1. FAQSABOUTWAP Presented By Abhilash Pillai CSCI 5939-Independent Study

2. Topics Covered

Definition of a WAP gateway

Architecture of a WAP gateway

Configuration of WAP gateway

Security over a WAP gateway

Definition of WAP server

Role of a WAP server

3. Definition of WAP gateway

A WAP gateway is a piece of software that has several functions in the chain between the WAP device and the web server.

When implementing services in Wireless Application Protocol(WAP),information is translated into Wireless Markup language(WML) by a two way device called a WAP gateway

4. Architecture of WAP Gateway

Components ofarchitecture

Wireless Device

WAP Gateway

HTTP Server

5. Explanation Of Architecture

The data transfer procedure is as follows

Client sends a WSP request to WAP gateway

WAP gateway decodes the WSP request into HTTP request

WAP gateway sends the HTTP request to HTTP server

WAP gateway receives the HTTP reply from HTTP server

WAP gateway encodes the HTTP reply headers into WSP reply headers

WAP gateway uses WML compiler to encode the received WML data to WMLC format ,which is more compact

WAP gateway sends WSP reply

Client parses WSP reply and presents data.

6. Architecture cont.

From the previous procedure we can see the main tasks for a WAP gateway are

Communication with clients (based on WSP)

Decoding WSP requests into HTTP requests

Communication with HTTP server (based on HTTP)

Encoding HTTP reply headers into WSP Reply headers

Compile WML data into WMLC format

7. Configuration of WAP gateway

The WAP gateway and web server together form the WAP server are placed in outside the content providers domain

System is less secure

8. Configuration Cont..

The WAP server ie the WAP gateway and the web server are placed in the content providers domain

System is more secure

9. How the configuration works

Mobile user types in the URL for a site on the WAP device

The WAP device first checks if it already has an open connection.

If not it dials the modem attached to a dial-in server (RAS, or Remote Access Service). This server gives the WAP device access to the protocols it needs.

These protocols are the same lower level protocols as a normal Internet Service Provider will give you, i.e. PPP (Point-to-Point Protocol).

10. DescriptionCont.

After the PPP provider has given the WAP device the required protocols and assigned it an IP address, the request for the URL is then sent to the WAP Gateway.

The WAP Gateway, now under "control" of the WAP device requests the URL with a normal HTTP request.

The WAP Gateway is the link between the wireless and the Internet, basically giving the WAP device access to the common Internet.

11. DescriptionCont.

On the Internet, the web server receives the request from WAP Gateway and sends out the contents located at the URL back.

Finally, back at the WAP device that requested the URL, the WML browser, when receiving the tokenized WML code renders the contents on the WAP device's display to present the first card off of the deck on the screen for the user

To sum up, the client makes a request. This request is received by a WAP gateway that then processes the request and formulates a reply using WML and send back to the client for display. This process is very similar in concept to the standard HTTP transaction involving client Web browsers

12. Security Issues

For a short span of time when the data is unencrypted in the WAP gateway; is major security issue

It is upto the vendors discretion to make the gateway as secure as possible

13. Security issues Contd..

The second issue with security is that of certificates that are provide for the device

This certificate is used to access the various services for a particular user

If the mobile device is lost it is possible for any user who possess that mobile device to access the various services

Thus for this purpose in the new WTLS specification the idea of pins were introduced ie a secure token id.thus the user is supposed to reveal the token before using the services.

14. What is a WAP server

A WAP Server is nothing more than a normal web server and a WAP gateway-like device built into one.

The WAP server can plug a few holes that are currently unplugged in the WAP environment .

Since the WAP server contains a gateway, the third party gateway usually hosted by the mobile operator can be skipped, and the host of the WAP content will have full control over the encrypted stream

15. Is WAP secure with SSL and WTLS?

SSL or Secure Sockets Layer which is widely used in the "web" world to encrypt the data stream between the browser and the webserver is actually also used in the WAP environment.

SSL is only used between the webserver and the WAP gateway. Between the WAP gateway and the WAP device, a similar system called WTLS or Wireless Transport Layer Security. WTLS is specialized for the wireless environment.

SSL and WTLS on their own provide adequate security for most applications. However, there is a potential security problem where the two protocols meet, and that's inside the WAP gateway .

16. Models of WAP system

||

[WAP device]--|------[WAP gateway]---| [Content Server]

-|--- | {unprotected} -|-

WTLS|SSL

(Firewall)||(Firewall)

SSL is not directly compatible with WTLS, so the WAP gateway must decrypt the SSL protected data stream coming from the webserver and then re-encrypt it using WTLS before passing the data on to the WAP device

Inside the memory of the WAP gateway, the data is unprotected

17. Models Cont.

A more secure model but with tradeoff

[WAP device]--|-----------| [WAP Server acting asWAP gateway]

-|--------

WTLS|

(Firewall)||(Firewall)

WAP players are developing solutions to the problem posed in the earlier model, but for now these solutions create other problems

"WAP servers", provide end-to-end security in a way because the data stream leaves the "WAP server" already encrypted with WTLS

18. Proposed solution for the future

Pass Through Model of WAP system

[WAP device]--|[WAP gateway}---| [WAP Server]| ----------------- |

WTLS

(Firewall)||(Firewall)

19. What is a proxy server?

A proxy-server plays the role of an agent between the web-browser or another web-client and the internet. With the help of a proxy-server users can use the internet in a controlled way, e.g. through a firewall.

Furthermore, a proxy can be used as a filter (e.g. suppressing the referrer-header for security) or to cache documents.

It is possible to create "off-line" caches and to index them for later searching. Because WAP Proxy-Server can also act as a web-server, it is possible to create virtual sites or to hide real sites

20. References

Proxy servers- www checkcom.com/products

WAP faqs www.wirelessfaq.com

Ric Howell,Concise Group-WAP security

Architecture of WAP Gateway-http://weblog.cs.uiowa.edu/22C178f01/uploads/acct/ntang/architecture.html