Global Information Assurance Certification Paper - GIAC Certifications
Page content transcription
If your browser does not render page correctly, please read the page content below
Global Information Assurance Certification Paper Copyright SANS Institute Author Retains Full Rights This paper is taken from the GIAC directory of certified professionals. Reposting is not permited without express written permission. Interested in learning more? Check out the list of upcoming events offering "Security Essentials Bootcamp Style (Security 401)" at http://www.giac.org/registration/gsec
Marcus L. Cutts s. ht rig ull f ns Secure Wireless Application Protocol (WAP) Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 tai in the Enterprise, Ready or Not? re or th Au 2, 00 -2 00 20 te tu sti In NS SA © Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 Created By: Marcus L. Cutts © SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.
Marcus L. Cutts Abstract The initial advent of wireless infrastructures and associated technologies were originally overlooked by most within the technological community. This was mostly due to the infantile nature of the technology, as well as its failure to address absolute critical issues such as security. Other variables such as cost and reliability also played a part in s. the shunning of wireless technology. However, the astounding acceptance and ht ingraining of the Internet into the everyday operations of life have spawned an rig overwhelming requirement and desire for access to unlimited amounts of information under virtually no restraints. We now find that being able to receive email and access ull calendar information among numerous other data only from the confines of ones office or home PC is not only unacceptable, but also a serious detriment to business and f enterprises alike. Once again the endless possibilities of wireless communications and ns technology enters=the Key fingerprint stage, AF19 FA27but this998D 2F94 time FDB5 it is unquestionably DE3D F8B5 06E4here to stay. A169 4E46 tai At the dawning of the 21st century we see an overwhelming interest in wireless re technologies. This interest is not only for the luxuries and conveniences that they or promise, but also for the sheer magnitude in which they can and probably will change th the way in which enterprises are run and maintained in future generations. One such technology that has grabbed the communities’, as well as the general public’s attention Au is the Wireless Application Protocol (WAP). WAP is an open industry-established world standard that is based upon successful Internet standards such as, but not limited to the 2, eXtensible Markup Language (XML) and the Internet Protocol (IP). By being 00 established using already existing and accepted protocols WAP was destined to gain a -2 tremendous amount of recognition from the start. However, regardless of the glitz and glamour the protocol still must meet certain requirements and be capable of certain 00 functionality before it will be deemed suitable for the enterprise. One important issue, if not the most relevant of these requirements is the concern of adequate security within 20 the technology. For, if the potential implementers of this protocol are not guaranteed te secure communications and transactions all of the aforementioned glamour will be lost. tu The intent of this thesis is to examine the WAP, and more specifically deal with sti security measures that have been included within the protocol. The document will In provide an in-depth look at how this technology is structured and implemented, as well as how secure it is perceived throughout the industry within enterprise environments. NS Upon reviewing this paper the reader should develop an informed opinion on whether or not the WAP is ready for enterprise operations. That is not to conclude that more in- SA depth research should not be conducted, but is simply implying that the document could serve as an introduction and foundation of knowledge on the subject topic. © Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 © SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.
Marcus L. Cutts WAP Architecture s. ht rig ull f ns Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 tai re or th Au 2, 00 -2 1 00 The image above depicts the architectural model of the WAP. It was designed to 20 be extremely similar in nature to the existing protocols that make up the World Wide Web (WWW); this is further substantiated by the following comments that exist within te the WAP architectural specification. “The WAP programming model is similar to the tu WWW programming model. This provides several benefits to the application developer sti community, including a familiar programming model, a proven architecture, and the ability to leverage existing tools (e.g., Web servers, XML tools, etc.). Optimizations and In extensions have been made in order to match the characteristics of the wireless environment. Wherever possible, existing standards have been adopted or have been NS used as the starting point for the WAP technology.”2 SA The components of the WAP architecture are illustrated in the image below. As one can see the protocol has taken into consideration the concerns of security from the © beginning, this was not the case when wireless functions were initially introduced. However, although the creators of the WAP specification have addressed security, it is the industry consensus that the initial release of the protocol did not sufficiently cover security concerns and that it should definitely be given the utmost attention within Key fingerprint subsequent = AF19 releases. TheFA27 2F94 image 998Dshows below FDB5 DE3D how theF8B5 06E4protocol subject A169 4E46capitalizes on already existing, proven standards to achieve its end goals. Specifically, in the area of 1 WAP Forum 2 WAP Architecture Specification © SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.
