MIDP Application Security - PowerPoint PPT Presentation

About This Presentation
Title:

MIDP Application Security

Description:

Extended Network Connectivity. Connection using the HTTPS and SSL/TLS protocols. 12/15/09 ... 'SSL, and TLS page', http://www3.tsl.uu.se/~micke/ssl_links.html ' ... – PowerPoint PPT presentation

Slides: 21
Provided by: ying93

Transcript and Presenter's Notes

Title: MIDP Application Security


1
MIDP Application Security
  • Ying Hong
  • Wireless Security
  • Spring 2003

2
Contents
  • Introduction to MIDP
  • Overview of TLS
  • Samples
  • Current Research Status

3
Introduction To MIDP
  • What is MIDP
    • An approach to developing wireless applications.
  • The MIDlet structure
    • It extends MIDlet.
    • It has startApp(), pauseApp(), and destroyApp().
    • It may have commandAction() if it implements
      CommandListener.

4
Introduction To MIDP
  • MIDP 1.0
    • MIDP 1.0 provides a standard set of APIs.
  • MIDP 2.0
    • MIDP 2.0 provides several new features, including
      secure networking.
  • Extended Network Connectivity
    • Connections using the HTTPS and SSL/TLS protocols.

5
Overview of TLS
  • What is TLS
    • TLS is an updated version of the SSLv3 protocol.
    • They are protocols enabling authentication and
      data encryption over insecure networks.
    • They are implemented as a layer between TCP/IP and
      higher-level network protocols.
    • One of the strengths of TLS is that it operates
      directly on top of TCP/IP sockets.

6
Overview of TLS
  • How does it work: the handshake

7
Overview of TLS
  • Step 1
    • client_hello
      • The SSL/TLS versions supported by the client
      • 32 bytes of random data that the client creates
      • A session ID that it makes up
      • A list of supported cipher suites
      • A list of supported compression methods

8
Overview of TLS
  • Step 2
    • server_hello
      • The SSL/TLS version the server selects from the
        client's list
      • 32 bytes of random data that the server creates
      • The session ID
      • The cipher suite chosen from the client's list
      • The compression method selected

9
Overview of TLS
  • Step 2 (cont.)
    • server's certificate
      • It's an X.509 certificate signed by a certificate
        authority.
      • It includes the server's public key.
    • request for the client's certificate
      • It's not required.
    • server_hello_done
      • It indicates that the server has finished its part
        of this phase of the handshake.

10
Overview of TLS
  • Step 3
    • client's certificate, if the server requested it
      • It's the client's X.509 certificate.
    • client_key_exchange
      • It's 48 bytes of random data (the pre-master secret
        from which the session key is derived).
      • It's encrypted using the server's public key.
    • certificate_verify, if the client's certificate is
      sent
      • A hash of the handshake messages so far, signed
        using the client's private key.

11
Overview of TLS
  • Step 3 (cont.)
    • change_cipher_spec
      • It's an indication that future communication will
        be encrypted.
    • Finished
      • It's encrypted with the session key and includes
        a MAC for integrity.
  • Step 4
    • change_cipher_spec
      • The server's indication that future communication
        will be secured.
    • Finished

12
Overview of TLS
  • Algorithms used in the handshake
    • Key exchange
      • RSA, fixed Diffie-Hellman, ephemeral
        Diffie-Hellman, anonymous Diffie-Hellman,
        Fortezza
    • Ciphers
      • RC4, 3DES, IDEA, Fortezza, DES, DES40, RC2
    • MAC (message authentication code)
      • MD5, SHA

13
Samples
  • Sample 1: creating a secure connection and
    getting information about the secure connection.
    • Create a secure connection
      • javax.microedition.io.HttpsConnection
    • Get information about the secure connection
      • Get an instance of SecurityInfo using
        getSecurityInfo()
      • SecurityInfo provides
        • getProtocolName()
        • getProtocolVersion()
        • getCipherSuite()
        • getServerCertificate() (returns a Certificate
          object)
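
An added example (not the deck's HttpsExample) of Sample 1 written against the MIDP 2.0 API: it opens an HttpsConnection, reads the SecurityInfo fields listed above, and refuses to use the connection when the negotiated protocol or cipher suite is one of the weak options on the algorithms slide (anonymous DH, NULL or 40-bit export suites). The class name HttpsInfo, the acceptance policy and the caller-supplied URL are assumptions for this example.

```java
import java.io.IOException;
import javax.microedition.io.Connector;
import javax.microedition.io.HttpsConnection;
import javax.microedition.io.SecurityInfo;
import javax.microedition.pki.Certificate;

public class HttpsInfo {
    // Local policy on what the handshake negotiated (constructed for this example).
    // The MIDP implementation already validates the server certificate chain itself.
    static boolean isAcceptable(String protocolName, String cipherSuite) {
        if (protocolName == null || cipherSuite == null) return false;
        String suite = cipherSuite.toUpperCase();
        if (!"TLS".equals(protocolName)) return false;   // SecurityInfo reports "SSL" for SSLv3
        if (suite.indexOf("NULL") >= 0) return false;     // no encryption or no MAC
        if (suite.indexOf("ANON") >= 0) return false;     // anonymous DH: server not authenticated
        if (suite.indexOf("EXPORT") >= 0) return false;   // 40-bit DES40 / RC2 export suites
        return true;
    }

    // Summarise SecurityInfo the way a debug screen in the MIDlet would show it
    static String describe(SecurityInfo info) {
        StringBuffer sb = new StringBuffer();
        sb.append(info.getProtocolName()).append(' ').append(info.getProtocolVersion());
        sb.append(" suite=").append(info.getCipherSuite());
        Certificate cert = info.getServerCertificate();
        if (cert != null) {
            sb.append("\nsubject=").append(cert.getSubject());
            sb.append("\nissuer=").append(cert.getIssuer());
            sb.append("\nsigalg=").append(cert.getSigAlgName());
            sb.append("\nvalid=").append(cert.getNotBefore()).append("..").append(cert.getNotAfter());
        }
        return sb.toString();
    }

    // Open the URL over HTTPS and return the response code plus the negotiated
    // parameters; fail with IOException when those parameters are not acceptable
    public static String fetch(String url) throws IOException {
        HttpsConnection c = (HttpsConnection) Connector.open(url);
        try {
            int code = c.getResponseCode();             // completes the handshake and the request
            SecurityInfo info = c.getSecurityInfo();
            if (!isAcceptable(info.getProtocolName(), info.getCipherSuite())) {
                throw new IOException("connection rejected: " + describe(info));
            }
            return "HTTP " + code + "\n" + describe(info);
        } finally {
            c.close();
        }
    }
}
```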

14
Samples
  • Sample 1
    • Code of HttpsExample
    • Screen snapshots of running HttpsExample
  • Question left
    • Since HttpsConnection takes care of all the secure
      actions explained in the TLS handshake, how is the
      server-side code implemented?

15
Samples
  • Sample 2
    • JSSE (Java Secure Socket Extension)
      • An API for using SSL in Java
      • A reference implementation of that API
    • Installing JSSE
      • Read installing_jsse.txt to learn how to install
        JSSE, or read chapter 9 in Professional Java
        Security by Jess Garms and Daniel Somerfield.

16
Samples
  • Sample 2: creating a pair of HTTPS server and
    client
    • Coding HTTPSServer
      • Create the server socket through
        javax.net.ssl.SSLServerSocketFactory
    • Running HTTPSServer
      • Create a certificate and private key for the SSL
        server with keytool.
      • Set the two system properties javax.net.ssl.keyStore
        and javax.net.ssl.keyStorePassword on the command
        line or in the program.

17
Samples
  • Sample 2
    • Coding HTTPSClient
    • Running HTTPSClient
      • Authentication and encryption will be done
        transparently.
  • Question left
    • Find the corresponding implementation in MIDP
      2.0, especially the server-side coding.

18
Samples
  • Sample 3: SSL socket example instead of HTTPS
    • Coding SSLSocketServer
    • Coding SSLSocketClient
    • Difference between an SSL socket and a plain socket
      • The underlying SSLSocket implementation will take
        care of authentication of the server and
        encryption of the data transmitted.
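
An added example (not the deck's HTTPSServer, HTTPSClient or SSLSocket samples) that puts Samples 2 and 3 together in Java SE: a server socket from SSLServerSocketFactory that uses the keytool keystore via the javax.net.ssl.* system properties, and a client SSLSocket that prints what the handshake negotiated (protocol, cipher suite, and the server certificate from step 2) before sending one HTTP request over the authenticated, encrypted socket. The keystore file server.jks, its password, the class name and the cipher-suite filter are assumptions for this example.

```java
import java.io.*;
import java.security.cert.X509Certificate;
import java.util.*;
import javax.net.ssl.*;

public class TlsPairDemo {
    // Keep only suites that authenticate the server and avoid NULL, export and DES ciphers
    static String[] strongSuites(String[] enabled) {
        List<String> keep = new ArrayList<String>();
        for (String s : enabled) {
            String u = s.toUpperCase();
            if (!(u.contains("ANON") || u.contains("NULL") || u.contains("EXPORT") || u.contains("DES"))) keep.add(s);
        }
        return keep.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        // Keystore made beforehand with: keytool -genkeypair -keyalg RSA -keystore server.jks (assumed).
        // The client trusts that self-signed certificate by using the same file as its trust store.
        System.setProperty("javax.net.ssl.keyStore", "server.jks");
        System.setProperty("javax.net.ssl.keyStorePassword", "changeit");
        System.setProperty("javax.net.ssl.trustStore", "server.jks");
        System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
        final SSLServerSocket ss =
            (SSLServerSocket) SSLServerSocketFactory.getDefault().createServerSocket(0);
        ss.setEnabledCipherSuites(strongSuites(ss.getEnabledCipherSuites()));
        Thread server = new Thread(() -> {
            try (SSLSocket s = (SSLSocket) ss.accept()) {   // handshake completes on first I/O
                BufferedReader in = new BufferedReader(new InputStreamReader(s.getInputStream()));
                String request = in.readLine();             // e.g. "GET / HTTP/1.0"
                PrintWriter out = new PrintWriter(s.getOutputStream());
                out.print("HTTP/1.0 200 OK\r\nContent-Type: text/plain\r\n\r\n"
                        + "got '" + request + "' over " + s.getSession().getProtocol() + "\r\n");
                out.flush();
            } catch (IOException e) { e.printStackTrace(); }
        });
        server.setDaemon(true);
        server.start();
        try (SSLSocket c = (SSLSocket) SSLSocketFactory.getDefault().createSocket("localhost", ss.getLocalPort())) {
            c.startHandshake();                             // steps 1-4 of the handshake run here
            SSLSession sess = c.getSession();
            X509Certificate peer = (X509Certificate) sess.getPeerCertificates()[0]; // step 2 certificate
            System.out.println("negotiated " + sess.getProtocol() + " " + sess.getCipherSuite()
                    + ", server subject " + peer.getSubjectX500Principal());
            PrintWriter out = new PrintWriter(c.getOutputStream());
            out.print("GET / HTTP/1.0\r\n\r\n"); out.flush();
            BufferedReader in = new BufferedReader(new InputStreamReader(c.getInputStream()));
            for (String line; (line = in.readLine()) != null; ) System.out.println(line);
        }
        server.join(); ss.close();
    }
}
```

Raw SSLSocket does not check that the certificate's name matches the host, so the client here relies purely on the trust store; an HTTPS client (HttpsURLConnection, or MIDP's HttpsConnection) adds that hostname check.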

19
Current Research Status
  • What we know
    • How to connect to a server which supports HTTPS.
    • How to build a server supporting HTTPS in a Java
      application.
    • How to build a server and client over the SSL layer
      in a Java application.
  • What we need to research
    • How to build a server supporting HTTPS in a
      servlet?
    • Is it possible to rewrite HTTPSClient (in sample
      2) in MIDP and still make the sample work?

20
References
  • MIDP Application Security 2: Understanding SSL
    and TLS, http://wireless.java.sun.com/midp/articles/security2
  • MIDP Application Security 3: Authentication in
    MIDP, http://wireless.java.sun.com/midp/articles/security3
  • Wireless Application Programming,
    http://wireless.java.sun.com/midp/articles/getstart
  • Introduction to Wireless Technologies,
    http://wireless.java.sun.com/getstart/articles/intro
  • J2ME MIDP and WAP: complementary technologies,
    http://wireless.java.sun.com/midp/articles/midpwap
  • What's new in MIDP 2.0,
    http://wireless.java.sun.com/midp/articles/midp20
  • SSL, and TLS page, http://www3.tsl.uu.se/~micke/ssl_links.html
  • Programming Wireless Devices Samples,
    http://java.sun.com/docs/books/j2mewireless/examples/README.html
  • Introducing MIDP 2.0,
    http://www.onjava.com/pub/a/onjava/2002/12/18/midp.html
  • Professional Java Security, Jess Garms and
    Daniel Somerfield, ISBN 1861004257