ImageVerifierCode 换一换
格式:PDF , 页数:20 ,大小:164.59KB ,
资源ID:803447      下载积分:10000 积分
快捷下载
登录下载
邮箱/手机:
温馨提示:
如需开发票,请勿充值!快捷下载时,用户名和密码都是您填写的邮箱或者手机号,方便查询和重复下载(系统自动生成)。
如填写123,账号就是123,密码也是123。
特别说明:
请自助下载,系统不会自动发送文件的哦; 如果您已付费,想二次下载,请登录后访问:我的下载记录
支付方式: 支付宝扫码支付 微信扫码支付   
注意:如需开发票,请勿充值!
验证码:   换一换

加入VIP,免费下载
 

温馨提示:由于个人手机设置不同,如果发现不能下载,请复制以下地址【http://www.mydoc123.com/d-803447.html】到电脑端继续下载(重复下载不扣费)。

已注册用户请登录:
账号:
密码:
验证码:   换一换
  忘记密码?
三方登录: 微信登录  

下载须知

1: 本站所有资源如无特殊说明,都需要本地电脑安装OFFICE2007和PDF阅读器。
2: 试题试卷类文档,如果标题没有明确说明有答案则都视为没有答案,请知晓。
3: 文件的所有权益归上传用户所有。
4. 未经权益所有人同意不得将文件中的内容挪作商业或盈利用途。
5. 本站仅提供交流平台,并不能对任何下载内容负责。
6. 下载文件中如有侵权或不适当内容,请与我们联系,我们立即纠正。
7. 本站不保证下载资源的准确性、安全性和完整性, 同时也不承担用户因使用这些下载资源对自己和他人造成任何形式的伤害或损失。

版权提示 | 免责声明

本文(ITU-T SERIES X SUPP 17-2012 ITU-T X 1143 C Supplement on threats and security objectives for enhanced web-based telecommunication services (Study Group 17)《ITU-T X 1143 增强型网络电信业务的威.pdf)为本站会员(周芸)主动上传,麦多课文库仅提供信息存储空间,仅对用户上传内容的表现方式做保护处理,对上载内容本身不做任何修改或编辑。 若此文所含内容侵犯了您的版权或隐私,请立即通知麦多课文库(发送邮件至master@mydoc123.com或直接QQ联系客服),我们立即给予删除!

ITU-T SERIES X SUPP 17-2012 ITU-T X 1143 C Supplement on threats and security objectives for enhanced web-based telecommunication services (Study Group 17)《ITU-T X 1143 增强型网络电信业务的威.pdf

1、 International Telecommunication Union ITU-T Series XTELECOMMUNICATION STANDARDIZATION SECTOR OF ITU Supplement 17(09/2012) SERIES X: DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY ITU-T X.1143 Supplement on threats and security objectives for enhanced web-based telecommunication services IT

2、U-T X-series Recommendations Supplement 17 ITU-T X-SERIES RECOMMENDATIONS DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY PUBLIC DATA NETWORKS X.1X.199 OPEN SYSTEMS INTERCONNECTION X.200X.299 INTERWORKING BETWEEN NETWORKS X.300X.399 MESSAGE HANDLING SYSTEMS X.400X.499 DIRECTORY X.500X.599 OSI

3、 NETWORKING AND SYSTEM ASPECTS X.600X.699 OSI MANAGEMENT X.700X.799 SECURITY X.800X.849 OSI APPLICATIONS X.850X.899 OPEN DISTRIBUTED PROCESSING X.900X.999 INFORMATION AND NETWORK SECURITY General security aspects X.1000X.1029 Network security X.1030X.1049 Security management X.1050X.1069 Telebiometr

4、ics X.1080X.1099 SECURE APPLICATIONS AND SERVICES Multicast security X.1100X.1109 Home network security X.1110X.1119 Mobile security X.1120X.1139 Web security X.1140X.1149 Security protocols X.1150X.1159 Peer-to-peer security X.1160X.1169 Networked ID security X.1170X.1179 IPTV security X.1180X.1199

