2019, Journal of International Technology and Information Management
The lack of a descriptive language and security guidelines poses a big challenge to implementing security in Representational State Transfer (REST) architecture. There is over reliance on Secure Socket Layer/Transport Layer Security (SSL/TLS), which in recent times has proven to be fallible. Some recent attacks against SSL/TLS include: POODLE, BREACH, CRIME, BEAST, FREAK etc. A secure messaging protocol is implemented in this work. The protocol is further compiled into a reusable library which can be called by other REST services. The library can be reused by .NET applications and the implementation steps can also be followed by other REST services developers using other platforms.
Security is not taken into account by default in the Representational State Transfer (REST) architecture, but its layered architecture provides many opportunities for implementing it. In this paper, a security mechanism for Web Service communication through mobile client devices is proposed that conforms to the REST architecture as much as possible. This approach has been inspired by some known security mechanisms, but implemented in such a way that it focusses on statelessness and aims to be lightweight. Results indicate that the custom security mechanism outperforms the Transport Layered Security (TLS) based system. Because of the genericness of REST, the proposed security mechanism can be adopted by a wide variety of other RESTful Web Services.
2003
General-purpose operating systems provide a rich computing environment both to the user and the attacker. The declining cost of hardware and the growing security concerns of software necessitate a revalidation of the many assumptions made in network service architectures. Enforcing sound design principles while retaining usability and flexibility is key to practical security. Poly 2 is an approach to build a hardened framework for network services from commodity hardware and software. Guided by well-known security design principles such as least common mechanism and economy of mechanism, and driven by goals such as psychological acceptability and immediate usability, Poly 2 provides a secure platform for network services. It also serves as a testbed for several security-related research areas such as intrusion detection, forensics, and high availability. This paper discusses the overall design and philosophy of Poly 2, presents an initial implementation, and outlines future work.
Media Dialogues, 2022
The research paper on "Innovative Web Services Technologies and Security Protocols" will explore: (a) the purpose of the SOAP protocol, (b) the shortcomings of the SOAP protocol, (c) the existence of possible security vulnerabilities within the SOAP protocol and (d) protection options. In addition to the research part, the paper will also apply the scientific method of content analysis based on which certain definitions of WEB services will be given, such as: XML, XACML, JSON, AJAX and REST. Also, theoretically will be explained in detail: web services, web services model with security standards and protocols such as: AJAX protocol, SOAP protocol, IPSec protocol and REST state transfer. In addition to these protocols and XML as an extensible language for tagging data and documents, an indispensable part of web services are formats such as: HTML 5.3 and JSON open standard for formatting data when transferring between applications that will also be covered by research. In addition to the above, various protocols used by IPSec will be presented in the paper, such as: AH protocol, ESP protocol and IKEv2 protocol. The paper will also present the results of a survey on the topic: "Web application programming".
2006
The process of transmitting information on the Internet over an insecure channel is vulnerable to many attacks. The significant growth of Web Services for information sharing on the Internet highlights the need of a communications channel security solution. Existing solutions are designed to work at the network layer, leaving higher layers prone to vulnerabilities. This research addresses these security limitations by providing a communication channel security solution at the application layer. The proposed solution, SecureWS provides an encrypted and authenticated communication channel without introducing substantial latency in communication.
Network and internet applications are growing rapidly in the recent past. These applications are used by thousands of users and controlled by different administrative entities. It is mainly used as an efficient means for communication, entertainment and education. With the rapid growth of internet, there is a need for protecting confidential data. The Internet was however originally designed for research and educational purpose, not for commercial applications. So internet was not designed with security in mind. As the internet grows the existing security framework was not adequate for modern day applications. The main reason was due to the lack of security services in the TCP/IP Protocol Suite. The lack of authentication mechanism of TCP/IP Protocol Suite is mainly due to the poor protection mechanism of packets and broadcast nature of the lower layer protocols. Moreover there is no protection for the application layer of the network model. This paper presents the proposed security architecture for the TCP/IP Protocol Suite.
I. INTRODUCTION
This work aims to investigate a large number of security approaches adopted in the TCP/IP Protocol Suite and to propose a new architecture for the existing model. The first contribution of this work was to provide the security for applications of the application layer protocols. The second aspect of the work was to enhance the security for the internet control message protocol which is one of the main protocols that was used by the network managers for troubleshooting the networks. The third and very important aspect of this research was to provide the security for Real Time Applications. The Internet today is being used by billions of users for a large variety of commercial and non commercial purposes. It is controlled by different entities. [1] pointed out that Internet is mainly used as an efficient means for communication, entertainment and education.
