SlideShare a Scribd company logo

Wap wml

Download as PPTX, PDF
A
Ankit Anand

wap wml

Education
1 of 22
A Power point Presentation on WAP Security
Overview • Security Basics • Wireless Security • WTLS & SSL • WAP Security Models • WIM, WMLScript, Access Control • Summary • References
Security Basics • Security Goals – Authentication – Confidentiality – Integrity – Authorization – Non-Repudiation
Security Basics • Cryptography – Symmetric: 3DES, RC4, etc. – Asymmetric: RSA, ECC • Key Exchange • Digital Signature • Certificates • PKI
Wireless Security • Link Layer Security – GSM – CDMA – CDPD • Application Layer Security – WAP: WTLS, WML, WMLScript, & SSL – iMode: N/A – SMS: N/A
Need for App Level Security • Bearer Independence • Security out to Gateway • Advanced Security Goals (ie. Non-Repudiation)
Basic WAP Architecture Internet Gateway Web Server WTLS SSL
WAP Security Models • Operator Hosts Gateway – Without PKI – With PKI • Content Provider Hosts Gateway – Static Gateway Connection – Dynamic Gateway Connection
Operator Hosts Gateway • Without PKI Internet WAP/HDTP Gateway Web Server WTLS Class 1 or Encrypted HDTP SSL Operator Content Provider
Operator Hosts Gateway • Without PKI: – Advantages • No extra work for Content Provider • No extra work for user • System only requires one logical gateway – Disadvantages • Content Provider must trust Operator (NDA) • Operator can control home deck • Operator can introduce advertising
Operator Hosts Gateway • With PKI
Operator Hosts Gateway • With PKI: – Advantages • Content providers does not need to trust Operator. – Disadvantages • PKI Infrastructure must be in place.
Content Provider Hosts Gateway • Static Gateway Connection WAP Gateway Web Server WTLS Class 2 SSL Content Provider
Content Provider Hosts Gateway • Static Gateway Connection – Advantages • Content Provider does not need to trust Operator • Content Provider can control home deck • OTA can be used to configure mobile terminal – Disadvantages • Mobile terminal may have limited number of gateway config sets (i.e., Nokia 7110 has 10) • Mobile Terminal needs to be configured. – OTA via WAP Push / SMS may not work with gateway / mobile terminal combination – Content Provider may have to pre-configure mobile terminals
Content Provider Hosts Gateway • Dynamic Gateway Connection Internet WAP Gateway WTLS Class 2 SSL Operator Web Server SSL Content Provider WAP Gateway
Content Provider Hosts Gateway • Dynamic Gateway Connection – Advantages • Content Provider does not need to trust Operator. • Content Provider does not need to worry about mobile terminal config – Disadvantages • Operator needs to trust Content Provider. • Not deployed yet.
Restricting Gateway Access • Consider the following attack: – Eve runs a “modified” WAP gateway – Eve fools a user into using her gateway • Now, Eve can eavesdrop on all of the users requests and responses! • To prevent this, check the gateway IP address in the HTTP request.
WIM: WAP Identity Module • WIM must be tamper-resistant • Stores Keys & Master Secrets • Computes crypto operations – “unwrapping master secret” – client signature in WTLS Handshake – key exchange (ECC WTLS Handshake) • Also: – Generates Keys – Stores Certificates (or their URLs) • CA & Root Certs • User Certs • Can be implemented with SIM
WMLScript Crypto API • Non-repudiation • signedString = Crypto.signText (stringToSign, options, keyIdType, keyId) • Uses a separate, distinct signing key • WIM can store signing key and compute signature
WML Access Control • WML Deck-Level Access Control <wml> <head> <access domain=“worldfaq.com” path = “/stats”> </head> <card> … </card> </wml> • WMLScript Access Control use access domain domain_name | path path_name | domain domain_name path path_name; • use access domain “worldfaq.com” path “/stats”
Summary • Gateway position & configuration allows for different trust models • Security at multiple levels – Link Layer (depends on bearer) – App Layer • Authentication, Confidentiality, and Integrity: WTLS • Authorization: App-dependent, or WML <access> and WMLScript use access pragma • Non-Repudiation: WML signText
References • C. Arehart, N. Chidambaram, S. Guruprasad, et. al. Professional WAP. Wrox Press, 2000. ISBN 1-861004-0-44 • D. Margrave, GSM Security and Encryption • WAP-100, Wireless Application Protocol Architecture Specification • WAP-191, Wireless Markup Language Specification • WAP-193, WMLScript Language Specification • WAP-199, Wireless Transport Layer Security Specification • WAP-198, Wireless Identity Module • WAP-161, WMLScript Crypto API Library • WAP-187, WAP Transport Layer E2E Security Specification • WAP-217, WAP Public Key Infrastructure Definition

