ITU-T SERIES X SUPP 21-2014 ITU-T X 1143 C Supplement on security framework for web mashup services (Study Group 17)《ITU-T X 1143-网络聚合服务安全框架补充(研究组17)》.pdf

1、 I n t e r n a t i o n a l T e l e c o m m u n i c a t i o n U n i o n ITU-T Series X TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU Supplement 21 (01/2014) SERIES X: DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY ITU-T X.1143 Supplement on security framework for web mashup services ITU-T X

2、-series Recommendations Supplement 21 ITU-T X-SERIES RECOMMENDATIONS DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY PUBLIC DATA NETWORKS X.1X.199 OPEN SYSTEMS INTERCONNECTION X.200X.299 INTERWORKING BETWEEN NETWORKS X.300X.399 MESSAGE HANDLING SYSTEMS X.400X.499 DIRECTORY X.500X.599 OSI NETW

3、ORKING AND SYSTEM ASPECTS X.600X.699 OSI MANAGEMENT X.700X.799 SECURITY X.800X.849 OSI APPLICATIONS X.850X.899 OPEN DISTRIBUTED PROCESSING X.900X.999 INFORMATION AND NETWORK SECURITY General security aspects X.1000X.1029 Network security X.1030X.1049 Security management X.1050X.1069 Telebiometrics X

4、.1080X.1099 SECURE APPLICATIONS AND SERVICES Multicast security X.1100X.1109 Home network security X.1110X.1119 Mobile security X.1120X.1139 Web security X.1140X.1149 Security protocols X.1150X.1159 Peer-to-peer security X.1160X.1169 Networked ID security X.1170X.1179 IPTV security X.1180X.1199 CYBE

5、RSPACE SECURITY Cybersecurity X.1200X.1229 Countering spam X.1230X.1249 Identity management X.1250X.1279 SECURE APPLICATIONS AND SERVICES Emergency communications X.1300X.1309 Ubiquitous sensor network security X.1310X.1339 CYBERSECURITY INFORMATION EXCHANGE Overview of cybersecurity X.1500X.1519 Vu

6、lnerability/state exchange X.1520X.1539 Event/incident/heuristics exchange X.1540X.1549 Exchange of policies X.1550X.1559 Heuristics and information request X.1560X.1569 Identification and discovery X.1570X.1579 Assured exchange X.1580X.1589 CLOUD COMPUTING SECURITY Overview of cloud computing secur

7、ity X.1600X.1601 Cloud computing security design X.1602X.1639 Cloud computing security best practices and guidelines X.1640X.1659 Cloud computing security implementation X.1660X.1679 Other cloud computing security X.1680X.1699 For further details, please refer to the list of ITU-T Recommendations. X

8、 series Supplement 21 (01/2014) i Supplement 21 to ITU-T X-series Recommendations ITU-T X.1143 Supplement on security framework for web mashup services Summary Supplement 21 to the ITU-T X-series Recommendations describes the security framework for web mashup services and also describes web mashup t

9、ypes and a reference architecture. Security principles and measures for secure web mashup services are provided for mitigating security threats and addressing security challenges for the web mashup services. History Edition Recommendation Approval Study Group Unique ID* 1.0 ITU-T X Suppl. 21 2014-01

10、-24 17 11.1002/1000/12155 _ * To access the Recommendation, type the URL http:/handle.itu.int/ in the address field of your web browser, followed by the Recommendations unique ID. For example, http:/handle.itu.int/11.1002/1000/11830-en. ii X series Supplement 21 (01/2014) FOREWORD The International

11、Telecommunication Union (ITU) is the United Nations specialized agency in the field of telecommunications, information and communication technologies (ICTs). The ITU Telecommunication Standardization Sector (ITU-T) is a permanent organ of ITU. ITU-T is responsible for studying technical, operating a

12、nd tariff questions and issuing Recommendations on them with a view to standardizing telecommunications on a worldwide basis. The World Telecommunication Standardization Assembly (WTSA), which meets every four years, establishes the topics for study by the ITU-T study groups which, in turn, produce

13、Recommendations on these topics. The approval of ITU-T Recommendations is covered by the procedure laid down in WTSA Resolution 1. In some areas of information technology which fall within ITU-Ts purview, the necessary standards are prepared on a collaborative basis with ISO and IEC. NOTE In this pu

14、blication, the expression “Administration“ is used for conciseness to indicate both a telecommunication administration and a recognized operating agency. Compliance with this publication is voluntary. However, the publication may contain certain mandatory provisions (to ensure, e.g. interoperability

15、 or applicability) and compliance with the publication is achieved when all of these mandatory provisions are met. The words “shall“ or some other obligatory language such as “must“ and the negative equivalents are used to express requirements. The use of such words does not suggest that compliance

