Wireless PKI Implementation


The following section provides examples of PKI implemented in wireless environments. The field of wireless PKI is nascent, but promising technology is already emerging.

Example: Entrust Secure Web Portal Solution

Our neighbor Entrust (http://www.entrust.com) is a global company based near us in Dallas, TX, which is yet one more reason why it is said that Dallas is the information security capital of the world. Entrust's solutions provide a useful example of a wireless PKI implementation. Entrust provides a "Secure Web Portal Solution" that it bills as a single doorway to online services. This solution is designed to protect the content, applications, and data an organization provides via its Web portal, regardless of the user's chosen display device. We give an overview of their solution here, included with Entrust's permission and kind assistance.

The Entrust Secure Web Portal solution uses both wired and wireless techniques for authentication. Authentication approaches include the following:

  • Basic security with username/password

  • Enhanced security with digital signature login

  • Enhanced security with 2nd factor authentication

After the system identifies the user, the portal allows personalized access to information based on user identities. For portals supporting e-commerce, this system provides transaction confirmation by way of both basic and enhanced security mechanisms.

One of the greatest challenges of such an implementation is integration. Users expect single sign-on access to multiple applications, some of which third parties provide. Mobile commerce requires integration to business logic and legacy systems, such as database and billing systems. Throughout the various levels, the solution must maintain user identity. Unfortunately, each integration point opens the door for breakdown or attack.

Entrust's approach is to pre-integrate third-party proprietary applications, which come from certified "Entrust Ready" enterprise vendors including PeopleSoft, SAP, Adobe, Ariba, i2, Accelio (formerly JetForm), Shana, Tibco, and so on. Although not as catholic or robust as an open source system, this solution nevertheless provides guaranteed compatibility.

Entrust's GetAccess Mobile Server extends its authentication scope by providing individualized Web access via wireless devices. This Mobile Server offers several authentication options.

Basic Security with Username/Password

With the GetAccess server (Figure 15.1), administrators define protected areas of their Internet content. When an unauthenticated user attempts to access a protected area, the GetAccess Runtime intercepts the request and redirects the user to a login screen.

Figure 15.1. GetAccess server.


When the user completes the login process, GetAccess returns a set of credentials in the form of secure encrypted cookies, which are stored in the user's browser. For devices that do not support cookies, such as many wireless devices available today, the GetAccess Mobile Server acts as a proxy, storing the cookies and sending them to GetAccess as needed.

By default, the login screen requests a username and password. With the GetAccess Mobile Server, users gain access with the same username and password, regardless of the device they use to access the portal.

Digital Signatures

Basic username/password login security solutions suffer from the limitations of the input keypad of many wireless devices. Entering the alphanumeric usernames and passwords can be tedious and time consuming, which has a negative impact on user experience, and can limit their use of the application.

Digital signature login provides an elegant solution. With digital signature login, when an unauthenticated user attempts to access a protected resource, the portal returns a digital signature request. To perform the signature, the user enters the 4-digit numeric PIN code used to unlock their signature certificate. Because the same PIN code is used for all digital signatures, this PIN is both easier to remember and easier to enter than a username and password. Digital signature login is also more secure than username/password, because no user secrets are ever sent over the air, and a digital signature is resistant to forgery.
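To make the login flow above concrete, here is an added Go sketch of the portal side of a challenge/response signature login; it is illustrative code written for this section, not Entrust's GetAccess implementation. It assumes a random nonce as the signature request, Ed25519 as the user's signature key (standing in for the key behind the signature certificate), a 2-minute challenge lifetime, and constructed user names; the PIN step stays on the handset, which is exactly why no secret crosses the air.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"time"
)

var Users = map[string]ed25519.PublicKey{} // username -> public key from the user's certificate (assumed design, not Entrust code)
var Challenges = map[string]time.Time{}   // outstanding nonce -> expiry; an entry is removed once consumed

// Enroll issues the user's signature key pair and records the public half, standing in for certificate issuance.
func Enroll(user string) (ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	Users[user] = pub
	return priv, nil
}

// NewChallenge is what the portal returns instead of a username/password form: a fresh, time-limited random nonce.
func NewChallenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	Challenges[string(nonce)] = time.Now().Add(2 * time.Minute)
	return nonce, nil
}

// DeviceSign models the handset: the PIN unlocks the private key locally; only the signature goes over the air.
func DeviceSign(priv ed25519.PrivateKey, nonce []byte) []byte {
	return ed25519.Sign(priv, nonce)
}

// Login verifies the signature over the nonce. A uniform error hides which check failed,
// and a consumed nonce is deleted so a captured signature cannot be replayed.
func Login(user string, nonce, sig []byte) error {
	pub, known := Users[user]
	expires, open := Challenges[string(nonce)]
	if !known || !open || time.Now().After(expires) || !ed25519.Verify(pub, nonce, sig) {
		return errors.New("login refused")
	}
	delete(Challenges, string(nonce))
	return nil
}
```

The same exchange is what the later "2nd Factor Authentication" section delivers as a digital signature request via WAP Push; only the transport differs.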

2nd Factor Authentication

2nd factor authentication solutions use an out-of-band delivery mechanism to provide additional user identification. Traditional solutions require SecurID tokens or smart cards. The Entrust solution leverages the user's existing wireless devices to provide the same level of security, but with improved convenience and at a lower cost per user.

With Entrust's 2nd factor authentication, a user initiates the login process by entering login information such as a username and password into a Web browser. The Entrust Secure Web Portal supports two options for what can happen next:

  1. The portal generates and sends a one-time PIN code.

    The Entrust Secure Web Portal can be configured to generate and send a one-time PIN code via the user's preferred messaging strategy. The portal supports mobile phones (via SMS), pagers, both instant and email messaging, and is expandable to support additional techniques as they become available. After sending the PIN code, the portal returns a page to the user's Web browser requesting the PIN code to complete the login.

  2. The portal generates and sends a digital signature request.

    The Entrust Secure Web Portal can be configured to send a digital signature request, for example via WAP Push, to the user's wireless device. After sending the request, the portal returns a page to the Web browser that provides a link to the protected resource and a message indicating that the resource will become available when the user has performed and returned the digital signature.
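As an added illustration of option 1, not Entrust's code, the following Go sketch shows the portal side of the one-time PIN step. It assumes a 6-digit PIN drawn from crypto/rand, a 5-minute lifetime, a three-attempt limit, and a caller-supplied send function standing in for the SMS, pager, instant-messaging or e-mail channel; the Pending map and the user names are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// PendingPIN is the portal's record of a one-time PIN sent after the username/password step (assumed design, not Entrust code).
type PendingPIN struct {
	Hash     [32]byte // only a hash of the PIN is kept server-side
	Expires  time.Time
	Attempts int
}

var Pending = map[string]*PendingPIN{} // username -> outstanding PIN

// IssuePIN draws a 6-digit code from crypto/rand, stores only its hash with a 5-minute lifetime, and passes the plaintext to send (the user's chosen channel: SMS, pager, IM or e-mail).
func IssuePIN(user string, send func(user, pin string) error) error {
	n, err := rand.Int(rand.Reader, big.NewInt(1000000))
	if err != nil {
		return err
	}
	pin := fmt.Sprintf("%06d", n.Int64())
	Pending[user] = &PendingPIN{Hash: sha256.Sum256([]byte(pin)), Expires: time.Now().Add(5 * time.Minute)}
	return send(user, pin)
}

// VerifyPIN completes the login: constant-time match, unexpired, at most three tries; success or lockout consumes the record.
func VerifyPIN(user, pin string) error {
	p, ok := Pending[user]
	if !ok || time.Now().After(p.Expires) {
		delete(Pending, user)
		return errors.New("no valid PIN outstanding")
	}
	p.Attempts++
	h := sha256.Sum256([]byte(pin))
	if subtle.ConstantTimeCompare(h[:], p.Hash[:]) != 1 {
		if p.Attempts >= 3 {
			delete(Pending, user) // lockout: the user must start over and a fresh PIN is issued
		}
		return errors.New("wrong PIN")
	}
	delete(Pending, user) // single use
	return nil
}
```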



Maximum Wireless Security
ISBN: 0672324881
Year: 2002
Pages: 171
