Detailed instructions for use are in the User's Guide.
HP iPAQ Handheld Security Solutions
Overview
Security
HP ProtectTools
Using HP ProtectTools
Odyssey Client
Biometric Fingerprint Reader (HP iPAQ hx2700 series only)
Special issues related to security
Recovering from a locked device
Passphrases
Performance considerations related to data encryption
Network Connections
Virtual Private Network and Wired Equivalency Privacy
Wi-Fi Protected Access (WPA) and TKIP/AES
Wireless fidelity (Wi-Fi)
Wi-Fi hotspots
WLAN standards
Additional Security Solutions
Terminology
For more information
Call to action
Overview
Protecting the private information on your HP iPAQ is serious business. There are many ways to protect your HP iPAQ, and taking advantage of the built-in security features is a great way to start. These security features are powerful defenses against data theft. Your login name and password are great ways to begin protecting your HP iPAQ against theft. It is important to protect the information contained on your HP iPAQ from unauthorized access. Data encryption is probably the best way to protect information on mobile devices as well as on external storage cards. (Data encryption is a conversion process that is used for protecting data.)
This white paper provides detailed information about HP ProtectTools, Odyssey Client®, and biometric security solutions. In today's world, a lot of valuable information is stored on handheld devices. That is why securing your personal data is so important to HP. The HP ProtectTools security features provide on-device security protection that decreases the risk of losing sensitive data and of unauthorized access to your HP iPAQ. In addition, Odyssey Client allows easy and secure connection to a wireless network. This document is designed to help you understand security and how it works on HP iPAQ devices.
Security
Security is a crucial issue facing business users today. Without strong security protection, a lost or stolen mobile device can give unauthorized users easy access to mission-critical data and network resources, exposing the business to potential legal liability, financial loss, and competitive espionage. For these reasons, strong security is an indispensable asset for mobile business computing devices such as HP iPAQ handhelds. HP iPAQ devices address these security challenges head-on with a unique mix of advanced features and tools designed to prevent unauthorized access to user data. Several important technologies converge to make it happen:
· HP ProtectTools secured by CREDANT Technologies uses many of the same capabilities found in that company's enterprise-class Mobile Guardian® product, including user authentication and data encryption. (Authentication is the process of granting or denying someone access to a network resource.)
· Odyssey Client, developed by Funk Software, Inc., allows users to connect their device (HP iPAQ hw6900 Mobile Messenger series only) to multiple secured wireless networks. Odyssey Client supports networks that adhere to the 802.11b wireless LAN standards. These networks can be found in hotels, airports, and other Internet hotspots.
· A special Biometric Fingerprint Reader allows users to easily log in with a swipe of the finger (HP iPAQ hx2700 series Pocket PC only) and/or with a PIN (personal identification number). This feature provides highly secure, convenient, and fast authentication without users having to remember passwords.
· Full virtual private network (VPN) and WEP-enhanced security is included in the Microsoft operating system. A VPN provides enhanced security when accessing corporate data over the Internet. WEP provides 64-bit and 128-bit encryption security when connected via wireless networks (802.11b).
· Even more advanced security for wireless communication is available through built-in support for 802.1X and WPA (Wi-Fi Protected Access), along with support for LEAP and TKIP. LEAP is used for authentication purposes.
Mobile viruses are not currently a serious threat, but it is important to be aware of potential risks to your HP iPAQ. Viruses (also called worms or Trojan horses) are malicious and can be widely distributed. When you download programs or files that are already infected, a virus can spread between your personal computer, laptop, or other removable storage. To get more information about mobile viruses, visit http://www.microsoft.com/athome/security/viruses/mobilevirus.mspx.
HP ProtectTools
The special security technology found in many HP iPAQ devices is provided by HP ProtectTools, a suite of built-in, not bolted-on, security solutions. These security solutions are based on the same technologies used by market leader CREDANT Technologies Inc. CREDANT Mobile Guardian® (CMG) provides solutions that reduce specific security risks to handheld users. These security solutions provide certain advantages that allow you to protect your device more effectively. The first layer of security involves PIN or password access for HP iPAQ devices. A second layer of defense involves data encryption, which helps ensure that sensitive information remains confidential. You can encrypt e-mail messages, attachments, My Documents, and other files, which are then automatically protected whether stored on the device or on an external storage card. (By default, all data in the My Documents folder is encrypted.) If you forget your PIN or password, you can regain access by entering an answer to a pre-selected question. If a device is lost or stolen, aggressive failsafe actions can be automatically invoked to hard reset the device back to factory defaults after a pre-determined number of access attempts.
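The layering described above (PIN, recovery question, hard reset after a set number of failed attempts) can be modeled as follows. This is an added illustration, not HP ProtectTools or CREDANT code: the class, its parameters, and the sample PIN and answer are constructed for the example. It assumes that PIN and recovery-answer failures share one counter and that the hard reset is modeled by discarding the encryption key.

```python
import hashlib, hmac, os

def _digest(secret: str, salt: bytes) -> bytes:
    # Store only a salted, slow hash of each secret, never the secret itself.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

class DeviceLock:
    """Toy model: PIN unlock, recovery-question fallback, wipe after N failures."""

    def __init__(self, pin, answer, max_attempts=5, wipe_enabled=False):
        self.salt = os.urandom(16)
        self.pin_hash = _digest(pin, self.salt)
        # Normalise the answer so case and spacing do not lock the owner out.
        self.answer_hash = _digest(answer.strip().lower(), self.salt)
        self.max_attempts = max_attempts
        self.wipe_enabled = wipe_enabled   # assumption: the failsafe is opt-in
        self.failures = 0
        self.wiped = False
        self.data_key = os.urandom(32)     # stands in for the data encryption key

    def _check(self, candidate: bytes, stored: bytes) -> str:
        if self.wiped:
            return "wiped"
        if hmac.compare_digest(candidate, stored):   # constant-time comparison
            self.failures = 0
            return "unlocked"
        # PIN and recovery failures share one counter, so the recovery
        # question cannot be used for unlimited extra guesses.
        self.failures += 1
        if self.wipe_enabled and self.failures >= self.max_attempts:
            self.data_key = None   # model of the hard reset: key material is gone
            self.wiped = True
            return "wiped"
        return "denied"

    def try_pin(self, pin: str) -> str:
        return self._check(_digest(pin, self.salt), self.pin_hash)

    def try_recovery(self, answer: str) -> str:
        return self._check(_digest(answer.strip().lower(), self.salt), self.answer_hash)

def demo() -> list:
    # Constructed sample values; three failures in a row trigger the wipe.
    lock = DeviceLock(pin="4821", answer="Blue Heron", max_attempts=3, wipe_enabled=True)
    return [lock.try_pin("0000"), lock.try_recovery("red fox"),
            lock.try_recovery(" blue heron "), lock.try_pin("1111"),
            lock.try_pin("2222"), lock.try_pin("3333"), lock.try_pin("4821")]
```

In the sequence run by `demo()`, the correct PIN entered after the wipe no longer unlocks anything, which is why regular backups matter once the failsafe is enabled.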
Using HP ProtectTools
HP ProtectTools helps protect your device and the data stored on it. When HP ProtectTools is enabled, you may have an option to enroll a fingerprint or enter a PIN and/or password to access the device. If you have set the security features on your device and are unable to successfully swipe your fingerprint, or you forget your PIN or password, you can access your device with a back-up question and answer. You should only need to set up HP ProtectTools one time. If needed, you can make changes to any of your security settings later. Refer to the HP iPAQ documentation on the Companion CD or Getting Started CD to learn more about:
· Setting up HP ProtectTools
· Managing security options
· Changing your HP ProtectTools settings
· Encrypting/decrypting data
Odyssey Client
Using Odyssey Client, you can do the following:
· Connect your HP iPAQ to a wireless network
· Connect peer-to-peer to other devices on a network
· Configure multiple networks to connect to various networks (possibly using different credentials and/or authentication methods)
· Use 802.1x to authenticate to a network
· Use various authentication methods (such as EAP-TTLS, EAP-PEAP, and EAP-TLS protocols) to keep your credentials secure
To use Odyssey Client on your HP iPAQ, your device must have an 802.1x-compliant network interface card (NIC) driver. The HP iPAQ can be compatible with your preferred WLAN security protocol for network authentication. A readme.txt file is included with the Odyssey Client software that lists compatible devices.
You will need a license key to use Odyssey Client. A license key is a text sequence that corresponds to your licensed copy of Odyssey Client. During the installation process, you are prompted to enter the license key. You can also enter the license key after the installation process. Several features of Odyssey Client are licensed separately. Depending on the license, some features may be unavailable and areas of the user interface may be grayed out.
You will need to install the Odyssey Client software onto your HP iPAQ. For instructions on installing Odyssey Client via the CD or web download version, refer to the information that came with your HP iPAQ.
After configuring a network on Odyssey Client, you must be within range of an access point to log on to a specified network and connect to it. Some wireless networks require that you log on, while others let anyone within range log on. The access point links your HP iPAQ to a network. (The range of an access point is usually several hundred feet.) If there is no access available, two or more wireless devices can use peer-to-peer networking to share files and play games. No additional hardware equipment is needed to use peer-to-peer networking.
Currently, the Odyssey Client for network authentication is available with the HP iPAQ hw6900 Mobile Messenger series only.
Biometric Fingerprint Reader (HP iPAQ hx2700 series only)
The built-in Biometric Fingerprint Reader is exclusive to the HP iPAQ hx2700 series. The built-in fingerprint reader is convenient, and it adds an extra level of security for authorized users. This robust security feature easily identifies authorized users and prevents access by others. Depending on the strength of protection required, you can specify whether to identify yourself using only a fingerprint, a PIN, a password, or various combinations of these methods. This type of identification is virtually foolproof, for the simple reason that fingerprints are a unique form of biometric identification possessed only by the specific user. A fingerprint also provides the ultimate in convenient access, because it does not have to be remembered like a password or PIN. You can also find more specific information about how to enroll fingerprints using HP ProtectTools in the User's Guide on the Companion CD. (If you purchased an HP iPAQ hx2700 Pocket PC, the Companion CD is available with your device.)
Special issues related to security
The unprecedented set of powerful security features found in the HP iPAQ hx2000 series requires new behavior from some individual users. In particular, users run the risk of losing current data on their devices if regular backups do not occur and they forget any required access passwords or PINs. This is because a locked device without a password requires a "hard reset" that will wipe out all of the data on the unit. The "hard reset" feature is another level of security that helps prevent data theft by unauthorized users. For the strongest level of protection, you can set a flag in the device that blocks any attempt to log back in after a certain number of tries. The HP default is to turn this flag off. If this flag is turned on, in circumstances where lockout ...