White Paper M600
•
Browser security
M600 supports the TLS/SSL to provide a secure encrypted link between the browser and the web site. This method is commonly used for secure transactions on the web. An icon in the display indicates when a secure connection is in use.
TLS Security
When using certain Internet services the user may require a secure connection between the phone and the web site, such as, when using banking services. An icon in the display indicates when a secure connection is used. M600 is based on the WAP 2.0 specifications where security functionality is specified with a technology called WAP TLS Pro- file (Wireless Application Protocol Transport Layer Security).
The Internet protocols that handle the connection, its transport and its security are structured in proto- col layers. The security is handled by the TLS layer operating above the transport protocol layer. There are three TLS classes that define the levels of secu- rity for a TLS connection:
•Anonymous TLS involves encryption with no authentication.
•Server authentication involves encryption with server authentication.
•Client authentication involves encryption with both server and client authentication
Server | Requires a server certificate |
authentication | stored at the server side and a |
| trusted certificate stored at the |
| client side. |
|
|
Client | Requires a client certificate |
authentication | stored at the client side and a |
| trusted certificate stored at the |
| server side. |
|
|
Certificates
To use secure connections, the user needs to have certificates saved in the phone. Certificates can be downloaded and installed when required. There are two types of certificates:
Certificate | A trusted certificate used to ver- |
authority | ify that a web site is genuine. If |
| the phone has a stored trusted |
| certificate of a certain type, it |
| means the user can trust all web |
| sites which present a certificate |
| that can be verified by the |
| trusted certificate. Certificates |
| are preinstalled in the phone and |
| can be downloaded from the |
| trusted supplier's web page. |
|
|
User | A personal certificate that veri- |
certificate | fies the user's identity. A bank |
| that the user has a contract with |
| may issue this kind of certificate. |
|
|
M600 is preinstalled with X.509 certificates from Baltimore, Entrust, Geotrust, GlobalSign, GTE Cybertrust, RSA, Sony Ericsson, Thawte and Veri- Sign.
40 | February 2006 |
