
ADHIYAMANN COLLEGE OF ENGINEERING - HOSUR

A PAPER ON

SECURITY ISSUES ON WAP IN MOBILE COMPUTING

Presented By

M. DINESHKUMAR
Dineshmca000@gmail.com, Cell 9629251432

K. ELAVARASAN
arasumailme@gmail.com, Cell 9095558043

SECOND YEAR MCA

ABSTRACT
Mobility is about individual and on-demand connection. It's about getting the right information at the right time and in the right place. In the end, mobility has the power to transform the way we go beyond the Internet. Delivering mobility isn't just about wireless devices and networks. It's really about connecting people - connecting them with one another, with their work, their homes and their play - and supporting their experience regardless of which technology is used, so that the end result is a seamless customer experience with all the old boundaries removed. The Wireless Application Protocol (WAP) has been proposed as a better way to achieve this mobility. WAP is a specification for a set of communication protocols designed to allow and standardize ways for wireless devices to get information from networks and display it in their browsers. WAP helps to define servers, called gateways, that mediate between wired and wireless networks and provide value-added services to wireless networks. Using WAP, you can communicate with any operating system. Global enterprises are automating the distribution and sharing of data, information and applications in real time. This necessitates a strategic plan that assures the privacy, confidentiality, integrity and availability of their information systems, supporting infrastructures and other intellectual assets. In the transition from e-commerce to the digital economy the major roadblock, lack of trust, must be removed. So the issue of data security is given the top concern when planning a comprehensive information assurance strategy.

Security is both an enabling and a disabling technology. Its purpose is to enable communication and transactions to take place in a secure environment without fear of compromise, while at the same time disabling non-legitimate activities and access to information and facilities. Non-legitimate activities include eavesdropping, pretending to be another party (also known as impostering or spoofing), or tampering with data during transmission. In general these activities are either unacceptable or illegal outside of the digital environment, so security simply helps to enforce the status quo in that sense.

Concepts
Familiarity with some concepts relating to digital communications and to security is required in order to understand the points made later in this paper, and the place of the existing security solutions within the communications process.

Introduction
There is a common perception that wireless environments are inherently less secure than wired environments. Reports of phone masquerading and phone call tapping in mobile wireless environments have led many to believe that this is not an environment conducive to e-commerce. While this was certainly true in the past, the wireless industry has been working hard at providing security protections strong enough for real mobile-device based e-commerce.

What Security is About

We are going to begin the investigation of the topic of security with a discussion of what security is about and why it matters. In this section we will investigate:

1. The importance of security in mobile applications
2. The role of security in protecting data and systems
3. The basic issues which security solutions of all types need to address

The Role of Security

Security is both an enabling and a disabling technology. Its purpose is to enable communications and transactions to take place in a secure environment without fear of compromise, while at the same time disabling non-legitimate activities and access to information and facilities. Non-legitimate activities include eavesdropping, pretending to be another party (also known as impostering or spoofing), or tampering with data during transmission. In general these activities are either unacceptable or illegal outside of the digital environment, so security simply helps to enforce the status quo in that sense.

The WAP Architecture

The WAP standard defines two essential elements: an end-to-end application protocol and an application environment based on a browser. The application protocol is a communication protocol stack that is embedded in each WAP-enabled wireless device (also known as the user agent). The server side implements the other end of the protocol, which is capable of communicating with any WAP client. The server side is known as a WAP gateway and routes requests from the client to an HTTP (or Web) server. The WAP gateway can be located either in a telecom network or in a computer network (an ISP).

WAP Networking Environment

WAP, or Wireless Application Protocol, is an industry-initiated world standard that allows the presentation and delivery of information and services to wireless devices such as mobile telephones or handheld computers. The major players in the WAP space are the Wireless Service Provider (WSP) and the Enterprise. The Wireless Service Provider is the wireless equivalent of an Internet Service Provider (ISP). The role of the WSP is to provide access to back-end resources for wireless users. The WSP provides additional services because wireless users must transition from the wireless to the wired environment (unlike an Internet environment where the user is already on the Internet). The WSP's space contains a Modem Bank, Remote Access Service (RAS) server, Router, and potentially a WAP Gateway. This environment is analogous to the wired environment, where all connection-type services are provided by the Wireless Service Provider. Much of this functionality overlaps with functionality currently provided by the telecommunications industry. We anticipate that the majority of this functionality will be implemented and managed by telecommunication companies such as Wireless Service Providers. The WSP handles the processing associated with the incoming WAP communications, including the translation of the wireless communication from the WAP device through the transmission towers to a Modem Bank and Remote Access Server (RAS) and on to the WAP Gateway. The Modem Bank receives incoming phone calls from the user's mobile device, the RAS server translates the incoming calls from a wireless packet format to a wired packet format, and the Router routes these packets to the correct destination.

Traditional WAP Networking Environment

The WAP Gateway is used to translate the WAP protocols (protocols that have been optimized for low bandwidth, low power consumption, limited screen size, and low storage) into the traditional Internet protocols (TCP/IP). The WAP Gateway is based on proxy technology. Typical WAP Gateways provide the following functionality:

Provide DNS services, for example to resolve domain names used in URLs.
Provide a control point for management of fraud and service utilization.
Act as a proxy, translating the WAP protocol stack to the Internet protocol stack.

Many Gateways also include a transcoding function that will translate a HyperText Markup Language (HTML) page into a Wireless Markup Language (WML) page that is suited to the particular device type (such as a Nokia 6120 or Motorola Timeport mobile phone). The Enterprise space contains the back-end Web and application servers that provide the Enterprise's transactions. While it seems natural for the Wireless Service Provider to maintain and manage the WAP Gateway, there are circumstances under which this is not desirable. This is due to the presence of an encryption gap, caused by the ending of the Wireless Transport Layer Security (WTLS) session at the Gateway. The data is temporarily in clear text on the Gateway until it is re-encrypted under the SSL session established with the Enterprise's web server. In such cases, the WAP Gateway should be maintained at the Enterprise. Maintaining a WAP Gateway does not require any telecommunications skills; the Gateway receives regular UDP packets. The problem with this solution remains the absence of a DNS client at the mobile device, which would require the storage of profiles for every target on the mobile device. This also requires that the Enterprise set up a relationship with the Service Provider whereby all incoming packets destined for the Enterprise (identified by IP address) are immediately routed by the WSP directly to the Enterprise and are never sent to the WSP's Gateway.
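The encryption gap described above can be made concrete with a small model. The following Python example is added here and is not part of the paper: a phone seals a request under the key of its WTLS session, the gateway unseals it, and re-seals it under the key of its separate SSL session to the enterprise; whatever the gateway logs in between is the gap. The same model also shows the alternative the paper later calls application-level security on top of WAP: an extra layer sealed under a key shared only by the phone and the enterprise, which the gateway cannot remove. The cipher is a constructed toy (XOR with an HMAC-SHA256 keystream), not WTLS or SSL, and the class and function names are the example's own.

```python
"""Constructed model of the 'encryption gap' at a WAP gateway (example only)."""
import hashlib
import hmac
import os


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: keystream block i = HMAC-SHA256(key, nonce || i).
    Illustration only; it is not WTLS, not TLS, and not for real use."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def seal(key: bytes, data: bytes) -> bytes:
    """Encrypt `data` under `key` with a fresh random nonce prepended."""
    nonce = os.urandom(16)
    return nonce + keystream_xor(key, nonce, data)


def unseal(key: bytes, blob: bytes) -> bytes:
    """Inverse of seal(): same nonce, same keystream, XOR again."""
    return keystream_xor(key, blob[:16], blob[16:])


class Gateway:
    """WAP gateway: terminates the phone's WTLS session and re-encrypts the
    request towards the enterprise over a separate SSL session."""

    def __init__(self, wtls_key: bytes, ssl_key: bytes):
        self.wtls_key = wtls_key
        self.ssl_key = ssl_key
        self.observed = []  # everything that is in clear on the gateway

    def forward(self, wtls_record: bytes) -> bytes:
        inner = unseal(self.wtls_key, wtls_record)  # WTLS session ends here
        self.observed.append(inner)                 # the encryption gap
        return seal(self.ssl_key, inner)            # SSL session starts here


def transaction(message: bytes, end_to_end_key=None) -> dict:
    """Run one phone -> gateway -> enterprise request and report what the
    gateway could see.  With `end_to_end_key` the phone adds an application-
    level layer above WAP that only the enterprise server can remove."""
    wtls_key = os.urandom(32)  # stands in for the WTLS handshake result (phone <-> gateway)
    ssl_key = os.urandom(32)   # stands in for the SSL handshake result (gateway <-> enterprise)
    gateway = Gateway(wtls_key, ssl_key)

    payload = message if end_to_end_key is None else seal(end_to_end_key, message)
    over_the_air = seal(wtls_key, payload)          # phone side
    over_the_wire = gateway.forward(over_the_air)   # gateway side
    received = unseal(ssl_key, over_the_wire)       # enterprise side
    if end_to_end_key is not None:
        received = unseal(end_to_end_key, received)

    return {
        "server_got": received,
        "gateway_saw": gateway.observed[0],
        "gateway_could_read": gateway.observed[0] == message,
    }


if __name__ == "__main__":
    msg = b"PAY 100.00 to account 12345"  # constructed sample request
    print(transaction(msg)["gateway_could_read"])                                  # True
    print(transaction(msg, end_to_end_key=os.urandom(32))["gateway_could_read"])   # False
```

The point for a reviewer is where `gateway.observed` lives: in the traditional arrangement it sits on a machine the enterprise does not control, which is why the paper suggests hosting the gateway at the enterprise or adding a layer above WAP.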

The WAP Protocol Stack

To minimize bandwidth requirements, and to guarantee that a variety of wireless networks can run WAP applications, a new lightweight protocol stack called the WAP protocol stack was developed. The WAP protocol stack has four layers: session layer, transaction layer, security layer, and datagram layer.

The Basic Issues

There are a number of basic issues around security that have to be addressed. Almost all of these have parallels in the real world, and often the solutions are based on, or similar to, real-world solutions. These basic issues are:

Authentication: being able to validate that the other party participating in a transaction is who the party claims to be, or a legitimate representative of that party.
Confidentiality: being able to ensure that the content and meaning of communications between two parties do not become known to third parties.
Integrity: being able to ensure that messages received are genuine and have not been tampered with or otherwise compromised.
Authorization: being able to ascertain that a party wanting to perform some action is entitled to perform that action within the given context.
Non-repudiation: being able to ensure that once a party has voluntarily committed to an action it is not possible.

Encryption
Cryptography is the study of encryption, or the science of encoding data into another format that cannot easily be decoded or understood, using some sort of mathematical algorithm. Developing and proving the robustness of an encryption algorithm (called a cipher) is extremely difficult, so there are relatively few of these algorithms in existence. If everyone used the same few algorithms their effectiveness at concealing information would be severely limited, so the algorithms use keys, which are strings of bits, to 'customize' the behavior of the algorithm. In general, the strength of the algorithm (usually defined in terms of how much effort is required to decode an encoded message) depends on the length of the key. In particular, there is a class of ciphers that are particularly expensive, but which provide some particularly useful features. These are called asymmetric ciphers. Their less computationally expensive counterparts are called symmetric ciphers.
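The paper's statement that strength "depends on the length of the key" can be illustrated by counting the effort of the one attack every cipher must resist: trying each key. The following Python example is added here and is not from the paper. It uses a constructed toy cipher (XOR with a SHA-256 keystream derived from the key) so that the count of trials, not the cipher, is the subject; the function names are the example's own.

```python
"""Constructed illustration of key length versus exhaustive-search effort."""
import hashlib


def toy_encrypt(key: int, key_bits: int, plaintext: bytes) -> bytes:
    """Toy cipher: XOR the message with a SHA-256 keystream derived from the key.
    Fine for counting trials; it is not a real cipher and not for real use."""
    key_bytes = key.to_bytes((key_bits + 7) // 8, "big")
    stream = hashlib.sha256(key_bytes).digest()
    if len(plaintext) > len(stream):
        raise ValueError("toy cipher handles at most 32 bytes")
    return bytes(p ^ s for p, s in zip(plaintext, stream))


def exhaustive_search(ciphertext: bytes, known_plaintext: bytes, key_bits: int):
    """Try keys 0, 1, 2, ... until one maps the known plaintext to the
    observed ciphertext.  Returns (key, trials_used); (None, 2**bits) if none."""
    for candidate in range(1 << key_bits):
        if toy_encrypt(candidate, key_bits, known_plaintext) == ciphertext:
            return candidate, candidate + 1
    return None, 1 << key_bits


def worst_case_trials(key_bits: int) -> int:
    """Every extra key bit doubles the size of the key space."""
    return 1 << key_bits


def years_to_exhaust(key_bits: int, trials_per_second: float) -> float:
    """Wall-clock years to try every key at a given rate (the 'effort' the
    paper refers to), assuming no shortcut better than trying keys exists."""
    return worst_case_trials(key_bits) / trials_per_second / (365 * 24 * 3600)


def demo():
    """Measure trials for the last key in 8-, 12- and 16-bit key spaces."""
    sample = b"constructed sample text"
    results = {}
    for bits in (8, 12, 16):
        worst_key = (1 << bits) - 1
        ct = toy_encrypt(worst_key, bits, sample)
        found, trials = exhaustive_search(ct, sample, bits)
        results[bits] = (found == worst_key, trials)
    return results


if __name__ == "__main__":
    for bits, (ok, trials) in demo().items():
        print(f"{bits:2d}-bit key: recovered={ok} after {trials} trials")
    print(f"128-bit key at 1e12 trials/s: {years_to_exhaust(128, 1e12):.3e} years")
```

The caveat a practitioner should keep in mind is that the key length only sets the effort of exhaustive search; a cipher with a design flaw can fall far faster than its key length suggests, which is why the paper notes that proving the robustness of a cipher is extremely difficult.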

Certificates
Certificates are a convenient place for storing and managing public keys. They also form the basis of authentication in digital communications, being the digital equivalent of a passport. Like a passport, they have to be issued by a recognized authority and contain certain things that allow the subject's identity to be confirmed and the certificate's validity to be ascertained. The former is achieved by including some identifying information on the subject, along with the subject's public key. The latter is achieved by certificates being issued by a recognized Certification Authority, and being digitally signed by that authority.
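The two checks the passage describes, identity fields bound to a public key and a signature from a recognized Certification Authority, can be shown in a few dozen lines. The following Python example is added here and is not from the paper. It uses textbook RSA over two small primes as a constructed toy signature scheme (the mechanism is real, the key sizes are not), a minimal JSON-encoded certificate, and a validator that does what a WTLS or TLS client does with a server certificate: look up the issuer among the roots it trusts and verify the signature with that issuer's public key. All names ("Example CA", gateway.example.net) are constructed.

```python
"""Constructed example: issuing and validating a minimal certificate chain."""
import hashlib
import json
import math


def _next_prime(n: int) -> int:
    """Smallest prime >= n by trial division (fine for the toy sizes here)."""
    while True:
        if n > 1 and all(n % d for d in range(2, math.isqrt(n) + 1)):
            return n
        n += 1


def keygen(seed: int):
    """Textbook RSA key pair from two small primes near `seed`.
    TOY sizes for illustration; real keys are thousands of bits."""
    e = 65537
    p = _next_prime(seed)
    q = _next_prime(p + 1)
    while math.gcd(e, (p - 1) * (q - 1)) != 1:   # e must be invertible mod phi
        q = _next_prime(q + 1)
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return {"n": n, "e": e}, {"n": n, "d": d}


def _digest(data: bytes, n: int) -> int:
    """Hash the data and reduce it into the RSA modulus range."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv: dict, data: bytes) -> int:
    return pow(_digest(data, priv["n"]), priv["d"], priv["n"])


def verify(pub: dict, data: bytes, sig: int) -> bool:
    return pow(sig, pub["e"], pub["n"]) == _digest(data, pub["n"])


def to_be_signed(cert: dict) -> bytes:
    """Canonical encoding of every field except the signature itself."""
    fields = {k: v for k, v in cert.items() if k != "signature"}
    return json.dumps(fields, sort_keys=True).encode()


def issue(subject: str, subject_pub: dict, issuer: str, issuer_priv: dict) -> dict:
    """Bind a subject name to its public key and sign the binding as the issuer."""
    cert = {"subject": subject, "public_key": subject_pub, "issuer": issuer}
    cert["signature"] = sign(issuer_priv, to_be_signed(cert))
    return cert


def validate(cert: dict, trusted_roots: dict) -> bool:
    """Is the certificate signed by an authority this client recognises?
    Any change to the signed fields, or a signature by any other key, fails."""
    root = trusted_roots.get(cert["issuer"])
    if root is None:
        return False
    if not verify(root["public_key"], to_be_signed(root), root["signature"]):
        return False  # the root's own self-signature must hold
    return verify(root["public_key"], to_be_signed(cert), cert["signature"])


def demo():
    """Returns (genuine, altered_after_signing, issuer_name_without_issuer_key)."""
    ca_pub, ca_priv = keygen(10**6)
    ca_cert = issue("Example CA", ca_pub, "Example CA", ca_priv)  # self-signed root
    trusted = {"Example CA": ca_cert}

    srv_pub, _ = keygen(3 * 10**6)
    genuine = issue("gateway.example.net", srv_pub, "Example CA", ca_priv)

    altered = dict(genuine, subject="other.example.net")   # identity changed after signing
    other_pub, other_priv = keygen(5 * 10**6)
    not_from_ca = issue("gateway.example.net", other_pub, "Example CA", other_priv)

    return validate(genuine, trusted), validate(altered, trusted), validate(not_from_ca, trusted)


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The validator deliberately refuses a certificate whose issuer is not in the trusted set rather than accepting it as "unknown": a WTLS Class 2 or Class 3 handshake is only as strong as the list of authorities the device is configured to trust.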

WTLS
WTLS is the Wireless Transport Layer Security protocol. As can be ascertained from the name, it operates at, or more correctly just above, the transport layer in the OSI protocol stack. It is based on Transport Layer Security (TLS), which is the de facto security implementation on the Internet. It works by establishing a session between a client and a server (which in the case of WTLS is the WAP gateway), during which it negotiates the security parameters to be used to protect the session. These include the encryption protocols to be used, signature algorithms, public keys, pre-master secrets, or the exchange of certificates, depending on the capabilities of both the client and the server and the required level of security. The process of establishing a session is called the handshake. Once a session has been established all communications between the mobile device and the WAP gateway are encrypted, and therefore should be unintelligible if they are intercepted.

Another advantage of WTLS over TLS is that it operates over UDP. TLS requires a reliable transport protocol, in particular TCP, so it cannot be used over UDP. WTLS addresses this shortcoming, and also functions over WDP in the absence of UDP.

There are three classes of WTLS implementation defined in the WAP specification:

Class 1: Anonymous key exchange with no authentication.
Class 2: Certificate-based server authentication. The server key is anonymous or authenticated; the client key is anonymous.
Class 3: Certificate-based client and server authentication. Both client and server keys are anonymous or authenticated.

Transport Layer Security (TLS)

A wireless profile of the TLS protocol will permit interoperability for secure transactions. This profile for TLS includes cipher suites, certificate formats, signing algorithms and the use of session resume. The profile also defines the method for TLS tunneling to support end-to-end security at the transport level. A key feature of WAP 2.0 is the introduction of Internet protocols into the WAP environment. This support has been motivated by the emergence of high-speed wireless networks that provide IP support directly to the wireless devices.

Protocol Layers for Networks Supporting IP

Wireless Profiled HTTP (WP-HTTP)
Transport Layer Security (TLS)
Wireless Profiled TCP (WP-TCP)

Application level security on top of WAP

This method amounts to introducing security at a software layer above WAP. Instead of using WAP's protocol for secure transport (WTLS), security is taken care of by means of dedicated software running at the two ends, the mobile phone and the e-merchant's web server.

Thus the user community on the wireless telephony network is growing faster, and future generations of wireless technology will not only bring the Internet to individuals, they will deliver individuals to the Internet in more transparent ways. However, mobility is not about the technology and it is not only about being wireless. Establishing and maintaining effective policies that address the security, integrity, availability, confidentiality and privacy of critical information system assets is crucial to business survival. These policies are all part of the broader information assurance, where trust is key and which is a fundamental part of the digital economy's four imperatives.

Conclusion
Enterprise demand for increased productivity and competitive advantage virtually guarantees that wireless mobility solutions will make their way into the core of enterprise IT infrastructure. Wireless mobility solutions promise a host of benefits both at the top and bottom lines of the balance sheet. However, outstanding security concerns about wireless technology have been one of the main reasons why these solutions have not gained greater acceptance to date. By addressing all four key areas of wireless mobility security (authentication and authorization, over-the-air security, offline security and firewall security), the WAP user community can have both peace of mind and confidence that their privacy, confidentiality and integrity are strictly secure.
