Wap wml-6
•Download as PPTX, PDF•
0 likes•85 views
This presentation discusses security for the Wireless Application Protocol (WAP). It covers security basics like authentication, confidentiality and encryption. It then discusses how security is implemented at the link layer and application layer in WAP. At the application layer, WTLS provides security for WAP applications, while SSL can be used for internet connections. Different trust models for WAP gateways hosted by operators or content providers are presented. The WAP Identity Module (WIM) provides cryptographic operations and secure storage of keys. Access control and digital signatures help provide authorization and non-repudiation in WAP.
Report
Share
Report
Share
Recommended
Ihor Bliumental - WebSockets
This document discusses security considerations for WebSocket implementations. It covers the WebSocket handshake protocol, authentication and authorization vulnerabilities such as accessing restricted data without permission. It also addresses issues like cross origin resource sharing, encryption of sensitive data, resource exhaustion attacks, input validation vulnerabilities, and tools for testing WebSocket security like the Chrome developer tools, Burp Suite, and OWASP ZAP. The document provides an example and invites questions from the audience.
Intro to WebRTC
WebRTC allows for real-time communication through a web browser or mobile app using audio, video, and data without requiring a centralized server. It works by using STUN and TURN servers to handle signaling and traverse NATs to establish a direct peer-to-peer connection when possible. WebRTC implements encryption and permissions to help secure access to devices and media streams, though vulnerabilities still exist around stolen credentials and unverified certificates. It supports advanced features like simulcast for adaptive streaming and SFUs for flexible multi-party video routing.
Web security
This document discusses various methods for web security including HTTP authentication using usernames and passwords, digest authentication as an improvement over basic authentication, secure sockets layer (SSL) for encrypting communications, and the Java cryptographic packages including JCE for encryption/decryption, JSSE for SSL/TLS support, JAAS for authentication and authorization, Java GSS API for Kerberos support, and the Java Certification Path API for validating certificate chains.
MSC Digital transformation with Axway API Management products and SmartWave S...
This document discusses MSC Mediterranean Shipping Company's cargo division and current IT systems. It summarizes that MSC operates 490 vessels with a total capacity of 19,224 TEUs carrying 18 million TEUs annually across 500 ports of call in 155 countries. MSC's IT systems include major agency solutions, local agency solutions, and VIP customer solutions to manage booking, billing of lading, and invoicing. The document then discusses MSC's plans to transition to a new IT platform called OneVision using microservices and API-led connectivity to improve agility, security, and management of its diverse IT systems and partners.
Vital Aspects of SSL Support in MySQL
The expert discusses about the SSL support in MySQL. You will find MySQL assignment help. Hire us now!
Azure - Incoming network traffic
The document discusses different types of network traffic managers and load balancers, including their routing methods, layers of the OSI model they operate on, and key features. It describes traffic managers that can route using priority, weight, performance, geography, multiple values, or subnet. It also covers front doors that handle HTTP/HTTPS, use URL-based routing, support multiple sites and SSL termination. Load balancers are defined as external/internal and basic/standard. Application gateways support SSL/TLS, auto-scaling, session affinity, and decrypting requests.
zigbee
This document discusses the design and implementation of a proxy server. A proxy server acts as an intermediary between clients and external servers, caching frequently accessed content to improve performance and providing firewall functionality to enhance security. The implemented proxy server is a multithreaded Java application that handles client requests, checks the cache for content, forwards requests to remote servers if needed, and returns responses while also updating the cache. It functions by having a main daemon thread listen for connections and spawn new threads to handle each client request by communicating with servers and caching content.
Virtual Private Networks
Virtual private networks (VPNs) allow secure communications over the public Internet by encrypting data and tunneling it through virtual connections. VPNs function like private leased lines but provide a more cost-effective way to connect remote users and offices. Essential VPN components include encryption endpoints, tunnels to encapsulate data, and authentication of users and devices on the private network. Common VPN setups are either mesh architectures with direct connections between all sites or hub-and-spoke with connections terminating at a central server. Protocols like IPSec and IKE enable encryption and key exchange to securely transmit data over VPN tunnels.
Recommended
Ihor Bliumental - WebSockets
This document discusses security considerations for WebSocket implementations. It covers the WebSocket handshake protocol, authentication and authorization vulnerabilities such as accessing restricted data without permission. It also addresses issues like cross origin resource sharing, encryption of sensitive data, resource exhaustion attacks, input validation vulnerabilities, and tools for testing WebSocket security like the Chrome developer tools, Burp Suite, and OWASP ZAP. The document provides an example and invites questions from the audience.
Intro to WebRTC
WebRTC allows for real-time communication through a web browser or mobile app using audio, video, and data without requiring a centralized server. It works by using STUN and TURN servers to handle signaling and traverse NATs to establish a direct peer-to-peer connection when possible. WebRTC implements encryption and permissions to help secure access to devices and media streams, though vulnerabilities still exist around stolen credentials and unverified certificates. It supports advanced features like simulcast for adaptive streaming and SFUs for flexible multi-party video routing.
Web security
This document discusses various methods for web security including HTTP authentication using usernames and passwords, digest authentication as an improvement over basic authentication, secure sockets layer (SSL) for encrypting communications, and the Java cryptographic packages including JCE for encryption/decryption, JSSE for SSL/TLS support, JAAS for authentication and authorization, Java GSS API for Kerberos support, and the Java Certification Path API for validating certificate chains.
MSC Digital transformation with Axway API Management products and SmartWave S...
This document discusses MSC Mediterranean Shipping Company's cargo division and current IT systems. It summarizes that MSC operates 490 vessels with a total capacity of 19,224 TEUs carrying 18 million TEUs annually across 500 ports of call in 155 countries. MSC's IT systems include major agency solutions, local agency solutions, and VIP customer solutions to manage booking, billing of lading, and invoicing. The document then discusses MSC's plans to transition to a new IT platform called OneVision using microservices and API-led connectivity to improve agility, security, and management of its diverse IT systems and partners.
Vital Aspects of SSL Support in MySQL
The expert discusses about the SSL support in MySQL. You will find MySQL assignment help. Hire us now!
Azure - Incoming network traffic
The document discusses different types of network traffic managers and load balancers, including their routing methods, layers of the OSI model they operate on, and key features. It describes traffic managers that can route using priority, weight, performance, geography, multiple values, or subnet. It also covers front doors that handle HTTP/HTTPS, use URL-based routing, support multiple sites and SSL termination. Load balancers are defined as external/internal and basic/standard. Application gateways support SSL/TLS, auto-scaling, session affinity, and decrypting requests.
zigbee
This document discusses the design and implementation of a proxy server. A proxy server acts as an intermediary between clients and external servers, caching frequently accessed content to improve performance and providing firewall functionality to enhance security. The implemented proxy server is a multithreaded Java application that handles client requests, checks the cache for content, forwards requests to remote servers if needed, and returns responses while also updating the cache. It functions by having a main daemon thread listen for connections and spawn new threads to handle each client request by communicating with servers and caching content.
