For Internal Use Only | P800 Smartphone |
| White Paper, May 2002 |
Browser Security
World Wide Web
The P800 supports TLS/SSL to provide a secure, encrypted link between the browser and the website. This method is commonly used for secure transactions on the WWW.
WAP Security
When using certain WAP services, for example banking services, the user may want a secure connection between the phone and the WAP gateway. An icon in the display indicates when a secure connection is used. The P800 is based on the WAP 2.0 specifications, in which security functionality is specified by a technology called Wireless Transport Layer Security (WTLS).
The WAP protocols that handle the connection, its transport and its security are structured in protocol layers. The security is handled by the WTLS layer operating above the transport protocol layer. There are 3 WTLS classes that define the levels of security for a WTLS connection:
• WTLS class 1 involves encryption with no authentication.
• WTLS class 2 involves encryption with server authentication.
• WTLS class 3 involves encryption with both server and client authentication.
Server authentication | Requires a server certificate stored at the server side and a root certificate stored at the client side. |
Client authentication | Requires a client certificate stored at the client side and a trusted certificate stored at the server side. |
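The three authentication levels above, mapped onto TLS settings in Python's ssl module as an analogy. This is an added example, not part of the white paper: WTLS itself is not implemented here, and the function names client_context, server_context and auth_class are hypothetical.

```python
import ssl


def client_context(verify_server: bool) -> ssl.SSLContext:
    """Client side: decide whether the server's certificate is verified."""
    # PROTOCOL_TLS_CLIENT defaults to CERT_REQUIRED with hostname checking on.
    # A real client also loads its trusted roots with load_verify_locations().
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if not verify_server:
        # Hostname checking must be switched off before verify_mode is relaxed,
        # otherwise the ssl module raises ValueError.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def server_context(require_client_cert: bool) -> ssl.SSLContext:
    """Server side: decide whether a client certificate is demanded."""
    # PROTOCOL_TLS_SERVER defaults to CERT_NONE (no client certificate requested).
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    if require_client_cert:
        ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def auth_class(client_ctx: ssl.SSLContext, server_ctx: ssl.SSLContext) -> int:
    """Return the WTLS class (1-3) whose authentication level this pairing matches."""
    # Server authentication: the client validates the server certificate
    # against a root certificate it holds and checks the hostname.
    server_authenticated = (
        client_ctx.verify_mode == ssl.CERT_REQUIRED and client_ctx.check_hostname
    )
    # Client authentication: the server refuses peers without a valid certificate.
    client_authenticated = server_ctx.verify_mode == ssl.CERT_REQUIRED
    if not server_authenticated:
        # Encrypted but the peer is unverified, so an active man-in-the-middle
        # is not detected. Treated as class 1 even if the server asks for a
        # client certificate, because class 3 requires both directions.
        return 1
    return 3 if client_authenticated else 2


if __name__ == "__main__":
    for verify, require in [(False, False), (True, False), (True, True)]:
        level = auth_class(client_context(verify), server_context(require))
        print(f"verify_server={verify} require_client_cert={require} -> class {level}")
```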
A Wireless Identity Module (WIM) can contain both trusted and client certificates, private keys and algorithms needed for WTLS handshaking, encryption/decryption and signature generation. The WIM module can be placed on a SIM card and will then be referred to as a SWIM card.
Certificates
To use secure connections, the user needs to have certificates saved in the phone. There are two types of certificates:
Certificate authority | A certificate used to verify that a WAP site is genuine. If the phone has a stored certificate of a certain type, it means the user can trust all WAP gateways which present a certificate that can be verified by the trusted certificate. Certificates can be preinstalled in the phone, |
| |
| WAP page. |
User certificate | A personal certificate that verifies the user’s identity. A bank that the user has a contract with may issue this kind of certificate. User certificates can be |