VPNs and WAP.

Robert Moskowitz rgm at ICSA.NET
Thu Jul 20 13:23:38 EDT 2000


At 09:18 AM 7/20/2000 -0500, Jason Zann wrote:

My latest conversation with Baltimore people is that they have only gotten
the WAP people to put the URL for the cert and private key location (on the
WAP server) in the phones.  The phones, it seems, do not have the oomph to
do public key operations on the phones.  At least not the ones out
today.  Stephen Farrel showed me the smart card in his phone and said all
it had was the URL in it.  No certs.

So this limits WAP usage of security significantly for the current
generation of phones.

:(

>I have been hunting down WAP security issues for the past 6 months or so and
>I have one issue that I am finding nearly impossible to get a straight
>answer about. I realize that my question is on the edge of what this mailing
>list is designed for, but nonetheless, I feel it to be very important
>(read: please bear with me).
>
>Background:
>As many applications and functions race to have their data more and more
>available, the obvious outlet seems to be WAP-enabled devices (PDAs,
>digital phones, and the like). As far as information-based transfers
>(stock quotes, buying prices, and so on) I really am not worried. Now with
>personal / corporate information (emails, financial information, ...) I am
>finding difficulty understanding how the integrity of this information is
>handled. I feel confident in the fact that from the personal device to the
>'mobile network' (SprintPCS, palmnet, etc.) the information is secure from
>the personal device to the network (that is secure from the proverbial
>hacker, but not SprintPCS or palmnet for obvious reasons, namely because
>they 'own' the network!). I am still in question as to what is available to
>protect sensitive information that travels out of the 'secure network of PCS
>or palmnet' to individual corporate WAP gateways. It would seem to me that
>this would be an opportune place (between PCS / palmnet and the WAP gateway)
>for an attacker to sit and intercept all information that is being
>transmitted.
>
>Wireless browsers in the US (to the best of my knowledge) cannot support
>digital certificates because of the size of an x.509v3 cert. I would view
>this as the easiest course of action to solve my dilemma (I am using the
>logic that browsers have SSL, and the equivalent needs to be available in
>the mobile world). I know that Ericsson recalled tens of thousands of phones
>in Europe to actually put certs on them; but, I never fully heard what the
>reason / result was. I also know that Baltimore is supposed to be a market
>leader with their WTLS developments, but once again, I have been unable to
>generate any answers as to how this will solve my issue. An RSA logo comes
>up on some PCS phones when they are powered up, but no information is
>provided for what RSA is doing for PCS (I am referring to the technical
>side, not the market blitz).
>
>With no further introduction, here is my question... What, if anything, is
>available for end-to-end security (integrity of the data being transferred)
>from a PDA / digital phone to a WAP gateway?
>
>
>Zann

Robert Moskowitz
ICSA.net
	(248) 968-9809
Fax:	(248) 968-2824
rgm at icsa.net

There's no limit to what can be accomplished
if it doesn't matter who gets the credit

VPN is sponsored by SecurityFocus.COM
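The question in this thread is about integrity end to end, across a WAP gateway that terminates the device-side transport and starts a new one toward the corporate server, so the gateway (and anyone who controls that position) handles the application data in the clear. The following is an added illustration, not code from this thread or from any of the vendors named in it: it models that gateway position and shows why hop-by-hop transport security alone cannot give the server integrity assurance, while an application-layer HMAC computed on the device with a key the gateway never holds does. The shared key, the account values and the `tamper` hook are constructed assumptions for the demonstration; the real phones discussed above would also have needed the ability to do this keyed hashing, which the reply notes they largely lacked.

```python
import hashlib
import hmac
import json

# Constructed shared secret, assumed to be provisioned on the device and the
# application server out of band (e.g. at enrolment); the gateway never holds it.
E2E_KEY = b"constructed-device-server-shared-secret"


def canonical_body(payload: dict) -> bytes:
    """Serialise the payload deterministically so both ends MAC identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def device_build_message(payload: dict, key: bytes = E2E_KEY) -> dict:
    """Device side: attach an end-to-end HMAC-SHA256 tag over the application payload."""
    body = canonical_body(payload)
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": body.decode(), "tag": tag}


class HopByHopGateway:
    """Models the WAP-gateway position from the question: the device-side
    transport (WTLS) ends here and a separate server-side transport (SSL/TLS)
    begins here, so the gateway sees the application data in the clear.
    `tamper` is a hypothetical hook applied to the body, used only to show
    that the server-side check catches modification at this position."""

    def __init__(self, tamper=None):
        self.tamper = tamper
        self.plaintext_seen = []

    def forward(self, msg: dict) -> dict:
        # Hop-by-hop transport protection does nothing against the hop endpoint itself.
        self.plaintext_seen.append(msg["body"])
        out = dict(msg)
        if self.tamper is not None:
            out["body"] = self.tamper(out["body"])
        return out


def server_verify(msg: dict, key: bytes = E2E_KEY) -> bool:
    """Server side: recompute the tag over the received body and compare in constant time."""
    expected = hmac.new(key, msg["body"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, msg["tag"])


def run_scenario(tamper=None) -> tuple:
    """Run one device -> gateway -> server transfer.

    Returns (server_accepted, gateway_could_read_plaintext)."""
    payload = {"account": "constructed-acct-42", "action": "transfer", "amount": 100}
    msg = device_build_message(payload)
    gateway = HopByHopGateway(tamper)
    received = gateway.forward(msg)
    return server_verify(received), len(gateway.plaintext_seen) == 1


if __name__ == "__main__":
    print("honest gateway:", run_scenario())
    print("body changed at gateway:",
          run_scenario(lambda b: b.replace('"amount":100', '"amount":900')))
```

In the honest case the server accepts the message, but the second return value shows the gateway still read the plaintext: an HMAC gives the server integrity and origin assurance, not confidentiality from the intermediary. Hiding the content from the gateway as well would require end-to-end encryption with keys held only by the device and the server, which is exactly the public-key capability the reply above says the phones of that generation could not provide.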