MIDP Application Security

Slides:



Advertisements
Similar presentations
SSL/TLS Protocol Network Security Gene Itkis. Basic paradigmatic application: on-line purchase Client contacts Server (possibly for the first time) Spontaneity.
Advertisements

TLS Introduction 14.2 TLS Record Protocol 14.3 TLS Handshake Protocol 14.4 Summary.
Secure Socket Layer.
SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
17.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 17 Security at the Transport Layer: SSL and TLS.
Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)
Internet Security Protocols
An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.
1 SSL/TLS 2 Web security Security requirements Secrecy to prevent eavesdroppers to learn sensitive information Entity authentication Message authentication.
Transport Layer Security (TLS) Protocol Introduction to networks and communications(CS555) Prof : Dr Kurt maly Student:Abhinav y.
Mar 19, 2002Mårten Trolin1 This lecture On the assignment Certificates and key management SSL/TLS –Introduction –Phases –Commands.
Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.
CSCI 6962: Server-side Design and Programming
11 Secure Sockets Layer (SSL) Protocol (SSL) Protocol Saturday, University of Palestine Applied and Urban Engineering College Information Security.
SSL and https for Secure Web Communication CSCI 5857: Encoding and Encryption.
Secure Socket Layer (SSL)
SSL / TLS in ITDS Arun Vishwanathan 23 rd Dec 2003.
Behzad Akbari Spring 2012 (These slides are based on lecture slides by Lawrie Brown)
Introduction to Secure Sockets Layer (SSL) Protocol Based on:
Security Protocols and E-commerce University of Palestine Eng. Wisam Zaqoot April 2010 ITSS 4201 Internet Insurance and Information Hiding.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Web Security : Secure Socket Layer Secure Electronic Transaction.
December 2008Prof. Reuven Aviv, SSL1 Web Security with SSL Network Security Prof. Reuven Aviv King Mongkut’s University of Technology Faculty of information.
Web Security Network Systems Security
SARVAJANIK COLLEGE OF ENGINEERING & TECHNOLOGY. Secure Sockets Layer (SSL) Protocol Presented By Shivangi Modi Presented By Shivangi ModiCo-M(Shift-1)En.No
SSL (TLS) Part 2 Generating the Premaster and Master Secrets + Encryption.
SMUCSE 5349/7349 SSL/TLS. SMUCSE 5349/7349 Layers of Security.
Secure Sockets Layer (SSL) Protocol by Steven Giovenco.
1 SSL/TLS. 2 Web security Security requirements Secrecy to prevent eavesdroppers to learn sensitive information Entity authentication Message authentication.
Secure Socket Layer SSL and TLS. SSL Protocol Peer negotiation for algorithm support Public key encryptionPublic key encryption -based key exchange and.
Mar 28, 2003Mårten Trolin1 This lecture Certificates and key management Non-interactive protocols –PGP SSL/TLS –Introduction –Phases –Commands.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
@Yuan Xue CS 285 Network Security Secure Socket Layer Yuan Xue Fall 2013.
Cryptography CSS 329 Lecture 13:SSL.
Apr 1, 2003Mårten Trolin1 Previous lecture Certificates and key management Non-interactive protocols –PGP SSL/TLS –Introduction –Phases –Commands.
SSL: Secure Socket Layer By: Mike Weissert. Overview Definition History & Background SSL Assurances SSL Session Problems Attacks & Defenses.
PRESENTATION ON SECURE SOCKET LAYER (SSL) BY: ARZOO THAKUR M.E. C.S.E (REGULAR) BATCH
TLS/SSL Protocol Presented by: Vivek Nelamangala Includes slides presented by Miao Zhang on April Course: CISC856 - TCP/IP and Upper Layer Protocols.
Network security Presentation AFZAAL AHMAD ABDUL RAZAQ AHMAD SHAKIR MUHAMMD ADNAN WEB SECURITY, THREADS & SSL.
Computer and Network Security
The Secure Sockets Layer (SSL) Protocol
Web Security CS-431.
CSCI 555 Adv Computer Security
Cryptography and Network Security
Secure Sockets Layer (SSL)
CSCE 715: Network Systems Security
Visit for more Learning Resources
COMP3220 Web Infrastructure COMP6218 Web Architecture
BINF 711 Amr El Mougy Sherif Ismail
NETWORK PROGRAMMING CNET 441
Originally by Yu Yang and Lilly Wang Modified by T. A. Yang
CSE 4095 Transport Layer Security TLS, Part II
Using SSL – Secure Socket Layer
CSE 4095 Transport Layer Security TLS
Cryptography and Network Security
Cryptography and Network Security Chapter 16
CS 465 TLS Last Updated: Oct 31, 2017.
Secure Web Application-SSL
Cryptography and Network Security
SSL (Secure Socket Layer)
Lecture 8: Transport Level Security – SSL/TLS
Security at the Transport Layer: SSL and TLS
CSCE 815 Network Security Lecture 16
SSL Protocol Figures used in the presentation
The Secure Sockets Layer (SSL) Protocol
Cryptography and Network Security Chapter 16
Transport Layer Security (TLS)
Electronic Payment Security Technologies
Cryptography and Network Security
Presentation transcript:

MIDP Application Security Ying Hong Wireless Security Spring 2003

MIDP Application Security Contents Introduction to MIDP Overview of TLS Samples Current Research Status 11/12/2018 MIDP Application Security

MIDP Application Security Introduction To MIDP What is MIDP An approach to develop wireless applications. The MIDlet structure It extends MIDlet. It Has startApp(), parseApp(), and destroyApp(). It may have commandAction() if it implements CommandListener. MIDP is an approach to develop wireless application. Basic MIDlet structure is: it extends MIDlet, implements CommandListener, and it includes constructor, startApp(), parseApp(), destroyApp(), and usually these is at least a commandAction(). The MIDP programming model is a mix of the Java programming model and the web programming model. MIDlets are developed using Java and compiled the same way you compile any java application. Similar to applets, where an applet is described in an HTML file, a MIDlet or a group of MIDlets (known as a MIDlet suite) is described in a java descriptor (JAD) file, While applets run in a web browser, MIDlets run in a MIDlet management software that provides an operating enviroment for KVM and MIDLets where they run. However, unlike applets, MIDlets do not get destroyed when they finish running. They remain installed on the device until they are explicitly removed. [J2ME MIDP and WAP: complementary Technologies] 11/12/2018 MIDP Application Security

MIDP Application Security Introduction To MIDP MIDP 1.0 MIDP 1.0 provides a standards APIs. MIDP 2.0 MIDP 2.0 provides several new features, including secure networking. Extended Network Connectivity Connection using the HTTPS and SSL/TLS protocols. MIDP 1.0 provides a standards APIs for application development. It includes APIs for application lifecycle, HTTP network connectivity, user interface, and persistent storage. MIDP 2.0 includes many enhancements and additions. The new features in MIDP 2.0 include: schedule, secure networking, multimedia, form enhancements, game APIs, RGB images, code signing and permissions. Actually, what we are concerned is secure networking. Now MIDlets can establish connections using the HTTPS and SSL/TLS protocols that are necessary for secure handling of sensitive information. 11/12/2018 MIDP Application Security

MIDP Application Security Overview of TLS What is TLS TLS is an updated version of the SSLv3 protocol. They are protocols enabling authentication and data encryption over insecure networks. They are implemented layer b/w TCP/IP and higher-level network protocols. One of the strengths of TLS is that it operates directly on top of TCP/IP sockets. TLS is an updated version of the SSLv3 protocol. The two protocols are closely related. They are protocols enabling authentications and data encryption over insecure networks. They are implemented as a layer between TCP/IP and higher-level network protocols like HTTP, SMTP, and NNTP. Their implementation in web browsers is nearly seamless for users. They provide cryptographic authentication and session-based encryption at a minimal cost and they are very easy to be used. One of the strengths of TLS is that it operates directly on top of TCP/IP sockets and behaves very much like TCP/IP sockets. As a result it’s relatively easy to make network applications use an TLS socket instead of a plain socket. 11/12/2018 MIDP Application Security

