Introduction to M-COMMETRCE

Overview
What is M-Commerce?
Security Issues Usability Issues Heterogeneity Issues Business Model Issues Case Studies / Examples

What is M-Commerce?
E-Commerce with mobile devices (PDAs, Cell Phones, Pagers, etc.) Different than E-Commerce? No, but additional challenges:
Security Usability Heterogeneous Technologies Business Model Issues

But first, lets learn a little about wireless technologies

Wireless Technologies
Link Layer (examples)
WAN:

Analog / AMPS CDPD: Cellular Digital Packet Data TDMA/GSM: Time Division Multiple Access, Global System for Mobile Communications (Europe) CDMA: Code Division Multiple Access Mobitex (TDMA-based) LAN: 802.11 Bluetooth

Devices: Cell Phones, Palm, WinCE, Symbian, Blackberry,

Application Layer Technologies

Micro-browser based:

WAP/WML, HDML: Openwave iMode (HTML): NTT DoCoMo Web Clipping: Palm.net XHTML: W3C Voice-browser based: VoiceXML: W3C Client-side: J2ME: Java 2 Micro Edition (Sun) WMLScript: Openwave Messaging: SMS: Part of GSM Spec.

Example: WAP
WAP: Wireless Application Protocol Created by WAP Forum Founded June 1997 by Ericsson, Motorola, Nokia, Phone.com 500+ member companies Goal: Bring Internet content to wireless devices WTLS: Wireless Transport Layer Security

Basic WAP Architecture

WTLS SSL Web Server

Internet

WAP Gateway

Example: WAP application

Security Challenges
Less processing power on devices
Slow Modular exponentiation and Primality Checking (i.e.,

RSA) Crypto operations drain batteries (CPU intensive!)

Less memory (keys, certs, etc. require storage) Few devices have crypto accelerators, or support for

biometric authentication No tamper resistance (memory can be tampered with, no secure storage) Primitive operating systems w/ no support for access control (Palm OS)

Wireless Security Approaches

Link Layer Security GSM: A3/A5/A8 (auth, key agree, encrypt) CDMA: spread spectrum + code seq CDPD: RSA + symmetric encryption Application Layer Security WAP: WTLS, WML, WMLScript, & SSL iMode: N/A SMS: N/A

Example: Security Concerns

Performance:

well do an example: should we use RSA or ECC for WTLS mutual auth?
Control: WAP Gap

data in the clear at gateway while re-encryption takes place

Example: WTLS ECC vs. RSA?

WTLS Goals
Authentication Privacy Data Integrity

Authentication: Public-Key Crypto (CPU intensive!!!) Privacy: Symmetric Crypto Data Integrity: MACs

WTLS Handshake Timings (Palm VII)

Mutual-Authentication: RSA
Operation Cryptographic Primitive(s) Time (ms) Required

Server Certificate Verification Session Establishment Key

RSA Signature Verification (Public decrypt, e=3) RSA Encryption encrypt) (Public

598

622

Client Authentication

RSA Signature Generation (Private encrypt)

21734

TOTAL

22954

WTLS Handshake Timings (Palm VII)

Mutual-Authentication: ECC
Operation Server Certificate Verification Cryptographic Primitive(s) CA Public Key Expansion ECC-DSA Signature Verification Server Public Key Expansion Key Agreement ECC-DSA Signature Generation Time Required (ms) 254.8 1254 254.8 335.6 514.8 2614

Session Key Establishment

Client Authentication TOTAL

The cryptographic execution time for mutually-authenticated 163-bit ECC handshakes is at least 8.64 times as fast as the cryptographic execution time for mutually-authenticated 1024-bit RSA handshakes on the Palm VII.

WAP Gap: One Alternative Dynamic Gateway Connection

WTLS Class 2 SSL

Operator

WAP Gateway

Internet

Content Other alternatives also exist Provider

WAP Gateway

SSL

Web Server

Usability Challenges
Hard Data Entry
Poor Handwriting Recognition Numeric Keypads for text entry is error-prone Poor Voice Recognition

Further complicates security (entering passwords /

speaking pass-phrases is hard!)

Small Screens
i.e., cant show users everything in shopping cart at

once!

Voice Output time consuming

Usability Approaches
Graffiti (Scaled-down handwriting recognition, Palm devices) T9 Text Input (Word completion, most cell phones) Full alphanumeric keypad & scrollbar (Blackberry) Restricted VoiceXML grammars for better voice recognition Careful task-based Graphical User Interface & Dialog Design Lots of room for improvement!

Heterogeneity Challenges
Many link layer protocols (different security available in each) Many application layer standards Businesses need to write to one or more standards or hire a company to help them! Many device types:
Many operating systems (Palm OS, Win CE, Symbian,

Epoch, ) Wide variation in capabilities

Heterogeneity Approaches
HTML/Web screen scraping
Protocol & Mark-up language translators Standardization

Business Models Issues

Possible Models:
Slotting fees Wireless advertising (text) Pay per application downloaded

Pay per page downloaded

Flat-fees for service & applications Revenue share on transactions

Trust issues between banks, carriers, and portals Lack of content / services

Case Studies
NTT DoCoMos I-Mode
Palm.net

NTT DoCoMo I-Mode

20 million users in Japan HTML-based microbrowser (supports HTTPS/SSL) on CDMA-based network 10s of thousands of content sites, ring tones, and screen savers Pay per application downloaded and pay per page models Invested in AT&T Wireless so we may see it here in US in next few years!

Palm.Net
Low 100K users in USA Web Clipping (specialized HTML) microbrowser on Mobitex (TDMA) based network run by BellSouth (>98% coverage in urban areas) 100s of content sites (typically no charge for applications) Palm VII devices now selling for $100 due to user adoption problems. (Service plans range from $10 - $40 per month.)

THANK YOU
By SARTHAK SINGH BBS 1ST YEAR 8339