Marcus L. Cutts security the Wireless Transport Layer Security (WTLS) component of the WAP architecture builds upon the industry standard Secure Sockets Layer (SSL) or Transport Layer Security (TLS) to provide the necessary Bedrock Principles functionality. s. ht rig ull f ns Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 tai re or th Au 2, 00 Wireless Transport Layer Security (WTLS) -2 “WTLS is intended for use with the WAP transport protocols and has been optimized for use over narrow-band communication channels. WTLS provides the 00 following features: 20 · Data integrity – WTLS contains facilities to ensure that data sent between the terminal and an application server is unchanged and uncorrupted. te · Privacy – WTLS contains facilities to ensures that data transmitted between the tu terminal and an application server is private and cannot be understood by any sti intermediate parties that may have intercepted the data stream. · Authentication – WTLS contains facilities to establish the authenticity of the terminal In and application server. · Denial-of-service protection – WTLS contains facilities for detecting and rejecting data NS that is replayed or not successfully verified. WTLS makes many typical denial-of-service SA attacks harder to accomplish and protects the upper protocol layers. WTLS may also be used for secure communication between terminals, e.g., for authentication of electronic © business card exchange. Applications are able to selectively enable or disable WTLS features depending on their security requirements and the characteristics of the underlying network (e.g., privacy may be disabled on networks already providing this service at a lower layer).”2 KeyWTLS fingerprint was=created AF19 FA27 2F94to998D in order FDB5secure facilitate DE3D wireless F8B5 06E4 A169 4E46without the transactions need for extensive processing power and large sums of memory. WTLS promotes the fast processing of security algorithms. This is accomplished by reducing protocol 2 WAP Architecture Specification © SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.
Marcus L. Cutts overhead and enabling increased data compression in comparison to that of traditional SSL solutions. The resulting effect is that WTLS can conduct appropriate security within a wireless network. These advances allow portable, wireless devices to communicate securely over the Internet. s. “A secure WAP conversation occurs in two stages. First the transmission ht between the web server and the WAP gateway occurs over SSL. The onward rig transmission of this message over the air interface to and from the WAP browser device is over wireless networks using WTLS. Essentially the WAP gateway serves as a bridge ull between the WTLS and SSL security protocols. There are considerations (some say limitations) in the introduction of a bridging protocol like WTLS. The current WAP f security model requires a strong relationship between the network operator and the ns content provider. The Key fingerprint WAP = AF19 Forum FA27 2F94has 998Drecognized FDB5 DE3D thatF8B5 as the market 06E4 A169for highly secure 4E46 tai applications increases, a more flexible and extensible solution will be needed. When re working across many different wireless networks, application developers must be assured that their content remains encrypted from the time it leaves their application or server until it arrives at the WAP handset. As a result there is a process underway to th develop this more advanced security solution, which must address the enterprise's need for higher security and the operator's need for proper integration with WAP gateways in Au the wireless network.”3 2, The previous paragraph, which provides an overview of a secure WAP 00 conversation or transaction, describes the WAP gateway as a bridge between WTLS -2 and SSL protocols. This gateway or bridge to many is also considered a possible security vulnerability to enterprises that utilize WAP based applications. The gateway is 00 generally supplied by outside carriers who provide these capabilities externally to normal corporate operations. Thus, removing the assurance of secured operation from 20 a portion of the WAP infrastructure. However, though these security concerns exist the te WAP forum has diligently addressed such issues and has intent on easing these tu concerns in later releases of the WAP specification. sti WTLS Certificates In In recent years one of the most effective and accepted ways of providing secure authentication has been through the usage of digital certificates. This has proven to be NS sufficient for hard-wired systems, and wireless equivalents are definitely not the exception. The wireless certificates have been produced and vigorously promoted by SA several independent vendors who actively support this technology as a means to provide wireless consumers with secure interactions, this is further substantiated by the © following technical comments provided by Verisign. From the security perspective, the most significant WAP specification is the Wireless Transport Layer Security (WTLS) protocol. WTLS is a close relative of SSL, the Key primary protocol fingerprint usedFA27 = AF19 to secure the wired 2F94 998D FDB5Web. DE3DFor PKI,06E4 F8B5 WTLS uses A169 two types of 4E46 certificates. 3 Mobile Management © SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.
