1. Technical Field
The present invention relates to providing secure access to data services for mobile devices.
2. Related Art
The Internet is an open system in which the identity of communicating users is not easy to determine and authenticate. Further, the communication channel is non-physical and therefore is vulnerable to eavesdropping and active interference. Thus, communicating over the Internet is much like communicating with anonymous postcards, which are open for anyone to read, or even alter.
The Internet may be used to carry messages between specific endpoints in a relatively secure and private way by using encryption. However, problems may still arise, for example, from a “man-in-the-middle” attack made to gain knowledge of data, or to gain access to data and resources. It is important to note that these problems do not disappear with encryption or even the use of a secure protocol. If a user is led to connect with a site that only appears to be the desired site (a “spoofing site”), a secure connection made with this site will provide no protection. Thus, identity certification, or authentication, is needed to assure that communication is between the desired users.
The ITU-T Recommendation X.509 (the “X.509 standard”), which has been implemented as a de facto standard, defines a framework for providing authentication services under a central control paradigm represented by a directory. The X.509 standard describes two levels of authentication. The first, referred to as “simple authentication,” uses a password to verify claimed identity. The second, referred to as “strong authentication,” involves credentials that are formed using cryptographic techniques (a “certificate”).
A certificate, also known as a user certificate or public key certificate, includes the public keys of a user, and other information, which are rendered unforgeable by encipherment with the private key issued by a certification authority (“CA”). The certificate allows an association between a name for the user (a “unique distinguished name” or “DN”), and the user's public key. The DN is denoted by a naming authority (“NA”) and accepted by a CA as unique within the CA's domain. The CA and the NA may be the same entity. The same user may have different DNs in different CAs. Alternatively, the user may have the same DN in different CAs, even if a different user has already used the same DN in a CA. Therefore, different DNs in different CAs do not necessarily correspond to different users and vice versa. Further, a DN does not have to contain the user's actual name or location. Thus, semantically, the CA certificate refers to a name; however, the certificate does not denote the name.
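The following added example (not part of the original text) illustrates why a DN is meaningful only within the issuing CA's domain: an access list keyed on the subject DN alone accepts a certificate carrying the same DN from a different CA, while a list keyed on the (issuer DN, subject DN) pair does not. The CA names, DNs and key identifiers are constructed, the DN parsing is simplified, and both certificates are assumed to have already passed signature validation.

```python
import re
from typing import NamedTuple

class Cert(NamedTuple):
    issuer: str   # DN of the CA that signed the certificate
    subject: str  # user's DN, unique only within that CA's domain
    key_id: str   # constructed stand-in for a public-key fingerprint

def normalize_dn(dn: str) -> tuple:
    """Canonicalise a DN string (simplified: no multi-valued RDNs or hex values)."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):  # split on unescaped commas only
        attr, _, value = part.partition("=")
        # Assumption: attribute values compare case- and whitespace-insensitively.
        rdns.append((attr.strip().upper(), " ".join(value.split()).lower()))
    return tuple(rdns)

# Constructed sample data: two CAs, each with a subscriber named the same way.
CA_A = "CN=Example CA A,O=Example A,C=US"
CA_B = "CN=Example CA B,O=Example B,C=DE"
ENROLLED = Cert(CA_A, "CN=Alice Smith,OU=Fleet,O=Example", "key-0001")
SAME_DN_OTHER_CA = Cert(CA_B, "cn=alice  smith, ou=Fleet, o=Example", "key-9999")

# Weak: the access list is keyed on the subject DN alone.
ACL_SUBJECT_ONLY = {normalize_dn(ENROLLED.subject)}
# Scoped: the access list is keyed on (issuer DN, subject DN).
ACL_SCOPED = {(normalize_dn(ENROLLED.issuer), normalize_dn(ENROLLED.subject))}

def allowed_subject_only(cert: Cert) -> bool:
    return normalize_dn(cert.subject) in ACL_SUBJECT_ONLY

def allowed_scoped(cert: Cert) -> bool:
    return (normalize_dn(cert.issuer), normalize_dn(cert.subject)) in ACL_SCOPED

if __name__ == "__main__":
    for cert in (ENROLLED, SAME_DN_OTHER_CA):
        print(cert.key_id, allowed_subject_only(cert), allowed_scoped(cert))
```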
The X.509 standard focuses on defining a mechanism by which information can be made available to a user in a secure way. However, the X.509 standard is not meant to address the level of effort required to validate the information in a certificate, or define a global meaning to that information outside the CA's management acts. The main purpose of a CA is to bind a public key to the name contained in the certificate, and thus assure users that some measure of care was taken to ensure that this binding is valid for both the name and key. However, whether a user's DN actually corresponds to identity credentials that are linked to a person or to an e-mail address, and how such a link is verified, is outside the scope of the X.509 standard. The resolution of these issues depends on each CA's self-defined rules, called its Certification Practice Statement (“CPS”).
The Secure Sockets Layer (“SSL”) and hypertext transfer protocol over secure socket layer (“HTTP over SSL” or “HTTPS”) are protocols that support the use of digital certificates issued from a server under the X.509 standard (“X.509 certificates”). If necessary, a user can use the certificate to authenticate a sender. SSL is commonly used for managing the security of message transmission over the Internet (see Freier et al., “The SSL protocol version 3.0,” Internet Draft, Nov. 18, 1996, available at http://www.ietf.org). SSL may provide a framework for defining an authentication procedure for users (the communication endpoints), and procedures for establishing encrypted communication between users. SSL uses a program layer located between the Internet's Hypertext Transfer Protocol (“HTTP”) and Transport Control Protocol (“TCP”) layers.
SSL is included as part of both the MICROSOFT® and NETSCAPE® browsers and most Web server products. Developed by NETSCAPE®, SSL also gained the support of MICROSOFT® and other Internet client/server developers and became the de facto standard until evolving into Transport Layer Security (“TLS”), which is based on SSL. The “sockets” in Secure Sockets Layer refers to the sockets method of passing data back and forth between a client and a server program in a network, or between program layers in the same computer. SSL uses the public-and-private key encryption system by RSA (Rivest, Shamir and Adleman), which also uses digital certificates. TLS and SSL are an integral part of most Web browsers (“clients”) and Web servers. If a Web site is on a server that supports SSL and SSL is enabled, specific Web pages may be identified as requiring SSL access. Any Web server may be enabled by using NETSCAPE®'s SSLRef program library, which may be downloaded for commercial or noncommercial use.
HTTPS is a Web protocol developed by NETSCAPE® and built into the NETSCAPE® Web browser, which encrypts and decrypts user page requests and the Web pages that are returned by the Web server. HTTPS uses NETSCAPE®'s SSL as a sublayer under NETSCAPE®'s regular HTTP application layering, in which HTTPS may use port 443 instead of HTTP port 80 in its interactions with the lower layer, TCP/IP. SSL may use a 40-bit key size for the RC4 stream encryption algorithm, which may be considered an adequate degree of encryption for commercial communications.
Due to increasing available bandwidth for wireless communication, mobile users may gain access to the Internet and other data services with mobile devices. These mobile devices may integrate devices that provide various functions. For example, a mobile device for use in a vehicle may include a receiver for providing entertainment and a navigation system for providing trip planning. However, in using mobile devices to wirelessly access data services, security has become an issue. Protocols, such as the wireless application protocol (“WAP”), enable the users of mobile devices (such as devices that include integrated receivers) to gain access to Internet content. Access is gained, however, in a rather functionally reduced manner as compared to the access enabled by browsers on desktop computers. The browsers on desktop computers may use HTTP, Macromedia Flash, Java, JScript, and the like, for animating web page content and enabling enhanced navigation on web pages.