Home | Business News | Browse by Publication | J | Java Developer's Journal

Wireless Java security: understanding the issues. (J2ME).

Article Excerpt
The need for wireless security is often motivated by the image of a teenage hacker driving by and stealing your data with a mobile scanner. While such sensationalist ideas make good copy, the simple fact is that, wireless or not, serious business applications do not get deployed on the Internet today without security. So if you are thinking of using your cell phone for something other than playing Tetris or downloading the latest Britney Spears ringtone, you'll need to give some thought to how you might secure access to your business applications.

What is Security?

When we speak of "secure communications," what do we actually mean? Essentially, we are trying to ensure that data sent across these connections has the following properties:

* Confidentiality: Only the legitimate sender and receivers can obtain the content of a message sent across the connection.

* Integrity: The receivers are assured that messages are not modified in transit.

* Authentication: The sender of the message is who the receivers expect it to be (and/or vice versa).

These properties are usually achieved through a combination of various cryptographic techniques. While the details of these aren't terribly important for our purposes, it is useful to divide these techniques into two categories:

1. Symmetric key cryptosystems: Both the sender and receiver share the same keys.

2. Public key cryptosystems: The sender and receiver each have different keys (one called the public key and the other the private key).

Public key cryptosystems are extremely useful for Internet applications; unlike symmetric key systems they can be used to establish secure communications without requiring any prior relationship between the sender and receiver. However, they have a significant drawback--one that is particularly problematic for constrained devices such as cell phones--they require large amounts of computational power. This is a severe limitation on constrained platforms such as cell phones. To save on the cost and to increase the battery life of the device, CPU power is deliberately limited. This means that public key cryptography is typically only used to establish the initial connection (which can take anywhere from a few seconds to minutes on a low-powered device), and subsequent communication is secured using considerably faster symmetric key techniques.

An important concept provided by public key cryptography is a digital signature. It uses a private key to authenticate data in such a way that it can be verified by anyone with access to the public key. If only one user has access to the private key, this can be used to authenticate that user and also provide integrity protection of the signed data.

A final point to make about public key cryptosystems is that they require a mechanism to distribute public keys securely to users. This is done by using a certificate that contains the public key and is digitally signed by a third party called a Certification Authority whose public keys are known. Certificates can also be used to authenticate other certificates so they can be chained together back to a trusted root certificate.

Secure Sockets Layer

SSL is a protocol that is typically used in Internet applications...

View this article FREE - Now for a Limited Time, try Goliath Business News
Free for 3 Days!