12 pages

English

IIR-tutorial-4

Islue

Le téléchargement nécessite un accès à la bibliothèque YouScribe
Tout savoir sur nos offres

12 pages

English

Le téléchargement nécessite un accès à la bibliothèque YouScribe
Tout savoir sur nos offres

A propos
Informations
Extrait

Description

“application” layer securityTim WrightCommunications Security and AdvancedDevelopment GroupVodafone LimitedSecurity and Fraud, 2000 the word is09.03.00ContentsIntroduction to public key cryptographyWAP securityMExE and MExE securityIntroduction to Java / J2MEIssues and challenges for application layer securitySecurity and Fraud, 2000 the word is09.03.00Digital signatures and PKSecret key cryptography - good where you trust whoyou’re talking toPublic key crypto where you don’t or have problemstransmitting keysA private key for every public keyEncrypt with public key and decrypt with privateOr the reverse - sign with private key, verify withpublicSecurity and Fraud, 2000 the word is09.03.00CertificatesPublic keys can be public but could be changedPossibility of spoofingCertificate is a public key signed with a “higher”private keyNeed a public key to verify that private keyEnd up with a root at the topPublic Key Infrastructure, PKI, is:Certification Authorities (CA), from which certificates areobtainedRegistration Authorities (RA), that check identity of clientbefore certificate is issuedinterfaces between these and other nodesSecurity and Fraud, 2000 the word is09.03.00WAP - servicesInitially just browsingFuture:mobile e-commercedownloaded scripts and applicationstelephony control (WTA)links to external devicesSecurity and Fraud, 2000 the word is09.03.00WAP - ...

Informations

Publié par	Islue
Nombre de lectures	38
Langue	English

Extrait

“application” layer security

Tim Wright Communications Security and Advanced Development Group Vodafone Limited

Security and Fraud, 2000

the word is

Contents

09.03.00

●Introduction to public key cryptography ●WAP security ●MExE and MExE security ●Introduction to Java / J2ME ●Issues and challenges for application layer security

Security and Fraud, 2000

the word is

09.03.00

Digital signatures and PK

●Secret key cryptography  good where you trust who you’re talking to ●Public key crypto where you don’t or have problems transmitting keys ●A private key for every public key ●Encrypt with public key and decrypt with private ●Or the reverse signwith private key,verifywith public

Security and Fraud, 2000

the word is

Certificates

09.03.00

●Public keys can be public but could be changed ●Possibility of spoofing ●Certificate is a public key signed with a “higher” private key ●Need a public key to verify that private key ●End up with a root at the top ●Public Key Infrastructure, PKI, is: ●Certification Authorities (CA), from which certificates are obtained ●Registration Authorities (RA), that check identity of client before certificate is issued ●interfaces between these and other nodes the word is Security and Fraud, 2000 09.03.00

WAP  services

●Initially just browsing ●Future: ●mobile ecommerce ●downloaded scripts and applications ●telephony control (WTA) ●links to external devices

Security and Fraud, 2000

the word is

WAP  security

09.03.00

●Transport security ●WTLS ●Application security ●WMLScript support for digital signature (SignText), end to end client authentication ●WAP identity module ●Storage and processing of sensitive security parameters ●Wireless PKI ●To support transport security and application security

Security and Fraud, 2000

the word is

09.03.00

WTLS

●WTLS is the wireless equivalent of SSL/TLS ●Extends from WAP client to WAP gateway or WAP server ●New certificate format “WTLS certificate” ●compact, but can only be used for WAP gateway/server authentication ●WAP clients need to be initialised with appropriate root public keys by trusted means  preferably on a SIM or at terminal manufacture ●end to end transport layer security is still WTLS, re directed to a new gateway

Security and Fraud, 2000

the word is

Digital signatures in WAP

09.03.00

●WMLScript function in WML pages to call signing or client authentication function ●Allows users to sign web documents and forms and/or be authenticated to end point ●WML provider can receive and verify signed documents from users ●Can be used to secure ecommerce transactions ●Could provide non repudiation

Security and Fraud, 2000

the word is

09.03.00

WIM

●Specification of aninterfaceto a security module ●No specification of hardware security (best solution is IC card) ●WIM uses RSA PKCS#15 specification for directory structure and ASN.1 encoding of cryptographic parameters ●WIM can be ●on separate IC card (ICC) ●same ICC as SIM ●integrated into SIM