Recommended

Ihor Bliumental - WebSockets
Ihor Bliumental - WebSocketsIhor Bliumental - WebSockets
Ihor Bliumental - WebSocketsOWASP Kyiv
 
Intro to WebRTC
Intro to WebRTCIntro to WebRTC
Intro to WebRTCTharuka KasthuriArachchi
 
Web security
Web securityWeb security
Web securityGreater Noida Institute Of Technology
 
MSC Digital transformation with Axway API Management products and SmartWave S...
MSC Digital transformation with Axway API Management products and SmartWave S...MSC Digital transformation with Axway API Management products and SmartWave S...
MSC Digital transformation with Axway API Management products and SmartWave S...SmartWave
 
Vital Aspects of SSL Support in MySQL
Vital Aspects of SSL Support in MySQLVital Aspects of SSL Support in MySQL
Vital Aspects of SSL Support in MySQLLesa Cote
 
Azure - Incoming network traffic
Azure - Incoming network trafficAzure - Incoming network traffic
Azure - Incoming network trafficAgnieszka Cent
 
zigbee
zigbeezigbee
zigbeemahamad juber
 
Virtual Private Networks
Virtual Private NetworksVirtual Private Networks
Virtual Private Networksprimeteacher32
 

Recommended

Ihor Bliumental - WebSockets
Ihor Bliumental - WebSocketsIhor Bliumental - WebSockets
Ihor Bliumental - WebSocketsOWASP Kyiv
 
Intro to WebRTC
Intro to WebRTCIntro to WebRTC
Intro to WebRTCTharuka KasthuriArachchi
 
Web security
Web securityWeb security
Web securityGreater Noida Institute Of Technology
 
MSC Digital transformation with Axway API Management products and SmartWave S...
MSC Digital transformation with Axway API Management products and SmartWave S...MSC Digital transformation with Axway API Management products and SmartWave S...
MSC Digital transformation with Axway API Management products and SmartWave S...SmartWave
 
Vital Aspects of SSL Support in MySQL
Vital Aspects of SSL Support in MySQLVital Aspects of SSL Support in MySQL
Vital Aspects of SSL Support in MySQLLesa Cote
 
Azure - Incoming network traffic
Azure - Incoming network trafficAzure - Incoming network traffic
Azure - Incoming network trafficAgnieszka Cent
 
zigbee
zigbeezigbee
zigbeemahamad juber
 
Virtual Private Networks
Virtual Private NetworksVirtual Private Networks
Virtual Private Networksprimeteacher32
 
Proxy server
Proxy serverProxy server
Proxy serverDlovan Salih
 
Cloudron bay lisa-presentation
Cloudron bay lisa-presentationCloudron bay lisa-presentation
Cloudron bay lisa-presentationGirish Ramakrishnan
 
16 palo alto ssl decryption policy concept
16 palo alto ssl decryption policy concept16 palo alto ssl decryption policy concept
16 palo alto ssl decryption policy conceptMostafa El Lathy
 
Proxy Presentation
Proxy PresentationProxy Presentation
Proxy Presentationprimeteacher32
 
Enterprise Network Monitoring Software by ServicePilot
Enterprise Network Monitoring Software by ServicePilotEnterprise Network Monitoring Software by ServicePilot
Enterprise Network Monitoring Software by ServicePilotServicePilot
 
Toronto MuleSoft Meetup: Virtual Meetup #3
Toronto MuleSoft Meetup: Virtual Meetup #3Toronto MuleSoft Meetup: Virtual Meetup #3
Toronto MuleSoft Meetup: Virtual Meetup #3Alexandra N. Martinez
 
Webservice security considerations and measures
Webservice security considerations and measuresWebservice security considerations and measures
Webservice security considerations and measuresMaarten Smeets
 
WSO2 Application Server
WSO2 Application ServerWSO2 Application Server
WSO2 Application ServerSagara Gunathunga
 
Application Monitoring with WSO2 App Server
Application Monitoring with WSO2 App ServerApplication Monitoring with WSO2 App Server
Application Monitoring with WSO2 App ServerSagara Gunathunga
 
