wap security: wtls · wap security: wtls 5/4/01 thanh v. do 6 of 24 at the transaction layer, the...

WAP Security: WTLS

By

Thanh V. Do

INFT 931May 4, 2001

Professor Kris GajSecure Telecommunication Systems

WAP Security: WTLS 5/4/01

Thanh V. Do 2 of 24

Table of Contents

Table of Contents ............................................................................................................ 2Introduction..................................................................................................................... 3Wireless Requirement & WAP........................................................................................ 4WAP Architecture........................................................................................................... 5WTLS Architecture......................................................................................................... 7

The Handshake Protocol.............................................................................................. 7The Alert Protocol....................................................................................................... 9The Change Cipher Spec Protocol ............................................................................. 10

Comparison between WTLS and SSL ........................................................................... 11Role of AES and ECC in WTLS Protocol...................................................................... 12WAP & WTLS Applications ......................................................................................... 13

WAP Gateway........................................................................................................... 13WAP Browser ........................................................................................................... 14WTLS Toolkit ........................................................................................................... 14Security..................................................................................................................... 15

WTLS Integration with PKI – WTLS Certificate........................................................... 17WTLS’ Competing Technologies .................................................................................. 19

Bluetooth .................................................................................................................. 193GPP......................................................................................................................... 19SIM Toolkit............................................................................................................... 20Imode........................................................................................................................ 20SET........................................................................................................................... 20IPSec......................................................................................................................... 21

Conclusion .................................................................................................................... 22References .................................................................................................................... 23


Thanh V. Do 3 of 24

IntroductionAccording to the Strategy Analysts in June 1999, the global mobile commerce (m-commerce) market is expected to be worth a staggering $200 billion by 2004 and $230billion by 2006 [14]. With the wireless Internet, users will be able to access manytransaction-based activities (banking, retail coupons and sale notification, auctionnotification, wireless ticketing, and many other services) from the screens of their mobiledevices (mobile phones, pagers, Personal Digital Assistants, etc).

There is an overwhelming interest in wireless technologies. This interest is not only forthe luxuries and conveniences that they promise, but also for the sheer magnitude inwhich they can and probably will change the way in which businesses are run andmaintained in the future. One immediate goal is to combine the mobility offered bymobile devices and the enormous amount of information available on the Internet. Alongthis goal involves the wireless security issues.

One technology that has grabbed the wireless communities is the Wireless ApplicationProtocol (WAP). WAP is an open industry-established global standard that empowersmobile users with wireless devices to easily access and interact with information andservices on the Internet.

In June 1999, WAP Version 1.1 was approved. It includes the Wireless Transport LayerSecurity (WTLS) specification that defines how the Internet security is extended to thewireless Internet. Now, WTLS is poised to open up whole new markets for e-commerceover the wireless Internet in the same way that SSL provided a secure system fortransactions over the Internet.

The intent of this paper is to examine the WAP and the security measures that have beenincluded within the protocol. The document will provide an in-depth look at how thistechnology is structured and implemented.


Thanh V. Do 4 of 24

Wireless Requirement & WAPMobile terminals have several fundamental limitations. They have less powerful CPUsand memory, restricted power consumption, smaller displays, and different input devicesthan the typical desktop computers. Moreover, the mobile networks also have limitationsthat must be taken into account. These include less bandwidth, more latency, lessconnection stability and less predictable availability.

For example, the Ericsson Mobile Companion MC218 has 40 hours of battery life (whenused 10% of the time and in standby the rest of the time. The CPU is a 32-bit ARM710,which works at 36.864 MHz. It has 16 MB of RAM and 12 MB of ROM. The screenresolution is 640x240 pixels. In contrast, a common desktop PC has 800MHz CPU, with128 MB of RAM, and 1024x768 resolution.

The SMS (Short Message Service) as a bearer can be as slow as 100 bit/s. The timebetween the request and the response using the SMS bearer can be as long as 10 seconds.On the other hand, a wired network is usually at least 100Mb/s and the responses are inmillisecond.

The Internet technology could not be adopted to the wireless communication withoutmodification because of the fundamental wireless limitations. Internet standards such asHTML, HTTP, TLS, and TCP are inefficient over mobile networks, requiring largeamounts data to be sent. Standard HTML web content generally cannot be displayed inan effective way on the small size screens of pocket-sized mobile devices. Navigationaround and between screens is not easy in one-handed mode. HTTP and TCP are notoptimized for the intermittent coverage, long latencies and limited bandwidth associatedwith wireless networks. HTTP sends its headers and commands in an inefficient textformat instead of compressed binary. Wireless services using these protocols are tooslow, costly, and difficult to use. The TLS security standard requires many messages tobe exchanged between client and server, which, with wireless transmission latencies,results in a very slow response for the user.

