WAP Security Testing - Guidelines



GUIDELINE DOCUMENT FOR WAP SECURITY TESTING

1. INTRODUCTION
2. THE ROLE OF SECURITY
3. TYPES OF SECURITY SESSIONS
4. SCOPE OF THE DOCUMENT
5. BASIC WAP SECURITY TESTING CONCEPTS
5.1 TYPES OF SECURE CONNECTIONS
5.1.1 Class 1: Anonymous Connection
5.1.2 Class 2: Server Authentication
5.1.3 Class 3: Client and Server Authentication
6 FEASIBILITY OF WAP SECURITY TESTING
7. ESTABLISHING WTLS CONNECTIONS
7.1 CLASS 1 WTLS CONNECTION
7.1.1 Settings to be made in the Gateway to establish WTLS connection
7.1.2 Settings to be made in the mobile to establish WTLS connection
7.2 CLASS 2 WTLS CONNECTION
7.2.1 Using Nokia Active Server Certificate Tool
7.2.2 Creating a CSR using Nokia Active Server Certificate Tool
7.2.3 Installing Signed Server Certificate created by a CA
7.2.4 Creating a Self-signed Server certificate
7.2.5 Ethereal trace for Client Hello Message in the WTLS session
7.2.6 Ethereal trace for Server Hello message in a WTLS session
8 ESTABLISHING TLS SECURE SESSIONS
8.1 PROCEDURE TO CREATE SERVER CERTIFICATES USING OPENSSL
8.2 CONFIGURING TLS SESSIONS
8.2.1 SSL directives in ModSSL (Apache)
8.2.3 Ethereal trace for Server Hello Message in a TLS session
9 ESTABLISHING SSL CONNECTIONS USING IIS SERVER
9.1 IMPORTING THE SERVER CERTIFICATE INTO THE CERTIFICATE CONSOLE
9.2 CREATING A SERVER CERTIFICATE FROM THE INTERNET
9.3 IMPORT THE CERTIFICATE INTO IIS
9.3 CHANGES TO BE MADE IN THE REGISTRY
9.4 ETHEREAL TRACES FOR CLIENT HELLO MESSAGE IN SSL SESSION
9.5 ETHEREAL TRACE FOR SERVER HELLO MESSAGE IN SSL SESSION
10 ABBREVIATED HANDSHAKE IN SECURE SESSIONS
10.1 CREATING ABBREVIATED HANDSHAKE SESSIONS
11 ABBREVIATIONS AND ACRONYMS

1. Introduction

Security has an obvious role to play in m-commerce and in the ability to secure transactions. Secure sessions provide reliability, privacy, integrity and non-repudiation for the data.

2. The Role of Security

Security is both an enabling and a disabling technology. Its purpose is to enable communications and transactions to take place in a secure environment without fear of compromise, while at the same time disabling non-legitimate activities and access to information and facilities. Non-legitimate activities include eavesdropping, pretending to be another party (also known as impersonation or spoofing), and tampering with data during transmission. Outside the digital environment these activities are generally either unacceptable or illegal, so in that sense security simply helps to enforce the status quo.

3. Types of Security Sessions

The types of secure session that can be established are WTLS, TLS and SSL. Security is checked either at the Gateway or at the Server, depending on the type of secure session that is established.

4. Scope of the document

This document describes in detail the procedures to be followed to establish secure WAP sessions using WTLS, TLS and SSL. It also describes how to create the various certificates and install them on the Gateway and Server machines. Ethereal traces and screen shots are provided for the WTLS, TLS and SSL connections to make the procedures clearer for the reader.

5. Basic WAP Security Testing Concepts

For WTLS sessions, the security configuration and settings are made on the machine (i.e. the PC) on which the Gateway is running. TLS and SSL sessions are established using the secure HTTP protocol, so for these sessions security is checked on the server machine. Some access configurations also place a proxy between the server and the client; FreeProxy is one such proxy tool.

Using this tool, various users and groups can be created and authentication requirements can be assigned to them. The kinds of authentication that can be tested are:

1. Basic authentication
In this mechanism, the user id and password are passed in the HTTP messages in 'clear text' after being encoded (not encrypted). Although the password cannot be read by simply looking at the message, anyone intent on breaking into the message can easily decode it with the right tool.

2. Digest authentication
This mechanism is more secure than Basic because it does not send the password in the message but rather a 'digest', a mathematical hash of the password computed with standard hashing algorithms. It would be extremely difficult for anyone to masquerade as the user or derive the password from the message.
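The following POSIX shell script is an added example, not part of the guideline document or of FreeProxy. It builds a Basic Authorization header and recovers the credentials from it with nothing but base64, then builds an RFC 2617 Digest header (the qop-less form, response = MD5(HA1:nonce:HA2)) for the same credentials and checks it the way a server would, by recomputing the response from its own copy of the password. The user id, password, realm, nonce and URI are constructed values.

```shell
#!/bin/sh
# Added example (not from the guideline document): why Basic authentication
# only encodes the password while Digest authentication sends a hash of it.
# All credential values below are constructed for the demonstration.
set -eu

USER_ID="tester"
PASSWORD="s3cret"
REALM="wap-gateway"
NONCE="dcd98b7102dd2f0e8b11d0f600bfb0c0"   # constructed server nonce
URI="/secure/index.wml"

md5hex() { printf '%s' "$1" | md5sum | cut -d' ' -f1; }

# RFC 2617 Basic: Authorization: Basic base64(user:password)
basic_header() { printf 'Basic %s' "$(printf '%s:%s' "$1" "$2" | base64)"; }

# Anyone holding a Basic header recovers "user:password" with base64 alone.
decode_basic() { printf '%s' "${1#Basic }" | base64 -d; }

# RFC 2617 Digest without qop:
#   HA1 = MD5(user:realm:password), HA2 = MD5(method:uri)
#   response = MD5(HA1:nonce:HA2)
# args: USER REALM PASSWORD NONCE METHOD URI
digest_response() {
  ha1=$(md5hex "$1:$2:$3")
  ha2=$(md5hex "$5:$6")
  md5hex "$ha1:$4:$ha2"
}

# The header carries the response hash, never the password itself.
# args: USER REALM PASSWORD NONCE METHOD URI
digest_header() {
  resp=$(digest_response "$1" "$2" "$3" "$4" "$5" "$6")
  printf 'Digest username="%s", realm="%s", nonce="%s", uri="%s", response="%s"' \
    "$1" "$2" "$4" "$6" "$resp"
}

# Server side: recompute the response from the stored password and compare.
# args: HEADER USER PASSWORD REALM NONCE METHOD URI
digest_verify() {
  got=$(printf '%s' "$1" | sed 's/.*response="\([0-9a-f]*\)".*/\1/')
  want=$(digest_response "$2" "$4" "$3" "$5" "$6" "$7")
  [ "$got" = "$want" ] && echo valid || echo invalid
}

hdr=$(basic_header "$USER_ID" "$PASSWORD")
echo "Basic header:  $hdr"
echo "Decoded again: $(decode_basic "$hdr")"
dh=$(digest_header "$USER_ID" "$REALM" "$PASSWORD" "$NONCE" GET "$URI")
echo "Digest header: $dh"
echo "Server check:  $(digest_verify "$dh" "$USER_ID" "$PASSWORD" "$REALM" "$NONCE" GET "$URI")"
```

Run it and compare the two headers: the Basic one decodes straight back to the password, the Digest one only lets a server that already knows the password (or HA1) confirm the response. This is why Basic authentication is acceptable only inside a TLS/SSL session.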

5.1 Types of secure Connections

5.1.1 Class 1: Anonymous Connection

In these connections the data is encrypted, but the communicating parties do not exchange their identities with each other. No certificates are exchanged between the client (mobile) and the server (content server). The sequence of steps that occurs in a Class 1 secure connection is:

ClientHello ----------->
            <----------- ServerHello
                         Certificate
                         ServerHelloDone

                         ServerHello
                         Certificate
                         CertificateRequest
                         ServerHelloDone

x509 -req -days 365 -CA \certs\cacert.pem -CAkey \certs\cakey.key -CAcreateserial -in \certs\clientcsr.csr -extfile \certs\clientext.txt -out \certs\clientcert.pem
- Enter the passphrase used to protect the CA's key.

5. Convert the client's key and certificate into PKCS#12 format:
- OpenSSL> pkcs12 -export -clcerts -in \certs\clientcert.pem -inkey \certs\clientkey.key -out \certs\clientpkcs12.pfx
- Enter the passphrase used to protect the client's key.
- Enter a complex export passphrase, and enter it again to confirm.

8.2 Configuring TLS sessions

To establish TLS sessions, Apache should be running on the Server machine and httpd.conf should be configured to cater for the needs and prerequisites of the test cases. The directive LoadModule ssl_module modules/mod_ssl.so must be enabled in order to allow SSL/TLS sessions on Apache.

8.2.1 SSL directives in ModSSL (Apache)

SSLProtocol
This directive names the SSL protocol versions Apache may use to establish SSL sessions.
Eg: SSLProtocol ALL
This enables all the protocols available in OpenSSL, and the protocol with the highest priority will be used. When all the protocols are enabled, Apache uses the latest protocol; hence the TLS protocol will be used and TLS sessions will be established.

SSLCipherSuite
This directive describes the cipher suites that may be used for establishing SSL sessions.
Eg: SSLCipherSuite ALL
Indicates that all the cipher suites can be used to establish secure sessions. To use only a particular cipher suite while establishing the sessions, use, for example, SSLCipherSuite RSA-RC4-MD5 (Key Exchange - Encryption - Integrity). The components of a cipher suite are:
- Key Exchange Algorithm: RSA or Diffie-Hellman variants.
- Authentication Algorithm: RSA, Diffie-Hellman, DSS or none.
- Cipher/Encryption Algorithm: DES, Triple-DES, RC4, RC2, IDEA or none.
- MAC Digest Algorithm: MD5, SHA or SHA1.

SSLSessionCache
This directive describes the type of the global/inter-process SSL Session Cache.
Example: SSLSessionCache none
Disables the global/inter-process Session Cache.
Example: SSLSessionCache dbm:/usr/local/apache/logs/ssl_gcache_data
Enables the Session Cache and gives the location where the cache file will be stored.

SSLVerifyClient
This directive sets the Certificate verification level for Client Authentication. The following levels are available:
- none: no client Certificate is required at all
- optional: the client may present a valid Certificate
- require: the client has to present a valid Certificate
- optional_no_ca: the client may present a valid Certificate, but it need not be (successfully) verifiable

SSLSessionCacheTimeout
This directive sets the timeout in seconds for the information stored in the global/inter-process SSL Session C
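The script below is an added example, not part of the guideline document, OpenSSL or Apache. It carries the section 8.1 OpenSSL procedure through end to end on current OpenSSL command syntax (CA key and certificate, server and client CSRs signed with x509 -req -CA/-CAkey/-CAcreateserial/-extfile, PKCS#12 export of the client credential), verifies the result against the CA, and then writes a mod_ssl fragment built from the section 8.2.1 directives. The CA name, the host name wap.example.test, the user name and both passphrases are constructed; the interactive passphrase prompts of the original procedure are replaced by -passin/-passout so the script runs unattended. Where the page selects RSA-RC4-MD5 (OpenSSL name RC4-MD5), the fragment uses HIGH:!aNULL:!MD5:!RC4 instead, and `openssl ciphers` is used to confirm that this string selects no RC4 or MD5 suite.

```shell
#!/bin/sh
# Added example (not from the guideline document): section 8.1 certificate
# procedure plus a mod_ssl fragment using the section 8.2.1 directives.
# Names, host name and passphrases are constructed values.
set -eu

CA_PASS="ca-secret"          # passphrase protecting the CA's key
EXPORT_PASS="export-secret"  # PKCS#12 export passphrase

make_test_pki() {            # $1 = directory that receives all files
  d=$1
  # 1. CA key (AES-256 protected) and self-signed CA certificate
  openssl genrsa -aes256 -passout "pass:$CA_PASS" -out "$d/cakey.key" 2048 2>/dev/null
  openssl req -new -x509 -days 365 -key "$d/cakey.key" -passin "pass:$CA_PASS" \
    -subj "/CN=Test WAP CA" -out "$d/cacert.pem"
  # 2. server key, CSR, extension file and CA-signed server certificate
  openssl genrsa -out "$d/serverkey.key" 2048 2>/dev/null
  openssl req -new -key "$d/serverkey.key" -subj "/CN=wap.example.test" -out "$d/servercsr.csr"
  printf 'extendedKeyUsage = serverAuth\nsubjectAltName = DNS:wap.example.test\n' > "$d/serverext.txt"
  openssl x509 -req -days 365 -CA "$d/cacert.pem" -CAkey "$d/cakey.key" -passin "pass:$CA_PASS" \
    -CAcreateserial -in "$d/servercsr.csr" -extfile "$d/serverext.txt" -out "$d/servercert.pem" 2>/dev/null
  # 3. client key, CSR, extension file and CA-signed client certificate
  #    (needed once SSLVerifyClient is set to require)
  openssl genrsa -out "$d/clientkey.key" 2048 2>/dev/null
  openssl req -new -key "$d/clientkey.key" -subj "/CN=tester" -out "$d/clientcsr.csr"
  printf 'extendedKeyUsage = clientAuth\n' > "$d/clientext.txt"
  openssl x509 -req -days 365 -CA "$d/cacert.pem" -CAkey "$d/cakey.key" -passin "pass:$CA_PASS" \
    -CAcreateserial -in "$d/clientcsr.csr" -extfile "$d/clientext.txt" -out "$d/clientcert.pem" 2>/dev/null
  # 4. client key + certificate as PKCS#12 for import into the client device
  openssl pkcs12 -export -clcerts -in "$d/clientcert.pem" -inkey "$d/clientkey.key" \
    -out "$d/clientpkcs12.pfx" -passout "pass:$EXPORT_PASS"
}

# Prints OK when the certificate chains to cacert.pem, FAIL otherwise.
verify_cert() {
  openssl verify -CAfile "$1/cacert.pem" "$1/$2" >/dev/null 2>&1 && echo OK || echo FAIL
}

# Prints the extended key usage of a certificate, e.g. "TLS Web Client Authentication".
cert_eku() {
  openssl x509 -in "$1/$2" -noout -text | grep -A1 'Extended Key Usage' | tail -n 1 | sed 's/^ *//'
}

# Number of suites selected by an SSLCipherSuite string that still use RC4 or MD5.
# mod_ssl hands the string to OpenSSL, so `openssl ciphers` shows exactly what it selects.
weak_ciphers_in() {
  openssl ciphers "$1" | tr ':' '\n' | grep -c -E 'RC4|MD5' || true
}

# mod_ssl fragment: the section 8.2.1 directives with a hardened cipher string.
# The page's "SSLCipherSuite RSA-RC4-MD5" (RC4-MD5) pins a suite now regarded as weak.
write_modssl_conf() {        # $1 = PKI directory, $2 = output file
  cat > "$2" <<EOF
LoadModule ssl_module modules/mod_ssl.so
SSLSessionCache        dbm:/usr/local/apache/logs/ssl_gcache_data
SSLSessionCacheTimeout 300
<VirtualHost _default_:443>
    SSLEngine              on
    SSLProtocol            all -SSLv2 -SSLv3
    SSLCipherSuite         HIGH:!aNULL:!MD5:!RC4
    SSLCertificateFile     $1/servercert.pem
    SSLCertificateKeyFile  $1/serverkey.key
    SSLCACertificateFile   $1/cacert.pem
    SSLVerifyClient        require
</VirtualHost>
EOF
}

work=$(mktemp -d)
make_test_pki "$work"
write_modssl_conf "$work" "$work/ssl.conf"
echo "server cert: $(verify_cert "$work" servercert.pem), EKU: $(cert_eku "$work" servercert.pem)"
echo "client cert: $(verify_cert "$work" clientcert.pem), EKU: $(cert_eku "$work" clientcert.pem)"
echo "RC4/MD5 suites selected by the hardened SSLCipherSuite: $(weak_ciphers_in 'HIGH:!aNULL:!MD5:!RC4')"
echo "mod_ssl fragment written to $work/ssl.conf"
```

The extension files are what give the two certificates their purpose (serverAuth with a subjectAltName for the server, clientAuth for the client); without them a certificate signed this way carries no key usage and current clients reject it for TLS. Keeping the CA key passphrase-protected while the server and client keys stay unencrypted matches the trust split in the page's procedure: the CA key signs everything and should be the hardest one to use.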