These keys are mathematically related: data encrypted with one key can only be decrypted with the other, yet one key cannot feasibly be derived from the other. The public key is distributed, optionally inside a digital certificate, and the corresponding private key is kept secret by its owner. Public key encryption: to send encrypted data to someone, the sender encrypts the data with the receiver's public key, and the receiver decrypts it with the corresponding private key. Compared with symmetric-key encryption, public-key encryption requires far more computation and is therefore not always appropriate for large amounts of data.
It is, however, possible to use public-key encryption to exchange a symmetric key, which is then used to encrypt the bulk of the data. This approach, used by most security protocols, is called hybrid encryption. The reverse scheme, sometimes described as private key encryption, is also useful: it is the basis of digital signatures. A person digitally signs data by applying his/her private key to it (in modern schemes the signing operation is a distinct algorithm applied to a hash of the data rather than a literal encryption, but the key roles are reversed in the same way), and the receiver uses the signer's public key to verify the signature.
Since data that verifies under a public key can only have been signed with the corresponding private key, which is possessed only by its owner, digital signatures provide authentication, non-repudiation and tamper detection. These are the essential building blocks of electronic commerce and banking. Public key techniques have been adopted in many areas of information technology, including network security, operating system security, application data security and Digital Rights Management (DRM).
Internet standardization bodies such as the Internet Engineering Task Force (IETF) constantly influence the standardization of mobile platforms, and of the cellular environment in particular. Consequently, cellular-related standards have already adopted public key infrastructure (PKI) as a fundamental element in the construction of security for the wireless environment, now and in the future. The following sections provide an overview of public key cryptography use-cases in the cellular environment.

Secure Browsing
Network security protocols are probably the most common use of public key methods by wireless devices.
The Open Mobile Alliance (OMA, formerly the WAP Forum) specified a wireless version of the IETF Transport Layer Security (TLS) protocol, known as WTLS, to secure mobile browsing. WTLS provided a secure channel between the mobile phone and a WAP gateway, but not the end-to-end security that data networks demand: the gateway terminated the WTLS session and re-encrypted the traffic towards the origin server, so plaintext was exposed at the gateway. A later version of WAP (2.0) adopted the TLS protocol itself, in the WAP Transport Layer End-to-end Security specification. The TLS protocol provides true end-to-end security while browsing the Internet by:
1. Allowing a web server and a client (here, a mobile phone) to authenticate each other and establish an encrypted connection. The authentication is part of the handshake, in which public key cryptography provides mutual authentication and agreement on a shared key. In practice the server is almost always authenticated with a certificate, whereas client authentication by certificate is optional and is often replaced by an application-level login.
2. Once the handshake has completed successfully, exchanging application data under symmetric-key encryption with the shared key.

Access to Enterprise Networks
One of the greatest promises of 2.5G and 3G wireless networks is enabling mobile devices to access and execute corporate applications, such as email, file transfer, CRM and others.
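The TLS handshake described under Secure Browsing above, as an added example by the editor (not code from the original paper, and not any OMA/WAP implementation): a small enterprise CA issues one certificate to the web gateway and one to the phone, the gateway demands a client certificate, and the handshake runs over an in-memory pipe so nothing touches the network. The hostnames, the CA name and the use of Go's crypto/tls are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue creates a P-256 key pair and a certificate for cn; a CA certificate is
// self-signed, anything else is signed by the given parent CA.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 120))
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              []string{cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		IsCA:                  isCA,
		BasicConstraintsValid: true,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// Setup builds the enterprise CA, the gateway certificate and the phone's
// client certificate (names assumed for this example).
func Setup() (*x509.Certificate, *tls.Certificate, *tls.Certificate) {
	ca, caKey := issue("Example Enterprise CA", true, nil, nil)
	srv, srvKey := issue("gateway.example", false, ca, caKey)
	cli, cliKey := issue("phone-0001.example", false, ca, caKey)
	return ca, &tls.Certificate{Certificate: [][]byte{srv.Raw}, PrivateKey: srvKey},
		&tls.Certificate{Certificate: [][]byte{cli.Raw}, PrivateKey: cliKey}
}

// Handshake runs a mutually authenticated TLS handshake over an in-memory pipe.
// The server requires a client certificate chaining to ca, so clientCert == nil
// must fail. On success the client's view of the session is returned.
func Handshake(ca *x509.Certificate, serverCert, clientCert *tls.Certificate) (*tls.ConnectionState, error) {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	serverCfg := &tls.Config{Certificates: []tls.Certificate{*serverCert}, ClientCAs: pool,
		ClientAuth: tls.RequireAndVerifyClientCert} // mutual authentication
	clientCfg := &tls.Config{RootCAs: pool, ServerName: "gateway.example"} // name must match the gateway cert's SAN
	if clientCert != nil {
		clientCfg.Certificates = []tls.Certificate{*clientCert}
	}
	cPipe, sPipe := net.Pipe()
	defer cPipe.Close()
	defer sPipe.Close()
	server, client := tls.Server(sPipe, serverCfg), tls.Client(cPipe, clientCfg)

	srvDone := make(chan error, 1) // server: handshake, then one application record
	go func() {
		err := server.Handshake()
		if err == nil {
			_, err = server.Write([]byte("welcome"))
		}
		srvDone <- err
	}()
	// Read drives the client handshake. In TLS 1.3 the client finishes first, so
	// reading the greeting is what surfaces a rejected client certificate here.
	if _, err := client.Read(make([]byte, 16)); err != nil {
		cPipe.Close() // unblock the server side, then collect its error
		<-srvDone
		return nil, err
	}
	if err := <-srvDone; err != nil {
		return nil, err
	}
	state := client.ConnectionState()
	return &state, nil
}

func main() {
	ca, srv, cli := Setup()
	st, err := Handshake(ca, srv, cli)
	check(err)
	fmt.Printf("gateway authenticated as %q\n", st.PeerCertificates[0].Subject.CommonName)
	_, err = Handshake(ca, srv, nil)
	fmt.Println("phone without certificate:", err)
}
```

The second call in main is the check a practitioner wants: with ClientAuth set to RequireAndVerifyClientCert, a phone that presents no certificate is refused by the gateway, whereas the default (NoClientCert) would let it through and leave authentication entirely to the application.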
This raises the need for a Virtual Private Network (VPN) client application that provides network-layer security between the mobile device and the corporate gateway (or the end server). VPN clients may be implemented at different layers; the dominant implementation is at the Internet Protocol (IP) layer, using IPsec, which provides data origin authentication, data confidentiality, replay protection and data integrity. IPsec uses PKI as part of the Internet Key Exchange (IKE) protocol, which facilitates automatic key management.
IKE handles the exchange of security parameters prior to communication by establishing and maintaining Security Associations. IKE also allows a VPN server to authenticate a mobile device using address-independent credentials (user certificates), which matters for a mobile device whose IP address changes as it roams. VPN access is already a powerful motive for enterprises to deploy a public key infrastructure, including a Certificate Authority (CA) that issues the certificates. Once this infrastructure is in place for remote users, it can serve remote wireless users as well.

Mobile Payment Authentication
Public key cryptography is considered the preferred architecture for mobile commerce and banking. The most notable illustration is the Visa Three-Domain Secure (3-D Secure) specification. Its architecture relies on the issuer's ability to authenticate a remote cardholder by a pre-determined mechanism, for which the necessary data may be collected during the enrollment process. The 3-D Secure Wireless Authentication Scenarios specification presents several authentication methods relevant to the wireless environment, including shared secret, signature and biometrics.
The most secure of these scenarios is the signature, which relies on public key cryptography. Local (proximity) transactions are also regarded as a future application of wireless phones; the Mobey Forum has recently adopted protocols for these transactions in its Local Preferred Payment Architecture (Local PA) specification.

Access Control
A mobile phone with public key cryptography capabilities can also be used as an authentication device for access control systems, based on the challenge-response mechanism, where the phone receives a challenge from a server and generates a response.
The mechanism may be based on a symmetric or an asymmetric algorithm. Symmetric algorithms require the phone to be initialized with a secret specific to each application, which is often impractical, whereas asymmetric algorithms only require the server to obtain the user certificate for signature validation. In either case the challenge must be fresh and unpredictable and each response must be accepted only once; otherwise a recorded response can simply be replayed. The Mobile Electronic Transactions (MeT) group is working on a local authentication protocol called Personal Transaction Protocol (PTP) that will allow users to authenticate themselves at retail locations, ticket collection points, workstations, etc. using their cellular phones.

Digital Signatures on Mobile Transactions
Digital signatures make public key cryptography a most practical tool in real-life applications, being the most reliable method for authentication and non-repudiation. As such, digital signatures are expected to become a fundamental element of mobile business applications, as they are already used for signing transactions in online banking and payment applications.
A new concept for mobile transactions is the actionable alert: a service provider sends a message to the mobile user, and the mobile user responds to it with an action. A secure version of actionable alerts, based on digital signatures and encryption, allows banks to secure transactions initiated from mobile platforms by having the mobile user sign documents such as contracts, bids, etc.
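Challenge-response access control (the Access Control section above) and signing an actionable alert are the same exchange with a different message to sign, so one added example covers both. This is the editor's illustration, not MeT's PTP or any bank's protocol; the message layout, the server name, the alert text and the use of Ed25519 keys are assumptions of the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Challenge is what the server sends: a fresh random nonce plus the text the
// user is asked to approve (empty for plain door or workstation access).
type Challenge struct{ Nonce [32]byte; Transaction string }

// Server holds the enrolled users' public keys (taken from their user
// certificates in a real deployment) and the challenges it has issued.
type Server struct {
	ID      string
	Users   map[string]ed25519.PublicKey
	pending map[[32]byte]time.Time
	ttl     time.Duration
}

func NewServer(id string, ttl time.Duration) *Server {
	return &Server{ID: id, Users: map[string]ed25519.PublicKey{}, pending: map[[32]byte]time.Time{}, ttl: ttl}
}

// Issue creates a challenge; the random nonce makes the response unpredictable
// and useless in any other session (a crypto/rand failure is not recoverable).
func (s *Server) Issue(transaction string, now time.Time) Challenge {
	c := Challenge{Transaction: transaction}
	if _, err := rand.Read(c.Nonce[:]); err != nil {
		panic(err)
	}
	s.pending[c.Nonce] = now
	return c
}

// Verify consumes the challenge before checking the signature, so a captured
// response cannot be replayed even though the signature itself is valid.
func (s *Server) Verify(user string, c Challenge, sig []byte, now time.Time) error {
	issued, ok := s.pending[c.Nonce]
	if !ok {
		return errors.New("unknown or already used challenge")
	}
	delete(s.pending, c.Nonce)
	if now.Sub(issued) > s.ttl {
		return errors.New("challenge expired")
	}
	pub, ok := s.Users[user]
	if !ok {
		return errors.New("user not enrolled")
	}
	if !ed25519.Verify(pub, transcript(s.ID, user, c), sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

// Respond is the phone side: sign the transcript with the user's private key
// (kept in a SIM or secure element in practice). The transcript names the
// server and the user, so a response for one server cannot be relayed to another.
func Respond(priv ed25519.PrivateKey, user, serverID string, c Challenge) []byte {
	return ed25519.Sign(priv, transcript(serverID, user, c))
}

// transcript length-prefixes every field so the encoding is unambiguous
// (a format constructed for this example, not a MeT PTP message).
func transcript(serverID, user string, c Challenge) []byte {
	var out []byte
	for _, f := range [][]byte{[]byte("mobile-auth-v1"), []byte(serverID), []byte(user), c.Nonce[:], []byte(c.Transaction)} {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(f)))
		out = append(append(out, n[:]...), f...)
	}
	return out
}

// Outcome records what Demo observed; every field should be true.
type Outcome struct{ AccessOK, AlertOK, ReplayRejected, TamperRejected bool }

// Demo runs plain access control, a signed actionable alert, and two attacks
// (replaying a response, altering the alert text after signing).
func Demo() (Outcome, error) {
	var o Outcome
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // alice's key pair
	if err != nil {
		return o, err
	}
	srv := NewServer("door-controller.example", 2*time.Minute) // assumed server identity
	srv.Users["alice"] = pub
	now := time.Now()
	access := srv.Issue("", now)
	o.AccessOK = srv.Verify("alice", access, Respond(priv, "alice", srv.ID, access), now) == nil
	alert := srv.Issue("Approve payment of 120.00 EUR to Example Shop", now) // constructed alert text
	sig := Respond(priv, "alice", srv.ID, alert)
	o.AlertOK = srv.Verify("alice", alert, sig, now.Add(30*time.Second)) == nil
	o.ReplayRejected = srv.Verify("alice", alert, sig, now.Add(time.Minute)) != nil
	altered := srv.Issue("Approve payment of 12.00 EUR to Example Shop", now)
	sig = Respond(priv, "alice", srv.ID, altered)
	altered.Transaction = "Approve payment of 1200.00 EUR to Example Shop" // changed after signing
	o.TamperRejected = srv.Verify("alice", altered, sig, now) != nil
	return o, nil
}

func main() {
	o, err := Demo()
	fmt.Printf("%+v %v\n", o, err)
}
```

The server deletes the challenge before it verifies the signature; that ordering is what turns a valid, captured response into a one-time token rather than a reusable credential, and the expiry check bounds how long an unanswered challenge stays usable.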
Messaging
Public key cryptography can also be used to secure other kinds of mobile messaging, such as SMS messages or wireless email, using S/MIME (Secure/Multipurpose Internet Mail Extensions), a specification for signing and encrypting electronic mail messages in MIME format.

Content Authentication
Code signing is an essential technology for mobile devices that allow application download over the air, such as Java applets. Such devices need a means to assure the origin and integrity of the downloaded code.
The originator or provider of the code may provide such assurance by digitally signing the code, via an XML digital signature, a Java API or another interface. The phone holds a trusted copy of the signer's public key and verifies the code's signature before using it. Code signing does not in itself certify that the code is safe; it assures only that the code originated from the holder of the signing key and was not modified by unauthorized parties, so the phone still has to decide which signers to trust and what permissions signed code receives.

Digital ID
A digital ID identifies its holder for multiple purposes, such as a driver's license, an insurance policy, etc.
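Signature verification against a trusted public key, as the Content Authentication section describes and as the earlier discussion of digital signatures relies on, in one added example by the editor (not code from the paper, and not the Java or XML-Signature interfaces it mentions). The package layout, the key-id scheme, the applet bytes and the use of Ed25519 are assumptions of the example; Ed25519 signing is not literally "encryption with the private key", but the key roles match the text.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Package is the unit downloaded over the air: a small manifest, the code, the
// id of the signing key and the signature (a format constructed for this example).
type Package struct {
	Name, Version string
	Code          []byte
	KeyID         [8]byte
	Signature     []byte
}

// KeyID is a short identifier for a public key, so the phone can pick the right
// trusted key without trusting anything carried inside the package.
func KeyID(pub ed25519.PublicKey) (id [8]byte) {
	sum := sha256.Sum256(pub)
	copy(id[:], sum[:8])
	return id
}

// signedBytes is exactly what the signature covers: every field length-prefixed,
// so name, version and code boundaries cannot be shifted without detection.
func signedBytes(name, version string, code []byte) []byte {
	var out []byte
	for _, f := range [][]byte{[]byte(name), []byte(version), code} {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(f)))
		out = append(append(out, n[:]...), f...)
	}
	return out
}

// Sign is the provider side: sign manifest and code with the private key.
func Sign(priv ed25519.PrivateKey, name, version string, code []byte) Package {
	return Package{
		Name: name, Version: version, Code: code,
		KeyID:     KeyID(priv.Public().(ed25519.PublicKey)),
		Signature: ed25519.Sign(priv, signedBytes(name, version, code)),
	}
}

// TrustStore is the phone's set of trusted signer keys, provisioned at
// manufacture or by the operator, never taken from the download itself.
type TrustStore map[[8]byte]ed25519.PublicKey

func (t TrustStore) Add(pub ed25519.PublicKey) { t[KeyID(pub)] = pub }

// Verify runs before installation: an unknown signer or any change to manifest
// or code is rejected. It says nothing about whether the code is safe.
func (t TrustStore) Verify(p Package) error {
	pub, ok := t[p.KeyID]
	if !ok {
		return errors.New("package signed by a key the phone does not trust")
	}
	if !ed25519.Verify(pub, signedBytes(p.Name, p.Version, p.Code), p.Signature) {
		return errors.New("signature does not match the package contents")
	}
	return nil
}

// Outcome records what Demo observed; all four fields should be true.
type Outcome struct{ GenuineAccepted, TamperedCodeRejected, ChangedVersionRejected, UnknownSignerRejected bool }

// Demo: a trusted provider signs an applet; the phone accepts it, then rejects a
// copy with altered code, a copy with an altered manifest, and a copy signed by
// a key it was never provisioned with.
func Demo() (Outcome, error) {
	var o Outcome
	providerPub, providerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return o, err
	}
	_, roguePriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return o, err
	}
	phone := TrustStore{}
	phone.Add(providerPub) // provisioned trust anchor
	code := []byte("constructed sample applet bytecode") // stands in for a real applet
	pkg := Sign(providerPriv, "wallet", "1.2", code)
	o.GenuineAccepted = phone.Verify(pkg) == nil
	tampered := pkg
	tampered.Code = append([]byte{}, pkg.Code...)
	tampered.Code[0] ^= 0xff // one byte flipped after signing
	o.TamperedCodeRejected = phone.Verify(tampered) != nil
	relabelled := pkg
	relabelled.Version = "9.9" // signature still genuine, manifest is not
	o.ChangedVersionRejected = phone.Verify(relabelled) != nil
	o.UnknownSignerRejected = phone.Verify(Sign(roguePriv, "wallet", "1.2", code)) != nil
	return o, nil
}

func main() {
	o, err := Demo()
	fmt.Printf("%+v %v\n", o, err)
}
```

The manifest is inside the signed bytes on purpose: signing only the code would let anyone re-label an old, vulnerable version as a newer one while the signature still verified.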