5、 CYBERSPACE SECURITY Cybersecurity X.1200X.1229 Countering spam X.1230X.1249 Identity management X.1250X.1279 SECURE APPLICATIONS AND SERVICES Emergency communications X.1300X.1309 Ubiquitous sensor network security X.1310X.1339 CYBERSECURITY INFORMATION EXCHANGE Overview of cybersecurity X.1500X.15

6、19 Vulnerability/state exchange X.1520X.1539 Event/incident/heuristics exchange X.1540X.1549 Exchange of policies X.1550X.1559 Heuristics and information request X.1560X.1569 Identification and discovery X.1570X.1579 Assured exchange X.1580X.1589 For further details, please refer to the list of ITU-

7、T Recommendations. X series Supplement 17 (09/2012) i Supplement 17 to ITU-T X-series Recommendations ITU-T X.1143 Supplement on threats and security objectives for enhanced web-based telecommunication services Summary Supplement 17 to the ITU-T X-series Recommendations describes threats to, and sec

8、urity objectives for, enhanced web-based telecommunication services using technologies such as Web 2.0 and mashups. Threats to enhanced web-based applications are identified, as are threats to traditional web-based applications. Moreover, security objectives for enhanced web-based application servic

9、es are provided. History Edition Recommendation Approval Study Group 1.0 ITU-T X Suppl. 17 2012-09-07 17 ii X series Supplement 17 (09/2012) FOREWORD The International Telecommunication Union (ITU) is the United Nations specialized agency in the field of telecommunications, information and communica

10、tion technologies (ICTs). The ITU Telecommunication Standardization Sector (ITU-T) is a permanent organ of ITU. ITU-T is responsible for studying technical, operating and tariff questions and issuing Recommendations on them with a view to standardizing telecommunications on a worldwide basis. The Wo

11、rld Telecommunication Standardization Assembly (WTSA), which meets every four years, establishes the topics for study by the ITU-T study groups which, in turn, produce Recommendations on these topics. The approval of ITU-T Recommendations is covered by the procedure laid down in WTSA Resolution 1. I

12、n some areas of information technology which fall within ITU-Ts purview, the necessary standards are prepared on a collaborative basis with ISO and IEC. NOTE In this publication, the expression “Administration“ is used for conciseness to indicate both a telecommunication administration and a recogni

13、zed operating agency. Compliance with this publication is voluntary. However, the publication may contain certain mandatory provisions (to ensure, e.g., interoperability or applicability) and compliance with the publication is achieved when all of these mandatory provisions are met. The words “shall

14、“ or some other obligatory language such as “must“ and the negative equivalents are used to express requirements. The use of such words does not suggest that compliance with the publication is required of any party. INTELLECTUAL PROPERTY RIGHTS ITU draws attention to the possibility that the practic

15、e or implementation of this publication may involve the use of a claimed Intellectual Property Right. ITU takes no position concerning the evidence, validity or applicability of claimed Intellectual Property Rights, whether asserted by ITU members or others outside of the publication development pro

16、cess. As of the date of approval of this publication, ITU had not received notice of intellectual property, protected by patents, which may be required to implement this publication. However, implementers are cautioned that this may not represent the latest information and are therefore strongly urg

17、ed to consult the TSB patent database at http:/www.itu.int/ITU-T/ipr/. ITU 2012 All rights reserved. No part of this publication may be reproduced, by any means whatsoever, without the prior written permission of ITU. X series Supplement 17 (09/2012) iii Table of Contents Page 1 Scope 1 2 References

18、. 1 3 Definitions 1 3.1 Terms defined elsewhere 1 3.2 Terms defined in this supplement . 2 4 Abbreviations and acronyms 2 5 Conventions 3 6 Introduction 3 7 Architecture of enhanced web-based telecommunication services 3 8 Threats of enhanced web-based telecommunication services 4 8.1 General securi

19、ty threats 4 8.2 Security threats to asynchronous script 5 8.3 Security threats to web application programming interfaces . 6 8.4 Security threats to data syndication 7 8.5 Security threats to mashup 7 9 Security objectives of enhanced web-based telecommunication services 8 9.1 Access control 8 9.2

