Post on 21-Dec-2015


WAP - Wireless Application Protocol

WAP is a universal open standard developed by the WAP Forum to give mobile phones, pagers and PDAs access to the Internet.

WAP is designed to work with all wireless network technologies (GSM, TDMA, CDMA).

WAP is based on existing Internet standards (TCP/IP, XML, HTML, HTTP).

WAP Gateway

A WAP Gateway is an intermediary between the Internet and the mobile network. It converts a "WAP" request into a "Web" request when information is sent from a mobile phone to the Internet. In the other direction, the WAP Gateway converts the "Web" response into a "WAP" response when information is sent from the Internet back to the mobile phone.

WAP Architecture

How it works

• Using WAP, mobile users can browse web content held on an ordinary web server.
• The web server provides content as HTML pages, transmitted using the standard web protocol stack.
• The HTML content must pass through an HTML filter, which converts it into WML.
• If the filter is separate from the proxy, HTTP is used to deliver the WML to the proxy.
• The proxy converts the WML into a more compact form, binary WML, and delivers it to the mobile user over the wireless network using the WAP protocol stack.

WAP Infrastructure

Fig 12.10

Wireless Markup Language(WML)

WML was designed to describe content and format for presenting data on devices with limited bandwidth, limited screen size and limited user input capability.

Features:

Text and Image support

Deck/card organizational metaphor

support for navigation

WMLScript

References

http://www.devx.com/wireless/articles/WAP/WAPIntro.asp

http://wp.netscape.com/eng/ssl3/3-SPEC.HTM#7-2

Books:

Wireless Communications and Networks - William Stallings

Wireless Security - Merritt Maxim, David Pollino

WAP Protocol stack

WAE - The Wireless Application Environment specifies an application framework for wireless devices. Elements: WAE user agent, content generators, standard content encoding, wireless telephony applications.

WSP - The Wireless Session Protocol establishes a session between client and server and offers HTTP-like request/response semantics.

WTP - The Wireless Transaction Protocol manages transactions by conveying requests and responses between a user agent and an application server. It plays the reliability role that TCP plays in the Internet stack, but is lighter weight and runs over datagrams.

WTLS - Wireless Transport Layer Security provides security services between the mobile device and the WAP gateway (not end-to-end to the web server).

WDP - The Wireless Datagram Protocol provides an interface to the bearers, adapting the upper layers to the underlying bearer service (e.g. SMS, CSD, GPRS).

Wireless transport Layer Security

WTLS is based on TLS, which is itself a refinement of the Secure Sockets Layer (SSL) protocol.

WTLS Features

Authentication - ensures that the stated identity of the peer is correct.

Privacy - ensures that the data cannot be read by a third party, using encryption.

Data integrity - ensures that the data sent between the client and the gateway are not modified, using a message authentication code.

Authorization - the process of determining whether a particular party has the right to perform a particular action.

Denial-of-service protection - detects and rejects messages that are replayed or that fail verification.

WTLS protocol stack

WTLS Record Protocol

WTLS Handshake Protocol

WTLS Change Cipher Spec Protocol

WTLS Alert Protocol

(In the stack figure the Handshake, Change Cipher Spec and Alert Protocols, together with WTP, sit on top of the WTLS Record Protocol, which in turn runs over WDP.)

WTLS Record Protocol - provides basic security services to the higher-layer protocols.

WTLS Record Protocol Operation

Record protocol operation (figure): User data → Compress → Add MAC → Encrypt → Prepend WTLS record header

1. The payload is compressed using a lossless compression algorithm.

2. A MAC is computed over the compressed data using HMAC, a keyed hash code algorithm. One of several hash algorithms can be used with HMAC; WTLS allows MD5 and SHA-1. The MAC is appended after the compressed data.

3. The compressed message plus the MAC are encrypted using a symmetric encryption algorithm.

4. The record protocol prepends a header to the encrypted payload.

WTLS Record Format (figure)

Header byte: R (1 bit) | C (1 bit) | S (1 bit) | L (1 bit) | Content type (4 bits)

Sequence number (16 bits, present only if S = 1)

Record length (16 bits, present only if L = 1)

Plaintext (optionally compressed)  - encrypted

MAC (0, 16 or 20 bytes)  - encrypted; takes care of integrity and authentication (0 bytes under the initial null cipher spec, 16 with MD5, 20 with SHA-1)

R = reserved, C = cipher spec indicator, S = sequence number field indicator, L = record length field indicator, MAC = message authentication code

MAC - Message Authentication Code

The MAC is added after the compressed data so that the receiver can verify that the message is authentic. It is computed with HMAC, a keyed hash code built on a one-way hash function. It verifies both that the content of the message has not been altered and that the source is authentic, i.e. that the sender holds the shared MAC key.

MAC computation (figure): the sender computes the hash code MDm = H(Sab || M) from the shared secret key Sab and the message M and transmits M || MDm; the receiver recomputes H(Sab || M) over the received message and compares the result with the received MDm.

1. MDm = H(Sab || M)

The figure's H(Sab || M) is the textbook keyed-hash picture. HMAC, as actually used by WTLS, wraps the hash twice, HMAC(K, M) = H((K ⊕ opad) || H((K ⊕ ipad) || M)), which is what protects it against the length-extension attacks on MD5 and SHA-1 that the plain H(K || M) construction is exposed to.

Encryption - the compressed message plus the MAC are encrypted using a symmetric encryption algorithm: DES, RC5 or IDEA.

DES - The Data Encryption Standard is a mathematical algorithm for encrypting and decrypting binary information. The system consists of an algorithm and a key.

Key - 64 bits, of which 8 are parity bits, leaving 56 effective key bits. Even with just 56 bits there are over seventy quadrillion possible keys (2^56, about 7.2 × 10^16). The key bits must be chosen independently (at random) to take full advantage of the seventy quadrillion possible keys. At the time DES was standardised the government's position was that, short of trying all 2^56 combinations, there was no way to break the DES algorithm. Exhaustive search has been practical since 1998, when the EFF's purpose-built DES cracker recovered a key in under three days, so DES is no longer an adequate cipher choice.

RC5 - RC5 encrypts plaintext blocks of 32, 64 or 128 bits into ciphertext blocks of the same length. Its key length (and number of rounds) is variable, and it is intended to provide high security.

IDEA - a block cipher that uses a 128-bit key to encrypt data in 64-bit blocks.

Change Cipher Spec protocol

• The change cipher spec message is sent by both the client and the server to notify the receiving party that subsequent records will be protected under the just-negotiated CipherSpec and keys.

• The protocol consists of a single message, which is compressed and encrypted under the current CipherSpec. The message consists of a single byte of value 1.

• Separate read and write states are maintained by both the WTLS client and server. When the client or server receives a change cipher spec message, it copies the pending read state into the current read state. When the client or server writes a change cipher spec message, it copies the pending write state into the current write state.

• The client sends a change cipher spec message following the handshake key exchange, and the server sends one after successfully processing the key exchange message it received from the client.

Alert Protocol

The Alert Protocol is used to convey WTLS-related alerts to the peer entity. As with other content, alert messages are compressed and encrypted as specified by the current state.

An alert consists of two bytes. 1st byte: the level (warning, critical or fatal). 2nd byte: the specific alert.

Fatal alerts - if the level is fatal, WTLS immediately terminates the connection. Examples: unexpected_message, bad_record_mac, decompression_failure, handshake_failure, etc.

Non-fatal alerts - bad_certificate, unsupported_certificate, certificate_revoked, etc.
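The record protocol steps, the record format and MAC figures, and the two-byte alert format above, pulled together as a runnable added example (my code, written for this page; it is not from the original slides or from any WTLS implementation). It uses only Python's standard library, so two things are assumptions: zlib stands in for the lossless compression step, and the encryption is a counter-mode keystream built from HMAC-SHA-256 rather than DES, RC5 or IDEA. The header flag bits, the 16-bit sequence number, HMAC-SHA-1, the level/description alert bytes, the replay rejection and the bad_record_mac response follow the text. The keys and the WML payload in demo() are constructed for the demonstration.

```python
import hashlib
import hmac
import struct
import zlib

# WTLS content types: 1 = change_cipher_spec, 2 = alert, 3 = handshake, 4 = application_data
CHANGE_CIPHER_SPEC, ALERT, HANDSHAKE, APPLICATION_DATA = 1, 2, 3, 4

# Header byte: bit 7 R (reserved), bit 6 C (cipher spec indicator),
# bit 5 S (sequence number field present), bit 4 L (record length field present),
# bits 0-3 content type. This example always sends the S and L fields.
FLAG_C, FLAG_S, FLAG_L = 0x40, 0x20, 0x10
MAC_LEN = 20  # HMAC-SHA-1 output

# Alert protocol: level byte (1 warning, 2 critical, 3 fatal) + description byte.
# 20 is the TLS code for bad_record_mac; WTLS reuses the TLS numbering (assumption).
ALERT_FATAL, BAD_RECORD_MAC = 3, 20


class BadRecordMAC(Exception):
    pass


class Replay(Exception):
    pass


def keystream(enc_key: bytes, seq: int, n: int) -> bytes:
    """Stand-in stream cipher: HMAC-SHA-256 in counter mode, keyed per record by seq.
    Assumption of this example; WTLS specifies DES, RC5 or IDEA instead."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(enc_key, struct.pack(">HI", seq, ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def record_mac(mac_key: bytes, seq: int, ctype: int, compressed: bytes) -> bytes:
    # The MAC binds sequence number and content type to the payload, so a record
    # cannot be replayed under another number or re-typed without the MAC failing.
    header = struct.pack(">HBH", seq, ctype, len(compressed))
    return hmac.new(mac_key, header + compressed, hashlib.sha1).digest()


def seal_record(mac_key: bytes, enc_key: bytes, seq: int, ctype: int, data: bytes) -> bytes:
    """Steps 1-4 of the record protocol: compress, add MAC, encrypt, prepend header."""
    compressed = zlib.compress(data)                                  # 1. lossless compression
    body = compressed + record_mac(mac_key, seq, ctype, compressed)  # 2. MAC after the data
    body = xor(body, keystream(enc_key, seq, len(body)))              # 3. encrypt data + MAC
    header = struct.pack(">BHH", ctype | FLAG_C | FLAG_S | FLAG_L, seq, len(body))
    return header + body                                              # 4. prepend header


def open_record(mac_key: bytes, enc_key: bytes, expected_seq: int, record: bytes):
    """Receiver side: parse header, reject replays, decrypt, verify MAC, decompress."""
    first, seq, length = struct.unpack(">BHH", record[:5])
    ctype = first & 0x0F
    body = record[5:5 + length]
    if seq < expected_seq:
        raise Replay(seq)        # denial-of-service protection: drop replayed records
    plain = xor(body, keystream(enc_key, seq, len(body)))
    compressed, mac = plain[:-MAC_LEN], plain[-MAC_LEN:]
    if not hmac.compare_digest(mac, record_mac(mac_key, seq, ctype, compressed)):
        raise BadRecordMAC()     # integrity failure: caller answers with a fatal alert
    return ctype, seq, zlib.decompress(compressed)


def alert_record(mac_key: bytes, enc_key: bytes, seq: int, level: int, description: int) -> bytes:
    """Alerts travel as ordinary records, so they are compressed, MACed and encrypted too."""
    return seal_record(mac_key, enc_key, seq, ALERT, bytes([level, description]))


def demo() -> dict:
    """Constructed keys and payload: a clean round trip, a tampered record
    (rejected with bad_record_mac) and a replayed record (rejected)."""
    mac_key, enc_key = b"m" * 20, b"e" * 16          # constructed, not from a handshake
    payload = b"<wml><card><p>balance: 42</p></card></wml>"
    rec = seal_record(mac_key, enc_key, 7, APPLICATION_DATA, payload)
    result = {"round_trip": open_record(mac_key, enc_key, 7, rec)[2] == payload,
              "header_byte": rec[0]}
    tampered = rec[:12] + bytes([rec[12] ^ 0x01]) + rec[13:]   # flip one ciphertext bit
    try:
        open_record(mac_key, enc_key, 7, tampered)
        result["tamper_detected"] = False
    except BadRecordMAC:
        result["tamper_detected"] = True
        alert = alert_record(mac_key, enc_key, 7, ALERT_FATAL, BAD_RECORD_MAC)
        result["alert"] = open_record(mac_key, enc_key, 7, alert)[2]
    try:
        open_record(mac_key, enc_key, 8, rec)     # receiver already expects seq 8
        result["replay_detected"] = False
    except Replay:
        result["replay_detected"] = True
    return result
```

The order matters: the receiver checks the sequence number before spending any work on decryption, and compares the MAC in constant time before decompressing, so a replayed or forged record is rejected without touching the decompressor, which is exactly the denial-of-service protection the feature list promises.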

Handshake Protocol

This protocol allows the server and the client to authenticate each other and to negotiate the encryption algorithm, the MAC algorithm and the cryptographic keys used to protect data sent in a WTLS record.

Phase I - used to initiate a logical connection and establish the security capabilities.

Phase II - used for server authentication and key exchange.

Phase III - used for client authentication and key exchange.

Phase IV - completes the secure connection.
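The four handshake phases, and the pending/current read and write states that the change cipher spec message switches, simulated in an added example (my code, written for this page; it is not from the original slides, not a real WTLS stack, and not the WTLS wire format). Assumptions: a toy Diffie-Hellman group (p = 2^127 - 1, g = 2, far too small for real use) stands in for the negotiated RSA/DH/ECDH exchange, HMAC-SHA-256 expansion stands in for the WTLS PRF, server authentication (signing the key exchange) is omitted, and the Finished message is a PRF over the transcript hash as in TLS. What it shows is that traffic keys exist only as pending state after phase III, and that the single-byte change_cipher_spec message is what promotes them to the current state for one direction at a time.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman parameters (assumption of this example): p = 2^127 - 1, g = 2.
# Far too small for real use; WTLS negotiates RSA, DH or ECDH key exchange.
P = (1 << 127) - 1
G = 2
NONCE_LEN = 16


def prf(secret: bytes, label: bytes, seed: bytes, n: int = 32) -> bytes:
    """Key-derivation PRF: HMAC-SHA-256 expansion, an assumed stand-in for the WTLS PRF."""
    out, block = b"", b""
    while len(out) < n:
        block = hmac.new(secret, block + label + seed, hashlib.sha256).digest()
        out += block
    return out[:n]


class State:
    """Security parameters for one traffic direction; empty keys mean the null cipher."""
    def __init__(self, mac_key: bytes = b"", enc_key: bytes = b""):
        self.mac_key, self.enc_key = mac_key, enc_key


class Peer:
    def __init__(self, name: str):
        self.name = name
        self.current_read, self.current_write = State(), State()   # null cipher until CCS
        self.pending_read, self.pending_write = State(), State()
        self.transcript = b""
        self.master = b""
        self.nonce = b""
        self.priv = secrets.randbelow(P - 3) + 2                    # private DH exponent
        self.pub = pow(G, self.priv, P)

    def hello(self) -> bytes:                 # Phase I: random nonce (cipher suite offer elided)
        self.nonce = secrets.token_bytes(NONCE_LEN)
        return b"hello:" + self.name.encode() + b":" + self.nonce

    def key_exchange(self) -> bytes:          # Phase II (server) / Phase III (client)
        return b"key_exchange:" + self.name.encode() + b":" + self.pub.to_bytes(16, "big")

    def derive(self, peer_pub: int, client_nonce: bytes, server_nonce: bytes) -> None:
        """Master secret and per-direction (mac_key, enc_key) pairs go into the PENDING states."""
        shared = pow(peer_pub, self.priv, P).to_bytes(16, "big")
        self.master = prf(shared, b"master secret", client_nonce + server_nonce)
        kb = prf(self.master, b"key expansion", server_nonce + client_nonce, 64)
        c2s, s2c = (kb[:20], kb[20:32]), (kb[32:52], kb[52:64])
        write, read = (c2s, s2c) if self.name == "client" else (s2c, c2s)
        self.pending_write, self.pending_read = State(*write), State(*read)

    def send_change_cipher_spec(self) -> bytes:
        self.current_write = self.pending_write          # pending write -> current write
        return bytes([1])                                # the message is a single byte, value 1

    def recv_change_cipher_spec(self, msg: bytes) -> None:
        if msg != bytes([1]):
            raise ValueError("unexpected_message")
        self.current_read = self.pending_read            # pending read -> current read

    def finished(self, sender: str) -> bytes:            # Phase IV: MAC over the handshake transcript
        digest = hashlib.sha256(self.transcript).digest()
        return prf(self.master, sender.encode() + b" finished", digest, 12)


def handshake() -> dict:
    client, server = Peer("client"), Peer("server")
    result = {"null_cipher_before_ccs": client.current_write.mac_key == b""}

    def send(msg: bytes) -> bytes:           # every handshake message enters both transcripts
        client.transcript += msg
        server.transcript += msg
        return msg

    client_nonce = send(client.hello())[-NONCE_LEN:]                        # Phase I
    server_nonce = send(server.hello())[-NONCE_LEN:]
    server_pub = int.from_bytes(send(server.key_exchange())[-16:], "big")   # Phase II
    client_pub = int.from_bytes(send(client.key_exchange())[-16:], "big")   # Phase III
    client.derive(server_pub, client_nonce, server_nonce)
    server.derive(client_pub, client_nonce, server_nonce)
    # Phase IV: each side switches its write state, then proves it holds the new keys
    server.recv_change_cipher_spec(client.send_change_cipher_spec())
    result["client_finished_verified"] = hmac.compare_digest(client.finished("client"), server.finished("client"))
    client.recv_change_cipher_spec(server.send_change_cipher_spec())
    result["server_finished_verified"] = hmac.compare_digest(server.finished("server"), client.finished("server"))
    cw, sr = client.current_write, server.current_read
    result["client_write_matches_server_read"] = (cw.mac_key, cw.enc_key) == (sr.mac_key, sr.enc_key)
    result["directional_keys_differ"] = client.current_write.enc_key != server.current_write.enc_key
    return result
```

Two points the simulation makes visible: the keys for the two directions are different slices of the key block, so a record captured on one direction cannot be reflected back on the other, and the Finished value covers every earlier handshake message, so an attacker who altered the hello or key exchange in transit causes the Finished check to fail even though the keys themselves were never sent.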

WAP security architecture

WAP GAP

The WAP architecture is based on a wireless gateway (WAP gateway) that translates data from the wireless formats defined by WAP (such as WML) to the Internet formats used by web servers (e.g. HTML).

To make the translation, the WAP gateway needs access to the unsecured, plaintext data being transmitted. Many WAP gateways do no data translation at all, but the deployed security protocols are defined on the basis that they do, so the gateway still has access to the plaintext. The resulting architecture secures every transport leg, but not the gateway in the middle.

The WAP WTLS specification provides strong security between the WAP client and the gateway, and the gateway uses some other secure mechanism (e.g. SSL/TLS) to connect to the content server. Between those two connections the data sits unprotected inside the gateway. The time involved is short (milliseconds), but the duration is not the point: whoever operates the gateway, typically the network carrier, and anyone who compromises it, can read or log the plaintext, so the exposure is a question of who is trusted with the gateway.

This is the so-called "WAP gap". Solution: run the company's own gateway, so the plaintext never leaves the organisation's trust boundary.

End-to-end security will be an option in the next version of WAP (WAP 2.0 allows TLS to be run end-to-end from the handset to the origin server).

End to end security - filling the gap

WIM (WAP Identity Module)

In order to give the user of the WML browser a secure and unique identity, the WAP specification added an identity module (used, for example, in banking transactions).

The WAP Identity Module (WIM) stores the cryptographic keys used in WTLS and in the application layer. All operations using these keys should be performed inside the WIM, so that the keys are never exposed outside the secure environment.

These operations include:

Signing in the application layer.

Decryption when setting up a shared key as part of a secure session in WTLS.

MAC computation and verification as part of securing messages in WTLS.

Conventional encryption and decryption as part of securing messages in WTLS.

Ideally, the WIM is implemented as an additional application on the GSM SIM card.

Such enhanced SIM cards are expected on the market in the near future.