MIDP Application Security


MIDP Application Security
Ying Hong
Wireless Security
Spring 2003
Contents

Introduction to MIDP

Overview of TLS

Samples

Current Research Status
7/20/2015
MIDP Application Security
2
Introduction To MIDP

What is MIDP

MIDP (Mobile Information Device Profile) is the J2ME profile used to develop wireless applications for mobile devices. An application written for it is called a MIDlet.

The MIDlet structure

It extends javax.microedition.midlet.MIDlet.
It has startApp(), pauseApp(), and destroyApp(), which the device's application management software calls to move the MIDlet between its paused, active and destroyed states.
It may have commandAction() if it implements CommandListener, so that it can react to the commands a user selects.
Introduction To MIDP

MIDP 1.0

MIDP 1.0 provides a standard set of APIs; the only networking it requires is HttpConnection, so there is no standard way to open a secure connection.

MIDP 2.0

MIDP 2.0 provides several new features, including secure networking.
Extended Network Connectivity: connections using the HTTPS and SSL/TLS protocols, through javax.microedition.io.HttpsConnection and SecureConnection.
Overview of TLS

What is TLS

TLS (1.0) is the IETF's updated version of the SSLv3 protocol.
SSL and TLS are protocols enabling authentication and data encryption over insecure networks.
They are implemented as a layer between TCP/IP and higher-level application protocols such as HTTP.
One of the strengths of TLS is that it operates directly on top of TCP/IP sockets, so any application protocol that runs over TCP can be carried over it without change.
Overview of TLS

How does it work – handshake

Client                                  Server

Step 1  client_hello                -->

Step 2                              <-- server_hello
                                    <-- certificate
                                    <-- (certificate_request)
                                    <-- server_hello_done

Step 3  (certificate)               -->
        client_key_exchange         -->
        (certificate_verify)        -->
        change_cipher_spec          -->
        finished                    -->

Step 4                              <-- change_cipher_spec
                                    <-- finished

Messages in parentheses are optional; they are only sent when the server asks the client to authenticate itself.
Overview of TLS

Step 1

client_hello

The highest SSL/TLS version the client supports
32 bytes of random data that the client creates (the client random, used later when the session keys are derived)
A session ID: empty for a new session, or the ID of an earlier session the client wants to resume
A list of supported cipher suites, in the client's order of preference
A list of supported compression methods
Overview of TLS

Step 2

server_hello

The SSL/TLS version the server selects, no higher than the one the client offered;
32 bytes of random data that the server creates (the server random);
The session ID: the client's ID if the server agrees to resume that session, otherwise a freshly issued one;
The single cipher suite chosen from the client's list;
The compression method selected.
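The two hello messages above, as an added example that is not code from the slides or from Sun's MIDP articles: a small Java program that encodes a client_hello and a server_hello in the TLS 1.0 wire format (record header, handshake header, then the fields listed in steps 1 and 2), decodes them again and prints what it found. The two cipher suite values, the empty session ID for a new session and the 16-byte session ID the server issues are constructed sample data; the randoms come from SecureRandom.

```java
import java.io.ByteArrayOutputStream;
import java.security.SecureRandom;
import java.util.Arrays;

/**
 * Added example: client_hello (step 1) and server_hello (step 2) as laid out in
 * RFC 2246. Only the hello bodies and their framing are implemented; the cipher
 * suite values below are sample data chosen to match the slide's algorithm list.
 */
public class HelloMessages {
    static final int RECORD_HANDSHAKE = 0x16;
    static final int HS_CLIENT_HELLO = 0x01;
    static final int HS_SERVER_HELLO = 0x02;
    static final byte[] TLS_1_0 = {0x03, 0x01};

    // Sample cipher suites (IANA values): RSA key exchange with 3DES/SHA and with RC4-128/MD5.
    static final int TLS_RSA_WITH_3DES_EDE_CBC_SHA = 0x000A;
    static final int TLS_RSA_WITH_RC4_128_MD5 = 0x0004;

    /** Wraps a handshake body in a 4-byte handshake header and a 5-byte record header. */
    static byte[] frame(int handshakeType, byte[] body) {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        int recordLen = body.length + 4;
        out.write(RECORD_HANDSHAKE); out.write(TLS_1_0, 0, 2);
        out.write(recordLen >> 8); out.write(recordLen & 0xFF);
        out.write(handshakeType);
        out.write(body.length >> 16); out.write((body.length >> 8) & 0xFF); out.write(body.length & 0xFF);
        out.write(body, 0, body.length);
        return out.toByteArray();
    }

    /** Step 1: client_hello carrying the five fields from the slide. */
    static byte[] clientHello(byte[] random, byte[] sessionId, int[] suites) {
        ByteArrayOutputStream b = new ByteArrayOutputStream();
        b.write(TLS_1_0, 0, 2);                          // highest version the client supports
        b.write(random, 0, 32);                          // 32-byte client random
        b.write(sessionId.length); b.write(sessionId, 0, sessionId.length);
        b.write((suites.length * 2) >> 8); b.write((suites.length * 2) & 0xFF);
        for (int s : suites) { b.write(s >> 8); b.write(s & 0xFF); }
        b.write(1); b.write(0);                          // one compression method: null
        return frame(HS_CLIENT_HELLO, b.toByteArray());
    }

    /** Step 2: server_hello; the server names one suite and one compression method. */
    static byte[] serverHello(byte[] random, byte[] sessionId, int suite) {
        ByteArrayOutputStream b = new ByteArrayOutputStream();
        b.write(TLS_1_0, 0, 2);                          // version selected by the server
        b.write(random, 0, 32);                          // 32-byte server random
        b.write(sessionId.length); b.write(sessionId, 0, sessionId.length);
        b.write(suite >> 8); b.write(suite & 0xFF);
        b.write(0);                                      // null compression
        return frame(HS_SERVER_HELLO, b.toByteArray());
    }

    /** Decodes either hello, prints its fields and returns the offered (client) or chosen (server) suites. */
    static int[] parseHello(byte[] msg) {
        if (msg[0] != RECORD_HANDSHAKE) throw new IllegalArgumentException("not a handshake record");
        int type = msg[5] & 0xFF;
        int p = 9;                                       // skip record (5) and handshake (4) headers
        int major = msg[p++] & 0xFF, minor = msg[p++] & 0xFF;
        byte[] random = Arrays.copyOfRange(msg, p, p + 32); p += 32;
        int sidLen = msg[p++] & 0xFF;
        byte[] sid = Arrays.copyOfRange(msg, p, p + sidLen); p += sidLen;
        int[] suites;
        if (type == HS_CLIENT_HELLO) {
            int n = (((msg[p] & 0xFF) << 8) | (msg[p + 1] & 0xFF)) / 2; p += 2;
            suites = new int[n];
            for (int i = 0; i < n; i++) { suites[i] = ((msg[p] & 0xFF) << 8) | (msg[p + 1] & 0xFF); p += 2; }
            int compCount = msg[p++] & 0xFF; p += compCount;   // skip the compression list
        } else if (type == HS_SERVER_HELLO) {
            suites = new int[] { ((msg[p] & 0xFF) << 8) | (msg[p + 1] & 0xFF) }; p += 2;
            p++;                                         // the single compression method
        } else throw new IllegalArgumentException("unexpected handshake type " + type);
        System.out.printf("%s: version %d.%d, random %s..., session id %s, suites %s%n",
            type == HS_CLIENT_HELLO ? "client_hello" : "server_hello", major, minor,
            hex(Arrays.copyOf(random, 4)), sid.length == 0 ? "(new session)" : hex(sid), hex(suites));
        return suites;
    }

    static String hex(byte[] b) { StringBuilder s = new StringBuilder(); for (byte x : b) s.append(String.format("%02x", x)); return s.toString(); }
    static String hex(int[] v) { StringBuilder s = new StringBuilder(); for (int x : v) s.append(String.format("0x%04x ", x)); return s.toString().trim(); }

    public static void main(String[] args) {
        SecureRandom rng = new SecureRandom();
        byte[] clientRandom = new byte[32], serverRandom = new byte[32];
        rng.nextBytes(clientRandom); rng.nextBytes(serverRandom);

        // Step 1: new session (empty session ID), two offered suites.
        byte[] ch = clientHello(clientRandom, new byte[0],
            new int[] { TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_RC4_128_MD5 });
        int[] offered = parseHello(ch);

        // Step 2: the server picks the first offered suite and issues a fresh 16-byte session ID.
        byte[] sessionId = new byte[16]; rng.nextBytes(sessionId);
        parseHello(serverHello(serverRandom, sessionId, offered[0]));
    }
}
```

Running it shows the server_hello carrying only the one suite picked from the client's list and a session ID where the client sent none; a resumed session would instead echo the client's ID. The certificate, key exchange and Finished messages of steps 2 to 4 are not encoded here.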
Overview of TLS

Step 2 (cont.)

server's certificate
It's an X.509 certificate, normally signed by a certificate authority the client already trusts.
It includes the server's public key, which the client uses in step 3.

request for client's certificate
It's optional; the server only sends it when it wants to authenticate the client as well.

server_hello_done
It indicates that the server has finished its part of the hello exchange and is waiting for the client's response.
Overview of TLS

Step 3

client's certificate, if the server requested it
It's the client's X.509 certificate.

client_key_exchange
With RSA key exchange it carries the 48-byte premaster secret (2 version bytes and 46 random bytes) that the client creates.
It's encrypted using the server's public key from the certificate, so only the holder of the server's private key can recover it. (With Diffie-Hellman key exchange the message carries the client's public DH value instead.)

certificate_verify, if the client's certificate was sent
A hash of all handshake messages so far, signed using the client's private key; this proves the client holds the key that matches its certificate.
Overview of TLS

Step 3 (cont.)

change_cipher_spec
It's an indication that the client's future messages will be encrypted with the newly negotiated keys.

Finished
It's the first message encrypted with the session keys, and it carries a MAC over all previous handshake messages, so that either side can detect tampering with the handshake.

Step 4

change_cipher_spec
Server's indication that its future messages will be secured.

Finished
The server's own MAC over the handshake; once the client has verified it, application data can flow in both directions.
Overview of TLS

Algorithms used in handshake

Key exchange
RSA, Fixed Diffie-Hellman, Ephemeral Diffie-Hellman, Anonymous Diffie-Hellman, Fortezza (SSLv3 only)
Anonymous Diffie-Hellman authenticates neither side, so it gives no protection against a man-in-the-middle.

Ciphers
RC4, 3DES, IDEA, Fortezza, DES, DES40, RC2
The 40-bit export ciphers (DES40, RC2 40-bit) and single DES are too weak for real use, and RC4 has since been prohibited in TLS (RFC 7465); a client should leave them out of the list it offers.

MAC (message authentication code)
MD5, SHA-1 (used through HMAC in TLS)
Samples

Sample 1: Creating a secure connection and getting information about the secure connection.

Create secure connection:
javax.microedition.io.HttpsConnection, obtained by passing an https:// URL to Connector.open() and casting the result.

Get information about the secure connection:
Get an instance of SecurityInfo using getSecurityInfo().
SecurityInfo provides:
getProtocolName()
getProtocolVersion()
getCipherSuite()
getServerCertificate() (returns a javax.microedition.pki.Certificate object with the subject, issuer, validity period, serial number and signature algorithm)
Samples

Sample 1

Code of HttpsExample
Screen snapshots of running HttpsExample

Question left:
Since HttpsConnection takes care of all the secure actions explained in the TLS handshake on the client side, how is the server side implemented?
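Sample 1 in code, as an added example that is not the HttpsExample from the slides: a complete MIDlet with the startApp()/pauseApp()/destroyApp() lifecycle and a commandAction() that opens an HttpsConnection, reads SecurityInfo and the server Certificate, and adds an explicit check of the certificate's validity period. The target URL, the class name and the command labels are assumptions.

```java
import java.io.IOException;
import java.util.Date;
import javax.microedition.io.Connector;
import javax.microedition.io.HttpsConnection;
import javax.microedition.io.SecurityInfo;
import javax.microedition.lcdui.Command;
import javax.microedition.lcdui.CommandListener;
import javax.microedition.lcdui.Display;
import javax.microedition.lcdui.Displayable;
import javax.microedition.lcdui.Form;
import javax.microedition.midlet.MIDlet;
import javax.microedition.midlet.MIDletStateChangeException;
import javax.microedition.pki.Certificate;

/**
 * Added example (not the slides' HttpsExample): MIDlet lifecycle plus an HTTPS
 * connection whose SecurityInfo and server certificate are shown on a Form.
 * URL is an assumption; point it at the HTTPS server under test.
 */
public class HttpsInfoMIDlet extends MIDlet implements CommandListener {
    private static final String URL = "https://example.com/";   // assumed target
    private final Form form = new Form("HTTPS info");
    private final Command connectCmd = new Command("Connect", Command.SCREEN, 1);
    private final Command exitCmd = new Command("Exit", Command.EXIT, 1);

    protected void startApp() throws MIDletStateChangeException {
        form.addCommand(connectCmd);
        form.addCommand(exitCmd);
        form.setCommandListener(this);
        Display.getDisplay(this).setCurrent(form);
    }

    protected void pauseApp() { }            // nothing held open: each request closes its connection

    protected void destroyApp(boolean unconditional) { }

    public void commandAction(Command c, Displayable d) {
        if (c == exitCmd) { destroyApp(true); notifyDestroyed(); return; }
        // Network I/O must not block the event thread, so run it in a worker thread.
        new Thread(new Runnable() { public void run() { showSecurityInfo(); } }).start();
    }

    private void showSecurityInfo() {
        HttpsConnection conn = null;
        try {
            // Connector.open() plus the first request completes the whole TLS handshake.
            conn = (HttpsConnection) Connector.open(URL);
            int status = conn.getResponseCode();
            SecurityInfo info = conn.getSecurityInfo();
            Certificate cert = info.getServerCertificate();
            form.deleteAll();
            form.append("HTTP status: " + status + "\n");
            form.append("Protocol: " + info.getProtocolName() + " " + info.getProtocolVersion() + "\n");
            form.append("Cipher suite: " + info.getCipherSuite() + "\n");
            if (cert == null) {
                form.append("No server certificate available\n");
            } else {
                form.append("Subject: " + cert.getSubject() + "\n");
                form.append("Issuer: " + cert.getIssuer() + "\n");
                form.append("Serial: " + cert.getSerialNumber() + "\n");
                form.append("Sig alg: " + cert.getSigAlgName() + "\n");
                form.append(describeValidity(cert, System.currentTimeMillis()));
            }
        } catch (IOException e) {
            // An untrusted or expired certificate is reported here as a CertificateException (an IOException).
            form.deleteAll();
            form.append("Connection failed: " + e);
        } finally {
            if (conn != null) { try { conn.close(); } catch (IOException ignore) { } }
        }
    }

    /** The platform already rejects certificates outside their validity window; showing the
     *  dates lets the user see how close to expiry the server is. */
    static String describeValidity(Certificate cert, long now) {
        long notBefore = cert.getNotBefore(), notAfter = cert.getNotAfter();
        if (now < notBefore) return "Certificate not yet valid (from " + new Date(notBefore) + ")";
        if (now > notAfter) return "Certificate EXPIRED on " + new Date(notAfter);
        long daysLeft = (notAfter - now) / (24L * 60 * 60 * 1000);
        return "Valid until " + new Date(notAfter) + " (" + daysLeft + " days left)";
    }
}
```

Build it against the MIDP 2.0 and CLDC 1.1 APIs (the Wireless Toolkit emulator works); on a device the connection only succeeds if the server's certificate chains to one of the roots in the device's trust store, which is why a self-signed test certificate fails here while it may work in a desktop JSSE client that has been told to trust it.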
Samples

Sample 2

JSSE (Java Secure Sockets Extension)
An API for using SSL/TLS in Java
A reference implementation of that API

Installing JSSE
Read installing_jsse.txt to learn how to install JSSE, or read chapter 9 in Professional Java Security by Jess Garms and Daniel Somerfield. (JSSE ships with J2SE 1.4 and later; a separate install is only needed on J2SE 1.3.)
Samples

Sample 2: creating a pair of HTTPS server and client

Coding HTTPSServer
Create the server socket through javax.net.ssl.SSLServerSocketFactory.

Running HTTPSServer:
Create a certificate and private key for the SSL server with keytool.
Set two system properties, javax.net.ssl.keyStore and javax.net.ssl.keyStorePassword, on the command line (-D options) or in the program, so that the default SSLServerSocketFactory can find the server's key.
Samples

Sample 2:

Coding HTTPSClient
Running HTTPSClient
Authentication and encryption will be done transparently, provided the client trusts the server's certificate; a self-signed keytool certificate has to be imported into the client's trust store (javax.net.ssl.trustStore) or the handshake fails.

Question left:
Find the corresponding implementation in MIDP 2.0, especially server side coding.
Samples

Sample 3: SSL socket example instead of HTTPS

Coding SSLSocketServer
Coding SSLSocketClient

Difference between SSL socket and plain socket
The underlying SSLSocket implementation takes care of authenticating the server and encrypting the data transmitted; the application reads and writes the socket's streams exactly as it would with a plain socket.
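Sample 2 and Sample 3 together, as an added example rather than the HTTPSServer/HTTPSClient/SSLSocketServer/SSLSocketClient code from the slides: one SSLContext loaded from a keytool keystore drives both an HTTPS-style server built on SSLServerSocket and an SSLSocket client that is used like a plain socket. Instead of the javax.net.ssl.keyStore system properties the slides describe, the keystore is loaded explicitly so the same context can serve both sides of the demo. Assumptions: the keystore file name and password, port 8443, and the keytool command in the comment; on top of the slides' procedure, the weak suites from the algorithms slide (RC4, DES, DES40, RC2, anonymous DH) are filtered out and hostname verification, which JSSE does not do on a raw SSLSocket unless asked, is switched on.

```java
import java.io.*;
import java.security.KeyStore;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.*;

/**
 * Added example (not the slides' code). Assumed setup, run once beforehand:
 *   keytool -genkeypair -alias server -keyalg RSA -keysize 2048 -keystore server.jks \
 *           -storepass changeit -dname CN=localhost -ext san=dns:localhost
 * The client trusts the server's own keystore only because this is a local demo;
 * a real client keeps a separate trust store holding just the CA certificate.
 */
public class SslPair {
    static final String KEYSTORE = "server.jks";               // assumed file
    static final char[] PASSWORD = "changeit".toCharArray();    // assumed password
    static final int PORT = 8443;                               // assumed port

    /** Loads the keystore once; it provides the server key and, for the demo client, the trust anchor. */
    static SSLContext context() throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(KEYSTORE)) { ks.load(in, PASSWORD); }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, PASSWORD);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Removes the weak and unauthenticated suites from the algorithms slide (RC4, DES, DES40, RC2, anon DH). */
    static String[] strongSuites(String[] supported) {
        List<String> keep = new ArrayList<>();
        for (String s : supported)
            if (!s.contains("_RC4_") && !s.contains("_DES_") && !s.contains("_RC2_")
                    && !s.contains("_anon_") && !s.contains("_NULL_") && !s.contains("EXPORT"))
                keep.add(s);
        return keep.toArray(new String[0]);
    }

    /** Sample 2 server side: accepts one connection and answers it with a fixed HTTP response. */
    static Thread startServer(SSLContext ctx) throws IOException {
        SSLServerSocket ss = (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket(PORT);
        ss.setEnabledCipherSuites(strongSuites(ss.getSupportedCipherSuites()));
        Thread t = new Thread(() -> {
            try (SSLSocket s = (SSLSocket) ss.accept();
                 BufferedReader in = new BufferedReader(new InputStreamReader(s.getInputStream(), "ISO-8859-1"));
                 OutputStream out = s.getOutputStream()) {
                String line;
                while ((line = in.readLine()) != null && !line.isEmpty()) { }   // consume the request headers
                String body = "hello over " + s.getSession().getProtocol();
                out.write(("HTTP/1.0 200 OK\r\nContent-Type: text/plain\r\nContent-Length: "
                        + body.length() + "\r\n\r\n" + body).getBytes("ISO-8859-1"));
            } catch (IOException e) {
                System.err.println("server: " + e);
            } finally {
                try { ss.close(); } catch (IOException ignore) { }
            }
        });
        t.start();
        return t;
    }

    /** Sample 3 client side: an SSLSocket used like a plain socket, plus the checks JSSE leaves to the caller. */
    static String fetch(SSLContext ctx, String host) throws IOException {
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, PORT)) {
            SSLParameters p = s.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("HTTPS");   // verify the certificate name against host
            p.setCipherSuites(strongSuites(s.getSupportedCipherSuites()));
            s.setSSLParameters(p);
            s.startHandshake();                              // explicit, so a failure shows before any data is sent
            SSLSession session = s.getSession();
            System.out.println("negotiated " + session.getProtocol() + " / " + session.getCipherSuite()
                    + " with " + session.getPeerPrincipal());
            s.getOutputStream().write(("GET / HTTP/1.0\r\nHost: " + host + "\r\n\r\n").getBytes("ISO-8859-1"));
            BufferedReader in = new BufferedReader(new InputStreamReader(s.getInputStream(), "ISO-8859-1"));
            String line, last = "";
            while ((line = in.readLine()) != null) last = line;   // the body is the final line
            return last;
        }
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = context();
        Thread server = startServer(ctx);
        System.out.println("client got: " + fetch(ctx, "localhost"));
        server.join();
    }
}
```

Everything after startHandshake() is ordinary stream I/O, which is the point of Sample 3; the two lines that matter for security are the endpoint identification setting (without it a certificate for any name the client trusts would be accepted) and the cipher suite filter applied on both sides.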
Current Research Status

What we know:
How to connect to a server which supports HTTPS.
How to build a server supporting HTTPS in a Java application.
How to build a server and client over the SSL layer in a Java application.

What we need to search:
How to build a server supporting HTTPS in a servlet?
Is it possible to rewrite HTTPSClient (in sample 2) in MIDP and still make the sample work?
References

“MIDP Application Security 2: Understanding SSL and TLS”, http://wireless.java.sun.com/midp/articles/security2
“MIDP Application Security 3: Authentication in MIDP”, http://wireless.java.sun.com/midp/articles/security3
“Wireless Application Programming”, http://wireless.java.sun.com/midp/articles/getstart
“Introduction to Wireless Technologies”, http://wireless.java.sun.com/getstart/articles/intro
“J2ME MIDP and WAP complementary technologies”, http://wireless.java.sun.com/midp/articles/midpwap
“What’s new in MIDP 2.0”, http://wireless.java.sun.com/midp/articles/midp20
“SSL, and TLS page”, http://www3.tsl.uu.se/~micke/ssl_links.html
“Programming Wireless Devices Samples”, http://java.sun.com/docs/books/j2mewireless/examples/README.html
“Introducing MIDP 2.0”, http://www.onjava.com/pub/a/onjava/2002/12/18/midp.html
“Professional Java Security”, Jess Garms and Daniel Somerfield, ISBN 1861004257