Browser security – Sony Ericsson P802 User Manual
For Internal Use Only
P800 Smartphone
White Paper, May 2002
Browser Security
World Wide Web
The P800 supports TLS/SSL to provide a secure, encrypted link between the browser and the 
website. This method is commonly used for secure transactions on the WWW. 
WAP Security
When using certain WAP services, for example banking services, the user may want a secure 
connection between the phone and the WAP gateway. An icon in the display indicates 
when a secure connection is used. The P800 is based on the WAP 2.0 specifications, in which 
security functionality is specified with a technology called Wireless Transport Layer Security 
(WTLS). 
 
The WAP protocols that handle the connection, its transport and its security are structured in 
protocol layers. The security is handled by the WTLS layer operating above the transport protocol 
layer. There are three WTLS classes that define the levels of security for a WTLS connection: 
• WTLS class 1 involves encryption with no authentication.
• WTLS class 2 involves encryption with server authentication.
• WTLS class 3 involves encryption with both server and client authentication.
 
Server authentication: Requires a server certificate stored at the server side and a root 
certificate stored at the client side. 
 
Client authentication: Requires a client certificate stored at the client side and a trusted 
certificate stored at the server side. 
 
A Wireless Identity Module (WIM) can contain both trusted and client certificates, private keys, 
and the algorithms needed for WTLS handshaking, encryption/decryption and signature generation. 
The WIM can be placed on a SIM card, which is then referred to as a SWIM card. 
Certificates
To use secure connections, the user needs to have certificates saved in the phone. There are two 
types of certificates: 
 
Certificate authority: A certificate used to verify that a WAP site is genuine. If the phone 
has a stored certificate of a certain type, it means the user can trust 
all WAP gateways which present a certificate that can be verified by 
the trusted certificate. Certificates can be pre-installed in the phone, 
pre-installed in the SWIM, or downloaded from the trusted supplier’s 
WAP page. 
 
User certificate: A personal certificate that verifies the user’s identity. A bank that the 
user has a contract with may issue this kind of certificate. User 
certificates can be pre-installed in the SWIM card.