20、Authentication 8 9.3 Authorization 8 9.4 Availability . 8 9.5 Communication security . 8 9.6 Data confidentiality 8 9.7 Data integrity 8 9.8 Guarantee of efficiency 8 9.9 Non-repudiation 8 9.10 Privacy 9 9.11 Secure remote backup of device . 9 9.12 Secure user management 9 9.13 Separating key manage

21、ment . 9 9.14 Trust service . 9 9.15 Relationship between security objectives and security threats . 9 Bibliography. 11 X series Supplement 17 (09/2012) 1 Supplement 17 to ITU-T X-series Recommendations ITU-T X.1143 Supplement on threats and security objectives for enhanced web-based telecommunicati

22、on services 1 Scope This supplement describes threats to, and security objectives for, enhanced web-based telecommunication services using technologies such as Web 2.0 and mashups. There are many web service standards and web service security standards. These are partially developed by vendors and s

23、ervice providers, and not organized. This supplement provides an overview of the threats to, and security objectives for, enhanced web-based telecommunication services and is a baseline document for designers or implementers to analyse the vulnerabilities of web application services and to consider

24、and improve the security aspects of web applications. The threats identified for enhanced web-based applications are not the only ones being investigated, but also those of traditional web applications, as these are still potential threats to enhanced applications. Moreover, the security objectives

25、provided cope with the threats and would be applied to wired/wireless web-based application services. 2 References None. 3 Definitions 3.1 Terms defined elsewhere This supplement uses the following terms defined elsewhere: 3.1.1 access control b-ITU-T X.800: The prevention of unauthorized use of a r

26、esource, including the prevention of use of a resource in an unauthorized manner. 3.1.2 authorization b-ITU-T X.800: The granting of rights, which includes the granting of access based on access rights. 3.1.3 availability b-ITU-T X.800: The property of being accessible and useable upon demand by an

27、authorized entity. 3.1.4 confidentiality b-ITU-T X.800: The property that information is not made available or disclosed to unauthorized individuals, entities, or processes. 3.1.5 data integrity b-ITU-T X.800: The property that data has not been altered or destroyed in an unauthorized manner. 3.1.6

28、data origin authentication b-ITU-T X.800: The corroboration that the source of data received is as claimed. 3.1.7 hypertext markup language (HTML) b-ITU-T M.3030: A system of coding information from a wide range of domains (e.g., text, graphics, database query results) for display by World Wide Web

29、browsers. Certain special codes, called tags, are embedded in the document so that the browser can be told how to render the information. 3.1.8 privacy b-ITU-T X.800: The right of individuals to control or influence what information related to them may be collected and stored and by whom and to whom

30、 that information may be disclosed. 2 X series Supplement 17 (09/2012) 3.1.9 repudiation b-ITU-T X.800: Denial by one of the entities involved in a communication of having participated in all or part of the communication. 3.2 Terms defined in this supplement This supplement defines the following ter

31、ms: 3.2.1 authentication: A process used to achieve sufficient confidence in the binding between the entity and the presented identity. NOTE Use of the term authentication in a web-based service context is taken to mean entity authentication. 3.2.2 JavaScript Object Notation (JSON): A lightweight, t

32、ext-based, language-independent data interchange format. 3.2.3 mashup: A web application that combines content (data and code) or services from multiple origins to create a new service. 3.2.4 Web 2.0: Web technology and applications that facilitate participatory information sharing, interoperability

33、, user-centred design and collaboration on the World Wide Web (WWW). 4 Abbreviations and acronyms This Supplement uses the following abbreviations and acronyms: API Application Programming Interface CSRF Cross-Site Request Forgery DOM Document Object Model DoS Denial of Service HTTP Hypertext Transf

34、er Protocol HTTPS Hypertext Transfer Protocol Security JSON Javascript Object Notation MitB Man-in-the-Browser MitM Man-in-the-Middle OOP Object-Oriented Programming PKI Public Key Infrastructure REST Representational State Transfer RSS Really Simple Syndication SDU Service Data Unit SNS Social Netw

