
Mobile Banking - PKI, WAP and WIM

Mon, Mar 23, 2009

Mobile Banking

In order to perform secure transactions and messaging, data encryption is paramount. This can be provided by symmetric or asymmetric (Public Key) encryption. The symmetric alternative uses the same key to encrypt and decrypt information–unfortunately that key must itself be transmitted to the recipient of the message, allowing interception by a third party. Public Key Infrastructure (PKI), the asymmetric solution, uses two sets of keys: public and private. Information encrypted using the public key can only be recovered using the complementary private key. Thus the public keys of all users can be published in open directories, enabling confidential communication as well as verifiable digital signatures. PKI is not the only solution–a UK Girobank trial for m-payments employs a Virtual Private Network (VPN) with Digital Mobility’s WAPHub product. Yet the near-unanimity with which PKI is championed can be gauged from the players across the value chain who implement PKI-based solutions, including the market leader, mobile operator Sonera, software manufacturer Brokat and smart card manufacturer Oberthur.

PKI is indispensable given the current flaws in the WAP 1.1 specification–despite data encryption by Wireless Transport Layer Security (WTLS) between the handset and the WAP gateway, sensitive data is momentarily unencrypted at the gateway, since the connection between the WAP gateway and the internet relies on SSL (Secure Sockets Layer) and the gateway must decrypt the WTLS traffic before re-encrypting it for SSL. Efforts by the WAP Forum have resulted in three current security specifications:

* WTLS layer specification (available since WAP 1.1)

* WMLScript Crypto Library specification (WAP 1.2)

* WAP Identity Module (WIM) (WAP 1.2).

WTLS defines three classes (modes) of operation, but limitations derive from both WTLS itself and version 1.1 of the WAP protocol. WTLS does not provide end-to-end security–installing the WAP gateway at the content provider would solve this, but the cost is prohibitive. Moreover, private keys cannot be securely stored with a WAP 1.1 security stack, which rules out WTLS Class 3 (client-authenticated) operation. WTLS, like SSL, does not provide non-repudiation of transactions at the application level. Smart card integration within the WTLS layer would enable such private key storage, since GSM SIMs are tamper-resistant.

The WAP 1.2 specifications have been designed to overcome the limitations of WTLS. The WMLScript Crypto Library performs the digital signature function in the WAP client, while the WAP Identity Module (WIM) plays two strategic security roles:

* It performs WAP client authentication and session management at the client side within the WTLS layer

* It performs the digital signature for the WAP client within the application security layer (with WMLScript Crypto Library).

In both cases the WIM stores the cryptographic keys and protects the algorithms concerned with a PIN. The level of security achieved depends on the associated use of smart cards: for GSM networks it is likely that WIM and SIM will be combined within the same device, whether together on a single smart card or separately using a dual-card arrangement (dual-chip/dual-slot).
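The gateway gap described above, and the way application-layer keys held in the WIM close it, modelled as an added example (not from the original article): a toy HMAC-based stream cipher stands in for WTLS and SSL record encryption, the key and nonce values are constructed, and `hop_by_hop` / `end_to_end` are hypothetical names.

```python
# Model of the WAP 1.1 "gateway gap": WTLS protects handset<->gateway and
# SSL protects gateway<->bank, but the gateway decrypts and re-encrypts, so
# the plaintext transiently exists there. With an application-layer key that
# lives only in the WIM and at the bank, the gateway only ever sees ciphertext.
# The cipher below is a TOY (HMAC-SHA256 counter keystream), not a real one.
import hashlib
import hmac


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` keystream bytes from (key, nonce) in counter mode."""
    out, counter = b"", 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR with keystream; the same call decrypts (symmetric, like WTLS/SSL)."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


WTLS_KEY = b"constructed-handset-gateway-key"  # WTLS session key (constructed)
SSL_KEY = b"constructed-gateway-bank-key"      # SSL session key (constructed)
APP_KEY = b"constructed-wim-bank-key"          # held only in WIM + bank (constructed)
NONCE = b"rec0"                                # per-record nonce (constructed)


def hop_by_hop(message: bytes):
    """WAP 1.1 path. Returns (bytes visible at the gateway, bytes the bank gets)."""
    wtls_record = encrypt(WTLS_KEY, NONCE, message)          # handset -> gateway
    seen_at_gateway = encrypt(WTLS_KEY, NONCE, wtls_record)  # gateway decrypts WTLS
    ssl_record = encrypt(SSL_KEY, NONCE, seen_at_gateway)    # gateway re-encrypts for SSL
    bank_plain = encrypt(SSL_KEY, NONCE, ssl_record)         # bank decrypts SSL
    return seen_at_gateway, bank_plain


def end_to_end(message: bytes):
    """WAP 1.2-style path: the payload is protected with a WIM-held key before it
    enters the WTLS/SSL hops, so the gateway's view is still ciphertext."""
    inner = encrypt(APP_KEY, NONCE, message)                 # done on the handset/WIM
    seen_at_gateway, bank_inner = hop_by_hop(inner)          # transport hops unchanged
    return seen_at_gateway, encrypt(APP_KEY, NONCE, bank_inner)
```

Running both paths on the same payment instruction shows the instruction readable at the gateway in the first case and opaque there in the second, while the bank recovers it in both.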
