - Excellent resource for commonly asked questions, newsgroups, bugfixes, newsletters, event listings - visit www.ianywhere.com/developer
The END