134 J. Wei, L.C. Liu and K.S. Koong

specification and authenticate users to enable a secure connection between the mobile device and the application server (Olden, 2002). WAP 1.2 can improve WAP security by using WIM and client/user certificates. WAP 1.2 provides WTLS client authentication through WTLS Class 3, and non-repudiation through WMLScript Crypto Library signText. WIM includes key pairs, certificates, and PIN numbers. WIM stores the private key securely in the mobile device, which can be used for client authentication, secure session handling, and digital signatures. All key operations are performed inside the WIM. WIM can be incorporated in a GSM phone's SIM (Subscriber Identity Module) smartcard to implement schemes such as SSL. Security is a key feature of SIM Application Toolkit (SAT) technology, since data confidentiality and integrity are already included in the SIM standard. WAP 1.2 also allows a WAP client to add a digital signature solution by adding the signText function to WMLScript. This is an alternative to the SIM-based signature solution used in digital signatures. The digital signature can then enable authentication of payments. WAP's next generation will provide end-to-end security via WAP gateway, WIM and client certificates, and WAP client's XHTML and WML browsers (Nokia, 2000).

2.4 M-commerce access management security

The function of the fourth layer is to control authorised resource access, audit a user's actions, provide non-repudiation of transaction and access control for wireless web applications, and provide a scalable user administration model to support the much higher volume of mobile commerce users.
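The fourth-layer functions described above (authorised resource access, auditing of user actions, and one access-control point for web and wireless web requests) can be sketched as follows. This is an added example, not code from the paper: the rule set, profile fields and class names are hypothetical, and the hash-chained log is an illustrative choice that gives tamper evidence rather than signature-based non-repudiation.

```python
import hashlib
import json

# Hypothetical rules: (resource, action) -> predicate over profile; values assumed.
RULES = {
    ("account", "view"): lambda p, amt: p["status"] == "active",
    ("payment", "execute"): lambda p, amt: (
        p["status"] == "active" and p["auth"] in ("wtls_cert", "pki")
        and amt <= p["limit"]),
}

class AccessManager:
    """One policy point for web and WAP requests, with an audit trail."""
    def __init__(self, alert_after=3):
        self.audit, self.alerts, self.denials = [], [], {}
        self.alert_after = alert_after

    def decide(self, user, profile, channel, resource, action, amount=0):
        rule = RULES.get((resource, action))
        allowed = bool(rule and rule(profile, amount))  # no rule: deny
        self._log([user, channel, resource, action, amount, allowed])
        # Real-time monitoring: flag a user after repeated rule violations.
        self.denials[user] = 0 if allowed else self.denials.get(user, 0) + 1
        if self.denials[user] == self.alert_after:
            self.alerts.append(user)
        return allowed

    def _log(self, fields):
        prev = self.audit[-1]["digest"] if self.audit else "0" * 64
        body = json.dumps(fields)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        self.audit.append({"body": body, "digest": digest})

    def audit_intact(self):
        prev = "0" * 64
        for rec in self.audit:
            if hashlib.sha256((prev + rec["body"]).encode()).hexdigest() != rec["digest"]:
                return False
            prev = rec["digest"]
        return True

def demo():
    am = AccessManager()
    alice = {"status": "active", "auth": "pin", "limit": 100}  # constructed profile
    results = [am.decide("alice", alice, "wap", "payment", "execute", 50)]
    alice["auth"] = "wtls_cert"  # profile change only; no rule is edited
    results.append(am.decide("alice", alice, "wap", "payment", "execute", 50))
    results.append(am.decide("alice", alice, "web", "payment", "execute", 500))
    return am, alice, results
```

The same `decide` call serves both channels, and the profile update alone changes the outcome of the second request, with no administrator editing a rule.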
In other words, there is a need for an application-level m-commerce access management system – once a user has been allowed to access a mobile commerce network, enterprises and services – to:

• Control the resources that the user can access and the transactions he or she can execute
• Audit a user's actions to provide non-repudiation of transaction; provide access control for both web and wireless web applications from the same infrastructure so that the organisation can deploy and manage one security system for both m-commerce and e-commerce and provide a single point of control for setting, monitoring, and enforcing security policies
• Provide a scalable user administration model to support the much higher volume of m-commerce users
• Protect individual resources and control user access, such as the rule-based model, to eliminate the need for human intervention every time a user's profile changes
• Allow enterprises and service providers to delegate routine administration tasks such as adding, modifying and deleting users, changing passwords, and updating personal profiles
• Prevent fraudulent access in wireless applications through the real-time monitoring of business rule violations to track wireless web user activity (Olden, 2002).

Again, the good news is there are already a variety of proven technologies that can fulfill these functions. Multiple authentication methods, including PINs, passwords, WTLS mini certificates, and PKI, can control the resources and transactions that the user can