Security in WAP and WTSL

1
Security in WAP and WTSL By Yun Zhou
2
Overview of WAP (Wireless Application Protocol)

• Proposed by the WAP Forum (Phone.com, Ericsson,
  Nokia, Motorola) in 1997.
• A wireless communication model, similar to the
  ISO OSI model
• An application environment for deploying wireless
  services regardless of different types of
  services, wireless bearers, and devices.
• WAP provides a series of security measures
• However, there are still various security
  loopholes in WAP.

3
WAP Architecture
Components WAP device (cell phone), WAP
client/browser, User agent, Network operator
(companies that provides bearer services),
Bearer services (SMS, CDMA), Application server
4
WAP Protocols

• Recall the ISO OSI model

• WAE (Wireless Application Environment) WML,
  WMLScript
• WSP (Wireless Session Protocol) and WTP
  (Wireless
• Transaction Protocol) together provide session
  layer services
• connection oriented sessions or connectionless
  sessions. Reliable
• sessions can be resumed.
• WTLS (Wireless Transport Layer Security)
  (Optional)

5
Overview of WTLS

• Based on TLS
• Provides client-server mutual authentication,
• privacy, data integrity, non-repudiation
• But not the same as TLS
• Modifications due to
• Narrow-bandwidth communication channel
• Much less processing power
• Much less memory
• High loss ratio
• Unexpected disconnections
• Restrictions on exported encryption algorithms
• Built on top of WDP and UDP (unreliable data
  transfer)
• More security problems

6
WTLS Sub-Protocols

• WTLS contains four sub-protocols
• Handshake protocol
• Client and server negotiate over the security
• parameters to be used for later message
  exchanges
• Alert protocol
• Specifies the types of alerts and how to
  handle them.
• warning, critical, fatal
• Alerts can be sent by either the client or the
  server.
• Application protocol interface for the upper
  layer
• Change Cipher Spec Protocol
• Usually used towards the end of the handshake
  when the
• negotiation succeeds

7
What does the handshake specify?
8
Handshake Procedure
Resume connection
Complete handshake
9
How Security Functions Are Achieved

• Authentication
• Supports X.509v3 and X9.68 certificates,
  optimized sizes.
• Key exchange RSA, DH, ECC-DH (Preferable
  algorithm for WAP)
• Bulk encryption algorithms
• RC5 with 40, 56 or 128 bit keys, DES with 40
  or 56 bit keys, 3DES, IDEA with 40, 56 or 128 bit
  keys, and ECC. (No stream ciphers)
• master_secret PRF(pre_master_secret, "master
  secret", ClientHello.random ServerHello.random)
  
• key_block PRF(master_secret expansion_label
  seq_num server_random client_random)
• Keys and IVs are all generated from key_blocks.
• Keys are refreshed according to the negotiated
  frequency.
• MAC algorithms SHA-1, MD5, and SHA_XOR_40

10
Security Loopholes, Threats, Solutions - WAP
Gateway

• Decrypts and re-encrypts data White spot
• End-to-end security, but the ends are actually
• the web client and the gateway.
• Solution by the network operators
• Decrypts and re-encrypts only in the memory
• Cannot solve the problem entirely
• still uses swapfiles, hackers can do core
  dumps
• Some companies try to completely get rid of the
• WAP gateway.

11
Deploy the Gateway in the Servers network
Decryption and re-encryption are done on the
server side.
12
Security Loopholes, Threats, Solutions - WTLS

• Has to use keys of small sizes
• 40-bit DES -gt 35 bits are actually used
• Allows weak algorithms to be chosen
• exchanges unauthorized messages or unencrypted
  packet fields, such as alert messages and
  recode_type field.
• Vulnerable to viruses, Trojan horses, and worms.
• Saarinen discussed a chosen plaintext data
  recovery attack, a datagram truncation attack, a
  message forgery attack, and a key-search shortcut
  for some exportable keys

13
Attack against SHA_XOR_40

• SHA_XOR_40
• Padded messages are divided into 5-byte
  blocks. All blocks are XORed to get the digest.
• Attack
• Flip a bit in one block, flip the bit in the
• corresponding position in the digest
• Tada! Message modification succeeds!

14
User Authentication vs. Device Authentication -
WIM

• Mobile devices are easy to lose
• One British article reported that for the first
  time of this century the umbrella has been
  overtaken as the most popular item to leave on a
  train by mobile phones.
• Cannot authenticate user if the passwords and
• certificates are stored locally
• Use WIM (Wireless Identity Module), which can be
  a smart card or a SIM card.
• Dedicated memory
• Provides user authentication
• Need to keep it separately from the device. Hard
  to
• achieve.

15
References

• Arehart, C., Professional WAP, Wrox Press Ltd,
  2000.
• Jormalainen, S., Laine, J. Security in WTLS,
  10/1/2000. Referred on 3/24/2004,
  lthttp//www.hut.fi/jtlaine2/wtls/gt
• Nicolas, R., Lekkas, P. Wireless security
  models, threats, and solutions. McGraw-Hill.
  2002.
• Saarinen, Markku-Juhani, Attacks against the WAP
  WTLS Protocol, 9/221999 Referred on 3/24/2004,
  lt http//www.jyu.fi/mjos/wtls.pdfgt
• Schneier, B., Applied Cryptography, Second
  Edition, John Wiley Sons, Inc, p. 758, 1996.
• WAP Forum, WAP Security Group (WSG) Charter,
  6/12/2002 Referred on 3/24/2004.