Wireless Application Protocol (WAP) Layers
VOCAL’s software library Wireless Transport Layer Security (WTLS) module provides communication security with the Wireless Application Protocol (WAP). WTLS is the security layer protocol that operates above the transport layer as shown in Figure 1. Contact us to discuss your wireless application requirements.

WTLS

The primary job of WTLS is to provide privacy, data integrity and authentication between applications communicating using WAP. WTLS is based on and provides similar functionality to the Transport Layer Security (TLS) protocol but is optimized for low bandwidth mobile devices. The three major differences between TLS and WTLS are:

  • Compressed Data Structures – Packet size was reduced by using bit-fields, discarding redundancy and truncating cryptographic elements when ever possible
  • Compressed Certificate Format – The format follows the X.509v3 certificate structure but uses smaller data structures
  • Packet Based Instead of Stream Based – TLS is designed to be used over a data stream and a significant part of the design of WTLS was to allow it to be used in a data packet environment so that protocols such
    as Short Message Service (SMS) could be used as data transport.

WTLS Primitives

WTLS has seven service Primitives listed below with their description:

  • Unitdata – Primitive for exchanging data between peers when there is an existing secure
    connection between the peers transport addresses
  • Create – Primitive for initiation of the establishment of the secure connection
  • Exchange – Primitive for public-key authentication or key exchange with the client in the
    creation of a secure connection
  • Commit – Primitive for switching to the newly negotiated secure connection once the handshake
    is complete
  • Terminate – Primitive for terminating the connection
  • Exception – Primitive for information about warning level alerts
  • Create-Request – Primitive for the server to request the client to initiate a new handshake

The service Primitives can be one of four different types listed below with their description:

  • request – used when a higher layer is requesting a service from a lower layer
  • indication – used by the service providing layer to notify the next higher layer of activities related
    to the request type of the peer or to the provider of the service
  • response – used to acknowledge receipt of the indication type from the next lower layer
  • confirm – used by the service providing layer to report that activity has been completed successfully

WTLS Parameters

The matrix below lists the parameters with each service Primitive and defines the requirement of the parameters
presence in each parameter type. The entries under the types across from the parameters is defined in the list before
the matrix.

  • MUST – Presence of the parameter is mandatory and MUST be present
  • CONDITIONAL – Presence of the parameter is conditional depending on other parameters
  • OPTION – Presence of the parameter is a user option and MAY be omitted
  •   – A blank space means the parameter is absent
  • X – Primitive type is not possible for that service Primitive
  • * – The value of the parameter is identical to the value of the corresponding parameter
    of the proceeding service Primitive

WTLS uses algorithms for Key Exchange, Encryption, and Message Authentication Code (MAC) calculations. The tables
below list the specific algorithms along with needed parameter information.

