Webmaster's Guide to the Wireless Internet part 50 pps


Chapter 10 • Securing Your Wireless Web

to take to provide an appropriate degree of security; bear in mind that the more secure the solution is, the less accessible information is to legitimate users.

Security Models of the Wireless Web

- There are two basic models for wireless security: point-to-point and end-to-end. Point-to-point security means that information is protected at each leg of the journey by the appropriate security technologies for that part of the communication. End-to-end security means that a single security technology is at work all the way from the end device to the application regardless of the various networks that the communication may traverse.
- Point-to-point security is only as strong as the weakest link.
- With end-to-end security, there are several different PKI technologies supported only in specific mobile devices, browsers and applications.
- Point-to-point and end-to-end security solutions both involve some form of cryptography.
- SSL uses several well-defined encryption ciphers including RC5, the Data Encryption Standard (DES), 3DES and the International Data Encryption Algorithm (IDEA).

WTLS and Point-to-Point Security Models

- The most important technology in the point-to-point security model is WTLS. WTLS is the WAP equivalent of SSL, and it provides encryption between wireless browsers and WAP gateways.
- The most standard form of WTLS (WTLS Class I) is designed to work together with SSL so that WTLS operates on the wireless network side of the WAP gateway and SSL operates on the Internet side. WTLS and SSL together ensure that information is encrypted from point to point all the way from a wireless browser to a Web server.
- The three main components of WTLS are the handshaking protocol that provides for key exchange, a record structure for encrypted information, and the Wireless Identity Module (WIM).
- WAP gateways decrypt WTLS communication and then re-encrypt the communication using SSL. This means that inside the WAP gateway the information is at one point unencrypted. It is possible, at least in theory, for the WAP gateway to malfunction and establish unencrypted Hypertext Transfer Protocol (HTTP) communication rather than using SSL. This flaw is referred to as the WAP gap.
- The seven layers of point-to-point security are Embedded Security Technology, Secure Air-Connect Technologies, Mobile Operator Network Security, Secure Mobile Operator Gateways, Authentication, Data Center and Network Security, and Secure Application Interfaces.
- Although a point-to-point security model sounds reasonable, it is a fundamentally flawed and limited approach. Whenever data is unencrypted it is vulnerable.

PKI Technology and End-to-End Security Models

- In contrast to the point-to-point security model of WTLS, PKI security provides end-to-end security by deploying digital certificates to client applications such as wireless browsers.
- There is no dominant standard for wireless digital certificates and PKI technologies. The lack of standards also limits geographical coverage.
- To deploy a PKI, you have to first select a wireless PKI technology and a vendor. The technology and vendor you select depends on the application and on the wireless browser and devices that you wish to deploy.
- Every organization that deploys a PKI must decide what Certificate Authority (CA) to use.
- The most powerful handheld mobile devices with the most capacity, flexibility, and readily available security technologies are Personal Digital Assistants (PDAs), not phones. In the future, the problems of PKI security will be eased by the introduction of new networks, such as General Packet Radio Service (GPRS), and of new mobile phones either with built-in support for digital certificates or flexible software configurations similar to today's PDAs.

The Future of Security on the Wireless Web

- The future of wireless security lies in its convergence with Internet and Web security.
- There will hopefully be further standardization on wireless browsers and a single dominant PKI standard—there should also be a standard means of installing digital certificates and of managing wireless PKIs.
- Many of the issues that are seen as challenging today will be resolved when 2.5G and 3G networks replace the current wireless infrastructure on a large scale. 3G networks and the devices that will run on them will provide better and more manageable security because they will support end-to-end SSL and installable software through technologies such as Java 2 Micro Edition (J2ME).

Frequently Asked Questions

The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the "Ask the Author" form.

Q: Is the wireless Web as secure as the Internet?
A: Not currently. However, 2.5G and 3G networks will eventually offer equivalent security. Wireless PKIs can be considered as secure as SSL over the Internet, but they are not yet widely deployed.

Q: What's the most important factor in wireless security?
A: Users. Users need to be careful with their mobile devices, follow security guidelines put forth by IT organizations, and be discreet in their communications. No technology can protect information against careless users.

Q: Why does wireless security seem more complex than security on the Internet?
A: Because it is more complex. Challenges such as limited device horsepower are exacerbated by a lack of standards on more than one level and by competing commercial interests.

Q: What are the main security concerns for mobile applications?
A: The main issues are unencrypted communication over the public Internet, the security risks facing wireless ASPs, and standardisation of WAP security models.

Q: What's the difference between public key and secret key cryptography?
A: In public key cryptography, users have two keys: one that is public (to encrypt data) and one that is private and known only to the user (to decrypt data). In secret key cryptography users have a single key known both to them and to the party with whom they are communicating.

Q: Why are so-called point-to-point security models bad?
A: A point-to-point security model is where the best available security technology is used for each part of the communication. The problem is that wherever there is a change in security technology the data must be unencrypted. At that point the data are potentially vulnerable. The more hops there are from point A to point B, the greater the overall risk.

Q: Are wireless PDAs more secure than WAP phones?
A: Yes. PDAs are more configurable and manageable for IT. PDAs can be easily upgraded to support new browsers, and PKIs can currently be deployed on PDAs with relative ease compared with phones.

Q: What's the best way to make sure that my wireless Web is secure?
A: Deploy SSL on your servers and support only SSL connections. Standardize on devices and browsers if possible and consider a standard wireless PDA configuration.
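The point-to-point and end-to-end models summarized above, as an added example that is not from the book: it shows which party holds plaintext in each model, including the case where the gateway falls back to plain HTTP. A toy authenticated stream cipher built from HMAC-SHA256 stands in for WTLS, SSL and a PKI-protected channel; the function names, keys and sample request are assumptions made for illustration.

```python
import hashlib
import hmac
import os

def _sub(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy keystream (HMAC-SHA256 in counter mode), standing in for a real cipher.
    out, ctr = b"", 0
    while len(out) < n:
        out += _sub(key, nonce + ctr.to_bytes(4, "big"))
        ctr += 1
    return out[:n]

def seal(key: bytes, msg: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(msg, _stream(_sub(key, b"enc"), nonce, len(msg))))
    return nonce + ct + _sub(_sub(key, b"mac"), nonce + ct)

def unseal(key: bytes, blob: bytes):
    # Returns the plaintext, or None when this key cannot authenticate the blob.
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _sub(_sub(key, b"mac"), nonce + ct)):
        return None
    return bytes(a ^ b for a, b in zip(ct, _stream(_sub(key, b"enc"), nonce, len(ct))))

def point_to_point(msg: bytes, wtls_key: bytes, ssl_key):
    # Handset -> gateway under the "WTLS" key, gateway -> server under the "SSL" key.
    # ssl_key=None models the gateway falling back to plain HTTP.
    air = seal(wtls_key, msg)
    at_gateway = unseal(wtls_key, air)  # must decrypt to change protocols
    wire = seal(ssl_key, at_gateway) if ssl_key else at_gateway
    at_server = unseal(ssl_key, wire) if ssl_key else wire
    return {"gateway": at_gateway, "internet_wire": wire, "server": at_server}

def end_to_end(msg: bytes, e2e_key: bytes, gateway_key: bytes):
    # Handset and server share e2e_key; the gateway relays bytes it cannot open.
    blob = seal(e2e_key, msg)
    return {"gateway": unseal(gateway_key, blob), "internet_wire": blob,
            "server": unseal(e2e_key, blob)}

if __name__ == "__main__":
    msg = b"acct=1234&pin=0000"  # constructed sample request
    k_wtls, k_ssl, k_e2e = os.urandom(32), os.urandom(32), os.urandom(32)
    print("gateway sees (point-to-point):", point_to_point(msg, k_wtls, k_ssl)["gateway"])
    print("wire after HTTP fallback:", point_to_point(msg, k_wtls, None)["internet_wire"])
    print("gateway sees (end-to-end):", end_to_end(msg, k_e2e, k_wtls)["gateway"])
```

In the point-to-point run the gateway entry is the full request even though both legs are encrypted, which is the exposure the chapter calls the WAP gap.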
Appendix: Webmaster's Guide to the Wireless Internet Fast Track

This Appendix will provide you with a quick, yet comprehensive, review of the most important concepts covered in this book.

❖ Chapter 1: Moving from the Web to Wireless

Explaining Wireless

- The emphasis on mobility is one of the defining characteristics of this new wireless paradigm, and from a Webmaster's point of view this mobility, not simply the lack of wires, is likely to be the most important aspect you have to deal with.
- Low bandwidth, differing standards, multiple network carriers, and a multitude of radically different devices mean that the job of the wireless Webmaster just got immensely more complicated.

Types of Wireless Connectivity

- The Wireless Application Protocol (WAP) is the first widely available method of accessing Internet content from a mobile device. WAP gateways enable legacy browsers to understand WML content. However, due to differences in the WAP gateway configuration, and the particular microbrowser installed on the handset, a WAP page may display differently on different handsets.
- With Short Message Service (SMS), users can send short text messages to each other at a fraction of the cost of a voice call. SMS can also be used to send configuration settings to your phone. SMS is a huge success in Europe, and it is gradually becoming available on U.S. wireless phone plans, although in a limited fashion.
- Japan's NTT DoCoMo mobile data service i-Mode offers users the ability to browse a huge range of Web sites with cheap, full-color handsets that maintain an always-on connection to the Internet. It could possibly become an alternative to WAP but currently is in use only in Japan.
- The European wireless standard, Global System for Mobile Communications (GSM), is available on a limited basis in the US. The General Packet Radio System (GPRS) will soon offer higher data speeds and an always-on connection worldwide; it is already available in some European countries, and on a trial basis in a few U.S. cities.
- A recent option for wireless connectivity in the U.S. is Cellular Digital Packet Data (CDPD), a packet-switched network that is an always-on connection. The major drawback of CDPD is limited availability.
- The 802.11b standard has found ready acceptance as a short-range radio replacement for traditional Ethernet connections. Bluetooth is another short-range wireless standard.

Evolving Mobile Devices

- The three main categories of mobile devices, mobile phones, PDAs, and laptop computers, are differentiated by connectivity, screen size, memory, and processing power.
- Data-capable phones use the WAP protocol, and content needs to be coded in Wireless Markup Language (WML). They have minimal requirements for memory and processing power. A mobile phone never communicates directly with your Web server; there is always a WAP gateway acting on its behalf (the gateway may alter the content somewhat on its way through).
- The market for Personal Digital Assistants (PDAs) is split mainly between those running the Palm operating system from both Palm, Inc. and its licensees, and devices based on Microsoft's Pocket PC or Windows CE. One feature of Pocket PCs that's especially relevant to wireless is that most come with an industry-standard expansion slot, either CF or PCMCIA Type II.
- PDAs come in a wide range of configurations of connectivity, screen size, memory, and processing power.
- Several manufacturers have begun shipping laptops with built-in wireless LAN (802.11b) cards, with antennas integrated into the casing. These same manufacturers will soon begin offering Bluetooth-equipped laptops. However, with larger screens, keyboards, and more memory and storage, Handheld PCs are beginning to offer a viable alternative to bulky laptops.
- Also, several devices are available that seek to combine aspects of each category—a mobile phone with an integrated Palm screen, PDAs that can be used as phones, and laptop-size devices without keyboards that you use by writing directly on the screen.

Something Old, Something New

- TCP/IP has been able to adapt and grow with the increasing demands of the Internet; both the Palm and Pocket PC use the same HTTP to communicate with your content server; and HTML has also proven to be extremely adaptable and long-lasting. Another Web concept that has been maintained in the wireless realm is the browser.
- WAP provides for a mapping between all layers of HTTP and the corresponding layers of WAP. This translation is performed transparently by the WAP gateway, so as a Webmaster you really don't have to worry too much about it.
- Microbrowsers installed on mobile phones tend to be proprietary to the handset manufacturer and impossible to change, but in the future it's likely that they will coalesce around a common standard, and be user-changeable.

Moving from a Wired to a Wireless Internet

- The new wireless medium requires a change in perspective from a large-screen desktop browser to a small mobile device with limited user-interaction mechanisms and, for now, a slow wireless connection.
- Probably the main adjustment Webmasters will need to make to the wireless Web is to realize that users of mobile devices need quick access to relevant information only.
- You'll need to test and verify your code on a variety of handsets, through as many carrier gateways as you can. Similarly, Web Clipping applications can look quite different depending on the transcoding proxy server used. On Pocket Internet Explorer, you'll need to test how your content looks with the different view settings and different user preferences.
- The best way to deal with differing browser capabilities, and build a truly scalable Web site publishing system, is to completely separate content from presentation.

❖ Chapter 2: Wireless Architecture

Components of a Wireless Network

- You can use your existing Web server to provide WAP services with only minor configuration changes.
- WAP introduces a gateway between your server and the WAP browser. The gateway helps the limited memory, low bandwidth device browse the Internet by validating WML files and compiling them for quicker transmittal.

Adjusting the Metaphor for the Wireless Internet

- Just as the Web required a different approach than print publishing, the wireless Internet requires a different approach than the Web. The capabilities of the mobile device are quite different from those of a desktop computer.
- The mobile user is, by definition, on the move and will not tolerate difficult-to-navigate sites or extra fluff that just gets in the way of helping her find what she is looking for.
- Your Web site and WAP site should work together to provide an experience that never inconveniences the user. Long signup forms and surveys should be reserved for the Web site, and the WAP site should help the user find the information he is looking for as quickly as possible.

Accepting the Challenge of WAP-Enabled Devices

- The form factor and capabilities of WAP devices can vary greatly—ranging from pocket-sized to handheld, and possibly to the size of a large-screen television.
- Some components are in place to help you determine device capabilities as they hit your site. These are not pervasive yet, but may be in the near future.
- Testing is important. Each device has its own peculiar set of "features" that make it behave differently from every other browser.

Date posted: 04/07/2014
