Presentation is loading. Please wait.

Presentation is loading. Please wait.

MIDP Application Security

Published byJohan Salim Modified over 6 years ago

Similar presentations

Presentation on theme: "MIDP Application Security"— Presentation transcript:

1 MIDP Application Security
Ying Hong Wireless Security Spring 2003

2 MIDP Application Security
Contents Introduction to MIDP Overview of TLS Samples Current Research Status 11/12/2018 MIDP Application Security

3 MIDP Application Security
Introduction To MIDP What is MIDP An approach to develop wireless applications. The MIDlet structure It extends MIDlet. It Has startApp(), parseApp(), and destroyApp(). It may have commandAction() if it implements CommandListener. MIDP is an approach to develop wireless application. Basic MIDlet structure is: it extends MIDlet, implements CommandListener, and it includes constructor, startApp(), parseApp(), destroyApp(), and usually these is at least a commandAction(). The MIDP programming model is a mix of the Java programming model and the web programming model. MIDlets are developed using Java and compiled the same way you compile any java application. Similar to applets, where an applet is described in an HTML file, a MIDlet or a group of MIDlets (known as a MIDlet suite) is described in a java descriptor (JAD) file, While applets run in a web browser, MIDlets run in a MIDlet management software that provides an operating enviroment for KVM and MIDLets where they run. However, unlike applets, MIDlets do not get destroyed when they finish running. They remain installed on the device until they are explicitly removed. [J2ME MIDP and WAP: complementary Technologies] 11/12/2018 MIDP Application Security

4 MIDP Application Security
Introduction To MIDP MIDP 1.0 MIDP 1.0 provides a standards APIs. MIDP 2.0 MIDP 2.0 provides several new features, including secure networking. Extended Network Connectivity Connection using the HTTPS and SSL/TLS protocols. MIDP 1.0 provides a standards APIs for application development. It includes APIs for application lifecycle, HTTP network connectivity, user interface, and persistent storage. MIDP 2.0 includes many enhancements and additions. The new features in MIDP 2.0 include: schedule, secure networking, multimedia, form enhancements, game APIs, RGB images, code signing and permissions. Actually, what we are concerned is secure networking. Now MIDlets can establish connections using the HTTPS and SSL/TLS protocols that are necessary for secure handling of sensitive information. 11/12/2018 MIDP Application Security

5 MIDP Application Security
Overview of TLS What is TLS TLS is an updated version of the SSLv3 protocol. They are protocols enabling authentication and data encryption over insecure networks. They are implemented layer b/w TCP/IP and higher-level network protocols. One of the strengths of TLS is that it operates directly on top of TCP/IP sockets. TLS is an updated version of the SSLv3 protocol. The two protocols are closely related. They are protocols enabling authentications and data encryption over insecure networks. They are implemented as a layer between TCP/IP and higher-level network protocols like HTTP, SMTP, and NNTP. Their implementation in web browsers is nearly seamless for users. They provide cryptographic authentication and session-based encryption at a minimal cost and they are very easy to be used. One of the strengths of TLS is that it operates directly on top of TCP/IP sockets and behaves very much like TCP/IP sockets. As a result it’s relatively easy to make network applications use an TLS socket instead of a plain socket. 11/12/2018 MIDP Application Security

6 Overview of TLS How does it work – handshake client_hello server_hello
certificate (certificate_request) server_hello_done (certificate) client_key_exchange (certificate_verify) change_cipher_spec finished Step 1 Step 2 Step 3 Step 4 The TLS protocol begins with a handshake, in which the client and server try to agree on a cipher suite, a group of cryptographic algorithms they will use for authentication and session encryption. Once the client and server have agreed with a cipher suite, they can authenticate each other and generate a premaster secret used as the basis of the session key. This session key will be used to encrypt and decrypt all data transmitted b/w the client and the server. 11/12/2018 MIDP Application Security

7 MIDP Application Security
Overview of TLS Step1 client_hello The SSL versions supported by the client 32 bytes of random data that the client creates A session ID that it makes up A list of supported ciphers A list of supported compression methods Client first sends his message called client_hello, which includes:… 11/12/2018 MIDP Application Security

8 MIDP Application Security
Overview of TLS Step2 server_hello The SSL version the server selects from the client’s list; 32 bytes of random data that the server creates; The session ID; The ciphers chosen from the client’s list; The compression method selected. Server responds with a server_hello, which contains:… 11/12/2018 MIDP Application Security

9 MIDP Application Security
Overview of TLS Step 2 (cont.) server’s certificate It’s an X.509 certificate signed by a certificate authority. It includes server’s public key. request for client’s certificate It’s not required. server_hello_done It indicates communication is finished. Next the server sends its certificate, which is an X.509 certificate signed by a certificate authority. It includes the owner of the server, and the server’s public key. So now it will be possible for the client to send encrypted messages to the server using this public key. If server want to authenticate client, he can send a certificate request to client. But this is not normally required for HTTPS. Usually, clients are anonymous. Finally, the server sends the server_hello_done to indicate that it has completed its communication and is waiting for a response from the client. 11/12/2018 MIDP Application Security

