An HTTP-Based Application Layer Security Protocol for Wireless Internet Services

  • Published: 2003.06.01

Abstract

In this paper, we present an application layer protocol to support secure wireless Internet services, called Application Layer Security (ALS). The drawbacks of the two traditional approaches to securing wireless applications motivated the development of ALS. In the first, an application-specific security protocol such as Secure HyperText Transfer Protocol (S-HTTP) builds the security mechanism into the application itself, with the disadvantage that the security services are available only to that particular application. In the second, a separate protocol layer is inserted between the application and transport layers, as in the Secure Sockets Layer (SSL)/Transport Layer Security (TLS). In that case all channel data are encrypted regardless of the specific application's requirements, which wastes network resources. To overcome these problems, ALS is proposed to be implemented on top of HTTP, so that it is independent of the various transport layer protocols, and to provide a common security interface to security applications, which greatly improves the portability of those applications. In addition, since ALS takes advantage of the well-known TLS mechanisms, it eliminates the danger of malicious attack and provides applications with various security services such as authentication, confidentiality, integrity, digital signature, and partial encryption. We conclude the paper with an example of applying ALS to end-to-end security in a present commercial wireless protocol stack, the Wireless Application Protocol.

At present, a number of security protocols are used to provide secure services on the wireless Internet, including Secure HyperText Transfer Protocol (S-HTTP), Secure/Multipurpose Internet Mail Extensions (S/MIME), Secure Sockets Layer (SSL)/Transport Layer Security (TLS), and Wireless TLS (WTLS). However, S-HTTP and S/MIME can only be used with specific applications, while SSL/TLS and WTLS not only waste resources heavily because of channel security but also fail to provide a digital signature function. This paper proposes Application Layer Security (ALS), a new form of application layer security protocol that adopts the advantages of S-HTTP and SSL/TLS and uses the TLS security mechanism on top of HTTP. Because ALS operates on top of HTTP, it is independent of the various underlying transport networks, and by providing a security interface to applications that require security, it is not tied to any particular application. In addition, it secures safety by applying TLS's proven security mechanisms, and by supporting authentication, confidentiality, integrity, digital signature services and partial encryption, it can provide the various services that applications require. Finally, this paper describes the implementation of end-to-end security for the Wireless Application Protocol using ALS.
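Both abstracts above contrast channel-level encryption (SSL/TLS, WTLS) with application-layer partial encryption carried over plain HTTP. The following Python is an added illustration of that idea only; it is not the paper's ALS code and does not reproduce its message format. The header names, the field-level JSON layout and the toy SHA-256 counter-mode keystream (standing in for the cipher a real deployment would negotiate with TLS-style mechanisms) are all assumptions made for this example.

```python
import hashlib
import hmac
import json
import secrets


# Toy keystream: SHA-256 in counter mode. This is an assumption of the example,
# a stand-in for a properly negotiated cipher, not part of the paper's protocol.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, keystream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, keystream))


def _mac(mac_key: bytes, nonce: bytes, payload: bytes) -> str:
    return hmac.new(mac_key, nonce + payload, hashlib.sha256).hexdigest()


def protect(fields, sensitive, enc_key, mac_key, nonce=None):
    """Encrypt only the fields named in `sensitive`; authenticate the whole body.

    Returns (headers, body): a JSON body plus headers that can ride over plain
    HTTP on any transport. Non-sensitive fields stay readable, which is the
    'partial encryption' the abstract contrasts with SSL/TLS channel encryption.
    """
    nonce = nonce if nonce is not None else secrets.token_bytes(12)
    body = {}
    for name, value in fields.items():
        raw = value.encode("utf-8")
        if name in sensitive:
            # Per-field keystream: nonce plus field name keeps keystreams distinct.
            ks = _keystream(enc_key, nonce + b"|" + name.encode("utf-8"), len(raw))
            body[name] = {"enc": _xor(raw, ks).hex()}
        else:
            body[name] = value
    payload = json.dumps(body, sort_keys=True).encode("utf-8")
    # Encrypt-then-MAC over nonce and the full body, so plaintext fields are
    # integrity-protected even though they are not encrypted.
    headers = {
        "Content-Type": "application/json",
        "X-ALS-Nonce": nonce.hex(),          # hypothetical header names
        "X-ALS-MAC": _mac(mac_key, nonce, payload),
    }
    return headers, payload


def verify(headers, payload, mac_key) -> bool:
    """True if the MAC in the headers matches the received body."""
    nonce = bytes.fromhex(headers["X-ALS-Nonce"])
    return hmac.compare_digest(_mac(mac_key, nonce, payload), headers["X-ALS-MAC"])


def unprotect(headers, payload, enc_key, mac_key):
    """Verify the MAC first, then decrypt only the encrypted fields."""
    if not verify(headers, payload, mac_key):
        raise ValueError("integrity check failed: message was modified in transit")
    nonce = bytes.fromhex(headers["X-ALS-Nonce"])
    fields = {}
    for name, value in json.loads(payload).items():
        if isinstance(value, dict) and "enc" in value:
            ct = bytes.fromhex(value["enc"])
            ks = _keystream(enc_key, nonce + b"|" + name.encode("utf-8"), len(ct))
            fields[name] = _xor(ct, ks).decode("utf-8")
        else:
            fields[name] = value
    return fields


if __name__ == "__main__":
    # Constructed sample: a purchase request where only the card number needs
    # confidentiality, while product and amount must still be tamper-evident.
    enc_key, mac_key = secrets.token_bytes(32), secrets.token_bytes(32)
    request = {"product": "ringtone-42", "amount": "3.00", "card_number": "4111111111111111"}
    headers, body = protect(request, {"card_number"}, enc_key, mac_key)
    print(body)                                                    # card_number is ciphertext, the rest readable
    print(unprotect(headers, body, enc_key, mac_key) == request)   # True
```

The point the example makes is the one the abstract argues: only the field the application marks as sensitive is encrypted, every field is covered by the integrity tag, and nothing in the message depends on the transport beneath HTTP. A gateway that terminates the channel (the WAP gap the paper's WAP example addresses) sees readable non-sensitive fields but cannot read or silently alter the protected ones.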
