

Friday, February 10, 2006

UK SECURITY SCHEMES FOR HANDHELD DEVICES Techworld.com - Security schemes for handheld devices

There are all sorts of reasons why PC security won't port over.
By Bryan Betts, Techworld

Handheld devices pose problems all of their own when it comes to security. First of all, as the US Computer Security Resource Center notes, they are more vulnerable than laptop or desktop PCs because of their size and mobility, but at the same time, PC security mechanisms cannot simply be transferred over - because of the power needed, say, or the smaller size of the device, or the attachment method, or the programming interfaces in the operating system.

However, these devices also have built-in characteristics which PCs typically lack, such as touchscreens, microphones or expansion slots for memory cards. These can offer new and different methods of security and authentication.

To take the latter first, there are three fundamental forms of authentication: something you know, such as a PIN, password or other code; something that's a property of you, such as a signature or fingerprint; and something you possess, for instance a smartcard or token. These can be used individually or combined for stronger authentication, either with each other or with a secondary security feature such as location.

Something you know
If a PIN is too easily stolen by someone watching over your shoulder, several alternative knowledge schemes exist. One is cued recall, where your code is a sequence of images instead of alphanumeric characters. This has been implemented by Pointsec as PicturePIN - the idea is that you make up a story as a mnemonic for the sequence of icons that makes up your passcode, so a stick-man, a cup and a PC might become "man spills coffee on laptop".

Studies indicate that cued recall is especially suited to how humans remember. You can also extend the size of the 'alphabet' by using paired pictures, with one acting as a shift key for others.

Alternatively, the passcode could be graphical, so you could register on the device by drawing a secret symbol which you must draw again to log on. Microsoft has a sample Pocket PC application called Let Me In, where you doodle on a grid to log on. A limiting factor with this approach is cell size, and how big an area you can hit with a stylus.

One other possibility is to use faces, rather than characters or icons, as implemented by Real User in its Passfaces application. The human brain is remarkably good at recognising faces, so this method uses a grid of one passface and eight decoys.

Something you are
Biometrics are a lot easier to manage than passcodes, but they are harder to measure, not least because they are live measurements so you can have false positives or negatives (acceptances or rejections).

Some handheld devices now incorporate a reader for fingerprints, which are the best known biometric of all. However, this is an area where computational speed - or rather the lack of it, on a small battery-powered device - is important, and some algorithms can be slow to give a match.

Your signature can be used as a biometric too, with the handheld device measuring the dynamics of how you write, not the static image. This has the advantage of being software-only, so potentially less expensive. One's signature can vary with mood though, so you may have to remember the state of mind you were in when you registered with the device!

And with more and more handheld devices now including cameras, the first applications are appearing which use facial recognition for access control. An example is OKAO from Japan's Omron, which runs on Symbian, BREW and Linux platforms. Neven Vision is also among those working in this area, and has a handheld device designed to match faces against a database of suspects.

Something you have
Tokens are a very popular way of adding strong security to a PC, for example a USB token or a smartcard, usually in combination with something you know, such as a PIN. However, very few handhelds have either a USB port or a smartcard reader.

An RSA SecurID-type token, generating a PIN, could be used but this type of security typically needs a link back to an authentication server, so is less useful for controlling access to a standalone PDA, say.
Security researchers are therefore working on alternative tokens which could be more appropriate for use with PDAs and smartphones. For instance, the US CSRC has prototyped a detachable smartcard which also has a Bluetooth chip, so can connect wirelessly.

Another possibility the CSRC has looked into is building a smart MMC or SD-Card by taking a standard format memory card and adding a smartcard chip to turn it into a token.

Qualified security
One other factor that can be especially appropriate to handhelds is location, used either as an enabler to allow or block access, or as a qualifier that determines the level of access allowed - for example, some features might be usable everywhere, but others (wireless access to the corporate database, say) only in the office.

The security possibilities will also differ depending on whether it's the infrastructure or the device that determines location. The infrastructure can do it if the device is detectable - by its WiFi transmitter, say.
Another route might be to have beacons that broadcast a signal to the device, so it knows whether it's inside or outside the organisation's boundary. That will need policy control mechanisms within the device to handle the result, though.

Other options could include personal beacons that have to be in proximity to the device, perhaps communicating via near-field magnetics or Bluetooth.
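
A sketch of the on-device policy control that the beacon approach calls for, as an added example that is not from the original article. It assumes the beacon frame carries a site id and timestamp authenticated with HMAC-SHA256 under a key shared with the device; the frame layout, key, feature names and 30-second freshness window are all hypothetical.

```python
import hashlib
import hmac
import struct

BEACON_KEY = b"constructed-demo-key"  # assumption: provisioned to beacons and devices
MAX_AGE_S = 30                        # assumption: beacons older than this are ignored

# Location as a qualifier: which zone each feature needs (example feature names).
POLICY = {"contacts": "anywhere", "calendar": "anywhere", "corporate_db": "office"}


def make_beacon(key, site_id, ts):
    """Beacon side: 2-byte site id + 4-byte timestamp, then an HMAC-SHA256 tag."""
    body = struct.pack(">HI", site_id, ts)
    return body + hmac.new(key, body, hashlib.sha256).digest()


def in_office(frame, now, key=BEACON_KEY):
    """Device side: True only for an authentic and fresh beacon frame."""
    if frame is None or len(frame) != 6 + 32:
        return False                       # no beacon heard, or malformed frame
    body, tag = frame[:6], frame[6:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False                       # forged or corrupted frame
    _site, ts = struct.unpack(">HI", body)
    # A stale frame may be a recording replayed outside the boundary.
    return 0 <= now - ts <= MAX_AGE_S


def allowed(feature, frame, now):
    """Deny by default: unknown features and failed location checks get no access."""
    zone = POLICY.get(feature)
    if zone == "anywhere":
        return True
    if zone == "office":
        return in_office(frame, now)
    return False
```

The freshness window limits replay of a captured frame but does not stop a live relay of the beacon signal, so location here qualifies access rather than replacing authentication.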

Belt and braces
Authentication and access control is only one aspect of handheld device security, however. With enough persistence and money, a device will eventually be compromised, so the contents should be encrypted too.

In addition, there are software tools which can order a handheld to wipe itself, for instance if it tries to connect to HQ after being reported lost or stolen, or if it fails to connect within a specified time.
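
The two wipe triggers described above, sketched as device-side logic in an added example that is not from the original article or any named product. The 72-hour window and all names are assumptions; silence is accumulated from forward clock movement only, so setting the device clock back cannot shrink the time already counted.

```python
from dataclasses import dataclass

MAX_SILENCE_S = 72 * 3600  # assumption: wipe after 72 hours without contact


@dataclass
class WipeGuard:
    prev_clock: int      # device clock reading at the previous tick
    silence_s: int = 0   # time accumulated since the last successful check-in
    wiped: bool = False

    def tick(self, clock):
        """Periodic local check: wipe if HQ has not been reached in time."""
        delta = clock - self.prev_clock
        self.prev_clock = clock
        if delta > 0:
            # Only forward movement counts; a clock set backwards adds
            # nothing but cannot subtract what was already accumulated.
            self.silence_s += delta
        if self.silence_s > MAX_SILENCE_S:
            self.wiped = True
        return self.wiped

    def on_checkin(self, clock, reported_lost):
        """Contact with HQ: wipe if the device was reported lost or stolen."""
        if self.tick(clock) or reported_lost:
            self.wiped = True    # already wiped, past the deadline, or reported
        else:
            self.silence_s = 0   # successful check-in restarts the window
        return self.wiped
```

A clock set forward triggers the wipe early, which is the safe direction for this control to fail in.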

Beyond that, you are into risk and cost-benefit analyses. Once data goes outside the office it is always going to be at risk, so one question is how much is someone else willing to pay to get at it - and of course, at what point it becomes cheaper and easier for them simply to bribe a member of your organisation's staff instead.
