2. WAP SECURITY
Wireless Application Protocol (WAP)
WAP is a specification for a set of communication protocols to standardize the way that wireless devices, such as cellular telephones and radio transceivers, can be used for Internet access, including e-mail, the World Wide Web, newsgroups, and instant messaging. While Internet access has been possible in the past, different manufacturers have used different technologies. In the future, devices and service systems that use WAP will be able to interoperate.
The WAP layers are:
1. Wireless Transport Layer Security (WTLS)
2. Wireless Transport Layer (WTP)
3. Wireless Session Layer (WSL)
4. Wireless Application Environment (WAE)
4. Transport-level security. This aspect deals with the communication between the client applications and the enterprise servers. This involves two protocols: WTLS is used over the air, while SSL or TLS is used over the wire. This change in protocols is the basis of the major WAP security problem.
Application-level security. This aspect deals with the security of the client application. This involves digital signatures and encryption.
5. Transport-level security
Transport-level security, also known as channel security, deals with the point-to-point communication between a wireless client and the enterprise data source. This involves communication over both wireless and wireline channels.
With WAP, data is encrypted during over-the-air transport using the Wireless Transport Layer Security (WTLS) protocol, and during over-the-wire transport using Internet security protocols such as SSL and TLS.
This creates a major security issue in WAP.
6. Wireless Transport Layer Security (WTLS)
The WTLS protocol was developed to address the unique characteristics of wireless networks, namely low bandwidth and high latency. It is a variation of the Transport Layer Security (TLS) protocol, which is the IETF standard for security on the Internet. Unfortunately, TLS cannot be used directly because it is not efficient enough for a wireless environment. WTLS improved on the efficiency of the protocol while adding new capabilities aimed at wireless users.
WTLS also introduced three levels of authentication between the client and the gateway. They are listed in ascending order:
Class I WTLS: Anonymous interactions between the client and WAP gateway; no authentication takes place.
Class II WTLS: The server authenticates itself to the client using WTLS certificates.
Class III WTLS: Both the client and the WAP gateway authenticate to each other. This is the form of authentication used with smartcards. GSM Subscriber Identity Modules (SIM), for example, can store authentication details on the device for two-way authentication.
7. WAP GAP
Unfortunately, at the same time WTLS improved on TLS for wireless communication, it also caused a major problem: now that both TLS and WTLS are required within the WAP architecture, there is a point at which a translation between the two protocols occurs. It is from this point, not from the WTLS protocol itself, that the security issues arise.
The translation occurs on the WAP gateway: from the client device to the WAP gateway, WTLS is used; from the gateway to the enterprise server, TLS is used. At this point, the WTLS content is decrypted and then re-encrypted using TLS. The content exists as plaintext while this transfer takes place, creating the so-called WAP gap.
There are two options for alleviating the WAP gap:
1. Accept that the gateway is a vulnerable point and make every effort to protect it using firewalls, monitoring equipment, and a stringent security policy.
2. Move the WAP gateway within your corporate firewall and manage it yourself.
8. Application-level security
With so much attention given to the WAP gap and transport-level security, developers often forget about application-level security altogether. Application-level security is important for two main reasons: (1) when security is required past the endpoints of transport-level security, and (2) when presentation content needs to be accessed but enterprise data does not. This can happen during transcoding, that is, when another markup language (often HTML) is being transformed into WML.
1. The first scenario can be addressed using the techniques provided in the WML specification. In general, the default settings are set to the highest security.
2. The second scenario can be addressed using WMLScript and the Crypto API. Using the signText function in the API, digital signatures can be created, opening the door for wireless PKI to manage and issue public key certificates. This technology allows for end-to-end encryption between the content provider (usually the enterprise) and the client.