Copyright © 2010 Open Geospatial Consortium, Inc.
it should not be necessary to hand-craft XML queries to perform searches; it should not be a requirement that one has extensive knowledge of a given
registry model in order to query it effectively.
8 Quality of service considerations
This section discusses Quality of Service aspects relevant to an Event Architecture. The emphasis is on security; reliability is discussed briefly as well.
8.1 Event Security
8.1.1 Introduction
During OWS-7, initial work on Event Service Security was performed. The resulting discussions and findings are summarized in the following sections.
Note that the results presented here are only a starting point; considerably more investigation and testing is needed to achieve a clear understanding of the relevant aspects and
solutions for enabling security in an Event Architecture.
8.1.2 General Event Service Security Measures and Threats
The Event Service is an information broker in a SOA environment that routes messages from event sources to information consumers that have expressed interest in a particular
type of information by subscribing to it. The Event Service sends the information to the subscribers on behalf of the original event sources. The messages can travel over multiple
physical nodes in a network communicating over a mixed LAN and WAN infrastructure using different transport protocols (e.g. HTTP or JMS).
8.1.2.1 Security threats and vulnerabilities
A vulnerability, in the security sense, is any weakness that could be exploited to violate a system or the data it contains. A threat can be described as a potential violation of
security.
The following threats might occur in the event service domain:
- Data destruction (e.g. of subscriptions, publications or notifications)
- Unauthorized creation of malicious subscriptions
- Unauthorized modification and corruption of data
- Theft and loss of data
- Unauthorized disclosure of data
- Service disruptions affecting the SLA (Service Level Agreement)
Threats can be classified as accidental or intentional:
- Accidental threats are threats that exist with no explicit intention, e.g. system errors and software defects.
- Intentional threats are threats which are explicitly planned and executed. They may range from the use of monitoring tools to very sophisticated attacks.
In addition, threats may be active or passive:
- Passive threats do not result in any modification of the data contained in the event system, and neither the operation nor the state of the system is changed, e.g. wire tapping.
- Active threats involve the alteration of data or of the state of the system, e.g. modification, deletion and creation of notifications.
Some specific threats and vulnerabilities are described in the following sections.
8.1.2.1.1 Denial of service
This attack may involve suppressing traffic, or it may generate extra traffic towards the Event Service or broker. It is also possible to generate messages intended to disrupt the normal
operation of the Event Service. For example, the creation of too many subscriptions with complex filters may exhaust the processing capacity of an Event Service, with the consequence that
critical subscriptions can no longer be handled properly or according to the SLA.
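The following is an added example, not code from the OGC report or any Event Service implementation, showing one way a broker can keep a flood of complex-filter subscriptions from starving critical ones. Everything in it is an assumption for illustration: the filter cost model (one unit per comparison or spatial term, one per boolean connective, three per LIKE wildcard), the per-subscriber quota, the broker-wide cost budget, and the constructed filter expressions. It simulates the attack once without a per-subscriber quota (the attacker fills the budget and the critical subscription is refused) and once with it.

```python
"""Admission control for Event Service subscriptions (added example).

Assumed, not from the OGC report: a subscription is a (subscriber, filter) pair,
the filter's processing cost is estimated from its expression, and the broker
enforces a per-subscriber quota plus a total cost budget so that many complex
filters from one source cannot exhaust the capacity needed by critical ones.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed cost model: comparison/spatial terms cost 1, boolean connectives
# cost 1, LIKE wildcards cost 3 (pattern matching is far more expensive).
TERM_RE = re.compile(r"(=|<=|>=|<|>|BBOX|INTERSECTS)", re.I)
CONNECTIVE_RE = re.compile(r"\b(AND|OR|NOT)\b", re.I)
WILDCARD_RE = re.compile(r"\bLIKE\b", re.I)


def filter_cost(expr: str) -> int:
    """Estimate how much work evaluating `expr` costs per incoming event."""
    return (len(TERM_RE.findall(expr))
            + len(CONNECTIVE_RE.findall(expr))
            + 3 * len(WILDCARD_RE.findall(expr)))


@dataclass
class Broker:
    per_subscriber_quota: int = 5      # hypothetical limit on subscriptions per client
    total_cost_budget: int = 50        # hypothetical broker-wide processing budget
    max_filter_cost: int = 20          # reject single filters above this cost outright
    subs: Dict[str, List[Tuple[str, int]]] = field(default_factory=dict)

    def total_cost(self) -> int:
        return sum(cost for entries in self.subs.values() for _, cost in entries)

    def subscribe(self, subscriber: str, expr: str) -> Tuple[bool, str]:
        cost = filter_cost(expr)
        if cost > self.max_filter_cost:
            return False, "filter too complex"
        if len(self.subs.get(subscriber, [])) >= self.per_subscriber_quota:
            return False, "subscriber quota exceeded"
        if self.total_cost() + cost > self.total_cost_budget:
            return False, "broker budget exhausted"
        self.subs.setdefault(subscriber, []).append((expr, cost))
        return True, "accepted (cost %d)" % cost


# Constructed filters: the attacker's uses a spatial term plus two wildcards.
ATTACK_FILTER = "BBOX(geom,0,0,180,90) AND name LIKE '%a%' AND name LIKE '%b%'"  # cost 9
CRITICAL_FILTER = "type = 'tsunami'"                                              # cost 1


def simulate(quota: int) -> Tuple[int, bool]:
    """Attacker submits 50 subscriptions, then a critical subscriber tries once.

    Returns (attacker subscriptions accepted, critical subscription accepted).
    """
    broker = Broker(per_subscriber_quota=quota, total_cost_budget=45)
    accepted = sum(broker.subscribe("attacker", ATTACK_FILTER)[0] for _ in range(50))
    critical_ok, _ = broker.subscribe("tsunami-warning-centre", CRITICAL_FILTER)
    return accepted, critical_ok


if __name__ == "__main__":
    print("no effective quota:", simulate(quota=50))  # attacker fills the budget
    print("quota of 2:        ", simulate(quota=2))   # critical subscription survives
```

The order of the checks matters: the per-filter cap and per-subscriber quota are evaluated before the shared budget, so one client is refused on its own limits rather than on a budget it has already drained for everyone else.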
8.1.2.1.2 Message replay
A message replay attack occurs when a recorded valid message, or any part of that message, is repeated to produce an unauthorized effect. For example, a valid message
containing authentication information may be replayed by another entity in order to authenticate itself as something that it is not (identity spoofing). To detect and eliminate
this attack, mechanisms that identify replayed messages, such as timestamps, nonces or message sequencing, should be used; the same mechanisms also serve to prevent replay.
8.1.2.1.3 Message modification
Modification of a message occurs when the content of a message, or the whole message, is altered without detection and results in an unauthorized effect. Even if a message is
encrypted it may be possible to change it without understanding it, because some encryption schemes are malleable: a change to the ciphertext produces a predictable change to the plaintext. To enable the receiver to detect
alteration, a digital signature can be applied by the sender to the message hash.
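The following added example covers both the replay and the modification threats above; it is not code from the OGC report or any Event Service implementation. It first shows the malleability problem with a constructed XOR stream cipher (keystream derived from SHA-256 in counter mode, a demo construction only): an attacker who knows the message layout but not the key changes an encrypted water level from 25 to 99 and the receiver decrypts it without noticing. It then wraps a notification in an envelope of payload, timestamp, nonce and integrity tag, and the subscriber-side check rejects a modified payload, a verbatim replay, and a stale message. The tag is an HMAC-SHA256 standing in for the digital signature the text describes, so that the example runs on the standard library alone; the envelope field names, the 300-second freshness window and the sample payload are assumptions.

```python
"""Detecting replayed and modified notifications (added example, not from the OGC report).

Assumed: a notification is wrapped in {payload, ts, nonce, tag}; the tag is an
HMAC-SHA256 over the other fields, standing in for a digital signature. The toy
stream cipher exists only to show why encryption alone does not detect modification.
"""
import hashlib
import hmac
import json
import os
import time
from typing import Dict, List, Optional, Tuple

# --- Malleability: encryption without an integrity check -----------------------

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Constructed counter-mode keystream from SHA-256 (demo only, not a real cipher)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_only(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Confidential but malleable; XOR is its own inverse, so this also decrypts."""
    return _xor(data, _keystream(key, nonce, len(data)))

def malleability_demo() -> bytes:
    """Attacker turns an encrypted level of 25 into 99 without knowing the key."""
    key, nonce = os.urandom(32), os.urandom(8)
    plaintext = b'{"sensor":"gauge-7","level":25}'          # constructed notification
    ct = bytearray(encrypt_only(key, nonce, plaintext))
    off = plaintext.index(b"25")                          # layout is known, key is not
    ct[off:off + 2] = _xor(bytes(ct[off:off + 2]), _xor(b"25", b"99"))
    return encrypt_only(key, nonce, bytes(ct))            # receiver decrypts cleanly

# --- Envelope with tag, timestamp and nonce -------------------------------------

def _canonical(payload: Dict, ts: int, nonce: str) -> bytes:
    """Deterministic byte form of the fields the tag covers."""
    return json.dumps({"payload": payload, "ts": ts, "nonce": nonce}, sort_keys=True).encode()

def seal(key: bytes, payload: Dict, ts: Optional[int] = None, nonce: Optional[str] = None) -> Dict:
    """Sender side: attach a fresh nonce, a timestamp and the integrity tag."""
    ts = int(time.time()) if ts is None else ts
    nonce = os.urandom(16).hex() if nonce is None else nonce
    tag = hmac.new(key, _canonical(payload, ts, nonce), hashlib.sha256).hexdigest()
    return {"payload": payload, "ts": ts, "nonce": nonce, "tag": tag}

class Receiver:
    """Subscriber side: verify the tag first, then freshness, then replay."""

    def __init__(self, key: bytes, window: int = 300):
        self.key, self.window, self.seen = key, window, {}  # nonce -> ts

    def accept(self, env: Dict, now: Optional[int] = None) -> Tuple[bool, str]:
        now = int(time.time()) if now is None else now
        expected = hmac.new(self.key, _canonical(env["payload"], env["ts"], env["nonce"]),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, env["tag"]):
            return False, "modified: tag mismatch"
        if abs(now - env["ts"]) > self.window:
            return False, "stale: timestamp outside window"
        if env["nonce"] in self.seen:
            return False, "replay: nonce already seen"
        self.seen[env["nonce"]] = env["ts"]
        # A nonce older than the window can never pass the freshness check again,
        # so forgetting it is safe and keeps the replay cache bounded.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}
        return True, "accepted"

def replay_demo() -> List[str]:
    """First delivery, verbatim replay, modified payload, stale message."""
    key, now = os.urandom(32), 1_700_000_000
    rx = Receiver(key, window=300)
    env = seal(key, {"sensor": "gauge-7", "level": 25}, ts=now, nonce="n1")
    tampered = dict(env, payload={"sensor": "gauge-7", "level": 99})
    stale = seal(key, {"sensor": "gauge-7", "level": 1}, ts=now - 3600, nonce="n2")
    return [rx.accept(env, now)[1], rx.accept(env, now + 5)[1],
            rx.accept(tampered, now + 5)[1], rx.accept(stale, now)[1]]

if __name__ == "__main__":
    print(malleability_demo())
    print(*replay_demo(), sep="\n")
```

The tag is checked before the timestamp and nonce so that an attacker cannot learn anything about the replay cache, or poison it, with messages that were never authentic; `hmac.compare_digest` is used so the comparison does not leak through timing.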