Network Security for the Windows
Mobile Software Platform
White Paper
Published: March 2006
For the latest information, please see http://www.microsoft.com/windows/mobile/
Abstract
This paper presents information to enterprise-level network administrators who are exploring
network security standards and best practices related to Microsoft® Windows Server™ 2003
networks that include mobile devices running Microsoft Windows Mobile® 5.0 software.
Readers should be familiar with enterprise-level network and system administration and
technology, as well as have an understanding of mobile technologies and devices.
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date
of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the
part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.
This white paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS
DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this
document may be reproduced, stored in, or introduced into a retrieval system, or transmitted in any form or by any means (electronic,
mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in
this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not
give you any license to these patents, trademarks, copyrights, or other intellectual property.
© 2006 Microsoft Corporation. All rights reserved.
The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein
are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event
is intended or should be inferred.
Microsoft, Active Sync, Outlook, Windows, Windows Mobile, Windows Server, and the Windows logo are either registered trademarks
or trademarks of Microsoft Corporation in the United States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Contents
Introduction .................................................................................................................................1
Incorporation with Existing Windows Security Technology.....................................................1
Windows Mobile Security Management ......................................................................................2
Role-Based Security for OTA Provisioning .............................................................................2
Configuration Service Providers .............................................................................................2
Device Management and Provisioning ...................................................................................3
Installation Code Signing ........................................................................................................3
Execution Control ...................................................................................................................3
Windows Mobile Security Infrastructure......................................................................................4
Microsoft Cryptographic Application Program Interface .........................................................4
Cryptographic Service Providers ............................................................................................5
Security Service Providers ......................................................................................................6
Local Authentication Subsystem .............................................................................................6
Microsoft Public Key Infrastructure .........................................................................................7
Windows Mobile 5.0 Security Technologies ...............................................................................8
Local Device Security .............................................................................................................8
Network Security.....................................................................................................................9
Information Service Encryption .............................................................................................10
Wireless Security ..................................................................................................................10
Scenarios ..................................................................................................................................12
Connecting to a Corporate Network using 802.1x and EAP-TLS .........................................12
Connecting through a Wireless Hotspot or Third-party WWAN ...........................................13
Connecting by using Exchange ActiveSync..........................................................................13
Conclusion ................................................................................................................................15
Appendices ...............................................................................................................................16
Appendix A: Supported Encryption Algorithms .....................................................................16
Appendix B: Network Security Terminology and Definitions.................................................16
Introduction
One of the most difficult tasks for enterprise network administrators is finding methods and
technologies that can prevent malicious attacks to their systems from sources located both
inside and outside corporate firewalls. Securing servers, client computers, and mobile devices
becomes even more important as workers and contractors connect from multiple-wired or
wireless networks where security levels can vary greatly. Employees can inadvertently put
their businesses at risk by connecting remotely to mission-critical systems and applications
and transmitting unintended threats over mobile networks. In addition, passing critical
corporate data through an outside network operations center may increase the risk of
compromise or unavailability.
However, with the right technology and network architecture in place, network administrators
can dramatically improve security and management for mobile device connections. Careful
planning of how to handle permissions and security rights for these mobile users is the key to
a successful deployment.
Microsoft® technologies offer a multiple-layer approach to defending Microsoft Windows®based networks that include mobile devices. This paper provides information about e-mail and
Internet communication, Virtual Private Network (VPN), and wireless security technology for
devices running on Microsoft Windows Mobile® 5.0 software, including Windows Mobilepowered Smartphones and Pocket PCs. These technologies help network administrators
manage and protect Microsoft Windows Server 2003 networks that include mobile devices.
In addition, this paper presents information about the following:
Incorporation of Windows Mobile-powered devices with existing Windows networks.
The Windows Mobile security infrastructure.
Security features and technologies for Windows Mobile-powered devices.
Readers should be familiar with Windows networking technology for enterprise deployments
along with Microsoft certificate technology, and they should have an understanding of mobile
devices.
Incorporation with Existing Windows Security Technology
Windows Mobile-powered Pocket PCs and Smartphones can be incorporated into existing
Windows networks and conform to existing network security policies by using Windows Mobile
5.0 software. Therefore, these mobile devices can use many of the same Microsoft security
features used in Windows desktop and laptop computers. The technologies described in this
paper apply generally to devices running Windows Mobile 5.0 software. However, support for
these technologies can vary depending on the actual device.
Network Security for the Windows Mobile Software Platform
1
Windows Mobile Security Management
Mobile devices can enter a corporate network as part of an enterprise-wide deployment or as
personal devices purchased by employees. One important aspect of managing network
security for Windows Mobile-powered devices is managing how these devices interact with
mission-critical applications and third-party service providers, such as cellular service
providers. Windows Mobile software allows network administrators to control device security
settings through comprehensive provisioning features for Smartphones and Pocket PCs.
Role-Based Security for OTA Provisioning
Windows Mobile-powered devices use role-based security to control what provisioning
changes may be made by over-the-air (OTA) messages. Requests to the Windows Mobile
Configuration Manager carry an associated role, based on how the request was signed and
what security policy is in effect. These roles include:

