Wireless Web Services Security

1
Wireless Web Services Security

• Christopher Lo

2
Overview

• Main differences between wired and wireless web
  services
• Network connection method
• Format supported on mobile devices
• Size of screen on mobile devices
• Mobile Devices
• PDAs Wireless LAN
• Mobile phones WAP WML

3
Wireless LAN

• Most PDAs can handle 802.11i technology allowing
  them to access web services through wireless LAN
• Issues with Wireless LAN
• Uncontrolled range with radio signal
• Exposed setup allows for drive by hacking
• Constantly Changing IPs

4
Wireless LAN Encryption Standards

• WEP - Wired Equivalent Privacy
• WPA - WiFi Protected Access
• RSN - Robust Security Network

5
WEP

• The most problematic of the three
• UC Berkleys study has shown the RC4 stream
  cipher can be broken using a series of
  computation.
• Small keys and need to manually change keys poses
  maintenance problems
• Dictionary attacks can find keys

6
WPA

• Compatible with existing 802.11i
• Temporal Key Integrity Protocol (TKIP)
• Uses a master key to create encryption values
  which are then changed and automatically
  distributed.
• Key mixing for each packet
• A 64-bit message integrity code
• Offers the means to re-key the packet.

7
RSN

• Encrypts with AES-CCMP (AES Counter-Mode Cipher
  Block Chaining Message Authentication Code
  Protocol)
• TKIP is used to handle the older systems
• User authentication and key management is handled
  using the IEEE 802.1x Port Based Network
  Authentication
• Authentication system is based on Extensible
  Authentication Protocol (EAP).
• The authentication server is located on the wired
  network and may also be the same as the Remote
  Authentication Dial-In User Service (RADIUS).

8
WML

• Mobile phones are primarily restricted to WAP for
  accessing web services
• Older mobile phones are mostly restricted to
  black and white screens.
• Size restrictions even with colored screens
• WML is the primary format for wireless web
  services
• WML is an XML application but with much less the
  processing power
• Limited user input available

9
XML to WML

• Most companies write their own WML versions of
  the web service
• Translation should be moved to the portal/web
  server (Phone.com, SprintPCS, etc)
• IBM WebSphere currently supports translation to
  WML

10
WAP

• Wireless Application Protocol
• WAP Gateway translates WTLS to SSL

11
WAP Server

• The WTLS support is built into the web server

12
Issues with XML

• Size is generally too large for mobile devices
• Increased size Increased airtime
• Problem with constantly changing IPs
• Need for compression before encryption

13
Other Concerns Tracking Web Services

• FollowUs, Fleetstar-Online, Kids OK
• Rely on tracking GSM or GPS
• A cell ID must first be registered with a service
  in order to be tracked.
• GPS tracking relies on 24 civilian usable
  satellites that circle the earth.
• Assisted GPS system (AGPS)
• GSM - the SIM card is tracked instead of the
  actual phone.
• The legal stipulations are mapped out in a set of
  Code of Practices.