Friday, January 1, 2010

Securing/encrypting avantgo m-business databases (virgil) on device

Originally Published 2004-08-23 12:02:39

The following is a technical note written to address Virgil database encryption requirements using Afaria 5.1. Any questions, comments, or feedback are greatly appreciated.



Currently, the device-side Virgil databases used in M-Business Anywhere applications (e.g. Mobile Sales) do not have an on-device encryption solution. In the technical services group, we encountered this problem during a recent project proposal. In the future, it may be possible to take advantage of encrypted UltraLite databases using the UltraLite Pod for applications such as Mobile Sales (this depends on the product roadmap and isn't guaranteed). For an immediate solution, we looked at the Afaria 5.1 Security Manager technology. The Security Manager channels created by Afaria can encrypt specified files while the device is powered off. This encryption, partnered with forced password protection, provides additional security for the Virgil database files on a device. However, unlike an UltraLite database, the database files are not encrypted while the device is in use.



The following technical note highlights the general use and the steps required to implement encryption of the Virgil database using Afaria 5.1. This procedure has undergone minimal testing, but has proven to work on both Windows CE and Palm devices. Extensive testing is recommended before a production deployment.



Usage Illustration:



1) The device is turned on

2) All files marked for encryption by the Afaria Security Manager are currently encrypted.

3) The user is prompted for a password.

Note: Afaria can be configured to deny non-administrator access to the PDA after a specified number of failed logins. Other possible actions include deleting all encrypted data or performing a hard-reset.

4) The user is successfully authenticated.

5) All files marked for encryption by the Afaria Security Manager are decrypted and are now readable.

6) User shuts down device

7) All files marked for encryption by the Afaria Security Manager are encrypted.

Note: Afaria Security channels can be configured to encrypt the desired files using one of the following algorithms:

- Blowfish

- AES

- Triple DES

- RC2

8) Device is powered down.



Note: It may not be feasible to use this solution with larger Virgil databases because of the delay introduced by encrypting/decrypting the database files at power-off and power-on. It is recommended to test the performance of the encryption with several encryption algorithms on sets of data that represent typical and high-end deployments.



Implementing this solution requires a workaround on Windows CE devices and is rather straightforward on Palm devices. Security channels designed for the CE device cannot encrypt files found in or underneath the \Program Files and \Windows directories. Since Virgil databases are installed underneath \Program Files, they will have to be moved to take advantage of the Afaria encryption features.



Windows CE implementation:



Requirements:

Afaria 5.1 Server

Windows CE Device with a synchronizing M-Business Server application using Virgil technology.

Windows CE Registry Editor - http://www.phm.lu/products



Implementation Steps:

1) Install a Windows CE Registry Editor on your CE device

2) Change the following two registry values:

HKEY_CURRENT_USER\Software\AvantGo\DatabaseLocation from \Program Files\AvantGo\Databases to \AvantGo\Databases.

HKEY_CURRENT_USER\Software\AvantGo\SRSDatabaseLocation from \Program Files\AvantGo\Databases\srs to \AvantGo\Databases\srs.

3) Move the entire Databases directory found in \Program Files\AvantGo to a newly created AvantGo directory off of the root.

Note: Steps 1-3 can be accomplished using an Afaria Session Manager channel: include both the session and security channels in the same channel set and send it to the CE device.

4) Synchronize your M-Business Anywhere application to ensure the move was successful.

IMPORTANT NOTE: If we want this to be a viable solution for customers, it would be beneficial to have a version of the M-Business Client installation that contains registry values similar to those changed in previous steps.

5) Disable any password on the CE device. Start | Settings | Password

Note: You can also use Afaria Session Manager channels for this because enabling/disabling the CE password is controlled by a registry flag.

6) Create an Afaria security channel for CE devices on the Afaria 5.1 server.

i) On the Channels, Administration bar, click New and then choose Security Manager channel.

ii) In the Client types dialog, label the channel and choose the WinCE Client type and click Next.

iii) Accept the selected Enforce power-on password check box.

iv) To allow an administrator's password to unlock a locked down device, select the respective check box, then enter and confirm the password.

v) Specify the allowable number of invalid password attempts before the device locks down and choose the desired lockdown behaviour.

vi) Select Next twice to complete the channel. (Encryption settings are handled later)

vii) In the left pane of Channels, Administration, select the newly created Security Manager channel.

viii) Select Set encryption options

ix) Select the Allow user to select additional files / databases for encryption check box.

x) Click the Add link and specify \AvantGo\*.* for encryption. Select the Include sub-folders check box and click OK.

xi) Return to Channels, Administration, click Save and then Close.

xii) Right-click on the newly created channel and select "Publish". You need to 'publish' a channel before a client can 'subscribe' to it.

7) Install the Afaria client on the CE device.

8) Configure the Afaria client to connect to your Afaria 5.1 server machine

i) Start the Afaria Client in Start | Program Files

ii) Select View | Configuration

iii) Specify the name or IP address of the Afaria 5.1 server machine.

iv) Enter the newly created security channel in the Channel Name field. The channel name must be preceded by a backslash.

v) Select OK.

9) Synchronize the device to obtain the Security Channel from the Afaria server.

10) Power down the device and test the encryption behavior.
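The two rules that make the CE workaround necessary (the channel cannot encrypt anything under \Program Files or \Windows, and it only encrypts files matching the spec entered in step 6) are easy to get half-right: step 2 points the client at the new location, but a file left behind in step 3, or a registry value that was not updated, stays in cleartext at power-off. The following is an added checker written for this note, not Afaria or M-Business code; the database file names, the \Temp path, and the partially applied registry state are constructed for illustration.

```python
import fnmatch
import ntpath

# Directories a CE Security Manager channel cannot encrypt (from the note above).
CE_UNENCRYPTABLE_ROOTS = ("\\Program Files", "\\Windows")


def _norm(path):
    """CE paths are case-insensitive; normalise separators and case."""
    return ntpath.normpath(path).lower()


def _under(path, root):
    p, r = _norm(path), _norm(root)
    return p == r or p.startswith(r + "\\")


def _matches_spec(path, spec, subfolders):
    """Match a file against an Afaria file spec such as \\AvantGo\\*.*."""
    spec_dir, spec_name = ntpath.split(spec)
    file_dir, file_name = ntpath.split(path)
    if not fnmatch.fnmatchcase(file_name.lower(), spec_name.lower()):
        return False  # note: '*.*' does not match a file with no extension
    return _under(file_dir, spec_dir) if subfolders else _norm(file_dir) == _norm(spec_dir)


def bad_registry_locations(registry):
    """Step-2 registry values still pointing into a directory Afaria cannot encrypt."""
    return [name for name, loc in registry.items()
            if any(_under(loc, root) for root in CE_UNENCRYPTABLE_ROOTS)]


def unprotected_files(files, specs):
    """Files left in cleartext at power-off: either under an unencryptable root,
    or matched by none of the channel's (spec, include_subfolders) entries."""
    result = {"unencryptable": [], "unmatched": []}
    for f in files:
        if any(_under(f, root) for root in CE_UNENCRYPTABLE_ROOTS):
            result["unencryptable"].append(f)
        elif not any(_matches_spec(f, s, sub) for s, sub in specs):
            result["unmatched"].append(f)
    return result


# Constructed sample: step 2 applied to one value only, step 3 only partly done.
REGISTRY_AFTER_STEP2 = {
    r"HKEY_CURRENT_USER\Software\AvantGo\DatabaseLocation": r"\AvantGo\Databases",
    r"HKEY_CURRENT_USER\Software\AvantGo\SRSDatabaseLocation": r"\Program Files\AvantGo\Databases\srs",
}
DEVICE_FILES = [
    r"\AvantGo\Databases\MobileSales.pdb",           # hypothetical database names
    r"\AvantGo\Databases\srs\sync.pdb",
    r"\Program Files\AvantGo\Databases\orders.pdb",  # left behind in step 3
    r"\Temp\export.csv",                             # outside the step 6 spec
]
CHANNEL_SPECS = [(r"\AvantGo\*.*", True)]  # step 6(x), include sub-folders

if __name__ == "__main__":
    print(bad_registry_locations(REGISTRY_AFTER_STEP2))
    print(unprotected_files(DEVICE_FILES, CHANNEL_SPECS))
```

Feed it the file list from the device (e.g. a directory listing collected by a Session Manager channel) and the specs actually entered in the channel before step 10, so the power-off test starts from a known-good configuration.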



Palm Implementation:



Requirements:

Afaria 5.1 Server

Palm OS Device with a synchronizing M-Business Server application using Virgil technology.



Implementation Steps:

1) Disable any password on the Palm device. Start | Settings | Password

Note: You can also use Afaria Session Manager channels for this because enabling/disabling the CE password is controlled by a registry flag.

2) Create an Afaria security channel for Palm devices on the Afaria 5.1 server.

i) On the Channels, Administration bar, click New and then choose Security Manager channel.

ii) In the Client types dialog, label the channel and choose the Palm Client type and click Next.

iii) Accept the selected Enforce power-on password check box.

iv) To allow an administrator's password to unlock a locked down device, select the respective check box, then enter and confirm the password.

v) Specify the allowable number of invalid password attempts before the device locks down and choose the desired lockdown behavior.

vi) Select Next twice to complete the channel. (Encryption settings are handled later)

vii) In the left pane of Channels, Administration, select the newly created Security Manager channel.

viii) Select Set encryption options

ix) Select the Allow user to select additional files / databases for encryption check box.

x) Click the Add link and specify your M-Business Anywhere application database file for encryption and click OK.

Note: This requires the administrator to know the names of all M-Business application database files. Repeat this step for all sensitive database files.

xi) Return to Channels, Administration, click Save and then Close.

xii) Right-click on the newly created channel and select "Publish". You need to 'publish' a channel before a client can 'subscribe' to it.

3) Install the Afaria client on the Palm device.

4) Configure the Afaria client to connect to your Afaria 5.1 server machine

i) Start the Afaria Client in Start | Program Files

ii) Select View | Configuration

iii) Specify the name or IP address of the Afaria 5.1 server machine.

iv) Enter the newly created security channel in the Channel Name field. The channel name must be preceded by a backslash.

v) Select OK.

Note: Afaria requires a direct TCP/IP connection to interact with Palm devices. There are several communication options available including: Windows RAS connections, Ethernet cradles, and Wi-Fi connections.

5) Synchronize the device to obtain the Security Channel from the Afaria server.

6) Power down the device and test the encryption behavior.
