Global Information Assurance Certification Paper - GIAC Certifications
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
Global Information Assurance Certification Paper
Copyright SANS Institute
Author Retains Full Rights
This paper is taken from the GIAC directory of certified professionals. Reposting is not permited without express written permission.
Interested in learning more?
Check out the list of upcoming events offering
"Security Essentials Bootcamp Style (Security 401)"
at http://www.giac.org/registration/gsecMarcus L. Cutts
s.
ht
rig
ull
f
ns
Secure Wireless Application Protocol (WAP)
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
tai
in the Enterprise, Ready or Not?
re
or
th
Au
2,
00
-2
00
20
te
tu
sti
In
NS
SA
©
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
Created By: Marcus L. Cutts
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.Marcus L. Cutts
Abstract
The initial advent of wireless infrastructures and associated technologies were
originally overlooked by most within the technological community. This was mostly due
to the infantile nature of the technology, as well as its failure to address absolute critical
issues such as security. Other variables such as cost and reliability also played a part in
s.
the shunning of wireless technology. However, the astounding acceptance and
ht
ingraining of the Internet into the everyday operations of life have spawned an
rig
overwhelming requirement and desire for access to unlimited amounts of information
under virtually no restraints. We now find that being able to receive email and access
ull
calendar information among numerous other data only from the confines of ones office
or home PC is not only unacceptable, but also a serious detriment to business and
f
enterprises alike. Once again the endless possibilities of wireless communications and
ns
technology enters=the
Key fingerprint stage,
AF19 FA27but this998D
2F94 time FDB5
it is unquestionably
DE3D F8B5 06E4here to stay.
A169 4E46
tai
At the dawning of the 21st century we see an overwhelming interest in wireless
re
technologies. This interest is not only for the luxuries and conveniences that they
or
promise, but also for the sheer magnitude in which they can and probably will change
th
the way in which enterprises are run and maintained in future generations. One such
technology that has grabbed the communities’, as well as the general public’s attention
Au
is the Wireless Application Protocol (WAP). WAP is an open industry-established world
standard that is based upon successful Internet standards such as, but not limited to the
2,
eXtensible Markup Language (XML) and the Internet Protocol (IP). By being
00
established using already existing and accepted protocols WAP was destined to gain a
-2
tremendous amount of recognition from the start. However, regardless of the glitz and
glamour the protocol still must meet certain requirements and be capable of certain
00
functionality before it will be deemed suitable for the enterprise. One important issue, if
not the most relevant of these requirements is the concern of adequate security within
20
the technology. For, if the potential implementers of this protocol are not guaranteed
te
secure communications and transactions all of the aforementioned glamour will be lost.
tu
The intent of this thesis is to examine the WAP, and more specifically deal with
sti
security measures that have been included within the protocol. The document will
In
provide an in-depth look at how this technology is structured and implemented, as well
as how secure it is perceived throughout the industry within enterprise environments.
NS
Upon reviewing this paper the reader should develop an informed opinion on whether or
not the WAP is ready for enterprise operations. That is not to conclude that more in-
SA
depth research should not be conducted, but is simply implying that the document could
serve as an introduction and foundation of knowledge on the subject topic.
©
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.Marcus L. Cutts
WAP Architecture
s.
ht
rig
ull
f
ns
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
tai
re
or
th
Au
2,
00
-2
1
00
The image above depicts the architectural model of the WAP. It was designed to
20
be extremely similar in nature to the existing protocols that make up the World Wide
Web (WWW); this is further substantiated by the following comments that exist within
te
the WAP architectural specification. “The WAP programming model is similar to the
tu
WWW programming model. This provides several benefits to the application developer
sti
community, including a familiar programming model, a proven architecture, and the
ability to leverage existing tools (e.g., Web servers, XML tools, etc.). Optimizations and
In
extensions have been made in order to match the characteristics of the wireless
environment. Wherever possible, existing standards have been adopted or have been
NS
used as the starting point for the WAP technology.”2
SA
The components of the WAP architecture are illustrated in the image below. As
one can see the protocol has taken into consideration the concerns of security from the
©
beginning, this was not the case when wireless functions were initially introduced.