K8s Webhook Admission
K8s Webhook AdmissionK8s Webhook Admission
K8s Webhook AdmissionHuynh Thai Bao
 
Dangerous Demo: Apidaze
Dangerous Demo: ApidazeDangerous Demo: Apidaze
Dangerous Demo: ApidazeAlan Quayle
 
CloudFlare - The Heartbleed Bug - Webinar
CloudFlare - The Heartbleed Bug - WebinarCloudFlare - The Heartbleed Bug - Webinar
CloudFlare - The Heartbleed Bug - WebinarCloudflare
 
Access control
Access controlAccess control
Access controlAravindan A
 
Proxy
ProxyProxy
ProxyTriad Square InfoSec
 
13 palo alto url web filtering concept
13 palo alto url web filtering concept13 palo alto url web filtering concept
13 palo alto url web filtering conceptMostafa El Lathy
 
Wap Security Arch Presentation
Wap Security Arch PresentationWap Security Arch Presentation
Wap Security Arch PresentationRam Dutt Shukla
 
Secure electronic transaction
Secure electronic transactionSecure electronic transaction
Secure electronic transactionNishant Pahad
 
Top 10 mobile security risks - Khổng Văn Cường
Top 10 mobile security risks - Khổng Văn CườngTop 10 mobile security risks - Khổng Văn Cường
Top 10 mobile security risks - Khổng Văn CườngVõ Thái Lâm
 
Top 10 mobile security risks - Khổng Văn Cường
Top 10 mobile security risks - Khổng Văn CườngTop 10 mobile security risks - Khổng Văn Cường
Top 10 mobile security risks - Khổng Văn CườngSecurity Bootcamp
 
Security Considerations for Microservices and Multi cloud
Security Considerations for Microservices and Multi cloudSecurity Considerations for Microservices and Multi cloud
Security Considerations for Microservices and Multi cloudNeelkamal Gaharwar
 
Web security
Web securityWeb security
Web securityMuhammad Usman
 
Vpn
VpnVpn
VpnLan & Wan Solutions
 

More Related Content

What's hot

16 palo alto ssl decryption policy concept
16 palo alto ssl decryption policy concept16 palo alto ssl decryption policy concept
16 palo alto ssl decryption policy conceptMostafa El Lathy
 
Enterprise Network Monitoring Software by ServicePilot
Enterprise Network Monitoring Software by ServicePilotEnterprise Network Monitoring Software by ServicePilot
Enterprise Network Monitoring Software by ServicePilotServicePilot
 
Toronto MuleSoft Meetup: Virtual Meetup #3
Toronto MuleSoft Meetup: Virtual Meetup #3Toronto MuleSoft Meetup: Virtual Meetup #3
Toronto MuleSoft Meetup: Virtual Meetup #3Alexandra N. Martinez
 
Webservice security considerations and measures
Webservice security considerations and measuresWebservice security considerations and measures
Webservice security considerations and measuresMaarten Smeets
 
Application Monitoring with WSO2 App Server
Application Monitoring with WSO2 App ServerApplication Monitoring with WSO2 App Server
Application Monitoring with WSO2 App ServerSagara Gunathunga
 
Dangerous Demo: Apidaze
Dangerous Demo: ApidazeDangerous Demo: Apidaze
Dangerous Demo: ApidazeAlan Quayle
 
CloudFlare - The Heartbleed Bug - Webinar
CloudFlare - The Heartbleed Bug - WebinarCloudFlare - The Heartbleed Bug - Webinar
CloudFlare - The Heartbleed Bug - WebinarCloudflare
 
13 palo alto url web filtering concept
13 palo alto url web filtering concept13 palo alto url web filtering concept
13 palo alto url web filtering conceptMostafa El Lathy
 

What's hot (15)

Proxy server
Proxy serverProxy server
Proxy server
 
Cloudron bay lisa-presentation
Cloudron bay lisa-presentationCloudron bay lisa-presentation
Cloudron bay lisa-presentation
 
16 palo alto ssl decryption policy concept
16 palo alto ssl decryption policy concept16 palo alto ssl decryption policy concept
16 palo alto ssl decryption policy concept
 
Proxy Presentation
Proxy PresentationProxy Presentation
Proxy Presentation
 
Enterprise Network Monitoring Software by ServicePilot
Enterprise Network Monitoring Software by ServicePilotEnterprise Network Monitoring Software by ServicePilot
Enterprise Network Monitoring Software by ServicePilot
 
