Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
ACEEE Int. J. on Communication, Vol. 01, No. 03, Dec 2010            Architecting Secure Service Oriented Web             ...
ACEEE Int. J. on Communication, Vol. 01, No. 03, Dec 2010Refer to Table 2. Which consists of Web Services Security        ...
ACEEE Int. J. on Communication, Vol. 01, No. 03, Dec 2010security token as proof of successful authentication. The        ...
ACEEE Int. J. on Communication, Vol. 01, No. 03, Dec 2010using session key. KDC validates and creates new session         ...
Upcoming SlideShare
Loading in …5
×

Architecting Secure Service Oriented Web Services

563 views

Published on

The importance of the software security has been
profound, since most attacks to software systems are based on
vulnerabilities caused by poorly designed and developed
software. Design flaws account for fifty percent of security
problems and risk analysis plays essential role in solid security
problems. Service Web Services are an integral part of next
generation Web applications. The development and use of
these services is growing at an incredible rate, and so too
security issues surrounding them. If the history of interapplication
communication repeats itself, the ease with which
web services architectures publish information about
applications across the network is only going to result in more
application hacking. At the very least, it’s going to put an even
greater burden on web architects and developers to design
and write secure code. Developing specification like WSSecurity
should be leveraged as secure maturity happens over
firewalls. In this paper, we want to discuss security
architectures design patterns for Service Oriented Web
Services. Finally, we validated this by implementing a case
study of a Service Oriented Web Services application
StockTrader Security using WS-Security and WS-Secure
Conversation.

