Overview
What is M-Commerce?
Security Issues
Usability Issues
Heterogeneity Issues
Business Model Issues
Case Studies / Examples
Q&A
What is M-Commerce?
E-Commerce with mobile devices (PDAs, cell phones, pagers, etc.)
Different from E-Commerce?
No, but with additional challenges:
• Security
• Usability
• Heterogeneous Technologies
• Business Model Issues
But first, let’s learn a little about wireless
technologies…
Wireless Technologies
Link Layer (examples…)
• WAN:
  Analog / AMPS
  CDPD: Cellular Digital Packet Data
  TDMA/GSM: Time Division Multiple Access / Global System for Mobile Communications (Europe)
  CDMA: Code Division Multiple Access
  Mobitex (TDMA-based)
• LAN:
  802.11
  Bluetooth
Devices: Cell Phones, Palm, WinCE, Symbian, Blackberry, …
Examples of PDA Devices
[Table: PDA / Microprocessor / Speed; rows not recovered from the slide]
Example: WAP application
[Figure: handset -> WAP Gateway -> Internet -> Web Server]
Security Challenges
Less processing power on devices
• Slow modular exponentiation and primality testing
  (e.g., RSA private-key operations and RSA key generation)
• Crypto operations drain batteries (CPU intensive!)
Less memory (keys, certs, etc. require storage)
Few devices have crypto accelerators or support for biometric authentication
No tamper resistance (memory can be read or modified; no secure key storage)
Primitive operating systems with no support for access control (e.g., Palm OS)
Wireless Security Approaches
Link Layer Security
• GSM: A3 (authentication), A8 (session key generation), A5 (encryption)
• CDMA: spread spectrum + code sequence (spreading hides the signal from a casual listener; it is not a cryptographic control)
• CDPD: RSA + symmetric encryption
Application Layer Security
• WAP: WTLS between handset and WAP gateway, the WMLScript Crypto library, and SSL between gateway and origin server
  (the gateway decrypts WTLS and re-encrypts for SSL, so it sees the plaintext)
• iMode: N/A
• SMS: N/A
Example: Security Concerns
Performance: we'll do an example. Should we use RSA or ECC for WTLS mutual authentication?
Certificates
Authentication modes
• None, Client, Server, Mutual
WTLS w/ Mutual-Authentication
• Mutual-Authentication (client-side steps numbered on the right)
  Client                              Server
  ClientHello           ----------->
                                      ServerHello
                                      Certificate
                                      CertificateRequest
                        <-----------  ServerHelloDone
                                                      1. Verify server certificate
  Certificate
  ClientKeyExchange (only for RSA)                    2. Establish session key
  CertificateVerify                                   3. Generate signature
  ChangeCipherSpec
  Finished              ----------->
                        <-----------  Finished
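The exchange above, run end to end as an added example (this is not code from the original slides or from any WAP implementation). It assumes textbook RSA over fixed Mersenne primes in place of the real WTLS cipher suites, HMAC-SHA256 in place of the WTLS PRF, and a signed (subject, public key) tuple in place of a WTLS certificate; what it demonstrates is the message order, the three client-side steps (verify the server certificate, establish the session key, sign the transcript), the server's matching checks, and the abort when a certificate is not signed by the trusted CA.

```python
"""WTLS-style mutual-authentication handshake, simulated on one machine.
Added example; toy RSA (Mersenne primes, no padding) and an HMAC PRF are
assumptions standing in for real WTLS cipher suites."""
import hashlib
import hmac
import secrets

E = 65537
# Assumption: Mersenne primes as fixed toy RSA primes, so no key generation is needed.
M31, M61, M89, M107, M127, M521 = (2 ** k - 1 for k in (31, 61, 89, 107, 127, 521))


def make_key(p, q):
    return {"n": p * q, "e": E, "d": pow(E, -1, (p - 1) * (q - 1))}


def pub(key):
    return {"n": key["n"], "e": key["e"]}


def h2int(data, n):
    """Hash, then reduce into Z_n (textbook RSA without padding: demo only)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(key, data):
    return pow(h2int(data, key["n"]), key["d"], key["n"])


def verify(pubkey, data, sig):
    return pow(sig, pubkey["e"], pubkey["n"]) == h2int(data, pubkey["n"])


def tbs(subject, pubkey):
    """The to-be-signed part of a toy certificate."""
    return f"{subject}|{pubkey['n']}|{pubkey['e']}".encode()


def issue_cert(ca_key, subject, pubkey):
    return {"subject": subject, "pub": pubkey, "sig": sign(ca_key, tbs(subject, pubkey))}


def check_cert(ca_pub, cert):
    return verify(ca_pub, tbs(cert["subject"], cert["pub"]), cert["sig"])


def transcript_hash(msgs):
    """Hash of every handshake message exchanged so far, in both directions."""
    return hashlib.sha256(repr(msgs).encode()).digest()


def prf(pre_master, client_random, server_random):
    pm = pre_master.to_bytes((pre_master.bit_length() + 7) // 8 or 1, "big")
    return hmac.new(pm, client_random + server_random, hashlib.sha256).digest()


def mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


def handshake(ca_pub, server_key, server_cert, client_key, client_cert):
    """Run the flow; return (client session key, server session key).
    Raises ValueError at the step where the checking peer would abort."""
    msgs = []
    cr = secrets.token_bytes(16)
    msgs.append(("C>S", "ClientHello", cr))
    sr = secrets.token_bytes(16)
    msgs += [("S>C", "ServerHello", sr), ("S>C", "Certificate", server_cert),
             ("S>C", "CertificateRequest", None), ("S>C", "ServerHelloDone", None)]
    # Client step 1: verify the server certificate against the trusted CA.
    if not check_cert(ca_pub, server_cert):
        raise ValueError("server certificate not signed by trusted CA")
    # Client step 2: establish the session key by RSA key transport.
    spub = server_cert["pub"]
    pre_master = secrets.randbelow(spub["n"] - 2) + 2
    msgs.append(("C>S", "Certificate", client_cert))
    msgs.append(("C>S", "ClientKeyExchange", pow(pre_master, spub["e"], spub["n"])))
    # Client step 3: sign the whole transcript so far with the client private key.
    cv_index = len(msgs)
    msgs.append(("C>S", "CertificateVerify", sign(client_key, transcript_hash(msgs))))
    k_client = prf(pre_master, cr, sr)
    msgs.append(("C>S", "ChangeCipherSpec", None))
    fin_index = len(msgs)
    msgs.append(("C>S", "Finished", mac(k_client, transcript_hash(msgs))))
    # Server side: check the client certificate, its signature and its Finished.
    if not check_cert(ca_pub, client_cert):
        raise ValueError("client certificate not signed by trusted CA")
    if not verify(client_cert["pub"], transcript_hash(msgs[:cv_index]), msgs[cv_index][2]):
        raise ValueError("CertificateVerify signature invalid")
    pm_server = pow(msgs[cv_index - 1][2], server_key["d"], server_key["n"])
    k_server = prf(pm_server, cr, sr)
    if not hmac.compare_digest(msgs[fin_index][2], mac(k_server, transcript_hash(msgs[:fin_index]))):
        raise ValueError("client Finished MAC invalid")
    msgs.append(("S>C", "ChangeCipherSpec", None))
    server_fin = mac(k_server, transcript_hash(msgs))
    msgs.append(("S>C", "Finished", server_fin))
    # Client checks the server's Finished before sending application data.
    if not hmac.compare_digest(server_fin, mac(k_client, transcript_hash(msgs[:-1]))):
        raise ValueError("server Finished MAC invalid")
    return k_client, k_server


def demo():
    ca, server, client = make_key(M127, M107), make_key(M89, M61), make_key(M521, M31)
    server_cert = issue_cert(ca, "shop.example", pub(server))
    client_cert = issue_cert(ca, "subscriber-42", pub(client))
    return handshake(pub(ca), server, server_cert, client, client_cert)


def rejects_rogue_client():
    """A client certificate from an untrusted CA must abort before key transport is used."""
    ca, rogue = make_key(M127, M107), make_key(M107, M89)
    server, client = make_key(M89, M61), make_key(M521, M31)
    server_cert = issue_cert(ca, "shop.example", pub(server))
    client_cert = issue_cert(rogue, "subscriber-42", pub(client))
    try:
        handshake(pub(ca), server, server_cert, client, client_cert)
    except ValueError as err:
        return "client certificate" in str(err)
    return False


if __name__ == "__main__":
    kc, ks = demo()
    print("session keys match:", kc == ks, "| rogue client rejected:", rejects_rogue_client())
```

Run it directly to see both sides derive the same session key; `rejects_rogue_client` shows the server aborting at the certificate check before it decrypts ClientKeyExchange. Note that CertificateVerify signs everything sent so far, which is what binds the client's identity to this particular key exchange; a signature over a fixed string would be replayable against another session.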
WTLS Handshake Timings (Palm VII)
• Mutual-Authentication: RSA
  Operation                        Cryptographic Primitive(s)       Time Required (ms)
  [per-operation rows not recovered from the slide]
  TOTAL                                                             22954

• Mutual-Authentication: ECC
  Operation                        Cryptographic Primitive(s)       Time Required (ms)
  Server Certificate Verification  CA Public Key Expansion          254.8
                                   ECC-DSA Signature Verification   1254
  Session Key Establishment        Server Public Key Expansion      254.8
                                   Key Agreement                    335.6
  [remaining rows and total not recovered from the slide]
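To read the timing tables, it helps to see where each option spends the client's time. The following is an added example, not a measurement or code from the slides: a back-of-the-envelope model that counts the big-number operations square-and-multiply and double-and-add perform for the three client-side steps, and scales them by a schoolbook word-multiplication cost. It addresses both the "RSA or ECC for WTLS mutual auth?" question and the "slow modular exponentiation" point under Security Challenges. `WORD_BITS`, `FIELD_MULTS_PER_POINT_OP`, the 1024-bit/163-bit sizes and the constructed exponents are assumptions; the output is an operation count, not milliseconds.

```python
"""Cost model for the client's three handshake steps, RSA vs ECC.
Added example: every constant below is a modelling assumption."""
from math import ceil

WORD_BITS = 32                 # Assumption: a 32-bit multiplier on the handset
FIELD_MULTS_PER_POINT_OP = 12  # Assumption: ~12 field multiplications per point double/add


def modexp_ops(exponent):
    """Left-to-right square-and-multiply: (squarings, multiplications)."""
    return exponent.bit_length() - 1, bin(exponent).count("1") - 1


def scalar_mult_ops(scalar):
    """Left-to-right double-and-add: (doublings, additions)."""
    return scalar.bit_length() - 1, bin(scalar).count("1") - 1


def word_mults(bits):
    """Schoolbook product of two ceil(bits/WORD_BITS)-word numbers (reduction ignored)."""
    words = ceil(bits / WORD_BITS)
    return words * words


def modexp_cost(bits, exponent):
    squarings, mults = modexp_ops(exponent)
    return (squarings + mults) * word_mults(bits)


def scalar_mult_cost(bits, scalar):
    doublings, adds = scalar_mult_ops(scalar)
    return (doublings + adds) * FIELD_MULTS_PER_POINT_OP * word_mults(bits)


# Constructed exponents: top bit set, half of the remaining bits set (typical weight).
RSA_D_1024 = int("10" * 512, 2)
ECC_K_163 = int("10" * 81 + "1", 2)


def rsa_client_cost(bits=1024, e=65537, d=RSA_D_1024):
    """RSA key transport: two public-key ops (cheap, small e) and one private-key op."""
    return {"VerifyServerCert": modexp_cost(bits, e),
            "ClientKeyExchange": modexp_cost(bits, e),
            "CertificateVerify": modexp_cost(bits, d)}


def ecc_client_cost(bits=163, k=ECC_K_163):
    """ECC: ECDSA verification needs two scalar multiplications, ECDH and ECDSA signing one each."""
    one = scalar_mult_cost(bits, k)
    return {"VerifyServerCert": 2 * one,
            "KeyAgreement": one,
            "CertificateVerify": one}


def report():
    for name, costs in (("RSA-1024", rsa_client_cost()), ("ECC-163", ecc_client_cost())):
        total = sum(costs.values())
        print(f"{name}: total {total:,} word multiplications")
        for step, cost in costs.items():
            print(f"  {step:<18} {cost:>10,}  ({100 * cost / total:4.1f}%)")


if __name__ == "__main__":
    report()
```

Under these assumptions the RSA client spends almost all of its budget on its own CertificateVerify signature (the 1024-bit private-key exponentiation; its public-key operations cost 17 modular multiplications each because e = 65537 has only two set bits), while the ECC client's largest step is verifying the server's signature, which needs two scalar multiplications where key agreement needs one. That is the same ordering the ECC table shows, with ECC-DSA verification well above key agreement. Chinese-remainder-theorem signing would cut the RSA private-key step by roughly a factor of four, and the model ignores hashing, point decompression ("public key expansion" in the table) and memory traffic, so treat it as a guide to which step to optimise, not as a prediction of the measured totals.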
[Figure: Operator WAP Gateway -> Internet -> WAP Content Provider (Web Server); SSL on the gateway-to-server leg]