Manager. This role is the most powerful, as policy changes requested with this role
have essentially unlimited access to the device. By default, the mobile operator is
assigned this role, although it may be assigned to the enterprise or individual who
owns the device.

Authenticated user. This role is assigned to messages signed with the user's PIN, or
messages delivered by the remote application programming interface (RAPI) for PCto-mobile device communications. Depending on the settings applied by the device
manager, the user may or may not have access to all configuration settings on the
device; the exact permissions given authenticated users are assigned by the
manager.

Unauthenticated user. This role is assigned to unsigned OTA messages; it can only
be used to install ring tones or a new Today screen.

OEM. This role is normally assigned to the original equipment manufacturer; by
default, it does not provide permissions to configure settings using OTA messages.

Operator. OTA messages that arrive signed by the mobile operator's key carry this
role; it is provided so that mobile operators can configure carrier-specific properties on
the device even if the operator does not have access to the Manager role. .

Additional roles for trusted proxies and gateways. These roles are not used by all
mobile network operators, and they are assigned to devices provisioned by individual
operators as needed.
Configuration Service Providers
Many of the network features in Window Mobile-powered devices are enabled by configuration
service providers, assemblies of code and data that carry out all application configuration
queries and changes. After data has been passed to a configuration service provider, it makes
any requested changes as allowed by the specified security policy, then reports the success or
failure of the transaction to the requestor.
One of the primary features of configuration service providers is the ability to assign a security
role requirement for each individual setting or group of settings. Security roles are used to
control whether the device user or the device administrator have access to a particular
configuration setting. For example, the SecurityPolicy configuration service provider requires
use of the manager security role while the BrowserFavorite Configuration Service Provider
only requires the authenticated user security role.
Network Security for the Windows Mobile Software Platform
2
Device Management and Provisioning
Windows Mobile-powered devices can be managed by using XML-based provisioning
documents to configure OS and application settings, including security settings. These
provisioning documents can be applied to multiple mobile devices. The XML provisioning
documents are distributed through:

Over-the-air synchronizations with a device management server on the network. This
server could be Microsoft Systems Management Server (SMS), Exchange, a thirdparty device management solution, or a device management server operated by a
mobile operator.

Deployment in a cabinet provisioning format file (.cpf). Application installation files are
known as cabinet files (.cab); the .cpf file is a special type of cabinet file that contains
the XML provisioning document. The device can download the .cpf file from a
provisioning server or from an attached desktop.

