Mobile Device Security

Mobile Device Security

  • Company Confidential Data should be stored in an encrypted container.
  • The mobile device should only retain minimal data required to support business processes and functionalities.  Data should be transferred to the server for permanent storage using secure protocols.
  • Application cache should be purged once the application exits or after a fixed period of inactivity.
  • Application backgrounding should result in the presentation of a screen which do not display any sensitive information.
  • A Mobile Device Management (MDM) solution such as Blackberry GOOD should be used to manage applications deployed to company staff.
  • MDM should support remote wipe of the application data container and processes and policies for remote wipe should be set.
  • Company deployed applications should be password protected based on the company’s Password Policy.
  • Application should be locked after a specific period of inactivity.
  • Application data container should be wiped off after a certain number of successive unsuccessful login attempts.
  • Use of company applications should be supported by the Company’s Mobile Device Security Policy.  Consent of the users to the policy should be captured and recorded.
Mobile Device Security

Cost of End-To-End Encryption

Cost of End-To-End Encryption (Lack of Intrusion Detection / Prevention in Encrypted Traffic)

End-to-end encryption has its cost.  Intrusion Detection and Prevention Systems (IDS and IPS)  are unable to analyze encrypted traffic and attack vectors may get through the iDS / IPS if the traffic is in an encrypted format.  Encryption should be maintained as close to the Destination Server as possible.  Once the traffic is in a secure site, the traffic can be decrypted for analysis by Firewalls, IDS and IPS devices before they reach their Destination Servers.

IDS and IPS devices by themselves are incapable of decrypting and re-encrypting traffic.  Until this technology is developed, there is a risk of data sniffing at the last mile where the IDS / IPS is setup.  But this risk could be significantly lower than the risk of malicious traffic reaching your destination servers.  The risk of data sniffing could be further reduced by securing the DC, segregating the last mile communication into separate VLAN and turning off port mirroring for the VLANs concerned.


Cost of End-To-End Encryption

Cryptographic Key Management

Cryptographic Key Management

What are the common cryptographic keys in use?

  • Asymmetric keys for PKI
  • Asymmetric keys for SSL tunnel creation
  • Symmetric keys used for encryption of data

How does the Web Server / Load Balancer create the SSL session key for encrypting each session with the Client browser?

The secret session key for an SSL session is derived from a pre-master secret created by the client browser using its OS’s inherent random number generator.  The browser encrypts the pre-master secret with the server’s public key and sent to the server.  The server uses the pre-master secret to derive the secret key for further onward encryption of the data transferred in the SSL session.  The secret key is stored in cache only and is purged after the session expires.

How does proprietary Database, Fileserver, Data Backup Solution Server encrypt data?

Case-in-Point: Oracle Transparent Database Encryption (TDE).

  • Uses built-in Key Management solution.

Case-in-Point: EMC Data Domain which can be used as a Data Backup and Recovery Solution.  It provides the below options for Data-At-Rest encryption:

  • Static Key managed internally.
  • Internal Key Management for periodic Key Rotation.
  • External Key Management is allowed through RSA Data Protection Manager (DPM) server.

Case-in-Point: EMC VNX series of Storage Devices which could be used as a File Server.

  • Includes a Keystore, which is an embedded and independently encrypted container which holds all the Data-at-Rest Encryption keys on the data arrays.  The data array has an internal key manager called VNX Key Manager.  External key managers are not supported.

Key Management Solution (KMS)

A key management solution (KMS) is an integrated approach for generating, distributing and managing cryptographic keys for devices and applications. Compared to the term key management, a KMS is tailored to specific use-cases such as secure software update or machine-to-machine communication. In an holistic approach, it covers all aspects of security – from the secure generation of keys over the secure exchange of keys up to secure key handling and storage on the client. Thus, a KMS includes the backend functionality for key generation, distribution, and replacement as well as the client functionality for injecting keys, storing and managing keys on devices. With the Internet of Things, KMS becomes a crucial part for the security of connected devices.

There are many proprietary KMS.  Example: RSA Data Protection Manager, Amazon Web Service KMS, HP Enterprise Security Key Manager, Oracle Key Manager, Safenet Enterprise Key Management.

Use of Hardware Security Module (HSM) for the protection of Cryptographic Keys

A hardware security module (HSM) is a physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing. These modules traditionally come in the form of a plug-in card or an external device that attaches directly to a computer or network server.  HSMs may possess controls that provide tamper evidence such as logging and alerting and tamper resistance such as deleting keys upon tamper detection. Each module contains one or more secure cryptoprocessor chips to prevent tampering and bus probing.  Many HSM systems have means to securely backup the keys they handle either in a wrapped form via the computer’s operating system or externally using a smartcard or some other security token.  Because HSMs are often part of a mission-critical infrastructure such as a public key infrastructure or online banking application, HSMs can typically be clustered for high availability. Some HSMs feature dual power supplies and field replaceable components such as cooling fans to conform to the high-availability requirements of data center environments and to enable business continuity.