However, although the creators of the WAP specification have addressed security, it is
the industry consensus that the initial release of the protocol did not sufficiently cover
security concerns and that it should definitely be given the utmost attention within
Key fingerprint
subsequent = AF19
releases. TheFA27 2F94
image 998Dshows
below FDB5 DE3D
how theF8B5 06E4protocol
subject A169 4E46capitalizes on
already existing, proven standards to achieve its end goals. Specifically, in the area of
1
WAP Forum
2
WAP Architecture Specification
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.Marcus L. Cutts
security the Wireless Transport Layer Security (WTLS) component of the WAP
architecture builds upon the industry standard Secure Sockets Layer (SSL) or Transport
Layer Security (TLS) to provide the necessary Bedrock Principles functionality.
s.
ht
rig
ull
f
ns
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
tai
re
or
th
Au
2,
00
Wireless Transport Layer Security (WTLS)
-2
“WTLS is intended for use with the WAP transport protocols and has been
optimized for use over narrow-band communication channels. WTLS provides the
00
following features:
20
· Data integrity – WTLS contains facilities to ensure that data sent between the terminal
and an application server is unchanged and uncorrupted.
te
· Privacy – WTLS contains facilities to ensures that data transmitted between the
tu
terminal and an application server is private and cannot be understood by any
sti
intermediate parties that may have intercepted the data stream.
· Authentication – WTLS contains facilities to establish the authenticity of the terminal
In
and application server.
· Denial-of-service protection – WTLS contains facilities for detecting and rejecting data
NS
that is replayed or not successfully verified. WTLS makes many typical denial-of-service
SA
attacks harder to accomplish and protects the upper protocol layers. WTLS may also be
used for secure communication between terminals, e.g., for authentication of electronic
©
business card exchange. Applications are able to selectively enable or disable WTLS
features depending on their security requirements and the characteristics of the
underlying network (e.g., privacy may be disabled on networks already providing this
service at a lower layer).”2
KeyWTLS
fingerprint
was=created
AF19 FA27 2F94to998D
in order FDB5secure
facilitate DE3D wireless
F8B5 06E4 A169 4E46without the
transactions
need for extensive processing power and large sums of memory. WTLS promotes the
fast processing of security algorithms. This is accomplished by reducing protocol
2
WAP Architecture Specification
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.Marcus L. Cutts
overhead and enabling increased data compression in comparison to that of traditional
SSL solutions. The resulting effect is that WTLS can conduct appropriate security within
a wireless network. These advances allow portable, wireless devices to communicate
securely over the Internet.
s.
“A secure WAP conversation occurs in two stages. First the transmission
ht
between the web server and the WAP gateway occurs over SSL. The onward
rig
transmission of this message over the air interface to and from the WAP browser device
is over wireless networks using WTLS. Essentially the WAP gateway serves as a bridge
ull
between the WTLS and SSL security protocols. There are considerations (some say
limitations) in the introduction of a bridging protocol like WTLS. The current WAP
f
security model requires a strong relationship between the network operator and the
ns
content provider. The
Key fingerprint WAP
= AF19 Forum
FA27 2F94has
998Drecognized
FDB5 DE3D thatF8B5
as the market
06E4 A169for highly secure
4E46
tai
applications increases, a more flexible and extensible solution will be needed. When
re
working across many different wireless networks, application developers must be
assured that their content remains encrypted from the time it leaves their application
or
server until it arrives at the WAP handset. As a result there is a process underway to
th
develop this more advanced security solution, which must address the enterprise's need
for higher security and the operator's need for proper integration with WAP gateways in
Au
the wireless network.”3
2,
The previous paragraph, which provides an overview of a secure WAP
00
conversation or transaction, describes the WAP gateway as a bridge between WTLS
-2
and SSL protocols. This gateway or bridge to many is also considered a possible
security vulnerability to enterprises that utilize WAP based applications. The gateway is
00
generally supplied by outside carriers who provide these capabilities externally to
normal corporate operations. Thus, removing the assurance of secured operation from
20
a portion of the WAP infrastructure. However, though these security concerns exist the
te
WAP forum has diligently addressed such issues and has intent on easing these
tu
concerns in later releases of the WAP specification.
sti
WTLS Certificates
In
In recent years one of the most effective and accepted ways of providing secure
authentication has been through the usage of digital certificates. This has proven to be
NS
sufficient for hard-wired systems, and wireless equivalents are definitely not the
exception. The wireless certificates have been produced and vigorously promoted by
SA
several independent vendors who actively support this technology as a means to
provide wireless consumers with secure interactions, this is further substantiated by the
©
following technical comments provided by Verisign.
From the security perspective, the most significant WAP specification is the
Wireless Transport Layer Security (WTLS) protocol. WTLS is a close relative of SSL,
the Key
primary protocol
fingerprint usedFA27
= AF19 to secure the wired
2F94 998D FDB5Web.
