Introduction to M-Commerce

Overview
What is M-Commerce?
Security Issues
Usability Issues
Heterogeneity Issues
Business Model Issues
Case Studies / Examples
Q&A
What is M-Commerce?
E-Commerce with mobile devices (PDAs, Cell
Phones, Pagers, etc.)
Different than E-Commerce?
No, but additional challenges:
Security
Usability
Heterogeneous Technologies
Business Model Issues
But first, lets learn a little about wireless
technologies
Wireless Technologies
Link Layer (examples)
WAN:
Analog / AMPS
CDPD: Cellular Digital Packet Data TDMA/GSM:
Time Division Multiple Access, Global System for
Mobile Communications (Europe)
CDMA: Code Division Multiple Access
Mobitex (TDMA-based)
LAN:
802.11
Bluetooth
Devices: Cell Phones, Palm, WinCE, Symbian,
Blackberry,
Examples of PDA Devices
PDA Microprocessor Speed

Palm, Handspring Motorola Dragonball 16.6 20 MHz

RIM Interactive Intel 386 10 MHz

Pager
Compaq Aero 1530 NEC/VR4111 MIPS RISC 70 MHz

HP Jornada 820 Intel/StrongARM RISC SA- 190 MHz

1100
Casio Cassiopeia E- NEC/VR4121 MIPS 131 MHz
100
Psion Revo ARM 710 36 MHz

Psion Series 5 Digital/Arm 7100 18 MHz

Application Layer Technologies
Micro-browser based:
WAP/WML, HDML: Openwave
iMode (HTML): NTT DoCoMo
Web Clipping: Palm.net
XHTML: W3C
Voice-browser based:
VoiceXML: W3C
Client-side:
J2ME: Java 2 Micro Edition (Sun)
WMLScript: Openwave
Messaging:
SMS: Part of GSM Spec.
Example: WAP
WAP: Wireless Application Protocol
Created by WAP Forum
Founded June 1997 by Ericsson, Motorola,
Nokia, Phone.com
500+ member companies
Goal: Bring Internet content to wireless
devices
WTLS: Wireless Transport Layer Security
Basic WAP Architecture
WTLS SSL

Web Server

Internet

WAP
Gateway
Example: WAP application
Security Challenges
Less processing power on devices
Slow Modular exponentiation and Primality Checking
(i.e., RSA)
Crypto operations drain batteries
(CPU intensive!)
Less memory (keys, certs, etc. require storage)
Few devices have crypto accelerators, or
support for biometric authentication
No tamper resistance (memory can be tampered
with, no secure storage)
Primitive operating systems w/ no support for
access control (Palm OS)
Wireless Security Approaches
Link Layer Security
GSM: A3/A5/A8 (auth, key agree, encrypt)
CDMA: spread spectrum + code seq
CDPD: RSA + symmetric encryption
Application Layer Security
WAP: WTLS, WML, WMLScript, & SSL
iMode: N/A
SMS: N/A
Example: Security Concerns
Performance:
well do an example:
should we use RSA or ECC
for WTLS mutual auth?

Control: WAP Gap

data in the clear at gateway while
re-encryption takes place
Example: WTLS ECC vs. RSA?
WTLS Goals
Authentication
Privacy
Data Integrity

Authentication: Public-Key Crypto (CPU

intensive!!!)
Privacy: Symmetric Crypto
Data Integrity: MACs
WTLS: Crypto Basics
Public-Key Crypto
RSA (Rivest-Shamir-Adelman)
ECC (Elliptic Curve)

Certificates

Authentication
None, Client, Server, Mutual
WTLS w/ Mutual-Authentication

Mutual-Authentication
Client Hello ----------->
ServerHello
Certificate
CertificateRequest
<----------- ServerHelloDone
1. Verify Server Certificate
Certificate
ClientKeyExchange (only for RSA) 2. Establish Session Key
CertificateVerify
ChangeCipherSpec 3. Generate Signature
Finished ----------->

<----------- Finished

Application Data <----------> Application Data

WTLS Handshake Timings (Palm VII)

Mutual-Authentication: RSA
Operation Cryptographic Primitive(s) Time Required
(ms)

Server Certificate RSA Signature Verification 598

Verification (Public decrypt, e=3)

Session Key RSA Encryption (Public 622

Establishment encrypt)

Client Authentication RSA Signature Generation

(Private encrypt) 21734

TOTAL 22954
WTLS Handshake Timings (Palm VII)

Mutual-Authentication: ECC
Operation Cryptographic Time Required
Primitive(s) (ms)
Server Certificate CA Public Key Expansion 254.8
Verification
ECC-DSA Signature 1254
Verification
Session Key Server Public Key 254.8
Establishment Expansion
Key Agreement 335.6

Client Authentication ECC-DSA Signature 514.8

Generation
TOTAL 2614

The cryptographic execution time for mutually-authenticated 163-bit ECC

handshakes is at least 8.64 times as fast as the cryptographic execution
time for mutually-authenticated 1024-bit RSA handshakes on the Palm
VII.
WAP Gap: One Alternative
Dynamic Gateway Connection
WTLS Class 2 SSL

Operator WAP
Gateway

Internet

WAP Web
Content Gateway
SSL

Server
Provider

Other alternatives also exist

Usability Challenges
Hard Data Entry
Poor Handwriting Recognition
Numeric Keypads for text entry is error-prone
Poor Voice Recognition
Further complicates security (entering passwords /
speaking pass-phrases is hard!)
Small Screens
i.e., cant show users everything in shopping cart at
once!
Voice Output time consuming
Usability Approaches
Graffiti (Scaled-down handwriting recognition,
Palm devices)
T9 Text Input (Word completion, most cell
phones)
Full alphanumeric keypad & scrollbar
(Blackberry)
Restricted VoiceXML grammars for better voice
recognition
Careful task-based Graphical User Interface &
Dialog Design
Lots of room for improvement!
Heterogeneity Challenges
Many link layer protocols (different security
available in each)
Many application layer standards
Businesses need to write to one or more
standards or hire a company to help them!
Many device types:
Many operating systems (Palm OS, Win CE,
Symbian, Epoch, )
Wide variation in capabilities
Heterogeneity Approaches
HTML/Web screen scraping
Protocol & Mark-up language translators
Standardization
Business Models Issues
Possible Models:
Slotting fees
Wireless advertising (text)
Pay per application downloaded
Pay per page downloaded
Flat-fees for service & applications
Revenue share on transactions
Trust issues between banks, carriers, and
portals
Lack of content / services
Case Studies
NTT DoCoMos I-Mode
Palm.net
Sprint PCS Wireless Web
NTT DoCoMo I-Mode
20 million users in Japan
HTML-based microbrowser
(supports HTTPS/SSL) on CDMA-based
network
10s of thousands of content sites, ring tones,
and screen savers
Pay per application downloaded and pay per
page models
Invested in AT&T Wireless so we may see it
here in US in next few years!
Palm.Net
Low 100K users in USA
Web Clipping (specialized HTML) microbrowser
on Mobitex (TDMA) based network run by
BellSouth (>98% coverage in urban areas)
100s of content sites (typically no charge for
applications)
Palm VII devices now selling for $100 due to
user adoption problems. (Service plans range
from $10 - $40 per month.)
Sprint PCS Wireless Web
Low, single-digit millions of US users
Multi-device strategy: WAP/HDML based
microbrowser on phones, Web Clipping on
Kyocera, both on CDMA network
~50 content sites slotted, many others available
(very hard to enter URLs, though)
Slotting-fee + rev-share on xactions model
$10 per month flat-fee to users, most phones
already have microbrowser installed.