IIR-tutorial-4

IIR-tutorial-4

Documents
12 Pages
Read
Download
Downloading requires you to have access to the YouScribe library
Learn all about the services we offer

Description

“application” layer securityTim WrightCommunications Security and AdvancedDevelopment GroupVodafone LimitedSecurity and Fraud, 2000 the word is09.03.00ContentsIntroduction to public key cryptographyWAP securityMExE and MExE securityIntroduction to Java / J2MEIssues and challenges for application layer securitySecurity and Fraud, 2000 the word is09.03.00Digital signatures and PKSecret key cryptography - good where you trust whoyou’re talking toPublic key crypto where you don’t or have problemstransmitting keysA private key for every public keyEncrypt with public key and decrypt with privateOr the reverse - sign with private key, verify withpublicSecurity and Fraud, 2000 the word is09.03.00CertificatesPublic keys can be public but could be changedPossibility of spoofingCertificate is a public key signed with a “higher”private keyNeed a public key to verify that private keyEnd up with a root at the topPublic Key Infrastructure, PKI, is:Certification Authorities (CA), from which certificates areobtainedRegistration Authorities (RA), that check identity of clientbefore certificate is issuedinterfaces between these and other nodesSecurity and Fraud, 2000 the word is09.03.00WAP - servicesInitially just browsingFuture:mobile e-commercedownloaded scripts and applicationstelephony control (WTA)links to external devicesSecurity and Fraud, 2000 the word is09.03.00WAP - ...

Subjects

Informations

Published by
Reads 37
Language English
Report a problem
“application” layer security
Tim Wright Communications Security and Advanced Development Group Vodafone Limited
Security and Fraud, 2000
the word is
Contents
09.03.00
Introduction to public key cryptography WAP security MExE and MExE security Introduction to Java / J2ME Issues and challenges for application layer security
Security and Fraud, 2000
the word is
09.03.00
Digital signatures and PK
Secret key cryptography  good where you trust who you’re talking to Public key crypto where you don’t or have problems transmitting keys A private key for every public key Encrypt with public key and decrypt with private Or the reverse signwith private key,verifywith public
Security and Fraud, 2000
the word is
Certificates
09.03.00
Public keys can be public but could be changed Possibility of spoofing Certificate is a public key signed with a “higher” private key Need a public key to verify that private key End up with a root at the top Public Key Infrastructure, PKI, is: Certification Authorities (CA), from which certificates are obtained Registration Authorities (RA), that check identity of client before certificate is issued interfaces between these and other nodes the word is Security and Fraud, 2000 09.03.00
WAP  services
Initially just browsing Future: mobile ecommerce downloaded scripts and applications telephony control (WTA) links to external devices
Security and Fraud, 2000
the word is
WAP  security
09.03.00
Transport security WTLS Application security WMLScript support for digital signature (SignText), end to end client authentication WAP identity module Storage and processing of sensitive security parameters Wireless PKI To support transport security and application security
Security and Fraud, 2000
the word is
09.03.00
WTLS
WTLS is the wireless equivalent of SSL/TLS Extends from WAP client to WAP gateway or WAP server New certificate format “WTLS certificate” compact, but can only be used for WAP gateway/server authentication WAP clients need to be initialised with appropriate root public keys by trusted means  preferably on a SIM or at terminal manufacture end to end transport layer security is still WTLS, re directed to a new gateway
Security and Fraud, 2000
the word is
Digital signatures in WAP
09.03.00
WMLScript function in WML pages to call signing or client authentication function Allows users to sign web documents and forms and/or be authenticated to end point WML provider can receive and verify signed documents from users Can be used to secure ecommerce transactions Could provide non repudiation
Security and Fraud, 2000
the word is
09.03.00
WIM
Specification of aninterfaceto a security module No specification of hardware security (best solution is IC card) WIM uses RSA PKCS#15 specification for directory structure and ASN.1 encoding of cryptographic parameters WIM can be on separate IC card (ICC) same ICC as SIM integrated into SIM
Security and Fraud, 2000
the word is
WPKI
09.03.00
Definition of certificate profiles for WAP applications Standardised way for client to obtain a certificate Specifies installation of trusted root keys Provides method of securing WTA PKI not required if just WAP gateway/server authentication and traffic encryption is needed
Security and Fraud, 2000
the word is
09.03.00
Signed content in WAP
EFI  External Function Interface (WAP 1.4) Framework for WMLScripts to access functions external to the phone  second ICC, IrDA, Bluetooth, GPS Signed content may be the security mechanism Signed content is to be used for WTA security in the long term
Security and Fraud, 2000
the word is
WAP security  issues
Few roots on the browser Will there be at least one root that is on all terminals? Or will VASP’s need multiple certificates? Operator provided root on the SIM Installation of new roots on the terminal opens up PKI commercially opens up holes in WAP security Effect of false base station MSISDN pass through for user/client id Few roots  means no restrictions on what root certificates can be used for?
Security and Fraud, 2000
the word is
09.03.00
09.03.00
MExE
Mobile Execution Environment Framework for download of scripts, applets, applications and phone softwaretomobile phones Making the phone more like a PC/PDA Standardised environment  write once, run anywhere MExE classmarks Classmark 1: applications are written in WMLScript Classmark 2: applications are written in Java
Security and Fraud, 2000
the word is
MExE security
09.03.00
Mobile code for mobile phones Downloaded code can make calls, change MMI, look at user data, …. Dangerous! MExE therefore hasuntrustedandtrusted applications Trusted applications are digitally signed by their originator and can do much more than untrusted applications
Security and Fraud, 2000
the word is
09.03.00
MExE trusted domains
Three trusted execution domains Operator Manufacture Third party Trusted application can only execute if signature can be verified on the client Root public keys loaded onto terminal by secure means Operator and third party keys can be loaded onto SIM
Security and Fraud, 2000
the word is
User permission in MExE
09.03.00
Applications cannot be installed without user permission Applications cannot carry out functions without user permission Three types of user permission Single action Session Blanket Tradeoff between flexibility of security architecture and usability of the service How much will user understand? How easy is it to fool the user?
Security and Fraud, 2000
the word is
09.03.00
A bit about Java
Write once, run anywhere  platform independent Anywhere that has the “Java Virtual Machine” Code transmitted is small Designed to be secure, in that the JVM can control what functions and memory can be accessed by an application
Security and Fraud, 2000
the word is
A bit more
Java
Java Application Programming Interfaces (API’s)
Java Virtual Machine
Security and Fraud, 2000
Platform OS
the word is
09.03.00
09.03.00
Java Phone
Phone manufacturers could write all the phone software in Java Enable easier software reuse, and easier development through standard O/S environment Download of upgrades via MExE PersonalJava is too big  kJava, KVM developed
Security and Fraud, 2000
the word is
KVM
09.03.00
Virtual Machine rewritten from scratch devicesAPI’s rewritten and optimised for “limited” Core API’s have been defined “Profiles”, sets of mandatory and optional API’s are being defined via Java Specification Requests (JSR’s)
Security and Fraud, 2000
the word is
09.03.00
KVM uses
KVM will bring phone and PDA together Download of applications to phone will be a reality Opportunities for services for fraud Security architecture not yet clear Untrusted code can still be dangerous
Security and Fraud, 2000
the word is
09.03.00
The future’s bright, it’s a rainbow
There are no issues with application layer security? Mobile network operator provides bearer services Security at the application layer provided by the value added service provider (VASP) Terminal and infrastructure manufacturers want terminals to support many services Increased terminal value Increased numbers of service providers Increased network usage  operators should be happy
Security and Fraud, 2000
the word is
09.03.00