Marcus L. Cutts “WTLS server certificates, defined as part of WAP 1.1, are used to authenticate a WTLS server to a WTLS client (handset) and to provide a basis for establishing a key to encrypt a client-server session. They are like SSL server certificates, except that two different certificate formats are defined - X.509 certificates (as in SSL) and WTLS mini- certificates, which are functionally similar to X.509 but are smaller and simpler than s. X.509 to facilitate their processing in resource-constrained handsets. The mini- ht certificate is mandatory to implement and the X.509 certificate is optional to implement. rig WTLS client certificates, defined as part of WAP 1.2, are used to authenticate a ull WTLS client (handset) to a WTLS server. They also can be formatted as either X.509 certificates or mini-certificates. WAP 1.2 also defines an interesting PKI-based function f that is not part of WTLS. This function, which allows a WAP client to digitally sign a ns transaction, is known Key fingerprint as the = AF19 WML2 FA27 2F94 Script Sign Text 998D FDB5 DE3Dfunction, andA169 F8B5 06E4 is intended 4E46 for tai applications that require non-reputable signatures from clients.”4 re As stated earlier the initial release of the WAP specification was ridiculed due to or its lack of consideration for security concerns. However, the WAP forum has th meticulously progressed in the area of security and continues to make strides in providing secure wireless applications. This is evident in the ability provided in WAP 1.2 Au to handle wireless client authentication. With providing this functionality the WAP Forum has also made it possible for independent wireless security providers to expound 2, upon the newest specification. This is further verified in the following comments. 00 -2 “In a WAP environment, client-to-gateway authentication is provided within WTLS in WAP 1.2. Client-to-application authentication requires functions at a higher layer than 00 WTLS. VeriSign favors an extension to the WAP WML Script standard to include a client authentication function akin to the Sign Text function. In essence, this function will 20 work by having the client send to the server a digitally signed copy of a fresh challenge te received from that server. The nature of PKI support for client authentication is tu essentially the same as for client digital signatures. X.509-format certificates are issued through VeriSign OnSite or related VeriSign service provider products, and are stored sti and used in the wired infrastructure and, optionally, in the client device or SIM.”4 In In addition to the aforementioned SIM, it is also evident that the industry is NS progressing in the area of wireless security, infrastructures, and applications simply by the onslaught of new standards, products, and concepts being introduced. One of SA these new innovations is the Wireless Public Key Infrastructure (WPKI), which will continue to aid in the progression of wireless efforts. The chart below provided by © Baltimore Technologies demonstrates the promised capabilities of WPKI in comparison to SIM. Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 4 Secure Wireless E-Commerce with PKI from VeriSign © SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.
Marcus L. Cutts s. ht rig ull f ns Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 tai re or th 5 Au 2, Cryptographic Algorithms for Wireless Environments 00 Any adequate security solution must guarantee absolute confidentiality for its -2 users, the most common way of achieving this requirement is through the use of encryption. Over the years many different algorithms have been introduced and utilized 00 for encryption functions. One of the more prevalent cryptographic technologies has 20 been the RSA crypto-system; this is especially true for the wired Internet environments. Although, RSA has proven to be an extremely valuable and reliable solution the te question has often been posed, is there a better solution out there. To answer this tu question developers and integrators alike have begun extensive research into other sti potential encryption algorithms. One of the formidable competitors of RSA is Elliptic Curve Cryptography (ECC), which can perform the same basic functions as RSA but In which demands fewer CPU resources and smaller data items that need to be communicated or stored. NS SA Furthermore, the question is now frequently asked, which algorithm is more efficient for wireless environments? While all organizations must come to their own © conclusion on the subject Verisign has chosen to take a path that will probably be less traveled. Verisign has chosen to implement both algorithms, this is illustrated in the following statements. “VeriSign possesses both RSA and ECC technologies and can apply either, as governed by market demand and service deployment costs.”4 KeyVerisign fingerprint = AF19 also FA27 makes 2F94when it clear 998D the FDB5 DE3D issue F8B5 06E4 of selecting A169 one 4E46 of the two algorithms is absolutely necessary, and the associated determining factors involved in the following 5 Comparison of WPKI and SIM Toolkit 4 Secure Wireless E-Commerce with PKI from VeriSign © SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.
