1 Introduction
Wireless communication has rapidly evolved in search of a reliable, simple and
business-oriented solution to consumer demands for fast, easy and inexpensive
information access.
One of the wireless communication solutions is i-mode, which was developed by
NTT DoCoMo. i-mode uses compact HTML for delivery of content and packet switching
to sustain a continuous connection at a data transfer speed of 9.6 kbps, and it has
been very successful in Japan. However, i-mode is a proprietary NTT DoCoMo
scheme and no detailed information, such as security issues, authentication and
authorization, has been made publicly available. The press has reported that DoCoMo is
working on strengthening i-mode security [1]. While no details have been given, the
information suggests that DoCoMo has experienced Internet attacks [2,3] on its
servers.
Thus, this paper focuses on the Wireless Application Protocol (WAP) [4] that is
currently the only publicly available solution for wireless communication and enables
M-Commerce where Internet data moves to and from wireless devices. People are
beginning to use wireless applications more widely and, as a consequence, the face of
the Internet is rapidly changing. Mobile devices are now starting to challenge the
Lecture Notes in Computer Science 2
dominance of PCs. One powerful argument in favor of mobile devices has been the
ability to connect to a communications network wherever the end user is located.
Moreover, mobile devices are rapidly evolving into platforms other than wireless
telephones. They are transforming into Personal Trusted Devices (PTDs). This is not
necessarily the case with PCs, which are used collectively in organizations, households, and
public places. Mobile devices are much less expensive than PCs and are easily carried
by their owners.
Furthermore, the number of mobile phone subscribers worldwide is expected to
reach one billion by 2002. A significant share of these users will be equipped with
Mobile Internet-enabled terminals. For example, recent forecasts indicate that the
penetration of mobile phones may reach 83% of the population in Western Europe by
2003 (EMC World Cellular Databases, January 2000). This means that by 2003 mobile
Internet users will outnumber fixed line Internet users. Several industry analysts
predict that mobile E-Commerce will constitute a multi-billion dollar business by 2005 [5].
With mobile devices constantly online via GPRS (2.5G technology) [6] and 3G
technologies [7, 8, 9], instant shopping, further enabled by payment services, mobile
banking, ticketing and secure access-based operations, will be fully realized.
Since mobile devices are location-independent, widely distributed personal trusted
devices (PTDs), they are well suited to becoming one of the dominant enablers for
carrying out financial transactions and other activities related to M-Commerce.
Consequently, mobile devices will feature in applications that also demand adequate security
functions. Meeting these demands is the Wireless Application Protocol Public Key
Infrastructure (WPKI) as specified by the WAP Forum [4]. The purpose of WAP
standards is to bring more advanced data services, such as Internet content and
transactions, to wireless devices. “Mobile Commerce”, or M-Commerce, and
E-Commerce have their own specific requirements for security. These security
requirements are best met by cryptographic technology and WPKI services. WPKI
encompasses the necessary cryptographic technology and a set of security management
standards that are widely recognized and accepted for meeting the security needs of
M-Commerce.
One of the essential advantages offered by some mobile devices that are available
today is that they already employ a security module such as a SIM (Subscriber
Identity Module) card in GSM mobile phones. A SIM is a tamper-proof hardware module
that holds all of the user’s personal information and can store private keys. In the future,
many mobile devices will probably have one or more integrated security modules.
At present, wireless environments are not completely safe. No mobile network
operator can guarantee that confidential information (such as credit card numbers,
personal financial data, trade secrets, or business documents) can be transmitted over the
mobile net in a secure way. Currently it is not possible to reliably verify the wireless
device user’s identity with a reliable authentication process, except for the network
operator that issued the SIM card to the user. In other words, trust is inherent in the
wireless devices.
This paper gives a brief overview of PKI in general and WPKI in particular. PKI
consists of two basic elements: public key cryptography and public key certification
practice. This paper also addresses some shortcomings of WAP and how these
problems may be overcome, as well as the future directions of WAP that provide secure
communications and unilateral or mutual authentication to implement M-Commerce
applications in order to ensure worldwide interoperability in wireless environments.
keys themselves. Fortunately, we can use public key certificate management to
overcome this problem.
Digital certificates are a means of unambiguously binding one person to a public
key. At its simplest, the idea is that an external body such as a Trusted Third Party
(TTP) or CA takes your personal details (which may include the user’s name, email
address and company name, similar information about the issuer’s certificate, the serial
number of the certificate, an issue date and an expiration date) and public key, packages them
together and then signs the package with the CA private key. Thus, one can use the
public key of the other party only if the certificate signature verifies successfully.
Anyone who receives a signed message from you can safely assume that you sent
it. However, this opens up the possibility of a replay attack. For example, if someone
sends a signed message to their bank saying “Pay Alice $100” and Alice happens to
intercept this message, then Alice can keep sending it to the bank. This attack can be
easily overcome by including a precise time, a serial number, or a unique identifier in
the signed message. For example, the TLS/SSL protocol gives each message an ID to
prevent replay attacks.
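The replay problem and its fix can be shown in a few lines. The following is an added example, not code from the paper: `Bank`, `sign_order`, the serial and timestamp fields and the 300-second validity window are assumptions made for illustration, and HMAC-SHA256 with a constructed key stands in for the public-key signature so that the code runs with the standard library only.

```python
import hashlib
import hmac
import json

# Constructed demo key. HMAC-SHA256 stands in for the sender's public-key
# signature so that the example needs only the standard library.
KEY = b"constructed-demo-key"
MAX_AGE = 300  # seconds a signed order stays valid (assumed policy)


def sign_order(text, serial, issued_at, key=KEY):
    """Sign the order text together with a serial number and a timestamp."""
    body = json.dumps(
        {"text": text, "serial": serial, "issued_at": issued_at}, sort_keys=True
    ).encode()
    return {"body": body, "sig": hmac.new(key, body, hashlib.sha256).hexdigest()}


class Bank:
    def __init__(self, replay_protection, key=KEY):
        self.replay_protection = replay_protection
        self.key = key
        self.seen = {}   # serial -> issued_at, for orders still inside MAX_AGE
        self.paid = []   # order texts that were executed

    def receive(self, msg, now):
        expected = hmac.new(self.key, msg["body"], hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["sig"]):
            return "rejected: bad signature"
        order = json.loads(msg["body"])
        if self.replay_protection:
            if abs(now - order["issued_at"]) > MAX_AGE:
                return "rejected: stale"
            # Forget serials whose orders would now be rejected as stale anyway,
            # so the replay cache stays bounded.
            self.seen = {s: t for s, t in self.seen.items() if now - t <= MAX_AGE}
            if order["serial"] in self.seen:
                return "rejected: replay"
            self.seen[order["serial"]] = order["issued_at"]
        self.paid.append(order["text"])
        return "accepted"


def run_scenario(replay_protection):
    """Alice captures one valid order and resends it twice."""
    bank = Bank(replay_protection)
    captured = sign_order("Pay Alice $100", serial=41, issued_at=1000)
    results = [
        bank.receive(captured, now=1005),   # original delivery
        bank.receive(captured, now=1010),   # replay inside the validity window
        bank.receive(captured, now=5000),   # replay long after the window
    ]
    # Editing the serial to dodge the cache breaks the signature.
    forged = dict(captured, body=captured["body"].replace(b"41", b"42"))
    results.append(bank.receive(forged, now=1011))
    return results, len(bank.paid)


if __name__ == "__main__":
    print(run_scenario(replay_protection=False))
    print(run_scenario(replay_protection=True))
```

Without the serial and timestamp checks the bank pays three times for one signed order; with them it pays once, and the signature still covers the fields that make each order unique.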
The widespread adoption of PKI could control every aspect of a certificate’s life
cycle. The Internet X.509 PKIX Working Group [10] defines a PKI as “The set of
hardware, software, people and procedures needed to create, store, distribute and
revoke certificates based on public key cryptography”.
A PKI consists of the following components:
• Certificate Authorities (CAs): These are responsible for issuing and revoking
certificates.
• Registration Authorities (RAs): These verify the binding between public keys
and the identities of their holders.
• Certificate holders (or subjects): People, machines or software agents that
have been issued with certificates and can use them to sign digital documents.
• Clients: These validate digital signatures and their certificate paths from a
known public key of a trusted CA.
• Repositories: These store and make available certificates and Certificate
Revocation Lists (CRLs).
The following functions are typically supported within a PKI:
• Registration: The CA verifies that the details supplied by the subject are correct,
before issuing a certificate.
• Certification: The CA issues a certificate that contains the subject’s public key,
delivers this certificate to the subject, and publishes it in suitable repositories.
• Key generation: In some cases, the subject generates a key pair in its local
environment, before passing the public key to the CA for certification. If the CA
generates a key pair then the keys should be supplied to the subject as an
encrypted file or a hardware module such as a smart card.
• Key update: All key pairs, and their associated certificates, should be
updated at regular intervals.
OCSP [15] is an automated status checking protocol. This protocol specifies the data
that needs to be exchanged between an application checking the status of a certificate
and the server providing that status. It queries a remote server for the status of a
particular certificate, returning whether the certificate is still trusted by the CA that issued
it.
The previous method of checking a certificate’s status was through CRLs. Using
this method, certificates revoked by the CA are placed on a CRL. The list comprises serial
numbers of revoked certificates, maintained by the CA. The CA usually makes the CRL
available by placing it in a known location, such as an X.500 server. You can then
check the revocation status of a certificate by checking the CRL.
However, this method has several drawbacks. To check if a certificate is in a CRL,
the whole CRL must be retrieved from the directory and then searched for
the serial number in question. This becomes inefficient when only the information on
one serial number is wanted from a CRL that may contain thousands. In addition,
there is often a lag between the time a certificate is revoked and the time that
information is made known via the CRL. Another drawback could be the management of
replicated CRL lists, which is required to enable scalability. This must ensure that all
replicas are consistent.
Two requirements evolve from this: firstly, the ability to request just the revocation
status of the certificates in question, and secondly, to greatly reduce the lag between
revocation time and revocation publication. OCSP has addressed both of these
requirements by providing a mechanism that allows you to ask for the status of
particular certificates and to get information on just those certificates in a more timely manner.
Speed is particularly important, for instance, in large fund transfers or stock trades.
An OCSP client issues a status request to an OCSP responder and suspends
acceptance of the certificate in question until the responder acknowledges. You can use
OCSP instead of traditional CRL checking, or as a supplement to it.
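The difference between the two status checks can be simulated as follows. This is an added example, not part of the paper and not the OCSP wire format: the `CertificateAuthority` class, the serial numbers and the times are constructed, and the model only counts how many entries a client must fetch and how long a revoked certificate keeps passing the CRL check.

```python
class CertificateAuthority:
    """Toy CA that keeps live revocation data and a periodically issued CRL."""

    def __init__(self):
        self.revoked = {}            # serial -> time the CA revoked it
        self.crl = frozenset()       # serials in the most recently issued CRL
        self.crl_issued_at = None

    def revoke(self, serial, now):
        self.revoked[serial] = now

    def publish_crl(self, now):
        self.crl = frozenset(self.revoked)
        self.crl_issued_at = now

    def ocsp_status(self, serial):
        # The responder answers from live data for the one serial asked about.
        return "revoked" if serial in self.revoked else "good"


def check_with_crl(ca, serial):
    """Fetch the whole CRL, then search it. Returns (status, entries fetched)."""
    crl = ca.crl
    return ("revoked" if serial in crl else "good"), len(crl)


def check_with_ocsp(responder, serial):
    """Ask about one serial only. Returns (status, entries fetched)."""
    if responder is None:            # responder unreachable: no acknowledgement
        return "pending", 0
    return responder.ocsp_status(serial), 1


def accept(status):
    # Acceptance stays suspended unless the answer is an explicit "good".
    return status == "good"


def run_scenario():
    ca = CertificateAuthority()
    for serial in range(1, 5001):    # constructed backlog of revoked serials
        ca.revoke(serial, now=0)
    ca.publish_crl(now=0)
    ca.revoke(7777, now=100)         # revoked after the current CRL was issued
    out = {
        "crl_before": check_with_crl(ca, 7777),
        "ocsp": check_with_ocsp(ca, 7777),
        "ocsp_down": check_with_ocsp(None, 7777),
    }
    ca.publish_crl(now=3600)         # next scheduled CRL
    out["crl_after"] = check_with_crl(ca, 7777)
    out["accepted"] = {name: accept(result[0]) for name, result in out.items()}
    # Time during which CRL-only clients still accepted the revoked certificate.
    out["crl_lag_seconds"] = ca.crl_issued_at - ca.revoked[7777]
    return out


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(name, value)
```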
4 WAP Security
This section looks at the security measures that exist in WAP, the recent
developments and the future directions. The basis of WAP 1.x security is the
Wireless Transport Layer Security (WTLS) protocol, which is analogous to the
Internet’s Transport Layer Security (TLS) [17]: the standardized name for the widely used
Secure Socket Layer (SSL) 3.1. WTLS is based on TLS, with a few differences
in the wireless version. TCP/IP is now integrated into WAP 2.0 because of the demand
for end-to-end security, which the previous versions could not provide.
WAP encompasses several standards that apply security at the application,
transport and management levels in the wireless environment. These standards are
as follows:
• WIM: The WAP Identity Module [22] is a tamper-resistant computer chip
that optionally resides in a WAP enabled device such as a mobile phone
or PTD. It can store key material like the PKI root public key and the user’s
private key. WIMs are most commonly implemented using smart card chips.
Smart card chips have memory and storage for data and programs.
• WMLSCrypt: WML Script Crypto API (WMLSCrypt) [23] is an application
programming interface that allows access to basic security functions in the
WML Script Crypto Library (WMLSCLib), such as key pair generation, digital
signatures and the functions that process objects commonly found in the PKI,
for example keys and public key certificates. WMLSCrypt allows WAP
applications to access and use the security objects and basic security services
managed by other WAP security standards. The basic functions in
WMLSCrypt and WMLSLib include generating key pairs, storing keys and other
personal data, controlling access to stored keys and data, generating and verifying
digital signatures, and encrypting and decrypting data. WML Script can utilize an
underlying WIM Module to provide the crypto functionality.
• WTLS/TLS: Wireless Transport Layer Security [24] is a transport level
security protocol based on the Internet security protocol known as Transport
Layer Security (TLS). The new WAP 2.0 uses TLS instead of WTLS because
end-to-end security with all-IP based technology is required in order to
overcome the WAP gateway security breaches. For example, sensitive information
can be translated into clear text at the gateway, so the operator may read it.
That is why WAP 2.0 overcomes this problem by
using TLS tunneling to support end-to-end security at the transport level. TLS
In many cases, PTDs are not able to fulfill all these requirements. For example,
ordinary PTDs do not have sufficient memory to perform all of the above-mentioned
functions. Sometimes the client’s functionality has to be implemented outside the mobile
equipment. For this reason, some WPKI solutions are very likely to employ “network
agents” that take care of some of these tasks. The PTDs must at least be able to
perform a digital signature function to permit the establishment of a WPKI.
Network agents can perform all other PKI-related tasks such as validation, archiving
or certificate delivery. In such an implementation the private keys are stored in a proxy
server or, alternatively, embedded into tamper-resistant modules such as the
WIM/SWIM of PTDs. Unfortunately, the WIM/SWIM solutions require more
improvement, particularly in the area of key pair generation by end users rather than
assignment by the network operators. In addition, a lack of standardization
presents a major barrier in the development of wireless PKI. In other words, establishing
trust in a WPKI is crucial for the success of applications that will exploit the
opportunities created by PTDs. This trust is based on the reliability of the technology, but
also on a carefully implemented system of laws, policies, standards, and procedures
which includes the management of certificates by trusted certificate authorities. The
questions of anonymity, privacy, government surveillance and industry based policies
and standards represent challenges that we must face if we are to strengthen the level
of trust that recent legislation has already made possible in important economic
regions throughout the world. More detailed information is given in the global
status report on PKI legislation in [26, 27].
An end user who has not yet registered with a PKI attempts to connect to a service
provider or content server. Since the service provider requires digital signatures on its
transactions and secure communications, it notifies the user that it must contact a PKI
Portal, and provides PKI ID information such as the URL, the CA service name, etc.
WPKI requires the same components used in traditional PKI. However, the end
device’s applications and registration are implemented differently, and a new component
referred to as the PKI Portal is also required.
The end device application in WPKI is implemented as optimized software that runs
in the WAP device. It relies on the WMLSCrypt API for key services and
cryptographic operations, and includes the traditional PKI functions: generating,
storing and allowing access to a user’s public key pair; completing, signing and submitting
first-time certificate applications, certificate renewal requests and certificate revocation
requests; searching for and retrieving certificates and revocation information; validating
certificates and reading the certificate contents; and generating and verifying digital signatures.
The PKI Portal is a network server, like the WAP Proxy. It logically functions as the
Registration Authority (RA) and is responsible for translating requests made by the
WAP client to the RA and CA in the PKI. The PKI Portal will typically embed the RA
functions and interoperate with the WAP devices on the wireless network and the CA
on the wired network.
WML2.0 [28] uses XHTML, which is in reality optimised HTML, and WTLS is now
changed to TLS to provide end-to-end security. WPKI is an optimization of the
traditional IETF PKIX [10] standards for the wireless environment. In particular, it has
optimized the PKI protocols, the certificate format, and the cryptographic algorithms and
keys. Let us look at these areas in more detail, as follows:
WPKI Protocols. The traditional method used to handle PKI service requests relies
on the ASN.1 Basic Encoding Rules (BER) and Distinguished Encoding Rules (DER).
BER/DER require more processing resources than a WAP device should effectively
have to handle. WPKI protocols are implemented using WML2.0 and WMLSCrypt.
WML2.0 and the SignText function in WMLSCrypt provide significant savings when
encoding and submitting PKI service requests as compared to the methods used in
traditional PKI.
WPKI Certificate Format. The WPKI certificate format specification sought to reduce
the amount of storage required for a public key certificate. One of the mechanisms was to
define a new certificate format for server-side certificates, which significantly reduces
the size as compared to a standard X.509 certificate. Another significant reduction in
the WPKI certificate can be attributed to Elliptic Curve Cryptography (ECC). With
ECC, the saving in the overall size of the certificate is typically more than 100 bytes
due to the smaller keys needed for ECC vs. other signature schemes. WPKI has also
limited the size of some of the data fields of the IETF PKIX certificate format. Because
the WPKI certificate format is a sub-profile of the PKIX certificate format, it is possible
to maintain interoperability between standard PKIs.
WPKI Cryptographic Algorithms and Keys. While traditional signature schemes are
optionally supported by the WAP security standards, they are viewed as impractical
to implement in the wireless environment from a performance and resource viewpoint.
Traditional signature schemes demand much more processing, memory, and storage
resources in the WAP device when compared to the resource requirements of the more
efficient ECC. ECC techniques are recognized as the most optimized,
and therefore the best suited for supporting security in the wireless environment. The
keys for elliptic curves are typically of the order of six times smaller than equivalent
keys in other signature schemes, for example 164 bits vs. 1024 bits. This creates great
efficiencies in key storage, certificate size, memory usage and digital signature
processing. ECC is fully supported by the WAP security standards and has been widely
accepted by WAP device manufacturers. However, one must carefully choose good
elliptic curves, otherwise the scheme might be prone to various attacks. More detail is
given in [29, 30, 31].
5 Conclusions
The number of mobile devices in use is rising rapidly, and is projected to reach one
billion by 2002, so multiple competing, roughly equivalent protocols are being developed in
an attempt to provide the next effective solution on the new platform.
Wireless communication plays an important role in M-Commerce. The wireless
environment is no longer isolated; the WAP standards have made it possible to extend
Internet content and transactions to wireless devices such as PTDs. Security
requirements of E-Commerce remain the same in both the wired and wireless environment and
PKI plays an important role in meeting these requirements. WPKI is an extension of,
and includes most of the technologies and concepts that are present in, traditional PKI.
WPKI must be optimized using more efficient cryptography such as ECC, but one must
carefully select good curves in order to prevent known attacks.
The above-mentioned public key cryptography, based on key pairs and
digital certificates, has proven itself on the wired Internet and is now moving
on to the wireless world of mobile communications. An infrastructure of security
services will ensure that transactions are confidential, that the parties involved are clearly
identified, and that agreements are non-repudiable. This will establish a reliable and
convenient framework for valid contracts signed with digital signatures. In other
words, PTDs will be able to generate legally binding digital signatures and also enable
you to authenticate yourself remotely over networks. These moves will quickly make
M-Commerce a part of everyday life for many. Businesses will be able to extend their
services to customers on the move.
In the near future, mobile operators face the challenge of providing secure
authentication and value added services between the PTDs and service/content providers.
Their task will be to perform such functions as encryption/decryption, certificate
validation and key generation.
Moreover, manufacturers also face the challenge of making wireless devices that
are compact, powerful, easy to use and equipped with single log-on security mechanisms
employing biometric techniques. Each of these attributes will contribute to the success of
WPKI, and companies that develop, produce, and sell these products
inexpensively and with the required quality will play an important role in gaining an extremely
large market. WIM/SWIM cards are an example of tamperproof hardware used to store
cryptographic keys and perform other cryptographic functions. Future 3G devices will
host these smart cards.
One of the issues with getting WPKI widely accepted is the management of
certificates via CAs. Currently, there is no centrally trusted entity that manages certificates
and companies seem to be reluctant to provide and/or trust these services.
Establishing a WPKI will generate potential for additional services such as those
that will be required for managing the financial risk involved in certification practices.
Another major area of potential business will be found in offering and packaging a
variety of certificate-related services such as a directory service, a notary service, or
services for key generation, key-escrow, or archiving. Others will be involved in
monitoring technical compliance with policies and regulations.
Currently the WAP specification is evolving continually, and WAP 2.0 reflects
adoption of the latest standards and protocols, accommodates change in the wireless
environment, such as increases in bandwidth, data speeds, processing power, screen
sizes, and other technologies, and anticipates market requirements. Now WAP 2.0
allows further integration with the Internet by using Mobile IP from one end to the
other. This move overcomes the security problems in the WAP Gateway by using TLS
all the way from mobile devices to the service providers. Thus, it provides true
end-to-end security and enables deployment of advanced functions and services, while
leveraging and extending benefits of previous versions of WAP via managed
backward compatibility.
WAP 2.0 maintains backward compatibility with the previous Wireless Markup
Language (WML) rather than making it an option, so mobile manufacturers will have to bear
the burden of doubling code size, and thus doubling the memory required in a handset, to
support separate WML and XHTML enabled browsers.
The future challenge is to establish trust in WPKI as a new medium, and the success
of wireless applications will depend on their usefulness. Easy-to-use solutions are
more likely to succeed than complicated ones; the main goal is to set up invisible
infrastructures that provide WPKI services at the stroke of a few buttons by the end user.
In order to enable secure M-Commerce solutions, one must consider the need for
qualified legal expertise in every environment and the continuous enhancement of the
WPKI standards throughout the world.
References