Windows Mobile Encryption and Security Certifications

Security

There is a lot of talk about what policies Windows Mobile Supports and you can find a Matrix here on the various security policies you can apply to Windows Phones. Today I’ve decided to expand a little on the on device encryption and SD Card encryption policies as well as outline some of the details around Common Criteria Certification and FIPS Compliance that Windows Mobile enjoys.

On Device Encryption

Windows Mobile 6.1 supports AES 128 Encryption for On Device Encryption. If this policy is enabled in Exchange, you will encrypt the PIM.VOL file which contains all your Email, Tasks, Calendar Info and your notes. It will also encrypt the TEMP Directory and the My Documents Folder. In short your critical information will be encrypted. Mobile Device Manager (MDM) gives you the additional ability to also encrypt other directories.

Note:

1. There is no way to export the Encryption Key

2. The Encryption Key Changes on Hard Reset

3. Device encryption can only be enabled via a security policy there is no way a user can enable this feature in Windows Mobile.

SD Card Encryption

Windows Mobile 6.0 onward supports AES 128 Encryption for files written to the SD card. If this is enabled either by the user or via policy then any files that are copied to the SD Card, edited on the SD Card or moved to the SD card will be encrypted. Any files that existed on the SD card that were obtained from other sources like a PC will not be touched. If you removed the SD card from the Windows Phone you WILL NOT be able to read the encrypted contents on any other Windows Phone or PC.

Note:

1. There is no way to export the Encryption Key

2. The Encryption Key Changes on Hard Reset

Common Criteria Certification

Windows Mobile 6.1 obtained Common Criteria Certification. The Common Criteria for Information Technology Security Evaluation (abbreviated as Common Criteria or CC) is an international standard (ISO/IEC 15408) for computer security.

Common Criteria is based upon a framework in which computer system users can specify their security requirements, vendors can then implement and/or make claims about the security attributes of their products, and testing laboratories can evaluate the products to determine if they actually meet the claims. In other words, Common Criteria provides assurance that the process of specification, implementation and evaluation of a computer security product has been conducted in a rigorous and standard manner

Microsoft Windows Mobile 6.1 completed evaluation to Common Criteria EAL 2 augmented with Flaw Remediation (ALC_FLR.1) in the AISEP on 7 August 2008.

The Windows Mobile 6.1 evaluation builds on and extends the core security features of the Microsoft Windows Mobile 6 evaluation at EAL 2+.

Further details about the scope of the evaluation can be found at https://www.dsd.gov.au/infosec/evaluation_services/epl/mobile_products/windows_mobile_v6.1.html

FIPS Compliance

Windows Mobile 5.0 onward supports the technologies required for Federal Information Processing Standard (FIPS) compliance. FIPS certification is required for selling products to the federal government. Some security-sensitive industries such as finance and insurance, have also adopted FIPS certification.

FIPS 140-1 and its successor, FIPS 140-2, are U.S. Government standards that provide a benchmark for implementing cryptographic software. They specify best practices for implementing cryptographic algorithms, handling key material and data buffers, and working with the operating system.

An evaluation process administered by the National Institute of Standards and Technology (NIST) Cryptographic Module Validation (CMV) Program (https://csrc.nist.gov/cryptval/) allows encryption product vendors to demonstrate the extent of their compliance with the standards, and thus the trustworthiness of their implementations.

Further details about the scope of the evaluation can be found at https://technet.microsoft.com/en-us/library/cc182284.aspx