FAQ’S ABOUT WAP

Presented By
Abhilash Pillai
CSCI 5939-Independent Study

Topics Covered
• Definition of a WAP gateway
• Architecture of a WAP gateway
• Configuration of WAP gateway
• Security over a WAP gateway
• Definition of WAP server
• Role of a WAP server

Definition of WAP gateway
• A WAP gateway is a piece of software that has several functions in the chain between the WAP device and the web server.
• When implementing services in Wireless Application Protocol (WAP), information is translated into Wireless Markup Language (WML) by a two-way device called a WAP gateway.

Architecture of WAP Gateway
Components of architecture
• Wireless Device
• WAP Gateway
• HTTP Server

Explanation Of Architecture
The data transfer procedure is as follows:
• Client sends a WSP request to WAP gateway
• WAP gateway decodes the WSP request into HTTP request
• WAP gateway sends the HTTP request to HTTP server
• WAP gateway receives the HTTP reply from HTTP server
• WAP gateway encodes the HTTP reply headers into WSP reply headers
• WAP gateway uses WML compiler to encode the received WML data to WMLC format, which is more compact
• WAP gateway sends WSP reply
• Client parses WSP reply and presents data

Architecture (cont.)
From the previous procedure we can see that the main tasks for a WAP gateway are:
• Communication with clients (based on WSP)
• Decoding WSP requests into HTTP requests
• Communication with HTTP server (based on HTTP)
• Encoding HTTP reply headers into WSP reply headers
• Compiling WML data into WMLC format

Configuration of WAP gateway
• The WAP gateway and the web server, which together form the WAP server, are placed outside the content provider's domain
• System is less secure

Configuration (cont.)
• The WAP server, i.e. the WAP gateway and the web server, is placed in the content provider's domain
• System is more secure

How the configuration works
• Mobile user types in the URL for a site on the WAP device.
• The WAP device first checks if it already has an open connection.
• If not, it dials the modem attached to a dial-in server (RAS, or Remote Access Service). This server gives the WAP device access to the protocols it needs.
• These protocols are the same lower-level protocols that a normal Internet Service Provider will give you, i.e. PPP (Point-to-Point Protocol).

Description (cont.)
• After the PPP provider has given the WAP device the required protocols and assigned it an IP address, the request for the URL is sent to the WAP Gateway.
• The WAP Gateway, now under "control" of the WAP device, requests the URL with a normal HTTP request.
• The WAP Gateway is the link between the wireless network and the Internet, basically giving the WAP device access to the common Internet.

Description (cont.)
• On the Internet, the web server receives the request from the WAP Gateway and sends back the contents located at the URL.
• Finally, back at the WAP device that requested the URL, the WML browser receives the tokenized WML code and renders the contents on the WAP device's display, presenting the first card of the deck on the screen for the user.
• To sum up, the client makes a request. This request is received by a WAP gateway, which processes the request, formulates a reply using WML and sends it back to the client for display. This process is very similar in concept to the standard HTTP transaction involving client Web browsers.

Security Issues
• The data is unencrypted inside the WAP gateway for a short span of time; this is a major security issue.
• It is up to the vendor's discretion to make the gateway as secure as possible.

Security Issues (cont.)
• The second security issue is that of the certificates that are provided for the device.
• This certificate is used to access the various services for a particular user.
• If the mobile device is lost, any user who possesses that mobile device can access the various services.
• For this reason, the new WTLS specification introduced the idea of PINs, i.e. a secure token ID. The user is supposed to reveal the token before using the services.

What is a WAP server
• A WAP Server is nothing more than a normal web server and a WAP gateway-like device built into one.
• The WAP server can plug a few holes that are currently unplugged in the WAP environment.
• Since the WAP server contains a gateway, the third-party gateway usually hosted by the mobile operator can be skipped, and the host of the WAP content will have full control over the encrypted stream.

Is WAP secure with SSL and WTLS?
• SSL, or Secure Sockets Layer, which is widely used in the "web" world to encrypt the data stream between the browser and the webserver, is also used in the WAP environment.
• SSL is only used between the webserver and the WAP gateway. Between the WAP gateway and the WAP device, a similar system called WTLS, or Wireless Transport Layer Security, is used. WTLS is specialized for the wireless environment.
• SSL and WTLS on their own provide adequate security for most applications. However, there is a potential security problem where the two protocols meet, and that is inside the WAP gateway.

Models of WAP system

                |                      |
[WAP device]----|---[WAP gateway]------|----[Content Server]
      WTLS      |    {unprotected}     |        SSL
            (Firewall)             (Firewall)

• SSL is not directly compatible with WTLS, so the WAP gateway must decrypt the SSL-protected data stream coming from the webserver and then re-encrypt it using WTLS before passing the data on to the WAP device.
• Inside the memory of the WAP gateway, the data is unprotected.

Models (cont.)
A more secure model, but with a tradeoff

                |             |
[WAP device]----|-------------|----[WAP Server acting as WAP gateway]
                |    WTLS     |
            (Firewall)    (Firewall)

• WAP players are developing solutions to the problem posed in the earlier model, but for now these solutions create other problems.
• "WAP servers" provide end-to-end security in a way, because the data stream leaves the "WAP server" already encrypted with WTLS.

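The two models above, as an added example that is not part of the original slides: a Python sketch tracing where the reply exists in cleartext when the operator's gateway translates SSL to WTLS, and when the provider's WAP server sends WTLS itself. The `toy_seal`/`toy_open` record functions, the node labels and the sample reply are constructed for illustration and are not real SSL or WTLS.

```python
import hashlib, hmac, os

def toy_seal(key, plaintext):
    """Constructed stand-in for an SSL or WTLS record (not a real cipher suite)."""
    nonce = os.urandom(8)
    stream = hashlib.shake_256(key + nonce).digest(len(plaintext))
    body = bytes(p ^ s for p, s in zip(plaintext, stream))
    return nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()

def toy_open(key, record):
    """Verify and decrypt a toy record; only a holder of the session key can."""
    nonce, body, tag = record[:8], record[8:-32], record[-32:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("record authentication failed")
    stream = hashlib.shake_256(key + nonce).digest(len(body))
    return bytes(c ^ s for c, s in zip(body, stream))

def translating_gateway_model(reply):
    """Content server --SSL--> operator's WAP gateway --WTLS--> WAP device."""
    ssl_key, wtls_key = os.urandom(32), os.urandom(32)
    cleartext_at = ["content server (provider domain)"]
    ssl_record = toy_seal(ssl_key, reply)
    in_memory = toy_open(ssl_key, ssl_record)      # SSL ends inside the gateway
    cleartext_at.append("WAP gateway (operator domain)")
    wtls_record = toy_seal(wtls_key, in_memory)    # re-encrypted for the air link
    return toy_open(wtls_key, wtls_record), cleartext_at

def wap_server_model(reply):
    """WAP server in the provider's domain --WTLS--> WAP device."""
    wtls_key = os.urandom(32)                      # shared by WAP server and device only
    cleartext_at = ["WAP server (provider domain)"]
    wtls_record = toy_seal(wtls_key, reply)
    try:                                           # the operator's network holds no key
        toy_open(os.urandom(32), wtls_record)
        cleartext_at.append("operator network")
    except ValueError:
        pass                                       # it can only relay opaque bytes
    return toy_open(wtls_key, wtls_record), cleartext_at

SAMPLE_REPLY = b"<wml><card><p>Balance: 1234</p></card></wml>"  # constructed sample

if __name__ == "__main__":
    for model in (translating_gateway_model, wap_server_model):
        delivered, cleartext_at = model(SAMPLE_REPLY)
        print(model.__name__, delivered == SAMPLE_REPLY, cleartext_at)
```
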
Proposed solution for the future
• Pass Through Model of WAP system

                |                     |
[WAP device]----|---[WAP gateway]-----|----[WAP Server]
                |        WTLS         |
            (Firewall)            (Firewall)

What is a proxy server?
• A proxy server plays the role of an agent between the web browser or another web client and the Internet. With the help of a proxy server, users can use the Internet in a controlled way, e.g. through a firewall.
• Furthermore, a proxy can be used as a filter (e.g. suppressing the referrer header for security) or to cache documents.
• It is possible to create "off-line" caches and to index them for later searching. Because a WAP proxy server can also act as a web server, it is possible to create virtual sites or to hide real sites.