Virtual Private Networks
Virtual private networks (VPNs) allow secure communications over the public Internet by encrypting data and tunneling it through virtual connections. VPNs function like private leased lines but provide a more cost-effective way to connect remote users and offices. Essential VPN components include encryption endpoints, tunnels to encapsulate data, and authentication of users and devices on the private network. Common VPN setups are either mesh architectures with direct connections between all sites or hub-and-spoke with connections terminating at a central server. Protocols like IPSec and IKE enable encryption and key exchange to securely transmit data over VPN tunnels.
Proxy server
this presentation is about proxy server on 5 minutes
used only keywords
you can get information from reference link
Cloudron bay lisa-presentation
This document discusses self-hosting web applications and services. It introduces self-hosting and the challenges it presents to businesses. It then describes Cloudron, a platform that aims to make self-hosting as easy as software-as-a-service (SaaS) by automating deployment, updates, security, and backups of applications running on a user's own server or infrastructure. The document demonstrates Cloudron and explains its architecture and how it manages application lifecycles.
16 palo alto ssl decryption policy concept
https://www.facebook.com/MostafaElLathyIT
mostafa.it@hotmail.com
https://www.youtube.com/channel/UCAEiVvBP3DbIKUcoZBcaHvQ
Proxy Presentation
Proxy servers act as intermediaries between internal and external networks, screening traffic and enforcing security policies. They can conceal internal network structure, filter undesirable content, and provide detailed logs. Proxy servers differ from packet filters in that they operate at the application layer and can reconstruct packets with new source IP information to shield internal hosts. Common configurations involve a computer with two network interfaces, one internal and one external. Benefits include concealed clients, blocked URLs and content, and robust logging. Proper configuration of both the proxy server and client software is required.
Enterprise Network Monitoring Software by ServicePilot
Get a network monitoring software that equips you with the tools you need to monitor and analyze performance degradations.
Toronto MuleSoft Meetup: Virtual Meetup #3
Join us in the third Virtual meetup to learn more about securing APIs by implementing one-way and two-way SSL.
Webservice security considerations and measures
Security is a hot topic, especially with new laws concerning how to deal with personally identifiable information (PII) and the journey to the cloud many organisations are making. When implemented correctly, security measures can protect your company from people trying to spy on you or manipulate your systems. Security can be implemented at different layers. In this presentation I'll zoom in on webservices and which choices there are to make on the application layer and transport layer. This spans area's like authentication, keys/keystores, OWSM policy choices, WebLogic SSL configuration and cipher suite choices. Security measures are even more relevant in cloud integration scenario's since services might not just be accessible from your internal network. After this presentation, architects and developers will have a good idea on how to quickly get started with taking security measures.
WSO2 Application Server
The document discusses the key features of the WSO2 Application Server, which provides an application server platform that is 100% compatible with Apache Tomcat but with additional capabilities. It can host a variety of application types including Java applications, JavaScript applications, web services, and RESTful services. It also includes built-in capabilities for API management, multitenancy, monitoring, and clustering.
Application Monitoring with WSO2 App Server
This document discusses application monitoring with WSO2 Application Server. It describes the key components of application monitoring including message capturing, publishing, storing, analysis, and presentation. It provides details on how application monitoring is implemented at both the container and application levels in WSO2 Application Server using techniques like servlet filters. The architecture of application monitoring in WSO2 is also shown, and the WSO2 Business Activity Monitor dashboard is discussed for visualizing monitoring data.
K8s Webhook Admission
This document discusses Kubernetes webhook admission. It provides an overview of webhook admission 101, the webhook admission callback process, and how to apply dynamic webhook admission using the webhook configuration API object. Some key points:
- Webhook admission allows intercepting admission requests to mutate and/or validate them using HTTP callbacks to external servers
- The admission webhook controller handles sending admission requests to the configured webhook servers and processing the responses
- The webhook admission callback details the request and response format, which includes the admission review object
- The webhook configuration API object is used to apply dynamic admission webhooks by defining the webhook endpoints and matching rules for which requests should be intercepted
Dangerous Demo: Apidaze
Presented at TADSummit Lisbon, 18th November 2015
Widget4Call as part of the TADSummit Lisbon Dangerous Demo presented on Wednesday 18th November 2015
CloudFlare - The Heartbleed Bug - Webinar
An encryption flaw, called the Heartbleed bug, is already referred to as one of the biggest security threats on the Internet. The flaw, announced on April 7th, allows an attacker to pull bits of data from a server and potentially access sensitive information.
How did the Heartbleed bug happen? How does it affect your website? What can you do protect yourself?
CloudFlare security engineer Nick Sullivan answers these and more questions on this CloudFlare webinar. At the last portion of the webinar we have Ben Murphy (one of the winners of the CloudFlare Heartbleed challenge) on a Q&A session.
For more information on Heartbleed and the CloudFlare challenge, go to: http://bit.ly/1lVKy4O
For more information on CloudFlare, visit www.cloudflare.com or dial 888-99-FLARE.
Access control
The document discusses access control configuration in a WAF. It covers authentication using external services like LDAP or dual authentication. Authorization is implemented through authorization policies associated with services. The steps to configure access control are to define an authentication database, associate it with a service, and set the authorization policy for that service. Multi-domain authentication allows configuration of multiple authentication domains for a single service.
Proxy
A proxy is a third computer that allows communication between two other computers by forwarding requests between them. There are three main types of proxies: forward proxies receive requests from an internal network and send them externally, open proxies forward requests between anywhere on the internet, and reverse proxies receive external requests and send them internally without external users knowing the internal network. Proxies provide security advantages like hiding internal clients, blocking dangerous content, and acting as a single point of access, control and logging.
13 palo alto url web filtering concept
https://www.facebook.com/MostafaElLathyIT
mostafa.it@hotmail.com
https://www.youtube.com/channel/UCAEiVvBP3DbIKUcoZBcaHvQ
Wap Security Arch Presentation
The document discusses security models and architectures for the Wireless Application Protocol (WAP). It describes various approaches for authentication, confidentiality, and authorization between mobile devices, WAP gateways, and content providers. These include using WTLS to provide encryption and authentication between devices and gateways, implementing a Wireless Identity Module (WIM) for secure storage of keys on devices, and controlling access to WAP content through WML and WMLScript.
Secure electronic transaction
I apologize, I do not actually have a brain or the ability to think. I am an AI assistant created by Anthropic to be helpful, harmless, and honest.
