
Short Messages; Software Security; Software Installation Security - Nokia 9290 Security Manual

Security white paper

Nokia Mobile Phones
User authentication in GSM networks is done with a SIM card. The authentication is a challenge-response type
scheme as specified in GSM specifications. The strength of the authentication is network-specific. The SIM card
authenticates the user based on their PIN code.

3.2 Short Messages

GSM networks have a bidirectional paging system called SMS (Short Message Service). This means that the user can
send and receive short text messages using the GSM network. Short messages can be transported using GSM
signalling channels, but these signalling channels are not encrypted. Therefore, short messages are not a secure way
to transport data.

4. Software security

As the Nokia 9290 Communicator is a versatile and open programming environment, anyone can create new software
for it. Malicious software is a security risk which should be taken into account. Fortunately, the Nokia 9290
Communicator has a secure software installation system that can be used to minimise the risks. The user must always
be cautious when installing software, however.

4.1 Software Installation Security

Software is distributed in software packages called SIS files. These packages can be digitally signed. By signing a
software package, the originator of the package makes sure that the package cannot be modified while it is being
sent or stored to the communicator.

When installing software, the user will see the alleged originator of the package and the party that authenticates the
originator's identity. For security reasons, it is recommended that software is not installed unless the user trusts both
the originator (author) of the package and the authenticator (certification authority).

The questions the user should ask are: 'Do I allow software produced by X (the author) to be run on my device? Do I
trust Y (the certifier) to vouch for the identity of X (the author)?' If either of the answers is 'no', the user should
cancel the installation.

To view the currently trusted certification authorities, the user can go to the Certificate Manager tool in the Control
Panel. The user can edit trust settings for each listed certificate. By giving a certificate trusted status, the user
vouches that he/she knows that a given certificate really belongs to the given entity.

To summarise:

In order to maximise software security in your communicator:

- When editing trust parameters in the Certificate Manager tool, only trust those certificates whose origin you can
  be sure of, and only when you know that the certificate really belongs to the entity whose name is on the
  certificate. If you are in doubt, contact the certification authority's help desk and ask them for their certificate
  fingerprint. Compare the fingerprint with the one that is displayed in the Certificate Manager tool.
- Make sure that the software is intended for the Nokia 9290 Communicator.
- Only install software that comes in SIS files. Never install raw DLLs or EXEs. Be wary of requests that you 'copy
  file X to folder Y on your Communicator'.
- Only install software that has been signed and only install if you trust both the author and the certification
  authority.
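
The fingerprint comparison recommended in the summary above, sketched as an added example that is not part of the Nokia white paper: a fingerprint is a hash over the certificate's encoded bytes, and the check must tolerate formatting differences while rejecting partial matches. The hash algorithm the Certificate Manager displays is not stated on the page, so SHA-256 is an assumed default; the function names and the sample bytes are constructed for illustration.

```python
import base64
import hashlib
import hmac
import re

def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes inside a single PEM CERTIFICATE block."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)

def fingerprint(der: bytes, algorithm: str = "sha256") -> str:
    """Hash the whole encoded certificate; render as colon-separated upper-case hex."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def normalise(text: str) -> str:
    """Strip separators and case so a dictated and a displayed value compare equal."""
    cleaned = re.sub(r"[\s:.\-]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]+", cleaned):
        raise ValueError("fingerprint contains non-hex characters")
    return cleaned

def fingerprint_matches(der: bytes, claimed: str, algorithm: str = "sha256") -> bool:
    """True only if the full fingerprint matches; a partial value is a mismatch."""
    expected = normalise(fingerprint(der, algorithm))
    given = normalise(claimed)
    return len(given) == len(expected) and hmac.compare_digest(given, expected)

# Constructed stand-in bytes, not a real certificate: the fingerprint is a hash
# over the encoded bytes, so any byte string demonstrates the comparison.
SAMPLE_DER = b"constructed sample certificate bytes for Example CA"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    shown = fingerprint(der)                     # value a certificate tool would display
    dictated = shown.replace(":", " ").lower()   # same value as read out by a help desk
    print(shown)
    print(fingerprint_matches(der, dictated))             # formatting differences ignored
    print(fingerprint_matches(der, shown[:29]))           # truncated value rejected
    print(fingerprint_matches(der + b"\x00", dictated))   # different certificate rejected
```

Comparing only the first or last few characters is the usual way this check fails in practice, which is why a shorter value is treated as a mismatch rather than a prefix match.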

Copyright Nokia Corporation 2001-2002. All rights reserved.
Nokia 9290 Communicator Security White Paper
