Experiment 3: A Simple M-Commerce Application with Crypto.signText.61

with Crypto.signText

This experiment shows a simple m-commerce application to provide non-repudiation service via Crypto.signText method with the user certificate created by our toolkit.

5.3.1. Environment Configuration

The simple m-commerce application is modified from the sample provided by the Nokia Mobile Internet Toolkit (NMIT) 4.1 [21]. We use the same environment configuration in Experiment 2. The only difference is that the role of Tomcat server is changed to be a web fast-food store. The scenario of the simple m-commerce application is as follows. The user has ordered a pizza and a cup of coffee from the web fast-food store. The store sent the order back to the user for requesting confirmation. After make sure the order recorded in the web fast-food store is correct, the user signs the order by calling Crypto.signText() with his signature key stored in

the WIM and then submits the order with its signature to the web fast-food store to accomplish the transaction.

5.3.2. Experiment Result

The test items and result are shown in the following table.

Test Item Description Result download the order

for confirmation

download the order recorded in the web fast-food store

see Figure 5-13

sign the order and submit

confirm the order by signing it and send back to web fast-food store

see Figure 5-14

Table 5-3: Experiment 3 Result

Figure 5-13: download the order for confirmation

Figure 5-14: sign the order and submit

5.3.3. Evaluation

This experiment successfully illustrates how to use a private key and corresponding user certificate stored in the WIM with the Crypto.signText method to provide the non-repudiation service in a typical m-commerce application.

Chapter 6 Conclusions and Future Works

Conclusions

To promote more m-commerce applications developed on mobile devices, security undoubtedly plays the key role among them. To bring the public-key cryptography into wireless networks for mobile security, WAP has devoted itself for setting up several standards for it.

In this paper, we try to solve a problem related to the public-key cryptography in the wireless world. The problem is how to use existing Internet X.509 certificates on mobile devices. To figure it out, we consider three dimensions of the problem domain.

The first dimension is the compatibility over WAP versions. The second one is the limitations in the wireless environment and mobile devices. The last one is the current situation about PKI in the Internet. The solution we propose to address those issues is the design of WAP Certificate Converter Toolkit.

The main merits of our developed toolkit can be concluded as follows:

z It can produce certificates compatible over all of WAP versions.

z The existing Internet CAs can easily transform their issued X.509 certificates into WAP certificates.

z Each field of the certificate produced by it can be seen in variable views.

z It provides two interfaces – Library API and GUI – for programmers and

Future Works

With our toolkit, it is easy to build the skeleton of WPKI. However, to completely build up the WPKI to provide full support of mobile security for m-commerce applications, there are several things to be done. Some of them are concerning about the extension of our toolkit; the others are with respect to the implementations of related WPKI facilities.

The future development of our toolkit can go to three directions. First is the support of ECDSA. Even though RSA is the widely used signature algorithm in the Internet, the advantages of ECDSA, compared to RSA, show it is suitable to be applied in limited computing environments. Another reason to add ECDSA support is it is another signature algorithm specified by WAP. The second is the design of decoder for SignedContent structure generated by Crypto.signText function. Before the web server verifies the signature signed by the user, it need to first decode the structure to retrieve the signature and related information about the public key.

As to the related facilities to build a complete WPKI, storage for certificates saving, either a database or a LDAP directory, a PKI Portal to check and audit the identity of users, web interface to do all the management, and a real e-commerce application are considered important issues to be further solved.

Reference

[1] WAP Forum (2000), “Wireless Application Protocol White Paper”, June 2000.

URL: http://www.wapforum.org

[2] WAP Forum (2002), “Wireless Application Protocol WAP 2.0 Technical White Paper”, January 2002. URL: http://www.wapforum.org

[3] WAP Forum (2001), “WAP Architecture”, WAP-210-WAPArch-20010712-a, 12 July 2001. URL: http://www.wapforum.org

[4] WAP Forum (2001), “Wireless Transport Layer Security”,

WAP-261-WTLS-20010406-a, 6 April 2001. URL: http://www.wapforum.org [5] WAP Forum (2001), “WPKI”, WAP-217-WPKI-20010424-a, 24 April 2001.

URL: http://www.wapforum.org

[6] WAP Forum (2001), “Wireless Identity Module”, WAP-260-WIM-20010712-a, 12 July 2001. URL: http://www.wapforum.org

[7] WAP Forum (2001), “WMLScript Crypto Library”,

WAP-161-WMLScriptCrypto-20010620-a, 20 June 2001. URL:

http://www.wapforum.org

[8] WAP Forum (2001), “WAP Certificate and CRL Profiles”, WAP-211-WAPCert-20010522-a, 22 May 2001. URL:

http://www.wapforum.org

[9] G. Radhamani, K. Ramasamy, “Security Issues in WAP WTLS Protocol”, IEEE 2002 International Conference on Communications, Circuits and Systems and West Sino Expositions, Volume 1, Number 29, July 2002, 483-487.

[10] Thanh V. Do, “WAP Security: WTLS”, 2001. Available from http://ece.gmu.edu/courses/ECE636/project/reports/TDo.pdf

[11] RFC2459, "Internet X.509 Public Key Infrastructure Certificate and CRL Profile", January 1999.

[12] RFC3174,”US Secure Hash Algorithm 1 (SHA1)”, September 2001.

[13] Vladimir Silva, “Manage X.509 certificates in your grid with Java Certificate Services”, 2003. Available from

http://www-106.ibm.com/developerworks/grid/library/gr-jsc/?ca=dgr-lnxw06M anageX.509

[14] Chris Melnick, “How to translate into base64 and back”, 2004. Available from http://www.aardwulf.com/tutor/base64/index.asp

[15] R. L. Rivest, A. Shamir, and L. Adleman, “A Method for Obtaining Digital Signatures and Public-Key Cryptosystems”, Communications of the ACM, Volume 21, Issue 2, February 1978, 120-126.

[16] Don B. Johnson and Alfred J. Menezes, “Elliptic Curve DSA (ECDSA): An Enhanced DSA”, 1999. Available from http://www.certicom.com

[17] Bouncy Castle Crypto, http://www.bouncycastle.org [18] Cryptix JCE, http://www.cryptix.org

[19] Nokia, Nokia Mobile Browser 4.0 (NMB 4.0), http://www.forum.nokia.com [20] Nokia, Nokia WAP Gateway Simulator 4.0 (NWGS 4.0),

http://www.forum.nokia.com

[21] Nokia, Nokia Mobile Internet Toolkit (NMIT) 4.1, http://www.forum.nokia.com [22] Apache Jakarta Tomcat 4.1, http://jakarta.apache.org/tomcat

[23] Andrew Nash, Bill Duane, Derek Brink and Celia Joseph, PKI: implementing and managing E-security, McGraw-Hill, 2001.

[24] Li Gong, Gary Ellison and Mary Dageforde, Inside Java 2 Platform Security:

Architecture, API Design and Implementation, second version, Sun, 2003 [25] Rich Helton, Johennie Helton 著，楊松諺/上官飛鳳 譯，Java Security 全方

位解決方案，碁峰，2002.

[26] Alfred Menezes, Paul van Oorschot, Scott Vanstone, Handbook of Applied Cryptography, CRC, 1997

[27] Charlie Kaufman, Radia Perlman, Mike Speciner, Network Security, second version, Prentice Hall, 2002.

[28] Eric Rescorla, SSL and TLS, Addison Wesley, 2001.

[29] Olivier Dubuisson, translated from French by Philippe Fouquart, ASN.1 - Communication Between Heterogeneous Systems, , Morgan Kaufmann, 2001.