Compaq Evo n800c Wireless Security - Page 21

The WAP GAP



Wireless Security White Paper
Figure 10 illustrates the wireless access protocol.

Figure 10: Wireless Access Protocol (WAP)

WAP does not provide end-to-end encryption between the wireless client and the application
server. The wireless transport layer security (WTLS) on which WAP is based encrypts
information only as it travels from the wireless client to the WAP gateway. The WAP gateway
often re-encrypts the information, using Secure Socket Layer (SSL), as it continues to the
application server. However, this does not change the fact that there is no end-to-end encryption
on the information’s trip from the wireless client device to the application server. This
characteristic is often called the "WAP gap."

The newest ratified version of WAP is 2.0 (June 2001). WAP 2.0 is radically different from
previous versions and represents a strong flow of convergence with the IETF and W3C. The
WAP gateway is optional and WAP has now adopted the Internet standards TCP, HTTP, and
TLS with wireless-specific profiles. Similarly, WML is effectively a profile of XHTML. Much
work has been done, as well, on end-to-end security.

It may be some time, however, before implementations of WAP 2.0 appear on the market. Such
implementations may appear first on the PocketPC rather than on telephones, since all they would
require is a software change rather than new hardware.

[Figure 10 diagram, titled The “WAP GAP”. Labels: Mobile Device, WTLS, WAP Gateway, TLS, Web Server, WAP GAP]

  • Security protocol must be translated from WAP “WTLS” to standard Internet “TLS”
  • Data is unencrypted for a brief period of time
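
The gap described above, modeled as an added example that is not part of the white paper: `seal` and `open_` are a toy encrypt-then-MAC construction standing in for WTLS and TLS record protection (not the real protocols), and every name, key and the sample payload are constructed for illustration. It shows the gateway holding the cleartext between the two hops, and an application-layer end-to-end wrap keeping the payload opaque to the gateway.

```python
import hashlib, hmac, secrets

def _keystream(key, nonce, n):
    # Toy keystream: HMAC-SHA256 in counter mode (illustration only).
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def _subkeys(key):
    # Separate encryption and MAC keys derived from the hop key.
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()

def seal(key, plaintext):
    """Stand-in for one hop's record protection (WTLS or TLS): encrypt, then MAC."""
    ek, mk = _subkeys(key)
    nonce = secrets.token_bytes(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(ek, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mk, nonce + ct, hashlib.sha256).digest()

def open_(key, record):
    """Verify the MAC, then decrypt; raises ValueError on a tampered record."""
    ek, mk = _subkeys(key)
    nonce, ct, tag = record[:12], record[12:-32], record[-32:]
    if not hmac.compare_digest(tag, hmac.new(mk, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("record failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(ek, nonce, len(ct))))

def gateway_relay(wtls_key, tls_key, record):
    """WAP gateway: terminate the WTLS hop, then re-protect for the TLS hop.
    Returns (record for the web server, bytes held in gateway memory)."""
    in_memory = open_(wtls_key, record)      # the "WAP gap": cleartext at the gateway
    return seal(tls_key, in_memory), in_memory

def run(payload, e2e_key=None):
    """Send payload device -> gateway -> server, optionally wrapped end to end."""
    wtls_key, tls_key = secrets.token_bytes(32), secrets.token_bytes(32)
    body = seal(e2e_key, payload) if e2e_key else payload
    to_server, seen_by_gateway = gateway_relay(wtls_key, tls_key, seal(wtls_key, body))
    received = open_(tls_key, to_server)
    delivered = open_(e2e_key, received) if e2e_key else received
    return seen_by_gateway, delivered

if __name__ == "__main__":
    msg = b"account=12345&amount=100"        # constructed sample payload
    seen, _ = run(msg)
    print("hop-by-hop only, gateway holds:", seen)
    seen, got = run(msg, e2e_key=secrets.token_bytes(32))
    print("end-to-end wrap, gateway holds:", seen.hex()[:32] + "...", "| delivered:", got)
```
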