					                                                                                 International Journal of Computer Information Systems,
                                                                                                                      Vol. 3, No.2, 2011

Design of Web 2.0 Services Security Architectures

D.Shravani, Research Scholar CS, Rayalaseema University, Kurnool A.P. India, sravani.mummadi@yahoo.co.in
Dr.P.Suresh Varma, Principal and Professor CS, Adikavi Nannaya University, Rajahmundry A.P. India, vermaps@yahoo.com
Dr.B.Padmaja Rani, Professor CSE, JNTU CEH, Hyderabad A.P. India, padmaja_jntuh@yahoo.co.in
K.Venkateswar Rao, Associate Professor CSE, JNTU CEH, Hyderabad A.P. India, venkateawarrao@jntuh.ac.in



Abstract— Web 2.0 increases web based access to data processing, particularly on the client side (AJAX, Asynchronous JavaScript and XML), which enables web applications that contain enriched functionality. Web 2.0 covers a wide range of technologies and protocols which enable Web architectures to have greater access to data and functions. Traditional enterprises are sceptical about adopting Web 2.0 applications for internal and commercial use in public facing situations, with customers and partners. One of the prime concerns is the lack of security over public networks. This paper discusses the design of Web 2.0 Services Security Architectures along with their appropriate implementations of authentication over SSL/TLS. We also provide dependability of data and application layers for Web 2.0 Security Architectures. Finally we provide dependable privacy requirements of Web 2.0 Services Security Architectures.

Keywords- Web 2.0 Services; Security Architectures; Agile Modeling; Authentication; SSL / TLS

I. INTRODUCTION TO WEB 2.0 SERVICES SECURITY ARCHITECTURES

According to the WWW Consortium a web service is defined as, "A Web Service is a software application identified by a URI (Uniform Resource Identifier), whose interface and bindings are capable of being identified, described and discovered by XML artifacts and supports direct interactions with other software applications using XML based messages via Internet-based protocols". Web Services Security Architectures have three layers, viz. Web Service Layer, Web Services Framework Layer (.NET or J2EE), and Web Server Layer.

Web 2.0 increases web based access to data processing, particularly on the client side (AJAX, Asynchronous JavaScript and XML), which enables web applications that contain enriched functionality. Web 2.0 covers a wide range of technologies and protocols which enable Web architectures to have greater access to data and functions. Traditional enterprises are skeptical about adopting Web 2.0 applications for internal and commercial use in public facing situations, with customers and partners. One of the prime concerns is the lack of security over public networks.

Securing Web 2.0 Services

"If we think implementing security is expensive, see how much a breach will cost us". The web services standards are a group of agreements designed to facilitate interaction and provide common protocols in all areas of web services. They are produced by the OASIS organization, www.oasis-open.org, which has a large number of participants including many of the large software companies such as IBM and Microsoft.

In this implementation we take a look at WS-Security agreements and use the Microsoft implementation, known as WSE 3.0, in conjunction with Visual Studio 2005 to produce a web service that requires authentication. There are a number of ways to secure a web service. A simple way might be to use SSL together with client side certificates to ensure that the potential user is someone allowed to call the service's method. The problem with this approach would be to pass the user credentials as part of the method call. This can be overcome by using the SOAP protocol along with Secure Socket Layer (SSL). In this implementation we want to implement Web 2.0 services security using Visual Studio 2005/2008.

In this implementation, we take a look at WS-Security (Web Services Security) agreements and use the Microsoft implementation, known as WSE 3.0 (Web Services Enhancements), in conjunction with Visual Studio 2005 to produce a web service that requires authentication. There are a number of ways to secure a web service. A simple way might be to use Secure Socket Layer (SSL) together with client side certificates to ensure that the potential user is someone allowed to call the service's method. The problem with this approach would be to pass the user credentials as part of the method call. Here we implemented Web 2.0 services security using Visual Studio 2005 with the modules: Adding Policy, Adding the Custom Authentication (using traditional X.509 certificates and their XML counterpart), and Creating a Client. SSL provides a secure tunnel through which the Simple Object Access Protocol (SOAP) message will pass, while WS-Security provides message protection by extending SOAP. The main advantages of this are simplicity of software design and code, and correctness, while providing security against sniffing and confidentiality attacks. We validated the results using correctness testing.

A Web Service is a software entity deployed on the Web whose public interface is described in XML (eXtensible Markup Language). It can interact with other systems by exchanging XML-based messages, using standard Internet protocols. The web services standards are groups of agreements designed to facilitate interaction and provide common protocols in all areas of web services. There are a number of ways to secure a web service. Here we will use SOAP to access the web service and include the security related information in the SOAP Header.




          August Issue                                      Page 37 of 107                                    ISSN 2229 5208
Purpose of Securing Web 2.0 Services

In this fast changing world of the web, security is of paramount importance. There was no particular standard for Web Service security (WS-Security) until April 2004, and Web service developers had to rely on the transport layer to provide security (via SSL/TLS from HTTP) or develop their own custom security mechanism, sacrificing interoperability in the process. The whole idea of developing web services is interoperability across all platforms. In April 2004, WS-Security was established as an approved OASIS open standard. Web Service Enhancements (WSE) 2.0 is the first release of the software from Microsoft implementing this approved standard version of WS-Security. This means that applications built with WSE 2.0 security features will interoperate with other Web service platforms as their WS-Security-compliant implementations become available. This implementation shows us how to secure a web service using a User Name and password and also shows us how to secure the password with a password digest and thwart man-in-the-middle and replay attacks. The User Name and password must be known beforehand to both parties (Server and Client).

In the existing system, Web Services are secured by the following methods.

The first way is to use SSL together with client-side certificates to ensure a potential user is someone allowed to call the service's methods. The problem with this approach is the distribution of the certificates, and the fact that not all the clients support them.

The second way to secure web services is to pass user credentials as a part of the method call. If SSL were also used, the username and password would be protected and the method could perform authorization checks before returning the stock price. The trouble with this approach is that it requires the developer to know in advance all methods that require authentication.

The solution to all the problems listed in the existing system methods is to use the SOAP protocol along with Secure Socket Layer (SSL). SSL encrypts the user credentials to provide confidentiality, and we will use SOAP to access the web service and include security information in the SOAP header, separate from the data to be passed to the actual web methods. The main advantage is that the actual data is separated from the data related to security information, because the SOAP header will consist of all security related information.

In order to achieve the proposed system qualities we are implementing four modules. They are:

Creating a Web Service
Adding Policy
Adding the Custom Authentication
Creating Client

The descriptions of these modules are given below.

Creating a Web Service:

In this module we create a web service as follows. First open Visual Studio and add a blank solution named UserTokenDemo. Right-click the solution in the Solution Explorer and add a new website. You can choose the file system based one or one that resides in IIS; both will work equally well. Name the Web Service StockQuote.

Adding Policy

In this module we add a security policy to the web service by using WSE 3.0. First enable the WSE settings and add the SOAP protocol factory. When prompted, choose a name such as Serverpolicy, then select "secure a service application" and select Username as the authentication method. Now a policy has been created stating that the username will be used for authentication; the web service needs to be told to use the policy.

Adding Custom Authentication:

At this moment, the service will accept a request with a username and password but will not perform custom authentication. It will actually try to authenticate using Windows; in other words, it will try a log on with the credentials, and unless the details happen to match a user on the machine or a domain user the authentication will fail. When you want to authenticate from a known list of users you will have to override the default behavior. There are two steps to this process. First you have to create a class that inherits from Microsoft.Web.Services3.Security.Tokens.UsernameTokenManager. Secondly this class needs to be registered with this service.

Creating Client:

In this module we will create and configure a client to use the service. Fire up a new instance of Visual Studio .NET and create a Console Application. Name the project "SecureWSClient". Enable WSE support for this Console Application project by right clicking on the project in Solution Explorer and selecting the WSE Setting 3.0 options on the context menu. Place a check mark in the first checkbox and click OK. (The second checkbox will be grayed out since this is not an ASP.NET project file implementation.) Since we enabled WSE support for this console application, Visual Studio generates a proxy which contains an additional object with the name Service1Wse. If there was no WSE support enabled, we would have just had the standard Service1 object. UsernameToken is sent as part of the SOAP header. The password is transmitted as a hash using the SHA1 hashing algorithm. This ensures confidentiality and thwarts man-in-the-middle style of attacks. Authentication screen shot is shown in Figure 1 below.

In conclusion of this implementation, the Web Service Enhancements 3.0 library provides simple and powerful methods to manage message level security in Web Services. The user authentication module can be updated without recompiling the Web Service itself by making changes to the WSESecurity library and redeploying it in the GAC or just copying it into the bin folder of the Web Service. The web service code need not worry about security and can concentrate on business logic. Refer to Figures 1, 2, 3 below, which provide the package diagram, sequence diagram and execution screen shot of authentication of this application.
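The password digest and replay protection described in this implementation, as an added example (not code from the paper or from WSE 3.0). Python stands in for the C# service; the digest is the Base64(SHA-1(nonce + created + password)) form defined by the OASIS UsernameToken Profile, and `TokenVerifier`, `make_token`, the five-minute window and the `alice` credential are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

# Constructed credential list; the paper assumes both parties know it in advance.
KNOWN_USERS = {"alice": "correct horse battery"}
WINDOW = timedelta(minutes=5)  # assumed freshness window for the Created timestamp
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Base64(SHA-1(nonce + created + password)), the UsernameToken Profile digest."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def make_token(username: str, password: str, now: datetime) -> dict:
    """Client side: a fresh random nonce and timestamp for every request."""
    nonce = os.urandom(16)
    created = now.strftime(TS_FORMAT)
    return {
        "Username": username,
        "Nonce": base64.b64encode(nonce).decode("ascii"),
        "Created": created,
        "Password": password_digest(nonce, created, password),
    }


class TokenVerifier:
    """Server side: the role the custom UsernameTokenManager plays in the paper."""

    def __init__(self, users: dict, window: timedelta = WINDOW):
        self._users = users
        self._window = window
        self._seen = {}  # (username, nonce) -> time after which it can be forgotten

    def verify(self, token: dict, now: datetime) -> str:
        """Return "ok", or the reason the token was rejected."""
        try:
            user = token["Username"]
            created = token["Created"]
            nonce = base64.b64decode(token["Nonce"], validate=True)
            sent = token["Password"]
            created_at = datetime.strptime(created, TS_FORMAT).replace(tzinfo=timezone.utc)
        except (KeyError, TypeError, ValueError):
            return "malformed"

        # 1. Freshness: bounds how long a captured token is usable at all.
        if abs(now - created_at) > self._window:
            return "stale"

        # 2. Digest: unknown users are checked against a dummy password so both
        #    failure paths do the same work and return the same reason.
        password = self._users.get(user)
        secret = password if password is not None else "\x00dummy"
        expected = password_digest(nonce, created, secret)
        matches = hmac.compare_digest(expected.encode(), str(sent).encode())
        if password is None or not matches:
            return "bad-credentials"

        # 3. Replay: a valid digest seen before inside the window is a replay.
        #    Only authenticated nonces are cached, so junk cannot fill the cache.
        self._seen = {k: exp for k, exp in self._seen.items() if exp >= now}
        key = (user, nonce)
        if key in self._seen:
            return "replay"
        self._seen[key] = created_at + self._window
        return "ok"


if __name__ == "__main__":
    t0 = datetime(2011, 8, 1, 12, 0, 0, tzinfo=timezone.utc)
    server = TokenVerifier(KNOWN_USERS)
    token = make_token("alice", KNOWN_USERS["alice"], t0)
    print(server.verify(token, t0))                          # first presentation
    print(server.verify(token, t0 + timedelta(seconds=30)))  # same token again
```

Because the nonce, timestamp and digest all travel in the message, a captured token can still be tested offline against password guesses, which is why the paper sends the token inside the SSL tunnel and does not rely on the digest alone.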






Figure 1. Package diagram of Web 2.0 Services Security Architecture application implementation

Figure 2. Sequence diagram of Web 2.0 Services Security Architecture application implementation

Figure 3. Error display when user enters wrong username / password

Using SSL/TLS for Web 2.0 Services Security Architectures at SSL Layer

The web is everywhere. "Web services" is an effort to build a distributed computing platform for the web. One problem when we administer a network is securing the data across the wide web. While many needs of web services have been met with the existing standards, there are still a number of challenges that have yet to be considered. In this implementation, we take a look at modifying the Web 2.0 services security architecture together with the existing standard in order to overcome the authentication attack. The authentication process deals with the SSL/TLS layer. In this implementation we want to implement Web 2.0 services security in SSL version 3.0 (TLS) using Java as the technology. Initially, JCA and JCE will be studied. Next the provider Bouncy Castle is dealt with. Later this Web Service will be secured by adding policy, custom authentication, certificate and key generation and storage etc. We implemented four classes: Factory Classes (SSLSocketFactory, SSLServerSocketFactory) and Socket Classes (SSLSocket and SSLServerSocket). Here the SSL protocol enables the client side to send back a certificate chain and then a signature. Client side authentication is the same, but it requires additional configuration of our defined classes. The class diagram for SSL/TLS security is shown in Figure 4.

Figure 4. Class diagram for SSL/TLS layer implementation

Dependability of Data and Application Layers of Web 2.0 Services Security Architectures

The increasing reliance put on networked computer systems demands higher levels of dependability, specifically for web services. This is even more relevant as new threats and forms of attack are constantly being revealed, compromising the security of systems. This implementation addresses this problem by presenting an attack injection methodology for the automatic discovery of vulnerabilities in software components. The observation of an unexpected behaviour suggests the presence of a vulnerability that was triggered by some particular attack (or group of attacks). This attack can then be used to reproduce the anomaly and to assist the removal of the error. The implementation presents a methodology and a tool for the discovery of vulnerabilities in server applications, which is based on the behaviour of malicious adversaries.




Refer to Figures 5, 6, 7 below, which provide the class diagram, sequence diagram and execution screen shot of the case study application respectively.

Fig. 5 Class diagram of the case study application (classes: Admin, Adding Customer, View Customers, Customer)

Fig. 6 Sequence diagram of the case study application (lifelines: Admin, Login, New Registration, Customer Details, Amount Credit, Account no, Amount, Attacks, Customer)

Fig. 7 Execution Screen shot of the case study application

Existing System

To detect the vulnerabilities in network connected servers, at present we have methodologies and tools like fault injection, vulnerability scanners and fuzzers. These tools have some constraints which make them less effective.

Disadvantages of Existing System

A fault injection mechanism can identify the fault behaviour of a particular server only when the faults are relatively simple. With vulnerability scanners we can detect vulnerabilities, but only those already predefined in the database. With fuzzers, we are able to find problems, but they lack a thorough monitoring mechanism.

Proposed System

This case study on web services security architectures describes an attack injection methodology that can be used for vulnerability detection and removal. It mimics the behaviour of an adversary by injecting attacks against a target system while inspecting its execution to determine if any of the attacks has caused a failure. After the identification of the problem, traditional debugging techniques can be employed, for instance, by examining the application's control flow while processing the offending attacks, to locate the origin of the vulnerability and to proceed with its elimination.

Advantages of the Proposed System

The module advantages of this application: Tool, which attacks the server and provides the definition of the attacks that can be performed; Attack Checking, which checks for vulnerabilities like special character attack, taint attack and syntax attack; User Credentials, which provides the logic of authentication for user provided details. Advantages of these modules are: software development can increase the number of useful applications, improve the functionality, and speed up development.

Privacy Requirements of Web 2.0 Services Security Architectures

Privacy is a well recognized sticking point in the Web Services network. In this case study implementation, we explore privacy



protection brings about many new security challenges. Web Services extended Cloud computing is the long dreamed vision of computing as a utility, where users can remotely store their data into the cloud so as to enjoy the on-demand high quality applications and services from a shared pool of configurable computing resources. By data outsourcing, users can be relieved from the burden of local data storage and maintenance. Here data (i.e., message/file) is transferred between the sender and the receiver in an extensively secure manner. Hence the communication between the sender and receiver is guaranteed by the Third Party Auditor (TPA). The software is designed in such a way that the user can easily interact with the screen, because the screens are GUI based and have several buttons with captions indicating the functionality, like Sender details, message typed, searching for a file, keys and signatures generated, shows the encrypted data, verification of data, system name details, Receiver details. The business layer of this application is to be developed in such a way that it is easily maintainable and extensible. The software developed will be able to do any type of data transfer between sender and receiver in an authenticated manner, with privacy of the data contents.
Refer to Figures 8, 9 and 10, which provide the class diagram, sequence diagram and execution screen shot respectively of the privacy web services application implemented.

[Figure 9 participants: Sender, Transaction, Third Party Auditor, Receiver. Messages:
1: Login
2: Invalid details
3: Valid Details
4: Enter sender name, sender password, receiver name & send
5: Enter the text or file and send
6: keys created, signature generated, enter system name
7: Send data to TPA
8: Verify details
9: Send to receiver
10: Enter sender name, receiver name
11: Open/Retrieve message/file]
Figure 9. Sequence diagram of the Privacy Web Services application
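The verify-then-forward role of the TPA in steps 6 to 11 of Figure 9 can be sketched as follows; this is an added example, not code from the paper's application. The paper does not name its key or signature scheme, so HMAC-SHA256 with a per-sender key registered at the TPA stands in for it (a deployment that must keep the TPA from forging messages would use an asymmetric signature and give the TPA only public keys), payload encryption is left out, and the class, function and party names are hypothetical.

```python
import hashlib
import hmac
import secrets


class ThirdPartyAuditor:
    """Hypothetical TPA: checks each message's tag before relaying it."""

    def __init__(self):
        self._keys = {}    # sender name -> registered key
        self._inbox = {}   # receiver name -> list of (sender, payload)

    def register(self, sender):
        # Step 6 "keys created": a fresh 256-bit key per sender.
        key = secrets.token_bytes(32)
        self._keys[sender] = key
        return key

    def submit(self, sender, receiver, payload, tag):
        # Steps 7-9: verify the details, then forward to the receiver.
        key = self._keys.get(sender)
        if key is None:
            return False  # unknown sender
        expected = make_tag(key, sender, receiver, payload)
        if not hmac.compare_digest(expected, tag):
            return False  # payload or routing fields were altered
        self._inbox.setdefault(receiver, []).append((sender, payload))
        return True

    def retrieve(self, sender, receiver):
        # Steps 10-11: receiver names the sender and opens the messages.
        return [p for s, p in self._inbox.get(receiver, []) if s == sender]


def make_tag(key, sender, receiver, payload):
    # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide.
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for field in (sender.encode(), receiver.encode(), payload):
        mac.update(len(field).to_bytes(4, "big") + field)
    return mac.digest()


def demo():
    tpa = ThirdPartyAuditor()
    key = tpa.register("alice")              # constructed party names
    msg = b"transfer report Q3"              # constructed payload
    tag = make_tag(key, "alice", "bob", msg)
    ok = tpa.submit("alice", "bob", msg, tag)
    tampered = tpa.submit("alice", "bob", msg + b"!", tag)
    rerouted = tpa.submit("alice", "mallory", msg, tag)
    return ok, tampered, rerouted, tpa.retrieve("alice", "bob")
```

Because the tag covers the sender and receiver names as well as the payload, the TPA refuses a message whose content or routing was changed after the tag was computed.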

Keys, signatures are verified and the receiver received the file.

Figure 10. Execution Screen shot of the Privacy Web Services application

Figure 8. Class diagram of the Privacy Web Services application

CONCLUSIONS AND FUTURE WORK
In this paper we discussed the design of Web 2.0 Services Security Architectures for authentication using SSL. We also discussed the dependability of the data and application layers of this layered security architecture, and finally the dependable privacy requirements implementations of this security architecture. Future work includes Web Services Security Architectures design of Security Policies and Trust negotiations.






