Call Today 716.688.4675

Wireless Transport Layer Security (WTLS) Software

Wireless Application Protocol (WAP) Layers
VOCAL’s software library Wireless Transport Layer Security (WTLS) module provides communication security with the Wireless Application Protocol (WAP). WTLS is the security layer protocol that operates above the transport layer as shown in Figure 1. Contact us to discuss your wireless application requirements.

WTLS

The primary job of WTLS is to provide privacy, data integrity and authentication between applications communicating using WAP. WTLS is based on and provides similar functionality to the Transport Layer Security (TLS) protocol but is optimized for low bandwidth mobile devices. The three major differences between TLS and WTLS are:

  • Compressed Data Structures – Packet size was reduced by using bit-fields, discarding redundancy and truncating cryptographic elements when ever possible
  • Compressed Certificate Format – The format follows the X.509v3 certificate structure but uses smaller data structures
  • Packet Based Instead of Stream Based – TLS is designed to be used over a data stream and a significant part of the design of WTLS was to allow it to be used in a data packet environment so that protocols such
    as Short Message Service (SMS) could be used as data transport.

WTLS Primitives

WTLS has seven service Primitives listed below with their description:

  • Unitdata – Primitive for exchanging data between peers when there is an existing secure
    connection between the peers transport addresses
  • Create – Primitive for initiation of the establishment of the secure connection
  • Exchange – Primitive for public-key authentication or key exchange with the client in the
    creation of a secure connection
  • Commit – Primitive for switching to the newly negotiated secure connection once the handshake
    is complete
  • Terminate – Primitive for terminating the connection
  • Exception – Primitive for information about warning level alerts
  • Create-Request – Primitive for the server to request the client to initiate a new handshake

The service Primitives can be one of four different types listed below with their description:

  • request – used when a higher layer is requesting a service from a lower layer
  • indication – used by the service providing layer to notify the next higher layer of activities related
    to the request type of the peer or to the provider of the service
  • response – used to acknowledge receipt of the indication type from the next lower layer
  • confirm – used by the service providing layer to report that activity has been completed successfully

WTLS Parameters

The matrix below lists the parameters with each service Primitive and defines the requirement of the parameters
presence in each parameter type. The entries under the types across from the parameters is defined in the list before
the matrix.

  • MUST – Presence of the parameter is mandatory and MUST be present
  • CONDITIONAL – Presence of the parameter is conditional depending on other parameters
  • OPTION – Presence of the parameter is a user option and MAY be omitted
  •   – A blank space means the parameter is absent
  • X – Primitive type is not possible for that service Primitive
  • * – The value of the parameter is identical to the value of the corresponding parameter
    of the proceeding service Primitive
Service Primitive Types Parameter Matrix
Service Primitive Parameter Parameter
Description
Primitive Types
request indication response confirm
Unitdata Source Address Identifies the originator MUST MUST* X X
Source Port Identifies the port the message is sent from MUST MUST*
Destination Address Identifies the peer user data is sent to MUST OPTION*
Destination Port Identifies the to which the data is sent MUST OPTION*
User Data The data to be transmitted MUST MUST*
Create Source Address Identifies the originator MUST MUST*
Source Port Identifies the port the message is sent from MUST MUST*
Destination Address Identifies the peer user data is sent to MUST OPTION*
Destination Port Identifies the to which the data is sent MUST OPTION*
Client Identities Independent originator identity, may be used by server to look up certificates OPTION CONDITIONAL*
Proposed Key Exchange Suites Key Exchange Suites proposed by client MUST MUST*
Proposed Cipher Suites Cipher Suites proposed by client MUST MUST*
Proposed Compression Methods Compression Methods proposed by client MUST MUST*
Sequence Number Mode Defines how the Sequence Number is used in a secure connection OPTION CONDITIONAL* MUST MUST*
Key Refresh Defines how often the encryption and protection keys are refreshed in a secure connection OPTION CONDITIONAL* MUST MUST*
Session ID Is unique per server and identifies the secure session OPTION CONDITIONAL* MUST MUST*
Selected Key Exchange Suite Identifies the Key Exchange Suite selected by the server MUST MUST*
Selected Cipher Suite Identifies the Cipher Suite selected by the server MUST MUST*
Selected Compression Method Identifies the Compression Method selected by the server MUST MUST*
Server Certificate Public-Key Certificate of the server OPTION CONDITIONAL*
Exchange Client Certificate Public-Key Certificate of the client MUST MUST*
Commit No parameters, just an empty packet
Terminate Alert Description Identifies the reason for termination MUST MUST* X X
Alert Level Defines whether the session (fatal) or connection (critical) is terminated MUST MUST*
Exception Alert Description Identifies what caused the warning MUST MUST* X X
Create-Request Source Address Identifies the originator OPTION CONDITIONAL* X X
Source Port Identifies the port the message is sent from OPTION CONDITIONAL*
Destination Address Identifies the peer user data is sent to OPTION CONDITIONAL*
Destination Port Identifies the to which the data is sent OPTION CONDITIONAL*

 

WTLS uses algorithms for Key Exchange, Encryption, and Message Authentication Code (MAC) calculations. The tables
below list the specific algorithms along with needed parameter information.

