SignWise Pro 2.51
by Berislav Kucan - Tuesday, 23 March 2004.
Handhelds are steadily becoming a must have for a number of organizations and because all the services they provide, we tend to cram a lot of important data on them. Some security precautions should be considered and the program I'm covering today tends to provide secure signature based logon and encryption mechanisms.

Installation and setup

As with most of the PocketPC installations, everything went by without any problems. I've installed the software to my Storage Card because the installation is a bit bigger than I expected - 2,7 MB. Installation to the Storage Card later became a big problem, but I'll look in to that later in the review.

After the initial install was completed, users are given a notice that introduces them to the early steps of the SignWise setup. Basically, to complete the process the PocketPC device must be restarted (this is done automatically) and briefly after starting the software for the first time, users must register their signature. As this is a crucial part of making this program THE boot up protection solution for your favorite handheld, you must take care of creating a decent signature. After restarting the device, we can see some new icons that were generated by SignWise. The first, SWLogout, is placed in the start menu and the important one, the SignWise program icon, is placed in the Settings/Personal folder. This is a bit peculiar from the first time user's point of view, as we usually strive to click the new icons in the Start menu. In this case we first need to go to the SignWise binary in the mentioned Settings/Personal folder.

If, in any case, you are testing this product on a handheld with some other password mechanism (Biometric Fingerprint for instance), SignWise will alert you that another security module has the control of the password and that before using SignWise, that method has to be turned off.

Initial notice of installation
Message regarding security settings

Configuration and usage

After clicking the SignWise icon, we are presented with a really smooth, professional looking GUI which offers a number of options that should make the SignWise experience a treat. For the start we will pass the first screen and go directly to the process of creating a signature. The signature setup is quite easy - you have to choose from three sensitivity levels (high, middle and low), which is quite nice as most of us have our fingers practically glued to the keyboards, so the writing style deteriorates on a daily basis. The thing with the SignWise signature is that you need to do three successful signatures followed by the final test attempt and there you go - SignWise is ready for active usage. By clicking the checkbox below the signature, your current signature is deployed and can be used for a couple of things - secure logon process and file encryption.

SignWise GUI and configuration
Signature creation options

Let's focus on the secure logon for now. There are several options for the logon process.

logon skin image - nice function offering you customizable look of the SignWise skin. With the pull down menu you can chose *.bmp images that are located in the programdir/bkimg folder.

time-lock after failed login - SignWise offers two pull down menus offering options for locking the device after a number of failed attempts and the time the device should get locked. The bad thing is that you must choose between six pre-defined options in both of these menus, so you cannot setup for instance something like "lock after 4 attempts and keep it locked for 20 minutes". Don't get me wrong, the options provided within these menus are quite sufficient (attempts: 3, 4, 7, 9, 12 and 30; minutes: 3, 5, 10, 30, 60 and 120) but for the control freaks and the likes, some customizable options would be a good addition. The good thing is that SignWise offers you a paranoia option which hard resets the device after x failed logins.

SignWise logoff options
Login to your handheld

There are a couple of other things the user can setup on this screen: key mapping to load logout dialog, the possibility of setting when a user should get a login prompt and a synchronization password setup. As regarding the setup, this is done in a pretty non-intuitive way as you can set 5 digits, but you must watch out to include S and W letters that are automatically included in the password.

The encryption process is very simple and can be done quickly after the user logs in to SignWise. The software uses 128-bit strong encryption.

Browsing through the directories
Encrypted file from the previous screen

Pros, cons and final thoughts

SignWise is a pretty useful program for handheld users that want to use non-password based way to authenticate themselves to their handhelds. Pretty good addition which extends SignWise' functionality is the possibility to easily encrypt and decrypt files by using your signature.

The user interface looks really nice and it's really easy to use. From the "cons" point of view, the first thing that crosses my mind isn't directly connected to SignWise but to generally signature-protecting anything. With using plain passwords, you can always forget them, but on the other hand you can write the down somewhere (this is a bad thing, but most of the IT people do that, just read some of the latest surveys), but when you are using your signature, there isn't any kind of a backup for this. If you forget how you typed one letter, the result can be pretty devastating. Another problem with signatures can be directly seen from the setup with SignWise - if you have a signature where you don't lift your pen/stylus from the paper/screen (writing it down in one take), the software will discard it because it doesn't provide sufficient data to generate the algorithm for signature recognition.

Signature without sufficient data
Signature that complies with SignWise

The buggy part of this SignVise's release, was that the software gave some errors. I've mentioned that I've used the Storage Card as the place for my SignWise installation and as it looks like, this is not possible. Technically it is possible as the software installs without any problems, user can create signatures, logoff, logon, encrypt, and so on, but turning off your handheld generates a problem. The users are presented with an error screen that says the program or one of the accompanying DLLs is missing. You can easily lick OK and everything will work just fine, but it is an annoyance that I wouldn't like to see on my Ipaq. I've uninstalled SignWise and installed it once again, but this time I've used the default directory the installation process offered me. On this way, everything worked just fine.

The install and uninstall process gave me a preview of another bug connected to SignWise. After uninstalling the software for the first time, out of the sudden, my System/Personal folder got yet another Password icon. Uninstalling the software one more time luckily didn't generate any new icons. I'm not absolutely sure if SignWise did this, but the extra icon wasn't there before the SignWise installation.

New password icon appearing
Extra password window

Another buggy experience came out when I used the software's logout function which gave me a "nice" looking screen freeze that looked a lot like screen melting "feature" I've came across a couple of years ago with Xfree and SiS 630 chipset on Asus 1000 notebooks.

The bottom line is that the product looks nice and has quality options, but the author should take care of the bugs I've encountered.



Spotlight

The synergy of hackers and tools at the Black Hat Arsenal

Posted on 27 August 2014.  |  Tucked away from the glamour of the vendor booths and the large presentation rooms filled with rockstar sessions, was the Arsenal - a place where developers were able to present their security tools and grow their community.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  

DON'T
MISS

Tue, Sep 2nd
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //