Security using wap – Ericsson T39 User Manual

15

When using certain WAP services the user may want a secure connection between the phone
and the WAP gateway, for example when using banking services. An icon in the display indi-
cates when a secure connection is used. The T39 is based on the WAP June2000 (WAP 1.2.1)
specifications where security functionality is specified with a technology called Wireless Trans-
port Layer Security (WTLS).

The WAP protocols that handle the connection, its transport and its security are structured in
protocol layers. The security is handled by the WTLS layer operating above the transport proto-
col layer. There are WTLS classes that define the levels of security for a WTLS connection:

•

WTLS class 1 involves encryption with no authentication.

•

WTLS class 2 involves encryption with server authentication.

•

WTLS class 3 involves encryption with both server and client authentication

Server authentication

Requires a server certificate stored at the server side and a root certifi-
cate stored at the client side.

Client authentication

Requires a client certificate stored at the client side and a trusted certif-
icate stored at the server side.

A Wireless Identity Module (WIM) can contain both trusted and client certificates, private keys
and algorithms needed for WTLS handshaking, encryption/decryption and signature generation.
The WIM module can be placed on a SIM card and will then be referred to as a SWIM card.

C

C

C

Ce

e

e

errrrttttiiiiffffiiiicc

c

ca

a

a

atttte

e

e

ess

s

s

To use secure connections, the user needs to have certificates saved in the phone. There are two
types of certificates:

Trusted certificate

A certificate that guarantees that a WAP site is genuine. If the phone
has a stored certificate of a certain type, it means the user can trust all
WAP gateways that use the certificate. Trusted certificates can be pre-
installed in the phone, pre-installed in the SWIM, or downloaded from
the trusted supplier’s WAP page.

Client certificate

A personal certificate that verifies the user’s identity. A bank that the
user has a contract with may issue this kind of certificate. Client certif-
icates can be pre-installed in the SWIM card.

W

W

W

WIIIIM

M

M

M L

L

L

Lo

o

o

occ

c

ckk

k

kss

s

s ((((P

P

P

PIIIIN

N

N

N C

C

C

Co

o

o

od

d

d

de

e

e

ess

s

s))))

There are two types of WAP security locks (PIN codes) for the WIM on SIM. The locks protect
the subscription from unauthorized use when browsing. The locks should typically be supplied
from the supplier of the SWIM.

Access lock

An access lock protects the data in the WIM. The user is asked to enter
the PIN code the first time the SWIM card is accessed when establish-
ing a connection.

Signature lock

A signature lock is used for confirming transactions - like a digital sig-
nature.

In the T39, the user can check which transactions have been made with the phone when brows-
ing. Each time the user confirms a transaction with a signature lock code, a contract is saved in
the phone. The contract contains details about the transaction.

S

S

S

Se

e

e

ec

c

c

cu

u

u

urrrriiiitttty

y

y

y U

U

U

Us

s

s

siiiin

n

n

ng

g

g

g W

W

W

WA

A

A

AP

P

P

P