1 wap overview csci 5939.02 – independent study fall 2002 yasir zahur presentation no 1
TRANSCRIPT
1
WAP Overview
CSCI 5939.02 – Independent StudyCSCI 5939.02 – Independent Study
Fall 2002Fall 2002
Yasir ZahurYasir Zahur
Presentation No 1Presentation No 1
2
Agenda
Background / Motivation Architectural Overview Protocol Layers Push Technology Current WAP Status Security Limitations
3
Lessons from the World Wide Web
WWW Limitations1. Requires at least some computer skills
2. If you don’t already own a computer, entrance costs are relatively high
However it would be foolish on the other extreme to ignore the Internet as a mean of data transportation
4
Wireless Industry Before 1998(Some serious problems)
Handheld mobile devices could access network based content but the technologies were incompatible
Not much use of existing Internet infrastructure
No single global standard for data access for all handheld mobile devices
5
Searching for the answer…
Omnipoint issues a tender for the definition of a common standard for the supply of mobile information services, early 1997
WAP Forum founded by Ericsson, Nokia, Motorola and Phone.com. Importance of a common technical base was realized Strong belief that existing technology did not meet the
needs of the market
6
Searching for the answer…(cont)
Work started June, 1997 Architecture published September, 1997 Membership opened in January, 1998 Draft specifications published January, 1998 WAP 1.0 available April 30, 1998
7
What is WAP?
WAP is an effort, with broad industry support, to define a standard for communicating
Internet – type information to devices that have roughly the same form factor and
processing power as the average mobile telephone.
8
What sort of devices is WAP designed for?
Primarily includes mobile phones, pagers and PDAs
Low bandwidth and high latency environments Unpredictable stability and availability Limited processing power and battery life Less memory (ROM and RAM)
Smaller displays
9
WAP Architectural Objectives
Create global wireless protocol specifications that work across differing wireless technologies
Facilitate network-operator and third party service provisioning
Define a layered, scalable and extensible architecture Bring Internet/Intranet information and advanced data
services to wireless terminals Optimize for efficient use of device resources
10
WAP Architectural Objectives (cont)
Provide support for secure applications and communication Embrace and extend existing standards where possible Optimize for efficient use of device resources Optimize for narrowband bearers with potentially high
latency Enable personalization and customization of the device, the
content delivered to it and presentation of the content
11
The World – Wide Web Model
WWW standards specify many mechanisms to build a general purpose application environment including: Standard naming model Content typing Standard content formats Standard protocols
12
The World – Wide Web Model (cont)
13
The WAP Model
Based on WWW programming model stable architecture ability to embrace and enhance existing tools including
web-servers, XML tools etc
Enhancements Push technology Telephony Support (WTA)
14
The WAP Model (cont)
Components that enable communication between mobile terminals and network servers include: Standard naming model Content typing Standard content formats Standard communication protocols
15
The WAP Model (cont)Based on Version 30-Apr-1998
16
WAP Proxy
WAP Architectural specification (version 12-July-2001) specifies the term WAP Proxy.
WAP utilizes proxy technology to optimize and enhance the connection between wireless domain and WWW. WAP proxy provides various functions including:
17
WAP Proxy (cont)
Protocol Gateway:Protocol Gateway: Translates requests from a wireless protocol stack to the WWW protocols. Also performs DNS look up
Content Encoders and Decoders:Content Encoders and Decoders: Translate WAP content into a compact format due to slow underlying wireless link and vice versa
User Agent Profile Management:User Agent Profile Management: Enable personalization and customization of the device
Caching proxy:Caching proxy: Improves perceived performance and network utilization by maintaining a cache of frequently accessed resources
18
WAP Client
Primarily include wireless phones, PDAs and pagers Beginning to support more memory, faster processing power
and longer battery life Contains a user agent or a mini-browser that implements
WAE specification and can execute any WAP compliant application.
