Professional Documents
Culture Documents
IntrotoM Commerce
IntrotoM Commerce
Overview
What is M-Commerce? Security Issues Usability Issues Heterogeneity Issues Business Model Issues Case Studies / Examples Q&A
What is M-Commerce?
E-Commerce with mobile devices (PDAs, Cell Phones, Pagers, etc.) Different than E-Commerce? No, but additional challenges:
Wireless Technologies
WAN: Analog / AMPS CDPD: Cellular Digital Packet Data TDMA/GSM: Time Division Multiple Access, Global System for Mobile Communications (Europe) CDMA: Code Division Multiple Access Mobitex (TDMA-based) LAN: 802.11 Bluetooth
Palm, Handspring
RIM Interactive Pager Compaq Aero 1530 HP Jornada 820 Casio Cassiopeia E100 Psion Revo Psion Series 5
Motorola Dragonball
Intel 386 NEC/VR4111 MIPS RISC Intel/StrongARM RISC SA1100 NEC/VR4121 MIPS
16.6 20 MHz
10 MHz 70 MHz 190 MHz 131 MHz
ARM 710
Digital/Arm 7100
36 MHz
18 MHz
Micro-browser based: WAP/WML, HDML: Openwave iMode (HTML): NTT DoCoMo Web Clipping: Palm.net XHTML: W3C Voice-browser based: VoiceXML: W3C Client-side: J2ME: Java 2 Micro Edition (Sun) WMLScript: Openwave Messaging: SMS: Part of GSM Spec.
Example: WAP
Founded June 1997 by Ericsson, Motorola, Nokia, Phone.com 500+ member companies Goal: Bring Internet content to wireless devices
Web Server
Internet
WAP Gateway
Security Challenges
Slow Modular exponentiation and Primality Checking (i.e., RSA) Crypto operations drain batteries (CPU intensive!)
Less memory (keys, certs, etc. require storage) Few devices have crypto accelerators, or support for biometric authentication No tamper resistance (memory can be tampered with, no secure storage) Primitive operating systems w/ no support for access control (Palm OS)
GSM: A3/A5/A8 (auth, key agree, encrypt) CDMA: spread spectrum + code seq CDPD: RSA + symmetric encryption
WAP: WTLS, WML, WMLScript, & SSL iMode: N/A SMS: N/A
Performance: well do an example: should we use RSA or ECC for WTLS mutual auth? Control: WAP Gap data in the clear at gateway while re-encryption takes place
WTLS Goals
Authentication: Public-Key Crypto (CPU intensive!!!) Privacy: Symmetric Crypto Data Integrity: MACs
Public-Key Crypto
Certificates
Authentication
WTLS w/ Mutual-Authentication
Mutual-Authentication
Client Hello -----------> ServerHello Certificate CertificateRequest ServerHelloDone
<-----------
Mutual-Authentication: RSA
Operation Cryptographic Primitive(s) Time (ms) Required
RSA Signature Verification (Public decrypt, e=3) RSA Encryption encrypt) (Public
598
622
Client Authentication
21734
TOTAL
22954
Mutual-Authentication: ECC
Operation Server Certificate Verification Cryptographic Primitive(s) CA Public Key Expansion ECC-DSA Signature Verification Server Public Key Expansion Key Agreement ECC-DSA Signature Generation Time Required (ms) 254.8 1254 254.8 335.6 514.8 2614
The cryptographic execution time for mutually-authenticated 163-bit ECC handshakes is at least 8.64 times as fast as the cryptographic execution time for mutually-authenticated 1024-bit RSA handshakes on the Palm VII.
Operator
WAP Gateway
Internet
Content Provider
WAP Gateway
SSL
Web Server
Usability Challenges
Poor Handwriting Recognition Numeric Keypads for text entry is error-prone Poor Voice Recognition Further complicates security (entering passwords / speaking pass-phrases is hard!)
i.e., cant show users everything in shopping cart at once!
Small Screens
Usability Approaches
Graffiti (Scaled-down handwriting recognition, Palm devices) T9 Text Input (Word completion, most cell phones) Full alphanumeric keypad & scrollbar (Blackberry) Restricted VoiceXML grammars for better voice recognition Careful task-based Graphical User Interface & Dialog Design Lots of room for improvement!
Heterogeneity Challenges
Many link layer protocols (different security available in each) Many application layer standards Businesses need to write to one or more standards or hire a company to help them! Many device types:
Many operating systems (Palm OS, Win CE, Symbian, Epoch, ) Wide variation in capabilities
Heterogeneity Approaches
Possible Models:
Slotting fees Wireless advertising (text) Pay per application downloaded Pay per page downloaded Flat-fees for service & applications Revenue share on transactions
Trust issues between banks, carriers, and portals Lack of content / services
Case Studies
20 million users in Japan HTML-based microbrowser (supports HTTPS/SSL) on CDMA-based network 10s of thousands of content sites, ring tones, and screen savers Pay per application downloaded and pay per page models Invested in AT&T Wireless so we may see it here in US in next few years!
Palm.Net
Low 100K users in USA Web Clipping (specialized HTML) microbrowser on Mobitex (TDMA) based network run by BellSouth (>98% coverage in urban areas) 100s of content sites (typically no charge for applications) Palm VII devices now selling for $100 due to user adoption problems. (Service plans range from $10 - $40 per month.)
Low, single-digit millions of US users Multi-device strategy: WAP/HDML based microbrowser on phones, Web Clipping on Kyocera, both on CDMA network ~50 content sites slotted, many others available (very hard to enter URLs, though) Slotting-fee + rev-share on xactions model $10 per month flat-fee to users, most phones already have microbrowser installed.