ITU-T Workshop on "New challenges for Telecommunication Security Standardizations", Geneva, 9(pm)-10 February 2009
ITU-T Security Standardization on Mobile Web Services
Lee, Jae Seung, Special Fellow, Information Security Research Department, ETRI
Geneva, 9(pm)-10 February 2009, International Telecommunication Union

Slide 2 – Introduction – Web Services
SOA (Service Oriented Architecture)
- An architectural style that supports integration of business processes as linked services that may be accessed when needed over a network
- A service interacts with other services and/or applications using a loosely coupled, message-based communication model
Web Services
- The most common technology standards used to implement SOA
- A major focus of Web Services is to make functional building blocks accessible over standard Internet protocols that are independent of platforms and programming languages
- SOA/Web Services enable enterprises to create and connect applications with far less development time, expense, and expertise

Slide 3 – Introduction – Web Services
Web Services
- SOAP: defines the message format in XML; contains the service request and response
- WSDL: describes a Web service
- UDDI: a standard for service discovery, together with a registry facility that facilitates the publishing and discovery processes
[Figure: the Service Provider publishes its Web Service Description to the Service Registry via UDDI; the Service Consumer finds the service via UDDI and connects to the Service Provider via SOAP]

Slide 4 – Introduction – Mobile Web Services
- The mobile industry has started to apply Web Services technologies to expose and integrate the services in the mobile domain
- Web Services offer simple, low-cost integration of different systems and can be built on top of existing systems
- They simplify integration between operators, service and content providers, and third-party integrators
- Creating effective mobile Web Services requires an architecture that addresses security, identity management, machine-readable description of Web Services, and methods for discovering Web Service instances

Slide 5 – ITU-T X.1143 (X.websec-3)
- Title: Security architecture for message security in mobile web services
- X.1143 describes the security architecture and security service scenarios for message security in mobile Web Services

Slide 6 – Requirements (1/3): Maintaining security between multiple Web Services
[Figure: Client -- SOAP Request/Response --> Web Service 1 -- SOAP Request/Response --> Web Service 2; Security Context 1 covers the Client to Web Service 1 hop, Security Context 2 the Web Service 1 to Web Service 2 hop]
- Persisting security data in the SOAP message itself is necessary for end-to-end security
- A transport-level security protocol such as SSL cannot satisfy this requirement: it protects a single hop, so each intermediary (Web Service 1 above) handles the plaintext and can alter it before the next security context begins
- The message security architecture for mobile Web Services therefore has to be based on Web Services security technologies

Slide 7 – Requirements (2/3)
Message filtering
- Web Services use the HTTP port (TCP port 80), so most firewalls are unable to distinguish Web Services messages from ordinary Web traffic
- Message filtering based on message contents is necessary: filter malformed SOAP messages, schema validation, policy conformance check, etc.
- Only validated messages pass into/out of one domain from/to the other network domain or mobile clients
Integrated security policy mechanism for message security
- An integrated security policy mechanism to specify security processing requirements for Web Services message security
- An integrated security policy mechanism for message filtering

Slide 8 – Requirements (3/3): Interworking scenarios
- Interworking scenarios for message security processing for Web Services
- Interworking scenarios between mobile Web Services and mobile clients that do not support the WS protocol stack: most mobile terminals do not have enough processing power to fully support the Web Services protocol stack
- Interworking scenarios between mobile Web Services and legacy non-Web-Services-based applications: many backend application servers are not based on Web Services

Slide 9 – Scope
- Integrated security architecture for message security in mobile Web Services that consist of various mobile terminals and networks
- Interworking mechanisms and service scenarios between applications that support full Web Services Security protocol stacks and legacy applications
- Integrated security architecture that utilizes security policy for message security in the mobile Web Services environment
- A message filtering mechanism based on message contents for the message security architecture
- Reference message security architecture and security service scenarios for mobile Web Services

Slide 10 – Security Architecture for MWS
[Figure: reference architecture. Resources in the mobile network operator: Policy Server and Registry Server (holding WSDL, Security Policy, Access Control Policy, etc.), Discovery Service, and the Mobile Web Services Security Gateway. Mobile Terminals (WS Client and non-WS Client) reach the Discovery Service over OFS and the gateway over OIGW (WS client) or OIGN (non-WS client). Behind the gateway, the operator's Application Services (WS Provider and non-WS) are reached over OIWS and OINWS; external Application Services of service providers are reached over OIXG. The gateway consults the Policy Server over OCP; the Policy Server obtains security policy over OFSP and access policy over OFAP. The figure also labels reference points OPG and OFT.]

Slide 11 – Message Security Service Scenario
Participants: Discovery Service, Mobile Terminal, Mobile Web Services Security Gateway, Policy Server, Application Service (Internal), Application Service (External)
(1) Mobile Terminal -> Discovery Service: OFS (QUERY)
(2) Discovery Service -> Mobile Terminal: OFS (WSDL, Policy)
(3) Mobile Terminal -> Gateway: OIGW (REQ_SOAP); (3') non-WS client: OIGN (REQ_MSG); an external Application Service sends OIXG (REQ_SOAP) or OIXG (REQ_MSG)
(4) Gateway: validate message
(5) Gateway -> Policy Server: OCP (REQ_SOAP, ACCESS_REQ); (5') OCP (REQ_MSG, ACCESS_REQ)
(6) Policy Server: make a policy decision
(7) Policy Server -> Gateway: OCP (DECISION_RESULT)
(8) Gateway: message conversion (if necessary)
(9) Gateway -> Application Service: OIWS (REQ_SOAP); (9') OINWS (REQ_MSG)
(10) Application Service: process the request
(11) Application Service -> Gateway: OIWS (RESULT_SOAP); (11') OINWS (REQ_MSG) (as labelled in the figure; this is the non-WS result message)
(12) Gateway: message conversion (if necessary)
(13) Gateway -> Mobile Terminal: OIGW (RESULT_SOAP); (13') OIGN (RESULT_MSG); to an external Application Service: OIXG (RESULT_SOAP) or OIXG (RESULT_MSG)

Slide 12 – Message Filtering Mechanism
Participants: MWSSG (Mobile Web Services Security Gateway), Message Validator, Policy Server, Discovery Service, Registry Server
(1) MWSSG -> Message Validator: OVM (MSG)
(2) Message Validator: validate message (content, schema, ...)
(3) Message Validator -> MWSSG: OVM (RESULT)
(4) MWSSG -> Policy Server: OCP (MSG)
(5) Policy Server: OFSP (MSG); (5-1) OFSP (POLICY) returns the security policy
(6) Policy Server: conformance check
(7) Policy Server -> MWSSG: OCP (CONF_RESULT)
(8) MWSSG -> Policy Server: OCP (ACCESS_REQ)
(9) Policy Server: check security token
(10) Policy Server: OFAP (ACCESS_REQ); (10-1) OFAP (ACCESS_POLICY) returns the access policy
(11) Policy Server: make a policy decision
(12) Policy Server -> MWSSG: OCP (ACCESS_DECISION)

Slide 13 – ITU-T X.websec-4
- Title: Security Framework for enhanced Web based Telecommunication Services
- Under development in ITU-T SG17 WP2 since the September 2008 Geneva meeting
- X.websec-4 describes security threats and security requirements of enhanced Web based telecommunication services
- It also describes security functions and technologies that satisfy the security requirements

Slide 14 – Enhanced Web Technologies
- A trend in the use of World Wide Web technology and Web design that aims to facilitate creativity, information sharing, and collaboration among users
- In Web 2.0, composite services are called mashups. A mashup is a Web application that combines data from more than one source into a single integrated tool
- Content used in mashups is typically sourced from a third party via a public interface or API

Slide 15 – Enhanced Web based Services
- Enhanced Web technologies are being applied to the telecommunication environment since they enable developers to efficiently and cost-effectively develop and deploy new services, and to easily and rapidly integrate content from a variety of sources to form composite services:
  - decouple applications from IT server, storage, and network resources
  - flexibly compose new services using standards-based technologies and protocols
  - reuse architectural components to lower costs

Slide 16 – Enhanced Web based Convergence Services
[Figure only]

Slide 17 – Security Threats
- General security threats: masquerade, eavesdropping, replay, modification of messages, man-in-the-middle attack, ...
- Security threats to AJAX: XSS (Cross-Site Scripting), CSRF (Cross-Site Request Forgery), JSON hijacking, DoS attack, ...
- Security threats to Web APIs: injection flaws, session hijacking and theft, ...
- Security threats to data syndication: RSS injection, XML-DoS (XML Denial of Service), XML message injection and manipulation, ...
- Mashup applications often allow arbitrary third-party mashup components from different domains. A malicious mashup component can inject malicious code into the application to achieve all kinds of attacks, including XSS, CSRF, and DoS

Slide 18 – Conclusion
- Web technologies such as SOA, Web 2.0, and mashups are being applied to the telecommunication domain, including mobile services
- X.1143 describes the security architecture and security service scenarios for message security in mobile Web Services
- X.websec-4 will be developed in the new study period of ITU-T SG17 and will describe:
  - security threats to telecommunication services using enhanced Web technologies such as Web APIs and mashups
  - security requirements of telecommunication services using enhanced Web technologies
  - security functions that satisfy the security requirements
  - security technologies to provide secure telecommunication services using enhanced Web technologies
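Added example (not code from the presentation, from ETRI or from ITU-T): a toy Python gateway that runs the gateway-side steps of the message security scenario and the message filtering mechanism described earlier (validate the message, check conformance with the security policy, check the security token, make the access decision) on a SOAP request whose security data travels inside the message, as the end-to-end requirement demands. The `sec`/`app` namespaces, the token table, the access policy, the size/depth limits, the freshness window and the HMAC-SHA256 signature are assumptions made for this example only; X.1143 builds on WS-Security (XML Signature/Encryption), not on this shared-key scheme.

```python
"""Constructed example of a Mobile Web Services Security Gateway (MWSSG).
Namespaces, key table, policies and the HMAC signature are assumptions made for
this illustration; they are not taken from X.1143."""
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1 envelope
SEC_NS = "urn:example:mws:security"                    # assumed header namespace
APP_NS = "urn:example:mws:app"                         # assumed service namespace
for prefix, uri in (("soap", SOAP_NS), ("sec", SEC_NS), ("app", APP_NS)):
    ET.register_namespace(prefix, uri)

def q(ns, local):
    return "{%s}%s" % (ns, local)

# Constructed stand-ins for what the Policy/Registry Servers supply over OFSP/OFAP.
TOKEN_KEYS = {"tok-alice": b"alice-shared-key", "tok-bob": b"bob-shared-key"}
ACCESS_POLICY = {"tok-alice": {"GetBalance", "Transfer"}, "tok-bob": {"GetBalance"}}
SECURITY_POLICY = {"max_bytes": 4096, "max_depth": 8, "freshness_s": 300,
                   "required": ("Token", "Created", "Signature")}

def mac_over(token, created, body):
    # The Body is serialized the same way on sender and gateway, so the MAC binds
    # its content end to end, however many hops or converters relay the envelope.
    data = "|".join([token, created, ET.tostring(body, encoding="unicode")]).encode()
    return hmac.new(TOKEN_KEYS[token], data, hashlib.sha256).hexdigest()

def build_request(token, operation, argument, created):
    """Mobile terminal side: security data is persisted inside the SOAP message."""
    env = ET.Element(q(SOAP_NS, "Envelope"))
    sec = ET.SubElement(ET.SubElement(env, q(SOAP_NS, "Header")), q(SEC_NS, "Security"))
    body = ET.SubElement(env, q(SOAP_NS, "Body"))
    ET.SubElement(body, q(APP_NS, operation)).text = argument
    ET.SubElement(sec, q(SEC_NS, "Token")).text = token
    ET.SubElement(sec, q(SEC_NS, "Created")).text = str(created)
    ET.SubElement(sec, q(SEC_NS, "Signature")).text = mac_over(token, str(created), body)
    return ET.tostring(env, encoding="unicode")

def validate_message(raw):
    """Filtering step (2): content/schema validation before any further processing."""
    if len(raw.encode()) > SECURITY_POLICY["max_bytes"]:
        return None, "message too large"
    if "<!DOCTYPE" in raw or "<!ENTITY" in raw:  # entity expansion / injection (XML-DoS)
        return None, "DTD/entity declarations rejected (XML-DoS, entity injection)"
    try:
        env = ET.fromstring(raw)
    except ET.ParseError as exc:
        return None, "malformed XML: %s" % exc
    depth = lambda e, d=1: max([d] + [depth(c, d + 1) for c in e])
    if depth(env) > SECURITY_POLICY["max_depth"]:
        return None, "nesting too deep"
    body = env.find(q(SOAP_NS, "Body"))
    if env.tag != q(SOAP_NS, "Envelope") or body is None:
        return None, "not a SOAP envelope"
    if len(body) != 1 or not body[0].tag.startswith("{%s}" % APP_NS):
        return None, "Body must carry exactly one service operation"
    return env, None

def conformance_check(env, now):
    """Filtering steps (5)-(7): the message must conform to the security policy."""
    sec = env.find("%s/%s" % (q(SOAP_NS, "Header"), q(SEC_NS, "Security")))
    if sec is None:
        return None, "missing Security header"
    fields = {n: sec.findtext(q(SEC_NS, n)) for n in SECURITY_POLICY["required"]}
    missing = [n for n, v in fields.items() if not v]
    if missing:
        return None, "missing security elements: %s" % ",".join(missing)
    created = fields["Created"]
    if not created.isdigit() or abs(now - int(created)) > SECURITY_POLICY["freshness_s"]:
        return None, "Created outside freshness window (replay)"
    return fields, None

def check_token(fields, env):
    """Filtering step (9): verify the signature bound to the security token."""
    if fields["Token"] not in TOKEN_KEYS:
        return "unknown token"
    expected = mac_over(fields["Token"], fields["Created"], env.find(q(SOAP_NS, "Body")))
    if not hmac.compare_digest(expected, fields["Signature"]):
        return "signature mismatch: Body or Security header modified in transit"
    return None

def gateway_process(raw, now):
    """Returns ('ACCEPT', operation) or ('REJECT', reason) for an incoming message."""
    env, err = validate_message(raw)
    fields, err = conformance_check(env, now) if not err else (None, err)
    err = err or check_token(fields, env)
    if err:
        return "REJECT", err
    operation = env.find(q(SOAP_NS, "Body"))[0].tag.split("}", 1)[1]
    if operation not in ACCESS_POLICY.get(fields["Token"], set()):  # steps (10)-(12)
        return "REJECT", "access denied for %s" % operation
    return "ACCEPT", operation

if __name__ == "__main__":
    msg = build_request("tok-alice", "Transfer", "100", 1234567890)
    print(gateway_process(msg, 1234567890))
    print(gateway_process(msg.replace(">100<", ">900<"), 1234567890))
```

A Body edited after signing, a stale Created value, a DOCTYPE or ENTITY declaration, a malformed envelope, and a token without the right to the requested operation are each rejected at the stage the figures place them; a transport-only check would have accepted the edited Body as soon as the next hop re-encrypted it.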