The Wireless Application Protocol (WAP) has been optimized to solve all theseproblems, utilizing binary transmission for greater compression of data and is optimizedfor long latency and low bandwidth. WAP sessions cope with intermittent coverage andcan operate over a wide variety of wireless transports using IP where possible and otheroptimized protocols where IP is impossible. The WML language used for WAP contentmakes optimum use of small screens and allows easy navigation with one hand.


Thanh V. Do 5 of 24

WAP ArchitectureThe WAP is developed by the WAP Forum to provide specifications for developingapplications that operate over wireless communication networks. The WAP is a five layerprotocol stack that contains an application layer, a session layer, a transaction layer, asecurity layer, and a transport layer. The WAP defines a set of protocols in each layer.The main purpose of having a layer protocol stack is that the communication with acertain layer is made through well-defined interfaces. Thus, changing something in onelayer does not imply changing all other layers. For example, if a new protocol has to besupported as a bearer, only the transport layer has to be changed and it will not affect theother layers.

The WAP has a layered architecture, which can be easily compared to the web model.

WEB & WAP Model

At the application layer, the protocol used is the Wireless Application Environment(WAE). The WAE is an environment in which general-purpose applications can beimplemented. Some examples of these applications are: the Wireless Markup Language(WML) or specific telephony services provided by Wireless Telephony Application(WTA). [28]

At the session layer, the protocol used is the Wireless Session Protocol (WSP), which isequivalent of HTTP 1.1. The WSP provides mechanism to establish a session from clientto server, agree on used protocol functionality, exchange content, and suspend andresume sessions. It provides, both connection-mode session and non-confirmed,connectionless services. When providing connection-mode, the WSP utilizes the WirelessTransaction Protocol layer. In the case of connectionless mode, the WSP takes advantageof the Wireless Datagram Protocol layer. [28]


Thanh V. Do 6 of 24

At the transaction layer, the protocol used is the Wireless Transaction Protocol (WTP). Itis a transaction-specific protocol designed to be used by "thin" clients, i.e. mobiledevices. The WTP provides a light-weight transaction-oriented protocol that reliablydelivers requests from the client to the server and responses from the server back to theclient. WTP runs on top of a datagram service and it is designed for interactive browsing.[28]

There is a security layer, which uses the protocol Wireless Transport Layer Security(WTLS). However, this security layer is optional and preserves the transport serviceinterface. Some management of secure connections (like initiation or termination) is leftto the session or application management. The WTLS support cryptographic operationssuch as digital signing, stream cipher encryption, block cipher encryption and public keyencryption. The attributes of these operations can be negotiated for each securetransmission. [29]

The actual transport layer protocol in the WAP architecture is the Wireless DatagramProtocol (WDP). It is supported by various network types. The upper layers are able tooperate independently of the underlying wireless network because of the WDP. Theyutilize the interface offered by WDP to communicate transparently over one of theavailable bearer services. [28]

External applications can have direct access to the session, transaction, security ortransport layers.

The communication between the different layers and the different elements in a givenlayer is done using service primitives. These service primitives allow the exchange ofinformation and controls between the layers.


Thanh V. Do 7 of 24

WTLS ArchitectureWTLS was specifically designed to conduct secure transactions in the mobile devices,without requiring desktop levels of processing power and memory. WTLS processessecurity algorithms faster by minimizing protocol overhead, and enables more datacompression than the traditional SSL approach. As a result, WTLS can perform securitywithin the constraints of wireless networks. These optimizations mean that smaller,portable devices can communicate securely over the Internet.

WTLS also provides a key refresh mechanism to update keys in a secure connectionwithout handshaking. The frequency of the key refresh is agreed on during thehandshake. In the key refresh, a new key block is generated using the master secret key,the message sequence number and other parameters.

The WTLS Record Protocol is a layered protocol, which accepts raw data from the upperlayers to be transmitted, optionally compresses the data, applies a MAC, encrypts andtransmits the result. Received data is decrypted, verified and decompressed, then handedto the higher layers. The Record Protocol takes care of the data integrity andauthentication.

