White Paper Z600
28 September 2003
Security using the WAP
For certain WAP services, such as banking serv-
ices, a secure connection between the phone and
WAP gateway is necessary. An icon in the display
of the Z600 indicates when a secure connection is
in use.
The Z600 is based on the WAP 2.0 (WML 1.3)
specification suite, in which security functionality is
specified by a technology called Wireless Transport
Layer Security (WTLS). The WAP protocols for han-
dling connection, transport and security are struc-
tured in layers, with security handled by the WTLS
layer, operating above the transport protocol layer.
WTLS classes define the levels of security for a
WTLS connection:
• WTLS class 1 – encryption with no authentica-
tion.
• WTLS class 2 – encryption with server authenti-
cation.
• WTLS class 3 – encryption with both server and
client authentication.
Server authentication requires a server certificate
stored at the server side and a trusted certificate
stored at the client side.
Client authentication requires a client certificate
stored at the client side and a trusted certificate
stored at the server side.
A Wireless Identity Module (WIM) can contain both
trusted and client certificates, private keys and
algorithms needed for WTLS handshaking, encryp-
tion/decryption and signature generation. The WIM
module can be placed on a SIM card and is then
referred to as a SWIM card.
Certificates
To use secure connections, the user needs to have
certificates stored in the phone. There are two
types of certificates:
Trusted certificate
A certificate that guarantees that a WAP site is gen-
uine. If the phone has a stored certificate of a cer-
tain type, it means that the user can trust all WAP
gateways that use the certificate. Trusted certifi-
cates can be pre-installed in the phone, in the
SWIM or they can be downloaded from the trusted
supplier’s WAP page.
Client certificate
A personal certificate that verifies the user’s iden-
tity. A bank that the user has a contract with may
issue this kind of certificate. Client certificates can
be pre-installed in the SWIM card.
WIM locks (PIN codes)
There are two types of WAP security locks (PIN
codes) for a SWIM, which protect the subscription
from unauthorized use. The PIN codes should typi-
cally be provided by the supplier of the SWIM.
Access lock
An access lock protects the data in the WIM. The
user is asked to enter the PIN code the first time
the SWIM card is accessed when establishing a
connection.
Signature lock
A signature lock is used for confirming transac-
tions, much like a digital signature.
In the Z600, the user can check which transactions
have been made with the phone when browsing.
Each time the user confirms a transaction with a
signature lock code, a contract is stored in the
phone. The contract contains details about the
transaction.
Configuration of WAP settings
An easy way to perform WAP configuration in the
Z600 is to use the step-by-step WAP configurator
available on http://www.SonyEricsson.com. The
configurator utilizes OTA provisioning.
Manual configuration is done using the menu sys-
tem in the phone. This is described in the User’s
guide.