Wireless Identity Module
The Wireless Application Protocol (WAP) is the result of continuous work to define an industry-wide specification for
developing applications that operate over wireless communication networks. The scope of the WAP Forum is to define a set
of specifications to be used by service applications. The wireless market is growing very quickly and is reaching new
customers and services. To enable operators and manufacturers to meet the challenges of advanced services, differentiation
and fast, flexible service creation, the WAP Forum defines a set of protocols in the transport, security, transaction, session and
application layers. For additional information on the WAP architecture, please refer to the “Wireless Application Protocol
Architecture Specification” [WAPARCH].
WAP security functionality includes Wireless Transport Layer Security [WAPWTLS] and application level security,
accessible using the Wireless Markup Language Script [WMLScript]. For optimum security, some parts of the security
functionality need to be performed by a tamper-resistant device, so that an attacker cannot retrieve sensitive data. Such data
includes in particular the permanent private keys used in the WTLS handshake with client authentication and for making application
level electronic signatures (such as confirming an application level transaction). In WTLS, the master secrets that protect
secure sessions are also relatively long-lived, possibly several days. This is in order to avoid frequent full handshakes,
which are relatively heavy both computationally and in the amount of data transferred. Master secrets are used as a source of
entropy to calculate MAC keys and message encryption keys, which are used to secure a limited number of messages,
depending on the usage of WTLS.
The WAP Identity Module (WIM) is used in performing WTLS and application level security functions, and especially, to
store and process information needed for user identification and authentication. The functionality presented here is based on
the requirement that sensitive data, especially keys, can be stored in the WIM, and all operations where these keys are
involved can be performed in the WIM.
An example of a WIM implementation is a smart card. In the phone, it can be the Subscriber Identity Module (SIM) card or
an external smart card. The way in which a phone and a smart card interact is specified as a command-response protocol, using
Application Protocol Data Units (APDU) specific to this application. This specification is based on the ISO7816 series of
standards on smart cards and the related GSM specifications [GSM11.11], where applicable.
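The command-response exchange described above is carried in ISO 7816-4 APDUs. The following Python is an added example, not code from the WIM specification, that encodes short command APDUs (cases 1 to 4) and parses the response data and status word. The CLA/INS values used when calling it are placeholders, not WIM command codes.

```python
# Added example: ISO 7816-4 short APDU encoding/parsing for a command-response
# protocol between a WAP device and a smart-card based WIM.
from dataclasses import dataclass
from typing import Optional


@dataclass
class CommandAPDU:
    cla: int
    ins: int
    p1: int
    p2: int
    data: bytes = b""          # command data field (case 3/4), at most 255 bytes
    le: Optional[int] = None   # expected response length (case 2/4); 256 is coded 0x00

    def encode(self) -> bytes:
        header = bytes([self.cla, self.ins, self.p1, self.p2])
        body = b""
        if self.data:
            if len(self.data) > 255:
                raise ValueError("short APDU data field is limited to 255 bytes")
            body += bytes([len(self.data)]) + self.data      # Lc || data
        if self.le is not None:
            if not 1 <= self.le <= 256:
                raise ValueError("Le must be in 1..256 for a short APDU")
            body += bytes([self.le & 0xFF])                  # Le, 256 -> 0x00
        return header + body


@dataclass
class ResponseAPDU:
    data: bytes
    sw1: int
    sw2: int

    @property
    def sw(self) -> int:
        return (self.sw1 << 8) | self.sw2


def parse_response(raw: bytes) -> ResponseAPDU:
    """Split a response APDU into the data field and the trailing SW1 SW2."""
    if len(raw) < 2:
        raise ValueError("response APDU must end with SW1 SW2")
    return ResponseAPDU(raw[:-2], raw[-2], raw[-1])


def describe_status(resp: ResponseAPDU) -> str:
    """Interpret the status word (ISO 7816-4 and GSM 11.11 conventions)."""
    if resp.sw == 0x9000:
        return "ok"
    if resp.sw1 in (0x61, 0x9F):   # SW2 bytes still available: fetch with GET RESPONSE
        return f"more-data:{resp.sw2}"
    if resp.sw1 == 0x6C:           # wrong Le: re-issue the command with Le = SW2
        return f"wrong-le:{resp.sw2}"
    return f"error:{resp.sw:04X}"
```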
This specification concentrates on defining an interface between the part of a WAP client device that is not considered
tamper-resistant, and a tamper-resistant component, the WIM.
A basic requirement for a WIM implementation is that it is tamper-resistant. This means that certain physical hardware
protection is used, which makes it infeasible to extract or modify information in the module (volatile and non-volatile memory
and other parts). The technologies used in smart cards are examples of this kind of protection. Regular mobile phones and PDAs
cannot be considered tamper-resistant. For these devices, extracting information from the module, for example, may be difficult but
is still feasible with proper equipment.
This specification does not define exact requirements for tamper-resistance. Businesses can enforce certain requirements and
policies using PKI based mechanisms. Applications should only accept certificates signed by Certification Authorities that
are known to fulfil the requirements and policies.
PKI functionality (including WTLS client authentication with private keys, and WMLScript digital signatures) can be
implemented in pure software on normal PDAs or phones, using password protection, encryption etc. However, such
implementations cannot be considered WIM implementations and are out of the scope of this specification. At the same time,
service interfaces defined in this specification may be useful for designing internal software interfaces for these