The previous issue of Wireless & Mobile Tips and Tricks contained an overview of wireless security and the workings of authentication and encryption. This column addresses authorization and nonrepudiation, additional and equally important aspects of wireless security.

Authorization ensures that authenticated users can access only appropriate resources, such as mailbox data. This internal network and back-end function, often built into applications, lets users access authorized wireless (as well as wired) resources by establishing appropriate permissions and policies. Wireless account aliases and auxiliary domains can limit user access to wireless resources. This approach separates general enterprise resource authorization from wireless resources while preventing a global logon in which a single username and password supplies access to all network resources.

The nonrepudiation function, offered primarily through personal certificates and wireless public key infrastructure (WPKI), validates user identities through third-party authorities. Thus, users can't dispute transactions later by claiming misidentification. Commercial WPKI is nonexistent, however, primarily because so few wireless devices can store and transfer personal certificates. Although some people claim that more hardware and wireless network bandwidth devoted to WPKI could solve the problem, consider this: Although nonrepudiation is available on the wired Internet, very few use personal certificates. I've received only a couple of emails from people who've signed with their personal certificates, so I don't believe increased hardware capability and more bandwidth will really increase the use of nonrepudiation in wireless systems.

The only real security difference between wired and wireless systems is wireless's lower encryption levels and lack of WPKI, both arising from wireless devices' low CPU power, limited storage capacity, and low-bandwidth wireless network connections. So if wireless systems do have sufficient security, what's stopping people from doing secure mobile commerce and enterprise transactions?

A couple of issues now slow the acceptance of wireless security mechanisms and hence the use of wireless systems for mobile commerce and enterprise transactions. First, users and enterprises perceive that wireless systems are insecure. On the Web, users feel confident of a secure connection when they see the Web browser's lock icon. Only a few new wireless devices, such as the Ericsson r520, show users a lock icon to indicate a secure connection. As user and enterprise perceptions change, more people will use secure wireless systems without worry.

Second, without good mobile commerce and enterprise applications, no one will want to adopt more sophisticated, secure wireless connections. Now, desktop PCs and Web browsers are far more powerful than wireless devices, yet no wireless user wants to re-key a credit-card number to complete a mobile-commerce transaction. In the future, methods such as using mobile wallets, charging to carrier phone bills instead of credit cards, and better wireless applications might solve this problem.

The next Wireless & Mobile Tips and Tricks will look at other aspects of the wireless and mobile industry.