Marcus L. Cutts comments. “However, when considered in terms of the cryptography used in server key pairs and certificates (that is, the certificates processed by mobile clients), the question becomes moot. The RSA public-key operation, such as that used in verifying a digital signature, is no more resource intensive than the corresponding ECC operation. Consequently, given the extensive installed base of RSA technology, the industry s. appears to be embracing the use of RSA in this situation. ht rig The question is more valid when considering cryptography for client authentication or digital signatures, because ECC private-key operations (such as ull digitally signing) can be much less resource-intensive than the corresponding RSA operations. However, the temptation to adopt ECC is countered by the fact that the f installed base of Internet signature-verifying systems is RSA-based, hence ns leveragability of installed Key fingerprint technology = AF19 FA27 favors 2F94 998D RSA. FDB5 VeriSign’s DE3D position F8B5 06E4 A169is4E46 that RSA tai cryptography is preferred because of the foregoing factor, unless the platform is simply re incapable of performing an RSA private-key operation in an acceptable time. In the latter case ECC is a good choice. Our experience to date has indicated that very few or platforms have problems with RSA.”4 th The previous paragraphs are pretty convincing in stating that RSA’s is the Au algorithm of choice within the Internet community, this is also proven by its enormous acceptance by corporations and standards bodies within the same industry. However, 2, that is not to imply that the possibility of ECC gaining ground is not feasible. This is 00 especially a consideration when one thinks about the opportunities and new -2 technologies that will come to fruition in the years to come. Furthermore, events that are to soon take place may play a significant role in deciding how relevant new 00 algorithms will be in the future. An example of such an event is the expiration of RSA’s patent in the coming weeks. This may well be a leveraging point for other algorithms 20 and encryption technologies, as the relinquishing of RSA’s stronghold on the industry te may very well be in trouble. Only time will tell! tu Conclusion sti The underlying question that this document presents is, if WAP is ready for In extensive introduction into the mainstream of enterprise environments? The fact of the matter is that the answer is totally dependent upon the enterprise that is seeking the NS functionality that the WAP specification can provide. One question that organizations should first ask themselves before attempting to implement WAP functions is, are their SA infrastructures secure now; before the inclusion of wireless technologies? If the answer to this question is no, then those companies definitely have a greater concern that © wireless capabilities. The truth be told WAP is an extraordinary revelation for the industry, and especially for the opportunities that exist for wireless communications. However, the factKey still fingerprint remains that the protocol = AF19 FA27 2F94is 998D but a FDB5 babe, DE3D and inF8B5 its infancy there4E46 06E4 A169 still exists some 4 Secure Wireless E-Commerce with PKI from VeriSign © SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.
Marcus L. Cutts areas that need improvement. It is also evident that the WAP Forum, as well as the community that it serves also realizes this and has been working vigorously to address these issues. There is no doubt that WAP will play an important role within enterprises that s. desire its functions, the true task will be in corporations properly selecting appropriate ht areas to securely apply this technology. A suggestion to potential users is to first rig implement an exhaustive pilot program to test the performance and functionality within their specific enterprise. Furthermore, it is probably even more important to guarantee ull that the security measures provided by WAP are sufficient for their intended programs. Finally, it is my opinion that although the technology may be well on its way to being f ready for prime time it is currently not there yet. This is primarily due to the continuing ns security concerns=that Key fingerprint exist AF19 around FA27 2F94 the 998Dstandard, as well FDB5 DE3D F8B5as06E4 the fact that A169 it is still 4E46 tai extremely new and has not been repeatedly proven within the industry. I do however re expect this state to change rapidly, as major improvements and progressions are taking place in this area, and I for one am extremely excited about the possibilities, but for the or time being I guess I will be left chomping at the bit! th Au 2, 00 -2 00 20 te tu sti In NS SA © Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 © SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.
