
Research On The Security Of WAP Based On End-to-end Mode

Posted on: 2007-12-05
Degree: Master
Type: Thesis
Country: China
Candidate: Q Wang
GTID: 2178360215476004
Subject: Communication and Information System

Abstract/Summary:
With the development of the mobile communications market, the range of mobile services keeps growing, and the security requirements placed on them keep rising. WAP combines mobile communications with the Internet and uses the WTLS layer to implement its security functions. In WAP 1.x versions, a WAP gateway translates between the WTLS and TLS protocols, which creates a security gap at the gateway. This paper adopts a scheme named "transparency gateway" to solve this problem and uses it as the basis of our research. We then go further to analyze and improve the security of the WTLS protocol.

The WTLS protocol has many limitations. For example, it lacks forward secrecy in the key exchange process, and in completely anonymous mode, without mutual authentication, it suffers from several attacks. In non-anonymous mode, the client and server send their digital certificates to authenticate each other, which relies on a WPKI system with a trusted CA to distribute certificates. Though WPKI technology is already well developed, it lacks uniformity and interoperability, the distribution and management of certificates are very complex, and the cost is very high. At present most WAP operations are not based on WPKI, so the lack of identity authentication brings many hidden dangers. If certificates are used, there is a further problem of user anonymity.

This paper proposes a new protocol for WTLS based on a user password and encrypted key exchange. It implements simple authentication using only a human-memorable password. The new protocol does not need certificates and can be used in completely anonymous mode with many more security properties. The user only needs to remember the password instead of storing it in the mobile equipment, which saves storage and prevents others from impersonating the user to consume services even if the equipment has been stolen. The client and server must agree on some secret information beforehand, and when the protocol runs, the messages they exchange can be much reduced, saving wireless bandwidth and transmission time.

This paper validates the new protocol's security under the Random Oracle Model: it satisfies many necessary security properties of general key exchange protocols and resists many attacks on the password. We then emulate the WTLS handshake process in OPNET, evaluating the performance of the new protocol in three respects (handshaking time, channel utilization, and queuing delay), and thereby validate that the new protocol is practical in a mobile communications environment.

Though the new protocol is proposed under anonymous mode, it can easily be used in non-anonymous mode and is compatible with the other cipher suites. In addition, the new key exchange algorithm can also be used in the TLS protocol of WAP 2.0.
Keywords/Search Tags: WAP, end-to-end security, WTLS, key exchange, password authentication, Random Oracle Model, OPNET