ITU-T Workshop on "New challenges for Telecommunication Security Standardizations", Geneva, 9 (pm)-10 February 2009
ITU-T Security Standardization on Mobile Web Services
Lee, Jae Seung, Special Fellow, Information Security Research Department, ETRI
Introduction – Web Services
• SOA (Service Oriented Architecture)
  • An architectural style that supports integration of business processes as linked services that may be accessed when needed over a network
  • A service interacts with other services and/or applications using a loosely coupled, message-based communication model
• Web Services
  • The most common technology standards used to implement SOA
  • A major focus of Web Services is to make functional building blocks accessible over standard Internet protocols that are independent of platform and programming language
  • SOA/Web Services enable enterprises to create and connect applications with far less development time, expense and expertise
Introduction – Web Services
• Web Services
  • SOAP: defines the XML message format that carries the service request and response
  • WSDL: describes a Web service
  • UDDI: a standard for service discovery, together with a registry facility that facilitates the publishing and discovery processes
[Figure: the publish/find/bind triangle. The Service Provider publishes its Web Service Description to the Service Registry via UDDI; the Service Consumer finds the service via UDDI and connects to the Service Provider via SOAP.]
Introduction – Mobile Web Services
• The mobile industry has started to apply Web Services technologies to expose and integrate services in the mobile domain
• Web Services
  • Simple, low-cost integration of different systems; can be built on top of existing systems
  • Simplify integration between operators, service and content providers, and third-party integrators
• Creating effective mobile Web Services requires an architecture that addresses security, identity management, machine-readable description of Web Services, and methods for discovering Web Service instances
ITU-T X.1143 (X.websec-3)
• Title: Security architecture for message security in mobile web services
• X.1143 describes the security architecture and security service scenarios for message security in mobile Web Services
Requirements (1/3)
• Maintaining security between multiple Web Services
  • Persisting the security data in the SOAP message itself is necessary for end-to-end security
  • A transport-level security protocol such as SSL/TLS cannot satisfy this requirement: its protection ends at each hop, so every intermediary sees and can alter the plaintext message
  • The message security architecture for mobile Web Services therefore has to be based on Web Services security technologies (message-level security)
[Figure: a Client sends a SOAP Request to Web Service 1, which forwards a SOAP Request to Web Service 2; SOAP Responses flow back along the same path. Security Context 1 covers the Client to Web Service 1 hop and Security Context 2 covers the Web Service 1 to Web Service 2 hop, so no single transport context spans the whole path.]
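The following is an added example, not code from the ITU-T slides or from X.1143 itself. It models the two-hop path in the figure above: the client signs the SOAP Body and persists that security data in the message; each TLS hop protects bytes only in transit and is opened at the next node; Web Service 1 legitimately adds a routing header, but if it rewrites the Body the tamper is caught at Web Service 2. The HMAC over a tiny home-made canonical form stands in for WS-Security's XML Signature with Exclusive C14N, and the namespaces, element names and shared key are constructed assumptions.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SEC_NS = "urn:example:message-security"   # assumed; stands in for WS-Security's wsse
APP_NS = "urn:example:bank"               # assumed application namespace
for prefix, uri in (("soap", SOAP_NS), ("sec", SEC_NS), ("m", APP_NS)):
    ET.register_namespace(prefix, uri)

# Constructed sample key, known to the client and Web Service 2 only.
END_TO_END_KEY = b"client<->ws2 shared secret (constructed)"


def canonical(elem: ET.Element) -> str:
    """Tiny deterministic serialisation of a subtree (stand-in for C14N).

    Tags are in Clark notation ({uri}local), so a prefix chosen by some hop
    does not matter; attributes are sorted and whitespace-only text dropped.
    """
    out = ["<", elem.tag]
    for k, v in sorted(elem.attrib.items()):
        out.append(f' {k}="{v}"')
    out.append(">")
    out.append((elem.text or "").strip())
    for child in elem:
        out.append(canonical(child))
    out.append(f"</{elem.tag}>")
    return "".join(out)


def body_mac(envelope: ET.Element) -> str:
    """Keyed digest over the Body only; the Header may change per hop."""
    body = envelope.find(f"{{{SOAP_NS}}}Body")
    if body is None:
        raise ValueError("SOAP Envelope has no Body")
    return hmac.new(END_TO_END_KEY, canonical(body).encode(), hashlib.sha256).hexdigest()


def client_request(amount: str) -> bytes:
    """Build the request and persist the security data in the message itself."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    op = ET.SubElement(body, f"{{{APP_NS}}}Transfer")
    ET.SubElement(op, f"{{{APP_NS}}}Amount").text = amount
    ET.SubElement(header, f"{{{SEC_NS}}}BodySignature").text = body_mac(env)
    return ET.tostring(env)


def tls_hop(wire: bytes) -> bytes:
    """One transport-level hop: protection exists only on the wire, and the
    receiving node gets plaintext that it is free to change."""
    return wire


def web_service_1(wire: bytes, tamper: bool) -> bytes:
    """Intermediary: adds a routing header; if compromised it can also rewrite
    the Body, because transport security ended at this node."""
    env = ET.fromstring(wire)
    header = env.find(f"{{{SOAP_NS}}}Header")
    ET.SubElement(header, f"{{{SEC_NS}}}Via").text = "web-service-1"
    if tamper:
        env.find(f".//{{{APP_NS}}}Amount").text = "999999"
    return ET.tostring(env)


def web_service_2(wire: bytes) -> bool:
    """Final service: accept only if the Body still matches the client's MAC."""
    env = ET.fromstring(wire)
    sig = env.find(f"./{{{SOAP_NS}}}Header/{{{SEC_NS}}}BodySignature")
    if sig is None or not sig.text:
        return False
    return hmac.compare_digest(sig.text, body_mac(env))


def end_to_end(tamper: bool) -> bool:
    """Client -> (TLS) -> Web Service 1 -> (TLS) -> Web Service 2."""
    wire = client_request("100")
    wire = web_service_1(tls_hop(wire), tamper)
    return web_service_2(tls_hop(wire))


if __name__ == "__main__":
    print("honest intermediary accepted:", end_to_end(tamper=False))
    print("tampering intermediary accepted:", end_to_end(tamper=True))
```

The routing header added by Web Service 1 does not break verification because the MAC covers only the Body, which is exactly the split a message-level design needs: hop-specific data can change, application data cannot. With a real deployment the shared HMAC key would be replaced by an XML Signature over the Body using the client's key, so that Web Service 2 can also attribute the request to the client rather than just to "someone with the key".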
Requirements (2/3)
• Message Filtering
  • Web Services use the standard HTTP port (TCP port 80)
  • Most firewalls are therefore unable to distinguish Web Services messages from ordinary web traffic
  • Message filtering based on message content is necessary
    • Filter malformed SOAP messages, perform schema validation, check policy conformance, etc.
    • Let only validated messages pass into or out of one domain from or to the other network domain or mobile clients
• Integrated security policy mechanism for message security
  • Integrated security policy mechanism for specifying the security processing requirements for Web Services message security
  • Integrated security policy mechanism for message filtering
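As an added example (not code from the slides or from X.1143), the following content-based filter implements the checks listed above at a domain boundary: it rejects oversized and malformed SOAP messages, performs a structural check in place of full schema validation, and enforces a policy that allowlists operations, their required parameters, and which operations must carry a message-security header. It goes slightly beyond the slide by also refusing any DTD or entity declaration before parsing, which is how such a filter blocks entity-expansion denial of service. The namespaces, operation names, policy shape and sample messages are all constructed for the example.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SEC_NS = "urn:example:message-security"   # assumed
APP_NS = "urn:example:bank"               # assumed

# Rejecting DTDs up front keeps entity bombs away from the XML parser.
DTD_RE = re.compile(rb"<!(DOCTYPE|ENTITY)", re.IGNORECASE)


@dataclass
class Policy:
    max_bytes: int = 64 * 1024
    max_depth: int = 16
    # allowed operation -> required child elements (Clark notation)
    operations: Dict[str, List[str]] = field(default_factory=dict)
    # operations that must carry a sec:BodySignature header
    signed_operations: Set[str] = field(default_factory=set)


def check_message(raw: bytes, policy: Policy) -> Tuple[bool, str]:
    """Return (accepted, reason) for one inbound SOAP message."""
    if len(raw) > policy.max_bytes:
        return False, "oversized"
    if DTD_RE.search(raw):
        return False, "DTD/entity declaration rejected (entity-expansion DoS guard)"
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        return False, f"malformed XML: {exc}"
    if root.tag != f"{{{SOAP_NS}}}Envelope":
        return False, "root is not soap:Envelope"
    stack = [(root, 1)]                       # iterative depth check
    while stack:
        elem, depth = stack.pop()
        if depth > policy.max_depth:
            return False, "nesting too deep"
        stack.extend((child, depth + 1) for child in elem)
    bodies = root.findall(f"{{{SOAP_NS}}}Body")
    if len(bodies) != 1:
        return False, "expected exactly one soap:Body"
    ops = list(bodies[0])
    if len(ops) != 1:
        return False, "expected exactly one operation in soap:Body"
    op = ops[0]
    if op.tag not in policy.operations:
        return False, f"operation not allowed: {op.tag}"
    missing = set(policy.operations[op.tag]) - {child.tag for child in op}
    if missing:
        return False, f"missing parameters: {sorted(missing)}"
    if op.tag in policy.signed_operations and \
            root.find(f"{{{SOAP_NS}}}Header/{{{SEC_NS}}}BodySignature") is None:
        return False, "security header required"
    return True, "ok"


POLICY = Policy(
    operations={
        f"{{{APP_NS}}}GetBalance": [f"{{{APP_NS}}}Account"],
        f"{{{APP_NS}}}Transfer": [f"{{{APP_NS}}}Account", f"{{{APP_NS}}}Amount"],
    },
    signed_operations={f"{{{APP_NS}}}Transfer"},
)


def envelope(body_xml: str, header_xml: str = "") -> bytes:
    """Helper to build constructed sample messages."""
    return (f'<soap:Envelope xmlns:soap="{SOAP_NS}" xmlns:m="{APP_NS}" xmlns:sec="{SEC_NS}">'
            f"<soap:Header>{header_xml}</soap:Header><soap:Body>{body_xml}</soap:Body>"
            "</soap:Envelope>").encode()


TRANSFER = "<m:Transfer><m:Account>42</m:Account><m:Amount>10</m:Amount></m:Transfer>"
SAMPLES = {  # constructed inputs, not captured traffic
    "balance": envelope("<m:GetBalance><m:Account>42</m:Account></m:GetBalance>"),
    "signed_transfer": envelope(TRANSFER, "<sec:BodySignature>deadbeef</sec:BodySignature>"),
    "unsigned_transfer": envelope(TRANSFER),
    "unknown_op": envelope("<m:CloseAccount><m:Account>42</m:Account></m:CloseAccount>"),
    "malformed": b"<soap:Envelope><soap:Body></soap:Envelope>",
    "entity_bomb": b'<!DOCTYPE x [<!ENTITY a "aaaa"><!ENTITY b "&a;&a;&a;&a;">]>'
                   + envelope("<m:GetBalance><m:Account>&b;</m:Account></m:GetBalance>"),
    "deep": envelope("<m:GetBalance><m:Account>" + "<x>" * 20 + "</x>" * 20
                     + "</m:Account></m:GetBalance>"),
}


def run_samples() -> Dict[str, Tuple[bool, str]]:
    return {name: check_message(raw, POLICY) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, (ok, reason) in run_samples().items():
        print(f"{name:18s} {'PASS' if ok else 'DROP'}  {reason}")
```

The order of the checks matters: size and DTD checks run on raw bytes before any parsing, the depth walk is iterative so a deeply nested message cannot exhaust the filter's own stack, and policy checks run last on an already well-formed tree. In a production gateway the structural check would be replaced by validation against the service's WSDL-derived XML Schema, and the signature header would be verified rather than merely required to be present.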
Requirements (3/3)
• Interworking scenarios
  • Interworking scenarios for message security processing between Web Services
  • Interworking scenarios between mobile Web Services and mobile clients that do not support the WS protocol stack
  • Interworking scenarios between mobile Web Services and legacy applications that are not based on Web Services
    • Most mobile terminals do not have enough processing power to fully support the Web Services protocol stack
    • Many backend application servers are not based on Web Services
Scope
• An integrated security architecture for message security in mobile Web Services consisting of various mobile terminals and networks
• Interworking mechanisms and service scenarios between applications that support the full Web Services Security protocol stack and legacy applications
• An integrated security architecture that uses security policy for message security in the mobile Web Services environment
• A message filtering mechanism based on message content for the message security architecture
• A reference message security architecture and security service scenarios for mobile Web Services
ITU-T X.websec-4
• Title: Security Framework for enhanced Web based Telecommunication Services
• Under development in ITU-T SG17 WP2 since the September 2008 Geneva meeting
• X.websec-4 describes the security threats to, and security requirements of, enhanced Web based telecommunication services
• It also describes the security functions and technologies that satisfy those security requirements
Enhanced Web Technologies
• Web 2.0: a trend in the use of World Wide Web technology and Web design that aims to facilitate creativity, information sharing and collaboration among users
• In Web 2.0, composite services are called mashups
  • A mashup is a Web application that combines data from more than one source into a single integrated tool
  • Content used in mashups is typically sourced from a third party via a public interface or API
Enhanced Web based Services
• Enhanced Web technologies are being applied to the telecommunication environment because they enable developers to develop and deploy new services efficiently and cost-effectively, and to integrate content from a variety of sources easily and rapidly to form composite services:
  • Decouple applications from IT server, storage and network resources
  • Flexibly compose new services using standards-based technologies and protocols
  • Reuse architectural components to lower costs
Security Threats
• General security threats
  • Masquerade, eavesdropping, replay, modification of messages, Man-in-the-Middle attack, ...
• Security threats to AJAX
  • XSS (Cross-Site Scripting), CSRF (Cross-Site Request Forgery), JSON hijacking, DoS attack, ...
• Security threats to Web APIs
  • Injection flaws, session hijacking and theft, ...
• Security threats to data syndication
  • RSS injection, XML-DoS (XML Denial of Service), XML message injection and manipulation, ...
• Mashup applications often allow arbitrary third-party mashup components from different domains
  • A malicious mashup component can inject malicious code into the application and mount a wide range of attacks, including XSS, CSRF and DoS
Conclusion
• Web technologies such as SOA, Web 2.0 and mashups are being applied to the telecommunication domain, including mobile services
• X.1143 describes the security architecture and security service scenarios for message security in mobile Web Services
• X.websec-4 will be developed in the new study period of ITU-T SG17 and will describe:
  • Security threats to telecommunication services that use enhanced Web technologies such as Web APIs and mashups
  • Security requirements of telecommunication services that use enhanced Web technologies
  • Security functions that satisfy those security requirements
  • Security technologies for providing secure telecommunication services using enhanced Web technologies