Prof. Nashaat El-Khameesy, SAMS Mobile-Commerce Introduction to M-Commerce.


1 Prof. Nashaat El-Khameesy, SAMS Mobile-Commerce Introduction to M-Commerce

2 COURSE OUTLINE
- Basic Concepts and Introductory Issues
- Mobile computing Infrastructure
- Wireless Communication
- Challenges facing M Commerce
- Current & Future Trends

3 COURSE ACTIVITIES
- Assigned Research Papers
- Seminar Topics
- Take Home Research Topics

4 What is M-Commerce?
- E-Commerce with mobile devices (PDAs, Cell Phones, Pagers, etc.)
- M-commerce is a form of E-Commerce, but with additional challenges:
  - Security
  - Usability
  - Heterogeneous Technologies
  - Business Model Issues

5 Mobile-Commerce
While m-commerce covers a broad range of services and applications, a common framework can be defined as: “the ability to perform an electronic transaction using a mobile terminal and a mobile or wireless access network, such as 2G, 3G, Wireless LAN or Bluetooth connection.”

6 Mobile Commerce: Overview
- Mobile commerce (m-commerce, m-business): any e-commerce done in a wireless environment, especially via the Internet
- Can be done via the Internet, private communication lines, smart cards, etc.
- Creates opportunity to deliver new services to existing customers and to attract new ones

7 Mobile commerce from the Customer's point of view
- The customer wants to access information, goods and services any time and in any place on his mobile device.
- He can use his mobile device to purchase tickets for events or public transport, pay for parking, download content and even order books and CDs.
- He should be offered appropriate payment methods. They can range from secure mobile micropayment to service subscriptions.

8 Mobile commerce from the Provider's point of view
- The future development of the mobile telecommunication sector is heading more and more towards value-added services.
- Analysts forecast that soon half of mobile operators' revenue will be earned through mobile commerce.
- Consequently operators as well as third party providers will focus on value-added services.
- To enable mobile services, providers with expertise in different sectors will have to cooperate.
- Innovative service scenarios will be needed that meet the customer's expectations, and business models that satisfy all partners involved.

9 Change to Individual behavior

10 MOBILE EVOLUTION

11 MARKET GROWTH

12 Attributes of M-Commerce and Its Economic Advantages
- Mobility: users carry cell phones or other mobile devices
- Broad reach: people can be reached at any time
- Ubiquity: easier information access in real-time
- Convenience: devices that store data and have Internet, intranet, extranet connections
- Instant connectivity: easy and quick connection to Internet, intranets, other mobile devices, databases
- Personalization: preparation of information for individual consumers
- Localization of products and services: knowing where the user is located at any given time and matching services to them

13 M-Commerce Evolution: Generations
- 1G: 1979-1992 wireless technology
- 2G: current wireless technology; mainly accommodates text
- 2.5G: interim technology, accommodates graphics
- 3G: 3rd generation technology (2001-2005), supports rich media (video clips)
- 4G: will provide faster multimedia display (2006-2010)

14 Terminology and Standards
- GPS: Satellite-based Global Positioning System
- PDA: Personal Digital Assistant, a handheld wireless computer
- SMS: Short Message Service
- EMS: Enhanced Messaging Service
- MMS: Multimedia Messaging Service
- WAP: Wireless Application Protocol
- Smart-phones: Internet-enabled cell phones with attached applications

16 Wireless Technologies
Link Layer (examples…)
- WAN:
  - Analog / AMPS
  - CDPD: Cellular Digital Packet Data
  - TDMA/GSM: Time Division Multiple Access, Global System for Mobile Communications (Europe)
  - CDMA: Code Division Multiple Access
  - Mobitex (TDMA-based)
- LAN:
  - 802.11
  - Bluetooth
Devices: Cell Phones, Palm, WinCE, Symbian, Blackberry, …

17 Mobile Computing Infrastructure
Hardware
- Screenphones: a telephone equipped with color screen, keyboard, e-mail, and Internet capabilities
- E-mail handhelds
- Wirelined: connected by wires to a network
- Cellular (mobile) phones
- Attachable keyboard
- PDAs
- Interactive pagers
- Other devices:
  - Notebooks
  - Handhelds
  - Smartpads

18 Mobile Computing Infrastructure (cont.)
Unseen infrastructure requirements
- Suitably configured wireline or wireless WAN modem
- Web server with wireless support
- Application or database server
- Large enterprise application server
- GPS locator used to determine the location of the mobile computing device carrier

19 Mobile Computing Infrastructure (cont.)
Software
- Micro-browser
- Mobile client operating system (OS)
- Bluetooth: a chip technology and WPAN standard that enables voice and data communications between wireless devices over short-range radio frequency (RF)
- Mobile application user interface
- Back-end legacy application software
- Application middleware
- Wireless middleware

20 Mobile Computing Infrastructure (cont.)
Networks and access
- Wireless transmission media:
  - Microwave
  - Satellites
  - Radio
  - Infrared
  - Cellular radio technology
- Wireless systems

21 Mobile Service Scenarios
- Financial Services.
- Entertainment.
- Shopping.
- Information Services.
- Payment.
- Advertising.
- And more...

22 Early content and applications have all been geared around information delivery, but as time moves on the accent will be on revenue generation.
M-commerce:
- Entertainment: Music, Games, Graphics, Video, Pornography
- Communications: Short Messaging, Multimedia Messaging, Unified Messaging, e-mail, Chatrooms, Video-conferencing
- Transactions: Banking, Broking, Shopping, Auctions, Betting, Booking & reservations, Mobile wallet, Mobile purse
- Information: News, City guides, Directory Services, Maps, Traffic and weather, Corporate information, Market data

23 Classes of M-Commerce Applications

24 Mobile Application: Financial Tool
As mobile devices become more secure:
- Mobile banking
- Bill payment services
- M-brokerage services
- Mobile money transfers
- Mobile micropayments
- Replace ATMs and credit cards??

25 Financial Tool: Wireless Electronic Payment Systems
“transform mobile phones into secure, self-contained purchasing tools capable of instantly authorizing payments…”
Types:
- Micropayments
- Wireless wallets (m-wallet)
- Bill payments

26 Examples of Success Stories
- Swedish Postal Bank: Check Balances/Make Payments & Conduct some transactions
- Dagens Industri: Receive Financial Data and Trade on Stockholm Exchange
- Citibank: Access balances, pay bills & transfer funds using SMS

27 Mobile Applications: Marketing, Advertising, And Customer Service
Shopping from Wireless Devices
- Have access to services similar to those of wire-line shoppers:
  - Shopping carts
  - Price comparisons
  - Order status
- Future: will be able to view and purchase products using handheld mobile devices

28 Mobile Applications: Marketing, Advertising, And Customer Service
Targeted Advertising
- Using demographic information can personalize wireless services (barnesandnoble.com)
- Knowing users’ preferences and surfing habits, marketers can send:
  - User-specific advertising messages
  - Location-specific advertising messages

29 Mobile Applications: Marketing, Advertising, And Customer Service
- CRM applications
  - MobileCRM
  - Comparison shopping using Internet capable phones
  - Voice Portals
- Enhanced customer service
  - improved access to data for employees

30 Mobile Portals
“A customer interaction channel that aggregates content and services for mobile users.”
- Charge per time for service or subscription based
- Example: I-Mode in Japan
- Mobile corporate portal
  - Serves corporations' customers and suppliers

31 Mobile Intra-business and Enterprise Applications
Support of Mobile Employees
- by 2005, 25% of all workers could be mobile employees
- sales people in the field, traveling executives, telecommuters, consultants working on-site, repair or installation employees
- need same corporate data as those working inside company’s offices
- solution: wireless devices
- wearable devices: cameras, screen, keyboard, touch-panel display

32 Mobile B2B and Supply Chain Applications
“mobile computing solutions enable organizations to respond faster to supply chain disruptions by proactively adjusting plans or shifting resources related to critical supply chain events as they occur.”
- accurate and timely information
- opportunity to collaborate along supply chain
- must integrate mobile devices into information exchanges
- example: “telemetry” integration of wireless communications, vehicle monitoring systems, and vehicle location devices
- leads to reduced overhead and faster service responsiveness (vending machines)

33 Applications of Mobile Devices for Consumers/Industries
- Personal Service Applications (example: airport)
- Mobile Gaming and Gambling
- Mobile Entertainment (music and video)
- Hotels
- Intelligent Homes and Appliances
- Wireless Telemedicine
- Other Services for Consumers

34 Mobile Payment for M-Commerce
- Mobile Payment can be offered as a stand-alone service.
- Mobile Payment could also be an important enabling service for other m-commerce services (e.g. mobile ticketing, shopping, gambling…):
  - It could improve user acceptance by making the services more secure and user-friendly.
  - In many cases offering mobile payment methods is the only chance the service providers have to gain revenue from an m-commerce service.

35 Mobile Payment (cont.)
- The consumer must be informed of:
  - what is being bought, and
  - how much to pay
  - options to pay
- The payment must be made
- Payments must be traceable

36 Mobile Payment (cont.)
- Customer requirements:
  - a larger selection of merchants with whom they can trade
  - a more consistent payment interface when making the purchase with multiple payment schemes, like:
    - Credit Card payment
    - Bank Account/Debit Card Payment
- Merchant benefits:
  - brands to offer a wider variety of payment
  - Easy-to-use payment interface development
- Bank and financial institution benefits:
  - to offer a consistent payment interface to consumer and merchants

37 Payment via Internet Payment Provider
[Diagram labels: User; Browsing (negotiation); WAP GW/Proxy; SMS-C; GSM Security; SSL tunnel; MeP; Merchant; Mobile Wallet; IPP; CC/Bank]

38 Payment via integrated Payment Server
[Diagram labels: User; Browsing (negotiation); WAP GW/Proxy; SMS-C; GSM Security; SSL tunnel; Mobile Commerce Server; Mobile Wallet; ISO8583 Based CP; VPP IF; Voice PrePaid; Merchant; CC/Bank]

39 Limitations of M-Commerce
- Usability Problem
  - small size of mobile devices (screens, keyboards, etc.)
  - limited storage capacity of devices
  - hard to browse sites
- Technical Limitations
  - lack of a standardized security protocol
  - insufficient bandwidth
  - 3G licenses

40 Limitations of M-Commerce
- Technical Limitations…
  - transmission and power consumption limitations
  - poor reception in tunnels and certain buildings
  - multipath interference, weather, and terrain problems and distance-limited connections
- WAP Limitations
  - Speed
  - Cost
  - Accessibility

41 Limiting technological factors
- Mobile Devices: Battery, Memory, CPU, Display Size
- Networks: Bandwidth, Interoperability, Cell Range, Roaming
- Localisation: Upgrade of Network, Upgrade of Mobile Devices, Precision
- Mobile Middleware: Standards, Distribution
- Security: Mobile Device, Network, Gateway

42 Potential Health Hazards
- Cellular radio frequencies = cancer?
  - No conclusive evidence yet
  - could allow for myriad of lawsuits
- mobile devices may interfere with sensitive medical devices such as pacemakers

43 Security in M-Commerce: Environment
[Diagram, operator centric model. Labels: CA; Bank (FI); Merchant; Content Aggregation; Internet; SAT GW; WAP GW; Mobile Network; Mobile Bank; WAP1.1 (+SIM where avail.); WAP1.2 (WIM); (SIM); Security and Payment; Mobile e-Commerce Server; Mobile IP; Service Provider Network]

44 WAP Architecture
[Diagram]
- Client: WML, WML-Script, WTAI, etc.
- WAP Gateway: WML Encoder, WMLScript Compiler, Protocol Adapters
- Web Server: CGI Scripts etc.; Content: WML Decks with WML-Script
- Links: WSP/WTP between Client and WAP Gateway; HTTP between WAP Gateway and Web Server

45 Comparison between Internet and WAP technologies
[Diagram: two protocol stacks side by side]
- Internet: HTML, JavaScript; HTTP; TLS - SSL; TCP/IP, UDP/IP
- Wireless Application Protocol: Wireless Application Environment (WAE); Session Layer (WSP); Transaction Layer (WTP); Security Layer (WTLS); Transport Layer (WDP); Other Services and Applications
- Bearers: SMS, USSD, CSD, IS-136, CDMA, CDPD, PDC-P, etc.

46 WAP Risks
- WAP Gap
  - Claim: WTLS protects WAP as SSL protects HTTP
  - Problem: In the process of translating one protocol to another, information is decrypted and re-encrypted (recall the WAP Architecture)
  - Solution: Doing decryption/re-encryption in the same process on the WAP gateway
- Wireless gateways as single point of failure

47 Platform Risks
Without a secure OS, achieving security on mobile devices is almost impossible.
Learned lessons:
- Memory protection of processes
- Protected kernel rings
- File access control
- Authentication of principals to resources
- Differentiated user and process privileges
- Sandboxes for untrusted code
- Biometric authentication

48 WMLScript
- Scripting is heavily used for client-side processing to offload servers and reduce demand on bandwidth
- Wireless Markup Language (WML) is the equivalent of HTML, but derived from XML
- WMLScript is WAP’s equivalent of JavaScript
  - Derived from JavaScript™

49 WMLScript (cont.)
- Integrated with WML
  - Reduces network traffic
- Has procedural logic, loops, conditionals, etc.
- Optimized for small-memory, small-CPU devices
  - Bytecode-based virtual machine
  - Compiler in network
- Works with Wireless Telephony Application (WTA) to provide telephony functions

50 Risks of WMLScript
- Lack of Security Model
  - Does not differentiate trusted local code from untrusted code downloaded from the Internet. So, there is no access control!!
  - WMLScript is not type-safe.
  - Scripts can be scheduled to be pushed to the client device without the user’s knowledge
  - Does not prevent access to persistent storage
- Possible attacks:
  - Theft or damage of personal information
  - Abusing user’s authentication information
  - Maliciously offloading money saved on smart cards

51 Bluetooth
- Bluetooth is the codename for a small, low-cost, short range wireless technology specification
- Enables users to connect a wide range of computing and telecommunication devices easily and simply, without the need to buy, carry, or connect cables.
- Bluetooth enables mobile phones, computers and PDAs to connect with each other using short-range radio waves, allowing them to "talk" to each other
- It is also cheap

52 Bluetooth Security
Bluetooth provides security between any two Bluetooth devices for user protection and secrecy:
- mutual and unidirectional authentication
- encrypts data between two devices
- Session key generation
  - configurable encryption key length
  - keys can be changed at any time during a connection

53 Bluetooth Security (cont.)
- Authorization (whether device X is allowed to have access to service Y)
  - Trusted Device: The device has been previously authenticated, a link key is stored and the device is marked as “trusted” in the Device Database.
  - Untrusted Device: The device has been previously authenticated, a link key is stored but the device is not marked as “trusted” in the Device Database.
  - Unknown Device: No security information is available for this device. This is also an untrusted device.
- Automatic output power adaptation to reduce the range exactly to requirement makes the system extremely difficult to eavesdrop on

54 New Security Risks in M-Commerce
- Abuse of cooperative nature of ad-hoc networks
  - An adversary that compromises one node can disseminate false routing information.
- Malicious domains
  - A single malicious domain can compromise devices by downloading malicious code
- Roaming (are you going to the bad guys?)
  - Users roam among non-trustworthy domains

55 New Security Risks (cont.)
- Launching attacks from mobile devices
  - With mobility, it is difficult to identify attackers
- Loss or theft of device
  - More private information than desktop computers
  - Security keys might have been saved on the device
  - Access to corporate systems
  - Bluetooth provides security at the lower layers only: a stolen device can still be trusted

56 New Security Risks (cont.)
- Problems with Wireless Transport Layer Security (WTLS) protocol
  - Security Classes:
    - No certificates
    - Server only certificate (Most Common)
    - Server and client Certificates
  - Re-establishing connection without re-authentication
  - Requests can be redirected to malicious sites

57 New Privacy Risks
- Monitoring user’s private information
- Offline telemarketing
- Who is going to read the “legal jargon”?
- Value added services based on location awareness (Location-Based Services)

58 Mobile devices
- The ever increasing use of mobile devices/smart phones means a new concern for security threats.
- The technological capability of 3G mobile telephone devices makes their use of value to the criminal community as a data terminal in the facilitation of organized crime or terrorism.
- The effective targeting of these devices from criminal and security intelligence perspectives and subsequent detailed forensic examination of the targeted device will significantly enhance the evidence available to the law enforcement community.

59 Development of mobile services
Many players are involved in the provision and development of mobile services, thus forming an M-Commerce value chain. Business relations are established among these actors invoking different services within a specific geographical area. Aside from the mobile network operator, which has traditionally been the data service provider (voice and messaging), other key actors are:
- Content providers; ring tones, movies, games, databases or information on data are, like many other contents, supplied by independent content owners (radio stations, software developers, financial or trading companies, etc…) and are aggregated by content providers. The wireless application service provider, or directly the mobile operator, maintains a certain number of business relationships with these content providers.
- Advertisers, unlike the content providers, pay the mobile operator for accessing the user.

60 Development of wireless: continue
Wireless application service providers (WASPs); the bridge between the enterprise servers (wired Internet) and the mobile consumer (wireless Internet) is supplied by the WASPs. They can work as content aggregators, hosting and providing applications and packages as outsourced service solutions for mobile and wireless operators. They develop applications in-house or source them out to third parties.

61 Development of mobile services
Mobile portal providers; two successful examples are the i-mode of NTT DoCoMo in Japan, and Vodafone Live of Vodafone in UK. The success of these portals, especially the i-mode, has brought many mobile content and service providers. But this is a double-edged sword; more and more site entries are reported in these portals, making it less obvious for a user to find the accurate service. Therefore it has become more rewarding for some content providers to be listed in an independent and specialized mobile portal rather than the operator’s official portal. This has led to the creation of an entire industry of independent and thematic portal providers.

62 Development of mobile services-Continue
crucial for the development of M-Commerce. From just a few and limited capabilities for application and data handling in the Global System for Mobile (GSM), handsets have then remarkably evolved first to WAP-enabled (to take advantage of the introduction of GPRS) and finally fully Internet compatible with the advent of 3G handsets. The market is led by companies such as Nokia, Motorola or Sony Ericsson. These companies work mostly as integrators, outsourcing the lower radio functions, and focusing more on the service platform and usability layers.

63 continue
Software vendors; they supply the delivery platform supporting and running mobile applications on the handset. This includes operating systems, databases, browsers and other software providers enabling a secure and user-friendly access to mobile services. Major contenders include Microsoft Windows CE, PalmOS, or the Symbian consortium for operating systems and Openwave, Nokia, Microsoft for the browser market. It is worth noting that many handset manufacturers now support Java-enabled browsers supplied by companies like 4thPass.

64 Continue
Virtual mobile network operators (VMNO); we have witnessed the emergence of mobile and wireless operators of a new type. These operators do not possess any network infrastructures, but use the existing ones of traditional operators after a network access fee agreement. The objective for these network access providers is simply to constitute a lucrative base of mobile subscribers. This is the case of Virgin Mobile in UK, or Tele2 in France.

65 Development of mobile services-Continue
Infrastructure vendors; the network infrastructure is under the responsibility of companies such as Ericsson, Lucent, Nortel or Motorola, which provide and maintain the core elements (base station, access point, mobile switching systems, etc…) in collaboration with the mobile or wireless operator. They play a major role in the standardisation and interoperability of m-commerce supporting technologies.

66 I-Mode
- Feb. 1999: i-mode service launched
- Dec. 1999: i-mode compatible handsets with color screens are marketed
- Jan. 2001: i-appli service launched
- Jul. 2001: i-area service launched
- Nov. 2001: i-motion service launched
- Jun. 2002: i-shot service launched
- Jan. 2003: i-motion mail service launched
- Jul. 2004: "Osaifu-Keitai" (mobile phones with wallet functions) service launched
- Sep. 2005: i-channel service launched
- Nov. 2005: "ToruCa" info-capture function offering started
- Dec. 2005: "iD" credit card brand launched

67 I-Mode Timeline

68 Mobile market beyond voice is growing rapidly (status in mid 2005)

69 Handset Overview

70 Examples of PDA Devices
PDA | Microprocessor | Speed
Palm, Handspring | Motorola Dragonball | 16.6 – 20 MHz
RIM Interactive Pager | Intel 386 | 10 MHz
Compaq Aero 1530 | NEC/VR4111 MIPS RISC | 70 MHz
HP Jornada 820 | Intel/StrongARM RISC SA-1100 | 190 MHz
Casio Cassiopeia E-100 | NEC/VR4121 MIPS | 131 MHz
Psion Revo | ARM 710 | 36 MHz
Psion Series 5 | Digital/Arm 7100 | 18 MHz

71 Application Layer Technologies
- Micro-browser based:
  - WAP/WML, HDML: Openwave
  - iMode (HTML): NTT DoCoMo
  - Web Clipping: Palm.net
  - XHTML: W3C
- Voice-browser based:
  - VoiceXML: W3C
- Client-side:
  - J2ME: Java 2 Micro Edition (Sun)
  - WMLScript: Openwave
- Messaging:
  - SMS: Part of GSM Spec.

72 Example: WAP
- WAP: Wireless Application Protocol
- Created by WAP Forum
  - Founded June 1997 by Ericsson, Motorola, Nokia, Phone.com
  - 500+ member companies
  - Goal: Bring Internet content to wireless devices
- WTLS: Wireless Transport Layer Security

73 Basic WAP Architecture
[Diagram labels: WTLS; WAP Gateway; SSL; Internet; Web Server]

74 Example: WAP application

75 Security Challenges
- Less processing power on devices
  - Slow modular exponentiation and primality checking (i.e., RSA)
  - Crypto operations drain batteries (CPU intensive!)
- Less memory (keys, certs, etc. require storage)
- Few devices have crypto accelerators, or support for biometric authentication
- No tamper resistance (memory can be tampered with, no secure storage)
- Primitive operating systems w/ no support for access control (Palm OS)

76 Wireless Security Approaches
- Link Layer Security
  - GSM: A3/A5/A8 (auth, key agree, encrypt)
  - CDMA: spread spectrum + code seq
  - CDPD: RSA + symmetric encryption
- Application Layer Security
  - WAP: WTLS, WML, WMLScript, & SSL
  - iMode: N/A
  - SMS: N/A

77 Example: Security Concerns
- Performance: we’ll do an example: should we use RSA or ECC for WTLS mutual auth?
- Control: WAP Gap, data in the clear at gateway while re-encryption takes place

78 Example: WTLS, ECC vs. RSA?
- WTLS Goals
  - Authentication
  - Privacy
  - Data Integrity
- Authentication: Public-Key Crypto (CPU intensive!!!)
- Privacy: Symmetric Crypto
- Data Integrity: MACs

79 WTLS: Crypto Basics
- Public-Key Crypto
  - RSA (Rivest-Shamir-Adleman)
  - ECC (Elliptic Curve)
- Certificates
- Authentication
  - None, Client, Server, Mutual

80 WTLS w/ Mutual-Authentication
Client -> Server: ClientHello
Server -> Client: ServerHello, Certificate, CertificateRequest, ServerHelloDone
Client -> Server: Certificate, ClientKeyExchange (only for RSA), CertificateVerify, ChangeCipherSpec, Finished
Server -> Client: Finished
Application Data
1. Verify Server Certificate
2. Establish Session Key
3. Generate Signature

81 WTLS Handshake Timings (Palm VII)
Mutual-Authentication: RSA
Operation | Cryptographic Primitive(s) | Time Required (ms)
Server Certificate Verification | RSA Signature Verification (Public decrypt, e=3) | 598
Session Key Establishment | RSA Encryption (Public encrypt) | 622
Client Authentication | RSA Signature Generation (Private encrypt) | 21734
TOTAL | | 22954

82 WTLS Handshake Timings (Palm VII)
Mutual-Authentication: ECC
Operation | Cryptographic Primitive(s) | Time Required (ms)
Server Certificate Verification | CA Public Key Expansion | 254.8
Server Certificate Verification | ECC-DSA Signature Verification | 1254
Session Key Establishment | Server Public Key Expansion | 254.8
Session Key Establishment | Key Agreement | 335.6
Client Authentication | ECC-DSA Signature Generation | 514.8
TOTAL | | 2614
The cryptographic execution time for mutually-authenticated 163-bit ECC handshakes is at least 8.64 times as fast as the cryptographic execution time for mutually-authenticated 1024-bit RSA handshakes on the Palm VII.

83 WAP Gap: One Alternative…
- Dynamic Gateway Connection
- Other alternatives also exist…
[Diagram labels: Operator; WAP Gateway; WTLS Class 2; SSL; Internet; Web Server; Content Provider; WAP Gateway; SSL]
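
The WAP gap from slides 46 and 77 and the dynamic-gateway alternative on slide 83, as an added example that is not part of the original presentation. It models each hop with a stand-in authenticated cipher built from HMAC-SHA256 (not WTLS or SSL), and it assumes that "dynamic gateway connection" means the handset's session ends at a gateway run by the content provider; all names and the sample payload are constructed.

```python
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 12, 32
SAMPLE = b"PAY amount=25.00 account=EXAMPLE-0000"  # constructed sample payload


def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC keys derived from one hop key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC for one hop (stand-in for a WTLS or SSL record)."""
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    body = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def unseal(key: bytes, record: bytes) -> bytes:
    """Verify the MAC, then decrypt; raises ValueError on any modification."""
    if len(record) < NONCE_LEN + TAG_LEN:
        raise ValueError("record too short")
    nonce, body, tag = record[:NONCE_LEN], record[NONCE_LEN:-TAG_LEN], record[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("record failed integrity check")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(body))
    return bytes(c ^ s for c, s in zip(body, stream))


class Relay:
    """Carries records but holds no session key (pure transport)."""

    def __init__(self, owner: str):
        self.owner = owner
        self.seen = []  # everything this node had in memory

    def handle(self, record: bytes) -> bytes:
        self.seen.append(record)
        return record


class Gateway(Relay):
    """Ends the wireless-side session and starts a new wired-side one."""

    def __init__(self, owner: str, wireless_key: bytes, wired_key: bytes):
        super().__init__(owner)
        self.wireless_key, self.wired_key = wireless_key, wired_key

    def handle(self, record: bytes) -> bytes:
        clear = unseal(self.wireless_key, record)  # wireless-side protection ends
        self.seen.append(clear)                    # the gap: cleartext in gateway memory
        return seal(self.wired_key, clear)         # wired-side protection begins


def deliver(payload, path, wireless_key, wired_key):
    """Send payload from the handset through path to the web server.

    Returns (payload as received, {owner: whether that owner held cleartext}).
    """
    record = seal(wireless_key, payload)
    for node in path:
        record = node.handle(record)
    received = unseal(wired_key, record)
    exposure = {}
    for node in path:
        held = any(payload in item for item in node.seen)
        exposure[node.owner] = exposure.get(node.owner, False) or held
    return received, exposure


def operator_gateway():
    """Gateway run by the mobile operator: the translation happens there."""
    k_air, k_wire = os.urandom(32), os.urandom(32)
    return deliver(SAMPLE, [Gateway("operator", k_air, k_wire)], k_air, k_wire)


def provider_gateway():
    """Gateway run by the content provider: the operator only relays."""
    k_air, k_wire = os.urandom(32), os.urandom(32)
    path = [Relay("operator"), Gateway("content_provider", k_air, k_wire)]
    return deliver(SAMPLE, path, k_air, k_wire)


if __name__ == "__main__":
    print("operator-hosted gateway:", operator_gateway()[1])
    print("provider-hosted gateway:", provider_gateway()[1])
```

In both layouts the translation still exposes cleartext inside the gateway process; what changes is whose trust domain that process runs in.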

84 Usability Challenges
- Hard Data Entry
  - Poor Handwriting Recognition
  - Numeric keypads for text entry are error-prone
  - Poor Voice Recognition
  - Further complicates security (entering passwords / speaking pass-phrases is hard!)
- Small Screens
  - i.e., can’t show users everything in “shopping cart” at once!
- Voice Output time consuming

85 Intranetwork Security
To effectively understand the value of any subscriber information extracted from the network, knowledge of the management (and security) functional elements of the network is necessary. The elements and interfaces are broken down as follows:
- Home Location Register (HLR). The HLR provides a system management control over the authorized activities of a subscriber in respect of a subscriber’s profile, services registered and requested/purchased.
- Authentication Centre (AuC). The AuC manages all identification authorization and cryptographic key management within the system.
- Mobile Switching Centre (MSC). The MSCs are the most critical component of the 3G network, handling all “calls” inbound to or outbound from the network.
- Network Interfaces. These connect all inter and intra network elements. By their very nature their distribution and roles will be logically (and physically) different, ranging from internal content server interfaces to external microwave WAN links. Usually multihued.
- Billing Systems/Customer Care (Management) Systems. These provide extensive database records of individual subscriber details ranging from identity (where recorded), handset IMEI and USIM to billing and call record information.

86 Prof. Nashaat El-Khameesy, SAMS Mobile-Commerce Biometrics Biometrics is divided into two types: behavioural (the traditional signature and voice) and physiological (face, fingerprint, hand, and iris recognition)

88 Usability Approaches Graffiti (Scaled-down handwriting recognition, Palm devices) T9 Text Input (Word completion, most cell phones) Full alphanumeric keypad & scrollbar (Blackberry) Restricted VoiceXML grammars for better voice recognition Careful task-based Graphical User Interface & Dialog Design Lots of room for improvement!

89 Prof. Nashaat El-Khameesy, SAMS Mobile-Commerce Heterogeneity Challenges Many link layer protocols (different security available in each) Many application layer standards Businesses need to write to one or more standards or hire a company to help them! Many device types: Many operating systems (Palm OS, Win CE, Symbian, Epoch, …) Wide variation in capabilities

90 Prof. Nashaat El-Khameesy, SAMS Mobile-Commerce Heterogeneity Approaches HTML/Web screen scraping Protocol & Mark-up language translators Standardization

91 Prof. Nashaat El-Khameesy, SAMS Mobile-Commerce Business Models Issues Possible Models: Slotting fees Wireless advertising (text) Pay per application downloaded Pay per page downloaded Flat-fees for service & applications Revenue share on transactions Trust issues between banks, carriers, and portals Lack of content / services

92 Prof. Nashaat El-Khameesy, SAMS Mobile-Commerce Case Studies NTT DoCoMo’s I-Mode Palm.net Sprint PCS Wireless Web

93 Prof. Nashaat El-Khameesy, SAMS Mobile-Commerce NTT DoCoMo I-Mode 20 million users in Japan HTML-based microbrowser (supports HTTPS/SSL) on CDMA-based network 10’s of thousands of content sites, ring tones, and screen savers Pay per application downloaded and pay per page models Invested in AT&T Wireless so we may see it here in US in next few years!

94 Prof. Nashaat El-Khameesy, SAMS Mobile-Commerce Palm.Net Low 100K users in USA Web Clipping (specialized HTML) microbrowser on Mobitex (TDMA) – based network run by BellSouth (>98% coverage in urban areas) 100’s of content sites (typically no charge for applications) Palm VII devices now selling for $100 due to user adoption problems. (Service plans range from $10 - $40 per month.)

95 Prof. Nashaat El-Khameesy, SAMS Mobile-Commerce Sprint PCS Wireless Web Low, single-digit millions of US users Multi-device strategy: WAP/HDML based microbrowser on phones, Web Clipping on Kyocera, both on CDMA network ~50 content sites slotted, many others available (very hard to enter URLs, though) Slotting-fee + rev-share on xactions model $10 per month flat-fee to users, most phones already have microbrowser installed.

96 Prof. Nashaat El-Khameesy, SAMS Mobile-Commerce M-Commerce: A technological View Mobile Applications in Industry Wireless access: phone.com Alerting services: myalert.com Location services: airflash.com Intranet applications: imedeon.com Banking services: macalla.com Web access: wapforum.com Mobile agents: tryllian.com

97 Prof. Nashaat El-Khameesy, SAMS Mobile-Commerce Outline Mobile applications Wireless networking Routing in mobile networks Transport in mobile networks Application adaptation for mobility WWW and mobility

98 Limitations of Mobile Environment
- Limitations of the wireless network: heterogeneity of fragmented networks; frequent disconnections; limited communication bandwidth
- Limitations imposed by mobility: lack of mobility awareness by system/applications
- Limitations of the mobile computer: short battery lifetime; limited capacities

99 Prof. Nashaat El-Khameesy, SAMS Mobile-Commerce Effect of Mobility on Protocol Stack Application new applications and adaptations Transport congestion and flow control Network addressing and routing Link media access and handoff Physical transmission errors and interference

100 Prof. Nashaat El-Khameesy, SAMS Mobile-Commerce Wireless Networks Infrastructure-based networks cellular systems (base station infrastructure) Ad hoc networks useful when infrastructure not available, impractical, or expensive military applications, rescue, home networking

101 Cellular system: GSM GSM formerly: Groupe Spéciale Mobile (founded 1982) now: Global System for Mobile Communication Communication: voice and data services Mobility: International access, access control Service Domains: bearer services: transfer of data between points telematic services: telephony, SMS messages supplementary services: forwarding, conferencing

102 Architecture of the GSM system
GSM is a PLMN (Public Land Mobile Network)
- Components: MS (mobile station), BS (base station), MSC (mobile switching center), LR (location register)
- Subsystems: RSS (radio subsystem): covers all radio aspects; NSS (network and switching subsystem): call forwarding, handover, switching; OSS (operation subsystem): network management

103 Prof. Nashaat El-Khameesy, SAMS Mobile-Commerce Cellular Wireless Space divided into cells A base station is responsible to communicate with hosts in its cell Mobile hosts can change cells while communicating Hand-off occurs when a mobile host starts communicating via a new base station

104 Prof. Nashaat El-Khameesy, SAMS Mobile-Commerce Multi-Hop Wireless May need to traverse multiple links to reach destination Mobility causes route changes

105 Hand-Off Procedure
- Each base station periodically transmits a beacon
- Mobile host, on hearing a stronger beacon from a new BS: sends it a greeting; changes routing tables to make the new BS its default gateway; sends the new BS the identity of the old BS
- New BS acknowledges the greeting and begins to route MH’s packets

106 Hand-Off Procedure
- New BS informs old BS
- Old BS changes routing table, to forward any packets for the MH to the new BS
- Old BS sends an ack to new BS
- New BS sends handoff-completion message to MH
[Figure: message sequence between old BS, new BS and MH, steps 1 to 7]

107 Hand-off Issues
- Hand-offs may result in temporary loss of route to MH: with non-overlapping cells, it may be a while before the mobile host receives a beacon from the new BS
- While routes are being reestablished during handoff, MH and old BS may attempt to send packets to each other, resulting in loss of packets
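The hand-off steps and the packet-loss window described on the slides above, as an added example that is not part of the original presentation. The class and function names, the step numbering and the three sample packets are constructed for illustration.

```python
class BaseStation:
    def __init__(self, name):
        self.name = name
        self.route = {}  # MH name -> "local" or the BaseStation to forward to

    def deliver(self, mh, pkt):
        """Handle a downlink packet for mh and report what happened to it."""
        nxt = self.route.get(mh.name)
        if nxt == "local":
            # Radio delivery works only while the MH still listens in this cell.
            if mh.gateway is self:
                return f"{pkt}: delivered by {self.name}"
            return f"{pkt}: lost in {self.name} cell"
        if isinstance(nxt, BaseStation):
            return nxt.deliver(mh, pkt)  # forwarding entry installed
        return f"{pkt}: lost, no route at {self.name}"


class MobileHost:
    def __init__(self, name, gateway):
        self.name, self.gateway = name, gateway
        gateway.route[name] = "local"


def handoff(mh, new_bs, arrivals):
    """Run the hand-off. arrivals maps a step number to a packet that reaches
    the old BS right after that step; returns the outcome of each packet."""
    old_bs, log = mh.gateway, []

    def after(step):
        if step in arrivals:
            log.append(old_bs.deliver(mh, arrivals[step]))

    mh.gateway = new_bs                  # 1: MH greets new BS, switches gateway
    after(1)
    new_bs.route[mh.name] = "local"      # 2: new BS acks, starts routing for MH
    after(2)
    after(3)                             # 3: new BS informs old BS (in transit)
    old_bs.route[mh.name] = new_bs       # 4: old BS now forwards to new BS
    after(4)
    after(5)                             # 5-6: old BS acks; completion sent to MH
    return log


def demo():
    old_bs, new_bs = BaseStation("BS-old"), BaseStation("BS-new")
    mh = MobileHost("MH", old_bs)
    # Constructed traffic: packets reach the old BS after steps 1, 3 and 4.
    return handoff(mh, new_bs, {1: "p1", 3: "p3", 4: "p4"})
```

Packets that reach the old BS before it installs the forwarding entry are transmitted into a cell the MH has already left; only traffic arriving after that step is redirected to the new BS.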

108 Prof. Nashaat El-Khameesy, SAMS Mobile-Commerce Wireless LANs Infrared (IrDA) or radio links (Wavelan) Advantages very flexible within the reception area Ad-hoc networks possible (almost) no wiring difficulties Disadvantages low bandwidth compared to wired networks (1-10 Mbit/s) many proprietary solutions Infrastructure v/s ad-hoc networks (802.11)

109 Prof. Nashaat El-Khameesy, SAMS Mobile-Commerce Bluetooth Consortium Ericsson, Intel, IBM, Nokia, Toshiba - many members Scenarios connection of peripheral devices loudspeaker, joystick, headset support of ad-hoc networking small devices, low-cost bridging of networks e.g., GSM via mobile phone - Bluetooth - laptop

110 Prof. Nashaat El-Khameesy, SAMS Mobile-Commerce Mobility and Routing Finding a path from a source to destination Issues Frequent route changes: amount of data transferred between route changes may be much smaller than traditional networks Route changes related to host movement Goal of routing protocols ? decrease routing-related overhead find short routes find “stable” routes

111 Mobile IP [Figure: sender S, Router 1, Router 2, Router 3, home agent, MH]

112 Mobile IP [Figure: sender S, Router 1, Router 2, Router 3, home agent, foreign agent; the MH moves to the foreign agent] Packets are tunneled using IP in IP

113 Mobile IP
- Mobile IP would need to modify the previous hand-off procedure to inform the home agent of the identity of the new foreign agent
- Triangular optimization can reduce the routing delay: route directly to the foreign agent, instead of via the home agent
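The IP-in-IP tunneling between home agent and foreign agent mentioned on the Mobile IP slides, as an added example that is not part of the original presentation. The function names, the binding and visitor tables and the documentation-range addresses are assumptions; the foreign agent's check of the tunnel source against the registered home agent is an added defensive check, not something the slides state.

```python
import socket
import struct

IPIP = 4  # IPv4 protocol number for IP-in-IP encapsulation (RFC 2003)

def checksum(header: bytes) -> int:
    """One's-complement Internet checksum of an IPv4 header."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Build an IPv4 packet with a 20-byte header and a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload

def parse(pkt: bytes):
    """Return (src, dst, proto, payload); raise on a corrupt header."""
    if len(pkt) < 20 or pkt[0] != 0x45 or checksum(pkt[:20]) != 0:
        raise ValueError("bad IPv4 header")
    total_len, proto = struct.unpack("!H", pkt[2:4])[0], pkt[9]
    return (socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]),
            proto, pkt[20:total_len])

def home_agent(pkt: bytes, ha_addr: str, bindings: dict) -> bytes:
    """Tunnel a packet for an away-from-home MH to its care-of address."""
    dst = parse(pkt)[1]
    care_of = bindings.get(dst)
    if care_of is None:
        return pkt                         # MH is at home: forward unchanged
    return build(ha_addr, care_of, IPIP, pkt)  # inner packet becomes payload

def foreign_agent(pkt: bytes, fa_addr: str, visitors: dict) -> bytes:
    """Strip the outer header; accept tunnels only from the visitor's home agent."""
    src, dst, proto, inner = parse(pkt)
    if dst != fa_addr or proto != IPIP:
        raise ValueError("not a tunnel packet for this agent")
    if visitors.get(parse(inner)[1]) != src:
        raise ValueError("tunnel source is not the registered home agent")
    return inner

def demo():
    # Constructed packet: sender S to the MH's home address, opaque payload.
    original = build("198.51.100.7", "192.0.2.10", 17, b"hello MH")
    tunneled = home_agent(original, "192.0.2.1", {"192.0.2.10": "203.0.113.1"})
    return foreign_agent(tunneled, "203.0.113.1", {"192.0.2.10": "192.0.2.1"})
```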

114 Prof. Nashaat El-Khameesy, SAMS Mobile-Commerce Mobility and Transport Transport protocols typically designed for fixed end-systems, wired networks Issues packet loss due to wireless characteristics packet loss due to mobility TCP assumes congestion if packet dropped acks, retransmissions and performance TCP cannot be changed fundamentally

115 Mobile TCP
I-TCP segments the connection
- no changes to the TCP protocol for hosts connected to the wired Internet
- optimized TCP protocol for mobile hosts
- splitting of the TCP connection at, e.g., the foreign agent into 2 TCP connections, no real end-to-end connection any longer
- hosts in the fixed part of the net do not notice the characteristics of the wireless part

116 Mobile TCP
Advantages
- no changes in the fixed network necessary
- transmission errors on the wireless link do not propagate into the fixed network
- simple to control, mobile TCP is used only for one hop between, e.g., a foreign agent and mobile host
Disadvantages
- loss of end-to-end semantics
- higher latency possible due to buffering of data within the foreign agent and forwarding to a new foreign agent

117 Application Adaptations for Mobility
- System-transparent, application-transparent: the conventional, “unaware” client/server model
- System-aware, application-transparent: the client/proxy/server model; the disconnected operation model
- System-transparent, application-aware: dynamic client/server model
- System-aware, application-aware: the mobile agent model

118 The Client/Proxy/Server Model
- Proxy functions as a client to the fixed network server, and as a mobility-aware server to the mobile client
- Proxy may be placed in the mobile host (Coda), or the fixed network, or both (WebExpress)
- Enables thin client design for resource-poor mobile computers

119 Prof. Nashaat El-Khameesy, SAMS Mobile-Commerce The Mobile Agent Model Mobile agent receives client request and moves into fixed network Mobile agent acts as a client to the server Mobile agent performs transformations and filtering Mobile agent returns back to mobile platform, when the client is connected

120 Mobile Data Management
- Pull data delivery: clients request data by sending uplink messages to the server
- Push data delivery: servers push data (and validation reports) through a broadcast channel to a community of clients
- Client caching strategies and cache invalidation algorithms are critical

121 World Wide Web and Mobility
HTTP and HTML have not been designed for mobile applications/devices
- HTTP characteristics: stateless, client/server, request/response; connection oriented, one connection per request; primitive caching and security
- HTML characteristics: designed for computers with “high” performance, color high-resolution display, mouse, hard disk; typically, web pages optimized for design, not for communication; ignore end-system characteristics

122 Prof. Nashaat El-Khameesy, SAMS Mobile-Commerce HTTP and Mobility HTTP designed for large bandwidth and low delay big protocol headers (stateless, ASCII) uncompressed content transfer TCP 3-way handshake, DNS lookup overheads Caching often disabled by information providers dynamic objects, customized pages, generated on request via CGI Security problems how to use SSL/TLS together with proxies?

123 Prof. Nashaat El-Khameesy, SAMS Mobile-Commerce System Support for Mobile WWW Enhanced browsers Client proxy pre-fetching, caching, off-line use Network proxy adaptive content transformation for connections Client and network proxy Enhanced servers HDML (handheld device markup language) HDTP (handheld device transport protocol)

124 WAP - Wireless Application Protocol
- Forum: wapforum.org, co-founded by Ericsson, Motorola, Nokia, Unwired Planet
- Goals: deliver Internet services to mobile devices; independence from wireless network standards
- Platforms: e.g., GSM (900, 1800, 1900), CDMA IS-95, TDMA IS-136, 3rd generation systems (IMT-2000, UMTS, W-CDMA)

125 WAP Overview
- Browser: “micro browser”, similar to existing web browsers
- Script language: similar to JavaScript, adapted to mobile devices
- Gateway: transition from wireless to wired world
- Server: “wap server”, similar to existing web servers
- Protocol layers: transport layer, security layer, session layer etc.

126 Prof. Nashaat El-Khameesy, SAMS Mobile-Commerce Wireless Markup Language (WML) Cards and Decks WML document consists of many cards, cards are grouped to decks a deck is similar to an HTML page, unit of content transmission WML describes only intent of interaction in an abstract manner presentation depends on device capabilities Features text and images user interaction navigation context management