Overview of TLS How does it work – handshake client_hello server_hello certificate (certificate_request) server_hello_done (certificate) client_key_exchange (certificate_verify) change_cipher_spec finished Step 1 Step 2 Step 3 Step 4 The TLS protocol begins with a handshake, in which the client and server try to agree on a cipher suite, a group of cryptographic algorithms they will use for authentication and session encryption. Once the client and server have agreed with a cipher suite, they can authenticate each other and generate a premaster secret used as the basis of the session key. This session key will be used to encrypt and decrypt all data transmitted b/w the client and the server. 11/12/2018 MIDP Application Security

MIDP Application Security Overview of TLS Step1 client_hello The SSL versions supported by the client 32 bytes of random data that the client creates A session ID that it makes up A list of supported ciphers A list of supported compression methods Client first sends his message called client_hello, which includes:… 11/12/2018 MIDP Application Security

MIDP Application Security Overview of TLS Step2 server_hello The SSL version the server selects from the client’s list; 32 bytes of random data that the server creates; The session ID; The ciphers chosen from the client’s list; The compression method selected. Server responds with a server_hello, which contains:… 11/12/2018 MIDP Application Security

MIDP Application Security Overview of TLS Step 2 (cont.) server’s certificate It’s an X.509 certificate signed by a certificate authority. It includes server’s public key. request for client’s certificate It’s not required. server_hello_done It indicates communication is finished. Next the server sends its certificate, which is an X.509 certificate signed by a certificate authority. It includes the owner of the server, and the server’s public key. So now it will be possible for the client to send encrypted messages to the server using this public key. If server want to authenticate client, he can send a certificate request to client. But this is not normally required for HTTPS. Usually, clients are anonymous. Finally, the server sends the server_hello_done to indicate that it has completed its communication and is waiting for a response from the client. 11/12/2018 MIDP Application Security

MIDP Application Security Overview of TLS Step3 client’s certificate, if server required it It’s a client’s X.509 certificate. client_key_exchange It’s 48 bytes of random data. It’s encrypted using server’s public key. ceritificate_verify, if client’s certificate is sent Hashed messages and signed using client’s private key. When client receives server’s information sent, he will check the server’s certificate first and various parameters it just sent. If he receives a certificate request, then client will send a his certificate to the server. Next the client sends the client_key_exchange, which is 48 bytes of random data that the client and server will each use to construct a session key. The random bytes are created from the random data transmitted b/w client and server. These random bytes are RSA-encrypted with the server’s public key. Then certificate_verify message is sent if client has already sent his certificate to the server. In this message, client hashes all the messages that have sent so far, and signs them with its private key. Then server will be able to verify that the client actually have the key corresponding to its certificate. Whether having this step just depends on server’s certificate request to the client. 11/12/2018 MIDP Application Security

MIDP Application Security Overview of TLS Step 3 (cont.) change_cipher_spec It’s an indication that future communication will be encrypted. Finished It’s encrypted with the session key and including a MAC for integrity. Step4 Server’s indication about future secured communication. Then client computes the key for encryption using RC4, and a key for the message authentication code (MAC) that will be used to verify data integrity. These keys are generated using the secret random number that the client and server have exchanged up to now. The client then sends this change_cipher_spec message, which indicates that future communication will be handled with these ciphers and parameters, but does not need to tell the server the keys, since server can compute them independently based on the same random data transmitted b/w client and server. Finally, the client sends a finished message, encrypted with the session key and including a MAC for integrity. The server then responses with its own change_cipher_spec message, which indicates to the client that it too want encrypt all future communication with the same parameters as the client. It should be able to generate the same session key as client generated. To finish the handshake, the server sends its own finished message, encrypted with the agreed specs and keys. 11/12/2018 MIDP Application Security

MIDP Application Security Overview of TLS Algorithms used in handshake Key exchange RSA, Fixed Diffie-Hellman, Ephemeral Diffie-Hellman, Anonymous Diffie-Hellman, Fortezza Ciphers RC4, 3DES, IDEA, Fortezza, DES, DES40, RC2 MAC (message authentication code) MD5, SHA For the key exchange, RSA is the standard method for SSL key exchange, and it is commonly supported in browsers and servers. For the ciphers, not all SSL implementations support all algorithms. 11/12/2018 MIDP Application Security