35、orking Service SOAP Simple Object Access Protocol SSL Secure Socket Layer URL Uniform Resource Locator WS Web Service WWW World Wide Web XML eXtensible Markup Language XSS Cross-Site Scripting X series Supplement 17 (09/2012) 3 5 Conventions None. 6 Introduction The benefits of web services have an

36、important effect on human societies and become a part of human lives. Enhanced web-based technologies, such as Web 2.0 and mashups, are trends in the use of WWW technology that aim to facilitate creativity, information sharing and collaboration among users. The major technical changes of the trends

37、are asynchronous script, data syndication, an open application programming interface and mashup. Although web designers and implementers support the interoperability among these technologies and service, the interoperability is not complied with. It is the same situation in the case of security stan

38、dardization. In Web 2.0, composite services are called mashups. A mashup is a web application that combines data from more than one source into a single integrated tool. Figure 1 is an example of the mashup service. Content used in mashups is typically sourced from a third party via a public interfa

39、ce or API. When a non-secure service and a secure service converge into a mashup service, the mashup service is influenced by an attacker. Figure 1 gives an example of why the security levels of every web service and domain conforming to the mashup should be provided equally. If the real estate web

40、site is unsecure, the whole mashup service and domain would not be secure and the other parts of the service network would be gradually affected. X.Suppl.17(12)_F01UserWhat are theavailable flatsnear here?Map with availableflats markedMashup websiteRequest foravailableflat listFlat listMaprequestAre

41、a mapReal estate websiteMap serviceFigure 1 Example of a mashup service 7 Architecture of enhanced web-based telecommunication services Enhanced web-based technologies are being applied to telecommunication services since they enable developers to efficiently and cost-effectively develop and deploy

42、new services, and to easily and rapidly integrate content from a variety of sources to form composite services. Figure 2 illustrates the architecture of an enhanced web-based convergence service. Web 2.0 services provided by the third party on the Internet, and services provided by the network opera

43、tor in the telecommunication domain, are combined to provide a convergence service using mashup. A user of the mashup client can check the presence of a friend and find their location via the mashup server that invokes the presence server and location server in the telecommunication domain. The mash

44、up client can find their geographic location on the map using the Web 2.0 service that provides a map service. The client can also access the user profile provided via the mashup server. Web protocols such as representational state transfer (REST) b-Fielding, simple object access protocol (SOAP) b-W

45、3C and really simple syndication (RSS) b-RSS are used for such mashups. 4 X series Supplement 17 (09/2012) The core network gateway provides access to the network elements of the network operator. An example of the core network gateway is the Parlay/OSA gateway b-GSMA employed to link applications b

46、y exploiting the Parlay/OSA APIs with the existing network elements. The Parlay/OSA gateway consists of several functional entities that provide Parlay/OSA interfaces to the applications. The Parlay/OSA gateway is under the control of the network operator or service provider, and is a single point t

47、hrough which all Parlay/OSA interactions pass. If the telecommunication application server does not provide support of a web protocol, then the mashup server can call functional objects using such a gateway. Web service(e.g., map service)Mashup server(community service)Web service(e.g., user profile

48、)e.g., user profilee.g., mape.g., device locatione.g., presenceinformationCore networkgatewayMessagingserverLocationserverPresenceserverTelecom application serversControl layerAccess network(Map + location + presence + .MashupclientX.Suppl.17(12)_F02Figure 2 Architecture of the enhanced web-based co

49、nvergence service 8 Threats of enhanced web-based telecommunication services Threats have been classified into five categories: general security threats, security threats to asynchronous script, security threats to web APIs, security threats to data syndication and security threats to mashups. 8.1 General security threats 8.1.1 Denial of service (DoS) Denial of service occurs when an entity fails to perform its proper function or acts in a way that prevents other entities from perf

copyright@ 2008-2019 麦多课文库(www.mydoc123.com)网站版权所有
备案/许可证编号:苏ICP备17064731号-1