Attention to wireless security concerns emerged as the de facto theme of this year’s RSA Security Conference in San Jose, Calif., where several internationally recognized corporate security software firms stated their intention to concentrate on the wireless industry going forward.
“Everybody has made the leap that there’s going to be a wireless front-end to that Internet world. It’s mandatory now,” said Verne Meridith, vice president of sales and marketing at Diversinet Corp. “All anybody is talking about is wireless. It’s the theme of the conference.”
Diversinet is one of the few security companies that has focused specifically on wireless e-commerce security technology from the beginning. Sonera SmartTrust Ltd. is another. While their early concentration on wireless has given them a significant head start, the RSA Security Conference heralded the end of this exclusivity.
Entering the wireless space
Traditional landline security firms like VeriSign Inc., Baltimore Technologies Inc., Entrust Technologies Inc. and RSA Security all made announcements relating to wireless e-commerce security concerns. Besides adding to the competition, their interest validates the growing importance of wireless data.
Making the loudest entry into the wireless space was VeriSign, announcing partnerships, alliances and new products and technologies with several wireless firms, including Motorola Inc., InfoSpace.com Inc., Gemplus, Research In Motion Ltd., BellSouth Wireless Data L.P. and Sonera SmartTrust.
VeriSign is a leading provider of what is called Internet trust services. It provides authentication services through digital certificates, validation and payment solutions for Internet commerce applications.
“I think we used the show as an opportunity to lay out our road map in the wireless space and showcase new technologies,” said Anil Pereira, vice president, Internet Securities Group. “We used this as our opportunity to come out in full force.”
The keystone of this charge is VeriSign’s Wireless Personal Trust Agent technology-a micro client code that enables the use of certificates in the wireless space. The code defines the system by which certificates are requested and revoked.
Leading the string of announcements was VeriSign’s agreement with Motorola, a Memorandum of Understanding stating that Motorola will incorporate the Wireless Personal Trust Agent-based security architecture into wireless devices.
The two also said they will jointly fund the development of security products like server-side solutions supporting the Wireless Application Protocol using the Wireless Transport Layer Security standard, end-to-end client authentication solutions and directory and validation services. Also included are encryption services for transmissions between devices and gateways, nonrepudiation of transactions and payment settlement services.
“Motorola and VeriSign are going to push forward this product, which anybody can build on top of,” Pereira said.
BellSouth Wireless Data said it tapped VeriSign to develop a complete wireless public key infrastructure solution for wireless e-commerce transactions on its Intelligent Wireless Network. BSWD said it plans to use VeriSign’s trust services to perform authentication services, encryption and validation between businesses and end users.
Also, the two hope to create a wireless PKI toolkit and application programming interface developers may use to add security features to applications written for BSWD’s network.
VeriSign also formed partnerships with InfoSpace for secure targeted promotions and one-click buying services, as well as with RIM and Sonera to embed its security features with their products.
In addition, VeriSign and InfoSpace teamed with Gemplus, a smart-card solution provider, to add encryption and digital certification to short message service and subscriber identity module application toolkits.
Pereira said the agreements “clearly show we have a good set of partners. We can’t build out this trust infrastructure by ourselves.”
However, most of VeriSign’s news announcements were exactly that-announcements. The only products available to wireless carriers and developers today are tools and toolkits for application developers and a certificate for WAP servers. In the next few months, Pereira said the company will roll out certificate services for both enterprise and network operator servers.
Wireless challenges
Those traditionally focused on wireline Internet security features face several challenges when addressing the wireless space. Besides the low processing power and bandwidth restrictions inherent in wireless devices, Pereira said network carriers represent a middleman not present in wireline Internet e-commerce.
“With wireless, you have a network operator in the middle,” he said. “Your wireless operator picks the services you get. They are the ones who instigate the session between you and that business.”
Essentially, security companies have to find an extra chair to seat this third addition to the e-commerce table.
VeriSign plans to do this by issuing digital certificates at the network server, which interacts with the private key existing on the user’s device.
Diversinet, however, claims it has the only solution that authenticates the user all the way to the device.
Server-side authentication “still can’t sign the certificate,” Meridith said. “Nonrepudiation is still an issue.”
The company introduced an enhanced version of its Passport Certificate Server 3.0 at the show, which includes support for the Palm operating system. It also introduced its Digital Permit Server 2.0, specifically designed for wireless applications.
The certificate server issues digital certificates for authentication purposes, while the permit server attaches permissions to the digital certificate. This allows for such e-commerce uses as coupons, essentially allowing the merchant to sign the coupon electronically.
“The certificate is your identity,” Meridith said. “The permits are the cards in your wallet, whatever would be personalized to you individually. Permissions coordinate where you can go and what you can do.”
SensCom Inc. signed a letter of intent to license and integrate the Passport Certificate Server and Digital Permit Server product in its wireless Internet e-commerce services and applications.
Other wireless related announcements at the show include:
Digital Signature Trust Co. demonstrated its secure wireless e-mail system at the convention, using BlackBerry devices from RIM integrated with Diversinet’s client/server security solution.
Cipher Inc. announced it is working with Sonera SmartTrust to add nCipher’s security and transaction solutions to Sonera’s PKI e-commerce applications.
RSA Security said it will use VeriSign’s wireless trust and validation services, in return for RSA supplying VeriSign with software security tools for wireless developers.
Entrust Technologies said RIM will integrate its e-commerce security solutions in BlackBerry wireless devices.
