Wireless Transport Layer Security
Wireless Transport Layer Security (WTLS) is a security protocol, part of the Wireless Application Protocol (WAP) stack. It sits between the WTP and WDP layers in the WAP communications stack.
Overview
WTLS is derived from TLS. WTLS uses similar semantics adapted for a low bandwidth mobile device. The main changes are:
- Compressed data structures — Where possible packet sizes are reduced by using bit-fields, discarding redundancy and truncating some cryptographic elements.
- New certificate format — WTLS defines a compressed certificate format. This broadly follows the X.509 v3 certificate structure, but uses smaller data structures.
- Packet based design — TLS is designed for use over a data stream. WTLS adapts that design to be more appropriate on a packet based network. A significant amount of the design is based on a requirement that it be possible to use a packet network such as SMS as a data transport.
WTLS has been superseded in the WAP 2.0 standard by the End-to-end Transport Layer Security Specification.
Security
WTLS uses modern cryptographic algorithms and, in common with TLS, allows negotiation of cryptographic suites between client and server.
Algorithms
An incomplete list:
- Key Exchange and Signature
  - RSA
  - Elliptic Curve Cryptography (ECC)
- Symmetric Encryption
  - DES
  - Triple DES
  - RC5
- Message Digest
  - MD5
  - SHA1
Security criticisms
- Encryption/Decryption at the gateway — In the WAP architecture the content is typically stored on the server as uncompressed WML (an XML DTD). That content is retrieved by the gateway using HTTP and compressed into WBXML. In order to perform that compression the gateway must be able to handle the WML in cleartext, so even if there is encryption between the client and the gateway (using WTLS) and between the gateway and the originating server (using HTTPS), the gateway acts as a man-in-the-middle. This gateway architecture serves a number of purposes: it transcodes between HTML and WML; content providers need not implement WBXML compression; it removes the reliance on DNS; and it enables a walled garden.
- Digest truncation — HMAC message digests are truncated to reduce transmission overhead. This reduces the theoretical effectiveness of the HMAC, potentially reducing the data integrity protection.
- Inadequate review — WTLS is significantly different from TLS, and it is not clear that the changes made to WTLS have not in some way weakened its security. The use of a new certificate format is an example of this: the format defined in the WTLS specification may not be appropriate for all the uses to which a certificate may be put.
- Client implementation — As there are no official specifications which WTLS implementations must adhere to, many may use insecure cryptographic algorithms or key generation processes. In some client software, WTLS may even be disabled.
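To make the digest-truncation criticism concrete, here is an added Python example (not code from the article or from any WTLS implementation) that truncates an HMAC-SHA1 tag the way the criticism describes and shows that the tag's resistance to guessing is bounded by its truncated length, whatever the strength of the underlying hash. The key, message and tag lengths are constructed for illustration and are not taken from the WTLS specification.

```python
import hmac
import hashlib

# Constructed sample values for illustration; not from the article or the WTLS specification.
SAMPLE_KEY = b"constructed-demo-key"
SAMPLE_MESSAGE = b'<wml><card id="demo"><p>balance: 100</p></card></wml>'


def truncated_hmac(key: bytes, message: bytes, tag_bytes: int) -> bytes:
    """HMAC-SHA1 over message, keeping only the leading tag_bytes (WTLS-style truncation)."""
    full_tag = hmac.new(key, message, hashlib.sha1).digest()
    return full_tag[:tag_bytes]


def verify_tag(key: bytes, message: bytes, tag: bytes) -> bool:
    """Recompute the truncated tag and compare in constant time; the tag's length sets the truncation."""
    expected = truncated_hmac(key, message, len(tag))
    return hmac.compare_digest(expected, tag)


def forgery_probability(tag_bits: int, attempts: int) -> float:
    """Chance that `attempts` uniformly random tag guesses include the one valid tag.

    Each guess at a t-bit tag succeeds with probability 2^-t, so this is the
    ceiling on integrity protection that truncation leaves, independent of
    how strong SHA-1 itself is.
    """
    return 1.0 - (1.0 - 2.0 ** -tag_bits) ** attempts


def count_valid_tags(key: bytes, message: bytes, tag_bytes: int) -> int:
    """Enumerate every tag of this length and count how many verify.

    Only feasible for tiny truncations (the demo uses one byte); the answer is
    exactly one, i.e. guess resistance is 2^(8 * tag_bytes) and no more.
    """
    if tag_bytes > 2:
        raise ValueError("enumeration is only meant to illustrate tiny truncations")
    space = 256 ** tag_bytes
    return sum(
        1 for candidate in range(space)
        if verify_tag(key, message, candidate.to_bytes(tag_bytes, "big"))
    )


if __name__ == "__main__":
    tag = truncated_hmac(SAMPLE_KEY, SAMPLE_MESSAGE, 5)  # 40-bit tag
    print("40-bit tag:", tag.hex(), "verifies:", verify_tag(SAMPLE_KEY, SAMPLE_MESSAGE, tag))
    for bits in (160, 80, 40):
        print(f"{bits:>3}-bit tag: one-shot forgery probability = {forgery_probability(bits, 1):.3e}")
    print("8-bit tag: valid tags out of 256 =", count_valid_tags(SAMPLE_KEY, SAMPLE_MESSAGE, 1))
```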