
Introduction to M-Commerce

Overview
- What is M-Commerce?
- Security Issues
- Usability Issues
- Heterogeneity Issues
- Business Model Issues
- Case Studies / Examples
- Q&A
What is M-Commerce?
- E-Commerce with mobile devices (PDAs, Cell Phones, Pagers, etc.)
- Different from E-Commerce?
- No, but additional challenges:
  • Security
  • Usability
  • Heterogeneous Technologies
  • Business Model Issues
- But first, let’s learn a little about wireless technologies…
Wireless Technologies
- Link Layer (examples…)
  • WAN:
    Analog / AMPS
    CDPD: Cellular Digital Packet Data
    TDMA/GSM: Time Division Multiple Access, Global System for Mobile Communications (Europe)
    CDMA: Code Division Multiple Access
    Mobitex (TDMA-based)
  • LAN:
    802.11
    Bluetooth
- Devices: Cell Phones, Palm, WinCE, Symbian, Blackberry, …
Examples of PDA Devices

PDA                      Microprocessor                   Speed
Palm, Handspring         Motorola Dragonball              16.6 – 20 MHz
RIM Interactive Pager    Intel 386                        10 MHz
Compaq Aero 1530         NEC/VR4111 MIPS RISC             70 MHz
HP Jornada 820           Intel/StrongARM RISC SA-1100     190 MHz
Casio Cassiopeia E-100   NEC/VR4121 MIPS                  131 MHz
Psion Revo               ARM 710                          36 MHz
Psion Series 5           Digital/Arm 7100                 18 MHz

Application Layer Technologies
- Micro-browser based:
  WAP/WML, HDML: Openwave
  iMode (HTML): NTT DoCoMo
  Web Clipping: Palm.net
  XHTML: W3C
- Voice-browser based:
  VoiceXML: W3C
- Client-side:
  J2ME: Java 2 Micro Edition (Sun)
  WMLScript: Openwave
- Messaging:
  SMS: Part of GSM Spec.
Example: WAP
- WAP: Wireless Application Protocol
- Created by WAP Forum
  • Founded June 1997 by Ericsson, Motorola, Nokia, Phone.com
  • 500+ member companies
  • Goal: Bring Internet content to wireless devices
- WTLS: Wireless Transport Layer Security
Basic WAP Architecture
[Diagram: the mobile device talks WTLS to the WAP Gateway, which talks SSL over the Internet to the Web Server]
Example: WAP application
Security Challenges
- Less processing power on devices
  • Slow modular exponentiation and primality checking (as in RSA)
  • Crypto operations drain batteries (CPU intensive!)
- Less memory (keys, certs, etc. require storage)
- Few devices have crypto accelerators, or support for biometric authentication
- No tamper resistance (memory can be tampered with, no secure storage)
- Primitive operating systems w/ no support for access control (Palm OS)
Wireless Security Approaches
- Link Layer Security
  • GSM: A3 (auth), A8 (key agreement), A5 (encryption)
  • CDMA: spread spectrum + code sequence
  • CDPD: RSA + symmetric encryption
- Application Layer Security
  • WAP: WTLS, WML, WMLScript, & SSL
  • iMode: N/A
  • SMS: N/A
Example: Security Concerns
- Performance: we’ll do an example: should we use RSA or ECC for WTLS mutual auth?
- Control: WAP Gap (data is in the clear at the gateway while re-encryption takes place)
Example: WTLS – ECC vs. RSA?
- WTLS Goals
  • Authentication
  • Privacy
  • Data Integrity
- Authentication: Public-Key Crypto (CPU intensive!!!)
- Privacy: Symmetric Crypto
- Data Integrity: MACs
WTLS: Crypto Basics
- Public-Key Crypto
  • RSA (Rivest-Shamir-Adleman)
  • ECC (Elliptic Curve)
- Certificates
- Authentication
  • None, Client, Server, Mutual
WTLS w/ Mutual-Authentication
• Mutual-Authentication

  Client                                   Server
  ClientHello            ----------->
                                           ServerHello
                                           Certificate
                                           CertificateRequest
                         <-----------      ServerHelloDone
    (1. Verify Server Certificate)
  Certificate
  ClientKeyExchange (only for RSA)
    (2. Establish Session Key)
  CertificateVerify
    (3. Generate Signature)
  ChangeCipherSpec
  Finished               ----------->
                         <-----------      Finished
  Application Data       <---------->      Application Data


WTLS Handshake Timings (Palm VII)
• Mutual-Authentication: RSA

Operation                        Cryptographic Primitive(s)                         Time Required (ms)
Server Certificate Verification  RSA Signature Verification (Public decrypt, e=3)                  598
Session Key Establishment        RSA Encryption (Public encrypt)                                   622
Client Authentication            RSA Signature Generation (Private encrypt)                      21734
TOTAL                                                                                            22954
WTLS Handshake Timings (Palm VII)
• Mutual-Authentication: ECC

Operation                        Cryptographic Primitive(s)        Time Required (ms)
Server Certificate Verification  CA Public Key Expansion                        254.8
                                 ECC-DSA Signature Verification                  1254
Session Key Establishment        Server Public Key Expansion                    254.8
                                 Key Agreement                                  335.6
Client Authentication            ECC-DSA Signature Generation                   514.8
TOTAL                                                                            2614

Mutually-authenticated 163-bit ECC handshakes run their cryptography at least 8.64 times faster than mutually-authenticated 1024-bit RSA handshakes on the Palm VII.
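The handshake flow and the Palm VII timing tables above, worked through as an added example (not code from the slides): the client's message flight for each suite, the per-stage cost tally, and the resulting speed-up. The timing numbers are the slides' own; the stage keys, function names and the shortened primitive names are this example's. Summing the tables gives a ratio of about 8.78, consistent with the "at least 8.64" stated above.

```python
# Timings (ms) from the slides' Palm VII tables; stage keys are the table
# rows, primitive names are shortened from the second column.
PALM_VII_MS = {
    "RSA": {
        "server_cert_verify": [("RSA signature verification, e=3", 598)],
        "session_key": [("RSA public encrypt", 622)],
        "client_auth": [("RSA signature generation", 21734)],
    },
    "ECC": {
        "server_cert_verify": [("CA public key expansion", 254.8),
                               ("ECC-DSA signature verification", 1254)],
        "session_key": [("server public key expansion", 254.8),
                        ("key agreement", 335.6)],
        "client_auth": [("ECC-DSA signature generation", 514.8)],
    },
}

def client_flight(suite):
    """Client messages after ServerHelloDone, in slide order. ClientKeyExchange
    exists only for RSA (client encrypts the session key to the server's public
    key); with ECC the key comes from key agreement, so it is absent."""
    msgs = ["Certificate"]
    if suite == "RSA":
        msgs.append("ClientKeyExchange")
    return msgs + ["CertificateVerify", "ChangeCipherSpec", "Finished"]

def handshake_cost(suite):
    """(total_ms, {stage: ms}) for the client-side crypto of one handshake."""
    per_stage = {stage: sum(ms for _, ms in prims)
                 for stage, prims in PALM_VII_MS[suite].items()}
    return round(sum(per_stage.values()), 1), per_stage

def dominant_stage(suite):
    """The stage a battery-conscious implementer should optimise first."""
    per_stage = handshake_cost(suite)[1]
    return max(per_stage, key=per_stage.get)

def speedup(fast="ECC", slow="RSA"):
    """How many times faster the fast suite's handshake crypto is."""
    return round(handshake_cost(slow)[0] / handshake_cost(fast)[0], 2)

if __name__ == "__main__":
    for suite in ("RSA", "ECC"):
        total, per_stage = handshake_cost(suite)
        print(suite, "client flight:", " -> ".join(client_flight(suite)))
        for stage, ms in per_stage.items():
            print(f"  {stage:19s} {ms:8.1f} ms ({100 * ms / total:4.1f}%)")
        print(f"  total {total} ms, dominant stage: {dominant_stage(suite)}")
    print(f"ECC handshake crypto is {speedup()}x faster than RSA here")
```

Note that for RSA the client's own signature (private-key operation) is about 95% of the handshake cost, while for ECC the cost is spread across verification and key agreement, which is why mutual authentication in particular favours ECC on this class of device.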
WAP Gap: One Alternative…
- Dynamic Gateway Connection
  [Diagram: labels in the figure are WTLS Class 2, Operator WAP Gateway, Internet, Content Provider, WAP Gateway, SSL, Web Server; the content provider runs its own WAP Gateway, so the WTLS Class 2 session ends with the content provider rather than at the operator's gateway]
- Other alternatives also exist…
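The "data in the clear at the gateway" point from the Security Concerns slide and the dynamic gateway alternative above, modelled as an added example (not code from the slides or from any WAP implementation). The cipher is a constructed SHA-256 counter-mode keystream with an HMAC tag standing in for WTLS and SSL records, the party names are labels chosen here, and the request is constructed; the point shown is the trust boundary, not the cipher.

```python
import hashlib, hmac, os

def _keystream(key, nonce, n):
    # Constructed toy stream cipher (SHA-256 in counter mode), illustration only.
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def seal(key, data):
    """Encrypt-then-MAC one record: nonce || ciphertext || tag."""
    nonce = os.urandom(12)
    body = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()

def unseal(key, blob):
    """Verify the tag before decrypting; reject anything modified in transit."""
    nonce, body, tag = blob[:12], blob[12:-32], blob[-32:]
    expect = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("record tampered or wrong key")
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))

class WapGateway:
    """Terminates the handset's WTLS session and opens a fresh SSL session to
    the web server. Whoever operates it can read everything in between."""
    def __init__(self, operator, wtls_key, ssl_key):
        self.operator, self.wtls_key, self.ssl_key = operator, wtls_key, ssl_key
        self.plaintext_log = []   # what a curious or compromised gateway retains

    def forward(self, wtls_record):
        plaintext = unseal(self.wtls_key, wtls_record)   # <-- the WAP gap
        self.plaintext_log.append(plaintext)
        return seal(self.ssl_key, plaintext)

def m_commerce_request(request, gateway_operator="carrier"):
    """One request handset -> gateway -> web server. Returns what the server
    received, the gateway (inspect its log), and who could read the request.
    With the 'dynamic gateway connection' alternative the content provider runs
    the gateway itself, so the carrier drops out of that set."""
    wtls_key, ssl_key = os.urandom(32), os.urandom(32)   # per-leg session keys
    gateway = WapGateway(gateway_operator, wtls_key, ssl_key)
    on_air = seal(wtls_key, request)                     # WTLS leg, handset -> gateway
    received = unseal(ssl_key, gateway.forward(on_air))  # SSL leg, gateway -> server
    return received, gateway, {gateway_operator, "content provider"}
```

Each leg is protected on the wire, but end-to-end confidentiality is only as good as the party that operates the gateway; moving the gateway inside the content provider shrinks that set but does not remove the plaintext hop.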


Usability Challenges
- Hard Data Entry
  • Poor Handwriting Recognition
  • Numeric keypads for text entry are error-prone
  • Poor Voice Recognition
  • Further complicates security (entering passwords / speaking pass-phrases is hard!)
- Small Screens
  • i.e., can’t show users everything in the “shopping cart” at once!
- Voice output is time consuming
Usability Approaches
- Graffiti (Scaled-down handwriting recognition, Palm devices)
- T9 Text Input (Word completion, most cell phones)
- Full alphanumeric keypad & scrollbar (Blackberry)
- Restricted VoiceXML grammars for better voice recognition
- Careful task-based Graphical User Interface & Dialog Design
- Lots of room for improvement!
Heterogeneity Challenges
- Many link layer protocols (different security available in each)
- Many application layer standards
- Businesses need to write to one or more standards or hire a company to help them!
- Many device types:
  • Many operating systems (Palm OS, Win CE, Symbian, EPOC, …)
  • Wide variation in capabilities
Heterogeneity Approaches
- HTML/Web screen scraping
- Protocol & Mark-up language translators
- Standardization
Business Model Issues
- Possible Models:
  • Slotting fees
  • Wireless advertising (text)
  • Pay per application downloaded
  • Pay per page downloaded
  • Flat-fees for service & applications
  • Revenue share on transactions
- Trust issues between banks, carriers, and portals
- Lack of content / services
Case Studies
- NTT DoCoMo’s I-Mode
- Palm.net
- Sprint PCS Wireless Web
NTT DoCoMo I-Mode
- 20 million users in Japan
- HTML-based microbrowser (supports HTTPS/SSL) on CDMA-based network
- Tens of thousands of content sites, ring tones, and screen savers
- Pay per application downloaded and pay per page models
- Invested in AT&T Wireless, so we may see it here in the US in the next few years!
Palm.Net
- Low 100K users in USA
- Web Clipping (specialized HTML) microbrowser on Mobitex (TDMA) – based network run by BellSouth (>98% coverage in urban areas)
- Hundreds of content sites (typically no charge for applications)
- Palm VII devices now selling for $100 due to user adoption problems (service plans range from $10 - $40 per month)
Sprint PCS Wireless Web
- Low, single-digit millions of US users
- Multi-device strategy: WAP/HDML based microbrowser on phones, Web Clipping on Kyocera, both on CDMA network
- ~50 content sites slotted, many others available (very hard to enter URLs, though)
- Slotting-fee + rev-share on transactions model
- $10 per month flat-fee to users; most phones already have a microbrowser installed.