Introduction to M-Commerce
Overview
• What is M-Commerce?
• Security Issues
• Usability Issues
• Heterogeneity Issues
• Business Model Issues
• Case Studies / Examples
• Q & A

What is M-Commerce?
• E-Commerce with mobile devices (PDAs, Cell Phones, Pagers, etc.)
• Different than E-Commerce?
• No, but additional challenges:
  • Security
  • Usability
  • Heterogeneous Technologies
  • Business Model Issues
• But first, let’s learn a little about wireless technologies…

Wireless Technologies
• Link Layer (examples…)
  • WAN:
    Analog / AMPS
    CDPD: Cellular Digital Packet Data
    TDMA/GSM: Time Division Multiple Access, Global System for Mobile Communications (Europe)
    CDMA: Code Division Multiple Access
    Mobitex (TDMA-based)
  • LAN:
    802.11
    Bluetooth
• Devices: Cell Phones, Palm, WinCE, Symbian, Blackberry, …
Examples of PDA Devices

PDA                      Microprocessor                   Speed
Palm, Handspring         Motorola Dragonball              16.6 – 20 MHz
RIM Interactive Pager    Intel 386                        10 MHz
Compaq Aero 1530         NEC/VR4111 MIPS RISC             70 MHz
HP Jornada 820           Intel/StrongARM RISC SA-1100     190 MHz
Casio Cassiopeia E-100   NEC/VR4121 MIPS                  131 MHz
Psion Revo               ARM 710                          36 MHz
Psion Series 5           Digital/Arm 7100                 18 MHz

Application Layer Technologies
• Micro-browser based:
  WAP/WML, HDML: Openwave
  iMode (HTML): NTT DoCoMo
  Web Clipping: Palm.net
  XHTML: W3C
• Voice-browser based:
  VoiceXML: W3C
• Client-side:
  J2ME: Java 2 Micro Edition (Sun)
  WMLScript: Openwave
• Messaging:
  SMS: Part of GSM Spec.

Example: WAP
• WAP: Wireless Application Protocol
• Created by WAP Forum
  • Founded June 1997 by Ericsson, Motorola, Nokia, Phone.com
  • 500+ member companies
• Goal: Bring Internet content to wireless devices
• WTLS: Wireless Transport Layer Security
Basic WAP Architecture (figure; labels recovered from the slide): WTLS on the wireless side between the device and the WAP Gateway; SSL from the WAP Gateway across the Internet to the Web Server.
Security Challenges
• Less processing power on devices
  • Slow modular exponentiation and primality checking (e.g., RSA)
  • Crypto operations drain batteries (CPU intensive!)
• Less memory (keys, certs, etc. require storage)
• Few devices have crypto accelerators, or support for biometric authentication
• No tamper resistance (memory can be tampered with, no secure storage)
• Primitive operating systems with no support for access control (Palm OS)

Wireless Security Approaches
• Link Layer Security
  • GSM: A3/A5/A8 (auth, key agreement, encryption)
  • CDMA: spread spectrum + code sequence
  • CDPD: RSA + symmetric encryption
• Application Layer Security
  • WAP: WTLS, WML, WMLScript, & SSL
  • iMode: N/A
  • SMS: N/A
Example: Security Concerns
• Performance: we’ll do an example: should we use RSA or ECC for WTLS mutual auth?
• Control: the WAP Gap: data is in the clear at the gateway while re-encryption (WTLS to SSL) takes place

Example: WTLS: ECC vs. RSA?
• WTLS Goals
  • Authentication
  • Privacy
  • Data Integrity
• Authentication: Public-Key Crypto (CPU intensive!!!)
• Privacy: Symmetric Crypto
• Data Integrity: MACs

WTLS: Crypto Basics
• Public-Key Crypto
  • RSA (Rivest-Shamir-Adleman)
  • ECC (Elliptic Curve)
• Certificates
• Authentication
  • None, Client, Server, Mutual
WTLS w/ Mutual-Authentication
• Mutual-Authentication

  Client                                  Server
  ClientHello             ----------->
                                          ServerHello
                                          Certificate
                                          CertificateRequest
                          <-----------    ServerHelloDone
  Certificate
  ClientKeyExchange (only for RSA)
  CertificateVerify
  ChangeCipherSpec
  Finished                ----------->
                          <-----------    Finished
  Application Data        <---------->    Application Data

• Client-side operations:
  1. Verify Server Certificate
  2. Establish Session Key
  3. Generate Signature
WTLS Handshake Timings (Palm VII)
• Mutual-Authentication: RSA

Operation                        Cryptographic Primitive(s)                         Time Required (ms)
Server Certificate Verification  RSA Signature Verification (Public decrypt, e=3)   598
Session Key Establishment        RSA Encryption (Public encrypt)                    622
Client Authentication            RSA Signature Generation (Private encrypt)         21734
TOTAL                                                                               22954

WTLS Handshake Timings (Palm VII)
• Mutual-Authentication: ECC

Operation                        Cryptographic Primitive(s)                         Time Required (ms)
Server Certificate Verification  CA Public Key Expansion                            254.8
                                 ECC-DSA Signature Verification                     1254
Session Key Establishment        Server Public Key Expansion                        254.8
                                 Key Agreement                                      335.6
Client Authentication            ECC-DSA Signature Generation                       514.8
TOTAL                                                                               2614

The cryptographic execution time for mutually-authenticated 163-bit ECC handshakes is at least 8.64 times as fast as the cryptographic execution time for mutually-authenticated 1024-bit RSA handshakes on the Palm VII.
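The RSA column above is dominated by the client's signature, and the "slow modular exponentiation and primality checking" challenge earlier in the deck is the reason. The following Python is an added illustration, not code from the slides: it counts the modular multiplications that a plain square-and-multiply exponentiation performs (no CRT, no hardware accelerator, which is the situation of a device like the Palm VII), and runs a Miller-Rabin primality test on the same cost model to show what key generation would add. The toy key (p=11, q=17, e=3) and the seeded 1024-bit exponent are constructed values; the outputs are multiplication counts, not milliseconds.

```python
"""Operation-count model for the public-key work in a WTLS handshake.

Added illustration for this deck; not code from the original slides.
Counts are modular multiplications, not the Palm VII millisecond figures.
"""
import random


def modexp_counted(base, exp, mod):
    """Left-to-right square-and-multiply.

    Returns (base**exp % mod, number of modular multiplications), which is
    the cost model behind 'slow modular exponentiation' on a device that
    has no crypto accelerator.
    """
    if exp == 0:
        return 1 % mod, 0
    bits = bin(exp)[2:]
    result = base % mod          # most significant bit consumed here
    mults = 0
    for bit in bits[1:]:
        result = (result * result) % mod
        mults += 1
        if bit == "1":
            result = (result * base) % mod
            mults += 1
    return result, mults


def is_probable_prime(n, bases=(2, 3, 5, 7)):
    """Miller-Rabin with fixed witnesses; returns (verdict, multiplications).

    Generating an RSA key means running this on many candidates, each a
    full-size exponentiation, so key generation on the device costs far
    more than one handshake operation.
    """
    if n < 2:
        return False, 0
    for p in (2, 3, 5, 7):       # cheap trial division first
        if n % p == 0:
            return n == p, 0
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    total = 0
    for a in bases:
        x, m = modexp_counted(a, d, n)
        total += m
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = (x * x) % n
            total += 1
            if x == n - 1:
                break
        else:
            return False, total  # witness found: composite
    return True, total


def toy_rsa_keypair():
    """Constructed textbook RSA key using the deck's small public exponent e=3."""
    p, q = 11, 17
    n, phi = p * q, (p - 1) * (q - 1)
    e = 3
    d = pow(e, -1, phi)          # 107, since 3 * 107 = 321 = 2 * 160 + 1
    return n, e, d


def handshake_op_counts(msg, n, e, d):
    """Multiplications for one private operation (client signature) and one
    public operation (verify / encrypt) on the same modulus."""
    sig, sign_mults = modexp_counted(msg, d, n)
    recovered, verify_mults = modexp_counted(sig, e, n)
    assert recovered == msg % n  # textbook RSA round-trips
    return sign_mults, verify_mults


def full_size_private_exponent_cost(bits=1024, seed=1):
    """Multiplication count for a constructed random odd exponent of the
    given size: the cost of a private-key operation without CRT tricks."""
    rng = random.Random(seed)
    d = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
    n = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
    _, mults = modexp_counted(2, d, n)
    return d, mults


if __name__ == "__main__":
    n, e, d = toy_rsa_keypair()
    print("toy key (sign, verify) mults:", handshake_op_counts(42, n, e, d))
    print("1024-bit private op mults:", full_size_private_exponent_cost()[1])
    print("is 97 prime?", is_probable_prime(97))
```

With e=3 the public operation is two multiplications regardless of modulus size, while a 1024-bit private exponent needs 1023 squarings plus one multiplication per set bit (roughly 1500 operations on 1024-bit numbers), which is why client authentication is the row that swamps the RSA total. The ECC column wins by doing its scalar arithmetic in a 163-bit field instead of modulo a 1024-bit number.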
WAP Gap: One Alternative…
• Dynamic Gateway Connection
• Other alternatives also exist…
(Figure; labels recovered from the slide: WTLS Class 2; SSL; Operator WAP Gateway; Internet; WAP Gateway at the Content Provider; Content Provider Web Server.)
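To make the WAP Gap concrete, here is an added Python model (not code from the deck) of the two gateway arrangements above. An operator gateway that terminates WTLS and re-encrypts under SSL necessarily holds the plaintext; the model records that exposure. The "dynamic gateway connection" is modelled, as an assumption about the figure, as the operator gateway merely forwarding opaque WTLS records to the content provider's own gateway, which then holds the only key. The cipher is a constructed SHA-256 keystream for the demonstration, not WTLS or SSL, and the keys and message are constructed sample values.

```python
"""Where the plaintext lives in the two WAP architectures on these slides.

Added illustration, not code from the deck. The 'cipher' is a constructed
SHA-256 keystream for demonstration only; real WTLS and SSL cipher suites
are not modelled.
"""
import hashlib

CONSTRUCTED_MESSAGE = b"account=12345678&amount=19.99"   # sample payload


def toy_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Constructed stream cipher: XOR with a SHA-256 counter keystream."""
    keystream = bytearray()
    block = 0
    while len(keystream) < len(data):
        keystream.extend(
            hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest())
        block += 1
    return bytes(a ^ b for a, b in zip(data, keystream))


toy_decrypt = toy_encrypt   # XOR with the same keystream is its own inverse


class OperatorGateway:
    """Classic WAP gateway: terminates WTLS, re-encrypts under SSL.

    Every record passes through in the clear here; that is the WAP gap.
    `seen_plaintext` records the exposure so the demo can show it."""

    def __init__(self, wtls_key: bytes, ssl_key: bytes):
        self.wtls_key = wtls_key
        self.ssl_key = ssl_key
        self.seen_plaintext = []

    def relay(self, wtls_record: bytes) -> bytes:
        nonce, body = wtls_record[:8], wtls_record[8:]
        plaintext = toy_decrypt(self.wtls_key, nonce, body)
        self.seen_plaintext.append(plaintext)       # the gap
        return nonce + toy_encrypt(self.ssl_key, nonce, plaintext)


class ForwardingOperatorGateway:
    """Dynamic gateway connection (assumed model): the operator forwards
    opaque WTLS records to the content provider's gateway and holds no key."""

    def __init__(self):
        self.seen_plaintext = []

    def relay(self, wtls_record: bytes) -> bytes:
        return wtls_record


def run_session(operator_gw, device_key, server_key, message,
                nonce=b"\x00" * 8):
    """Device -> operator gateway -> content provider side.

    Returns the plaintext the content provider recovers and the list of
    plaintexts the operator gateway saw on the way."""
    wtls_record = nonce + toy_encrypt(device_key, nonce, message)
    delivered = operator_gw.relay(wtls_record)
    recovered = toy_decrypt(server_key, delivered[:8], delivered[8:])
    return recovered, list(operator_gw.seen_plaintext)


def compare_architectures(message=CONSTRUCTED_MESSAGE):
    wtls_key, ssl_key = b"wtls-session-key", b"ssl-session-key"   # constructed
    classic = OperatorGateway(wtls_key, ssl_key)
    got_classic, seen_classic = run_session(classic, wtls_key, ssl_key, message)
    # Content provider's own gateway terminates WTLS, so it holds wtls_key.
    forwarding = ForwardingOperatorGateway()
    got_dyn, seen_dyn = run_session(forwarding, wtls_key, wtls_key, message)
    return {
        "classic": {"delivered_ok": got_classic == message,
                    "operator_saw_plaintext": message in seen_classic},
        "dynamic_gateway": {"delivered_ok": got_dyn == message,
                            "operator_saw_plaintext": message in seen_dyn},
    }


if __name__ == "__main__":
    for name, result in compare_architectures().items():
        print(name, result)
```

Both arrangements deliver the message intact; the difference the model exposes is purely who can read it in transit, which is the "control" concern the deck raises. Moving the WTLS endpoint into the content provider's domain shrinks the set of parties that must be trusted with plaintext from two (operator and provider) to one.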
Usability Challenges
• Hard data entry
  • Poor handwriting recognition
  • Numeric keypads for text entry are error-prone
  • Poor voice recognition
  • Further complicates security (entering passwords / speaking pass-phrases is hard!)
• Small screens
  • e.g., can’t show users everything in the “shopping cart” at once!
• Voice output is time consuming

Usability Approaches
• Graffiti (scaled-down handwriting recognition, Palm devices)
• T9 Text Input (word completion, most cell phones)
• Full alphanumeric keypad & scrollbar (Blackberry)
• Restricted VoiceXML grammars for better voice recognition
• Careful task-based Graphical User Interface & Dialog Design
• Lots of room for improvement!
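The keypad problem and the T9 answer to it can be seen in a few lines. The Python below is an added example, not code from the slides: it maps words to their phone-keypad digit codes, indexes a constructed word list the way a word-completion dictionary would, and reports which digit codes are ambiguous (the source of mis-selections) alongside the press count of plain multi-tap entry. The word list and press-count model are constructed; a real T9 dictionary holds tens of thousands of words.

```python
"""Keypad ambiguity behind 'numeric keypads for text entry are error-prone'.

Added illustration, not from the slides. The word list is constructed.
"""
from collections import defaultdict

# Standard letter layout of a phone keypad (ITU E.161).
KEYPAD = {"2": "abc", "3": "def", "4": "ghi", "5": "jkl",
          "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz"}
LETTER_TO_DIGIT = {c: d for d, letters in KEYPAD.items() for c in letters}

# Constructed sample dictionary.
SAMPLE_WORDS = ["good", "home", "gone", "hood", "cat", "bat", "act",
                "phone", "hello", "shop", "cart", "pay"]


def word_to_digits(word: str) -> str:
    """The digit sequence a user types for `word` under T9."""
    return "".join(LETTER_TO_DIGIT[c] for c in word.lower())


def multitap_presses(word: str) -> int:
    """Presses without word completion: a letter costs its position on its key."""
    return sum(KEYPAD[LETTER_TO_DIGIT[c]].index(c) + 1 for c in word.lower())


class T9Index:
    """Digit-code index over a word list, as a word-completion engine keeps."""

    def __init__(self, words):
        self.by_digits = defaultdict(list)
        for w in words:
            self.by_digits[word_to_digits(w)].append(w)

    def candidates(self, digits: str):
        """All words the same digit sequence could mean."""
        return sorted(self.by_digits.get(digits, []))

    def completions(self, prefix: str):
        """Word-completion view: every word whose digit code starts with prefix."""
        words = []
        for code, ws in self.by_digits.items():
            if code.startswith(prefix):
                words.extend(ws)
        return sorted(words)

    def ambiguous_codes(self):
        """Digit codes that map to more than one word."""
        return {code: sorted(ws)
                for code, ws in self.by_digits.items() if len(ws) > 1}


INDEX = T9Index(SAMPLE_WORDS)

if __name__ == "__main__":
    print("4663 ->", INDEX.candidates("4663"))
    print("ambiguous:", INDEX.ambiguous_codes())
    print("multi-tap presses for 'good':", multitap_presses("good"),
          "vs T9 digits:", len(word_to_digits("good")))
```

Word completion halves the presses for "good" (four digits instead of eight taps) but hands the user a four-way choice for the same code, which is exactly the trade-off the slide's "error-prone" remark points at, and it is why free-form strings such as passwords, which are not in any dictionary, gain nothing from T9.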
Heterogeneity Challenges
• Many link layer protocols (different security available in each)
• Many application layer standards
  • Businesses need to write to one or more standards or hire a company to help them!
• Many device types:
  • Many operating systems (Palm OS, Win CE, Symbian, Epoch, …)
  • Wide variation in capabilities

Heterogeneity Approaches
• HTML/Web screen scraping
• Protocol & mark-up language translators
• Standardization
Business Model Issues
• Possible Models:
  • Slotting fees
  • Wireless advertising (text)
  • Pay per application downloaded
  • Pay per page downloaded
  • Flat fees for service & applications
  • Revenue share on transactions
• Trust issues between banks, carriers, and portals
• Lack of content / services

Case Studies
• NTT DoCoMo’s I-Mode
• Palm.net
• Sprint PCS Wireless Web
NTT DoCoMo I-Mode
• 20 million users in Japan
• HTML-based microbrowser (supports HTTPS/SSL) on a CDMA-based network
• Tens of thousands of content sites, ring tones, and screen savers
• Pay per application downloaded and pay per page models
• Invested in AT&T Wireless, so we may see it here in the US in the next few years!

Palm.Net
• Low 100K users in the USA
• Web Clipping (specialized HTML) microbrowser on a Mobitex (TDMA) based network run by BellSouth (>98% coverage in urban areas)
• Hundreds of content sites (typically no charge for applications)
• Palm VII devices now selling for $100 due to user adoption problems. (Service plans range from $10 - $40 per month.)

Sprint PCS Wireless Web
• Low, single-digit millions of US users
• Multi-device strategy: WAP/HDML based microbrowser on phones, Web Clipping on Kyocera, both on a CDMA network
• ~50 content sites slotted, many others available (very hard to enter URLs, though)
• Slotting-fee + revenue-share-on-transactions model
• $10 per month flat fee to users; most phones already have the microbrowser installed.