[ISN] Certicom secures PDAs

From: InfoSec News (isnat_private)
Date: Fri Jun 08 2001 - 09:46:28 PDT

    http://www.nwfusion.com/news/2001/0607certicom.html
    
    By Tim Greene
    Network World, 06/07/01
    
    With the loss or theft of handheld devices an inevitable fact of life,
    Certicom is introducing a way to lock up handheld devices so even if
    they are stolen, no one can lift the data stored on them.
    
    Called movianCrypt, this software protects the PDA with a password and
    encrypts all the data stored on it so even if someone manages to
    bypass the password, all they get is impenetrable gibberish. The
    encryption used is 128-bit Advanced Encryption Standard, which the
    Internet Engineering Task Force considers the most secure there is.
    
    Despite the power of the encryption and the limited processing power
    of PDAs, movianCrypt doesn't seem to slow down use of data stored on
    the devices, says John Houser, a network engineer for life insurance
    company AEGON USA who has used the software. "There is virtually no
    delay," he says.
    
    He says it is important to encrypt the data because it is possible
    through a "developer's backdoor" to bypass passwords and read the data
    on the device. These backdoors are there so users can check code as
    they write or customize applications.
    
    Other encryption software, such as Datagator made by Jawz, only
    encrypts a single file where users have to dump all the data they want
    to protect. Anything else is left unencrypted. James Kobielus, an
    analyst with The Burton Group.
    
    As users call up data on the devices, it is automatically decrypted.
    As the application is closed, movianCrypt encrypts it again, using
    processor downtime to do so. That way, the next application being used
    doesn't slow down, says Stacey Wu, a senior analyst with Mobile
    Insights.
    
    The software supports the Palm operating system versions 3.0 and
    above, and Certicom says it has a prototype written for Windows CE
    devices.
    
    Some PDA operating systems, such as Palm's, come with password
    protection that locks down the device, but the password is stored on
    the PDA. That means whoever gets control of the device can hot-synch
    it with a PC where password-cracking tools can break in to access the
    data. The password for movianCrypt is not stored on the device.
    
    Instead, users scribble on the PDA screen with a stylus, and that line
    is digitized, creating a unique string of numbers that is used as an
    encryption key. Users also choose a password up to 25 characters. Both
    the key and the password are subjected to a mathematical function
    called a hash, creating an outcome called a digest.
    
    When users enter their password, it and the key are subjected to the
    same hash. If the resulting digest matches the one stored on the PDA,
    movianCrypt admits the user.
    
    Users can install the 100K-byte movianCrypt software during a
    hot-synch with a PC or server.
    
    The software can be downloaded from www.moviansecurity.com. It costs
    $40 for one copy and between $18 and $35 for multiple copies,
    depending on how many. It is available June 11.
    
    
    
    ISN is hosted by SecurityFocus.com
    



    This archive was generated by hypermail 2b30 : Mon Jun 11 2001 - 00:58:38 PDT