International Telecommunication Union
ITU-T Workshop on "New challenges for Telecommunication Security Standardizations"
Geneva, 9(pm)-10 February 2009

ITU-T Security Standardization on Mobile Web Services

Lee, Jae Seung
Special Fellow, Information Security Research Department, ETRI



Introduction – Web Services

SOA (Service Oriented Architecture)
- An architectural style that supports integration of business processes as linked services that may be accessed when needed over a network
- A service interacts with other services and/or applications by using a loosely coupled, message-based communication model

Web Services
- The most common technology standards used to implement SOA
- A major focus of Web Services is to make functional building blocks accessible over standard Internet protocols that are independent of platforms and programming languages

SOA/Web Services enable enterprises to create and connect applications with far less development time, expense, and expertise


Introduction – Web Services

Web Services
- SOAP: defines the message format in XML; contains the service request and response
- WSDL: describes a Web service
- UDDI: a standard for service discovery together with a registry facility that facilitates the publishing and discovery processes

[Figure: Service Consumer, Service Provider and Service Registry. The provider publishes its Web Service Description via UDDI, the consumer finds it via UDDI, and consumer and provider connect via SOAP.]


Introduction – Mobile Web Services

- The mobile industry has started to apply Web Services technologies to expose and integrate the services in the mobile domain
- Web Services: simple/low-cost integration of different systems; can be built on top of existing systems; simplifies integration problems between operators, service and content providers, and third-party integrators
- Creating effective mobile Web Services requires an architecture that addresses issues related to security, identity management, machine-readable description of Web Services, and methods for discovering Web Service instances


ITU-T X.1143 (X.websec-3)

Title: Security architecture for message security in mobile web services

X.1143 describes the security architecture and security service scenarios for message security in mobile Web Services


Requirements (1/3)

Maintaining security between multiple Web Services
- Persisting security data in the SOAP message itself is necessary for end-to-end security
- A transport-level security protocol such as SSL cannot satisfy this requirement, because it protects only one hop at a time
- The Message Security Architecture for Mobile Web Services therefore has to be based on Web Services security technologies

[Figure: a Client sends a SOAP Request to Web Service 1, which sends a SOAP Request on to Web Service 2; SOAP Responses return along the same path. Security Context 1 covers the Client–Web Service 1 hop and Security Context 2 the Web Service 1–Web Service 2 hop.]
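To make the first requirement concrete, here is a small added example in Python; it is not part of the presentation or of X.1143. It models the figure's two hops: the Client binds the SOAP Body with a key it shares only with Web Service 2, Web Service 1 forwards the message (adding a header of its own), and Web Service 2 checks the Body before acting on it. The HMAC carried in a BodyMAC header is a constructed stand-in for a WS-Security signature, and the key, namespaces and message are constructed sample values.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
BANK_NS = "urn:example:bank"            # constructed namespace of the sample operation
ET.register_namespace("soap", SOAP_NS)  # fixed prefix keeps the canonical form stable across hops

# Constructed sample key, shared only by the Client and Web Service 2; Web Service 1 never holds it.
END_TO_END_KEY = b"constructed-client-ws2-shared-secret"
SAMPLE_BODY = f'<GetBalance xmlns="{BANK_NS}"><Account>42</Account></GetBalance>'


def _body_mac(env: ET.Element) -> str:
    """HMAC over the canonicalized (C14N) SOAP Body, so prefix/whitespace differences do not matter."""
    body = env.find(f"{{{SOAP_NS}}}Body")
    canonical = ET.canonicalize(ET.tostring(body, encoding="unicode"))
    return hmac.new(END_TO_END_KEY, canonical.encode(), hashlib.sha256).hexdigest()


def client_build_request(body_xml: str = SAMPLE_BODY) -> str:
    """Client: put the payload in the Body and bind it with a MAC carried in the Header."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    body.append(ET.fromstring(body_xml))
    ET.SubElement(header, "BodyMAC").text = _body_mac(env)  # stand-in for a WS-Security Signature
    return ET.tostring(env, encoding="unicode")


def ws1_forward(envelope_xml: str, tamper: bool = False) -> str:
    """Web Service 1: receives the request on hop 1 (its own transport session) and forwards it on hop 2.

    It may legitimately add headers. With tamper=True it also alters the Body; transport-level
    security on hop 2 would not reveal that change to Web Service 2."""
    env = ET.fromstring(envelope_xml)
    ET.SubElement(env.find(f"{{{SOAP_NS}}}Header"), "Via").text = "web-service-1"
    if tamper:
        env.find(f".//{{{BANK_NS}}}Account").text = "99"
    return ET.tostring(env, encoding="unicode")


def ws2_verify(envelope_xml: str) -> bool:
    """Web Service 2: accept the Body only if the end-to-end MAC still matches."""
    env = ET.fromstring(envelope_xml)
    mac = env.find(f"{{{SOAP_NS}}}Header/BodyMAC")
    if mac is None or not mac.text:
        return False
    return hmac.compare_digest(mac.text, _body_mac(env))


def run_scenario() -> tuple:
    """Returns (direct, forwarded, forwarded_and_tampered) verification results."""
    req = client_build_request()
    return (ws2_verify(req),
            ws2_verify(ws1_forward(req)),
            ws2_verify(ws1_forward(req, tamper=True)))


if __name__ == "__main__":
    print(run_scenario())
```

Transport protection on each hop ends at Web Service 1, so a modification made there reaches Web Service 2 over a perfectly valid second session; only the check bound to the message itself detects it, while the header the intermediary legitimately adds passes because the MAC covers the Body alone.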


Requirements (2/3)

Message Filtering
- Web Services use the HTTP port (TCP port 80)
- Most firewalls are unable to distinguish Web Services messages from other HTTP traffic
- Message filtering based on message contents is necessary: filter malformed SOAP messages, schema validation, policy conformance check, etc.
- Only validated messages are allowed to pass into/out of one domain from/to the other network domain or mobile clients

Integrated security policy mechanism for Message Security
- Integrated security policy mechanism for specifying security processing requirements for Web Services message security
- Integrated security policy mechanism for message filtering


Requirements (3/3)

Interworking Scenario
- Interworking scenarios for message security processing for Web Services
- Interworking scenarios between mobile Web Services and mobile clients that do not support the WS protocol: most mobile terminals do not have enough processing power to fully support the Web Services protocol stack
- Interworking scenarios between mobile Web Services and legacy non-Web Services based applications: many backend application servers are not based on Web Services


Scope

- Integrated security architecture for message security in mobile Web Services that consist of various mobile terminals and networks
- Interworking mechanisms and service scenarios between applications that support full Web Services Security protocol stacks and legacy applications
- Integrated security architecture that utilizes security policy for message security in the mobile Web Services environment
- A message filtering mechanism based on message contents for the message security architecture
- Reference message security architecture and security service scenarios for mobile Web Services


Security Architecture for MWS

[Figure: reference architecture. Components: Mobile Terminal (WS Client); Mobile Terminal (non-WS Client); Mobile Web Services Security Gateway; Policy Server; Registry Server and Discovery Service (holding WSDL, Security Policy, Access Control Policy, etc.); Application Services (WS Provider); Application Services (non WS); External Application Service. The gateway, policy server and registry/discovery service are resources in the mobile network operator; the application services are resources of service providers. Reference points labelled in the figure: OFS, OIGW, OIGN, OPG, OFSP, OCP, OIWS, OINWS, OIXG, OFT, OFAP.]


Message Security Service Scenario

[Figure: sequence among Mobile Terminal, Discovery Service, Mobile Web Services Security Gateway, Policy Server, Application Service (Internal) and Application Service (External). Primed steps are the variants for a non-WS client, which exchanges plain messages (REQ_MSG / RESULT_MSG) instead of SOAP.]

(1) OFS (QUERY): Mobile Terminal → Discovery Service
(2) OFS (WSDL, Policy): Discovery Service → Mobile Terminal
(3) OIGW (REQ_SOAP) / (3') OIGN (REQ_MSG): Mobile Terminal → Mobile Web Services Security Gateway
(4) Validate message
(5) OCP (REQ_SOAP, ACCESS_REQ) / (5') OCP (REQ_MSG, ACCESS_REQ): Gateway → Policy Server
(6) Make a Policy Decision
(7) OCP (DECISION_RESULT): Policy Server → Gateway
(8) Message Conversion (if necessary)
(9) OIWS (REQ_SOAP) / (9') OINWS (REQ_MSG): Gateway → Application Service (Internal); OIXG (REQ_SOAP) / OIXG (REQ_MSG) when the target is the Application Service (External)
(10) Process the Request
(11) OIWS (RESULT_SOAP) / (11') OINWS (REQ_MSG): Application Service (Internal) → Gateway; OIXG (RESULT_SOAP) / OIXG (RESULT_MSG) from the Application Service (External)
(12) Message Conversion (if necessary)
(13) OIGW (RESULT_SOAP) / (13') OIGN (RESULT_MSG): Gateway → Mobile Terminal


Message Filtering Mechanism

[Figure: sequence among MWSSG (Mobile Web Services Security Gateway), Message Validator, Discovery Service / Registry Server and Policy Server.]

(1) OVM (MSG): MWSSG → Message Validator
(2) Validate message (content, schema, ...)
(3) OVM (RESULT): Message Validator → MWSSG
(4) OCP (MSG): MWSSG → Policy Server
(5) OFSP (MSG) / (5-1) OFSP (POLICY): security policy retrieval from the Discovery Service / Registry Server
(6) Conformance check
(7) OCP (CONF_RESULT): Policy Server → MWSSG
(8) OCP (ACCESS_REQ): MWSSG → Policy Server
(9) Check security token
(10) OFAP (ACCESS_REQ) / (10-1) OFAP (ACCESS_POLICY): access policy retrieval from the Discovery Service / Registry Server
(11) Make a policy decision
(12) OCP (ACCESS_DECISION): Policy Server → MWSSG
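The filtering requirement (Requirements 2/3), step (4) of the service scenario and the filtering sequence above all describe the same gateway pipeline: content/schema validation, conformance check against the security policy, security-token check, and an access-control decision. The following added Python example, which is not code from the presentation or from X.1143, runs those steps over constructed SOAP requests and returns a decision that names the step at which a message was stopped. The namespaces, policies, operations and subjects are constructed stand-ins for what the gateway would fetch from the registry and policy server.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional, Tuple

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
SVC_NS = "urn:example:balance"  # constructed namespace of the protected application service

# Constructed stand-ins for what the gateway would obtain from the Registry Server /
# Discovery Service (WSDL, security policy) and the Policy Server (access-control policy).
ALLOWED_OPERATIONS = {"GetBalance", "Transfer"}
SECURITY_POLICY = {"require_username_token": True, "max_bytes": 4096}
ACCESS_POLICY = {"GetBalance": {"customer", "teller"}, "Transfer": {"teller"}}
KNOWN_SUBJECTS = {"alice": "customer", "bob": "teller"}  # constructed token store
USERNAME_PATH = (f"{{{SOAP_NS}}}Header/{{{WSSE_NS}}}Security/"
                 f"{{{WSSE_NS}}}UsernameToken/{{{WSSE_NS}}}Username")


@dataclass
class Decision:
    accepted: bool
    stage: str    # pipeline step that produced the decision
    reason: str


def validate_message(msg: bytes) -> Tuple[Optional[ET.Element], Decision]:
    """Step (2): content and schema checks, done before any policy work."""
    if len(msg) > SECURITY_POLICY["max_bytes"]:
        return None, Decision(False, "validate", "message exceeds size limit")
    if b"<!DOCTYPE" in msg:
        return None, Decision(False, "validate", "DTD not allowed in SOAP messages")
    try:
        env = ET.fromstring(msg)
    except ET.ParseError as exc:
        return None, Decision(False, "validate", f"malformed XML: {exc}")
    if env.tag != f"{{{SOAP_NS}}}Envelope":
        return None, Decision(False, "validate", "root element is not a SOAP Envelope")
    body = env.find(f"{{{SOAP_NS}}}Body")
    if body is None or len(body) != 1:
        return None, Decision(False, "validate", "Body must contain exactly one operation")
    op = body[0].tag
    if not op.startswith(f"{{{SVC_NS}}}") or op.split("}")[1] not in ALLOWED_OPERATIONS:
        return None, Decision(False, "validate", f"operation {op} not in service description")
    return env, Decision(True, "validate", "ok")


def conformance_check(env: ET.Element) -> Decision:
    """Step (6): does the message carry what the security policy demands?"""
    username = env.find(USERNAME_PATH)
    if SECURITY_POLICY["require_username_token"] and (username is None or not username.text):
        return Decision(False, "conformance", "security policy requires a UsernameToken")
    return Decision(True, "conformance", "ok")


def check_security_token(env: ET.Element) -> Tuple[Optional[str], Decision]:
    """Step (9): map the token to a subject role (a lookup stands in for real token verification)."""
    username = env.find(USERNAME_PATH).text.strip()
    role = KNOWN_SUBJECTS.get(username)
    if role is None:
        return None, Decision(False, "token", f"unknown subject {username!r}")
    return role, Decision(True, "token", "ok")


def make_policy_decision(env: ET.Element, role: str) -> Decision:
    """Step (11): access-control decision for the requested operation."""
    op = env.find(f"{{{SOAP_NS}}}Body")[0].tag.split("}")[1]
    if role not in ACCESS_POLICY.get(op, set()):
        return Decision(False, "access", f"role {role!r} may not invoke {op}")
    return Decision(True, "access", f"{op} permitted for {role!r}")


def gateway_filter(msg: bytes) -> Decision:
    """Run the filtering steps in order; only a message passing all of them is forwarded."""
    env, decision = validate_message(msg)
    if not decision.accepted:
        return decision
    decision = conformance_check(env)
    if not decision.accepted:
        return decision
    role, decision = check_security_token(env)
    if not decision.accepted:
        return decision
    return make_policy_decision(env, role)


def sample_request(user: Optional[str], op: str) -> bytes:
    """Constructed SOAP request; user=None omits the WS-Security header entirely."""
    token = ""
    if user is not None:
        token = (f"<wsse:Security><wsse:UsernameToken><wsse:Username>{user}</wsse:Username>"
                 "</wsse:UsernameToken></wsse:Security>")
    return (f'<soap:Envelope xmlns:soap="{SOAP_NS}" xmlns:wsse="{WSSE_NS}">'
            f"<soap:Header>{token}</soap:Header>"
            f'<soap:Body><{op} xmlns="{SVC_NS}"><Account>42</Account></{op}></soap:Body>'
            "</soap:Envelope>").encode()


if __name__ == "__main__":
    for case in [("bob", "Transfer"), ("alice", "Transfer"), (None, "GetBalance"),
                 ("mallory", "GetBalance"), ("bob", "DeleteAccount")]:
        print(case, gateway_filter(sample_request(*case)))
```

The order matters: cheap structural checks (size, no DTD, well-formedness, one operation known from the service description) run first so that malformed or oversized traffic never reaches the policy server, and the stage recorded in each Decision gives the operator the per-step accept/reject counts the architecture's OVM and OCP exchanges would otherwise only carry implicitly.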


ITU-T X.websec-4

Title: Security Framework for enhanced Web based Telecommunication Services

- Under development in ITU-T SG17 WP2 since the September 2008 Geneva meeting
- X.websec-4 describes security threats and security requirements of the enhanced Web based Telecommunication Services
- It also describes security functions and technologies that satisfy the security requirements


Enhanced Web Technologies

- Web 2.0: a trend in the use of World Wide Web technology and Web design that aims to facilitate creativity, information sharing, and collaboration among users
- In Web 2.0, composite services are called mashups
- A mashup is a Web application that combines data from more than one source into a single integrated tool
- Content used in mashups is typically sourced from a third party via a public interface or API


Enhanced Web based Services

Enhanced Web technologies are being applied to the telecommunication environment since they enable developers to efficiently and cost-effectively develop and deploy new services, and to easily and rapidly integrate content from a variety of sources to form composite services:

- Decouple applications from IT server, storage, and network resources
- Flexibly compose new services using standards-based technologies and protocols
- Reuse architectural components to lower costs


Enhanced Web based Convergence Services


Security Threats

- General security threats: masquerade, eavesdropping, replay, modification of messages, man-in-the-middle attack, ...
- Security threats to AJAX: XSS (Cross-Site Scripting), CSRF (Cross-Site Request Forgery), JSON hijacking, DoS attack, ...
- Security threats to Web APIs: injection flaws, session hijacking and theft, ...
- Security threats to data syndication: RSS injection, XML-DoS (XML Denial of Service), XML message injection and manipulation, ...
- Mashup applications often allow arbitrary third-party mashup components from different domains; a malicious mashup component can inject malicious code into the application to achieve all kinds of attacks, including XSS, CSRF, and DoS


Conclusion

- Web technologies such as SOA, Web 2.0, and mashups are being applied to the telecommunication domain, including mobile services
- X.1143 describes the security architecture and security service scenarios for message security in mobile Web Services
- X.websec-4 will be developed in the new study period of ITU-T SG17 and will describe:
  - Security threats to the telecommunication services using enhanced Web technologies such as Web APIs and mashups
  - Security requirements of the telecommunication services using enhanced Web technologies
  - Security functions that satisfy the security requirements
  - Security technologies to provide secure telecommunication services using enhanced Web technologies