10 MIDP Application Security
Overview of TLS Step3 client’s certificate, if server required it It’s a client’s X.509 certificate. client_key_exchange It’s 48 bytes of random data. It’s encrypted using server’s public key. ceritificate_verify, if client’s certificate is sent Hashed messages and signed using client’s private key. When client receives server’s information sent, he will check the server’s certificate first and various parameters it just sent. If he receives a certificate request, then client will send a his certificate to the server. Next the client sends the client_key_exchange, which is 48 bytes of random data that the client and server will each use to construct a session key. The random bytes are created from the random data transmitted b/w client and server. These random bytes are RSA-encrypted with the server’s public key. Then certificate_verify message is sent if client has already sent his certificate to the server. In this message, client hashes all the messages that have sent so far, and signs them with its private key. Then server will be able to verify that the client actually have the key corresponding to its certificate. Whether having this step just depends on server’s certificate request to the client. 11/12/2018 MIDP Application Security

11 MIDP Application Security
Overview of TLS Step 3 (cont.) change_cipher_spec It’s an indication that future communication will be encrypted. Finished It’s encrypted with the session key and including a MAC for integrity. Step4 Server’s indication about future secured communication. Then client computes the key for encryption using RC4, and a key for the message authentication code (MAC) that will be used to verify data integrity. These keys are generated using the secret random number that the client and server have exchanged up to now. The client then sends this change_cipher_spec message, which indicates that future communication will be handled with these ciphers and parameters, but does not need to tell the server the keys, since server can compute them independently based on the same random data transmitted b/w client and server. Finally, the client sends a finished message, encrypted with the session key and including a MAC for integrity. The server then responses with its own change_cipher_spec message, which indicates to the client that it too want encrypt all future communication with the same parameters as the client. It should be able to generate the same session key as client generated. To finish the handshake, the server sends its own finished message, encrypted with the agreed specs and keys. 11/12/2018 MIDP Application Security

12 MIDP Application Security
Overview of TLS Algorithms used in handshake Key exchange RSA, Fixed Diffie-Hellman, Ephemeral Diffie-Hellman, Anonymous Diffie-Hellman, Fortezza Ciphers RC4, 3DES, IDEA, Fortezza, DES, DES40, RC2 MAC (message authentication code) MD5, SHA For the key exchange, RSA is the standard method for SSL key exchange, and it is commonly supported in browsers and servers. For the ciphers, not all SSL implementations support all algorithms. 11/12/2018 MIDP Application Security

13 MIDP Application Security
Samples Sample 1: Creating a secure connection and getting information about the secure connection. Create secure connection: Javax.microedition.io.HttpsConnection Get information about the secure connection Get an instance of SecurityInfo using getSecurityInfo() SecurityInfo provides: getProtocolName() getProtocolVersion() getCipherSuite() getServerCertificate() (return a Certificate object) 11/12/2018 MIDP Application Security

14 MIDP Application Security
Samples Sample 1 Code of HttpsExample Screen snapshots of running HttpsExample Question left: Since HttpsConnection takes care of all secure action explained in TLS handshake, then how the server side code is implemented? 11/12/2018 MIDP Application Security

15 MIDP Application Security
Samples Sample 2 JSSE (Java Secure Sockets Extension) An API for using SSL in Java A reference implementation of that API Installing JSSE Read installing_jsse.txt to learn how to install JSSE or read chapter 9 in Professional Java Security by Jess Garms and Daniel Somerfield. The JSSE is a reasonable SSL implementation. It is not fully optimized, but performs fairly well and is good enough for most uses. If there is an extremely high-traffic situation that requires a Java SSL implementation, then some other implementation, like Phao’s SSLava or RSA’s SSL-J may be needed. However, they may not be free. At least, I tried to download Phao’s SSLava, it required the company’s for free evaluation trial. 11/12/2018 MIDP Application Security

16 MIDP Application Security
Samples Sample 2: creating a pair of https server and client Coding HTTPSServer Create server socket through javax.net.ssl.SSLServerSocketFactory Running HTTPSServer: Create a certificate and private key to the SSL server with keytool. Set two system properties: keyStore and keyStorePassword in command line or coding it in the program. In server side, we will create an application which will deliver HTML pages over SSL. In client side, we need to register HTTPS support with the system. And then, when we try to create a connection with a server using a URL that begins with the VM will automatically invoke the JSSE. 11/12/2018 MIDP Application Security

17 MIDP Application Security
Samples Sample 2: Coding HTTPSClient Running HTTPSClient Authentication and encryption will be done transparently. Question left: Find the corresponding implementation in MIDP 2.0, especially server side coding. 11/12/2018 MIDP Application Security