A hardware security module can be employed in any application that uses digital keys. Typically the keys must be of high-value – meaning there would be a significant, negative impact to the owner of the key if it were compromised.  The functions of an HSM are:

  • onboard secure cryptographic key generation
  • onboard secure cryptographic key storage and management
  • use of cryptographic and sensitive data material
  • offloading application servers for complete asymmetric and symmetric cryptography

HSM are also deployed to manage Transparent Data Encryption keys for databases.  HSMs provide both logical and physical protection of these materials, including cryptographic keys, from non-authorized use and potential adversaries.  The cryptographic material handled by most HSMs are asymmetric key pairs (and certificates) used in public-key cryptography.  Some HSMs can also handle symmetric keys and other arbitrary data.

Use of HSM for End-to-End Encryption of User Password

HSM mainly provides end-to-end encryption of the User Password – [i] Browser to HSM Flow; and [ii] HSM to Application Database Flow.  This is  through secure generation of Asymmetric key pairs on demand (for end-to-end encryption of User Password from Browser to HSM) and secure management of a Symmetric key for storage of User Password in an encrypted format in an external Database (for end-to-end encryption of User Password from HSM to Application Database).  The User Password remains in an unencrypted form only at the User’s Browser.  The User Password remains in a cleartext-hashed format at both the User’s Browser and the HSM, but nowhere else.

General HSM Security Features

  • Provide strong physical and logical protection of cryptographic keys – Asymmetric key pairs and Symmetric keys.
  • Asymmetric key pairs are created to handle User Authentication.  Public key created will be passed to the application server who passes it to the application client.  The application client encrypts the user password hash with the public key.  The user password hash will be retrieved by the HSM by decrypting using the private key.  The user password hash will then be encrypted with a secret key and passed to the application server for storage in its LDAP or Database.  Both the values – user password hash encrypted with public key and user password hash encrypted with secret key – will be passed back to the UAS for matching and authentication of a User.
  • Only allow connectivity from pre-defined servers using IP restriction.
  • Configuration of HSM only allowed by physically visiting the HSM at the Datacenter with the physical Keys and User ID/Password credentials.
  • Installation and configuration of HSM driver is needed at the connecting server before connection establishment.
  • Support for High-Availability clustering supported by configuration in the HSM driver.

PKI environment (CA HSMs)

In PKI environments, the HSMs may be used by certification authorities (CAs) and registration authorities (RAs) to generate, store, and handle key pairs. In these cases, there are some fundamental features a device must have, namely:

  • Logical and physical high level protection
  • Multi-part user authorization schema
  • Full audit and log traces
  • Secure key backup

On the other hand, device performance in a PKI environment is generally less important, in both online and offline operations, as Registration Authority procedures represent the performance bottleneck of the Infrastructure.

Card payment system HSMs (bank HSMs)

Limited-feature HSMs are used in card processing systems. These systems are usually less complex than CA HSMs and normally do not feature a standard API. These devices can be grouped in two main classes:

OEM or integrated modules  – for automated teller machines and point of sale terminals:

  • to encrypt the personal identification number (PIN) entered when using the card
  • to load keys into protected memory

Authorisation and personalisation modules:

  • check an on-line PIN by comparing with an encrypted PIN block
  • in conjunction with an ATM controller, verify credit/debit card transactions by checking card security codes or by performing host processing component of an EMV based transaction
  • support a crypto-API with a smart card (such as an EMV)
  • re-encrypt a PIN block to send it to another authorisation host
  • support a protocol of POS ATM network management
  • support de facto standards of host-host key|data exchange API
  • generate and print a “PIN mailer”
  • generate data for a magnetic stripe card (PVV, CVV)
  • generate a card keyset and support the personalisation process for smart cards

The major organization that produces and maintains standards for HSMs on banking market is the Payment Card Industry Security Standards Council.



Cryptographic Key Management

Encryption for Portable Hard Disks

Encryption for Portable Hard Disks for Huge Data Transfer

Full Disk Encryption may be achieved by using Bitlocker for Windows or FileVault for MAC.  Please refer to this link:

Further References:

Encryption for Portable Hard Disks

Virtual Private Network

VPN (Virtual Private Network)

A virtual private network (VPN) extends a private network across a public network, such as the Internet. It enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network, and thus are benefiting from the functionality, security and management policies of the private network. A VPN is created by establishing a virtual point-to-point connection through the use of dedicated connections, virtual tunneling protocols, or traffic encryption.

A VPN spanning the Internet is similar to a wide area network (WAN). From a user perspective, the extended network resources are accessed in the same way as resources available within the private network. Traditional VPNs are characterized by a point-to-point topology, and they do not tend to support or connect broadcast domains. Therefore, communication, software, and networking, which are based on OSI layer 2 and broadcast packets, such as NetBIOS used in Windows networking, may not be fully supported or work exactly as they would on a local area network (LAN). VPN variants, such as Virtual Private LAN Service (VPLS), and layer 2 tunneling protocols, are designed to overcome this limitation.

VPNs allow employees to securely access the corporate intranet while traveling outside the office. Similarly, VPNs securely connect geographically separated offices of an organization, creating one cohesive network. VPN technology is also used by individual Internet users to secure their wireless transactions, to circumvent geo-restrictions and censorship, and to connect to proxy servers for the purpose of protecting personal identity and location.