Toronto MuleSoft Meetup: Virtual Meetup #3
Toronto MuleSoft Meetup: Virtual Meetup #3Toronto MuleSoft Meetup: Virtual Meetup #3
Toronto MuleSoft Meetup: Virtual Meetup #3
 
Webservice security considerations and measures
Webservice security considerations and measuresWebservice security considerations and measures
Webservice security considerations and measures
 
WSO2 Application Server
WSO2 Application ServerWSO2 Application Server
WSO2 Application Server
 
Application Monitoring with WSO2 App Server
Application Monitoring with WSO2 App ServerApplication Monitoring with WSO2 App Server
Application Monitoring with WSO2 App Server
 
K8s Webhook Admission
K8s Webhook AdmissionK8s Webhook Admission
K8s Webhook Admission
 
Dangerous Demo: Apidaze
Dangerous Demo: ApidazeDangerous Demo: Apidaze
Dangerous Demo: Apidaze
 
CloudFlare - The Heartbleed Bug - Webinar
CloudFlare - The Heartbleed Bug - WebinarCloudFlare - The Heartbleed Bug - Webinar
CloudFlare - The Heartbleed Bug - Webinar
 
Access control
Access controlAccess control
Access control
 
Proxy
ProxyProxy
Proxy
 
13 palo alto url web filtering concept
13 palo alto url web filtering concept13 palo alto url web filtering concept
13 palo alto url web filtering concept
 

Similar to Wap wml

Wap Security Arch Presentation
Wap Security Arch PresentationWap Security Arch Presentation
Wap Security Arch PresentationRam Dutt Shukla
 
Secure electronic transaction
Secure electronic transactionSecure electronic transaction
Secure electronic transactionNishant Pahad
 
Top 10 mobile security risks - Khổng Văn Cường
Top 10 mobile security risks - Khổng Văn CườngTop 10 mobile security risks - Khổng Văn Cường
Top 10 mobile security risks - Khổng Văn CườngVõ Thái Lâm
 
Top 10 mobile security risks - Khổng Văn Cường
Top 10 mobile security risks - Khổng Văn CườngTop 10 mobile security risks - Khổng Văn Cường
Top 10 mobile security risks - Khổng Văn CườngSecurity Bootcamp
 
Security Considerations for Microservices and Multi cloud
Security Considerations for Microservices and Multi cloudSecurity Considerations for Microservices and Multi cloud
Security Considerations for Microservices and Multi cloudNeelkamal Gaharwar
 
RightScale Webinar: Security and Compliance in the Cloud
RightScale Webinar: Security and Compliance in the CloudRightScale Webinar: Security and Compliance in the Cloud
RightScale Webinar: Security and Compliance in the CloudRightScale
 
Certificate pinning in android applications
Certificate pinning in android applicationsCertificate pinning in android applications
Certificate pinning in android applicationsArash Ramez
 
Trust No-One Architecture For Services And Data
Trust No-One Architecture For Services And DataTrust No-One Architecture For Services And Data
Trust No-One Architecture For Services And DataAidan Finn
 
ch1 eriht eriotery erogyteip ergy7.ppt
ch1 eriht eriotery erogyteip ergy7.pptch1 eriht eriotery erogyteip ergy7.ppt
ch1 eriht eriotery erogyteip ergy7.pptSonukumarRawat
 
The History and Status of Web Crypto API (2012)
The History and Status of Web Crypto API (2012)The History and Status of Web Crypto API (2012)
The History and Status of Web Crypto API (2012)Channy Yun
 
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer ProtectionOwasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer ProtectionAnant Shrivastava
 
Practical Steps to Hack-Proofing AWS
Practical Steps to Hack-Proofing AWSPractical Steps to Hack-Proofing AWS
Practical Steps to Hack-Proofing AWSAmazon Web Services
 
Dr. Omar Ali Alibrahim - Ssl talk
Dr. Omar Ali Alibrahim - Ssl talkDr. Omar Ali Alibrahim - Ssl talk
Dr. Omar Ali Alibrahim - Ssl talkpromediakw
 
Cisco-Wireless-Guest-v10.pptx
Cisco-Wireless-Guest-v10.pptxCisco-Wireless-Guest-v10.pptx
Cisco-Wireless-Guest-v10.pptxAkashMalkood1
 
