Wide area mobile networks all over the world are about to take the next step on the ladder of evolution; GSM will be upgraded to GPRS (General Packet Radio Services) and later replaced by 3G. What is more important than just the names and the speed of data transmission is the paradigm shift in technology from circuit-switched networks (GSM) to packet-switched networks (GPRS and its successors). The WAP suite is best used in a packet-switched network where there is no longer a call set-up required, and this is what GPRS and its successors offer. This opens a new window for WAP.
The most successful form of PKI in the traditional wired Internet environment is the use of SSL for server authentication purposes and establishment of a secure channel, that is, without client authentication. From a WAP perspective, this is almost identical to WTLS Class 2 sessions. Using a WTLS Class 3 session would include client authentication, but also raises the problem that many devices cannot handle Class 3 because of the lack of WAP client support or lack of WIM. This affects the number of clients able to gain initial access to the application.
However, there are some drawbacks to WAP, most of which emerge from the fact that the mobile device by definition is small enough to be mobile, and is also battery powered. Typical limitations are bandwidth, signal quality, physical size of the display, and processing capabilities. Although there are some disadvantages with using a traditional mobile phone, there is clearly a future for mobile applications executing in enhanced mobile devices, such as phones, PDAs, laptops, and so on.
Supporting digital signatures within WAP requires a tamperproof token for handling secure storage and algorithm execution using a private key. In WAP, this token is named WIM. A combined SIM and WIM would have a rather clear business model, with the operator being primarily responsible for deployment. Most devices today would support this, as a single-slot configuration is by far the most common hardware configuration for existing devices. From a hardware perspective, this solution would hardly affect the device manufacturer at all.
PKI provides several advantages, including encryption, tamper detection, authentication, and nonrepudiation. Unfortunately, while useful, PKI is not a security panacea.
In this chapter we reviewed the design of PKI. In addition, we demonstrated both real and potential vulnerabilities in the system. Finally, we looked at examples of wireless PKI, including WAP implementation. By understanding PKI's implications for wireless, you can more intelligently integrate it into your security policy.