Available in thousands of different models and types. A WAP compliant application written once can reach and be executed on all of theses devices
19
Application Servers
Real power of WAP lies in the fact that it leverages existing Internet infrastructure to extend reach of applications to millions of users with wireless devices
Application servers typically consist of three tiers: Web ServerWeb Server; understands HTTP protocol and responds to HTTP
requests from the clients. E.g. Apache, iPlanet, Microsoft IIS etc Application ServerApplication Server; encodes elements like personalization,
commerce, security and data persistence logic. E.g. iPlanet, WebLogic etc
Database ServerDatabase Server; used for persistence storage of application data. E.g. Oracle, Sybase, Informix etc
20
The WAP Model Based on Version 12-July-2001
21
Supporting Servers
22
Typical WAP Network
23
WAP Architecture (protocols) Based on Version 30-Apr-1998
24
Comparison between Web and WAP Architectures
25
WAP Architecture (protocols) Based on Version 12-July-2001
26
Bearer Networks
WAP specification is air-interface independent WAP specification is intended to sit on top of existing
bearer channel standards so that any bearer standard can be used with the WAP protocols to implement complete product solutions
WAP operates over different bearer services including short message, circuit-switched data and packet data
Since bearers offer service of varying throughput, delays and error rate, WAP protocols are designed to compensate for or tolerate these varying level of services
27
Bearer Networks (cont)
Some of the common bearers are: SMS (Short Message Service)SMS (Short Message Service); stateless and one of the slowest
bearers. Each SMS message is broken down into a short message of maximum 160 characters, no session maintenance
CSD (Circuit Switched Data)CSD (Circuit Switched Data); uses circuit switching to establish connection with WAP gateway at around 9600bps; much faster than SMS
USSD (Unstructured supplementary Services Data)USSD (Unstructured supplementary Services Data); messages of maximum 182 characters; session based
GPRS (General Packet Radio Service)GPRS (General Packet Radio Service); one of the fastest bearers; uses packet based data transmission with speeds of up to 171.2 kbps
28
Transport Services Layer
Offers set of consistent services to upper layer protocols and maps those services to available bearer services.
Transport services include: Datagrams; Datagrams; provides a connectionless, unreliable datagram service
where each datagram is routed independently. WDP and UDP are the two protocols used. WDP is replaced by UDP when used over an IP network layer i.e WDP over IP is UDP/IP
ConnectionsConnections; provides data transport service in which communications proceed in three phases: connection establishment, two way reliable data transfer and connection release. TCP (usually profiled) is used to provide connection transport service
29
Transfer Services
Provides for structured transfer of information Transfer services include:
Hypermedia TransferHypermedia Transfer: WSP and WTP provide the hypermedia transfer service over secure and non-secure datagram transports. HTTP provides same service over secure and non-secure connection oriented transports
StreamingStreaming: provides a mean for transferring isochronous data such as audio and video
Message TransferMessage Transfer: provides mean to transfer asynchronous multimedia messages like email or instant messages
30
Wireless Transaction Protocol (WTP) Based on Version 30-Apr-1998
Three classes of transaction service Unreliable one-way requests, Reliable one-way requests, Reliable two-way request-reply transactions
Use of unique transaction identifiers, acknowledgements, duplicate removal and retransmissions
PDU concatenation and delayed acknowledgment to reduce the number of messages sent
Optional user to user reliability – WTP triggers the confirmation of each received message
Asynchronous transactions
31
Session Services
Provide for the establishment of shared state between network elements that span multiple network requests or data transfers. It includes:
Capability NegotiationCapability Negotiation; includes specifications for describing, transmitting and managing capabilities and preference information about the client, user and network elements
Push-OTAPush-OTA; provides for network initiated transactions to be delivered to wireless devices
SyncSync; provides for synchronization of replicated data CookiesCookies; allows applications to establish state on the client or proxy