16、with the publication is required of any party. INTELLECTUAL PROPERTY RIGHTSITU draws attention to the possibility that the practice or implementation of this publication may involve the use of a claimed Intellectual Property Right. ITU takes no position concerning the evidence, validity or applicabi

17、lity of claimed Intellectual Property Rights, whether asserted by ITU members or others outside of the publication development process. As of the date of approval of this publication, ITU had received notice of intellectual property, protected by patents, which may be required to implement this publ

18、ication. However, implementers are cautioned that this may not represent the latest information and are therefore strongly urged to consult the TSB patent database at http:/www.itu.int/ITU-T/ipr/. ITU 2014 All rights reserved. No part of this publication may be reproduced, by any means whatsoever, w

19、ithout the prior written permission of ITU. X series Supplement 21 (01/2014) iii Table of Contents Page 1 Scope . 1 2 References . 1 3 Definitions 1 3.1 Terms defined elsewhere 1 3.2 Terms defined in this supplement . 2 4 Abbreviations and acronyms 2 5 Conventions 3 6 Overview of web mashup services

20、 . 3 6.1 Web mashup types and style 3 6.2 Web mashup reference architecture . 5 7 Security architecture of web mashup service . 6 7.1 Web mashup security principles . 7 7.2 Measures for secure web mashup services . 8 Bibliography. 12 X series Supplement 21 (01/2014) 1 Supplement 21 to ITU-T X-series

21、 Recommendations ITU-T X.1143 Supplement on security framework for web mashup services 1 Scope This Supplement addresses the security framework for web mashup services including the following items: Overview of mashup web services; security principles and measures for secure web mashup. 2 References

22、 None. 3 Definitions 3.1 Terms defined elsewhere This Supplement uses the following terms defined elsewhere: 3.1.1 access control b-ITU-T X.800: The prevention of unauthorized use of a resource, including the prevention of use of a resource in an unauthorized manner. 3.1.2 authorization b-ITU-T X.80

23、0: The granting of rights, which includes the granting of access based on access rights. 3.1.3 availability b-ITU-T X.800: The property of being accessible and useable upon demand by an authorized entity. 3.1.4 confidentiality b-ITU-T X.800: The property that information is not made available or dis

24、closed to unauthorized individuals, entities, or processes. 3.1.5 data integrity b-ITU-T X.800: The property that data has not been altered or destroyed in an unauthorized manner. 3.1.6 data origin authentication b-ITU-T X.800: The corroboration that the source of data received is as claimed. 3.1.7

25、hyper text markup language (HTML) b-ITU-T M.3030: A system of coding information from a wide range of domains (e.g. text, graphics, database query results) for display by World Wide Web browsers. Certain special codes, called tags, are embedded in the document so that the browser can be told how to

26、render the information. 3.1.8 origin b-IETF RFC 6454: The origin of a URI is the value computed by the algorithm of RFC 6454s section 4. Two URIs are part of the same origin if they have the same scheme, host, and port. 3.1.9 repudiation b-ITU-T X.800: Denial by one of the entities involved in a com

27、munication of having participated in all or part of the communication. 3.1.10 privacy b-ITU-T X.800: The right of individuals to control or influence what information related to them may be collected and stored and by whom and to whom that information may be disclosed. 2 X series Supplement 21 (01/2

28、014) 3.2 Terms defined in this supplement This Supplement defines the following terms: 3.2.1 authentication: A process used to achieve sufficient confidence in the binding between the entity and the presented identity. NOTE Use of the term authentication in a web-based service context is taken to me

29、an entity authentication. 3.2.2 javascript object notation (JSON): A lightweight, text-based, language-independent data interchange format. 3.2.3 mashup: A web application that combines content (data and code) or services from multiple origins to create a new service. 3.2.4 screen scraping: Screen s

30、craping is the use of manual or automatic means to harvest content from a website. NOTE Under normal circumstances, a legacy application is either replaced by a new program or brought up to date by rewriting the source code. In some cases, it is desirable to continue using a legacy application but t

31、he lack of availability of source code, programmers or documentation makes it impossible to rewrite or update the application. In such a case, the only way to continue using the legacy application may be to write screen scraping software to translate it into a more up-to-date user interface. 3.2.5 w

32、eb 2.0: Web technology and applications that facilitate participatory information sharing, interoperability, user-centred design and collaboration on the world wide web (WWW). 4 Abbreviations and acronyms This Supplement uses the following abbreviations and acronyms: AJAX/Ajax Asynchronous Javascrip

33、t and XML API Application Programming Interface CSRF Cross-Site Request Forgery CSS Cascading Style Sheets DOM Document Object Model HTML Hypertext Markup Language HTTP Hypertext Transfer Protocol iframe Inline Frame JSON Javascript Object Notation JSON-RPC Javascript Object Notation-Remote Procedur

