WAP Security Testing - Guidelines

Published on 23-Nov-2014

GUIDELINE DOCUMENT FOR WAP SECURITY TESTING

1. INTRODUCTION
2. THE ROLE OF SECURITY
3. TYPES OF SECURITY SESSIONS
4. SCOPE OF THE DOCUMENT
5. BASIC WAP SECURITY TESTING CONCEPTS
   5.1 TYPES OF SECURE CONNECTIONS
       5.1.1 Class 1: Anonymous Connection
       5.1.2 Class 2: Server Authentication
       5.1.3 Class 3: Client and Server Authentication
6. FEASIBILITY OF WAP SECURITY TESTING
7. ESTABLISHING WTLS CONNECTIONS
   7.1 CLASS 1 WTLS CONNECTION
       7.1.1 Settings to be made in the Gateway to establish WTLS connection
       7.1.2 Settings to be made in the mobile to establish WTLS connection
   7.2 CLASS 2 WTLS CONNECTION
       7.2.1 Using Nokia Active Server Certificate Tool
       7.2.2 Creating a CSR using Nokia Active Server Certificate Tool
       7.2.3 Installing Signed Server Certificate created by a CA
       7.2.4 Creating a Self-signed Server certificate
       7.2.5 Ethereal trace for Client Hello Message in the WTLS session
       7.2.6 Ethereal trace for Server Hello message in a WTLS session
8. ESTABLISHING TLS SECURE SESSIONS
   8.1 PROCEDURE TO CREATE SERVER CERTIFICATES USING OPENSSL
   8.2 CONFIGURING TLS SESSIONS
       8.2.1 SSL directives in ModSSL (Apache)
       8.2.3 Ethereal trace for Server Hello Message in a TLS session
9. ESTABLISHING SSL CONNECTIONS USING IIS SERVER
   9.1 IMPORTING THE SERVER CERTIFICATE INTO THE CERTIFICATE CONSOLE
   9.2 CREATING A SERVER CERTIFICATE FROM THE INTERNET
   9.3 IMPORT THE CERTIFICATE INTO IIS
   9.3 CHANGES TO BE MADE IN THE REGISTRY
   9.4 ETHEREAL TRACES FOR CLIENT HELLO MESSAGE IN SSL SESSION
   9.5 ETHEREAL TRACE FOR SERVER HELLO MESSAGE IN SSL SESSION
10. ABBREVIATED HANDSHAKE IN SECURE SESSIONS
   10.1 CREATING ABBREVIATED HANDSHAKE SESSIONS
11. ABBREVIATIONS AND ACRONYMS

1. Introduction

Security has an obvious role to play with regard to m-commerce and the ability to secure transactions. Secure sessions provide reliability, privacy, integrity and non-repudiation for the data.

2. The Role of Security

Security is both an enabling and a disabling technology. Its purpose is to enable communications and transactions to take place in a secure environment without fear of compromise, while at the same time disabling non-legitimate activities and access to information and facilities. Non-legitimate activities include eavesdropping, pretending to be another party (also known as impersonation or spoofing), or tampering with data during transmission. In general these activities are either unacceptable or illegal outside of the digital environment, so in that sense security simply helps to enforce the status quo.

3. Types of Security Sessions

The different types of secure sessions that can be established are WTLS, TLS and SSL. Security can be checked either at the Gateway or at the Server, depending on the type of secure session that is established.

4. Scope of the document

This document describes in detail the procedures to be followed to establish secure WAP sessions using WTLS, TLS and SSL. It also describes how to create the various certificates and install them on the Gateway and Server machines. Ethereal traces and screen shots are provided for the WTLS, TLS and SSL connections for clarity.

5. Basic WAP Security Testing Concepts

For WTLS sessions, the security configuration and settings should be made on the machine (i.e. the PC) on which the Gateway is running. TLS and SSL sessions are established using the secure HTTP protocol; for these sessions, security should be checked on the server machine. Some access configurations also use a proxy between the Server and the client. FreeProxy is one such proxy tool.

Using this tool, various users and groups can be created and authentication can be configured for them. The kinds of authentication that can be tested are:

1. Basic authentication. In this mechanism, the user id and password are passed in the HTTP messages in 'clear text' after being encoded (not encrypted). Although the password cannot be read by simply looking at the message, it can easily be decoded with the right tool by anyone intent on breaking into the message.

2. Digest authentication. This mechanism is more secure than Basic as it does not send the password in the message but rather a 'digest', a mathematical hash of the password computed with standard hashing algorithms. It would be extremely difficult for anyone to masquerade or derive the password from the message.
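To make the difference between the two mechanisms concrete when reading a capture, here is an added example (not part of the original guideline) that builds the Authorization header each scheme puts on the wire, using constructed credentials, realm and nonce; the Digest computation follows the RFC 2617 formula without qop, which the guideline does not spell out.

```python
import base64
import hashlib

def md5hex(s):
    """Hex MD5 of a string; Digest auth (RFC 2617) is defined over MD5."""
    return hashlib.md5(s.encode()).hexdigest()

def basic_header(user, password):
    """Build an Authorization: Basic header; base64 is encoding, not encryption."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def decode_basic(header):
    """Recover (user, password) from a Basic header: no key or secret is needed,
    which is why the text calls it clear text."""
    scheme, token = header.split(" ", 1)
    if scheme != "Basic":
        raise ValueError("not a Basic header")
    user, password = base64.b64decode(token).decode().split(":", 1)
    return user, password

def digest_response(user, realm, password, method, uri, nonce):
    """RFC 2617 Digest without qop: response = MD5(HA1:nonce:HA2), where
    HA1 = MD5(user:realm:password) and HA2 = MD5(method:uri).  Only the
    hash travels; the password itself never leaves the client."""
    ha1 = md5hex(f"{user}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")

def digest_header(user, realm, password, method, uri, nonce):
    """Build the Authorization: Digest header a client would send."""
    resp = digest_response(user, realm, password, method, uri, nonce)
    return (f'Digest username="{user}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", response="{resp}"')

if __name__ == "__main__":
    # Constructed credentials and nonce; shows what a capture of each scheme contains.
    basic = basic_header("alice", "s3cret")
    print(basic, "->", decode_basic(basic))      # password recovered by decoding
    digest = digest_header("alice", "testrealm", "s3cret", "GET", "/secure", "abc123")
    print(digest, "->", "s3cret" in digest)      # False: only a hash is sent
```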

5.1 Types of secure Connections

5.1.1 Class 1: Anonymous Connection

In these connections the data is encrypted, but the communicating parties do not exchange their identities with each other: no certificates are exchanged between the client (mobile) and the server (content server). The sequence of steps that occur in a Class 1 secure connection is:

    ClientHello      ----------->
                     <-----------    ServerHello
                                     Certificate
                                     ServerHelloDone

                     <-----------    ServerHello
                                     Certificate
                                     CertificateRequest
                                     ServerHelloDone

- OpenSSL> x509 -req -days 365 -CA \certs\cacert.pem -CAkey \certs\cakey.key -CAcreateserial -in \certs\clientcsr.csr -extfile \certs\clientext.txt -out \certs\clientcert.pem
- Enter the passphrase used to protect the CA's key.

5. Convert the client's key and certificate into PKCS#12 format:
- OpenSSL> pkcs12 -export -clcerts -in \certs\clientcert.pem -inkey \certs\clientkey.key -out \certs\clientpkcs12.pfx
- Enter the passphrase used to protect the client's key.
- Enter a complex export passphrase, and enter it again to confirm.

8.2 Configuring TLS sessions

To establish TLS sessions, Apache should be running on the Server machine and httpd.conf should be configured to cater for the various needs and prerequisites of the test cases. The directive LoadModule ssl_module modules/mod_ssl.so must be enabled in order to allow SSL/TLS sessions on Apache.

8.2.1 SSL directives in ModSSL (Apache)

SSLProtocol
This directive sets the SSL protocol versions Apache may use to establish SSL sessions.
Example: SSLProtocol ALL
Enables all the protocols available in OpenSSL; the protocol with the highest priority is used. When all protocols are enabled, Apache uses the latest one, so the TLS protocol is used and TLS sessions are established.

SSLCipherSuite
This directive sets the cipher suites used for establishing SSL sessions.
Example: SSLCipherSuite ALL
Indicates that all cipher suites may be used to establish secure sessions. To use only a particular cipher suite while establishing the sessions, name it explicitly, for example SSLCipherSuite RSA-RC4-MD5 (Key Exchange - Encryption - Integrity). The components a cipher suite can be built from are:
- Key Exchange Algorithm: RSA or Diffie-Hellman variants.
- Authentication Algorithm: RSA, Diffie-Hellman, DSS or none.
- Cipher/Encryption Algorithm: DES, Triple-DES, RC4, RC2, IDEA or none.
- MAC Digest Algorithm: MD5, SHA or SHA1.

SSLSessionCache
This directive sets the type of the global/inter-process SSL session cache.
Example: SSLSessionCache none
Disables the global/inter-process session cache.
Example: SSLSessionCache dbm:/usr/local/apache/logs/ssl_gcache_data
Enables the session cache and sets the location where the cache file is stored.

SSLVerifyClient
This directive sets the certificate verification level for client authentication. The available levels are:
- none: no client certificate is required at all
- optional: the client may present a valid certificate
- require: the client has to present a valid certificate
- optional_no_ca: the client may present a valid certificate, but it need not be (successfully) verifiable

SSLSessionCacheTimeout
This directive sets the timeout in seconds for the information stored in the global/inter-process SSL session cache and the SSLeay internal memory cache.
Example: SSLSessionCacheTimeout 600

SSLLog
This directive sets the name of the dedicated SSL engine log file.
Example: SSLLog logs/SSL.log
Example: SSLLog none
No log file is created for the SSL engine.

SSLLogLevel
This directive sets the verbosity of the dedicated SSL protocol engine log file:
- none: no dedicated SSL logging is done, but messages of level "error" are still written to the general Apache error log file.
- error: log messages of error type only, i.e. messages which show fatal situations (processing is stopped). These messages are also duplicated to the general Apache error log file.
- warn: also log warning messages, i.e. messages which show non-fatal problems (processing continues).
- info: also log informational messages, i.e. messages which show major processing steps.
- trace: also log trace messages, i.e. messages which show minor processing steps.
- debug: also log debugging messages, i.e. messages which show development and low-level I/O information.

SSLCertificateChainFile
This directive points to the SSL certificate chain file.
Example: SSLCertificateChainFile "C:/Apache/conf/ssl.crt/ca.crt"
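As an added example, not from the original guideline, the following script audits a constructed httpd.conf fragment for the directives listed above, decomposing SSLCipherSuite names into the key-exchange/encryption/integrity parts the text describes; the weak/strong classification is the editor's, based on current practice, not the guideline's.

```python
import re

# Token classes for the three-part suite naming used above (Key Exchange -
# Encryption - Integrity), e.g. RSA-RC4-MD5; the WEAK_* sets are the editor's.
KEX = {"RSA", "DH", "DHE", "EDH", "ADH", "ECDH", "ECDHE"}
ENC = {"DES", "3DES", "RC4", "RC2", "IDEA", "AES128", "AES256", "NULL"}
MAC = {"MD5", "SHA", "SHA1", "SHA256", "SHA384"}
WEAK_ENC = {"DES", "RC4", "RC2", "NULL"}  # broken, export-grade or no encryption
WEAK_MAC = {"MD5"}                         # collision-prone digest

def split_suite(name):
    """Return (key_exchange, encryption, mac) for one OpenSSL suite name."""
    toks = name.upper().replace("DES-CBC3", "3DES").split("-")
    kex = next((t for t in toks if t in KEX), "RSA")  # OpenSSL omits implicit RSA
    enc = next((t for t in toks if t in ENC), None)
    mac = next((t for t in toks if t in MAC), None)
    return kex, enc, mac

def audit(conf, client_auth_expected=False):
    """Return findings for the mod_ssl directives in an httpd.conf string.
    Set client_auth_expected for test cases that require client certificates."""
    findings = []
    for line in conf.splitlines():
        m = re.match(r"(SSL\w+)\s+(.+)", line.split("#", 1)[0].strip())
        if not m:
            continue
        name, value = m.group(1), m.group(2).strip().strip('"')
        if name == "SSLProtocol" and value.upper() == "ALL":
            findings.append("SSLProtocol ALL also enables legacy SSLv3 (and SSLv2 on old builds)")
        elif name == "SSLCipherSuite" and value.upper() == "ALL":
            findings.append("SSLCipherSuite ALL accepts every suite OpenSSL offers")
        elif name == "SSLCipherSuite":
            for suite in value.split(":"):
                kex, enc, mac = split_suite(suite)
                if enc in WEAK_ENC or mac in WEAK_MAC:
                    findings.append(f"weak suite {suite}: {kex}/{enc}/{mac}")
        elif name == "SSLVerifyClient" and client_auth_expected and value != "require":
            findings.append(f"SSLVerifyClient {value}: client certificate not enforced")
        elif name == "SSLSessionCache" and value == "none":
            findings.append("SSLSessionCache none: no session resumption across worker processes")
    return findings

# Constructed httpd.conf fragment using the permissive example values above.
WEAK_CONF = """SSLProtocol ALL
SSLCipherSuite RSA-RC4-MD5:DHE-RSA-AES256-SHA
SSLVerifyClient none
SSLSessionCache none"""
```

Running audit(WEAK_CONF, client_auth_expected=True) reports all four directives; the same fragment with SSLProtocol all -SSLv2 -SSLv3, a single AES suite, SSLVerifyClient require and a dbm session cache is reported clean.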

Access a page from the server (with TLS configured). The TLS session is established and the page is loaded into the EUT.

8.2.2 Ethereal trace for Client Hello message in a TLS session

In the Ethereal trace under the Secure Sockets Layer, the record layer for the Client hello message is shown as TLS Record Layer.

8.2.3 Ethereal trace for Server Hello Message in a TLS session

Once the secure session is established, look at the Page information in the mobile. The Algorithms field should list TLS, indicating that the secure session was created using the TLS protocol.

The Certificates dialog has Server and Client tabs.

The Server tab displays the server certificate information, whereas the Client tab displays the text "User anonymous".

9 Establishing SSL connections using IIS server

To establish SSL sessions, an SSL server certificate must be generated and imported into the server. The SSL server certificate can be obtained in two ways:

1. Create an SSL server certificate using OpenSSL commands and import it into the IIS server.
2. Create a certificate request, process it, create a server certificate and install it into the IIS server.

Use the OpenSSL commands mentioned above to create the SSL server certificates and their keys.

9.1 Importing the server certificate into the Certificate console

1. On the IIS server machine, click the Start button, select Run and type mmc (Microsoft Management Console).
2. Click Console and select Add/Remove Snap-in.
3. Select Add, select Certificates from the Add Standalone Snap-in box and click Add.
4. Select Computer Account from the Certificates Snap-in and click Finish.
5. Close the Add Standalone Snap-in box and click OK in the Add/Remove Snap-in dialog.
6. Expand the Certificates entry in the MMC, right-click Trusted Root Authorities, select All Tasks, then Import.
7. Using the Import wizard, import the certificate into the Certificates console.

Import the server certificate into the Personal store as well. Now open the IIS server, right-click on it and select the Properties option. Open Directory Security and tap the Server Certificate button. Select the option Assign an existing certificate and tap Next. The certificates available for installation in the IIS server are listed. Select the newly created certificate and tap Next.

Once the certificate is installed, select the directory for which the security settings are to be made, open the Properties option for this directory and enable SSL connections.

Once this is done, the user will be able to establish secure sessions with the IIS server.

9.2 Creating a server certificate from the Internet

Request a certificate for a web server. Before you can use SSL, you have to first install a certificate on your IIS web server.

1. In IIS, right-click on the site you want to secure.
2. Select Properties. The Website Properties dialog is shown.
3. Select the Directory Security tab and click on Server Certificate. The Welcome to Web Server Certificate Wizard dialog is shown.
4. Click Next and select Create a New Certificate.
5. Select Prepare the Request Now, But Send It Later and click Next.
6. Type a name for the certificate and the bit length, and then click Next.
7. Type your organizational name and organizational unit in the boxes provided and click Next.
8. Enter your Web server name and click Next.
9. In the next dialog box, provide some geographical information and click Next.
10. Enter the location and the name for the certificate request and then click Next.
11. Verify the information and click Next, and then click Finish.
12. Open the Certificate Wizard again and choose to submit the created certificate request.
13. Open the certificate request file you created previously, copy and paste its contents into the form provided, and click Submit.
14. In the Administrative Tool folder,...