T300/T302
White Paper, August 2002
18
Server authentication requires a server certificate
stored at the server side and a trusted certificate
stored at the client side.
Client authentication requires a client certificate
stored at the client side and a trusted certificate
stored at the server side.
A Wireless Identity Module (WIM) can contain
both trusted and client certificates, private keys
and algorithms needed for WTLS handshaking,
encryption/decryption and signature generation.
The WIM module can be placed on a SIM card
and is then referred to as a SWIM card.
Certificates
To use secure connections, the user needs to
have certificates stored in the phone. There are
two types of certificates:
• Trusted certificate
A certificate that guarantees that a WAP
site is genuine. If the phone has a stored
certificate of a certain type, it means that
the user can trust all WAP gateways that
use the certificate. Trusted certificates can
be pre-installed in the phone or in the SWIM,
or downloaded from the trusted supplier’s
WAP page.
• Client certificate
A personal certificate that verifies the
user’s identity. A bank that the user has a
contract with may issue this kind of
certificate. Client certificates can be
pre-installed in the SWIM card.
WIM locks (PIN codes)
There are two types of WAP security locks (PIN
codes) for a SWIM, which protect the
subscription from unauthorized use. The PIN
codes should typically be provided by the
supplier of the SWIM.
• Access lock
An access lock protects the data in the
WIM. The user is asked to enter the PIN
code the first time the SWIM card is
accessed when establishing a connection.
• Signature lock
A signature lock is used for confirming
transactions, much like a digital signature.
In the T300/T302, the user can check which
transactions have been made with the phone
when browsing. Each time the user confirms a
transaction with a signature lock code, a
contract is stored in the phone. The contract
contains details about the transaction.
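The two locks and the stored contracts described above, as an added illustration that is not code from this white paper or from Sony Ericsson: a small Python model of a WIM in which the access PIN gates the certificate store and the signature PIN must be entered for every transaction, with each confirmed transaction kept as a contract record that can be re-checked later. The retry limit of three attempts, the HMAC used in place of a real private-key signature, the JSON contract layout and the certificate names are assumptions of the example.

```python
import hmac
import hashlib
import json

# Assumed retry limit; the white paper does not state how many wrong
# PIN entries are tolerated before a lock blocks.
MAX_PIN_ATTEMPTS = 3


class Wim:
    """Minimal model of a WIM with an access lock and a signature lock.

    Constructed example: the signing routine is an HMAC stand-in for the
    private-key signature a real WIM would produce, and the certificate
    store holds plain strings rather than parsed certificates.
    """

    def __init__(self, access_pin, signature_pin, signing_key,
                 trusted_certs=(), client_certs=()):
        self._pins = {"access": access_pin, "signature": signature_pin}
        self._attempts = {"access": 0, "signature": 0}
        self._signing_key = signing_key
        self._trusted = list(trusted_certs)
        self._client = list(client_certs)
        self._access_open = False
        self.contracts = []          # one entry per confirmed transaction

    def _check_pin(self, lock, pin):
        """Compare a PIN in constant time and count failed attempts."""
        if self._attempts[lock] >= MAX_PIN_ATTEMPTS:
            raise PermissionError(f"{lock} lock is blocked")
        if not hmac.compare_digest(pin.encode(), self._pins[lock].encode()):
            self._attempts[lock] += 1
            return False
        self._attempts[lock] = 0
        return True

    def open_access(self, pin):
        """Access lock: entered once, the first time the SWIM is used."""
        self._access_open = self._check_pin("access", pin)
        return self._access_open

    def certificates(self):
        """Trusted and client certificates are readable only once unlocked."""
        if not self._access_open:
            raise PermissionError("access lock is closed")
        return {"trusted": list(self._trusted), "client": list(self._client)}

    def sign_transaction(self, details, pin):
        """Signature lock: every transaction needs its own confirmation.

        Returns the stored contract, or None if the signature PIN was wrong.
        """
        if not self._access_open:
            raise PermissionError("access lock is closed")
        if not self._check_pin("signature", pin):
            return None
        payload = json.dumps(details, sort_keys=True).encode()
        signature = hmac.new(self._signing_key, payload, hashlib.sha256).hexdigest()
        contract = {"details": details, "signature": signature}
        self.contracts.append(contract)
        return contract

    def verify_contract(self, contract):
        """Re-check a stored contract against the signing key."""
        payload = json.dumps(contract["details"], sort_keys=True).encode()
        expected = hmac.new(self._signing_key, payload, hashlib.sha256).hexdigest()
        return hmac.compare_digest(contract["signature"], expected)


if __name__ == "__main__":
    wim = Wim("1234", "5678", b"constructed-signing-key",
              trusted_certs=["CN=Example Gateway CA"],
              client_certs=["CN=Example Bank Customer"])
    print("access lock opened:", wim.open_access("1234"))
    c = wim.sign_transaction({"payee": "Example Bank", "amount": "100"}, "5678")
    print("contracts stored:", len(wim.contracts), "valid:", wim.verify_contract(c))
```

The point of separating the two locks is visible in the model: opening the access lock exposes the certificates but signs nothing, and a wrong signature PIN leaves no contract behind. PIN comparison uses a constant-time compare and a failure counter, so a blocked lock stays blocked even when the correct PIN is entered afterwards.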
Configuration of WAP settings
An easy way to perform WAP configuration in the
T300/T302 is to use the step-by-step WAP
configurator available on
http://www.SonyEricsson.com. The configurator
utilizes OTA provisioning.
Manual configuration is done using the menu
system in the phone. This is described in the
User’s guide.
Over-the-air provisioning of WAP settings
To simplify the configuration of WAP settings in
the T300/T302, all settings can be sent to the
phone as an SMS message. This makes it easy
for an operator, a service provider or a company
to distribute settings for Internet/intranet, and
WAP, without the user having to configure the
phone manually. This also makes it easy to
upgrade services, as no manual configuration is
required.
• The OTA configuration message is
distributed via SMS point-to-point.
• The setup information is a binary encoded
XML message (WBXML). To receive
information about OTA specifications, please
contact your local Sony Ericsson
representative for consumer products. A
configurator that utilizes OTA provisioning
can be tested on www.SonyEricsson.com.
• The user is alerted about new settings
when the ongoing browsing session ends.
Settings are not changed during an
ongoing browsing session.
• User interaction is limited to receiving and
accepting/rejecting the configuration
message, and selecting which WAP profile to
allocate the settings to.
• Security can be handled using a keyword
identifier displayed on the screen as a
shared secret between the SMS sender
and recipient. It is important that the user
can verify that the configuration message
is authentic.
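The binary XML encoding and the shared-secret check from the list above, as an added example that is not code from this white paper or from Sony Ericsson: a minimal WBXML encoder and decoder (the WAP-192 framing of version byte, public ID, charset, string table, tag tokens with the content bit, inline strings and END) together with a verification step that binds a settings document to the keyword shared between sender and phone. The tag code page, the sample settings and the HMAC-SHA256 framing are constructed for the example; the paper describes the keyword as something the user checks on screen, and the MAC here is an assumed way of letting the phone perform that check before any settings are applied, not the Sony Ericsson OTA format.

```python
import hmac
import hashlib

# WBXML framing (WAP-192): version, public ID, charset, string table, tokens.
WBXML_VERSION = 0x03       # WBXML 1.3
PUBLIC_ID_UNKNOWN = 0x01
CHARSET_UTF8 = 106         # IANA MIBenum for UTF-8
END, STR_I = 0x01, 0x03    # end-of-element and inline-string global tokens

# Constructed tag code page for this example only; NOT the token values of
# the Sony Ericsson OTA settings format.
TAGS = {"settings": 0x05, "profile": 0x06, "name": 0x07,
        "gateway": 0x08, "port": 0x09, "homepage": 0x0A}
TAG_NAMES = {code: name for name, code in TAGS.items()}

def mb_u_int32(n):
    """Multi-byte integer: 7 bits per byte, high bit set on all but the last."""
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    return bytes(reversed(out))

def _read_mb_u_int32(data, pos):
    value = 0
    while True:
        b, pos = data[pos], pos + 1
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            return value, pos

def _encode_node(node, out):
    tag, children = node
    if not children:
        out.append(TAGS[tag])              # empty element: no content bit
        return
    out.append(TAGS[tag] | 0x40)           # bit 6: element has content
    for child in children:
        if isinstance(child, str):
            out += bytes([STR_I]) + child.encode("utf-8") + b"\x00"
        else:
            _encode_node(child, out)
    out.append(END)

def encode(root):
    """Serialise a (tag, [children]) tree to WBXML bytes."""
    out = bytearray([WBXML_VERSION])
    out += mb_u_int32(PUBLIC_ID_UNKNOWN) + mb_u_int32(CHARSET_UTF8)
    out += mb_u_int32(0)                   # empty string table
    _encode_node(root, out)
    return bytes(out)

def _decode_node(data, pos):
    token, pos = data[pos], pos + 1
    tag = TAG_NAMES.get(token & 0x3F)
    if tag is None or token & 0x80:        # unknown tag, or attributes (unhandled)
        raise ValueError(f"unsupported tag token {token:#04x}")
    children = []
    if token & 0x40:
        while data[pos] != END:
            if data[pos] == STR_I:
                stop = data.index(0x00, pos + 1)
                children.append(data[pos + 1:stop].decode("utf-8"))
                pos = stop + 1
            else:
                child, pos = _decode_node(data, pos)
                children.append(child)
        pos += 1                           # consume END
    return (tag, children), pos

def decode(data):
    """Parse WBXML bytes back into a (tag, [children]) tree."""
    if data[0] != WBXML_VERSION:
        raise ValueError("unsupported WBXML version")
    pos = 1
    for _ in range(2):                     # public ID, charset (unused here)
        _, pos = _read_mb_u_int32(data, pos)
    strtbl_len, pos = _read_mb_u_int32(data, pos)
    root, pos = _decode_node(data, pos + strtbl_len)
    if pos != len(data):
        raise ValueError("trailing bytes after document")
    return root

def protect(wbxml, keyword):
    """Assumed framing: HMAC-SHA256 under the shared keyword, then the document."""
    return hmac.new(keyword.encode(), wbxml, hashlib.sha256).digest() + wbxml

def verify_and_decode(message, keyword):
    """Return the settings tree only if the MAC checks out, else None."""
    mac, wbxml = message[:32], message[32:]
    expected = hmac.new(keyword.encode(), wbxml, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    return decode(wbxml)

SAMPLE = ("settings", [("profile", [     # constructed sample settings document
    ("name", ["Example WAP"]), ("gateway", ["192.0.2.10"]),
    ("port", ["9201"]), ("homepage", ["http://wap.example.com/"])])])
```

Calling `verify_and_decode(protect(encode(SAMPLE), "1234"), "1234")` returns the settings tree; the same message checked with another keyword, or with any byte of the document altered in transit, returns `None`, so the phone never parses settings it cannot attribute to the keyword holder. Because the MAC is checked before decoding, a malformed document is also rejected without the decoder ever running on it.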