34、e Call KML Keyhole Markup Language PC Personal Computer REST Representational State Transfer RPC Remote Procedure Call SOAP Simple Object Access Protocol SOP Same-Origin Policy SQL Structured Query Language UI User Interface URI Uniform Resource Identifier X series Supplement 21 (01/2014) 3 WWW Worl

35、d Wide Web XHR XMLHttpRequest XHTML Extensible Hypertext Markup Language XML Extensible Markup Language XML-RPC Extensible Markup Language-Remote Procedure Call XSS Cross-Site Scripting 5 Conventions None. 6 Overview of web mashup services 6.1 Web mashup types and style In web 2.0, composite service

36、s are called mashups. A mashup is a web application that combines data or functionality from two or more sources to create new services. Data used in mashups is typically sourced from a third party via a public interface, an application programming interface (API) and screen scraping. The main chara

37、cteristics of a mashup are combination, visualization and aggregation to make existing data more useful for personal and professional use. This means that mashup technically provides sharing public data, common user interface (UI) to data and new, interesting and valuable, data by aggregation. There

38、 are many types of mashups, such as presentation mashup, client-side data mashup, client-side software mashup, server-side software mashup and server-side data mashup. Figure 1 shows the mashup types. The presentation mashup is where information and layout is retrieved from and either remixed or jus

39、t placed next to each other. The client-side data mashup takes information from remote web services, feeds or even just plain Hypertext Markup Language (HTML) and combines it with data from another source. The client-side software mashup is where a code is integrated in the browser to result in a di

40、stinct new capability. The server-side software mashup is where software is recombined on the server since web services can use more easily other web services where there are less security restrictions and cross-domain issues. The server-side data mashup uses relatively powerful mechanisms to join o

41、r mashup data from databases on the server side. 4 X series Supplement 21 (01/2014) X Su p p l. 2 1 (1 4 )_ F 0 1P r es en t a t i o nD a t aF u n ct i o n a l i t yD a t aW eb s er vi cesC l i en t WebHTML, DOM,CSS, flashXML, JSON, t extScr ipt,flashRelational ,XML,multimedi a, etcSOAP, REST,HTTP,

42、RSSVerticalintegrationVerticalintegrationFigure 1 Web mashup types The structure of a mashup is divided into three layers: Presentation/user interaction: This is the user interface of mashups. The technologies which are used are HTML/Extensible Hypertext Markup Language (XHTML), cascading style shee

43、ts (CSS), script, asynchronous javascript and XML (Ajax) b-W3C CSS, b-AJAX. Web services: The products functionality can be accessed using the API services. The technologies used are XMLHttpRequest (XHR), Extensible Markup Language (XML) remote procedure call (RPC), javascript object notation (JSON)

44、-RPC, simple object access protocol (SOAP) and representational state transfer (REST) b-W3C SOAP, b-REST. Data: Handling the data such as sending, storing and receiving. The technologies used are XML, JSON and Keyhole Markup Language (KML) b-W3C XML, b-JSON, b-OGC KML. Web mashup security is based o

45、n the same-origin policy (SOP). The SOP states that scripts from an origin should not be able to access content from other origins. This prevents scripts from spoofing data, cookie credentials from other origins. According to SOP, loading components from different origins causes them to be separated

46、. Because of these mechanisms, there are two styles of mashups: web-based and server-based. Whereas web-based mashups typically use the users web browser to combine and reformat the data, server-based mashups analyse and reformat the data on a remote server and transmit the data to the users browser

47、 in its final form. Figure 2 shows styles of mashup application. X series Supplement 21 (01/2014) 5 X Su p p l. 2 1 (1 4 )_ F 0 2D a t a s o u r ce (A P I)3A JA X ca p a b i l i t y(S cr i p t i n g , X M L p r o ces s i n gCS S , r en d er i n g )B r o w s erM a s h u p s i t esD a t a s o u r ce 1

48、 D a t a s o u r ce 2D a t a s o u r ce (A P I)4P l a t f o r m A P I(G r a p h i c, co m m u n i ca t i o n . . . )Cl i ent : Br o ws erSer vi ce ma s hu p : W eb s er ver s i d eCl i ent : Ma s hup a p p l i ca t i o nSer vi ce ma s hup : Ser ve r / cl i entM a s h u p a p p l i ca t o nX M L a n

49、d W eb s er vi cesp r o ces s i n g A P IFigure 2 Styles of mashup application 6.2 Web mashup reference architecture X S u p p l. 2 1 (1 4 )_ F 0 3C o n s u m e rW e b b r o w s e r P r o v i d e rU s e ri n t e rf a c eC o m p o n e n tO p e ra t i o nD a t ap ro v i d e rS e rv i c ep ro v i d e rC o n t e n tp ro v i d e rFigure 3 Mashup reference architecture Before the emergence of mashup services, a user c