WAP Overview
CSCI 5939.02 – Independent Study
Fall 2002
Yasir Zahur
Presentation No 1

Agenda
- Background / Motivation
- Architectural Overview
- Protocol Layers
- Push Technology
- Current WAP Status
- Security Limitations

Lessons from the World Wide Web
- WWW limitations:
  1. Requires at least some computer skills
  2. If you don’t already own a computer, entrance costs are relatively high
- However, it would be foolish, at the other extreme, to ignore the Internet as a means of data transportation

Wireless Industry Before 1998 (some serious problems)
- Handheld mobile devices could access network-based content, but the technologies were incompatible
- Not much use of existing Internet infrastructure
- No single global standard for data access for all handheld mobile devices

Searching for the answer…
- Omnipoint issues a tender for the definition of a common standard for the supply of mobile information services, early 1997
- WAP Forum founded by Ericsson, Nokia, Motorola and Phone.com
  - Importance of a common technical base was realized
  - Strong belief that existing technology did not meet the needs of the market

Searching for the answer… (cont)
- Work started June 1997
- Architecture published September 1997
- Membership opened in January 1998
- Draft specifications published January 1998
- WAP 1.0 available April 30, 1998

What is WAP?
WAP is an effort, with broad industry support, to define a standard for communicating Internet-type information to devices that have roughly the same form factor and processing power as the average mobile telephone.

What sort of devices is WAP designed for?
- Primarily mobile phones, pagers and PDAs
- Low-bandwidth and high-latency environments
- Unpredictable stability and availability
- Limited processing power and battery life
- Less memory (ROM and RAM)
- Smaller displays

WAP Architectural Objectives
- Create global wireless protocol specifications that work across differing wireless technologies
- Facilitate network-operator and third-party service provisioning
- Define a layered, scalable and extensible architecture
- Bring Internet/intranet information and advanced data services to wireless terminals
- Optimize for efficient use of device resources

WAP Architectural Objectives (cont)
- Provide support for secure applications and communication
- Embrace and extend existing standards where possible
- Optimize for efficient use of device resources
- Optimize for narrowband bearers with potentially high latency
- Enable personalization and customization of the device, the content delivered to it and the presentation of the content

The World Wide Web Model
- WWW standards specify many mechanisms to build a general-purpose application environment, including:
  - Standard naming model
  - Content typing
  - Standard content formats
  - Standard protocols

The World Wide Web Model (cont)

The WAP Model
- Based on the WWW programming model
  - Stable architecture
  - Ability to embrace and enhance existing tools, including web servers, XML tools etc.
- Enhancements
  - Push technology
  - Telephony support (WTA)

The WAP Model (cont)
- Components that enable communication between mobile terminals and network servers include:
  - Standard naming model
  - Content typing
  - Standard content formats
  - Standard communication protocols

The WAP Model (cont)
Based on Version 30-Apr-1998

WAP Proxy
- The WAP Architecture specification (version 12-July-2001) defines the term WAP Proxy.
- WAP utilizes proxy technology to optimize and enhance the connection between the wireless domain and the WWW. A WAP proxy provides various functions, including:

WAP Proxy (cont)
- Protocol Gateway: translates requests from a wireless protocol stack to the WWW protocols; also performs DNS lookup
- Content Encoders and Decoders: translate WAP content into a compact format, because of the slow underlying wireless link, and vice versa
- User Agent Profile Management: enables personalization and customization of the device
- Caching Proxy: improves perceived performance and network utilization by maintaining a cache of frequently accessed resources

WAP Client
- Primarily wireless phones, PDAs and pagers
- Beginning to support more memory, faster processors and longer battery life
- Contains a user agent or mini-browser that implements the WAE specification and can execute any WAP-compliant application
- Available in thousands of different models and types; a WAP-compliant application written once can reach and be executed on all of these devices

Application Servers
- The real power of WAP lies in the fact that it leverages existing Internet infrastructure to extend the reach of applications to millions of users with wireless devices
- Application servers typically consist of three tiers:
  - Web server: understands the HTTP protocol and responds to HTTP requests from clients, e.g. Apache, iPlanet, Microsoft IIS
  - Application server: encodes elements like personalization, commerce, security and data-persistence logic, e.g. iPlanet, WebLogic
  - Database server: used for persistent storage of application data, e.g. Oracle, Sybase, Informix

The WAP Model
Based on Version 12-July-2001

Supporting Servers

Typical WAP Network

WAP Architecture (protocols)
Based on Version 30-Apr-1998

Comparison between Web and WAP Architectures

WAP Architecture (protocols)
Based on Version 12-July-2001

Bearer Networks
- The WAP specification is air-interface independent
- The WAP specification is intended to sit on top of existing bearer channel standards, so that any bearer standard can be used with the WAP protocols to implement complete product solutions
- WAP operates over different bearer services, including short message, circuit-switched data and packet data
- Since bearers offer services of varying throughput, delay and error rate, the WAP protocols are designed to compensate for or tolerate these varying levels of service

Bearer Networks (cont)
- Some of the common bearers are:
  - SMS (Short Message Service): stateless and one of the slowest bearers; each SMS message is limited to a short message of at most 160 characters; no session maintenance
  - CSD (Circuit Switched Data): uses circuit switching to establish a connection with the WAP gateway at around 9600 bps; much faster than SMS
  - USSD (Unstructured Supplementary Service Data): messages of at most 182 characters; session based
  - GPRS (General Packet Radio Service): one of the fastest bearers; uses packet-based data transmission with speeds of up to 171.2 kbps

Transport Services Layer
- Offers a set of consistent services to the upper-layer protocols and maps those services to the available bearer services
- Transport services include:
  - Datagrams: a connectionless, unreliable datagram service in which each datagram is routed independently. WDP and UDP are the two protocols used; WDP is replaced by UDP when used over an IP network layer, i.e. WDP over IP is UDP/IP
  - Connections: a data transport service in which communication proceeds in three phases: connection establishment, two-way reliable data transfer and connection release. TCP (usually profiled) is used to provide the connection transport service

Transfer Services
- Provide for the structured transfer of information
- Transfer services include:
  - Hypermedia Transfer: WSP and WTP provide the hypermedia transfer service over secure and non-secure datagram transports; HTTP provides the same service over secure and non-secure connection-oriented transports
  - Streaming: provides a means for transferring isochronous data such as audio and video
  - Message Transfer: provides a means to transfer asynchronous multimedia messages like email or instant messages

Wireless Transaction Protocol (WTP)
Based on Version 30-Apr-1998
- Three classes of transaction service:
  - Unreliable one-way requests
  - Reliable one-way requests
  - Reliable two-way request-reply transactions
- Use of unique transaction identifiers, acknowledgements, duplicate removal and retransmissions
- PDU concatenation and delayed acknowledgement to reduce the number of messages sent
- Optional user-to-user reliability: WTP triggers the confirmation of each received message
- Asynchronous transactions

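Added example, not code from the slides or from any WAP Forum implementation: a Python simulation of a class 2 (reliable request-reply) WTP transaction, showing how the unique transaction identifier, retransmission and duplicate removal listed above interact when an Invoke or a Result PDU is lost. The LossyLink, Responder and Initiator classes and the "balance" service are constructed for illustration; real WTP PDU encodings and timer values are not modelled.

```python
from typing import Callable, Optional, Tuple

PDU = Tuple[str, int, bytes]  # (PDU type, transaction identifier, body)

class LossyLink:
    """Constructed one-way link: drops transmissions whose sequence number is in `drop`."""
    def __init__(self, drop):
        self.drop, self.seq = set(drop), 0

    def send(self, pdu: PDU) -> Optional[PDU]:
        lost = self.seq in self.drop
        self.seq += 1
        return None if lost else pdu

class Responder:
    """Class 2 responder: runs the application once per TID and caches the Result."""
    def __init__(self, handler: Callable[[bytes], bytes]):
        self.handler, self.results, self.app_runs = handler, {}, 0

    def on_invoke(self, pdu: PDU) -> PDU:
        kind, tid, body = pdu
        if kind != "Invoke":
            raise ValueError(f"unexpected PDU type {kind}")
        if tid not in self.results:  # duplicate removal: a re-sent Invoke is not re-executed
            self.app_runs += 1
            self.results[tid] = ("Result", tid, self.handler(body))
        return self.results[tid]

class Initiator:
    """Class 2 initiator: unique TIDs, Invoke retransmission, Ack of the Result."""
    def __init__(self, up: LossyLink, down: LossyLink, max_retries: int = 4):
        self.up, self.down, self.max_retries = up, down, max_retries
        self.next_tid, self.transmissions = 1, 0

    def invoke(self, responder: Responder, body: bytes) -> bytes:
        tid, self.next_tid = self.next_tid, (self.next_tid + 1) & 0x7FFF  # 15-bit TID space
        for _ in range(self.max_retries + 1):
            self.transmissions += 1
            invoke = self.up.send(("Invoke", tid, body))
            if invoke is None:
                continue  # Invoke lost: retransmission timer fires, same TID is reused
            result = self.down.send(responder.on_invoke(invoke))
            if result is None:
                continue  # Result lost: retransmit; the responder then sees a duplicate TID
            self.up.send(("Ack", tid, b""))  # acknowledge the Result (Ack loss not modelled)
            return result[2]
        raise TimeoutError(f"transaction {tid} abandoned after {self.max_retries} retries")

def run_transaction(up_drop, down_drop) -> dict:
    """One request/reply over scripted-loss links; the 'balance' service is a constructed toy."""
    responder = Responder(lambda body: b"balance:" + body + b"=500")
    initiator = Initiator(LossyLink(up_drop), LossyLink(down_drop))
    reply = initiator.invoke(responder, b"acct42")
    return {"reply": reply, "invokes_sent": initiator.transmissions, "app_runs": responder.app_runs}
```

Dropping the first Result rather than the first Invoke is the instructive case: the Invoke is sent twice, but the application runs once because the responder answers the duplicate TID from its cache.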
Session Services
- Provide for the establishment of shared state between network elements that spans multiple network requests or data transfers. It includes:
  - Capability Negotiation: includes specifications for describing, transmitting and managing capabilities and preference information about the client, user and network elements
  - Push-OTA: provides for network-initiated transactions to be delivered to wireless devices
  - Sync: provides for synchronization of replicated data
  - Cookies: allow applications to establish state on the client or proxy that survives multiple hypermedia transfer transactions

Wireless Session Protocol (WSP)
Based on Version 30-Apr-1998
- Provides WAE with a consistent interface for two session services:
  - Connection-oriented service over WTP
  - Connectionless service over secure and non-secure WDP
- Long-lived session state
- Common facility for reliable and unreliable data push
- HTTP/1.1 functionality and semantics in a compact over-the-air encoding
- Provides for session suspend/resume

Application Framework
- The primary objective is to establish an interoperable environment that will allow operators and service providers to build applications and services that can reach a wide variety of different wireless platforms in an efficient and useful manner. It includes:
  - WAE/WTA User Agent: WAE is a micro-browser environment containing WML, XHTML, WMLScript, WTA and WTAI, all optimized for handheld devices
  - Content Formats: WAE includes support for color, audio, video, images, phone book records, animation etc.

Application Framework (cont)
- Push: provides a general mechanism for the network to initiate the transmission of data to applications resident on WAP devices
- Multimedia Messaging: the Multimedia Message Service (MMS) provides for the transfer and processing of multimedia messages such as email and instant messages to WAP devices

Security Services
- Privacy: to ensure that communication is private and cannot be understood by any eavesdropper
- Authentication: to establish the authenticity of the parties to the communication
- Integrity: to ensure that communication is unchanged and uncorrupted
- Non-repudiation: to ensure that parties cannot deny that communication took place
- Some examples include Authentication, Cryptographic Libraries, Identity, PKI, Secure Transport and Secure Bearer

Service Discovery
- Services are found at many layers. These include:
  - External Functionality Interface (EFI): allows applications to discover what external functions/services are available on the device
  - Provisioning: allows a device to be provisioned with the parameters necessary to access network services
  - Navigation Discovery: allows a device to discover new network services
  - Service Lookup: provides for the discovery of a service’s parameters through a directory lookup by name

WAP 1.x Gateway

WAP HTTP Proxy with Profiled TCP and HTTP
Wireless-profiled versions are interoperable with TCP and HTTP

Direct Access
Wireless optimizations as defined by the Wireless Profiles for TCP and HTTP may not be available

Dual Stack Support
Useful when a device needs to interoperate with both old and new WAP servers

Push Architecture
- The normal client-server model is ‘pull’ technology, e.g. browsing the World Wide Web
- In ‘push’ technology, there is no explicit request from the client before the server transmits its content, e.g. SMS
- Extremely beneficial for time- and location-based services, e.g. traffic alerts for the road ahead on the highway, weather alerts, listings of nearby restaurants etc.

Pull vs. Push

The Push Framework

The Push Framework (cont)
The PPG usually needs a WAP Gateway to communicate with the cellular network

Push Initiator (PI)
- Responsible for generating the message to be pushed and passing it on to the PPG
- Messages are all XML based
- Commonly the HTTP POST mechanism is used for communication between PI and PPG
- Responsible for authenticating itself to the PPG, usually using X.509-based digital client certificates
- Also responsible for managing the workflow of the push messages

Push Proxy Gateway (PPG)
- Acts as the access point for content pushes from the Internet to the mobile network
- PI identification and authentication
- Parsing of, and error detection in, push content
- Translates the client address provided by the PI into a format understood by the mobile network
- Stores the content if the client is currently unavailable
- Notifies the PI about the final outcome of a push submission
- Protocol conversion

Push Access Protocol (PAP)
- XML-based communication protocol by which a PI pushes content to the mobile network, addressing its PPG
- Can be transported over virtually any protocol that allows MIME types to be transported over the Internet
- Supports the following operations:
  - Push Submission (PI to PPG)
  - Result Notification (PPG to PI)
  - Push Cancellation (PI to PPG)
  - Push Replacement (PI to PPG)
  - Status Query (PI to PPG)
  - Client Capabilities Query (PI to PPG)

Push Over-The-Air Protocol
- Responsible for transporting content from the PPG to the client and its user agents
- Provides both connectionless (mandatory) and connection-oriented (optional) services
- The connectionless service relies upon WSP
- The connection-oriented service may be provided in conjunction with WSP (OTA-WSP) and HTTP (OTA-HTTP)

Current Successes
- Over 18 million WAP users (Cahners-In-Stat / Gartner Dataquest / Strategis, eTforecasts)
- Close to 200 carriers deployed or in final testing (Mobile Lifestreams)
- 50 million WAP-enabled handsets shipped worldwide (International Data Corp)
- Tens of thousands of developers creating apps and content (WAP Forum)
- 12,000 WAP sites from 100+ countries (Cellmania.com)
- 7.8 million WAP-readable pages (Pinpoint Networks)

Consumer Successes
- Sprint “wireless Web” users reached 1.3 M in 1Q01
- Telesp Celular: 323,000 out of 623,000 subscribers with a WAP-enabled phone accessed WAP services (EYO2000)
- Digital Bridges: 30 million hits on WAP game site from 1 million games played in a six-month period

The Survey FACTS
- Survey of 500+ users in Scandinavia:
  - 61% of WAP users satisfied with their WAP experience (Strand Consult)
- Survey of 250 users in the UK (on all networks):
  - 71% of WAP users: WAP is meeting or exceeding expectations (Teleconomy)

WAP 2.0
Launched July 31, 2001
- What the developers see:
  - XHTML (fully backwards compatible)
  - TCP
- Supported user features:
  - Color graphics
  - Animation
  - Large file downloading
  - Location-smart services
  - Pop-up/context-sensitive menus
  - Data synchronization with desktop PIM

WAP Roadmap 1999-2001

Secure From Day One
- Security meets the most extreme demands:
  - End-to-end encryption
  - Supports PKI (new in 2.0)
  - Secure proxies in handset and gateway
  - Transactions are as secure as PC sites

A Secure Foundation for Wireless Commerce
- Transactions demanding security are already happening over WAP:
  - Banking (Citicorp, Deutsche, Allied Irish Bank, Schwab)
  - Finance (Abbey National and Halifax Bank mortgages online)
  - M-Commerce (Amazon.com, MySimon)
- Basing their future mobile commerce plans on WAP:
  - Certicom, VeriSign, Entrust.com

Security Loopholes
A generic m-commerce transaction using WAP

Security Loopholes (cont)
Security zones showing standard security services (WTLS and TLS)

Security Loopholes (cont)
- Data flows between the WAP device and the application server through the WAP gateway
- All TLS/SSL-encrypted content is decrypted at the WAP gateway before being re-encrypted using WTLS for transmission over the wireless network, and vice versa
- Thus the data exists in the memory of the gateway, for a brief period of time, in human-readable plaintext: a SECURITY RISK
- Conversion between WTLS and TLS is one of the most controversial features of the WAP gateway, because it violates the concept of end-to-end security between the WAP client and the application or content server

Proposed Solutions
- Host the gateway within the secure intranet of the application server
  - However, users need to configure their WAP devices to communicate with the new gateway
- Application-level security on top of WAP
  - Introduce security at a software layer above WAP and treat WAP merely as a potentially insecure communication means
  - Security is solely taken care of by dedicated software running at the two ends, i.e. the mobile phone and the web server
  - Making no use of the WAP security features neutralizes most of the optimizations offered by the WAP gateway, including data conversion and compression to accommodate the limited bandwidth

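Added example, not part of the slides: a Python simulation of the gateway hop described on the Security Loopholes slide, run once with the standard WTLS/TLS conversion and once with the application-level security proposed above, to show what the gateway can read in each case. It assumes a toy hash-based stream cipher with an HMAC tag standing in for WTLS and TLS record protection, a constructed banking request, and a pre-shared application key between phone and server; nothing here is real WTLS or TLS.

```python
import hashlib
import hmac
import os

def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy CTR-style stream cipher built from SHA-256 (illustration only, not for production)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Protect one hop's record: nonce || ciphertext || HMAC tag (privacy and integrity)."""
    nonce = os.urandom(16)
    ct = stream_xor(key, nonce, plaintext)
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, record: bytes) -> bytes:
    nonce, ct, tag = record[:16], record[16:-32], record[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return stream_xor(key, nonce, ct)

class Gateway:
    """WAP 1.x gateway: terminates WTLS on the wireless side and TLS on the wired side."""
    def __init__(self, wtls_key: bytes, tls_key: bytes):
        self.wtls_key, self.tls_key = wtls_key, tls_key
        self.memory = []  # everything the gateway held in the clear, however briefly

    def phone_to_server(self, wtls_record: bytes) -> bytes:
        plain = unseal(self.wtls_key, wtls_record)
        self.memory.append(plain)  # the loophole: plaintext sits in gateway memory
        return seal(self.tls_key, plain)

def run(app_layer_security: bool) -> dict:
    """Send a constructed banking request phone -> gateway -> server and report
    whether the gateway could read the PIN on the way through."""
    wtls_key, tls_key, app_key = os.urandom(32), os.urandom(32), os.urandom(32)
    gateway = Gateway(wtls_key, tls_key)
    request = b"POST /transfer PIN=1234 amount=500"
    # Application-level security: phone and server share app_key; the gateway never holds it.
    payload = seal(app_key, request) if app_layer_security else request
    tls_record = gateway.phone_to_server(seal(wtls_key, payload))
    received = unseal(tls_key, tls_record)  # application server's TLS side
    if app_layer_security:
        received = unseal(app_key, received)  # dedicated software above WAP at the server end
    return {"server_got": received,
            "gateway_saw_pin": any(b"PIN=1234" in held for held in gateway.memory)}
```

With the application layer in place the gateway still decrypts and re-encrypts, so the WTLS/TLS optimizations keep working, but what it holds is only the inner ciphertext; the cost is that it can no longer compress or convert that content, as the slide notes.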
Proposed Solutions (cont)
- Enabling Internet on the mobile device
  - Proposed by the WAP Forum for WAP 2.0
  - Redesign the WAP protocol so that it does not use a gateway
  - Employ the existing Internet standards, including TCP, for the entire wired and wireless part of a connection
  - Disregarding the WAP gateway makes it possible to attain the same high level of security for an m-commerce transaction as for an e-commerce transaction on the ordinary web, using end-to-end encryption
  - However, this change will cause compatibility problems and will neutralize the optimizations offered by the WAP gateway

Proposed Solutions (cont)
Hosting the gateway within the secure intranet of the application server

Proposed Solutions (cont)
Application-level security on top of WAP
