Implementing web service security policies for education database system

AGU International Journal of Sciences – 2019, Vol. 7 (4), 74 – 81<br /> <br /> <br /> <br /> <br /> IMPLEMENTING WEB SERVICE SECURITY POLICIES FOR EDUCATION<br /> DATABASE SYSTEM<br /> Nguyen Hoang Tung1, Nguyen Van Hoa1<br /> 1<br /> An Giang University, VNU - HCM<br /> <br /> Information: ABSTRACT<br /> Received: 20/02/2019<br /> Today, information security is particularly relevant when considering the<br /> Accepted: 29/03/2019<br /> increasing risk of information security when exchanging data on the Internet<br /> Published: 11/2019<br /> between applications and web services. In this article, we analyze the<br /> Keywords: information security risks of web services, evaluate existing solutions, and<br /> Web service, security, then select the most effective policies for the education database system. We<br /> identification, authentication, have implemented security policies including authentication, authorization.<br /> authorization In which authentication is based on OAuth 2.0 and JSON web tokens (JWT).<br /> We have also implemented two authorization filters with the roles of raw<br /> authorization filter and fine-grained authorization filter for improving the<br /> effectiveness of the authorization. Experimental results show that the running<br /> time of fine-grained authorization filter is negligible.<br /> <br /> <br /> <br /> 1. INTRODUCTION select and implement synchronous information<br /> security policies.<br /> Today, the exchange of information on the<br /> Internet is ever-expanding. Therefore, the need for In the era of the information explosion, web<br /> information security when exchanging technology has become a familiar and widely-<br /> information is an urgent and vital requirement for used platform. Many large organizations, such as<br /> robust information systems. The exchange of Google, Amazon, Ebay, Paypal, and Facebook,<br /> information on the Internet often contains a lot of have made substantial strides thanks to the<br /> risks because of the constant attacks of many development of the website based on the web<br /> parties in order to eavesdrop on the content of service platform. Web services support web<br /> information, change messages, impersonate and developers to build distributed applications with a<br /> replay information. According to an large number of users in many different locations<br /> announcement by the Information Security which client/server models can not be solved by<br /> Department on May 9, 2016, Vietnam only is (Bruijn et al. 2016). Unlike the traditional<br /> ranked 76 over 196 countries and territories on client/server models, a web service doesn’t<br /> information security metrics. Therefore, in order provide a graphical interface. Instead, a web<br /> to minimize the risks of information exchange on service provides standard methods to share and<br /> the Internet when deploying a new information process data through the interface of the<br /> system, we need to analyze and assess application. A web service is a systematic<br /> information security risks from which we will application designed to support interoperability<br /> between applications running on the platform of<br /> <br /> <br /> <br /> 74<br /> AGU International Journal of Sciences – 2019, Vol. 7 (4), 74 – 81<br /> <br /> different information technology adoption XML The next section presents the existing information<br /> or JSON, SOAP, WSDL, UDDI and internet security policies’s web service. The third section<br /> protocols (Ardagna et al. 2006). is composed of an analysis of security<br /> Web service resources have been defined by the requirements, and a resulting selection and<br /> URL to perform functions and provide construction of security policies for the education<br /> information to other applications when required. database system of An Giang province.<br /> A web service is established by synthesis Conclusions and directions are addressed in the<br /> functions and packaged so that other applications final section.<br /> can easily access, and it also can send information 2. WEB SERVICE SECURITY POLICIES<br /> requests to another. 2.1 Web service component model<br /> As we know, common security standards for Web services include 3 main components: SOAP,<br /> information systems transactions on the Internet WSDL and UDDI. The relationship between three<br /> often have to focus on the criteria such as standards organizes web service architecture is<br /> identification, authentication, authorization, presented in Figure 1.<br /> integrity, auditing and confidentiality (Peltier<br /> The web service architecture includes a set of<br /> 2014 ). Therefore, the following security standard<br /> network protocols to define, locate, implement<br /> is the standard for web service security for access<br /> and create a web service to interact with other<br /> protocol (SOAP) and the extension of this<br /> applications or services. In particular, UDDI is<br /> protocol (Bhandari and Wadhe 2014).