Optimizing Content Distribution
- Regardless of the technical issues of how you manage your content, take a critical look at your current Web site and consider what you want to provide to your wireless users.
- It is possible to automatically format existing sites, but with dubious results.
- WAP sites may be set up with the same flexibility as Web sites.
Delivering Wireless Data
- Mobile users are more often in need of data rather than content.
- It is important to separate content from presentation for data applications.
- Build modules that enable device profiling and accordingly allow for different presentations of dynamic data from the same source.
Implementing Wireless Graphics
- Several different formats are supported, including common Web formats for some devices.
- Ensure accessibility by using ALT attributes on all images, and conserve bandwidth by using graphics only when necessary.
- Online and desktop converters are available to automatically convert your existing images.
❖ Chapter 9: Microsoft Mobile Internet Toolkit
Overview of the .NET Mobile Architecture
- The Mobile Internet Toolkit is built on Microsoft ASP.NET Web Forms and supports languages such as VB.NET, C#, and JScript.NET. It is an extension to the ASP.NET model.
- The toolkit includes a set of Mobile Controls that is executed by the Mobile Internet Controls runtime during the execution phase.
- The key feature of the runtime is its ability to recognize the different types of devices accessing the forms and to dynamically generate the code that each device can understand.
- The current release of the Microsoft Mobile Internet Toolkit is Beta 2. Before installing it, you must first install the .NET Framework SDK.
Introduction to ASP.NET
- Current ASP technology contains a mixture of HTML and scripting code and does not provide a clean separation of display from content, which often results in bugs and difficulties.
- HTTP is a stateless protocol. Preserving state in ASP requires substantial effort by the developer.
- In ASP.NET, normal HTML elements are converted to HTML Server controls so that they can be programmed on the server. Besides the HTML Server controls, ASP.NET provides a different set of server controls known as ASP.NET server controls.
- A Web Form in ASP.NET contains two components: Code and Content.
- The Content component of a Web Form can contain Web Form Server controls. Web Form Server controls comprise HTML Server controls, ASP.NET Server controls, Validation controls, and User controls.
- One important difference between ASP.NET and ASP is that ASP.NET applications are parsed and compiled once and then cached, so that subsequent requests do not go through the same time-consuming steps.
Developing Mobile Web Forms
- At runtime, when the form is requested, the .NET runtime automatically detects the type of device requesting the page (our examples use Pocket PC, IE 5.5, and UP.SDK) and dynamically generates the target markup language. Unlike WAP applications developed using WML and ASP, the same ASP.NET application can be displayed on different devices with no customization effort on your part.
- In ASP.NET pages there can be only a single form; however, you can have multiple mobile forms in a Mobile Web Form. To link two forms, you use the <Mobile:Link> control. The navigateURL attribute contains the ID of the form to link to.
- Linking to forms on another page is not so straightforward. The form in the first page links to the second page by specifying the filename in the navigateURL attribute. Subsequent steps involve adding another parameter called Form, retrieving its value using the Request.QueryString collection, verifying the form ID in that value, and using the ActiveForm property to set and return the active page.
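One way to carry out the cross-page form selection just described, as an added example that is not code from the book or from the Mobile Internet Toolkit itself. It assumes a page Details.aspx (hypothetical name) whose markup declares two forms with the hypothetical IDs FormMain and FormDetails, reached from the calling page through a link such as <mobile:Link NavigateUrl="Details.aspx?Form=FormDetails">; MobilePage, Form, ActiveForm and Request.QueryString are the toolkit's real names. The detail a practitioner wants here is that the Form value arrives from the client, so it is checked against the forms the page actually owns before ActiveForm is set.

```csharp
using System;
using System.Web.UI.MobileControls;

// Code-behind for Details.aspx (hypothetical file name). FormMain and FormDetails
// are declared in the .aspx markup; the ASP.NET page compiler binds them to
// these protected fields.
public class DetailsPage : MobilePage
{
    protected Form FormMain;
    protected Form FormDetails;

    // Resolve the requested form ID only against the forms this page owns.
    // A missing, unknown or tampered value falls back to the default form.
    private Form ResolveForm(string requestedId)
    {
        Form[] allowed = { FormMain, FormDetails };
        foreach (Form f in allowed)
        {
            if (f != null && f.ID == requestedId)
                return f;
        }
        return FormMain;
    }

    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);
        if (IsPostBack)
            return;                       // keep the form the user already navigated to

        // ?Form=... is the extra parameter the calling page appended to navigateURL.
        string requested = Request.QueryString["Form"];
        ActiveForm = ResolveForm(requested);
    }
}
```

Because the lookup is an allowlist of the page's own Form objects, a request for a form ID that does not exist on this page cannot raise an exception or select an unintended form; it simply lands on FormMain.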
- The Microsoft Mobile Internet Toolkit supports the user input controls TextBox, Command, and List.
- To input text into a Mobile Web Form, use the <Mobile:TextBox> control. To display a command button so that an action can be performed, use the <Mobile:Command> control. To display lists of items, either as a static list or an interactive selection, use the <Mobile:List> control. You can also dynamically bind a list of items using the ArrayList class.
- To display images, you can use the <Mobile:Image> control. Because various mobile devices display images of differing formats, use the <DeviceSpecific> control (within which are the <Choice> elements) to send the correct image type to the right device.
- Validation controls available in the Microsoft Mobile Internet Toolkit SDK include CompareValidator, CustomValidator, RangeValidator, RegularExpressionValidator, RequiredFieldValidator, and ValidationSummary.
- Other features of the Mobile API are its record paging capability, using the Paginate attribute, and its Calendar control for date selection.
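The input and validation controls listed above, used together in a code-behind class. This is an added example, not code from the book or the toolkit; the control IDs (txtQty, cmdOrder, lblResult) and the page are hypothetical, while TextBox, Command, Label, RequiredFieldValidator, RangeValidator and Page.IsValid are the toolkit's real members. What it shows is the server-side check that has to happen before the submitted text is used, since a phone browser cannot be relied on to run any client-side validation.

```csharp
using System;
using System.Web.UI.MobileControls;

// Code-behind for a hypothetical order form. The .aspx declares, inside one
// <mobile:Form>, a TextBox "txtQty", a RequiredFieldValidator and a RangeValidator
// (both with ControlToValidate="txtQty"; the RangeValidator with Type="Integer",
// MinimumValue="1", MaximumValue="99"), a ValidationSummary, a Command "cmdOrder"
// and a Label "lblResult".
public class OrderPage : MobilePage
{
    protected TextBox txtQty;
    protected Command cmdOrder;
    protected Label lblResult;

    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        cmdOrder.Click += new EventHandler(cmdOrder_Click);
    }

    private void cmdOrder_Click(object sender, EventArgs e)
    {
        // The validators run on the server for every device, including phones that
        // cannot execute client-side script, so the check belongs here, before any
        // work is done with the submitted value.
        if (!Page.IsValid)
        {
            lblResult.Text = "Please correct the quantity.";
            return;
        }

        // Safe to parse: the RangeValidator has already confirmed an integer in 1..99.
        int quantity = int.Parse(txtQty.Text);
        lblResult.Text = "Order received for " + quantity + " item(s).";
    }
}
```

The ValidationSummary control renders the validators' error messages in a form each device can display, so the handler only needs to stop and let the page re-render when IsValid is false.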
Accessing Data with ADO.NET
- Developers are familiar with using ActiveX Data Objects (ADO) for accessing databases through OLE DB and ODBC. ADO.NET evolved to support the need for remote data access.
- In ADO, communication with the data source is through OLE DB providers. In ADO.NET, the communication is through Data providers. ADO.NET contains two data providers: SQL Data providers and OLEDB Data providers.
- It is possible to use the OLEDB Data provider even if you are using SQL Server.
- ADO.NET provides the DataReader for retrieving records as a read-only, forward-only stream returned from the database for display on the client side. The DataReader stores only a single record in memory at any one time, to avoid holding a huge number of records in memory.
- The more powerful DataSet object is used to access different tables in the database. The requested data can be retrieved, saved, and printed with the use of the Tables collection.
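The DataReader and DataSet paths side by side, as an added example that is not code from the book. It uses the SQL Data provider (System.Data.SqlClient) against a hypothetical Shop database with Customers and Orders tables; the connection string and table layout are placeholders. Both queries take the city as a bound parameter rather than building SQL text from it, which is the habit to keep when the value comes from a mobile form.

```csharp
using System;
using System.Collections;
using System.Data;
using System.Data.SqlClient;

public class CustomerData
{
    // Placeholder connection string for a hypothetical database; replace with your own.
    private readonly string connStr =
        "Server=(local);Database=Shop;Integrated Security=SSPI;";

    // DataReader path: forward-only, one row in memory at a time, which suits
    // streaming a short list to a small device. The city value is bound as a
    // parameter and never concatenated into the SQL text.
    public ArrayList ListCustomerNames(string city)
    {
        ArrayList names = new ArrayList();
        using (SqlConnection conn = new SqlConnection(connStr))
        {
            SqlCommand cmd = new SqlCommand(
                "SELECT Name FROM Customers WHERE City = @city ORDER BY Name", conn);
            cmd.Parameters.Add("@city", SqlDbType.NVarChar, 50).Value = city;
            conn.Open();
            // CloseConnection releases the connection as soon as the reader is closed.
            using (SqlDataReader reader = cmd.ExecuteReader(CommandBehavior.CloseConnection))
            {
                while (reader.Read())
                    names.Add(reader.GetString(0));
            }
        }
        return names;
    }

    // DataSet path: disconnected, holds whole tables and the relation between
    // them, which suits pages that work with several tables or page through results.
    public DataSet LoadCustomersAndOrders(string city)
    {
        DataSet ds = new DataSet();
        using (SqlConnection conn = new SqlConnection(connStr))
        {
            SqlDataAdapter customers = new SqlDataAdapter(
                "SELECT CustomerId, Name FROM Customers WHERE City = @city", conn);
            customers.SelectCommand.Parameters.Add("@city", SqlDbType.NVarChar, 50).Value = city;
            customers.Fill(ds, "Customers");

            SqlDataAdapter orders = new SqlDataAdapter(
                "SELECT OrderId, CustomerId, Total FROM Orders WHERE CustomerId IN " +
                "(SELECT CustomerId FROM Customers WHERE City = @city)", conn);
            orders.SelectCommand.Parameters.Add("@city", SqlDbType.NVarChar, 50).Value = city;
            orders.Fill(ds, "Orders");
        }

        // Relate the two tables in memory so each customer row can reach its orders.
        ds.Relations.Add("CustomerOrders",
            ds.Tables["Customers"].Columns["CustomerId"],
            ds.Tables["Orders"].Columns["CustomerId"]);
        return ds;
    }
}
```

ListCustomerNames returns an ArrayList so the result can be bound straight to a <Mobile:List> control, while LoadCustomersAndOrders returns a DataSet whose Tables collection holds both result sets after the connection has been closed.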
❖ Chapter 10: Securing Your Wireless Web
Comparing Internet and Wireless Security
- Security on the Web is less complex than security on the wireless Web because the Web represents a single paradigm both for application development and for security.
- The Internet and the Web provide a somewhat coherent model for applications and security, with a handful of ubiquitous standards. On the wireless Web there are many networks using different standards, multiple browser protocols, and several wireless markup languages.
Security Challenges of the Wireless Web
- Unlike Secure Sockets Layer (SSL) and the X.509 standard for Public Key Infrastructures (PKIs) on the Internet today, there is no single standard for wireless digital certificates or wireless browser plug-ins.
- The relatively weak encryption provided by wireless security technologies such as the Wireless Transport Layer Security (WTLS) protocol and lightweight wireless PKIs is directly related to the length of the keys used and the sophistication of the encryption algorithms. These in turn are a function of device capacity, processing power, and wireless network bandwidth.
- User awareness and insecure devices pose a large challenge to the wireless Webmaster. Password protection, encryption programs, and device configuration control are the keys to minimizing the risks when devices are lost or stolen.
- Wireless Application Service Providers (WASPs) reduce customer infrastructure investment but require customers to trust their data to a network outside their control.
- Along with the spread of new technologies comes the potential for new viruses, but the same diversity of wireless devices, browsers, and standards that hampers security can also hamper the spread of viruses and worms.
- Once you've determined what you're going to make available wirelessly and how secure it needs to be, you can determine what steps you need to take to provide an appropriate degree of security; bear in mind that the more secure the solution is, the less accessible information is to legitimate users.
Security Models of the Wireless Web
- There are two basic models for wireless security: point-to-point and end-to-end. Point-to-point security means that information is protected at each leg of the journey by the appropriate security technologies for that part of the communication. End-to-end security means that a single security technology is at work all the way from the end device to the application, regardless of the various networks that the communication may traverse.
- Point-to-point security is only as strong as the weakest link.
- With end-to-end security, there are several different PKI technologies supported only in specific mobile devices, browsers, and applications.
- Point-to-point and end-to-end security solutions both involve some form of cryptography.
- SSL uses several well-defined encryption ciphers, including RC5, the Data Encryption Standard (DES), 3DES, and the International Data Encryption Algorithm (IDEA).
WTLS and Point-to-Point Security Models
- The most important technology in the point-to-point security model is WTLS. WTLS is the WAP equivalent of SSL, and it provides encryption between wireless browsers and WAP gateways.
- The most standard form of WTLS (WTLS Class I) is designed to work together with SSL, so that WTLS operates on the wireless network side of the WAP gateway and SSL operates on the Internet side. WTLS and SSL together ensure that information is encrypted from point to point all the way from a wireless browser to a Web server.
- The three main components of WTLS are the handshaking protocol that provides for key exchange, a record structure for encrypted information, and the Wireless Identity Module (WIM).
- WAP gateways decrypt WTLS communication and then re-encrypt the communication using SSL. This means that inside the WAP gateway the information is at one point unencrypted. It is possible, at least in theory, for the WAP gateway to malfunction and establish unencrypted Hypertext Transfer Protocol (HTTP) communication rather than using SSL. This flaw is referred to as the WAP gap.
- The seven layers of point-to-point security are Embedded Security Technology, Secure Air-Connect Technologies, Mobile Operator Network Security, Secure Mobile Operator Gateways, Authentication, Data Center and Network Security, and Secure Application Interfaces.
- Although a point-to-point security model sounds reasonable, it is a fundamentally flawed and limited approach. Whenever data is unencrypted, it is vulnerable.
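A small model of the two security models described in this section and the one before it, added here as an example and not taken from the book or any WAP product. AES-CBC under freshly generated keys stands in for WTLS record protection on the device-to-gateway leg and SSL on the gateway-to-server leg; the handshakes and integrity protection are deliberately left out, because the only thing the model is meant to show is where the plaintext exists. The keys, the gateway functions and the sample message are all constructed for the demonstration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Point-to-point: the gateway ends the WTLS leg and starts the SSL leg, so it must
// hold the plaintext in between. End-to-end: one key is shared by the device and the
// application, and the gateway relays bytes it cannot read.
public static class WapGapModel
{
    public static byte[] RandomBytes(int count)
    {
        byte[] buffer = new byte[count];
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
            rng.GetBytes(buffer);
        return buffer;
    }

    // Record = IV || AES-CBC ciphertext (PKCS7 padding is the Aes default).
    // Stand-in for WTLS/SSL record protection; no MAC, so not for real use.
    public static byte[] Protect(byte[] key, byte[] plaintext)
    {
        using (Aes aes = Aes.Create())
        {
            aes.Key = key;
            aes.GenerateIV();
            byte[] ct = aes.CreateEncryptor().TransformFinalBlock(plaintext, 0, plaintext.Length);
            byte[] record = new byte[aes.IV.Length + ct.Length];
            Buffer.BlockCopy(aes.IV, 0, record, 0, aes.IV.Length);
            Buffer.BlockCopy(ct, 0, record, aes.IV.Length, ct.Length);
            return record;
        }
    }

    public static byte[] Unprotect(byte[] key, byte[] record)
    {
        using (Aes aes = Aes.Create())
        {
            aes.Key = key;
            byte[] iv = new byte[aes.BlockSize / 8];
            Buffer.BlockCopy(record, 0, iv, 0, iv.Length);
            aes.IV = iv;
            return aes.CreateDecryptor().TransformFinalBlock(record, iv.Length, record.Length - iv.Length);
        }
    }

    // Whatever this function can return is what a malfunctioning or compromised
    // gateway could expose: the WAP gap of the text.
    public static string PointToPointGateway(byte[] wtlsKey, byte[] sslKey, byte[] fromDevice, out byte[] toServer)
    {
        byte[] plaintext = Unprotect(wtlsKey, fromDevice);   // WTLS leg ends here
        toServer = Protect(sslKey, plaintext);               // SSL leg starts here
        return Encoding.UTF8.GetString(plaintext);
    }

    // The end-to-end gateway holds no key for this session and only forwards bytes.
    public static string EndToEndGateway(byte[] fromDevice, out byte[] toServer)
    {
        toServer = fromDevice;
        return "<" + fromDevice.Length + " opaque bytes>";
    }

    public static void Main()
    {
        byte[] wtlsKey = RandomBytes(32), sslKey = RandomBytes(32), e2eKey = RandomBytes(32);
        byte[] message = Encoding.UTF8.GetBytes("balance request, account 0000 (constructed sample)");
        byte[] relayed;

        string seen = PointToPointGateway(wtlsKey, sslKey, Protect(wtlsKey, message), out relayed);
        Console.WriteLine("point-to-point gateway sees: " + seen);
        Console.WriteLine("server reads: " + Encoding.UTF8.GetString(Unprotect(sslKey, relayed)));

        seen = EndToEndGateway(Protect(e2eKey, message), out relayed);
        Console.WriteLine("end-to-end gateway sees: " + seen);
        Console.WriteLine("server reads: " + Encoding.UTF8.GetString(Unprotect(e2eKey, relayed)));
    }
}
```

Running Main prints the full message from inside the point-to-point gateway and only a byte count from the end-to-end gateway, while the server decrypts it correctly in both cases. The same structure explains the WAP gap: if the point-to-point gateway forwarded over plain HTTP instead of SSL, it would be sending the plaintext it already holds, whereas an end-to-end gateway with the same fault would be forwarding ciphertext.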
PKI Technology and End-to-End Security Models
- In contrast to the point-to-point security model of WTLS, PKI security provides end-to-end security by deploying digital certificates to client applications such as wireless browsers.
- There is no dominant standard for wireless digital certificates and PKI technologies. The lack of standards also limits geographical coverage.
- To deploy a PKI, you have to first select a wireless PKI technology and a vendor. The technology and vendor you select depend on the application and on the wireless browsers and devices that you wish to deploy.
- Every organization that deploys a PKI must decide what Certificate Authority (CA) to use.
- The most powerful handheld mobile devices, with the most capacity, flexibility, and readily available security technologies, are Personal Digital Assistants (PDAs), not phones. In the future, the problems of PKI security will be eased by the introduction of new networks, such as General Packet Radio Service (GPRS), and of new mobile phones with either built-in support for digital certificates or flexible software configurations similar to today's PDAs.
The Future of Security on the Wireless Web
- The future of wireless security lies in its convergence with Internet and Web security.
- There will hopefully be further standardization on wireless browsers and a single dominant PKI standard; there should also be a standard means of installing digital certificates and of managing wireless PKIs.
- Many of the issues that are seen as challenging today will be resolved when 2.5G and 3G networks replace the current wireless infrastructure on a large scale. 3G networks and the devices that will run on them will provide better and more manageable security because they will support end-to-end SSL and installable software through technologies such as Java 2 Micro Edition (J2ME).
2.5G, 10
devices, 436, 459
networks, 63, 66, 459
systems, 34
2G See Second generation
3Com, 12
3DES See Triple Data Encryption Standard
3G See Third generation
4thPass See Kbrowser
850 (Samsung), 369
6210 (Nokia), 220, 369
7110 (Nokia), 305, 369
7700 (Nokia), 88
A
a (element), 94, 96, 115
a (tag), usage, 255, 262–263
Absolute URLs, 147
access (element), 82, 95
Accessibility See Application
maintenance, 363
Acrobat Reader (Adobe), 189
Activ Server (Nokia), 190
Active Server Pages (ASP), 91, 139, 276
application design, 162–163
code, 372
database creation, 163
document, 165, 168
file, 156
lessons, 173–174
mistrust See Wireless ASPs
scripting, 118
usage, 162–174, 176 See also WMLScript
ActiveX Data Objects (ADO), usage, 168, 169, 411
Add-on modules, 21
Address Book, 275
AddType section, 117
ADK See Mobile Application Development Kit
ADO See ActiveX Data Objects
Adobe See Acrobat Reader; Photoshop
ADO.NET
DataReader, 414–417
code dissection, 415–417
Dataset, 417–422
examination, 411–413
usage See Data access
AdRotator (control), 409
Advanced Mobile Phone System (AMPS), 431
Agent and Speech Recognition software, 203
Air-connect security, 448
Air-Connect technologies See Secure Air-Connect technologies
Aladdin Expander, 190
Aladdin Stuffit Expander, 239
alert() function, 150, 170, 174
ALI See Automatic location identification
Aliases See Server-side aliases
align (attribute), 259
Allaire See Homesite
ALT attribute, 363
Always-on connection, 9
AMPS See Advanced Mobile Phone System; Analog Mobile Phone System
Analog Mobile Phone System (AMPS), 62
anchor (element), 94–96
Anchor tag, 262
Angle brackets, 222
Animated GIFs, 253
Animations, support, 290
Anti-virus technology, 437
Apache configuration file, 342
Apache Web Server, configuration, 341–343
Apple, 29 See also MacOS
Macintosh users, 127
Application
accessibility, 360–362
client/server type, 52
developers, 65
functionality, 87
interfaces See Secure application interfaces
testing, devices (usage), 59–60
Application Designer, 209
ArrayList class, 396, 399
Artus NetGate (Nokia), 75
ASCII text, 88
ASP See Active Server Pages
asp:input (element), 378
ASP.NET, 370
architecture, 380–381
introduction, 371–381, 424
runtime, 380
server, 400
controls, 377–378
Web Forms, 368
Asymmetric algorithms, 440
AT&T, 10, 238
!ATTLIST, 83
Attributes, 76 See also Core attributes
addition, 93–94
Auditing See Security
Authentication, 269, 430, 441, 446, 448–449 See also Digital
Authoring, guidelines See World Wide Web clipping
Automatic location identification (ALI), 37
mandate, 37
Auto-paging capability, 407
AWT See Java AWT
B
b (element), 88, 89, 96–97
b (tag), usage, 255, 260
Back-end applications, 452
Backus Naur Form (BNF), 82
Bandwidth, 338, 434–435
components See High-bandwidth components
connection See Small-bandwidth connection
limitation, 455
optimization, 299–303
reduction, 294
site construction, wireless usage, 337
FAQs, 366
solutions, 364–365
waste, 293–294
Base station See Mobitex
handset connection, 16
Basic Input/Output System (BIOS), 447
BBEdit, 245
Bell Atlantic, 10
BellSouth, 25
big (element), 88, 97
Binary encoded request See Compact binary encoded request
Binary format, 17
Binary Runtime Environment for Wireless (BREW) (Qualcomm), 432
Bit depth, 248
Bitmap See One-bit depth bitmap
Blackberry (RIM), 20, 26
950, 369
957, 20, 26, 236, 320, 369
Block ciphers, 440
Blueprint phone (Nokia), 193, 194, 198
Bluetooth, 12, 31
Bluetooth-equipped laptops, 29
BMP file, 402
BNF See Backus Naur Form
Body, 275
body (tag), usage, 255, 257
bold (element), 96
Bookmarking, 92
control, 92
Boolean data types, 142
br (element), 78, 94
br/ (element), 97
Branded Web-like terminology, usage, 293, 296–297
Breadcrumb, 291
Break (keyword), usage, 146–147
BREW See Binary Runtime Environment for Wireless
British Rail, 13
Browser, 209
Browser-based applications, 30
Browser-like interface, 234
Browsers See Desktop browser; Ericsson; HyperText Markup Language; Mobile Explorer; Nokia; Openwave; Opera; Pocket PC; Third-party browser
cache information, 172
display differences, examination, 320–331, 334
global standards, 455
environment
market See Wireless
usability differences, 321
version/brand, 140
wars, 3
window, 255
Built-in interpreters, 436
Built-in wireless LAN, 29
Bytecode, 195 See Compiled bytecode; WMLScript
C
C#, 368
C (programming language), 181
C++ (Solaris), notification, 181
C-35i (Siemens), 369
CA See Certificate Authority
Cache information See Browsers
Caching See WAP-Integrated Development Environment
control, 91–92
problems, 171, 174
Calculate() function, 152
Calendar control, 409–411
card (element), 78–79, 97–98, 325
Card One, 129
Card Phone (Nokia), 8, 30
Cards See Deck of cards approach See Multi-card approach
concept, 93
naming conventions, usage, 299–300
Carriage returns, collapsing, 86–87
Cascading Style Sheets (CSS), 41, 77, 253, 257
delivery, 345
style sheets, 78
Case sensitivity, 86 See also Elements