There is a need for protecting confidential data because of the rapid growth of Internet. The current version of IP Protocol namely IPv6 comes with built in security mechanism called IPSec [2]. IPSec provides security services at the IP layer by enabling a system to select required security protocols to determine the cryptographic algorithms to use for the services and put in place of any cryptographic keys required to provide the security services. But IPSec does not provide any security for applications in application layer. Internet Control Message Protocol attacks are still possible, which is a major setback of IPv6. The usage of current version of Internet and TCP/IP Suite results in many flaws such as: Spoofing is a situation in which one person or program successfully masquerades as another by falsifying data and thereby gaining an illegitimate advantage. Repudiation is the ability of users to deny that they performed specific actions
Journal of Telecommunications System & Management, 2016
The security and interoperability of an adopted and advanced architecture within heterogeneous components, based on the Open Geospatial Consortium (OGC) Sensor Web Enablement Architecture (SWE) and RESTful web service, requires integrity and confidentiality in the different communication protocol. The work in this paper aims to propose a security protocol of communication between the sensors based on SWE services and the adopted RESTful interface. RESTful services are considered a versatile lightweight solution relied upon by a number of advanced web services, at the same time, RESTful services suffer from a lack of meta-data description concerning security requirements. In this way, we introduce the REST security protocol to provide secure data transfer service which will implement a secure lightweight sensor message, together with its quality and its performance analysis when compared to equivalent WS-security configuration. As a result of this study, a new approach has been presented to providing security for an adopted RESTful architecture model with OGC's SWE services. The security approach presented demonstrated the efficiency of the secured JSON message in terms of communication time and size reduction.
With the growth of web services, security issues based on heterogeneous platform have become gradually more prominent. Web services Security provides basic means to secure SOAP messages. Secure transmission of SOAP messages plays an essential task for the applicability of Web Services. The main confront to the secure transmission of SOAP messages includes: confidentiality, authentication, integrity, and both-party no repudiation. We explored and procure advantage of existing technologies to propose a Prototype of Secure Transmission (POST) for the main mechanism of Web Services security and secure communication between client and web server in heterogeneous platform. The study in this paper indicates that for the basic requirement towards secure transmission of SOAP messages, our Prototype of Secure Transmission (POST) is ensuring a high level security to SOAP message transmission over heterogeneous platform.
This research paper is simply the gathering of recent developments in the field of Hybrid cryptography and its application in the designing of a hybrid security protocol for online transaction based on Hybrid cryptography. A new security protocol for on-line transaction can be designed using combination of both symmetric and asymmetric cryptographic techniques known as Hybrid cryptography. This protocol serves three very important cryptographic primitives-integrity, confidentiality and authentication. Each of the so called cryptographic primitive is provided or fulfilled by the particular symmetric or asymmetric cryptographic techniques. The symmetric cryptographic algorithms are fast as compared to asymmetric cryptographic algorithms, so when both symmetric and asymmetric algorithms are used in tandem or together in a proper way, then the result is very encouraging in terms of providing high security with fast speed. With the help of this survey paper, we tried to encapsulate all the developments introduce in the designing of new security protocol for On-line transaction and its importance is very much evident from the fact that Communication has a major impact on today's business. It is desired to communicate data with high security and in less amount of time. At present, various types of cryptographic algorithms provide high security to information on controlled networks. These algorithms are required to provide data security and users authenticity. A Hybrid security protocol has been designed for better security using a combination of both symmetric and asymmetric cryptographic algorithms.
Current web service platforms (WSPs) often perform all web services-related processing, including security-sensitive information handling, in the same protection domain. Consequently, the entire WSP may have access to security-sensitive information such as credit card numbers, forcing us to trust a large and complex piece of software. To address this problem, we propose ISO-WSP, a new middleware architecture that decomposes current WSPs into two parts executing in separate protection domains: (1) a small trusted T-WSP to handle security-sensitive data, and (2) a large, legacy untrusted U-WSP that provides the normal WSP functionality, but uses the T-WSP for security-sensitive data handling. By restricting security-sensitive data access to T-WSP, ISO-WSP reduces the software complexity of trusted code, thereby improving the testability of ISO-WSP. To achieve end-to-end security, the application code is also decomposed into two parts, isolating a small trusted part from the remaining untrusted code. The trusted part encapsulates all accesses to security-sensitive data through a Secure Functional Interface (SFI). To ease the migration of legacy applications to ISO-WSP, we developed tools to translate direct manipulations of security-sensitive data by the untrusted part into SFI invocations. Using a prototype implementation based on the Apache Axis2 WSP, we show that ISO-WSP reduces software complexity of trusted components by a factor of five, while incurring a modest performance overhead of few milliseconds per request. We also show that existing applications can be migrated to run on ISO-WSP with minimal effort: a few tens of lines of new and modified code.
Electronic Notes in Theoretical Computer Science, 2006
XML and Web Services security specifications define elements to incorporate security tokens within a SOAP message. We propose a method for mapping such messages to an abstract syntax in the style of Dolev-Yao, and in particular Casper notation. We show that this translation preserves flaws and attacks. Therefore we provide a way for all the methods, and specifically Casper and FDR, that have been developed in the last decade by the theoretical community for the analysis of cryptographic protocols to be used for analysing WS-Security protocols. Finally, we demonstrate how this technique can be used to prove properties and discover attacks upon a proposed Microsoft WS-SecureConversation protocol.