DE3DFor PKI,06E4
F8B5 WTLS uses
A169 two types of
4E46
certificates.
3
Mobile Management
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.Marcus L. Cutts
“WTLS server certificates, defined as part of WAP 1.1, are used to authenticate
a WTLS server to a WTLS client (handset) and to provide a basis for establishing a key
to encrypt a client-server session. They are like SSL server certificates, except that two
different certificate formats are defined - X.509 certificates (as in SSL) and WTLS mini-
certificates, which are functionally similar to X.509 but are smaller and simpler than
s.
X.509 to facilitate their processing in resource-constrained handsets. The mini-
ht
certificate is mandatory to implement and the X.509 certificate is optional to implement.
rig
WTLS client certificates, defined as part of WAP 1.2, are used to authenticate a
ull
WTLS client (handset) to a WTLS server. They also can be formatted as either X.509
certificates or mini-certificates. WAP 1.2 also defines an interesting PKI-based function
f
that is not part of WTLS. This function, which allows a WAP client to digitally sign a
ns
transaction, is known
Key fingerprint as the
= AF19 WML2
FA27 2F94 Script Sign Text
998D FDB5 DE3Dfunction, andA169
F8B5 06E4 is intended
4E46 for
tai
applications that require non-reputable signatures from clients.”4
re
As stated earlier the initial release of the WAP specification was ridiculed due to
or
its lack of consideration for security concerns. However, the WAP forum has
th
meticulously progressed in the area of security and continues to make strides in
providing secure wireless applications. This is evident in the ability provided in WAP 1.2
Au
to handle wireless client authentication. With providing this functionality the WAP
Forum has also made it possible for independent wireless security providers to expound
2,
upon the newest specification. This is further verified in the following comments.
00
-2
“In a WAP environment, client-to-gateway authentication is provided within WTLS
in WAP 1.2. Client-to-application authentication requires functions at a higher layer than
00
WTLS. VeriSign favors an extension to the WAP WML Script standard to include a
client authentication function akin to the Sign Text function. In essence, this function will
20
work by having the client send to the server a digitally signed copy of a fresh challenge
te
received from that server. The nature of PKI support for client authentication is
tu
essentially the same as for client digital signatures. X.509-format certificates are issued
through VeriSign OnSite or related VeriSign service provider products, and are stored
sti
and used in the wired infrastructure and, optionally, in the client device or SIM.”4
In
In addition to the aforementioned SIM, it is also evident that the industry is
NS
progressing in the area of wireless security, infrastructures, and applications simply by
the onslaught of new standards, products, and concepts being introduced. One of
SA
these new innovations is the Wireless Public Key Infrastructure (WPKI), which will
continue to aid in the progression of wireless efforts. The chart below provided by
©
Baltimore Technologies demonstrates the promised capabilities of WPKI in comparison
to SIM.
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
4
Secure Wireless E-Commerce with PKI from VeriSign
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.Marcus L. Cutts
s.
ht
rig
ull
f
ns
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
tai
re
or
th
5
Au
2,
Cryptographic Algorithms for Wireless Environments
00
Any adequate security solution must guarantee absolute confidentiality for its
-2
users, the most common way of achieving this requirement is through the use of
encryption. Over the years many different algorithms have been introduced and utilized
00
for encryption functions. One of the more prevalent cryptographic technologies has
20
been the RSA crypto-system; this is especially true for the wired Internet environments.
Although, RSA has proven to be an extremely valuable and reliable solution the
te
question has often been posed, is there a better solution out there. To answer this
tu
question developers and integrators alike have begun extensive research into other
sti
potential encryption algorithms. One of the formidable competitors of RSA is Elliptic
Curve Cryptography (ECC), which can perform the same basic functions as RSA but
In
which demands fewer CPU resources and smaller data items that need to be
communicated or stored.
NS
SA
Furthermore, the question is now frequently asked, which algorithm is more
efficient for wireless environments? While all organizations must come to their own
©
conclusion on the subject Verisign has chosen to take a path that will probably be less
traveled. Verisign has chosen to implement both algorithms, this is illustrated in the
following statements. “VeriSign possesses both RSA and ECC technologies and can
apply either, as governed by market demand and service deployment costs.”4
KeyVerisign
fingerprint = AF19
also FA27
makes 2F94when
it clear 998D the
FDB5 DE3D
issue F8B5 06E4
of selecting A169
one 4E46
of the two algorithms
is absolutely necessary, and the associated determining factors involved in the following
5
Comparison of WPKI and SIM Toolkit
4
Secure Wireless E-Commerce with PKI from VeriSign
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.Marcus L. Cutts
comments. “However, when considered in terms of the cryptography used in server key
pairs and certificates (that is, the certificates processed by mobile clients), the question
becomes moot. The RSA public-key operation, such as that used in verifying a digital
signature, is no more resource intensive than the corresponding ECC operation.
