international telecommunication union geneva, 9(pm)-10 february 2009 itu-t security standardization...
TRANSCRIPT
InternationalTelecommunicationUnion
Geneva, 9(pm)-10 February 2009
ITU-T Security Standardization on Mobile Web Services
Lee, Jae SeungSpecial Fellow, Information
Security Research Department, ETRI
ITU-T Workshop on“New challenges for Telecommunication
Security Standardizations"
Geneva, 9(pm)-10 February 2009
InternationalTelecommunicationUnionGeneva, 9(pm)-10 February 2009 2
Introduction – Web Services
SOA (Service Oriented Architecture)An architectural style that supports integration of business processes as linked services that may be accessed when needed over a networkA service interacts with other services and/or applications by using a loosely coupled, message based communication model
Web ServicesThe most common technology standards used to implement SOAA major focus of Web Services is to make functional building blocks accessible over standard Internet protocols. that are independent from platforms and programming languages
SOA/Web Services enable enterprise to create and connect applications with far less development time, expense, and expertise
InternationalTelecommunicationUnionGeneva, 9(pm)-10 February 2009 3
Introduction – Web ServicesWeb Services
SOAP: defines the message format in XML contains the service request and responseWSDL: describes a Web serviceUDDI: A standard for service discovery together with a registry facility that facilitates the publishing and discovery processes
Service Registry
Service ConsumerService Provider
Web ServiceDescription
Find via UDDI Publish via UDDI
Connect via SOAP
InternationalTelecommunicationUnionGeneva, 9(pm)-10 February 2009 4
Introduction – Mobile Web Services
The Mobile industry has started to apply Web Services technologies to expose and integrate the services in the mobile domain
Web Servicessimple/low cost integration of different systems, can be build on top of existing systemsSimplifies integration problems between operators, services, and content providers and third party integrators
Creating effective mobile Web Services requires an architecture that addresses issues related to Security, Identity Management, machine readable description of Web Services, methods for discovering Web Services Instances
InternationalTelecommunicationUnionGeneva, 9(pm)-10 February 2009 5
ITU-T X.1143 (X.websec-3)
Title: Security architecture for message security in mobile web services
X.1143 describes the security architecture and security service scenarios for message security in mobile Web Services
InternationalTelecommunicationUnionGeneva, 9(pm)-10 February 2009 6
Requirements (1/3)
Maintaining security between multiple Web Services
Persisting security data in the SOAP message itself is necessary for end-to-end securityTransport Level security protocol such as SSL cannot satisfy this requirementMessage Security Architecture for Mobile Web Services has to be based on Web Services security technologies
Client Web Service 1
Web Service 2
SOAP Request SOAP Request
SOAP ResponseSOAP Response
Security Context 1 Security Context 2
InternationalTelecommunicationUnionGeneva, 9(pm)-10 February 2009 7
Requirements (2/3)
Message FilteringWeb Services uses the HTTP ports (TCP ports 80)
Most firewalls are unable to distinguish Web Services messagesMessage filtering based on message contents is necessary
filter malformed SOAP messages, schema validation, policy conformance check, etc…make only the validated messages pass into/out of one domain from/to the other network domain or mobile clients
Integrated security policy mechanism for Message Security
Integrated security policy mechanism for specify security processing requirements for Web Services message security
Integrated security policy mechanism for message filtering
InternationalTelecommunicationUnionGeneva, 9(pm)-10 February 2009 8
Requirements (3/3)
Interworking ScenarioInterworking scenarios for message security processing for Web Services
Interworking scenarios between mobile Web Services and mobile clients that do not support WS protocol Interworking scenarios between mobile Web Services and legacy non-Web Services based applications
most of the mobile terminals do not have the enough processing power to fully support Web services protocol stackmany backend application servers are not based on Web services
InternationalTelecommunicationUnionGeneva, 9(pm)-10 February 2009 9
Scope
Integrated security architecture for message security in mobile Web Services that consist of various mobile terminals and networksInterworking mechanisms and service scenarios between applications that support full Web Services Security protocol stacks and legacy applications Integrated security architecture that utilizes security policy for message security on mobile Web Services environmentA message filtering mechanism based on message contents for the message security architectureReference message security architecture and security service scenarios for mobile Web Services
InternationalTelecommunicationUnionGeneva, 9(pm)-10 February 2009 10
Security Architecture for MWS
Application Service
(WS Provider)MobileWeb
ServicesSecurityGateway
PolicyServer
Application Service
(WS Provider)Application
Service(WS Provider)
Mobile Terminal
(WS Client)
Mobile Terminal
(non- WS Client)Application
Service(non WS)
Application Service
Application Service
(non WS)
ExternalApplication
Service
Resources in mobile network operator
Resourcesof serviceproviders
Resourcesof serviceproviders
Resourcesof serviceproviders
OFS
OIGW
OIGN
OPG
OFSP
OCP
OIWS
OINWS
OIXG
RegistryServer
OFT
OFAP
DiscoveryService
WSDL, SecurityPolicy, etc
WSDL, Security Policy, Access Control
Policy...
