Jonathan Knudsen focuses on authentication in MIDP and techniques MIDP
clients can use for authentication. He covers using DNS to identify a
server and using TLS for server authentication.
Although the MIDP 1.0 specification does not mandate HTTPS support,
many MIDP 1.0 devices support HTTP over TLS and SSL. The MIDP 2.0
specification requires that implementations support HTTPS, Knudsen
Client authentication means the client must prove its identity to the
server. Attackers could modify traffic between you and the server or
impersonate the server. There are known techniques for spoofing DNS
lookups and IP addresses. In the absence of cryptographic
authentication techniques, clients are unable to distinguish a fake
server from the real one.
A server doesn't authenticate itself simply by presenting a
certificate, which contains only a public key. Knudsen explains how a
server authenticates itself to the client and how TLS handshakes work.
He recommends using TLS instead of making your own protocol. TLS is
widely deployed and is scrutinized by the security community over
several years. SSL and TLS are a good choice for MIDP because they are
time-tested and they meet the needs of wireless commerce applications.
Server authentication is much the same whether the client is a browser
or a MIDlet. "The difference stems from ownership," according to
Knudsen. "Most MIDP devices today are mobile phones, which are usually
the constant companions of their owners." He asserts it makes sense to
place authentication information directly on the device.
In MIDP, a simple password authentication scheme could be created by
adding the user name and password to an HTTP or HTTPS URL. Knudsen
provides some questions to consider when considering any authentication
scheme based on passwords: Does the client use a single password for
its lifetime? Is there a protocol for automatically changing passwords
within the protection of encrypted communication between the client and
server? He also covers client authentication using message digests and
using certificates. Knudsen also discusses the Bouncy Castle
Cryptography APIs and provides a link to download the lightweight
Read More ...