Information Security News mailing list archives

Certicom secures PDAs


From: InfoSec News <isn () c4i org>
Date: Fri, 8 Jun 2001 11:46:28 -0500 (CDT)

http://www.nwfusion.com/news/2001/0607certicom.html

By Tim Greene
Network World, 06/07/01

With the loss or theft of handheld devices an inevitable fact of life,
Certicom is introducing a way to lock up handheld devices so even if
they are stolen, no one can lift the data stored on them.

Called movianCrypt, this software protects the PDA with a password and
encrypts all the data stored on it so even if someone manages to
bypass the password, all they get is impenetrable gibberish. The
encryption used is 128-bit Advanced Encryption Standard, which the
Internet Engineering Task Force considers the most secure there is.

Despite the power of the encryption and the limited processing power
of PDAs, movianCrypt doesn't seem to slow down use of data stored on
the devices, says John Houser, a network engineer for life insurance
company AEGON USA who has used the software. "There is virtually no
delay," he says.

He says it is important to encrypt the data because it is possible
through a "developer's backdoor" to bypass passwords and read the data
on the device. These backdoors are there so users can check code as
they write or customize applications.

Other encryption software, such as Datagator made by Jawz, only
encrypts a single file where users have to dump all the data they want
to protect. Anything else is left unencrypted. James Kobielus, an
analyst with The Burton Group.

As users call up data on the devices, it is automatically decrypted.
As the application is closed, movianCrypt encrypts it again, using
processor downtime to do so. That way, the next application being used
doesn't slow down, says Stacey Wu, a senior analyst with Mobile
Insights.

The software supports the Palm operating system versions 3.0 and
above, and Certicom says it has a prototype written for Windows CE
devices.

Some PDA operating systems, such as Palm's, come with password
protection that locks down the device, but the password is stored on
the PDA. That means whoever gets control of the device can hot-synch
it with a PC where password-cracking tools can break in to access the
data. The password for movianCrypt is not stored on the device.

Instead, users scribble on the PDA screen with a stylus, and that line
is digitized, creating a unique string of numbers that is used as an
encryption key. Users also choose a password up to 25 characters. Both
the key and the password are subjected to a mathematical function
called a hash, creating an outcome called a digest.

When users enter their password, it and the key are subjected to the
same hash. If the resulting digest matches the one stored on the PDA,
movianCrypt admits the user.

Users can install the 100K-byte movianCrypt software during a
hot-synch with a PC or server.

The software can be downloaded from www.moviansecurity.com. It costs
$40 for one copy and between $18 and $35 for multiple copies,
depending on how many. It is available June 11.



ISN is hosted by SecurityFocus.com
---
To unsubscribe email isn-unsubscribe () SecurityFocus com.
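
The digest check the article describes (a key made from a digitized scribble, hashed together with a password of up to 25 characters, with only the digest kept), sketched as an added example that is not Certicom's code or part of the original article. The article does not name the hash or say how the key is held between sessions, so SHA-256, PBKDF2, the iteration count, the point packing and all function names here are assumptions, and the key is simply passed in.

```python
import hashlib
import hmac
import struct

MAX_PASSWORD_LEN = 25   # password limit stated in the article
ITERATIONS = 100_000    # assumed work factor; the article names no hash or count

def key_from_strokes(points):
    """Turn digitized stylus samples [(x, y), ...] into a 128-bit key.
    Packing and SHA-256 truncation are assumptions made for this sketch."""
    if len(points) < 8:
        raise ValueError("scribble too short to use as key material")
    raw = b"".join(struct.pack(">HH", x, y) for x, y in points)
    return hashlib.sha256(raw).digest()[:16]

def make_digest(password, key):
    """Hash password and key together. Only this digest is stored, so
    the password itself is never written to the device."""
    if not 0 < len(password) <= MAX_PASSWORD_LEN:
        raise ValueError("password must be 1 to 25 characters")
    # A slow KDF (an assumption here) raises the cost of offline guessing
    # against a digest copied off the device.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), key, ITERATIONS)

def verify(password, key, stored_digest):
    """Recompute the digest from the entered password and compare."""
    try:
        candidate = make_digest(password, key)
    except ValueError:
        return False
    return hmac.compare_digest(candidate, stored_digest)  # constant-time compare

# Constructed sample data: a made-up scribble and password.
SAMPLE_STROKES = [(12, 40), (15, 44), (21, 51), (30, 49),
                  (38, 41), (44, 36), (52, 39), (60, 47), (71, 58)]
KEY = key_from_strokes(SAMPLE_STROKES)
STORED = make_digest("tide-pool-42", KEY)

if __name__ == "__main__":
    print("correct password:", verify("tide-pool-42", KEY, STORED))
    print("wrong password:  ", verify("tide-pool-43", KEY, STORED))
    other_key = key_from_strokes([(y, x) for x, y in SAMPLE_STROKES])
    print("different scribble:", verify("tide-pool-42", other_key, STORED))
```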