Security Using WAP

When using certain WAP services the user may want a secure connection between the phone and the WAP gateway, for example when using banking services. An icon in the display indi- cates when a secure connection is used. The T39 is based on the WAP June2000 (WAP 1.2.1) specifications where security functionality is specified with a technology called Wireless Trans- port Layer Security (WTLS).

The WAP protocols that handle the connection, its transport and its security are structured in protocol layers. The security is handled by the WTLS layer operating above the transport proto- col layer. There are WTLS classes that define the levels of security for a WTLS connection:

WTLS class 1 involves encryption with no authentication.

WTLS class 2 involves encryption with server authentication.

WTLS class 3 involves encryption with both server and client authentication

Server authentication

Requires a server certificate stored at the server side and a root certifi-

 

cate stored at the client side.

Client authentication

Requires a client certificate stored at the client side and a trusted certif-

 

icate stored at the server side.

A Wireless Identity Module (WIM) can contain both trusted and client certificates, private keys and algorithms needed for WTLS handshaking, encryption/decryption and signature generation. The WIM module can be placed on a SIM card and will then be referred to as a SWIM card.

Certificates

To use secure connections, the user needs to have certificates saved in the phone. There are two types of certificates:

Trusted certificate

A certificate that guarantees that a WAP site is genuine. If the phone

 

has a stored certificate of a certain type, it means the user can trust all

 

WAP gateways that use the certificate. Trusted certificates can be pre-

 

installed in the phone, pre-installed in the SWIM, or downloaded from

 

the trusted supplier’s WAP page.

Client certificate

A personal certificate that verifies the user’s identity. A bank that the

 

user has a contract with may issue this kind of certificate. Client certif-

 

icates can be pre-installed in the SWIM card.

WIM Locks (PIN Codes)

There are two types of WAP security locks (PIN codes) for the WIM on SIM. The locks protect the subscription from unauthorized use when browsing. The locks should typically be supplied from the supplier of the SWIM.

Access lock

An access lock protects the data in the WIM. The user is asked to enter

 

the PIN code the first time the SWIM card is accessed when establish-

 

ing a connection.

Signature lock

A signature lock is used for confirming transactions - like a digital sig-

 

nature.

In the T39, the user can check which transactions have been made with the phone when brows- ing. Each time the user confirms a transaction with a signature lock code, a contract is saved in the phone. The contract contains details about the transaction.

15

Page 15
Image 15
Ericsson T39 manual Security Using WAP, Certificates, WIM Locks PIN Codes