Baltimore Technologies - security on the move


M-commerce is set to be the next growth area. But with commerce on the move come security risks. What is needed is Public Key Infrastructure security for the wireless marketplace.

The Wireless World
Mobile phones are becoming more than just voice devices. With the ever-increasing availability of data-enabled phones, the possibility is opening up for new and innovative applications. Personal Digital Assistants (PDAs) will soon have wireless connectivity as standard, enabling anywhere, anytime, access to the Internet. The promise of being able to connect millions of mobile subscribers to providers of goods and services has many wireless operators and financial analysts expecting m-commerce to be one of the next major growth opportunities.

The main cause for optimism is the forecasted surge in mobile Internet users, which will underpin the growth in m-commerce. There is plenty of reason to believe the forecasts will soon become a reality, as there are already over 500m mobile devices worldwide, with 1bn forecast by 2003. More importantly, it is predicted there will be more than 30m wireless devices with Internet access in circulation by 2001. This will lead to mobile Internet users outnumbering their fixed-line counterparts from 2003. Durlacher, the Internet investment group, predicts the European m-commerce market will be worth 23bn Euro by 2003.

Before the goal of secure m-commerce for all wireless users can be attained, there are a number of challenges to be overcome. The mobile device needs to develop into more than either a mobile phone or a PDA: it must become a Personal Trusted Device (PTD), with the capability to enable new applications and services, such as banking, payments, and ticketing. This aim is helped by the personal nature of the devices, and the provision, in most wireless devices, of tamper-resistant storage capacity in the guise of a Subscriber Identification Module (SIM) card. The usability constraints imposed by limited storage capacity, current slow connection speed, and the lack of a keypad also need to be borne in mind.

Securing the Mobile Environment
A secure platform for m-commerce will provide the wherewithal to allow the predictions for the mobile marketplace to be met. It is imperative that consumers and businesses feel confident that information transmitted over the wireless networks is protected. The explosive growth forecast for mobile transactions will fail to materialise unless users can trust the mobile device, feel confident their data is safe from unauthorised viewing, know that whoever they are communicating with is who they believe it to be, and know that any agreements made are binding. The needs of secure m-commerce can be summed up by the following four requirements:
  • Integrity - information transmitted has not been tampered with
  • Confidentiality - communications should be private, and only read by the intended recipient
  • Authentication - corroborating the identity of the entity being communicated with
  • Non-repudiation - agreements entered into are legally binding.

All organisations working within this emerging m-commerce channel have the responsibility of making sure transactions are secure from end-to-end. The challenge for the wireless providers is both technical and promotional. It is important that user perception about the mobile environment, as a secure place to conduct business, is maintained and enhanced. The rush to get m-commerce offerings into the marketplace should not override the need to avoid breaches in security, which could set back already fragile consumer confidence. The on-going debate about the safety of personal information on the Internet gives an indication of the strength of feeling that network operators and others will need to overcome.

The technological problems are no less intimidating. The wireless market is fragmented between Telecommunication Operators (Telcos), device manufacturers, and the Internet content providers. This has led to a clash of cultures where, up until recently, many early adopters have implemented a 'walled garden' approach to bringing applications and services to the mobile arena. For m-commerce to succeed in the long term requires the industry to agree to a common security framework that will provide the expected level of safety, and allow interoperability between wireless environments.

In Europe, interested parties have formed a number of alliances in order to push forward the implementation of a common methodology for secure m-commerce. This is based on Wireless Application Protocol (WAP), Wireless Public Key Infrastructure (WPKI), and Wireless Identification Module (WIM). Baltimore has been at the forefront of many of these initiatives and, as a result, has been able to develop products based on the latest mobile security standards. Baltimore was the first security infrastructure company to join the WAP Forum and is a major contributor to the WPKI specifications. Baltimore is also an active member of the MeT Initiative, Mobey Forum, PKI Forum, and Global Mobile Commerce Interoperability Group (GMCIG).

Within the WAP specification, Wireless Transport Layer Security (WTLS) provides data integrity and confidentiality. WTLS is the mobile equivalent of the Transport Layer Security (TLS), or Secure Sockets Layer (SSL) 3.1, utilised by Internet applications. WTLS makes possible a secure connection between the mobile device and a WAP gateway. Dynamic key refreshing is used to cater for the low transport speeds of the mobile environment, instead of handshaking procedures that have a relatively higher bandwidth overhead.

Technologies based on cryptography have been adopted to help solve the security requirements of authentication, and non-repudiation, for Internet transactions. To meet the specific needs of the wireless environment, the existing Web PKI functionality has been enhanced to create WPKI, which is now included in the WAP specification. WPKI is a combination of encryption, digital certificates, digital signatures, and other services. WPKI takes into account the restrictions on storage and bandwidth of wireless devices, by providing the functionality to point to the location of a certificate, rather than hold all the certificate information on the mobile device. Additionally, WAP gateways can use a special WTLS, or WAP, certificate to authenticate themselves to a mobile user.
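The certificate-by-reference idea described above, as an added example that is not Baltimore's code or part of the WAP specification: the handset sends a certificate location instead of the certificate, and the relying party resolves it. The directory host, URL layout, in-memory directory and the SHA-256 digest carried alongside the URL are assumptions made for the illustration.

```python
import hashlib
from urllib.parse import urlsplit

# Assumption: directories this relying party is willing to fetch certificates from.
TRUSTED_DIRECTORIES = {"certs.operator.example"}

# Constructed sample data: an in-memory stand-in for a certificate directory.
# Real entries would be DER-encoded certificates fetched over HTTP or LDAP.
ALICE_CERT = b"CONSTRUCTED-CERT subject=alice serial=1001 " + b"\x00" * 700
MALLORY_CERT = b"CONSTRUCTED-CERT subject=mallory serial=6666 " + b"\x00" * 700
DIRECTORY = {"https://certs.operator.example/u/1001": ALICE_CERT}


class CertReferenceError(Exception):
    """The certificate reference could not be resolved safely."""


def make_reference(url: str, cert: bytes) -> dict:
    """What the handset stores and transmits instead of the full certificate."""
    # Assumption: a digest travels with the URL so the reference names one
    # specific certificate rather than "whatever is at this address today".
    return {"url": url, "sha256": hashlib.sha256(cert).hexdigest()}


def resolve_reference(ref: dict, directory: dict) -> bytes:
    """Fetch the referenced certificate and confirm it is the one the device meant."""
    parts = urlsplit(ref["url"])
    # The URL arrives from the network, so only dereference allow-listed hosts.
    if parts.scheme != "https" or parts.hostname not in TRUSTED_DIRECTORIES:
        raise CertReferenceError("untrusted certificate location")
    cert = directory.get(ref["url"])
    if cert is None:
        raise CertReferenceError("certificate not found")
    # A swapped or stale directory entry is rejected instead of silently trusted.
    if hashlib.sha256(cert).hexdigest() != ref["sha256"]:
        raise CertReferenceError("certificate does not match reference digest")
    return cert
```

The returned certificate would then go through normal chain and revocation checks before its public key is used to verify the device's signature.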

An enhancement to WAP security, to be available on mobile devices in 2001, will be the use of a WIM. This is not to be confused with the existing SIM already found in Global System for Mobile Communications (GSM) mobile devices that hold the subscriber's ID number, security information, and a directory of phone numbers. The WIM specification includes storage space for users' public and private keys, certificates and certificate Universal Resource Locators (URLs), and optional cryptographic functionality.

The WIM interface remains unchanged, regardless of how the storage requirements are physically implemented. The WIM can be implemented with a dual slot, where the existing PKI infrastructure could be used, or dual chip, where an extra smart card the same size as the SIM is used for WIM information. Implementing the WIM in the device hardware is another option, which could see adoption in the US, as is implementing it in software, which could possibly be easier in smart phones and PDAs. The current operator-preferred approach is to provide a SWIM, where the WIM is another application on the SIM card.

Telepathy Product Suite
Baltimore launched its first Telepathy security toolkit in September 1999, and in January 2000, Baltimore unveiled the Telepathy suite of products. Baltimore has continued to innovate with the subsequent release of products supporting WIM-based signatures. Baltimore has developed a number of modules to allow organisations to benefit from the evolving wireless security technologies. The Telepathy system is designed to complement the existing Baltimore Internet security infrastructure, and can interface with UniCERT PKI technology. Telepathy can enable new business opportunities, from improved security for Financial Institutions, Wireless Application Service Providers (Wasps), Mobile Network Operators, System Integrators, Mobile Device Manufacturers, and Commercial Certificate Authorities. The products can be used individually, or as a comprehensive security system.

Baltimore Telepathy consists of the following modules:
  • Telepathy WAP Security Toolkit (WST) - A software development kit for programmers to develop secure encrypted sessions between on-line, networked applications. An implementation of WTLS is incorporated into the toolkit.
  • Telepathy WTLS Certificate Authority (WTLS CA) - WAP gateways require WAP certificates to authenticate themselves to a mobile device. Baltimore's existing UniCERT system has been enhanced with a plug-in module to allow the creation of WAP digital certificates.
  • Telepathy WAP Certificate Service - Baltimore provides a WAP Certificate Service that allows certificates to be purchased from Baltimore's hosted service.
  • KeyTools Telepathy m-Sign - A developer toolkit to enable content providers to authenticate digital signatures generated by mobile devices by integrating this into their applications.
  • Telepathy Registration System (TRS) - This is Baltimore's implementation of a PKI portal, the interface between mobile devices and standard PKI. The TRS allows mobile users to register their digital identity, link to their digital certificates, and authenticate themselves. (Available Q1 2001).
  • Telepathy Validation System (TVS) - This component retrieves and validates certificate identifiers, permitting access to multiple certificates stored on servers. (Available in the second quarter of 2001).

Vendor Profile
Baltimore Technologies, one of the main players in the e-security solutions marketplace, provides e-security infrastructure enabling enterprises to develop secure services in the areas of e-business, e-commerce, e-services, m-commerce, and enterprise IT systems. Baltimore is a public company operating from 30 cities around the globe, including headquarters in Dublin, and offices in London, Boston, and Sydney. Baltimore employs more than 1,000 people worldwide.

Baltimore was founded in 1976, and acquired by the current Chief Executive Officer, Fran Rooney, during 1996. In 1999, the company was merged with Zergo (UK) and listed on the London Stock Exchange (BLM). Later in 1999, Baltimore was listed on Nasdaq (BALT) and raised $170m in funding. 2000 saw the company acquiring CyberTrust from GTE, Content Technologies, and Nevex Software Technologies. In addition, Baltimore acquired a majority stake in NSJ Corporation, forming Baltimore Technologies Japan.

Baltimore's customer base extends to more than 50 countries, covering a variety of industry areas, taking in finance, government, utilities, healthcare, and telecommunications. Customers include: ABN-AMRO Bank; Australian Tax Office; Australian Stock Exchange; Banco Santander (BSCH); Bank of Ireland; Belgacom; Citibank; Commerce One; Europay; Identrus; Intel IAS; Irish Revenue Commissioners; MasterCard; Ministry of Defence (UK); and Visa International.

Baltimore takes a leading role in formulating e-security standards and technology with its partnership program. Baltimore TrustedWorld partners number 400 in 52 countries, and include: Andersen Consulting; Check Point; Cisco; Compaq; EDS; Hewlett-Packard; Logica; PriceWaterhouseCoopers; Sony; and Unisys.

Baltimore's portfolio of award-winning security technology includes: PKI products and services (UniCERT Options); wireless e-security solutions (Baltimore Telepathy); developer toolkits (Baltimore KeyTools); security applications; hardware cryptographic devices (Baltimore SureWare); content security (MIMEsweeper); and access/authorisation management (SelectAccess and SolutionPlus). Together these provide a comprehensive offering of security-based e-business solutions.

Contact details
Baltimore Technologies
Head Office, Parkgate Street, Dublin 8, Tel: + 353 1 647 7300, Fax: + 353 1 647 7499.

Baltimore Technologies
UK Office, The Square, Basing View, Basingstoke, RG21 4EG, Tel: +44 (0)1256 818 800, Fax: +44 (0)1256 812 901.

About Butler Group Research And Advisory Services
This Research Paper is reproduced from Butler Group's Research and Advisory Service. For more information on this and other technology focused services, contact Mike James on +44(0)1482 586149.
