Introduction to M-Commerce

Overview

What is M-Commerce? Security Issues Usability Issues Heterogeneity Issues Business Model Issues Case Studies / Examples Q & A

What is M-Commerce?

E-Commerce with mobile devices (PDAs, Cell Phones, Pagers, etc.)

Different than E-Commerce? No, but additional challenges:

Security Usability Heterogeneous Technologies Business Model Issues

But first, let’s learn a little about wireless technologies…

Wireless Technologies

Link Layer (examples…) WAN:

Analog / AMPSCDPD: Cellular Digital Packet Data TDMA/GSM: Time Division Multiple Access, Global System for Mobile Communications (Europe)CDMA: Code Division Multiple AccessMobitex (TDMA-based)

LAN:802.11Bluetooth

Devices: Cell Phones, Palm, WinCE, Symbian, Blackberry, …

Examples of PDA DevicesPDA Microprocessor Speed

Palm, Handspring Motorola Dragonball 16.6 – 20 MHz

RIM Interactive Pager

Intel 386 10 MHz

Compaq Aero 1530 NEC/VR4111 MIPS RISC 70 MHz

HP Jornada 820 Intel/StrongARM RISC SA-1100

190 MHz

Casio Cassiopeia E-100

NEC/VR4121 MIPS 131 MHz

Psion Revo ARM 710 36 MHz

Psion Series 5 Digital/Arm 7100 18 MHz

Application Layer Technologies

Micro-browser based:WAP/WML, HDML: Openwave iMode (HTML): NTT DoCoMo Web Clipping: Palm.netXHTML: W3C

Voice-browser based:VoiceXML: W3C

Client-side: J2ME: Java 2 Micro Edition (Sun)WMLScript: Openwave

Messaging: SMS: Part of GSM Spec.

Example: WAP

WAP: Wireless Application Protocol Created by WAP Forum

Founded June 1997 by Ericsson, Motorola, Nokia, Phone.com

500+ member companies Goal: Bring Internet content to wireless

devices WTLS: Wireless Transport Layer Security

Basic WAP Architecture

Web Server

WTLS SSL

Internet

WAP Gateway

                               

                                         

                 

Example: WAP application

Security Challenges

Less processing power on devices Slow Modular exponentiation and Primality Checking (i.e., RSA) Crypto operations drain batteries

(CPU intensive!) Less memory (keys, certs, etc. require storage) Few devices have crypto accelerators, or support for

biometric authentication No tamper resistance (memory can be tampered with, no

secure storage) Primitive operating systems w/ no support for access

control (Palm OS)

Wireless Security Approaches

Link Layer Security GSM: A3/A5/A8 (auth, key agree, encrypt) CDMA: spread spectrum + code seq CDPD: RSA + symmetric encryption

Application Layer Security WAP: WTLS, WML, WMLScript, & SSL iMode: N/A SMS: N/A

Example: Security Concerns

Performance: we’ll do an example:

should we use RSA or ECCfor WTLS mutual auth?

Control: WAP Gap data in the clear at gateway while

re-encryption takes place

Example: WTLS– ECC vs. RSA?

WTLS Goals Authentication Privacy Data Integrity

Authentication: Public-Key Crypto (CPU intensive!!!)

Privacy: Symmetric Crypto Data Integrity: MACs

WTLS: Crypto Basics

Public-Key Crypto RSA (Rivest-Shamir-Adelman) ECC (Elliptic Curve)

Certificates

Authentication None, Client, Server, Mutual

WTLS w/ Mutual-Authentication

• Mutual-AuthenticationClient Hello ----------->

ServerHelloCertificateCertificateRequest

<----------- ServerHelloDone

CertificateClientKeyExchange (only for RSA)CertificateVerifyChangeCipherSpecFinished ----------->

<----------- Finished

Application Data <----------> Application Data

1. Verify Server Certificate

2. Establish Session Key

3. Generate Signature

WTLS Handshake Timings (Palm VII)

• Mutual-Authentication: RSA

Operation Cryptographic Primitive(s) Time Required (ms)

Server Certificate Verification

RSA Signature Verification(Public decrypt, e=3)

598 

Session Key Establishment

RSA Encryption (Public encrypt)

622

Client Authentication RSA Signature Generation (Private encrypt) 21734

TOTAL   22954

WTLS Handshake Timings (Palm VII)

• Mutual-Authentication: ECCOperation Cryptographic Primitive(s) Time Required

(ms)Server Certificate Verification

CA Public Key Expansion 254.8

ECC-DSA Signature Verification

1254

Session Key Establishment

Server Public Key Expansion

254.8

Key Agreement 335.6

Client Authentication ECC-DSA Signature Generation

514.8

TOTAL   2614

The cryptographic execution time for mutually-authenticated 163-bit ECC handshakes is at least 8.64 times as fast as the cryptographic execution time for mutually-authenticated 1024-bit RSA handshakes on the Palm VII.

WAP Gap: One Alternative… Dynamic Gateway Connection

Other alternatives also exist…

Internet

WAP Gateway

WTLS Class 2 SSL

Operator

WebServer

SSLContentProvider

WAP Gateway

Usability Challenges

Hard Data Entry Poor Handwriting Recognition Numeric Keypads for text entry is error-prone Poor Voice Recognition Further complicates security (entering passwords /

speaking pass-phrases is hard!) Small Screens

i.e., can’t show users everything in “shopping cart” at once!

Voice Output time consuming

Usability Approaches

Graffiti (Scaled-down handwriting recognition, Palm devices)

T9 Text Input (Word completion, most cell phones)

Full alphanumeric keypad & scrollbar (Blackberry) Restricted VoiceXML grammars for better voice

recognition Careful task-based Graphical User Interface &

Dialog Design Lots of room for improvement!

Heterogeneity Challenges

Many link layer protocols (different security available in each)

Many application layer standards Businesses need to write to one or more

standards or hire a company to help them! Many device types:

Many operating systems (Palm OS, Win CE, Symbian, Epoch, …)

Wide variation in capabilities

Heterogeneity Approaches

HTML/Web screen scraping Protocol & Mark-up language translators Standardization

Business Models Issues

Possible Models: Slotting fees Wireless advertising (text) Pay per application downloaded Pay per page downloaded Flat-fees for service & applications Revenue share on transactions

Trust issues between banks, carriers, and portals

Lack of content / services

Case Studies

NTT DoCoMo’s I-Mode Palm.net Sprint PCS Wireless Web

NTT DoCoMo I-Mode

20 million users in Japan HTML-based microbrowser

(supports HTTPS/SSL) on CDMA-based network

10’s of thousands of content sites, ring tones, and screen savers

Pay per application downloaded and pay per page models

Invested in AT&T Wireless so we may see it here in US in next few years!

Palm.Net

Low 100K users in USA Web Clipping (specialized HTML) microbrowser

on Mobitex (TDMA) – based network run by BellSouth (>98% coverage in urban areas)

100’s of content sites (typically no charge for applications)

Palm VII devices now selling for $100 due to user adoption problems. (Service plans range from $10 - $40 per month.)

Sprint PCS Wireless Web

Low, single-digit millions of US users Multi-device strategy: WAP/HDML based

microbrowser on phones, Web Clipping on Kyocera, both on CDMA network

~50 content sites slotted, many others available (very hard to enter URLs, though)

Slotting-fee + rev-share on xactions model $10 per month flat-fee to users, most phones

already have microbrowser installed.