Main security mechanisms of Windows CE

Windows CE has its own security service system and structure: it provides users with support for user authorization, trust-level management and message protection through SSPI (Security Support Provider Interface). In addition, the OEM (Original Equipment Manufacturer) can customize its own security package for Windows CE; this is how Windows CE can use its own specific encryption and decryption algorithms or authorization and authentication methods. The newest version of Windows CE also provides users with support for VPN and firewall.
Security mechanisms of Windows CE

Here, we introduce five main security mechanisms of Windows CE so that users gain a better understanding of this operating system and can protect their data better.

1. Creating a trusted environment through the OEM layer: by creating a trusted environment through the OEM layer, users can prevent unknown modules from loading, restrict access to system APIs and prohibit write operations to certain parts of the system registry. Before the kernel loads a module, the OEMCertifyModule and OEMCertifyModuleInit functions check it to verify whether the application carries a valid signature. Only when the application carries a valid signature does the Windows CE platform load the corresponding module. As a result, the OEM layer must ensure that all third-party drivers are digitally signed; otherwise, they will fail to load. The security registry architecture of Windows CE only allows "trusted applications" to modify keys and values in the registry. The OEM layer is therefore one of the most important security mechanisms of Windows CE for keeping unsafe applications from being loaded.

2. Storing security information through a smart card: by using a smart card to store authentication information or to hold the digital signature mechanism, users can add a security layer to Windows CE devices. Users can write a custom CryptoAPI provider and obtain secure information storage through the smart card. The Windows CE smart card subsystem supports CryptoAPI through the SCSP (Smart Card Service Provider), the DLL used to allow access to particular services. This subsystem provides the link between the smart card reader hardware and applications.

3. Providing security protection through SSPI: among the security mechanisms of Windows CE, SSPI (Security Support Provider Interface) is another important one. Provided in the Secur32.dll module, SSPI is a strictly defined, generic API. It is used to obtain and execute authentication, check message integrity and provide encryption and integrity services; in addition, it provides an abstraction layer between application-layer protocols and security protocols.

4. Cryptography in Windows CE: cryptography in Windows CE makes communication between entities more secure. By using the services provided by CryptoAPI in Windows CE, application developers can add custom data encryption and decryption routines, use digital certificates for authentication, and perform ASN.1 encoding or decoding operations for Win32-based applications. Application developers can use the CryptoAPI functions without knowing their internal implementation details.

5. Secure network communication through SSL: as a secure communication protocol, SSL (Secure Sockets Layer) provides three basic services: information confidentiality, information integrity and mutual authentication. The advantage of SSL is that it is independent of the application-layer protocol, so higher-level application protocols such as HTTP, FTP and TELNET can be built on top of SSL transparently.
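The loader-side contract behind point 1, as an added example that is not code from the article or from Microsoft: the kernel calls OEMCertifyModuleInit once per module, then OEMCertifyModule with successive image chunks, and a final zero-length call returns the verdict (the OAL contract as I recall it; check it against the Platform Builder headers). Assumptions: Windows types are replaced with stdint equivalents, the OEM's digital-signature check is stood in for by a constructed FNV-1a digest allow-list, and oem_trust_module and certify_image are hypothetical helpers, not OAL functions.

```c
#include <stdint.h>
#include <string.h>

/* Verdicts handed back to the loader (values as in the Windows CE OAL headers). */
#define OEM_CERTIFY_FALSE 0  /* not certified: the kernel refuses to load the module */
#define OEM_CERTIFY_RUN   1  /* loads, but untrusted: restricted API and registry access */
#define OEM_CERTIFY_TRUST 2  /* fully trusted module */

/* Constructed OEM allow-list standing in for real signature verification:
 * module name, expected digest of the whole image, trust level granted. */
struct oem_entry { char name[32]; uint32_t digest; uint32_t trust; };
static struct oem_entry g_allow[8];
static size_t g_allow_n;

/* Hypothetical provisioning helper run when the OEM builds the device image. */
int oem_trust_module(const char *name, uint32_t digest, uint32_t trust) {
    if (g_allow_n >= 8 || strlen(name) >= sizeof g_allow[0].name) return 0;
    struct oem_entry *e = &g_allow[g_allow_n++];
    strcpy(e->name, name); e->digest = digest; e->trust = trust;
    return 1;
}

/* FNV-1a: a stand-in for the signature check so the example runs without a crypto library. */
uint32_t fnv1a(uint32_t h, const uint8_t *p, size_t n) {
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

static const struct oem_entry *g_cur;  /* module being certified, NULL if unknown */
static uint32_t g_hash;                /* running digest over the chunks seen so far */

/* Called by the loader once per module, before any image data is streamed in. */
int OEMCertifyModuleInit(const char *module_name) {
    g_cur = NULL;
    g_hash = 2166136261u;
    for (size_t i = 0; i < g_allow_n; i++)
        if (strcmp(g_allow[i].name, module_name) == 0) g_cur = &g_allow[i];
    return g_cur != NULL;  /* FALSE: unknown module, the kernel does not load it */
}

/* Called with successive image chunks; the zero-length final call yields the verdict. */
uint32_t OEMCertifyModule(const uint8_t *data, uint32_t cb) {
    if (g_cur == NULL) return OEM_CERTIFY_FALSE;
    if (cb != 0) { g_hash = fnv1a(g_hash, data, cb); return OEM_CERTIFY_RUN; } /* interim */
    return g_hash == g_cur->digest ? g_cur->trust : OEM_CERTIFY_FALSE;
}

/* Drives the two hooks the way the loader would, feeding the image in fixed-size chunks. */
uint32_t certify_image(const char *name, const uint8_t *img, size_t len, size_t chunk) {
    if (!OEMCertifyModuleInit(name)) return OEM_CERTIFY_FALSE;
    for (size_t off = 0; off < len; off += chunk)
        OEMCertifyModule(img + off, (uint32_t)(len - off < chunk ? len - off : chunk));
    return OEMCertifyModule(NULL, 0);
}
```

A tampered byte, an unknown module name, or a known name with a mismatching image all end in OEM_CERTIFY_FALSE, while the chunk size used by the loader does not affect the verdict.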