White Paper T630/T628

Security using the WAP

For certain WAP services, such as banking serv- ices, a secure connection between the phone and WAP gateway is necessary. An icon in the display of the T630/T628 indicates when a secure connec- tion is in use.

The T630/T628 is based on the WAP 2.0 (WML 1.3) specification suite, in which security functionality is specified by a technology called Wireless Transport Layer Security (WTLS). The WAP protocols for han- dling connection, transport and security are struc- tured in layers, with security handled by the WTLS layer, operating above the transport protocol layer. WTLS classes define the levels of security for a WTLS connection:

WTLS class 1 – encryption with no authentica- tion.

WTLS class 2 – encryption with server authenti- cation.

WTLS class 3 – encryption with both server and client authentication.

Server authentication requires a server certificate stored at the server side and a trusted certificate stored at the client side.

Client authentication requires a client certificate stored at the client side and a trusted certificate stored at the server side.

A Wireless Identity Module (WIM) can contain both trusted and client certificates, private keys and algorithms needed for WTLS handshaking, encryp- tion/decryption and signature generation. The WIM module can be placed on a SIM card and is then referred to as a SWIM card.

Certificates

To use secure connections, the user needs to have certificates stored in the phone. There are two types of certificates:

Trusted certificate

A certificate that guarantees that a WAP site is gen- uine. If the phone has a stored certificate of a cer- tain type, it means that the user can trust all WAP gateways that use the certificate. Trusted certifi- cates can be pre-installed in the phone, in the SWIM or they can be downloaded from the trusted supplier’s WAP page.

Client certificate

A personal certificate that verifies the user’s iden- tity. A bank that the user has a contract with may issue this kind of certificate. Client certificates can be pre-installed in the SWIM card.

WIM locks (PIN codes)

There are two types of WAP security locks (PIN codes) for a SWIM, which protect the subscription from unauthorized use. The PIN codes should typi- cally be provided by the supplier of the SWIM.

Access lock

An access lock protects the data in the WIM. The user is asked to enter the PIN code the first time the SWIM card is accessed when establishing a connection.

Signature lock

A signature lock is used for confirming transac- tions, much like a digital signature.

In the T630/T628, the user can check which trans- actions have been made with the phone when browsing. Each time the user confirms a transac- tion with a signature lock code, a contract is stored in the phone. The contract contains details about the transaction.

Configuration of WAP settings

An easy way to perform WAP configuration in the T630/T628 is to use the step-by-step WAP config- urator available on http://www.SonyEricsson.com. The configurator utilizes OTA provisioning.

Manual configuration is done using the menu sys- tem in the phone. This is described in the User’s guide.

31

October 2003

Page 31
Image 31
Sony Ericsson T628, T630 manual Security using the WAP, Configuration of WAP settings