The important thing to remember when talking about any form of electronic
transfer of information is that you will never reach a satisfactory level of
security. Experience has shown that users will stay away from "truly secure"
solutions as this lowers the ease of use. Thus the approach normally ends up
as standard risk assessment (cost of security / ease of use / financial
exposure / first player advantages etc). A bank will normally start off with
unrealistically high security requirements (as the security department
typically drives the initial phases of any such project) but as the business
parts of the organization kicks in risk management takes over. I don't know
the exact algorithms that DoCoMo uses, but I would be surprised if they
exceed GSM's inherent security algorithm (which is appallingly bad from a
security viewpoint). Don't get deceived by security aspects of a solution.
By the end of the day Mammon still rules......
Kristian
-----Original Message-----
From: Kyle Barrow [mailto:kyle@X-9.com]
Sent: Tuesday, February 13, 2001 12:47
To: keitai-l@appelsiini.net
Subject: (keitai-l) Re: question on enterprise security
> I thought
> this was discussed on this list and the consensus was that since the data
> sent from DoCoMo to the handset was via proprietary non-public standard,
> that this would be plenty secure. Correct? So its just basic
> SSL security
> from the web server?
Correct. SSL to the gateway, proprietary from gateway to phone. I don't have
any details on DoCoMo security (does anyone else on the list) but banks are
confident enough to conduct online banking via i-mode which of course means
absolutely nothing.
> bottomline: what is the best way to ensure security on non-official imode
> websites such that corporate information can be accessed?
Any security model should always be proportional to the value of the data
being transmitted and the difficulty of obtaining this data through
nefarious means. Until more is known about DoCoMo's proprietary system you
must assume it is possible for someone to intercept this data - the
difficulty of which is the unknown.
Conversely, if someone wants someone else's credit card number they can wade
through any restaurant of hotel miniskip - no SSL there ;)
Kyle
X-9 DESIGN LAB
http://www.X-9.com
[ Did you check the archives? http://www.appelsiini.net/keitai-l/ ]
[ Did you check the archives? http://www.appelsiini.net/keitai-l/ ]
Received on Tue Feb 13 11:21:34 2001