End to End WTLS Security Model for WAP

IP.com Disclosure Number: IPCOM000016778D
Original Publication Date: 2003-Jul-15
Included in the Prior Art Database: 2003-Jul-15

Publishing Venue

IBM

Abstract

Industry research suggests that the most significant factor influencing the take-up of mobile Internet solutions is security concerns [Yan00]. This paper surveys the components of security used in WAP 1.x based solutions. These include SSL, TLS, WTLS, and the GSM security protocols: A2/A4, A3, A5, and A8. A list of the security exposures is outlined, including the key exposure at the WAP gateway where WTLS is converted to SSL. Several techniques for mitigating these exposures are described, together with an end-to-end security model using a WDP-UDP Datagram gateway to eliminate the security exposure at the WAP gateway.

This is the abbreviated version, containing approximately 10% of the total text.

1. Introduction

  Presently, two mobile Internet platforms dominate the international market. The first is i-mode, deployed exclusively in Japan and run by NTT DoCoMo, formerly a subsidiary company of Nippon Telegraph & Telephone (NTT). The second is the Wireless Application Protocol (WAP), purported to be an open standard for vendors to develop mobile solutions [WAP]. The success of i-mode is renowned, with 50,000 new subscribers every day [Mor00]. This success, in contrast to WAP, is attributed to several factors: availability of content, ease of use, competitive pricing models, reliability, and responsiveness [HRL00]. In addition to these elements, a closer inspection of the underlying mechanisms involved reveals that i-mode also furnishes an end-to-end security model, an area where present WAP 1.X solutions are trailing.

  Despite the growth of mobile services, and the factors contributing to this growth, the current security model for WAP 1.X solutions is inhibiting the take-up of new services. This notion is supported by current industry research, which suggests that security is the most significant factor influencing the take-up of mobile WAP solutions [Yan00]. This is perhaps not a function of how the Wireless Transaction Layer Security (WTLS) protocol has been devised, but rather of the omissions in the end-to-end deployment scenario.

  In this paper we outline the current security models available for developing WAP solutions, providing details on how the protocols are used, describing the security threats present, and discussing several techniques for mitigating these risks. Whilst the key problem of end-to-end security is addressed by WAP 2.0, the problem still persists in WAP 1.X implementations. This paper presents several approaches to address end-to-end security for WAP 1.X implementations.

2. Background

We define the terminology relevant to mobile and Internet security and describe the construction of the Internet security protocol SSL, and how this has been adapted for use in a WAP environment. The terminology used in security may be categorised as security services and security mechanisms, and in a WAP (or Internet) context the intent is to secure transactions exchanged between the customer device and the origin server (i.e. the content webserver). Unless otherwise stated, there is no explicit distinction made between transactions over the Internet and transactions that extend beyond this realm to a mobile device.

2.1 Security Services

Table 1 summarises the principal security services that are required to support secure transactions. Confidentiality is one of the most fundamental security services and is required to protect sensitive payloads such as financial, personal, or critical business data from unauthorised disclosure. However, data integrity and authentication services are arguably even more critical in this environment since modification of transmitted data, or mis-at...