Mobile's Cryptography Conundrums - InformationWeek
10:54 AM
[Dark Reading Crash Course] Finding & Fixing Application Security Vulnerabilitie
Sep 14, 2017
Hear from a top applications security expert as he discusses key practices for scanning and securi ...Read More>>

Mobile's Cryptography Conundrums

Two RSA presentations--one by NSA and one by Cryptography Research experts--show lack of maturity in mobile ecosystem.

Immaturity in mobile device hardware and operating system environments is holding back organizations' deployments of strong cryptographic protections around mobile applications, according to a pair of unrelated presentations at the RSA Conference last week.

In one instance, the National Security Agency (NSA) discussed how difficult it was for the government to tweak commercially available devices to conform to government cryptographic standards. And in another case, a pair of experts from the firm Cryptographic Research showed a demonstration of how mobile devices are radiating cryptographic keys for sensitive applications such as payment applications through wireless transmissions.

"Why is this so hard? We tried very hard to just stick with the standards and build a component-based infrastructure using what we think are the industry standards now, and yet at every point we ran into little gotchas," said Margaret Salter, technical director for the fusion, analysis and mitigations group within the Information Assurance Directorate of the NSA. "So I'm really hoping I can engage industry and everybody to sort of push together for this standards-based idea so that it's easier for everybody to build a system like this."

[ Catch up on our complete RSA 2012 Security Conference coverage. ]

Salter's much-attended discussions--so much so there was an encore presentation--walked the audience through the NSA's process of creating an architecture where it could encrypt voice and data over commercial 3G and 4G networks using commercially available phones. According to her, the genesis of the project came due to the rapid advancement of mobile handsets and tablets that far outpaced the NSA's ability to create its own homebrew devices, which in years past was its mobile strategy.

"We were looking at regular tablets and regular smartphones and trying to figure out some way of creating an architecture where those phones could be used to protect some of our most classified information," she said, explaining that one of the first applications most important to the agency was voice over IP. "So we consider voice as a data connection and we looked for the secure protocol we could use to connect that up to our backend infrastructure and terminate that on some sort of SIP server or unified communications server, and we also encrypted that. And that's how we get what we call double-tunneling. And that's basically been our guiding principles for creating an architecture for mobility."

Read the rest of this article on Dark Reading.

Security professionals often view compliance as a burden, but it doesn't have to be that way. In this report, we show the security team how to partner with the compliance pros. Download the report here. (Free registration required.)

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
3/9/2012 | 5:25:19 PM
re: Mobile's Cryptography Conundrums
It's probable that the difficulty the NSA had here is going to discourage other organizations from trying the same thing for the time being.

Brian Prince, InformationWeek/Dark Reading Comment Moderator
How Enterprises Are Attacking the IT Security Enterprise
How Enterprises Are Attacking the IT Security Enterprise
To learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Register for InformationWeek Newsletters
White Papers
Current Issue
2017 State of IT Report
In today's technology-driven world, "innovation" has become a basic expectation. IT leaders are tasked with making technical magic, improving customer experience, and boosting the bottom line -- yet often without any increase to the IT budget. How are organizations striking the balance between new initiatives and cost control? Download our report to learn about the biggest challenges and how savvy IT executives are overcoming them.
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Flash Poll