A Survey of WAP Security Architecture Neil Daswani

Slides:



Advertisements
Similar presentations
SSL/TLS Protocol Network Security Gene Itkis. Basic paradigmatic application: on-line purchase Client contacts Server (possibly for the first time) Spontaneity.
Advertisements

Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.
Proposal for WAP-IETF co- operation on a wireless friendly TLS Tim Wright, Vodafone and chair WAP Security Group
TLS Introduction 14.2 TLS Record Protocol 14.3 TLS Handshake Protocol 14.4 Summary.
SMUCSE 5349/49 SSL/TLS. SMUCSE 5349/7349 Layers of Security.
SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
Web security (Spoofing & TLS & DNS) Ge Zhang. Web surfing yahoo IP of yahoo? Get index.htm from Response from
Unifying the conceptual levels of network security through use of patterns Ph.D Dissertation Proposal Candidate: Ajoy Kumar, Advisor: Dr Eduardo B. Fernandez.
Kerberized Credential Translation Olga Kornievskaia Peter Honeyman Bill Doster Kevin Coffman Center for Information Technology Integration University of.
17.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 17 Security at the Transport Layer: SSL and TLS.
Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)
Internet Security Protocols
Working Connection Computer and Network Security - SSL, IPsec, Firewalls – (Chapter 17, 18, 19, and 23)
1 SSL/TLS 2 Web security Security requirements Secrecy to prevent eavesdroppers to learn sensitive information Entity authentication Message authentication.
COMP043-Cryptology Week 4 – Certs and Sigs. Digital Signatures Digital signatures provide –Integrity –Authenticity and –Non-repudiation How do they work?
Introduction to M-Commerce. Overview What is M-Commerce? Security Issues Usability Issues Heterogeneity Issues Business Model Issues Case Studies / Examples.
Mar 19, 2002Mårten Trolin1 This lecture On the assignment Certificates and key management SSL/TLS –Introduction –Phases –Commands.
Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.
Lesson 12 Cryptography for E-Commerce. Approaches to Network Security Separate Security Protocol--SSL Application-Specific Security--SHTTP Security with.
WAP Public Key Infrastructure CSCI – Independent Study Fall 2002 Jaleel Syed Presentation No 5.
Mobile Security and Payment Nour El Kadri University Of Ottawa.
Cryptographic Execution Time for WTLS Handshakes on Palm OS Devices Neil Daswani September 21, 2000.
Intro to SSL/TLS Network Security Gene Itkis. 6/14/2015 Gene Itkis: CS558 Network Security 2 Origins Internet Engineering Task Force (IETF) –
Apr 22, 2003Mårten Trolin1 Agenda Course high-lights – Symmetric and asymmetric cryptography – Digital signatures and MACs – Certificates – Protocols Interactive.
0 SSL3.0 / TLS1.0 Secure Communication over Insecure Line.
Intro to SSL/TLS Network Security Gene Itkis. 6/23/2015 cs Network Security (Gene Itkis) 2 Origins Internet Engineering Task Force (IETF) –
Secure password-based cipher suite for TLS: The importance of end-to-end security Marie L.S. Dumont CS 265.
Announcement Final exam: Wed, June 9, 9:30-11:18 Scope: materials after RSA (but you need to know RSA) Open books, open notes. Calculators allowed. 1.
OpenVPN OpenVPN: an open source, cross platform client/server, PKI based VPN.
Secure Socket Layer (SSL)
PKI interoperability and policy in the wireless world.
SSL / TLS in ITDS Arun Vishwanathan 23 rd Dec 2003.
Security in WAP and WTSL By Yun Zhou. Overview of WAP (Wireless Application Protocol)  Proposed by the WAP Forum (Phone.com, Ericsson, Nokia, Motorola)
Introduction to Secure Sockets Layer (SSL) Protocol Based on:
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
KAIS T Security architecture in a multi-hop mesh network Conference in France, Presented by JooBeom Yun.
Cryptography and Network Security (CS435) Part Fourteen (Web Security)
Web Security : Secure Socket Layer Secure Electronic Transaction.
C HAPTER 15 MACs and Signatures Slides adapted from "Foundations of Security: What Every Programmer Needs To Know" by Neil Daswani, Christoph Kern, and.
December 2008Prof. Reuven Aviv, SSL1 Web Security with SSL Network Security Prof. Reuven Aviv King Mongkut’s University of Technology Faculty of information.
WIRELESS APPLICATION PROTOCOL Definition It is universal, open standard developed by the WAP Forum to provide mobile users of wireless phones and other.
Web Security Network Systems Security
8-1 Chapter 8 Security Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 part 3: Securing TCP.
8.4 – 8.5 Securing & Securing TCP connections with SSL By: Amanda Porter.
WAP Architecture Presented by, Nithya Inbamani. WAP Background Wireless Application Protocol – secure specification. Wireless Application Protocol – secure.
SMUCSE 5349/7349 SSL/TLS. SMUCSE 5349/7349 Layers of Security.
Secure Sockets Layer (SSL) Protocol by Steven Giovenco.
1 SSL/TLS. 2 Web security Security requirements Secrecy to prevent eavesdroppers to learn sensitive information Entity authentication Message authentication.
Secure Socket Layer SSL and TLS. SSL Protocol Peer negotiation for algorithm support Public key encryptionPublic key encryption -based key exchange and.
Mar 28, 2003Mårten Trolin1 This lecture Certificates and key management Non-interactive protocols –PGP SSL/TLS –Introduction –Phases –Commands.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
8-1 CSE 4707/5850 Network Security (2) SSL/TLS. 8-2 Think about Google or YouTube  Desired properties  Indeed the other side is Google or YouTube server.
@Yuan Xue CS 285 Network Security Secure Socket Layer Yuan Xue Fall 2013.
Cryptography CSS 329 Lecture 13:SSL.
Lecture 7 (Chapter 17) Wireless Network Security Prepared by Dr. Lamiaa M. Elshenawy 1.
Page 1 of 17 M. Ufuk Caglayan, CmpE 476 Spring 2000, SSL and SET Notes, March 29, 2000 CmpE 476 Spring 2000 Notes on SSL and SET Dr. M. Ufuk Caglayan Department.
Database Management Systems, 3ed, R. Ramakrishnan and J. Gehrke1 Database architecture and security Workshop 4.
Apr 1, 2003Mårten Trolin1 Previous lecture Certificates and key management Non-interactive protocols –PGP SSL/TLS –Introduction –Phases –Commands.
TLS/SSL Protocol Presented by: Vivek Nelamangala Includes slides presented by Miao Zhang on April Course: CISC856 - TCP/IP and Upper Layer Protocols.
The Secure Sockets Layer (SSL) Protocol
Secure Sockets Layer (SSL)
CSCE 715: Network Systems Security
COMP3220 Web Infrastructure COMP6218 Web Architecture
CSE 4095 Transport Layer Security TLS, Part II
WAP Public Key Infrastructure
Mark A. Shaw CS 522 Project Presentation
CSE 4095 Transport Layer Security TLS
Design Experience of WAP Identity Module for M-Commerce
SSL Protocol Figures used in the presentation
Presentation transcript:

A Survey of WAP Security Architecture Neil Daswani

December 3, 2000Neil Daswani, Overview Security Basics Wireless Security WTLS & SSL WAP Security Models WIM, WMLScript, Access Control Summary References

December 3, 2000Neil Daswani, Security Basics Security Goals –Authentication –Confidentiality –Integrity –Authorization –Non-Repudiation

December 3, 2000Neil Daswani, Security Basics Cryptography –Symmetric: 3DES, RC4, etc. –Asymmetric: RSA, ECC Key Exchange Digital Signature Certificates PKI

December 3, 2000Neil Daswani, Wireless Security Link Layer Security –GSM –CDMA –CDPD Application Layer Security –WAP: WTLS, WML, WMLScript, & SSL –iMode: N/A –SMS: N/A

December 3, 2000Neil Daswani, Need for App Level Security Bearer Independence Security out to Gateway Advanced Security Goals (ie. Non-Repudiation)

December 3, 2000Neil Daswani, Basic WAP Architecture Internet Gateway Web Server WTLSSSL

December 3, 2000Neil Daswani, WTLS & SSL WTLS Goals –Authentication: Asymmetric Key Crypto Class 1: No Authentication Class 2: Server Authentication Class 3: Mutual Authentication –Privacy: Symmetric Key Crypto –Data Integrity: MACs

December 3, 2000Neil Daswani, WTLS: Class 1 No Authentication ClientHello > ServerHello < ServerHelloDone ClientKeyExchange ChangeCipherSpec Finished > < Finished Application Data

December 3, 2000Neil Daswani, WTLS: Class 2 Server-Authentication Only ClientHello > ServerHello Certificate < ServerHelloDone ClientKeyExchange ChangeCipherSpec Finished > < Finished Application Data 1. Verify Server Certificate 2. Establish Session Key

