Mobile Security

Upload: jasmine-george

Post on 20-Jan-2016


Page 1: Mobile Security. Security is Hard Just this year: Denial of service Credit card compromise I Love you Cost to manage security quickly becomes prohibitive

Mobile Security

Page 2:

Security is Hard

• Just this year:
  • Denial of service
  • Credit card compromise
  • I Love you

• Cost to manage security quickly becomes prohibitive

• How do we do it?

Page 3:

“The wireless telegraph is not difficult to understand. The ordinary telegraph is like a very long cat. You pull the tail in New York, and it meows in Los Angeles. The wireless is the same only without the cat.”

Albert Einstein

Wireless is Complex

Page 4:

Speed is Everything

[Chart: gross profit (%), on a 0 to 100 scale, versus time late to market (on time, 2 months, 4 months, 6 months). Source: McKinsey & Co]

Page 5:

Recommendations

• Consolidate as much as possible the security mechanisms necessary to perform commerce

• Standards-based, vendor neutral, global scope, legal framework

• Leverage the work already done in e-Business, e-Security

• After all, wireless is just an extension of technology

Page 6:

Trust in the Digital World

• Trust in the Physical World: Passports, Check Books, Credit Cards
• Trust in the Digital World: PKI, Encryption, Authentication

Page 7:

Public Key Infrastructure (PKI)

• Allow unknown parties to communicate securely
• “Parties” can be:
  • Employees
  • Devices
  • Suppliers
  • Partners

And most importantly, PKI can scale to millions of customers . . .

Page 8:

Market is Huge

[Chart: 1999 to 2004 on the horizontal axis, 0 to 1,400,000,000 on the vertical axis; series: WAP-capable, Total Cellular/PCS, Wired. Source: IDC, 2000]

Page 9:

Infrastructure Investments Yield Benefits Beyond Commerce

• Cisco realized $825 million in financial benefits in 1999
  • Customer Service $269
  • E-Commerce $37
  • Supply Chain $444
  • Employee Resources $55
• Dell enjoying similar rewards
  • Dell generates more working capital than it consumes
  • Customers pay for product before Dell pays suppliers
  • Inventory turns over 60 times/year, 6 times/year in 1994

Page 10:

Wireless Network Architecture

[Diagram labels: Internet, Network Operator, Users, E-businesses]

Page 11:

Evolution of WAP Security

[Timeline diagram; labels recovered from the slide:]

• Time axis: Q3 1999 (July), Q1 2000 (Jan), Q3 2000 (July), Q4 2000 (Oct)
• WAP versions: WAP 1.1, WAP 1.2, WAP 1.2+
• Telepathy products: Telepathy WAP Security Toolkit, Telepathy WAP Security Gateway, Telepathy WAP Certificates, Telepathy WAP CA, Telepathy Digital Signature Toolkit, Telepathy PKI Registration System, Telepathy PKI Validation System
• Other labels: WTLS 1.1, WIM, WTLS 1.2, Wireless PKI, WML Script Crypto Library

Page 12:

WTLS Layer in WAP Stack

WTLS is the wireless equivalent of SSL/TLS

[Diagram: protocol stacks compared under the captions OSI Model, WAP Model and Internet Model; labels recovered from the slide:]

• Layer labels: Application Layer, Session Layer, Transaction Layer, Security Layer, Transport Layer, Network Layer
• WAP stack: Wireless Application Environment (WAE), Wireless Session Protocol (WSP), Wireless Transaction Protocol (WTP), Wireless Transport Layer Security (WTLS), Datagrams (UDP/IP), Datagrams (WDP), Wireless Bearer Network (PDC-P, PCS, CDMA, TDMA, W-CDMA, etc.)
• Internet stack: HTML/Java/JavaScript, HTTP, SSL/TLS, TCP/IP
• Other labels: Services and Applications, Low-level Network Layer

Page 13:

Web & WAP Architecture

[Diagram; labels recovered from the slide:]

• Web: HTML pages, HTTP, Web Server
• WAP: WML pages, WAP Gateway, Web Server

Page 14:

Web & WAP Session Security

[Diagram; labels recovered from the slide:]

• Web and Web Server: Secure Sockets Layer (SSL) & Transport Layer Security (TLS): Authentication - Integrity - Confidentiality
• WAP and WAP Gateway/Server: Wireless TLS (WTLS): Authentication - Integrity - Confidentiality
• WAP Gateway/Server and Web Server: SSL/TLS

Page 15:

WTLS Authentication Levels

• Three levels of authentication

• All levels have privacy and integrity

• Class I - Anonymous
  • No authentication
• Class II
  • Server authentication only
• Class III
  • Client and server authentication


Page 16:

Which Certificates Do I Use for Authentication?

• WAP gateways/servers need to provide WAP certificates for authentication
  • Need to obtain WTLS certificate
• Web servers use X.509
  • The same ones they use today
• Mobile users use X.509
  • Wireless PKI

[Diagram: Mobile User (X.509), WAP Gateway (WTLS), Web Server (X.509)]

Page 17:

How to Achieve End-to-End Security

• Move everything to a secure domain

• WAP end-to-end security solution

• SIM toolkit-based solution

• WAP application layer security

Page 18:

Baltimore Telepathy WAP Solution

Page 19:

Conclusion

• Partner with a leader who has the completeness of vision and the ability to execute

• PKI solutions can help move security from enterprise to extranet, high value customers and suppliers, and m-Commerce world