<br /> used to register and discover web service that has<br /> The trend of developing information systems been described specifically in WSDL. Transaction<br /> based on web services is inevitable because of its UDDI uses SOAP to communicate with the UDDI<br /> advantages. However, this particular trend faces server, then the SOAP requests a web service.<br /> many challenges, many of which are related to SOAP messages are sent exactly by protocol<br /> information security. In this article, we will focus HTTP and TCP/IP. Two of the four main<br /> on introducing the challenges of information components of the web service protocols are<br /> security system's web services as well as common Service Transport and XML messages. Transport<br /> solutions. Based on that, we select and implement service transmits messages between<br /> effective policies for the education database<br /> system of An Giang province.<br /> <br /> <br /> <br /> UDDI<br /> (Service registry)<br /> Describe service<br /> (WDSL)<br /> <br /> Find service Publish<br /> service<br /> SOAP<br /> <br /> Service Service Provider<br /> consumer Messages<br /> <br /> <br /> <br /> <br /> Figure 1. web service overview<br /> <br /> <br /> 75<br /> AGU International Journal of Sciences – 2019, Vol. 7 (4), 74 – 81<br /> <br /> network applications, including protocols such as Web services may be public or have access points<br /> HTTP, SMTP, FTP, and protocol JSM given available for public data, but there are also many<br /> constant expansion blocks (Blocks Extensible access points that need to be controlled in<br /> Exchange Protocol- BEEP). XML messages are resource intensive applications. In order to<br /> responsible for decoding messages in XML enforce access control, the issuing entity must<br /> format so that they can be understood at the first be identified and authenticated, which is a<br /> application level to interact with the user. process known as identity management. Identity<br /> Currently, the protocols that perform this task are management includes two important elements:<br /> SOAP and REST (Fielding 2000). authentication and authorization.<br /> 2.2 Web service security policies Authentication is the process of identifying an<br /> Web services allow linking and interacting with entity through an identifier and verifying identity<br /> the applications via the Internet, so security is an through the authentication of information<br /> issue of top concern for combining applications provided by the competent authority. Users can<br /> with a web service. Implementing security authenticate identity through one of three types of<br /> policies for web services is very important to login information: what the person<br /> protect information from unauthorized access. A knows/remembers (such as passwords, PINs);<br /> security information system is a system where the what users own (such as certificates, USB<br /> processed information must ensure three dongles); and what belongs to the user (such as<br /> characteristics (Stallings 2011): fingerprints).<br /> <br /> - Confidentiality: Preserving authorized When an identity authentication is set, the<br /> restrictions on information access and application can access and control resources based<br /> disclosure, including means for protecting on this identity. This process is called<br /> personal privacy and proprietary information. authorization. A simple application can allow<br /> A loss of confidentiality is characterized by access to significant resources entirely based on<br /> the unauthorized disclosure of information. identity. However, most of the applications that<br /> have policies allowing access based on attributes<br /> - Integrity: Guarding against improper<br /> such as role, are linked with the identity and<br /> information modification or destruction,<br /> authenticated.<br /> including ensuring information nonrepudiation<br /> and authenticity. A loss of integrity is Role-based security is the most commonly used<br /> constituted by the unauthorized modification security model in organizations or business<br /> or destruction of information. applications. Key benefits of using a model with<br /> this layout is that it is easy to organize users.<br /> - Availability: Ensuring timely and reliable<br /> Access rights are not granted directly to an<br /> access to and use of information. A loss of<br /> individual user, but to an abstraction called a role.<br /> availability is comprised of the disruption of<br /> The user is assigned to one or more roles, through<br /> access to or use of information or an<br /> which the user will have access to the resources.<br /> information system.<br /> 2.2.2 Authentication and authorization methods<br /> Based on the three characteristics of a security<br /> information system, the security policies of the - Basic authentication is partially a description of<br /> proposed web service include identity the HTTP protocol (Lakshmiraghavan 2013). This<br /> management, authentication and authorization, authentication process occurs when the client<br /> encryption and digital certificates. requests resources that need to be authenticated.