ITUT Security Standardization on Mobile Web Services - PowerPoint PPT Presentation

1
ITU-T Security Standardization on Mobile Web
Services
ITU-T Workshop on "New challenges for
Telecommunication Security Standardizations"
Geneva, 9(pm)-10 February 2009
  • Lee, Jae Seung
  • Special Fellow, Information Security Research
    Department, ETRI

2
Introduction: Web Services
  • SOA (Service Oriented Architecture)
  • An architectural style that supports integration
    of business processes as linked services that may
    be accessed when needed over a network
  • A service interacts with other services and/or
    applications by using a loosely coupled, message
    based communication model
  • Web Services
  • The most common technology standards used to
    implement SOA
  • A major focus of Web Services is to make
    functional building blocks accessible over
    standard Internet protocols that are independent
    of platforms and programming languages
  • SOA/Web Services enable enterprises to create and
    connect applications with far less development
    time, expense, and expertise

3
Introduction: Web Services
  • Web Services
  • SOAP defines the XML message format that contains
    the service request and response
  • WSDL describes a Web service
  • UDDI: a standard for service discovery, together
    with a registry facility that facilitates the
    publishing and discovery processes

[Figure: SOA triangle. The Service Provider publishes its Web Service Description to the Service Registry via UDDI; the Service Consumer finds the service via UDDI and connects to the Service Provider via SOAP]
4
Introduction: Mobile Web Services
  • The Mobile industry has started to apply Web
    Services technologies to expose and integrate the
    services in the mobile domain
  • Web Services
  • Simple, low-cost integration of different systems;
    can be built on top of existing systems
  • Simplifies integration problems between
    operators, services, and content providers and
    third party integrators
  • Creating effective mobile Web Services requires
    an architecture that addresses issues related to
    Security, Identity Management, machine readable
    description of Web Services, methods for
    discovering Web Services Instances

5
ITU-T X.1143 (X.websec-3)
  • Title: Security architecture for message security
    in mobile web services
  • X.1143 describes the security architecture and
    security service scenarios for message security
    in mobile Web Services

6
Requirements (1/3)
  • Maintaining security between multiple Web
    Services
  • Persisting security data in the SOAP message
    itself is necessary for end-to-end security
  • Transport-level security protocols such as SSL
    cannot satisfy this requirement, since they protect
    only one hop at a time
  • Message Security Architecture for Mobile Web
    Services has to be based on Web Services security
    technologies

[Figure: Client, Web Service 1 and Web Service 2 exchanging SOAP Requests and SOAP Responses across two separate security contexts (Security Context 1, Security Context 2)]
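The multi-hop requirement above, as an added example (not X.1143 text or the presenter's code): a SOAP request whose Body is bound to a keyed MAC carried in its own Header, so Web Service 2 can check integrity end to end even though each transport session terminates at the intermediary. The HMAC header is a simplified stand-in for a WS-Security XML Signature; the key, the sec: namespace and the Transfer operation are assumptions.

```python
"""Message-level integrity persisted in the SOAP message itself (added example).
Simplified stand-in for WS-Security: an HMAC over the serialized Body travels in
the SOAP Header, so the final receiver verifies it regardless of which hop-by-hop
transport sessions were used. KEY and the sec: namespace are constructed."""
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SEC_NS = "urn:example:security"        # hypothetical header namespace
KEY = b"constructed-shared-key"        # shared by client and Web Service 2
ET.register_namespace("soap", SOAP_NS)
ET.register_namespace("sec", SEC_NS)

def build_request(operation: str, params: dict, key: bytes = KEY) -> bytes:
    """Client: build the envelope and bind the Body to a MAC carried in the Header."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    op = ET.SubElement(body, operation)
    for name, value in params.items():
        ET.SubElement(op, name).text = str(value)
    # The security data lives in the message, not in the transport session.
    tag = hmac.new(key, ET.tostring(body), hashlib.sha256).hexdigest()
    ET.SubElement(header, f"{{{SEC_NS}}}BodyMAC").text = tag
    return ET.tostring(env)

def verify_request(msg: bytes, key: bytes = KEY) -> bool:
    """Final receiver (Web Service 2): recompute the MAC over the Body received."""
    env = ET.fromstring(msg)
    body = env.find(f"{{{SOAP_NS}}}Body")
    mac = env.find(f"{{{SOAP_NS}}}Header/{{{SEC_NS}}}BodyMAC")
    if body is None or mac is None or not mac.text:
        return False
    expected = hmac.new(key, ET.tostring(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac.text)

def forward_with_change(msg: bytes) -> bytes:
    """Web Service 1 forwards to Web Service 2 but alters a parameter on the way;
    its own transport hop was intact, yet the Body no longer matches the MAC."""
    env = ET.fromstring(msg)
    env.find(f"{{{SOAP_NS}}}Body/Transfer/amount").text = "9999"
    return ET.tostring(env)

def demo() -> tuple:
    """Returns (verified as sent, verified after the intermediary changed it)."""
    msg = build_request("Transfer", {"account": "A-1", "amount": 100})
    return verify_request(msg), verify_request(forward_with_change(msg))
```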
7
Requirements (2/3)
  • Message Filtering
  • Web Services use the HTTP port (TCP port 80)
  • Most firewalls are therefore unable to distinguish
    Web Services messages from other HTTP traffic
  • Message filtering based on message contents is
    necessary
  • filter malformed SOAP messages, schema
    validation, policy conformance check, etc
  • make only the validated messages pass into/out of
    one domain from/to the other network domain or
    mobile clients
  • Integrated security policy mechanism for Message
    Security
  • Integrated security policy mechanism for specifying
    security processing requirements for Web Services
    message security
  • Integrated security policy mechanism for message
    filtering
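A content-based filter of the kind the slide calls for, as an added example (not part of the original presentation): it rejects malformed, oversized, entity-declaring and policy-violating SOAP messages before they reach the service. The size and depth limits and the allowed-operation list are assumed policy values, and the sample messages are constructed.

```python
"""Content-based SOAP message filter (added example, not X.1143 text).
Rejects oversized input, DTD/entity declarations (XML-DoS entity expansion),
malformed XML, non-SOAP-1.1 envelopes, deep nesting, and operations outside
the policy. Limits and the allowed-operation list are constructed here."""
import re
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
MAX_BYTES = 64 * 1024                              # also bounds parser work
MAX_DEPTH = 32
ALLOWED_OPERATIONS = {"GetBalance", "Transfer"}    # hypothetical policy

def _depth(elem, level=1) -> int:
    return max([level] + [_depth(child, level + 1) for child in elem])

def filter_message(raw: bytes) -> tuple:
    """Return (accepted, reason) for one inbound message."""
    if len(raw) > MAX_BYTES:
        return False, "message too large"
    # Reject DOCTYPE/ENTITY before parsing: expat expands internal entities,
    # so a small message could otherwise balloon in memory.
    if re.search(rb"<!DOCTYPE|<!ENTITY", raw, re.IGNORECASE):
        return False, "DTD/entity declarations not allowed"
    try:
        env = ET.fromstring(raw)
    except ET.ParseError as exc:
        return False, f"malformed XML: {exc}"
    if env.tag != f"{{{SOAP_NS}}}Envelope":
        return False, "not a SOAP 1.1 envelope"
    body = env.find(f"{{{SOAP_NS}}}Body")
    if body is None:
        return False, "missing Body"
    if _depth(env) > MAX_DEPTH:
        return False, "nesting too deep"
    ops = [child.tag for child in body]
    if len(ops) != 1 or ops[0] not in ALLOWED_OPERATIONS:
        return False, f"operation not permitted by policy: {ops}"
    return True, "ok"

# Constructed sample messages
GOOD = (b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
        b'<soap:Body><GetBalance><account>A-1</account></GetBalance></soap:Body>'
        b'</soap:Envelope>')
MALFORMED = GOOD[:-5]                                # truncated closing tag
WITH_DTD = b'<!DOCTYPE x [<!ENTITY a "x">]>' + GOOD
WRONG_OP = GOOD.replace(b"GetBalance", b"DeleteAccount")

def run_samples() -> dict:
    samples = {"good": GOOD, "malformed": MALFORMED, "dtd": WITH_DTD, "wrong_op": WRONG_OP}
    return {name: filter_message(raw)[0] for name, raw in samples.items()}
```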

8
Requirements (3/3)
  • Interworking Scenario
  • Interworking scenarios for message security
    processing for Web Services
  • Interworking scenarios between mobile Web
    Services and mobile clients that do not support
    WS protocol
  • Interworking scenarios between mobile Web
    Services and legacy non-Web Services based
    applications
  • Most mobile terminals do not have enough
    processing power to fully support the Web
    Services protocol stack
  • many backend application servers are not based on
    Web services

9
Scope
  • Integrated security architecture for message
    security in mobile Web Services environments that
    consist of various mobile terminals and networks
  • Interworking mechanisms and service scenarios
    between applications that support full Web
    Services Security protocol stacks and legacy
    applications
  • Integrated security architecture that utilizes
    security policy for message security on mobile
    Web Services environment
  • A message filtering mechanism based on message
    contents for the message security architecture
  • Reference message security architecture and
    security service scenarios for mobile Web Services

10
Security Architecture for MWS
11
Message Security Service Scenario
12
Message Filtering Mechanism
13
ITU-T X.websec-4
  • Title: Security Framework for enhanced Web based
    Telecommunication Services
  • Under development in ITU-T SG17 WP2 since
    September 2008 Geneva meeting
  • X.websec-4 describes security threats and
    security requirements of the enhanced Web based
    Telecommunication Services
  • It also describes security functions and
    technologies that satisfy the security
    requirements

14
Enhanced Web Technologies
  • A trend in the use of World Wide Web technology
    and Web design that aims to facilitate
    creativity, information sharing, and
    collaboration among users
  • In Web 2.0, composite services are called
    mashups.
  • A mashup is a Web application that combines data
    from more than one source into a single
    integrated tool
  • Content used in mashups is typically sourced from
    a third party via a public interface or API

15
Enhanced Web based Services
  • Enhanced Web technologies are being applied to the
    telecommunication environment since they enable
    developers to efficiently and cost-effectively
    develop and deploy new services, and to easily
    and rapidly integrate content from a variety of
    sources to form composite services
  • Decouple applications from IT server, storage, and
    network resources
  • Flexibly compose new services using
    standards-based technologies and protocols
  • Reuse architectural components to lower costs

16
Enhanced Web based Convergence Services
17
Security Threats
  • General Security threats
  • Masquerade, Eavesdropping, Replay, Modification
    of messages, Man-in-the-Middle attack
  • Security threats to AJAX
  • XSS (Cross-Site Scripting), CSRF (Cross-Site
    Request Forgery), JSON Hijacking, DoS attack, etc.
  • Security threats to Web APIs
  • Injection flaws, session hijacking and theft, etc.
  • Security threats to data syndication
  • RSS Injection, XML-DoS (XML Denial of Service),
    XML message injection and manipulation
  • Mashup applications often allow arbitrary third
    party mashup components from different domains.
  • A malicious mashup component can inject malicious
    code into the application to achieve all kinds of
    attacks including XSS, CSRF, and DoS

18
Conclusion
  • Web technologies such as SOA, Web 2.0, and
    mashups are being applied to the telecommunication
    domain, including mobile services
  • X.1143 describes the security architecture and
    security service scenarios for message security
    in mobile Web Services
  • X.websec-4 will be developed in the new study
    period of ITU-T SG17 and it will describe
  • Security threats to the telecommunication
    services using enhanced Web technologies such as
    Web APIs and mashups
  • Security requirements of the telecommunication
    services using enhanced Web technologies
  • Security functions that satisfy the security
    requirements
  • Security technologies to provide secure
    telecommunication services using enhanced Web
    technologies