
SECURITY ISSUES ON WAP IN MOBILE COMPUTING

ABSTRACT

Mobility is about individual and on-demand connection. It's about getting the right information at the right time and in the right place. In the end, mobility has the power to transform the way we go beyond the Internet. Delivering mobility isn't just about wireless devices and networks. It's really about connecting people - connecting them with one another, with their work, their homes and their play - and supporting their experience regardless of which technology is used, so that the end result is a seamless customer experience with all the old boundaries removed.

The Wireless Application Protocol (WAP) has been proposed as a better way to achieve mobility. WAP is a specification for a set of communication protocols designed to allow and standardize ways for wireless devices to get information from networks and display it in their browsers. WAP helps to define servers, called gateways, that mediate between wired and wireless networks, and provide value-added services to wireless networks. Using WAP, you can communicate with any operating system.

Global enterprises are automating the distribution and sharing of data, information and applications in real time. This necessitates a strategic plan that assures the privacy, confidentiality, integrity and availability of their information systems, supporting infrastructures and other intellectual assets. In the transition from e-commerce to the digital economy the major roadblock, lack of trust, must be removed. So the issue of data security is given top priority when planning a comprehensive information assurance strategy.

Security is both an enabling and disabling technology. Its purpose is to enable communication and transactions to take place in a secure environment without fear of compromise, while at the same time disabling non-legitimate activities and access to information and facilities. Non-legitimate activities include eavesdropping, pretending to be another party (also known as impersonation or spoofing), or tampering with data during transmission. In general these activities are either unacceptable or illegal outside of the digital environment, so security simply helps to enforce the status quo in that sense.

INDEX

- INTRODUCTION
- CONCEPTS
- SECURITY
- WAP ARCHITECTURE
- WAP ENVIRONMENT
- WAP PROTOCOL STACKS
- CONCLUSION

INTRODUCTION

There is a common perception that wireless environments are inherently less secure than wired environments. Reports of phone masquerading and phone call tapping in mobile wireless environments have led many to believe that this is not an environment conducive to e-commerce. While this was certainly true in the past, the wireless industry has been working hard at providing security protections strong enough for real mobile-device based e-commerce.

CONCEPT

Familiarity with some concepts relating to digital communications and to security is required in order to understand the points made later in this paper, and the place of the existing security solutions within the communications process.

WHAT SECURITY IS ABOUT

We are going to begin the investigation of the topic of security with a discussion of what security is about and why it matters. In this section we will investigate:

1. The importance of security in mobile applications
2. The role of security in protecting data and systems
3. The basic issues which security solutions of all types need to address

THE ROLE OF SECURITY

Security is both an enabling and disabling technology. Its purpose is to enable communications and transactions to take place in a secure environment without fear of compromise, while at the same time disabling non-legitimate activities and access to information and facilities. Non-legitimate activities include eavesdropping, pretending to be another party (also known as impersonation or spoofing), or tampering with data during transmission. In general these activities are either unacceptable or illegal outside of the digital environment, so security simply helps to enforce the status quo in that sense.

THE WAP ARCHITECTURE

The WAP standard defines two essential elements: an end-to-end application protocol and an application environment based on a browser. The application protocol is a communication protocol stack that is embedded in each WAP-enabled wireless device (also known as the user agent). The server side implements the other end of the protocol, which is capable of communicating with any WAP client. The server side is known as a WAP gateway and routes requests from the client to an HTTP (or Web) server. The WAP gateway can be located either in a telecom network or in a computer network (an ISP).

WAP NETWORKING ENVIRONMENT

WAP, or Wireless Application Protocol, is an industry-initiated world standard that allows the presentation and delivery of information and services to wireless devices such as mobile telephones or handheld computers. The major players in the WAP space are the Wireless Service Provider (WSP) and the Enterprise. The Wireless Service Provider is the wireless equivalent of an Internet Service Provider (ISP). The role of the WSP is to provide access to back-end resources for wireless users. The WSP provides additional services because wireless users must transition from the wireless to wired environments (unlike an Internet environment where the user is already "on" the Internet). The WSP's space contains a Modem Bank, Remote Access Service (RAS) server, Router, and potentially a WAP Gateway. This environment is analogous to the wired environment, where all "connection-type" services are provided by the Wireless Service Provider. Much of this functionality overlaps with functionality currently provided by the telecommunications industry. We anticipate that the majority of this functionality will be implemented and managed by Telecommunication Companies such as Wireless Service Providers. The WSP handles the processing associated with the incoming WAP communications, including the translation of the wireless communication from the WAP device through the transmission towers to a Modem Bank and Remote Access Server (RAS) and on to the WAP Gateway. The Modem Bank receives incoming phone calls from the user's mobile device, the RAS server translates the incoming calls from a wireless packet format to a wired packet format, and the Router routes these packets to the correct destination.

TRADITIONAL WAP NETWORKING ENVIRONMENT

The WAP Gateway is used to translate the WAP protocols (protocols that have been optimized for low bandwidth, low power consumption, limited screen size, and low storage) into the traditional Internet protocols (TCP/IP). The WAP Gateway is based on proxy technology. Typical WAP Gateways provide the following functionality:

- Provide DNS services, for example to resolve domain names used in URLs.
- Provide a control point for management of fraud and service utilization.
- Act as a proxy, translating the WAP protocol stack to the Internet protocol stack.

Many Gateways also include a "transcoding" function that will translate a Hypertext Markup Language (HTML) page into a Wireless Markup Language (WML) page that is suited to the particular device type (such as a Nokia 6120 or Motorola Timeport mobile phone). The Enterprise space contains the back-end Web and application servers that provide the Enterprise's transactions. While it seems "natural" for the Wireless Service Provider to maintain and manage the WAP Gateway, there are circumstances under which this is not desirable. This is due to the presence of an encryption "gap", caused by the ending of the Wireless Transport Layer Security (WTLS) session at the Gateway: the data is temporarily in clear text on the Gateway until it is re-encrypted under the SSL session established with the Enterprise's web server. In such cases, the WAP Gateway should be maintained at the Enterprise. Maintaining a WAP Gateway does not require any telecommunications skills; the Gateway receives regular UDP packets. The problem with this solution remains the absence of a DNS client at the mobile device, which would require the storage of profiles for every target on the mobile device. This also requires that the Enterprise set up a relationship with the Service Provider whereby all incoming packets destined for the Enterprise (identified by IP address) are immediately routed by the WSP directly to the Enterprise and are never sent to the WSP's Gateway.

THE WAP PROTOCOL STACK

To minimize bandwidth requirements, and guarantee that a variety of wireless networks can run WAP applications, a new lightweight protocol stack called the WAP protocol stack was developed. The WAP protocol stack has four layers: session layer, transaction layer, security layer, and datagram layer.

THE BASIC ISSUES

There are a number of basic issues around security that have to be addressed. Almost all of these have parallels in the real world, and often the solutions are based on, or similar to, real-world solutions.

These basic issues are:

Authentication – being able to validate that the other party participating in a transaction is who the party claims to be, or a legitimate representative of that party

Confidentiality – being able to ensure that the content and meaning of communications between two parties do not become known to third parties

Integrity – being able to ensure that messages received are genuine and have not been tampered with or otherwise compromised

Authorization – being able to ascertain that a party wanting to perform some action is entitled to perform that action within the given context

Non-repudiation – being able to ensure that once a party has voluntarily committed to an action it is not possible.

ENCRYPTION

Cryptography is the study of encryption, or the science of encoding data into another format that cannot easily be decoded or understood, using some sort of mathematical algorithm. Developing and proving the robustness of an encryption algorithm (called a cipher) is extremely difficult, so there are relatively few of these algorithms in existence. If everyone used the same few algorithms their effectiveness at concealing information would be severely limited, so the algorithms use keys, which are strings of bits, to 'customize' the behavior of the algorithm. In general, the strength of the algorithm (usually defined in terms of how much effort is required to decode an encoded message) depends on the length of the key. In particular, there is a class of ciphers that are particularly expensive, but which provide some particularly useful features. These are called asymmetric ciphers. Their less computationally expensive counterparts are called symmetric ciphers.

CERTIFICATES

Certificates are a convenient place for storing and managing public keys. They also form the basis of authentication in digital communications, being the digital equivalent of a passport. Like a passport, they have to be issued by a recognized authority and contain certain things that allow the subject's identity to be confirmed and the certificate's validity to be ascertained. The former is achieved by including some identifying information on the subject, along with the subject's public key. The latter is achieved by certificates being issued by a recognized Certification Authority, and being digitally signed by that authority.

WTLS

WTLS is the Wireless Transport Layer Security protocol. As can be ascertained from the name, it operates at, or more correctly just above, the transport layer in the OSI protocol stack. It is based on Transport Layer Security (TLS), which is the de facto security implementation on the Internet. It works by establishing a session between a client and a server (which in the case of WTLS is the WAP gateway), during which it negotiates security parameters to be used to protect the session. These include the encryption protocols to be used, signature algorithms, public keys, pre-master secrets, or the exchange of certificates, depending on the capabilities of both the client and the server and the required level of security. The process of establishing a session is called the handshake. Once a session has been established all communications between the mobile device and the WAP gateway are encrypted, and therefore should be unintelligible if they are intercepted. Another advantage of WTLS over TLS is that it operates over UDP. TLS requires a reliable transport protocol, in particular TCP, so it cannot be used over UDP. WTLS addresses this shortcoming, and also functions over WDP in the absence of UDP. There are three classes of WTLS implementation defined in the WAP specification. They are:

Class 1: Anonymous key exchange with no authentication.

Class 2: Certificate based server authentication. Server key is anonymous or authenticated, client key is anonymous.

Class 3: Certificate based client and server authentication. Both client and server keys are anonymous or authenticated.
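
The following Python script is an added illustration, not code from the paper, of how a certificate binds a subject's identifying information to its public key and how a Certification Authority's signature lets a client check that binding; this is what separates WTLS Class 2 and 3 from Class 1, where no certificate is exchanged. It uses textbook RSA with tiny made-up primes and an unpadded hash so the asymmetric property from the Encryption section (sign with the private key, verify with the public key) is visible in a few lines. The subject name, key values and the `server_authenticated` helper are constructed for this example and do not follow the WTLS certificate format.

```python
"""Toy certificate issuance and verification (added example, not the paper's).

Textbook RSA with tiny fixed primes and no padding, used only to show the
asymmetric idea: the Certification Authority (CA) signs with its private key
and any client can verify with the CA's public key. Real WTLS/TLS
certificates use X.509/WTLS encodings, large keys and padded signatures.
"""
import hashlib
import json

# Constructed toy primes for the CA and for a server (a real key has
# thousands of bits; these fit in a few decimal digits).
CA_PRIMES = (61, 53, 17)      # p, q, public exponent e
SERVER_PRIMES = (47, 59, 17)


def make_keypair(p, q, e):
    """Return ((n, e), (n, d)): public key and private key."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)       # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def digest_int(data, n):
    """Hash the data and reduce into the RSA modulus range (toy only)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def certificate_body(subject, subject_pubkey):
    """Identifying information plus the subject's public key, canonically encoded."""
    return json.dumps({"subject": subject, "pubkey": list(subject_pubkey)},
                      sort_keys=True).encode()


def issue_certificate(ca_private, subject, subject_pubkey):
    """CA signs the body: signature = H(body)^d mod n."""
    n, d = ca_private
    body = certificate_body(subject, subject_pubkey)
    return {"body": body, "signature": pow(digest_int(body, n), d, n)}


def verify_certificate(cert, ca_public):
    """Client checks signature^e mod n == H(body) using only the CA public key."""
    n, e = ca_public
    return pow(cert["signature"], e, n) == digest_int(cert["body"], n)


def server_authenticated(wtls_class, cert, ca_public):
    """Class 1: no certificate is exchanged, so nothing can be authenticated.
    Class 2 and 3: the server certificate must verify under a trusted CA."""
    if wtls_class == 1 or cert is None:
        return False
    return verify_certificate(cert, ca_public)


if __name__ == "__main__":
    ca_public, ca_private = make_keypair(*CA_PRIMES)
    server_public, _server_private = make_keypair(*SERVER_PRIMES)
    cert = issue_certificate(ca_private, "wap-gateway.example", server_public)
    print("genuine cert verifies:", verify_certificate(cert, ca_public))

    # A forged signature (off by one) fails: only the CA's d produces a valid one.
    forged = dict(cert, signature=(cert["signature"] + 1) % ca_public[0])
    print("forged signature verifies:", verify_certificate(forged, ca_public))

    # Altering the subject after signing also fails verification.
    tampered = dict(cert, body=cert["body"].replace(b"wap-gateway", b"evil-gateway"))
    print("tampered body verifies:", verify_certificate(tampered, ca_public))

    print("class 1 authenticated:", server_authenticated(1, None, ca_public))
    print("class 2 authenticated:", server_authenticated(2, cert, ca_public))
```

The client never needs the CA's private key, only its public key, which is the "passport" property the paper describes: the issuing authority's signature can be checked by anyone, but produced by no one else. With a modulus this small the hash is reduced to a few thousand values, so the script demonstrates the mechanism, not the strength; key length is where the strength comes from, as the Encryption section notes.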

PROTOCOL LAYERS FOR NETWORKS SUPPORTING IP

A key feature of WAP 2.0 is the introduction of Internet protocols into the WAP environment. This support has been motivated by the emergence of high-speed wireless networks that provide IP support directly to the wireless devices. The layers are:

- Wireless Profiled HTTP (WP-HTTP)
- Transport Layer Security (TLS)
- Wireless Profiled TCP (WP-TCP)

TRANSPORT LAYER SECURITY (TLS)

The TLS protocol will permit interoperability for secure transactions. This profile for TLS includes cipher suites, certificate formats, signing algorithms and the use of session resume. The profile also defines the method for TLS tunneling to support end-to-end security at the transport level.

APPLICATION LEVEL SECURITY ON TOP OF WAP

This method amounts to introducing security at a software layer above WAP. Instead of using WAP's protocol for secure transport (WTLS), security is taken care of by means of dedicated software running at the two "ends", the mobile phone and the e-merchant's web server. Such software could perform encryption in a way that eliminates the security hole at the gateway.
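
To make the gateway "gap" from the Traditional WAP Networking Environment section concrete, here is an added Python model, not code from the paper, of the two deployments: the traditional path where WTLS terminates at the WAP Gateway and SSL begins there, and the application-level alternative described above where the payload is encrypted end-to-end before it enters WTLS. The cipher is a toy keystream built from SHA-256 in counter mode standing in for WTLS and SSL, the session keys and the message are constructed, and the function names are this example's own; what it shows is exactly which bytes the gateway holds at the re-encryption step.

```python
"""Hop-by-hop (WTLS + SSL) versus end-to-end protection (added example).

Three parties from the paper: the mobile device, the WAP gateway and the
enterprise web server. The cipher is a toy keystream derived from SHA-256 in
counter mode, standing in for WTLS and SSL; keys and message are constructed.
"""
import hashlib


def keystream(key, length):
    """Derive `length` bytes by hashing key || counter (toy, not a real cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def toy_encrypt(key, data):
    """XOR the data with the keystream; the same call decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


toy_decrypt = toy_encrypt

# Constructed session keys. K_WTLS and K_SSL are each known to the gateway;
# K_APP is shared only by the device and the enterprise server.
K_WTLS = b"constructed-wtls-session-key"
K_SSL = b"constructed-ssl-session-key"
K_APP = b"constructed-application-level-key"


def traditional_wap_path(message):
    """WTLS ends at the gateway, SSL starts there: the encryption 'gap'."""
    over_the_air = toy_encrypt(K_WTLS, message)       # device -> gateway
    at_gateway = toy_decrypt(K_WTLS, over_the_air)     # plaintext on the gateway
    to_enterprise = toy_encrypt(K_SSL, at_gateway)     # gateway -> server
    at_server = toy_decrypt(K_SSL, to_enterprise)
    return {"gateway_sees": at_gateway, "server_gets": at_server}


def application_level_path(message):
    """Payload encrypted under K_APP before entering WTLS; the gateway relays
    ciphertext and re-wraps it under SSL without ever seeing the plaintext."""
    inner = toy_encrypt(K_APP, message)
    over_the_air = toy_encrypt(K_WTLS, inner)
    at_gateway = toy_decrypt(K_WTLS, over_the_air)     # still K_APP ciphertext
    to_enterprise = toy_encrypt(K_SSL, at_gateway)
    at_server = toy_decrypt(K_APP, toy_decrypt(K_SSL, to_enterprise))
    return {"gateway_sees": at_gateway, "server_gets": at_server}


def gateway_can_read(result, message):
    """True when the bytes visible on the gateway equal the original message."""
    return result["gateway_sees"] == message


if __name__ == "__main__":
    msg = b"transfer 100 EUR to account 4711"   # constructed sample payload
    for name, path in (("traditional", traditional_wap_path),
                       ("application-level", application_level_path)):
        r = path(msg)
        print(f"{name}: server decrypts correctly={r['server_gets'] == msg}, "
              f"gateway can read={gateway_can_read(r, msg)}")
```

In both paths the enterprise server recovers the message, so the difference is invisible to the endpoints; it only shows up in what an operator or a compromise of the gateway host could observe. That is why the paper's two remedies are either to move the gateway inside the enterprise (so the party holding K_WTLS and K_SSL is the enterprise itself) or to add the K_APP layer so that the gateway holds only ciphertext.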

CONCLUSION

Enterprise demand for increased productivity and competitive advantage virtually guarantees that wireless mobility solutions will make their way into the core of enterprise IT infrastructure. Wireless mobility solutions promise a host of benefits both at the top and bottom lines of the balance sheet. However, outstanding security concerns about wireless technology have been one of the main reasons why these solutions have not gained greater acceptance to date. By addressing all four key areas of wireless mobility security –

- Authentication and Authorization
- Over-the-air security
- Offline security
- Firewall Security

the WAP user community can have both peace of mind and confidence that their privacy, confidentiality and integrity are protected.

The user community on the wireless telephony network is growing fast, and future generations of wireless technology will not only bring the Internet to individuals, they will deliver individuals to the Internet in more transparent ways. However, mobility is not about the technology, and it is not only about being wireless. Establishing and maintaining effective policies that address the security, integrity, availability, confidentiality and privacy of critical information system assets is crucial to business survival. These policies are all part of the broader information assurance, where trust is key and which is a fundamental part of the digital economy's four imperatives.
