Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
tw/ijns/) 161
WAP protocol stack. It also explains some basis issues encrypt it again (using SSL/TLS), as shown in Figure 2.
of the WTLS protocol and the Wireless Identity Module This has some security consequences, which will be dis-
(WIM). There are however some security problems with cussed in Section 3.
WAP and WTLS. The most important ones are discussed
in Section 3. Some solutions and good practices how to
use WAP are proposed in Section 4. Finally, Section 5 2.2 WAP Protocol Stack
concludes the paper. Many years ago, a theoretical protocol stack was devel-
oped by the OSI (Open Systems Initiative). This was
done to facilitate a common understanding of the func-
2 How Does WAP Work? tionality provided by a protocol stack and to facilitate
comparisons between different vendor’s implementations.
WAP has a very specific architecture which has some se- The mapping of the WAP protocol stack to the OSI model
curity consequences. This architecture will be discussed is shown in Figure 3.
first. Then, the WAP protocol stack, the WTLS protocol
The WAP protocol stack contains the following ele-
and the Wireless Identity Module will be explained.
ments [3]:
2.1 WAP Architecture • Physical and Data Link Layer: In WAP, Point
to Point Protocols (PPP) are used over one or more
Figure 1 shows the basic WAP architecture [1]. There Over–The–Air (OTA) bearer protocols.
are three participating entities: the WAP browser, the
WAP gateway (also called WAP proxy) and a server on • Network Layer: IP is the network layer of choice.
the Internet. However, not all wireless networks are capable of
When the mobile device wants to connect to the In- transmitting IP. That is why SMS or some other non-
ternet, all the communication passes through the WAP packet network protocol can be used.
gateway. This WAP gateway translates all the protocols
used in WAP to the protocols used on the Internet. For • Transport Layer: The protocol used in the trans-
example, the WAP proxy encodes (and decodes) the con- port layer is UDP. However, this may not be feasible
tent to reduce the size of the data that has been sent over over non–IP networks. That is why (there are also
the wireless link. Another example is the WTLS proto- other reasons) that WAP defines an additional trans-
col. The communication between the mobile device and port layer protocol, WDP, which can be used when
the WAP gateway is secured with WTLS. WTLS is only UDP can not.
used between the mobile device and the WAP gateway,
while SSL/TLS can be used between the gateway and the • Session Layer: The functionality of the session
Internet. This means that the WAP gateway first has layer is partially included in WTP. Other aspects of
to decrypt the encrypted WTLS–traffic and then has to the functionality are implemented in WSP.
International Journal of Network Security, Vol.1, No.3, PP.161–165, Nov. 2005 (http://isrc.nchu.edu.tw/ijns/) 163
3.2 WTLS Allows for Weak Encryption not yet widespread. But experts agree that it is just a
Algorithms matter of time before they will strike massively.
and WAP servers (they have to “understand WTLS” in [7] Wireless Application Protocol Forum, WAP Wire-
this solution) is much easier than upgrading all WAP de- less Transport Layer Security,
vices! http://www1.wapforum.org/tech/documents/
There are also some good practices when using WAP. WAP-261-WTLS-20010406-a.pdf.
It is a good idea not to use WAP in very sensitive services [8] Wireless Application Protocol Forum,
and to make sure that your system does not support weak WAP WMLScript Crypto Library,
encryption algorithms. Also use a secure PIN number http://www1.wapforum.org/tech/documents/
(so not 1234) to protect your mobile phone from being WAP-161-WMLScriptCrypto-20010%620-a.pdf.
misused in case it has got lost.