Jonathan Knudsen focuses on authentication in MIDP: how a MIDP client
authenticates the server it talks to, and how it authenticates itself to
that server. He covers using DNS to identify a server and using TLS for
server authentication.
Although the MIDP 1.0 specification does not mandate HTTPS support,
many MIDP 1.0 devices support HTTP over TLS and SSL. The MIDP 2.0
specification requires that implementations support HTTPS, Knudsen
states.
Server authentication means the server must prove its identity to the
client; client authentication means the client must prove its identity
to the server. Without the former, an attacker could modify traffic
between the client and the server or impersonate the server outright.
Techniques for spoofing DNS lookups and IP addresses are well known, so
resolving a name to an address identifies a server without proving
anything about it. In the absence of cryptographic authentication, a
client cannot distinguish a fake server from the real one.
A server does not authenticate itself simply by presenting a
certificate. A certificate binds a public key to a name and is itself
public, so anyone who has seen it can present it; the server must also
prove possession of the matching private key, which is what the TLS
handshake accomplishes. Knudsen explains how this works and walks through
the handshake. He recommends using TLS rather than inventing your own
protocol: TLS is widely deployed and has been scrutinized by the security
community for years. SSL and TLS are a good fit for MIDP because they are
time-tested and meet the needs of wireless commerce applications.
Server authentication is much the same whether the client is a browser
or a MIDlet. "The difference stems from ownership," according to
Knudsen. "Most MIDP devices today are mobile phones, which are usually
the constant companions of their owners." He asserts it makes sense to
place authentication information directly on the device.
In MIDP, a simple password scheme can be built by adding the user name
and password to an HTTP or HTTPS URL; over plain HTTP those credentials
cross the network in the clear, so such a scheme depends entirely on the
TLS layer beneath it. Knudsen poses questions to ask of any
password-based scheme: Does the client use a single password for its
lifetime? Is there a protocol for changing passwords automatically within
the protection of an encrypted connection between client and server? He
also covers client authentication using message digests and using
certificates, and discusses the Bouncy Castle Cryptography APIs, with a
link to download the lightweight APIs.
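The challenge-response form of message-digest client authentication mentioned above, as an added example that is not Knudsen's code or the article's MIDP source. Plain Python stands in for the MIDlet and its server so the exchange runs offline; the credential store is constructed for the demo, the `example.invalid` host in the naive URL scheme is hypothetical, SHA-256 is this example's digest choice, and the single-use nonce table is what stops a captured response from being replayed.

```python
"""Challenge-response client authentication with a message digest.

Added example, not code from Knudsen's MIDP article. Both the client and
the server sides are modelled in one process; on a device the client half
would run in the MIDlet and send its answer over an HTTP(S) connection.
"""
import hashlib
import hmac
import secrets
import time

# Constructed credential store for the demo. A digest scheme of this shape
# needs the server to recompute the digest, so it must hold the password (or
# a value derived from it); that is one of the trade-offs behind Knudsen's
# questions about how passwords are handled over the client's lifetime.
USERS = {"alice": "correct horse battery"}


def naive_url(user, password):
    """The password-in-the-URL scheme from the summary (hypothetical host).
    Over plain HTTP this is readable by anyone on the path; over HTTPS the
    URL is encrypted in transit but still lands in server and proxy logs."""
    return f"https://example.invalid/login?user={user}&password={password}"


def compute_digest(user, nonce, password):
    """Digest both sides compute. SHA-256 is this example's choice; the
    fields are newline-separated so 'ab'+'c' and 'a'+'bc' cannot collide."""
    material = "\n".join([user, nonce, password]).encode("utf-8")
    return hashlib.sha256(material).hexdigest()


class Server:
    def __init__(self, users, nonce_ttl=30.0):
        self.users = users
        self.nonce_ttl = nonce_ttl
        self.outstanding = {}  # nonce -> time issued; each nonce is single-use

    def challenge(self):
        nonce = secrets.token_hex(16)  # 128 bits the client cannot predict
        self.outstanding[nonce] = time.monotonic()
        return nonce

    def verify(self, user, nonce, digest):
        # pop() consumes the nonce, so replaying a captured response fails.
        issued = self.outstanding.pop(nonce, None)
        if issued is None:
            return False
        if time.monotonic() - issued > self.nonce_ttl:
            return False
        password = self.users.get(user)
        if password is None:
            return False
        expected = compute_digest(user, nonce, password)
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(expected, digest)


def client_login(server, user, password):
    """Client side: fetch a challenge, answer it, return (accepted, nonce, digest)."""
    nonce = server.challenge()
    digest = compute_digest(user, nonce, password)
    return server.verify(user, nonce, digest), nonce, digest


if __name__ == "__main__":
    server = Server(USERS)
    ok, nonce, digest = client_login(server, "alice", "correct horse battery")
    print("correct password accepted:", ok)
    print("replay of the same response accepted:", server.verify("alice", nonce, digest))
    print("wrong password accepted:", client_login(server, "alice", "wrong")[0])
    print("naive scheme sends:", naive_url("alice", "correct horse battery"))
```

Run it directly to see the four outcomes. The password never crosses the wire in this scheme, only a digest over a server-chosen nonce, which is why the nonce must be unpredictable and consumed on first use; on a MIDP device the same digest would be computed with the Bouncy Castle lightweight API, which this example does not use.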
http://wireless.java.sun.com/midp/articles/security3