ericssonhistory.com

More documents

Recommendations

Info

TRADEMARKSRC4 and RC4 are registered trademark of RSASecurity Inc. All rights reserved.management, and scalable trust mechanisms.Various PKI solutions will have a keyrole. The AAA functions will be based onIP protocols. However, the new, IP-basedAAA protocols must be adapted to handlethe huge amount of previously implementedAAA functions in cellular systems.PKIPKI is an essential technology that can meetthe scalability requirements for managingkeys in networks and for supporting networkservices such as e-commerce. In thiscontext, the role of the CA role is vital. PKIbasedsubscriptions put this role on a parwith that of an operator. The lack of strongCAs is a potential threat to operators andISPs. Ericsson will work to develop and promotetechnical solutions that pave the wayfor a large number of independent CAs.Ericsson participates in all major forumsthat deal with PKI standardization and development.E-commerce applications will acceleratePKI deployment. But technical solutionsare not enough; a legal framework fore-commerceis also necessary. One example is theongoing European Electronic SignatureStandardization Initiative (EESSI), whichrecently developed a framework for legal andsecurity requirements for the use of electronicsignatures within the EuropeanUnion. At the same time, several countriesare introducing personal electronic identitycards, which involve nationwide PKIs. InSeptember 1999, Ericsson supported thefounding of Radicchio, a global partnershipof companies and organizations that arecommitted to the development of securewireless e-commerce and the promotion ofpublic key infrastructure for wireless devicesand networks. This important step is expectedto boost the acceptance of wireless e-commerce services, many of which will bebased on WAP technology.Another fundamental component is themanagement of roaming agreements. Functionalityis being sought that will introduceautomatic procedures for establishing agreements.In all likelihood, the managementwill rely on trusted third parties that usePKIs and certificate polices and practices.For roaming purposes (between AAAs), securecommunication is best handled withIKE/IPsec and PKI. The distribution of keysin mobile IP is best handled with PKI.Although PKI standards based on X.509(PKIX) are mature and several products areavailable, PKIX handles authorization in aninefficient way. Better alternatives (such asauthorization-based certificates like thoseaddressed by AAA) that are better suited tocomplex trust-management scenarios areneeded.WAPWith the advent of wireless networks, severalcompanies have identified the necessityof designing protocols that are suitablefor narrowband communications. The wirelessapplication protocol, for example, wasdesigned for this purpose. WAP securityprotocols are influenced by security technologiesused on the Internet; for example,the TLS protocol was enhanced to supportconnectionless bearers and compact MACsand signatures, resulting in the WTLS protocol.The Internet PKIX standard is alsounder revision by the WAP Forum, and apreliminary proposal of a Wireless PKI(WPKI) has been developed and will soonbe released. Certificate handling in WPKIhas been adapted to wireless conditions. Acompact certificate format is supported anda universal resource locator (URL) pointerto X.509 certificates can be used instead ofstoring and sending the certificate to thewireless terminal. WPKI contains descriptionsof how a PKI is to be handled in theWAP environment. WTLS and WPKI willbe important parts of future secure WAPservices.Internet standardsThe IKE/IPsec combination of communicationprotocols is more secure and generalthan its predecessors, SSL and SSH.Notwithstanding, because IKE/IPsec is acomplex protocol, it has not gained wide acceptance.One problem with IKE/IPsec isthat it does not fully address the new requirementsof the all-IP world, which includereal-time traffic optimizations, proxyservices, narrowband channels, and legacyauthentication. Consequently, a new protocolneeds to be designed that addresses theseissues.Ericsson actively supports the developmentof security solutions that meet requirementsfrom large IP-based core networksand mass services. Most of these technologiesare standardized by the InternetEngineering Task Force (IETF), of whichEricsson is an increasingly active participant.Ericsson also participates in3GPP/3GPP2 standardization.We believe that openness plays a majorpart in gaining wide acceptance for securi-106 Ericsson Review No. 2, 2000
