Today communication is the most common and important process happens in every second. Now a days wireless Communication is also taking the place of wired networks. Mobile phones are the main device people use for wireless communication. With this strong presence of wireless networks and mobile phones the business and the life style of people have become much easier and dramatically changed. People can utilize these wireless networks to access the internet through mobile phones. But it is very important for the wireless internet to provide the following functions-Confidentiality and integrity of data, entity authentication, and non-repudiation. In 1997 wireless application forum was developed to improve the standard of wireless community. In the past mobile phones were used only for telephony services but today people use mobile phones as a pocket computer. It is mainly because of the wireless techniques that Internet is available now in mobile phones and people utilize the facilities very efficiently, commerce is now changing into M-commerce and in future Mobile phones will control the communication and business transactions in a commanding way. But it is very important to look in the security of these transactions especially in m-commerce. As the increase in the mobile networks, mobile phones are becoming very much exposed to the internet vulnerable. However, the security infrastructure based on wireless network is not perfect, which greatly restricts the promotion of mobile business.
In order to solve all the security problems in mobiles phones and specially the wireless area, modern technologies like WPKI's are used which is a form of PKI but designed for the wireless networks. The aim of this technology is to make a secure connection between each user end without the chance of any third unwanted signal intervening. But since a mobile technology being inferior compared to a powerful CPU which includes small size LCD, less processing power, and less memory which makes it difficult to implement WPKI. But also taking the fact than general user is not interested in
Binson Thambi - 29031753
Queens University Belfast
the security functionalities and features involved in it make it even harder to make use of this technology.
2.0 Public Key Infrastructure - Overview
Public Key Infrastructure (PKI) also known asymmetric Encryption is a cryptography-based technology used to secure electronic processes and transmissions. It is a process in which data is encrypted with one key and decrypted with another key where the encryption key is the PUBLIC KEY and decryption is the PRIVATE KEY. It is important to ensure that the private key is not determined from the public key.
[1] "PKI is a security platform on to which other applications, system, and network security components are built. This technology is an essential component of an overall security strategy that must work in concert with other security mechanisms, business practices, and risk management efforts. Issues related to the acquisition, recognition, revocation, distribution, and validation of public key is handled by Certification Authorities (CA). CA issue 'Digital Certificates' under the X.509 internet standard and are used in the collaboration of authenticity of a published 'Public' encryption and decryption (Sun Microsystems, 1998)."
PKI supports security mechanisms such as confidentiality, integrity, authentication, and non-repudiation. In order to successfully implement these security mechanisms, it is important to carefully plan an infrastructure to manage them.
There are four basic infrastructure components in PKI:
Certificate Authority (CA) - Issues digital certificates;
Registration Authority (RA) - Checks user's identity to ensure binding is correct
Subscriber - who owns and controls the certificate/private key, and
User - who relies on the certificate to verify the identity of the subscriber
2.0.1 Advantages
The use of digital signatures guarantees data integrity, and the provision for authentication and non-repudiation.
The fact that PKI uses a public key for encryption and private key for decryption and thus public key is only available to the user at the other end of data exchange.
Anybody with access to public key can decrypt a message encrypted with a private key and any message encrypted with a public key can only be decrypted with a private key.
Most importantly PKI provides,
Non-repudiation which is used in application like transactions, where the identity of buyer is bonded and where in he/she cannot later refuse the transaction,
Privacy by means of public key and private key encryption based on public key cryptography,
Integrity which helps to prove that the actual data is not tampered during transit, and finally,
Accountability by verifying the users' identity through digital signatures.
[2] "PKI is cost efficient operation for the deploying organization. It provides protection against impersonation for components that care about authorization. It also provides manageable persistence of signatures and encryption operations."
2.0.2 Disadvantages
PKI technology has slower computing speed as compared to symmetric encryption mainly due to computational complexity.
Also the fact, that secrecy and source authentication is made up of two encryption i.e. private and public key, it is sometimes difficult to prove that the public key is legitimate.
[1] "PKI's lack of transparency in many applications (e.g. e-mail clients) can often mean the use of encryption is bypassed entirely. The fact that many web browsers supporting SSL use digital certificates in an effectually transparent manner shows that this can be done. It would appear that many other implementations are made deliberately obvious."
3.0 General Overview of Wireless - Public Key Infrastructure (WPKI)
[3]"Wireless Public Key Infrastructure (WPKI) is a two-factor authentication scheme using mainly the mobile phone and a laptop. It is mainly promoted by banks, mobile operators, and mobile network manufacturers."
In simple terms it is an optimised extension of PKI for the wireless environment. WPKI Authenticates with certificates and encrypts with public-key cryptography
http://docs.google.com/File?id=dhtxv6v9_19cfqf52p2_b
Figure - WPKI Structure
The Wireless - PKI organizational structure can be divided into following roles:
1. Registration Authority (RA) - manages the user registration, usually acts on behalf of Certification Authority.
2. Certification Authority (CA) - Manages activation, suspension and revoking of certificates.
3. Trust Service Provider (TSP) - acts as a central interface in WPKI infrastructure; main tasks include accepting authentication and signing transaction from service provider, passing requests to mobile operators and certificate and signature validity checks.