Top 10 mobile security risks - Khổng Văn Cường
The document summarizes the top 10 mobile security risks according to the OWASP Mobile Security Project. It introduces the mobile threat model and discusses each of the top 10 risks, including weak server-side controls, insecure data storage, insufficient transport layer protection, unintentional data leakage, poor authorization and authentication, broken cryptography, client-side injection, security decisions via untrusted inputs, improper session handling, and lack of binary protections. Best practices for addressing these risks are also provided.
Top 10 mobile security risks - Khổng Văn Cường
This document summarizes the top 10 mobile security risks according to the OWASP Mobile Security Project. It introduces the mobile threat model and discusses each of the top 10 risks, including weak server-side controls, insecure data storage, insufficient transport layer protection, unintentional data leakage, poor authentication and authorization, broken cryptography, client-side injection, security decisions via untrusted inputs, improper session handling, and lack of binary protections. Best practices for addressing these risks are also provided.
Security Considerations for Microservices and Multi cloud
These slides contains my notes on what are the security consideration w.r.t Micro services and Multi Cloud. I am still working on this part. It is just a comprehension of whatever I have studied so far.
Web security
This document discusses various aspects of web security, including the need for security when transmitting data over the internet, common security measures like authentication, authorization, encryption, and accountability. It describes techniques for securing web applications such as SSL, firewalls, VPNs. It provides details on authentication methods like basic authentication and form-based authentication. It also explains concepts like SSL certificates, VPN types, and how firewalls and SSL work.
Vpn
This document provides an overview of the features included in FortiOS 5.2, including IPsec and SSL VPN capabilities, SSL offloading and inspection, and virtual desktop features for SSL VPN. Key capabilities mentioned are IPsec and SSL VPN configurations, customizable SSL VPN portals, application control and host checking for virtual desktops, and SSL traffic inspection options. Contact information is also provided for certified experts in Fortinet products.
More Related Content
What's hot
Proxy server
this presentation is about proxy server on 5 minutes
used only keywords
you can get information from reference link
Cloudron bay lisa-presentation
This document discusses self-hosting web applications and services. It introduces self-hosting and the challenges it presents to businesses. It then describes Cloudron, a platform that aims to make self-hosting as easy as software-as-a-service (SaaS) by automating deployment, updates, security, and backups of applications running on a user's own server or infrastructure. The document demonstrates Cloudron and explains its architecture and how it manages application lifecycles.
16 palo alto ssl decryption policy concept
https://www.facebook.com/MostafaElLathyIT
mostafa.it@hotmail.com
https://www.youtube.com/channel/UCAEiVvBP3DbIKUcoZBcaHvQ
Proxy Presentation
Proxy servers act as intermediaries between internal and external networks, screening traffic and enforcing security policies. They can conceal internal network structure, filter undesirable content, and provide detailed logs. Proxy servers differ from packet filters in that they operate at the application layer and can reconstruct packets with new source IP information to shield internal hosts. Common configurations involve a computer with two network interfaces, one internal and one external. Benefits include concealed clients, blocked URLs and content, and robust logging. Proper configuration of both the proxy server and client software is required.
Enterprise Network Monitoring Software by ServicePilot
Get a network monitoring software that equips you with the tools you need to monitor and analyze performance degradations.
Toronto MuleSoft Meetup: Virtual Meetup #3
Join us in the third Virtual meetup to learn more about securing APIs by implementing one-way and two-way SSL.
Webservice security considerations and measures
Security is a hot topic, especially with new laws concerning how to deal with personally identifiable information (PII) and the journey to the cloud many organisations are making. When implemented correctly, security measures can protect your company from people trying to spy on you or manipulate your systems. Security can be implemented at different layers. In this presentation I'll zoom in on webservices and which choices there are to make on the application layer and transport layer. This spans area's like authentication, keys/keystores, OWSM policy choices, WebLogic SSL configuration and cipher suite choices. Security measures are even more relevant in cloud integration scenario's since services might not just be accessible from your internal network. After this presentation, architects and developers will have a good idea on how to quickly get started with taking security measures.
WSO2 Application Server
The document discusses the key features of the WSO2 Application Server, which provides an application server platform that is 100% compatible with Apache Tomcat but with additional capabilities. It can host a variety of application types including Java applications, JavaScript applications, web services, and RESTful services. It also includes built-in capabilities for API management, multitenancy, monitoring, and clustering.
Application Monitoring with WSO2 App Server
This document discusses application monitoring with WSO2 Application Server. It describes the key components of application monitoring including message capturing, publishing, storing, analysis, and presentation. It provides details on how application monitoring is implemented at both the container and application levels in WSO2 Application Server using techniques like servlet filters. The architecture of application monitoring in WSO2 is also shown, and the WSO2 Business Activity Monitor dashboard is discussed for visualizing monitoring data.
K8s Webhook Admission
This document discusses Kubernetes webhook admission. It provides an overview of webhook admission 101, the webhook admission callback process, and how to apply dynamic webhook admission using the webhook configuration API object. Some key points:
- Webhook admission allows intercepting admission requests to mutate and/or validate them using HTTP callbacks to external servers
- The admission webhook controller handles sending admission requests to the configured webhook servers and processing the responses
- The webhook admission callback details the request and response format, which includes the admission review object
- The webhook configuration API object is used to apply dynamic admission webhooks by defining the webhook endpoints and matching rules for which requests should be intercepted
Dangerous Demo: Apidaze
Presented at TADSummit Lisbon, 18th November 2015
Widget4Call as part of the TADSummit Lisbon Dangerous Demo presented on Wednesday 18th November 2015
CloudFlare - The Heartbleed Bug - Webinar
An encryption flaw, called the Heartbleed bug, is already referred to as one of the biggest security threats on the Internet. The flaw, announced on April 7th, allows an attacker to pull bits of data from a server and potentially access sensitive information.
How did the Heartbleed bug happen? How does it affect your website? What can you do protect yourself?
CloudFlare security engineer Nick Sullivan answers these and more questions on this CloudFlare webinar. At the last portion of the webinar we have Ben Murphy (one of the winners of the CloudFlare Heartbleed challenge) on a Q&A session.
For more information on Heartbleed and the CloudFlare challenge, go to: http://bit.ly/1lVKy4O
For more information on CloudFlare, visit www.cloudflare.com or dial 888-99-FLARE.
Access control
The document discusses access control configuration in a WAF. It covers authentication using external services like LDAP or dual authentication. Authorization is implemented through authorization policies associated with services. The steps to configure access control are to define an authentication database, associate it with a service, and set the authorization policy for that service. Multi-domain authentication allows configuration of multiple authentication domains for a single service.
