Download MIDP Application Security

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
Document related concepts

Dependency injection wikipedia , lookup

Java performance wikipedia , lookup

Application Interface Specification wikipedia , lookup

Transcript 
MIDP Application Security
Ying Hong
Wireless Security
Spring 2003
Contents

Introduction to MIDP

Overview of TLS

Samples

Current Research Status
5/24/2017
MIDP Application Security
2
Introduction To MIDP

What is MIDP


An approach to develop wireless applications.
The MIDlet structure



It extends MIDlet.
It Has startApp(), parseApp(), and destroyApp().
It may have commandAction() if it implements
CommandListener.
5/24/2017
MIDP Application Security
3
Introduction To MIDP

MIDP 1.0


MIDP 2.0


MIDP 1.0 provides a standards APIs.
MIDP 2.0 provides several new features, including secure
networking.
Extended Network Connectivity

Connection using the HTTPS and SSL/TLS protocols.
5/24/2017
MIDP Application Security
4
Overview of TLS

What is TLS




TLS is an updated version of the SSLv3 protocol.
They are protocols enabling authentication and data
encryption over insecure networks.
They are implemented layer b/w TCP/IP and higherlevel network protocols.
One of the strengths of TLS is that it operates directly
on top of TCP/IP sockets.
5/24/2017
MIDP Application Security
5
Overview of TLS

How does it work – handshake
Step 1
client_hello
server_hello
certificate
(certificate_request)
server_hello_done
Client
Step 3
(certificate)
client_key_exchange
(certificate_verify)
change_cipher_spec
finished
change_cipher_spec
finished
5/24/2017
Step 2
MIDP Application Security
Server
Step 4
6
Overview of TLS

Step1

client_hello





5/24/2017
The SSL versions supported by the client
32 bytes of random data that the client creates
A session ID that it makes up
A list of supported ciphers
A list of supported compression methods
MIDP Application Security
7
Overview of TLS

Step2

server_hello





5/24/2017
The SSL version the server selects from the client’s list;
32 bytes of random data that the server creates;
The session ID;
The ciphers chosen from the client’s list;
The compression method selected.
MIDP Application Security
8
Overview of TLS

Step 2 (cont.)

server’s certificate



request for client’s certificate


It’s an X.509 certificate signed by a certificate authority.
It includes server’s public key.
It’s not required.
server_hello_done

5/24/2017
It indicates communication is finished.
MIDP Application Security
9
Overview of TLS

Step3

client’s certificate, if server required it


client_key_exchange



It’s a client’s X.509 certificate.
It’s 48 bytes of random data.
It’s encrypted using server’s public key.
ceritificate_verify, if client’s certificate is sent

5/24/2017
Hashed messages and signed using client’s private key.
MIDP Application Security
10
Overview of TLS

Step 3 (cont.)

change_cipher_spec


Finished


It’s an indication that future communication will be encrypted.
It’s encrypted with the session key and including a MAC for
integrity.
Step4

change_cipher_spec


Server’s indication about future secured communication.
Finished
5/24/2017
MIDP Application Security
11
Overview of TLS

Algorithms used in handshake

Key exchange
RSA, Fixed Diffie-Hellman, Ephemeral Diffie-Hellman,
Anonymous Diffie-Hellman, Fortezza

Ciphers
RC4, 3DES, IDEA, Fortezza, DES, DES40, RC2

MAC (message authentication code)
MD5, SHA
5/24/2017
MIDP Application Security
12
Samples

Sample 1: Creating a secure connection and getting
information about the secure connection.

Create secure connection:


Javax.microedition.io.HttpsConnection
Get information about the secure connection


Get an instance of SecurityInfo using getSecurityInfo()
SecurityInfo provides:
getProtocolName()
getProtocolVersion()
getCipherSuite()
getServerCertificate() (return a Certificate object)
5/24/2017
MIDP Application Security
13
Samples

Sample 1



Code of HttpsExample
Screen snapshots of running HttpsExample
Question left:

5/24/2017
Since HttpsConnection takes care of all secure action explained
in TLS handshake, then how the server side code is
implemented?
MIDP Application Security
14
Samples

Sample 2

JSSE (Java Secure Sockets Extension)



An API for using SSL in Java
A reference implementation of that API
Installing JSSE

5/24/2017
Read installing_jsse.txt to learn how to install JSSE or read
chapter 9 in Professional Java Security by Jess Garms and
Daniel Somerfield.
MIDP Application Security
15
Samples

Sample 2: creating a pair of https server and client

Coding HTTPSServer


Create server socket through
javax.net.ssl.SSLServerSocketFactory
Running HTTPSServer:


5/24/2017
Create a certificate and private key to the SSL server with
keytool.
Set two system properties: keyStore and keyStorePassword in
command line or coding it in the program.
MIDP Application Security
16
Samples

Sample 2:


Coding HTTPSClient
Running HTTPSClient


Authentication and encryption will be done transparently.
Question left:

5/24/2017
Find the corresponding implementation in MIDP 2.0, especially
server side coding.
MIDP Application Security
17
Samples

Sample 3: SSL socket example instead of HTTPS



Coding SSLSocketServer
Coding SSLSocketClient
Difference between SSL socket and plain socket

5/24/2017
Underlying SSLSocket implementation will take care of
authentication of the server and encryption of the data
transmitted.
MIDP Application Security
18
Current Research Status

What we know:




How to connect a server which support HTTPS.
How to build a server supporting HTTPS in java
application.
How to build a server and client over SSL layer in java
application.
What we need to search:


How to build a server supporting HTTPS in servlet?
Is it possible to rewrite HTTPSClient (in sample 2) in
MIDP and still make sample working?
5/24/2017
MIDP Application Security
19
References










“MIDP Application Security 2: Understanding SSL and TLS”,
http://wireless.java.sun.com/midp/articles/security2
“MIDP Application Security 3: Authentication in MIDP”,
http://wireless.java.sun.com/midp/articles/security3
“Wireless Application Programming”,
http://wireless.java.sun.com/midp/articles/getstart
“Introduction to Wireless Technologies”,
http://wireless.java.sun.com/getstart/articles/intro
“J2ME MIDP and WAP complementary technologies”,
http://wireless.java.sun.com/midp/articles/midpwap
“What’s new in MIDP 2.0”, http://wireless.java.sun.com/midp/articles/midp20
“SSL, and TLS page”, http://www3.tsl.uu.se/~micke/ssl_links.html
“Programming Wireless Devices Samples”,
http://java.sun.com/docs/books/j2mewireless/examples/README.html
“Introducing MIDP 2.0”,
http://www.onjava.com/pub/a/onjava/2002/12/18/midp.html
“Professional Java Security”, Jess Garms and Daniel Somerfield, ISBN:
1861004257
5/24/2017
MIDP Application Security
20
Related documents
Configurations
Configurations
Java ME Exercises Student Book
Java ME Exercises Student Book
Overview of Java
Overview of Java
Enhanced mobile services in Java enabled phones
Enhanced mobile services in Java enabled phones
Development of applications for embedded devices is a daunting
Development of applications for embedded devices is a daunting
Association for Molecular Pathology Certificate of
Association for Molecular Pathology Certificate of
Webinar - Association for Molecular Pathology
Webinar - Association for Molecular Pathology
This was my first publication
This was my first publication
Instructor Rubric for Presentations
Instructor Rubric for Presentations
Java on Wireless Devices (J2ME)
Java on Wireless Devices (J2ME)
WWW Lab1
WWW Lab1
Document
Document