4. Service Provider - Third party that is interested in authentication and/or digital signature of the user.
3.0.1 Limitations of Mobile phones and wireless networks
Here we consider the limitations of wireless networks to implement the WPKI to enable the secure communication. In mobile phones and wireless networks many network problems are there such as less bandwidth, less powerful Processing Units, Memory size problems, battery power, small display and input devices. Considering these problems it is very difficult to implement a wired PKI system with mobile phones. Also it is important to implement the properties of PKI such as Key generation, signature, verification and validation in WPKI system. But with a less powerful processing system and small memory it is not possible to use the same PKI structure in mobile phones. Hence we need a new infrastructure with smaller data and smaller module size properties. WPKI is the solution for the problem.
3.0.2 WPKI design objectives:
WPKI provides a secure and trusting trading environment and it is important for security requirements must be met using cryptography, digital certificates [4], as shown below:
Confidentiality of exchanges - Making sure that nobody can interrupt the transferred signal.
Authentication - This certifies the identities of both clients and servers.
Data Integrity - making sure that the signal transferred is not tampered or edited during its journey.
Non-repudiation of transactions - Ensure that transactions are legally binding.
For further understanding in Wireless PKI (WPKI) is contained in [5].
3.0.3 Wireless Protocol
In wireless networks the transport layer security protocol is the Wireless Transport Layer Security (WTLS).The Language uses in wireless networks is wireless markup language script (WMLScript).WTLS is an optimized version of TLS use in wired networks and WMLScript is optimised from HTML. These are designed for securing the communication and transaction in the wireless networks. WTLS provides security on the transport layer between client mobile phone and the WAP server. WLTS provides authentication, confidentiality and data integrity. WTLS is being implemented in different WAP servers. WTLS supports different cryptographic algorithms to secure the connection in the wireless networks.
Authentication :
SHA-1, MD5
Key Exchange
:RSA, DF (Diffie-Hellman), DFEC (Diffie-Hellman
Elliptic Curve)
Encryption
:RC5, DES, 3DEA, IDEA
Table - Cryptography Algorithms used in wireless networks [3]
The architecture of WTLS is divided into 5 parts. One Record Protocol and 4 client protocols in conjunction with the record protocol [5]
Table - Wireless Transport Layer Security Protocols
WTLS has a record protocol. This record protocol is divided into 4 different protocols which are alert, application, Change Cipher and handshake protocols. Record protocol is responsible for the encryption and the transition of data. Also it receives the data and decrypts the data.
There are three types (or WTLS classes) of authentication [8]:
Class 1: Implies Anonymous Authentication, each party cannot be assured of the identity of the other party.
Class 2: Implies Server Authentication, the client is strongly assured of the server's identity (and thus trusts them to send them confidential data such as credit card numbers).
Class 3: Implies both Client and Server Authentication, the client is strongly assured of the server's identity as well as the server is assured of the client's identity.
3.0.4 Possible WPKI Architecture [6]
There are different types of infrastructures used in wireless networks.
Single CA.
Figure - Single Certification Authority
Hierarchical PKI
Figure - Hierarchical PKI
Mesh PKI
Figure - Mesh PKI
Trust Lists
Figure - Trust Lists
Bridge CAs
Figure - Bridge Certification Authority
3.0.5 Applications of WPKI [7]
Mobile Business(M-commerce)
M-commerce is the new version of E-commerce. With the fast development of mobile internet, people can do business with mobile phones at any time. Also mobile phones are usually attached to the individual and the device can provide privacy and people can use it for individual trading in the business world.
Mobile Banking
Another important advantage of WPKI is the Mobile banking services. With the help of WPKI it is possible do banking procedures as electronic money transfer and digital payments. Dynamic passwords are the latest development in the Mobile banking. In this technique we get a new password for every transaction. We request the password before the transactions and the bank will send the password in a encrypted format and user decrypt it with the private key. So the transaction is more secure and robust. But one disadvantage of this technique is the availability of wireless networks.
Internet securities.
With WPKI, we can increase the security level of the communication. Compared to wired networks, it reduces the operating time and improves the efficiency. Also in mobile networks user gets more effective information and point to point security since it uses individual digital certificates.
Information confidentiality.
WPKI can solve the problems with secret data transmission. In Mobile business the exchange of information is real time and frequent. So some information may be very secret. So it is very important to look into the data transfer security. WPKI provides robust security with strong cryptographic algorithms.
4.0 WPKI in mobile phones
4.0.1 Security Framework of WPKI based on WAP [7]
In this framework, WPKI is a foundation for security protocols to implement effectively. It provides a up-scale security by authenticating in a distributed network. Furthermore, it can combine with WTLS to achieve the function of digital signature and authentication. The top layer in this framework being the main entities, of which, the core is WAP gateway server. It works between mobile devices and internet. Main mission is to convert information requirements to HTTP requirements.
http://docs.google.com/File?id=dhtxv6v9_20fwbf9qct_b
Figure - Security Framework of WPKI
4.0.2 Security Mechanisms of WPKI in mobile business [7]
1. Application of Integrity
In WPKI it ensures the integrity of the information being transferred between the sender and receiver.
