150 likes | 221 Views
Security in WAP and WTSL By Yun Zhou. Overview of WAP (Wireless Application Protocol). Proposed by the WAP Forum (Phone.com, Ericsson, Nokia, Motorola) in 1997. A wireless communication model, similar to the ISO OSI model
E N D
Security in WAP and WTSL By Yun Zhou
Overview of WAP (Wireless Application Protocol) • Proposed by the WAP Forum (Phone.com, Ericsson, Nokia, Motorola) in 1997. • A wireless communication model, similar to the ISO OSI model • An application environment for deploying wireless services regardless of different types of services, wireless bearers, and devices. • WAP provides a series of security measures • However, there are still various security loopholes in WAP.
WAP Architecture Components: WAP device (cell phone), WAP client/browser, User agent, Network operator (companies that provides bearer services), Bearer services (SMS, CDMA…), Application server
WAP Protocols Recall the ISO OSI model: • WAE (Wireless Application Environment): WML, WMLScript • WSP (Wireless Session Protocol) and WTP (Wireless • Transaction Protocol): together provide session layer services • connection oriented sessions or connectionless sessions. Reliable • sessions can be resumed. • WTLS (Wireless Transport Layer Security) (Optional)
Overview of WTLS • Based on TLS • Provides client-server mutual authentication, privacy, data integrity, non-repudiation • But not the same as TLS • Modifications due to • Narrow-bandwidth communication channel • Much less processing power • Much less memory • High loss ratio • Unexpected disconnections • Restrictions on exported encryption algorithms • Built on top of WDP and UDP (unreliable data transfer) • More security problems
WTLS Sub-Protocols • WTLS contains four sub-protocols: • Handshake protocol: Client and server negotiate over the security parameters to be used for later message exchanges • Alert protocol: Specifies the types of alerts and how to handle them. warning, critical, fatal Alerts can be sent by either the client or the server. • Application protocol: interface for the upper layer • Change Cipher Spec Protocol: Usually used towards the end of the handshake when the negotiation succeeds
Handshake Procedure Resume connection Complete handshake
How Security Functions Are Achieved • Authentication: Supports X.509v3 and X9.68 certificates, optimized sizes. • Key exchange: RSA, DH, ECC-DH (Preferable algorithm for WAP) • Bulk encryption algorithms: RC5 with 40, 56 or 128 bit keys, DES with 40 or 56 bit keys, 3DES, IDEA with 40, 56 or 128 bit keys, and ECC. (No stream ciphers) master_secret = PRF(pre_master_secret, "master secret", ClientHello.random + ServerHello.random) key_block = PRF(master_secret + expansion_label + seq_num + server_random + client_random); Keys and IVs are all generated from key_blocks. Keys are refreshed according to the negotiated frequency. • MAC algorithms: SHA-1, MD5, and SHA_XOR_40
Security Loopholes, Threats, Solutions - WAP Gateway • Decrypts and re-encrypts data – “White spot” • End-to-end security, but the ends are actually the web client and the gateway. • Solution by the network operators: Decrypts and re-encrypts only in the memory • Cannot solve the problem entirely: still uses swapfiles, hackers can do core dumps • Some companies try to completely get rid of the WAP gateway.
Deploy the Gateway in the Server’s network Decryption and re-encryption are done on the server side.
Security Loopholes, Threats, Solutions - WTLS • Has to use keys of small sizes: 40-bit DES -> 35 bits are actually used • Allows weak algorithms to be chosen • exchanges unauthorized messages or unencrypted packet fields, such as alert messages and recode_type field. • Vulnerable to viruses, Trojan horses, and worms. • Saarinen discussed a chosen plaintext data recovery attack, a datagram truncation attack, a message forgery attack, and a key-search shortcut for some exportable keys
Attack against SHA_XOR_40 • SHA_XOR_40: Padded messages are divided into 5-byte blocks. All blocks are XOR’ed to get the digest. • Attack: Flip a bit in one block, flip the bit in the corresponding position in the digest • Tada! Message modification succeeds!
User Authentication vs. Device Authentication - WIM • Mobile devices are easy to lose • One British article reported that “for the first time of this century the umbrella has been overtaken as the most popular item to leave on a train — by mobile phones”. • Cannot authenticate user if the passwords and certificates are stored locally • Use WIM (Wireless Identity Module), which can be a smart card or a SIM card. • Dedicated memory • Provides user authentication • Need to keep it separately from the device. Hard to achieve.
References Arehart, C., Professional WAP, Wrox Press Ltd, 2000. Jormalainen, S., Laine, J. “Security in WTLS”, 10/1/2000. Referred on 3/24/2004], <http://www.hut.fi/~jtlaine2/wtls/> Nicolas, R., Lekkas, P. Wireless security : models, threats, and solutions. McGraw-Hill. 2002. Saarinen, Markku-Juhani, “Attacks against the WAP WTLS Protocol”, 9/221999 [Referred on 3/24/2004], < http://www.jyu.fi/~mjos/wtls.pdf> Schneier, B., Applied Cryptography, Second Edition, John Wiley & Sons, Inc, p. 758, 1996. WAP Forum, “WAP Security Group (WSG) Charter”, 6/12/2002 [Referred on 3/24/2004].