A desktop to which the device is connected using desktop ActiveSync.
For large deployments of Windows Mobile-powered devices, the XML provisioning not only
reduces deployment efforts, but also helps standardize security settings. Along with security
settings, XML provisioning allows network administrators to create a standard configuration for
mobile devices, including wireless and other network settings, Internet connection, and e-mail
synchronization settings. The XML provisioning features can also manage how mobile devices
connect to third-party voice and data service providers.
Installation Code Signing
Application installation files (again, known as cabinet or .cab files) may be digitally signed by
the application provider: Microsoft, a third-party software company, or the developer of an
enterprise line-of-business application. At install time, the digital signature of the installation
.cab is checked against certificates in the software publishing certificate store. If there is a
match, the installation can take place. You can apply application configuration settings through
the .cab installer as well. The installer will check the digital signature of the .cab against the
certificates in the SPC store to determine the security role used for the configuration.
Execution Control
Windows Mobile 5.0 allows programs that run on the Smartphone to have one of two levels of
access. Privileged or fully trusted code can call any application programming interface (API)
routine and write to any registry key on the device; normal code is restricted from calling some
API routines and writing to certain registry keys. (For a list of trusted APIs, see the Platform
Builder for Microsoft Windows CE 5.0 documentation.) Windows Mobile 5.0 Pocket PC
devices do not support these two tiers. The code is either run with full trust or not run at all.
Execution control is configured using the Security Policy Configuration Service Provider. The
device can be configured to block execution of all unsigned application, to run them after
consent from the user, or to run all unsigned applications without prompting the user.
Microsoft also provides a program, Mobile2Market, that allows third-party ISVs to sign their
applications to install and run on devices where installation and execution security are
enabled. The ISV must pay for the signing and formally document their ownership of the
application to obtain the Mobile2Market digital signature for their application.
Network Security for the Windows Mobile Software Platform
3
Windows Mobile Security Infrastructure
Most mobile devices connect from outside the security perimeter of corporate networks,
exposing them to varying levels of risk. In addition, today’s mobile devices offer many of the
same features and applications employees use on their laptops or desktop computers,
including access to the Internet, business applications, and personal e-mail. As a result, many
of the security threats that exist for desktops also exist for mobile devices.
Windows Mobile 5.0 software offers advanced security technologies that help protect data and
applications, whether on the local device or across the corporate network. Windows Mobile
software takes advantage of many of the same Windows security features used in typical
desktop/server network architectures. The security architecture built into Windows Mobile 5.0
enables Windows Mobile-powered Smartphones and Pocket PCs to be incorporated easily
into the existing security protocols in an enterprise Windows Server-based network.
Windows Mobile software includes four architectural features that provide security functionality
to Windows Mobile-powered Smartphones and Pocket PCs: the Microsoft Cryptographic
Application Program Interface, Cryptographic Service Providers, Security Service Providers,
and the Local Authentication Subsystem (LASS).
Microsoft Cryptographic Application Program Interface
The Microsoft Cryptographic Application Program Interface (CryptoAPI) provides encryption
and authentication functionality to Windows Mobile-powered devices to help secure
applications. CryptoAPI also supports encryption services for local data stored on a mobile
device or removable media.
Figure 1. The Microsoft CryptoAPI security architecture
As shown in Figure 1, CryptoAPI architecture provides network administrators with the
technology backbone required to incorporate Windows Mobile devices into existing enterprise
networks securely, and includes the following features:

Encryption. Encryption provides privacy and authentication between two
communicating parties who have exchanged a shared secret key.
Network Security for the Windows Mobile Software Platform
4

Hashing. Hashing helps ensure data integrity of information sent over a non-secure
channel, such as the Internet.

Digital signature. Digital signatures authenticate received data or information sent by
a third party who is not using encryption based on a shared secret key.
A cryptographic service provider (CSP in Figure 1)—composed of independent modules within
CryptoAPI—performs CryptoAPI functions and uses a variety of algorithms to perform all of
the security needed for the applications running on an employee’s mobile device. There are
several cryptographic service providers that can be used with CryptoAPI, and each one uses a
different combination of algorithms.
Cryptographic Service Providers
A cryptographic service provider contains implementations of cryptographic standards and
algorithms. Windows Mobile 5.0 software supports a full host of encryption algorithms that
allow network administrators to incorporate Windows Mobile-powered devices into the existing
security infrastructure of a corporate network. As with desktop applications, Windows Mobile
software does not communicate directly with a cryptographic service provider. Instead, these
applications call the CryptoAPI functions exposed by the operating system. The operating
system filters these function calls and passes them on to the appropriate cryptographic service
provider. Each cryptographic service provider provides the application calling it with one or
more symmetric or asymmetric encryption algorithms.
Network administrators can use encryption to help secure data communication, such as e-mail
messages, calendar information, or line-of-business applications, between mobile users and
company network resources. Data is encrypted by using a public key that provides
cryptographic algorithms for the sender’s mobile device. Data from the sender is converted
into a cryptic string of data that can only be deciphered by using a secret cipher known as a
private key. This private key is provided only to the receiver of the information, a security
measure that helps to protect the data as it travels over various networks and over the
Internet.
In the current software market, there are many different encryption technologies. Windows
Mobile software supports a host of reliable, mature, industry-standard technologies. The
following are encryption algorithms supported by cryptographic service providers in Windows
Mobile software:

Data Encryption Standard (DES). DES is a widely-used method of data
encryption using a private (secret) key that offers 56-bit encryption for each 64bit block of data. For greater security, companies can implement Triple-DES,
which provides 112-bit encryption for 2-key connections and 168-bit encryption
for 3-key connections.

Advanced Encryption Standard (AES). The AES algorithm suite is the
current algorithm recommended by the US National Institute of Standards and
Technology (NIST) for use in U.S. Government applications. Windows Mobile
5.0 supports both 128-bit and 256-bit AES encryption.