Practical Steps to Hackproofing AWS
Practical Steps to Hackproofing AWSPractical Steps to Hackproofing AWS
Practical Steps to Hackproofing AWSAmazon Web Services
 
#MFSummit2016 Secure: Is your mainframe less secure than your fileserver
#MFSummit2016 Secure: Is your mainframe less secure than your fileserver#MFSummit2016 Secure: Is your mainframe less secure than your fileserver
#MFSummit2016 Secure: Is your mainframe less secure than your fileserverMicro Focus
 

Similar to Wap wml (20)

Wap Security Arch Presentation
Wap Security Arch PresentationWap Security Arch Presentation
Wap Security Arch Presentation
 
Secure electronic transaction
Secure electronic transactionSecure electronic transaction
Secure electronic transaction
 
Top 10 mobile security risks - Khổng Văn Cường
Top 10 mobile security risks - Khổng Văn CườngTop 10 mobile security risks - Khổng Văn Cường
Top 10 mobile security risks - Khổng Văn Cường
 
Top 10 mobile security risks - Khổng Văn Cường
Top 10 mobile security risks - Khổng Văn CườngTop 10 mobile security risks - Khổng Văn Cường
Top 10 mobile security risks - Khổng Văn Cường
 
Security Considerations for Microservices and Multi cloud
Security Considerations for Microservices and Multi cloudSecurity Considerations for Microservices and Multi cloud
Security Considerations for Microservices and Multi cloud
 
Web security
Web securityWeb security
Web security
 
Vpn
VpnVpn
Vpn
 
RightScale Webinar: Security and Compliance in the Cloud
RightScale Webinar: Security and Compliance in the CloudRightScale Webinar: Security and Compliance in the Cloud
RightScale Webinar: Security and Compliance in the Cloud
 
D@W REST security
D@W REST securityD@W REST security
D@W REST security
 
Certificate pinning in android applications
Certificate pinning in android applicationsCertificate pinning in android applications
Certificate pinning in android applications
 
Trust No-One Architecture For Services And Data
Trust No-One Architecture For Services And DataTrust No-One Architecture For Services And Data
Trust No-One Architecture For Services And Data
 
ch1 eriht eriotery erogyteip ergy7.ppt
ch1 eriht eriotery erogyteip ergy7.pptch1 eriht eriotery erogyteip ergy7.ppt
ch1 eriht eriotery erogyteip ergy7.ppt
 
The History and Status of Web Crypto API (2012)
The History and Status of Web Crypto API (2012)The History and Status of Web Crypto API (2012)
The History and Status of Web Crypto API (2012)
 
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer ProtectionOwasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
 
Practical Steps to Hack-Proofing AWS
Practical Steps to Hack-Proofing AWSPractical Steps to Hack-Proofing AWS
Practical Steps to Hack-Proofing AWS
 
Dr. Omar Ali Alibrahim - Ssl talk
Dr. Omar Ali Alibrahim - Ssl talkDr. Omar Ali Alibrahim - Ssl talk
Dr. Omar Ali Alibrahim - Ssl talk
 
Unit08
Unit08Unit08
Unit08
 
Cisco-Wireless-Guest-v10.pptx
Cisco-Wireless-Guest-v10.pptxCisco-Wireless-Guest-v10.pptx
Cisco-Wireless-Guest-v10.pptx
 
Practical Steps to Hackproofing AWS
Practical Steps to Hackproofing AWSPractical Steps to Hackproofing AWS
Practical Steps to Hackproofing AWS
 
#MFSummit2016 Secure: Is your mainframe less secure than your fileserver
#MFSummit2016 Secure: Is your mainframe less secure than your fileserver#MFSummit2016 Secure: Is your mainframe less secure than your fileserver
#MFSummit2016 Secure: Is your mainframe less secure than your fileserver
 

More from Ankit Anand

Voice oriented data communication
Voice oriented data communicationVoice oriented data communication
Voice oriented data communicationAnkit Anand
 
Wireless gateways and mobile appl. servers
Wireless gateways and mobile appl. serversWireless gateways and mobile appl. servers
Wireless gateways and mobile appl. serversAnkit Anand
 
Internet protocol security
Internet protocol securityInternet protocol security
Internet protocol securityAnkit Anand
 
Wireless lan security
Wireless lan securityWireless lan security
Wireless lan securityAnkit Anand
 