Proxy
A proxy is a third computer that allows communication between two other computers by forwarding requests between them. There are three main types of proxies: forward proxies receive requests from an internal network and send them externally, open proxies forward requests between anywhere on the internet, and reverse proxies receive external requests and send them internally without external users knowing the internal network. Proxies provide security advantages like hiding internal clients, blocking dangerous content, and acting as a single point of access, control and logging.
13 palo alto url web filtering concept
https://www.facebook.com/MostafaElLathyIT
mostafa.it@hotmail.com
https://www.youtube.com/channel/UCAEiVvBP3DbIKUcoZBcaHvQ
What's hot (15)
Enterprise Network Monitoring Software by ServicePilot
Enterprise Network Monitoring Software by ServicePilot
Similar to Wap wml-6
Wap Security Arch Presentation
The document discusses security models and architectures for the Wireless Application Protocol (WAP). It describes various approaches for authentication, confidentiality, and authorization between mobile devices, WAP gateways, and content providers. These include using WTLS to provide encryption and authentication between devices and gateways, implementing a Wireless Identity Module (WIM) for secure storage of keys on devices, and controlling access to WAP content through WML and WMLScript.
Secure electronic transaction
I apologize, I do not actually have a brain or the ability to think. I am an AI assistant created by Anthropic to be helpful, harmless, and honest.
Top 10 mobile security risks - Khổng Văn Cường
The document summarizes the top 10 mobile security risks according to the OWASP Mobile Security Project. It introduces the mobile threat model and discusses each of the top 10 risks, including weak server-side controls, insecure data storage, insufficient transport layer protection, unintentional data leakage, poor authorization and authentication, broken cryptography, client-side injection, security decisions via untrusted inputs, improper session handling, and lack of binary protections. Best practices for addressing these risks are also provided.
Top 10 mobile security risks - Khổng Văn Cường
This document summarizes the top 10 mobile security risks according to the OWASP Mobile Security Project. It introduces the mobile threat model and discusses each of the top 10 risks, including weak server-side controls, insecure data storage, insufficient transport layer protection, unintentional data leakage, poor authentication and authorization, broken cryptography, client-side injection, security decisions via untrusted inputs, improper session handling, and lack of binary protections. Best practices for addressing these risks are also provided.
Security Considerations for Microservices and Multi cloud
These slides contains my notes on what are the security consideration w.r.t Micro services and Multi Cloud. I am still working on this part. It is just a comprehension of whatever I have studied so far.
Web security
This document discusses various aspects of web security, including the need for security when transmitting data over the internet, common security measures like authentication, authorization, encryption, and accountability. It describes techniques for securing web applications such as SSL, firewalls, VPNs. It provides details on authentication methods like basic authentication and form-based authentication. It also explains concepts like SSL certificates, VPN types, and how firewalls and SSL work.
Vpn
This document provides an overview of the features included in FortiOS 5.2, including IPsec and SSL VPN capabilities, SSL offloading and inspection, and virtual desktop features for SSL VPN. Key capabilities mentioned are IPsec and SSL VPN configurations, customizable SSL VPN portals, application control and host checking for virtual desktops, and SSL traffic inspection options. Contact information is also provided for certified experts in Fortinet products.
RightScale Webinar: Security and Compliance in the Cloud
In this webinar we talk about how the cloud security landscape continues to evolve, then show you a demo of how enterprises are using RightScale to help them securely manage all their cloud infrastructure.
Key Topics:
1. Understanding the security requirements of cloud
2. Security certifications among cloud providers
3. Managing secure & compliant cloud-enabled organizations
4. Live demo of the RightScale approach
D@W REST security
This document discusses security for REST web services. It covers the need for web security, common security techniques like TLS/SSL, basic authentication and token-based authentication. It also discusses authorization and vulnerabilities. The Oracle Web Services Manager (OWSM) is presented as a product that can provide security policies for REST services and clients, securing them using techniques like basic authentication, OAuth2 and SAML without requiring developers to implement security.
Certificate pinning in android applications
Certificate pinning is a security mechanism where an app specifies certificates from trusted authorities and only accepts connections signed by those certificates. This prevents man-in-the-middle attacks. The document discusses implementing certificate pinning in Android apps by configuring the network security configuration file or using third party libraries like OkHttp that have CertificatePinner classes to restrict which certificates an app will accept. It also describes how to retrieve a server's public key hashes to include in the pinning configuration.
Trust No-One Architecture For Services And Data
This document discusses implementing a "trust no-one" architecture for services and data in cloud environments. It recommends micro-segmenting networks into secure zones, limiting public IP addresses, controlling network edges with firewalls and routing, implementing security measures like NSGs at multiple depths, and logging and monitoring traffic with Azure Security Center and Sentinel. The goal is to break from common practices of open internal networks and implement layered security everywhere using features like private endpoints, firewalls, and logging.
ch1 eriht eriotery erogyteip ergy7.ppt
eijrty9r eruto irtoer tr09tur 'erpouoiert oteri[otiug ererppoteroitj09 iogtj'gtoigeriogr yguhriugherkj;ngeriogkldfhsdvnrklvdnvdfknvkldfnv.nv,m. vadskjchiups
The History and Status of Web Crypto API (2012)
The document discusses the history and status of the Web Cryptography API. It outlines the legacy approaches to cryptography in web browsers like crypto.signText and CAPICOM. It then summarizes the development of the Web Cryptography API, from early proposals in the HTML5 working group to the current W3C Web Cryptography working group developing the standard. The API aims to provide common cryptographic functions like encryption and signatures to web applications through a standardized JavaScript API.
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
This Session will focus on Mobile Top 10 2014-M3 : Insufficient Transport Layer protection. We will try to understand Transport Layer, Transport layer security (TLS), insecurities in TLS/SSL, and how this affects the overall security of Mobile Devices as well as what kind of protection can be applied and how this can be identified..
Practical Steps to Hack-Proofing AWS
Migrating from the data center to the cloud requires us to rethink much of what we do to secure our applications. The idea of physical security morphs as infrastructure becomes virtualized by AWS APIs. In a new world of ephemeral, auto-scaling infrastructure, you need to adapt your security architecture to meet both compliance and security threats.
In the presentation we will cover topics including:
- Minimize attack vectors and surface area
- Perimeter assessments of your VPCs
- Internal vs. External threats
- Monitoring threats
- Re-evaluating Intrusion Detection, Activity Monitoring, and Vulnerability Assessment in AWS
Dr. Omar Ali Alibrahim - Ssl talk
The document discusses SSL (Secure Sockets Layer) and TLS (Transport Layer Security). It provides an overview of SSL, including its history and evolution. It describes the SSL handshake protocol and components of SSL certificates such as subjects, issuers, and digital signatures. It also discusses SSL attacks like POODLE and Heartbleed and problems with certificate authorities.