RSA. RSA is an Internet encryption and authentication system that provides
encryption algorithms developed for Web browsers. The encryption system is
owned by RSA Security. The company licenses the algorithm technologies and
also sells development kits. The technologies are part of existing or proposed
Web, Internet, and computing standards. Microsoft Windows Mobile software
supports RSA Key Exchange and RSA Signature, both of which offer 512- or
1024-bit encryption.
Network Security for the Windows Mobile Software Platform
5

RC2 / RC4 / RC5. Like DES, RC2, RC4, and RC5 provide encryption to 64-bit
blocks of data, with up to 128-bit encryption. Typically, RC2 and RC4 are faster
and more secure than DES-based encryption standards.
Windows Mobile 5.0 software also includes support for several additional algorithms, including
the Secure Hash Algorithm (SHA-1) and implementation of the Public Key Cryptography
Standard (PKCS) methods for creating, requesting, and securely storing certificates. For
technical specifications of the encryption technologies supported by Windows Mobile software,
see Appendix A.
Security Service Providers
Security Service Providers (SSPs) provide security services for user authentication, credential
management, and message protection. Through the Security Support Provider Interface,
SSPs enable applications to access authentication and cryptographic protection methods.
Depending on existing software, line-of-business applications, and network resources,
Windows Mobile software provides security services for four SSPs.
SSPs help make securing network resources less difficult for network administrators.
Windows Mobile-powered devices offer network administrators the same SSP functionality as
in Windows-based desktop computers. With support for SSPs, network administrators can
expect the same level of security between applications and platforms they rely on in typical
desktop-server deployments.
Windows Mobile software supports the following SSPs:

Kerberos Security Support Provider provides mutual client-server authentication
between Windows Mobile devices and computers running Windows 2000, Windows
XP, and Windows Server 2003. Kerberos provides cryptographically strong mutual
authentication, and it is the preferred client/server authentication method for Windows
networks.

Microsoft Windows NT® LAN Manager (NTLM) Security Support Provider provides
connectivity to systems that are using the NTLM authentication interface. Windows
2000 and Windows Server 2003 natively support (and prefer) the Kerberos
authentication system; the NTLM SSP is provided for backwards compatibility and for
communications with servers that do not support Kerberos.

Secure Channel Security Support Provider is used primarily for secured HTTP
connections; it provides both client and server authentication using X.509 digital
certificates.

Negotiate Security Support Provider allows client and server applications to negotiate
which specific SSP they will use for authentication; applications may be written to
require a given SSP, or they may allow negotiation between client and server.
Local Authentication Subsystem
The Local Authentication Subsystem (LASS) is a new feature in Windows Mobile 5.0 software
that decouples user authentication from the application and its authentication method.
Hardware and software manufacturers can add LASS plug-in modules to provide support for
additional authentication methods, including biometric and smartcard authentication. Windows
Mobile 5.0 applications that are written to use LASS for local authentication can automatically
take advantage of any installed authentication plug-in, providing multiple-factor authentication
in an application-independent way.
The Windows Mobile Mobility and Security Feature Pack adds the ability to use X.509 digital
certificates for authentication. This provides more secure logon capability without the
Network Security for the Windows Mobile Software Platform
6
requirement that users' network credentials be stored on the device, reducing the risk that
those credentials will be compromised.
Microsoft Public Key Infrastructure
Windows Mobile-powered devices can be easily incorporated into existing Public Key
Infrastructure (PKI) deployments and can take advantage of the same certificate and
encryption technology available to desktop and laptop users. Microsoft PKI is a system of
digital certificates, certificate authorities, and other registration authorities. This system uses
public key cryptography to verify and authenticate the validity of server and client computers or
users involved in an electronic transaction. For more information on Microsoft PKI, see Public
Key Infrastructure.
Network Security for the Windows Mobile Software Platform
7
Windows Mobile 5.0 Security Technologies
Windows Mobile software features an architecture that provides the technology backbone to
incorporate Windows mobile devices into enterprise-level networks securely. Additionally, it
includes built-in technologies that provide out-of-the-box functionality to manage local device
security, Web and application security, network security, and wireless security for Windows
Mobile-powered Pocket PCs and Smartphones.
Local Device Security
Network administrators should be able to control which applications can be installed on any
device within their network, including mobile devices that connect directly to resources located
behind corporate firewalls. In addition, network administrators should be able to protect the
data located on mobile devices in case the device is stolen or lost.
The local device security features included with Windows Mobile software work together to
allow network administrators the functionality they need to secure sensitive data moving
between corporate networks and mobile devices. This multifaceted approach to device
security helps ensure system configurations remain updated and protected.
Strong password technology for Windows Mobile-powered Pocket PCs
Mobile devices are subject to loss or theft, even more so than laptops. This susceptibility
means that ensuring the security of locally stored data on mobile devices becomes a high
priority. Windows Mobile-powered Pocket PCs allow network administrators to implement
strong password policies, such as power-on passwords and smartcard authentication, to help
secure access to mobile devices and the data they store. Several third parties are producing
smartcard and token readers that work with Pocket PC devices to provide enhanced twofactor authentication.
SIM lock support
Windows Mobile-powered Smartphones and Pocket PC Phone Edition devices also support a
Subscriber Identity Module (SIM) lock, which allows network administrators to set a password
for the device’s SIM card. Because the SIM card has the ability to store personal and
confidential information, it is crucial to consider ways to protect that information from being
accessed should the device be lost or stolen.
Local and remote device wipe
Windows Mobile 5.0 software allows administrators to erase information from a device under
specified circumstances. The device itself may be configured by the user, or by an
administrator or configuration service provider, to erase the device after a preset number of
incorrect attempts to guess the device unlock password. In addition, Exchange Server 2003
Service Pack 2 provides a remote administration tool that can be used to remotely erase a lost
or stolen device, providing an added degree of protection.
Microsoft SQL Server 2005 Mobile Edition
In addition to strong password technology, network administrators have the option to
implement Microsoft SQL Server™ 2005 Mobile Edition (SQL Mobile) on Windows Mobilepowered Pocket PCs to provide application and file-level security. SQL Mobile technology
stores local information in encrypted databases. The information can be accessed, viewed,
and modified only by a user who has the correct credentials and user rights.
Network Security for the Windows Mobile Software Platform
8
Network Security
With mobile devices becoming more versatile and able to store and transmit large packets of
data, the risk of these devices introducing malicious code or viruses to a network has
increased dramatically. Windows Mobile 5.0 software can take advantage of advanced
authentication technology to help ensure network resources stay protected when accessed
from mobile devices.
Microsoft certificate technology
Windows Mobile software supports the X.509 digital certificate format, which enables network
administrators to apply enterprise-level certificate standards to Windows Mobile devices using
Microsoft PKI. The following applications use certificates for most Windows Mobile-powered
devices:
Microsoft Pocket Internet Explorer for Secure Sockets Layer (SSL) connections for Pocket
PCs.
Microsoft Exchange Server 2003 for SSL over-the-air and server-based synchronizations.
802.1x Extensible Authentication Protocol / Transport Layer Security for wireless connections.
Network administrators can control where certificates are stored, locally or on removable
media such as a smartcard or token. This control helps prevent certificate information and
associated privileges from being used by unauthorized users should the mobile device be
stolen or lost. Windows Mobile includes root certificates for major certificate authorities
(including Microsoft, Entrust.net, Equifax, GlobalSign, GTE Cybertrust, Thawte, and Verisign).
Optionally, administrators can control which certificate authorities are trusted by modifying the
list of trusted root certificates on the device using the appropriate tool:
Addrootcert.exe to install root certificates on Pocket PC 2002 and Pocket PC Phone Edition
2002 devices.
Spaddcert.exe to install root certificates on Windows Mobile-powered Smartphones.
Certinst.exe to install root certificates on Windows Mobile-powered Pocket PC and Pocket PC
Phone Edition devices.
Virtual Private Network
Windows Mobile-powered devices can connect to corporate networks through secured VPNs.
