
International Telecommunication Union Geneva, 9(pm)-10 February 2009 ITU-T Security Standardization on Mobile Web Services Lee, Jae Seung Special Fellow,


1 International Telecommunication Union, Geneva, 9(pm)-10 February 2009
ITU-T Security Standardization on Mobile Web Services
Lee, Jae Seung, Special Fellow, Information Security Research Department, ETRI
ITU-T Workshop on "New challenges for Telecommunication Security Standardizations", Geneva, 9(pm)-10 February 2009

2 Introduction – Web Services
SOA (Service Oriented Architecture)
- An architectural style that supports integration of business processes as linked services that may be accessed when needed over a network
- A service interacts with other services and/or applications by using a loosely coupled, message-based communication model
Web Services
- The most common technology standards used to implement SOA
- A major focus of Web Services is to make functional building blocks accessible over standard Internet protocols that are independent from platforms and programming languages
- SOA/Web Services enable enterprises to create and connect applications with far less development time, expense, and expertise

3 Introduction – Web Services
Web Services
- SOAP: defines the message format in XML; contains the service request and response
- WSDL: describes a Web service
- UDDI: a standard for service discovery, together with a registry facility that facilitates the publishing and discovery processes
[Diagram: Service Registry, Service Consumer, Service Provider; Web Service Description; Find via UDDI, Publish via UDDI, Connect via SOAP]

4 Introduction – Mobile Web Services
- The mobile industry has started to apply Web Services technologies to expose and integrate the services in the mobile domain
- Web Services: simple/low-cost integration of different systems; can be built on top of existing systems
- Simplifies integration problems between operators, services, content providers and third-party integrators
- Creating effective mobile Web Services requires an architecture that addresses issues related to security, identity management, machine-readable description of Web Services, and methods for discovering Web Services instances

5 ITU-T X.1143 (X.websec-3)
- Title: Security architecture for message security in mobile web services
- X.1143 describes the security architecture and security service scenarios for message security in mobile Web Services

6 Requirements (1/3)
Maintaining security between multiple Web Services
- Persisting security data in the SOAP message itself is necessary for end-to-end security
- A transport-level security protocol such as SSL cannot satisfy this requirement
- The Message Security Architecture for Mobile Web Services has to be based on Web Services security technologies
[Diagram: Client, Web Service 1, Web Service 2; SOAP Request, SOAP Response; Security Context 1, Security Context 2]

7 Requirements (2/3)
Message Filtering
- Web Services use the HTTP port (TCP port 80)
- Most firewalls are unable to distinguish Web Services messages
- Message filtering based on message contents is necessary: filter malformed SOAP messages, schema validation, policy conformance check, etc.
- Make only the validated messages pass into/out of one domain from/to the other network domain or mobile clients
Integrated security policy mechanism for Message Security
- Integrated security policy mechanism for specifying security processing requirements for Web Services message security
- Integrated security policy mechanism for message filtering
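As an added example (not part of the presentation or of the X.1143 text), the checks slides 6 and 7 call for, applied to a SOAP 1.1 request: reject malformed or DTD-bearing XML, require a soap:Body, and enforce a simple policy that the wsse:Security header carries the Timestamp and Signature that give the message its end-to-end protection. The namespace URIs are the published SOAP/WS-Security ones; the policy, size limit and sample message are constructed for this example.

```python
# Added example: a content-based SOAP filter of the kind slide 7 describes.
# Not the X.1143 reference design; namespaces are the real SOAP 1.1 / WS-Security
# URIs, while the policy, size limit and sample message are constructed here.
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")
WSU_NS = ("http://docs.oasis-open.org/wss/2004/01/"
          "oasis-200401-wss-wssecurity-utility-1.0.xsd")
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"

# Assumed security policy: every message must carry a Timestamp and a Signature
# inside wsse:Security, so integrity travels with the message end to end.
REQUIRED_SECURITY_ELEMENTS = (f"{{{WSU_NS}}}Timestamp", f"{{{DSIG_NS}}}Signature")
MAX_SIZE = 64 * 1024  # bytes; crude guard against oversized / XML-DoS messages

# Constructed sample request (not captured traffic); the signature value is a dummy.
SAMPLE_OK = f"""<s:Envelope xmlns:s="{SOAP_NS}">
 <s:Header><wsse:Security xmlns:wsse="{WSSE_NS}">
  <wsu:Timestamp xmlns:wsu="{WSU_NS}"><wsu:Created>2009-02-09T12:00:00Z</wsu:Created></wsu:Timestamp>
  <ds:Signature xmlns:ds="{DSIG_NS}"><ds:SignatureValue>c2FtcGxl</ds:SignatureValue></ds:Signature>
 </wsse:Security></s:Header>
 <s:Body><GetLocation xmlns="urn:example:mws"/></s:Body>
</s:Envelope>""".encode()


def filter_soap(raw: bytes) -> tuple[bool, str]:
    """Return (accepted, reason); only accepted messages cross the domain boundary."""
    if len(raw) > MAX_SIZE:
        return False, "oversized message"
    if b"<!DOCTYPE" in raw or b"<!ENTITY" in raw:
        return False, "DTD/entities not allowed"  # blocks entity-expansion XML-DoS
    try:
        root = ET.fromstring(raw)  # rejects malformed XML
    except ET.ParseError as exc:
        return False, f"malformed XML: {exc}"
    if root.tag != f"{{{SOAP_NS}}}Envelope":
        return False, "not a SOAP envelope"
    if root.find(f"{{{SOAP_NS}}}Body") is None:
        return False, "missing soap:Body"
    header = root.find(f"{{{SOAP_NS}}}Header")
    security = header.find(f"{{{WSSE_NS}}}Security") if header is not None else None
    if security is None:
        return False, "missing wsse:Security header"
    for tag in REQUIRED_SECURITY_ELEMENTS:  # policy conformance check
        if security.find(tag) is None:
            return False, f"policy violation: {tag} absent"
    return True, "accepted"
```

A production filter would additionally validate the body against the service's WSDL schema and verify the signature cryptographically; this block only shows the structural and policy gate that sits in front of those steps.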

8 Requirements (3/3)
Interworking Scenario
- Interworking scenarios for message security processing for Web Services
- Interworking scenarios between mobile Web Services and mobile clients that do not support the WS protocol
- Interworking scenarios between mobile Web Services and legacy non-Web-Services-based applications
- Most of the mobile terminals do not have enough processing power to fully support the Web services protocol stack
- Many backend application servers are not based on Web services

9 Scope
- Integrated security architecture for message security in mobile Web Services that consist of various mobile terminals and networks
- Interworking mechanisms and service scenarios between applications that support full Web Services Security protocol stacks and legacy applications
- Integrated security architecture that utilizes security policy for message security in the mobile Web Services environment
- A message filtering mechanism based on message contents for the message security architecture
- Reference message security architecture and security service scenarios for mobile Web Services

10 Security Architecture for MWS

11 Message Security Service Scenario

12 Message Filtering Mechanism

13 ITU-T X.websec-4
- Title: Security Framework for enhanced Web based Telecommunication Services
- Under development in ITU-T SG17 WP2 since the September 2008 Geneva meeting
- X.websec-4 describes security threats and security requirements of the enhanced Web based Telecommunication Services
- It also describes security functions and technologies that satisfy the security requirements

14 Enhanced Web Technologies
- A trend in the use of World Wide Web technology and Web design that aims to facilitate creativity, information sharing, and collaboration among users
- In Web 2.0, composite services are called mashups. A mashup is a Web application that combines data from more than one source into a single integrated tool
- Content used in mashups is typically sourced from a third party via a public interface or API

15 Enhanced Web based Services
Enhanced Web technologies are being applied to the telecommunication environment since they enable developers to efficiently and cost-effectively develop and deploy new services, and to easily and rapidly integrate content from a variety of sources to form composite services:
- Decouple applications from IT server, storage and network resources
- Flexibly compose new services using standards-based technologies and protocols
- Reuse architectural components to lower costs

16 Enhanced Web based Convergence Services

17 Security Threats
General security threats
- Masquerade, Eavesdropping, Replay, Modification of messages, Man-in-the-Middle attack...
Security threats to AJAX
- XSS (Cross-Site Scripting), CSRF (Cross-Site Request Forgery), JSON Hijacking, DoS attack...
Security threats to Web APIs
- Injection flaws, Session hijacking and theft...
Security threats to data syndication
- RSS Injection, XML-DoS (XML Denial of Service), XML message injection and manipulation...
Mashup applications often allow arbitrary third-party mashup components from different domains. A malicious mashup component can inject malicious code into the application to achieve all kinds of attacks, including XSS, CSRF, and DoS.

18 Conclusion
- Web technologies such as SOA, Web 2.0, and mashups are being applied to the telecommunication domain, including mobile services
- X.1143 describes the security architecture and security service scenarios for message security in mobile Web Services
- X.websec-4 will be developed in the new study period of ITU-T SG17 and it will describe:
  - Security threats to the telecommunication services using enhanced Web technologies such as Web APIs and mashups
  - Security requirements of the telecommunication services using enhanced Web technologies
  - Security functions that satisfy the security requirements
  - Security technologies to provide secure telecommunication services using enhanced Web technologies