WTLS Key Exchange Suites
Key Exchange Suite Assigned Number Description Key SizeLimit
(bits)
NULL 0 No key exchange is done N/A
SHARED_SECRET 1 Symmetric-key based handshake None
DH_anon 2 Diffie-Hellman (DH) Key Exchange without authentication None
DH_anon_512 3 Diffie-Hellman (DH) Key Exchange without authentication 512
DH_anon_768 4 Diffie-Hellman (DH) Key Exchange without authentication 768
RSA_anon 5 RSA Key Exchange without authentication None
RSA_anon_512 6 RSA Key Exchange without authentication 512
RSA_anon_768 7 RSA Key Exchange without authentication 768
RSA 8 RSA Key Exchange with
RSA based certificates
None
RSA_512 9 RSA Key Exchange with
RSA based certificates
512
RSA_768 10 RSA Key Exchange with
RSA based certificates
768
ECDH_anon 11 Elliptical Curve Diffie-Hellman (ECDH) Key Exchange
without authentication
None
ECDH_anon_113 12 Elliptical Curve Diffie-Hellman (ECDH) Key Exchange
without authentication
113
ECDH_anon_131 13 Elliptical Curve Diffie-Hellman (ECDH) Key Exchange
without authentication
131
ECDH_ECDSA 14 Elliptical Curve Diffie-Hellman (ECDH) Key Exchange
with
Elliptical Curve Digital Signature Algorithm (ECDSA) Certificates
None
ECDH_anon_uncomp 15 Elliptical Curve Diffie-Hellman (ECDH) Key Exchange
without authentication where all Public keys MUST be uncompressed points
None
ECDH_anon_uncomp_113 16 Elliptical Curve Diffie-Hellman (ECDH) Key Exchange
without authentication where all Public keys MUST be
uncompressed points
113
ECDH_anon_uncomp_131 17 Elliptical Curve Diffie-Hellman (ECDH) Key Exchange
without authentication where all Public keys MUST be uncompressed points
131
ECDH_ECDSA_uncomp 18 Elliptical Curve Diffie-Hellman (ECDH) Key Exchange
with
Elliptical Curve Digital Signature Algorithm (ECDSA) Certificateswhere all Public keys MUST be uncompressed points
None

 

WTLS Bulk Cipher Suites
Cipher Assigned
Number
Description Type Key
Material
(bytes)
Expanded
Key
Material
(bytes)
Effective
Key Bits
(bits)
IV Size
(bytes)
Block Size
(bytes)
NULL 0 No encryption Stream 0 0 0 0 N/A
RC5_CBC_40 1 RC5 in CBC mode Block 5 16 40 8 8
RC5_CBC_56 2 RC5 in CBC mode Block 7 16 56 8 8
RC5_CBC 3 RC5 in CBC mode Block 16 16 128 8 8
DES_CBC_40 4 Data Encryption Standard (DES) in CBC mode Block 5 8 40 8 8
DES_CBC 5 Data Encryption Standard (DES) in CBC mode Block 8 8 56 8 8
3DES_CBC_EDE 6 3 key TripleDES in CBC mode Block 24 24 168 8 8
IDEA_CBC_40 7 IDEA in CBC mode Block 5 16 40 8 8
IDEA_CBC_56 8 IDEA in CBC mode Block 7 16 56 8 8
IDEA_CBC 9 IDEA in CBC mode Block 16 16 128 8 8
RC5_CBC_64 10 RC5 in CBC mode Block 8 16 64 8 8
IDEA_CBC_64 11 IDEA in CBC mode Block 8 16 64 8 8

 

WTLS Keyed Message Authentication Code (MAC) Algorithms
Hash
Function
Assigned
Number
Description Key
Size
(bytes)
MAC
Size
(bytes)
SHA_0 0 No keyed MAC is calculated 0 0
SHA_40 1 Keyed MAC calculated with SHA-1 but
only 1st 5 bytes of output are used
20 5
SHA_80 2 Keyed MAC calculated with SHA-1 but
only 1st half (10 bytes) of output are used
20 10
SHA 3 Keyed MAC calculated with SHA-1 20 20
MD5_40 5 Keyed MAC calculated with MD5 but
only 1st 5 bytes of output are used
16 5
MD5_80 6 Keyed MAC calculated with MD5 but
only 1st half (10 bytes) of output are used
16 10
MD5 7 Keyed MAC calculated with MD5 16 16
VOCAL Technologies, Ltd.
520 Lee Entrance, Suite 202
Amherst New York 14228
Phone: +1-716-688-4675
Fax: +1-716-639-0713
Email: sales@vocal.com