WAP Security: WTLS
Thanh V. Do

Agenda
• Introduction
• Wireless Device & Network Constraints
• Wireless Application Protocol
• Wireless Transport Layer Security
• WAP & WTLS Applications
• WTLS’ Competing Technologies
• Conclusion

Introduction
• Using wireless devices (phone, pager, PDA, etc.) to do transactions (banking, sale & auction notification, wireless ticketing, etc.)
• Forecasts by Strategy Analysts in June 1999 about Mobile Commerce:
– $200 billion by 2004
– $230 billion by 2006

Wireless Device Constraints
• Restricted Power Consumption
• Less Powerful CPU
• Less Memory
• Smaller Display
• Smaller Input Device

Wireless Network Constraints
• Less Bandwidth
• Longer Response Time
• Less Connection Stability
• Less Predictable Availability

Wireless Constraints Example
Configuration                 Wireless                    Desktop
Processor Speed               40MHz                       800MHz
Memory                        16MB RAM, 12MB ROM          128MB RAM
Screen Resolution             640 x 240                   1024 x 768
Connection & Response Speed   100 bits/sec, 10 seconds    100 Mb/s, millisecond

Wireless Application Protocol

Wireless Transport Layer Security
• Similar to TLS, BUT has
• Datagram Support
• Optimized Handshake
• Dynamic Key Refreshing

WAP & WTLS Applications
WAP Gateway
• Translate SSL-encrypted messages from the Web server to WTLS
• Take milliseconds

WAP & WTLS Applications
WAP Browser
Typical Browser Requirements:
• 300KB of RAM; the browser uses only 25KB
• Program stored in ROM or other persistent memory (hard disk, flash memory)
• Persistent memory used to store user preferences, application data, history list, etc.

WAP & WTLS Applications
WTLS Toolkit
• To create a secure encrypted session
• Support:
– Anonymous & Authenticated 163-bit ECDH & ECDSA
– Anonymous & Authenticated 1024- & 512-bit RSA
– Anonymous & Authenticated 768- & 512-bit DH
– DES, 3DES (RC5 & IDEA less commonly supported)
– MD5 & SHA-1
– X.509v3 & WTLS Certificates

WAP & WTLS Applications
Security
• Known Attacks
– Chosen plaintext
– Datagram truncation
– Message forgery attack
– Key-search shortcut in some exportable keys
• Issues
– Cookies – client may not support
– WTLS-to-SSL decryption at WAP Gateway

WTLS’ Competitors
• Bluetooth
– Short-distance radio frequency
– Examples: Wireless mouse & keyboard
– No security in protocol
• 3rd Generation Partnership Project (3GPP)
– Based on Mobile-IP
– Support only 3G GSM

WTLS’ Competitors
• SIM Toolkit
– Subscriber Identity Module (SIM)
– Card in GSM phones
– Use GSM encryption algorithms
– European Telecom. Standards Institute for E-commerce using GSM phone
– Semi-proprietary (proprietary device using standard interface)

WTLS’ Competitors
• I-mode (in Japan)
– NTT DoCoMo’s mobile Internet access system
– Packet-switched network (always on)
– Use compact HTML (cHTML), a subset of HTML
– Use proprietary protocols and encoding

WTLS’ Competitors
• Secure Electronic Transaction (SET)
– Provide secure credit card transactions
– Use DES, SHA-1, RSA (no others in standards)
– No wireless considerations
• IP Security (IPSec)
– Transport & Tunnel Mode
– ISAKMP/Oakley for key management
– No wireless considerations

Conclusion
WAP – industry standard
– General protocol for developing wireless applications
WTLS – non-proprietary security protocol
– Provides privacy, integrity, authentication
– Optimized for wireless device constraints & low bandwidth
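The "Datagram Support" and "Dynamic Key Refreshing" points on the Wireless Transport Layer Security slide go together: because datagrams can be lost or reordered, a receiver must be able to recompute the keys for any record from the sequence number carried in that record, and rotating keys every 2^n records limits how much traffic any one key protects. The toy record layer below is an added example, not code from the slides or from any WTLS implementation; its HMAC-SHA1 key expansion, XOR "cipher", 2-byte header and refresh exponent of 3 are simplifications chosen for illustration, not WTLS's actual PRF, cipher suites or record format.

```python
import hashlib
import hmac

# Assumed toy parameters (not WTLS's): new keys every 2**3 = 8 records.
KEY_REFRESH = 3
ENC_KEY_LEN, MAC_KEY_LEN, MAC_LEN = 16, 20, 20


def key_epoch(seq_num):
    """Records sharing the high-order sequence bits share one key set."""
    return seq_num >> KEY_REFRESH


def prf(secret, label, seed, length):
    """HMAC-SHA1 expansion in the style of TLS P_hash (simplified)."""
    out, a = b"", label + seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha1).digest()
        out += hmac.new(secret, a + label + seed, hashlib.sha1).digest()
    return out[:length]


def record_keys(master_secret, nonces, seq_num):
    """Derive (enc_key, mac_key) from the epoch alone, so a receiver that
    sees only this record's sequence number can rebuild the keys."""
    seed = key_epoch(seq_num).to_bytes(2, "big") + nonces
    block = prf(master_secret, b"key expansion", seed, ENC_KEY_LEN + MAC_KEY_LEN)
    return block[:ENC_KEY_LEN], block[ENC_KEY_LEN:]


def protect(master_secret, nonces, seq_num, plaintext):
    """Build header || (plaintext || MAC) XOR keystream; header is in the clear."""
    enc_key, mac_key = record_keys(master_secret, nonces, seq_num)
    header = seq_num.to_bytes(2, "big")
    tag = hmac.new(mac_key, header + plaintext, hashlib.sha1).digest()
    stream = prf(enc_key, b"stream", header, len(plaintext) + MAC_LEN)
    body = bytes(x ^ y for x, y in zip(plaintext + tag, stream))
    return header + body


def unprotect(master_secret, nonces, record):
    """Return the plaintext, or None if the record is truncated or altered."""
    header, body = record[:2], record[2:]
    if len(body) < MAC_LEN:
        return None
    seq_num = int.from_bytes(header, "big")
    enc_key, mac_key = record_keys(master_secret, nonces, seq_num)
    stream = prf(enc_key, b"stream", header, len(body))
    plain = bytes(x ^ y for x, y in zip(body, stream))
    plaintext, tag = plain[:-MAC_LEN], plain[-MAC_LEN:]
    expected = hmac.new(mac_key, header + plaintext, hashlib.sha1).digest()
    return plaintext if hmac.compare_digest(tag, expected) else None
```

Records 0 through 7 share one key set and record 8 starts a new one, a record can be verified without having seen any earlier record, and a record missing its final byte or with a flipped ciphertext bit is rejected because the MAC covers the header and the full plaintext.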