
Understanding WAP Wireless Applications, Devices, and Services, part 4
4.5 WTA services and WTA service providers
A WTA service consists of executable content that uses the features provided by the WTA and WAE frameworks.
The content that makes up a WTA service is typically stored in the repository and triggered by events in the mobile network,
using the event-handling mechanism defined in WTA, and it accesses the mobile device's functionality through WTAI.
A WTA service is delivered by a WTA service provider, who could be the mobile telephony service provider (the
operator) to which the user subscribes, or a content or service provider that is authorized by the mobile telephony service
provider to deliver WTA services. A WTA service provider offers enhanced telephony services to a WTA user agent by
providing content and services accessible on a WTA server.
4.6 WTA security model and access control
When transferred from a WTA server to a client, WTA service content is separated from other content by the use of
different WDP port numbers on the WAP gateway. A WTA user agent always uses specific WDP ports on the WAP
gateway when establishing a WSP session, and such a session is the only one allowed to transfer WTA content to a WTA
user agent. Content that is not related to WTA services is to be transferred through the WAP gateway using other
predefined ports. This mechanism is pictured in Figure 4.3.
The security mechanism presently available in WAP provides transport layer security. This security is implemented
using WTLS between two WTLS connection endpoints of which a client is one and a WAP gateway, or an origin server
with built-in gateway functionality, is the other. WTLS allows for the WTA user agent to authenticate a WAP gateway
and have WTA service content encrypted when transferred between the WAP gateway and the WTA user agent. A WTA
user agent uses this authentication to identify specified gateways that are supervised by the mobile telephony service
provider and trusted for delivery of WTA services. At the time of writing this chapter (early 2000), there is no
standardized mechanism defined in WAP for delivering the identities of these trusted gateways to a client. There is,
however, work going on to specify how provisioning of such information should be done.
Figure 4.3 Security model and access control.
To extend the chain of trust beyond the WAP gateway and to the WTA server that delivers the actual WTA services,
the WAP gateway, or its supervising telephony service provider, must ensure that there is a trust relationship between the WAP gateway and
the WTA server. Only a WTA server managed by a WTA service provider is approved to access the trusted gateway.
How this trust is achieved or what technique should be used to enforce security between these entities is up to the mobile
telephony service provider. It might be appropriate to use SSL/TLS, the protocols from which WTLS is derived.
This solution does not provide end-to-end security since it resides on the transport layer level, and the WAP gateway
has to translate between protocols when transferring content. Content is thereby revealed to the possessor of the gateway.
This is probably not a problem when the operator guards the WAP gateway. But there might be other solutions where
security has to be maintained even if the WAP gateway is not trusted. The WAP Forum is currently driving several
efforts to define end-to-end security solutions. When completed, these will be a part of the WAP overall framework and
available to application frameworks such as WTA.
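The admission check a WTA user agent has to make under the model in section 4.6, as an added example that is not code from the book or from any WAP specification. The port numbers, gateway names and the `Session` and `admit` names are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumption: IANA-registered secure WTA session ports (not stated on the page).
WTA_PORTS = frozenset({2805, 2923})
# Assumption: an ordinary secure WSP session port, used only in the samples.
ORDINARY_PORT = 9203
# Constructed identities standing in for the operator-provisioned trusted gateways.
TRUSTED_GATEWAYS = frozenset({"gw1.operator.example"})


@dataclass(frozen=True)
class Session:
    gateway_port: int               # WDP port on the gateway the WSP session uses
    wtls_gateway_id: Optional[str]  # identity authenticated by WTLS, None if none


def admit(session: Session, is_wta_content: bool) -> Tuple[bool, str]:
    """Return (accepted, reason) for content arriving over a WSP session."""
    on_wta_port = session.gateway_port in WTA_PORTS
    if not is_wta_content:
        if on_wta_port:
            return False, "non-WTA content must use the other predefined ports"
        return True, "ordinary content on an ordinary session"
    # From here on the content claims WTA privileges (WTAI access).
    if not on_wta_port:
        return False, "WTA content outside a WTA session"
    if session.wtls_gateway_id is None:
        return False, "gateway not authenticated by WTLS"
    if session.wtls_gateway_id not in TRUSTED_GATEWAYS:
        return False, "authenticated gateway is not a trusted WTA gateway"
    # The gateway-to-WTA-server hop cannot be checked from the client;
    # that trust is the operator's responsibility, as the text explains.
    return True, "WTA content from a trusted gateway on a WTA session"


if __name__ == "__main__":
    # Constructed sessions, one per branch of the check.
    samples = [
        (Session(2923, "gw1.operator.example"), True),
        (Session(ORDINARY_PORT, "gw1.operator.example"), True),
        (Session(2923, None), True),
        (Session(2923, "gw.other.example"), True),
        (Session(2923, "gw1.operator.example"), False),
        (Session(ORDINARY_PORT, None), False),
    ]
    for sess, is_wta in samples:
        print(sess, is_wta, admit(sess, is_wta))
```

A passing check only covers the client-to-gateway leg: content is still visible to whoever operates the gateway, which is the end-to-end gap the section describes.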
4.7 WTAI— interfacing WAP with the mobile network
4.7.1 The WTA interface design
The WTA framework is targeting mobile devices that have built-in functionality for managing phone calls. Some of these
devices also have