Introduction to M-Commerce
Overview
• What is M-Commerce?
• Security Issues
• Usability Issues
• Heterogeneity Issues
• Business Model Issues
• Case Studies / Examples
• Q & A
What is M-Commerce?
E-Commerce with mobile devices (PDAs, Cell Phones, Pagers, etc.)
Different from E-Commerce? No, but it brings additional challenges:
• Security
• Usability
• Heterogeneous Technologies
• Business Model Issues
But first, let’s learn a little about wireless technologies…
Wireless Technologies
Link Layer (examples…)
WAN:
• Analog / AMPS
• CDPD: Cellular Digital Packet Data
• TDMA/GSM: Time Division Multiple Access, Global System for Mobile Communications (Europe)
• CDMA: Code Division Multiple Access
• Mobitex (TDMA-based)
LAN:
• 802.11
• Bluetooth
Devices: Cell Phones, Palm, WinCE, Symbian, Blackberry, …
Examples of PDA Devices
PDA                      | Microprocessor                 | Speed
Palm, Handspring         | Motorola Dragonball            | 16.6 – 20 MHz
RIM Interactive Pager    | Intel 386                      | 10 MHz
Compaq Aero 1530         | NEC/VR4111 MIPS RISC           | 70 MHz
HP Jornada 820           | Intel/StrongARM RISC SA-1100   | 190 MHz
Casio Cassiopeia E-100   | NEC/VR4121 MIPS                | 131 MHz
Psion Revo               | ARM 710                        | 36 MHz
Psion Series 5           | Digital/Arm 7100               | 18 MHz
Application Layer Technologies
Micro-browser based:
• WAP/WML, HDML: Openwave
• iMode (HTML): NTT DoCoMo
• Web Clipping: Palm.net
• XHTML: W3C
Voice-browser based:
• VoiceXML: W3C
Client-side:
• J2ME: Java 2 Micro Edition (Sun)
• WMLScript: Openwave
Messaging:
• SMS: Part of GSM Spec.
Example: WAP
WAP: Wireless Application Protocol
• Created by WAP Forum
• Founded June 1997 by Ericsson, Motorola, Nokia, Phone.com
• 500+ member companies
• Goal: Bring Internet content to wireless devices
• WTLS: Wireless Transport Layer Security
Basic WAP Architecture
[Figure: mobile device ↔ WAP Gateway ↔ Internet ↔ Web Server; WTLS protects the wireless leg between device and gateway, SSL protects the Internet leg between gateway and web server]
Example: WAP application
Security Challenges
• Less processing power on devices
  - Slow modular exponentiation and primality checking (i.e., RSA)
  - Crypto operations drain batteries (CPU intensive!)
• Less memory (keys, certs, etc. require storage)
• Few devices have crypto accelerators, or support for biometric authentication
• No tamper resistance (memory can be tampered with, no secure storage)
• Primitive operating systems w/ no support for access control (Palm OS)
Wireless Security Approaches
Link Layer Security
• GSM: A3/A5/A8 (auth, key agree, encrypt)
• CDMA: spread spectrum + code seq
• CDPD: RSA + symmetric encryption
Application Layer Security
• WAP: WTLS, WML, WMLScript, & SSL
• iMode: N/A
• SMS: N/A
Example: Security Concerns
• Performance: we’ll do an example: should we use RSA or ECC for WTLS mutual auth?
• Control: WAP Gap: data is in the clear at the gateway while re-encryption takes place
Example: WTLS – ECC vs. RSA?
WTLS Goals: Authentication, Privacy, Data Integrity
• Authentication: Public-Key Crypto (CPU intensive!!!)
• Privacy: Symmetric Crypto
• Data Integrity: MACs
WTLS: Crypto Basics
• Public-Key Crypto: RSA (Rivest-Shamir-Adleman), ECC (Elliptic Curve)
• Certificates
• Authentication: None, Client, Server, Mutual
WTLS w/ Mutual-Authentication
• Mutual-Authentication message flow:
Client                              Server
ClientHello            ----------->
                       <----------- ServerHello
                                    Certificate
                                    CertificateRequest
                                    ServerHelloDone
Certificate
ClientKeyExchange (only for RSA)
CertificateVerify
ChangeCipherSpec
Finished               ----------->
                       <----------- Finished
Application Data       <---------->  Application Data
Client-side crypto steps:
1. Verify Server Certificate
2. Establish Session Key
3. Generate Signature
WTLS Handshake Timings (Palm VII)
• Mutual-Authentication: RSA
Operation                       | Cryptographic Primitive(s)                        | Time Required (ms)
Server Certificate Verification | RSA Signature Verification (Public decrypt, e=3)  | 598
Session Key Establishment       | RSA Encryption (Public encrypt)                   | 622
Client Authentication           | RSA Signature Generation (Private encrypt)        | 21734
TOTAL                           |                                                   | 22954
WTLS Handshake Timings (Palm VII)
• Mutual-Authentication: ECC
Operation                       | Cryptographic Primitive(s)       | Time Required (ms)
Server Certificate Verification | CA Public Key Expansion          | 254.8
                                | ECC-DSA Signature Verification   | 1254
Session Key Establishment       | Server Public Key Expansion      | 254.8
                                | Key Agreement                    | 335.6
Client Authentication           | ECC-DSA Signature Generation     | 514.8
TOTAL                           |                                  | 2614
The cryptographic execution time for mutually-authenticated 163-bit ECC handshakes is at least 8.64 times as fast as the cryptographic execution time for mutually-authenticated 1024-bit RSA handshakes on the Palm VII.
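To make the message flow and the cost comparison on the preceding slides concrete, here is an added example (not code from the deck or from the WAP Forum) that models the mutually-authenticated WTLS handshake as a transcript and charges the client for the three crypto steps using the Palm VII timings from the two tables above. The table names, the `Handshake` class and the function names are this example's own; the ECC sub-operations that the deck lists separately (key expansion plus verification, key expansion plus agreement) are summed into one step each, and the observation that ECC needs no ClientKeyExchange follows from the flow diagram's "only for RSA" note and the ECC table's "Key Agreement" row.

```python
"""Model of the WTLS mutual-authentication handshake shown on the slides.

Added example, not code from the deck. The message flow and the per-step
timings (Palm VII, 1024-bit RSA vs 163-bit ECC) are taken from the slides;
the data structures and function names are this example's own.
"""
from dataclasses import dataclass, field

# Client-side crypto cost per handshake step, in milliseconds, as measured
# on the Palm VII in the deck's tables. ECC steps that the deck splits into
# sub-operations (key expansion + verification / agreement) are summed here.
PALM_VII_TIMINGS_MS = {
    "RSA-1024": {
        "verify_server_certificate": 598,       # RSA signature verification (e=3)
        "establish_session_key": 622,           # RSA public-key encryption
        "generate_client_signature": 21734,     # RSA signature generation
    },
    "ECC-163": {
        "verify_server_certificate": 254.8 + 1254,  # CA key expansion + ECC-DSA verify
        "establish_session_key": 254.8 + 335.6,     # server key expansion + key agreement
        "generate_client_signature": 514.8,         # ECC-DSA signature generation
    },
}


@dataclass
class Handshake:
    suite: str
    transcript: list = field(default_factory=list)  # (sender, message) pairs
    cost_ms: float = 0.0                            # client-side crypto time

    def send(self, sender, message):
        self.transcript.append((sender, message))

    def spend(self, step):
        self.cost_ms += PALM_VII_TIMINGS_MS[self.suite][step]


def mutual_auth_handshake(suite):
    """Replay the slide's message flow for one cipher suite and tally client crypto cost."""
    hs = Handshake(suite)
    hs.send("client", "ClientHello")
    for m in ("ServerHello", "Certificate", "CertificateRequest", "ServerHelloDone"):
        hs.send("server", m)
    # Step 1: verify the server certificate before trusting anything it signed.
    hs.spend("verify_server_certificate")
    hs.send("client", "Certificate")
    # Step 2: establish the session key. With RSA the client encrypts a pre-master
    # secret to the server's public key and ships it in ClientKeyExchange; with ECC
    # the key is agreed from the certified ECC keys (assumption: ECDH-style agreement,
    # as the deck's "Key Agreement" row implies), so no ClientKeyExchange is sent.
    hs.spend("establish_session_key")
    if suite.startswith("RSA"):
        hs.send("client", "ClientKeyExchange")
    # Step 3: sign the handshake so far so the server can authenticate the client.
    hs.spend("generate_client_signature")
    for m in ("CertificateVerify", "ChangeCipherSpec", "Finished"):
        hs.send("client", m)
    hs.send("server", "Finished")
    return hs


def client_messages(hs):
    return [m for who, m in hs.transcript if who == "client"]


def speedup(slow_suite, fast_suite):
    """Ratio of client-side crypto time between two suites, from the table totals."""
    return round(mutual_auth_handshake(slow_suite).cost_ms
                 / mutual_auth_handshake(fast_suite).cost_ms, 2)


if __name__ == "__main__":
    for suite in PALM_VII_TIMINGS_MS:
        hs = mutual_auth_handshake(suite)
        print(f"{suite}: {hs.cost_ms:.1f} ms client-side crypto; "
              f"client messages: {client_messages(hs)}")
    print("RSA/ECC cost ratio from the table totals:", speedup("RSA-1024", "ECC-163"))
```

Running it reproduces the two TOTAL rows (22954 ms and 2614 ms) and shows that almost all of the RSA cost sits in the client's signature generation, the private-key operation the slide calls "CPU intensive": moving to ECC shrinks that step by more than an order of magnitude and also drops one message from the flow.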
WAP Gap: One Alternative… Dynamic Gateway Connection
Other alternatives also exist…
[Figure: two paths from the device. Operator path: device -(WTLS Class 2)-> operator’s WAP Gateway -(SSL)-> Internet -> Web Server. Content-provider path: device -(WTLS Class 2)-> content provider’s own WAP Gateway -(SSL)-> content provider’s Web Server]
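The WAP gap named on the "Security Concerns" slide and the dynamic-gateway alternative drawn above come down to one question: which hop holds the plaintext between the two encrypted legs? The following added example (not code from the deck) makes that visible by running one request through both architectures and recording every party that ever decrypts it. WTLS and SSL record encryption are stood in for by a small HMAC-SHA256 keystream cipher, which is a toy and not either protocol; the party names, keys, nonce and the request text are constructed for this example.

```python
"""Toy model of the WAP gap and of the dynamic-gateway alternative on the slides.

Added example, not code from the deck. WTLS and SSL record encryption are
stood in for by a small HMAC-SHA256 keystream cipher (a toy, not WTLS/SSL);
party names, keys and the request text are constructed for this example.
"""
import hashlib
import hmac


def toy_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-derived keystream. Symmetric, so encrypt == decrypt.
    Stand-in for the WTLS / SSL record layer, not a real cipher."""
    keystream = bytearray()
    counter = 0
    while len(keystream) < len(data):
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        keystream.extend(block)
        counter += 1
    return bytes(a ^ b for a, b in zip(data, keystream))


toy_decrypt = toy_encrypt


class Party:
    """One hop on the path. `observed` records every plaintext this hop ever holds."""

    def __init__(self, name):
        self.name = name
        self.observed = []

    def terminate_and_reencrypt(self, blob, in_key, out_key, nonce):
        """Gateway behaviour: end the incoming session, re-encrypt for the next one.
        The plaintext exists in this hop's memory in between: that is the WAP gap."""
        plaintext = toy_decrypt(in_key, nonce, blob)
        self.observed.append(plaintext)
        return toy_encrypt(out_key, nonce, plaintext)

    def forward(self, blob):
        """Pure relay: ciphertext passes through untouched."""
        return blob


def run(architecture: str, request: bytes):
    """Return {party name: plaintexts it held} for one request under an architecture."""
    nonce = b"constructed-nonce"
    wtls_key = hashlib.sha256(b"constructed WTLS session key").digest()
    ssl_key = hashlib.sha256(b"constructed SSL session key").digest()
    device, operator_gw, provider_gw, web = (Party(n) for n in (
        "device", "operator WAP gateway", "content-provider WAP gateway", "web server"))
    device.observed.append(request)
    blob = toy_encrypt(wtls_key, nonce, request)  # WTLS record leaves the handset

    if architecture == "operator-gateway":
        # Default deployment: the operator's gateway ends WTLS and opens SSL.
        blob = operator_gw.terminate_and_reencrypt(blob, wtls_key, ssl_key, nonce)
        web.observed.append(toy_decrypt(ssl_key, nonce, blob))
    elif architecture == "dynamic-gateway":
        # Alternative from the slide: WTLS runs to the content provider's own
        # gateway; the operator only relays ciphertext it has no key for.
        blob = operator_gw.forward(blob)
        blob = provider_gw.terminate_and_reencrypt(blob, wtls_key, ssl_key, nonce)
        web.observed.append(toy_decrypt(ssl_key, nonce, blob))
    else:
        raise ValueError(f"unknown architecture: {architecture}")
    return {p.name: p.observed for p in (device, operator_gw, provider_gw, web)}


def parties_seeing(architecture: str, request: bytes):
    """Names of every hop that held the request in the clear, sorted."""
    return sorted(name for name, seen in run(architecture, request).items()
                  if request in seen)


if __name__ == "__main__":
    req = b"GET /cart?add=sku123 HTTP/1.1"  # constructed request
    for arch in ("operator-gateway", "dynamic-gateway"):
        print(f"{arch}: plaintext held by {parties_seeing(arch, req)}")
```

The point the slide makes is the set difference between the two runs: the gap does not go away with a dynamic gateway connection, it moves from the operator, a third party to the transaction, into the content provider's own trust domain, which is the "control" concern the deck lists alongside performance.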
Usability Challenges
• Hard data entry
  - Poor handwriting recognition
  - Numeric keypads for text entry are error-prone
  - Poor voice recognition
  - Further complicates security (entering passwords / speaking pass-phrases is hard!)
• Small screens
  - i.e., can’t show users everything in the “shopping cart” at once!
• Voice output is time consuming
Usability Approaches
• Graffiti (scaled-down handwriting recognition, Palm devices)
• T9 Text Input (word completion, most cell phones)
• Full alphanumeric keypad & scrollbar (Blackberry)
• Restricted VoiceXML grammars for better voice recognition
• Careful task-based Graphical User Interface & dialog design
• Lots of room for improvement!
Heterogeneity Challenges
• Many link layer protocols (different security available in each)
• Many application layer standards
  - Businesses need to write to one or more standards or hire a company to help them!
• Many device types:
  - Many operating systems (Palm OS, Win CE, Symbian, Epoch, …)
  - Wide variation in capabilities
Heterogeneity Approaches
• HTML/Web screen scraping
• Protocol & mark-up language translators
• Standardization
Business Model Issues
Possible models:
• Slotting fees
• Wireless advertising (text)
• Pay per application downloaded
• Pay per page downloaded
• Flat fees for service & applications
• Revenue share on transactions
Issues:
• Trust issues between banks, carriers, and portals
• Lack of content / services
Case Studies
• NTT DoCoMo’s I-Mode
• Palm.net
• Sprint PCS Wireless Web
NTT DoCoMo I-Mode
• 20 million users in Japan
• HTML-based microbrowser (supports HTTPS/SSL) on CDMA-based network
• 10’s of thousands of content sites, ring tones, and screen savers
• Pay per application downloaded and pay per page models
• Invested in AT&T Wireless, so we may see it here in the US in the next few years!
Palm.Net
• Low 100K users in USA
• Web Clipping (specialized HTML) microbrowser on Mobitex (TDMA)–based network run by BellSouth (>98% coverage in urban areas)
• 100’s of content sites (typically no charge for applications)
• Palm VII devices now selling for $100 due to user adoption problems. (Service plans range from $10 - $40 per month.)
Sprint PCS Wireless Web
• Low, single-digit millions of US users
• Multi-device strategy: WAP/HDML based microbrowser on phones, Web Clipping on Kyocera, both on CDMA network
• ~50 content sites slotted, many others available (very hard to enter URLs, though)
• Slotting-fee + revenue-share on transactions model
• $10 per month flat fee to users; most phones already have a microbrowser installed.