December 3, 2000Neil Daswani, WTLS: Class 3 Client Hello > ServerHello Certificate CertificateRequest < ServerHelloDone Certificate ClientKeyExchange (only for RSA) CertificateVerify ChangeCipherSpec Finished > < Finished Application Data 1. Verify Server Certificate 2. Establish Session Key 3. Generate Signature Mutual-Authentication

December 3, 2000Neil Daswani, TLS/SSL vs. WTLS WTLS supports ECC WTLS over WDP TLS over TCP Premaster secret is 20 bytes (vs. 48 in TLS/SSL)

December 3, 2000Neil Daswani, WAP Security Models Operator Hosts Gateway –Without PKI –With PKI Content Provider Hosts Gateway –Static Gateway Connection –Dynamic Gateway Connection

December 3, 2000Neil Daswani, Operator Hosts Gateway Without PKI Internet WAP/HDTP Gateway Web Server WTLS Class 1 or Encrypted HDTPSSL Operator Content Provider

December 3, 2000Neil Daswani, Operator Hosts Gateway Without PKI: –Advantages No extra work for Content Provider No extra work for user System only requires one logical gateway –Disadvantages Content Provider must trust Operator (NDA) Operator can control home deck Operator can introduce advertising

December 3, 2000Neil Daswani, Operator Hosts Gateway With PKI

December 3, 2000Neil Daswani, Operator Hosts Gateway With PKI: –Advantages Content providers does not need to trust Operator. –Disadvantages PKI Infrastructure must be in place.

December 3, 2000Neil Daswani, Content Provider Hosts Gateway Static Gateway Connection WAP Gateway Web Server WTLS Class 2 SSL Content Provider

December 3, 2000Neil Daswani, Content Provider Hosts Gateway Static Gateway Connection –Advantages Content Provider does not need to trust Operator Content Provider can control home deck OTA can be used to configure mobile terminal –Disadvantages Mobile terminal may have limited number of gateway config sets (i.e., Nokia 7110 has 10) Mobile Terminal needs to be configured. –OTA via WAP Push / SMS may not work with gateway / mobile terminal combination –Content Provider may have to pre-configure mobile terminals

December 3, 2000Neil Daswani, Content Provider Hosts Gateway Dynamic Gateway Connection Internet WAP Gateway WTLS Class 2SSL Operator Web Server SSL Content Provider WAP Gateway

December 3, 2000Neil Daswani, Content Provider Hosts Gateway Dynamic Gateway Connection –Advantages Content Provider does not need to trust Operator. Content Provider does not need to worry about mobile terminal config –Disadvantages Operator needs to trust Content Provider. Not deployed yet.

December 3, 2000Neil Daswani, Restricting Gateway Access Consider the following attack: –Eve runs a “modified” WAP gateway –Eve fools a user into using her gateway Now, Eve can eavesdrop on all of the users requests and responses! To prevent this, check the gateway IP address in the HTTP request.

December 3, 2000Neil Daswani, WIM: WAP Identity Module WIM must be tamper-resistant Stores Keys & Master Secrets Computes crypto operations –“unwrapping master secret” –client signature in WTLS Handshake –key exchange (ECC WTLS Handshake) Also: –Generates Keys –Stores Certificates (or their URLs) CA & Root Certs User Certs Can be implemented with SIM

December 3, 2000Neil Daswani, WMLScript Crypto API Non-repudiation signedString = Crypto.signText (stringToSign, options, keyIdType, keyId) Uses a separate, distinct signing key WIM can store signing key and compute signature

December 3, 2000Neil Daswani, WML Access Control WML Deck-Level Access Control … WMLScript Access Control use access domain domain_name | path path_name | domain domain_name path path_name; use access domain “worldfaq.com” path “/stats”

December 3, 2000Neil Daswani, Summary Gateway position & configuration allows for different trust models Security at multiple levels –Link Layer (depends on bearer) –App Layer Authentication, Confidentiality, and Integrity: WTLS Authorization: App-dependent, or WML and WMLScript use access pragma Non-Repudiation: WML signText

December 3, 2000Neil Daswani, References C. Arehart, N. Chidambaram, S. Guruprasad, et. al. Professional WAP. Wrox Press, ISBN D. Margrave, GSM Security and Encryption WAP-100, Wireless Application Protocol Architecture Specification WAP-191, Wireless Markup Language Specification WAP-193, WMLScript Language Specification WAP-199, Wireless Transport Layer Security Specification WAP-198, Wireless Identity Module WAP-161, WMLScript Crypto API Library WAP-187, WAP Transport Layer E2E Security Specification WAP-217, WAP Public Key Infrastructure Definition

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.