Security Services for Windows Mobile 5.0 and Windows Mobile 6

6/2/2010

Windows Mobile implements the following security services as part of the core operating system.


Cryptographic services

Cryptography helps provide confidentiality, integrity and authentication. Windows Mobile offers the following cryptographic services:

  • Encryption, to help provide confidentiality between two communicating parties who have exchanged a shared secret. Encryption on its own does not prove who sent a message; origin authentication needs a keyed integrity check or a digital signature in addition.
  • Hashing, to help verify the integrity of information sent over a nonsecure channel such as the Internet, and to protect user credentials on the device. A bare hash sent alongside the data only detects accidental corruption, because an attacker who can alter the data can recompute the hash; for protection against tampering the hash must travel over a trusted path or be keyed with a shared secret (an HMAC). For example, with Basic Authentication, the user credentials are hashed while stored on the device.
  • Digital signature, to help authenticate another party, or information sent by that party, without prior exchange of a shared secret.

Cryptographic algorithms are used to provide these services. The algorithm implementation is certified as compliant with the US Federal Information Processing Standard (FIPS) 140-2 at Security Level 1. Level 1 is the lowest of the four FIPS 140-2 levels: the certification asserts that the Windows Mobile cryptographic implementations have been independently tested and behave correctly, but it imposes no physical-security requirements on the device. Supported algorithms include the US Government standard Advanced Encryption Standard (AES) in 128-, 192- and 256-bit key lengths, single and triple DES, the Secure Hash Algorithm (SHA-1), and RSA public-key encryption and decryption. Single DES and SHA-1 are retained for compatibility with older peers; both are considered weak by current standards and should be avoided in new designs wherever the peer allows.
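The integrity caveat above, worked through in code. This is an added example and not code from the Windows Mobile documentation: it compares a bare SHA-1 digest with a keyed HMAC-SHA1 over the same message when a man-in-the-middle edits the message in transit. The message, the shared secret and the attacker's edit are all constructed for the demo; SHA-1 is used because it is the algorithm the page lists, and the same code runs unchanged with "sha256".

```python
"""Bare hash vs. keyed hash (HMAC) over a nonsecure channel.

Added example; not code from the Windows Mobile documentation. The message,
the shared secret and the attacker's edit are all constructed for the demo.
"""
import hashlib
import hmac

# Constructed shared secret known to the two legitimate parties only.
SHARED_SECRET = b"example-shared-secret-not-for-real-use"


def bare_digest(msg: bytes, alg: str = "sha1") -> bytes:
    """Unkeyed hash: anyone, including an attacker, can recompute it."""
    return hashlib.new(alg, msg).digest()


def keyed_digest(key: bytes, msg: bytes, alg: str = "sha1") -> bytes:
    """HMAC: recomputing it requires the shared secret."""
    return hmac.new(key, msg, alg).digest()


def verify_bare(msg: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(bare_digest(msg), tag)


def verify_keyed(key: bytes, msg: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(keyed_digest(key, msg), tag)


def attacker_rewrites(msg: bytes, tag: bytes, keyed: bool) -> tuple:
    """Man-in-the-middle: alters the message and tries to fix up the tag.

    Without the secret, the best it can do against a keyed tag is forward
    the original tag unchanged and hope it is not checked.
    """
    new_msg = msg.replace(b"amount=10", b"amount=9999")
    if keyed:
        return new_msg, tag                # cannot recompute the HMAC
    return new_msg, bare_digest(new_msg)   # trivially recomputes a bare hash


def demo() -> dict:
    msg = b"transfer;to=alice;amount=10"   # constructed message
    bare_tag = bare_digest(msg)
    keyed_tag = keyed_digest(SHARED_SECRET, msg)

    tampered, forged_bare = attacker_rewrites(msg, bare_tag, keyed=False)
    tampered2, stale_keyed = attacker_rewrites(msg, keyed_tag, keyed=True)

    return {
        # Receiver relying on a bare hash accepts the altered transfer.
        "bare_accepts_tampered": verify_bare(tampered, forged_bare),
        # Receiver checking an HMAC rejects it, and still accepts the genuine one.
        "keyed_accepts_tampered": verify_keyed(SHARED_SECRET, tampered2, stale_keyed),
        "keyed_accepts_genuine": verify_keyed(SHARED_SECRET, msg, keyed_tag),
    }


if __name__ == "__main__":
    print(demo())
```

`hmac.compare_digest` is used for both checks so that the comparison itself does not leak timing information about how many tag bytes matched.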

For more information about FIPS, see Cryptographic Services and FIPS Compliance in Windows Mobile 5.0 and Windows Mobile 6.

Authentication services

Authentication services can be used by application developers to authenticate clients, using either password-based security packages or client certificates. Services include:

  • Security services for user authentication
  • Credential management
  • Message protection, exposed through a programming interface called the Security Support Provider Interface (SSPI)
  • Integrated support for remote access networking and authentication, including Windows NT® LAN Manager Challenge/Response protocol version 2 (NTLMv2), SSL 3.1 (that is, TLS 1.0), Private Communications Technology (PCT), Point-to-Point Protocol (PPP), and Wireless Transport Layer Security (WTLS) class 2 for accessing secure Wireless Application Protocol (WAP) sites

Virtual private networking support

Built-in support for virtual private networking, using Layer Two Tunneling Protocol with Internet Protocol Security (L2TP/IPsec) or Point-to-Point Tunneling Protocol (PPTP), authenticated with the Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2) and strong passwords. Note that PPTP with MS-CHAPv2 derives its session keys from the user's password, so the tunnel is only as strong as that password and is exposed to offline dictionary attack by anyone who captures the authentication exchange; L2TP/IPsec should be preferred where the gateway supports it. Third-party VPN clients may also be installed.

For more detailed information about VPNs, PPTP, or IPsec/L2TP, see this Microsoft Web site: https://go.microsoft.com/fwlink/?LinkID=82573

Wi-Fi encryption

Support for the Wi-Fi Protected Access (WPA and WPA2) and Wired Equivalent Privacy (WEP) encryption standards for use with 802.11a/b/g wireless LANs.

The following are some of the product compatibility standards for wireless local area networks (WLAN) based on the IEEE 802.11 specifications:

  • WEP (Wired Equivalent Privacy) provides data confidentiality services by encrypting the data sent between wireless nodes. WEP's RC4 keying is cryptographically broken and the key can be recovered from captured traffic in minutes, so it should be used only where no WPA-capable infrastructure exists.
  • Wi-Fi Protected Access (WPA) provides enhanced security for wireless networks and is based on a subset of the IEEE 802.11i standard, using TKIP for encryption.

Applies to Windows Mobile 6:

  • WPA2 implements the full IEEE 802.11i standard and provides a stronger encryption mechanism through the Advanced Encryption Standard (AES) in CCMP mode with 128-bit keys. In the personal (pre-shared key) mode of both WPA and WPA2, the strength of the network is exactly the strength of the passphrase, because the handshake can be captured and guesses tested offline.
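The pre-shared-key point above, as an added example that is not code from the Windows Mobile documentation. It performs the standard WPA/WPA2 passphrase-to-key mapping, PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes), and then runs a small offline dictionary attack against the derived key. The candidate list and the strong passphrase are constructed for the demo. Real attack tools verify each guess against the MIC of a captured 4-way handshake rather than against a known PMK, but the cost per guess is the same single PBKDF2 call, which is what makes a dictionary-word passphrase fatal.

```python
"""WPA/WPA2-Personal: deriving the Pairwise Master Key from the passphrase.

Added example; not code from the Windows Mobile documentation. The candidate
wordlist and the strong passphrase below are constructed for the demo.
"""
import hashlib
from typing import Iterable, Optional


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """IEEE 802.11i Annex H PSK mapping: 8-63 printable ASCII characters."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8-63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, dklen=32)


def recover_passphrase(target_pmk: bytes, ssid: str,
                       candidates: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack: one PBKDF2 evaluation per guess."""
    for guess in candidates:
        try:
            if wpa_pmk(guess, ssid) == target_pmk:
                return guess
        except ValueError:
            continue   # too short or too long to be a WPA passphrase at all
    return None


# Constructed wordlist standing in for a real dictionary.
CANDIDATES = ["letmein", "password", "Password1", "correct horse battery"]


def demo() -> dict:
    ssid = "IEEE"
    # Network configured with a dictionary word: recovered immediately.
    weak = wpa_pmk("password", ssid)
    # Network configured with a long random passphrase (constructed): not in any wordlist.
    strong = wpa_pmk("4kQ9!vZp#Lm2&rT8wXc^Hb", ssid)
    return {
        "weak_pmk_hex": weak.hex(),
        "weak_recovered": recover_passphrase(weak, ssid, CANDIDATES),
        "strong_recovered": recover_passphrase(strong, ssid, CANDIDATES),
    }


if __name__ == "__main__":
    print(demo())
```

The SSID is the PBKDF2 salt, so a PMK table computed for one SSID is useless against another; that is also why common default SSIDs are attractive targets for precomputation. Enterprise mode (802.1X with per-user credentials) removes the shared passphrase entirely.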

Storage card encryption

Applies to Windows Mobile 6:

Support for encryption of data stored on removable storage cards. Storage card encryption uses the Advanced Encryption Standard (AES) with 128-bit keys.

The following list shows the storage card encryption support:

  • Encrypt data written from the mobile device to removable media. The data is encrypted for use on the encrypting device only: the key lives on the device, so the card cannot be read in another phone or in a PC card reader, and the key does not survive a hard reset of the device, after which the encrypted files are unrecoverable. Data written to the card by another device (phone or PC) is not retroactively encrypted by the device. ActiveSync file explorer provides desktop access to encrypted data files through the connected device.
  • Enable over-the-air (OTA) provisioning of the encryption policy through Exchange Server or another OTA device-management (DM) solution.

OEMs and Mobile Operators can provision the encryption policy during a cold boot of the device.

Encryption is transparent to applications and to the user, apart from a performance cost on storage card I/O.

Storage card encryption can be managed by Exchange Server 2007 policies. The user can also manage the mobile encryption configuration through the control panel.

Secure Sockets Layer (SSL) support

Internet Information Services (IIS) and Internet Explorer Mobile implement SSL to help secure data transmission when a user connects to a server to synchronize Microsoft Exchange data, configure the Windows Mobile-powered device, or download applications.

The SSL protocol helps Web servers and Web clients to communicate more securely through the use of encryption. When SSL is not used, data sent between the client and server can be read by anyone able to capture traffic on the network path between them.

SSL secures the channel; the user is then authenticated over it with Basic or Microsoft Windows NT LAN Manager (NTLM) authentication. Basic authentication sends the user name and password in a reversible Base64 encoding, which is as good as plain text to anyone who captures the request. If it is necessary to support Basic authentication, for instance for Web browsers that do not support NTLM, SSL should always be used as well so that the user's password is not exposed on the wire.
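To make the Basic-over-cleartext risk concrete, here is an added example (not code from the Windows Mobile documentation) that scans constructed HTTP request captures the way a sniffer on the path between device and server would see them, flags Basic credentials that travelled over a non-SSL connection, and decodes them. The hostnames, user names, passwords and the NTLM token are all made up for the demo; the `tls` flag stands in for whatever the capture tool records about the transport.

```python
"""Why Basic authentication needs SSL: the credential is only Base64-encoded.

Added example; not code from the Windows Mobile documentation. All captures
below are constructed; hosts, users, passwords and tokens are fictitious.
"""
import base64
import binascii
from typing import Dict, List


def parse_basic(header_value: str) -> Dict[str, str]:
    """Decode 'Basic <base64(user:pass)>' exactly as a server (or a sniffer) would."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic credential")
    try:
        decoded = base64.b64decode(token, validate=True).decode("latin-1")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("malformed Base64 token") from exc
    user, _, password = decoded.partition(":")
    return {"user": user, "password": password}


def find_cleartext_basic(captures: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Each capture: {'tls': 'yes'|'no', 'host': ..., 'request': raw request text}.

    Returns the decoded credentials that were sent without SSL.
    """
    findings = []
    for cap in captures:
        if cap["tls"] == "yes":
            continue               # channel encrypted; the header is not visible
        for line in cap["request"].splitlines():
            name, _, value = line.partition(":")
            if name.strip().lower() != "authorization":
                continue
            try:
                creds = parse_basic(value)
            except ValueError:
                continue           # NTLM or another scheme: not a reversible credential
            findings.append({"host": cap["host"], **creds})
    return findings


def _basic_header(user: str, password: str) -> str:
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


# Constructed captures: a plain-HTTP ActiveSync request with Basic auth, the
# same request over SSL, and a plain-HTTP request using NTLM (opaque token).
CAPTURES = [
    {"tls": "no", "host": "mail.example.test",
     "request": "POST /Microsoft-Server-ActiveSync HTTP/1.1\r\nHost: mail.example.test\r\n"
                "Authorization: " + _basic_header("EXAMPLE\\jdoe", "Winter2007!") + "\r\n"},
    {"tls": "yes", "host": "mail.example.test",
     "request": "POST /Microsoft-Server-ActiveSync HTTP/1.1\r\n"
                "Authorization: " + _basic_header("EXAMPLE\\jdoe", "Winter2007!") + "\r\n"},
    {"tls": "no", "host": "intranet.example.test",
     "request": "GET / HTTP/1.1\r\nAuthorization: NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=\r\n"},
]


def demo() -> List[Dict[str, str]]:
    return find_cleartext_basic(CAPTURES)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['host']}: user={f['user']!r} password={f['password']!r} sent in the clear")
```

Only the first capture is reported: the SSL copy never exposes the header, and the NTLM token is a challenge/response artifact rather than a reversible encoding of the password (it is still worth protecting with SSL, but it does not decode to the password the way Basic does).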

For information about configuring a web server to use SSL, see the Step-by-Step Guide to Deploying Windows Mobile-based Devices with Microsoft Exchange Server 2003 SP2 at https://go.microsoft.com/fwlink/?LinkId=81200

For information about using SSL in a network configuration, see Security Considerations within the Corporate Network.

Applies to Windows Mobile 6:

The Advanced Encryption Standard (AES) is now available for SSL channel encryption. AES is the encryption standard of the U.S. Federal Government and is approved for government use by the National Security Agency (NSA).

Note:
At present, AES cannot be used with Exchange ActiveSync (EAS), because EAS runs on IIS, whose SSL implementation does not currently offer AES cipher suites; the SSL connection instead uses one of the cipher suites both ends support.

AES is available for SSL channel encryption in 128- and 256-bit key lengths. NSA has stated that all AES key lengths (128, 192 and 256 bits) are sufficient to protect classified information up to the SECRET level, and that TOP SECRET information requires the 192- or 256-bit key lengths. With 256-bit AES on the SSL channel, Windows Mobile 6 can therefore use the same algorithm and key length that NSA approves for TOP SECRET information. That NSA statement concerns the algorithm only: products used to protect classified information must additionally be reviewed and certified by NSA, and the FIPS 140-2 Level 1 validation described above is not such a certification.

Windows Mobile implements these security services so that applications can make use of them; for example, the built-in Outlook Mobile client can use SSL (and, by extension, various cryptographic algorithms) for POP and IMAP accounts.