International Conference on Recent Achievements in …, 2009
Web services use tokens provided by the WS-Security standard to implement security protocols. We propose several extensions to the WS-Security standard, including name types, key and random number extensions. The extensions are used to implement existing protocols such as ISO9798, Kerberos or BAN-Lowe. The advantages of using these implementations rather than the existing, binary ones, are inherited from the advantages of using Web service technologies, such as extensibility and end-to-end security across multiple environments that do not support a connection-based communication.
Internet of Things (IoT), a revolution in the ordinary life of people, transforming the global IT landscape, the development strategy of different types of businesses in various sectors and much more. Due to the various flaws like limited energy, low processing power, lossy wireless links, constrained storage of the IoT devices; it's the need of the hour that security should be the trivial enabler of IoT. Till date, no silver bullet exists that can effectively implement security in IoT on devices. The closed source security solutions do not help to inculcate security in IoT so that they can communicate securely. The proposed system aims at the implementation of security for authentication and communication of the constrained as well as non-constrained devices in a network. The communication between the devices is established through a proxy server. Depending on various factors like timestamp, the developed application using .net framework detects and blocks the access to the attacker.
The world has become increasingly interconnected in terms of technology. The use of internet has grown dramatically. Internet plays an important role for the today's business. Every organization wants to secure their moving data because significant data loss can damage the business continuity. So the necessity of network security became obvious. The goal of this paper is to overview the network layer security mechanisms, Internet Protocols Security (IPSec), standard framework and end-to-end architecture. This paper also identifies the services, operation modes of IPSec and discusses the Virtual Private Network (VPN) as an application of IPSec.
2015
Service Oriented Architectures have become the new trend in the world of communication on the web. Especially web services are the high-performance specification of service-oriented architectures. The use of confidential data on the Web becomes the primary problem in the secure communication over the web. The solution proposed in this paper is a secure communication tool OCS based on the principals of SAML standard and Single Sign-On. Our solution proposes a new approach which collaborates strong points of SAML standard and single sign-on method. The implementation of this approach is in the form of a platform or a tool which provide a secure communication between web services. Thus, a future approach that exceeds the level of authentication and address the level of access control, likewise and as a further step, prepare an evaluation of the most important technologies which provide Single Sign-On possibility and secure communication context between heterogeneous web services.
EAI Endorsed Transactions on Cloud Systems, 2017
Web Services are software snippets that can be integrated in HTTP and XML based messages based on web technology. Security plays a crucial role in web services. Web services provide a basis for system integration without any programming language and operating system constraint. The security of web services is determined by the secrecy and reliability of the XML based SOAP message that are used for communication. The valuable data stored on computers and servers over the internet need to be secured based on information security features. The security of web services is an important part and security algorithms using encryption techniques are implemented in web services for key generation and encryption of the messages in SOAP and RESTful Services, to provide more secure communication between two electronic devices. Our work focuses on a systematic study on the security features provided by SOAP and RESTful Services and tries to address the different issues faced in security and presents the research scope in the area of web security.
Proceedings of the World Congress on …, 2011
The main objective of this paper is to improve the end-to-end security properties of information flow in web-based applications which requires simple end-point software and extensions to existing security protocols. Web Service Platform (WSP) and ISO-WSP often perform all Web-service-related processing including security-sensitive information in the same protection domain, so the entire WSP may have access to security-sensitive information. To address this problem, an attempt is being made to develop a new architecture that decomposes the current WSPs into three parts executing in the separate protection domain.
2018
Security is an important factor in every application but client, server and the communication channel in distributed applications (with distributed databases as back end) are even more exposed to outside attacks. When choosing REST service, many factors should be considered. The most important of these factors are confidentiality, Integrity, Authentication, Authorization, Non-repudiation, and Availability. When determining REST service model will be more secure for a particular application, the decision should not be made on the basis of available security features. In this paper we tried best to enlighten the design issues and security issues of REST web service and gave the suggestion to improve design and security issues of REST web services. This paper will observe the fundamental features of the REST web service model. The design will improve scalability, accessibility and flexibility. We suggested some solutions for security aspects such as confidentiality, Integrity, Authenti...
Applied Sciences, 2018
Security protocols are integral to the protection of cyberspace against malicious attacks. Therefore, it is important to be confident in the security of a security protocol. In previous years, people have worked on security of security protocol abstract specification. However, in recent years, people have found that this is not enough and have begun focusing on security protocol implementation. In order to evaluate the security of security protocol implementations, in this paper, firstly, we proposed the Message Construction to Security Protocol Implementation (MCSPI), a message construction method based on application programming interface (API) traces, which automatically generates the constructed client valid request messages. Then, we presented the Security Analysis Scheme (SAS), a security analysis scheme that generates an abstract model of a security protocol server. Next, we proposed a security analysis method to evaluate the security of security protocol implementations on t...