Published in: Technology
  • Be the first to comment

  • Be the first to like this

Architecting Secure Service Oriented Web Services

  1. 1. ACEEE Int. J. on Communication, Vol. 01, No. 03, Dec 2010 Architecting Secure Service Oriented Web Services D.Shravani1 P.Radhika2 Dr.P.Suresh Varma3 Dr.D.Sravan Kumar4 M.Upendra Kumar 5 1 Research Scholar R.U. Kurnool and Assistant Professor CS MIPGS Hyderabad A.P. India Email: sravani.mummadi@yahoo.co.in 2 Research Scholar R.U. Kurnool and Assistant Professor CSE VNR VJIET Hyderabad A.P. India Email: jyothisree.manne@gmail.com 3 Principal and Professor Department of Computer Science Adikavi Nannaya University Rajamundry A.P. India Email: vermaps@yahoo.com 4 Principal and Professor CSE KITE Women’s College of Professional Engineering Sciences Hyderabad A.P. India Email: dasojusravan@yahoo.co.in 5 Research Scholar JNTUH and Associate Professor CSE MGIT Hyderabad A.P. India Email: uppi_shravani@rediffmail.comAbstract—The importance of the software security has been the security characteristics of composites and applicationsprofound, since most attacks to software systems are based on using services is an active research. Organizations shouldvulnerabilities caused by poorly designed and developed also identify the deployment strategies for the SOAsoftware. Design flaws account for fifty percent of security infrastructure, services, composites, and applicationsproblems and risk analysis plays essential role in solid securityproblems. Service Web Services are an integral part of next because different deployment strategies can entail differentgeneration Web applications. The development and use of security verification practices. Finally, all elements shouldthese services is growing at an incredible rate, and so too be verified in their operational contexts.security issues surrounding them. If the history of inter- Web Services are the most popular implementationapplication communication repeats itself, the ease with which approach for SOA. The elements of a Web Service from aweb services architectures publish information about security perspective are the service interface, serviceapplications across the network is only going to result in more implementation, message payload, and service levelapplication hacking. At the very least, it’s going to put an even agreement (SLA). All of these elements are visible togreater burden on web architects and developers to design participating parties except for the service implementation,and write secure code. Developing specification like WS-Security should be leveraged as secure maturity happens over which is usually hidden and known only to the servicefirewalls. In this paper, we want to discuss security provider. Refer to Table 1.architectures design patterns for Service Oriented Web TABLE 1. WEB SERVICES SECURITY THREATServices. Finally, we validated this by implementing a case FRAMEWORKstudy of a Service Oriented Web Services application Web Services Attacks and ThreatsStockTrader Security using WS-Security and WS-Secure LayerConversation. Layer 1: Web 1. In transit Sniffing or Spoofing Services in Transit 2. WS-Routing security concernIndex Terms— Security Architectures, Service Oriented 3. Replay attacksArchitectures, Web Services Security, WS-Security, WS- Lauer 2: Web 1. Buffer OverflowSecure Conversation. Services Engine 2. XML parsing attacks 3. Spoiling Schema 4. Complex or Recursive structure as I. SERVICE ORIENTED WEB SERVICES SECURITY payload ARCHITECTURES 5. Denial of Services 6. Large payload Service-Oriented Architectures (SOA) represents a Layer 3: Web 1. Fault Code Leaksnew evolving model for building distributed applications. Services 2. Permissions and Access issuesServices are distributed components that provide well- Deployment 3. Poor Policiesdefines interfaces that process and deliver XML 4. Customized error leakage 5. Authentication and Certificationmessages.[1-3]. A service-based approach makes sense for Layer 4: Web 1. Parameter tamperingbuilding solutions that cross organizational, departmental, Services User 2. WSDL probingand corporate domain boundaries. A business with multiple Code 3. SQL/LDAP/XPATH/OS commandsystems and applications on different platforms can use injection 4. Virus/Spyware/Malware injectionSOA to build a loosely coupled integration solution that 5. Brute forceimplements unified workflows. Security in an SOA 6. Data type mismatchenvironment involves verifying several elements and 7. Content spoofingmaintaining confidence as the environment evolves. 8. Session tampering 9. Format stringOrganizations deploying SOA implementations should 10. Information Leakageidentify practical strategies for security verification of 11. Authorizationindividual elements, but should be aware that establishing 14© 2010 ACEEEDOI: 01.IJCOM.01.03.181
  2. 2. ACEEE Int. J. on Communication, Vol. 01, No. 03, Dec 2010Refer to Table 2. Which consists of Web Services Security Step 3: Create the Web Service Based on the TypePatterns. Definition Assembly TABLE 2. WEB SERVICES SECURITY PATTERNS Step 4: Implement the Business Interface in the Web ServiceCategory Pattern Step 5: Generate a Web Service Proxy Class File Based onAuthentication Brokered Authentication Brokered Authentication: Kerberos the WSDL Document Brokered Authentication: X509 PKI Step 6: Create a Web Service Client Brokered Authentication: STS Direct Authentication III. ARCHITECTING SECURE SOA WEB SERVICESAuthorization Trusted Subsystem ARCHITECTURESException Management Exception ShieldingMessage Encryption Data Confidentiality Web as a media and Web Services as a technology isMessage Replay Detection Message Replay Detection emerging as a mode of business-to-business and e-Message Signing Data Origin Authentication commerce transactions. Most of these transactions willMessage Validation Message Validator carry business-critical and sensitive information that mustDeployment Perimeter Service Router be secured. Like any other technology domain, secure Web Web as a media and Web Services as a technology is Services is complex and possibly overwhelming.emerging as a mode of business-to-business and e- Addressing a breach-in that