18 MIDP Application Security
Samples Sample 3: SSL socket example instead of HTTPS Coding SSLSocketServer Coding SSLSocketClient Difference between SSL socket and plain socket Underlying SSLSocket implementation will take care of authentication of the server and encryption of the data transmitted. This example is going to illustrate using SSL sockets directly without using HTTPS. Server side almost keeps the same coding SSLServerSocket as in sample 2, while client side will using SSLSocket instead of HTTPS. 11/12/2018 MIDP Application Security

19 Current Research Status
What we know: How to connect a server which support HTTPS. How to build a server supporting HTTPS in java application. How to build a server and client over SSL layer in java application. What we need to search: How to build a server supporting HTTPS in servlet? Is it possible to rewrite HTTPSClient (in sample 2) in MIDP and still make sample working? 11/12/2018 MIDP Application Security

20 MIDP Application Security
References “MIDP Application Security 2: Understanding SSL and TLS”, “MIDP Application Security 3: Authentication in MIDP”, “Wireless Application Programming”, “Introduction to Wireless Technologies”, “J2ME MIDP and WAP complementary technologies”, “What’s new in MIDP 2.0”, “SSL, and TLS page”, “Programming Wireless Devices Samples”, “Introducing MIDP 2.0”, “Professional Java Security”, Jess Garms and Daniel Somerfield, ISBN: 11/12/2018 MIDP Application Security

Download ppt "MIDP Application Security"

Similar presentations

SSL/TLS Protocol Network Security Gene Itkis. Basic paradigmatic application: on-line purchase Client contacts Server (possibly for the first time) Spontaneity.

SSL/TLS Protocol Network Security Gene Itkis. Basic paradigmatic application: on-line purchase Client contacts Server (possibly for the first time) Spontaneity.
TLS. 14.1 Introduction 14.2 TLS Record Protocol 14.3 TLS Handshake Protocol 14.4 Summary.

TLS Introduction 14.2 TLS Record Protocol 14.3 TLS Handshake Protocol 14.4 Summary.
Secure Socket Layer.

Secure Socket Layer.
SSL CS772 Fall 2011. Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.

SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
17.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 17 Security at the Transport Layer: SSL and TLS.

17.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 17 Security at the Transport Layer: SSL and TLS.
Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)

Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)
Internet Security Protocols

Internet Security Protocols
An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.

An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.
1 SSL/TLS 2 Web security Security requirements Secrecy to prevent eavesdroppers to learn sensitive information Entity authentication Message authentication.

1 SSL/TLS 2 Web security Security requirements Secrecy to prevent eavesdroppers to learn sensitive information Entity authentication Message authentication.
Transport Layer Security (TLS) Protocol Introduction to networks and communications(CS555) Prof : Dr Kurt maly Student:Abhinav y.

Transport Layer Security (TLS) Protocol Introduction to networks and communications(CS555) Prof : Dr Kurt maly Student:Abhinav y.
Mar 19, 2002Mårten Trolin1 This lecture On the assignment Certificates and key management SSL/TLS –Introduction –Phases –Commands.

Mar 19, 2002Mårten Trolin1 This lecture On the assignment Certificates and key management SSL/TLS –Introduction –Phases –Commands.
Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.

Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.
CSCI 6962: Server-side Design and Programming

CSCI 6962: Server-side Design and Programming
11 Secure Sockets Layer (SSL) Protocol (SSL) Protocol Saturday, 08.05. 2010 University of Palestine Applied and Urban Engineering College Information Security.

11 Secure Sockets Layer (SSL) Protocol (SSL) Protocol Saturday, University of Palestine Applied and Urban Engineering College Information Security.
SSL and https for Secure Web Communication CSCI 5857: Encoding and Encryption.

SSL and https for Secure Web Communication CSCI 5857: Encoding and Encryption.
Secure Socket Layer (SSL)

Secure Socket Layer (SSL)
SSL / TLS in ITDS Arun Vishwanathan 23 rd Dec 2003.

SSL / TLS in ITDS Arun Vishwanathan 23 rd Dec 2003.
Behzad Akbari Spring 2012 (These slides are based on lecture slides by Lawrie Brown)

Behzad Akbari Spring 2012 (These slides are based on lecture slides by Lawrie Brown)
Introduction to Secure Sockets Layer (SSL) Protocol Based on: https://developer.mozilla.org/En/Introduction_to_SSL#The_SSL_Protocol.

Introduction to Secure Sockets Layer (SSL) Protocol Based on:
Security Protocols and E-commerce University of Palestine Eng. Wisam Zaqoot April 2010 ITSS 4201 Internet Insurance and Information Hiding.

Security Protocols and E-commerce University of Palestine Eng. Wisam Zaqoot April 2010 ITSS 4201 Internet Insurance and Information Hiding.

Similar presentations

Ads by Google