Windows Mobile software not only supports traditional Point-to-Point Tunneling Protocol
(PPTP) VPN connections, but also allows employees and network administrators to create
VPN connections that use Layer Two Tunneling Protocol (L2TP) technology with IP Security
Protocol (IPSec) encryption, which uses client certificates to authenticate connections.
VPN software can apply a number of supporting technologies to help protect data traveling
over VPNs from Windows Mobile-powered devices. These technologies include public key
certificates, pre-shared keys, encryption, and Internet Key Exchange protocol, which supports
authentication and key exchange using the Diffie-Helman algorithm. When these technologies
are used in combination, network administrators can create VPN connections that provide
multiple layers of security to authenticate sender and recipient credentials and protect data
and the communication lines it travels over.
Extensible Authentication Protocol
Windows Mobile-powered Pocket PCs can also create VPN connections by using the
Extensible Authentication Protocol (EAP). The feature provides a layer of protection for
communication between mobile devices and enterprise networks that use Protected
Network Security for the Windows Mobile Software Platform
9
Extensible Authentication Protocol (PEAP) authentication methods and Transport Layer
Security (TLS) encryption to create a security-enhanced channel of communication.
Information Service Encryption
For employees who use Microsoft ActiveSync® technology to connect to e-mail, calendar, and
personal contacts applications, Windows Mobile software supports Microsoft Exchange
ActiveSync features that can create a protected connection to the company’s Microsoft
Exchange Server 2003. With Exchange ActiveSync, network administrators can allow, or
require, Windows Mobile-powered devices to create SSL-encrypted connections with
Exchange Server 2003. By default, SSL-encrypted connections are 128-bit.
Employees who use Pocket Internet Explorer to retrieve personal information, for example
through Microsoft Outlook® Mobile Access, can also create 128-bit SSL connections with Web
servers, and use Hypertext Transfer Protocol over SSL (HTTPS). Wireless Transport Layer
Security (WTLS) handles Wireless Application Protocol (WAP) security for mobile devices
when employees connect to WAP-enabled Web sites. WTLS class 2, which provides server
authentication with encryption, is also supported.
Wireless Security
Wireless security is important to consider when implementing mobile devices as part of an
enterprise-level network. Most mobile devices offer some type of wireless connectivity to both
public and private wireless access points. Eavesdropping and “packet sniffing” (intercepting
and inspecting data packets by using software or hardware devices) have become major
threats to users of public and, sometimes, private wireless connections.
Windows Mobile-powered devices include support for wireless connections and can be
configured to work with multiple enterprise-level wireless protection technologies, including the
802.1x protocol, Wireless VPN, and Wired Equivalent Privacy (WEP) wireless encryption.
VPN over Wireless Networks
Because Windows Mobile includes native support for VPNs, mobile users can feel safer when
using 802.11-based connections to communicate with a corporate network, using the same
VPN technologies available to wired clients. With VPN security for wireless connections,
employees are provided with user authentication and a strongly encrypted connection. In
addition to the built-in support for PPTP and IPsec/L2TP VPNs in Windows Mobile, many third
party vendors offer Windows Mobile VPN clients for specific proprietary VPN implementations.
802.1x encryption and authentication
The standard typically used for wired networks, the Institute of Electrical and Electronics
Engineers’ (IEEE) 802.1x, has been adapted to provide wireless network encryption and
authentication services. The 802.1x standard offers better wireless security than traditional
WEP or nonsecured networks for large organizations to protect and control access to network
resources. The protocol defines port-based network access control by using the physical
characteristics of the switched LAN infrastructure to authenticate devices attached to a LAN
port. Access to the port can be denied if the authentication process fails.
Windows Mobile-powered devices support wireless 802.1x authentication standards for
wireless connections. A typical 802.1x-protected network will use EAP-TLS, in which all of the
EAP-protected exchanges are secured by the TLS protocol. Depending on existing network
resources, network administrators can include a number of 802.1x-supported security
technologies, including username and passwords, certificates, smartcards, or biometrics, to
protect mobile devices.
Network Security for the Windows Mobile Software Platform
10
WEP Wireless Encryption
Windows Mobile-powered Pocket PCs and Smartphones also support WEP wireless security,
which uses a pre-shared wireless key to encrypt wireless connections. WEP provides the least
amount of wireless security for mobile devices, and the technology’s security flaws have been
well documented. WEP-based wireless connections can be used in combination with a more
secure authentication method, such as a VPN connection.
Wi-Fi Protected Access (WPA)
WEP encryption is generally acknowledged as weak because there are a number of practical
attacks that allow passive eavesdroppers to recover WEP encryption keys. For that reason,
Microsoft and its partners have aggressively moved to support the Wi-Fi Protected Access
(WPA) standard. WPA offers stronger cryptographic protection than WEP; the Windows
Mobile implementation of WPA supports use with an 802.1x authentication server or with preshared keys.
Third-party Wireless Wide Area Networks
Many Windows Mobile-powered Smartphones and Pocket PC Phone Edition devices connect
to voice and data wireless wide area networks (WWANs) provided by mobile operators. The
technology used to connect to these WWANs is embedded in the device, and varies according
to the device manufacturer and mobile carrier. Most devices support either Global System for
Mobile communication (GSM)/General Packet Radio System (GPRS) or code-division multiple
access (CDMA)/1xRTT technology.
With these WWAN connections, mobile users can connect to the Internet and then to
corporate networks and e-mail accounts. Because of this extensive connectivity, many of
these service providers allow mobile users to take advantage of network security features for
mobile devices, such as SSL- and VPN-based connection protocols and technologies. For
devices that connect to network resources using third-party carriers, network administrators
should make sure that all security settings and technologies required to connect to network
resources will be supported by these carriers. And network access should be denied to mobile
users who connect without meeting these security requirements.
Network Security for the Windows Mobile Software Platform
11
Scenarios
The following section describes usage scenarios for employees who connect to corporate
networks by using a Windows Mobile-powered Pocket PC or Smartphone.
