ADVISOR VIEW

WTLS: The Good and Bad of WAP Security

An understanding of the Wireless Transport Layer Security (WTLS) protocol will help you get a grasp on threats and potential weaknesses of WAP security.

By Philip Mikal

As an increasing number of organizations deploy services using the Wireless Application Protocol (WAP), they must seriously consider the security issues present in such an environment. This is especially true in systems that involve financial information or sensitive personal data. The WAP specification, created by the WAP Forum, partly addresses such concerns with the introduction of the Wireless Transport Layer Security (WTLS) protocol.

WTLS is based on the Transport Layer Security (TLS) protocol, a derivative of the Secure Sockets Layer (SSL) protocol. The goal of WTLS is very much like that of SSL: to provide privacy and reliability for client-server communications over a network. While SSL primarily provides security over the Internet, WTLS is specific to wireless applications using WAP. The need for WTLS over TLS and SSL is due to the restrictions present in the wireless application environment. Specifically, TLS and SSL don't offer the necessary support for the limited memory and processing capabilities of WAP-enabled phones, support for multiple transport protocol layers, or capabilities to address low-bandwidth environments.

Start with WAP

To gain a better understanding of WTLS, you have to understand the basics of the WAP network architecture. The WAP client, typically a cellular phone, communicates directly with a gateway. A gateway is a proxy server that provides protocol translations, compression of WML/WML Script, and additional services. The gateway receives the request from a WAP client, and translates it into HTTP to communicate with the appropriate content server. In the implementation of a secure WAP system, WTLS encrypts the communication between the WAP client and gateway. The gateway decrypts WTLS and re-encrypts using SSL to connect to the content server. The SSL connection is similar to what you find in a traditional secure Internet application.

The dangers

This process has its weaknesses. The first is that WTLS allows for weak encryption algorithms -- with some WAP clients, users can even disable WTLS encryption entirely. The availability of such options severely limits the security of a WAP application.

Other WTLS security problems were brought to light by Markku-Juhani Saarinen in his paper "Attacks Against the WAP WTLS Protocol," including the chosen plain-text data recovery attack, the datagram truncation attack, the message forgery attack, and the exportable key-search shortcut. (The paper is available at http://www.jyu.fi/~mjos/wtls.pdf.)

Finally, there could be a compromise of the WAP gateway. As the gateway decrypts the data between a WAP client and content server, the data becomes vulnerable if the gateway is compromised. In cases where you're providing your own gateway, you should take steps to prevent this from occurring, via firewalls, operating system hardening, or even physical location security features. However, many companies have yet to realize security concerns exist in WTLS.

Future improvements

Future versions of the WAP specification may address shortcomings in WTLS. A WAP Forum draft called "The WAP Transport Layer E2E Security Specification" presents a scheme to eliminate the need for decryption/re-encryption at the WAP gateway. Here, a WAP client's request is redirected using an XML document. This document supplies the WAP client with instructions on how to make a direct, secure connection with a secondary proxy, which provides direct access to the content server. This method inherently bypasses the WAP client's default gateway.
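The gateway exposure described under "The dangers" and the end-to-end alternative sketched above, as an added illustration that is not part of the original article: a constructed toy keystream cipher (HMAC-SHA256 in counter mode, standing in for WTLS and SSL record encryption, not a real implementation of either) is used to show that on the default path the gateway holds the request in the clear between decrypting WTLS and re-encrypting with SSL, whereas on the E2E path the default gateway only forwards ciphertext it has no key for.

```python
import hashlib
import hmac

# Constructed toy cipher: HMAC-SHA256 counter-mode keystream XORed with the data.
# It only models "encrypted with key K"; it is NOT the WTLS or SSL record layer.
def _keystream(key: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def xor_crypt(key: bytes, data: bytes) -> bytes:
    # Symmetric: applying it twice with the same key returns the plaintext.
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))

def gateway_hop(request: bytes, wtls_key: bytes, ssl_key: bytes):
    """Default WAP path: phone -> gateway over WTLS, gateway -> content server
    over SSL. Returns (bytes the server recovers, bytes the gateway held)."""
    over_the_air = xor_crypt(wtls_key, request)           # WTLS-protected leg
    held_by_gateway = xor_crypt(wtls_key, over_the_air)   # gateway decrypts WTLS
    to_server = xor_crypt(ssl_key, held_by_gateway)       # gateway re-encrypts (SSL)
    return xor_crypt(ssl_key, to_server), held_by_gateway

def e2e_hop(request: bytes, e2e_key: bytes):
    """E2E draft path: the phone shares a key only with the secondary proxy;
    the default gateway forwards the ciphertext untouched and never decrypts."""
    over_the_air = xor_crypt(e2e_key, request)
    held_by_gateway = over_the_air                        # forwarded as-is
    return xor_crypt(e2e_key, over_the_air), held_by_gateway

def gateway_can_read(request: bytes, held_by_gateway: bytes) -> bool:
    """True if a compromised gateway would have seen this request in the clear."""
    return held_by_gateway == request

if __name__ == "__main__":
    # Constructed sample request; keys are placeholders for illustration only.
    req = b"POST /transfer amount=500 acct=12345"
    _, seen = gateway_hop(req, b"wtls-session-key", b"ssl-session-key")
    print("default path, gateway sees plaintext:", gateway_can_read(req, seen))
    _, seen = e2e_hop(req, b"e2e-session-key")
    print("E2E path, gateway sees plaintext:    ", gateway_can_read(req, seen))
```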

Widespread implementation and deployment of WAP client security certificates will bring additional improvements. Security certificates digitally identify a WAP client and let it send and receive encrypted information. Currently, the content provider's application must handle digital signing of WAP client requests, or the WML Script Crypto library can create the digital signature.

WTLS is just one piece of a secure WAP application architecture. But you have to understand it fully, along with the full WAP specification, to recognize the pertinent threats, issues, and potential weaknesses.



Philip Mikal is a provider of Internet technology solutions to companies at both the Fortune 500 and startup level. He can be reached via his Web site at http://www.mikal.org.


Keyword Tags: Mobile, Open Standards, Secure Sockets Layer (SSL), Security, Transport Layer Security (TLS), Wireless, Wireless Access Protocol (WAP), Wireless Markup Language (WML), Wireless Transport Layer Security (WTLS)


ARTICLE INFO

DataBased Advisor

Web Edition: 2001.11.01, Doc #08980
