Security Basics mailing list archives
Re: Security on CDMA for Banking Applications
From: Alessandro Bottonelli <a.bottonelli () axis-net it>
Date: Tue, 29 Mar 2005 11:16:33 +0200
On Saturday 26 March 2005 04:19, shankarnarayan.d () netsol co in wrote:
a. Is it advisable to run banking apps (include financial transactions) over CDMA
A radio link, CDMA or other, is an "open channel". It's easier to tap into (sometimes by accident) than other means. It is also somewhat more "fragile" than other means of communication (depending on distance, terrain, weather, band of operation you may experience availability issues, more than on copper or fiber). So, in principle, it is not advisable to run sensitive applications other it, yet if you have no options you.... have no options ;-)
b. What perceived Security threats are there when doing so
Confidentiality. Radio waves bounce, spread all other and do not require physical intrusion to tap into them. Availability. Radio waves (more so the higher the band of operation is) fade in case of rain and antennas get misaligned in case of wind, earthquakes or landslides. If something gets in between the link (a new building, a crane, whatever) the link gets flaky or doesn't work at all...
c. What methods are available to overcome these (hardware/ software etc) - any suggestions for products
For confidentiality do encryption. Best if end-to-end encryption with technology you buy from a different vendor than the one you buy the radio equipment from. At least a VPN with strong and safe keys (lot of bits, you change the keys often, you manage the keys). The vendor may add some "scrambling" in the CDMA scheme to make things worst for the would-be intruder. If it is available use it, but do not count on it. Scrambling and encryption are two different things. Do encryption and add scramling if it is available at no extra cost. Otherwise stick with encryption. For availability try "low bands" for microwaves, they are less prone to fade under rain, antenna alignment is less of an issue, electronics is more robust. 3.5 or 10 Ghz bands are quite popular here in Europe, but it's tough to get a PTT license for them since they are quite crowded. Also, if you go beyond the 10 Ghz band (say 17 and up) ask the engineers to be 'generous' in calculating the so called "link budget" and to analize the weather history in the region (you will have to tell them how many hours a year of no operation you are willing to tolerate, but remember that's statistics, you will not know in advance when the link is going to be down and for how long).
d. What inherent Security is available in CDMA
Very little. The only good thing is that the higher the band of operation, the tougher for the "average bad guy" to get the equipment to monitor the link (which goes counter what we said of keeping the band low for availability reasons...).
e. Any previous experiences for the same
We linked in Milano four points over a 27 Ghz CDMA/Point-to-MultiPoint link with great success. Only 3 Km apart (some 1.5 miles) in a urban environment (the worst for high band microwaves). Not a single security accident since 1997. There is no single one-size-fits-all recipe for secure radio links. Local conditions, local PTT licensing policies, terrain, weather will need to be taken into account. For example, if the radio hops are short (say 3 to 5 Km) with line-of-sight you may want to go high in the radio bands despite what I said earlier. Confidentiality may weight more than availability in that case, and high bands help a lot in that. I am not sure how many radio security experts there are (is a sub-specialty in an already narrow specialty...) around. But I am sure you will be able to get some radio/security expertise in your region. -- Alessandro Bottonelli Axis-Net (Privacy & InfoSec Consulting) Tel. +39 02 93595859 Fax. +39 02 93590544 Web. http://www.axis-net.it
Current thread:
- Security on CDMA for Banking Applications shankarnarayan.d (Mar 28)
- Re: Security on CDMA for Banking Applications Alessandro Bottonelli (Mar 29)
- Re: Security on CDMA for Banking Applications Nick Owen (Mar 30)
- Re: Security on CDMA for Banking Applications Alessandro Bottonelli (Mar 30)
- Re: Security on CDMA for Banking Applications Nick Owen (Mar 30)
- Re: Security on CDMA for Banking Applications Alessandro Bottonelli (Mar 29)