Service Primitive Types Parameter Matrix
Service PrimitiveParameterParameter
Description
Primitive Types
requestindicationresponseconfirm
UnitdataSource AddressIdentifies the originatorMUSTMUST*XX
Source PortIdentifies the port the message is sent fromMUSTMUST*
Destination AddressIdentifies the peer user data is sent toMUSTOPTION*
Destination PortIdentifies the to which the data is sentMUSTOPTION*
User DataThe data to be transmittedMUSTMUST*
CreateSource AddressIdentifies the originatorMUSTMUST*  
Source PortIdentifies the port the message is sent fromMUSTMUST*  
Destination AddressIdentifies the peer user data is sent toMUSTOPTION*  
Destination PortIdentifies the to which the data is sentMUSTOPTION*  
Client IdentitiesIndependent originator identity, may be used by server to look up certificatesOPTIONCONDITIONAL*  
Proposed Key Exchange SuitesKey Exchange Suites proposed by clientMUSTMUST*  
Proposed Cipher SuitesCipher Suites proposed by clientMUSTMUST*  
Proposed Compression MethodsCompression Methods proposed by clientMUSTMUST*  
Sequence Number ModeDefines how the Sequence Number is used in a secure connectionOPTIONCONDITIONAL*MUSTMUST*
Key RefreshDefines how often the encryption and protection keys are refreshed in a secure connectionOPTIONCONDITIONAL*MUSTMUST*
Session IDIs unique per server and identifies the secure sessionOPTIONCONDITIONAL*MUSTMUST*
Selected Key Exchange SuiteIdentifies the Key Exchange Suite selected by the server  MUSTMUST*
Selected Cipher SuiteIdentifies the Cipher Suite selected by the server  MUSTMUST*
Selected Compression MethodIdentifies the Compression Method selected by the server  MUSTMUST*
Server CertificatePublic-Key Certificate of the server  OPTIONCONDITIONAL*
ExchangeClient CertificatePublic-Key Certificate of the client  MUSTMUST*
Commit No parameters, just an empty packet    
TerminateAlert DescriptionIdentifies the reason for terminationMUSTMUST*XX
Alert LevelDefines whether the session (fatal) or connection (critical) is terminatedMUSTMUST*
ExceptionAlert DescriptionIdentifies what caused the warningMUSTMUST*XX
Create-RequestSource AddressIdentifies the originatorOPTIONCONDITIONAL*XX
Source PortIdentifies the port the message is sent fromOPTIONCONDITIONAL*
Destination AddressIdentifies the peer user data is sent toOPTIONCONDITIONAL*
Destination PortIdentifies the to which the data is sentOPTIONCONDITIONAL*

WTLS uses algorithms for Key Exchange, Encryption, and Message Authentication Code (MAC) calculations. The tables
below list the specific algorithms along with needed parameter information.

WTLS Key Exchange Suites
Key Exchange SuiteAssigned NumberDescriptionKey SizeLimit
(bits)
NULL0No key exchange is doneN/A
SHARED_SECRET1Symmetric-key based handshakeNone
DH_anon2Diffie-Hellman (DH) Key Exchange without authenticationNone
DH_anon_5123Diffie-Hellman (DH) Key Exchange without authentication512
DH_anon_7684Diffie-Hellman (DH) Key Exchange without authentication768
RSA_anon5RSA Key Exchange without authenticationNone
RSA_anon_5126RSA Key Exchange without authentication512
RSA_anon_7687RSA Key Exchange without authentication768
RSA8RSA Key Exchange with
RSA based certificates
None
RSA_5129RSA Key Exchange with
RSA based certificates
512
RSA_76810RSA Key Exchange with
RSA based certificates
768
ECDH_anon11Elliptical Curve Diffie-Hellman (ECDH) Key Exchange
without authentication
None
ECDH_anon_11312Elliptical Curve Diffie-Hellman (ECDH) Key Exchange
without authentication
113
ECDH_anon_13113Elliptical Curve Diffie-Hellman (ECDH) Key Exchange
without authentication
131
ECDH_ECDSA14Elliptical Curve Diffie-Hellman (ECDH) Key Exchange
with
Elliptical Curve Digital Signature Algorithm (ECDSA) Certificates
None
ECDH_anon_uncomp15Elliptical Curve Diffie-Hellman (ECDH) Key Exchange
without authentication where all Public keys MUST be uncompressed points
None
ECDH_anon_uncomp_11316Elliptical Curve Diffie-Hellman (ECDH) Key Exchange
without authentication where all Public keys MUST be
uncompressed points
113
ECDH_anon_uncomp_13117Elliptical Curve Diffie-Hellman (ECDH) Key Exchange
without authentication where all Public keys MUST be uncompressed points
131
ECDH_ECDSA_uncomp18Elliptical Curve Diffie-Hellman (ECDH) Key Exchange
with
Elliptical Curve Digital Signature Algorithm (ECDSA) Certificateswhere all Public keys MUST be uncompressed points
None
WTLS Bulk Cipher Suites
CipherAssigned
Number
DescriptionTypeKey
Material
(bytes)
Expanded
Key
Material
(bytes)
Effective
Key Bits
(bits)
IV Size
(bytes)
Block Size
(bytes)
NULL0No encryptionStream0000N/A
RC5_CBC_401RC5 in CBC modeBlock5164088
RC5_CBC_562RC5 in CBC modeBlock7165688
RC5_CBC3RC5 in CBC modeBlock161612888
DES_CBC_404Data Encryption Standard (DES) in CBC modeBlock584088
DES_CBC5Data Encryption Standard (DES) in CBC modeBlock885688
3DES_CBC_EDE63 key TripleDES in CBC modeBlock242416888
IDEA_CBC_407IDEA in CBC modeBlock5164088
IDEA_CBC_568IDEA in CBC modeBlock7165688
IDEA_CBC9IDEA in CBC modeBlock161612888
RC5_CBC_6410RC5 in CBC modeBlock8166488
IDEA_CBC_6411IDEA in CBC modeBlock8166488
WTLS Keyed Message Authentication Code (MAC) Algorithms
Hash
Function
Assigned
Number
DescriptionKey
Size
(bytes)
MAC
Size
(bytes)
SHA_00No keyed MAC is calculated00
SHA_401Keyed MAC calculated with SHA-1 but
only 1st 5 bytes of output are used
205
SHA_802Keyed MAC calculated with SHA-1 but
only 1st half (10 bytes) of output are used
2010
SHA3Keyed MAC calculated with SHA-12020
MD5_405Keyed MAC calculated with MD5 but
only 1st 5 bytes of output are used
165
MD5_806Keyed MAC calculated with MD5 but
only 1st half (10 bytes) of output are used
1610
MD57Keyed MAC calculated with MD51616
Service Primitive Parameter Parameter Description Primitive Types
Request
Indication
Response
Confirm
Unidata
Source Address
Identifies the originator
MUST
MUST*

