SideShow Security (Windows CE 5.0)
.gif "A checkmark indicates that the information in this topic is relevant for this platform, and that any API listed is also supported on this platform.")
.gif "A checkmark indicates that the information in this topic is relevant for this platform, and that any API listed is also supported on this platform.")
10/16/2008
A Windows Embedded CE powered SideShow device connects and communicates with a Windows Vista computer by using Microsoft Bluetooth, USB, or TCP/IP connections. Registering a SideShow device with a Windows Vista computer is accomplished through a series of manual steps the user must initiate and complete. No further security is used for these transports because the user must register the SideShow device, and because the connection methods physically restrict access (a USB connection uses a cable; a Microsoft Bluetooth connection requires proximity).
TCP/IP
The TCP/IP stack for Windows Embedded CE has been implemented to avoid the most common security attacks, but some security risks remain. TCP/IP has the following potential security risks:
- TCP/IP is designed to run over a public network, such as the Internet. If the security of TCP/IP is compromised, it could expose the device or local network to attacks originating from the public network.
- Use extreme caution when using the Internet Protocol Helper application programming interfaces (IP Helper API). It exposes functions that enable programmatic network administration of the local computer.
Secure Socket Layer (SSL) is used with the TCP/IP transport to reduce these risks.
Secure Socket Layer (SSL)
Windows CE supports Secure Socket Layer (SSL) versions 2.0 and 3.0. These are available through Windows Internet Services (WinInet) or directly from Windows Sockets (Winsock). SSL uses an encryption key and an encryption algorithm to secure the HTTP connection. The encryption keys are contained in SSL certificates used by both the client and the server.
SSL Implementation
The goal of implementing Secure Socket Layer (SSL) over the IP connection is to encrypt private data sent from the Windows Vista computer to the Windows Embedded CE powered device. This data can consist of personal information such as calendar items, e-mail messages, or benign information such as local-weather data.
The socket connection implements SSL in order to protect the user’s data through encryption. SSL uses a server-side certificate to enable the client and server to encrypt/decrypt the data transmitted.
OEM Implementation Details
The tasks for the OEM when creating the Windows Embedded CE powered device are very basic. Other than creating an application that uses the sideshow API, all the OEM needs to do is decide which transport to use. If the TCP/IP transport is selected, Secure Socket Layer (SSL) is enabled as the default. SSL can be disabled for debugging purposes, but the device should never be shipped with SSL disabled.