1、 International Telecommunication Union ITU-T Series XTELECOMMUNICATION STANDARDIZATION SECTOR OF ITU Supplement 17(09/2012) SERIES X: DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY ITU-T X.1143 Supplement on threats and security objectives for enhanced web-based telecommunication services IT
2、U-T X-series Recommendations Supplement 17 ITU-T X-SERIES RECOMMENDATIONS DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY PUBLIC DATA NETWORKS X.1X.199 OPEN SYSTEMS INTERCONNECTION X.200X.299 INTERWORKING BETWEEN NETWORKS X.300X.399 MESSAGE HANDLING SYSTEMS X.400X.499 DIRECTORY X.500X.599 OSI
3、 NETWORKING AND SYSTEM ASPECTS X.600X.699 OSI MANAGEMENT X.700X.799 SECURITY X.800X.849 OSI APPLICATIONS X.850X.899 OPEN DISTRIBUTED PROCESSING X.900X.999 INFORMATION AND NETWORK SECURITY General security aspects X.1000X.1029 Network security X.1030X.1049 Security management X.1050X.1069 Telebiometr
4、ics X.1080X.1099 SECURE APPLICATIONS AND SERVICES Multicast security X.1100X.1109 Home network security X.1110X.1119 Mobile security X.1120X.1139 Web security X.1140X.1149 Security protocols X.1150X.1159 Peer-to-peer security X.1160X.1169 Networked ID security X.1170X.1179 IPTV security X.1180X.1199
5、 CYBERSPACE SECURITY Cybersecurity X.1200X.1229 Countering spam X.1230X.1249 Identity management X.1250X.1279 SECURE APPLICATIONS AND SERVICES Emergency communications X.1300X.1309 Ubiquitous sensor network security X.1310X.1339 CYBERSECURITY INFORMATION EXCHANGE Overview of cybersecurity X.1500X.15
6、19 Vulnerability/state exchange X.1520X.1539 Event/incident/heuristics exchange X.1540X.1549 Exchange of policies X.1550X.1559 Heuristics and information request X.1560X.1569 Identification and discovery X.1570X.1579 Assured exchange X.1580X.1589 For further details, please refer to the list of ITU-
7、T Recommendations. X series Supplement 17 (09/2012) i Supplement 17 to ITU-T X-series Recommendations ITU-T X.1143 Supplement on threats and security objectives for enhanced web-based telecommunication services Summary Supplement 17 to the ITU-T X-series Recommendations describes threats to, and sec
8、urity objectives for, enhanced web-based telecommunication services using technologies such as Web 2.0 and mashups. Threats to enhanced web-based applications are identified, as are threats to traditional web-based applications. Moreover, security objectives for enhanced web-based application servic
9、es are provided. History Edition Recommendation Approval Study Group 1.0 ITU-T X Suppl. 17 2012-09-07 17 ii X series Supplement 17 (09/2012) FOREWORD The International Telecommunication Union (ITU) is the United Nations specialized agency in the field of telecommunications, information and communica
10、tion technologies (ICTs). The ITU Telecommunication Standardization Sector (ITU-T) is a permanent organ of ITU. ITU-T is responsible for studying technical, operating and tariff questions and issuing Recommendations on them with a view to standardizing telecommunications on a worldwide basis. The Wo
11、rld Telecommunication Standardization Assembly (WTSA), which meets every four years, establishes the topics for study by the ITU-T study groups which, in turn, produce Recommendations on these topics. The approval of ITU-T Recommendations is covered by the procedure laid down in WTSA Resolution 1. I
12、n some areas of information technology which fall within ITU-Ts purview, the necessary standards are prepared on a collaborative basis with ISO and IEC. NOTE In this publication, the expression “Administration“ is used for conciseness to indicate both a telecommunication administration and a recogni
13、zed operating agency. Compliance with this publication is voluntary. However, the publication may contain certain mandatory provisions (to ensure, e.g., interoperability or applicability) and compliance with the publication is achieved when all of these mandatory provisions are met. The words “shall
14、“ or some other obligatory language such as “must“ and the negative equivalents are used to express requirements. The use of such words does not suggest that compliance with the publication is required of any party. INTELLECTUAL PROPERTY RIGHTS ITU draws attention to the possibility that the practic
15、e or implementation of this publication may involve the use of a claimed Intellectual Property Right. ITU takes no position concerning the evidence, validity or applicability of claimed Intellectual Property Rights, whether asserted by ITU members or others outside of the publication development pro
16、cess. As of the date of approval of this publication, ITU had not received notice of intellectual property, protected by patents, which may be required to implement this publication. However, implementers are cautioned that this may not represent the latest information and are therefore strongly urg
17、ed to consult the TSB patent database at http:/www.itu.int/ITU-T/ipr/. ITU 2012 All rights reserved. No part of this publication may be reproduced, by any means whatsoever, without the prior written permission of ITU. X series Supplement 17 (09/2012) iii Table of Contents Page 1 Scope 1 2 References
