By Benjamin J. Field ([email protected])
April 25, 2000

Wireless networks are adopting online commerce at a dizzying pace, reminiscent of the Internet's adoption of ecommerce during the last two years. Applications such as stock trading, shopping, and banking are now available on wireless networks (Ameritrade, Amazon.com, Bank of Montreal). It is the market of the future, but wireless is worth paying attention to right now.

According to the Strategis Group (www.strategisgroup.com), the number of professional mobile data users in the United States is upwards of 32 million, and growing. Ericsson (www.ericsson.com) predicts that there will be around 600 million mobile Internet subscribers worldwide by 2004.

Why this sudden growth? In part, it springs from consumers and developers getting better at thinking alike. But the wireless growth phenomenon ultimately comes down to security. Here's how it happened.

Early on, demand was easily met for wireless information such as weather and stock tickers, because for these basic applications, security is no concern. The problem was that professionals wanted more than a portable weather watch. They wanted the functionality of the Internet merged with the convenience of the telephone. A great deal of security is required for financial transactions, though, and a trustworthy standard for wireless network security was absent. This meant slow growth for the wireless industry, until the WAP.

WAP

The Wireless Application Protocol (WAP) is the standard for wireless applications. It was developed by the WAP Forum -- a group of more than 200 telecommunications and software companies who see the need to cooperate. The WAP addresses a lot of subjects, but the chief concern is, and will continue to be, security. A robust and reliable security model was defined, to be usable on existing wireless networks. This move has instilled real confidence in wireless developers and consumers alike.
WAP Security Model

The WAP Security model relies upon WTLS (see Wireless Transport Layer Security below) and SSL (see The Internet Security Model below). The central component in the model is the WAP Gateway, a virtual gatekeeper between the worlds of WTLS and SSL. Picture this progression:

Wireless Device -> Wireless Network -> WAP Gateway -> Internet Network -> Content Server

A wireless phone communicates with the WAP Gateway over a wireless network, using WTLS. The WAP Gateway then communicates with the Web server over the Internet, using SSL. WTLS is built on the Internet Security Model. A quick review:

Internet Security Model

Just like the wireless world, the Internet world experienced a push for stronger security, only it happened in the mid-90s. The wish couldn't become a reality, though, until Secure Sockets Layer (SSL) came along. Here's a typical scenario for the SSL security mechanism:

1. A Web browser requests a secure conversation with a Web server.
2. The server provides the browser with its server certificate.
3. The browser authenticates the server by confirming that a valid certificate authority issued the certificate.
4. The browser uses the public key stored in the certificate to encrypt a shared secret key.
5. The browser sends the encrypted shared secret key to the server.
6. The (more efficient) shared secret key encrypts the rest of the conversation.

Some web servers require a client certificate, but usually, a server relies on a simple username/password system for authentication and non-repudiation. The Internet Security Model is the basis for WTLS.

WTLS

Wireless Transport Layer Security (WTLS) was formulated specifically to enable super-secure transactions, yet avoid the power- and memory-hungry security solutions used on the Web. It does this by minimizing protocol overhead, utilizing better compression, and employing more efficient cryptography, such as RSA (RC5) or ECC (Elliptic Curve Cryptography).
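The six-step exchange listed under Internet Security Model, which WTLS builds on, can be traced end to end in a few lines. This is an added example, not code from the article or from any SSL/WTLS implementation; the textbook RSA keys (built from Mersenne primes, no padding), the SHA-256 keystream cipher, the certificate layout and the name shop.example are all constructed assumptions chosen so the sketch runs with the Python standard library only.

```python
import hashlib, secrets

E = 65537  # public exponent for both toy keys

def keypair(p, q):
    """Textbook RSA from known primes: toy sizes, no padding, demo only."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def cert_digest(subject, pub):
    body = f"{subject}|{pub[0]}|{pub[1]}".encode()
    return int.from_bytes(hashlib.sha256(body).digest(), "big")

def issue_cert(subject, pub, ca_priv):
    """The CA signs the server's name and public key."""
    sig = pow(cert_digest(subject, pub), ca_priv[1], ca_priv[0])
    return {"subject": subject, "pub": pub, "sig": sig}

def verify_cert(cert, ca_pub):
    """Step 3: recompute the digest and check the CA signature."""
    expected = cert_digest(cert["subject"], cert["pub"])
    return pow(cert["sig"], ca_pub[1], ca_pub[0]) == expected

def handshake(cert, ca_pub, server_priv):
    """Steps 2-5. Returns (browser_key, server_key); raises on a bad cert."""
    if not verify_cert(cert, ca_pub):
        raise ValueError("certificate not signed by the trusted CA")
    secret = secrets.token_bytes(16)            # browser's shared secret
    n, e = cert["pub"]
    wrapped = pow(int.from_bytes(secret, "big"), e, n)          # step 4
    unwrapped = pow(wrapped, server_priv[1], server_priv[0])    # server side
    return secret, unwrapped.to_bytes(16, "big")

def stream_xor(key, data):
    """Step 6: toy SHA-256 keystream cipher; the same call decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

# Constructed demo keys built from Mersenne primes (not secure key material).
CA_PUB, CA_PRIV = keypair(2**127 - 1, 2**521 - 1)
SRV_PUB, SRV_PRIV = keypair(2**89 - 1, 2**107 - 1)
CERT = issue_cert("shop.example", SRV_PUB, CA_PRIV)

if __name__ == "__main__":
    browser_key, server_key = handshake(CERT, CA_PUB, SRV_PRIV)
    reply = stream_xor(server_key, stream_xor(browser_key, b"order #1"))
    print(browser_key == server_key, reply)
```

The certificate check in step 3 is what binds the public key used in step 4 to the server's name; a certificate signed by an untrusted authority, or one whose key was swapped after signing, stops the handshake before any secret is sent.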
The kernel of WTLS security is the WIM (Wireless Identity Module). The WIM performs optimized cryptography during handshake, especially for client authentication, and forges long-term, secure WTLS connections.

WTLS came out of TLS 1.0 (Transport Layer Security), the Internet standard security protocol. TLS 1.0 is based on SSL 3.0. WTLS goes above and beyond TLS 1.0, offering such features as datagram support, dynamic key refreshing, and optimized handshake.

Summary

The WAP is allowing the Internet to expand rapidly on wireless networks. The WAP is vital because it offers a robust and reliable security model, centered around WTLS and descended from TLS and SSL.

This article doesn't even scratch the surface on the real nitty-gritty of wireless security. For that, take a look at the links below, particularly the WAP Forum. And if you plan on developing WAP applications, the best place to start is Phone.com, an early mover in the world of wireless application development.

Links

The WAP Forum
http://www.wapforum.org/

The WAP Specifications
http://www.wapforum.org/what/technical.htm

Phone.com, co-founder of the WAP Forum
http://www.phone.com/

The Phone.com WAP Development Kit (UP.SDK)
http://updev.phone.com/dev/ts/

Most Phone.com developer pages require a developer's account. Get one at http://devadmin.uplanet.com/DevAddForm.cgi