Re: Security on CDMA for Banking Applications

[Alessandro Bottonelli <a.bottonelli () axis-net it>]

On Saturday 26 March 2005 04:19, shankarnarayan.d () netsol co in wrote:
> a. Is it advisable to run banking apps (include financial transactions)
> over CDMA 
A radio link, CDMA or other, is an "open channel". It's easier to tap into 
(sometimes by accident) than other means. It is also somewhat more "fragile" 
than other means of communication (depending on distance, terrain, weather, 
band of operation you may experience availability issues, more than on copper 
or fiber).

So, in principle,  it is not advisable to run sensitive applications other it, 
yet if you have no options you.... have no options ;-)

> b. What perceived Security threats are there when doing so 
Confidentiality. Radio waves bounce, spread all other and do not require 
physical intrusion to tap into them. 

Availability. Radio waves (more so the higher the band of operation is) fade 
in case of rain and antennas get misaligned in case of wind, earthquakes or 
landslides. If something gets in between the link (a new building, a crane, 
whatever) the link gets flaky or doesn't work at all...

> c. What methods are available to overcome these (hardware/ software etc) -
> any suggestions for products 
For confidentiality do encryption. Best if end-to-end encryption with 
technology you buy from a different vendor than the one you buy the radio 
equipment from. At least a VPN with strong and safe keys (lot of bits, you 
change the keys often, you manage the keys). The vendor may add some 
"scrambling" in the CDMA scheme to make things worst for the would-be 
intruder. If it is available use it, but do not count on it. Scrambling and 
encryption are two different things. Do encryption and add scramling if it is 
available at no extra cost. Otherwise stick with encryption.

For availability try "low bands" for microwaves, they are less prone to fade 
under rain, antenna alignment is less of an issue, electronics is more 
robust. 3.5 or 10 Ghz bands are quite popular here in Europe, but it's tough 
to get a PTT license for them since they are quite crowded. Also, if you go 
beyond the 10 Ghz band (say 17 and up) ask the engineers to be 'generous' in 
calculating the so called "link budget" and to analize the weather history in 
the region (you will have to tell them how many hours a year of no operation 
you are willing to tolerate, but remember that's statistics, you will not 
know in advance when the link is going to be down and for how long).

> d. What inherent Security is available in CDMA 
Very little. The only good thing is that the higher the band of operation, the 
tougher for the "average bad guy" to get the equipment to monitor the link 
(which goes counter what we said of keeping the band low for availability 
reasons...). 

> e. Any previous experiences for the same
We linked in Milano four points over a 27 Ghz CDMA/Point-to-MultiPoint link 
with great success. Only 3 Km apart (some 1.5 miles) in a urban environment 
(the worst for high band microwaves). Not a single security accident since 
1997.

There is no single one-size-fits-all recipe for secure radio links. Local 
conditions, local PTT licensing policies, terrain, weather will need to be 
taken into account. For example, if the radio hops are short (say 3 to 5 Km) 
with line-of-sight you may want to go high in the radio bands despite what I 
said earlier. Confidentiality may weight more than availability in that case, 
and high bands help a lot in that.

I am not sure how many radio security experts there are (is a sub-specialty in 
an already narrow specialty...) around. But I am sure you will be able to get 
some radio/security expertise in your region. 

-- 
Alessandro Bottonelli
Axis-Net (Privacy & InfoSec Consulting)
Tel. +39 02 93595859
Fax. +39 02 93590544
Web. http://www.axis-net.it