Security in WAP and WTLS By Yun Zhou
Overview of WAP (Wireless Application Protocol)
Proposed by the WAP Forum (Phone.com, Ericsson, Nokia, Motorola) in 1997.
A wireless communication model, similar to the ISO OSI model
An application environment for deploying wireless services regardless of different types of services, wireless bearers, and devices.
WAP provides a series of security measures
However, there are still various security loopholes in WAP.
WAP Architecture
Components:
WAP device (cell phone), WAP client/browser, User agent, Network operator (companies that provide bearer services), Bearer services (SMS, CDMA…), Application server
WAP Protocols
Recall the ISO OSI model:
• WAE (Wireless Application Environment): WML, WMLScript
• WSP (Wireless Session Protocol) and WTP (Wireless Transaction Protocol): together provide session layer services, either connection-oriented sessions or connectionless sessions. Reliable sessions can be resumed.
• WTLS (Wireless Transport Layer Security) (Optional)
Overview of WTLS
Based on TLS
Provides client-server mutual authentication,
privacy, data integrity, non-repudiation
But not the same as TLS
Modifications due to
Narrow-bandwidth communication channel
Much less processing power
Much less memory
High loss ratio
Unexpected disconnections
Restrictions on exported encryption algorithms
Built on top of WDP and UDP (unreliable data transfer)
More security problems
WTLS Sub-Protocols
WTLS contains four sub-protocols:
Handshake protocol:
Client and server negotiate over the security parameters to be used for later message exchanges
Alert protocol:
Specifies the types of alerts and how to handle them.
warning, critical, fatal
Alerts can be sent by either the client or the server.
Application protocol: interface for the upper layer
Change Cipher Spec Protocol:
Usually used towards the end of the handshake when the negotiation succeeds
What does the handshake specify?
Handshake Procedure
Complete handshake
Resume connection
How Security Functions Are Achieved
Authentication:
Supports X.509v3 and X9.68 certificates, optimized sizes.
Key exchange: RSA, DH, ECC-DH (Preferable algorithm for WAP)
Bulk encryption algorithms:
RC5 with 40, 56 or 128 bit keys, DES with 40 or 56 bit keys, 3DES, IDEA with 40, 56 or 128 bit keys, and ECC. (No stream ciphers)
master_secret = PRF(pre_master_secret, "master secret", ClientHello.random + ServerHello.random)
key_block = PRF(master_secret + expansion_label + seq_num + server_random + client_random);
Keys and IVs are all generated from key_blocks.
Keys are refreshed according to the negotiated frequency.
MAC algorithms: SHA-1, MD5, and SHA_XOR_40
Security Loopholes, Threats, Solutions - WAP Gateway
Decrypts and re-encrypts data – “White spot”
End-to-end security, but the ends are actually the web client and the gateway.
Solution by the network operators:
Decrypts and re-encrypts only in the memory
Cannot solve the problem entirely:
still uses swapfiles, hackers can do core dumps
Some companies try to completely get rid of the WAP gateway.
Deploy the Gateway in the Server’s network
Decryption and re-encryption are done on the server side.
Security Loopholes, Threats, Solutions - WTLS
Has to use keys of small sizes:
40-bit DES -> 35 bits are actually used
Allows weak algorithms to be chosen
Exchanges unauthenticated messages or unencrypted packet fields, such as alert messages and the record_type field.
Vulnerable to viruses, Trojan horses, and worms.
Saarinen discussed a chosen plaintext data recovery attack, a datagram truncation attack, a message forgery attack, and a key-search shortcut for some exportable keys
Attack against SHA_XOR_40
SHA_XOR_40:
Padded messages are divided into 5-byte blocks. All blocks are XOR’ed to get the digest.
Attack:
Flip a bit in one block, flip the bit in the corresponding position in the digest
Tada! Message modification succeeds!
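Added example (not from the original slides): a simplified Python model of the XOR checksum as described above, next to HMAC-SHA1, which rejects the same modification. It assumes zero padding and ignores any keying or encryption WTLS applies around the checksum; the message, key and function names are constructed for illustration.

```python
import hashlib
import hmac

BLOCK = 5  # the slide's digest is 5 bytes (40 bits) wide


def xor_digest(message: bytes) -> bytes:
    """Zero-pad to a multiple of 5 bytes (assumption), then XOR all blocks."""
    padded = message + b"\x00" * (-len(message) % BLOCK)
    digest = bytearray(BLOCK)
    for i in range(0, len(padded), BLOCK):
        for j in range(BLOCK):
            digest[j] ^= padded[i + j]
    return bytes(digest)


def flip_bit(data: bytes, byte_index: int, bit: int) -> bytes:
    out = bytearray(data)
    out[byte_index] ^= 1 << bit
    return bytes(out)


def modify(message: bytes, digest: bytes, byte_index: int, bit: int):
    """Flip one message bit and the digest bit at the same block offset."""
    return (flip_bit(message, byte_index, bit),
            flip_bit(digest, byte_index % BLOCK, bit))


def xor_verify(message: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(xor_digest(message), digest)


def hmac_tag(key: bytes, message: bytes) -> bytes:
    return hmac.new(key, message, hashlib.sha1).digest()


def hmac_verify(key: bytes, message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(hmac_tag(key, message), tag)


def demo() -> dict:
    key = b"constructed-demo-key"      # constructed sample key
    msg = b"PAY 0100 TO ALICE"         # constructed sample message
    new_msg, new_digest = modify(msg, xor_digest(msg), 4, 0)
    return {
        "modified_message": new_msg,
        # XOR is linear, so the adjusted digest still verifies.
        "xor_accepts": xor_verify(new_msg, new_digest),
        # Without the key, only the old tag is available; it no longer matches.
        "hmac_accepts": hmac_verify(key, new_msg, hmac_tag(key, msg)),
    }
```

The XOR digest verifies after the change because each digest bit depends on exactly one bit position in every block; a keyed hash such as HMAC has no such per-bit relationship.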
User Authentication vs. Device Authentication - WIM
Mobile devices are easy to lose
One British article reported that “for the first time of this century the umbrella has been overtaken as the most popular item to leave on a train — by mobile phones”.
Cannot authenticate the user if the passwords and certificates are stored locally
Use WIM (Wireless Identity Module), which can be a smart card or a SIM card.
Dedicated memory
Provides user authentication
Needs to be kept separate from the device, which is hard to achieve.
References
Arehart, C., Professional WAP, Wrox Press Ltd, 2000.
Jormalainen, S., Laine, J., “Security in WTLS”, 10/1/2000 [Referred on 3/24/2004], <http://www.hut.fi/~jtlaine2/wtls/>
Nichols, R., Lekkas, P., Wireless Security: Models, Threats, and Solutions, McGraw-Hill, 2002.
Saarinen, Markku-Juhani, “Attacks against the WAP WTLS Protocol”, 9/22/1999 [Referred on 3/24/2004], <http://www.jyu.fi/~mjos/wtls.pdf>
Schneier, B., Applied Cryptography, Second Edition, John Wiley & Sons, Inc, p. 758, 1996.
WAP Forum, “WAP Security Group (WSG) Charter”, 6/12/2002 [Referred on 3/24/2004].