Muhammad Javed

    Lahore, Pakistan


    Intro to M-Commerce

    Published: September 15, 2018

    Introduction to M-commerce


    • 1. Introduction to M-Commerce
    • 2. Overview
        - What is M-Commerce?
        - Security Issues
        - Usability Issues
        - Heterogeneity Issues
        - Business Model Issues
        - Case Studies / Examples
    • 3. What is M-Commerce?
        - E-Commerce with mobile devices (PDAs, cell phones, pagers, etc.)
        - Different than E-Commerce? No, but with additional challenges:
            - Security
            - Usability
            - Heterogeneous technologies
            - Business model issues
        - But first, let’s learn a little about wireless technologies…
    • 4. Wireless Technologies
        - Link layer (examples…)
            - WAN: Analog / AMPS; CDPD (Cellular Digital Packet Data); TDMA/GSM (Time Division Multiple Access, Global System for Mobile Communications, Europe); CDMA (Code Division Multiple Access); Mobitex (TDMA-based)
            - LAN: 802.11, Bluetooth
        - Devices: cell phones, Palm, WinCE, Symbian, Blackberry, …
    • 5. Examples of PDA Devices
        PDA                        Microprocessor                    Speed
        Palm, Handspring           Motorola Dragonball               16.6–20 MHz
        RIM Interactive Pager      Intel 386                         10 MHz
        Compaq Aero 1530           NEC/VR4111 MIPS RISC              70 MHz
        HP Jornada 820             Intel/StrongARM RISC SA-1100      190 MHz
        Casio Cassiopeia E-100     NEC/VR4121 MIPS                   131 MHz
        Psion Revo                 ARM 710                           36 MHz
        Psion Series 5             Digital/ARM 7100                  18 MHz
    • 6. Application Layer Technologies
        - Micro-browser based: WAP/WML and HDML (Openwave); iMode (HTML, NTT DoCoMo); Web Clipping (Palm.net); XHTML (W3C)
        - Voice-browser based: VoiceXML (W3C)
        - Client-side: J2ME, Java 2 Micro Edition (Sun); WMLScript (Openwave)
        - Messaging: SMS (part of the GSM spec)
    • 7. Example: WAP
        - WAP: Wireless Application Protocol
        - Created by the WAP Forum, founded June 1997 by Ericsson, Motorola, Nokia and Phone.com; 500+ member companies
        - Goal: bring Internet content to wireless devices
        - WTLS: Wireless Transport Layer Security
    • 8. Basic WAP Architecture
        (diagram) Mobile device <-- WTLS --> WAP Gateway <-- SSL over the Internet --> Web Server
    • 9. Example: WAP application
    • 10. Security Challenges
        - Less processing power on devices
            - Slow modular exponentiation and primality checking (i.e., RSA)
            - Crypto operations drain batteries (CPU intensive!)
        - Less memory (keys, certs, etc. require storage)
        - Few devices have crypto accelerators or support for biometric authentication
        - No tamper resistance (memory can be tampered with, no secure storage)
        - Primitive operating systems with no support for access control (Palm OS)
    • 11. Wireless Security Approaches
        - Link layer security
            - GSM: A3/A5/A8 (authentication, key agreement, encryption)
            - CDMA: spread spectrum + code sequence
            - CDPD: RSA + symmetric encryption
        - Application layer security
            - WAP: WTLS, WML, WMLScript, & SSL
            - iMode: N/A
            - SMS: N/A
    • 12. Example: Security Concerns
        - Performance: we’ll do an example: should we use RSA or ECC for WTLS mutual authentication?
        - Control: the WAP Gap: data is in the clear at the gateway while re-encryption takes place
    • 13. Example: WTLS – ECC vs. RSA?
        - WTLS goals: authentication, privacy, data integrity
        - Authentication: public-key crypto (CPU intensive!!!)
        - Privacy: symmetric crypto
        - Data integrity: MACs
    • 14. WTLS: Crypto Basics
        - Public-key crypto: RSA (Rivest-Shamir-Adleman); ECC (elliptic curve)
        - Certificates
        - Authentication: none, client, server, mutual
    • 15. WTLS with Mutual Authentication
        Client                                    Server
        ClientHello               ----------->
                                                  ServerHello
                                                  Certificate
                                                  CertificateRequest
                                  <-----------    ServerHelloDone
        Certificate
        ClientKeyExchange (only for RSA)
        CertificateVerify
        ChangeCipherSpec
        Finished                  ----------->
                                  <-----------    Finished
        Application Data          <---------->    Application Data

        Steps: 1. Verify Server Certificate; 2. Establish Session Key; 3. Generate Signature
    • 16. WTLS Handshake Timings (Palm VII) – Mutual Authentication: RSA
        Operation                        Cryptographic Primitive(s)                         Time Required (ms)
        Server Certificate Verification  RSA Signature Verification (public decrypt, e=3)     598
        Session Key Establishment        RSA Encryption (public encrypt)                      622
        Client Authentication            RSA Signature Generation (private encrypt)         21734
        TOTAL                                                                               22954
    • 17. WTLS Handshake Timings (Palm VII) – Mutual Authentication: ECC
        The cryptographic execution time for mutually-authenticated 163-bit ECC handshakes is at least 8.64 times as fast as the cryptographic execution time for mutually-authenticated 1024-bit RSA handshakes on the Palm VII.
        Operation                        Cryptographic Primitive(s)         Time Required (ms)
        Server Certificate Verification  CA Public Key Expansion               254.8
                                         ECC-DSA Signature Verification       1254
        Session Key Establishment        Server Public Key Expansion           254.8
                                         Key Agreement                         335.6
        Client Authentication            ECC-DSA Signature Generation          514.8
        TOTAL                                                                 2614
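The three client-side public-key steps of slides 15 to 17 (verify the server certificate, establish the session key, generate the client signature), timed with Go's standard library so the RSA and ECC totals can be compared the way the Palm VII tables do. This is an added example, not code from the original slides: the function names (rsaHandshakeCost, eccHandshakeCost, speedup), the RSA-2048 and P-256 key sizes (modern minimums rather than the 1024-bit RSA and 163-bit ECC measured on the Palm VII), the "certificate" (a constructed stand-in: a CA signature over a hash of the server's public key, not a real WTLS or X.509 certificate) and the fixed handshake transcript are all assumptions of this example.

```go
package main

import (
	"crypto"
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"time"
)

type (
	// StepTiming is one client-side public-key operation and its wall-clock time.
	StepTiming struct {
		Step string
		Took time.Duration
	}
	// HandshakeCost totals the three client-side public-key operations of a WTLS
	// mutually-authenticated handshake; CertOK records whether step 1 succeeded.
	HandshakeCost struct {
		Scheme string
		Steps  []StepTiming
		Total  time.Duration
		CertOK bool
	}
)

// add times f, records it under step, and accumulates the total.
func (c *HandshakeCost) add(step string, f func()) {
	start := time.Now()
	f()
	took := time.Since(start)
	c.Steps = append(c.Steps, StepTiming{Step: step, Took: took})
	c.Total += took
}

// must panics on setup failures (key generation, CA signing); setup is not timed.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// rsaHandshakeCost plays the client side with RSA keys of the given size: verify the
// CA signature over the server's public key (constructed stand-in for a certificate),
// encrypt a pre-master secret to the server's key, then sign the transcript.
func rsaHandshakeCost(bits int) HandshakeCost {
	caKey, serverKey, clientKey := must(rsa.GenerateKey(rand.Reader, bits)), must(rsa.GenerateKey(rand.Reader, bits)), must(rsa.GenerateKey(rand.Reader, bits))
	certDigest := sha256.Sum256(serverKey.PublicKey.N.Bytes())
	caSig := must(rsa.SignPKCS1v15(rand.Reader, caKey, crypto.SHA256, certDigest[:]))
	preMaster := []byte("constructed pre-master secret") // stand-in for the random secret
	transcript := sha256.Sum256([]byte("constructed handshake transcript"))
	c := HandshakeCost{Scheme: fmt.Sprintf("RSA-%d", bits)}
	c.add("server certificate verification (RSA verify)", func() {
		c.CertOK = rsa.VerifyPKCS1v15(&caKey.PublicKey, crypto.SHA256, certDigest[:], caSig) == nil
	})
	c.add("session key establishment (RSA public encrypt)", func() {
		must(rsa.EncryptPKCS1v15(rand.Reader, &serverKey.PublicKey, preMaster))
	})
	c.add("client authentication (RSA sign)", func() {
		must(rsa.SignPKCS1v15(rand.Reader, clientKey, crypto.SHA256, transcript[:]))
	})
	return c
}

// eccHandshakeCost plays the same three steps on P-256: ECDSA verify of the CA
// signature over the server's ECDH key, ECDH key agreement, then an ECDSA signature.
func eccHandshakeCost() HandshakeCost {
	caKey, clientKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)), must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	serverECDH, clientECDH := must(ecdh.P256().GenerateKey(rand.Reader)), must(ecdh.P256().GenerateKey(rand.Reader))
	certDigest := sha256.Sum256(serverECDH.PublicKey().Bytes())
	caSig := must(ecdsa.SignASN1(rand.Reader, caKey, certDigest[:]))
	transcript := sha256.Sum256([]byte("constructed handshake transcript"))
	c := HandshakeCost{Scheme: "ECC P-256"}
	c.add("server certificate verification (ECDSA verify)", func() {
		c.CertOK = ecdsa.VerifyASN1(&caKey.PublicKey, certDigest[:], caSig)
	})
	c.add("session key establishment (ECDH key agreement)", func() {
		must(clientECDH.ECDH(serverECDH.PublicKey()))
	})
	c.add("client authentication (ECDSA sign)", func() {
		must(ecdsa.SignASN1(rand.Reader, clientKey, transcript[:]))
	})
	return c
}

// speedup is the ratio the slides report for the Palm VII: RSA total over ECC total.
func speedup(rsaCost, eccCost HandshakeCost) float64 {
	return float64(rsaCost.Total) / float64(eccCost.Total)
}

func main() {
	r, e := rsaHandshakeCost(2048), eccHandshakeCost()
	for _, c := range []HandshakeCost{r, e} {
		fmt.Printf("%s: total %v, cert ok %v, steps %v\n", c.Scheme, c.Total, c.CertOK, c.Steps)
	}
	fmt.Printf("ECC handshake is %.1fx cheaper than RSA on this machine\n", speedup(r, e))
}
```

Run it with `go run` and compare the per-step split, not the absolute numbers: on a desktop CPU every step is far below a millisecond, and the ratio will not match the Palm VII's figure. What carries over is the shape of the RSA column in slide 16, where signature verification and public-key encryption with a small public exponent are cheap and the client's private-key signature dominates, against the evenly spread ECC steps of slide 17. That asymmetry is why mutual authentication, rather than server-only authentication, is the case where the choice of public-key scheme matters most on a constrained device.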
    • 18. WAP Gap: One Alternative…
        - Dynamic gateway connection
        - Other alternatives also exist…
        (diagram labels: Internet, WAP Gateway, WTLS Class 2, SSL, Operator Web Server, SSL, Content Provider WAP Gateway)
    • 19. Usability Challenges
        - Hard data entry
            - Poor handwriting recognition
            - Numeric keypads for text entry are error-prone
            - Poor voice recognition
            - Further complicates security (entering passwords / speaking pass-phrases is hard!)
        - Small screens (i.e., can’t show users everything in the “shopping cart” at once!)
        - Voice output is time consuming
    • 20. Usability Approaches
        - Graffiti (scaled-down handwriting recognition, Palm devices)
        - T9 text input (word completion, most cell phones)
        - Full alphanumeric keypad & scrollbar (Blackberry)
        - Restricted VoiceXML grammars for better voice recognition
        - Careful task-based graphical user interface & dialog design
        - Lots of room for improvement!
    • 21. Heterogeneity Challenges
        - Many link layer protocols (different security available in each)
        - Many application layer standards
        - Businesses need to write to one or more standards or hire a company to help them!
        - Many device types:
            - Many operating systems (Palm OS, Win CE, Symbian, EPOC, …)
            - Wide variation in capabilities
    • 22. Heterogeneity Approaches
        - HTML/Web screen scraping
        - Protocol & mark-up language translators
        - Standardization
    • 23. Business Model Issues
        - Possible models:
            - Slotting fees
            - Wireless advertising (text)
            - Pay per application downloaded
            - Pay per page downloaded
            - Flat fees for service & applications
            - Revenue share on transactions
        - Trust issues between banks, carriers, and portals
        - Lack of content / services
    • 24. Case Studies
        - NTT DoCoMo’s I-Mode
        - Palm.net
        - Sprint PCS Wireless Web
    • 25. NTT DoCoMo I-Mode
        - 20 million users in Japan
        - HTML-based microbrowser (supports HTTPS/SSL) on a CDMA-based network
        - 10’s of thousands of content sites, ring tones, and screen savers
        - Pay per application downloaded and pay per page models
        - Invested in AT&T Wireless, so we may see it here in the US in the next few years!
    • 26. Palm.Net
        - Low 100K users in the USA
        - Web Clipping (specialized HTML) microbrowser on a Mobitex (TDMA)-based network run by BellSouth (>98% coverage in urban areas)
        - 100’s of content sites (typically no charge for applications)
        - Palm VII devices now selling for $100 due to user adoption problems (service plans range from $10–$40 per month)
    • 27. Sprint PCS Wireless Web
        - Low single-digit millions of US users
        - Multi-device strategy: WAP/HDML-based microbrowser on phones, Web Clipping on Kyocera, both on a CDMA network
        - ~50 content sites slotted, many others available (very hard to enter URLs, though)
        - Slotting-fee + revenue-share-on-transactions model
        - $10 per month flat fee to users; most phones already have a microbrowser installed