Motorola deal ups m-commerce security

A deal between Motorola and digital certificates company Baltimore Technologies will give a much-needed security boost to m-commerce.

Amid Wap security fears, the pair have taken a further step towards providing true end-to-end security between users' mobile devices and the servers which control transactions.

To date, there has only been Class 2 encryption and authentication in mobile transactions, which means that only the server processing the data is truly secure. This has seen Wap servers being secured by wireless transport layer security (WTLS), but the mobile device generating the transaction has been far from secure.

Users and m-commerce companies could not therefore guarantee the basic requirements of any digital transaction: confidentiality, authentication, authorisation, integrity and non-repudiation.

But Class 3 authentication, an extension to WTLS, is the main thrust of the Motorola/Baltimore agreement. The mobile industry is moving towards the Wireless Identity Module (WIM), of which Class 3 is a part. This solution sees both powerful encryption laid on between the device and the server, as well as the generation of digital certificates through users' personal SIM cards in their mobile devices.

Until now, banks and most financial companies have been unwilling to offer anything more than account balances and similar low grade facilities via Wap. But the fact that users will soon be able to carry their own encrypted digital certificates on their mobiles, will mean that companies will be more confident about offering the opportunity for real trades, without the fear of being sued if something goes wrong when users connect to their servers.

John Fallon, director of wireless at Baltimore, said: "There is an evolution taking place among devices to offer certificate support, but this deal will quickly offer root certificates to users which will enable them to trade with servers carrying Baltimore certificate support."

Whenever a Motorola handset user trades with a server equipped with Baltimore's technology, they will have the capability to use a digital certificate with which to trade. They will also know that they are dealing with a trusted server and are in a secure session using at least 128-bit encryption.

Fallon said that when the next version of Wap is established - Wap 1.2 - the user will be able to carry both a Baltimore certificate to use with specific servers for particular trades - with their own bank, for instance - and a personal certificate for all other trades.

First published in Network News