21.4.2 WAP Identity Module
The WAP Identity Module (WIM) performs the WTLS and application layer security functions (e.g., digital signature for authentication, key exchange) and serves as secure storage for a user's personal and security-related information (e.g., private and secure cryptographic keys). WIM must be implemented as a tamper-resistant device, so the logical choice is a smartcard (e.g., SIM card) which can be inserted into a mobile device. The structure of the card information is based on the PKCS #15 cryptographic token specification.
21.4.3 WML Security Issues
Wireless Markup Language (WML) is a markup language based on XML (see Section 15.1) and designed for use in mobile devices. A WML deck, which consists of one or more WML cards, is similar to an HTML page: it is also identified by a URI and comprises a transmission unit. After loading a deck, the microbrowser displays the first card. WML has a mechanism for user agent (i.e., microbrowser) state management including variables that can change the characteristics and content of a WML card or deck. Their values are stored in the
. The user may consider the values of certain variables private, however, so it must not be possible for a malicious service to retrieve the private information. The
element specifies access control for the entire deck (i.e., deck-level access control). The
define which other decks are allowed to access this deck. When the user navigates from one deck to another, the access control mechanism defines whether the destination deck may be accessed from the current (i.e., referring) deck. If the
attribute is set to TRUE, the microbrowser must specify the URI of the referring deck. Specifically, the server (providing the destination deck) may perform URI-based access control and thus limit the set of URIs whose decks are allowed to refer to the server's deck.
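The server-side URI-based access control described above can be sketched as follows. This is an added example, not code from the book; the function name and sample URIs are constructed, and the matching rule (whole domain labels as a suffix, whole path segments as a prefix) is assumed from the WML 1.x deck-level access control semantics.

```python
import posixpath
from urllib.parse import unquote, urlsplit

def _labels(host):
    # Case-insensitive DNS labels, ignoring a trailing root dot.
    return [p for p in host.lower().rstrip(".").split(".") if p]

def _segments(path):
    # Decode, then collapse "." and ".." so /X/../admin cannot pass as /X.
    return [s for s in posixpath.normpath(unquote(path) or "/").split("/") if s]

def referrer_allowed(referring_uri, domain, path="/"):
    """True if the referring deck's URI lies inside (domain, path).

    The referring URI is supplied by the client, so this restricts
    navigation by conforming microbrowsers; it is not authentication.
    """
    parts = urlsplit(referring_uri or "")
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False  # absent or malformed referrer: deny by default
    host, want = _labels(parts.hostname), _labels(domain)
    # Suffix match on whole labels: "shop.example" must not admit
    # "evilshop.example", which a plain endswith() would accept.
    if not want or host[-len(want):] != want:
        return False
    have, need = _segments(parts.path), _segments(path)
    # Prefix match on whole segments: "/X" must not admit "/XZ".
    return have[:len(need)] == need

if __name__ == "__main__":
    # Constructed sample referrers (hypothetical hosts, not from the book).
    for uri in ("http://www.shop.example/X/Y/deck.wml",
                "http://evilshop.example/X/deck.wml",
                "http://shop.example/XZ/deck.wml",
                "http://shop.example/X/../admin/deck.wml"):
        print(uri, referrer_allowed(uri, "shop.example", "/X"))
```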
21.5 SIM Application Toolkit
The SIM card initially played a passive role, providing the user with the authentication necessary to access the network and encryption keys to achieve speech confidentiality. SIM Application Toolkit, a part of the GSM standard (GSM 11.14), extends the card's role such that it becomes the interface between the mobile device and the network. SIM Toolkit supports the
364 Security Fundamentals for E-Commerce