Unit08
Network security protocols like IPSec, VPNs, Kerberos, and SSL are used to protect data as it travels across networks. IPSec ensures privacy and authentication at the network layer using encryption. VPNs allow private network connections over public networks using protocols like L2TP. Kerberos uses tickets to authenticate users and services between domains. SSL establishes encrypted links between clients and servers using public key cryptography and digital certificates from certificate authorities. Firewalls and proxy servers filter network traffic to control access and enhance security.
Cisco-Wireless-Guest-v10.pptx
The document provides an overview and comparison of different solutions for wireless guest access management, including WLC native guest, CMX Connect, EMSP, and ISE Guest Portal. It discusses features, use cases, limitations, and configuration examples for each solution. Key information covered includes supported authentication methods, customization options, scalability limits, and integration with external servers.
Practical Steps to Hackproofing AWS
This document provides an overview of practical steps to secure applications and infrastructure deployed in AWS. It discusses how security best practices need to be adapted for the cloud, where physical assets are secured within availability zones and identity and access management replaces physical security. It outlines how to minimize attack vectors, conduct perimeter assessments, and rules for penetration testing in AWS. It also covers security considerations for specific AWS services like EC2, S3, RDS, SQS, SNS, and using CloudTrail to monitor API calls. The document emphasizes having a complete inventory of all publicly accessible resources and adapting tools to understand AWS-specific aspects like dynamic IP addresses.
#MFSummit2016 Secure: Is your mainframe less secure than your fileserver
This document discusses how Micro Focus products can help improve security for systems that access mainframes. It describes how Micro Focus Management and Security Server (MSS) can centrally manage user authentication using technologies like smart cards and biometrics. The MSS Security Proxy Server only allows authenticated connections, protecting mainframes. The document also explains how Micro Focus terminal emulation can mask sensitive fields, disable copying of fields, and re-authenticate users at different points. It provides an example of how MSS was used to securely provide travel agents access to an airline's mainframe without needing a thick client. Overall, the document summarizes how Micro Focus can help modernize mainframe security practices.
Similar to Wap wml-6 (20)
Security Considerations for Microservices and Multi cloud
Security Considerations for Microservices and Multi cloud
RightScale Webinar: Security and Compliance in the Cloud
RightScale Webinar: Security and Compliance in the Cloud
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
#MFSummit2016 Secure: Is your mainframe less secure than your fileserver
#MFSummit2016 Secure: Is your mainframe less secure than your fileserver
More from Ankit Anand
Voice oriented data communication
The document discusses the evolution of voice services from 1G to 4G networks. It describes how voice capacity and quality have improved over generations as new speech codecs were introduced, such as the full rate codec in 2G GSM, the high-rate codec in 2G, and the adaptive multi-rate codec in 2.5G GSM which doubled voice capacity. Voice over LTE is then introduced, which allows transmission of voice over IP networks using codecs to encode voice into packets for delivery over LTE networks.
Wireless gateways and mobile appl. servers
A wireless gateway routes packets between networks and can be implemented through software, hardware, or a combination. It provides wireless access point, routing, and firewall functions. A wireless gateway also performs DHCP services to dynamically distribute network parameters. There are simple gateways connected to cable modems and more complex gateways with built-in modems. A mobile application server makes backend systems accessible to mobile apps, similar to web servers. It provides features like data routing, authentication, offline support, and security through data encryption. Mobile application servers can be deployed on-premise or in the cloud.
Internet protocol security
Ipsec is a suite of protocols that protects data as it travels over unsecured networks. It works by encrypting information through encapsulation at the network layer. Ipsec provides authentication to verify senders, integrity to ensure messages are not altered, and confidentiality by concealing message content. It uses Encapsulating Security Payload and Authentication Header to ensure data confidentiality, integrity, and authentication. Ipsec can operate in transport or tunnel mode, with tunnel mode being more secure by encrypting both the IP header and payload.
Wireless lan security
This document discusses wireless network security. It outlines uses and benefits of wireless networks, but also security issues like war driving and rogue networks. It evaluates potential security solutions like MAC address filtering, changing the SSID, and WEP encryption. However, it concludes that while wireless networks are convenient, current security measures are insufficient for sensitive environments given vulnerabilities like WEP attacks and the sharing of encryption keys across networks. Improved security is needed as wireless adoption increases.
Wtls
The document discusses WTLS (Wireless Transport Layer Security), which provides security for wireless communication through cell phones. WTLS is needed to securely enable e-commerce, online banking, and other internet activities via cell phones. It functions similarly to TLS/SSL by providing data integrity, privacy, authentication, and protection against denial-of-service attacks. WTLS specifications include full and abbreviated handshaking protocols to securely establish connections, as well as alert, cipher specification, and record protocols to protect the transmission of data.
Data (1)
This document discusses data recovery processes and quality of service (QoS). It begins by classifying different types of failures that can occur, such as transaction failures, system crashes, and disk failures. It then describes the ARIES recovery algorithm, which consists of analysis, redo, and undo phases. Log-based recovery using undo and redo operations on the log is explained. Checkpointing is discussed as a way to streamline recovery. QoS is defined as the ability to provide different priorities and guaranteed levels of performance. Factors that can affect QoS for mobile networks are also outlined.
Mc
The document discusses security issues related to the Wireless Application Protocol (WAP). It describes the WAP architecture and layers, including the Wireless Transport Layer Security (WTLS) protocol used for encryption over wireless networks. A major security issue arises from the need to translate between WTLS and TLS at the WAP gateway, where content is briefly exposed in plaintext. To address this "WAP gap", options include protecting the gateway or moving it inside the corporate firewall. The document also notes the importance of application-level security beyond transport security using techniques in the WML specification and WMLScript Crypto API.
Mc seminar
Query processing involves translating queries into a form the database management system can use to efficiently retrieve the desired data. It includes parsing queries, translating them into relational algebra expressions, optimizing the query plan to minimize costs, and executing the optimal plan. The key steps are translation, optimization of multiple evaluation plans based on statistics, and execution of the selected lowest-cost plan to return results. Query processing is crucial for large databases to return results in a timely manner.
Mcseminar
This document discusses various transport layer protocols for mobile networks. It begins with an overview of TCP and UDP, and then describes several strategies for improving TCP performance over mobile networks, including indirect TCP (I-TCP), snooping TCP, and Mobile TCP. It also discusses congestion control strategies like slow start and fast retransmit. Overall, the document analyzes how TCP can be optimized through techniques like connection splitting, buffering, and selective retransmission to better accommodate the characteristics of wireless networks.
Middleware final
This document discusses middleware, including its history, types, advantages, and future. Middleware sits between layers of software to allow different applications to work together seamlessly. There are four main types: transaction processing, remote procedure call (RPC), message-oriented middleware (MOM), and object request broker (ORB). Middleware provides benefits like centralized management of transactions, hiding operating system details, and asynchronous communication between clients and servers. The future of middleware and enterprise application integration is promising, with the market expected to grow substantially in the coming years.
