Master’s Thesis in
Computer Science
Approved September 19, 2000
Development of WAP-services
by Fredrik Axelsson
The Royal Institute of Technology (Kungliga Tekniska Högskolan)
Prof. Seif Haridi, Department of Teleinformatics, Royal Institute of Technology
Supervisor: Thomas Sjöland, Department of Teleinformatics, Royal Institute of Technology
Supervisor: Lennart Öhman, Sjöland & Thyselius Telecom AB
Abstract

This thesis is about the Wireless Application Protocol (WAP) version 1.1 and the development of services based on that protocol. It is both a study of the WAP protocol and its different parts and a description of various methods of providing information to users through WAP-enabled devices. The study of the protocol includes an overview of the architecture, a description of the different layers of the protocol stack and an introduction to how the security layer works. Some advantages of WAP as well as alternatives to the protocol within the wireless domain are also included. For the future development of WAP services there is furthermore a closer look at the page description language WML, some programming tools, environments and techniques. Some implementations are also included in the thesis: session management with WAP, conversion of a web application into a WAP solution, and a stand-alone system with a complete WAP structure on a single computer. The last-mentioned technique is useful to achieve higher security or to enable access control.
Contents

1 Introduction ..... 1
1.1 Summary ..... 1
1.1.1 WAP at a glance ..... 1
1.1.2 Development of WAP services ..... 1
1.2 Goals of this project ..... 1
1.2.1 WAP studies ..... 1
1.2.2 Implementations ..... 2
1.3 Organization of this report ..... 2
2 Background to WAP ..... 5
2.1 Motivation ..... 5
2.2 WAP Forum ..... 5
3 Architecture overview ..... 7
3.1 The World Wide Web model ..... 7
3.2 The WAP model ..... 7
4 Wireless Application Environment, WAE ..... 9
4.1 Addressing model ..... 9
4.2 Wireless Markup Language, WML ..... 9
4.3 WMLScript ..... 9
4.4 Wireless Telephony Application, WTA ..... 9
5 The protocol stack ..... 11
5.1 General ..... 11
5.2 Session layer (Wireless Session Protocol, WSP) ..... 11
5.3 Transaction layer (Wireless Transaction Protocol, WTP) ..... 12
5.4 Security layer (Wireless Transport Layer Security, WTLS) ..... 12
5.5 Transport layer (Wireless Datagram Protocol, WDP) ..... 13
5.6 Bearers ..... 13
5.6.1 Circuit Switched Data, CSD ..... 13
5.6.2 Short Message Service, SMS ..... 13
5.7 Future bearers ..... 13
5.7.1 General Packet Radio Service, GPRS ..... 13
5.7.2 Universal Mobile Telecommunications System, UMTS ..... 13
5.7.3 Conclusions ..... 14
5.8 Stack configuration ..... 14
6 Advantages with WAP ..... 15
7 Alternatives to WAP ..... 17
8 Security ..... 19
8.1 Security in general ..... 19
8.1.1 Public key cryptography ..... 19
8.1.2 Bulk encryption algorithms ..... 19
8.1.3 Hashing algorithms ..... 20
8.1.4 Digital certificates ..... 20
8.1.5 Digital signatures ..... 20
8.2 Secure Socket Layer (SSL) ..... 20
8.3 Wireless Transport Layer Security (WTLS) ..... 21
8.4 WAP security model ..... 21
8.5 Drawbacks with WTLS ..... 22
8.6 Computer viruses and WAP ..... 22
9 WML ..... 23
9.1 XML inheritance ..... 23
9.1.1 Unicode character set ..... 23
9.1.2 Character entities ..... 23
9.1.3 Case sensitivity ..... 24
9.1.4 Document header ..... 24
9.1.5 Elements and tags ..... 24
9.1.6 Hierarchical structure ..... 24
9.1.7 Proper nesting of elements ..... 24
9.2 WML elements ..... 25
10 WMLScript ..... 29
10.1 Character set ..... 29
10.2 Accessing WMLScript ..... 29
10.3 Script libraries ..... 30
11 Development tools ..... 31
11.1 Nokia WAP Toolkit 1.3beta ..... 31
11.2 Nokia WAP Server 1.0 ..... 31
11.3 Ericsson WapIDE SDK 2.1 ..... 31
11.4 Ericsson R380 Emulator ..... 32
11.5 Ericsson Test Area ..... 32
11.6 Ericsson WAP Gateway/Proxy Demo 1.0 ..... 33
11.7 WAPDrive Waptor 2.3 ..... 33
11.8 Web servers ..... 33
11.9 Conclusions ..... 33
12 Dynamic WAP applications ..... 35
12.1 Common Gateway Interface (CGI) ..... 35
12.2 Active Server Pages (ASP) ..... 36
12.3 Java Server Pages (JSP) ..... 36
12.4 Personal Home Page (PHP) ..... 36
12.5 Servlet ..... 36
13 Session management ..... 37
14 Implementation 1: Session management in ASP ..... 39
14.1 Generating the WML code ..... 39
14.2 Writing the script code ..... 39
14.3 Saving session data ..... 40
15 Implementation 2: Calculate pension ..... 43
15.1 Background ..... 43
15.2 Purpose and problems ..... 43
15.3 Session management ..... 44
15.4 Special input methods ..... 45
15.5 Erroneous user input ..... 47
15.6 Running the calculation ..... 47
15.7 Conclusions for future development ..... 48
16 Implementation 3: Own WAP gateway with a modem ..... 49
16.1 Windows NT and Nokia WAP Server ..... 50
16.2 Red Hat Linux and Kannel Gateway ..... 51
17 Final conclusions ..... 55
17.1 Usability ..... 55
17.2 Power consumption and user costs ..... 55
17.3 The WAP gateway ..... 55
17.4 Security ..... 55
17.5 User sessions ..... 56
17.6 Service provider ..... 56
17.7 Reasons to use or not to use WAP ..... 56
17.8 Development of services ..... 57
Appendix A: XML ..... 59
Document Type Definition, DTD ..... 59
Appendix B: Abbreviations ..... 61
Appendix C: References ..... 63
List of figures

Figure 3.1: The World Wide Web model ..... 7
Figure 3.2: The WAP model ..... 8
Figure 4.1: WTA access control ..... 10
Figure 5.1: The WAP protocol stack ..... 11
Figure 8.1: The WAP security model ..... 21
Figure 9.1: The element hierarchy of WML ..... 27
Figure 11.1: The mobile phone Ericsson R380 ..... 32
Figure 14.1: An example of the session management implementation ..... 40
Figure 15.1: The first part of the web version of the pension calculations ..... 43
Figure 15.2: The second part of the web version of the pension calculations ..... 44
Figure 15.3: Example of the menu in the pension calculations ..... 45
Figure 15.4: The input field for income in the web version ..... 46
Figure 15.5: An example of the input page for future salary ..... 46
Figure 15.6: The result of a calculation in the web version ..... 47
Figure 15.7: The result of a calculation in the WAP version ..... 48
Figure 16.1: Different service provider approaches ..... 49
List of tables

Table 5.1: Stack configuration and the corresponding ports ..... 14
Table 6.1: Comparison between WWW and WAP bandwidth requirement ..... 15
Table 11.1: WAP MIME types ..... 34
1 Introduction

1.1 Summary

1.1.1 WAP at a glance

The Wireless Application Protocol (WAP) is an effort to make the Internet available to mobile phones and similar devices that communicate over a wireless network. It is designed to reuse as much existing technology as possible, with the World Wide Web as the main component. Other important factors in the protocol design are the differences between desktop computers and handheld devices, for example the limited power, display and input capabilities of the latter. Since WAP uses the web, service providers do not need to buy new servers or any other hardware; the company's existing web server is fully capable of delivering WAP content after some minor configuration of the web server software. Between the wireless domain and the web there is a gateway that converts WAP requests into HTTP requests and converts the information returned by the web server back into the WAP protocol. The documents sent over the wireless domain are encoded to save bandwidth and to reduce the workload on the client. The page description language used by ordinary web browsers is replaced by a simpler one, better adapted to the user interface of a mobile phone. This language is based on the Extensible Markup Language (XML) and is called Wireless Markup Language, or WML.
1.1.2 Development of WAP services

Both of the telecom corporations Ericsson and Nokia offer Software Development Kits to WAP application developers. They also provide WAP gateways and mobile phones as well as browser emulators. An emulator is a handy tool for the developer to check the result of the development before it is released for use on real devices. Besides those tools, all the development environments used in web programming are useful for the development of WAP applications as well. However, there are some major differences between the browsers used by web and WAP clients, which makes some features unusable in some of the development environments.

1.2 Goals of this project

There were two primary goals with this project. The first was to look at the capabilities of WAP and to answer some questions. The second was to develop a couple of applications using WAP.

1.2.1 WAP studies

When studying the available literature, these were the characteristics of WAP that had to be determined:

o Background of WAP and why it was developed
o Description of WAP, i.e. how it works
o User interactivity
o Advantages and limitations
o Alternatives
o How to develop WAP services
o Future of WAP

Since this is a very young and changing technology there is a lack of printed literature on the market. Therefore much of the background material for this report had to be found on the Internet. Besides the above-mentioned characteristics there were also some questions that needed answers:

o Is WAP a good solution for the mobile Internet?
o Is there a future for WAP, e.g. with the new network bearers?
o Is WAP something for the company Sjöland & Thyselius to concentrate resources on?

1.2.2 Implementations

The major application development was to convert a web site into a WAP site. The functionality of the web site is for Swedish citizens to calculate their future pension. Even if there might not be a need for a WAP implementation in this case, it is a good example of the degree of reusability of advanced web applications. One of the other implementations was to realize a stand-alone system, which includes all the different parts that WAP is built upon.

o Session management

Since WAP did not inherit all the functionality of the web, some functionality that is convenient for the developer is missing in the development of WAP services. One of those is the management of user sessions. This is very easy in web development, e.g. when using Active Server Pages. In WAP, however, session management must be handled completely by the developer, and this implementation is an example of how to achieve such functionality.

o Pension calculation

The goal of this implementation was to provide a WAP service where people can calculate their future pension. This service was already available on the Internet through the web site http://www.pension.nu. In the web version of the pension calculation there was a client-side script that calculates a person's upcoming pension based on values entered on the web page. The script used for the calculations was a very large script written in JavaScript. Since the mobile phones on the market have very limited memory and lack a JavaScript interpreter, a different solution seemed necessary.

o Own gateway with a modem

This implementation was about setting up a stand-alone WAP system. It includes a computer with a modem, a WAP gateway and a web server. This was to test the possibilities of offering WAP services without going through the Internet. The test was to be run on two different platforms, Windows NT and Linux. One practical use for this kind of service could be the need to avoid the security hazards of Internet traffic or to get faster data delivery by avoiding the net.

1.3 Organization of this report

In the first sections, i.e. 2 and 3, the background of WAP and an architecture overview are discussed. This discussion includes the base on which WAP is built and the conditions under which the protocol was developed. The foundation of WAP is to use as much existing technology as possible and to adapt the standard to the capabilities of existing user devices. Sections 4 and 5 deal with the WAP protocol stack. It is a brief look at all the layers of the stack and their respective roles. It begins with the uppermost layer, the application environment, which contains the user interface. At the bottom of the stack there is a datagram layer, which either operates above a network bearer or is replaced by the UDP protocol; the latter is the case if the bearer already supports UDP. In the session and transaction layers different configurations are possible, i.e. connectionless or connection-oriented mode. If the connection-oriented mode is used, three levels of transactions can be selected, all with different reliability.
This part of the report ends with a look at the bearers on the market today as well as those of the future. Advantages of WAP are discussed in Section 6, mostly in contrast to the HTTP protocol used by the web. The main advantages lie in the optimization of the number of datagram packets sent over the air and the power savings in the user's device. Security is discussed in Section 8. It begins with an explanation of the encryption techniques used today, followed by a description of how Internet security is solved on the web with the Secure Socket Layer (SSL) protocol. Since WAP uses the web as a vital part of its communication, it also uses SSL to achieve security on the web side. To solve the security issue in the wireless domain, WAP uses the Wireless Transport Layer Security (WTLS) protocol, which is based on a descendant of SSL. The markup language used to describe the contents of WAP documents is called Wireless Markup Language (WML). This language and the script language WMLScript are described in Sections 9 and 10. Most of the tags available in WML 1.1, i.e. the WML version included in version 1.1 of WAP, are described, as well as some characteristics of the language. Since WML is based on XML it is very strict about how tags are placed in the document. HTML on the other hand is a much looser language, where browsers are very forgiving to developers who write erroneous code. WMLScript is a script language related to JavaScript but adapted to the kind of devices WAP is normally used on. Several WAP development tools and test applications are reviewed in Sections 11 and 12. There are for instance two development kits, from Nokia and Ericsson, which work very well for writing static documents or the foundation of dynamic documents. If the WAP site contains documents with fluctuating data, the document must be built at runtime on the web server.

This can be managed with one of the available server-side scripting techniques, such as CGI or ASP. If there is a need for user sessions, e.g. on a site with multiple documents based on user-related information, session management functionality must be written. Since WAP lacks the cookie functionality a web browser uses, it is up to the developer to program the session management. This is described in Section 13, followed by a description of an implementation in ASP in Section 14. The two following sections are about the implementations Pension calculation and Own gateway with a modem, described above. The last section contains the conclusions of this thesis and the answers and solutions to the questions and problems stated above in the project goals section.
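The session handling described above, as an added example written in Python rather than the ASP of the thesis's own implementation (this is not code from the thesis). It assumes a query parameter named sid, a five-minute idle timeout and constructed paths under /pension/; the server issues a random id, writes it into every link of the WML deck it generates, reads it back from the next request's URL and looks it up in a server-side store:

```python
"""URL-carried user sessions for a WAP service that cannot use cookies.

Added example; not code from the thesis, whose own implementation (Section 14)
is written in ASP. Parameter name, paths and sample requests are assumed.
"""
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse
from xml.sax.saxutils import escape

SESSION_PARAM = "sid"        # assumed query-parameter name carrying the id
IDLE_TIMEOUT = 300           # seconds of inactivity before a session is dropped
SESSION_ID_BYTES = 16        # 128 random bits: an id an attacker cannot guess


class SessionStore:
    """In-memory session table; `clock` is injectable so expiry can be tested."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}  # sid -> {"data": dict, "last_seen": float}

    def create(self):
        sid = secrets.token_urlsafe(SESSION_ID_BYTES)
        self._sessions[sid] = {"data": {}, "last_seen": self._clock()}
        return sid

    def get(self, sid):
        """Return the session's data dict, or None if unknown or idle too long."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        now = self._clock()
        if now - entry["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]
            return None
        entry["last_seen"] = now
        return entry["data"]

    def destroy(self, sid):
        self._sessions.pop(sid, None)


def with_session(path, sid):
    """Append the session id to a link, since there is no cookie to carry it."""
    return f"{path}?{urlencode({SESSION_PARAM: sid})}"


def render_deck(sid, income):
    """Generate a WML 1.1 card whose navigable link carries the session id."""
    next_url = with_session("/pension/step3.asp", sid)   # assumed path
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE wml PUBLIC "-//WAPFORUM//DTD WML 1.1//EN" '
        '"http://www.wapforum.org/DTD/wml_1.1.xml">\n'
        '<wml><card id="income" title="Income">\n'
        f'<p>Income so far: {escape(str(income))}</p>\n'
        f'<p><a href="{escape(next_url)}">Next</a></p>\n'
        '</card></wml>\n'
    )


def handle_request(store, request_url):
    """One request cycle: resolve or create the session, save any submitted income.

    Returns (sid, deck). An unknown, expired or forged id is ignored and a fresh
    session is started, so nobody resumes another user's session by guessing.
    """
    query = parse_qs(urlparse(request_url).query)
    sid = query.get(SESSION_PARAM, [None])[0]
    data = store.get(sid) if sid else None
    if data is None:
        sid = store.create()
        data = store.get(sid)
    if "income" in query:
        try:
            data["income"] = int(query["income"][0])
        except ValueError:
            pass  # erroneous user input: keep the previous value
    return sid, render_deck(sid, data.get("income", 0))
```

Two points a practitioner would check here: the id comes from the secrets module, so it cannot be predicted from earlier ids, and an unknown, expired or forged id silently starts a new session rather than failing open. Because the id travels in the URL it will appear in the gateway's and web server's logs and in any bookmarked card, so the timeout is kept short and nothing of value should be tied to the id after the session ends.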
2 Background to WAP

2.1 Motivation

The Internet has proven to be both an easy and efficient way to publish data and to offer services to millions of people. Most of the content on the Internet is designed for users running desktop computers with fast access to data and without power limitations. What makes it different for users of mobile handheld devices, such as mobile phones, to reach information on the Internet are the limitations in capacity: less powerful CPUs, less memory, restricted power consumption, smaller displays and different input devices. Wireless networks also tend to have some major limitations compared with ordinary telephone or broadband networks: less bandwidth, more latency, less stable connections and less predictable availability.

2.2 WAP Forum

Ericsson, Motorola, Nokia and Unwired Planet took the initiative to create a standard for the development of services for the wireless community on June 26, 1997. At the end of the year the WAP Forum was created, and the first release of the WAP specification was published in February 1998. The goal of the WAP Forum is to develop a license-free standard for bringing information and services to wireless devices [1]. Among the requirements of the WAP architecture are to use existing technologies wherever possible, to support as many networks as possible and to optimize for narrowband bearers. By using existing technologies the standards reach the market faster and the costs of developing and running applications are kept down [18].
3 Architecture overview

3.1 The World Wide Web model

The WWW model, or simply the web, used on the Internet gives a client the possibility to receive content in a well-specified data format from web servers. The communication is handled through standard networking protocols such as HTTP and TCP/IP. To reach the content on the server the client uses addresses in a standard naming model called Uniform Resource Locator (URL), as shown in Figure 3.1. The client uses a web browser to view the content provided; among the formats supported are a language to describe the appearance of the content, called HyperText Markup Language (HTML), and a script language to enhance the content's functionality, called JavaScript.

Figure 3.1: The World Wide Web model. (The WWW browser on the client sends an HTTP request containing a URL over the Internet to the web server, where CGI scripts and other content produce the HTTP response containing HTML.)
3.2 The WAP model

The WAP protocol is designed to use as much of existing technologies and standards as possible. A browser in the WAP device communicates with a WAP gateway (or proxy) connected to the Internet. The gateway translates requests from the WAP protocol stack to the WWW protocol stack (HTTP and TCP/IP) and vice versa. Since all communication between the gateway and the WAP client is binary encoded to reduce network traffic, the gateway also decodes every request and encodes every response.

When the browser sends a request, the gateway decodes it to plain text and then forwards the request to the web server holding the desired content, as illustrated in Figure 3.2. The user of the WAP device is always connected to the same gateway, and the gateway can reach any web server, so a content provider only needs to add a few content types to the web server to enable WAP services to be developed. WAP therefore uses the same naming model as web applications and points out content on remote servers with URLs. The standard content formats used by WAP applications are based on WWW technology, including a markup language called Wireless Markup Language (WML), calendar information, a scripting language by the name of WMLScript and so forth. When the server replies, the desired content is sent to the gateway, which encodes it into the binary form of WML it uses for the communication with the WAP device. The binary encoding compresses the tags and the header information of the WML document. Each tag in the document is replaced by a single-byte token, i.e. no more data than a single character. The textual content is not compressed, but all unnecessary spaces and line breaks are removed. This saves both bandwidth on the communication channel and power on the client, the latter because the document is much easier for the device to parse. If the content is in HTML, the gateway tries to translate it to WML before the encoding.

Figure 3.2: The WAP model. (The WAP browser on the WAP device sends a WSP encoded request containing a URL over the wireless network to the WAP gateway; the gateway's encoders and decoders turn it into an HTTP request sent over the Internet to the web server, where CGI scripts and other content produce an HTTP response containing WML, which the gateway returns to the device as a WSP encoded response.)
Development of WAP-services
4 Wireless Application Environment, WAE

The Wireless Application Environment (WAE) is the uppermost layer in the WAP protocol stack. It combines World Wide Web and mobile telephony technologies, and the effort is to provide a common environment. This will enable operators and service providers to reach different wireless platforms in an efficient and useful way. The WAE is divided into two logical layers, one for user agents and one for services and formats. The first layer is for user agents, e.g. browsers, phonebooks and message editors. In the second layer, the one with services and formats, there are different elements available such as WML, WMLScript, image formats, card and calendar formats and so forth. Those services and formats are accessible to and used by the different user agents. This logical view is assumed by the WAE but it is not necessary for an implementation to follow it, e.g. there can be a user agent that supports all the different services and functions.

4.1 Addressing model

An important service in WAE is the URL service. WAE uses the same addressing model that is used on the Internet and therefore relies on the HTTP and HTML URL semantics. Besides the URL, which identifies resources on a server that can be reached by well-known protocols, the WAE also supports Uniform Resource Identifiers (URI), which are used to locate resources that are accessed without using well-known protocols, such as the wireless devices' telephony functions.

4.2 Wireless Markup Language, WML

The WML user agent is a fundamental user agent in WAE, even if an implementation of WAE is not required to include one. It supports WML, WMLScript or both of them.

WML is a markup language derived from XML and similar to the HTML used in the WWW model, but it is optimized for small handheld devices with a limited display and limited user input. In the communication between a WAP gateway and a client, the WML code is encoded to a binary form to reduce the amount of data to transmit, which saves bandwidth. A WML document, called a deck, is divided into one or more cards. A card contains the data that is displayed at once on the client's device, either to visualize data or to receive user input. The first card of a deck is automatically displayed when the deck is loaded, and then the user can be allowed to continue to other cards in the deck. In this way the user gets moderately sized pieces of information suited to the limited display size of the device. At the same time the network traffic is reduced, since several cards are downloaded at once, which requires fewer requests and acknowledgements.

4.3 WMLScript

WMLScript is a lightweight script language based on ECMAScript and therefore similar to JavaScript. It is used to add intelligence to the client, improve the UI, reduce the need for roundtrips etc. WMLScript also supports libraries that contain functions that extend the basic functionality. This also provides the ability to expand the language without having to change the core of WMLScript.

4.4 Wireless Telephony Application, WTA

The Wireless Telephony Application, WTA, is another user agent available in the WAE. It provides the ability to set up phone calls and enables network operators to provide advanced telephony services. Because of the nature of these services only the network operator, or some service provider trusted by the network operator, is allowed to present content to a WTA user agent. For this reason there is a special WTA domain, totally controlled by the network operator, that provides WTA services. The separation between the domains is shown in Figure 4.1.

Figure 4.1: WTA access control. (The mobile client holds a WML user agent and a WTA user agent. The WAP gateway exposes a common WAE port for the common WAE services and a separate WTA port for the WTA services on the WTA server, which sits behind an optional firewall towards the Internet.)

The WTA server might be an ordinary web server, which could be connected to e.g. a voice mail system, that provides different services. The functionality of WTA includes:

o Wireless Telephony Application Interface, WTAI
  This is an interface for telephony related functions that can be invoked by WML and/or WMLScript. Some examples of such functions are call management, handling of text messages and phonebook control. The functions are divided into three categories. First there are the network common functions, which are available on all types of networks. Then there are the network specific functions, which are unique to a certain network type. Finally there are the public functions, which can be invoked from the WML user agent. Currently there is only one public function available and that is the ability to set up a phone call. To avoid surprises on the phone bill this function must be acknowledged by the user.
o Repository
  The repository stores WTA services persistently to allow access without any use of the network. This is useful for real-time handling when no delays are allowed.
o Event handling
  Events on the network could be incoming calls, call disconnect, call answered etc., and the WTA must handle these events to provide telephony services. As a result of an event some service in the repository can be activated, or some events can be bound to some action in the WML.
o WTA service indication
  This is a notification using the push functions in WAP. It can be used to notify a user of voice mail etc. The service indication function sends a message and a URL to the device, and the user has the ability to start some service with the use of this information.
The protocol stack

5.1 General

Four protocols, besides the application environment (WAE), form the actual WAP protocol stack used for communication between a client and a WAP gateway. In Figure 5.1 the protocol stack is visualized with a comparison to the HTTP protocol stack used on the World Wide Web.

Figure 5.1: The WAP protocol stack. (Internet side: HTML over HTTP, TLS - SSL, TCP/IP and UDP/IP. WAP side: the Wireless Application Environment (WAE) and other services and applications, the Wireless Session Protocol (WSP), the Wireless Transaction Protocol (WTP), Wireless Transport Layer Security (WTLS) and the Wireless Datagram Protocol (WDP) or User Datagram Protocol (UDP), running over wireless bearers such as CSD, USSD, SMS, IS-136, CDMA, GPRS etc.)

The protocols can be used in four different configurations [1]:

o Connectionless mode
  In this mode the session protocol (WSP) runs directly on top of the datagram protocol (WDP) and offers an unreliable datagram service with no acknowledgements or resends.
o Connectionless mode with security
  This is the same service as the one above with the addition of the security layer (WTLS) to provide authentication, encryption etc.
o Connection mode
  This is the configuration where all protocol layers are involved in the communication. The session protocol (WSP) is in a mode to handle long-lived sessions, the transaction protocol (WTP) provides reliable connections with acknowledgements and, if necessary, retransmissions, and the datagram protocol (WDP) provides a datagram service if the bearer doesn't support it.
o Connection mode with security
  Just as in the connectionless case, this mode is the same as the connection mode but with the addition of the security services provided by the WTLS layer.

5.2 Session layer (Wireless Session Protocol, WSP)

The session layer offers two interfaces for the WAE: a connection-oriented service that operates above the transaction layer protocol, and a connectionless service that operates above a secure or non-secure datagram service. The connection-oriented service provides a session between the client and a WAP gateway or proxy. It handles capability negotiation and communication interrupts, such as change of bearer. There is support for asynchronous requests, and answers can be handled unordered. The connectionless service is basically a thin layer used by the WAE when there is no need for a reliable transaction of data. WSP is optimized for low-bandwidth bearer networks. The wireless session protocol currently consists of services suited for browsing applications, named WSP/B. WSP/B is designed to allow a WAP proxy to connect a WAP client to a standard HTTP server and provides HTTP/1.1 functionality and semantics in a compact over-the-air encoding. The service is assumed to be a long-lived session that can be suspended and resumed at a later time without any need for a new capability negotiation, which results in less traffic. With the release of WAP 1.2 a function for both reliable and unreliable data push is fully included in the protocol [6].

5.3 Transaction layer (Wireless Transaction Protocol, WTP)

WTP runs on top of a datagram service and provides a lightweight transaction-oriented protocol that is suitable for mobile phones. It operates over secure or non-secure wireless datagram networks and is a reliable way of communication, with the ability to retransmit lost messages and avoid duplication. The communication sequence is only alive during the exchange of an individual message and therefore there is no relation between different messages. There are three classes of transactions:

o Unreliable one-way requests
  A message is sent and nothing is returned. This can be useful e.g. for a push service, but it is not intended for applications that use a datagram service as their primary way of communication. Such applications should use WDP.
o Reliable one-way requests
  A message is sent and the recipient sends an acknowledgement. This is a reliable datagram service that can be used for e.g. a reliable push service.
o Reliable two-way request-reply transactions
  A message is sent and the recipient replies with exactly one result message. The initiator then finally acknowledges the result message. If the recipient knows that the message processing time will exceed the initiator's timer interval, the recipient may send a 'hold on' message to prevent the initiator from resending the original message. In this way the initiator is prevented from unnecessary retransmissions.
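The reliable two-way transaction above, simulated as an added example (not code from the thesis or from any WAP implementation): a responder that knows its processing time will outlast the initiator's timer answers with a 'hold on', and the same run without it shows the retransmission and the duplicate that the responder has to recognise and drop. The message names, the tick-based timing and the request text are assumptions of the example, not the real WTP encoding.

```go
package main

import "fmt"

// Kind is the message type in a class 2 WTP transaction as described in 5.3.
// The names and the tick-based timing are constructed for this example; they
// are not the real WTP PDU encoding.
type Kind int

const (
	Invoke Kind = iota // the initiator's request
	HoldOn             // responder: the result will take longer than your timer
	Result             // the responder's single result message
	Ack                // the initiator's final acknowledgement of the result
)

// Message carries a transaction identifier so a responder can recognise a
// retransmitted Invoke as a duplicate instead of processing it twice.
type Message struct {
	Kind Kind
	TID  int
	Body string
}

// Outcome summarises one simulated transaction.
type Outcome struct {
	Retransmits int  // Invokes sent by the initiator beyond the first one
	Duplicates  int  // repeated Invokes the responder recognised and dropped
	Completed   bool // the Result reached the initiator and was acknowledged
	Ticks       int  // simulated time units until completion (or the limit)
}

// run simulates one transaction. processTime is how many ticks the responder
// needs to produce the Result, timer is the initiator's retransmission
// interval, and useHoldOn selects whether the responder sends 'hold on' when
// it knows processing will outlast that timer. A message sent in one tick is
// delivered in the next.
func run(processTime, timer int, useHoldOn bool) Outcome {
	const tid = 1
	var out Outcome
	var toResponder, toInitiator []Message
	sinceSent, holdOn := 0, false      // initiator state
	seenInvoke, remaining := false, 0  // responder state

	toResponder = append(toResponder, Message{Invoke, tid, "GET /deck.wml"})
	for tick := 1; tick <= 100 && !out.Completed; tick++ {
		out.Ticks = tick
		// Responder side: consume this tick's deliveries.
		arrived := toResponder
		toResponder = nil
		for _, m := range arrived {
			if m.Kind != Invoke {
				continue // the final Ack needs no action in this toy model
			}
			if seenInvoke {
				out.Duplicates++ // same TID again: a retransmission, drop it
				continue
			}
			seenInvoke, remaining = true, processTime
			if useHoldOn && processTime > timer {
				toInitiator = append(toInitiator, Message{HoldOn, tid, ""})
			}
		}
		if seenInvoke && remaining > 0 {
			remaining--
			if remaining == 0 {
				toInitiator = append(toInitiator, Message{Result, tid, "<wml>...</wml>"})
			}
		}
		// Initiator side: consume deliveries, then check the retransmit timer.
		arrived = toInitiator
		toInitiator = nil
		for _, m := range arrived {
			switch m.Kind {
			case HoldOn:
				holdOn = true // stop the retransmission timer
			case Result:
				toResponder = append(toResponder, Message{Ack, tid, ""})
				out.Completed = true
			}
		}
		sinceSent++
		if !out.Completed && !holdOn && sinceSent >= timer {
			toResponder = append(toResponder, Message{Invoke, tid, "GET /deck.wml"})
			out.Retransmits++
			sinceSent = 0
		}
	}
	return out
}

func main() {
	fmt.Printf("with hold on:    %+v\n", run(5, 3, true))
	fmt.Printf("without hold on: %+v\n", run(5, 3, false))
}
```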
5.4 Security layer (Wireless Transport Layer Security, WTLS)

WTLS provides transport layer security between the WAP client and the WAP gateway/proxy. It is based upon the industry standard Transport Layer Security (TLS) protocol, formerly known as Secure Socket Layer (SSL). WTLS is optimized for use over narrowband communication channels, and each application can selectively enable security features. The security layer provides data integrity to ensure that the data is unchanged and uncorrupted. It grants privacy and ensures that any intermediate parties intercepting the data stream cannot understand the data. Authentication and protection against denial-of-service attacks are also parts of WTLS.
Transport layer (Wireless Datagram Protocol, WDP)

WDP provides a datagram layer for different types of bearers without User Datagram Protocol (UDP) support, such as GSM SMS. This gives the upper layers a common interface to different types of wireless networks. If the bearer supports UDP the WDP layer is not needed, because WAP is then given a datagram service anyway.

5.6 Bearers

The WAP protocols are designed to operate on different bearer services, such as short message, circuit-switched data and packet data. The protocols compensate for the varying levels of service. On the existing GSM networks there are two possible bearers:

5.6.1 Circuit Switched Data, CSD

This is a traditional 'dial up' connection where the user connects to a WAP gateway and stays online while browsing pages on the Internet. Since GSM is designed for voice traffic there are several drawbacks with using CSD. First of all, the best-case scenario is a connection of 14400 bps, but 9600 bps is a far more common data speed. The connection lacks all sorts of immediacy too. To connect to a WAP gateway the user has to wait for at least 10 seconds, but connection times of 30 seconds are common [7].

5.6.2 Short Message Service, SMS

SMS is a text message service on GSM networks. It is useful to notify the user of things like the arrival of new voice mail or to send short notes between different users on the network. The size of the messages is limited to 160 characters, which limits the use of SMS for WAP services dramatically. Even if the transaction is small it can be both time consuming and expensive, since the network operators charge the user per sent message [7][15].

5.7 Future bearers

5.7.1 General Packet Radio Service, GPRS

GPRS is a packet based communication service that is based on GSM. It will be available from the year 2000 and promises a connection speed of 56 - 114 kbps. The technique takes advantage of the unused time slots on GSM channels to transmit data. In one GSM channel there are eight time slots for voice traffic, i.e. there can be eight voice calls at the same time on the channel. When some of those slots are free they can be used for transmission of packets. The great advantage with GPRS is that the user is always on-line and has a device that is ready to send and receive packets at any time. In this way the time to dial a number to get a connection is eliminated, but on the other hand the network operators cannot charge the user per minute and will instead need to charge per byte. The drawback with the technique is that voice traffic is prioritized, so the data speed will be very limited if there are only a few free time slots available [7][10][15].

5.7.2 Universal Mobile Telecommunications System, UMTS

The third generation of mobile phone communication standard will be UMTS. It is a packet based broadband system with the possibility to transfer data at rates of 2 megabits per second. The high speed of the data communication is possible by using a bandwidth that is 25 times bigger than the one on GSM. UMTS is based on the GSM communication standard and is planned to be up and running in the year 2002. By using packets to communicate UMTS gives the user the ability to be on-line all the time, in the same way as on GPRS [7][10][15].

5.7.3 Conclusions

For WAP these new bearers will mean a more flexible and practical use of the WAP devices. The user will be able to download information much faster and will therefore get faster access to the services.

5.8 Stack configuration

In practical use there are four different combinations of the protocol layers. The simplest way is to use the session layer right on top of a datagram protocol, i.e. WDP or UDP. This is the combination that normally is called the connectionless mode. Sometimes, though, it is desirable to achieve a more reliable way of communication. By including the transaction protocol a reliable communication channel is achieved, which is called connection-oriented mode. This protocol is added between the session and the datagram layer and handles acknowledgements, message resending etc. Both of the mentioned combinations can be combined with the security layer on top of the datagram protocol, to enhance the traffic privacy or to be able to use certificates. Since different devices can use different stack configurations they can also generate different types of requests. To be able to separate those configurations at the server, the requests are sent to different ports. Since there are four different combinations of protocol layers there are also four different ports a device can use to make a request from a server. The relationship between the stack configurations and the port numbers is shown in Table 5.1.

Table 5.1: Stack configuration and the corresponding ports.

WAP stack layers        Port
WSP WDP                 9200
WSP WTP WDP             9201
WSP WTLS WDP            9202
WSP WTP WTLS WDP        9203

If there is a firewall between the WAP gateway and the client it can be necessary to open up the above mentioned ports in the firewall. An example could be a client that is connected to a modem, which resides within a Local Area Network (LAN). The gateway, on the other hand, is accessible somewhere on the Internet. Between the LAN and the Internet there is usually a firewall, and in some cases there are just a few ports open for communication, e.g. the HTTP and POP ports. Therefore it is important that none of the ports used by the client's WAP device is closed for traffic, or the user will not be able to use the device at all.
6 Advantages with WAP

Even if the new bearers mentioned above will give the client a connection speed similar to ordinary telephone modems, there are still some major advantages with WAP over ordinary WWW communication with the TCP/IP and HTTP suites. The list below gives some of the functionalities that reduce the workload and the power consumption for the client. This gives the user more operating time as well as a cheaper device, since it does not need as much computing power.

o All information, including the HTTP headers, is binary encoded by the WAP gateway. The amount of data to deliver between the client and the gateway is therefore significantly reduced in contrast to the plain text used by the HTTP protocol. The encoding also saves power on the client device since the content is easier to parse.
o Sessions can be suspended and resumed without the overhead of initial establishment. This is useful, besides saving power, to free up network resources.
o The number of packets needed by the transaction protocol is reduced, since there is only one route between the gateway and the client. Therefore the need to manage unordered packets does not exist.
o The gateway handles all the DNS services to resolve domain names used in the URLs. This means that no extra packets for name translation have to be sent over the wireless domain. However, this is not a unique advantage of WAP since it can be achieved with an HTTP proxy as well.
o From version 1.2 of the WAP protocol push functionality will be available. This means that a content provider can push information to the user whenever it is appropriate, e.g. to inform the user of changes or events.

As seen in Table 6.1 the improvements made to the protocol stack lead to significant savings in bandwidth. Here a query from an HTTP 1.0 compatible browser is compared to a query from a WAP browser. With a typical handset session with three requests and three responses, less than half the number of packets is needed by the WAP protocol stack, which leads to the fact that while the HTTP 1.0 stack has 65% overhead the WAP stack only needs 14% overhead [18].

Table 6.1: Comparison between WWW and WAP bandwidth requirement. (In the original table the packets that contain payload are set in bold; the non-bold items are overhead.)

HTTP/TCP/IP                          WSP/WTP/UDP
1  => TCP SYN                        1  => Data Request
2  <= TCP SYN, ACK of SYN            2  <= ACK, Reply
3  => ACK of SYN, Data Request       3  => ACK, Data Request
4  <= ACK of Data                    4  <= ACK, Reply
5  => Reply                          5  => ACK, Data Request
6  <= ACK of Reply                   6  <= ACK, Reply
7  => Data Request                   7  => ACK
8  <= ACK of Data
9  => Reply
10 <= ACK of Reply
11 => Data Request
12 <= ACK of Data
13 => Reply
14 <= ACK of Reply
15 => TCP FIN
16 <= TCP FIN, ACK of FIN
17 => ACK of FIN

Furthermore the content written in WML is designed for a device with a smaller screen and a more limited input device than an ordinary computer. Since traditional web pages written in HTML are designed for desktop computers, they are not practical for small handheld devices, such as pocket computers and mobile phones. This kind of device is called a Personal Digital Assistant, or PDA.
7 Alternatives to WAP

For the European GSM market there are no real alternatives to WAP to get mobile Internet access. The only option is the ordinary dial-up connection with a mobile phone and a laptop computer or a PDA such as PalmPilot or Cassiopeia. The drawbacks with the classical computer-and-phone concept are the clumsiness of the computer, and if you are using a PDA you still have to carry two devices. A common thing for these two alternatives is the higher overhead an ordinary HTTP and TCP/IP connection results in, which leads to higher power consumption etc. Casio's PDA Cassiopeia will in a future model include a GSM telephone and will in that way eliminate the need for two devices. Casio will however not support the WAP protocol in this PDA. Instead they believe in faster mobile networks and wireless communications with traditional web services [9], which ought to lead to the same problems as discussed above. In Japan the mobile phones operate on a network standard called PDC. This network supports packet-based communication services and has the ability to charge the user per amount of data instead of per minute. An operator by the name Docomo has released a very popular service called I-mode, which had more than 7000 different services provided by 356 companies in March 2000. Many phones have color displays and future models will be able to run small Java applications that can be downloaded over the network [4][5].
8 Security

8.1 Security in general

The Internet has become a more and more important part of people's lives. It is no longer only used as an information resource or an electronic mail system, but also as an important place to shop or to manage bank and stock transactions. This leads to the need for a highly secure network where credit card numbers and bank accounts are kept secret from anyone else but the user and the service provider. Exactly the same need for security applies to the mobile use of the Internet, but it has to take a slightly different approach. As mentioned before, the wireless devices usually do not have the same bandwidth and computing power as the wired ones. This is therefore something the security implementation must take into consideration. There are four different aspects a security system can address [14]. Those are:

o Privacy
  All messages sent between two parties must be protected from any intermediate access. This means that no one except the sender and the receiver shall be able to see, access or use the information sent. The information can be addresses, credit card numbers, phone numbers or any other kind of sensitive data.
o Integrity
  Any changes to the content must be detected by the receiver, to prevent any other party than the sender from giving the receiver information. If the receiver finds out that a message has been altered between herself and the sender it often results in a resend request from the receiver.
o Authentication
  Ensures that the corresponding party is who it claims to be. In the real world this can be compared to the need for a driver's license or an ID. If a person for instance wants to withdraw money from a bank account, the bank cashier requires to see some proper identification to assure that it is the owner of the account that does the withdrawal.
o Non-repudiation
  Guarantees that a party cannot claim it never participated in a transaction. This can be compared to a signature in the real world, e.g. if a person has signed a check the signature proves that the person and no one else approved the transaction.

There are some different techniques used to implement those security aspects, and the techniques used by the security protocols are described below.

8.1.1 Public key cryptography

This technique is based on pairs of keys and algorithms. Each individual has one private and one public key, and there is one algorithm for encryption and one for decryption. To send an encrypted message to a person one uses that person's public key and the encryption algorithm. That message can then only be read if it is decrypted with the receiver's private key and the decryption algorithm. In this way the messages are hidden from all other users but the receiver. It is also possible to encrypt a message with one's own private key. This message is then only readable after decryption with the sender's public key. In this way everyone reading the message knows that it really came from the owner of the public key and not from anyone else.

8.1.2 Bulk encryption algorithms

Since public key cryptography uses very advanced algorithms to encrypt small amounts of data it is impractical to use with larger quantities of information. A better alternative is faster bulk encryption algorithms that use a shared secret key to exchange the data between the parties. These algorithms are extremely difficult to break when the shared key contains a large number of bits, and this method is therefore used to encrypt most of the secure messages on the Internet.

8.1.3 Hashing algorithms

By using hashing algorithms integrity can be provided, since they produce a small mathematical fingerprint of a message. If any content in the message has been altered the fingerprint will no longer match and the receiver must ask the sender to retransmit the message.

8.1.4 Digital certificates

Anyone can put up a web server, generate key pairs and falsely pass oneself off as another web site. To prevent this from happening, digital certificates are used to provide an authenticated way of distributing public and private keys. The certificates can also be used to authenticate a party, so clients and servers know whom they are really communicating with. There are two types of digital certificates: server certificates and client certificates. As the names indicate, the server certificate is used to authenticate a web server and a client certificate is used to authenticate an individual user on the Internet. The certificate holds information such as the party's identity and public key. It is also encrypted with the private key of a certificate authority to verify the certificate's authenticity. Companies like VeriSign and RSA Security operate as certificate authorities and provide a respected and independent third-party resource that issues keys and certificates to their holders.

8.1.5 Digital signatures

An authorization from a user can be a message encrypted with the user's private key from the client certificate. This ensures that no one else but the specific user has sent the authorization, and it can therefore be compared to a written signature in the real world.

8.2 Secure Socket Layer (SSL)

The best way to understand the security features of WAP is to look at how security is implemented on the Internet, which often uses the Secure Socket Layer (SSL) protocol. The security model used by WAP is not only based on SSL but also uses it as an intimate part of its communication, since the WAP communication model is highly integrated with the World Wide Web. Over the Internet the most common way to provide security is with the combination of SSL, digital certificates and either username and password pairs or digital signatures. To encrypt the traffic between different parties SSL uses public key cryptography to exchange the shared keys necessary to use the bulk algorithm. Public key cryptography is a secure and reliable way of exchanging keys during the handshake process. The bulk algorithm is used for the rest of the communication since it provides both fast and secure transmission of large quantities of data. In this way it is ensured that the shared secret keys are kept secret during the whole conversation. The technique with encryption algorithms is used to provide the privacy aspect of the communication, while hashing algorithms and digital certificates are used to grant the integrity. When a web browser requests a secure document it first downloads a server certificate from the web server. This certificate is then validated and decrypted with the certificate authority's public key in order to get the server's public key. With this public key the browser then encrypts and sends a shared secret key to the server, to be used for the rest of the communication. By following this procedure the browser and the server can rely on a secure conversation that is private, authenticated and provides complete integrity. To achieve non-repudiation most of the services rely on the username and password pairs used by the client to log in, but to authorize a transaction a digital signature can be requested by the server.
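The handshake of 8.2 and the building blocks of 8.1.1 to 8.1.4, carried out with Go's standard library as an added example (not the thesis' code and not an SSL implementation): a certificate authority signs the server's public key (a toy certificate that, as an assumption of the example, signs only the modulus), the browser checks that signature with the CA public key, sends a random shared secret encrypted under the server public key, and both sides then protect the bulk traffic with AES-CTR for privacy and an HMAC-SHA256 fingerprint for integrity, so that a message altered in transit is rejected and the receiver knows to ask for a retransmission. OAEP and PKCS#1 v1.5 are padding choices of the example, and the sample text is constructed.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Certificate is a toy stand-in for a server certificate (8.1.4): the server
// public key plus the CA's signature over its modulus (assumes a fixed exponent).
type Certificate struct {
	Pub   *rsa.PublicKey
	CASig []byte
}

// Session holds one key for the bulk cipher and a separate one for the MAC.
type Session struct{ encKey, macKey []byte }

// issueCertificate plays the certificate authority.
func issueCertificate(ca *rsa.PrivateKey, pub *rsa.PublicKey) (*Certificate, error) {
	d := sha256.Sum256(pub.N.Bytes())
	sig, err := rsa.SignPKCS1v15(rand.Reader, ca, crypto.SHA256, d[:])
	return &Certificate{Pub: pub, CASig: sig}, err
}

// deriveSession splits the shared secret into an encryption and a MAC key.
func deriveSession(secret []byte) Session {
	e := sha256.Sum256(append([]byte("enc:"), secret...))
	m := sha256.Sum256(append([]byte("mac:"), secret...))
	return Session{encKey: e[:], macKey: m[:]}
}

// establish runs the exchange of 8.2: the browser checks the certificate with the
// CA public key, then sends a random shared secret encrypted under the server key.
func establish(caPub *rsa.PublicKey, cert *Certificate, serverPriv *rsa.PrivateKey) (client, server Session, err error) {
	d := sha256.Sum256(cert.Pub.N.Bytes())
	if rsa.VerifyPKCS1v15(caPub, crypto.SHA256, d[:], cert.CASig) != nil {
		return client, server, errors.New("certificate is not signed by the trusted CA")
	}
	secret := make([]byte, 32)
	rand.Read(secret) // crypto/rand never returns an error
	wire, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, cert.Pub, secret, nil)
	if err != nil {
		return client, server, err
	}
	recovered, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, serverPriv, wire, nil)
	if err != nil {
		return client, server, err
	}
	return deriveSession(secret), deriveSession(recovered), nil
}

// Seal is the bulk step (8.1.2, 8.1.3): AES-CTR, then HMAC-SHA256 over iv||ciphertext.
func (s Session) Seal(plaintext []byte) []byte {
	block, _ := aes.NewCipher(s.encKey) // 32-byte key from deriveSession, cannot fail
	out := make([]byte, aes.BlockSize+len(plaintext))
	rand.Read(out[:aes.BlockSize]) // fresh IV for every message
	cipher.NewCTR(block, out[:aes.BlockSize]).XORKeyStream(out[aes.BlockSize:], plaintext)
	mac := hmac.New(sha256.New, s.macKey)
	mac.Write(out)
	return mac.Sum(out)
}

// Unseal checks the fingerprint before decrypting; a mismatch is the receiver's
// cue to discard the message and ask for a retransmission.
func (s Session) Unseal(msg []byte) ([]byte, error) {
	if len(msg) < aes.BlockSize+sha256.Size {
		return nil, errors.New("message too short")
	}
	body, tag := msg[:len(msg)-sha256.Size], msg[len(msg)-sha256.Size:]
	mac := hmac.New(sha256.New, s.macKey)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, errors.New("integrity check failed: message altered in transit")
	}
	block, _ := aes.NewCipher(s.encKey)
	plain := make([]byte, len(body)-aes.BlockSize)
	cipher.NewCTR(block, body[:aes.BlockSize]).XORKeyStream(plain, body[aes.BlockSize:])
	return plain, nil
}

// demo wires the parts together: it returns what the server decrypted and
// whether the same message with one flipped ciphertext bit was rejected.
func demo(payload string) (string, bool, error) {
	caKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	serverKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	cert, err := issueCertificate(caKey, &serverKey.PublicKey)
	if err != nil {
		return "", false, err
	}
	client, server, err := establish(&caKey.PublicKey, cert, serverKey)
	if err != nil {
		return "", false, err
	}
	msg := client.Seal([]byte(payload))
	plain, err := server.Unseal(msg)
	msg[aes.BlockSize] ^= 0x01 // flip one bit of the first ciphertext byte in transit
	_, tamperErr := server.Unseal(msg)
	return string(plain), tamperErr != nil, err
}

func main() { fmt.Println(demo("ORDER 4711: account 1234-5678 (constructed test data)")) }
```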
Wireless Transport Layer Security (WTLS)

While SSL is designed for high bandwidth communication channels with low latency and access to high processing capabilities, it is by its nature unsuitable for the principles of data traffic with wireless handheld devices. If the SSL protocol were to be implemented in the WAP security model it would lead to the need for powerful and expensive devices, and would therefore violate the goals of the WAP Forum. Instead a protocol called Wireless Transport Layer Security (WTLS) has been developed. This protocol is based on the Internet standard security protocol Transport Layer Security (TLS) 1.0, which in turn is based on SSL 3.0. This provides strong Internet security over the wireless communication domain. WTLS minimizes the protocol overhead and enables more compression than SSL. Compared to TLS it also adds functionality such as datagram support, an optimized handshake and dynamic refreshing. WTLS is fully optional in a WAP session and operates above the datagram layer of the WAP stack. It can be used in a connection-oriented mode as well as in a connectionless mode. Just like its ancestors WTLS provides guaranteed privacy and prevents manipulation by any third party. It is not required to use client authentication or the non-repudiation mechanisms, but they are easily implemented by using standard web development practice with usernames and passwords. If so, the sender can be identified and a party cannot falsely deny having sent its messages. Just as with SSL, the confidentiality is maintained using encryption, and the authentication and non-repudiation functionalities by using digital certificates. A secure connection is set up during an establishment phase where the parties negotiate parameter settings, key exchange and authentication. Both parties can abort the connection at any time, during the establishment phase as well as later on.

8.4 WAP security model

Since WAP uses existing technologies as much as possible there is a l lot of communication over the World Wide Web domain and not only over the wireless domain. This leads to the need for two different security protocols, SSL for the web and WTLS for the wireless part. The WAP gateway becomes the link between those two parts, as shown in Figure 8.1.

Figure 8.1: The WAP security model. (The WAP device talks to the WAP gateway over the wireless network protected by WTLS; the gateway talks to the web server over the Internet protected by SSL.)

Since all traffic must be decoded and re-encoded in the gateway there are some strict rules for the gateway to follow. First of all it is not allowed to store any decrypted information on secondary media. The whole conversion process has to occur in volatile memory, and all information must be deleted as soon as the conversion is finished. The only access to the gateway that can be allowed is authenticated logins by an administrator within the gateway's domain. This is to assure the users and service providers that the information will still be secure and not fall into any other party's hands despite the conversion process.

8.5 Drawbacks with WTLS

The security protocols are frameworks of different configurations and algorithms. In the implementations of SSL there is a limited number of combinations of algorithms that can be used, but there are no such limitations in WTLS. According to Magnus Nyström at RSA Laboratories, who specializes in wireless security, this lack of limitations opens the system to attacks [2]. If the wrong combination of algorithms is used, a third party can both listen to and change the contents of the transferred data without any possibility for the communicating parties to notice it. There are warnings in the WAP specification for the combinations that are not suitable, but Magnus Nyström thinks it would be better if there were limitations on which combinations can be used. Instead, it is now up to the software developers to keep track of the dangerous combinations.

8.6 Computer viruses and WAP

Today there is little possibility to write any severe computer viruses for WAP enabled devices. The functionalities in WAP are still quite limited and there are no uniform operating systems between different manufacturers. But in the future there might be other features in the WAP specification, and if there will be similar and more powerful operating systems on the devices there is also an increasing risk of virus attacks. One possible attack could be a virus that copies itself to all contacts in the client's phonebook, like the recent Melissa and Love-Letter mail viruses. The only antivirus software manufacturer that has developed any program for WAP virus attacks up until today is the Finnish based F-Secure. According to Risto Siilasma