Marcus L. Cutts Bibliography 1.) WAP Architecture, The WAP Forum, http://www1.wapforum.org/member/developers/slides/WAP- s. ht rig Architecture/index.htm, 1999 ull 2.) WAP Architecture Specification, The WAP Forum, f http://www1.wapforum.org/tech/terms.asp?doc=WAP-100-WAPArch-19980430- ns Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 tai a.pdf, 2000 re 3.) Mobile Management, Market Drivers for the Foundation of The Open Group or Mobile Management Forum, The Open Group, 2000 th 4.) Secure Wireless E-Commerce with PKI from VeriSign, Verisign Inc., Au https://www.verisign.com/server/rsc/wp/wap/index.html, 2000 2, 00 5.) Comparison of WPKI and SIM Toolkit, Mobile Internet Security, Baltimore -2 Technologies, 2000 00 20 te tu sti In NS SA © Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 © SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.
Last Updated: September 24th, 2018 Upcoming Training SANS Seattle Fall 2018 Seattle, WA Oct 15, 2018 - Oct 20, 2018 Live Event SANS London October 2018 London, United Oct 15, 2018 - Oct 20, 2018 Live Event Kingdom SANS Denver 2018 Denver, CO Oct 15, 2018 - Oct 20, 2018 Live Event SANS October Singapore 2018 Singapore, Singapore Oct 15, 2018 - Oct 27, 2018 Live Event Community SANS Ottawa SEC401 Ottawa, ON Oct 15, 2018 - Oct 20, 2018 Community SANS Community SANS Madrid SEC401 (in Spanish) Madrid, Spain Oct 22, 2018 - Oct 27, 2018 Community SANS SANS Houston 2018 Houston, TX Oct 29, 2018 - Nov 03, 2018 Live Event Houston 2018 - SEC401: Security Essentials Bootcamp Style Houston, TX Oct 29, 2018 - Nov 03, 2018 vLive SANS Gulf Region 2018 Dubai, United Arab Nov 03, 2018 - Nov 15, 2018 Live Event Emirates Community SANS Bethesda SEC401 Bethesda, MD Nov 05, 2018 - Nov 10, 2018 Community SANS SANS London November 2018 London, United Nov 05, 2018 - Nov 10, 2018 Live Event Kingdom SANS Sydney 2018 Sydney, Australia Nov 05, 2018 - Nov 17, 2018 Live Event SANS Dallas Fall 2018 Dallas, TX Nov 05, 2018 - Nov 10, 2018 Live Event San Diego Fall 2018 - SEC401: Security Essentials Bootcamp San Diego, CA Nov 12, 2018 - Nov 17, 2018 vLive Style SANS Osaka 2018 Osaka, Japan Nov 12, 2018 - Nov 17, 2018 Live Event SANS Mumbai 2018 Mumbai, India Nov 12, 2018 - Nov 17, 2018 Live Event SANS San Diego Fall 2018 San Diego, CA Nov 12, 2018 - Nov 17, 2018 Live Event Austin 2018 - SEC401: Security Essentials Bootcamp Style Austin, TX Nov 26, 2018 - Dec 01, 2018 vLive SANS San Francisco Fall 2018 San Francisco, CA Nov 26, 2018 - Dec 01, 2018 Live Event SANS Austin 2018 Austin, TX Nov 26, 2018 - Dec 01, 2018 Live Event SANS Santa Monica 2018 Santa Monica, CA Dec 03, 2018 - Dec 08, 2018 Live Event SANS Nashville 2018 Nashville, TN Dec 03, 2018 - Dec 08, 2018 Live Event SANS Frankfurt 2018 Frankfurt, Germany Dec 10, 2018 - Dec 15, 2018 Live Event SANS Cyber Defense Initiative 2018 Washington, DC Dec 11, 2018 - Dec 18, 2018 Live Event SANS vLive - SEC401: Security Essentials Bootcamp Style SEC401 - 201812, Dec 11, 2018 - Jan 29, 2019 vLive Community SANS Burbank SEC401 Burbank, CA Jan 07, 2019 - Jan 12, 2019 Community SANS Community SANS Toronto SEC401 Toronto, ON Jan 14, 2019 - Jan 19, 2019 Community SANS SANS Sonoma 2019 Santa Rosa, CA Jan 14, 2019 - Jan 19, 2019 Live Event SANS Amsterdam January 2019 Amsterdam, Netherlands Jan 14, 2019 - Jan 19, 2019 Live Event SANS Miami 2019 Miami, FL Jan 21, 2019 - Jan 26, 2019 Live Event Community SANS Omaha SEC401 Omaha, NE Jan 21, 2019 - Jan 26, 2019 Community SANS
You can also read
NEXT SLIDES ... Cancel