VOCAL’s software library Wireless Transport Layer Security (WTLS) module provides communication security with the Wireless Application Protocol (WAP). WTLS is the security layer protocol that operates above the transport layer as shown in Figure 1. Contact us to discuss your wireless application requirements.
WTLS
The primary job of WTLS is to provide privacy, data integrity and authentication between applications communicating using WAP. WTLS is based on and provides similar functionality to the Transport Layer Security (TLS) protocol but is optimized for low bandwidth mobile devices. The three major differences between TLS and WTLS are:
- Compressed Data Structures – Packet size was reduced by using bit-fields, discarding redundancy and truncating cryptographic elements when ever possible
- Compressed Certificate Format – The format follows the X.509v3 certificate structure but uses smaller data structures
- Packet Based Instead of Stream Based – TLS is designed to be used over a data stream and a significant part of the design of WTLS was to allow it to be used in a data packet environment so that protocols such
as Short Message Service (SMS) could be used as data transport.
WTLS Primitives
WTLS has seven service Primitives listed below with their description:
- Unitdata – Primitive for exchanging data between peers when there is an existing secure
connection between the peers transport addresses - Create – Primitive for initiation of the establishment of the secure connection
- Exchange – Primitive for public-key authentication or key exchange with the client in the
creation of a secure connection - Commit – Primitive for switching to the newly negotiated secure connection once the handshake
is complete - Terminate – Primitive for terminating the connection
- Exception – Primitive for information about warning level alerts
- Create-Request – Primitive for the server to request the client to initiate a new handshake
The service Primitives can be one of four different types listed below with their description:
- request – used when a higher layer is requesting a service from a lower layer
- indication – used by the service providing layer to notify the next higher layer of activities related
to the request type of the peer or to the provider of the service - response – used to acknowledge receipt of the indication type from the next lower layer
- confirm – used by the service providing layer to report that activity has been completed successfully
WTLS Parameters
The matrix below lists the parameters with each service Primitive and defines the requirement of the parameters
presence in each parameter type. The entries under the types across from the parameters is defined in the list before
the matrix.
- MUST – Presence of the parameter is mandatory and MUST be present
- CONDITIONAL – Presence of the parameter is conditional depending on other parameters
- OPTION – Presence of the parameter is a user option and MAY be omitted
- – A blank space means the parameter is absent
- X – Primitive type is not possible for that service Primitive
- * – The value of the parameter is identical to the value of the corresponding parameter
of the proceeding service Primitive
WTLS uses algorithms for Key Exchange, Encryption, and Message Authentication Code (MAC) calculations. The tables
below list the specific algorithms along with needed parameter information.
| Service Primitive | Parameter | Parameter Description | Primitive Types | |||
|---|---|---|---|---|---|---|
| request | indication | response | confirm | |||
| Unitdata | Source Address | Identifies the originator | MUST | MUST* | X | X |
| Source Port | Identifies the port the message is sent from | MUST | MUST* | |||
| Destination Address | Identifies the peer user data is sent to | MUST | OPTION* | |||
| Destination Port | Identifies the to which the data is sent | MUST | OPTION* | |||
| User Data | The data to be transmitted | MUST | MUST* | |||
| Create | Source Address | Identifies the originator | MUST | MUST* | ||
| Source Port | Identifies the port the message is sent from | MUST | MUST* | |||
| Destination Address | Identifies the peer user data is sent to | MUST | OPTION* | |||
| Destination Port | Identifies the to which the data is sent | MUST | OPTION* | |||
| Client Identities | Independent originator identity, may be used by server to look up certificates | OPTION | CONDITIONAL* | |||
| Proposed Key Exchange Suites | Key Exchange Suites proposed by client | MUST | MUST* | |||
| Proposed Cipher Suites | Cipher Suites proposed by client | MUST | MUST* | |||
| Proposed Compression Methods | Compression Methods proposed by client | MUST | MUST* | |||
| Sequence Number Mode | Defines how the Sequence Number is used in a secure connection | OPTION | CONDITIONAL* | MUST | MUST* | |
| Key Refresh | Defines how often the encryption and protection keys are refreshed in a secure connection | OPTION | CONDITIONAL* | MUST | MUST* | |
| Session ID | Is unique per server and identifies the secure session | OPTION | CONDITIONAL* | MUST | MUST* | |
| Selected Key Exchange Suite | Identifies the Key Exchange Suite selected by the server | MUST | MUST* | |||
| Selected Cipher Suite | Identifies the Cipher Suite selected by the server | MUST | MUST* | |||
| Selected Compression Method | Identifies the Compression Method selected by the server | MUST | MUST* | |||
| Server Certificate | Public-Key Certificate of the server | OPTION | CONDITIONAL* | |||
| Exchange | Client Certificate | Public-Key Certificate of the client | MUST | MUST* | ||
| Commit | No parameters, just an empty packet | |||||
| Terminate | Alert Description | Identifies the reason for termination | MUST | MUST* | X | X |
| Alert Level | Defines whether the session (fatal) or connection (critical) is terminated | MUST | MUST* | |||
| Exception | Alert Description | Identifies what caused the warning | MUST | MUST* | X | X |
| Create-Request | Source Address | Identifies the originator | OPTION | CONDITIONAL* | X | X |
| Source Port | Identifies the port the message is sent from | OPTION | CONDITIONAL* | |||
| Destination Address | Identifies the peer user data is sent to | OPTION | CONDITIONAL* | |||
| Destination Port | Identifies the to which the data is sent | OPTION | CONDITIONAL* | |||
WTLS uses algorithms for Key Exchange, Encryption, and Message Authentication Code (MAC) calculations. The tables
below list the specific algorithms along with needed parameter information.