Middleware final
Middleware finalMiddleware final
Middleware finalAnkit Anand
 
Enhanced data gsm environment
Enhanced data gsm environmentEnhanced data gsm environment
Enhanced data gsm environmentAnkit Anand
 
10 mobile agents
10 mobile agents10 mobile agents
10 mobile agentsAnkit Anand
 

More from Ankit Anand (20)

Voice oriented data communication
Voice oriented data communicationVoice oriented data communication
Voice oriented data communication
 
Wireless gateways and mobile appl. servers
Wireless gateways and mobile appl. serversWireless gateways and mobile appl. servers
Wireless gateways and mobile appl. servers
 
Internet protocol security
Internet protocol securityInternet protocol security
Internet protocol security
 
Wireless lan security
Wireless lan securityWireless lan security
Wireless lan security
 
Wtls
WtlsWtls
Wtls
 
Wap wml-6
Wap wml-6Wap wml-6
Wap wml-6
 
Data (1)
Data (1)Data (1)
Data (1)
 
Mc
McMc
Mc
 
Mc seminar
Mc seminarMc seminar
Mc seminar
 
Mcseminar
McseminarMcseminar
Mcseminar
 
Middleware final
Middleware finalMiddleware final
Middleware final
 
Web services
Web servicesWeb services
Web services
 
Vpn 3
Vpn 3Vpn 3
Vpn 3
 
Vpn
VpnVpn
Vpn
 
Enhanced data gsm environment
Enhanced data gsm environmentEnhanced data gsm environment
Enhanced data gsm environment
 
Seminar gprs
Seminar gprsSeminar gprs
Seminar gprs
 
Seminar mc palm
Seminar mc palmSeminar mc palm
Seminar mc palm
 
Guided media
Guided mediaGuided media
Guided media
 
12 mobile os
12 mobile os12 mobile os
12 mobile os
 
10 mobile agents
10 mobile agents10 mobile agents
10 mobile agents
 

Recently uploaded

Alper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentAlper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentInMediaRes1
 
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Sapana Sha
 
Sanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfSanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfsanyamsingh5019
 
APM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAPM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAssociation for Project Management
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxheathfieldcps1
 
Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3JemimahLaneBuaron
 
A Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformA Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformChameera Dedduwage
 
Grant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingGrant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingTechSoup
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeThiyagu K
 
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptxOrganic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptxVS Mahajan Coaching Centre
 
Employee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxEmployee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxNirmalaLoungPoorunde1
 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13Steve Thomason
 
Arihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdfArihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdfchloefrazer622
 
URLs and Routing in the Odoo 17 Website App
URLs and Routing in the Odoo 17 Website AppURLs and Routing in the Odoo 17 Website App
URLs and Routing in the Odoo 17 Website AppCeline George
 
Presiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha electionsPresiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha electionsanshu789521
 
Introduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxIntroduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxpboyjonauth
 
mini mental status format.docx
mini mental status format.docxmini mental status format.docx
mini mental status format.docxPoojaSen20
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityGeoBlogs
 
Crayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon ACrayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon AUnboundStockton
 

Recently uploaded (20)

Alper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentAlper Gobel In Media Res Media Component
Alper Gobel In Media Res Media Component
 
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
 
Sanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfSanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdf
 
APM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAPM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across Sectors
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptx
 
Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3
 
A Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformA Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy Reform
 
Grant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingGrant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy Consulting
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and Mode
 
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptxOrganic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
 
Employee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxEmployee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptx
 
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdfTataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13
 
Arihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdfArihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdf
 
URLs and Routing in the Odoo 17 Website App
URLs and Routing in the Odoo 17 Website AppURLs and Routing in the Odoo 17 Website App
URLs and Routing in the Odoo 17 Website App
 
Presiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha electionsPresiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha elections
 
Introduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxIntroduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptx
 
mini mental status format.docx
mini mental status format.docxmini mental status format.docx
mini mental status format.docx
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activity
 
Crayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon ACrayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon A
 

