
ITU-T Security Standardization on Mobile Web Services

ITU-T Workshop on "New challenges for Telecommunication Security Standardizations", Geneva, 9(pm)-10 February 2009. ITU-T Security Standardization on Mobile Web Services. Lee, Jae Seung, Special Fellow, Information Security Research Department, ETRI.





Presentation Transcript


  1. ITU-T Workshop on "New challenges for Telecommunication Security Standardizations", Geneva, 9(pm)-10 February 2009
     ITU-T Security Standardization on Mobile Web Services
     Lee, Jae Seung, Special Fellow, Information Security Research Department, ETRI

  2. Introduction – Web Services
     • SOA (Service Oriented Architecture)
       • An architectural style that supports integration of business processes as linked services that may be accessed when needed over a network
       • A service interacts with other services and/or applications using a loosely coupled, message-based communication model
     • Web Services
       • The most common technology standards used to implement SOA
       • A major focus of Web Services is to make functional building blocks accessible over standard Internet protocols that are independent of platforms and programming languages
       • SOA/Web Services enable enterprises to create and connect applications with far less development time, expense, and expertise

  3. Introduction – Web Services
     • Web Services
       • SOAP: defines the XML message format that contains the service request and response
       • WSDL: describes a Web service
       • UDDI: a standard for service discovery, together with a registry facility that facilitates the publishing and discovery processes
     [Diagram: the Service Provider publishes its Web Service Description to the Service Registry via UDDI; the Service Consumer finds the service via UDDI and connects to the Service Provider via SOAP]

  4. Introduction – Mobile Web Services
     • The mobile industry has started to apply Web Services technologies to expose and integrate services in the mobile domain
     • Web Services
       • Simple, low-cost integration of different systems; can be built on top of existing systems
       • Simplify integration problems between operators, service and content providers, and third-party integrators
     • Creating effective mobile Web Services requires an architecture that addresses issues related to security, identity management, machine-readable description of Web Services, and methods for discovering Web Service instances

  5. ITU-T X.1143 (X.websec-3)
     • Title: Security architecture for message security in mobile web services
     • X.1143 describes the security architecture and security service scenarios for message security in mobile Web Services

  6. Requirements (1/3)
     • Maintaining security between multiple Web Services
       • Persisting security data in the SOAP message itself is necessary for end-to-end security
       • A transport-level security protocol such as SSL cannot satisfy this requirement, since it protects only a single hop and the message is exposed at each intermediary
       • The message security architecture for mobile Web Services therefore has to be based on Web Services security technologies
     [Diagram: Client → Web Service 1 → Web Service 2; a SOAP Request and SOAP Response cross each hop, with Security Context 1 on the first hop and Security Context 2 on the second]

  7. Requirements (2/3)
     • Message filtering
       • Web Services use the HTTP port (TCP port 80)
       • Most firewalls are unable to distinguish Web Services messages
       • Message filtering based on message contents is necessary
         • Filter malformed SOAP messages, schema validation, policy conformance check, etc.
         • Let only validated messages pass into/out of one domain from/to the other network domain or mobile clients
     • Integrated security policy mechanism for message security
       • Integrated security policy mechanism for specifying security processing requirements for Web Services message security
       • Integrated security policy mechanism for message filtering
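As an added example that is not part of the presentation, a minimal content-based SOAP filter in Python implementing the checks this slide calls for (rejecting malformed messages, schema-style structural validation of the envelope, and a policy conformance check requiring a WS-Security header with a Timestamp and a Signature), plus size, DTD/entity and nesting limits that address the XML-DoS threat listed later under data syndication. The namespace URIs are the standard SOAP 1.1, WS-Security 1.0 and XML Signature ones; the policy requirements, the limits and the sample messages are assumptions constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

# Namespaces of the SOAP envelope and the WS-Security header the policy requires
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DSIG = "http://www.w3.org/2000/09/xmldsig#"
MAX_BYTES, MAX_DEPTH = 64 * 1024, 32   # assumed policy limits against XML-DoS

def xml_depth(el, d=1):
    """Deepest element nesting level below (and including) el."""
    return max([d] + [xml_depth(c, d + 1) for c in el])

def filter_soap(raw: str):
    """Return (accepted, reason); only accepted messages cross the domain boundary."""
    # Pre-parse checks: size cap and no DTD/entity declarations (entity expansion)
    if len(raw.encode()) > MAX_BYTES:
        return False, "oversized message"
    if re.search(r"<!(DOCTYPE|ENTITY)", raw):
        return False, "DTD/entity declaration not allowed"
    # Malformed-message check
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as e:
        return False, f"malformed XML: {e}"
    # Schema-style structural validation of the envelope
    if root.tag != f"{{{SOAP}}}Envelope" or root.find(f"{{{SOAP}}}Body") is None:
        return False, "not a SOAP Envelope with a Body"
    if xml_depth(root) > MAX_DEPTH:
        return False, "nesting too deep"
    # Policy conformance: wsse:Security header carrying a Timestamp and a Signature
    # (compare with 'is None': an empty Element is falsy, so 'if not el' would misfire)
    sec = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security")
    if sec is None:
        return False, "policy: wsse:Security header required"
    if sec.find(f"{{{WSU}}}Timestamp") is None:
        return False, "policy: wsu:Timestamp required"
    if sec.find(f"{{{DSIG}}}Signature") is None:
        return False, "policy: ds:Signature required"
    return True, "ok"

# Constructed sample messages (not taken from the presentation)
NS = f'xmlns:s="{SOAP}" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" xmlns:ds="{DSIG}"'
SIGNED = (f"<s:Envelope {NS}><s:Header><wsse:Security><wsu:Timestamp/>"
          "<ds:Signature/></wsse:Security></s:Header><s:Body><getBalance/></s:Body></s:Envelope>")
UNSIGNED = (f"<s:Envelope {NS}><s:Header><wsse:Security><wsu:Timestamp/>"
            "</wsse:Security></s:Header><s:Body><getBalance/></s:Body></s:Envelope>")
WITH_DTD = '<!DOCTYPE x [<!ENTITY a "a">]>' + SIGNED
TRUNCATED = SIGNED[:-12]   # cut inside the closing tag: malformed
```

Calling `filter_soap(msg)` on each sample returns `(True, "ok")` only for `SIGNED`; the others are rejected with the reason string of the first failed check, which a gateway would log before dropping the message.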

  8. Requirements (3/3)
     • Interworking scenario
       • Interworking scenarios for message security processing for Web Services
       • Interworking scenarios between mobile Web Services and mobile clients that do not support the WS protocol stack
       • Interworking scenarios between mobile Web Services and legacy non-Web Services based applications
         • Most mobile terminals do not have enough processing power to fully support the Web Services protocol stack
         • Many backend application servers are not based on Web Services

  9. Scope
     • Integrated security architecture for message security in mobile Web Services that consist of various mobile terminals and networks
     • Interworking mechanisms and service scenarios between applications that support the full Web Services Security protocol stack and legacy applications
     • Integrated security architecture that utilizes security policy for message security in the mobile Web Services environment
     • A message filtering mechanism based on message contents for the message security architecture
     • Reference message security architecture and security service scenarios for mobile Web Services

  10. Security Architecture for MWS

  11. Message Security Service Scenario

  12. Message Filtering Mechanism

  13. ITU-T X.websec-4
     • Title: Security Framework for enhanced Web based Telecommunication Services
     • Under development in ITU-T SG17 WP2 since the September 2008 Geneva meeting
     • X.websec-4 describes security threats and security requirements of enhanced Web based Telecommunication Services
     • It also describes security functions and technologies that satisfy the security requirements

  14. Enhanced Web Technologies
     • A trend in the use of World Wide Web technology and Web design that aims to facilitate creativity, information sharing, and collaboration among users
     • In Web 2.0, composite services are called mashups
       • A mashup is a Web application that combines data from more than one source into a single integrated tool
       • Content used in mashups is typically sourced from a third party via a public interface or API

  15. Enhanced Web based Services
     • Enhanced Web technologies are being applied to the telecommunication environment since they enable developers to efficiently and cost-effectively develop and deploy new services, and to easily and rapidly integrate content from a variety of sources to form composite services:
       • Decouple applications from IT server, storage, and network resources
       • Flexibly compose new services using standards-based technologies and protocols
       • Reuse architectural components to lower costs

  16. Enhanced Web based Convergence Services

  17. Security Threats
     • General security threats
       • Masquerade, eavesdropping, replay, modification of messages, man-in-the-middle attack…
     • Security threats to AJAX
       • XSS (Cross-Site Scripting), CSRF (Cross-Site Request Forgery), JSON hijacking, DoS attack…
     • Security threats to Web APIs
       • Injection flaws, session hijacking and theft…
     • Security threats to data syndication
       • RSS injection, XML-DoS (XML Denial of Service), XML message injection and manipulation…
     • Mashup applications often allow arbitrary third-party mashup components from different domains
       • A malicious mashup component can inject malicious code into the application to achieve all kinds of attacks, including XSS, CSRF, and DoS

  18. Conclusion
     • Web technologies such as SOA, Web 2.0, and mashups are being applied to the telecommunication domain, including mobile services
     • X.1143 describes the security architecture and security service scenarios for message security in mobile Web Services
     • X.websec-4 will be developed in the new study period of ITU-T SG17 and will describe:
       • Security threats to telecommunication services using enhanced Web technologies such as Web APIs and mashups
       • Security requirements of telecommunication services using enhanced Web technologies
       • Security functions that satisfy the security requirements
       • Security technologies to provide secure telecommunication services using enhanced Web technologies
