wtls.xml

The Kannel Open Source WAP and SMS gateway works as both an SMS gateway, for implementing keyword b

</title>

				<para>
				Alligata Secure supports all three WTLS implementation classes.
</para>
			</section>
			<section>
				<title>3.2.2 Supported Digital Certificate Formats
</title>
				<para>Alligata Secure supports both X.509 and WTLS certificates. Note, however, that X.509 certificates are not currently supported by WAP client devices.
</para>
			</section>
			<section>
				<title>3.2.3 Supported Encryption Algorithms
</title>
				<para>Alligata Secure supports asymmetric keys generated by the RSA alogorithm and symmetric keys generated by the MC5 algorithm. [check]
</para>
			</section>
		</section>
		<section>
			<title>3.3 End-to-End Mobile Internet Security 
</title>
			<para>As we have seen, WTLS provides security between the client device and the WAP gateway. Most secure Mobile Internet transactions will also require security between the WAP gateway and the HTTP server. This can be implemented using one of two arrangements:
</para>
			<itemizedlist>
				<listitem>
					<para>SSL can be used between the gateway and the HTTP server. This method presents a very slight security risk, because data is momentarily held unencrypted inside the gateway (a phenonmenon known as the &apos;WAP Gap&apos;). It is therefore important that administrative access to the gateway is strictly limited, that the relationship between the gateway host and the content provider is strong and trusting, and that the decrypted data is never stored outside the gateway&apos;s memory. This set-up is not recommended for operations requiring guaranteed security, such as online banking.
</para>
				</listitem>
				<listitem>
					<para>The gateway can be hosted by the content provider and placed behind the content provider&apos;s firewall. This set-up obviates both the &apos;WAP Gap&apos; and the need for SSL between the gateway and the HTTP server. The content provider can, if they want, act as an Internet service provider (ISP) to the whole of the Mobile Internet, once the secure transaction is over. Alternatively, the content provider can close the secure WAP connection after the secure transaction has taken place, in which case the client user must dial in to their usual gateway in order to view other WAP sites.
</para>
				</listitem>
			</itemizedlist>
			<para>Figure 10 outlines a secure Mobile Internet transaction of the second type, with the WAP gateway behind the content provider&apos;s firewall. Abigail is now the user of a WAP client device, communicating with Brian via the WAP gateway.</para>
			<mediaobject>
				<imageobject>
					<imagedata fileref="fig6out1&figtype;">
				</imageobject>
				<caption>
					<para>Figure 10: WTLS transaction, with the WAP gateway hosted by the content provider
</para>
				</caption>
			</mediaobject>
		</section>
	</chapter>
	<chapter>
		<title>4  Using Alligata Secure with OpenSSL</title>
		<para>NOTE: THIS SECTION IS INCOMPLETE AND IN PLACES INACCURATE. IT MAY, HOWEVER, BE USABLE AS THE BASIS FOR THE DOCUMENTATION FOR THE SECURE VERSION OF [KANNEL], WHEN THE LATTER IS RELEASED.</para>
		<para>Alligata Secure is supplied with the OpenSSL open source software toolkit. OpenSSL includes a library of general purpose security functions that you can use in conjunction with Alligata Secure to implement secure Mobile Internet services. OpenSSL enables you to:
</para>
		<itemizedlist>
			<listitem>
				<para>create symmetric or asymmetric keys
</para>
			</listitem>
			<listitem>
				<para>create [digital certificates]
</para>
			</listitem>
			<listitem>
				<para>encrypt messages
</para>
			</listitem>
			<listitem>
				<para>calculate message digests
</para>
			</listitem>
		</itemizedlist>
		<para>Of OpenSSL&apos;s features, creation of symmetric keys, message encryption and digest calculation are incorporated into the Alligata Secure software. You can customise them by changing the configuration variables described in Section 4.X. Before you do anything else, however, you must create an asymmetric key pair.
</para>
		<section>
			<title>4.1 Creating an Asymmetric Key Pair
</title>
			<para>An asymmetric key pair is required for WTLS connections between a WAP gateway and client devices (see Section 3). Alligata Secure supports keys generated by the RSA algorithm.
</para>
			<para>The following instructions show you how to create an RSA key pair using OpenSSL. Many additional options are also available: see the OpenSSL man pages (in particular openssl and genrsa) for details.
</para>
<FormalPara><Title>To create an asymmetric key pair:</Title>
<para>