The Record Protocol supports four protocol clients: the handshake protocol, the alertprotocol, the application protocol, and the changer cipher spec protocol. The protocolstack is shown in the figure below. The application protocol is not described below, sinceit is the interface for the upper layers. (External applications have direct access to theWTLS layer using the Wireless Markup Language Script.)

WTLS Internal Architecture

The Handshake Protocol

All the security related parameters are agreed on during the handshake. These parametersinclude attributes such as protocol versions, cryptographic algorithms, and information onthe use of authentication and public key techniques to generate a shared secret. The flowchart of the full handshake is depicted in the figure below.


Thanh V. Do 8 of 24

Client Hello

Server Hello Server Certificate* Server Key Exchange* Certificate Request* Server Hello Done

Client Certificate* Client Key Exchange* Certificate Verify* [Change Cipher Spec] Finished

[Change Cipher Spec] Finished

Full Handshake Flow Chart

The WTLS full handshake is exactly the same as the SSL handshake. (The asterisksindicate the messages are optional and are not always sent.)

The WTLS also defines an abbreviated handshake where only the hello and the Finishedmessages are sent. In this case, both parties must have a shared secret, which is used as apre-master secret.

Client Hello

Server Hello [Change Cipher Spec] Finished


Abbreviated Handshake Flow Chart

Another variation is the optimized full handshake where the server can retrieve client'scertificate using the trusted third party, based on the information provided by the client inthe Client Hello message. With the information provided by the client’s certificates, bothparties are able to complete the shared secret values using the Diffie-Hellman keyexchange method. The server has to send the Server Hello, Certificate, and Finishedmessages to the client in order to complete the handshake on the server's behalf. Theclient responds with the Client Finished message.


Thanh V. Do 9 of 24

Client Hello

Server Hello Server Certificate [Change Cipher Spec] Finished


Optimized Full Handshake Flow Chart

If the client and server decide to resume a previously negotiated session, the handshakemay be started by sending a Client Hello message with the identifier of the previoussession. If both parties share a common session identifier they may continue the securesession. The parties may start using the connection after they have confirmed the sessionand informed the other party with the change cipher spec message.

Client Hello Session ID

Server Hello Session ID

[Change Cipher Spec]

Resumed Connection Handshake Flow Chart

The Alert Protocol

The Record Protocol provides a content type of alert messages. Alert messages conveythe severity of the message and a description of the alert. There are three descriptions ofalert messages: fatal, critical, and warning. Alert messages are sent using the currentsecure state, i.e. compressed and encrypted, or under null cipher spec, i.e. withoutcompression or encryption.

If a fatal alert message is sent, both parties terminate the secure connection. Otherconnections using the secure session may continue but the session identifier must beinvalidated so that the failed connection is not used to establish new secure connections.

A critical alert message results in termination of the current secure connection. Otherconnections using the secure session may continue and the secure identifier may also beused for establishing new secure connections.

The connection is closed using the alert messages. Either party may initiate the exchangeof closing messages. If a closing message is received, then any data after this message isignored. It is also required that the notified party verifies termination of the session byresponding to the closing message.


Thanh V. Do 10 of 24

Error handling in the WTLS is also by using the alert messages. When an error isdetected, the detecting party sends an alert message containing the occurred error. Furtherprocedures depend on the level of the error that occurred.

The Change Cipher Spec Protocol

The Change Cipher Spec is sent either by the client or the server. By means of thismessage, both parties decide that they start using the negotiated session parameters.When the Change Cipher Spec message arrives, the sender of the message sets thecurrent write state to the pending state and the receiver also sets the current read state tothe pending state. The Change Cipher Spec message is sent during the handshake phaseafter the security parameters have been agreed on.



Comparison between WTLS and SSLThe SSL is developed by Netscape. It has been universally accepted in the Internet forauthenticated and encrypted communication between clients and servers. The newInternet Engineering Task Force (IETF) standard called Transport Layer Security (TLS)is based on the SSL. This is published as an IETF Internet-Draft, The TLS ProtocolVersion 1.0. The TLS version 1.0 and SSL version 3.0 are very similar.