Consequently, given the extensive installed base of RSA technology, the industry
s.
appears to be embracing the use of RSA in this situation.
ht
rig
The question is more valid when considering cryptography for client
authentication or digital signatures, because ECC private-key operations (such as
ull
digitally signing) can be much less resource-intensive than the corresponding RSA
operations. However, the temptation to adopt ECC is countered by the fact that the
f
installed base of Internet signature-verifying systems is RSA-based, hence
ns
leveragability of installed
Key fingerprint technology
= AF19 FA27 favors
2F94 998D RSA.
FDB5 VeriSign’s
DE3D position
F8B5 06E4 A169is4E46
that RSA
tai
cryptography is preferred because of the foregoing factor, unless the platform is simply
re
incapable of performing an RSA private-key operation in an acceptable time. In the
latter case ECC is a good choice. Our experience to date has indicated that very few
or
platforms have problems with RSA.”4
th
The previous paragraphs are pretty convincing in stating that RSA’s is the
Au
algorithm of choice within the Internet community, this is also proven by its enormous
acceptance by corporations and standards bodies within the same industry. However,
2,
that is not to imply that the possibility of ECC gaining ground is not feasible. This is
00
especially a consideration when one thinks about the opportunities and new
-2
technologies that will come to fruition in the years to come. Furthermore, events that
are to soon take place may play a significant role in deciding how relevant new
00
algorithms will be in the future. An example of such an event is the expiration of RSA’s
patent in the coming weeks. This may well be a leveraging point for other algorithms
20
and encryption technologies, as the relinquishing of RSA’s stronghold on the industry
te
may very well be in trouble. Only time will tell!
tu
Conclusion
sti
The underlying question that this document presents is, if WAP is ready for
In
extensive introduction into the mainstream of enterprise environments? The fact of the
matter is that the answer is totally dependent upon the enterprise that is seeking the
NS
functionality that the WAP specification can provide. One question that organizations
should first ask themselves before attempting to implement WAP functions is, are their
SA
infrastructures secure now; before the inclusion of wireless technologies? If the answer
to this question is no, then those companies definitely have a greater concern that
©
wireless capabilities.
The truth be told WAP is an extraordinary revelation for the industry, and
especially for the opportunities that exist for wireless communications. However, the
factKey
still fingerprint
remains that the protocol
= AF19 FA27 2F94is 998D
but a FDB5
babe, DE3D
and inF8B5
its infancy there4E46
06E4 A169 still exists some
4
Secure Wireless E-Commerce with PKI from VeriSign
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.Marcus L. Cutts
areas that need improvement. It is also evident that the WAP Forum, as well as the
community that it serves also realizes this and has been working vigorously to address
these issues.
There is no doubt that WAP will play an important role within enterprises that
s.
desire its functions, the true task will be in corporations properly selecting appropriate
ht
areas to securely apply this technology. A suggestion to potential users is to first
rig
implement an exhaustive pilot program to test the performance and functionality within
their specific enterprise. Furthermore, it is probably even more important to guarantee
ull
that the security measures provided by WAP are sufficient for their intended programs.
Finally, it is my opinion that although the technology may be well on its way to being
f
ready for prime time it is currently not there yet. This is primarily due to the continuing
ns
security concerns=that
Key fingerprint exist
AF19 around
FA27 2F94 the
998Dstandard, as well
FDB5 DE3D F8B5as06E4
the fact that
A169 it is still
4E46
tai
extremely new and has not been repeatedly proven within the industry. I do however
re
expect this state to change rapidly, as major improvements and progressions are taking
place in this area, and I for one am extremely excited about the possibilities, but for the
or
time being I guess I will be left chomping at the bit!
th
Au
2,
00
-2
00
20
te
tu
sti
In
NS
SA
©
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.Marcus L. Cutts
Bibliography
1.) WAP Architecture, The WAP Forum,
http://www1.wapforum.org/member/developers/slides/WAP-
s.