MIDP Application Security Samples Sample 1: Creating a secure connection and getting information about the secure connection. Create secure connection: Javax.microedition.io.HttpsConnection Get information about the secure connection Get an instance of SecurityInfo using getSecurityInfo() SecurityInfo provides: getProtocolName() getProtocolVersion() getCipherSuite() getServerCertificate() (return a Certificate object) 11/12/2018 MIDP Application Security

MIDP Application Security Samples Sample 1 Code of HttpsExample Screen snapshots of running HttpsExample Question left: Since HttpsConnection takes care of all secure action explained in TLS handshake, then how the server side code is implemented? 11/12/2018 MIDP Application Security

MIDP Application Security Samples Sample 2 JSSE (Java Secure Sockets Extension) An API for using SSL in Java A reference implementation of that API Installing JSSE Read installing_jsse.txt to learn how to install JSSE or read chapter 9 in Professional Java Security by Jess Garms and Daniel Somerfield. The JSSE is a reasonable SSL implementation. It is not fully optimized, but performs fairly well and is good enough for most uses. If there is an extremely high-traffic situation that requires a Java SSL implementation, then some other implementation, like Phao’s SSLava or RSA’s SSL-J may be needed. However, they may not be free. At least, I tried to download Phao’s SSLava, it required the company’s email for free evaluation trial. 11/12/2018 MIDP Application Security

MIDP Application Security Samples Sample 2: creating a pair of https server and client Coding HTTPSServer Create server socket through javax.net.ssl.SSLServerSocketFactory Running HTTPSServer: Create a certificate and private key to the SSL server with keytool. Set two system properties: keyStore and keyStorePassword in command line or coding it in the program. In server side, we will create an application which will deliver HTML pages over SSL. In client side, we need to register HTTPS support with the system. And then, when we try to create a connection with a server using a URL that begins with https://, the VM will automatically invoke the JSSE. 11/12/2018 MIDP Application Security

MIDP Application Security Samples Sample 2: Coding HTTPSClient Running HTTPSClient Authentication and encryption will be done transparently. Question left: Find the corresponding implementation in MIDP 2.0, especially server side coding. 11/12/2018 MIDP Application Security

MIDP Application Security Samples Sample 3: SSL socket example instead of HTTPS Coding SSLSocketServer Coding SSLSocketClient Difference between SSL socket and plain socket Underlying SSLSocket implementation will take care of authentication of the server and encryption of the data transmitted. This example is going to illustrate using SSL sockets directly without using HTTPS. Server side almost keeps the same coding SSLServerSocket as in sample 2, while client side will using SSLSocket instead of HTTPS. 11/12/2018 MIDP Application Security

Current Research Status What we know: How to connect a server which support HTTPS. How to build a server supporting HTTPS in java application. How to build a server and client over SSL layer in java application. What we need to search: How to build a server supporting HTTPS in servlet? Is it possible to rewrite HTTPSClient (in sample 2) in MIDP and still make sample working? 11/12/2018 MIDP Application Security

MIDP Application Security References “MIDP Application Security 2: Understanding SSL and TLS”, http://wireless.java.sun.com/midp/articles/security2 “MIDP Application Security 3: Authentication in MIDP”, http://wireless.java.sun.com/midp/articles/security3 “Wireless Application Programming”, http://wireless.java.sun.com/midp/articles/getstart “Introduction to Wireless Technologies”, http://wireless.java.sun.com/getstart/articles/intro “J2ME MIDP and WAP complementary technologies”, http://wireless.java.sun.com/midp/articles/midpwap “What’s new in MIDP 2.0”, http://wireless.java.sun.com/midp/articles/midp20 “SSL, and TLS page”, http://www3.tsl.uu.se/~micke/ssl_links.html “Programming Wireless Devices Samples”, http://java.sun.com/docs/books/j2mewireless/examples/README.html “Introducing MIDP 2.0”, http://www.onjava.com/pub/a/onjava/2002/12/18/midp.html “Professional Java Security”, Jess Garms and Daniel Somerfield, ISBN: 1861004257 11/12/2018 MIDP Application Security

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.