18、. 1 3 Definitions 1 3.1 Terms defined elsewhere 1 3.2 Terms defined in this supplement . 2 4 Abbreviations and acronyms 2 5 Conventions 3 6 Introduction 3 7 Architecture of enhanced web-based telecommunication services 3 8 Threats of enhanced web-based telecommunication services 4 8.1 General securi
19、ty threats 4 8.2 Security threats to asynchronous script 5 8.3 Security threats to web application programming interfaces . 6 8.4 Security threats to data syndication 7 8.5 Security threats to mashup 7 9 Security objectives of enhanced web-based telecommunication services 8 9.1 Access control 8 9.2
20、Authentication 8 9.3 Authorization 8 9.4 Availability . 8 9.5 Communication security . 8 9.6 Data confidentiality 8 9.7 Data integrity 8 9.8 Guarantee of efficiency 8 9.9 Non-repudiation 8 9.10 Privacy 9 9.11 Secure remote backup of device . 9 9.12 Secure user management 9 9.13 Separating key manage
21、ment . 9 9.14 Trust service . 9 9.15 Relationship between security objectives and security threats . 9 Bibliography. 11 X series Supplement 17 (09/2012) 1 Supplement 17 to ITU-T X-series Recommendations ITU-T X.1143 Supplement on threats and security objectives for enhanced web-based telecommunicati
22、on services 1 Scope This supplement describes threats to, and security objectives for, enhanced web-based telecommunication services using technologies such as Web 2.0 and mashups. There are many web service standards and web service security standards. These are partially developed by vendors and s
23、ervice providers, and not organized. This supplement provides an overview of the threats to, and security objectives for, enhanced web-based telecommunication services and is a baseline document for designers or implementers to analyse the vulnerabilities of web application services and to consider
24、and improve the security aspects of web applications. The threats identified for enhanced web-based applications are not the only ones being investigated, but also those of traditional web applications, as these are still potential threats to enhanced applications. Moreover, the security objectives
25、provided cope with the threats and would be applied to wired/wireless web-based application services. 2 References None. 3 Definitions 3.1 Terms defined elsewhere This supplement uses the following terms defined elsewhere: 3.1.1 access control b-ITU-T X.800: The prevention of unauthorized use of a r
26、esource, including the prevention of use of a resource in an unauthorized manner. 3.1.2 authorization b-ITU-T X.800: The granting of rights, which includes the granting of access based on access rights. 3.1.3 availability b-ITU-T X.800: The property of being accessible and useable upon demand by an
27、authorized entity. 3.1.4 confidentiality b-ITU-T X.800: The property that information is not made available or disclosed to unauthorized individuals, entities, or processes. 3.1.5 data integrity b-ITU-T X.800: The property that data has not been altered or destroyed in an unauthorized manner. 3.1.6
28、data origin authentication b-ITU-T X.800: The corroboration that the source of data received is as claimed. 3.1.7 hypertext markup language (HTML) b-ITU-T M.3030: A system of coding information from a wide range of domains (e.g., text, graphics, database query results) for display by World Wide Web
29、browsers. Certain special codes, called tags, are embedded in the document so that the browser can be told how to render the information. 3.1.8 privacy b-ITU-T X.800: The right of individuals to control or influence what information related to them may be collected and stored and by whom and to whom
30、 that information may be disclosed. 2 X series Supplement 17 (09/2012) 3.1.9 repudiation b-ITU-T X.800: Denial by one of the entities involved in a communication of having participated in all or part of the communication. 3.2 Terms defined in this supplement This supplement defines the following ter
31、ms: 3.2.1 authentication: A process used to achieve sufficient confidence in the binding between the entity and the presented identity. NOTE Use of the term authentication in a web-based service context is taken to mean entity authentication. 3.2.2 JavaScript Object Notation (JSON): A lightweight, t
32、ext-based, language-independent data interchange format. 3.2.3 mashup: A web application that combines content (data and code) or services from multiple origins to create a new service. 3.2.4 Web 2.0: Web technology and applications that facilitate participatory information sharing, interoperability
33、, user-centred design and collaboration on the World Wide Web (WWW). 4 Abbreviations and acronyms This Supplement uses the following abbreviations and acronyms: API Application Programming Interface CSRF Cross-Site Request Forgery DOM Document Object Model DoS Denial of Service HTTP Hypertext Transf
