ACEEE Int. J. on Communication, Vol. 01, No. 03, Dec 2010
Architecting Secure Service Oriented Web Services

D.Shravani¹, P.Radhika², Dr.P.Suresh Varma³, Dr.D.Sravan Kumar⁴, M.Upendra Kumar⁵

¹ Research Scholar R.U. Kurnool and Assistant Professor CS MIPGS Hyderabad A.P. India
Email: sravani.mummadi@yahoo.co.in
² Research Scholar R.U. Kurnool and Assistant Professor CSE VNR VJIET Hyderabad A.P. India
Email: jyothisree.manne@gmail.com
³ Principal and Professor Department of Computer Science Adikavi Nannaya University Rajamundry A.P. India
Email: vermaps@yahoo.com
⁴ Principal and Professor CSE KITE Women’s College of Professional Engineering Sciences Hyderabad A.P. India
Email: dasojusravan@yahoo.co.in
⁵ Research Scholar JNTUH and Associate Professor CSE MGIT Hyderabad A.P. India
Email: uppi_shravani@rediffmail.com
Abstract—The importance of software security has been profound, since most attacks on software systems are based on vulnerabilities caused by poorly designed and developed software. Design flaws account for fifty percent of security problems, and risk analysis plays an essential role in solid security problems. Service Web Services are an integral part of next generation Web applications. The development and use of these services is growing at an incredible rate, and so too are the security issues surrounding them. If the history of inter-application communication repeats itself, the ease with which web services architectures publish information about applications across the network is only going to result in more application hacking. At the very least, it’s going to put an even greater burden on web architects and developers to design and write secure code. Developing specifications like WS-Security should be leveraged as secure maturity happens over firewalls. In this paper, we want to discuss security architecture design patterns for Service Oriented Web Services. Finally, we validated this by implementing a case study of a Service Oriented Web Services application, StockTrader Security, using WS-Security and WS-Secure Conversation.

Index Terms— Security Architectures, Service Oriented Architectures, Web Services Security, WS-Security, WS-Secure Conversation.

I. SERVICE ORIENTED WEB SERVICES SECURITY ARCHITECTURES

Service-Oriented Architecture (SOA) represents a new, evolving model for building distributed applications. Services are distributed components that provide well-defined interfaces that process and deliver XML messages [1-3]. A service-based approach makes sense for building solutions that cross organizational, departmental, and corporate domain boundaries. A business with multiple systems and applications on different platforms can use SOA to build a loosely coupled integration solution that implements unified workflows. Security in an SOA environment involves verifying several elements and maintaining confidence as the environment evolves. Organizations deploying SOA implementations should identify practical strategies for security verification of individual elements, but should be aware that establishing the security characteristics of composites and applications using services is an active research area. Organizations should also identify the deployment strategies for the SOA infrastructure, services, composites, and applications because different deployment strategies can entail different security verification practices. Finally, all elements should be verified in their operational contexts.

Web Services are the most popular implementation approach for SOA. The elements of a Web Service from a security perspective are the service interface, service implementation, message payload, and service level agreement (SLA). All of these elements are visible to participating parties except for the service implementation, which is usually hidden and known only to the service provider. Refer to Table 1.

TABLE 1. WEB SERVICES SECURITY THREAT FRAMEWORK

| Web Services Layer | Attacks and Threats |
|---|---|
| Layer 1: Web Services in Transit | 1. In transit Sniffing or Spoofing; 2. WS-Routing security concern; 3. Replay attacks |
| Layer 2: Web Services Engine | 1. Buffer Overflow; 2. XML parsing attacks; 3. Spoiling Schema; 4. Complex or Recursive structure as payload; 5. Denial of Services; 6. Large payload |
| Layer 3: Web Services Deployment | 1. Fault Code Leaks; 2. Permissions and Access issues; 3. Poor Policies; 4. Customized error leakage; 5. Authentication and Certification |
| Layer 4: Web Services User Code | 1. Parameter tampering; 2. WSDL probing; 3. SQL/LDAP/XPATH/OS command injection; 4. Virus/Spyware/Malware injection; 5. Brute force; 6. Data type mismatch; 7. Content spoofing; 8. Session tampering; 9. Format string; 10. Information Leakage; 11. Authorization |
© 2010 ACEEE
DOI: 01.IJCOM.01.03.181
Refer to Table 2, which consists of Web Services Security Patterns.

TABLE 2. WEB SERVICES SECURITY PATTERNS

| Category | Pattern |
|---|---|
| Authentication | Brokered Authentication; Brokered Authentication: Kerberos; Brokered Authentication: X509 PKI; Brokered Authentication: STS; Direct Authentication |
| Authorization | Trusted Subsystem |
| Exception Management | Exception Shielding |
| Message Encryption | Data Confidentiality |
| Message Replay Detection | Message Replay Detection |
| Message Signing | Data Origin Authentication |
| Message Validation | Message Validator |
| Deployment | Perimeter Service Router |

The Web as a medium and Web Services as a technology are emerging as a mode of business-to-business and e-commerce transactions. Most of these transactions will carry business-critical and sensitive information that must be secured. Like any other technology domain, securing Web Services is complex and possibly overwhelming. Addressing a breach, which includes the cost of liability, public relations, and loss of business, could be more expensive than implementing security measures in advance. Also, security should be enforced throughout the infrastructure. Research issues include Web Services technology, its vulnerabilities, enforcing security in this medium, and incorporating emerging security standards into Web Services applications [4-6].

II. DESIGN PATTERNS FOR SOA WEB SERVICES

A. Design Patterns for Building Message-Oriented Web Services

There are six steps involved in building a message-oriented Web service, which is simply a Web service that exchanges XML schema-based input and output messages rather than simple parameter-oriented values. The steps are described in the following sections [7].

Step 1: Design the Messages and Data Types
Step 2: Build the XSD Schema File for the Data Types
Step 3: Create a Class File of Interface Definitions for the Messages and Data Types
Optional Step 3A: Generate the WSDL Document Manually
Step 4: Implement the Interface in the Web Service Code-Behind File
Step 5: Generate a Proxy Class File for Clients Based on the WSDL Document
Step 6: Implement a Web Service Client Using a Proxy Class File

B. Design Patterns for Building Service-Oriented Web Services

Message-oriented web services are the building blocks for service-oriented applications. There are six steps involved in building a message-oriented web service that is compatible with SOA [8].

Step 1: Create a Dedicated Type Definition Assembly
Step 2: Create a Dedicated Business Assembly
Step 3: Create the Web Service Based on the Type Definition Assembly
Step 4: Implement the Business Interface in the Web Service
Step 5: Generate a Web Service Proxy Class File Based on the WSDL Document
Step 6: Create a Web Service Client

III. ARCHITECTING SECURE SOA WEB SERVICES ARCHITECTURES

The Web as a medium and Web Services as a technology are emerging as a mode of business-to-business and e-commerce transactions. Most of these transactions will carry business-critical and sensitive information that must be secured. Like any other technology domain, securing Web Services is complex and possibly overwhelming. Addressing a breach, which includes the cost of liability, public relations, and loss of business, could be more expensive than implementing security measures in advance. Also, security should be enforced throughout the infrastructure. Research issues include Web Services technology, its vulnerabilities, enforcing security in this medium, and incorporating emerging security standards into Web Services applications [9].

IV. SECURE SOA WEB SERVICES WITH WS-SECURITY – A CASE STUDY

Companies have started adopting Web Service technology and the WS-Security specification as an approach to ensure the integrity of transmitted messages and data [10-13]. The WS-Security specification is a joint effort by Microsoft, IBM, and VeriSign to address this most important issue. The WS-Security specification is designed to provide an extensible security implementation that will evolve as Web Services technology becomes more sophisticated. Both WS-Security and WSE 3.0 play an important role when building Microsoft .NET-based Web Services or Web Services consumers. WS-Security integrates a set of popular security technologies, including digital signing and encryption based on security tokens, including X.509 certificates. It is flexible and is designed to be used as the basis for the construction of a wide variety of security models, including PKI, Kerberos and SSL. In particular, WS-Security provides support for multiple security tokens, multiple trust domains, multiple signature formats, and multiple encryption technologies.

A. Case Study

We implemented a case study, a simple example that secures the StockTrader application. We implemented the UsernameForCertificate assertion that secures the WSE Security Settings wizard and created a custom username token manager. Finally, we authorized users using either code or a policy file.

Brokered Authentication:

The client and service do not attempt to authenticate each other directly. They use an intermediary that validates the client’s identity and then provides a
security token as proof of successful authentication. The client attaches this token to the request and the service uses this token to authenticate the client. Authentication brokers such as VeriSign and Windows Active Directory exist.

B. Implementation and Validation

Refer to Figure 1, which shows the class diagram for Place trade before UserNameToken. The client requests the web page for placing the trade; StockTrader sends the response as a web page along with the request to enter the "accNo., symbol, share, price, tradeType" values; the client enters the values and invokes the page; Trader sends the response as an XML page acceptance. No security is involved in this approach.

[Figure 1 diagram: Client and StockTrader exchange "requests" and "responds" messages; the client sets the trade details. Classes: PlaceTrader (accNo : string, symbol : string, share : int, price : double, tradeType : string, setData()); StockTraderTypes (field : string, status : string).]

Figure 1. Class diagram for Place trade before UserNameToken.

Refer to Figure 2, which shows the class diagram for Place trade after UserNameToken. The client requests the web page for placing the trade; StockTrader sends the response as a web page along with the request to enter the "accNo., symbol, share, price, tradeType" values; the client enters the values and invokes the page; Trader requests a security checkup; StockTraderSecure checks the usernametoken value for the specified client and generates a reply to Trader; Trader sends the response as an XML page. Security is involved in the form of the UserNameToken value.

[Figure 2 diagram: Client and StockTrader exchange "requests" and "responds" messages; the client sets the trade details and gives the usernametoken; StockTrader requests a security checkup. Classes: PlaceTrader (accNo : string, symbol : string, share : int, price : double, tradeType : string, setData()); StockTraderTypes (field : string, status : string); StockTraderSecure (tokenValue : string, clientId : string, setToken(), securityCheckup()).]

Figure 2. Class diagram for Place trade after UserNameToken.

Refer to Figure 3, which shows the class diagram for RequestQuote. The client requests the RequestQuote web page; Trader replies with the page, asking the client to enter the "symbol, tradeType" values; the client enters the values and invokes; Trader makes a security checkup with StockTraderSecure and sends the reply; the reply consists of all the trade values of the particular symbol.

[Figure 3 diagram: Client requests StockTrader; StockTrader sends the page; the client sets the data. Classes: RequestQuote (symbol : string, tradeType : string, setData()); StockTraderTypes (field : string, status : string).]

Figure 3. Class diagram for RequestQuote

An Active Directory Kerberos ticket has a default duration of ten hours. The client needs to request the token once during the session. Brokered Authentication can be implemented using WSE 3.0 with: Kerberos; X.509 certificates; Custom security token. Brokered Authentication using the Mutual Certificate option with X.509 certificates is given below (refer to Figure 4).

Figure 4. Class Diagram for Mutual Certificate assertion message flow.

The steps involved are: attach the X.509 certificate to the message at the client side; sign the message using the client’s private key; encrypt the message using the service’s public key; validate the client certificate; decrypt the message at the service side using the private key of the service; validate the signature by decrypting it using the public key of the client.

Brokered Authentication using the Kerberos Protocol option is as follows: When the user logs in, the client encrypts the password using a symmetric key and sends a request to the KDC (Key Distribution Center) for a Ticket Granting Ticket (TGT). If the key matches the value stored in Active Directory, the KDC sends the TGT and session key. This session key is encrypted by the KDC using the user’s long term key. The TGT is encrypted using the KDC secret key. The client sends a request to the KDC. The KDC decrypts the TGT with the long term key, and decrypts the authenticator
using the session key. The KDC validates and creates a new session key. The server receives the request that has the Kerberos security token attached to it. The server will use the session key to decrypt the authenticator.

For details of the implementation, source code and detailed UML diagrams, please refer to the web site http://sites.google.com/site/upendramgitcse

CONCLUSIONS

In this paper, we implemented and validated an approach to architecting secure SOA Web Services, with a case study of the StockTrader Security application using WS-Security. Extensions of this work include the use of WS-Secure Conversation.

As for future work, Web Service security represents a key requirement for today’s distributed interconnected digital world and for the new Web generations, such as Web 2.0 and the Semantic Web. To date, the problem of security has been investigated very much in the context of standardization efforts; these efforts, however, have dealt mainly with adapting existing security techniques, such as encryption, for use in Web Services. The standards have also focused on addressing the problem of security interoperability through the development of standard formats for security assertions, tokens and credentials. Interoperability is certainly an important issue for Web Services in that easy and flexible service composition requires that security-relevant information be seamlessly transmitted across different services.

However, several key issues have not yet been addressed, such as crucial security techniques in the presence of highly fragmented service systems; metrics and methodologies to assess the security provided by an application or system organized according to the SOA paradigm; understanding the impact of security and privacy on service composition; and identifying security and privacy requirements for novel collaborative environments and social networks enabled by the Web and devising solutions to address these requirements.

ACKNOWLEDGMENT

The authors wish to thank the following for implementing these concepts: A.Madhuri, Lavanya, Ch.Venkatabhilash, Anusha Joga, Y.Apoorva Rani and S.Vamshidher Reddy.

REFERENCES

[1] Stephan Bode, Anja Fischer, Winfried Kuhnhauser and Matthias Riebisch, “Software Architectural Design meets Security Engineering”, 16th Annual IEEE International Conference and Workshop on the Engineering of Computer Based Systems, pp. 109–118, 2009.
[2] S.Michelle Oda, Huirong Fu and Ye Zhu, “Enterprise Information Security Architecture A Review of Frameworks, Methodology, and Case Studies”, IEEE 2009, pp. 333–337, IEEE.
[3] E.Bertino et al., Security for Web Services and Service-Oriented Architectures, Springer-Verlag Berlin Heidelberg 2010.
[4] Jeremy Epstein, Scott Matsumoto and Gary McGraw, “Software Security and SOA: Danger, Will Robinson”, IEEE Security and Privacy, January/February 2006, pp. 80–83.
[5] Gunnar Peterson and Deborah A.Frincke, “Service-Oriented Security Indications for Use”, IEEE Security and Privacy, March/April 2009, pp. 91–93.
[6] Asoke K. Talukder and Manish Chaitanya, Architecting Secure Software System. CRC Press, 2009.
[7] Soumya Simanta, Ed Morris, Sriram Balasubramaniam, Jeff Davenport and Dennis B.Smith, “Information Assurance Challenges and Strategies for Securing SOA Environments and Web Services”, IEEE SysCon 2009—3rd Annual IEEE International Systems Conference, Vancouver, Canada, March 23–26 2009.
[8] K.V.S.N.Rama Rao, Anirban Pal, and Manas Ranjan Patra, “A Service Oriented Architectural Design for Building Intrusion Detection Systems”, International Journal of Recent Trends in Engineering, Vol. 1, No. 2, May 2009, ACEEE Academy Publishers, Poster Paper, pp. 11–14.
[9] G.Rayana Gouds, M.Srinivasa Rao and Akhilesh Soni, “Semantic Firewall: An approach towards Autonomous Web Security in Service Oriented Environments”, International Journal of Recent Trends in Engineering, Vol. 1, No. 1, May 2009, ACEEE Academy Publishers, pp. 454–458.
[10] Eduardo B.Fernandez, Michael Thomsen, and Minjie H.Fernandez, “Comparing the Security Architectures of Sun ONE and Microsoft .NET”, Idea Group Inc. 2004.
[11] Massimo Bartoletti, Pierpaolo Degano, Gian Luigi Ferrari and Roberto Zunino, “Semantics Based Design for Secure Web Services,” IEEE Transactions on Software Engineering, vol. 34, no. 1, pp. 33–49, January-February 2008.
[12] Anoop Singhal and Theodore Winograd, Guide to Secure Web Services. NIST Draft (800-95), September 2006.
[13] David Chappell, Introducing Service Component Architecture (SCA), July 2007, Computer Society of India Communications August 2009, pp. 30–39.
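Added example, not taken from the paper or its StockTrader source code: one way the StockTraderSecure UsernameToken check of Section IV.B can be combined with the Message Replay Detection pattern of Table 2. It assumes the password-digest form of the WS-Security UsernameToken, Base64(SHA-1(nonce + created + password)), with the fields already extracted from the SOAP header; the account, password, five-minute freshness window and all function and class names are constructed for illustration.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Constructed credential store; in the paper this role belongs to the custom
# username token manager (account name and password are made up).
PASSWORDS = {"trader01": "s3cret-Passphrase"}
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """UsernameToken digest: Base64(SHA-1(nonce + created + password))."""
    raw = nonce + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()


def make_token(username, password, nonce: bytes, created_at: datetime) -> dict:
    """Client side: build the token fields that travel in the SOAP header."""
    created = created_at.strftime(TS_FORMAT)
    return {"username": username, "created": created,
            "nonce": base64.b64encode(nonce).decode(),
            "digest": password_digest(nonce, created, password)}


class UsernameTokenValidator:
    """Service side: freshness, credential and replay checks for one token."""

    def __init__(self, passwords, max_age=timedelta(minutes=5)):
        self.passwords = passwords
        self.max_age = max_age
        self.seen = {}  # (username, nonce) -> time after which the token is stale

    def validate(self, token: dict, now: datetime) -> str:
        try:
            created = datetime.strptime(token["created"], TS_FORMAT)
            created = created.replace(tzinfo=timezone.utc)
            nonce = base64.b64decode(token["nonce"], validate=True)
            user, digest = token["username"], token["digest"].encode()
        except (KeyError, ValueError, TypeError, AttributeError):
            return "malformed"
        if abs(now - created) > self.max_age:
            return "stale"            # outside the freshness window
        password = self.passwords.get(user)
        expected = password_digest(nonce, token["created"], password or "")
        if password is None or not hmac.compare_digest(expected.encode(), digest):
            return "bad-credentials"  # unknown user, wrong password or altered field
        # Entries older than the window can go: the "stale" check rejects them.
        self.seen = {k: t for k, t in self.seen.items() if t >= now}
        if (user, nonce) in self.seen:
            return "replay"           # same nonce already accepted
        self.seen[(user, nonce)] = created + self.max_age
        return "ok"
```

Because the nonce cache only has to cover the freshness window, its size stays bounded; a captured token resent inside the window is rejected as a replay, and one resent later is rejected as stale.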