
Network Security for the Windows Mobile Software Platform

White Paper

Published: March 2006

For the latest information, please see http://www.microsoft.com/windows/mobile/

Abstract

This paper presents information to enterprise-level network administrators who are exploring network security standards and best practices related to Microsoft® Windows Server™ 2003 networks that include mobile devices running Microsoft Windows Mobile® 5.0 software. Readers should be familiar with enterprise-level network and system administration and technology, as well as have an understanding of mobile technologies and devices.


The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This white paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in, or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2006 Microsoft Corporation. All rights reserved.

The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Microsoft, Active Sync, Outlook, Windows, Windows Mobile, Windows Server, and the Windows logo are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.


Contents

Introduction ... 1
    Incorporation with Existing Windows Security Technology ... 1
Windows Mobile Security Management ... 2
    Role-Based Security for OTA Provisioning ... 2
    Configuration Service Providers ... 2
    Device Management and Provisioning ... 3
    Installation Code Signing ... 3
    Execution Control ... 3
Windows Mobile Security Infrastructure ... 4
    Microsoft Cryptographic Application Program Interface ... 4
    Cryptographic Service Providers ... 5
    Security Service Providers ... 6
    Local Authentication Subsystem ... 6
    Microsoft Public Key Infrastructure ... 7
Windows Mobile 5.0 Security Technologies ... 8
    Local Device Security ... 8
    Network Security ... 9
    Information Service Encryption ... 10
    Wireless Security ... 10
Scenarios ... 12
    Connecting to a Corporate Network using 802.1x and EAP-TLS ... 12
    Connecting through a Wireless Hotspot or Third-party WWAN ... 13
    Connecting by using Exchange ActiveSync ... 13
Conclusion ... 15
Appendices ... 16
    Appendix A: Supported Encryption Algorithms ... 16
    Appendix B: Network Security Terminology and Definitions ... 16


Introduction

One of the most difficult tasks for enterprise network administrators is finding methods and technologies that can prevent malicious attacks against their systems from sources located both inside and outside corporate firewalls. Securing servers, client computers, and mobile devices becomes even more important as workers and contractors connect from multiple wired or wireless networks where security levels can vary greatly. Employees can inadvertently put their businesses at risk by connecting remotely to mission-critical systems and applications and transmitting unintended threats over mobile networks. In addition, passing critical corporate data through an outside network operations center may increase the risk of compromise or unavailability.

However, with the right technology and network architecture in place, network administrators can dramatically improve security and management for mobile device connections. Careful planning of how to handle permissions and security rights for these mobile users is the key to a successful deployment.

Microsoft® technologies offer a multiple-layer approach to defending Microsoft Windows®-based networks that include mobile devices. This paper provides information about e-mail and Internet communication, Virtual Private Network (VPN), and wireless security technology for devices running on Microsoft Windows Mobile® 5.0 software, including Windows Mobile-powered Smartphones and Pocket PCs. These technologies help network administrators manage and protect Microsoft Windows Server 2003 networks that include mobile devices.

In addition, this paper presents information about the following:

Incorporation of Windows Mobile-powered devices with existing Windows networks.

The Windows Mobile security infrastructure.

Security features and technologies for Windows Mobile-powered devices.

Readers should be familiar with Windows networking technology for enterprise deployments along with Microsoft certificate technology, and they should have an understanding of mobile devices.

Incorporation with Existing Windows Security Technology

Windows Mobile-powered Pocket PCs and Smartphones can be incorporated into existing Windows networks and conform to existing network security policies by using Windows Mobile 5.0 software. Therefore, these mobile devices can use many of the same Microsoft security features used in Windows desktop and laptop computers. The technologies described in this paper apply generally to devices running Windows Mobile 5.0 software. However, support for these technologies can vary depending on the actual device.


Network Security for the Windows Mobile Software Platform 1

Windows Mobile Security Management

Mobile devices can enter a corporate network as part of an enterprise-wide deployment or as personal devices purchased by employees. One important aspect of managing network security for Windows Mobile-powered devices is managing how these devices interact with mission-critical applications and third-party service providers, such as cellular service providers. Windows Mobile software allows network administrators to control device security settings through comprehensive provisioning features for Smartphones and Pocket PCs.

Role-Based Security for OTA Provisioning

Windows Mobile-powered devices use role-based security to control what provisioning changes may be made by over-the-air (OTA) messages. Requests to the Windows Mobile Configuration Manager carry an associated role, based on how the request was signed and what security policy is in effect. These roles include:

Manager. This role is the most powerful, as policy changes requested with this role have essentially unlimited access to the device. By default, the mobile operator is assigned this role, although it may be assigned to the enterprise or individual who owns the device.

Authenticated user. This role is assigned to messages signed with the user's PIN, or messages delivered by the remote application programming interface (RAPI) for PC-to-mobile device communications. Depending on the settings applied by the device manager, the user may or may not have access to all configuration settings on the device; the exact permissions given authenticated users are assigned by the manager.

Unauthenticated user. This role is assigned to unsigned OTA messages; it can only be used to install ring tones or a new Today screen.

OEM. This role is normally assigned to the original equipment manufacturer; by default, it does not provide permissions to configure settings using OTA messages.

Operator. OTA messages that arrive signed by the mobile operator's key carry this role; it is provided so that mobile operators can configure carrier-specific properties on the device even if the operator does not have access to the Manager role.

Additional roles for trusted proxies and gateways. These roles are not used by all mobile network operators, and they are assigned to devices provisioned by individual operators as needed.

Configuration Service Providers

Many of the network features in Windows Mobile-powered devices are enabled by configuration service providers, assemblies of code and data that carry out all application configuration queries and changes. After data has been passed to a configuration service provider, it makes any requested changes as allowed by the specified security policy, then reports the success or failure of the transaction to the requestor.

One of the primary features of configuration service providers is the ability to assign a security role requirement for each individual setting or group of settings. Security roles are used to control whether the device user or the device administrator has access to a particular configuration setting. For example, the SecurityPolicy configuration service provider requires the Manager security role, while the BrowserFavorite configuration service provider only requires the Authenticated User security role.


Device Management and Provisioning

Windows Mobile-powered devices can be managed by using XML-based provisioning documents to configure OS and application settings, including security settings. These provisioning documents can be applied to multiple mobile devices. The XML provisioning documents are distributed through:

Over-the-air synchronizations with a device management server on the network. This server could be Microsoft Systems Management Server (SMS), Exchange, a third-party device management solution, or a device management server operated by a mobile operator.

Deployment in a cabinet provisioning format file (.cpf). Application installation files are known as cabinet files (.cab); the .cpf file is a special type of cabinet file that contains the XML provisioning document. The device can download the .cpf file from a provisioning server or from an attached desktop.

A desktop to which the device is connected using desktop ActiveSync.

For large deployments of Windows Mobile-powered devices, XML provisioning not only reduces deployment effort, but also helps standardize security settings. Along with security settings, XML provisioning allows network administrators to create a standard configuration for mobile devices, including wireless and other network settings, Internet connection, and e-mail synchronization settings. The XML provisioning features can also manage how mobile devices connect to third-party voice and data service providers.
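The role model and the provisioning format described in the sections above, worked through in code. This is an added example written for this page, not code from the white paper or from Microsoft. It assumes the OMA Client Provisioning element names (wap-provisioningdoc, characteristic, parm) that Windows Mobile provisioning documents use; the role bit values, the entries in the CSP-to-role table beyond the SecurityPolicy and BrowserFavorite cases the text gives, the treatment of a role requirement as "any one of the listed roles suffices", the policy ID 4102 for the unsigned-applications setting (as recalled from the Windows Mobile SDK, to be checked against it), and the sample document are all constructed assumptions.

```python
"""Role-checked application of an XML provisioning document.

Added example (not from the white paper or from Microsoft). Each top-level
characteristic maps to a configuration service provider (CSP), each CSP
requires a security role, and the Configuration Manager applies only the
characteristics whose required role the request carries. The role bit values,
the role table and the sample document are constructed for this example.
"""
import xml.etree.ElementTree as ET

# Role bit flags: constructed values for this model, not the SDK constants.
SECROLE_MANAGER = 0x08
SECROLE_USER_AUTH = 0x10
SECROLE_USER_UNAUTH = 0x40
SECROLE_OPERATOR = 0x04

# Which roles may drive each CSP (assumption: any one matching role suffices).
# SecurityPolicy requires Manager and BrowserFavorite accepts an authenticated
# user, as the text says; Ringtone, which the text says an unauthenticated OTA
# message may set, is an illustrative addition.
CSP_ALLOWED_ROLES = {
    "SecurityPolicy": SECROLE_MANAGER,
    "BrowserFavorite": SECROLE_MANAGER | SECROLE_OPERATOR | SECROLE_USER_AUTH,
    "Ringtone": SECROLE_MANAGER | SECROLE_OPERATOR | SECROLE_USER_AUTH | SECROLE_USER_UNAUTH,
}

# Constructed sample document: blocks unsigned applications (policy 4102, the
# Unsigned Applications policy as recalled from the SDK) and adds a favourite.
SAMPLE_DOC = """<wap-provisioningdoc>
  <characteristic type="SecurityPolicy">
    <parm name="4102" value="0"/>
  </characteristic>
  <characteristic type="BrowserFavorite">
    <characteristic type="Intranet">
      <parm name="URL" value="http://intranet.example.com/"/>
    </characteristic>
  </characteristic>
  <characteristic type="UnknownCsp">
    <parm name="x" value="1"/>
  </characteristic>
</wap-provisioningdoc>"""


def flatten_parms(characteristic, prefix=""):
    """Return {path: value} for every parm below a characteristic, recursing
    into nested characteristics the way a CSP walks its own subtree."""
    result = {}
    for child in characteristic:
        if child.tag == "parm":
            result[prefix + child.get("name")] = child.get("value")
        elif child.tag == "characteristic":
            result.update(flatten_parms(child, prefix + child.get("type") + "/"))
    return result


def apply_provisioning(doc_xml, request_roles):
    """Apply a provisioning document on behalf of a request carrying the given
    role mask. Returns (applied, rejected): applied maps CSP name to the parms
    handed to it; rejected maps CSP name to the reason it was refused."""
    root = ET.fromstring(doc_xml)
    if root.tag != "wap-provisioningdoc":
        raise ValueError("not a provisioning document")
    applied, rejected = {}, {}
    for characteristic in root.findall("characteristic"):
        csp = characteristic.get("type")
        allowed = CSP_ALLOWED_ROLES.get(csp)
        if allowed is None:
            # Fail closed: a CSP we cannot map has no role requirement to check.
            rejected[csp] = "unknown CSP"
        elif request_roles & allowed == 0:
            rejected[csp] = "insufficient role"
        else:
            applied[csp] = flatten_parms(characteristic)
    return applied, rejected


if __name__ == "__main__":
    for label, roles in (("authenticated user", SECROLE_USER_AUTH),
                         ("manager", SECROLE_MANAGER)):
        applied, rejected = apply_provisioning(SAMPLE_DOC, roles)
        print(f"{label}: applied={sorted(applied)} rejected={rejected}")
```

Run as a script, the same document applied with the Authenticated User role changes the browser favourite but leaves the security policy untouched, while the Manager role applies both; the characteristic for an unmapped CSP is refused in either case rather than applied with no check.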

Installation Code Signing

Application installation files (again, known as cabinet or .cab files) may be digitally signed by the application provider: Microsoft, a third-party software company, or the developer of an enterprise line-of-business application. At install time, the digital signature of the installation .cab is checked against the certificates in the software publishing certificate (SPC) store. If the signature chains to one of those certificates, the installation can take place. You can apply application configuration settings through the .cab installer as well. The installer checks the digital signature of the .cab against the certificates in the SPC store to determine the security role used for the configuration.

Execution Control

Windows Mobile 5.0 allows programs that run on the Smartphone to have one of two levels of access. Privileged or fully trusted code can call any application programming interface (API) routine and write to any registry key on the device; normal code is restricted from calling some API routines and writing to certain registry keys. (For a list of trusted APIs, see the Platform Builder for Microsoft Windows CE 5.0 documentation.) Windows Mobile 5.0 Pocket PC devices do not support these two tiers: code is either run with full trust or not run at all. Execution control is configured using the SecurityPolicy configuration service provider. The device can be configured to block execution of all unsigned applications, to run them after consent from the user, or to run all unsigned applications without prompting the user.

Microsoft also provides a program, Mobile2Market, that allows third-party independent software vendors (ISVs) to sign their applications so that they install and run on devices where installation and execution security are enabled. The ISV must pay for the signing and formally document ownership of the application to obtain the Mobile2Market digital signature for it.
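The execution-control rules from the two sections above, as a decision function with a permissive and a locked-down policy profile side by side. This is an added example written for this page, not code from the white paper or from Microsoft. The policy IDs 4102 (unsigned applications), 4122 (unsigned prompt) and 4123 (privileged applications, one-tier versus two-tier) are the SecurityPolicy IDs as recalled from the Windows Mobile SDK and should be checked against it; the certificate thumbprints, store contents and sample binaries are constructed.

```python
"""Execution-control decision on a Windows Mobile 5.0 style device.

Added example, not code from the white paper or from Microsoft. Signed code
is privileged or normal depending on which execution certificate store its
signing certificate chains to; unsigned code is blocked, prompted for, or run
silently according to device policy; a one-tier device (Pocket PC) collapses
the two levels into full trust. Policy IDs are as recalled from the SDK;
thumbprints, store contents and sample binaries are constructed.
"""
from dataclasses import dataclass
from typing import Optional

POLICY_UNSIGNED_APPS = "4102"    # "1": unsigned code may run, "0": blocked
POLICY_UNSIGNED_PROMPT = "4122"  # "0": ask the user first, "1": run without asking
POLICY_ONE_TIER = "4123"         # "1": one-tier device, "0": two-tier device

# Constructed execution stores, keyed by certificate thumbprint.
PRIVILEGED_STORE = {"a1b2"}
UNPRIVILEGED_STORE = {"c3d4"}


@dataclass(frozen=True)
class Binary:
    name: str
    signer: Optional[str]  # thumbprint of the signing certificate, None if unsigned


def classify(binary, policy):
    """Return 'privileged', 'normal', 'prompt' or 'blocked' for one binary."""
    one_tier = policy.get(POLICY_ONE_TIER, "0") == "1"
    if binary.signer in PRIVILEGED_STORE:
        return "privileged"
    if binary.signer in UNPRIVILEGED_STORE:
        return "privileged" if one_tier else "normal"
    # Unsigned, or signed by a certificate the device does not trust: a
    # signature that chains to nothing buys no trust and falls through here.
    if policy.get(POLICY_UNSIGNED_APPS, "1") != "1":
        return "blocked"
    if policy.get(POLICY_UNSIGNED_PROMPT, "0") != "1":
        return "prompt"
    return "privileged" if one_tier else "normal"


# Weak profile: one-tier device that runs anything, silently, with full trust.
PERMISSIVE = {POLICY_UNSIGNED_APPS: "1", POLICY_UNSIGNED_PROMPT: "1", POLICY_ONE_TIER: "1"}
# Hardened profile: two-tier device, unsigned or untrusted code never runs.
LOCKED_DOWN = {POLICY_UNSIGNED_APPS: "0", POLICY_UNSIGNED_PROMPT: "0", POLICY_ONE_TIER: "0"}

SAMPLE_BINARIES = (
    Binary("lob.exe", "a1b2"),    # chains to the privileged store
    Binary("game.exe", "c3d4"),   # chains to the unprivileged store
    Binary("rogue.exe", "ffff"),  # signed, but by a certificate the device does not trust
    Binary("tool.exe", None),     # unsigned
)


def evaluate(policy, binaries=SAMPLE_BINARIES):
    """Classify every sample binary under one policy profile."""
    return {b.name: classify(b, policy) for b in binaries}


if __name__ == "__main__":
    for label, policy in (("permissive", PERMISSIVE), ("locked down", LOCKED_DOWN)):
        print(label, evaluate(policy))
```

The point the two profiles make is that on the permissive one-tier device every sample binary, including the one signed by an untrusted certificate, ends up running with full trust, whereas the locked-down profile runs only code whose signature chains to a store the device trusts.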


Windows Mobile Security Infrastructure

Most mobile devices connect from outside the security perimeter of corporate networks, exposing them to varying levels of risk. In addition, today's mobile devices offer many of the same features and applications employees use on their laptops or desktop computers, including access to the Internet, business applications, and personal e-mail. As a result, many of the security threats that exist for desktops also exist for mobile devices.

Windows Mobile 5.0 software offers advanced security technologies that help protect data and applications, whether on the local device or across the corporate network. Windows Mobile software takes advantage of many of the same Windows security features used in typical desktop/server network architectures. The security architecture built into Windows Mobile 5.0 enables Windows Mobile-powered Smartphones and Pocket PCs to be incorporated easily into the existing security protocols in an enterprise Windows Server-based network.

Windows Mobile software includes four architectural features that provide security functionality to Windows Mobile-powered Smartphones and Pocket PCs: the Microsoft Cryptographic Application Program Interface, Cryptographic Service Providers, Security Service Providers, and the Local Authentication Subsystem (LASS).

Microsoft Cryptographic Application Program Interface

The Microsoft Cryptographic Application Program Interface (CryptoAPI) provides encryption and authentication functionality to Windows Mobile-powered devices to help secure applications. CryptoAPI also supports encryption services for local data stored on a mobile device or removable media.

Figure 1. The Microsoft CryptoAPI security architecture

As shown in Figure 1, CryptoAPI architecture provides network administrators with the technology backbone required to incorporate Windows Mobile devices into existing enterprise networks securely, and includes the following features:

Encryption. Encryption provides confidentiality between two communicating parties who share a secret key: only a holder of the key can recover the plaintext. On its own, encryption does not authenticate the sender or detect tampering; that is the job of digital signatures (or of a hash protected by a key).


Hashing. Hashing produces a fixed-length digest of arbitrary data, so a receiver can detect corruption of information sent over a non-secure channel, such as the Internet. Because anyone can recompute a digest, a bare hash does not stop deliberate tampering unless the digest itself is protected by a signature or a key.

Digital signature. A digital signature is computed over a hash of the data with the signer's private key. Any party holding the matching public key can verify the origin and integrity of the received data, so the sender and receiver do not need to share a secret key.

A cryptographic service provider (CSP in Figure 1) is an independent module that implements the CryptoAPI functions. CryptoAPI routes each call to a CSP, which performs the actual cryptographic work for the applications running on an employee's mobile device. Several CSPs can be installed alongside CryptoAPI, and each one supports a different combination of algorithms.

Cryptographic Service Providers

A cryptographic service provider contains implementations of cryptographic standards and algorithms. Windows Mobile 5.0 software supports a full host of encryption algorithms that allow network administrators to incorporate Windows Mobile-powered devices into the existing security infrastructure of a corporate network. As with desktop applications, applications on Windows Mobile do not communicate directly with a cryptographic service provider. Instead, they call the CryptoAPI functions exposed by the operating system, which passes the calls on to the appropriate cryptographic service provider. Each cryptographic service provider offers the calling application one or more symmetric or asymmetric encryption algorithms.

Network administrators can use encryption to help secure data communication, such as e-mail messages, calendar information, or line-of-business applications, between mobile users and company network resources. With public key encryption, the sender's device encrypts data using the receiver's public key, which can be distributed freely. The resulting ciphertext can be decrypted only with the matching private key, which is held only by the receiver; this protects the data as it travels over various networks and over the Internet. In practice, the public key operation protects a symmetric session key, and the bulk data is encrypted with a symmetric algorithm such as those listed below.
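The three CryptoAPI building blocks listed above (encryption, hashing and digital signature), carried through in code so the difference between them is visible. This is an added example written for this page, not code from the white paper or from Microsoft, and it uses only Python's standard library: SHA-1 (the hash the paper names), a textbook RSA signature over that hash, and RSA transport of a symmetric session key as described in the paragraph above. The RSA key is built from two fixed Mersenne primes (about 196 bits) with no padding, which shows the mechanics and is unsafe for anything else; real deployments use PKCS #1 padding and 2048-bit or longer keys through a proper library. The message, the attacker's changes and the key material are all constructed.

```python
"""Integrity over an untrusted channel: plain hash versus digital signature.

Added example, not code from the white paper or from Microsoft. Textbook RSA
from two fixed Mersenne primes, no padding: illustration only. The message,
attacker and key material are constructed for this example.
"""
import hashlib

# Constructed RSA key: p = 2**89 - 1 and q = 2**107 - 1 are Mersenne primes.
P = 2**89 - 1
Q = 2**107 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+ modular inverse)


def sha1_int(data):
    """SHA-1 digest as an integer. 160 bits, so always smaller than N (~196 bits)."""
    return int.from_bytes(hashlib.sha1(data).digest(), "big")


def sign(message, d=D, n=N):
    """Hash-then-sign with the private exponent."""
    return pow(sha1_int(message), d, n)


def verify(message, signature, e=E, n=N):
    """Anyone holding the public key (e, n) can check the signature."""
    return pow(signature, e, n) == sha1_int(message)


def wrap_key(session_key, e=E, n=N):
    """Public-key transport of a symmetric key: encrypt it to the receiver."""
    k = int.from_bytes(session_key, "big")
    if k >= n:
        raise ValueError("session key too large for this modulus")
    return pow(k, e, n)


def unwrap_key(wrapped, length, d=D, n=N):
    """Only the holder of the private exponent recovers the session key."""
    return pow(wrapped, d, n).to_bytes(length, "big")


def hash_only_channel(message, tamper):
    """Sender appends a bare SHA-1; receiver accepts if the digest matches."""
    received_message, received_digest = tamper(message, hashlib.sha1(message).digest())
    return hashlib.sha1(received_message).digest() == received_digest


def signed_channel(message, tamper):
    """Sender appends an RSA signature; receiver verifies with the public key."""
    received_message, received_signature = tamper(message, sign(message))
    return verify(received_message, received_signature)


ORDER = b"PAY 100 TO ACCOUNT 42"  # constructed message


def attacker_hash(message, digest):
    """Active attacker: alter the message and recompute the unkeyed hash."""
    forged = message.replace(b"42", b"66")
    return forged, hashlib.sha1(forged).digest()


def attacker_sig(message, signature):
    """Same attacker against the signed channel. Without D, the best move
    available is to forward the original signature with the forged message."""
    return message.replace(b"42", b"66"), signature


def demo():
    """Return whether each receiver accepts what arrives."""
    session_key = bytes(range(16))
    return {
        "hash_only_accepts_forgery": hash_only_channel(ORDER, attacker_hash),
        "signed_accepts_forgery": signed_channel(ORDER, attacker_sig),
        "signed_accepts_genuine": signed_channel(ORDER, lambda m, s: (m, s)),
        "session_key_round_trips": unwrap_key(wrap_key(session_key), 16) == session_key,
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The hash-only receiver accepts the forged order because the attacker simply recomputed the digest; the signed receiver rejects it because producing a new signature requires the private exponent, while verifying needs only the public key. The same key pair wraps a session key in the direction the paragraph above describes: encrypted with the public key, recoverable only with the private key.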

In the current software market, there are many different encryption technologies. Windows Mobile software supports a host of reliable, mature, industry-standard technologies. The following are encryption algorithms supported by cryptographic service providers in Windows Mobile software:

Data Encryption Standard (DES). DES is a widely used block cipher that encrypts 64-bit blocks of data under a 56-bit secret key. Because a 56-bit key can be exhausted by brute force with modest hardware, DES should be regarded as obsolete and used only where legacy compatibility requires it. For greater security, companies can implement Triple-DES, which applies DES three times and provides a 112-bit key in 2-key mode and a 168-bit key in 3-key mode.

Advanced Encryption Standard (AES). AES is the block cipher currently recommended by the US National Institute of Standards and Technology (NIST) for use in U.S. Government applications. Windows Mobile 5.0 supports AES with 128-bit and 256-bit keys.

RSA. RSA is a public key algorithm, named for its inventors Rivest, Shamir, and Adleman, that provides key exchange and digital signatures in Web, Internet, and computing standards such as SSL/TLS. It was patented and licensed by RSA Security until the patent expired in 2000; the company also sells development kits. Windows Mobile software supports RSA Key Exchange and RSA Signature with 512- or 1024-bit keys. A 512-bit RSA modulus has been factored publicly and should not be used; 1024 bits should be treated as the minimum.


RC2 / RC4 / RC5. RC2 and RC5 are block ciphers (RC2 uses 64-bit blocks like DES; RC5 has a variable block size), and RC4 is a stream cipher. All three accept variable-length keys, with up to 128 bits supported here. With 128-bit keys they are faster than DES and are not limited by its 56-bit key, although RC4's keystream has known statistical biases and requires care in how its keys are derived and used.

Windows Mobile 5.0 software also includes support for several additional algorithms, including the Secure Hash Algorithm (SHA-1), and implementations of the Public-Key Cryptography Standards (PKCS) methods for creating, requesting, and securely storing certificates. For technical specifications of the encryption technologies supported by Windows Mobile software, see Appendix A.

Security Service Providers

Security Service Providers (SSPs) provide security services for user authentication, credential management, and message protection. Through the Security Support Provider Interface, SSPs enable applications to access authentication and cryptographic protection methods. To fit existing software, line-of-business applications, and network resources, Windows Mobile software includes four SSPs.

SSPs help make securing network resources less difficult for network administrators. Windows Mobile-powered devices offer network administrators the same SSP functionality as in Windows-based desktop computers. With support for SSPs, network administrators can expect the same level of security between applications and platforms they rely on in typical desktop-server deployments.

Windows Mobile software supports the following SSPs:

Kerberos Security Support Provider provides mutual client-server authentication between Windows Mobile devices and computers running Windows 2000, Windows XP, and Windows Server 2003. Kerberos provides cryptographically strong mutual authentication, and it is the preferred client/server authentication method for Windows networks.

Microsoft Windows NT® LAN Manager (NTLM) Security Support Provider provides connectivity to systems that are using the NTLM authentication interface. Windows 2000 and Windows Server 2003 natively support (and prefer) the Kerberos authentication system; the NTLM SSP is provided for backwards compatibility and for communications with servers that do not support Kerberos.

Secure Channel Security Support Provider (Schannel) implements SSL/TLS and is used primarily for secured HTTP (HTTPS) connections; it provides both client and server authentication using X.509 digital certificates.

Negotiate Security Support Provider allows client and server applications to negotiate which specific SSP they will use for authentication; applications may be written to require a given SSP, or they may allow negotiation between client and server.

Local Authentication Subsystem

The Local Authentication Subsystem (LASS) is a new feature in Windows Mobile 5.0 software that decouples user authentication from the application and its authentication method. Hardware and software manufacturers can add LASS plug-in modules to provide support for additional authentication methods, including biometric and smartcard authentication. Windows Mobile 5.0 applications that are written to use LASS for local authentication can automatically take advantage of any installed authentication plug-in, providing multiple-factor authentication in an application-independent way.

The Windows Mobile Messaging and Security Feature Pack adds the ability to use X.509 digital certificates for authentication. This provides more secure logon capability without the requirement that users' network credentials be stored on the device, reducing the risk that those credentials will be compromised.

Microsoft Public Key Infrastructure

Windows Mobile-powered devices can be easily incorporated into existing Public Key Infrastructure (PKI) deployments and can take advantage of the same certificate and encryption technology available to desktop and laptop users. Microsoft PKI is a system of digital certificates, certificate authorities, and other registration authorities. This system uses public key cryptography to verify and authenticate the validity of server and client computers or users involved in an electronic transaction. For more information on Microsoft PKI, see Public Key Infrastructure.


Windows Mobile 5.0 Security Technologies

Windows Mobile software features an architecture that provides the technology backbone to incorporate Windows Mobile devices into enterprise-level networks securely. Additionally, it includes built-in technologies that provide out-of-the-box functionality to manage local device security, Web and application security, network security, and wireless security for Windows Mobile-powered Pocket PCs and Smartphones.

Local Device Security

Network administrators should be able to control which applications can be installed on any device within their network, including mobile devices that connect directly to resources located behind corporate firewalls. In addition, network administrators should be able to protect the data located on mobile devices in case the device is stolen or lost.

The local device security features included with Windows Mobile software work together to allow network administrators the functionality they need to secure sensitive data moving between corporate networks and mobile devices. This multifaceted approach to device security helps ensure system configurations remain updated and protected.

Strong password technology for Windows Mobile-powered Pocket PCs

Mobile devices are subject to loss or theft, even more so than laptops. This susceptibility means that ensuring the security of locally stored data on mobile devices becomes a high priority. Windows Mobile-powered Pocket PCs allow network administrators to implement strong password policies, such as power-on passwords and smartcard authentication, to help secure access to mobile devices and the data they store. Several third parties are producing smartcard and token readers that work with Pocket PC devices to provide enhanced two-factor authentication.

SIM lock support

Windows Mobile-powered Smartphones and Pocket PC Phone Edition devices also support a Subscriber Identity Module (SIM) lock, which allows a PIN to be required on the device's SIM card. Because the SIM card can store personal and confidential information, it is crucial to consider ways to protect that information from being accessed should the device be lost or stolen.

Local and remote device wipe

Windows Mobile 5.0 software allows administrators to erase information from a device under specified circumstances. The device itself may be configured by the user, or by an administrator or configuration service provider, to erase the device after a preset number of incorrect attempts to guess the device unlock password. In addition, Exchange Server 2003 Service Pack 2 provides a remote administration tool that can be used to remotely erase a lost or stolen device, providing an added degree of protection.

Microsoft SQL Server 2005 Mobile Edition

In addition to strong password technology, network administrators have the option to implement Microsoft SQL Server™ 2005 Mobile Edition (SQL Mobile) on Windows Mobile-powered Pocket PCs to provide application and file-level security. SQL Mobile can store local information in password-protected, encrypted database files. The information can be accessed, viewed, and modified only by a user who supplies the correct credentials and has the appropriate user rights.


Network Security

With mobile devices becoming more versatile and able to store and transmit large amounts of data, the risk of these devices introducing malicious code or viruses to a network has increased dramatically. Windows Mobile 5.0 software can take advantage of advanced authentication technology to help ensure network resources stay protected when accessed from mobile devices.

Microsoft certificate technology

Windows Mobile software supports the X.509 digital certificate format, which enables network administrators to apply enterprise-level certificate standards to Windows Mobile devices using Microsoft PKI. The following applications use certificates for most Windows Mobile-powered devices:

Microsoft Pocket Internet Explorer for Secure Sockets Layer (SSL) connections for Pocket PCs.

Microsoft Exchange Server 2003 for SSL over-the-air and server-based synchronizations.

802.1x Extensible Authentication Protocol / Transport Layer Security for wireless connections.

Network administrators can control where certificates are stored, locally or on removable media such as a smartcard or token. This control helps prevent certificate information and associated privileges from being used by unauthorized users should the mobile device be stolen or lost. Windows Mobile includes root certificates for major certificate authorities (including Microsoft, Entrust.net, Equifax, GlobalSign, GTE Cybertrust, Thawte, and Verisign). Optionally, administrators can control which certificate authorities are trusted by modifying the list of trusted root certificates on the device using the appropriate tool:

Addrootcert.exe to install root certificates on Pocket PC 2002 and Pocket PC Phone Edition 2002 devices.

Spaddcert.exe to install root certificates on Windows Mobile-powered Smartphones.

Certinst.exe to install root certificates on Windows Mobile-powered Pocket PC and Pocket PC Phone Edition devices.

Virtual Private Network

Windows Mobile-powered devices can connect to corporate networks through secured VPNs. Windows Mobile software not only supports traditional Point-to-Point Tunneling Protocol (PPTP) VPN connections, but also allows employees and network administrators to create VPN connections that use Layer Two Tunneling Protocol (L2TP) technology with IP Security Protocol (IPSec) encryption, which uses client certificates to authenticate connections.

VPN software can apply a number of supporting technologies to help protect data traveling over VPNs from Windows Mobile-powered devices. These technologies include public key certificates, pre-shared keys, encryption, and the Internet Key Exchange protocol, which supports authentication and key exchange using the Diffie-Hellman algorithm. When these technologies are used in combination, network administrators can create VPN connections that provide multiple layers of security to authenticate sender and recipient credentials and protect data and the communication lines it travels over.

Extensible Authentication Protocol

Windows Mobile-powered Pocket PCs can also create VPN connections by using the Extensible Authentication Protocol (EAP). The feature provides a layer of protection for communication between mobile devices and enterprise networks that use Protected Extensible Authentication Protocol (PEAP) authentication methods and Transport Layer Security (TLS) encryption to create a security-enhanced channel of communication.

Information Service Encryption

For employees who use Microsoft ActiveSync® technology to connect to e-mail, calendar, and personal contacts applications, Windows Mobile software supports Microsoft Exchange ActiveSync features that can create a protected connection to the company’s Microsoft Exchange Server 2003. With Exchange ActiveSync, network administrators can allow, or require, Windows Mobile-powered devices to create SSL-encrypted connections with Exchange Server 2003. By default, SSL-encrypted connections are 128-bit.

Employees who use Pocket Internet Explorer to retrieve personal information, for example through Microsoft Outlook® Mobile Access, can also create 128-bit SSL connections with Web servers, and use Hypertext Transfer Protocol over SSL (HTTPS). Wireless Transport Layer Security (WTLS) handles Wireless Application Protocol (WAP) security for mobile devices when employees connect to WAP-enabled Web sites. WTLS class 2, which provides server authentication with encryption, is also supported.

Wireless Security

Wireless security is important to consider when implementing mobile devices as part of an enterprise-level network. Most mobile devices offer some type of wireless connectivity to both public and private wireless access points. Eavesdropping and “packet sniffing” (intercepting and inspecting data packets by using software or hardware devices) have become major threats to users of public and, sometimes, private wireless connections.

Windows Mobile-powered devices include support for wireless connections and can be configured to work with multiple enterprise-level wireless protection technologies, including the 802.1x protocol, Wireless VPN, and Wired Equivalent Privacy (WEP) wireless encryption.

VPN over Wireless Networks

Because Windows Mobile includes native support for VPNs, mobile users can feel safer when using 802.11-based connections to communicate with a corporate network, using the same VPN technologies available to wired clients. With VPN security for wireless connections, employees are provided with user authentication and a strongly encrypted connection. In addition to the built-in support for PPTP and IPsec/L2TP VPNs in Windows Mobile, many third-party vendors offer Windows Mobile VPN clients for specific proprietary VPN implementations.

802.1x encryption and authentication

The standard typically used for wired networks, the Institute of Electrical and Electronics Engineers’ (IEEE) 802.1x, has been adapted to provide wireless network encryption and authentication services. The 802.1x standard offers better wireless security than traditional WEP or nonsecured networks for large organizations to protect and control access to network resources. The protocol defines port-based network access control by using the physical characteristics of the switched LAN infrastructure to authenticate devices attached to a LAN port. Access to the port can be denied if the authentication process fails.

Windows Mobile-powered devices support wireless 802.1x authentication standards for wireless connections. A typical 802.1x-protected network will use EAP-TLS, in which all of the EAP-protected exchanges are secured by the TLS protocol. Depending on existing network resources, network administrators can include a number of 802.1x-supported security technologies, including usernames and passwords, certificates, smartcards, or biometrics, to protect mobile devices.


WEP Wireless Encryption

Windows Mobile-powered Pocket PCs and Smartphones also support WEP wireless security, which uses a pre-shared wireless key to encrypt wireless connections. WEP provides the least amount of wireless security for mobile devices, and the technology’s security flaws have been well documented. WEP-based wireless connections can be used in combination with a more secure authentication method, such as a VPN connection.

Wi-Fi Protected Access (WPA)

WEP encryption is generally acknowledged as weak because there are a number of practical attacks that allow passive eavesdroppers to recover WEP encryption keys. For that reason, Microsoft and its partners have aggressively moved to support the Wi-Fi Protected Access (WPA) standard. WPA offers stronger cryptographic protection than WEP; the Windows Mobile implementation of WPA supports use with an 802.1x authentication server or with pre-shared keys.

Third-party Wireless Wide Area Networks

Many Windows Mobile-powered Smartphones and Pocket PC Phone Edition devices connect to voice and data wireless wide area networks (WWANs) provided by mobile operators. The technology used to connect to these WWANs is embedded in the device, and varies according to the device manufacturer and mobile carrier. Most devices support either Global System for Mobile communication (GSM)/General Packet Radio System (GPRS) or code-division multiple access (CDMA)/1xRTT technology.

With these WWAN connections, mobile users can connect to the Internet and then to corporate networks and e-mail accounts. Because of this extensive connectivity, many of these service providers allow mobile users to take advantage of network security features for mobile devices, such as SSL- and VPN-based connection protocols and technologies. For devices that connect to network resources using third-party carriers, network administrators should make sure that all security settings and technologies required to connect to network resources will be supported by these carriers. Network access should be denied to mobile users who connect without meeting these security requirements.


Scenarios

The following section describes usage scenarios for employees who connect to corporate networks by using a Windows Mobile-powered Pocket PC or Smartphone.

Connecting to a Corporate Network using 802.1x and EAP-TLS

With Windows Mobile-powered devices, employees can easily connect to their corporate Windows-based network by using a wireless connection secured by the 802.1x protocol with EAP-TLS to link their mobile device to the network.

The most common reason that employees connect to the network is to retrieve personal e-mail and calendar information. To do so, an employee first accesses his or her device by entering a password or SIM lock code. If the password or lock code is incorrect, access to the device will be denied. When access has been granted, the employee can use the Microsoft Connection Manager to establish a VPN connection to the company’s corporate network. Network administrators can also integrate smartcard or biometric modules onto mobile devices to provide a two- or three-factor authentication process.

As shown in Figure 2, when an employee is connected to an 802.1x-protected wireless access point, the network authenticates access against the mobile device’s machine certificate. Wireless encryption is handled by using dynamic WPA keys that change on a predetermined time frame. Because WPA keys are changed at predetermined time intervals and authentication is controlled with machine certificates, the threat of an unauthorized user stealing local data, WPA keys, or user credentials over the wireless connection can be dramatically reduced.

Figure 2. Connecting to a Microsoft Windows network using 802.1x with EAP-TLS
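Added example (not code from the white paper or from Microsoft) serving both the 802.1x section above and this scenario: a small model of port-based network access control in which the controlled port forwards only EAPOL frames until an EAP-TLS authentication server accepts the device's machine certificate, and of the periodic WPA session-key rotation. The authentication server, CA names, certificate records, revocation list, and the 3600-second rekey interval are constructed assumptions; a real deployment validates complete X.509 chains rather than these stand-in records.

```python
from dataclasses import dataclass
from datetime import date
import secrets


@dataclass(frozen=True)
class MachineCert:
    """Minimal stand-in for the X.509 machine certificate presented during EAP-TLS."""
    subject: str
    issuer: str
    not_before: date
    not_after: date
    serial: int


class AuthenticationServer:
    """RADIUS-style EAP-TLS back end that trusts only an explicit list of issuers."""

    def __init__(self, trusted_issuers, revoked_serials, today: date):
        self.trusted_issuers = set(trusted_issuers)   # the administrator's trusted root list
        self.revoked_serials = set(revoked_serials)   # e.g. certificates of lost devices
        self.today = today

    def verify(self, cert: MachineCert):
        """Return (accepted, reason) for a presented machine certificate."""
        if cert.issuer not in self.trusted_issuers:
            return False, "issuer not in trusted root list"
        if not (cert.not_before <= self.today <= cert.not_after):
            return False, "certificate outside its validity period"
        if cert.serial in self.revoked_serials:
            return False, "certificate revoked"
        return True, "accepted"


class ControlledPort:
    """802.1x authenticator port: passes only EAPOL until authentication succeeds."""

    def __init__(self, server: AuthenticationServer, rekey_interval_s: int):
        self.server = server
        self.rekey_interval_s = rekey_interval_s  # WPA key lifetime (assumed value)
        self.authorized = False
        self.session_key = None
        self.key_age_s = 0
        self.log = []

    def forward(self, frame: dict) -> bool:
        """Return True if the port forwards the frame onto the LAN."""
        if frame["type"] == "EAPOL":
            ok, reason = self.server.verify(frame["cert"])
            self.authorized = ok
            self.session_key = secrets.token_bytes(16) if ok else None
            self.key_age_s = 0
            self.log.append(f"{frame['cert'].subject}: {reason}")
            return True  # EAPOL is accepted even while the port is unauthorized
        return self.authorized  # all other traffic is dropped until authorized

    def tick(self, seconds: int) -> bool:
        """Advance time; rotate the session key once its lifetime is exceeded."""
        if not self.authorized:
            return False
        self.key_age_s += seconds
        if self.key_age_s >= self.rekey_interval_s:
            self.session_key = secrets.token_bytes(16)
            self.key_age_s = 0
            return True
        return False
```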


Connecting through a Wireless Hotspot or Third-party WWAN

If the same employee wants to access the corporate network from a wireless hotspot (for example, in a coffee shop), or through a third-party WWAN, security features built into Windows Mobile software allow her access with increased security, as well. Depending on the type of wireless connection, the employee can connect to her corporate account and maintain a high level of security. For example, if she connects while using a wireless hotspot in a coffee shop that uses no type of wireless protection, she can connect to her corporate network by using her VPN connection. Data sent over the VPN connection is encrypted, and Internet access is made available through the corporate proxy server rather than the hotspot’s local router.

Figure 3. Mobile connection to a corporate network using a third-party WWAN

Connecting by using Exchange ActiveSync

Alternatively, the employee can access her e-mail account by using Exchange ActiveSync, which will allow her to send and receive e-mail, calendar, contact, and task data through Exchange servers on the corporate network. Exchange ActiveSync connections are protected with 128-bit SSL encryption.

With Exchange ActiveSync, her e-mail, calendar information, and other Exchange-based features can be accessed quickly from off-site locations. She can create a synchronization schedule for working hours (peak), non-working hours (off-peak), and while roaming. Synchronization can be set to occur automatically from as often as every five minutes to as seldom as every four hours for each of these “profiles”, or even to only occur when manually invoked. Alternatively, synchronization can be set to occur when a new message arrives at the Exchange Server 2003 computer for any of these “profiles”. When a new message arrives in her Inbox, Exchange Server 2003 sends an SMS message notification to the employee’s mobile device. Upon receiving this message, the mobile device automatically synchronizes with Exchange Server 2003 and updates her mobile device.

With Exchange Server 2003 Service Pack 2 and the Messaging and Security Feature Pack (MSFP) for Windows Mobile 5.0, users can use the new Direct Push technology to receive pushed e-mail as it arrives at the server, without waiting for a scheduled synchronization. MSFP devices maintain a latent TCP/IP connection to the Exchange Server computer, allowing quick e-mail updates without requiring synchronization on a fixed schedule and without the use of Short Message Service (SMS) messages to force the device to pull e-mail.

If her corporate network includes Microsoft Internet Security and Acceleration (ISA) Server 2004 and PKI, network administrators can easily configure ISA Server 2004 to allow incoming requests from mobile devices to maintain existing security policies for incoming Web traffic. With certificate services, the employee’s user information is verified against the company’s CA server. With proper authentication and a secured line of communication, the employee can access network resources directly from her mobile device. However, if authentication cannot be verified, access to all network resources will be denied.

Exchange Server 2003 also supports the use of RSA's SecurID authentication mechanism to provide two-factor authenticated access to electronic mail. The RSA SecurID Server product supports caching authentication information so that users are not prompted for their SecurID authenticator at each synchronization.


Conclusion

Microsoft Windows Mobile software employs a multiple-layer approach to security that allows network administrators to take advantage of existing Windows technologies to deploy and help protect networks that include mobile devices. As a result, network administrators can provide feature-rich mobile applications with a high level of security to workers so that businesses can fully realize all the benefits of a mobile work force, including increased productivity, real-time information sharing and communication, and extended access to information from remote or dynamic locations.

Additional technical and business-oriented information can be found at the Windows Mobile Business Homepage.


Appendices

Appendix A: Supported Encryption Algorithms

Windows Mobile 5.0 software is certified to meet the standards of Federal Information Processing Standard (FIPS) 140-2, the US Government set of requirements for products that securely handle data for government applications.

Algorithm                            Base            Enhanced
RSA Key Exchange                     512 bit         1024 bit
RSA Signature                        512 bit         1024 bit
RC2 block                            40 bit          128 bit
RC4 stream                           40 bit          128 bit
Advanced Encryption Standard (AES)   128 bit         256 bit
RC5 block                            Not Supported   128 bit
DES                                  Not Supported   56 bit
Triple DES (2-key)                   Not Supported   112 bit
Triple DES (3-key)                   Not Supported   168 bit
Secure Hash Algorithm-1 (SHA-1)      160 bit         160 bit

In addition, Windows Mobile 5.0 supports several of the Public Key Cryptography Standard (PKCS) algorithms, including: PKCS#1 for signing and encrypting data; PKCS#7 for creating and verifying signed and encrypted messages (including embedded certificates); PKCS#10 for requesting and processing certificates; and PKCS#12 for securely storing certificates and their associated private key data. Windows Mobile 5.0 also includes full support for creating, verifying, and processing S/MIME messages.

Appendix B: Network Security Terminology and Definitions

3DES – Triple Data Encryption Standard

A block cipher: the original text is separated into fixed-length blocks, each of which is encrypted with a key; the available key strengths differ. 3DES applies DES (64-bit blocks and a 56-bit key) three times in succession with different keys, giving strength equivalent to a 168-bit key. AES (Advanced Encryption Standard) is considered the successor to DES.

DES is a U.S. Government standard created to protect unclassified data.

Biometrics

Using a factor based on physical identity as part of an authentication sequence. Common biometric technologies include fingerprint readers, iris scanners, and hand geometry readers.

Smartcard

Credit card or SIM card-sized device for storing security certificates and small amounts of information (such as passwords, business data, financial account data, personal medical data, or airline and hotel loyalty program data). Smartcards do their own cryptographic processing, so they can securely hold sensitive information like signing keys without exposing them to the outside world. Smartcards are often used as an additional authentication factor, requiring users to both have the card and know the associated PIN.


802.1x

A standard published by the Institute of Electrical and Electronics Engineers (IEEE) for port-based network access control. 802.1x is used to provide authenticated network access and encryption for Ethernet networks and wireless local area networks such as 802.11b.

EAP-TLS – Extensible Authentication Protocol - Transport Layer Security

A method for authenticating users and encrypting data associated with the 802.1x wireless LAN security standard.

VPN – Virtual Private Networking

Using the Internet as a pass-through mechanism to access a private network.

Some enterprises use VPN gateways (from companies like Alcatel, Avaya, Check Point, Cisco, Hewlett-Packard, Intel, Lucent, Netscreen, Nortel Networks, Radguard, Secure Computing, and Symantec) that utilize the IPSec tunnel mode protocol. PPTP and IPSec L2TP are additional VPN standard protocols used in the Microsoft Windows server platform and in other VPN gateways from companies such as Cisco.

SSL – Secure Sockets Layer

Industry standard method for protecting Internet communications. The SSL security protocol provides data encryption, server authentication, message integrity, and optional client authentication for a TCP/IP connection. SSL has been renamed to TLS by the IETF standards body.

WTLS – Wireless Transport Layer Security

Encryption based on SSL that is used with Wireless Application Protocol (WAP) phone-Internet service.

PKI – Public Key Infrastructure

Digital certificates designed to provide strong user authentication, ensure integrity of transmitted data, assist with transaction integrity, and encrypt data.

S/MIME – Secure/Multipurpose Internet Mail Extensions

Digitally signed and encrypted e-mail using certificates.

S/MIME is being phased in as a requirement by the U.S. Dept. of Defense, U.S. government contractors, and other international government organizations.

S/MIME is fully supported by Windows Mobile 5.0 devices.