There differences between the TLS version 1.0 and SSL version 3.0 are: [24]• SSLv3.0 has support for Fortezza (KEA & Skipjack), while TLSv1.0 doesn’t.• SSLv3.0’s protocol version number 3.0 and TLSv1.0 is 3.1.• TLSv1.0 has 9 more alert protocol messages than SSLv3.0.• The cryptographic computations are slightly in the Certificate Verify, Finished,

MAC generation, and key generation.• SSLv3.0’s padding length is the minimum bytes that results in a total length that

is a multiple of the cipher’s block length. TLSv1.0’s padding length is anyamount up to 255 bytes that results in a total length that is a multiple of thecipher’s block length.

The SSL protocol provides privacy, authentication, and integrity. User authentication isdone using asymmetric or public key cryptography and data is encrypted with symmetriccryptography. The integrity of messages is checked using a keyed MAC. Secure hashfunctions like SHA or MD5 are used for MAC computations. The goals of the SSL arecryptographic security, interoperability, extensibility, and relative efficiency.

The SSL is a layered protocol. At each layer, messages may include fields for length,description, and content. The SSL takes messages to be transmitted, fragments the datainto manageable blocks, optionally compresses the data, applies a MAC, encrypts, andtransmits the result. Received data is decrypted, verified, decompressed, and reassembledand then delivered to higher-level clients.

The WTLS provides a secure end-to-end connection for the Wireless ApplicationProtocol. TLS version 1.0 was adopted as a basis of the WTLS. It was not possible toapply the procedures, used in the traditional connection-oriented world. The developmentwork resulted in a protocol, which resembles the TLS, but it has additional propertiesadjusted for the wireless world.

The WTLS supports a coverable span of algorithms to meet the requirements of privacy,authentication, and integrity. Currently, privacy is implemented using the block ciphers,such as DES, Triple-DES, IDEA, and RC5. RSA, Elliptic Curve Diffie-Hellman, andDiffie-Hellman based key exchange suites are supported to authenticate thecommunicating parties. Finally, integrity is implemented with SHA-1 and MD5 MACalgorithms. [29]



Role of AES and ECC in WTLS ProtocolAmong the most significant enhancements of the WTLS is the inclusion of elliptic curvecryptography (ECC). The WAP Forum incorporated the standard, ANSI-compliant ECCtechnology into the WTLS specification. Most WTLS toolkits fully support ECC.

The Advanced Encryption Standard (AES) is another formidable cryptosystem, which isexpected to replace Data Encryption Standard (DES). On February 28, 2001, NationalInstitute of Standards and Technology (NIST ) announced a Draft Federal InformationProcessing Standard (FIPS), proposing Rijndael as AES. It is available for public reviewand comment until May 29, 2001. After that, the Draft FIPS for AES will be revised byNIST, as appropriate, in response to public comments. A review, approval, andpromulgation process will then follow. If all steps of the AES development processproceed as planned, it is anticipated that the standard will be completed by the summer of2001. [12]

Once Rijndael becomes AES, it is expected that WAP will incorporate AES into itsspecification.



WAP & WTLS Applications

WAP Gateway

The programming model used in Internet is adopted to WAP as much as possible. Thenew component introduced in the WAP programming model is the WAP gateway (orsometimes called server). It bridges the wireless networks to the Internet. The gateway’smain function is to act as a protocol gateway to encode and decode content. The protocolgateway translates requests from the WAP protocol stack to the Internet protocol stack.

WAP Gateway Functionality

The encoders translate WAP content into compact encoded formats to reduce the size ofthe transferred data over the network. This model allows the content and the applicationto be hosted on standard Internet HTTP servers and to be developed using existingInternet technologies like CGI, application servers, and servlets. The illustration belowdemonstrates the concept.

Wireless Network Model

The WAP gateway uses SSL to communicate securely with a Web server, ensuringprivacy, integrity and server authenticity. The WAP gateway takes SSL-encryptedmessages from the Web and translates them for transmission over wireless networks



using the WTLS security protocol. Similarly, messages from the mobile devices to theWeb server are likewise converted from WTLS to SSL. In essence, the WAP gatewayprovides a bridge between the WTLS and SSL security protocols. The need fortranslation between SSL and WTLS arises because of the nature of wirelesscommunications: low bandwidth transmissions with high latency.

SSL-WTLS Translation

The translation between SSL and WTLS in WAP gateway takes milliseconds and occursin memory, allowing for a virtual secure connection between the two protocols. WTLSprovides privacy, integrity and authentication between the WAP gateway and the WAPbrowser client.

