Secure Information Networks pp 209-215
Attacks Against the WAP WTLS Protocol
Chapter
Abstract
The WAP WTLS protocol was designed to provide privacy, data integrity, and authentication for wireless terminals. The protocol is currently being fielded, and it is expected that the protocol will be contained in millions of devices in a few years.
Even though the WTLS protocol is closely modeled after the well-studied TLS protocol, we have identified a number of potential security problems in it. In this note, we describe a chosen plaintext data recovery attack, a datagram truncation attack, a message forgery attack, and a key-search shortcut for some exportable keys.
Keywords
Block Cipher; Stream Cipher; Group Order; Transport Layer Security; Alert Message
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.
Copyright information
© Springer Science+Business Media Dordrecht 1999