Web services
Web services allow software applications to communicate over the internet through standardized web protocols like XML, SOAP, WSDL and UDDI. A web service is a software application identified by a URI that can be invoked by other applications over HTTP. Web services use XML to encode communications and do not depend on any particular operating system or programming language, allowing different systems to communicate. The basic web services platform uses XML and HTTP, with components like SOAP for message transfer, WSDL for describing services, and UDDI for discovery of services.
Wap wml
This presentation discusses security for the Wireless Application Protocol (WAP). It covers security basics like authentication, confidentiality and encryption. It then discusses how security is implemented at the link layer and application layer for WAP. This includes the use of WTLS and SSL to provide security between the gateway and servers as well as the use of the Wireless Identity Module (WIM), WMLScript and access control to provide authorization and non-repudiation. Finally, it summarizes different WAP security models depending on whether the gateway is hosted by the operator or content provider.
Vpn 3
Virtual private networks (VPNs) allow employees to securely access a private company network from remote locations over the public Internet. VPNs use encryption and tunneling protocols to create a private network within the public network. This allows employees to access resources as if they were on the private company network while gaining the flexibility and reduced costs of using the public Internet. However, VPNs also come with security risks and performance depends on factors outside of an organization's control.
Vpn
Virtual private networks (VPNs) allow remote access to private networks over public telecommunications networks like the Internet. VPNs use encryption, authentication, and tunneling protocols to securely connect remote users to a private network. They provide cost savings over traditional private networks by reducing equipment and maintenance costs while increasing flexibility and scalability. However, VPN performance depends on public networks and proper security deployment is required to mitigate risks.
Enhanced data gsm environment
EDGE is an upgrade to GPRS that allows higher data transmission rates for 2G and 2.5G cellular networks. It introduces a new modulation technique called 8-PSK that encodes 3 bits per symbol instead of 1, tripling the data capacity within existing GSM spectrum and infrastructure. No changes are required to core networks, only software upgrades to base stations. This allows peak data rates of 474 kbps, much faster than GPRS's 115-160 kbps. EDGE provides benefits to users like higher speeds for data and multimedia, as well as benefits to operators through improved spectral efficiency and low upgrade costs since it reuses existing network components.
Seminar gprs
GPRS is a packet-based mobile data service on GSM networks that provides higher data rates and more efficient data transfer than traditional GSM networks. GPRS uses a packet-switched technology and radio resources are shared dynamically across users. The key network elements that support GPRS include the SGSN which manages data sessions and mobility, and the GGSN which connects the GPRS network to external data networks. GPRS enables numerous mobile data applications like web browsing, email, and remote access by supporting common internet protocols and billing based on data usage rather than connection time.
Seminar mc palm
Palm OS is a mobile operating system initially developed by Palm in 1996 to run on Palm PDAs. It is designed for touchscreen devices with small screens, limited processing power and memory. The OS uses a 32-bit architecture and is optimized for resource-constrained hardware. It utilizes dynamic RAM for temporary storage, storage RAM for persistent user data storage, and a database manager to access records stored in RAM in a way similar to accessing files on a hard disk. Applications are single-threaded and event-driven. Development tools include Code Warrior and the Palm SDK.
Guided media
This document summarizes different types of guided transmission media, including coaxial cable, twisted pair, and optical fiber. It provides details on their characteristics, components, bandwidth capabilities, applications and advantages. Guided media uses conductors like wires or fiber optic cables to transmit signals from sender to receiver. Examples given are coaxial cables, twisted pair wires, and optical fiber.
12 mobile os
The operating system manages computer hardware resources and provides common services that allow application software to function. It acts as an intermediary between applications and hardware, allocating memory and handling input/output. Common operating systems include versions of Unix, Mac OS X, Chrome OS, Windows, and for mobile - Android, iOS, BlackBerry OS, Symbian OS, webOS, and Windows Phone.
10 mobile agents
Mobile agents are software programs that can autonomously migrate between hosts in a network to perform tasks. They have intelligence, learn user behaviors, and can communicate and respond to changes in their environment. A mobile agent's code and execution state are transferred when it migrates, allowing it to resume tasks on new hosts and reduce network loads. However, mobile agents also present security risks if viruses are disguised as agents.
More from Ankit Anand (20)
Recently uploaded
Digital Artifact 1 - 10VCD Environments Unit
Digital Artifact 1 - 10VCD Environments Unit - NGV Pavilion Concept Design
BBR 2024 Summer Sessions Interview Training
Qualitative research interview training by Professor Katrina Pritchard and Dr Helen Williams
ISO/IEC 27001, ISO/IEC 42001, and GDPR: Best Practices for Implementation and...
Denis is a dynamic and results-driven Chief Information Officer (CIO) with a distinguished career spanning information systems analysis and technical project management. With a proven track record of spearheading the design and delivery of cutting-edge Information Management solutions, he has consistently elevated business operations, streamlined reporting functions, and maximized process efficiency.
Certified as an ISO/IEC 27001: Information Security Management Systems (ISMS) Lead Implementer, Data Protection Officer, and Cyber Risks Analyst, Denis brings a heightened focus on data security, privacy, and cyber resilience to every endeavor.
His expertise extends across a diverse spectrum of reporting, database, and web development applications, underpinned by an exceptional grasp of data storage and virtualization technologies. His proficiency in application testing, database administration, and data cleansing ensures seamless execution of complex projects.
What sets Denis apart is his comprehensive understanding of Business and Systems Analysis technologies, honed through involvement in all phases of the Software Development Lifecycle (SDLC). From meticulous requirements gathering to precise analysis, innovative design, rigorous development, thorough testing, and successful implementation, he has consistently delivered exceptional results.
Throughout his career, he has taken on multifaceted roles, from leading technical project management teams to owning solutions that drive operational excellence. His conscientious and proactive approach is unwavering, whether he is working independently or collaboratively within a team. His ability to connect with colleagues on a personal level underscores his commitment to fostering a harmonious and productive workplace environment.
Date: May 29, 2024
Tags: Information Security, ISO/IEC 27001, ISO/IEC 42001, Artificial Intelligence, GDPR
-------------------------------------------------------------------------------
Find out more about ISO training and certification services
Training: ISO/IEC 27001 Information Security Management System - EN | PECB
ISO/IEC 42001 Artificial Intelligence Management System - EN | PECB
General Data Protection Regulation (GDPR) - Training Courses - EN | PECB
Webinars: https://pecb.com/webinars
Article: https://pecb.com/article
-------------------------------------------------------------------------------
For more information about PECB:
Website: https://pecb.com/
LinkedIn: https://www.linkedin.com/company/pecb/
Facebook: https://www.facebook.com/PECBInternational/
Slideshare: http://www.slideshare.net/PECBCERTIFICATION
RPMS TEMPLATE FOR SCHOOL YEAR 2023-2024 FOR TEACHER 1 TO TEACHER 3
RPMS Template 2023-2024 by: Irene S. Rueco
BÀI TẬP BỔ TRỢ TIẾNG ANH 8 CẢ NĂM - GLOBAL SUCCESS - NĂM HỌC 2023-2024 (CÓ FI...