WAP BrowserIn order to communicate with the WAP gateway, the mobile client must have some WAPbrowser. Many wireless devices use the generic WAP browser. A generic browserfulfils the mandatory requirements of the WAP specifications as well as most usableoptional requirements, including WTLS. It is independent of bearer services and networktechnologies, and the device’s operating system, so it can easily be integrated to any hostenvironment. A typical browser usually requires the client to have at least 300KB ofRAM. However, the browser uses about 25KB of RAM. The executable program usesstatic memory and can be stored in ROM. If the mobile device does not support ROM,persistent memory (hard disk, flash memory, etc.) is used instead. Persistent memory isnot a mandatory requirement for the browser. If persistent memory is available, it can beused to store user preferences, application data, history list and favorites.

WTLS ToolkitThere are many WTLS toolkits available for creating secure encrypted sessions betweenonline-networked applications. Most toolkit allows the developer to integrate WTLS dataencryption capabilities into any applications. This entails the ability to initiate andreceive WTLS-secured connection and to configure the security parameters to be used forprivacy, integrity and authentication. Most toolkits supports:

• Anonymous and authenticated Elliptic Curve Diffie-Hellman (ECDH) keyexchange and Elliptic Curve Digital System Algorithm (ECDSA) schemes at 163-bits,

• 768-bit and 512-bit anonymous and authenticated Diffie-Hellman,• Anonymous and authenticated 1024-bit and 512-bit RSA,• DES, Triple-DES (RC5 and IDEA are less commonly supported) for symmetric

encryption, and



• MD5 and SHA-1 for message authentication.They also support WTLS certificate and X.509 v3 certificates.

Security

A number of potential security problems have been identified in the WTLS.

The adoption of TLS has at least partly led to some security problems including thechosen plaintext data recovery attack, the datagram truncation attack, the messageforgery attack and the key-search shortcut for some exportable keys. [19], [22]

• The predictable initiation vectors (IVs) in CBC can lead to chosen-plaintextattacks. In WTLS, the IV for encrypting each packet is computed by XOR’ingthe original IV with the sequence number of the packet. Unfortunately, thesequence numbers are sent without encryption.

• The 40-bit XOR MAC in WTLS does not provide any integrity protection whenstream ciphers are used, regardless of the key length. The XOR MAC works bypadding the message with zeros, dividing it into 5-byte block and XOR’ing theseblocks together. If one inverts a bit position n in the ciphertext, the MAC can bemade to match by inverting that bit (n mod 40) in the MAC.

• Using PKCS#1 version 1.5 padding, RSA messages can be decrypted with 220

chosen ciphtertext queries. The WTLS bad_certificate and decode_error mayprovide an oracle for an intruder. A system has an oracle if it tells the intruderwhether the used key is correct. A brute force attack can be mounted because thecorrect key can always be recognized with the trial decryption.

• Some alert messages in WTLS are sent in clear text and are not authenticated.Since an alert message is assigned a sequence number, an active attacker mayreplace an encrypted datagram with an unauthenticated plaintext alert messagewith the same sequence number without being detected. This leads to a truncationattack that allows arbitrary packets to be removed from the data stream.

• Under some exportable keys, the IV of each packet can be determined from theHello messages and the sequence number alone.

• An eavesdropper can determine the change of keys by reading the contents of thisrecord_type field, which is sent unencrypted. The existence of error messages canalso be determined from this same record_field, though the exact nature of theencrypted error messages cannot be determined.

• WTLS includes pre-defined primes along with generators that are used in Diffie-Hellman computations, but the group order is left specified. The absence of thegroup order makes it impossible to check that the give value belongs to the correctmultiplicative subgroup.

Cookies may also be an issue in WAP applications. Cookies are used on the Internet toidentify the web browser and thereby assist in providing customized and streamlinedservices. Because cookies are transmitted via HTTP headers and WAP WSP is based onHTTP headers, it should be possible to transmit cookies to the clients. The problem is themobile clients themselves. They may not support the handling of cookie HTTP headerinformation or save this information on a persistent storage in the mobile devices. [3]



Furthermore, security from the web or application server to the mobile client may not beguaranteed. The WTLS defines encryption between the mobile client and the WAPgateway only. The "endpoint" of the encrypted WTLS data is the WAP Gateway proxyserver. To have a secure connection to a host (e.g. banking web server) the WAP gatewayhas to establish secure (https) connections to the host. In this case the WAP gateway hasaccess to the decrypted data received via WTLS from the mobile station or from thecontent host via https. Future versions of WAP will allow a WTLS session to terminatebeyond the WAP gateway at the application or web server. [3], [6]



