Webmaster's Guide to the Wireless Internet, part 48

442 Chapter 10 • Securing Your Wireless Web
WTLS and Point-to-Point Security Models
The term point-to-point security describes an approach where information is protected at each leg of the journey from a user to a Web server by the appropriate security technology for each part of the communication. As we have seen, this approach has inherent weaknesses at the points where the security methods
www.syngress.com
cyclic redundancy check (CRC) algorithm, which represents the integrity of information as a number.

Privacy Privacy means that information communicated between two people or computers is inscrutable to third parties. Encrypting information so that only the sender and recipient understand it ensures privacy.

Public Key In public-key cryptography the sender and recipient each get two keys: a private key and a public key. The public key is made accessible while the private key remains secret. The sender of a message encrypts the information using the recipient's public key, but the information can only be decrypted using the recipient's private key.

Secret Key In secret key cryptography the sender and recipient use the same method of encrypting and decrypting information. A shared piece of information or secret known only to a message's sender and recipient can be used to encrypt and decrypt the message. This is known as secret key or symmetric cryptography.

Trojan A program that appears to be legitimate but is designed to have destructive effects on the programs and data of the computer onto which the Trojan program has been loaded.

Virus A program that replicates itself by infecting other programs. Viruses are typically programmed to append their executable code to other programs, resulting in their propagation.

Worm A malicious program that replicates itself over a network and that typically fills all of the storage space or network capacity. Worms typically exploit a specific vulnerability, such as a buffer overflow in a particular network application, in order to execute their own code on remote machines.
159_wg_wi_10 10/22/01 5:47 PM Page 442
change between legs of the data's journey. The most important technology in the point-to-point security model is WTLS. WTLS is the equivalent of SSL for WAP, and it provides encryption between wireless browsers and WAP gateways. The most standard form of WTLS (WTLS Class I) is designed to work together with SSL so that WTLS operates on the wireless network side of the WAP gateway and SSL operates on the Internet side. WTLS and SSL together ensure that information is encrypted from point to point all the way from a wireless browser to a Web server (see Figure 10.4).
How WTLS Works
WTLS is the part of the WAP specification designed to ensure the privacy, authenticity, and integrity of communication. Communications traffic in the air may also be encrypted depending on the wireless network and air-connect technology but, like WTLS, this does not provide true end-to-end encryption.
The three main components of WTLS are: (1) the handshaking protocol that provides for key exchange; (2) a record structure for encrypted information; and (3) the Wireless Identity Module (WIM). The handshaking protocol is used when a client and server (a WAP gateway) initiate a session. During the handshaking
Figure 10.4 Point-to-Point Security Model (figure): WAP Phone -> Wireless Network -> WAP Gateway -> Internet -> Web Server. WTLS works between devices and WAP gateways; SSL works between WAP gateways and Web servers.
process, the client lists supported cryptographic and key exchange methods, and the server chooses a preferred method. After authenticating each other, the client and server select a protocol version and cipher. WTLS borrows from the SSL standard and supports the RC5, DES, 3DES and IDEA ciphers, although the DES and 3DES ciphers are the more typically used. Three key exchange methods are supported, including RSA, Diffie-Hellman, and Elliptic Curve Diffie-Hellman, with the RSA method being the most commonly used. WTLS also provides a way for keys to be exchanged anonymously based on the server's public key. When authenticating anonymously, the client encrypts a secret key using the server's public key and sends a Client Key Exchange message. The record structure of WTLS provides a mechanism for the data's privacy and integrity to be checked, and the WIM is the core software logic that performs all of the actual cryptography, including handshaking, authentication, and encryption.
WTLS Classes
The version 2.0 WAP specification incorporates three classes of WTLS security, offering successively stronger levels of security. WTLS Class I only provides encryption between the wireless browser and the WAP gateway, after which the gateway is responsible for the data's security. WTLS Class II is a close analog of SSL on the Internet because it allows SSL-like encryption directly between wireless browsers and Web servers. WTLS Class III provides a framework for PKI security.
The WAP Gap
Mobile devices using WAP do not connect directly to Web sites or applications, nor do they directly support the HTTP protocol or SSL. In effect, WAP gateways act like proxy servers for mobile devices. A gateway translates one kind of communication to another kind. In this case a WAP gateway translates communication from the WAP protocol to HTTP over the Internet. When a WAP gateway relays a request to a Web server on behalf of a mobile device, it uses the WAP protocol to communicate with the device and HTTP to communicate with the Web server. Like Web browsers, WAP gateways support SSL, which is the standard method of encrypting HTTP communications. SSL is normally used between Web browsers and Web servers. Communication between a mobile device and a WAP gateway is secured using WTLS, and communication between the WAP gateway and Web servers is secured using SSL. WAP gateways decrypt WTLS communication and then re-encrypt the communication using SSL. This means that inside the WAP gateway, the information is unencrypted at one point. It is theoretically possible for
the WAP gateway to malfunction and establish unencrypted HTTP communication rather than using SSL. This flaw is referred to as the WAP gap (see Figure 10.5) and it is the ideal point for a man-in-the-middle attack.
How Likely is a WAP Gateway Compromise?
WTLS Class I is the most widely deployed security standard on the wireless Web for WAP devices (there are currently many more DoCoMo i-mode devices in use). WTLS Class I communication is theoretically flawed because it is possible, however improbable, that a mobile operator's WAP gateway can be compromised or that it might not initiate SSL connections over the Internet. However, what is more important to you as a wireless Webmaster is that the software and configuration of the mobile operator's WAP gateway and the security of the WAP gateway itself are totally outside your control; you have no way of knowing if one or more of these machines has been compromised or if you are being victimized by a man-in-the-middle attack. Experts disagree about how serious the WAP gap really is or whether it can be successfully exploited. However, the fact that the WAP gap exists means that the design of WTLS Class I, and of the wireless Web today, is imperfect at best.
Figure 10.5 The WAP Gap (figure): WAP Phone -> Wireless Network -> WAP Gateway -> Internet -> Web Server. WTLS works between devices and WAP gateways; between the WAP gateway and the Web server the HTTP communication is potentially unencrypted. The "WAP Gap" is between WTLS and SSL.
SECURITY ALERT
There are two methods of testing SSL between a WAP gateway and a Web server or Web-based application. The first is to directly enter an HTTPS Universal Resource Locator (URL) on the device and see if the WAP gateway successfully connects. The more secure method is to restrict all communications to SSL (TCP/IP port 443). Enforcing SSL at the Web server is the best way to guarantee that information is secure.
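The alert's second method, enforcing SSL at the Web server, as an added example that is not the book's own code: a Python WSGI middleware that refuses to serve application content over plain HTTP, so a gateway that falls into the WAP gap cannot reach the application unencrypted. The host name, paths and request environments are constructed for illustration.

```python
from urllib.parse import quote

# Constructed for this example: hosts the TLS listener is known to serve.  The
# redirect target is built from an allowed host only, never from an arbitrary
# client-supplied Host header (which would turn the redirect into an open one).
ALLOWED_HOSTS = {"wap.example.com"}


def is_tls(environ):
    """True when the request arrived on the server's own TLS listener.

    Only variables set by the TLS-terminating server are trusted.  A gateway-
    supplied X-Forwarded-Proto header is deliberately ignored: a gateway that
    fell into the WAP gap could still send it over a plain HTTP connection.
    """
    return environ.get("wsgi.url_scheme") == "https" or environ.get("HTTPS") in ("on", "1")


def https_location(environ):
    """Rebuild the request URL with an https scheme (no port, so 443 is implied)."""
    host = (environ.get("HTTP_HOST") or environ.get("SERVER_NAME", "")).split(":", 1)[0]
    if host not in ALLOWED_HOSTS:
        host = sorted(ALLOWED_HOSTS)[0]
    path = quote(environ.get("SCRIPT_NAME", "") + (environ.get("PATH_INFO") or "/"))
    query = environ.get("QUERY_STRING", "")
    return f"https://{host}{path}" + (f"?{query}" if query else "")


def require_tls(app):
    """Wrap a WSGI application so that it is only reachable over TLS."""
    def wrapped(environ, start_response):
        if is_tls(environ):
            return app(environ, start_response)
        method = environ.get("REQUEST_METHOD", "GET").upper()
        if method in ("GET", "HEAD"):
            # Safe request: send the client (or gateway) to the TLS listener.
            start_response("301 Moved Permanently",
                           [("Location", https_location(environ)),
                            ("Content-Type", "text/plain")])
            return [b"Use HTTPS\n"]
        # A request with a body has already crossed the WAP gap in the clear.
        # Redirecting it would not undo that exposure, so refuse it outright
        # and never let the application act on the data.
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"TLS required\n"]
    return wrapped


def hello_app(environ, start_response):
    """Stand-in for the wireless Web application."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello\n"]


def call(app, environ):
    """Invoke a WSGI app in-process and return (status, headers, body)."""
    seen = {}

    def start_response(status, headers, exc_info=None):
        seen["status"], seen["headers"] = status, dict(headers)
    body = b"".join(app(environ, start_response))
    return seen["status"], seen["headers"], body


secure_app = require_tls(hello_app)
```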
The Seven Layers of Point-to-Point Security
Point-to-point security can be broken down into seven layers, corresponding to the steps in the communication path between mobile devices and Web servers or applications. Despite concerns like the WAP gap and mistrust of WASPs, these seven security layers provide practical assurance that applications and transactions are reasonably secure. For most organizations, content and information such as e-mail that are made available through wireless devices are adequately served by a point-to-point security model. This is only because the security requirements are low. For banking solutions such as consumer banking and mobile credit card applications, point-to-point security as it exists today (primarily using WTLS Class I security) is not acceptable. Nonetheless, in the fierce competition to reach the wireless market first, even a theoretically flawed security solution may pose an acceptable risk when balanced with other business considerations. Device limitations and the lack of common global standards mean that relatively high levels of security cannot be widely deployed today. Point-to-point security forms the only real alternative because it can be widely deployed. The seven layers of point-to-point security are:
1. Embedded Security Technology
2. Secure Air-Connect Technologies
3. Mobile Operator Network Security
4. Secure Mobile Operator Gateways
5. Authentication
6. Data Center and Network Security
7. Secure Application Interfaces
Embedded Security Technology
The first layer of defense in a computer system is always the end terminal. Physical access to the device must be controlled. If the device is a phone, it will often have a lock code or password feature that prevents it from being used unless a code is entered. PDAs such as Palm OS devices have password and lock features to prevent unauthorized access in the event that the device is lost or stolen. Notebook computers have the same capabilities either as a Basic Input/Output System (BIOS) feature or built in to the operating system. In order to be effective, all of these features require configuration. As a wireless Webmaster, it is up to you to set security policies and to define standard configurations for the devices used to access your network and servers. Unlike desktop workstations, you have to expect that mobile devices will inevitably be lost or stolen. Guidelines covering what and how to communicate can protect confidential information when all else fails. Security policies are your final line of defense: users must be told what can be communicated through mobile devices and what can be stored on mobile devices such as PDAs. Users should be advised to treat their wireless communications in the same way they would a private conversation with a coworker in a public place.
Developing & Deploying…
Security Policies
An excellent example of security guidelines comes from the world of investment banking, where security is of supreme importance because of the ramifications for transactions. Unlike most corporate users, investment banking professionals are keenly aware of security issues and that the ultimate responsibility for confidentiality rests upon the bankers themselves.
Investment banking professionals must observe a strict standard and adhere to protocols that ensure the highest level of confidentiality possible. They must always use caution when discussing business, particularly in a public place such as an airport, elevator, or restaurant. As with products that are not yet announced in other industries, investment bankers often use code names for their projects and clients even in internal discussions.
Continued
Mobile Operator Network Security
WTLS extends security beyond the inherent air-connect security, across the entire mobile operator network, right to the edge of the Internet at the WAP gateway. Once traffic leaves the WAP gateway it is no longer secured by the air-connect technology, WTLS, or the network operator's internal network security. At the same time, users may roam to areas where they do not have the same coverage or may use a less secure air-connect technology like the analog AMPS system. The security technologies implemented in air interfaces such as CDMA are designed to protect the network and subscribers from misuse such as stolen phone numbers or unauthorized network use. Security of the air interface itself and the mobile operator's network enhances the security of wireless data services such as WAP browsing, but these measures were designed to protect the network rather than data communications.
Secure Mobile Operator Gateways
The WAP gap and the potential for man-in-the-middle attacks mean that the security of mobile operator WAP gateways is critical. Inside the WAP gateway, information encrypted through WTLS Class I security is decrypted and then re-encrypted using SSL. The information is vulnerable at that point; as a wireless Webmaster you have no control of the mobile operator's WAP gateway and no way of knowing if one or more of these machines has been compromised. For organizations buying network service from a carrier, it is reasonable to request a description of network security as would normally be provided by an Internet service provider. The only way to be certain that WAP gateway security is not an unmanaged risk is not to depend on it, relying instead on end-to-end SSL or PKI security.
Authentication
Exposing applications and information on the Web means providing more than one line of defense against unauthorized access and malicious hacking. The simplest strategy is to support a single authentication standard such as Remote
When using mobile devices to communicate, investment banking professionals must rely first and foremost upon the established best practices within their field and observe the same precautions they would when sending e-mail outside the company or when traveling. Regardless of the security technology used, any communication technology is only as secure as the policies and practices observed by users.
Authentication Dial-In User Service (RADIUS) or Lightweight Directory Access Protocol (LDAP)-based user ID/password authentication. Technologies such as SecurID can easily be added to wireless applications but are cumbersome for users because of the constraints of entering information quickly using a mobile phone or wireless PDA.
SECURITY ALERT
As with local area network (LAN) or host access user IDs and passwords, wireless user IDs and passwords should follow standard guidelines for length and composition. Users may wish to simplify their passwords to make wireless applications more usable, but as a wireless Webmaster you must consider that cracking will be done over the Internet and not from mobile devices. Weak passwords can be quickly broken, and this is especially true for numeric personal identification number (PIN)-based passwords, which are the easiest passwords to enter on a phone.
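An added example, not from the book, of the guideline this alert describes: a Python password check that enforces length and composition, rejects numeric-only PINs, and estimates the worst-case time an Internet-side guesser needs to exhaust the keyspace. The policy thresholds and the guess rate are constructed assumptions.

```python
import math
import string

# Constructed policy values (not from the book): the minimum length and the
# minimum number of character classes a wireless password must contain.
MIN_LENGTH = 8
MIN_CLASSES = 3

CLASSES = {
    "digit": set(string.digits),
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "symbol": set(string.punctuation),
}


def classes_used(password):
    """Names of the character classes that actually appear in the password."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def keyspace_bits(password):
    """log2 of the search space a guesser faces, given the classes present.

    This is an upper bound on strength: it assumes the attacker has to try every
    combination drawn from the classes the password uses.  A 4-digit PIN gives
    about 13 bits (10,000 guesses); the same length in mixed characters gives
    far more, which is why numeric PINs fall first to Internet-side guessing.
    """
    alphabet = sum(len(CLASSES[name]) for name in classes_used(password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def guess_seconds(password, guesses_per_second):
    """Worst-case seconds to exhaust the keyspace at the given online guess rate."""
    return 2 ** keyspace_bits(password) / guesses_per_second


def check_password(password):
    """Return the list of policy violations; an empty list means it passes."""
    problems = []
    used = classes_used(password)
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if used == {"digit"}:
        problems.append("numeric-only PIN: trivially enumerable over the Internet")
    elif len(used) < MIN_CLASSES:
        problems.append(f"uses {len(used)} character class(es), need {MIN_CLASSES}")
    return problems
```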
Data Center and Network Security
If you are using a WASP you must make sure that the WASP data center facility is secure. This means physical security, security policies, operational methodology and procedures, and tools to detect and protect against intrusion attempts. Your WASP should be able to clearly articulate their security architecture and practices including:
1. Secure Data Center Design
2. Customer Network Isolation
3. Secure Router Configurations
4. VPNs and Private Pipes
5. Secure Methodology
6. Security Management
7. Security Auditing
Secure Data Center Design

A secure data center design involves a physical network architecture (see Figure 10.6) that isolates servers and customer information from access over the Internet. This is commonly accomplished through a double firewall scheme where Internet-accessible servers are separated from other machines, and where access to machines through a second firewall is restricted in any of several ways, such as being limited to a particular network address and application.
Customer Network Isolation
Isolating customer networks means that firewalls are configured to compartmentalize each customer's servers and data. This mitigates the risk that another customer's application might receive secure information if it were unencrypted for any reason within the service provider's network.
Figure 10.6 Typical Secure Data Center Network Design (figure): Internet -> Router -> External Firewall -> DMZ Network (Load Balancer, VPN Server, Wireless Application / Front-end Web Server) -> Internal Firewall -> Data Center Network (Back-End Applications, Content Sources such as Database Servers).
Secure Router Configurations
Like any service provider, a WASP must have secure network router and device configurations. This means that devices are properly configured following well-defined security guidelines. The best way to ensure that your WASP's network router configurations are secure is through an independent audit.
VPNs and Private Pipes
Availability of Virtual Private Network technology or private network connections ("private pipes") is an important consideration. A VPN acts like a conduit over the Internet. Information passing through the conduit is encrypted, but the encryption is transparent to applications on either end of the connection. VPNs allow information to be passed over the Internet with no practical risk of a compromise. Another method involves establishing private network connections between the WASP data center and customer networks. This approach is more costly than a VPN, but is also theoretically more secure since it bypasses the Internet completely.
Secure Methodology
Secure deployment methodologies and remote administration protocols such as SSH are necessary to ensure that there is no exposure of secure information or systems at any point, even when new system components are being deployed. Secure methodology can include administration procedures and tools so that only authorized personnel can perform administrative tasks. Secure methodology guards against accidental exposure and malicious activity within the WASP's network.
Security Management
Designing and deploying a secure system does not mean that it will remain secure indefinitely. Security flaws in software applications and computer or network router operating systems are discovered and corrected over time. Monitoring and timely deployment of security patches will correct known vulnerabilities, and all service providers should have clear procedures for accomplishing this on an ongoing basis.
Security Auditing
You should negotiate independent auditing as a term of your contract with a WASP. A WASP will not give you direct access to their network, firewalls, or routers, therefore you must rely on their self-report or obtain the contractual right