
Implementing web service security policies for education database system

In this article, we analyze the information security risks of web services, evaluate existing solutions, and then select the most effective policies for the education database system. We have implemented security policies including authentication and authorization, in which authentication is based on OAuth 2.0 and JSON web tokens (JWT).

AGU International Journal of Sciences – 2019, Vol. 7 (4), 74 – 81

IMPLEMENTING WEB SERVICE SECURITY POLICIES FOR EDUCATION DATABASE SYSTEM

Nguyen Hoang Tung¹, Nguyen Van Hoa¹
¹ An Giang University, VNU - HCM

Information:
Received: 20/02/2019
Accepted: 29/03/2019
Published: 11/2019

Keywords: Web service, security, identification, authentication, authorization

ABSTRACT

Today, information security is particularly relevant given the increasing risk to information exchanged on the Internet between applications and web services. In this article, we analyze the information security risks of web services, evaluate existing solutions, and then select the most effective policies for the education database system. We have implemented security policies including authentication and authorization, in which authentication is based on OAuth 2.0 and JSON web tokens (JWT). We have also implemented two authorization filters, a coarse authorization filter and a fine-grained authorization filter, to improve the effectiveness of the authorization. Experimental results show that the running time of the fine-grained authorization filter is negligible.

1. INTRODUCTION

Today, the exchange of information on the Internet is ever-expanding. Therefore, information security when exchanging information is an urgent and vital requirement for robust information systems. The exchange of information on the Internet carries many risks because of constant attacks by many parties that aim to eavesdrop on the content of information, change messages, impersonate parties and replay information. According to an announcement by the Information Security Department on May 9, 2016, Vietnam is ranked only 76th out of 196 countries and territories on information security metrics. Therefore, in order to minimize the risks of information exchange on the Internet when deploying a new information system, we need to analyze and assess information security risks, from which we will select and implement synchronous information security policies.

In the era of the information explosion, web technology has become a familiar and widely used platform. Many large organizations, such as Google, Amazon, Ebay, Paypal, and Facebook, have made substantial strides thanks to the development of websites based on the web service platform. Web services help web developers build distributed applications with a large number of users in many different locations, which client/server models cannot handle (Bruijn et al. 2016). Unlike the traditional client/server models, a web service doesn't provide a graphical interface. Instead, a web service provides standard methods to share and process data through the interface of the application. A web service is a systematic application designed to support interoperability between applications running on different platforms by adopting XML or JSON, SOAP, WSDL, UDDI and internet protocols (Ardagna et al. 2006).

Web service resources are identified by URLs to perform functions and provide information to other applications when required. A web service is built by combining functions and packaging them so that other applications can easily access them, and it can also send information requests to other services.

Common security standards for information system transactions on the Internet focus on criteria such as identification, authentication, authorization, integrity, auditing and confidentiality (Peltier 2014). Accordingly, the web service security standard is defined for the Simple Object Access Protocol (SOAP) and the extensions of this protocol (Bhandari and Wadhe 2014).

The trend of developing information systems based on web services is inevitable because of its advantages. However, this trend faces many challenges, many of which are related to information security. In this article, we focus on introducing the information security challenges of web services as well as common solutions. Based on that, we select and implement effective policies for the education database system of An Giang province.

The next section presents the existing information security policies for web services. The third section analyzes security requirements, and then selects and constructs security policies for the education database system of An Giang province. Conclusions and future directions are addressed in the final section.

2. WEB SERVICE SECURITY POLICIES

2.1 Web service component model

Web services include 3 main components: SOAP, WSDL and UDDI. The relationship between these three standards, which together form the web service architecture, is presented in Figure 1.

The web service architecture includes a set of network protocols to define, locate, implement and create a web service that interacts with other applications or services. In particular, UDDI is used to register and discover web services that have been described in WSDL. A UDDI transaction uses SOAP to communicate with the UDDI server, and SOAP is then used to request a web service. SOAP messages are sent over HTTP and TCP/IP. Two of the four main components of the web service protocols are Service Transport and XML messages. The transport service transmits messages between network applications, using protocols such as HTTP, SMTP, FTP, JSM, and the Blocks Extensible Exchange Protocol (BEEP). XML messages are responsible for decoding messages in XML format so that they can be understood at the application level to interact with the user. Currently, the protocols that perform this task are SOAP and REST (Fielding 2000).

[Figure 1. Web service overview. Elements shown: UDDI (service registry), service consumer, service provider; operations: describe service (WSDL), find service, publish service; SOAP messages between consumer and provider.]

2.2 Web service security policies

Web services allow applications to link and interact via the Internet, so security is a top concern when combining applications with a web service. Implementing security policies for web services is very important to protect information from unauthorized access. A secure information system is a system in which the processed information must ensure three characteristics (Stallings 2011):

- Confidentiality: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. A loss of confidentiality is the unauthorized disclosure of information.
- Integrity: Guarding against improper information modification or destruction, including ensuring information nonrepudiation and authenticity. A loss of integrity is the unauthorized modification or destruction of information.
- Availability: Ensuring timely and reliable access to and use of information. A loss of availability is the disruption of access to or use of information or an information system.

Based on these three characteristics of a secure information system, the security policies of the proposed web service include identity management, authentication and authorization, encryption and digital certificates.

2.2.1 Identity management

Web services may be public or have access points available for public data, but there are also many access points that need to be controlled in resource-intensive applications. In order to enforce access control, the entity issuing a request must first be identified and authenticated, a process known as identity management. Identity management includes two important elements: authentication and authorization.

Authentication is the process of identifying an entity through an identifier and verifying that identity through the authentication of information provided by the competent authority. Users can authenticate their identity through one of three types of login information: what the person knows/remembers (such as passwords, PINs); what users own (such as certificates, USB dongles); and what belongs to the user (such as fingerprints).

Once an identity has been authenticated, the application can control access to resources based on this identity. This process is called authorization. A simple application can allow access to significant resources based entirely on identity. However, most applications have policies that allow access based on attributes, such as role, that are linked with the authenticated identity.

Role-based security is the most commonly used security model in organizations and business applications. The key benefit of this model is that it is easy to organize users. Access rights are not granted directly to an individual user, but to an abstraction called a role. The user is assigned to one or more roles, through which the user has access to the resources.

2.2.2 Authentication and authorization methods

- Basic authentication is part of the HTTP protocol specification (Lakshmiraghavan 2013). This authentication process occurs when the client requests resources that require authentication. The authentication server then sends a status code indicating unauthorized access. The client must then send an authorization header containing the login credentials. If the login information is valid, the server replies with the status of a successful login.

- Authentication messages are also part of the HTTP protocol, but they differ from basic authentication because the actual password is not sent to the server; instead a hash code, message authentication code, or message code is sent (Lakshmiraghavan 2013). When the server receives the message sent from the client along with the user's name, it hashes the user's password stored on the server to get the hash value. If the hash value matches the message the user sent, the authentication is successful.

- Open authorization (OAuth) was proposed to meet the need to share resources between applications, also known as resource sharing to third parties, without having to share the user's credentials. The first version of OAuth is 1.0 and it is a protocol. This version works in three steps: (1) the client sends a temporary confirmation request to the server; (2) the server performs a temporary validation process and allows the real access request to be granted a temporary token; (3) the server returns the access token to the client based on the provisional credentials and the temporary token. OAuth 2.0 was released in 2012 to address the limitations of OAuth 1.0. Version 2.0 is seen as a framework and is used today (Hardt 2012).

- An access token is a string representing the authorization given to the client. Because the access token is issued by an authorization server and used by the resource server, OAuth 2.0 does not specify how the access token should be structured or formatted. This depends on the resource server and the authorization server. Access tokens can be generated according to specifications such as simple web tokens (SWT) or JSON web tokens (JWT) (Bradley 2016).

2.2.3 Encryption and digital certificate

Applications conduct transactions with the web service by sending access requests to resources. After identification and access checking, data is exchanged between the client application and the web service. The typical format of this information is now either XML or JSON. Both are plain text, so the information can be read by anyone. Therefore, the data transmission channel between the client application and the web service must be secured through the HTTPS protocol. The HTTPS protocol is designed to secure HTTP by running it over the SSL/TLS protocols (IBM 2018).

3. IMPLEMENTING WEB SERVICE SECURITY POLICIES FOR EDUCATION DATABASE SYSTEM

3.1 Education database system of An Giang province

[Figure 2. Architecture model of education database system. Elements shown: applications; RESTful web service; AGEDU HRM, AGEDU SCHOOL, AGEDU EAM, AGEDU FM.]

The education database system of An Giang province, referred to as the "database system," aims to support the management and administration of the provincial education sector. The system includes a database of four components: human resource management (HRM), school management, equipment - asset management (EAM), and financial management (FM), as shown in Figure 2. The database system is designed on the basis of the RESTful web service architecture (Lakshmiraghavan 2013). In this architectural model, applications do not access databases directly; they operate through API calls in order to access resources on web services.

The number of users of the database system is substantial, with 26.000 users at various levels ranging from the province to districts, schools, or staff. In addition, users in a unit, such as teachers, equipment managers, and accountants, are allowed to access different resources depending on the areas assigned to them.

3.2 Analysis of security requirements of education database system

Based on practical requirements, the database system must have security policies that ensure resource access rights by identifying users, verifying their level of management access and assigned position, and securing the data exchange channel between applications and web services.

We propose to divide the system's users into four user groups (Privilege): the province department group, the district department group, the school group and the staff group. Each user belongs to only one of the four user groups. The province department user group has the highest level of access, with all rights (read, add, delete and edit) on the catalog tables of the databases, while the rest of the user groups are only allowed to access directory resources with read-only permission. The district department user group has access only to the resources of the department level. Meanwhile, users belonging to the employee group have access only to resources belonging to this user level.

In addition, each user is assigned to one or more roles. Each role is linked to the right to access one of the four components of the database. For example, users who are teachers in the employee group should only be allowed to access the school database, while the accountants in the staff group should also have access to the financial database.

3.3 Design and implement security policies for education database system

[Figure 3. Model of authentication and authorization of the educational data system. Elements shown: user, web application, password, token, authorization server, OWIN middleware, OAuth database; in the Web API: authentication filter, authorization filter 1, authorization filter 2, API action; resources: AGEDU database.]

To protect the content exchanged between applications and the web service as XML or JSON, we use the HTTPS protocol with a digital certificate from the provider DigiCert for the web server running the home page of the web service. We have also set up auditing for important tables.

Besides the security policies, the major focus of our work is improving the OAuth 2.0 authentication model by implementing authorization filter 2 in the authorization and validation model in order to meet the security requirements for the web service, as shown in Figure 3. In this model, the process of authentication and authorization is done through the following steps: (a) users conduct the login process with their username and password; (b) the authorization server confirms the login, creates an access token, and sends it to the application; (c) the access token is sent to the authentication filter along with the resource access (API action) request; (d) authorization filter 1 acts as a coarse filter and checks whether the user's role allows access to the requested database; (e) if the user passes filter 1, authorization filter 2 acts as a fine-grained filter and verifies the access right to the requested API Action.

To build the proposed model, we designed an OAuth database with 7 tables to store user information (tblUsers), user roles (tblUserRoles and tblRoles), and user groups and the access rights of each user group to API Actions (tblPrivilege, tblBusiness, tblPermission and tblGrantPermission), as shown in Figure 4. tblBusiness stores information about the tables of the four database components, tblPermission stores information about the API Actions of the data tables, and tblGrantPermission stores the access rights of each user group (Privilege) on each API Action.

[Figure 4. Relational schema of OAuth database.]

We designed the algorithm of authorization filter 2 with 3 input parameters: the name of the data table (tblName), the name of the API Action (actionName) and the user group (privilege). This algorithm has 2 steps: (1) find the ID of actionName in the tblPermission table using the parameters tblName and actionName; this step always returns the ID of the actionName to look for; (2) check the actionName access of the privilege user group: access is granted if a row containing the ID and the privilege is found in the tblGrantPermission table.

Authorization filter 2 Algorithm

    input:  tblName, actionName, privilege
    output: true | false

    PermisID = empty
    foreach r in tblPermission
        if (r.ControllerName == tblName and r.ActionName == actionName)
            then PermisID = r.PermissionID
    granted = empty
    foreach r in tblGrantPermission
        if (r.Privilege == privilege and r.PermissionID == PermisID)
            then granted = r
    if (granted is not empty) then return true
    else return false

We set up the authentication and authorization policies in the Microsoft Visual Studio 2017 environment, using the C# programming language and the ASP.NET MVC platform. The four education database components are designed and installed on SQL Server 2012 with 258 tables. The authentication server and authorization filter 1 use the OWIN library (IBM 2018). This library is based on the OAuth 2.0 architecture. We also use JWT access tokens and Identity framework 2.0. Authorization filter 2 is implemented on the LINQ platform to control access to resources for the four user groups mentioned in section 3.2.

We measured the running time of the authorization filter 2 algorithm through the execution time of the SQL query statement in SQL Server Management Studio. The experimental data is as follows: the number of actionName entries in the tblPermission table is 1.540; the total number of rows in the tblGrantPermission table is 5.580. Experimental results on the average running time of the authorization filter 2 algorithm for the four user groups are shown in Table 1. Table 1 shows that the average running time of authorization filter 2 is negligible, but the access control role of this filter is very important in controlling access to API Action resources.

Table 1. Average running time of authorization filter 2 algorithm

| User group   | Staff | School | District department | Province department |
|--------------|-------|--------|---------------------|---------------------|
| Running time | 15 ms | 15 ms  | 15 ms               | 15 ms               |

4. CONCLUSION AND FUTURE WORKS

We have presented a solution to implement security policies for the education database system of An Giang province based on the web service platform. The policies include authentication, authorization, encryption and auditing. The authentication and authorization policies are deployed in the OAuth 2.0 model with JSON web token (JWT) access tokens. We have also implemented two authorization filters with coarse and fine filtering functions in the OAuth 2.0 model to improve the efficiency of the authorization policies. In the future we will develop additional security policies such as those designed to combat distributed denial-of-service (DDoS) attacks.

REFERENCES

Ardagna, C. A., Damiani, E., De Capitani di Vimercati, S., & Samarati, P. (2006). A Web Service Architecture for Enforcing Access Control Policies. Electronic Notes in Theoretical Computer Science, 142, 47–62.

Bhandari, L. V., & Wadhe, A. P. (2014). Review Paper on Web Service Security. International Journal on Computer Science and Engineering.

Bradley, J., Sakimura, N., & Jones, M. (2016). JSON Web Token (JWT).

De Bruijn, J., Lausen, H., Polleres, A., & Fensel, D. (2006). The Web Service Modeling Language WSML: An Overview. ESWC 2006.

Fielding, R. T. (2000). Architectural Styles and the Design of Network-based Software Architectures (doctoral dissertation). University of California, Irvine.

Hardt, D. (2012). The OAuth 2.0 Authorization Framework.

IBM. (2018). An overview of the SSL or TLS handshake.

Lakshmiraghavan, B. (2013). Pro ASP.NET Web API Security.

Peltier, T. R. (2014). Information Security Fundamentals (2nd ed). New York: CRC Press.

Stallings, W. (2011). Cryptography and Network Security: Principles and Practice (5th ed). Prentice Hall.
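The request path of Section 3.3, steps (c) to (e), with authorization filter 2 written as a single join over tblPermission and tblGrantPermission, is shown here as an added Python example; it is not the paper's C#/LINQ code. The HS256 key, the role-to-component map, the `Component` column and every sample row are assumptions constructed for illustration.

```python
import base64, hashlib, hmac, json, sqlite3, time

SECRET = b"constructed-demo-key"  # assumption: HS256 key of the authorization server
ROLE_COMPONENTS = {"teacher": {"SCHOOL"}, "accountant": {"SCHOOL", "FM"}}  # assumed map

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=")

def _unb64(text):
    return base64.urlsafe_b64decode(text + b"=" * (-len(text) % 4))

def _sign(signing_input):
    return _b64(hmac.new(SECRET, signing_input, hashlib.sha256).digest())

def issue_token(claims):
    """Step (b): the authorization server issues a signed JWT access token."""
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    return b".".join([head, body, _sign(head + b"." + body)]).decode()

def authenticate(token, now=None):
    """Step (c), authentication filter: return the claims, or None if invalid."""
    now = time.time() if now is None else now
    try:
        head, body, sig = token.encode().split(b".")
        if json.loads(_unb64(head))["alg"] != "HS256":  # pin the algorithm
            return None
        if not hmac.compare_digest(sig, _sign(head + b"." + body)):
            return None
        claims = json.loads(_unb64(body))
        return claims if claims["exp"] > now else None
    except (ValueError, KeyError, TypeError):
        return None

def build_db():
    """Constructed rows; columns not named in the paper's pseudocode are assumed."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE tblBusiness(ControllerName TEXT PRIMARY KEY, Component TEXT);
        CREATE TABLE tblPermission(PermissionID INTEGER PRIMARY KEY,
                                   ControllerName TEXT, ActionName TEXT);
        CREATE TABLE tblGrantPermission(Privilege TEXT, PermissionID INTEGER);
        INSERT INTO tblBusiness VALUES ('SchoolCatalog','SCHOOL'), ('Payroll','FM');
        INSERT INTO tblPermission VALUES (1,'SchoolCatalog','Get'),
            (2,'SchoolCatalog','Delete'), (3,'Payroll','Get');
        INSERT INTO tblGrantPermission VALUES ('province',1),('province',2),('staff',1),('staff',3);
    """)
    return db

def filter1_coarse(db, roles, tbl_name):
    """Step (d): may one of the user's roles reach the component owning the table?"""
    row = db.execute("SELECT Component FROM tblBusiness WHERE ControllerName = ?",
                     (tbl_name,)).fetchone()
    return row is not None and any(row[0] in ROLE_COMPONENTS.get(r, ()) for r in roles)

def filter2_fine(db, privilege, tbl_name, action_name):
    """Step (e): the paper's two lookups as one join; no matching row means deny."""
    row = db.execute(
        "SELECT 1 FROM tblPermission p JOIN tblGrantPermission g"
        " ON g.PermissionID = p.PermissionID"
        " WHERE p.ControllerName = ? AND p.ActionName = ? AND g.Privilege = ?",
        (tbl_name, action_name, privilege)).fetchone()
    return row is not None

def authorize(db, token, tbl_name, action_name, now=None):
    """Run the three checks in order and return an HTTP status code."""
    claims = authenticate(token, now)
    if claims is None:
        return 401
    if not filter1_coarse(db, claims.get("roles", []), tbl_name):
        return 403
    if not filter2_fine(db, claims.get("privilege"), tbl_name, action_name):
        return 403
    return 200

if __name__ == "__main__":
    tok = issue_token({"roles": ["teacher"], "privilege": "staff", "exp": time.time() + 300})
    for tbl, act in [("SchoolCatalog", "Get"), ("SchoolCatalog", "Delete"), ("Payroll", "Get")]:
        print(tbl, act, authorize(build_db(), tok, tbl, act))
```

In the sample rows the staff group holds a grant on `Payroll`/`Get`, yet a teacher is still refused by filter 1, while `SchoolCatalog`/`Delete` passes filter 1 and is refused by filter 2, so each filter rejects a request the other would let through.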