Protecting the PDA

Encryption wares in the works for handheld devices

In what amounts to a 180-degree reversal, the mobile computing industry is starting to take security seriously.

Certicom Corp. and F-Secure Corp. are each preparing to launch file encryption products for the ever-growing number of PDAs (personal digital assistants) on the market, devices that at present have few security features.

Standard security on the Palm and Pocket PC platforms consists of password-based authentication and little else. And, as more users store ever-more-sensitive corporate data on their handhelds, those very PDAs represent one of the largest—and most ignored—security holes in corporate networks.

As a result of this weak link, many IT managers have been reluctant to deploy PDAs on a large scale.

One vendor addressing the need is Certicom, of Hayward, Calif., which this week will roll out its MovianCrypt product for Palm Inc.'s Palm OS. The product, which uses the 128-bit Advanced Encryption Standard algorithm, encrypts each record in the Palm's database individually, although users can choose to disable the encryption on a per-application basis (data belonging to an exempted application then sits on the device in the clear).

With MovianCrypt, users will be required to enter a password upon turning on their PDA. To improve performance, MovianCrypt, which fits in 98KB of storage, decrypts only the record that the user requests, when the user requests it. That decrypt-on-demand design also limits exposure: a thief who grabs a powered-on device gets, at best, the single record that was open on the screen at the moment it was stolen, while every other record remains ciphertext.

Once the user is finished with the record, it is re-encrypted using idle CPU time, minimizing the performance hit that usually accompanies encryption operations on small processors.

In addition, the user's password, which is also required for HotSync and beaming operations, is hashed rather than stored on the Palm, so the password itself cannot be synced to the desktop along with the data or read off a stolen device.
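The design sketched above (one key derived from a password that is never stored, each record encrypted on its own, only the requested record decrypted, the record re-sealed when the user is done, and a wrong password rejected without revealing anything) can be modelled in a few dozen lines. The following Go program is an added illustration written for this article; it is not MovianCrypt code and Certicom's actual formats, key derivation and record layout are not described on this page. The type and method names, the use of PBKDF2-HMAC-SHA256 for key derivation, AES-128 in GCM mode, and the record ID as authenticated data are all assumptions chosen for the example; the article itself only says that the product uses 128-bit AES and keeps a hash of the password. The patient-style records are constructed sample data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const kdfIter = 50_000 // example iteration count; a product would tune this to the device CPU

var errLocked = errors.New("store is locked")

// pbkdf2SHA256 implements PBKDF2 (RFC 8018) with HMAC-SHA256, written out so the
// example needs only the standard library. Not MovianCrypt's KDF; an assumption.
func pbkdf2SHA256(password, salt []byte, iter, keyLen int) []byte {
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], block)
		mac := hmac.New(sha256.New, password)
		mac.Write(salt)
		mac.Write(idx[:])
		u := mac.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			mac = hmac.New(sha256.New, password)
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// record holds ciphertext (nonce||ct||tag) while sealed and plaintext while open,
// mimicking in-place decryption of a single Palm database record.
type record struct {
	data []byte
	open bool
}

// Store is a hypothetical per-record encrypted database. The password is never
// kept; only a salt and a verifier derived from the key are stored.
type Store struct {
	salt, verifier, key []byte // key is nil while locked
	records             map[string]*record
}

func deriveKey(password string, salt []byte) []byte {
	return pbkdf2SHA256([]byte(password), salt, kdfIter, 16) // 16 bytes = AES-128
}

func verifierFor(key []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte("example-store-verifier"))
	return mac.Sum(nil)
}

func NewStore(password string) (*Store, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	key := deriveKey(password, salt)
	return &Store{salt: salt, verifier: verifierFor(key), key: key, records: map[string]*record{}}, nil
}

// Unlock re-derives the key and checks it against the stored verifier in constant time.
func (s *Store) Unlock(password string) bool {
	key := deriveKey(password, s.salt)
	if !hmac.Equal(verifierFor(key), s.verifier) {
		return false
	}
	s.key = key
	return true
}

// Lock re-seals every open record and discards the key (the power-off path).
func (s *Store) Lock() error {
	for id := range s.records {
		if err := s.Seal(id); err != nil {
			return err
		}
	}
	s.key = nil
	return nil
}

func (s *Store) gcm() (cipher.AEAD, error) {
	if s.key == nil {
		return nil, errLocked
	}
	block, err := aes.NewCipher(s.key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Put stores plaintext as a new record and seals it immediately.
func (s *Store) Put(id string, plaintext []byte) error {
	if s.key == nil {
		return errLocked // never park plaintext in a locked store
	}
	s.records[id] = &record{data: append([]byte(nil), plaintext...), open: true}
	return s.Seal(id)
}

// Seal encrypts an open record with a fresh nonce and scrubs its plaintext;
// this is the work the article says happens on idle CPU time.
func (s *Store) Seal(id string) error {
	r, ok := s.records[id]
	if !ok {
		return errors.New("no such record")
	}
	if !r.open {
		return nil
	}
	aead, err := s.gcm()
	if err != nil {
		return err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	// The record ID is authenticated data: a ciphertext copied under another ID will not open.
	ct := aead.Seal(nonce, nonce, r.data, []byte(id))
	for i := range r.data {
		r.data[i] = 0
	}
	r.data, r.open = ct, false
	return nil
}

// Open decrypts exactly one record in place; the others stay ciphertext.
// The returned slice aliases the record and is zeroed again by Seal.
func (s *Store) Open(id string) ([]byte, error) {
	r, ok := s.records[id]
	if !ok {
		return nil, errors.New("no such record")
	}
	if r.open {
		return r.data, nil
	}
	aead, err := s.gcm()
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(r.data) < n {
		return nil, errors.New("record too short")
	}
	pt, err := aead.Open(nil, r.data[:n], r.data[n:], []byte(id))
	if err != nil {
		return nil, err
	}
	r.data, r.open = pt, true
	return pt, nil
}

// Exposed counts records currently in plaintext: what a thief gets from a
// powered-on device without the password.
func (s *Store) Exposed() int {
	n := 0
	for _, r := range s.records {
		if r.open {
			n++
		}
	}
	return n
}

// Raw returns a copy of the stored bytes for a record (ciphertext when sealed).
func (s *Store) Raw(id string) []byte {
	if r, ok := s.records[id]; ok {
		return append([]byte(nil), r.data...)
	}
	return nil
}

func main() {
	s, err := NewStore("correct horse")
	if err != nil {
		panic(err)
	}
	// Constructed sample records standing in for a clinician's Palm database.
	s.Put("patient/0001", []byte("Doe, Jane: follow-up Tuesday"))
	s.Put("patient/0002", []byte("Roe, Rick: refill authorised"))
	s.Lock()
	fmt.Println("exposed while locked:", s.Exposed(), "| wrong password accepted:", s.Unlock("guess"))
	s.Unlock("correct horse")
	pt, _ := s.Open("patient/0001")
	fmt.Printf("open: %q, exposed: %d\n", pt, s.Exposed())
	s.Seal("patient/0001")
	fmt.Println("exposed after idle reseal:", s.Exposed())
}
```

The point the example makes concrete is the exposure window: `Exposed()` is 0 while the device is locked or idle and at most 1 while a record is on screen, and `Raw()` never contains plaintext for a sealed record. Note what the example does not solve, and neither does any on-device scheme by itself: a weak password gives an attacker with the device an offline guessing target, so the iteration count and password policy matter as much as the cipher.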

A Pocket PC version is in the works.

This level of security is exactly what many corporate users have been waiting for.

"Users tend not to think much about security and privacy, and they just go out and use [PDAs]," said John Luo, director for psychiatric informatics at the University of California Davis Medical Center, in Davis, Calif., which has been beta testing MovianCrypt since August.

Luo has rolled the application out to 40 users in his department who previously used Palms with just password protection. When one of the devices containing reams of patient data was stolen, Luo decided he needed more security. "There's a great need for encryption in this industry because the data is so sensitive. Our PDA solution has to be secure," he said.

F-Secure has taken a slightly different approach to the problem. Its [email protected], which will ship in August, will include the company's FileCrypto software, with support for the Pocket PC and Symbian Ltd. platforms as well as the Palm OS.

Like MovianCrypt, FileCrypto uses 128-bit encryption and requires a password to decrypt files, but it does not allow users to define which files to encrypt; that decision is reserved for the IT manager, who must enter a second password to access the policy administration tools.

This feature is meant to appeal to IT managers in large corporations who want to retain some control over the way users handle sensitive data.

"In security, the user is always the weakest link, so you want to take those decisions out of their hands," said Chris Vargas, president of F-Secure, which is based in Helsinki, Finland, with U.S. headquarters in San Jose, Calif. "If the device is lost or stolen, you want to know that the data is safe."