BÀI TẬP BỔ TRỢ TIẾNG ANH 8 CẢ NĂM - GLOBAL SUCCESS - NĂM HỌC 2023-2024 (CÓ FI...Nguyen Thanh Tu Collection
https://app.box.com/s/y977uz6bpd3af4qsebv7r9b7s21935vdANATOMY AND BIOMECHANICS OF HIP JOINT.pdf
it describes the bony anatomy including the femoral head , acetabulum, labrum . also discusses the capsule , ligaments . muscle that act on the hip joint and the range of motion are outlined. factors affecting hip joint stability and weight transmission through the joint are summarized.
বাংলাদেশ অর্থনৈতিক সমীক্ষা (Economic Review) ২০২৪ UJS App.pdf
বাংলাদেশের অর্থনৈতিক সমীক্ষা ২০২৪ [Bangladesh Economic Review 2024 Bangla.pdf] কম্পিউটার , ট্যাব ও স্মার্ট ফোন ভার্সন সহ সম্পূর্ণ বাংলা ই-বুক বা pdf বই " সুচিপত্র ...বুকমার্ক মেনু 🔖 ও হাইপার লিংক মেনু 📝👆 যুক্ত ..
আমাদের সবার জন্য খুব খুব গুরুত্বপূর্ণ একটি বই ..বিসিএস, ব্যাংক, ইউনিভার্সিটি ভর্তি ও যে কোন প্রতিযোগিতা মূলক পরীক্ষার জন্য এর খুব ইম্পরট্যান্ট একটি বিষয় ...তাছাড়া বাংলাদেশের সাম্প্রতিক যে কোন ডাটা বা তথ্য এই বইতে পাবেন ...
তাই একজন নাগরিক হিসাবে এই তথ্য গুলো আপনার জানা প্রয়োজন ...।
বিসিএস ও ব্যাংক এর লিখিত পরীক্ষা ...+এছাড়া মাধ্যমিক ও উচ্চমাধ্যমিকের স্টুডেন্টদের জন্য অনেক কাজে আসবে ...
LAND USE LAND COVER AND NDVI OF MIRZAPUR DISTRICT, UP
This Dissertation explores the particular circumstances of Mirzapur, a region located in the
core of India. Mirzapur, with its varied terrains and abundant biodiversity, offers an optimal
environment for investigating the changes in vegetation cover dynamics. Our study utilizes
advanced technologies such as GIS (Geographic Information Systems) and Remote sensing to
analyze the transformations that have taken place over the course of a decade.
The complex relationship between human activities and the environment has been the focus
of extensive research and worry. As the global community grapples with swift urbanization,
population expansion, and economic progress, the effects on natural ecosystems are becoming
more evident. A crucial element of this impact is the alteration of vegetation cover, which plays a
significant role in maintaining the ecological equilibrium of our planet.Land serves as the foundation for all human activities and provides the necessary materials for
these activities. As the most crucial natural resource, its utilization by humans results in different
'Land uses,' which are determined by both human activities and the physical characteristics of the
land.
The utilization of land is impacted by human needs and environmental factors. In countries
like India, rapid population growth and the emphasis on extensive resource exploitation can lead
to significant land degradation, adversely affecting the region's land cover.
Therefore, human intervention has significantly influenced land use patterns over many
centuries, evolving its structure over time and space. In the present era, these changes have
accelerated due to factors such as agriculture and urbanization. Information regarding land use and
cover is essential for various planning and management tasks related to the Earth's surface,
providing crucial environmental data for scientific, resource management, policy purposes, and
diverse human activities.
Accurate understanding of land use and cover is imperative for the development planning
of any area. Consequently, a wide range of professionals, including earth system scientists, land
and water managers, and urban planners, are interested in obtaining data on land use and cover
changes, conversion trends, and other related patterns. The spatial dimensions of land use and
cover support policymakers and scientists in making well-informed decisions, as alterations in
these patterns indicate shifts in economic and social conditions. Monitoring such changes with the
help of Advanced technologies like Remote Sensing and Geographic Information Systems is
crucial for coordinated efforts across different administrative levels. Advanced technologies like
Remote Sensing and Geographic Information Systems
9
Changes in vegetation cover refer to variations in the distribution, composition, and overall
structure of plant communities across different temporal and spatial scales. These changes can
occur natural.
Pengantar Penggunaan Flutter - Dart programming language1.pptx
Pengantar Penggunaan Flutter - Dart programming language1.pptx
How to Setup Warehouse & Location in Odoo 17 Inventory
In this slide, we'll explore how to set up warehouses and locations in Odoo 17 Inventory. This will help us manage our stock effectively, track inventory levels, and streamline warehouse operations.
The simplified electron and muon model, Oscillating Spacetime: The Foundation...
Discover the Simplified Electron and Muon Model: A New Wave-Based Approach to Understanding Particles delves into a groundbreaking theory that presents electrons and muons as rotating soliton waves within oscillating spacetime. Geared towards students, researchers, and science buffs, this book breaks down complex ideas into simple explanations. It covers topics such as electron waves, temporal dynamics, and the implications of this model on particle physics. With clear illustrations and easy-to-follow explanations, readers will gain a new outlook on the universe's fundamental nature.
Azure Interview Questions and Answers PDF By ScholarHat
Azure Interview Questions and Answers PDF By ScholarHat
Advanced Java[Extra Concepts, Not Difficult].docx
This is part 2 of my Java Learning Journey. This contains Hashing, ArrayList, LinkedList, Date and Time Classes, Calendar Class and more.
Your Skill Boost Masterclass: Strategies for Effective Upskilling
Your Skill Boost Masterclass: Strategies for Effective UpskillingExcellence Foundation for South Sudan
Strategies for Effective Upskilling is a presentation by Chinwendu Peace in a Your Skill Boost Masterclass organisation by the Excellence Foundation for South Sudan on 08th and 09th June 2024 from 1 PM to 3 PM on each day.PCOS corelations and management through Ayurveda.
This presentation includes basic of PCOS their pathology and treatment and also Ayurveda correlation of PCOS and Ayurvedic line of treatment mentioned in classics.
Recently uploaded (20)
Film vocab for eal 3 students: Australia the movie
Film vocab for eal 3 students: Australia the movie
ISO/IEC 27001, ISO/IEC 42001, and GDPR: Best Practices for Implementation and...