<br /> The authentication server then sends the code<br /> 2.2.1 Identity management<br /> containing the status of unauthorized access. The<br /> <br /> 76<br /> AGU International Journal of Sciences – 2019, Vol. 7 (4), 74 – 81<br /> <br /> client must then send an authorization header - Access token (Access Token) is a string<br /> containing the login credentials. If the login representing the authorization given to the client.<br /> information is valid, the server will reply with the Because the access token is issued by an<br /> status of a successful login. authorized server and used by the resource server,<br /> - Authentication messages are also part of the OAuth 2.0 does not specify how the access token<br /> HTTP protocol, but they differ from basic should be structured or formatted. This depends<br /> authentication because the actual password is not on the resource server and the authorized server.<br /> sent to the server, and instead a hash code, Access tokens can be generated according to some<br /> message authentication code, or a message code is specifications such as simple web tokens (SWT)<br /> sent (Lakshmiraghavan 2013). When the server or JSON web tokens (JWT) ( Bradley 2016).<br /> receives the message sent from the client along 2.2.3 Encryption and digital certificate<br /> with the user's name, it will hash the user's Applications conduct transactions with the web<br /> password stored on the server to get the hash service through sending access requests to<br /> value. If the hash value matches the message the resources. After identifying and checking access,<br /> user sent, the authentication is successful. data exchange will be performed between the<br /> - Open authorization (OAuth) is proposed when client application and the web service. The typical<br /> the need to share resources between applications, format of information is now either XML or<br /> also known as resource sharing to third parties, JSON. They are two plain texts so the information<br /> without having to share that user's credentials. can be read by anyone. Therefore, the data<br /> The first version of OAuth is 1.0 and it is a transmission channel between client application<br /> protocol. This version works in three steps: (1) and web service must be secured through HTTPS<br /> The client sends a temporary confirmation request protocol. The HTTPS protocol is designed to<br /> to the server; (2) The server performs a temporary secure HTTP by allowing it to work over<br /> validation process and allows the real access SSL/TLS protocols (IBM 2018).<br /> request to be granted a temporary token (token); 3. IMPLEMENTING WEB SERVICE<br /> (3) The server returns the client access token SECURITY POLICIES FOR<br /> (Access token) based on provisional credentials EDUCATION DATABASE SYSTEM<br /> and temporary tokens. Version OAuth 2.0 was<br /> 3.1 Education database system of An Giang<br /> released in 2012 to improve the limitations of<br /> province<br /> OAuth 1.0. Version 2.0 is seen as a framework<br /> and is used today (Hardt 2012).<br /> <br /> <br /> APPLICATIONS<br /> RESTFUL WEB SERVICE<br /> <br /> AGEDU AGEDU AGEDU AGEDU<br /> HRM SCHOOL EAM FM<br /> <br /> Figure 2. Achitecture model of education database system<br /> <br /> <br /> <br /> <br /> 77<br /> AGU International Journal of Sciences – 2019, Vol. 7 (4), 74 – 81<br /> <br /> The education database system of An Giang employee group have access only to resources<br /> province, referred to as the “database system,” belonging to this user level.<br /> aims to support the management and In addition, each user will be assigned to one or<br /> administration of the provincial education sector. more roles. Each role is linked to the right to<br /> The system includes a database of four access one of the four components of the<br /> components: human resource management database. For example, users who are teachers in<br /> (HRM), school management, equipment - asset the employee group should only be allowed to<br /> management (EAM), and financial management access the school database, while the accountants<br /> (FM) such as Figure 2. The database system is in the staff group should also have access to the<br /> designed on the basis of RESTFul web service financial database.<br /> architecture (Lakshmiraghavan 2013). In this<br /> 3.3 Design and implement security policies for<br /> architectural model, applications will not directly<br /> education database system<br /> access databases, but they will operate through<br /> API calls in order to access resources on web Based on reality requirement, there must be<br /> services. security policies for database system to ensure the<br /> resource access right through identifying,<br /> The number of users of the database system is<br /> verifying levels of management access, assigned<br /> substantial, with 26.000 user at various levels<br /> position and secure data exchange channel<br /> ranging from the province to districts, schools, or<br /> between applications and web services.