×

×

Source Port
Identifies the port the message is sent from
MUST
MUST*
Destination Address
Identifies the peer user data is sent to
MUST
OPTION*
Destination Port
Identifies the to which the data is sent
MUST
OPTION*
User Data
The data to be transmitted
MUST
OPTION*
Create
Source Address
Identifies the originator
MUST
MUST*
Source Port
Identifies the port the message is sent from
MUST
MUST*
Destination Address
Identifies the peer user data is sent to
MUST
OPTION*
Destination Port
Identifies the to which the data is sent
MUST
OPTION*
Client Identities
Independent originator identity, may be used by server to look up certificates
OPTION
CONDITIONAL*
Proposed Key Exchange Suites
Key Exchange Suites proposed by client
MUST
MUST*
Proposed Cipher Suites
Cipher Suites proposed by client
MUST
MUST*
Proposed Compression Methods
Compression Methods proposed by client
MUST
MUST*
Sequence Number Mode
Defines how the Sequence Number is used in a secure connection
OPTION
CONDITIONAL*
MUST
MUST*
Session ID
Is unique per server and identifies the secure session
OPTION
CONDITIONAL*
MUST
MUST*
Key Refresh
Defines how often the encryption and protection keys are refreshed in a secure connection
OPTION
CONDITIONAL*
MUST
MUST*
Selected Key Exchange Suite
Identifies the Key Exchange Suite selected by the server
MUST
MUST*
Selected Cipher Suite
Identifies the Cipher Suite selected by the server
MUST
MUST*
Selected Compression Method
Identifies the Compression Method selected by the server
MUST
MUST*
Server Certificate
Public-Key Certificate of the server
OPTION
CONDITIONAL*
Exchange
Client Certificate
Public-Key Certificate of the client
MUST
MUST*
Commit
No parameters, just an empty packet
Terminate
Alert Description
Identifies the reason for termination
MUST
MUST*

×

×

Alert Level
Defines whether the session (fatal) or connection (critical) is terminated
MUST
MUST*
Exception
Alert Description
Identifies what caused the warning
MUST
MUST*

×

×

Create Request
Source Address
Identifies the originator
OPTION
CONDITIONAL*

×

×

Source Port
Identifies the port the message is sent from
OPTION
CONDITIONAL*
Destination Address
Identifies the peer user data is sent to
OPTION
CONDITIONAL*
Destination Port
Identifies the to which the data is sent
OPTION
CONDITIONAL*