Implementing web service security policies for education database system


Document information

In this article, we analyze the information security risks of web services, evaluate existing solutions, and then select the most effective policies for the education database system. We have implemented security policies including authentication and authorization, in which authentication is based on OAuth 2.0 and JSON web tokens (JWT).

AGU International Journal of Sciences – 2019, Vol (4), 74 – 81

IMPLEMENTING WEB SERVICE SECURITY POLICIES FOR EDUCATION DATABASE SYSTEM

Nguyen Hoang Tung¹, Nguyen Van Hoa¹
¹ An Giang University, VNU - HCM

Information: Received: 20/02/2019; Accepted: 29/03/2019; Published: 11/2019
Keywords: Web service, security, identification, authentication, authorization

ABSTRACT

Today, information security is particularly relevant when considering the increasing risk of information security when exchanging data on the Internet between applications and web services. In this article, we analyze the information security risks of web services, evaluate existing solutions, and then select the most effective policies for the education database system. We have implemented security policies including authentication and authorization, in which authentication is based on OAuth 2.0 and JSON web tokens (JWT). We have also implemented two authorization filters, with the roles of raw authorization filter and fine-grained authorization filter, for improving the effectiveness of the authorization. Experimental results show that the running time of the fine-grained authorization filter is negligible.

INTRODUCTION

Today, the exchange of information on the Internet is ever-expanding. Therefore, the need for information security when exchanging information is an urgent and vital requirement for robust information systems. The exchange of information on the Internet often contains a lot of risks because of the constant attacks of many parties in order to eavesdrop on the content of information, change messages, impersonate and replay information. According to an announcement by the Information Security Department on May 9, 2016, Vietnam is ranked only 76 out of 196 countries and territories on information security metrics. Therefore, in order to minimize the risks of information exchange on the Internet when deploying a new information system, we need to analyze and assess information security risks, from which we will select and implement synchronous information security policies.

In the era of the information explosion, web technology has become a familiar and widely used platform. Many large organizations, such as Google, Amazon, Ebay, Paypal, and Facebook, have made substantial strides thanks to the development of websites based on the web service platform. Web services help web developers build distributed applications with a large number of users in many different locations, which client/server models cannot support (Bruijn et al 2016). Unlike the traditional client/server models, a web service doesn't provide a graphical interface. Instead, a web service provides standard methods to share and process data through the interface of the application. A web service is a systematic application designed to support interoperability between applications running on different information technology platforms, adopting XML or JSON, SOAP, WSDL, UDDI and internet protocols (Ardagna et al 2006).

Web service resources are defined by a URL to perform functions and provide information to other applications when required. A web service is established by synthesizing functions and packaging them so that other applications can easily access them, and it also can send information requests to another

As we know, common security standards for information system transactions on the Internet often have to focus on criteria such as identification, authentication, authorization, integrity, auditing and confidentiality (Peltier 2014). Therefore, the following security standard is the standard for web service security for access protocol (SOAP) and the extension of this protocol (Bhandari and Wadhe 2014).

The trend of developing information systems based on web services is inevitable because of its advantages. However, this particular trend faces many challenges, many of which are related to information security. In this article, we will focus on introducing the challenges of information security for web services as well as common solutions. Based on that, we select and implement effective policies for the education database system of An Giang province.

The next section presents the existing information security policies for web services. The third section is composed of an analysis of security requirements, and a resulting selection and construction of security policies for the education database system of An Giang province. Conclusions and directions are addressed in the final section.

WEB SERVICE SECURITY POLICIES

2.1 Web service component model

Web services include main components: SOAP, WSDL and UDDI. The relationship between the three standards that organize the web service architecture is presented in the figure below. The web service architecture includes a set of network protocols to define, locate, implement and create a web service to interact with other applications or services. In particular, UDDI is used to register and discover a web service that has been described specifically in WSDL. A UDDI transaction uses SOAP to communicate with the UDDI server, then SOAP requests a web service. SOAP messages are sent by the HTTP and TCP/IP protocols.

[Figure: Web service overview. Labels: UDDI (service registry), describe service (WSDL), publish service, find service, SOAP messages, service consumer, service provider.]

Two of the four main components of the web service protocols are Service Transport and XML messages. Service Transport transmits messages between network applications, including protocols such as HTTP, SMTP, FTP, and protocol JSM given constant expansion blocks (Blocks Extensible Exchange Protocol - BEEP). XML messages are responsible for decoding messages in XML format so that they can be understood at the application level to interact with the user. Currently, the protocols that perform this task are SOAP and REST (Fielding 2000).

2.2 Web service security policies

Web services allow linking and interacting with applications via the Internet, so security is an issue of top concern when combining applications with a web service. Implementing security policies for web services is very important to protect information from unauthorized access. A secure information system is a system where the processed information must ensure three characteristics (Stallings 2011):

- Confidentiality: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. A loss of confidentiality is characterized by the unauthorized disclosure of information.
- Integrity: Guarding against improper information modification or destruction, including ensuring information nonrepudiation and authenticity. A loss of integrity is constituted by the unauthorized modification or destruction of information.
- Availability: Ensuring timely and reliable access to and use of information. A loss of availability is the disruption of access to or use of information or an information system.

Based on the three characteristics of a secure information system, the security policies of the proposed web service include identity management, authentication and authorization, encryption and digital certificates.

2.2.1 Identity management

Web services may be public or have access points available for public data, but there are also many access points that need to be controlled in resource intensive applications. In order to enforce access control, the issuing entity must first be identified and authenticated, which is a process known as identity management. Identity management includes two important elements: authentication and authorization.

Authentication is the process of identifying an entity through an identifier and verifying identity through the authentication of information provided by the competent authority. Users can authenticate identity through one of three types of login information: what the person knows/remembers (such as passwords, PINs); what users own (such as certificates, USB dongles); and what belongs to the user (such as fingerprints).

When an identity authentication is set, the application can access and control resources based on this identity. This process is called authorization. A simple application can allow access to significant resources entirely based on identity. However, most applications have policies allowing access based on attributes, such as role, that are linked with the authenticated identity. Role-based security is the most commonly used security model in organizations or business applications. A key benefit of using a model with this layout is that it is easy to organize users. Access rights are not granted directly to an individual user, but to an abstraction called a role. The user is assigned to one or more roles, through which the user will have access to the resources.

2.2.2 Authentication and authorization methods

- Basic authentication is part of the description of the HTTP protocol (Lakshmiraghavan 2013). This authentication process occurs when the client requests resources that need to be authenticated. The authentication server then sends the code containing the status of unauthorized access. The client must then send an authorization header containing the login credentials. If the login information is valid, the server will reply with the status of a successful login.
- Authentication messages are also part of the HTTP protocol, but they differ from basic authentication because the actual password is not sent to the server, and instead a hash code, message authentication code, or a message code is sent (Lakshmiraghavan 2013). When the server receives the message sent from the client along with the user's name, it will hash the user's password stored on the server to get the hash value. If the hash value matches the message the user sent, the authentication is successful.
- Open authorization (OAuth) was proposed for the need to share resources between applications, also known as resource sharing to third parties, without having to share the user's credentials. The first version of OAuth is 1.0 and it is a protocol. This version works in three steps: (1) The client sends a temporary confirmation request to the server; (2) The server performs a temporary validation process and allows the real access request to be granted a temporary token (token); (3) The server returns the client access token (Access token) based on provisional credentials and temporary tokens. Version OAuth 2.0 was released in 2012 to improve on the limitations of OAuth 1.0. Version 2.0 is seen as a framework and is used today (Hardt 2012).
- An access token (Access Token) is a string representing the authorization given to the client. Because the access token is issued by an authorization server and used by the resource server, OAuth 2.0 does not specify how the access token should be structured or formatted. This depends on the resource server and the authorization server. Access tokens can be generated according to some specifications such as simple web tokens (SWT) or JSON web tokens (JWT) (Bradley 2016).

2.2.3 Encryption and digital certificate

Applications conduct transactions with the web service by sending access requests to resources. After identifying and checking access, data exchange will be performed between the client application and the web service. The typical format of information is now either XML or JSON. Both are plain text, so the information can be read by anyone. Therefore, the data transmission channel between the client application and the web service must be secured through the HTTPS protocol. The HTTPS protocol is designed to secure HTTP by allowing it to work over SSL/TLS protocols (IBM 2018).

IMPLEMENTING WEB SERVICE SECURITY POLICIES FOR EDUCATION DATABASE SYSTEM

3.1 Education database system of An Giang province

[Figure: Architecture model of education database system. Labels: Applications, RESTful web service, AGEDU HRM, AGEDU SCHOOL, AGEDU EAM, AGEDU FM.]

The education database system of An Giang province, referred to as the “database system,” aims to support the management and administration of the provincial education sector. The system includes a database of four components: human resource management (HRM), school management, equipment - asset management (EAM), and financial management (FM), as in the figure above. The database system is designed on the basis of RESTful web service architecture (Lakshmiraghavan 2013). In this architectural model, applications will not directly access databases, but they will operate through API calls in order to access resources on web services.

3.2 Analysis security requirements of education database system

Based on real requirements, there must be security policies for the database system to ensure the resource access right through identifying, verifying levels of management access, assigned position and a secure data exchange channel between applications and web services.

The number of users of the database system is substantial, with 26.000 users at various levels ranging from the province to districts, schools, or staff. In addition, users in a unit, such as teachers, equipment managers, and accountants, will be allowed to access different resources depending on the areas assigned to them.

We propose to divide the system's users into four user groups (Privilege): the province department group, the district department group, the school group and the staff group. Each user belongs to only one of the four user groups. The province department user group has the highest level of access, with access to the catalog tables of the databases with all rights (read, add, delete and edit), but the rest of the user groups are only allowed to access directory resources with read-only permission. The district department user group has access only to the resources of the department level. Meanwhile, users belonging to the employee group have access only to resources belonging to this user level.

In addition, each user will be assigned to one or more roles. Each role is linked to the right to access one of the four components of the database. For example, users who are teachers in the employee group should only be allowed to access the school database, while the accountants in the staff group should also have access to the financial database.

3.3 Design and implement security policies for education database system

[Figure: Model of authentication and authorization of the educational data system. Labels: User, Web application, Web API, password, token, Authorization server, OWIN middleware, OAuth database, Authentication filter, Authorization filter (shown twice), Resources API action, AGEDU database.]

To encrypt the content exchanged between applications and the web service as XML or JSON, we use the HTTPS protocol with the digital certificate provider DigiCert for the web server running the home page of the web service. We have also set up auditing for important tables.

Besides the security policies, the major focus of our work is improving the OAuth 2.0 authentication model by implementing the authorization filter in the authorization and validation model in order to meet the security requirements for the web service, as in the figure above. In this model, the process of authentication and authorization is done through the following steps:

(a) users conduct the login process with their username and password information;
(b) the authorization server (Authorization server) confirms the login, creates an access token, and sends it to applications;
(c) the access token is sent to the authentication filter along with resource access (API action) requests;
(d) the authorization filter acts as a coarse filter, and will inspect the role of users against the database to be accessed;
(e) if users pass through the filter 1, the authorization filter acts as a fine-grained filter, and will verify the access right to the required API Action.

To build the proposed model, we designed an OAuth database with tables to store user information (tblUsers), user roles (tblUserRoles and tblRoles), and user groups and access rights to the API Actions of each user group (tblPrivilege, tblBusiness, tblPermission and tblGrantPermission), as shown in the figure below. Here tblBusiness stores information about the tables of the four database components, tblPermission stores the information about the API Actions of data tables, and tblGrantPermission stores the access rights of each user group (Privilege) on each API Action.

[Figure: Relational schema of OAuth database.]

We designed the algorithm of the authorization filter with input parameters: the name of the data table (tblName), the name of the API Action (actionName) and the user group (privilege). This algorithm has steps: (1) find the ID of actionName in the tblPermission table by the parameters tblName and actionName; this step always returns the ID of the actionName to look for; (2) check the actionName access of the privilege user group: access is granted if a row containing the ID and the privilege is found in the tblGrantPermission table.

    Authorization filter algorithm
    input: tblName, actionName, privilege
    output: true|false
    // step 1: find the permission ID of the requested API Action
    foreach r in tblPermission
        if (r.ControllerName == tblName and r.ActionName == actionName) then
            PermisID = r.PermissionID
    // step 2: look for a grant of that permission to the user group
    foreach r in tblGrantPermission
        if (r.Privilege == privilege and r.PermissionID == PermisID) then
            granted = r
    if (granted is not empty) then return true
    else return false

We set up the authentication and authorization policies in the Microsoft Visual Studio 2017 environment, with the C# programming language on the ASP.NET MVC platform. The four education database components are designed and installed on SQL Server 2012 with 258 tables. The authentication server and authorization filter use the OWIN library (IBM 2018). This library is based on the OAuth 2.0 architecture. We also use the JWT access token and Identity framework 2.0. The authorization filter is installed on the LINQ platform to control access to resources for the four user groups mentioned in section 3.2.

We have measured the running time of the authorization filter algorithm through the execution time of the SQL query statement in SQL Server Management Studio. Information about the experimental data is as follows: the number of actionName entries in table tblPermission is 1.540; the total number of data lines in the tblGrantPermission table is 5.580. Experimental results on the average running time of the authorization filter algorithm for the four user groups are shown in the table below. The table shows that the average running time of the authorization filter is negligible, but the access control role of this filter is very important in controlling access to API Action resources.

Table: Average running time of authorization filter algorithm

    User group      Staff    School   District department   Province department
    Running time    15 ms    15 ms    15 ms                 15 ms

CONCLUSION AND FUTURE WORKS

We have presented a solution to implement security policies for the education database system of An Giang province based on the web service platform. The policies include authentication, authorization, encryption and auditing. The authentication and authorization policies are deployed in the OAuth 2.0 model with JSON web token access tokens. We have also implemented two authorization filters with coarse and fine filtering functions in the OAuth 2.0 model to improve the efficiency of the authorization policies. In the future we will develop additional security policies such as those designed to combat distributed denial-of-service (DDoS) attacks.

REFERENCES

Ardagna Claudio Agostino, Ernesto Damiani, Sabrina De Capitani di Vimercati and Pierangela Samarati (2006). A Web Service Architecture for Enforcing Access Control Policies. Electronic Notes in Theoretical Computer Science, 142, 47–62.

Bradley J., Nat Sakimura, & Michael Jones (2016). JSON Web Token (JWT).

De Bruijn J., Lausen H., Polleres A., & Fensel D. (2006). The Web Service Modeling Language WSML: An Overview. ESWC 2006.

Fielding Roy Thomas (2000). Architectural Styles and the Design of Network-based Software Architectures (doctoral dissertation). University of California, Irvine.

Hardt D. (2012). The OAuth 2.0 Authorization Framework.

IBM (2018). An overview of the SSL or TLS handshake.

Lakshmiraghavan Badrinarayanan (2013). Pro ASP.NET Web API Security.

Lekha V. Bhandari and Avinash P. Wadhe (2014). Review Paper on Web Service Security. International Journal on Computer Science and Engineering.

Peltier Thomas R. (2014). Information Security Fundamentals (2nd ed). New York: CRC Press.

William Stallings (2011). Cryptography and Network Security: Principles and Practice (5th ed). Prentice Hall.
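The two authorization filters of section 3.3, as an added example that is not the authors' code: a coarse role-to-component check followed by the fine-grained tblPermission/tblGrantPermission lookup, written as a LINQ join so that an action missing from tblPermission is denied. The sample rows, the column shapes given to tblBusiness and the role table, and the class name AuthorizationFilterDemo are assumptions.

```csharp
using System;
using System.Linq;

// Added example, not the authors' code. ControllerName, ActionName, PermissionID and
// Privilege are the columns used in the paper's pseudocode; all rows are constructed.
static class AuthorizationFilterDemo
{
    static readonly (int PermissionID, string ControllerName, string ActionName)[] TblPermission =
    {
        (1, "Teacher", "Get"), (2, "Teacher", "Delete"), (3, "Invoice", "Get"),
    };

    static readonly (string Privilege, int PermissionID)[] TblGrantPermission =
    {
        ("Province", 1), ("Province", 2), ("Province", 3),
        ("School", 1), ("School", 3),
    };

    // Assumed shape of tblBusiness: the database component that owns each data table.
    static readonly (string ControllerName, string Component)[] TblBusiness =
    {
        ("Teacher", "SCHOOL"), ("Invoice", "FM"),
    };

    // Assumed shape of the role tables: the one component each role opens.
    static readonly (string Role, string Component)[] TblRoles =
    {
        ("Teacher", "SCHOOL"), ("Accountant", "FM"),
    };

    // Filter 1 (coarse): does one of the user's roles open the component owning the table?
    public static bool CoarseFilter(string[] userRoles, string tblName)
    {
        string owner = TblBusiness.Where(b => b.ControllerName == tblName)
                                  .Select(b => b.Component)
                                  .FirstOrDefault();
        if (owner == null) return false;   // table not registered: deny
        return TblRoles.Any(r => r.Component == owner && userRoles.Contains(r.Role));
    }

    // Filter 2 (fine-grained): the paper's two loops expressed as one join. An action that
    // is missing from TblPermission produces no joined row, so the result is a denial
    // rather than a comparison against a leftover or unset PermisID.
    public static bool FineFilter(string tblName, string actionName, string privilege)
    {
        return (from p in TblPermission
                where p.ControllerName == tblName && p.ActionName == actionName
                join g in TblGrantPermission on p.PermissionID equals g.PermissionID
                where g.Privilege == privilege
                select g).Any();
    }

    // Both filters must pass; the fine-grained lookup runs only after the coarse one.
    public static bool IsAuthorized(string[] roles, string privilege, string tblName, string actionName)
        => CoarseFilter(roles, tblName) && FineFilter(tblName, actionName, privilege);

    static void Main()
    {
        var teacher = new[] { "Teacher" };
        // Role and user group both cover the request.
        Console.WriteLine(IsAuthorized(teacher, "School", "Teacher", "Get"));
        // Probes filter 1: no teacher role opens the FM component that owns Invoice.
        Console.WriteLine(IsAuthorized(teacher, "School", "Invoice", "Get"));
        // Probes filter 2: the School group holds no grant on Teacher/Delete.
        Console.WriteLine(IsAuthorized(teacher, "School", "Teacher", "Delete"));
        // Probes the unregistered-action case: Teacher/Export is not in TblPermission.
        Console.WriteLine(IsAuthorized(teacher, "Province", "Teacher", "Export"));
    }
}
```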

Date posted: 11/01/2020, 19:42