ht
rig
Architecture/index.htm, 1999
ull
2.) WAP Architecture Specification, The WAP Forum,
f
http://www1.wapforum.org/tech/terms.asp?doc=WAP-100-WAPArch-19980430-
ns
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
tai
a.pdf, 2000
re
3.) Mobile Management, Market Drivers for the Foundation of The Open Group
or
Mobile Management Forum, The Open Group, 2000
th
4.) Secure Wireless E-Commerce with PKI from VeriSign, Verisign Inc.,
Au
https://www.verisign.com/server/rsc/wp/wap/index.html, 2000
2,
00
5.) Comparison of WPKI and SIM Toolkit, Mobile Internet Security, Baltimore
-2
Technologies, 2000
00
20
te
tu
sti
In
NS
SA
©
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.Last Updated: September 24th, 2018
Upcoming Training
SANS Seattle Fall 2018 Seattle, WA Oct 15, 2018 - Oct 20, 2018 Live Event
SANS London October 2018 London, United Oct 15, 2018 - Oct 20, 2018 Live Event
Kingdom
SANS Denver 2018 Denver, CO Oct 15, 2018 - Oct 20, 2018 Live Event
SANS October Singapore 2018 Singapore, Singapore Oct 15, 2018 - Oct 27, 2018 Live Event
Community SANS Ottawa SEC401 Ottawa, ON Oct 15, 2018 - Oct 20, 2018 Community SANS
Community SANS Madrid SEC401 (in Spanish) Madrid, Spain Oct 22, 2018 - Oct 27, 2018 Community SANS
SANS Houston 2018 Houston, TX Oct 29, 2018 - Nov 03, 2018 Live Event
Houston 2018 - SEC401: Security Essentials Bootcamp Style Houston, TX Oct 29, 2018 - Nov 03, 2018 vLive
SANS Gulf Region 2018 Dubai, United Arab Nov 03, 2018 - Nov 15, 2018 Live Event
Emirates
Community SANS Bethesda SEC401 Bethesda, MD Nov 05, 2018 - Nov 10, 2018 Community SANS
SANS London November 2018 London, United Nov 05, 2018 - Nov 10, 2018 Live Event
Kingdom
SANS Sydney 2018 Sydney, Australia Nov 05, 2018 - Nov 17, 2018 Live Event
SANS Dallas Fall 2018 Dallas, TX Nov 05, 2018 - Nov 10, 2018 Live Event
San Diego Fall 2018 - SEC401: Security Essentials Bootcamp San Diego, CA Nov 12, 2018 - Nov 17, 2018 vLive
Style
SANS Osaka 2018 Osaka, Japan Nov 12, 2018 - Nov 17, 2018 Live Event
SANS Mumbai 2018 Mumbai, India Nov 12, 2018 - Nov 17, 2018 Live Event
SANS San Diego Fall 2018 San Diego, CA Nov 12, 2018 - Nov 17, 2018 Live Event
Austin 2018 - SEC401: Security Essentials Bootcamp Style Austin, TX Nov 26, 2018 - Dec 01, 2018 vLive
SANS San Francisco Fall 2018 San Francisco, CA Nov 26, 2018 - Dec 01, 2018 Live Event
SANS Austin 2018 Austin, TX Nov 26, 2018 - Dec 01, 2018 Live Event
SANS Santa Monica 2018 Santa Monica, CA Dec 03, 2018 - Dec 08, 2018 Live Event
SANS Nashville 2018 Nashville, TN Dec 03, 2018 - Dec 08, 2018 Live Event
SANS Frankfurt 2018 Frankfurt, Germany Dec 10, 2018 - Dec 15, 2018 Live Event
SANS Cyber Defense Initiative 2018 Washington, DC Dec 11, 2018 - Dec 18, 2018 Live Event
SANS vLive - SEC401: Security Essentials Bootcamp Style SEC401 - 201812, Dec 11, 2018 - Jan 29, 2019 vLive
Community SANS Burbank SEC401 Burbank, CA Jan 07, 2019 - Jan 12, 2019 Community SANS
Community SANS Toronto SEC401 Toronto, ON Jan 14, 2019 - Jan 19, 2019 Community SANS
SANS Sonoma 2019 Santa Rosa, CA Jan 14, 2019 - Jan 19, 2019 Live Event
SANS Amsterdam January 2019 Amsterdam, Netherlands Jan 14, 2019 - Jan 19, 2019 Live Event
SANS Miami 2019 Miami, FL Jan 21, 2019 - Jan 26, 2019 Live Event
Community SANS Omaha SEC401 Omaha, NE Jan 21, 2019 - Jan 26, 2019 Community SANSYou can also read