ty solutions. Accordingly, we actively promotethe use of open and publicly scrutinizedprotocols, mechanisms and algorithms.ConclusionToday, malicious users can easily eavesdropIP traffic, redirect traffic, introduce falsepackets, modify packets, mount denial-ofserviceattacks, and introduce harmful softwareinto systems. One way of counteringthese attacks is to maintain strict control ofaccess to the network by means of firewallsand secure login procedures.To complement access control and obtainthe necessary level of security, the traffic itselfmust be protected. Cryptography providesthe basic techniques needed to buildsecure communications solutions. Protectionmechanisms authenticate users, encryptpackets and protect them from beingmodified.The most straightforward mechanism forregulating access consists of building trustrelationships. Cryptography is used tomaintain the confidentiality of messagesand to guarantee their integrity. Confidentialityis provided by encryption and integritycan be provided by authenticationcodes or digital signatures.Although cryptographic algorithmsmake up the basic mechanisms for securecommunication, standardized methods arebeing sought for authenticating users, ex-changing keys, deciding which algorithmand message formats to use, and so on. Thisis where protocols come into play:• Before a communication session canbegin, the communicating parties mustverify each other's identity. An authenticationprotocol does this. Authenticationcan be based on a public or secret key. Ifpublic keys are used, they are often obtainedusing some kind of public key infrastructure—thisis an essential technologythat can meet the scalability requirementsfor managing keys in networks andfor supporting network services such as e-commerce.• The communicating parties negotiate todetermine which cryptographic algorithmsshould be used for exchanging keysand protecting data.• The parties exchange cryptographic sessionkeys—this phase often includes publickey cryptography, which can be usedto authenticate users and machines and forthe secure exchange of session keys.• Symmetric session keys are calculated andused to encrypt all subsequent packets andto append a MAC field to each packet.Ericsson implements IPsec in many products,including Tigris access servers, Telebitrouters, and GPRS nodes. Ericsson's wirelessLAN solution uses IPsec to encrypt airbornetraffic, and TLS has been used in manyWeb-based applications—in particular, aWAP variant (WTLS) will play an importantrole in the future.REFERENCES1 Menezes, A. J., van Oorschot, P. C. and Vanstone,S. A.: Handbook of Applied Cryptography,CRC Press, 1997.2 Dierks, T. and Allen, C: "The TLS Protocol,"IETF RFC 2246, January 1999.3 Ylonen Et. Al., SSH protocols,http://www.ietf.org/html.charters/secshcharter.html.4 Kent, S. and Atkinson, R.: "Security Architecturefor the Internet Protocol," IETF RFC2401, November 1998.5 Harkins, D. and Carrel, D.: "The Internet KeyExchange (IKE)," IETF RFC 2409, November1998.6 ISO/IEC 9594-8 (1988). CCITT InformationTechnology - Open Systems Interconnection- The Directory: Authentication Framework.Standard X.509,1988.7 Curtin, P. and Whyte, B.: Tigris—A gatewaybetween circuit-switched and IP networks.Ericsson Review Vol 76 (1999):2,pp. 70-81.8 Saussy, G.: The AXI 540 router and the publicIP network edge. Ericsson Review Vol 76(1999):4, pp.182-189.9 Granbohm, H. and Wiklund J.: GPRS—Generalpacket radio service. Ericsson ReviewVol. 76 (1999): 2, pp. 82-88.Ericsson Review No. 2, 2000
Page 1:
Ericsson 2/2000REVIEWTHE TELECOMMUN
Page 4 and 5:
ContributorsIn this issueLuis Barri
Page 6 and 7: Ericsson Review is also published o
Page 8 and 9: Evolving from cdmaOne to third-gene
Page 10 and 11: Figure 2Operators Harmonization Agr
Page 12 and 13: more features, and greater reliabil
Page 14 and 15: Figure 7Ericsson's third-generation
Page 16 and 17: Figure 11Ericsson's timeline for ev
Page 18 and 19: Third-generation TDMAChristofer Lin
Page 20 and 21: TABLE 1 MODULATION AND CODING SCHEM
Page 22 and 23: Figure 3An example of a cell patter
Page 24 and 25: Figure 5Curves illustrating maximum
Page 26 and 27: TABLE 3. DYNAMIC PACKET DATA SIMULA
Page 28 and 29: erage can be achieved in existing c
Page 30 and 31: Business solutions for mobile e-com
Page 32 and 33: Figure 2Comparison of traditional a
Page 34 and 35: BOX B, THE E-COMMERCE TIMELINE1999E
Page 36 and 37: Figure 6Mobile e-Pay end-user servi
Page 38 and 39: Figure 8Access features with push-a
Page 40 and 41: AuthenticationTo verify that end-us
Page 42 and 43: BOX C, MARKET HARMONIZATIONOn Tuesd
Page 44 and 45: Figure 2The footprint of the RBS 22
Page 46 and 47: Communications security in an all-I
Page 48 and 49: BOX B, SYMMETRIC KEY SYSTEMSGood sy
Page 50 and 51: Figure 4Construction of an ESP-prot
Page 52 and 53: Figure 7An X.500 database structure
Page 54 and 55: Figure 9GPRS VPN scenarios.Figure 1
Page 58 and 59: HIPERLAN type 2 for broadband wirel
Page 60 and 61: Figure 3Typical usage of communicat
Page 62 and 63: Figure 6Mapping of higher layer pac
Page 64 and 65: TABLE 1PHYSICAL LAYER MODES OF HIPE
Page 66 and 67: Queen City WaterfrontEMERGING PROJE
Page 68 and 69: TABLE 2. IMPORTANT PARAMETERS FOR N
Page 70: Previous issuesNo. 1,2000IPv6—The
show all

ericssonhistory.com

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?