Re: Security on CDMA for Banking Applications

From: Alessandro Bottonelli (a.bottonelli_at_axis-net.it)
Date: 03/29/05

  • Next message: Jeff Gercken: "RE: Win32 Firewalls."
    To: security-basics@securityfocus.com
    Date: Tue, 29 Mar 2005 11:16:33 +0200
    
    

    On Saturday 26 March 2005 04:19, shankarnarayan.d@netsol.co.in wrote:
    >
    > a. Is it advisable to run banking apps (include financial transactions)
    > over CDMA
    >
    A radio link, CDMA or other, is an "open channel". It's easier to tap into
    (sometimes by accident) than other means. It is also somewhat more "fragile"
    than other means of communication (depending on distance, terrain, weather,
    band of operation you may experience availability issues, more than on copper
    or fiber).

    So, in principle, it is not advisable to run sensitive applications over it,
    yet if you have no options you.... have no options ;-)

    > b. What perceived Security threats are there when doing so
    >
    Confidentiality. Radio waves bounce, spread all over and do not require
    physical intrusion to tap into them.

    Availability. Radio waves (more so the higher the band of operation is) fade
    in case of rain and antennas get misaligned in case of wind, earthquakes or
    landslides. If something gets in between the link (a new building, a crane,
    whatever) the link gets flaky or doesn't work at all...

    > c. What methods are available to overcome these (hardware/ software etc) -
    > any suggestions for products
    >
    For confidentiality do encryption. Best if end-to-end encryption with
    technology you buy from a different vendor than the one you buy the radio
    equipment from. At least a VPN with strong and safe keys (lot of bits, you
    change the keys often, you manage the keys). The vendor may add some
    "scrambling" in the CDMA scheme to make things worse for the would-be
    intruder. If it is available use it, but do not count on it. Scrambling and
    encryption are two different things. Do encryption and add scrambling if it is
    available at no extra cost. Otherwise stick with encryption.

    For availability try "low bands" for microwaves, they are less prone to fade
    under rain, antenna alignment is less of an issue, electronics is more
    robust. 3.5 or 10 GHz bands are quite popular here in Europe, but it's tough
    to get a PTT license for them since they are quite crowded. Also, if you go
    beyond the 10 GHz band (say 17 and up) ask the engineers to be 'generous' in
    calculating the so called "link budget" and to analyze the weather history in
    the region (you will have to tell them how many hours a year of no operation
    you are willing to tolerate, but remember that's statistics, you will not
    know in advance when the link is going to be down and for how long).

    > d. What inherent Security is available in CDMA
    >
    Very little. The only good thing is that the higher the band of operation, the
    tougher for the "average bad guy" to get the equipment to monitor the link
    (which runs counter to what we said about keeping the band low for availability
    reasons...).

    > e. Any previous experiences for the same
    >
    We linked in Milano four points over a 27 GHz CDMA/Point-to-MultiPoint link
    with great success. Only 3 km apart (some 1.5 miles) in an urban environment
    (the worst for high band microwaves). Not a single security accident since
    1997.

    There is no single one-size-fits-all recipe for secure radio links. Local
    conditions, local PTT licensing policies, terrain, weather will need to be
    taken into account. For example, if the radio hops are short (say 3 to 5 km)
    with line-of-sight you may want to go high in the radio bands despite what I
    said earlier. Confidentiality may weigh more than availability in that case,
    and high bands help a lot in that.

    I am not sure how many radio security experts there are (it is a sub-specialty in
    an already narrow specialty...) around. But I am sure you will be able to get
    some radio/security expertise in your region.

    -- 
    Alessandro Bottonelli
    Axis-Net (Privacy & InfoSec Consulting)
    Tel. +39 02 93595859
    Fax. +39 02 93590544
    Web. http://www.axis-net.it
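The reply's point that "scrambling and encryption are two different things" can be demonstrated in code. The following is an added illustration, not part of the original message or of any vendor's product: a line scrambler is an LFSR whose polynomial and seed are fixed by a public specification, so any receiver that implements the spec undoes it with no secret at all, whereas a keyed construction cannot be undone without the key. The scrambler parameters are constructed for the demo, and the keyed keystream (HMAC-SHA256 in counter mode) only stands in for a real cipher such as AES-GCM.

```python
"""Scrambling vs. encryption (added illustration, not from the original post)."""
import hashlib
import hmac

# Constructed scrambler parameters: taps for a 15-bit polynomial x^15 + x^14 + 1
# and a fixed seed.  In a real link both come from the public standard, so they
# are known to every receiver, friendly or not: nothing here is secret.
SCRAMBLER_TAPS = (14, 15)
SCRAMBLER_SEED = 0x7FFF
REGISTER_MASK = 0x7FFF


def lfsr_keystream(nbytes: int, taps=SCRAMBLER_TAPS, seed=SCRAMBLER_SEED) -> bytes:
    """Fibonacci LFSR: each output bit is the XOR of the tapped register bits."""
    state = seed
    out = bytearray()
    for _ in range(nbytes):
        byte = 0
        for _ in range(8):
            bit = 0
            for t in taps:
                bit ^= (state >> (t - 1)) & 1
            state = ((state << 1) | bit) & REGISTER_MASK
            byte = (byte << 1) | bit
        out.append(byte)
    return bytes(out)


def scramble(data: bytes) -> bytes:
    """Additive scrambler: XOR with the public keystream.  Self-inverse, so the
    same call descrambles, and anyone with the spec can make that call."""
    return bytes(a ^ b for a, b in zip(data, lfsr_keystream(len(data))))


def keyed_keystream(key: bytes, nbytes: int) -> bytes:
    """Illustrative keyed keystream: HMAC-SHA256(key, counter) blocks.
    Stand-in for a vetted cipher; it offers no integrity protection."""
    out = bytearray()
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:nbytes])


def encrypt(key: bytes, data: bytes) -> bytes:
    """Keyed XOR stream: the same call with the same key decrypts;
    any other key yields garbage."""
    return bytes(a ^ b for a, b in zip(data, keyed_keystream(key, len(data))))
```

Running `scramble` twice recovers the message with no key, which is exactly why scrambling cannot be counted on for confidentiality; `encrypt` only round-trips when the second call uses the same key.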
    