Connecting to a Corporate Network using 802.1x and EAP-TLS
With Windows Mobile-powered devices, employees can easily connect to their corporate
Windows-based network by using a wireless connection secured by the 802.1x protocol with
EAP-TLS to link their mobile device to the network.
The most common reason that employees connect to the network is to retrieve personal email and calendar information. To do so, an employee first accesses his or her device by
entering a password or SIM lock code. If the password or lock code is incorrect, access to the
device will be denied. When access has been granted, the employee can use the Microsoft
Connection Manager to establish a VPN connection to the company’s corporate network.
Network administrators can also integrate smartcard or biometric modules onto mobile
devices to provide a two- or three-factor authentication process.
As shown in Figure 2, when an employee is connected to an 802.1x-protected wireless access
point, the network authenticates access against the mobile device’s machine certificate.
Wireless encryption is handled by using dynamic WPA keys that change on a predetermined
time frame. Because WPA keys are changed at predetermined time intervals and
authentication is controlled with machine certificates, the threat of an unauthorized user
stealing local data, WPA keys, or user credentials over the wireless connection can be
dramatically reduced.
Figure 2. Connecting to a Microsoft Windows network using 802.1x with EAP-TLS
Network Security for the Windows Mobile Software Platform
12
Connecting through a Wireless Hotspot or Third-party WWAN
If the same employee wants to access the corporate network from a wireless hot spot (for
example, in a coffee shop), or through a third-party WWAN, security features built into
Windows Mobile software allow her access with increased security, as well. Depending on the
type of wireless connection, the employee can connect to her corporate account and maintain
a high level of security. For example, if she connects while using a wireless hot spot in a
coffee shop that uses no type of wireless protection, she can connect to her corporate network
by using her VPN connection. Data sent over the VPN connection is encrypted, and Internet
access is made available through the corporate proxy server rather than the hot spot’s local
router.
Figure 3. Mobile connection to a corporate network using a third-party WWAN
Connecting by using Exchange ActiveSync
Alternatively, the employee can access her e-mail account by using Exchange ActiveSync,
which will allow her to send and receive e-mail, calendar, contact, and task data through
Exchange servers on the corporate network. Exchange ActiveSync connections are protected
with 128-bit SSL encryption.
With Exchange ActiveSync, her e-mail, calendar information, and other Exchange-based
features can be accessed quickly from off-site locations. She can create a synchronization
schedule for working hours (peak), non-working hours (off-peak), and while roaming.
Synchronization can be set to occur automatically from as often as every five minutes to as
seldom as every four hours for each of these “profiles”, or even to only occur when manually
invoked. Alternatively, synchronization can be set to occur when a new message arrives at the
Exchange Server 2003 computer for any of these “profiles”. When a new message arrives in
her Inbox, Exchange Server 2003 sends an SMS message notification to the employee’s
mobile device. Upon receiving this message, the mobile device automatically synchronizes
with Exchange Server 2003 and updates her mobile device.
With Exchange Server 2003 Service Pack 2 and the Messaging and Security Feature Pack
(MSFP) for Windows Mobile 5.0, users can use the new Direct Push technology to receive
Network Security for the Windows Mobile Software Platform
13
pushed e-mail as it arrives at the server, without waiting for a scheduled synchronization.
MSFP devices maintain a latent TCP/IP connection to the Exchange Server computer,
allowing quick e-mail updates without requiring synchronization on a fixed schedule and
without the use of Short Message Service (SMS) messages to force the device to pull e-mail.
If her corporate network includes Microsoft Internet Security and Acceleration (ISA)
Server 2004 and PKI, network administrators can easily configure ISA Server 2004 to allow
incoming requests from mobile devices to maintain existing security policies for incoming Web
traffic. With certificate services, the employee’s user information is verified against the
company’s CA server. With proper authentication and a secured line of communication, the
employee can access network resources directly from her mobile device. However, if
authentication cannot be verified, access to all network resources will be denied.
Exchange Server 2003 also supports the use of RSA's SecurID authentication mechanism to
provide two-factor authenticated access to electronic mail. The RSA SecurID Server product
supports caching authentication information so that users are not prompted for their SecurID
authenticator at each synchronization.
Network Security for the Windows Mobile Software Platform
14
Conclusion
Microsoft Windows Mobile software employs a multiple-layer approach to security that allows
network administrators to take advantage of existing Windows technologies to deploy and help
protect networks that include mobile devices. As a result, network administrators can provide
feature-rich mobile application with a high level of security to workers so that businesses can
fully realize all the benefits of a mobile work force, including increased productivity, real-time
information sharing and communication, and extended access to information to remote or
dynamic locations.
Additional technical and business oriented information can be found at the Windows Mobile
Business Homepage.
Network Security for the Windows Mobile Software Platform
15
Appendices
Appendix A: Supported Encryption Algorithms
Windows Mobile 5.0 software is certified to meet the standards of Federal Information
Processing Standard (FIPS) 140-2, the US Government set of requirements for products that
securely handle data for government applications.
Algorithm
Base
Enhanced
RSA Key Exchange
512 bit
1024 bit
RSA Signature
512 bit
1024 bit
RC2 block
40 bit
128 bit
RC4 stream
40 bit
128 bit
Advanced Encryption Standard
(AES)
128 bit
256 bit
RC5 block
Not Supported
128 bit
DES
Not Supported
56 bit
Triple DES (2-key)
Not Supported
112 bit
Triple DES (3-key)
Not Supported
168 bit
Secure Hash Algorithm-1 (SHA-1)
160-bit
160 bit
In addition, Windows Mobile 5.0 supports several of the Public Key Cryptography Standard
(PKCS) algorithms, including: PKCS#1 for signing and encrypting data; PKCS#7 for creating
and verifying signed and encrypted messages (including embedded certificates); PKCS#10 for
requesting and processing certificates; and PKCS#12 for securely storing certificates and their
associated private key data. Windows Mobile 5.0 also includes full support for creating,
verifying, and processing S/MIME messages.
Appendix B: Network Security Terminology and Definitions
3DES – Triple Data Encryption Standard

