

D.M.G.PRASAD, A.N.SAI (of engg.), Ph no: 9849616166

Abstract

Every day, mobile workers take laptop computers and handheld devices outside of the organization's secure environment. Cell phones, PDAs, laptop computers, and other devices make it convenient to access information anywhere. However, the potential for confidential information to be exploited on these devices, the ability to access the corporate network from outside the firewall, and the susceptibility of these devices to loss and theft create security risks that must be addressed in order to protect privileged data. This paper discusses the issues we have to consider when designing and implementing procedures to protect mobile data, including the security problems of interception of data transmissions, authentication of users, rogue access to data, and lost devices. It also discusses how the security strategy can address these problems.

1. Introduction

Mobile devices, such as laptops and PDAs, make it possible for workers to access information anywhere. However, enhanced mobility means data can travel outside the boundaries of the LAN firewall. As more workers use mobile devices to access privileged data outside the organization's secure environment, the security strategy needs to address ways of managing and securing the mobile devices that access and store privileged data. Making data available to all authorized users whenever they require it makes the data more valuable. The use of mobile devices to access information has made it easier for users to be productive by making data available outside the enterprise. But mobile computing necessitates the exchange of confidential data over public networks, rather than over wired networks inside the enterprise. There is also the risk of data being intercepted over wireless networks. With mobile computing, it is more difficult to identify the entity that is accessing enterprise information than it is to identify that entity over a traditional wired network.

2. Implementing Security Procedures

When thinking about mobile data security, there is no perfect solution. Security is about reducing risk, not eliminating it. In order to establish security procedures to protect the data, there are several questions that we can consider. The answers to these questions will vary from organization to organization, but they can help us understand what security measures will best meet our needs.
Five common problems encountered with mobile data are:

• interception of data transmissions
• authentication of users
• rogue access to data
• lost devices
• protecting existing security investments

3. Solving mobile data security problems

It is important to find and address the weakest link in the security system. Addressing an area of weakness could include encrypting data on the device, encrypting data communications, password-protecting devices, incorporating user login mechanisms, or implementing device security policies. Now, let's examine each of the five mobile data security issues.

3.1. Protecting data transmissions

When data is being transmitted, we want to ensure that it is secure from end to end. There are many places where our data may be intercepted: in thin-client, browser-based applications, e-mail, voice, data synchronization, client/server communications, or messages and alerts. Secure data transmission has the following requirements:

• Confidentiality: Communications should remain private.
• Integrity: No one should be able to change the data, regardless of whether they are able to see it.
• Authentication: We have to ensure that we know who we are communicating with on the other end and avoid a man-in-the-middle attack. Clients connecting to the enterprise system need to know that they are communicating with the correct server. We also want to ensure that only authorized clients are communicating with the server.

In order to protect the data, we should ensure that there is end-to-end encryption of the data, from the remote device to behind the corporate firewall.

3.1.1. Communication architecture

The communication stack isolates the different functions needed for reliable data transfer. Each layer of a protocol stack treats information passed to it by the layer above merely as data, labeling that data in such a way that it can be identified and deciphered by the equivalent layer on the other computer. Only the physical layer is responsible for actually placing data onto the wire or over the air; all other layers provide some well-defined level of functionality, such as error detection, correction, and encryption [1]. Figure 2 shows a typical communication stack and how adding security affects the architecture.

When an application needs to encrypt the data that it is sending, it is necessary to have a security protocol to establish a secure connection. Security protocols are a negotiation (often called a handshake) of the security parameters required to establish an encrypted communication session. Generally, they also provide authentication. Examples of security protocols are Transport Layer Security (TLS) and Secure Sockets Layer (SSL). [4]

Transport-layer security is important whenever communications must travel over a public or private network where transmissions could be intercepted by an attacker. Using transport-layer security allows a client application to verify the identity of a server. Clients can ensure that they communicate only with servers they trust.

Figure 1

  Client Application ---- TLS ---- Database Server

Figure 2

  Communication stack         Communication stack
  without encryption          with encryption

  Application                 Application
                              Security Protocol
  Transport Layer (TCP)       Transport Layer (TCP)
  IP Layer                    IP Layer
  Physical Hardware           Physical Hardware
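The layering of Figure 2 and the three requirements of section 3.1 (confidentiality, integrity, authentication of the data's origin) can be made concrete with a small simulation. The following Python is an added example and is not code from the paper: each generic layer (TCP, IP, physical) prepends a small header and treats the bytes it receives from the layer above as opaque data, while an optional "security protocol" layer sits between the application and the transport layer. The keys, the message and the keystream construction (SHAKE-256 output XORed with the payload, plus an HMAC-SHA256 tag) are all constructed stand-ins for what a TLS handshake would negotiate and what a real cipher would provide; they illustrate the architecture, not a secure protocol.

```python
import hashlib
import hmac
import os
import struct

# Constructed keys for the toy security layer; a real handshake (TLS) would
# negotiate fresh keys per session. The keystream below is a stand-in, not a cipher.
KEY_ENC = hashlib.sha256(b"constructed-enc-key").digest()
KEY_MAC = hashlib.sha256(b"constructed-mac-key").digest()
NONCE_LEN, TAG_LEN = 16, 32


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with a SHAKE-256 keystream derived from key and nonce (toy only)."""
    stream = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))


def security_wrap(payload: bytes) -> bytes:
    """Security-protocol layer: confidentiality (keystream) plus integrity (HMAC tag)."""
    nonce = os.urandom(NONCE_LEN)
    ct = _xor_stream(KEY_ENC, nonce, payload)
    tag = hmac.new(KEY_MAC, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def security_unwrap(record: bytes) -> bytes:
    """Reject any record whose tag does not match before decrypting it."""
    nonce, ct, tag = record[:NONCE_LEN], record[NONCE_LEN:-TAG_LEN], record[-TAG_LEN:]
    expected = hmac.new(KEY_MAC, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: record altered in transit")
    return _xor_stream(KEY_ENC, nonce, ct)


# Generic layers (TCP, IP, physical): each prepends a 4-byte name and a length,
# treating whatever the layer above handed it as opaque data.
def layer_wrap(name: bytes, payload: bytes) -> bytes:
    return struct.pack(">4sI", name.ljust(4), len(payload)) + payload


def layer_unwrap(name: bytes, frame: bytes) -> bytes:
    tag, length = struct.unpack(">4sI", frame[:8])
    if tag != name.ljust(4):
        raise ValueError(f"unexpected header {tag!r}")
    return frame[8:8 + length]


def send(app_data: bytes, secure: bool) -> bytes:
    """Build the frame that reaches the wire, with or without the security layer."""
    payload = security_wrap(app_data) if secure else app_data
    return layer_wrap(b"PHY", layer_wrap(b"IP", layer_wrap(b"TCP", payload)))


def receive(frame: bytes, secure: bool) -> bytes:
    """Peel the layers in reverse order on the receiving computer."""
    payload = layer_unwrap(b"TCP", layer_unwrap(b"IP", layer_unwrap(b"PHY", frame)))
    return security_unwrap(payload) if secure else payload


def deliver(frame: bytes, secure: bool):
    """Application data, or None when the security layer rejected the record."""
    try:
        return receive(frame, secure)
    except ValueError:
        return None


def observer_sees(frame: bytes, secret: bytes) -> bool:
    """What an interceptor on the public network learns by reading the frame."""
    return secret in frame


def flip_last_byte(frame: bytes) -> bytes:
    """Simulate an on-path modification of the innermost bytes of the frame."""
    altered = bytearray(frame)
    altered[-1] ^= 0x01
    return bytes(altered)
```

Without the security layer the credential travels in clear and a modified frame is accepted silently; with it, the interceptor sees only ciphertext and the receiver discards any altered record. The lower layers are identical in both cases, which is the point of Figure 2: security is inserted as one more layer rather than by changing TCP or IP.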
3.1.2. Public-key cryptography

Public-key cryptography [3] makes use of mathematical systems that work with pairs of very large, associated numbers. These numbers, called keys, have particular properties. Each key can be used to encrypt information. Once encrypted, these messages can be decrypted only using the matching key. One of the keys, called the public key, is published in a public forum and can be used to encrypt information that is sent to the owner of the public key. The owner keeps the second key, called the private key, secret.

A message encrypted with the public key can be decrypted only by using the private key. Since the public key is published, anyone can create a message that only the private key owner can read. In addition, anyone who knows the public key can decrypt a message encrypted with the private key. In this way, the owner of the private key can "prove" that they know the private key by using it to create a message that can be decrypted using the associated public key. It is essential that the private key cannot be found easily through knowledge of the public key. The difficulty of deriving the private key from the public key is often associated with the strength of the cryptosystem and the size (in bits) of the public key. Another aspect of the private key is that it must be difficult to guess: the generation of high-quality private keys must incorporate randomness designed to be truly unpredictable. Algorithms that use public-key cryptography include RSA, Diffie-Hellman, and Elliptic Curve Cryptography.

3.1.3. Digital certificates

A digital certificate is an electronic document that identifies a person or entity and contains a copy of their public key. Each certificate includes a public key so that anyone can communicate securely with the person or entity by encrypting information with this public key. Digital certificates conform to a standardized file format that contains the following information:

1. Identity information, such as the name and address of the certificate owner
2. Public key
3. Expiry date
4. One or more digital signatures, to prevent modification of the certificate

3.1.4. Digital signatures

A digital signature [5] provides a means to detect whether a document has been altered. A digital signature is also used to verify that a certificate represents the person or company that it claims to represent. For example, if you receive a certificate from the ABC Company that is signed by VeriSign or another certificate authority, then you can be confident that you are communicating with the real ABC Company if you trust the certificate authority. A digital signature is a cryptographic operation created by calculating a value, called a message digest, from the document information, or in the case of a certificate, the identity information and the public key.
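Sections 3.1.2 to 3.1.4 describe three operations built on one key pair: encrypting to a public key, signing a digest with the private key, and a certificate authority signing an identity plus public key plus expiry date. The Python below is an added example, not from the paper, that carries all three through with textbook RSA on small fixed primes so the arithmetic stays readable. The primes, the "ABC Company" key pair, the certificate authority and its dates are all constructed; real keys are thousands of bits long and generated from an unpredictable random source, and a real certificate is X.509 rather than the JSON used here.

```python
import hashlib
import json
from math import gcd

# Toy RSA on fixed, small primes so the mathematics is visible. Real keys are
# 2048 bits or more and come from an unpredictable random source; these primes
# are constructed for illustration only and give no security.


def make_keypair(p: int, q: int):
    """Return (public_key, private_key) as (n, e) and (n, d)."""
    n, phi = p * q, (p - 1) * (q - 1)
    e = 65537
    while gcd(e, phi) != 1:       # e must be invertible modulo phi
        e += 2
    d = pow(e, -1, phi)           # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def rsa_encrypt(public_key, m: int) -> int:
    """Anyone with the public key can encrypt; only the private key decrypts."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer smaller than the modulus")
    return pow(m, e, n)


def rsa_decrypt(private_key, c: int) -> int:
    n, d = private_key
    return pow(c, d, n)


def message_digest(data: bytes, n: int) -> int:
    """SHA-256 digest of the document, reduced into the key's range."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private_key, data: bytes) -> int:
    """The private key transforms the digest; anyone with the public key can check it."""
    n, d = private_key
    return pow(message_digest(data, n), d, n)


def verify(public_key, data: bytes, signature: int) -> bool:
    """Recover the digest with the public key and compare with a fresh digest."""
    n, e = public_key
    return pow(signature, e, n) == message_digest(data, n)


def _canonical(body: dict) -> bytes:
    return json.dumps(body, sort_keys=True).encode()


def make_certificate(subject: str, subject_public_key, expires: str, ca_private_key) -> dict:
    """Identity + public key + expiry date, signed by the certificate authority."""
    body = {"subject": subject, "public_key": list(subject_public_key), "expires": expires}
    return {**body, "signature": sign(ca_private_key, _canonical(body))}


def verify_certificate(cert: dict, ca_public_key, today: str) -> bool:
    """Accept only if the CA's signature covers these exact fields and the date is valid."""
    body = {k: v for k, v in cert.items() if k != "signature"}
    if not verify(ca_public_key, _canonical(body), cert["signature"]):
        return False                      # altered, or not signed by a CA we trust
    return today <= cert["expires"]       # ISO dates compare correctly as strings


def encrypt_to_certificate(cert: dict, secret: int) -> int:
    """Use the public key carried in the certificate to send a secret to its owner."""
    return rsa_encrypt(tuple(cert["public_key"]), secret)


# Constructed parties: a certificate authority and the "ABC Company" from the text.
CA_PUBLIC, CA_PRIVATE = make_keypair(999983, 1000003)
ABC_PUBLIC, ABC_PRIVATE = make_keypair(104729, 1299709)
ABC_CERT = make_certificate("ABC Company", ABC_PUBLIC, "2030-12-31", CA_PRIVATE)
```

A client that trusts only CA_PUBLIC accepts ABC_CERT, rejects a copy whose subject field was edited, rejects a certificate ABC signed for itself, and rejects the genuine certificate once its expiry date has passed; the secret it encrypts to the certificate's public key is recoverable only with ABC_PRIVATE.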
3.2. Protecting against unauthorized users [2]

We have to be certain that only authorized clients can connect to the server and that clients are connecting to the correct server. Verifying that the correct entities are involved in data transmission is even more difficult in message systems because handshaking protocols cannot be used. Each time the user goes deeper into a new area of sensitivity or functionality, our application and middleware infrastructure should know who they are, and whether they should be.

3.2.1. Only the chosen may enter

A password should be required before a mobile user can synchronize with a back-end database or browse information stored on a company server; no exceptions. We can use mobile device management software to ensure that users have not circumvented security measures or stored their password in a file on their device.

3.2.2. Rights and privileges

Define what clients can and cannot do. Depending on the application, specific rights and permissions are configured on a per-user basis. For example, a sales force automation application might allow a sales representative to submit orders, but not approve them. A sales manager's password would carry with it the authorization to view orders and approve or deny them.

3.3. Protecting against rogue access to data

In some cases, services on a mobile device may respond to requests for data. These services can be exploited to gain access to the device's contents. Trojans can lurk on devices, and if a device has been exposed, then the Trojan can make connections and pass out data: in effect, the Trojan becomes a service. Currently, there are not many Trojans around for handheld devices, but this is a significant concern for laptops that are connected to the Internet. A device can also be attacked through interfaces such as database servers, Internet servers, or FTP servers.

3.3.1. Preventing rogue access to data

On laptop computers, you can use a personal firewall, such as BlackICE or ZoneAlarm, to help prevent rogue access to your data. Device management software can also help address the problem of rogue access to data by allowing you to enforce your security policies from a central location.

3.3.2. The enemy within

The biggest threat to the security of our corporate systems and data is our own users, who disable security mechanisms and configurations in order to save a few seconds when logging in or synchronizing data. Protect and enforce system configurations by automatically identifying and correcting devices where users have defeated password protection by storing the password on the device, or have changed security configuration options.
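Sections 3.2 and 3.3 together describe one gate in front of the back-end server: the device must still match the central security policy (password enabled, no stored credentials, personal firewall on), the user must be authenticated, and the requested operation must be within that user's rights. The Python below is an added example, not the paper's or any product's code, that implements that gate and the "identify and correct" step of 3.3.2 over constructed device records. The policy fields, the device states, the users and the permission names (including the sales representative versus sales manager split from 3.2.2) are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Central security policy of the kind a device-management server pushes (constructed).
POLICY = {
    "require_device_password": True,
    "max_autolock_minutes": 5,
    "require_personal_firewall": True,
    "allow_saved_credentials": False,
}

# Per-user rights, following the sales-force example: reps submit, managers approve.
PERMISSIONS = {
    "sales_rep": {"orders:submit", "orders:view_own"},
    "sales_manager": {"orders:view", "orders:approve", "orders:deny"},
}


@dataclass
class DeviceState:
    """What the device reports about its own configuration (constructed fields)."""
    device_id: str
    password_enabled: bool
    autolock_minutes: int
    firewall_enabled: bool
    saved_credentials: bool


@dataclass
class Session:
    user: Optional[str]      # None means the user has not authenticated
    role: Optional[str]


def compliance_findings(dev: DeviceState) -> List[str]:
    """Policy violations on a device; an empty list means the device is compliant."""
    findings = []
    if POLICY["require_device_password"] and not dev.password_enabled:
        findings.append("device password disabled")
    if dev.autolock_minutes > POLICY["max_autolock_minutes"]:
        findings.append(
            f"auto-lock after {dev.autolock_minutes} min exceeds policy of "
            f"{POLICY['max_autolock_minutes']} min"
        )
    if POLICY["require_personal_firewall"] and not dev.firewall_enabled:
        findings.append("personal firewall disabled")
    if not POLICY["allow_saved_credentials"] and dev.saved_credentials:
        findings.append("password stored on device")
    return findings


def remediate(dev: DeviceState) -> DeviceState:
    """Push the device's configuration back to policy (the 'correct' step of 3.3.2)."""
    return DeviceState(
        device_id=dev.device_id,
        password_enabled=True,
        autolock_minutes=min(dev.autolock_minutes, POLICY["max_autolock_minutes"]),
        firewall_enabled=True,
        saved_credentials=False,
    )


def authorize(dev: DeviceState, session: Session, action: str) -> Tuple[bool, str]:
    """Gate a back-end request: compliant device, authenticated user, then per-action rights."""
    findings = compliance_findings(dev)
    if findings:
        return False, "device non-compliant: " + "; ".join(findings)
    if session.user is None:
        return False, "authentication required"
    if action not in PERMISSIONS.get(session.role or "", set()):
        return False, f"{session.user} ({session.role}) may not {action}"
    return True, "ok"
```

Checking device compliance before the password prompt means a laptop whose user has stored the password in a file is refused synchronization until the management server has corrected it, no matter who is logged in; the rights check then keeps a sales representative from approving orders even on a compliant device.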
3.4. Protecting data on lost devices

Mobile devices are small and expensive, so they are easily lost or left in taxis, and are a favorite target for thieves. If you don't want the new owner to have access to your corporate systems or view sensitive data, precautions must be taken.

3.4.1. Persistent data needs persistent

There are two precautions that you can take to prevent disclosure of the data stored on a mobile device: encrypting sensitive data, and encrypting the entire file system (this may be useful when using data outside of a database, such as in a spreadsheet). Protect the data that is stored on hard disks, in persistent memory, or on removable flash cards (whether they are in or out of the device).

3.5. Protecting existing security investment

Whether we are creating new mobile applications or extending the reach of existing systems, our mobile development should be as secure as applications running on our corporate LAN. Integrate our mobile applications with existing security infrastructures through open standards and a flexible architecture.

3.5.1. The e-mail of the species

E-mail is one of the most frequent points of entry for potential security threats, whether inside or outside the office. As you do with desktop e-mail systems, encrypt all incoming and outgoing messages between our corporate e-mail server and mobile devices that are outside our company's firewall. Our mobile application should also enforce password entry, and harmonize security configurations with LAN e-mail systems.

4. Conclusion

Security is about minimizing risk, not eliminating it. This means identifying the weakest links in our system and then designing an appropriate solution that takes into account the associated risks and costs to protect the mobile data.

5. REFERENCES

[1] Bernard Sklar, "Digital Communications", Second edition, Pearson Education.
[2] Diffie, W., and Hellman, M.E., "Privacy and Authentication: Introduction to Cryptography", Proc. IEEE, Vol. 67, no. 3, Mar. 1979, pp. 397-427.
[3] Denning, D.E.R., "Cryptography and Data Security", Addison-Wesley Publishing, 1982.
[4] National Bureau of Standards, "Data Encryption Standard", FIPS, no. 46, Jan. 1977.
[5] Digital Signature Standard, FIPS 186-1, Govt. Printing Office, Dec. 1998.

Websites:
37
031017_410&type=RES
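Returning to section 3.4.1: the precaution that matters on a lost or stolen device is that the data at rest is encrypted under a key the new owner does not have, and that the device's own passcode check cannot be bypassed by guessing quickly. The Python below is an added example, not from the paper, of the pattern: the encryption key is derived from the user's passcode with PBKDF2 and is never stored on the device, an HMAC tag makes a wrong passcode (or a modified store) fail cleanly rather than yield garbage, and repeated failures wipe the encrypted store. The passcodes, contents and iteration count are constructed, and the SHAKE-256 keystream is a stand-in for a real cipher such as AES.

```python
import hashlib
import hmac
import os
from typing import Optional

PBKDF2_ROUNDS = 100_000   # slows each passcode guess against a stolen store (constructed value)
MAX_ATTEMPTS = 5          # wipe after this many consecutive wrong passcodes (constructed)
SALT_LEN, NONCE_LEN, TAG_LEN = 16, 16, 32


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with a SHAKE-256 keystream; a stand-in for a real cipher, not secure."""
    stream = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))


def derive_keys(passcode: str, salt: bytes):
    """Stretch the passcode into an encryption key and a separate MAC key."""
    material = hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, PBKDF2_ROUNDS, dklen=64)
    return material[:32], material[32:]


def seal(passcode: str, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC the data; output is salt || nonce || ciphertext || tag."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, mac_key = derive_keys(passcode, salt)
    ct = _xor_stream(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag


def open_sealed(passcode: str, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None if the passcode is wrong or the blob was altered."""
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ct, tag = blob[SALT_LEN + NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(passcode, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return _xor_stream(enc_key, nonce, ct)


class DeviceStore:
    """Encrypted store that releases plaintext only for the right passcode and wipes on abuse."""

    def __init__(self, passcode: str, contents: bytes):
        self.blob: Optional[bytes] = seal(passcode, contents)   # key itself is never kept
        self.failed = 0

    def unlock(self, passcode: str) -> Optional[bytes]:
        if self.blob is None:            # already wiped
            return None
        data = open_sealed(passcode, self.blob)
        if data is None:
            self.failed += 1
            if self.failed >= MAX_ATTEMPTS:
                self.blob = None         # destroy the ciphertext; nothing left to recover
            return None
        self.failed = 0
        return data

    def wiped(self) -> bool:
        return self.blob is None
```

Whoever picks up the device holds only the sealed blob; without the passcode the PBKDF2 cost applies to every guess, the tag check means a wrong guess returns nothing rather than near-miss plaintext, and after MAX_ATTEMPTS failures the ciphertext is gone. Encrypting the whole file system, the paper's second precaution, applies the same idea below the application so that spreadsheets and other files outside the database are covered too.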
