Security in WAP Sanket Naik, Ameya Varde CS590F Fall 2000.

Motivation and Goals
- To study the security issues in WAP
- To analyze an existing implementation and implement enhancements
- To investigate security holes in the implementation and in WAP in general
- To suggest improvements for both

Implementation
- WAP stack from Kannel, an ongoing open source project implementing the WAP stack; it has no WTLS support
- WTLS layer from the 3ui.com patch
- We identified two security enhancements, both missing from the 3ui WTLS patch:
  - An SSL connection between the WAP gateway and the content (HTML) server
  - Authentication of the WAP gateway by the WAP client

Kannel architecture

Security Enhancements

Development tools
- Platform: Linux
- OpenSSL crypto library
- Nokia WAP Toolkit, which simulates a web-enabled Nokia 7110 phone

WTLS optimizations
Why optimize? Handsets have:
- Low bandwidth
- Less processing power
- Less memory
- A weaker power supply
The optimizations:
- Abbreviated handshake: reuses the secret established in a previous session instead of performing a new key exchange
- Optional steps: the client may send a NULL reply to the server's certificate request, anonymous key exchange methods are allowed, etc.

The flaws
- Encryption is not truly end-to-end: WTLS terminates at the WAP gateway, which sees the plaintext before forwarding it to the content server
- The abbreviated handshake is susceptible to replay attacks
- Chosen-plaintext attack: the IV for each packet is the original IV XOR the sequence number, so the IV difference between any two records is public and predictable
- DoS attack: alert messages are unauthenticated, so an attacker can inject one to tear down a session
- Man-in-the-middle modification: the 40-bit XOR MAC does not detect an even number of bit flips in the same bit position, so a forwarded message can be altered without invalidating its MAC
- Impersonation: anonymous key exchange methods derive keys without authenticating either party (the Kannel WTLS patch offers only anonymous key exchange methods!)
- Weaker encryption mechanisms due to export regulations (40-bit key variants)
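As an added illustration (not code from the slides, from Kannel or from the 3ui patch), the following Python models two of the flaws listed above: the per-record IV derived from the sequence number, and the 40-bit XOR MAC. The block cipher is replaced by a keyed-hash stand-in, the session key, base IV, PIN and payment message are constructed, and the byte layout is an assumption chosen to keep the model small; the only property the IV attack relies on is that the XOR difference between two sequence numbers is public.

```python
"""Constructed model of two WTLS weaknesses named on the slide:
the predictable per-record IV and the 40-bit XOR MAC.
Not code from Kannel, 3ui or the presentation."""
import hmac
import hashlib

BLOCK = 8    # 64-bit block, as for DES/IDEA/RC5 in WTLS cipher suites
MAC_LEN = 5  # 40-bit XOR MAC


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def block_encrypt(key, block):
    """Stand-in for the block cipher (assumption): a keyed PRF truncated to
    one block. The attack only compares ciphertext blocks, so it never
    needs to decrypt; any deterministic keyed block function behaves alike."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def record_iv(base_iv, seq):
    """Per-record IV as the slide describes it: base IV XOR sequence number."""
    return xor(base_iv, seq.to_bytes(BLOCK, "big"))


class WtlsSender:
    """Encrypts the first CBC block of each record under the predictable IV.
    Stands in for a WTLS client the attacker can induce to send chosen data."""

    def __init__(self, key, base_iv):
        self.key, self.base_iv, self.seq = key, base_iv, 0

    def send(self, first_block):
        iv = record_iv(self.base_iv, self.seq)
        c = block_encrypt(self.key, xor(iv, first_block))  # C_1 = E(IV XOR P_1)
        seq, self.seq = self.seq, self.seq + 1
        return seq, c


def guess_first_block(sender, target_seq, target_c, candidates):
    """Chosen-plaintext recovery of a low-entropy first block (e.g. a PIN).

    IV_j XOR IV_i = seq_j XOR seq_i is public, so the secret base IV is not
    needed. For each guess G the attacker has P_j = G XOR seq_i XOR seq_j
    encrypted; then IV_j XOR P_j == IV_i XOR G, and the ciphertext block
    equals target_c exactly when G == P_i."""
    for guess in candidates:
        seq_j = sender.seq  # sequence number the next record will carry
        delta = xor(target_seq.to_bytes(BLOCK, "big"),
                    seq_j.to_bytes(BLOCK, "big"))
        _, c = sender.send(xor(guess, delta))
        if c == target_c:
            return guess
    return None


def xor_mac(message):
    """40-bit XOR MAC: zero-pad to a multiple of 5 bytes and XOR the chunks."""
    padded = message + b"\x00" * (-len(message) % MAC_LEN)
    mac = bytes(MAC_LEN)
    for i in range(0, len(padded), MAC_LEN):
        mac = xor(mac, padded[i:i + MAC_LEN])
    return mac


def forge(message, offset, new_value):
    """Change one byte and apply the same XOR difference to the byte five
    positions later: two changes in the same MAC column cancel, so the
    XOR MAC of the forged message equals that of the original."""
    m = bytearray(message)
    delta = m[offset] ^ new_value
    m[offset] = new_value
    m[offset + MAC_LEN] ^= delta
    return bytes(m)


if __name__ == "__main__":
    # Constructed session: the key and base IV are unknown to the attacker.
    sender = WtlsSender(b"session-key-1234", bytes(range(BLOCK)))
    seq, c = sender.send(b"PIN:4711")  # the victim's record the attacker observed
    candidates = [b"PIN:%04d" % n for n in range(10000)]
    print("recovered:", guess_first_block(sender, seq, c, candidates))

    msg = b"PAY 0010 TO ACCT 42"
    forged = forge(msg, 6, ord("9"))  # amount 0010 -> 0090, MAC unchanged
    print(forged, xor_mac(forged) == xor_mac(msg))
```

The PIN search needs at most one chosen record per candidate, so a four-digit PIN falls in under ten thousand records, and the MAC forgery needs no key material at all; both follow directly from the two properties the slide names.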

Suggestions
WAP specifications:
- Make client authentication mandatory rather than optional
- Make the WTLS layer mandatory, whether or not people use it today
Implementation:
- Add gateway authentication to WAP clients
- Add stronger algorithms, longer keys and authenticated key exchange methods to the cipher suites

Conclusions
- The WTLS specification itself proposes weak security
- Developers and manufacturers are deploying WAP stacks that do not meet even these weak security requirements, mostly due to a lack of security expertise
- Open source is exposing these weaknesses, yet additional code review is required
- Our two bits should be checked in soon...