includes cost of liability, publiccommerce transactions. Most of these transactions will relations, and loss of business could be more expensivecarry business-critical and sensitive information that must than implementing security measures in advance. Also,be secured. Like any other technology domain, secure Web security should be enforced throughout the infrastructure.Services is complex and possibly overwhelming. Research issues include Web Services technology, itsAddressing a breach-in that includes cost of liability, public vulnerabilities, enforcing security in this media, emergingrelations, and loss of business could be more expensive security standards incorporating into Web Servicesthan implementing security measures in advance. Also, applications. [9]security should be enforced throughout the infrastructure.Research issues include Web Services technology, its IV. SECURE SOA WEB SERVICES WITH WS_SECURITYvulnerabilities, enforcing security in this media, emerging – A CASE STUDYsecurity standards incorporating into Web Servicesapplications. [4-6] Companies have started the adoption of Web Service technology and the WS-Security specification as an II. DESIGN PATTERNS FOR SOA WEB SERVICES approach to ensure the integrity of transmitted messages and data. [10-13] The WS-Security specification is a joint A. Design Patterns for Building Message-Oriented Web effort by Microsoft, IBM, and VeriSign to address this Services most important issue. The WS-Security specification is There are six steps involved in building message-oriented designed to provide an extensible security implementationWeb services, which is simply a Web service that that will evolve as Web Services technology becomes moreexchanges XML schema-based input and output messages sophisticated. Both WS-Security and WSE 3.0 plays anrather than simple parameter-oriented values. The steps are important role when building Microsoft .NET-based Webdescribed in the following sections.[7] Services or Web Services consumers. WS-SecurityStep 1: Design the Messages and Data Types integrates a set of popular security technologies, includingStep 2: Build the XSD Schema File for the Data Types digital signing and encryption based on security tokens,Step 3: Create a Class File of Interface Definitions for the including X.509 certificates. It is flexible and is designed toMessages and Data Types be used as the basis for the construction of a wide varietyOptions step 3A: Generate the WSDL Document Manually of security models, including PKI, Kerberos and SSL.Step 4: Implement the Interface in the Web Service Code- Particularly WS-Security provides support for multipleBehind File security tokens, multiple trust domains, multiple signatureStep 5: Generate a Proxy Class File for Clients Based on formats, and multiple encryption technologies.the WSDL Document A. Case StudyStep 6: Implement a Web Service Client Using a ProxyClass File We had implemented a case study, a simple example that secures the StockTrader application. WeB. Design Patterns for Building Service-Oriented Web implemented the UsernameForCertificate assertion that Services secures the WSE Security Settings wizard and created a Message-oriented web services are the building custom username token manager. Finally we authorizedblocks for service-oriented applications. There are six steps users using either code or a policy file.involved in building a message –oriented web service that Brokered Authentication:is compatible with SOA.[8]Step 1: Create a dedicated type definition Assembly The client and service do not attempt toStep 2: Create a Dedicated Business Assembly authenticate each other directly. They use an intermediary that validates the client’s identity and then provides a 15© 2010 ACEEEDOI: 01.IJCOM.01.03.181
  3. 3. ACEEE Int. J. on Communication, Vol. 01, No. 03, Dec 2010security token as proof of successful authentication. The Refer to Figure 3 which consists of class diagram forclient attaches this token to the request and the service uses RequestQuote. Client requests for RequestQuote web page;this token to authenticate the client. There are some Trader replies with page by asking the client to enterauthentication brokers such as VeriSign, Windows Active "symbol, tradeType" values; Client enters the values andDirectory exists. invokes; Trader makes a security checkup with StockTraderSecure and sends the reply; Reply consists ofB. Implementation and Validation all the trade values of particular symbol. Refer to Figure 1 which consists of class diagramfor Place trade before UserNameToken. Client requests the StockTrader requestsweb page for placing the trade; Stock Trader sends the Client StockTraderrespond as web page along with the request to enter"accNo., symbol, share, price, tradeType" values; Client sends the pageenters the values and invokes the page; Trader sends the client sets the datarespond as an xml page acceptance.No security involves inthis approach. RequestQuote symbol : string StockTraderTyp tradeType : string PlaceTrader es accNo : string StockTraderTyp setData() field : string symbol : string es status : string share : int field : string price : double status : string tradeType : string setData() Figure 3. Class diagram for RequestQuote An Active Directory Kerberos ticket has a default client sets the trade details of ten hours duration. Client need to request the token once requests during the session. Brokered Authentication can be StockTrader responds StockTrader Client implemented in using WSE 3.0 in: Kerberos; X.509 certificates; Custom security token. Brokered Authentication using Mutual Certificate using X.509 certificate option is given as below. (Refer Figure 4) StockTraderSecure Figure 1. Class diagram for Place trade before UserNameToken. Refer to Figure 2 which consists of class diagram forPlace trade after UserNameToken. Client requests the webpage for placing the trade; Stock Trader sends the respondas web page along with the request to enter "accNo.,symbol, share, price, tradeType" values; Client enters thevalues and invokes the page; Trader requests for securitycheckup; StockTraderSecure checks the usernametokenvalue for specified client