WTLS Integration with PKI – WTLS CertificateFull participation in m-commerce requires that the additional security functions ofauthorization and non-repudiation be addressed. This means integration with the PKIsystems is necessary. Incorporating the PKI solution will provide the consumers theconfidence and convenience of performing secure transactions from anywhere, atanytime with a variety of WAP-enabled devices. It will enable consumers to digitallysign high-value transactions - such as mortgage agreements, opening brokerage accounts,buying insurance, and applying for credit cards - without having to go on location to signa piece of paper. PKI will also impact the retail world by enabling non-repudiation,permitting legally binding transactions to be performed in mobile and onlineenvironments. This will assure the merchant of the end-user's identity.

As of March 3, 2000, the WAP Forum published a draft of the WAP PKI (WPKI). Thegoal of the WPKI is to reuse the existing PKI standards where possible, and only developnew standards where necessary to support the specific requirements of WAP. WPKIdefines the PKI model and operations required to support WTLS. It also describes securemethods for downloading CA roots, server and client certificate registration andcertification delivery. The WPKI draft is expected to be approved by June 2001. [27]

The security provided in WAP can be of various levels. In the simplest case, anonymouskey exchange is used for creation of an encrypted channel between server and client; inthe next level a server provides a certificate mapping back to an entity trusted by theclient; and finally the client itself may possess a private key and public key certificateenabling it to identify itself to other entities in the network.

WTLS server certificates, defined as part of WAP 1.1, are used to authenticate a WTLSserver to a WTLS client and to provide a basis for establishing a key to encrypt a client-server session. WTLS mini-certificates are functionally similar to X.509 but are smallerand simpler than X.509 to facilitate their processing in resource-constrained mobiledevices.

WTLS client certificates, defined as part of WAP 1.2, are used to authenticate a WTLSclient to a WTLS server. They also can be formatted as either X.509 certificates or mini-certificates. WAP 1.2 also defines an interesting PKI-based function that is not part ofWTLS. This function, which allows a WAP client to digitally sign a transaction, isknown as the WML2 Script Sign Text (at the application level) function, and is intendedfor applications that require non-reputable signatures from clients.

In contrast to current practice on the Internet (i.e. web browsers), mobile devices do notstore their own certificates. Instead, they store a URL for each certificate they have andthe verifiers follow the URL to get the certificate.

The PKI model is adaptable to many certificate types including X.509v3 and WTLScertificates. The WTLS certificate has the advantage of being very compact, easilyimplemented in code, and easily parsed which is important for the initial implementationsof WAP clients. The WAP PKI will work interchangeably with existing X.509v3



certificates in existing Internet applications, in order to leverage the existing InternetPKIs.

Any new format that requires major changes to the installed base of certificate-processingproducts and CA infrastructure is unlikely to be easily adopted in a short timeframe. Forthis reason the general model for this version is that server certificates will use the WTLScertificate format whereas client certificates will use X.509 format, but as long as they arenot sent over the air nor stored on the client (mobile device).



WTLS’ Competing TechnologiesCurrently there are a few other wireless security options. They include Bluetooth, 3GPP,SIM toolkit, Imode, SET and IPSec. Unfortunately, these technologies are eitherproprietary or are not optimized to meet the wireless constraints.

Bluetooth

The Bluetooth wireless technology allows users to make effortless, wireless and instantconnections between various communication devices, such as mobile phones and desktopand notebook computers. Since it uses radio transmission, transfer of both voice and datais in real-time. The sophisticated mode of transmission adopted in the Bluetoothspecification ensures protection from interference and security of data.

The Bluetooth radio is built into a small microchip and operates in a globally availablefrequency band ensuring communication compatibility worldwide. The Bluetoothspecification has two power levels defined; a lower power level that covers the shorterpersonal area within a room, and a higher power level that can cover a medium range,such as within a home. Software controls and identity coding built into each microchipensure that only those units preset by their owners can communicate. “The primary usefor Bluetooth is to replace close proximity wired solutions, such as your keyboard, mouseand cellular handset.” As far as security is concerned, the built-in security modesprovided by the Buletooth specification may not be sufficient. Security should beplanned for and implemented at the application level.” Bluetooth’s current securitysystem is not in the protocols themselves. Therefore, a PKI system is required at theapplication level to eliminate this problem. [2], [15]