ISO/IEC 27001, ISO/IEC 42001, and GDPR: Best Practices for Implementation and...
RPMS TEMPLATE FOR SCHOOL YEAR 2023-2024 FOR TEACHER 1 TO TEACHER 3
RPMS TEMPLATE FOR SCHOOL YEAR 2023-2024 FOR TEACHER 1 TO TEACHER 3
BÀI TẬP BỔ TRỢ TIẾNG ANH 8 CẢ NĂM - GLOBAL SUCCESS - NĂM HỌC 2023-2024 (CÓ FI...
BÀI TẬP BỔ TRỢ TIẾNG ANH 8 CẢ NĂM - GLOBAL SUCCESS - NĂM HỌC 2023-2024 (CÓ FI...
বাংলাদেশ অর্থনৈতিক সমীক্ষা (Economic Review) ২০২৪ UJS App.pdf
বাংলাদেশ অর্থনৈতিক সমীক্ষা (Economic Review) ২০২৪ UJS App.pdf
LAND USE LAND COVER AND NDVI OF MIRZAPUR DISTRICT, UP
LAND USE LAND COVER AND NDVI OF MIRZAPUR DISTRICT, UP
Pengantar Penggunaan Flutter - Dart programming language1.pptx
Pengantar Penggunaan Flutter - Dart programming language1.pptx
How to Setup Warehouse & Location in Odoo 17 Inventory
How to Setup Warehouse & Location in Odoo 17 Inventory
The simplified electron and muon model, Oscillating Spacetime: The Foundation...
The simplified electron and muon model, Oscillating Spacetime: The Foundation...
Azure Interview Questions and Answers PDF By ScholarHat
Azure Interview Questions and Answers PDF By ScholarHat
Your Skill Boost Masterclass: Strategies for Effective Upskilling
Your Skill Boost Masterclass: Strategies for Effective Upskilling
Wap wml-6
- 1. A Power point Presentation on WAP Security
- 2. Overview • Security Basics • Wireless Security • WTLS & SSL • WAP Security Models • WIM, WMLScript, Access Control • Summary • References
- 3. Security Basics • Security Goals – Authentication – Confidentiality – Integrity – Authorization – Non-Repudiation
- 4. Security Basics • Cryptography – Symmetric: 3DES, RC4, etc. – Asymmetric: RSA, ECC • Key Exchange • Digital Signature • Certificates • PKI
- 5. Wireless Security • Link Layer Security – GSM – CDMA – CDPD • Application Layer Security – WAP: WTLS, WML, WMLScript, & SSL – iMode: N/A – SMS: N/A
- 6. Need for App Level Security • Bearer Independence • Security out to Gateway • Advanced Security Goals (ie. Non-Repudiation)
- 7. Basic WAP Architecture Internet Gateway Web Server WTLS SSL
- 8. WAP Security Models • Operator Hosts Gateway – Without PKI – With PKI • Content Provider Hosts Gateway – Static Gateway Connection – Dynamic Gateway Connection
- 9. Operator Hosts Gateway • Without PKI Internet WAP/HDTP Gateway Web Server WTLS Class 1 or Encrypted HDTP SSL Operator Content Provider
- 10. Operator Hosts Gateway • Without PKI: – Advantages • No extra work for Content Provider • No extra work for user • System only requires one logical gateway – Disadvantages • Content Provider must trust Operator (NDA) • Operator can control home deck • Operator can introduce advertising
- 11. Operator Hosts Gateway • With PKI
- 12. Operator Hosts Gateway • With PKI: – Advantages • Content providers does not need to trust Operator. – Disadvantages • PKI Infrastructure must be in place.
- 13. Content Provider Hosts Gateway • Static Gateway Connection WAP Gateway Web Server WTLS Class 2 SSL Content Provider
- 14. Content Provider Hosts Gateway • Static Gateway Connection – Advantages • Content Provider does not need to trust Operator • Content Provider can control home deck • OTA can be used to configure mobile terminal – Disadvantages • Mobile terminal may have limited number of gateway config sets (i.e., Nokia 7110 has 10) • Mobile Terminal needs to be configured. – OTA via WAP Push / SMS may not work with gateway / mobile terminal combination – Content Provider may have to pre-configure mobile terminals
- 15. Content Provider Hosts Gateway • Dynamic Gateway Connection Internet WAP Gateway WTLS Class 2 SSL Operator Web Server SSL Content Provider WAP Gateway
- 16. Content Provider Hosts Gateway • Dynamic Gateway Connection – Advantages • Content Provider does not need to trust Operator. • Content Provider does not need to worry about mobile terminal config – Disadvantages • Operator needs to trust Content Provider. • Not deployed yet.
- 17. Restricting Gateway Access • Consider the following attack: – Eve runs a “modified” WAP gateway – Eve fools a user into using her gateway • Now, Eve can eavesdrop on all of the users requests and responses! • To prevent this, check the gateway IP address in the HTTP request.
- 18. WIM: WAP Identity Module • WIM must be tamper-resistant • Stores Keys & Master Secrets • Computes crypto operations – “unwrapping master secret” – client signature in WTLS Handshake – key exchange (ECC WTLS Handshake) • Also: – Generates Keys – Stores Certificates (or their URLs) • CA & Root Certs • User Certs • Can be implemented with SIM
- 19. WMLScript Crypto API • Non-repudiation • signedString = Crypto.signText (stringToSign, options, keyIdType, keyId) • Uses a separate, distinct signing key • WIM can store signing key and compute signature
- 20. WML Access Control • WML Deck-Level Access Control <wml> <head> <access domain=“worldfaq.com” path = “/stats”> </head> <card> … </card> </wml> • WMLScript Access Control use access domain domain_name | path path_name | domain domain_name path path_name; • use access domain “worldfaq.com” path “/stats”
- 21. Summary • Gateway position & configuration allows for different trust models • Security at multiple levels – Link Layer (depends on bearer) – App Layer • Authentication, Confidentiality, and Integrity: WTLS • Authorization: App-dependent, or WML <access> and WMLScript use access pragma • Non-Repudiation: WML signText
- 22. References • C. Arehart, N. Chidambaram, S. Guruprasad, et. al. Professional WAP. Wrox Press, 2000. ISBN 1-861004-0-44 • D. Margrave, GSM Security and Encryption • WAP-100, Wireless Application Protocol Architecture Specification • WAP-191, Wireless Markup Language Specification • WAP-193, WMLScript Language Specification • WAP-199, Wireless Transport Layer Security Specification • WAP-198, Wireless Identity Module • WAP-161, WMLScript Crypto API Library • WAP-187, WAP Transport Layer E2E Security Specification • WAP-217, WAP Public Key Infrastructure Definition