1. Unified Security Architectures for Web and WAP: Vision or Fiction?
Oliver Pfaff, Siemens AG
2. E-/M-Business Paradigms
Business process owners implement multiple distribution channels to supply services to their customers (retail, call-center, kiosk, Web, WAP, ...).
E-/M-Business represents business processes digitally. Public networks and corresponding terminals are integrated to enable ubiquitous service access.
E-/M-Business architectures separate the actual business logic implementation from service presentation/delivery:
- To avoid business process re-implementation when augmenting service provisioning means.
- To accommodate different system life cycles which may be driven by different factors.
3. Considered E-/M-Business Architecture
[Diagram: user agents at home, in a hotel, in the office, or mobile reach the E-/M-Business service over public networks (PSTN, IP network, network operator) and the intranet. Service portals form the service frontend; the business logic forms the service backend. The E-/M-Business transaction spans from the user agent to the service backend.]
4. State-of-the-Art in Web and WAP Security
Web and WAP security comply with the same technology paradigms:
- Transport-bound security (transient data encapsulation). Web: SSL/TLS; WAP: WTLS.
- Information-bound security (persistent data encapsulation). Web: PKCS#7 SignedData via JavaScript ‘crypto.signText’ or MS-CAPICOM ‘Sign’; WAP: WMLScript Crypto SignedContent via ‘Crypto.signText’.
- Security token (storing and employing cryptographic keys). Web: PKCS#11/MS-CSP module; WAP: WIM.
- Public key infrastructure (binding entity identifiers to public keys). Web: PKIX; WAP: WPKI.
WAP security defines formats, protocols, and procedures which deviate from Web technologies.
5. E-/M-Business Owner Concerns
The provision of business processes over public infrastructure such as the Internet and mobile networks requires adequate IT security:
- To what extent should business process owners invest in different security technologies when serving the same business processes via different provisioning means such as Web and WAP?
- In particular: do they need to invest in different security infrastructures?
To examine the feasibility of unified security architectures for Web and WAP-based business services in the sequel, we are going to distinguish:
- Application from infrastructure aspects
- Application aspects according to client- and server-side issues
- Infrastructure aspects according to PKI and security token issues
6. Integration of Transport-Bound Security Services
SSL/TLS and WTLS should terminate in the same network infrastructure sector to offer homogeneous services. An implementation option is:
[Diagram: Web clients on the public networks (PPP dial-in over the PSTN) run HTTP over SSL/TLS/TCP/IP through a Web proxy in the DMZ (HTTP/TCP/IP on both of its sides) to the Web server in the private network, whose stack is HTTP/SSL/TLS/TCP/IP in front of the business logic. WAP clients (PPP over CSD, base station, dial-in server, PSTN) run WSP/WTP/WTLS/UDP/IP to a WAP gateway in the DMZ, which terminates WTLS and forwards HTTP over SSL/TLS/TCP/IP to the same Web server.]
7. Client-Specific Authentication Services
[Diagram: the ‘application plane’ spans user agent and E-/M-Business service; the ‘infrastructure plane’ spans security token and PKI. The security token (WIM, or a PKCS#11/MS-CAPI module) performs Sign: it signs a nonce for entity authentication (WTLS on the WAP side, SSL/TLS on the Web side) or signs text for message authentication (WMLScript Crypto, PKCS#7). The service's security module performs Validate against the PKI and maps the entity ID of the PKI domain to the entity ID of the E-/M-Business domain.]
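To make the two authentication services on this slide concrete, here is an added example written for this page (it is not code from the original presentation or from Siemens) in Go, using only the standard library. It models a token that only ever signs, and a service-side security module that issues single-use nonces for entity authentication and verifies signed text for message authentication, mapping the signer to a business-domain entity ID. The key identifier (a SHA-256 over the public key's DER encoding, standing in for the PKI-domain entity ID), the entity names, and the use of ECDSA P-256 are assumptions of the example; certificate handling is left to the next slide.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"errors"
)

// Token stands in for a WIM or PKCS#11/MS-CSP module (constructed for this example):
// the private key never leaves it, and Sign is the only operation it offers.
type Token struct{ key *ecdsa.PrivateKey }

func NewToken() *Token {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Token{key: key}
}
func (t *Token) Public() *ecdsa.PublicKey { return &t.key.PublicKey }

func (t *Token) Sign(data []byte) []byte {
	d := sha256.Sum256(data)
	sig, err := ecdsa.SignASN1(rand.Reader, t.key, d[:])
	if err != nil {
		panic(err)
	}
	return sig
}

// KeyID names a public key by the SHA-256 of its DER encoding. It stands in for the
// PKI-domain entity identifier; certificate handling is outside this example.
func KeyID(pub *ecdsa.PublicKey) string {
	der, _ := x509.MarshalPKIXPublicKey(pub)
	s := sha256.Sum256(der)
	return hex.EncodeToString(s[:])
}

// SecurityModule is the service-side validator: enrolled keys by KeyID, the map from
// KeyID to the E-/M-Business-domain entity ID, and the nonces issued but not yet consumed.
type SecurityModule struct {
	keys     map[string]*ecdsa.PublicKey
	entities map[string]string
	pending  map[string]bool
}

func NewSecurityModule() *SecurityModule {
	return &SecurityModule{keys: map[string]*ecdsa.PublicKey{}, entities: map[string]string{}, pending: map[string]bool{}}
}

// Enroll records a public key under a business entity ID (registration, collapsed to a map).
func (m *SecurityModule) Enroll(pub *ecdsa.PublicKey, entity string) {
	m.keys[KeyID(pub)], m.entities[KeyID(pub)] = pub, entity
}

// IssueNonce creates a fresh 16-byte challenge and remembers it as pending.
func (m *SecurityModule) IssueNonce() []byte {
	n := make([]byte, 16)
	if _, err := rand.Read(n); err != nil {
		panic(err)
	}
	m.pending[string(n)] = true
	return n
}

// verify checks sig over msg with the enrolled key and returns the mapped entity ID.
func (m *SecurityModule) verify(keyID string, msg, sig []byte) (string, error) {
	pub, ok := m.keys[keyID]
	if !ok {
		return "", errors.New("signer not enrolled")
	}
	d := sha256.Sum256(msg)
	if !ecdsa.VerifyASN1(pub, d[:], sig) {
		return "", errors.New("signature invalid")
	}
	return m.entities[keyID], nil
}

// AuthenticateEntity is the signed-nonce service (client authentication in WTLS and
// SSL/TLS): the nonce must be one this module issued and still pending, and the attempt
// consumes it, so a captured signature cannot be replayed.
func (m *SecurityModule) AuthenticateEntity(keyID string, nonce, sig []byte) (string, error) {
	if !m.pending[string(nonce)] {
		return "", errors.New("nonce not issued or already consumed")
	}
	delete(m.pending, string(nonce))
	return m.verify(keyID, nonce, sig)
}

// AuthenticateMessage is the signed-text service (WMLScript Crypto SignedContent or
// PKCS#7 SignedData): the text persists, so the same signature verifies any number of times.
func (m *SecurityModule) AuthenticateMessage(keyID string, text, sig []byte) (string, error) {
	return m.verify(keyID, text, sig)
}
```

The asymmetry is the point: a signed nonce is transient and is useful exactly once, for the session in which the service issued it, whereas a signed text is persistent evidence that a relying party can verify again later. Both use the same key in the token, which is why the slide places token and PKI in one infrastructure plane.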
8. Default WPKI Client Certificate Types
[Diagram: for each type, the PKI provisions the certificate (or only its ID) to the WAP client, which delivers the certificate (or the ID) to the E-/M-Business; columns: certificate provision, certificate delivery, status information (Y/N).]
- X.509-WAPCert: based on PKIX (RFC 2459); defines additional constraints to achieve compactness. The profile applies to certificates sent over-the-air. Relying parties receive client certificates in-band.
- X.509-PKIX: the profile applies to certificates not sent over-the-air. Relying parties have to fetch client certificates by ID (e.g. URL or hash value). This allows client certificate handling to be offloaded from mobile devices.
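The two delivery modes on this slide, as an added example that is not part of the original presentation: a Go relying party, written against the standard library only, that accepts a client certificate either in-band or as an ID that it resolves against a PKI repository. The ID form used here, a hex SHA-256 of the DER encoding, is one reading of the slide's "hash value" and is an assumption, as are the root and subject names, the ECDSA keys, and the constructed fixture PKI. Whatever the repository returns is re-hashed and compared with the requested ID before it is trusted, and both delivery modes end in the same chain validation against the trust anchors.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"math/big"
	"time"
)

// Delivery is what the WAP client hands to the relying party: the certificate itself
// (in-band, X.509-WAPCert profile) or only an ID under which the relying party fetches
// it (out-of-band, X.509-PKIX profile). The ID form used here, hex SHA-256 over the DER
// encoding, is one of the "URL or hash value" options and is an assumption of this example.
type Delivery struct {
	Cert   []byte
	CertID string
}

func CertID(der []byte) string { s := sha256.Sum256(der); return hex.EncodeToString(s[:]) }

// RelyingParty holds its trust anchors and the PKI repository it fetches from by ID.
type RelyingParty struct {
	Roots *x509.CertPool
	Repo  map[string][]byte
}

// ResolveClientCert returns the validated client certificate for either delivery
// mode. A fetched certificate must hash to the ID it was requested under (the
// repository is not trusted to answer honestly), and in both modes the certificate
// must chain to a trust anchor and be valid for client authentication.
func (rp *RelyingParty) ResolveClientCert(d Delivery) (*x509.Certificate, error) {
	der := d.Cert
	if der == nil {
		fetched, ok := rp.Repo[d.CertID]
		if !ok {
			return nil, errors.New("certificate ID unknown to repository")
		}
		if CertID(fetched) != d.CertID {
			return nil, errors.New("fetched certificate does not match requested ID")
		}
		der = fetched
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	opts := x509.VerifyOptions{Roots: rp.Roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return nil, err
	}
	return cert, nil
}

// mkCert issues a constructed certificate: self-signed when isCA, otherwise a client
// certificate signed by parent.
func mkCert(serial int64, cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, []byte, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if isCA {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else {
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, der, key
}

// Fixture builds a constructed PKI: a root, a client certificate for "subscriber-4711",
// and a relying party trusting that root. A second, unrelated root issues "subscriber-9999"
// so that chain validation has something to reject; both certificates sit in the repository.
func Fixture() (rp *RelyingParty, clientDER, foreignDER []byte) {
	root, _, rootKey := mkCert(1, "Example WPKI Root", true, nil, nil)
	_, clientDER, _ = mkCert(2, "subscriber-4711", false, root, rootKey)
	other, _, otherKey := mkCert(3, "Unrelated Root", true, nil, nil)
	_, foreignDER, _ = mkCert(4, "subscriber-9999", false, other, otherKey)
	roots := x509.NewCertPool()
	roots.AddCert(root)
	repo := map[string][]byte{CertID(clientDER): clientDER, CertID(foreignDER): foreignDER}
	return &RelyingParty{Roots: roots, Repo: repo}, clientDER, foreignDER
}
```

Out-of-band delivery moves the certificate bytes off the air interface, but it does not move trust to the repository: the relying party still decides, after the ID check and chain validation, whether the subject is acceptable.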
9. ICC-Based WIM Options
- Integrated SIM/WIM card. WIM owner: wireless operator; WPKI domain: operator's discretion. E-/M-Business owner concern: may WIM resources be re-used for Web applications?
- SIM plus WIM via internal secondary reader (dual-slot), or SIM plus WIM via external reader. WIM owner and WPKI domain: E-/M-Business's discretion. E-/M-Business owner concern: may security tokens and PKI be deployed for Web and WAP services simultaneously?
10. Integrated SIM/WIM Card in Web Security
To employ SIM/WIM cards owned by wireless operators in Web security, E-/M-Businesses need to adopt PKI domains which are deployed at the discretion of wireless operators:
- X.509-PKIX client certificates imply certificate IDs which are currently not defined in SSL/TLS and PKCS#7. Thus, signers have to do certificate fetch operations.
- X.509-WAPCert client certificates support in-band delivery in a straightforward way. They require relying parties to support the X.509-WAPCert profile.
Integration with PC-based Web clients is a subject of current R&D efforts. The sketched stack employs the mobile as a personal security device.
[Diagram: on the PC, PKCS#11 and MS-CAPI applications use a PKCS#11/MS-CSP module which reaches the WIM module on the mobile over an air interface (e.g. Bluetooth); the WIM module accesses the SIM/WIM over ISO 7816.]
11. SIM-Independent WIM in Web/WAP Security
PKCS#15-based PSEs may be defined such that PSE-carrying ICCs can simultaneously be used as security tokens for Web and WAP clients:
- Web client integration requires a PKCS#11/MS-CSP module with a PKCS#15 interpreter. PC/SC provides reader independence.
- WAP client integration requires a WIM and a PKCS#15 interpreter.
These software modules may supply different features (e.g. certificate in-band and out-of-band delivery) on the basis of the same cryptographic keys under the effective security policies. The sketched design shows a sample layout.
[Diagram: on the ICC, the MF holds two DF(PKCS15) application directories, one with AID WAP-WIM and one with AID PKCS-15, each with its own reference system; the ICC application's security objects are EF(Private key), EF(Certificate) and EF(Certificate ID). On the host, a PKCS#11/MS-CSP module with a PKCS#15 interpreter (AID: PKCS-15) serves PKCS#11 and MS-CAPI, and a WIM with a PKCS#15 interpreter (AID: WAP-WIM) serves the WIM service primitives; both access the card over ISO 7816 (and proprietary interfaces).]
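As an added illustration of the sample layout (constructed for this page; it is neither a WIM nor a PKCS#15 implementation and not code from the presentation), the following Go model of the ICC has two application directories selected by AID, one exposing EF(Certificate ID) and one exposing EF(Certificate), both referencing the same private key object. The ISO 7816-4 commands SELECT, READ BINARY, VERIFY and PSO: COMPUTE DIGITAL SIGNATURE are reduced to method calls returning status words. The AID strings, file names, PIN, subject name and the SHA-256 certificate ID form are assumptions; the retry counter and the reference systems of a real card are omitted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// ISO 7816-4 status words used by this constructed card model.
const (
	SwOK             = 0x9000
	SwFileNotFound   = 0x6A82
	SwSecurityStatus = 0x6982 // security status not satisfied
	SwPinWrong       = 0x6300 // verification failed (the retry counter is omitted here)
)

// EF is an elementary file with its read access condition; the private key object is never readable.
type EF struct {
	Data     []byte
	Readable bool
}

// Card is the ICC: two DF(PKCS15) applications, keyed by AID, referencing one private key object.
type Card struct {
	apps        map[string]map[string]*EF
	selected    map[string]*EF
	key         *ecdsa.PrivateKey // the shared key; it never leaves the card
	pin         string
	pinVerified bool
}

// NewCard lays out the sample design: "WAP-WIM" exposes EF(Certificate ID) for out-of-band delivery,
// "PKCS-15" exposes EF(Certificate) for in-band delivery, both reference the same key (AIDs are the slide's labels).
func NewCard(pin string) *Card {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "subscriber-4711"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	certDER, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key) // constructed, self-signed
	if err != nil {
		panic(err)
	}
	keyRef := &EF{Data: []byte{0x01}} // key reference 1, shared by both DFs, not readable
	return &Card{pin: pin, key: key, apps: map[string]map[string]*EF{
		"WAP-WIM": {"EF(Private key)": keyRef, "EF(Certificate ID)": {Data: Digest(certDER), Readable: true}},
		"PKCS-15": {"EF(Private key)": keyRef, "EF(Certificate)": {Data: certDER, Readable: true}},
	}}
}
// Digest is SHA-256: the assumed certificate ID form, and the hash the card signs.
func Digest(msg []byte) []byte { d := sha256.Sum256(msg); return d[:] }

// Select models SELECT by AID; the PIN state does not carry over to another application.
func (c *Card) Select(aid string) int {
	df, ok := c.apps[aid]
	if !ok {
		return SwFileNotFound
	}
	c.selected, c.pinVerified = df, false
	return SwOK
}

// ReadBinary models READ BINARY on a file of the selected application.
func (c *Card) ReadBinary(name string) ([]byte, int) {
	ef := c.selected[name] // a nil map (nothing selected) simply yields nil
	if ef == nil {
		return nil, SwFileNotFound
	} else if !ef.Readable {
		return nil, SwSecurityStatus
	}
	return ef.Data, SwOK
}

// VerifyPIN models VERIFY, comparing the presented PIN in constant time.
func (c *Card) VerifyPIN(pin string) int {
	c.pinVerified = subtle.ConstantTimeCompare([]byte(pin), []byte(c.pin)) == 1
	if !c.pinVerified {
		return SwPinWrong
	}
	return SwOK
}

// ComputeSignature models PSO: COMPUTE DIGITAL SIGNATURE; it needs a selected application with a key reference and a verified PIN.
func (c *Card) ComputeSignature(digest []byte) ([]byte, int) {
	if c.selected["EF(Private key)"] == nil {
		return nil, SwFileNotFound
	} else if !c.pinVerified {
		return nil, SwSecurityStatus
	}
	sig, err := ecdsa.SignASN1(rand.Reader, c.key, digest)
	if err != nil {
		panic(err) // internal failure of the model, not a card status
	}
	return sig, SwOK
}
```

The behaviour worth checking against this model: a signature computed under the WAP-WIM application verifies with the public key of the certificate read under the PKCS-15 application (one key, two delivery features); EF(Private key) answers 6982 to READ BINARY in either application; and selecting the other application drops the verified-PIN state, so each interpreter has to satisfy the card's security policy itself.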
12. WAP 1.x Impact on E-/M-Business Security
Transport-bound security: WTLS is part of WAP releases since WAP 1.0 (1998):
- Class 1/2: best current practice; limited E-/M-Business service impact.
- Class 3: no wide deployment until now; infrastructure impact through client-side PKI and tokens.
Information-bound security: WMLScript Crypto is part of WAP releases since 1.2 (1999):
- ‘Crypto.signText’ and SignedContent: no wide deployment until now; infrastructure impact through client-side PKI and tokens. Note: SignedContent may be transformed into PKCS#7 SignedData.
Security token: WIM is part of WAP releases since 1.2 (1999):
- ISO 7816/PKCS#15-based token: no wide deployment until now; SIM/WIM integration with Web clients is a subject of R&D efforts, SIM-independent WIM may be used with Web and WAP applications.
Public key infrastructure: until the ‘June 2000 Release’, WPKI specifications were not part of WAP releases (preliminary WAPCert and WPKI documents already existed).
13. Advances Through WAP 2.0 (‘June 2001 Release’)
Transport-bound security: WTLS persists and is being augmented by transport-level end-to-end security for enhanced enterprise WAP gateway support. TLS support is added for end-to-end security between mobiles and Web servers:
- WAPCert is going to replace the WTLS server certificate format.
- Due to TLS and HTTP support, WAP gateways are becoming optional.
Information-bound security: WMLScript Crypto persists; constraints remain as described before.
Security token: WIM persists; constraints remain as described before.
Public key infrastructure: WAPCert and WPKI advance to ‘conformance release’ specifications: WPKI constraints may largely be accommodated at the infrastructure border (cf. next slide).
14. WPKI Integration
[Diagram: a WPKI portal sits between the WPKI service consumers and the PKI service providers (RA, CA, repository).]
WPKI-specific processing:
- Client certificates: POP during PKI registration is based upon WAP security mechanisms. WAP in-band delivery requires X.509-WAPCert certificates. WAP out-of-band delivery is based on IDs; the certificates comply with PKIX.
- Server certificates: currently based upon the WTLS certificate format; likely to be replaced by the X.509-WAPCert profile.
- Trusted certificates: provisioning and update are based upon WPKI structures delivered with specific MIME types.
Thus, WPKI requirements may largely be accommodated at the PKI border.
15. Conclusions
Private key operations on mobiles are not common practice in today's M-Business services. The required technologies are currently emerging.
The IT strategy of E-/M-Businesses is significantly impacted by the advent of client-specific entity and message authentication services.
Web and WAP security may be unified to a large extent:
- ‘Application plane’: WAP-specific formats and protocols are of limited impact. With WAP 2.0, WAP gateways and WTLS are becoming optional. The WAP signature format can be transformed into PKCS#7.
- ‘Infrastructure plane’: WIMs may be integrated with non-WAP applications. WPKI requirements may largely be accommodated at the PKI border.
Appropriate solution design allows E-/M-Businesses to avoid investments in separate security infrastructures (i.e. PKI and security tokens) when providing services via Web and WAP.
16. Abbreviations
AID: Application ID
API: Application Programming Interface
CA: Certification Authority
CMS: Cryptographic Message Syntax
CSD: Circuit Switched Data
DF: Dedicated File
DMZ: De-Militarized Zone
EF: Elementary File
HTTP: Hypertext Transfer Protocol
ICC: Integrated Circuit Card
ID: Identifier
IETF: Internet Engineering Task Force
IP: Internet Protocol
ISO: International Standards Organization
MF: Master File
MIME: Multipurpose Internet Mail Extensions
MS: Microsoft
MS-CAPI: MS Cryptographic API
MS-CSP: MS Cryptographic Service Provider
PC/SC: Personal Computer/Smart Card
PKCS: Public Key Cryptography Standards
PKI: Public Key Infrastructure
PKIX: PKI-X.509
POP: Proof Of Possession
PPP: Point-to-Point Protocol
PSE: Personal Security Environment
PSTN: Public Switched Telephone Network
RA: Registration Authority
RFC: Request For Comment
SIM: Subscriber Identity Module
SSL: Secure Sockets Layer
TCP: Transmission Control Protocol
TLS: Transport Layer Security
UDP: User Datagram Protocol
URL: Uniform Resource Locator
W3C: World Wide Web Consortium
WAP: Wireless Application Protocol
WIM: Wireless Identity Module
WML: Wireless Markup Language
WMLScript: WML Script
WPKI: Wireless PKI
WSP: Wireless Session Protocol
WTP: Wireless Transaction Protocol
WTLS: Wireless TLS
WWW: World Wide Web
17. Author Information
Dr. Oliver Pfaff
Siemens AG, Information and Communication Networks
Charles-De-Gaulle-Str. 2, D-81730 Munich
E-Mail: oliver.pfaff@icn.siemens.de
Telephone: +49.89.722.53227
Mobile: +49.172.8250805