3GPP

The Third Generation Partnership Project (3GPP) is developing the globallyapplicable Technical Specifications and Technical Reports for a 3rd GenerationMobile System based on evolved GSM core networks and the radio accesstechnologies that they support (i.e., Universal Terrestrial Radio Access (UTRA)both Frequency Division Duplex (FDD) and Time Division Duplex (TDD)modes). The partners have further agreed to co-operate in the maintenance anddevelopment of the Global System for Mobile communication (GSM) TechnicalSpecifications and Technical Reports including evolved radio access technologies(e.g. General Packet Radio Service (GPRS) and Enhanced Data rates for GSMEvolution (EDGE)). [1]

The specifications are based on mobile-IP and are for the third generation GSMproprietary networks. (Mobile-IP permits IP nodes (mobile devices) using eitherIPv4 or IPv6 to seamlessly "roam" among IP sub-networks and media types.)



SIM Toolkit

Subscriber Identity Module (SIM) Toolkit is the European TelecommunicationsStandards Institute Special Mobile Group (ETSI/SMG) standard for value added servicesand e-commerce using GSM phones to do the transactions.

The SIM Toolkit is programmed into the special GSM SIM card essentially enables theSIM card to drive the GSM handset interface. It provides the users with the necessaryauthentication to access the network using GSM encryption algorithms. It’s the interfacebetween the mobile terminal and the network. [23]

The SIM Toolkit is semi-proprietary. A GSM proprietary device is accessed via astandard interface.

Imode

Imode is NTT DoCoMo’s mobile Internet access system in Japan.

Technically, Imode is an overlay over NTT-DoCoMo's ordinary mobile voice system.While the voice system is circuit-switched (i.e. a dial-up is necessary), Imode is "packet-switched so it’s always on, provided the mobile phone is in an area where the Imodesignal be reached. When mobile phone is switched to Imode, a dial-up is not necessary.However, communication delays still exist.

Imode uses cHTML (compact HTML), which is in part a subset of ordinary HTML.However, in addition to HTML tags, there are some special Imode-only tags (for examplea tag to inform search machines that a particular web page is an Imode page). BecausecHTML is an extended subset of HTML, Imode pages can be viewed by a regularbrowser (i.e. Internet Explorer or Netscape Browser). [13]

The Imode portable phones will only work with DoCoMo’s telephone network. Thesecurity of the radio link between the Imode portable phones and the cellular basestations uses NTT DoCoMo’s proprietary protocols and encoding.

SET

Secure electronic transaction (SET) is an open encryption and security specificationdesigned to protect credit card transactions on the Internet. SET provides three essentialservices:

• Provides secure communication channels for all parties involved in thetransaction,

• Provides trust using the X.509v3 certificates, and• Ensures privacy by providing information to parties only when and where

necessary.

SET uses only DES to provide confidentiality, SHA-1 for message authentication, andRSA for digital signature. It provides only one choice for each cryptographic algorithm.SET can securely operate on TCP/IP by itself, independent of SSL or IPSec. [24]



IPSec

IP Security (IPSec) is a set of protocols currently being developed by the IETF to supportsecure exchange of packet at the IP layer. It encompasses three functional security areas:authentication, encryption, and key management.

IPSec supports two encryption modes: transport and tunnel. The transport mode encryptsonly the payload of each packet, but leaves the header unchanged. The more securetunnel mode encrypts both the header and the payload. On the receiving side, an IPSec-compliant device decrypts each packet.

Key management involves the use of Internet Security Association (SA) and KeyManagement Protocol/Oakley (ISAKMP/Oakley).

IPSec’s design does not include any wireless constraints.



ConclusionThe Wireless Application Protocol (WAP) is a result of continuous work to define anindustry-wide specification for developing applications that operate over wirelessnetworks. The security layer protocol WTLS operates above the transport layer protocol.The WTLS is optional so it may or may not be used depending on the required securitylevel of the application.

The WTLS layer provides data privacy, data integrity, and authentication between twocommunication parties. The WTLS provides functionality similar to TLS butincorporates new features such as datagram support, optimized handshake, and dynamickey refreshing. Additionally, it is optimized for low-bandwidth bearer networks withrelatively long latency.

The WAP PKI with WTLS will provide additional security services of authorization andnon-repudiation.