Why Use VPN?  What is the most frequent Use-Case of a VPN?

Imagine you check-in into a hotel in China.  The hotel may provide a Wifi service.  The traffic from your phone/laptop may be easily eavesdropped by other “fellow” tourists or a criminal who might have embedded a sniffing tool within the hotel premises.  Over and above this scenario, the hotel may itself present a proxy server / gateway through which all internet traffic from the hotel rooms have to go through to be routed to the public Internet.  This proxy server is able to inspect all your unencrypted traffic.  Furthermore, some hotels might also do a Man-In-The-Middle for your SSL sessions (you are presented with an SSL certificate by the hotel’s proxy server when you try to visit for example).  This would result in the proxy server able to intercept and read all your SSL traffic.

The only safe way to protect yourself in such a scenario is to use a VPN service.  All the traffic originating from your mobile/laptop will be encrypted and sent to a secure remote proxy server for decryption and release into the Public Internet; Protected from the prying eyes and  ears in the hotel environment.


OpenVPN is an open-source software application that implements virtual private network (VPN) techniques for creating secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It uses a custom security protocol that utilizes SSL/TLS for key exchange. It is capable of traversing network address translators (NATs) and firewalls. It is published under the GNU General Public License (GPL).

OpenVPN allows peers to authenticate each other using a pre-shared secret key, certificates, or username/password. When used in a multiclient-server configuration, it allows the server to release an authentication certificate for every client, using signature and Certificate authority. It uses the OpenSSL encryption library extensively and contains many security and control features.

VPN Services

There are many VPN service providers to choose from.

An example – Private Tunnel VPN service is a commercial VPN service based on the OpenVPN platform.  They provide free VPN service for upto 500 MB.  Their charging model is based on the amount of data transferred rather than monthly recurring charges.  This business model of paying per GB could be a very useful asset for those that only need intermittent secure internet connections.


Virtual Private Network

Encryption of Data-At-Rest

 Approaches for Encryption of Data-At-Rest

  • Application Encryption
  • Disk Encryption
  • Database Encryption

Application Encryption

You can task a given application with encrypting its own data. This encryption capability is designed into the application itself, and organizations will not have to add another solution for encrypting data across the network. By the time the database receives the data, it has already been encrypted and then stored in the database in this encrypted state.

The solution can be implemented at the application layer or the database layer via an API.

A benefit to application encryption is that the data is only accessible to authenticated, authorized application users. If an attacker, whether an insider or outsider, tried to access the data directly within the database without going through the application, the data would be encrypted and inaccessible.

The disadvantages to application encryption include:

  1. Significant changes required in the application and/or database layer: First, to implement application encryption you must make significant changes in both the application layer and the database layer. Applications accessing the data need to be modified to understand and implement encryption. This could mean changing literally hundreds of applications for some organizations. In addition, the database tables and views that reside in the database and support the application need to be changed because the values being stored will no longer match the external data type representation. For example, a nine-digit SSN could not be encrypted and stored in the same field or data type that was originally used to store the unencrypted SSN. Complicating the situation further is the fact that many organizations do not even know all the applications that may be accessing the data. Some applications, such as legacy applications, may also make it extremely difficult, if not impossible, to implement this solution.
  2. Database performance issues: Second, database performance issues may arise because external applications control the encrypted data within the database. For example, if the application layer is doing the encryption, indexes and search capabilities within the database will not work. Alternatively, a database layer encryption solution can be implemented using an API, but that requires applicable triggers and views, which also introduce additional overhead, thus affecting database performance.
  3. Difficult Key Management: Finally, consider key management. Because multiple applications may be doing the encryption then sending to the database, keys are stored in many locations, introducing additional exposure points. When it is time to change the key, this may mean decrypting all the data with the old key and re-encrypting all the data with the new key—a significant impact to the environment.

Disk Encryption

Typically, disk encryption requires operating system support hooks to encrypt database files or the media on which the files reside. In these cases, keys typically must be managed by system or storage administrators. With file and disk encryption, there is no need to change the application(s) to accommodate encryption to the database with application encryption. In addition, file/disk encryption is a concept that organizations tend to be familiar with because it is similar to laptop encryption that many organizations have already implemented.

Because the encryption is occurring at the file or disk level, everyone with access to the operating system typically has access to all the data encrypted on that system.

Database Encryption

Database encryption falls somewhere between application encryption and disk encryption.

With Transparent Database Encryption (TDE), the encryption process and associated encryption keys are created and managed by the database. This is transparent to database users who have authenticated to the database. At the operating system, however, attempts to access database files return data in an encrypted state. Therefore, for any operating system level users, the data remains inaccessible. Additionally, because the database is doing the encryption, there is no need to change the application(s), and there is a minimal performance overhead when changes occur in the database.

A disadvantage to TDE is that the data is not protected from authenticated, authorized database users, including the DBA.

Encryption Approaches – Software Encryption vs Hardware (Appliance Based) Encryption

Hardware based encryption is deemed faster and more efficient than Software based encryption as dedicated hardware components are used for the heavy data crunching instead of precious CPU cycles.



Encryption of Data-At-Rest