T226 White Paper
July 2003 (Rev C)
Server authentication requires a server certificate stored at the server side and a trusted certificate stored at the client side.
Client authentication requires a client certificate stored at the client side and a trusted certificate stored at the server side.
A Wireless Identity Module (WIM) can contain both trusted and client certificates, private keys and the algorithms needed for WTLS handshaking, encryption/decryption and signature generation. The WIM module can be placed on a SIM card, which is then referred to as a SWIM card.
Certificates
To use secure connections, the user needs to have certificates stored in the phone. There are two types of certificates:
• Trusted certificate
A certificate that guarantees that a WAP site is genuine. If the phone has a stored trusted certificate of a certain type, the user can trust every WAP gateway whose certificate is backed by it. Trusted certificates can be pre-installed in the phone or in the SWIM, or they can be downloaded from the trusted supplier’s WAP page.
• Client certificate
A personal certificate that verifies the user’s identity. A bank that the user has a contract with may issue this kind of certificate. Client certificates can be pre-installed in the SWIM card.
WIM locks (PIN codes)
There are two types of WAP security locks (PIN codes) for a SWIM, which protect the subscription from unauthorized use. The PIN codes should typically be provided by the supplier of the SWIM.
• Access lock
An access lock protects the data in the WIM. The user is asked to enter the PIN code the first time the SWIM card is accessed when establishing a connection.
• Signature lock
A signature lock is used for confirming transactions, much like a digital signature.
In the T226, the user can check which transactions have been made with the phone when browsing. Each time the user confirms a transaction with a signature lock code, a contract is stored in the phone. The contract contains details about the transaction.
Configuration of WAP settings
An easy way to perform WAP configuration in the T226 is to use the step-by-step WAP configurator available on http://www.SonyEricsson.com. The configurator utilizes OTA provisioning.
Manual configuration is done using the menu system in the phone. This is described in the User’s Guide. WAP settings can also be customized in the mobile phone based on the operator’s preferences.
Over-the-air provisioning of WAP settings
To simplify the configuration of WAP settings in the T226, all settings can be sent to the phone as an SMS message. This makes it easy for an operator, a service provider or a company to distribute settings for Internet/intranet and WAP without the user having to configure the phone manually. This also makes it easy to upgrade services, as no manual configuration is required.
• The OTA configuration message is distributed via SMS point-to-point.
• The setup information is a binary encoded XML message (WBXML). To receive information about OTA specifications, please contact your local Sony Ericsson representative for consumer products. A configurator that utilizes OTA provisioning can be tested on www.SonyEricsson.com.
• The user is alerted about new settings when the ongoing browsing session ends. Settings are not changed during an ongoing browsing session.
• User interaction is limited to receiving and accepting/rejecting the configuration message, and selecting which WAP profile to allocate the settings to.
• Security can be handled using a keyword identifier displayed on the screen as a shared secret between the SMS sender and recipient. It is important that the user can verify that the configuration message is authentic.
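The receive-side handling described in the list above, as an added example that is not code from the white paper or from Sony Ericsson: it assumes the sender attaches an HMAC-SHA1 over the WBXML body keyed with the displayed keyword (the paper only says the keyword is a shared secret, not how it is used), drops any message whose MAC does not verify before the user is asked anything, and defers accepted settings while a browsing session is open. The message layout and the settings body are constructed for the example.

```python
import hmac
import hashlib

# Constructed stand-in for a WBXML settings body (not a real encoding).
SAMPLE_BODY = b"<constructed WBXML settings body: WAP profile, gateway, port>"


def ota_mac(keyword: str, wbxml_body: bytes) -> str:
    # Assumption: keyed MAC over the body, key = keyword shown to the user.
    return hmac.new(keyword.encode("utf-8"), wbxml_body, hashlib.sha1).hexdigest()


def make_ota_message(keyword: str, wbxml_body: bytes) -> dict:
    """Sender side (operator/company): settings body plus its MAC."""
    return {"body": wbxml_body, "mac": ota_mac(keyword, wbxml_body)}


class OtaReceiver:
    """Phone side: verify authenticity, ask the user, defer during browsing."""

    def __init__(self, keyword: str):
        self.keyword = keyword      # keyword the user received out of band
        self.browsing = False       # True while a WAP session is ongoing
        self.pending = []           # accepted settings waiting for session end
        self.applied = []           # settings currently in effect

    def receive(self, message: dict, user_accepts: bool) -> str:
        # Authenticity first: a forged or altered body never reaches the
        # accept/reject prompt. compare_digest avoids a timing side channel.
        if not hmac.compare_digest(ota_mac(self.keyword, message["body"]), message["mac"]):
            return "rejected: MAC mismatch"
        if not user_accepts:
            return "rejected: user declined"
        if self.browsing:
            self.pending.append(message["body"])   # never change settings mid-session
            return "deferred: browsing session active"
        self.applied.append(message["body"])
        return "applied"

    def end_browsing_session(self) -> int:
        """Session over: apply deferred settings and report how many."""
        self.browsing = False
        count = len(self.pending)
        self.applied.extend(self.pending)
        self.pending = []
        return count
```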
Push services
Examples of WAP services that can be pushed include:
• Notification of new email, voice mail, etc.
• News, sports results, weather forecasts, financial information (stock quotes etc.).
• Personal Information Manager (PIM) - delivery