From the image below, a sender firstly sends a message 'M' into the digital digest 'A' by Hash operation, and then encrypts 'A' into ciphertext 'D(A)' in the private key.
The original message 'M' along with the ciphertext 'D(A)' to the recipient.
After this, the recipient will then use the senders public key to decrypt 'D(A)' which will enable him to obtain the digital digest 'A'.
Then finally, the recipient can then Hash the message 'A' sent by the user into digital digest A'.
Now, by comparing A with A', if the message was found to be different it would prove that the message was tampered with during transfer. Since the integrity of the message cannot be ensured, then no doubt it should be dropped.
http://docs.google.com/File?id=dhtxv6v9_21qkqs3sfh_b
Figure - Security Mechanisms
2. Application of confidentiality
Important public key encryptions are RSA and Elliptic Curve Cryptosystems (ECC). The main being RSA in PKI system while ECC in WPKI [7]. RSA is considered safe once it reaches 1024 but whereas in mobile terminal it will required half a minute at least which is unacceptable so ECC is more susceptible as it uses less computational power and memory resources.
3. Application of Identification
Identification is an important factor in mobile business. In WPKI system, it mainly identifies user's identity in the method of authentication.
4. Application of Non-repudiation
This is mainly achieved mainly by implementing technology of digital signature.
4.0.3 Proposed Design and Implementation of Wireless PKI technology
In this paper [9] they propose a wireless PKI structure shown in below figure.
Figure - Proposed Design for Implementing WPKI in Mobile Phones
In this model they use 1 CA (Certificate Authority) and x.509 certificate as certificate of mobile phones. For the server side of this structure they use X.509 and short lived certificate [OMA].
This model satisfies the following requirements.
Optimal digital signature algorithm to be calculated in mobile phones.
Minimize the data size to be stored in mobile phones and to be transmitted through wireless bandwidth.
Optimize CMP protocol to be processed
Optimize certification validation scheme. [12]
4.0.4 Secure mobile payment
In this [10] it introduces a bridge CA authentication model instead of hierarchical CA architecture to secure the mobile payment through wireless networks. This model is very helpful for business transactions and feasible to implement in the current online trading environment.
In this paper they explain why the current widely adopted Secure Electronic Transfer (SET) is not feasible and propose a new mobile payment model.
Figure - Proposed Bridge CA model
This model overcomes the present weakness of communication between the participants in the M-commerce and improves the scalability and robustness.
4.0.5 E-commerce security model based on WPKI
In this [11] it introduces a new WPKI enabled model to improve the E-commerce.
This system is used for the security transaction services for the customers of the bank or any other business industry. With this system customers can check the balance, history and also can make money transfers from one account to another with a very high security.
The following figure shows the architecture of the system.
Figure - Proposed WPKI enabled model to improve the e-commerce
4.0.6 WPKI Mobile E-commerce security system designs [8]
The following step explains security transmission for data in mobile phones using WPKI is shown below:
Firstly, the terminal encrypts data message MO to get M1 with the public key PA of the application server, further then encrypts M1 with the key Ke1 which gets M2 and sent to WAP gateway.
Here, WAP gateway decrypts the message M2 with Ke1 and gets the encrypted file M1.
After, the WAP gateway again encrypts M1 by TLS/SSL's key Ke2 and gets M3, then sends it to the application server.
Similarly, application server decrypts M3 with Ke2 and gets M1, then decrypts M1 with its own private key dA and gets clear text M0.
4.0.7 Mobile Banking using WPKI [12]
This explains how WPKI technology is used in Mobile Banking in order to make it secure.
Most banks, setup a WAP site using Wireless Markup Language (WML) pages which contain functions embedded in the code which then makes the customer/user to digitally sign the content and requiring the use of the public key and private key.
The following explains the procedures:
Customer goes to the website, fills in the details on the electronic form which will then direct me to click on a button associated with the signing function. After this button is submitted by the customer it initiates the transaction signing process.
Now, the customer will get prompted to 'Enter PIN'. This PIN will help in unlocking the Private Key which is typically stored in the mobiles Wireless Identity Module (WIM), and used to sign the form. Once the form is digitally signed it is sent back to the server for authenticity and integrity. In order to check this bank retrieves a certificate issued by a trusted third party Certificate Authority (CA).
After the verification of the signature, the bank then processes the transaction and sends a message back to the user for confirmation of the exchange.
5.0 Conclusion
The solution for the secure wireless communication will be WPKI. The importance of secure communication is increasing and people always look into make things easier than ever before. WPKI is the key technology to get the answer for these secure communication problems. This technology is very simple and the implementation cost is economic. Mobile phones are going to be the preferred medium for the communication and the data transfer in future and it is very important to make sure that the security of the communication is robust and confidentiality of the system. Now too many applications have been built for mobile phones and the percentage of mobile users are increasing day by day. However the infrastructure can be improved with other solution like biometrics for user identification. WPKI in mobile phones will accomplish all the possibilities of strong secure communication and the wide internet applications in future.