InternationalTelecommunicationUnionGeneva, 9(pm)-10 February 2009 11
Message Security Service ScenarioPolicy ServerMobile
Terminal
Mobile Web Services Security Gateway
DiscoveryService
(1) OFS (QUERY)
(2) OFS (WSDL, Policy)
(3) OIGW (REQ_SOAP)
(3') OIGN (REQ_MSG)
(4) Validate message
(5) OCP (REQ_SOAP, ACCESS_REQ)
(5') OCP (REQ_MSG, ACCESS_REQ)
(6) Make a Policy Decision(7) OCP (DECISION
_RESULT)
ApplicationService
(Internal)
ApplicationService
(External)
OIXG (REQ_SOAP)
OIXG (REQ_MSG)
(9) OIWS (REQ_SOAP)
(9') OINWS (REQ_MSG)(10) Process the Request
(11) OIWS (RESULT_SOAP)
(11') OINWS (REQ_MSG)
(8) Message Conversion (if necessary)
(12) Message Conversion (if necessary)OIXG (RESULT_SOAP)
OIXG (RESULT_MSG)(13) OIGW (RESULT _SOAP)
(13') OIGN (RESULT _MSG)
InternationalTelecommunicationUnionGeneva, 9(pm)-10 February 2009 12
Message Filtering MechanismMWSSG
Message Validator
DiscoveryService Registry Server
(2) Validatemessage (content, schema..)
Policy Server
(6) Conformance check
(11) Make a policy decision
(1) OVM (MSG)
(3) OVM (RESULT)
(4) OCP(MSG) (5) OFSP(MSG)
(5-1) OFSP(POLICY)
(7) OCP(CONF_RESULT)
(8) OCP(ACCESS_REQ)
(10) OFAP(ACCESS_REQ)
(10-1) OFAP(ACCESS_POLICY)
(12) OCP(ACCESS_DECISION)
(9) Check security Token
InternationalTelecommunicationUnionGeneva, 9(pm)-10 February 2009 13
ITU-T X.websec-4
Title: Security Framework for enhanced Web based Telecommunication Services
Under development in ITU-T SG17 WP2 since September 2008 Geneva meetingX.websec-4 describes security threats and security requirements of the enhanced Web based Telecommunication ServicesIt also describes security functions and technologies that satisfy the security requirements
InternationalTelecommunicationUnionGeneva, 9(pm)-10 February 2009 14
Enhanced Web Technologies
A trend in the use of World Wide Web technology and Web design that aims to facilitate creativity, information sharing, and collaboration among users
In Web 2.0, composite services are called mashups.
A mashup is a Web application that combines data from more than one source into a single integrated tool
Content used in mashups is typically sourced from a third party via a public interface or API
InternationalTelecommunicationUnionGeneva, 9(pm)-10 February 2009 15
Enhanced Web based Services
Enhanced Web technologies are being applied to telecommunication environment since they enable developers to efficiently and cost-effectively develop and deploy new services, and to easily and rapidly integrate content from a variety of sources to form composite services:
decouple applications from IT server, storage, network resources
Flexibly compose new services using standards-based technologies and protocols
Reuse architectural components to lower costs
InternationalTelecommunicationUnionGeneva, 9(pm)-10 February 2009 16
Enhanced Web based Convergence Services
InternationalTelecommunicationUnionGeneva, 9(pm)-10 February 2009 17
General Security threatsMasquerade, Eavesdropping, Replay, Modification of messages, Main in the Middle attack…
Security threats to AJAXXSS (Cross-Site Scripting), CSRF (Cross-Site Request Forgery), JSON Hijacking, DoS Attack..
Security threats to Web APIs Injection Flaws, Session hijacking and theft..
Security threats to data syndicationRSS Injection, XML-DoS (XML Denial of Service), XML message injection and manipulation…
Mashup applications often allow arbitrary third party mashup components from different domain.
A malicious mashup component can inject malicious code into the application to achieve all kinds of attacks including XSS, CSRF, and DoS
Security Threats
InternationalTelecommunicationUnionGeneva, 9(pm)-10 February 2009 18
Conclusion
Web technologies such as SOA, Web 2.0, and mashups are being applied to telecommunication domain including mobile services
X.1143 describes the security architecture and security service scenarios for message security in mobile Web ServicesX.websec-4 will be developed in the new study period of ITU-T SG17 and it will describe:
Security threats to the telecommunication services using enhanced Web technologies such as Web APIs and mashupsSecurity requirements of the telecommunication services using enhanced Web technologiesSecurity functions that satisfy the security requirementsSecurity technologies to provide secure telecommunication services using enhanced Web technologies