and generates reply to Trader;Trader sends the respond as an xml page. Security isinvolved as UserNameToken value. Figure 4. Class Diagram for Mutual Certificate assertion message flow. PlaceTrader The steps involved are given as: Attach X.509 accNo : string StockTraderTyp symbol : string es certificate to the message at client side; Sign the message share : int price : double tradeType : string field : string status : string using the client’s private key; Encrypt the message using setData() the service’s public key; Validate the client certificate; Decrypt the message at service side using private key of client sets the trade details service; Validate the signature by decrypting it using public StockTrader requests key of client. Brokered Authentication using Kerberos responds StockTrader C lie nt Protocol option is as follows: When user logs in, client encrypts the password using a symmetric key and sends a gives use rnam etoken request to the KDC (Key Distribution Center) for a Ticket Granting Ticket (TGT). If key matches the value stored in StockTraderSecure requests for security checkup Active Directory the KDC sends the TGT and session key. t okenValue : strin g cli entId : strin g This session key is encrypted by KDC using user’s long se tToke n() se curity Checkup() term key. The TGT is encrypted using KDC secret key. The client sends a request to KDC. The KDC decrypts the Figure 2. Class diagram for Place trade after UserNameToken. TGT with long term key, and decrypts the authenticator 16© 2010 ACEEEDOI: 01.IJCOM.01.03.181
  4. 4. ACEEE Int. J. on Communication, Vol. 01, No. 03, Dec 2010using session key. KDC validates and creates new session REFERENCESkey. The server receives the request that has the Kerberos [1] Stephan Bode, Anja Fischer, Winfried Kuhnhauser andsecurity token attached to it. Server will use session key to Matthias Riebisch, “Software Architectural Design meetsdecrypt the authenticator. Security Engineering”, 16 th Annual IEEE International For details of implementation, source code and detailed Conference and Workshop on the Engineering of ComputerUML diagrams, Please refer to the web site, Based Systems, pp. 109 – 118, 2009.http://sites.google.com/site/upendramgitcse [2] S.Michelle Oda, Huirong Fu and Ye Zhu, “Enterprise Information Security Architecture A Review of Frameworks, CONCLUSIONS Methodology, and Case Studies”, IEEE 2009 pp. 333 – 337, IEEE. In this paper, we implemented and validated architecting [3] E.Bertino et al., Security for Web Services and Service-secure SOA Web Services, with a case study of an Oriented Architectures, Springer-Verlag Berlin Heidelbergapplication StockTrader Security using WS-Security. 2010.Extensions of this work includes usage of WS-Secure [4] Jeremy Epstein, Scott Matsumotto and Gary McGraw, “Software Security and SOA: Danger, Will Robinson”, IEEEconversation. Security and Privacy, January/February 2006, pp. 80–83. Future work includes, Web Service security represents a [5] Gunnar Peterson and Deborah A.Frincke, “Service-Orientedkey requirement for today’s distributed interconnected Security Indications for Use”, IEEE Security and Privacy,digital world and for the new Web generations, such as March/April 2009, pp. 91–93.Web 2.0 and the Semantic Web. To date, the problem of [6] Asoke K. Talukder and Manish Chaitanya, Architectingsecurity has been investigated very much in the context of Secure Software System. CRC Press, 2009.standardization efforts; these efforts, however, have dealt [7] Soumya Simanta, Ed Morris, Sriram Balasubramaniam, Jeffmainly with adapting existing security techniques, such as Davenport and Dennis B.Smith, “Information Assuranceencryption, for use in Web Services. The standards have Challenges and Strategies for Securing SOA Environments and Web Services”, IEEE SysCon 2009—3 rd Annual IEEEalso focused on addressing the problem of security International Systems Conference, Vancouver, Canada,interoperability through the development of standard March 23 – 26 2009.formats for security assertions, tokens and credentials. [8] K.V.S.N.Rama Rao, Anirban Pal, and Manas Ranjan Patra,Interoperability is certainly an important issue for Web “A Service Oriented Architectural Design for BuildingServices in that easy and flexible service composition Intrusion Detection Systems”, International Journal ofrequires that security-relevant information be seamlessly Recent Trends in Engineering, Vol. 1, No. 2, May 2009transmitted across different services. ACEEE Academy Publishers Poster Paper pp. 11— 14. However, several key issues have not yet been [9] G.Rayana Gouds, M.Sriivasa Rao and Akhilesh Soni ,addressed, such as crucial security techniques in the “Semantic Firewall: An approach towards Autonomouos Web Security in Service Oriented Environments”,presence of highly fragmented service systems; metrics and International Journal of Recent Trends in Engineering, Vol.methodologies to assess the security provided by an 1, No. 1, May 2009 ACEEE Academy Publishers pp. 454—application or system organized according to the SOA 458.paradigm; understanding the impact of security and privacy [10] Eduardo B.Fernandez, Michael Thomsen, and Minjieon service composition; and identifying security and H.Fernandez, “Comparing the Security Architectures of Sunprivacy requirements for novel collaborative environments ONE and Microsoft .NET”, Idea Group Inc. 2004.and social networks enabled by the Web and devising [11] Massimo Bartoletti, Pierpaolo Degano, Gian Luigi Ferrarisolutions to address these requirements. and Roberto Zunino, “Semantics Based Design for Secure Web Services,” IEEE Transactions on Software Engineering, vol. 34 no. 1, pp. 33–49, January-February 2008. ACKNOWLEDGMENT [12] Anoop Singhal and Theodore Winograd, Guide to Secure The authors wish to thank the following for Web Services. NIST Draft (800-95), September 2006.implementing these concepts: A.Madhuri, Lavanya, [13] David Chappell, Introducing Service Component Architecture (SCA), July 2007, Computer Society of IndiaCh.Venkatabhilash, Anusha Joga, Y.Apoorva Rani and CommunicationsAugust2009,pp.30–39.S.Vamshidher Reddy. 17© 2010 ACEEEDOI: 01.IJCOM.01.03.181

×