Presentation is loading. Please wait.

Presentation is loading. Please wait.

A Survey of WAP Security Architecture Neil Daswani

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "A Survey of WAP Security Architecture Neil Daswani"— Presentation transcript:

1 A Survey of WAP Security Architecture Neil Daswani neil@yodlee.com

2 December 3, 2000Neil Daswani, neil@yodlee.com Overview Security Basics Wireless Security WTLS & SSL WAP Security Models WIM, WMLScript, Access Control Summary References

3 December 3, 2000Neil Daswani, neil@yodlee.com Security Basics Security Goals –Authentication –Confidentiality –Integrity –Authorization –Non-Repudiation

4 December 3, 2000Neil Daswani, neil@yodlee.com Security Basics Cryptography –Symmetric: 3DES, RC4, etc. –Asymmetric: RSA, ECC Key Exchange Digital Signature Certificates PKI

5 December 3, 2000Neil Daswani, neil@yodlee.com Wireless Security Link Layer Security –GSM –CDMA –CDPD Application Layer Security –WAP: WTLS, WML, WMLScript, & SSL –iMode: N/A –SMS: N/A

6 December 3, 2000Neil Daswani, neil@yodlee.com Need for App Level Security Bearer Independence Security out to Gateway Advanced Security Goals (ie. Non-Repudiation)

7 December 3, 2000Neil Daswani, neil@yodlee.com Basic WAP Architecture Internet Gateway Web Server WTLSSSL

8 December 3, 2000Neil Daswani, neil@yodlee.com WTLS & SSL WTLS Goals –Authentication: Asymmetric Key Crypto Class 1: No Authentication Class 2: Server Authentication Class 3: Mutual Authentication –Privacy: Symmetric Key Crypto –Data Integrity: MACs

9 December 3, 2000Neil Daswani, neil@yodlee.com WTLS: Class 1 No Authentication ClientHello-----------> ServerHello <----------- ServerHelloDone ClientKeyExchange ChangeCipherSpec Finished-----------> <-----------Finished Application Data

10 December 3, 2000Neil Daswani, neil@yodlee.com WTLS: Class 2 Server-Authentication Only ClientHello-----------> ServerHello Certificate <----------- ServerHelloDone ClientKeyExchange ChangeCipherSpec Finished-----------> <-----------Finished Application Data 1. Verify Server Certificate 2. Establish Session Key

11 December 3, 2000Neil Daswani, neil@yodlee.com WTLS: Class 3 Client Hello-----------> ServerHello Certificate CertificateRequest <-----------ServerHelloDone Certificate ClientKeyExchange (only for RSA) CertificateVerify ChangeCipherSpec Finished-----------> <-----------Finished Application Data 1. Verify Server Certificate 2. Establish Session Key 3. Generate Signature Mutual-Authentication

12 December 3, 2000Neil Daswani, neil@yodlee.com TLS/SSL vs. WTLS WTLS supports ECC WTLS over WDP TLS over TCP Premaster secret is 20 bytes (vs. 48 in TLS/SSL)

13 December 3, 2000Neil Daswani, neil@yodlee.com WAP Security Models Operator Hosts Gateway –Without PKI –With PKI Content Provider Hosts Gateway –Static Gateway Connection –Dynamic Gateway Connection

14 December 3, 2000Neil Daswani, neil@yodlee.com Operator Hosts Gateway Without PKI Internet WAP/HDTP Gateway Web Server WTLS Class 1 or Encrypted HDTPSSL Operator Content Provider

15 December 3, 2000Neil Daswani, neil@yodlee.com Operator Hosts Gateway Without PKI: –Advantages No extra work for Content Provider No extra work for user System only requires one logical gateway –Disadvantages Content Provider must trust Operator (NDA) Operator can control home deck Operator can introduce advertising

16 December 3, 2000Neil Daswani, neil@yodlee.com Operator Hosts Gateway With PKI

17 December 3, 2000Neil Daswani, neil@yodlee.com Operator Hosts Gateway With PKI: –Advantages Content providers does not need to trust Operator. –Disadvantages PKI Infrastructure must be in place.

