Re: Security on CDMA for Banking Applications

[Nick Owen <nickowen () mindspring com>]

I would add to this that each carrier has different network 
configurations that can affect security.  We discovered this when we 
developed the wireless versions of our two-factor authentication token 
system. For example, (in the US), Nextel gives you a real IP connection, 
but other carriers make you go through a WAP gateway.  If you go through 
a WAP gateway, you face the 'WAP gap', which is similar to the 
'MarketScore' proxy concern - there is no way for the user to know they 
have connected directly to the right SSL site or if they are being 
proxied.

We do asymmetric encryption using Ntru's encryption libraries (for 
speed's sake - key gen time on a cell phone for RSA keys too long, ECC 
better, but still like 14 hours when we tested).  We saw a lot of 
benefits in using asymmetric encryption - no need to rely on the 
security of the network protocol or the carriers' implementation of it, 
no need for SSL and no need for a VPN, very fast, very small footprint. 
 This may work for you if your financial institution or company is big 
enough to warrant licensing the crypto, but then I suppose you would 
have to license VPN software too.

Just to complicate things, one carrier wouldn't take our encrypted 
messages unless we said it was a bitmap image ;).

HTH,

Nick

Alessandro Bottonelli wrote:
> On Saturday 26 March 2005 04:19, shankarnarayan.d () netsol co in wrote:
>
> > a. Is it advisable to run banking apps (include financial transactions)
> > over CDMA 
>
> A radio link, CDMA or other, is an "open channel". It's easier to tap into 
> (sometimes by accident) than other means. It is also somewhat more "fragile" 
> than other means of communication (depending on distance, terrain, weather, 
> band of operation you may experience availability issues, more than on copper 
> or fiber).
>
> So, in principle,  it is not advisable to run sensitive applications other it, 
> yet if you have no options you.... have no options ;-)
>
>
> > b. What perceived Security threats are there when doing so 
>
> Confidentiality. Radio waves bounce, spread all other and do not require 
> physical intrusion to tap into them. 
>
> Availability. Radio waves (more so the higher the band of operation is) fade 
> in case of rain and antennas get misaligned in case of wind, earthquakes or 
> landslides. If something gets in between the link (a new building, a crane, 
> whatever) the link gets flaky or doesn't work at all...
>
>
> > c. What methods are available to overcome these (hardware/ software etc) -
> > any suggestions for products 
>
> For confidentiality do encryption. Best if end-to-end encryption with 
> technology you buy from a different vendor than the one you buy the radio 
> equipment from. At least a VPN with strong and safe keys (lot of bits, you 
> change the keys often, you manage the keys). The vendor may add some 
> "scrambling" in the CDMA scheme to make things worst for the would-be 
> intruder. If it is available use it, but do not count on it. Scrambling and 
> encryption are two different things. Do encryption and add scramling if it is 
> available at no extra cost. Otherwise stick with encryption.
>
> For availability try "low bands" for microwaves, they are less prone to fade 
> under rain, antenna alignment is less of an issue, electronics is more 
> robust. 3.5 or 10 Ghz bands are quite popular here in Europe, but it's tough 
> to get a PTT license for them since they are quite crowded. Also, if you go 
> beyond the 10 Ghz band (say 17 and up) ask the engineers to be 'generous' in 
> calculating the so called "link budget" and to analize the weather history in 
> the region (you will have to tell them how many hours a year of no operation 
> you are willing to tolerate, but remember that's statistics, you will not 
> know in advance when the link is going to be down and for how long).
>
>
> > d. What inherent Security is available in CDMA 
>
> Very little. The only good thing is that the higher the band of operation, the 
> tougher for the "average bad guy" to get the equipment to monitor the link 
> (which goes counter what we said of keeping the band low for availability 
> reasons...). 
>
>
> > e. Any previous experiences for the same
>
> We linked in Milano four points over a 27 Ghz CDMA/Point-to-MultiPoint link 
> with great success. Only 3 Km apart (some 1.5 miles) in a urban environment 
> (the worst for high band microwaves). Not a single security accident since 
> 1997.
>
> There is no single one-size-fits-all recipe for secure radio links. Local 
> conditions, local PTT licensing policies, terrain, weather will need to be 
> taken into account. For example, if the radio hops are short (say 3 to 5 Km) 
> with line-of-sight you may want to go high in the radio bands despite what I 
> said earlier. Confidentiality may weight more than availability in that case, 
> and high bands help a lot in that.
>
> I am not sure how many radio security experts there are (is a sub-specialty in 
> an already narrow specialty...) around. But I am sure you will be able to get 
> some radio/security expertise in your region. 

--
--
Nick Owen
WiKID Systems, Inc.
404.962.8983 (desk)
404.542.9453 (cell)
http://www.wikidsystems.com
At last, two-factor authentication, without the hassle factor