Wap wml

  • 1. A Power point Presentation on WAP Security
  • 2. Overview • Security Basics • Wireless Security • WTLS & SSL • WAP Security Models • WIM, WMLScript, Access Control • Summary • References
  • 3. Security Basics • Security Goals – Authentication – Confidentiality – Integrity – Authorization – Non-Repudiation
  • 4. Security Basics • Cryptography – Symmetric: 3DES, RC4, etc. – Asymmetric: RSA, ECC • Key Exchange • Digital Signature • Certificates • PKI
  • 5. Wireless Security • Link Layer Security – GSM – CDMA – CDPD • Application Layer Security – WAP: WTLS, WML, WMLScript, & SSL – iMode: N/A – SMS: N/A
  • 6. Need for App Level Security • Bearer Independence • Security out to Gateway • Advanced Security Goals (ie. Non-Repudiation)
  • 8. WAP Security Models • Operator Hosts Gateway – Without PKI – With PKI • Content Provider Hosts Gateway – Static Gateway Connection – Dynamic Gateway Connection
  • 9. Operator Hosts Gateway • Without PKI Internet WAP/HDTP Gateway Web Server WTLS Class 1 or Encrypted HDTP SSL Operator Content Provider
  • 10. Operator Hosts Gateway • Without PKI: – Advantages • No extra work for Content Provider • No extra work for user • System only requires one logical gateway – Disadvantages • Content Provider must trust Operator (NDA) • Operator can control home deck • Operator can introduce advertising
  • 12. Operator Hosts Gateway • With PKI: – Advantages • Content providers does not need to trust Operator. – Disadvantages • PKI Infrastructure must be in place.
  • 13. Content Provider Hosts Gateway • Static Gateway Connection WAP Gateway Web Server WTLS Class 2 SSL Content Provider
  • 14. Content Provider Hosts Gateway • Static Gateway Connection – Advantages • Content Provider does not need to trust Operator • Content Provider can control home deck • OTA can be used to configure mobile terminal – Disadvantages • Mobile terminal may have limited number of gateway config sets (i.e., Nokia 7110 has 10) • Mobile Terminal needs to be configured. – OTA via WAP Push / SMS may not work with gateway / mobile terminal combination – Content Provider may have to pre-configure mobile terminals
  • 15. Content Provider Hosts Gateway • Dynamic Gateway Connection Internet WAP Gateway WTLS Class 2 SSL Operator Web Server SSL Content Provider WAP Gateway
  • 16. Content Provider Hosts Gateway • Dynamic Gateway Connection – Advantages • Content Provider does not need to trust Operator. • Content Provider does not need to worry about mobile terminal config – Disadvantages • Operator needs to trust Content Provider. • Not deployed yet.
  • 17. Restricting Gateway Access • Consider the following attack: – Eve runs a “modified” WAP gateway – Eve fools a user into using her gateway • Now, Eve can eavesdrop on all of the users requests and responses! • To prevent this, check the gateway IP address in the HTTP request.
  • 18. WIM: WAP Identity Module • WIM must be tamper-resistant • Stores Keys & Master Secrets • Computes crypto operations – “unwrapping master secret” – client signature in WTLS Handshake – key exchange (ECC WTLS Handshake) • Also: – Generates Keys – Stores Certificates (or their URLs) • CA & Root Certs • User Certs • Can be implemented with SIM
  • 19. WMLScript Crypto API • Non-repudiation • signedString = Crypto.signText (stringToSign, options, keyIdType, keyId) • Uses a separate, distinct signing key • WIM can store signing key and compute signature
  • 20. WML Access Control • WML Deck-Level Access Control <wml> <head> <access domain=“worldfaq.com” path = “/stats”> </head> <card> … </card> </wml> • WMLScript Access Control use access domain domain_name | path path_name | domain domain_name path path_name; • use access domain “worldfaq.com” path “/stats”
  • 21. Summary • Gateway position & configuration allows for different trust models • Security at multiple levels – Link Layer (depends on bearer) – App Layer • Authentication, Confidentiality, and Integrity: WTLS • Authorization: App-dependent, or WML <access> and WMLScript use access pragma • Non-Repudiation: WML signText
  • 22. References • C. Arehart, N. Chidambaram, S. Guruprasad, et. al. Professional WAP. Wrox Press, 2000. ISBN 1-861004-0-44 • D. Margrave, GSM Security and Encryption • WAP-100, Wireless Application Protocol Architecture Specification • WAP-191, Wireless Markup Language Specification • WAP-193, WMLScript Language Specification • WAP-199, Wireless Transport Layer Security Specification • WAP-198, Wireless Identity Module • WAP-161, WMLScript Crypto API Library • WAP-187, WAP Transport Layer E2E Security Specification • WAP-217, WAP Public Key Infrastructure Definition