| Key Exchange Suite | Assigned Number | Description | Key SizeLimit (bits) |
|---|---|---|---|
| NULL | 0 | No key exchange is done | N/A |
| SHARED_SECRET | 1 | Symmetric-key based handshake | None |
| DH_anon | 2 | Diffie-Hellman (DH) Key Exchange without authentication | None |
| DH_anon_512 | 3 | Diffie-Hellman (DH) Key Exchange without authentication | 512 |
| DH_anon_768 | 4 | Diffie-Hellman (DH) Key Exchange without authentication | 768 |
| RSA_anon | 5 | RSA Key Exchange without authentication | None |
| RSA_anon_512 | 6 | RSA Key Exchange without authentication | 512 |
| RSA_anon_768 | 7 | RSA Key Exchange without authentication | 768 |
| RSA | 8 | RSA Key Exchange with RSA based certificates | None |
| RSA_512 | 9 | RSA Key Exchange with RSA based certificates | 512 |
| RSA_768 | 10 | RSA Key Exchange with RSA based certificates | 768 |
| ECDH_anon | 11 | Elliptical Curve Diffie-Hellman (ECDH) Key Exchange without authentication | None |
| ECDH_anon_113 | 12 | Elliptical Curve Diffie-Hellman (ECDH) Key Exchange without authentication | 113 |
| ECDH_anon_131 | 13 | Elliptical Curve Diffie-Hellman (ECDH) Key Exchange without authentication | 131 |
| ECDH_ECDSA | 14 | Elliptical Curve Diffie-Hellman (ECDH) Key Exchange with Elliptical Curve Digital Signature Algorithm (ECDSA) Certificates | None |
| ECDH_anon_uncomp | 15 | Elliptical Curve Diffie-Hellman (ECDH) Key Exchange without authentication where all Public keys MUST be uncompressed points | None |
| ECDH_anon_uncomp_113 | 16 | Elliptical Curve Diffie-Hellman (ECDH) Key Exchange without authentication where all Public keys MUST be uncompressed points | 113 |
| ECDH_anon_uncomp_131 | 17 | Elliptical Curve Diffie-Hellman (ECDH) Key Exchange without authentication where all Public keys MUST be uncompressed points | 131 |
| ECDH_ECDSA_uncomp | 18 | Elliptical Curve Diffie-Hellman (ECDH) Key Exchange with Elliptical Curve Digital Signature Algorithm (ECDSA) Certificateswhere all Public keys MUST be uncompressed points | None |
| Cipher | Assigned Number | Description | Type | Key Material (bytes) | Expanded Key Material (bytes) | Effective Key Bits (bits) | IV Size (bytes) | Block Size (bytes) |
|---|---|---|---|---|---|---|---|---|
| NULL | 0 | No encryption | Stream | 0 | 0 | 0 | 0 | N/A |
| RC5_CBC_40 | 1 | RC5 in CBC mode | Block | 5 | 16 | 40 | 8 | 8 |
| RC5_CBC_56 | 2 | RC5 in CBC mode | Block | 7 | 16 | 56 | 8 | 8 |
| RC5_CBC | 3 | RC5 in CBC mode | Block | 16 | 16 | 128 | 8 | 8 |
| DES_CBC_40 | 4 | Data Encryption Standard (DES) in CBC mode | Block | 5 | 8 | 40 | 8 | 8 |
| DES_CBC | 5 | Data Encryption Standard (DES) in CBC mode | Block | 8 | 8 | 56 | 8 | 8 |
| 3DES_CBC_EDE | 6 | 3 key TripleDES in CBC mode | Block | 24 | 24 | 168 | 8 | 8 |
| IDEA_CBC_40 | 7 | IDEA in CBC mode | Block | 5 | 16 | 40 | 8 | 8 |
| IDEA_CBC_56 | 8 | IDEA in CBC mode | Block | 7 | 16 | 56 | 8 | 8 |
| IDEA_CBC | 9 | IDEA in CBC mode | Block | 16 | 16 | 128 | 8 | 8 |
| RC5_CBC_64 | 10 | RC5 in CBC mode | Block | 8 | 16 | 64 | 8 | 8 |
| IDEA_CBC_64 | 11 | IDEA in CBC mode | Block | 8 | 16 | 64 | 8 | 8 |
| Hash Function | Assigned Number | Description | Key Size (bytes) | MAC Size (bytes) |
|---|---|---|---|---|
| SHA_0 | 0 | No keyed MAC is calculated | 0 | 0 |
| SHA_40 | 1 | Keyed MAC calculated with SHA-1 but only 1st 5 bytes of output are used | 20 | 5 |
