Computerworld

Certicom secures PDAs

With the loss or theft of handheld devices an inevitable fact of life, Certicom Corp. is introducing a way to lock up handheld devices so even if they are stolen, no one can lift the data stored on them.

Called movianCrypt, this software protects the PDA with a password and encrypts all the data stored on it so even if someone manages to bypass the password, all they get is impenetrable gibberish. The encryption used is the 128-bit Advanced Encryption Standard, which the Internet Engineering Task Force considers the most secure there is.

Despite the power of the encryption and the limited processing power of PDAs, movianCrypt doesn't seem to slow down use of data stored on the devices, says John Houser, a network engineer for life insurance company AEGON USA who has used the software. "There is virtually no delay," he says.

He says it is important to encrypt the data because it is possible through a "developer's backdoor" to bypass passwords and read the data on the device. These backdoors are there so users can check code as they write or customize applications.

Other encryption software, such as Datagator made by Jawz, only encrypts a single file where users have to dump all the data they want to protect. Anything else is left unencrypted. James Kobielus, an analyst with The Burton Group.

As users call up data on the devices, it is automatically decrypted. As the application is closed, movianCrypt encrypts it again, using processor downtime to do so. That way, the next application being used doesn't slow down, says Stacey Wu, a senior analyst with Mobile Insights.

The software supports the Palm Inc. operating system versions 3.0 and above, and Certicom says it has a prototype written for Windows CE devices.

Some PDA operating systems, such as Palm's, come with password protection that locks down the device, but the password is stored on the PDA. That means whoever gets control of the device can hot-synch it with a PC where password-cracking tools can break in to access the data. The password for movianCrypt is not stored on the device.

Instead, users scribble on the PDA screen with a stylus, and that line is digitized, creating a unique string of numbers that is used as an encryption key. Users also choose a password of up to 25 characters. Both the key and the password are subjected to a mathematical function called a hash, creating an outcome called a digest.

When users enter their password, it and the key are subjected to the same hash. If the resulting digest matches the one stored on the PDA, movianCrypt admits the user.
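The digest check described in the two paragraphs above, sketched as an added example that is not Certicom's code. The article names neither the hash nor where the key is held at unlock time, so SHA-256, the stroke-to-key step and passing the key in as an argument are assumptions, and the stroke coordinates are constructed sample data.

```python
import hashlib
import hmac
import struct

MAX_PASSWORD_CHARS = 25  # limit stated in the article


def key_from_stroke(points):
    """Turn a digitized stylus stroke [(x, y), ...] into a 128-bit key.

    Assumption: the coordinates are packed and hashed; the article only
    says the line is digitized into a string of numbers.
    """
    raw = b"".join(struct.pack(">HH", x, y) for x, y in points)
    return hashlib.sha256(raw).digest()[:16]


def make_digest(key, password):
    """Hash the key and the password together into one digest."""
    if len(password) > MAX_PASSWORD_CHARS:
        raise ValueError("password longer than 25 characters")
    # The length prefix keeps the key/password boundary unambiguous.
    prefix = struct.pack(">B", len(key))
    return hashlib.sha256(prefix + key + password.encode("utf-8")).digest()


def enroll(points, password):
    """Return (key, digest). Only the digest needs to be stored for the
    unlock check; the password itself is never written anywhere."""
    key = key_from_stroke(points)
    return key, make_digest(key, password)


def unlock(key, stored_digest, attempt):
    """Recompute the digest for an entered password and compare it to the
    stored one in constant time."""
    try:
        candidate = make_digest(key, attempt)
    except ValueError:
        return False
    return hmac.compare_digest(candidate, stored_digest)


# Constructed sample stroke (screen coordinates), not real device data.
SAMPLE_STROKE = [(12, 40), (57, 33), (90, 71), (140, 18), (101, 119)]
```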

Users can install the 100K-byte movianCrypt software during a hot-synch with a PC or server.

The software can be downloaded from www.moviansecurity.com. It costs US$40 for one copy and between $18 and $35 for multiple copies, depending on how many. It is available June 11.

http://www.certicom.com