18 December 3, 2000Neil Daswani, neil@yodlee.com Content Provider Hosts Gateway Static Gateway Connection WAP Gateway Web Server WTLS Class 2 SSL Content Provider

19 December 3, 2000Neil Daswani, neil@yodlee.com Content Provider Hosts Gateway Static Gateway Connection –Advantages Content Provider does not need to trust Operator Content Provider can control home deck OTA can be used to configure mobile terminal –Disadvantages Mobile terminal may have limited number of gateway config sets (i.e., Nokia 7110 has 10) Mobile Terminal needs to be configured. –OTA via WAP Push / SMS may not work with gateway / mobile terminal combination –Content Provider may have to pre-configure mobile terminals

20 December 3, 2000Neil Daswani, neil@yodlee.com Content Provider Hosts Gateway Dynamic Gateway Connection Internet WAP Gateway WTLS Class 2SSL Operator Web Server SSL Content Provider WAP Gateway

21 December 3, 2000Neil Daswani, neil@yodlee.com Content Provider Hosts Gateway Dynamic Gateway Connection –Advantages Content Provider does not need to trust Operator. Content Provider does not need to worry about mobile terminal config –Disadvantages Operator needs to trust Content Provider. Not deployed yet.

22 December 3, 2000Neil Daswani, neil@yodlee.com Restricting Gateway Access Consider the following attack: –Eve runs a “modified” WAP gateway –Eve fools a user into using her gateway Now, Eve can eavesdrop on all of the users requests and responses! To prevent this, check the gateway IP address in the HTTP request.

23 December 3, 2000Neil Daswani, neil@yodlee.com WIM: WAP Identity Module WIM must be tamper-resistant Stores Keys & Master Secrets Computes crypto operations –“unwrapping master secret” –client signature in WTLS Handshake –key exchange (ECC WTLS Handshake) Also: –Generates Keys –Stores Certificates (or their URLs) CA & Root Certs User Certs Can be implemented with SIM

24 December 3, 2000Neil Daswani, neil@yodlee.com WMLScript Crypto API Non-repudiation signedString = Crypto.signText (stringToSign, options, keyIdType, keyId) Uses a separate, distinct signing key WIM can store signing key and compute signature

25 December 3, 2000Neil Daswani, neil@yodlee.com WML Access Control WML Deck-Level Access Control … WMLScript Access Control use access domain domain_name | path path_name | domain domain_name path path_name; use access domain “worldfaq.com” path “/stats”

26 December 3, 2000Neil Daswani, neil@yodlee.com Summary Gateway position & configuration allows for different trust models Security at multiple levels –Link Layer (depends on bearer) –App Layer Authentication, Confidentiality, and Integrity: WTLS Authorization: App-dependent, or WML and WMLScript use access pragma Non-Repudiation: WML signText

27 December 3, 2000Neil Daswani, neil@yodlee.com References C. Arehart, N. Chidambaram, S. Guruprasad, et. al. Professional WAP. Wrox Press, 2000. ISBN 1-861004-0-44 D. Margrave, GSM Security and Encryption WAP-100, Wireless Application Protocol Architecture Specification WAP-191, Wireless Markup Language Specification WAP-193, WMLScript Language Specification WAP-199, Wireless Transport Layer Security Specification WAP-198, Wireless Identity Module WAP-161, WMLScript Crypto API Library WAP-187, WAP Transport Layer E2E Security Specification WAP-217, WAP Public Key Infrastructure Definition

Download ppt "A Survey of WAP Security Architecture Neil Daswani"

Similar presentations

SSL/TLS Protocol Network Security Gene Itkis. Basic paradigmatic application: on-line purchase Client contacts Server (possibly for the first time) Spontaneity.

SSL/TLS Protocol Network Security Gene Itkis. Basic paradigmatic application: on-line purchase Client contacts Server (possibly for the first time) Spontaneity.
Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.

Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.
Proposal for WAP-IETF co- operation on a wireless friendly TLS Tim Wright, Vodafone and chair WAP Security Group

Proposal for WAP-IETF co- operation on a wireless friendly TLS Tim Wright, Vodafone and chair WAP Security Group
TLS. 14.1 Introduction 14.2 TLS Record Protocol 14.3 TLS Handshake Protocol 14.4 Summary.

TLS Introduction 14.2 TLS Record Protocol 14.3 TLS Handshake Protocol 14.4 Summary.
SMUCSE 5349/49 SSL/TLS. SMUCSE 5349/7349 Layers of Security.

SMUCSE 5349/49 SSL/TLS. SMUCSE 5349/7349 Layers of Security.
SSL CS772 Fall 2011. Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.

SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
Web security (Spoofing & TLS & DNS) Ge Zhang. Web surfing yahoo IP of yahoo? 1.2.3.4 Get index.htm from 1.2.3.4 Response from 1.2.3.4.

Web security (Spoofing & TLS & DNS) Ge Zhang. Web surfing yahoo IP of yahoo? Get index.htm from Response from
Unifying the conceptual levels of network security through use of patterns Ph.D Dissertation Proposal Candidate: Ajoy Kumar, Advisor: Dr Eduardo B. Fernandez.

Unifying the conceptual levels of network security through use of patterns Ph.D Dissertation Proposal Candidate: Ajoy Kumar, Advisor: Dr Eduardo B. Fernandez.
Kerberized Credential Translation Olga Kornievskaia Peter Honeyman Bill Doster Kevin Coffman Center for Information Technology Integration University of.

Kerberized Credential Translation Olga Kornievskaia Peter Honeyman Bill Doster Kevin Coffman Center for Information Technology Integration University of.
17.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 17 Security at the Transport Layer: SSL and TLS.

17.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 17 Security at the Transport Layer: SSL and TLS.
Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)

Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)
Internet Security Protocols

Internet Security Protocols
Working Connection Computer and Network Security - SSL, IPsec, Firewalls – (Chapter 17, 18, 19, and 23)

Working Connection Computer and Network Security - SSL, IPsec, Firewalls – (Chapter 17, 18, 19, and 23)
1 SSL/TLS 2 Web security Security requirements Secrecy to prevent eavesdroppers to learn sensitive information Entity authentication Message authentication.

1 SSL/TLS 2 Web security Security requirements Secrecy to prevent eavesdroppers to learn sensitive information Entity authentication Message authentication.
COMP043-Cryptology Week 4 – Certs and Sigs. Digital Signatures Digital signatures provide –Integrity –Authenticity and –Non-repudiation How do they work?

COMP043-Cryptology Week 4 – Certs and Sigs. Digital Signatures Digital signatures provide –Integrity –Authenticity and –Non-repudiation How do they work?
Introduction to M-Commerce. Overview What is M-Commerce? Security Issues Usability Issues Heterogeneity Issues Business Model Issues Case Studies / Examples.

Introduction to M-Commerce. Overview What is M-Commerce? Security Issues Usability Issues Heterogeneity Issues Business Model Issues Case Studies / Examples.
Mar 19, 2002Mårten Trolin1 This lecture On the assignment Certificates and key management SSL/TLS –Introduction –Phases –Commands.

Mar 19, 2002Mårten Trolin1 This lecture On the assignment Certificates and key management SSL/TLS –Introduction –Phases –Commands.
Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.

Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.
Lesson 12 Cryptography for E-Commerce. Approaches to Network Security Separate Security Protocol--SSL Application-Specific Security--SHTTP Security with.

Lesson 12 Cryptography for E-Commerce. Approaches to Network Security Separate Security Protocol--SSL Application-Specific Security--SHTTP Security with.
WAP Public Key Infrastructure CSCI 5939.02 – Independent Study Fall 2002 Jaleel Syed Presentation No 5.

WAP Public Key Infrastructure CSCI – Independent Study Fall 2002 Jaleel Syed Presentation No 5.

Similar presentations

Ads by Google