34、er Protocol HTTPS Hypertext Transfer Protocol Security JSON Javascript Object Notation MitB Man-in-the-Browser MitM Man-in-the-Middle OOP Object-Oriented Programming PKI Public Key Infrastructure REST Representational State Transfer RSS Really Simple Syndication SDU Service Data Unit SNS Social Netw
35、orking Service SOAP Simple Object Access Protocol SSL Secure Socket Layer URL Uniform Resource Locator WS Web Service WWW World Wide Web XML eXtensible Markup Language XSS Cross-Site Scripting X series Supplement 17 (09/2012) 3 5 Conventions None. 6 Introduction The benefits of web services have an
36、important effect on human societies and become a part of human lives. Enhanced web-based technologies, such as Web 2.0 and mashups, are trends in the use of WWW technology that aim to facilitate creativity, information sharing and collaboration among users. The major technical changes of the trends
37、are asynchronous script, data syndication, an open application programming interface and mashup. Although web designers and implementers support the interoperability among these technologies and service, the interoperability is not complied with. It is the same situation in the case of security stan
38、dardization. In Web 2.0, composite services are called mashups. A mashup is a web application that combines data from more than one source into a single integrated tool. Figure 1 is an example of the mashup service. Content used in mashups is typically sourced from a third party via a public interfa
39、ce or API. When a non-secure service and a secure service converge into a mashup service, the mashup service is influenced by an attacker. Figure 1 gives an example of why the security levels of every web service and domain conforming to the mashup should be provided equally. If the real estate web
40、site is unsecure, the whole mashup service and domain would not be secure and the other parts of the service network would be gradually affected. X.Suppl.17(12)_F01UserWhat are theavailable flatsnear here?Map with availableflats markedMashup websiteRequest foravailableflat listFlat listMaprequestAre
41、a mapReal estate websiteMap serviceFigure 1 Example of a mashup service 7 Architecture of enhanced web-based telecommunication services Enhanced web-based technologies are being applied to telecommunication services since they enable developers to efficiently and cost-effectively develop and deploy
42、new services, and to easily and rapidly integrate content from a variety of sources to form composite services. Figure 2 illustrates the architecture of an enhanced web-based convergence service. Web 2.0 services provided by the third party on the Internet, and services provided by the network opera
43、tor in the telecommunication domain, are combined to provide a convergence service using mashup. A user of the mashup client can check the presence of a friend and find their location via the mashup server that invokes the presence server and location server in the telecommunication domain. The mash
44、up client can find their geographic location on the map using the Web 2.0 service that provides a map service. The client can also access the user profile provided via the mashup server. Web protocols such as representational state transfer (REST) b-Fielding, simple object access protocol (SOAP) b-W
45、3C and really simple syndication (RSS) b-RSS are used for such mashups. 4 X series Supplement 17 (09/2012) The core network gateway provides access to the network elements of the network operator. An example of the core network gateway is the Parlay/OSA gateway b-GSMA employed to link applications b
46、y exploiting the Parlay/OSA APIs with the existing network elements. The Parlay/OSA gateway consists of several functional entities that provide Parlay/OSA interfaces to the applications. The Parlay/OSA gateway is under the control of the network operator or service provider, and is a single point t
47、hrough which all Parlay/OSA interactions pass. If the telecommunication application server does not provide support of a web protocol, then the mashup server can call functional objects using such a gateway. Web service(e.g., map service)Mashup server(community service)Web service(e.g., user profile
48、)e.g., user profilee.g., mape.g., device locatione.g., presenceinformationCore networkgatewayMessagingserverLocationserverPresenceserverTelecom application serversControl layerAccess network(Map + location + presence + .MashupclientX.Suppl.17(12)_F02Figure 2 Architecture of the enhanced web-based co
49、nvergence service 8 Threats of enhanced web-based telecommunication services Threats have been classified into five categories: general security threats, security threats to asynchronous script, security threats to web APIs, security threats to data syndication and security threats to mashups. 8.1 General security threats 8.1.1 Denial of service (DoS) Denial of service occurs when an entity fails to perform its proper function or acts in a way that prevents other entities from perf