			<orderedlist inheritnum="ignore" continuation="restarts">
				<listitem>
					<para>Create three or four files containing random data. You can do this by using the command
</para>
					<para>
						<userinput moreinfo="none">echo <replaceable>random_string </replaceable>&gt;<replaceable> file_name</replaceable></userinput>
					</para>
					<para>for each file.
</para>
					<para>For example:</para>
					<para>
						<userinput moreinfo="none">echo ;st509tjjm[4t#~{sa{)8EHjhjOSFOhoij &gt; rand1.txt
</userinput>
					</para>
					<para>These files will be used, together with the random data file $HOME/.rnd, to generate the key pair.
</para>
				</listitem>
				<listitem>
					<para>Type
</para>
					<para>
						<userinput moreinfo="none">openssl genrsa -rand <replaceable>random_data_files</replaceable> -out <replaceable>output_file -storage_encryption_algorithm</replaceable> -passout <replaceable>password_source</replaceable>
</userinput>
					</para>
					<variablelist>
						<title>Notes:
</title>
						<varlistentry>
							<term><userinput><replaceable>random_data_file:</replaceable></userinput></term>
							<listitem>
								<para>the file names should be separated by colons :.
</para>
							</listitem>
						</varlistentry>
						<varlistentry>
							<term><userinput><replaceable>output_file:</replaceable></userinput></term>
							<listitem>
								<para>the name of the file to which the public and private keys will be output. Conventionally, the file name should have a <filename>.pem</filename> extension.
</para>
							</listitem>
						</varlistentry>
						<varlistentry>
							<term><userinput><replaceable>-storage_encryption_algorithm:</replaceable></userinput></term>
							<listitem>
									<para>the symmetric algorithm used to encrypt the key file. Possible values are <userinput>-des, -des3</userinput> and <userinput>-idea</userinput>. This parameter is nominally optional, but should always be used except for testing.
</para>
							</listitem>
						</varlistentry>
						<varlistentry>
							<term><userinput><replaceable>password_source:</replaceable> </userinput></term>
							<listitem>
								<para>the source of the password that will be used to decrypt the key file. This parameter is formatted as follows:
</para>
								<variablelist>
									<varlistentry>
										<term><userinput>pass:<replaceable>password</replaceable>
</userinput></term>
										<listitem>
											<para><replaceable>password</replaceable> is the password. Avoid except for testing, as Linux utilities such as <command>ps</command> can see the password.
</para>
										</listitem>
									</varlistentry>
									<varlistentry>
										<term><userinput>env:environment_variable
</userinput></term>
										<listitem>
											<para>The denoted environment variable&apos;s value is the password.
</para>
										</listitem>
									</varlistentry>
									<varlistentry>
										<term><userinput>file:<replaceable>file_name</replaceable>
</userinput></term>
										<listitem>
											<para>The first line of the denoted file is the password. Ensure that the file&apos;s read permissions are limited to those who will need the password.
</para>
										</listitem>
									</varlistentry>
									<varlistentry>
										<term><userinput>fd:<replaceable>file_descriptor_number</replaceable>
</userinput></term>
										<listitem>
											<para>The password is read from the denoted file descriptor. 
</para>
										</listitem>
									</varlistentry>
									<varlistentry>
										<term><userinput>stdin</userinput></term>
										<listitem>
											<para>The password is read from the standard input.
</para>
										</listitem>
									</varlistentry>
								</variablelist>
								<para>Example key generation command:
</para>
								<para>
									<userinput moreinfo="none">openssl genrsa -rand rand1:rand2:rand3 -out abigailskeys.pem -des3 -passout file:/var/keypass
</userinput>
								</para>
							</listitem>
						</varlistentry>
					</variablelist>
				</listitem>
				<listitem>
					<para>Delete the files of random data that you created in Step 1.
</para>
				</listitem>
				<listitem>
					<para>To generate a file containing just the public key, type
</para>
					<para>
						<userinput moreinfo="none">openssl rsa -in <replaceable>source_file</replaceable> -out <replaceable>output_file</replaceable> -pubout
</userinput>
					</para>
					<para>For example:
</para>
					<para>
						<userinput moreinfo="none">openssl rsa -in abigailskeys.pem -out abipub.pem -pubout
</userinput>
					</para>
				</listitem>
			</orderedlist>
			</para>
			</FormalPara>
		</section>
	</chapter>
</book>