The WDN Symbian DevZone... Diversinet - PKI Security Solutions for the Symbian OS

by Richard Bloor, November 27, 2002

Delivering eCommerce applications to mobile devices requires a high level of security for the data exchanged between the device and application server. While a number of VPNs have become available for the Symbian OS, a PKI-based solution is needed for the type of validation necessary for applications such as banking and mobile shopping. Canadian wireless security specialist Diversinet Corp. has recently added the Symbian OS to its Passport family of PKI solutions.


Security is a key enabler for a range of mobile services where personal and financial information needs to be exchanged between a wireless device and application server.

Based in Toronto with offices in Hong Kong and London, Diversinet (www.diversinet.com) has for the past 5 years been focused exclusively on communications security for wireless devices. It has recently added a Symbian OS implementation to the Passport suite of security products.



Diversinet’s Passport family includes a public key infrastructure that allows for the validation, authorization and non-repudiation of wireless transactions and is the only wireless PKI solution with Common Criteria (http://csrc.nist.gov/cc/) certification. Diversinet also has a VPN that offers seamless roaming between wireless networks such as GPRS, CDMA and WiFi, and wired networks. The VPN uses WTLS rather than IPSec to achieve this seamless roaming and eliminate the need for constant re-authentication by the user as he or she moves across various networks.

Diversinet solutions are provided for a very wide range of wireless devices including Microsoft Windows® notebooks, Pocket PC handhelds, Palm, Symbian, RIM wireless handhelds, SIM and WAP phones amongst others. To find out more about Diversinet's security solutions and its Symbian OS implementation, I spoke to Steven Hunwicks, Product Marketing Manager, and York Lam, Team Leader of Mobile Devices.

WDN: What were the commercial drivers behind Diversinet supporting the Symbian OS?

Steve: There were three main reasons. Firstly, Symbian is an emerging platform for mass-market mobile devices. Secondly, it has incredible support from a wide range of mobile phone vendors; we see it as a top 3 PDA OS competing with Pocket PC and Palm. And the final reason is that a customer requested the Symbian OS implementation, so we have a real application going forward. While we currently support Symbian in the PKI product and not in the Passport Wireless VPN, our roadmap does include adding both Symbian and Palm implementations in the future.

WDN: What differentiates your solution from a number of other emerging security solutions for the Symbian OS?

Steve: I think it is that we are exclusively focussed on wireless, we have built a solution in the most convenient and efficient way to accommodate the limitations of wireless networks. Also, while I would not want to downplay the usefulness of VPN - after all we have a VPN product - PKI provides application level security rather than the more general network level security of a VPN.

WDN: When you talk about application level security, in practical terms what does this mean for the developer?

Steve: It means that they can secure the data within the application, encrypt it before it is transmitted, get the user to digitally sign the data so that it can be confirmed as their transaction. We can achieve far greater granularity in how the security is applied to data and to allow the developer to build it into the core of the application.

WDN: How easy did you find it to port your technology to Symbian OS?

York: Our software, written in C++, was designed to be portable between operating systems. So for example it can be configured to address specific implementations. We found the Symbian OS SDK easy to use and, while we obviously had to learn the APIs for the user interface and other aspects of the OS, we found it quite straightforward to implement on Symbian.

WDN: One of the common criticisms of the SDKs is that the documentation is not as complete as it could be, did you find this to be the case?

York: I’d agree, the UI certainly could have been better documented. However I was able to fill in the holes with searches on the Internet, through the various Symbian developer forums. So we found that the information is out there; from people who have encountered similar problems.

WDN: So you do not have a direct relationship with Symbian or one of their licensees?

York: We did contact Symbian when we started this project, mainly to find out how we could get started but beyond that we have not had too much interaction with them.

WDN: So you have not considered any of the partner programs?

York: Initially we did think about these, but we found we could do what we needed to do without this type of relationship. We have not ruled out involvement in the future, but that will probably depend on how our Symbian product line develops.

WDN: You mentioned that the implementation is in C++, does this mean the APIs are limited to C++ development?

York: Yes, currently only C++ APIs are available but we are working towards a Java implementation.

WDN: If a developer wanted to implement your products for a range of wireless devices how easy would they find that? For example are the APIs common across all your supported platforms?

York: Yes all the API calls for the core security functionality are the same. There are some device specific calls that are used to configure the network, but the majority of calls are the same.

WDN: How does the PKI infrastructure integrate with standard communication mechanisms?

York: If an application is using TCP/IP and sends data in plain text our solution binds the user's identity, using their digital certificate, to that data, encrypts it and sends it over the air. At the server the data is decrypted, checking that it was sent by the authorized user and is then passed to the server application. So it can be implemented between an existing client and server.

WDN: How much will the user of the application know about this process?

York: Apart from supplying a password, which can be added into a logon process when the application is started, this process can be largely hidden from the user.

WDN: The key to PKI is the digital certificate and I know that delivery has been a problem in some wired PKI applications, how does the process work in your solution?

Steve: Perhaps I can illustrate this by talking about one of our largest implementations, which is with Hong Kong Post. Hong Kong Post acts as the Certification Authority; they issue the digital certificates. The mobile operators using this service act as the Registration Authority, defining the rules that govern what needs to be done to verify the identity of a user before a certificate can be issued. So a user would apply to their mobile operator, prove to them that they are who they say they are and then Hong Kong Post would supply the certificate. The user could then retrieve the certificate over the air or collect it via one of the mobile operator’s stores. A small piece of software on the mobile device then installs the certificate. To ensure that the person who collects the certificate is the person the Registration Authority approved, a one-time secret password is used, which can be delivered by a number of mechanisms, using standard post mailers or a scratch card, for example.

WDN: Security is often a complex area for development so support is important, what services do you offer?

Steve: We provide fully documented software development kits for both the server and client components, which include sample code and applications. We then offer support via email, or telephone support is purchased from a tiered support program. Premier support is provided through our Developer Alliance program that in addition to the other support services includes the facility to co-market applications.

WDN: If a developer wanted to use your technology what are the steps they need to follow? Is there evaluation software available?

Steve: A developer would simply need to contact us. We do not provide free evaluation downloads from our web site, because we like to do things on an interactive, personal basis. Once a developer has contacted Diversinet, he or she can then get the SDKs and start building secure applications.

About the WDN Symbian Editor, Richard Bloor:
Richard Bloor has 16 years' experience in the IT industry. His earlier work was largely in design and development of commercial and manufacturing systems but more recently has focused on development and test management of government systems.

Richard Bloor is the Mobile Applications champion at System Architecture consultancy Equinox of Wellington, New Zealand.

Richard can be reached at rbloor@wirelessdevnet.com.

Article Copyright © 2001 MindSites Group, LLC. All Rights Reserved