Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security in WAP Sanket Naik, Ameya Varde CS590F Fall 2000.

Published byVirginia King Modified over 8 years ago

Similar presentations

Presentation on theme: "Security in WAP Sanket Naik, Ameya Varde CS590F Fall 2000."— Presentation transcript:

1 Security in WAP Sanket Naik, Ameya Varde CS590F Fall 2000

2 Motivation and Goals To study the security issues in WAP To analyze an existing implementation and implement enhancements To investigate security holes in the implementation and WAP in general To suggest improvements for both

3 Implementation WAP stack from Kannel (www.kannel.org)www.kannel.org An on-going open source project implementing the WAP stack No WTLS support WTLS layer from 3ui.com (www.3ui.com)www.3ui.com We identified 2 security enhancements: SSL connection between WAP gateway and Content (HTML) server Authentication of the WAP gateway by the WAP client Both missing in WTLS patch from 3ui

4 Kannel architecture

5 Security Enhancements

6 Development tools Platform – Linux OpenSSL crypto library (http://www.openssl.org)http://www.openssl.org NOKIA WAP Toolkit (http://www.forum.nokia.com)http://www.forum.nokia.com Simulates a web-enabled NOKIA 7110 phone

7 WTLS optimizations Why optimize? Low bandwidth Less processing power Less memory Weaker power supply The optimizations Abbreviated handshake – using pre-master secret from previous session Optional steps – Client can send NULL reply to Certificate request, Anonymous key exchange etc.

8 The flaws Encryption not truly end-to-end Abbreviated handshake susceptible to replay attack Chosen plain-text attack: IV for each packet = Sequence number XOR Original IV DOS attack: Alerts are unauthenticated Man-in-the-middle attack: 40 bit XOR MAC allows even bit changes Impersonation: Anonymous key exchange methods allow key generation w/o Authentication (Kannel WTLS has only anonymous key exchange methods!) Weaker encryption mechanisms due to export regulations

9 Suggestions WAP specifications Enforce Client authentication rather than keep it optional Make WTLS layer mandatory whether people use it or not. Implementation Provide Gateway authentication in WAP clients Add stronger algorithms, keys and key exchange methods to the cipher suites

10 Conclusions WTLS Specs propose weak security Developers and Manufacturers are deploying WAP stacks which do not meet even these weak security requirements Mostly due to lack of security expertise Open source exposing these weaknesses Yet additional code review required Our 2 bits should be checked in soon…

Download ppt "Security in WAP Sanket Naik, Ameya Varde CS590F Fall 2000."

Similar presentations

Web security: SSL and TLS

Web security: SSL and TLS
1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.

1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.
CS470, A.SelcukSSL/TLS & SET1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukSSL/TLS & SET1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Proposal for WAP-IETF co- operation on a wireless friendly TLS Tim Wright, Vodafone and chair WAP Security Group

Proposal for WAP-IETF co- operation on a wireless friendly TLS Tim Wright, Vodafone and chair WAP Security Group
TLS. 14.1 Introduction 14.2 TLS Record Protocol 14.3 TLS Handshake Protocol 14.4 Summary.

TLS Introduction 14.2 TLS Record Protocol 14.3 TLS Handshake Protocol 14.4 Summary.
SMUCSE 5349/49 SSL/TLS. SMUCSE 5349/7349 Layers of Security.

SMUCSE 5349/49 SSL/TLS. SMUCSE 5349/7349 Layers of Security.
Performance and Efficiency in Wireless Security Terry Fletcher, Senior Security Architect Chrysalis-ITS

Performance and Efficiency in Wireless Security Terry Fletcher, Senior Security Architect Chrysalis-ITS
Secure Socket Layer.

Secure Socket Layer.
SSL CS772 Fall 2011. Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.

SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
17.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 17 Security at the Transport Layer: SSL and TLS.

17.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 17 Security at the Transport Layer: SSL and TLS.
Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)

Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)
Web Security (SSL / TLS)

Web Security (SSL / TLS)
Internet Security Protocols

Internet Security Protocols
7-1 Chapter 7 – Web Security Use your mentality Wake up to reality —From the song, I've Got You under My Skin“ by Cole Porter.

7-1 Chapter 7 – Web Security Use your mentality Wake up to reality —From the song, "I've Got You under My Skin“ by Cole Porter.
An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.

An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.
Transport Layer Security (TLS) Protocol Introduction to networks and communications(CS555) Prof : Dr Kurt maly Student:Abhinav y.

Transport Layer Security (TLS) Protocol Introduction to networks and communications(CS555) Prof : Dr Kurt maly Student:Abhinav y.
CSE 461 Section. “Transport Layer Security” protocol Standard protocol for encrypting Internet traffic Previously known as SSL (Secure Sockets Layer),

CSE 461 Section. “Transport Layer Security” protocol Standard protocol for encrypting Internet traffic Previously known as SSL (Secure Sockets Layer),
ECE 454/CS 594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall.

ECE 454/CS 594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall.
A Survey of WAP Security Architecture Neil Daswani

A Survey of WAP Security Architecture Neil Daswani
Wireless Application Protocol and i-Mode By Sridevi Madduri Swetha Kucherlapati Sharrmila Jeyachandran.

Wireless Application Protocol and i-Mode By Sridevi Madduri Swetha Kucherlapati Sharrmila Jeyachandran.

Similar presentations

Ads by Google