that survives multiple hypermedia transfer transactions
32
Wireless Session Protocol (WSP) Based on Version 30-Apr-1998
Provides WAE with a consistent interface for two session services:
Connection oriented service over WTP Connectionless service over secure and non-secure WDP
Long lived session state Common facility for reliable and unreliable data push HTTP/1.1 functionality and semantics in a compact over-
the-air encoding Provides for session suspend/resume
33
Application Framework
Primary objective is to establish an interoperable environment that will allow operators and service providers to build applications and services that can reach a wide variety of different wireless platforms in an efficient and useful manner. It includes: WAE/WTA User-AgentWAE/WTA User-Agent; WAE is a micro-browser
environment containing WML, XHTML, WML Script, WTA, WTAI all optimized for handheld devices
Content FormatsContent Formats; WAE includes support for color, audio, video, images, phone book records, animation etc
34
Application Framework (cont)
PushPush; provides a general mechanism for the network to initiate the transmission of data to applications resident on WAP devices
Multimedia Messaging; Multimedia Message Service (MMS) provides for the transfer and processing of multimedia messages such as email and instant messages to WAP devices
35
Security Services
PrivacyPrivacy; to ensure that communication is private and cannot be understood by any eavesdropper
AuthenticationAuthentication; to establish the authenticity of parties to the communication
IntegrityIntegrity; to ensure that communication is unchanged and uncorrupted
Non-RepudiationNon-Repudiation; to ensure that parties cannot deny that communication took place Some examples include Authentication, Cryptographic
Libraries, Identity, PKI, Secure Transport and Secure Bearer
36
Service Discovery
Services are found at many layers. These include: External Functionality Interface (EFI); allows
applications to discover what external functions/services are available on the device
Provisioning; allows a device to be provisioned with the parameters necessary to access network services
Navigation Discovery; allows a device to discover new network services
Service Lookup; provides for the discovery of a service’s parameters through a directory lookup by name
37
WAP 1.x Gateway
WAP 1.x Gateway
38
WAP HTTP Proxy with Profiled TCP and HTTP
wireless profiled versions are interoperable with TCP and HTTP
39
Direct Accesswireless optimizations as defined by the Wireless Profiles for TCP and HTTP may not
be available
40
Dual Stack Supportuseful when a device needs to interoperate with both old and new WAP servers
41
Push Architecture
Normal client–server model is ‘pull’ technology. E.g. browsing the world wide web
In ‘push’ technology, there is no explicit request from the client before the server transmits its contents. E.g. SMS
Extremely beneficial for time and location based services. E.g. to get traffic alerts up ahead on the highway, weather alerts, listing of nearby restaurants etc
42
Pull vs. Push
43
The Push Framework
44
The Push Framework (cont)PPG usually needs WAP Gateway to communicate with cellular network
45
Push Initiator (PI)
Responsible for generating the message to be pushed and passing it on to PPG.
Messages are all XML based Commonly HTTP Post mechanism is used for
communication between PI and PPG Responsible for authenticating itself with the PPG usually
using X.509 based digital client certificates Also responsible for managing the workflow of the push
messages
46
Push Proxy Gateway (PPG)
Acts as access point for content pushes from Internet to the mobile network
PI identification and authentication Parsing of and error detection in push content Translates client address provided by PI into a format
understood by mobile network Store the content if client is currently unavailable Notify PI about final outcome of push a submission Protocol conversion
47
Push Access Protocol (PAP)
XML based communication protocol by which a PI pushes content to mobile network addressing its PPG
Can be transported over virtually any protocol that allows MIME types to be transported over the Internet
Supports following operations: Push Submission (PI to PPG) Result Notification (PPG to PI) Push Cancellation (PI to PPG) Push Replacement (PI to PPG) Status Query (PI to PPG) Client Capabilities Query (PI to PPG)
48
Push Over-The-Air Protocol
Responsible for transporting content from the PPG to the client and its user agents
Provides both connectionless (mandatory) and connection-oriented (optional) services