<br /> staff. In addition, users in a unit, such as teachers,<br /> equipment managers, and accountants, will be We propose to divide the system's users into four<br /> allowed to access different resources depending user groups (Privilege): the province department<br /> on the areas assigned to them. group, the district department group, the school<br /> group and the staff group. Each user only belongs<br /> 3.2 Analysis security requirements of education<br /> to one of four user groups. The province<br /> database system<br /> department user group has the highest level of<br /> Based on reality requirement, there must be access as the access to the catalog tables of the<br /> security policies for database system to ensure the databases with all rights (read, add, delete and<br /> resource access right through identifying, edit) but the rest of the user groups are only<br /> verifying levels of management access, assigned allowed to access directory resources with read-<br /> position and secure data exchange channel only permission. District department user group,<br /> between applications and web services. only the access to the resources of the department<br /> We propose to divide the system's users into four level. Meanwhile, users belonging to the<br /> user groups (Privilege): the province department employee group have access only to resources<br /> group, the district department group, the school belonging to this user level.<br /> group and the staff group. Each user only belongs In addition, each user will be assigned to one or<br /> to one of four user groups. The province more roles. Each role is linked to the right to<br /> department user group has the highest level of access one of the four components of the<br /> access as the access to the catalog tables of the database. For example, users who are teachers in<br /> databases with all rights (read, add, delete and the employee group should only be allowed to<br /> edit) but the rest of the user groups are only access the school database, while the accountants<br /> allowed to access directory resources with read- in the staff group should also have access to the<br /> only permission. District department user group, financial database.<br /> only the access to the resources of the department<br /> level. Meanwhile, users belonging to the<br /> <br /> <br /> 78<br /> AGU International Journal of Sciences – 2019, Vol. 7 (4), 74 – 81<br /> <br /> 3.3. Design and implement security policies for education database system<br /> <br /> <br /> <br /> Web API<br /> Password<br /> <br /> Token Authorizatio<br /> n<br /> Password server OWIN<br /> Authentication Middleware<br /> Token<br /> filter<br /> User OAuth<br /> Web Database<br /> Appli- Authorization<br /> cation filter 1<br /> <br /> <br /> Authorization<br /> filter 2<br /> <br /> <br /> Resources<br /> API action AGEDU<br /> Database<br /> <br /> <br /> <br /> Figure 3. Model of authentication and authorization of the educational data system<br /> <br /> <br /> To encode content exchange between applications (d) the authorization filter 1 acts as a coarse filter,<br /> and web service as XML or JSON, we use the and will conduct inspection role of users with<br /> HTTPS protocol with the digital certificate database is accessible; (e) if users pass through<br /> provider DigiCert for the web server running the the filter 1, authorization filter 2 acts as fine-<br /> home page of the web service. We have also set grained filter, and will verify access right to the<br /> up Auditing for important tables. required API Action.<br /> Besides the security policies, the major focus of To build the proposed model, we designed an<br /> our work is improving authentication OAuth 2.0 OAuth database with 7 tables to store user<br /> model by implementing the Authorization filter 2 information (tblUsers), user roles (tblUserRoles<br /> in authorization and validation model in order to and tblRoles) and user groups and access rights to<br /> meet requirements security for web service as API's Action of each user group (tblPrivilege,<br /> Figure 3. In this model, the process of tblBusiness, tbl Permission and<br /> authentication and authorization is done according tblGrantPermission) as shown in Figure 4. In<br /> through the following steps: (a) users conduct the which tblBusiness stores information tables<br /> login process with their username and password of four database components, tbl Permission<br /> information; (b) the authorization server stores the information about the API Action of<br /> (Authorization server) confirms the login, creates data tables, tblGrantPermission stores access<br /> an access token, and sends it to applications; (c) rights each user group (Privilege) on each API<br /> the access token is sent to the authentication filter Action.