| SHA_80 | 2 | Keyed MAC calculated with SHA-1 but only 1st half (10 bytes) of output are used | 20 | 10 |
| SHA | 3 | Keyed MAC calculated with SHA-1 | 20 | 20 |
| MD5_40 | 5 | Keyed MAC calculated with MD5 but only 1st 5 bytes of output are used | 16 | 5 |
| MD5_80 | 6 | Keyed MAC calculated with MD5 but only 1st half (10 bytes) of output are used | 16 | 10 |
| MD5 | 7 | Keyed MAC calculated with MD5 | 16 | 16 |
| Service Primitive | Parameter | Parameter Description | Primitive Types | |||
|---|---|---|---|---|---|---|
Request | Indication | Response | Confirm | |||
Unidata | Source Address | Identifies the originator | MUST | MUST* | × | × |
Source Port | Identifies the port the message is sent from | MUST | MUST* | |||
Destination Address | Identifies the peer user data is sent to | MUST | OPTION* | |||
Destination Port | Identifies the to which the data is sent | MUST | OPTION* | |||
User Data | The data to be transmitted | MUST | OPTION* | |||
Create | Source Address | Identifies the originator | MUST | MUST* | ||
Source Port | Identifies the port the message is sent from | MUST | MUST* | |||
Destination Address | Identifies the peer user data is sent to | MUST | OPTION* | |||
Destination Port | Identifies the to which the data is sent | MUST | OPTION* | |||
Client Identities | Independent originator identity, may be used by server to look up certificates | OPTION | CONDITIONAL* | |||
Proposed Key Exchange Suites | Key Exchange Suites proposed by client | MUST | MUST* | |||
Proposed Cipher Suites | Cipher Suites proposed by client | MUST | MUST* | |||
Proposed Compression Methods | Compression Methods proposed by client | MUST | MUST* | |||
Sequence Number Mode | Defines how the Sequence Number is used in a secure connection | OPTION | CONDITIONAL* | MUST | MUST* | |
Session ID | Is unique per server and identifies the secure session | OPTION | CONDITIONAL* | MUST | MUST* | |
Key Refresh | Defines how often the encryption and protection keys are refreshed in a secure connection | OPTION | CONDITIONAL* | MUST | MUST* | |
Selected Key Exchange Suite | Identifies the Key Exchange Suite selected by the server | MUST | MUST* | |||
Selected Cipher Suite | Identifies the Cipher Suite selected by the server | MUST | MUST* | |||
Selected Compression Method | Identifies the Compression Method selected by the server | MUST | MUST* | |||
Server Certificate | Public-Key Certificate of the server | OPTION | CONDITIONAL* | |||
Exchange | Client Certificate | Public-Key Certificate of the client | MUST | MUST* | ||
Commit | No parameters, just an empty packet | |||||
Terminate | Alert Description | Identifies the reason for termination | MUST | MUST* | × | × |
Alert Level | Defines whether the session (fatal) or connection (critical) is terminated | MUST | MUST* | |||
Exception | Alert Description | Identifies what caused the warning | MUST | MUST* | × | × |
Create Request | Source Address | Identifies the originator | OPTION | CONDITIONAL* | × | × |
Source Port | Identifies the port the message is sent from | OPTION | CONDITIONAL* | |||
Destination Address | Identifies the peer user data is sent to | OPTION | CONDITIONAL* | |||
Destination Port | Identifies the to which the data is sent | OPTION | CONDITIONAL* | |||