P800/P802

White Paper, January 2003

Browser Security

World Wide Web

The P800 supports TLS/SSL to provide a secure, encrypted link between the browser and the website. This method is commonly used for secure transactions on the WWW. An icon in the display indicates when a secure connection is in use.

WAP Security

When using certain WAP services, for example banking services, the user may want a secure connection between the phone and the WAP gateway. An icon in the display indicates when a secure connection is used. The P800 is based on the WAP 2.0 specifications, where security functionality is specified with a technology called Wireless Transport Layer Security (WTLS) and WAP TLS Profile.

The WAP protocols that handle the connection, its transport and its security are structured in protocol layers. The security is handled by the WTLS layer operating above the transport protocol layer. There are 3 WTLS classes that define the levels of security for a WTLS connection:

WTLS class 1 involves encryption with no authentication.

WTLS class 2 involves encryption with server authentication.

WTLS class 3 involves encryption with both server and client authentication.

Server authentication

Requires a server certificate stored at the server side and a root certificate stored at the client side.

Client authentication

Requires a client certificate stored at the client side and a trusted certificate stored at the server side.

A Wireless Identity Module (WIM) can contain both trusted and client certificates, private keys and algorithms needed for WTLS handshaking, encryption/decryption and signature generation. The WIM module can be placed on a SIM card and will then be referred to as a SWIM card.

Certificates

To use secure connections, the user needs to have certificates saved in the phone. User certificates can be downloaded. There are two types of certificates:

Certificate authority

A certificate used to verify that a WAP site is genuine. If the phone has a stored certificate of a certain type, it means the user can trust all WAP gateways which present a certificate that can be verified by the trusted certificate. Certificates can be preinstalled in the phone, pre-installed in the SWIM, or downloaded from the trusted supplier’s WAP page.

User certificate

A personal certificate that verifies the user’s identity. A bank that the user has a contract with may issue this kind of certificate. User certificates can be pre-installed in the SWIM card.

The P800 is loaded with WTLS/X509 certificates from Baltimore, CTE Cybertrust, Entrust, GlobalSign and VeriSign.
