Many of the applications destined for the Web require a secure connection between the client (mobile handset) and the application server. The WAP specification ensures that there is a secure protocol to support transactions between a wireless handset and the application server. This secure protocol is known as Wireless Transport Layer Security (WTLS) and is based on the industry-standard Transport Layer Security (TLS) Protocol, also known as Secure Sockets Layer (SSL). WTLS is designed to be used with WAP transport protocols and has been optimized for use over narrow-band communications channels. WTLS is designed to ensure data integrity, privacy, authentication, and denial-of-service protection. Where Web applications employ standard Internet security techniques using TLS, the WAP gateway automatically and transparently manages wireless security.
In the WAP environment, the WAP gateway serves to translate WAP to Web protocols, thereby enabling WAP devices to access the Web. WTLS encrypts transmission from the mobile handset to the gateway. However, before the gateway can encrypt the transmission into TLS/SSL, it must first decrypt the WTLS packets. In this situation, all of the data is briefly in the clear before being encrypted for its journey to the application server. This results in a weak link in the WAP transmission process. To correct this problem, the WAP Forum is working on a fix that may well appear in WAP Version 1.2 or 1.x in the near future.
There have been some half solutions proposed to combat this situation, such as securing one's own gateway in a locked facility. There are a number of software vendors (e.g., Entrust Technologies) that offer software suites that will provide end-to-end security. Utilizing PKI (public key infrastructure) software modules, such systems can issue WAP server certificates as well as client certificates for complete user-to-server authentication.
Baltimore Telepathy offers a security gateway that supports end-to-end security from the mobile user to the WAP/Web server. This is a stand-alone solution for content service providers that requires digital signatures for authentication.
Hardware manufacturers are starting to announce secure WAP servers that can be placed online and provide immediate security. Hewlett Packard has recently announced its Praesidium Virtual Vault, which is aimed at the financial arena. This trusted WAP solution sits at the edge of the network between the outside world and the enterprise to connect mobile users to corporate applications and databases.
To date, there have been a number of products that support securing WAP-based operations. Many of these developments have been in the software arena.
Certicom and 724 Solutions have joined forces to develop a wireless PKI solution for the financial industry. This will be an open standards-based security solution that enables secure communications and digital signatures via a variety of Internet-enabled devices such as PDAs, mobile telephones, and pagers. This system will serve to support the new legislation that went into effect October 1, 2000, which allows businesses and consumers the ability to close contracts with digital signatures. The new wireless PKI solution will provide financial institutions with the ability to offer consumers the confidence and convenience of performing secure "anytime, anywhere" high-value transactions.