Security and Fraud, 2000

the word is

WPKI

09.03.00

●Definition of certificate profiles for WAP applications ●Standardised way for client to obtain a certificate ●Specifies installation of trusted root keys ●Provides method of securing WTA ●PKI not required if just WAP gateway/server authentication and traffic encryption is needed

Security and Fraud, 2000

the word is

09.03.00

Signed content in WAP

●EFI  External Function Interface (WAP 1.4) ●Framework for WMLScripts to access functions external to the phone  second ICC, IrDA, Bluetooth, GPS ●Signed content may be the security mechanism ●Signed content is to be used for WTA security in the long term

Security and Fraud, 2000

the word is

WAP security  issues

●Few roots on the browser ●Will there be at least one root that is on all terminals? ●Or will VASP’s need multiple certificates? ●Operator provided root on the SIM ●Installation of new roots on the terminal ●opens up PKI commercially ●opens up holes in WAP security ●Effect of false base station ●MSISDN pass through for user/client id ●Few roots  means no restrictions on what root certificates can be used for?

Security and Fraud, 2000

the word is

09.03.00

MExE

●Mobile Execution Environment ●Framework for download of scripts, applets, applications and phone softwaretomobile phones ●Making the phone more like a PC/PDA ●Standardised environment  write once, run anywhere ●MExE classmarks ●Classmark 1: applications are written in WMLScript ●Classmark 2: applications are written in Java

Security and Fraud, 2000

the word is

MExE security

09.03.00

●Mobile code for mobile phones ●Downloaded code can make calls, change MMI, look at user data, . ●Dangerous! ●MExE therefore hasuntrustedandtrusted applications ●Trusted applications are digitally signed by their originator and can do much more than untrusted applications

Security and Fraud, 2000

the word is

09.03.00

MExE trusted domains

●Three trusted execution domains ●Operator ●Manufacture ●Third party ●Trusted application can only execute if signature can be verified on the client ●Root public keys loaded onto terminal by secure means ●Operator and third party keys can be loaded onto SIM

Security and Fraud, 2000

the word is

User permission in MExE

09.03.00

●Applications cannot be installed without user permission ●Applications cannot carry out functions without user permission ●Three types of user permission ●Single action ●Session ●Blanket ●Tradeoff between flexibility of security architecture and usability of the service ●How much will user understand? ●How easy is it to fool the user?

Security and Fraud, 2000

the word is

09.03.00

A bit about Java

●Write once, run anywhere  platform independent ●Anywhere that has the “Java Virtual Machine” ●Code transmitted is small ●Designed to be secure, in that the JVM can control what functions and memory can be accessed by an application

Security and Fraud, 2000

the word is

A bit more

Java

Java Application Programming Interfaces (API’s)

Java Virtual Machine

Security and Fraud, 2000

Platform OS

the word is

09.03.00

Java Phone

●Phone manufacturers could write all the phone software in Java ●Enable easier software reuse, and easier development through standard O/S environment ●Download of upgrades via MExE ●PersonalJava is too big  kJava, KVM developed

Security and Fraud, 2000

the word is

KVM

09.03.00

●Virtual Machine rewritten from scratch ●devicesAPI’s rewritten and optimised for “limited” ●Core API’s have been defined ●“Profiles”, sets of mandatory and optional API’s are being defined via Java Specification Requests (JSR’s)

Security and Fraud, 2000

the word is

09.03.00

KVM uses

●KVM will bring phone and PDA together ●Download of applications to phone will be a reality ●Opportunities ●for services ●for fraud ●Security architecture not yet clear ●Untrusted code can still be dangerous

Security and Fraud, 2000

the word is

09.03.00

The future’s bright, it’s a rainbow

●There are no issues with application layer security? ●Mobile network operator provides bearer services ●Security at the application layer provided by the value added service provider (VASP) ●Terminal and infrastructure manufacturers want terminals to support many services ●Increased terminal value ●Increased numbers of service providers ●Increased network usage  operators should be happy

Security and Fraud, 2000

the word is

09.03.00