Connectionless service relies upon WSP Connection-oriented service may be provided in
conjunction with WSP (OTA-WSP) and HTTP (OTA-HTTP)
49
Current Successes
Over 18 million WAP users (Cahners-In-Stat / Gartner Dataquest / Strategis, eTforecasts)
Close to 200 carriers deployed or in final testing (Mobile Lifestreams)
50 million WAP-enabled handsets shipped worldwide (International Data Corp)
Tens of thousands of developers creating apps and content (WAP Forum)
12,000 WAP sites from 100+ countries (Cellmania.com) 7.8 million WAP-readable pages (Pinpoint Networks
50
Consumer Successes
Sprint “wireless Web” users reached 1.3 M in 1Q01
Telesp Celular - 323,000 out of 623,000 subscribers with WAP-enabled phone accessed WAP services (EYO2000)
Digital Bridges – 30 Million hits on WAP game site from 1 Million games played in a six month period
51
The Survey FACTS
Survey of 500+ users in Scandinavia: 61% of WAP users61% of WAP users: satisfied with their WAP
experience (Strand Consult)
Survey of 250 users in UK (on all networks) 71% of WAP users71% of WAP users: WAP is meeting or
exceeding expectations (Teleconomy)
52
WAP 2.0 Launched July 31, 2001
What the Developers see: XHTML (fully backwards compatible) TCP
Supported User Features: Color Graphics Animation Large File Downloading Location-Smart Services Pop-up/Context Sensitive Menus Data Synchronization with Desktop PIM
53
WAP Roadmap 1999-2001
54
Secure From Day One
Security meets most extreme demands End-to-end encryption Supports PKI (new in 2.0) Secure proxies in handset and gateway Transactions are as secure as PC sites
55
A Secure Foundation For Wireless Commerce
Transactions demanding security already happening over WAP Banking (Citicorp, Deutche, Allied Irish Bank, Schwab) Finance (Abbey National and Halifax Bank mortgages
online) M-Commerce (Amazon.com, MySimon)
Basing their future mobile commerce plans on WAP: Certicom, VeriSign, Entrust.com
56
Security Loop HolesA generic m-commerce transaction using WAP
57
Security Loop Holes (cont)Security zones showing standard security services (WTLS and TSL)
58
Security Loop Holes (cont)
Data flows between WAP device and application server through WAP gateway
All TSL/SSL encrypted content is decrypted at the WAP gateway before being re-encrypted using WTLS for transmission over wireless network and vice versa
Thus data exists in the memory of gateway for a brief period of time in human-readable plain text format……….SECURITY RISK
Conversion between WTLS and TLS is one of the most controversial features of the WAP gateway because it violates the concept of end-to-end security between the WAP client and the application or content server
59
Proposed Solutions
Host the gateway within the secure intranet of application server
However users need to configure their WAP devices to communicate with the new gateway
Application level security on top of WAP Introduce security at a software layer above WAP and consider
WAP merely as a potential insecure communication means. Security is solely taken care of by means of dedicated software
running at two ends i.e. mobile phone and web server No use of WAP security features neutralizes most of
optimizations offered by WAP gateway including data conversion and compression to accommodate for the limited bandwidth
60
Proposed Solutions (cont)
Enabling Internet on the Mobile Device Proposed by WAP Forum for WAP 2.0 Re-design the WAP protocol to not to use a gateway Employ the existing Internet standards, including TCP for entire
wired and wireless part of a connection Disregarding WAP gateway makes it possible to attain same high
level of security for an m-commerce transaction as an e-commerce transaction on ordinary web using end-to-end encryption
However this change will cause compatibility problems and will neutralize optimizations offered by WAP gateway
61
Proposed Solutions (cont) Hosting the gateway within the secure intranet of application server
62
Proposed Solutions (cont)Application Level Security on Top of WAP
63
Bibliography
[1] Technical specifications and presentations by Scott Goldman http://www.wapforum.org[2] Damon Hougland, Khurram Zafar.2001. essential WAP FOR WEB
PROFESSIONALS. Upper Saddle River (NJ): Prentice Hall; 234 p. [3] Wei Meng, Soo Mee, Karli Watson, Ted Wugofski. 2000. Beginning WAP,
WML & WMLScript. Birmigham (UK): Wrox Press; 650p[4] Niels Christian Juul and Niels Jorgensen “Security Limitations in the WAP Architecture” Position Paper[5] Presentation by Bruce Martin http://www.w3.org[6] Presentation by Owen Sullivan http://www.ietf.org