<br /> along with resource access (API action) requests;<br /> <br /> <br /> 79<br /> AGU International Journal of Sciences – 2019, Vol. 7 (4), 74 – 81<br /> <br /> <br /> <br /> <br /> Figure 4. Relational schema of OAuth database<br /> We designed the algorithm of authorization filter always returns the ID of the actionName to look<br /> 2 with 3 input parameters: the name of the data for; (2) check the actionName access of the<br /> table (tblName), the name of the API Action privilege user group if the data stream containing<br /> (actionName) and user groups (privilege). This ID and privilege is found in the<br /> algorithm has 2 steps: (1) find the ID of tblGrantPermission table.<br /> actionName in the tblPermission table by the Authorization filter 2 Algorithm<br /> parameters tblName and actionName, this step<br /> <br /> input:<br /> tblName, actionName<br /> privilege<br /> output:<br /> true|false<br /> foreach r in tblPermission<br /> if (r.ControllerName == tblName and r.ActionName == actionName)<br /> then PermisID = r.PermissionID<br /> foreach r in tblGrantPermission<br /> if (r.Privilege == privilege and r.PermissionID == PermisID)<br /> then granted = r<br /> if (granted is not empty) then return true<br /> else return false<br /> <br /> <br /> <br /> We set up authentication and authorization authentication server and authorization filter 1 use<br /> policies in Microsoft Visual Studio 2017 the OWIN library (IBM 2018). This library is<br /> environment, C # programming language, based on OAuth 2.0 architecture. We also use the<br /> ASP.NET MVC platform. Four education JWT access token and use Identity framework 2.0.<br /> database components are designed and installed Authorization filter 2 is installed on the LINQ<br /> on the SQL Server 2012 with 258 tables. The<br /> <br /> <br /> 80<br /> AGU International Journal of Sciences – 2019, Vol. 7 (4), 74 – 81<br /> <br /> platform to control access to resources for the four number of data lines in the tblGrantPermission<br /> user groups mentioned in section 3.2. table is 5.580. Experimental results on the average<br /> We have carried out the running time of the running time of the authorization filter 2<br /> algorithm of Authorization filter 2 through algorithm for four user groups are shown in Table<br /> execution time of SQL query statement in SQL 1. Table 1 shows that the average running time of<br /> Server Management Studio. Information about the authorization filter 2 is negligible but the access<br /> experimental data is as follows: actionName control role of this filter is very important in<br /> number in table tblPermission is 1.540; The total controlling access to API Action resources.<br /> Table 1. Average running time of authorization filter 2 algorithm<br /> <br /> District Province<br /> User group Staff School<br /> department department<br /> <br /> Running time 15 ms 15 ms 15 ms 15 ms<br /> <br /> <br /> 4. CONCLUSION AND FUTURE WORKS De Bruijn J., Lausen H., Polleres A., & Fensel D.<br /> We have presented a solution to implement (2006) The Web Service Modeling Language<br /> security policies for education database system of WSML: An Overview. ESWC 2006.<br /> An Giang province based on web service Fielding Roy Thomas. (2000). Architectural<br /> platform. The policies include authentication, Styles and the Design of Network-based<br /> authorization, encryption and auditing. The Software Architectures (doctoral dissertation).<br /> authentication and authorization policies are University of California, Irvine.<br /> deployed in the OAuth 2.0 model with token Hardt D. (2012). The OAuth 2.0 Authorization<br /> access web JSON. We have also implemented two Framework.<br /> authorization filters with coarse and fine filtering<br /> IBM. (2018). An overview of the SSL or TLS<br /> functions into the OAuth 2.0 model to improve<br /> handshake.<br /> the efficiency of the authorization policies. In the<br /> future we will develop additional security policies Lakshmiraghavan Badrinarayanan. (2013). Pro<br /> such as those designed to combat distributed ASP.NET Web API Security.<br /> denial-of-service (DDoS) attacks. Lekha V. Bhandari and Avinash P. Wadhe (2014).<br /> REFERENCES Review Paper on Web Service Security.<br /> International Journal on Computer Science and<br /> Ardagna Claudio Agostino., Ernesto Damiani<br /> Engineering.<br /> Sabrina., De Capitani di Vimercati and<br /> Pierangela Samarati. (2006). A Web Service Peltier Thomas R. (2014). Information Security<br /> Architecture for Enforcing Access Control Fundamentals (2nd ed). New York: CRC<br /> Policies. Electronic Notes in Theoretical Press.<br /> Computer Science, 142, 47–62 William Stallings. (2011). Cryptography and<br /> Bradley J., Nat. Sakimura., Michael., & Jones. Network Security: Principles and Practice (5th<br /> (2016). JSON Web Token (JWT). ed). Prentice Hall.<br /> <br /> <br /> <br /> <br /> 81<br />