270 likes | 443 Views
WAP Public Key Infrastructure. By: Juan Cao For: CSCI5939 Instructor: Dr. T. Andrew Yang Date: 04/03/2003. What is PKI?. Public-Key Infrastructure (PKI) is the combination of software, encryption technologies, and services that enables enterprises to provide secure services. “PKI integrate
E N D
WAP Public Key Infrastructure By: Juan Cao For: CSCI5939 Instructor: Dr. T. Andrew Yang Date: 04/03/2003
What is PKI? • Public-Key Infrastructure (PKI) is the combination of software, encryption technologies, and services that enables enterprises to provide secure services. • “PKI integrate * digital certificates, * public-key cryptography, * certificate authorities into a total, enterprise-wide network security architecture.”[1]
A typical enterprise's PKI encompasses • “the issuance of digital certificates to individual users and servers; • end-user enrollment software; • integration with corporate certificate directories (repository); • tools for managing, renewing, and revoking certificates; • and related services and support.”[1]
PKI is composed of following objects. • Certificate Authority • Digital Certificate • Registration Authority (RA) • Directory Servers • Certification Maintenance System
TLS and WTLS • WTLS is a variant of TLS optimized for use in wireless applications
WTLS instances are classified as • “Class 1 - Provides confidentiality and data integrity based on public-key cryptography between client and server. The two parties remain anonymous.”[6] • “Class 2 - Additionally introduces server certificates to allow the client to authenticate the server.”[6] • “Class 3 - Additionally introduces client certificates so that the WTLS session can be mutually authenticated and application-layer signatures can be generated as proof for non-repudiation.”[6]
CA root WAP CA Root SSL CA Root WAP Server SSL Server SSL Client w x x w w x WAP 1.1Security Architecture WTLS SSL/TLS terminal WAPGateway Server PKI portal CA
5 4 CA root WAP CA Root SSL CA Root SSL Server x x w w w 1 3 2 Enabling WTLSClass 2 Security terminal WAPGateway Server PKI portal CA
CA root WAP CA Root SSL CA Root WAP Server SSL Server SSL Client x w w x x x x w WAP 1.2Security Architecture WML Signature WTLS SSL/TLS terminal WAPGateway Server WTLS Auth WML Sign PKI portal CA repository
5 3 6 1 7 CA root WAP CA Root SSL CA Root WAP Server SSL Server x w w x x w 4 2 Enabling WTLSClass 3 Security terminal WAPGateway Server WTLS Auth PKI portal CA repository
Types of authentication: Message signing • “The WMLScript Crypto Library Specification provides cryptographic functionality for message signing.”[2] • “SignText provides a mechanism for client device to create a digital signature of text send to it using WMLScript.”[2] • “The WAP identity Module, WIM, may be used for private signing key storage and signature computation.”[2]
6 7 3 1 CA root WAP CA Root SSL CA Root WAP Server SSL Server w w w x x x x 4 2 Enabling WMLSignText Security terminal WAPGateway Server WML Sign WTLS auth PKI portal CA repository
CA root WAP CA Root SSL CA Root WAP Server WAP Server w x x x w w w WAP 1.3 End-to-EndSecurity Architecture WTLS WML Signature WTLS Server terminal WAPGateway Master pull proxy WTLS Auth WML Sign PKI portal CA repository
Digital Certificates • “Digital certificates are electronic files that are used to uniquely identify people and resources over networks such as the Internet.”[5] It is a passport. • A certificate typically includes a variety of information pertaining to its owner and to the CA that issued it, such as: * The name of the holder and other identification information * The holder’s public key * The name of the Certification Authority * A serial number * lifetime
Types of Digital Certificates • Client Certificate (Device Certificate for WIM): * Authenticates the clients • WAP Server WTLS certificate: * Authenticate the identity of the WAP server * Encrypt information for the server using WTLS • CA certificate: * Identifies CA * Is used to authenticate and validate the WAP server certificate.
WAP PKI Operations • Trusted CA information Handling. • WTLS Server Certificate Handling. • Client Registration. • Client Certificate URLs.
Trusted CA Information Handling • “This operation verifies whether the CA that issued the certificate, can be trusted or not.”[8] • “In order to provide integrity, trusted CA information is downloaded in self-signed format” [4] • “The CA information SHOULD be distributed (i.e. downloaded) to the clients through • WSP (wireless session protocol): CA information is pulled when a URL is presented to a user, • Provisioning: CA information is downloaded on the client.”[8]
Trusted CA information Handling contd.. • The CA information is sent to the client by: • Out of band hash verification method: the CA certificate is hashed and sent through an in-band channel whereas the “display” form of hash is sent in an out of band channel (phone or mail). * the hashed data hashVerification.doc[4]
Trusted CA information Handling contd.. • The CA information is sent to the client by: • Signature verification method: if a new CA has issued the certificate, then it can only be trusted if it is accompanied by the cert of a CA already trusted by the client. * signatureVerification.doc[4]
WTLS Server Certificate handling • The WAP server sends a certification request to a CA. • In response, the CA may. • Issue a long-lived WTLS certificate. • Or issue a sequence of short-lived WTLS certificates. • Used to check for revocation of servers. • Equivalent to certificate revocation lists (CRLs) in wired PKI • Typical lifetime is 48 hrs.
Client Registration • “The client “proves” its identity and also “proves” that it possesses the private key corresponding to the public key which is to be certified.”[7] • Finds the PKI portal via manual browsing or through a URL contained in WML page. • The PKI Portal checks if the requestor has the corresponding private key to the given public key (Proof of Possession). • The client can use either WTLS Class III or signText() as the mechanism for proving possession of the relevant private key. In other words: “prove it by using it”.
Client Certificate URLs • “it was suggested that instead of storing their certificates, clients could store a certificate URL that they then send over-the-air to verifiers.”[7] • “The verifier, presumably having fewer bandwidth limitations, can de-reference the URL and retrieve the client’s certificate.”[7] • “Doing this requires that the URL has a format that allows the verifier to check that the retrieved certificate and URL “match” and such a format is defined in the WPKI specification.”[7] • Protocols used HTTP, LDAP or FTP.
Examples • VirtualWine.doc[3] • Example.doc[5]
Future Outlook For WAP [9] • With the emergence of next generations networks it will make possible the delivery of full-motion video images and high-fidelity sound over mobile networks. • With the introduction of packet-switched data networks will kick-start the take-up of WAP services. • General packet radio services (GPRS), a method of sending Internet information to mobile telephones at high speed allowing mobile to be in always connected state • Technologies like bluetooth will connect the mobile to the personal computers.
References [1] http://www.misecurity.com/eng/products/wpki_info.html [2] http://www.eurescom.de/~pub/seminars/past/2001/SecurityFraud/10-Nardone/10aNardone/10nardone.pdf [3] www.mohca.org/presentations/wireless_vandergeest.ppt [4] http://www1.wapforum.org/tech/documents/WAP-217-WPKI-20010424-a.pdf [5] http://www.entrust.com/resources/pdf/understanding_wtls.pdf [6] http://www.ee.ucl.ac.uk/lcs/papers2002/LCS030.pdf [7] http://www.baltimore.co.kr/downloads/pdf/baltimore_telepathy_wpkiwhitepaper.pdf [8] http://nas.cl.uh.edu/yang/teaching/csci5939WAP/csci5939WAP.htm [9] http://www.mobileinfo.com/WAP/future_outlook.htm