There are numerous technologies available for secure wireless communications. Amongthem are WTLS, Bluetooth, 3GPP, SIM Toolkit, Imode, SET, and IPSec. WTLS is theonly one in the list that is both optimized for the wireless communication and non-proprietary.



References

[1] 3GPP. http://www.ednmag.com/ednmag/reg/2000/08172000/17tt.htm

[2] Armstrong, Illena, Plugging the Holes in Bluetooth. SC Magazine. February2001. http://www.infosecnews.com

[3] Buzzland WAP Technology Guide.http://buzzland.hypermart.net/wapguide3.htm

[4] Carpy, Céline. The Influence of the Wireless Application Protocol Gateway onBrowsing HTML Pages.http://www.d.kth.se/~x99_cca/Internetworking/WAP.html

[5] Clark, Tim, RSA to Back Rival Cryptography, CNET News.com, January 5,1998. http://news.cnet.com/news/0,10000,0-1003-200-325310,00.html

[6] Cobb, Stephen, The Flip Side of the Wireless Explosion: Dealing with the WAP-GAP Security Risks.http://www.serverworldmagazine.com/sunserver/2001/01/wapgap.shtml

[7] Cravotta, Nicholas, Securing the Wireless World Wide Web, August 17, 2000.http://www.ednmag.com/ednmag/reg/2000/08172000/17tt.htm

[8] Cutts, Marcus, Secure Wireless Applicaton Protocol (WAP on the Enterprise,Ready or Not? September 5, 2000. Sans Institute.http://news.cnet.com/news/0,10000,0-1003-200-325310,00.html

[9] Dierks, T. and Allen C., The TLS Protocol, January 1999. ftp://ftp.isi.edu/in-notes/rfc2246.txt

[10] Farrell, Stephen, Wireless PKI, RSA Conference 2001 Presentation.http://www.rsaconference.com/rsa2001/index2.html

[11] Freier A. O. & Karlton P. & Kocher P. C., The SSL Protocol Version 3.0, October18, 1996. http://www.netscape.com/eng/ssl3/draft302.txt

[12] http://csrc.nist.gov/encryption/aes/index.html - comments

[13] http://eurotechnology.com/Imode/

[14] http://www.baltimore.com/

[15] http://www.bluetooth.com/



[16] http://www.certicom.com/

[17] http://www.rsa.com

[18] Indiantimes Infotech, Wireless Apps with PKI-based Security.http://www.indiatimes.com/infotech/help/enterprise/pki.html

[19] Jormalainen, Sami and Laine, Jouni, Security in the WTLS, Computer Scienceand Engineering. Helsinki University of Technology. October 1, 2000.http://www.hut.fi/~jtlaine2/wtls/

[20] Khare, Rohit, W*Effect Considered Harmful, April 9, 1999. 4K Associates.http://news.cnet.com/news/0,10000,0-1003-200-325310,00.html

[21] Maxim, Merritt, Wireless Security – Oxymoron or Reality, RSA Conference 2001Presentation. http://www.rsaconference.com/rsa2001/index2.html

[22] Saarinen, Markku-Juhani, Attacks Against the WAP WTLS Protocol, September29, 1999, http://www.freeprotocols.org/harmOfWap/wtls.pdf

[23] SIM Toolkit, http://www.ednmag.com/ednmag/reg/2000/08172000/17tt.htm

[24] Stallings, William, Cryptography and Network Security: Principle and Practice,Second Edition, Prentice Hall, 1995.

[25] Telecommunications Development Asia-Pacific, Understanding Security on theWireless Internet.http://www.tdap.co.uk/uk/archive/billing/bill(phonecom_9912).html

[26] VerSign, WAP Wireless Technology: Security at a New Level.http://www.verisign.com/support/tlc/wap/about_wap.html

[27] WAP Forum, Wireless Application Protocol PKI Definition, March 3, 2000.http://www.wapforum.org/

[28] WAP Forum. Wireless Application Protocol Architecture Specification,.April 4,1998. http://www.wapforum.org/

[29] WAP Forum. Wireless Transport Layer Security Specification Version 1.1,November 2, 1999. http://www.wapforum.org/

[30] Zuccherato, Robert, WAP Security: WTLS, WPKI and Beyond, RSA Conference2001 Presentation. http://www.rsaconference.com/rsa2001/index2.html

wap security: wtls · wap security: wtls 5/4/01 thanh v. do 6 of 24 at the transaction layer, the...

Documents