1 / 27

WAP Public Key Infrastructure

WAP Public Key Infrastructure. By: Juan Cao For: CSCI5939 Instructor: Dr. T. Andrew Yang Date: 04/03/2003. What is PKI?. Public-Key Infrastructure (PKI) is the combination of software, encryption technologies, and services that enables enterprises to provide secure services. “PKI integrate

nailah
Download Presentation

WAP Public Key Infrastructure

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. WAP Public Key Infrastructure By: Juan Cao For: CSCI5939 Instructor: Dr. T. Andrew Yang Date: 04/03/2003

  2. What is PKI? • Public-Key Infrastructure (PKI) is the combination of software, encryption technologies, and services that enables enterprises to provide secure services. • “PKI integrate * digital certificates, * public-key cryptography, * certificate authorities into a total, enterprise-wide network security architecture.”[1]

  3. A typical enterprise's PKI encompasses • “the issuance of digital certificates to individual users and servers; • end-user enrollment software; • integration with corporate certificate directories (repository); • tools for managing, renewing, and revoking certificates; • and related services and support.”[1]

  4. PKI is composed of following objects. • Certificate Authority • Digital Certificate • Registration Authority (RA) • Directory Servers • Certification Maintenance System

  5. WPKI Model

  6. TLS and WTLS • WTLS is a variant of TLS optimized for use in wireless applications

  7. WTLS instances are classified as • “Class 1 - Provides confidentiality and data integrity based on public-key cryptography between client and server. The two parties remain anonymous.”[6] • “Class 2 - Additionally introduces server certificates to allow the client to authenticate the server.”[6] • “Class 3 - Additionally introduces client certificates so that the WTLS session can be mutually authenticated and application-layer signatures can be generated as proof for non-repudiation.”[6]

  8. CA root WAP CA Root SSL CA Root WAP Server SSL Server SSL Client w x x w w x WAP 1.1Security Architecture WTLS SSL/TLS terminal WAPGateway Server PKI portal CA

  9. 5 4 CA root WAP CA Root SSL CA Root SSL Server x x w w w 1 3 2 Enabling WTLSClass 2 Security terminal WAPGateway Server PKI portal CA

  10. CA root WAP CA Root SSL CA Root WAP Server SSL Server SSL Client x w w x x x x w WAP 1.2Security Architecture WML Signature WTLS SSL/TLS terminal WAPGateway Server WTLS Auth WML Sign PKI portal CA repository

  11. 5 3 6 1 7 CA root WAP CA Root SSL CA Root WAP Server SSL Server x w w x x w 4 2 Enabling WTLSClass 3 Security terminal WAPGateway Server WTLS Auth PKI portal CA repository

  12. Types of authentication: Message signing • “The WMLScript Crypto Library Specification provides cryptographic functionality for message signing.”[2] • “SignText provides a mechanism for client device to create a digital signature of text send to it using WMLScript.”[2] • “The WAP identity Module, WIM, may be used for private signing key storage and signature computation.”[2]

  13. 6 7 3 1 CA root WAP CA Root SSL CA Root WAP Server SSL Server w w w x x x x 4 2 Enabling WMLSignText Security terminal WAPGateway Server WML Sign WTLS auth PKI portal CA repository

  14. CA root WAP CA Root SSL CA Root WAP Server WAP Server w x x x w w w WAP 1.3 End-to-EndSecurity Architecture WTLS WML Signature WTLS Server terminal WAPGateway Master pull proxy WTLS Auth WML Sign PKI portal CA repository

  15. Digital Certificates • “Digital certificates are electronic files that are used to uniquely identify people and resources over networks such as the Internet.”[5] It is a passport. • A certificate typically includes a variety of information pertaining to its owner and to the CA that issued it, such as: * The name of the holder and other identification information * The holder’s public key * The name of the Certification Authority * A serial number * lifetime

  16. Types of Digital Certificates • Client Certificate (Device Certificate for WIM): * Authenticates the clients • WAP Server WTLS certificate: * Authenticate the identity of the WAP server * Encrypt information for the server using WTLS • CA certificate: * Identifies CA * Is used to authenticate and validate the WAP server certificate.

