Other One-Time Password Systems; Ssl And Tls; Web Browser - Nokia 9290 Security Manual

Security white paper

Nokia Mobile Phones
Some of these products, such as SecurID by RSA Security, use a time-based token system. For example, when users
dial into the server, they are prompted to enter a personal identification number (PIN), along with the six-digit
number currently showing on their hand-held card. This number changes every minute at the same time as a
corresponding number on the server, making it virtually impossible to gain access to the network without the card.
There are also other variations of how SecurID cards are used, some of them having a built-in PIN keypad and some
being pure software implementations.

5.3.5 Other one-time password systems

As the Nokia 9290 Communicator is an open software platform, it is possible to implement any kind of one-time
password system (such as S/Key and OPIE) as a separate application. One-time password generators that are currently
available for other Symbian operating system (EPOC32) devices can be ported to the Nokia 9290 Communicator with
relative ease using the software development kit from Nokia.
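
The hash-chain idea behind S/Key-style generators, as an added illustration (not code from the Nokia white paper or from the S/Key or OPIE projects). It is simplified: SHA-256 stands in for the one-way function and passwords are raw bytes rather than S/Key's word encoding; the names `step`, `chain`, `Server` and the sample values are assumptions.

```python
import hashlib
import hmac


def step(value: bytes) -> bytes:
    """One application of the chain's one-way function (SHA-256 here, an assumption)."""
    return hashlib.sha256(value).digest()


def chain(secret: bytes, seed: bytes, count: int) -> bytes:
    """Hash seed+secret, then hash `count` more times: the OTP for that sequence number."""
    value = step(seed + secret)
    for _ in range(count):
        value = step(value)
    return value


class Server:
    """Holds only the last accepted OTP, never the user's secret."""

    def __init__(self, seed: bytes, count: int, initial: bytes):
        self.seed, self.count, self.last = seed, count, initial

    def challenge(self):
        # The client must answer with the OTP for sequence number count-1.
        if self.count == 0:
            raise RuntimeError("chain exhausted; user must re-enrol")
        return self.seed, self.count - 1

    def verify(self, otp: bytes) -> bool:
        # Hashing a valid OTP once must reproduce the stored value.
        if self.count == 0 or not hmac.compare_digest(step(otp), self.last):
            return False
        self.last, self.count = otp, self.count - 1  # each OTP is accepted once
        return True


def demo():
    secret, seed = b"constructed passphrase", b"ke1234"  # constructed sample values
    server = Server(seed, 3, chain(secret, seed, 3))     # enrolment
    results = []
    for _ in range(3):
        s, n = server.challenge()
        otp = chain(secret, s, n)            # computed on the handheld device
        results.append(server.verify(otp))   # first use: accepted
        results.append(server.verify(otp))   # replay of the same OTP: rejected
    return results, server.count


if __name__ == "__main__":
    print(demo())
```

Because the server stores only the previously accepted value, a captured password cannot be replayed, and an attacker who reads the server's record still has to invert the hash to obtain the next password.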

5.4 SSL and TLS

The Nokia 9290 Communicator supports the SSLv3 (Secure Sockets Layer) and TLSv1 (Transport Layer Security)
protocols. These protocols are integrated in the socket interface, so third-party programs can easily use them
to offer secure Internet connections.
When SSL or TLS is used, all data sent over the secure connection is protected all the way to the target
server. This means that the security of the radio interface (GSM connection), the dial-up access (PPP), and all Internet
servers between your communicator and the target server is irrelevant: SSL and TLS offer a secure channel
through all of these.
If the target server is not capable of supporting strong security, the secure channel may be weaker than
it potentially could be.

5.4.1 Web Browser

Web URLs (addresses) that start with 'https' are SSL-secured connections. The SSL connection is negotiated with
the server, and the data is then transferred over the encrypted connection. A small lock symbol is displayed as an
indication that the connection is encrypted.
The encryption strength depends on the SSL server. The Nokia 9290 Communicator supports strong 128-bit encryption
in SSL and TLS, but can downgrade its security to a lower level if the server is not capable of handling such strong
encryption.
The authenticity of the Web server is determined with the help of certificates in the Certificate Manager tool. As
discussed above in the software security chapter, the user can select which certificates are trusted and which are not.
When connecting to a server whose identity is certified by a trusted party, there will be no warning note. Otherwise,
the user will be able to review the identification offered by the remote server. A set of certificates from major
commercial certification authorities is factory-installed and trusted by default. However, Nokia does not endorse
any specific certification authority. New certificates can be added to the Certificate Manager by the user.
As a security measure, it is recommended that you never send confidential data to a server that is not trusted.
Furthermore, make sure that the connection is encrypted before sending confidential data. Read the warning notes
that are displayed as they may contain further security information.
The Hypertext Transfer Protocol (HTTP) also provides a simple authentication protocol that uses a
username/password pair. It can be used to authenticate the user to a remote server. This method can be used over
SSL for additional security.
Copyright Nokia Corporation 2001-2002. All rights reserved.
Nokia 9290 Communicator
Security White Paper