
Introduction to M-Commerce

Overview
• What is M-Commerce?
• Security Issues
• Usability Issues
• Heterogeneity Issues
• Business Model Issues
• Case Studies / Examples
• Q&A
What is M-Commerce?
• E-Commerce with mobile devices (PDAs, cell phones, pagers, etc.)
• Different from E-Commerce?
• No, but with additional challenges:
  - Security
  - Usability
  - Heterogeneous technologies
  - Business model issues
• But first, let's learn a little about wireless technologies...
Wireless Technologies
• Link Layer (examples...)
  - WAN:
    Analog / AMPS
    CDPD: Cellular Digital Packet Data
    TDMA/GSM: Time Division Multiple Access, Global System for Mobile Communications (Europe)
    CDMA: Code Division Multiple Access
    Mobitex (TDMA-based)
  - LAN:
    802.11
    Bluetooth
• Devices: Cell Phones, Palm, WinCE, Symbian, Blackberry, ...
Examples of PDA Devices

PDA                      Microprocessor                    Speed
Palm, Handspring         Motorola Dragonball               16.6 – 20 MHz
RIM Interactive Pager    Intel 386                         10 MHz
Compaq Aero 1530         NEC/VR4111 MIPS RISC              70 MHz
HP Jornada 820           Intel/StrongARM RISC SA-1100      190 MHz
Casio Cassiopeia E-100   NEC/VR4121 MIPS                   131 MHz
Psion Revo               ARM 710                           36 MHz
Psion Series 5           Digital/Arm 7100                  18 MHz

Application Layer Technologies
• Micro-browser based:
  - WAP/WML, HDML: Openwave
  - iMode (HTML): NTT DoCoMo
  - Web Clipping: Palm.net
  - XHTML: W3C
• Voice-browser based:
  - VoiceXML: W3C
• Client-side:
  - J2ME: Java 2 Micro Edition (Sun)
  - WMLScript: Openwave
• Messaging:
  - SMS: Part of GSM Spec.
Example: WAP
• WAP: Wireless Application Protocol
• Created by WAP Forum
  - Founded June 1997 by Ericsson, Motorola, Nokia, Phone.com
  - 500+ member companies
• Goal: Bring Internet content to wireless devices
• WTLS: Wireless Transport Layer Security
Basic WAP Architecture

[Figure: Basic WAP Architecture. Labels in the diagram: WTLS, WAP Gateway, Internet, SSL, Web Server, i.e. a WTLS link from the device to the WAP Gateway and an SSL link from the gateway across the Internet to the Web Server.]

Example: WAP application
Security Challenges
• Less processing power on devices
  - Slow modular exponentiation and primality checking (e.g., RSA)
  - Crypto operations drain batteries (CPU intensive!)
• Less memory (keys, certs, etc. require storage)
• Few devices have crypto accelerators or support for biometric authentication
• No tamper resistance (memory can be tampered with, no secure storage)
• Primitive operating systems with no support for access control (Palm OS)
Wireless Security Approaches
• Link Layer Security
  - GSM: A3/A5/A8 (authentication, key agreement, encryption)
  - CDMA: spread spectrum + code sequence
  - CDPD: RSA + symmetric encryption
• Application Layer Security
  - WAP: WTLS, WML, WMLScript, & SSL
  - iMode: N/A
  - SMS: N/A
Example: Security Concerns
• Performance: we'll do an example: should we use RSA or ECC for WTLS mutual authentication?
• Control: the WAP Gap: data is in the clear at the gateway while re-encryption takes place
Example: WTLS – ECC vs. RSA?
• WTLS Goals
  - Authentication
  - Privacy
  - Data Integrity
• Authentication: Public-Key Crypto (CPU intensive!!!)
• Privacy: Symmetric Crypto
• Data Integrity: MACs
WTLS: Crypto Basics
• Public-Key Crypto
  - RSA (Rivest-Shamir-Adleman)
  - ECC (Elliptic Curve)
• Certificates
• Authentication
  - None, Client, Server, Mutual
WTLS w/ Mutual-Authentication

• Mutual-Authentication

  Client                                          Server
  ClientHello                    ----------->
                                                  ServerHello
                                                  Certificate
                                                  CertificateRequest
                                 <-----------     ServerHelloDone
  1. Verify Server Certificate
  Certificate
  ClientKeyExchange (only for RSA)    2. Establish Session Key
  CertificateVerify                   3. Generate Signature
  ChangeCipherSpec
  Finished                       ----------->
                                 <-----------     Finished
  Application Data               <---------->     Application Data

WTLS Handshake Timings (Palm VII)

• Mutual-Authentication: RSA

Operation                        Cryptographic Primitive(s)                          Time Required (ms)
Server Certificate Verification  RSA Signature Verification (Public decrypt, e=3)    598
Session Key Establishment        RSA Encryption (Public encrypt)                     622
Client Authentication            RSA Signature Generation (Private encrypt)          21734
TOTAL                                                                                22954
WTLS Handshake Timings (Palm VII)

• Mutual-Authentication: ECC

Operation                        Cryptographic Primitive(s)        Time Required (ms)
Server Certificate Verification  CA Public Key Expansion           254.8
                                 ECC-DSA Signature Verification    1254
Session Key Establishment        Server Public Key Expansion       254.8
                                 Key Agreement                     335.6
Client Authentication            ECC-DSA Signature Generation      514.8
TOTAL                                                              2614

The cryptographic execution time for mutually-authenticated 163-bit ECC handshakes is at least 8.64 times as fast as the cryptographic execution time for mutually-authenticated 1024-bit RSA handshakes on the Palm VII.
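The handshake diagram and the timing tables fit together as a cost model for the client: the three numbered client steps are one public-key verification, one public-key encryption and one private-key signature, and the RSA table prices exactly those three operations. The following Python example is added here and is not code from the slides; it walks a toy client, server and CA through the flights of the diagram (RSA key-exchange variant), records every modular exponentiation each party performs, and prices the client's work with the RSA table's figures. It also covers the "slow modular exponentiation and primality checking" point from Security Challenges, since key generation runs a Miller-Rabin test. Everything besides the table numbers is constructed for illustration: the tiny RSA (64-bit moduli, no padding), the 48-bit transcript digest standing in for a real hash, and the party names.

```python
"""Toy walk-through of the WTLS mutual-authentication handshake (RSA variant).
Added example, not code from the original slides. The RSA is a tiny pure-Python
stand-in (constructed; never use for real keys) so each step in the slide's
diagram can be traced to the modular exponentiation it costs the client."""
import hashlib
import random

def is_probable_prime(n, rounds=16):
    """Miller-Rabin: each round is one modular exponentiation, the 'primality
    checking' cost the slides flag for small devices."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def rsa_keygen(bits=64, e=3):
    """Return (n, e, d); e=3 is the cheap public exponent in the RSA table above."""
    def prime(b):
        while True:
            c = random.getrandbits(b) | (1 << (b - 1)) | 1
            if (c - 1) % e and is_probable_prime(c):    # keeps gcd(e, c-1) == 1
                return c
    p, q = prime(bits // 2), prime(bits // 2)
    while q == p:
        q = prime(bits // 2)
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))      # Python 3.8+ modular inverse

class Party:
    """A handshake participant that records every exponentiation it performs."""
    def __init__(self, name, bits=64):
        self.name = name
        self.n, self.e, self.d = rsa_keygen(bits)
        self.ops = []                       # e.g. ["verify", "encrypt", "sign"]

    def public(self, what, x, n, e):        # 'verify' / 'encrypt': two multiplications, e=3
        self.ops.append(what)
        return pow(x, e, n)

    def private(self, what, x):             # 'sign' / 'decrypt': exponent d is as long as n
        self.ops.append(what)
        return pow(x, self.d, self.n)

def digest(*parts):
    """48-bit transcript digest (constructed; small so it fits under a toy modulus)."""
    h = hashlib.sha256(b"|".join(str(p).encode() for p in parts)).digest()
    return int.from_bytes(h[:6], "big")

# Client-side timings from the Palm VII RSA table above, in ms per primitive.
PALM_VII_RSA_MS = {"verify": 598, "encrypt": 622, "sign": 21734}

def estimate_palm_vii_ms(party):
    """Price a party's recorded exponentiations with the table (server-side ops are not priced)."""
    return sum(PALM_VII_RSA_MS.get(op, 0) for op in party.ops)

def mutual_auth_handshake(client, server, ca):
    """Follow the flights of the slide's diagram; return both sides' premaster secret."""
    log, client_random = ["ClientHello"], random.getrandbits(32)
    # Server flight; its certificate is the CA's signature over (name, n, e).
    server_cert = (server.n, server.e, ca.private("sign", digest(server.name, server.n, server.e)))
    log += ["ServerHello", "Certificate", "CertificateRequest", "ServerHelloDone"]
    # Step 1, Verify Server Certificate: one public op under the CA key (598 ms row).
    if client.public("verify", server_cert[2], ca.n, ca.e) != digest(server.name, server.n, server.e):
        raise ValueError("server certificate failed verification")
    client_cert = (client.n, client.e, ca.private("sign", digest(client.name, client.n, client.e)))
    # Step 2, Establish Session Key: ClientKeyExchange = public encrypt of the premaster (622 ms row).
    premaster = random.randrange(2, server.n - 1)
    client_key_exchange = client.public("encrypt", premaster, server.n, server.e)
    # Step 3, Generate Signature: CertificateVerify is the client's one private op (21734 ms row).
    certificate_verify = client.private("sign", digest(client_random, client_key_exchange))
    log += ["Certificate", "ClientKeyExchange", "CertificateVerify", "ChangeCipherSpec", "Finished"]
    # Server side: check the client's certificate and signature, then recover the premaster.
    if server.public("verify", client_cert[2], ca.n, ca.e) != digest(client.name, client.n, client.e):
        raise ValueError("client certificate failed verification")
    if server.public("verify", certificate_verify, client.n, client.e) != digest(client_random, client_key_exchange):
        raise ValueError("CertificateVerify signature invalid")
    server_premaster = server.private("decrypt", client_key_exchange)
    log += ["ChangeCipherSpec", "Finished"]
    return premaster, server_premaster, log

if __name__ == "__main__":
    ca, c, s = Party("toy-CA"), Party("client"), Party("server")
    pm, spm, log = mutual_auth_handshake(c, s, ca)
    print("shared premaster:", pm == spm, "| client ops:", c.ops,
          "| estimated Palm VII cost (ms):", estimate_palm_vii_ms(c))
```

Running it records c.ops == ["verify", "encrypt", "sign"] for the client and prices that at 22954 ms, the TOTAL row of the RSA table, with the single private-key signature accounting for roughly 95 percent of it; that lopsided split is what makes the ECC column attractive on a device of this class. Summing the ECC table's rows gives 2614 ms, so the ratio of the two totals comes out near 8.78, consistent with the slide's "at least 8.64" lower bound.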
WAP Gap: One Alternative...
• Dynamic Gateway Connection

[Figure: Dynamic Gateway Connection. Labels in the diagram: WTLS Class 2, Operator WAP Gateway, Internet, SSL, and a Content Provider with its own WAP Gateway and Web Server.]

• Other alternatives also exist...

Usability Challenges
• Hard Data Entry
  - Poor handwriting recognition
  - Numeric keypads for text entry are error-prone
  - Poor voice recognition
  - Further complicates security (entering passwords / speaking pass-phrases is hard!)
• Small Screens
  - e.g., can't show users everything in the "shopping cart" at once!
• Voice output is time consuming
Usability Approaches
• Graffiti (scaled-down handwriting recognition, Palm devices)
• T9 Text Input (word completion, most cell phones)
• Full alphanumeric keypad & scrollbar (Blackberry)
• Restricted VoiceXML grammars for better voice recognition
• Careful task-based Graphical User Interface & dialog design
• Lots of room for improvement!
Heterogeneity Challenges
• Many link layer protocols (different security available in each)
• Many application layer standards
  - Businesses need to write to one or more standards or hire a company to help them!
• Many device types:
  - Many operating systems (Palm OS, Win CE, Symbian, EPOC, ...)
  - Wide variation in capabilities
Heterogeneity Approaches
• HTML/Web screen scraping
• Protocol & mark-up language translators
• Standardization
Business Model Issues
• Possible Models:
  - Slotting fees
  - Wireless advertising (text)
  - Pay per application downloaded
  - Pay per page downloaded
  - Flat fees for service & applications
  - Revenue share on transactions
• Trust issues between banks, carriers, and portals
• Lack of content / services
Case Studies
• NTT DoCoMo's I-Mode
• Palm.net
• Sprint PCS Wireless Web
NTT DoCoMo I-Mode
• 20 million users in Japan
• HTML-based microbrowser (supports HTTPS/SSL) on CDMA-based network
• Tens of thousands of content sites, ring tones, and screen savers
• Pay per application downloaded and pay per page models
• Invested in AT&T Wireless, so we may see it here in the US in the next few years!
Palm.Net
• Low 100K users in USA
• Web Clipping (specialized HTML) microbrowser on Mobitex (TDMA)-based network run by BellSouth (>98% coverage in urban areas)
• Hundreds of content sites (typically no charge for applications)
• Palm VII devices now selling for $100 due to user adoption problems. (Service plans range from $10 - $40 per month.)
Sprint PCS Wireless Web
• Low, single-digit millions of US users
• Multi-device strategy: WAP/HDML-based microbrowser on phones, Web Clipping on Kyocera, both on CDMA network
• ~50 content sites slotted, many others available (very hard to enter URLs, though)
• Slotting-fee + revenue-share-on-transactions model
• $10 per month flat fee to users; most phones already have a microbrowser installed.
