Mobile Security
Security is Hard
• Just this year:
  • Denial of service
  • Credit card compromise
  • I Love You
• Cost to manage security quickly becomes prohibitive
• How do we do it?
“The wireless telegraph is not difficult to understand. The ordinary telegraph is like a very long cat. You pull the tail in New York, and it meows in Los Angeles. The wireless is the same only without the cat.”
Albert Einstein
Wireless is Complex
Speed is Everything
[Chart: gross profit (%), scale 0 to 100, against time late to market (on time, 2 months, 4 months, 6 months). Source: McKinsey & Co]
Recommendations
• Consolidate as much as possible the security mechanisms necessary to perform commerce
• Standards-based, vendor neutral, global scope, legal framework
• Leverage the work already done in e-Business, e-Security
• After all, wireless is just an extension of technology
Trust in the Digital World
• Trust in the Physical World: Passports, Check Books, Credit Cards
• Trust in the Digital World: PKI, Encryption, Authentication
Public Key Infrastructure (PKI)
• Allow unknown parties to communicate securely
• “Parties” can be:
  • Employees
  • Devices
  • Suppliers
  • Partners
And most importantly, PKI can scale to millions of customers . . .
Market is Huge
[Chart: WAP-capable, Total Cellular/PCS and Wired, 1999 to 2004; vertical axis 0 to 1,400,000,000. Source: IDC, 2000]
Infrastructure Investments Yield Benefits Beyond Commerce
• Cisco realized $825 million in financial benefits in 1999
  • Customer Service $269
  • E-Commerce $37
  • Supply Chain $444
  • Employee Resources $55
• Dell enjoying similar rewards
  • Dell generates more working capital than it consumes
  • Customers pay for product before Dell pays suppliers
  • Inventory turns over 60 times/year, 6 times/year in 1994
Wireless Network Architecture
[Diagram: Users, Network Operator, Internet, E-businesses]
Evolution of WAP Security
[Timeline diagram: Q3 1999 (July), Q1 2000 (Jan), Q3 2000 (July), Q4 2000 (Oct)]
• WAP versions: WAP 1.1, WAP 1.2, WAP 1.2+
• Other labels: WTLS 1.1, WIM, WTLS 1.2, Wireless PKI, WML Script Crypto Library
• Telepathy products:
  • Telepathy PKI Validation System
  • Telepathy WAP Security Toolkit
  • Telepathy Digital Signature Toolkit
  • Telepathy WAP Security Gateway
  • Telepathy WAP Certificates
  • Telepathy WAP CA
  • Telepathy PKI Registration System
WTLS Layer in WAP Stack
WTLS is the wireless equivalent of SSL/TLS
[Diagram: three columns, OSI Model, WAP Model, Internet Model]
• Application Layer: Wireless Application Environment (WAE)
• Session Layer: Wireless Session Protocol (WSP)
• Transaction Layer: Wireless Transaction Protocol (WTP)
• Security Layer: Wireless Transport Layer Security (WTLS)
• Transport Layer: Datagrams (UDP/IP), Datagrams (WDP)
• Network Layer: Wireless Bearer Network (PDC-P, PCS, CDMA, TDMA, W-CDMA, etc.)
• Internet Model: HTML/Java/JavaScript, HTTP, SSL/TLS, TCP/IP, Low-level Network Layer
• Services and Applications
Web & WAP Architecture
[Diagram]
• Web: HTML pages, HTTP, Web Server
• WAP: WML pages, WAP, WAP Gateway, Web Server
Web & WAP Session Security
[Diagram]
• Web to Web Server: Secure Sockets Layer (SSL) & Transport Layer Security (TLS): Authentication - Integrity - Confidentiality
• WAP to WAP Gateway/Server: Wireless TLS (WTLS): Authentication - Integrity - Confidentiality
• WAP Gateway/Server to Web Server: SSL/TLS
WTLS Authentication Levels
• Three levels of authentication
• All levels have privacy and integrity
• Class I - Anonymous
  • No authentication
• Class II
  • Server authentication only
• Class III
  • Client and server authentication
Which Certificates Do I Use for Authentication?
• WAP gateways/server need to provide WAP certificates for authentication
  • Need to obtain WTLS certificate
• Web servers use X.509
  • The same ones they use today
• Mobile users use X.509
  • Wireless PKI
[Diagram labels: Mobile User, WAP Gateway, Web Server; X.509, WTLS, X.509]
How to Achieve End-to-End Security
• Move everything to a secure domain
• WAP end-to-end security solution
• SIM toolkit-based solution
• WAP application layer security
Baltimore Telepathy WAP Solution
Conclusion
• Partner with a leader who has the completeness of vision and the ability to execute
• PKI solutions can help move security from enterprise to extranet, high-value customers and suppliers, and the m-Commerce world