[118564] in Cypherpunks
RE: Radicchio PKI standards group for mobile phones
daemon@ATHENA.MIT.EDU (Lucky Green)
Sat Oct 2 14:14:21 1999
From: "Lucky Green" <shamrock@cypherpunks.to>
To: "John Gilmore" <gnu@toad.com>,
"cypherpunks@Algebra. COM" <cypherpunks@Algebra.COM>
Cc: <iang@cs.berkeley.edu>, "Dave Wagner" <daw@cs.berkeley.edu>
Date: Sat, 2 Oct 1999 10:51:06 -0700
Message-ID: <NDBBIFGOKODBCKDGJDKLAELECIAA.shamrock@cypherpunks.to>
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
In-Reply-To: <199910010621.XAA13578@toad.com>
Reply-To: "Lucky Green" <shamrock@cypherpunks.to>
John wrote:
> What the "3G" (third generation) mobile phone market needs is to stop
> treating them as phones and treat it like a network. I.e. publish a
> standard protocol for IP access to the network, like the spec for
> Ethernet cards and the RFC for IP over Ethernet (RFC 894). Let anyone
> build that interface into any device!
A sound proposal that has my full support, but unfortunately such an
architecture is not in line with the cellular providers' market strategy.
The providers are trying to take their product up the stack, where the
revenues are, rather than down the stack where providers just move packets.
The currently favored data-over-digital-cellular-telephony models all have
one component in common: a gateway operated by the cellular provider. It is
this gateway that translates WAP, spoken inside the cellular network, to the
standard Internet protocols spoken on the other side. By controlling the
gateway, the cellular provider controls which Internet content provider can
offer services to the cellular subscribers. Obtaining said access to the
market represented by cellular subscribers entails paying a fee to the
cellular provider.
A browser running on a 3G phone making a WTLS connection does not
authenticate itself to the content provider; the browser authenticates
itself to the WAP gateway operated by the cellular provider. It is the
gateway which then in turn authenticates itself to the content provider.
Though even if you are running 1024/128 WTLS on one side and 1024/128 TLS on
the other side of the gateway, inside the gateway the data is in the clear.
To the best of my knowledge, 3G browsers and wireless applications do not
currently provide for end-to-end encryption or authentication. Given that
your provider can thus read your data in the clear and spoof your identity
to the external servers, it is probably of little consequence that your
provider also might know your private key from back when they generated it
for you.
One solution to providing end-to-end security in 3G applications would be for
external servers to implement WTLS (easy) and to convince the providers to
just pass the data (hard).
The alternative would be to use raw IP (provided by most 3G phones) and
build your applications on top of that, but now you just lost all the
integration and performance benefits that come with using WAP. And you again
end up with two devices.
I think it is sad that the providers have chosen to not implement end-to-end
security, but then I can't fault them too much for it, since not doing so is
at least temporarily good for their pocketbooks. In addition, the regulators
probably wouldn't have permitted it anyway.
See http://www.baltimore.com/library/whitepapers/wsecure.html for some
diagrams of how WTLS and SSL interact at the gateway.
--Lucky
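As an added illustration, not part of Lucky's post, here are the two trust models the post contrasts, simulated in Python: the gateway model, where the handset-to-gateway session and the gateway-to-server session are separate and the gateway holds the cleartext in between, and the end-to-end model, where the gateway only relays bytes it cannot read or alter undetected. The authenticated channel is a toy built from HMAC-SHA256 in the standard library so the flow runs offline; it stands in for WTLS and TLS and is not a real cipher, and the `rewrite` hook and the session-key names are assumptions of this example.

```python
import hmac
import hashlib
import secrets

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy keystream: HMAC-SHA256 in counter mode. Illustrative only, not WTLS/TLS.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC: record = nonce || ciphertext || tag
    nonce = secrets.token_bytes(8)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    # Verify the tag before decrypting; anything modified in transit is rejected
    nonce, ct, tag = blob[:8], blob[8:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def gateway_model(request: bytes, rewrite=lambda m: m):
    # Handset<->gateway (WTLS) and gateway<->server (TLS) are separate sessions
    # with separate keys, so the gateway holds the plaintext in between.
    # `rewrite` is a hypothetical hook standing for whatever the gateway does
    # with the cleartext before re-encrypting it toward the server.
    k_handset_gw = secrets.token_bytes(32)
    k_gw_server = secrets.token_bytes(32)
    seen_by_gateway = unseal(k_handset_gw, seal(k_handset_gw, request))
    received_by_server = unseal(k_gw_server, seal(k_gw_server, rewrite(seen_by_gateway)))
    return seen_by_gateway, received_by_server

def end_to_end_model(request: bytes, tamper: bool = False):
    # Only handset and server share the key; the gateway can merely relay bytes.
    k_e2e = secrets.token_bytes(32)
    wire = seal(k_e2e, request)
    if tamper:  # a relay that flips one ciphertext bit on the way through
        wire = wire[:8] + bytes([wire[8] ^ 1]) + wire[9:]
    try:
        return None, unseal(k_e2e, wire)  # None: the gateway never sees plaintext
    except ValueError:
        return None, None  # the server rejects the modified record
```

In the gateway model the server accepts whatever the gateway re-encrypts, which is exactly why the handset's own key material buys little there; in the end-to-end model the MAC check at the server is what detects any change made in transit.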