Nokia 9290 IT Guide - Page 38


To enhance the security of PAP, CHAP, and MS-CHAP, some other authentication methods can be used when creating a network connection. If the method works with normal PAP or CHAP, it can be used with the Nokia 9290 Communicator. Other login schemes can be supported using a login script. Some of the alternatives are:
• Callback system (supported PPP callback protocols: IETF type 0 [RFC 1570] and the Microsoft callback protocol)
• Centralized security (authentication server configured based on RADIUS [RFC 2138] and TACACS [RFC 1492])
• Multiple passwords and one-time password schemes
• Token-based security
10.5 SSL and TLS
The Nokia 9290 Communicator supports the SSLv3 (Secure Socket Layer) and TLSv1 (Transport Layer Security) protocols. These protocols are integrated in the socket interface, so third-party programs can easily use them to offer secure Internet connections.
10.5.1 Web browser
Web URLs (addresses) that start with “https” are SSL-secured connections. The SSL connection is negotiated with the server and then the data is transferred over the encrypted connection. A small lock symbol is displayed as an indication that the connection is encrypted.
The encryption strength depends on the SSL server. The Nokia 9290 Communicator supports strong 128 bit encryption in SSL and TLS, but can downgrade its security to a lower level if the server is not capable of handling such strong encryption.
The authenticity of the Web server is determined with the help of certificates in the Certificate management tool. As discussed above in the software security chapter, the user can select which certificates are trusted and which are not. When connecting to a server whose identity is certified by a trusted party, there will be no warning note. Otherwise, the user will be able to review the identification offered by the remote server. Some certification authority root certificates are factory-installed on the device; Nokia does not endorse any specific certification authority.
The HTTP (Hypertext Transfer Protocol) also provides a simple authentication protocol, which uses a username/password pair. It can be used to authenticate the user to a remote server. This method can be used over SSL for additional security.
10.5.2 Reading and sending mail
Access to remote mailboxes (IMAP and POP) and sending mail (SMTP) can also be secured using SSL/TLS. You can request a secure connection by ticking the appropriate box in the settings.
In order to use secure connections with electronic mail, the mail server has to support the “starttls” command (IMAP, SMTP) or the “stls” command (POP).
Note: Sending electronic mail over a secure connection does not encrypt the mail itself, only the connection to the mail server. Once the mail continues from the first mail server towards its destination, it is not encrypted. This feature is most useful when accessing mail servers in a secure intranet through a public Internet service provider.
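The upgrade sequence this section depends on, as an added example that is not part of the Nokia guide: a Python audit over constructed (not captured) POP3, SMTP and IMAP transcripts that checks whether the STLS or STARTTLS upgrade the manual requires was acknowledged by the server before any credential command went out. The C:/S: transcript format and all function and constant names are the example's own assumptions.

```python
# Constructed (not captured) POP3 session: the client upgrades with STLS,
# then authenticates over the encrypted connection.
POP3_OK = """S: +OK POP3 ready
C: STLS
S: +OK Begin TLS negotiation
C: USER alice
S: +OK
C: PASS secret
S: +OK Logged in"""

# Same server, but the client never issues STLS: credentials cross in clear.
POP3_PLAIN = """S: +OK POP3 ready
C: USER alice
S: +OK
C: PASS secret
S: +OK Logged in"""

# Upgrade command the manual names per protocol, and the commands that
# carry credentials and so must only follow a completed upgrade.
UPGRADE_CMD = {"pop3": "STLS", "imap": "STARTTLS", "smtp": "STARTTLS"}
CRED_CMDS = {"pop3": ("USER", "PASS", "APOP"),
             "imap": ("LOGIN", "AUTHENTICATE"),
             "smtp": ("AUTH",)}


def audit_session(transcript, proto):
    """Walk a C:/S: transcript (format assumed by this example) and report
    whether the upgrade completed and which credential commands, if any,
    were sent while the connection was still plaintext."""
    pending = False      # upgrade command sent, awaiting the server's reply
    encrypted = False    # server accepted the upgrade
    leaked = []          # credential commands sent before encryption
    for line in transcript.splitlines():
        side, _, text = line.partition(": ")
        words = text.split()
        if side == "C":
            if proto == "imap" and words:
                words = words[1:]          # drop the IMAP tag ("a1 STARTTLS")
            cmd = words[0].upper() if words else ""
            if cmd == UPGRADE_CMD[proto]:
                pending = True
            elif cmd in CRED_CMDS[proto] and not encrypted:
                leaked.append(cmd)
        elif side == "S" and pending:
            # Success replies: POP3 "+OK", SMTP "220", IMAP "<tag> OK"
            encrypted = (text.startswith("+OK") or text.startswith("220")
                         or (proto == "imap" and len(words) > 1 and words[1] == "OK"))
            pending = False
    return {"upgraded": encrypted, "cleartext_credentials": leaked}
```

A server that answers STLS/STARTTLS with an error leaves `upgraded` false, and any USER/PASS, AUTH or LOGIN that follows is listed as sent in clear.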
10.5.3 Supported encryption algorithms
The selection of algorithms depends on the protocol being used. It is advisable to avoid the use of “export-grade” algorithms (RC4 with 40 secret bits and DES) for security reasons. The Nokia 9290 Communicator supports the following cryptographic algorithms in SSL/TLS:
• For server authentication and/or key exchange: RSA, DSA, and Diffie-Hellman
• For data encryption: RC4™ (plus the “export” version with 40 secret bits), DES, and Triple-DES
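An added example, not code from the Nokia guide: a Python check that decodes the cipher_suites vector of a TLS 1.0 ClientHello (RFC 2246 codes for the RSA/DSS/DH, RC4 and DES/Triple-DES suites the manual lists) and separates the export-grade and single-DES suites it says to avoid from the acceptable ones; it also shows the server-side choice that keeps a server from being downgraded. The sample vector is constructed and the function names are the example's own.

```python
# RFC 2246 (TLS 1.0) cipher suite codes for the families the manual lists:
# RSA/DSS/DH key exchange with RC4, DES or Triple-DES encryption.
SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0009: "TLS_RSA_WITH_DES_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0012: "TLS_DHE_DSS_WITH_DES_CBC_SHA",
    0x0013: "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
    0x0015: "TLS_DHE_RSA_WITH_DES_CBC_SHA",
    0x0016: "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
}

def is_weak(name):
    """Export-grade (40-bit) or single-DES suites the manual advises against."""
    return "_EXPORT_" in name or "_WITH_DES_" in name

def parse_cipher_suites(vec):
    """Decode a ClientHello cipher_suites vector: 2-byte length, then
    2-byte suite codes. Raises on a truncated or odd-length vector."""
    length = int.from_bytes(vec[:2], "big")
    if len(vec) < 2 or length % 2 or len(vec) < 2 + length:
        raise ValueError("malformed cipher_suites vector")
    body = vec[2:2 + length]
    return [int.from_bytes(body[i:i + 2], "big") for i in range(0, length, 2)]

def audit_offer(vec):
    """Split an offered suite list into acceptable, weak and unknown names."""
    names = [SUITES.get(c, "unknown_%04x" % c) for c in parse_cipher_suites(vec)]
    known = [n for n in names if not n.startswith("unknown_")]
    return {"acceptable": [n for n in known if not is_weak(n)],
            "weak": [n for n in known if is_weak(n)],
            "unknown": [n for n in names if n.startswith("unknown_")]}

def choose_suite(vec, server_prefs):
    """Server-side pick: first suite in the server's own preference order that
    the client offered and that is not weak, else None (handshake refused)."""
    offered = parse_cipher_suites(vec)
    for code in server_prefs:
        if code in offered and not is_weak(SUITES.get(code, "")):
            return code
    return None

# Constructed ClientHello fragment (example data): RC4-128, 3DES with RSA and
# DHE-RSA, single DES and export RC4-40, in that order.
SAMPLE_VECTOR = bytes.fromhex("000a" "0004" "000a" "0016" "0009" "0003")
```

Because `choose_suite` walks the server's preference list and skips weak suites, a server whose list holds only 128-bit RC4 and Triple-DES suites still interoperates with the device's offer without ever selecting the export or DES entries.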
10.6 WAP security
When using WAP for a data call, the dial-up security is the same as with Internet services. Please refer to the chapter above.
WAP uses an optional security layer called WTLS, which is specified by the WAP Forum. It can be turned on in the settings, or the server can mandate it. WTLS security ends at the WAP gateway; connections from the WAP gateway to the target server might not be encrypted.
The Nokia 9290 Communicator supports strong 128 bit encryption in WTLS, but is able to lower the security level if required by the server. The Nokia 9290 Communicator supports server authentication and key exchange using the RSA algorithm and data encryption using the RC5™ algorithm. The gateway is authenticated using certificates. Some certification authority root certificates are factory-installed on the device; Nokia does not endorse any specific certification authority.
35