Encryption by separating the original text into fixed-length blocks and then using an
encryption key of differing strengths. 3DES is three successive DES encryptions (64bit blocks and 56-bit key) with different keys equivalent to 168-bit key. AES (Advanced
Encryption Standard) is considered the successor to DES.

DES is a U.S. Government standard created to protect unclassified data.
Biometrics

Using a factor based on physical identity as part of an authentication sequence.
Common biometric technologies include fingerprint readers, iris scanners, and hand
geometry readers.
Smartcard

Credit card or SIM card-sized device for storing security certificates and small
amounts of information (such as passwords, business data, financial account data,
personal medical data, or airline and hotel loyalty program data). Smartcards do their
own cryptographic processing, so they can securely hold sensitive information like
signing keys without exposing them to the outside world. Smartcards are often used
Network Security for the Windows Mobile Software Platform
16
as an additional authentication factor, requiring users to both have the card and know
the associated PIN.
802.1x

A standard published by the Institute of Electrical and Electronic Engineering (IEEE)
for port-based network access control. 802.1x is used to provide authenticated
network access and encryption for Ethernet networks and wireless local area
networks such as 802.11b.
EAP-TLS – Extensible Authentication Protocol - Transport Layer Security

A method for authenticating users and encrypting data associated with the 802.1x
wireless LAN security standard,
VPN – Virtual Private Networking

Using the Internet as a pass-through mechanism to access a private network,

Some enterprises use VPN gateways (from companies like Alcatel, Avaya, Check
Point, Cisco, Hewlett-Packard, Intel, Lucent, Netscreen, Nortel Networks, Radguard,
Secure Computing, and Symantec) that utilize the IPSec tunnel mode protocol. PPTP
and IPSec L2TP are additional VPN standard protocols used in the Microsoft
Windows server platform and in other VPN gateways from companies such as Cisco.
SSL – Secure Socket Layer

Industry standard method for protecting Internet communications. SSL security
protocol provides data encryption, server authentication, message integrity, and
optional client authentication for a TCP/IP connection. SSL has been renamed to TLS
by the IETF standards body.
WTLS – Wireless Transport Layer Security

Encryption based on SSL that is used with Wireless Application Protocol (WAP)
phone-Internet service.
PKI – Public Key Infrastructure

Digital certificates designed to provide strong user authentication, ensure integrity of
transmitted data, assist with transaction integrity, and encrypt data.
S/MIME – Secure/Multipurpose Internet Mail Extensions

Digitally signed and encrypted e-mail using certificates.

S/MIME is being phased in as a requirement by the U.S. Dept. of Defense, U.S.
government contractors, and other international government organizations.

S/MIME is fully supported by Windows Mobile 5.0 devices.
Network Security for the Windows Mobile Software Platform
17