  17. WAP PKI Operations • Trusted CA information Handling. • WTLS Server Certificate Handling. • Client Registration. • Client Certificate URLs.

  18. Trusted CA Information Handling • “This operation verifies whether the CA that issued the certificate, can be trusted or not.”[8] • “In order to provide integrity, trusted CA information is downloaded in self-signed format” [4] • “The CA information SHOULD be distributed (i.e. downloaded) to the clients through • WSP (wireless session protocol): CA information is pulled when a URL is presented to a user, • Provisioning: CA information is downloaded on the client.”[8]

  19. Trusted CA information Handling contd.. • The CA information is sent to the client by: • Out of band hash verification method: the CA certificate is hashed and sent through an in-band channel whereas the “display” form of hash is sent in an out of band channel (phone or mail). * the hashed data hashVerification.doc[4]

  20. Trusted CA information Handling contd.. • The CA information is sent to the client by: • Signature verification method: if a new CA has issued the certificate, then it can only be trusted if it is accompanied by the cert of a CA already trusted by the client. * signatureVerification.doc[4]

  21. WTLS Server Certificate handling • The WAP server sends a certification request to a CA. • In response, the CA may. • Issue a long-lived WTLS certificate. • Or issue a sequence of short-lived WTLS certificates. • Used to check for revocation of servers. • Equivalent to certificate revocation lists (CRLs) in wired PKI • Typical lifetime is 48 hrs.

  22. Client Registration • “The client “proves” its identity and also “proves” that it possesses the private key corresponding to the public key which is to be certified.”[7] • Finds the PKI portal via manual browsing or through a URL contained in WML page. • The PKI Portal checks if the requestor has the corresponding private key to the given public key (Proof of Possession). • The client can use either WTLS Class III or signText() as the mechanism for proving possession of the relevant private key. In other words: “prove it by using it”.

  23. Client Certificate URLs • “it was suggested that instead of storing their certificates, clients could store a certificate URL that they then send over-the-air to verifiers.”[7] • “The verifier, presumably having fewer bandwidth limitations, can de-reference the URL and retrieve the client’s certificate.”[7] • “Doing this requires that the URL has a format that allows the verifier to check that the retrieved certificate and URL “match” and such a format is defined in the WPKI specification.”[7] • Protocols used HTTP, LDAP or FTP.

  24. Examples • VirtualWine.doc[3] • Example.doc[5]

  25. Future Outlook For WAP [9] • With the emergence of next generations networks it will make possible the delivery of full-motion video images and high-fidelity sound over mobile networks. • With the introduction of packet-switched data networks will kick-start the take-up of WAP services. • General packet radio services (GPRS), a method of sending Internet information to mobile telephones at high speed allowing mobile to be in always connected state • Technologies like bluetooth will connect the mobile to the personal computers.

  26. Any Questions??

  27. References [1] http://www.misecurity.com/eng/products/wpki_info.html [2] http://www.eurescom.de/~pub/seminars/past/2001/SecurityFraud/10-Nardone/10aNardone/10nardone.pdf [3] www.mohca.org/presentations/wireless_vandergeest.ppt [4] http://www1.wapforum.org/tech/documents/WAP-217-WPKI-20010424-a.pdf [5] http://www.entrust.com/resources/pdf/understanding_wtls.pdf [6] http://www.ee.ucl.ac.uk/lcs/papers2002/LCS030.pdf [7] http://www.baltimore.co.kr/downloads/pdf/baltimore_telepathy_wpkiwhitepaper.pdf [8] http://nas.cl.uh.edu/yang/teaching/csci5939WAP/csci5939WAP.htm [9] http://www.mobileinfo.com/WAP/future_outlook.htm

More Related