Wireless Security White Paper
The following VPN products, however, are available from third parties for the Compaq iPAQ
Pocket PC:
movianVPN by Certicom:
• Based on IPSec
• Uses Certicom ECC (elliptic curve cryptography) for IKE
• Connects to back-end VPN products from: Alcatel, Check Point, Cisco, Intel, Nortel, Radguard, Symantec
Check Point VPN Client:
• In development
• Not based on IPSec
• Will support only Check Point VPN products
VGate by V-One:
• Works only with the V-One VPN appliance gateway
• Supports many strong, third-party authentication schemes
SecureTunnel by Traxit:
• Provides VPN functionality by performing packet switching at a remote hosting center
• Designed to provide direct, end-to-end connectivity and authentication (mobile client directly to application server)
Security Specific to WWAN Carrier Technologies
All digital mobile telephone and wireless packet data networks use some form of link encryption.
GSM uses a smart card, the SIM, to protect its keys. The SIM contains both the international mobile
subscriber identity (IMSI) and the individual subscriber authentication key (Ki), and Ki never leaves
the card. When the handset connects to a base station, the network challenges the SIM with a random
number (RAND); the SIM answers with a signed response (SRES) and derives a 64-bit session key (Kc)
from Ki and RAND. The session key is therefore derived independently on both sides rather than
negotiated, and it is never sent over the air. All subsequent transmissions on the radio link, both
voice and data, are encrypted under it. Two caveats matter in practice: the encryption covers only
the hop between handset and base station, not the carrier's core network, and whether ciphering is
switched on at all is decided by the network, not by the handset.
GSM documents specify the rough functional characteristics of its protocols, including the
encryption of transmitted digital messages. The algorithms themselves, however, were kept secret:
A3 and A8 are specified only by their interfaces and each operator chooses its own implementation,
while A5 is common to all GSM networks. Most security specialists argue that secrecy is not an
effective approach, since only close scrutiny by a large set of experts can ensure that there are no
obvious weaknesses in a technique. The GSM algorithms bear this out: A5/1 and A5/2 were reverse
engineered and published in 1999, and the widely deployed COMP128 implementation of A3/A8 was shown
in 1998 to leak Ki to anyone who can submit enough chosen challenges to the SIM. Officially,
nonetheless, the three algorithms are still distributed only to vendors with an established need to
know, such as carriers and handset manufacturers. The three algorithms are:
• A3: authentication algorithm; computes the signed response SRES from Ki and the challenge RAND
• A5: ciphering/deciphering algorithm (currently A5/1 and A5/2); provides over-the-air privacy for voice and data, keyed by Kc and the frame number
• A8: cipher key generator; derives the session key Kc from Ki and RAND (essentially a one-way function, so Kc does not reveal Ki)
The SIM holds Ki and implements A3 and A8; the handset, not the SIM, implements A5, because the card
is far too slow to keep up with per-burst stream encryption. The base station is likewise equipped
with A5 and is connected to an authentication center that holds a copy of each subscriber's Ki and
runs A3 and A8 to produce the challenge, expected response and session key (the RAND, SRES, Kc
triplet) used to authenticate the mobile participant and to key the radio link.
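The challenge-response and key-derivation flow described above, written out as a runnable sketch. This is an added example, not code from the white paper: the operator-secret A3/A8 functions and the A5 stream cipher are replaced by hypothetical HMAC-SHA256 stand-ins so the flow runs offline, and the IMSI, Ki and RAND values are constructed. What it preserves is the structure the text describes: Ki lives only in the SIM and the authentication centre, RAND goes out and SRES comes back over the air, Kc is derived on both sides and never transmitted, and A5 is keyed by Kc and the frame number.

```python
"""Toy model of GSM subscriber authentication (A3/A8) and link ciphering (A5).

Added illustration, not taken from the white paper. The real A3/A8 are
operator-specific secrets and A5/1 is an LFSR stream cipher; here all three
are replaced by HMAC-SHA256 stand-ins (hypothetical) so the flow runs offline.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple


def a3(ki: bytes, rand: bytes) -> bytes:
    """A3 stand-in: 32-bit signed response SRES from Ki and the challenge RAND."""
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]


def a8(ki: bytes, rand: bytes) -> bytes:
    """A8 stand-in: 64-bit session key Kc from Ki and RAND.
    One-way: knowing Kc (or many Kc values) does not reveal Ki."""
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]


def a5(kc: bytes, frame_number: int, burst: bytes) -> bytes:
    """A5 stand-in: XOR the burst with a keystream derived from Kc and the
    frame number. Like the real cipher it is symmetric: applying it twice
    with the same Kc and frame number restores the plaintext."""
    keystream = b""
    block = 0
    while len(keystream) < len(burst):
        seed = frame_number.to_bytes(4, "big") + block.to_bytes(4, "big")
        keystream += hmac.new(kc, seed, hashlib.sha256).digest()
        block += 1
    return bytes(b ^ k for b, k in zip(burst, keystream))


class Sim:
    """SIM card: holds IMSI and Ki, runs A3/A8 on a challenge, never exports Ki."""

    def __init__(self, imsi: str, ki: bytes) -> None:
        self.imsi = imsi
        self._ki = ki

    def run_gsm_algorithm(self, rand: bytes) -> Tuple[bytes, bytes]:
        """Answer a challenge: returns (SRES, Kc). Only SRES leaves the handset."""
        return a3(self._ki, rand), a8(self._ki, rand)


class AuthenticationCentre:
    """AuC: holds every subscriber's Ki and issues (RAND, SRES, Kc) triplets."""

    def __init__(self, subscriber_keys: Dict[str, bytes]) -> None:
        self._keys = subscriber_keys

    def triplet(self, imsi: str, rand: Optional[bytes] = None) -> Tuple[bytes, bytes, bytes]:
        ki = self._keys[imsi]
        rand = os.urandom(16) if rand is None else rand   # 128-bit challenge
        return rand, a3(ki, rand), a8(ki, rand)


def authenticate(auc: AuthenticationCentre, sim: Sim,
                 rand: Optional[bytes] = None) -> Dict[str, object]:
    """One authentication round. Over the air only RAND (network -> mobile)
    and SRES (mobile -> network) travel; Kc is computed at both ends.
    Note that the exchange authenticates the mobile to the network only."""
    rand, expected_sres, network_kc = auc.triplet(sim.imsi, rand)
    sres, mobile_kc = sim.run_gsm_algorithm(rand)
    accepted = hmac.compare_digest(sres, expected_sres)
    return {"authenticated": accepted, "network_kc": network_kc, "mobile_kc": mobile_kc}


def cipher_link(kc: bytes, bursts: List[bytes]) -> List[bytes]:
    """Cipher a sequence of bursts, each under its own frame number."""
    return [a5(kc, n, burst) for n, burst in enumerate(bursts)]


if __name__ == "__main__":
    ki = bytes(range(16))                      # constructed 128-bit subscriber key
    auc = AuthenticationCentre({"262011234567890": ki})   # constructed IMSI
    sim = Sim("262011234567890", ki)
    result = authenticate(auc, sim)
    print("authenticated:", result["authenticated"],
          "keys match:", result["network_kc"] == result["mobile_kc"])
```

A SIM built with a different Ki (a clone made without the real key) answers the same RAND with a different SRES and ends up with a Kc that does not match the network's, which is why Ki, not the IMSI, is the secret that matters; and because A5 mixes in the frame number, two identical bursts on the same link cipher to different bytes.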