IMPLEMENTING WEB SERVICE SECURITY POLICIES FOR EDUCATION DATABASE SYSTEM
Nguyen Hoang Tung, Nguyen Van Hoa (An Giang University, VNU-HCM)
Information: Received: 20/02/2019; Accepted: 29/03/2019; Published: 11/2019
Keywords: Web service, security, identification, authentication, authorization
ABSTRACT
Today, information security is particularly relevant given the increasing risk to information when data is exchanged on the Internet between applications and web services. In this article, we analyze the information security risks of web services, evaluate existing solutions, and then select the most effective policies for the education database system. We have implemented security policies including authentication and authorization, in which authentication is based on OAuth 2.0 and JSON web tokens (JWT). We have also implemented two authorization filters, a coarse authorization filter and a fine-grained authorization filter, to improve the effectiveness of authorization. Experimental results show that the running time of the fine-grained authorization filter is negligible.
1 INTRODUCTION
Today, the exchange of information on the Internet is ever-expanding. Therefore, information security when exchanging information is an urgent and vital requirement for robust information systems. The exchange of information on the Internet carries many risks because of constant attacks by many parties seeking to eavesdrop on the content of information, change messages, impersonate parties and replay information. According to an announcement by the Information Security Department on May 9, 2016, Vietnam is ranked only 76th out of 196 countries and territories on information security metrics. Therefore, in order to minimize the risks of information exchange on the Internet when deploying a new information system, we need to analyze and assess information security risks, and on that basis select and implement coordinated information security policies.
In the era of the information explosion, web technology has become a familiar and widely used platform. Many large organizations, such as Google, Amazon, eBay, PayPal and Facebook, have made substantial strides thanks to the development of websites based on the web service platform. Web services allow developers to build distributed applications with a large number of users in many different locations, which traditional client/server models cannot handle (Bruijn et al. 2016). Unlike the traditional client/server model, a web service does not provide a graphical interface. Instead, a web service provides standard methods to share and process data through an application interface. A web service is a systematic application designed to support interoperability between applications running on different information technology platforms, adopting XML or JSON, SOAP, WSDL, UDDI and Internet protocols (Ardagna et al. 2006).
Web service resources are identified by URLs to perform functions and provide information to other applications when required. A web service is built by composing functions and packaging them so that other applications can easily access it, and it can also send information requests to other services.
As we know, common security standards for information system transactions on the Internet focus on criteria such as identification, authentication, authorization, integrity, auditing and confidentiality (Peltier 2014). Accordingly, the following security standard is the web service security standard for the Simple Object Access Protocol (SOAP) and its extensions (Bhandari and Wadhe 2014).
The trend of developing information systems based on web services is inevitable because of its advantages. However, this trend faces many challenges, many of which are related to information security. In this article, we focus on introducing the information security challenges of web services as well as common solutions. On that basis, we select and implement effective policies for the education database system of An Giang province.
The next section presents the existing web service security policies. The third section analyzes the security requirements and presents the resulting selection and construction of security policies for the education database system of An Giang province. Conclusions and future directions are addressed in the final section.
2 WEB SERVICE SECURITY POLICIES
2.1 Web service component model
Web services include three main components: SOAP, WSDL and UDDI. The relationship between these three standards, which organizes the web service architecture, is presented in Figure 1.
Figure 1 Web service overview (UDDI service registry, service description in WSDL, SOAP messages between the service and its consumer)
The web service architecture includes a set of network protocols to define, locate, implement and create a web service to interact with other applications or services. In particular, UDDI is used to register and discover web services that have been described in WSDL. A UDDI transaction uses SOAP to communicate with the UDDI server, and then SOAP requests the web service. SOAP messages are sent over the HTTP and TCP/IP protocols. Two of the four main components of the web service protocol stack are service transport and XML messaging. Service transport transmits messages between network applications, including protocols such as HTTP, SMTP, FTP and the Blocks Extensible Exchange Protocol (BEEP). XML messaging is responsible for decoding messages in XML format so that they can be understood at the application level to interact with the user. Currently, the protocols that perform this task are SOAP and REST (Fielding 2000).
2.2 Web service security policies
Web services allow applications to link and interact via the Internet, so security is a top concern when combining applications with a web service. Implementing security policies for web services is very important to protect information from unauthorized access. A secure information system is a system in which the processed information must satisfy three characteristics (Stallings 2011):
- Confidentiality: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. A loss of confidentiality is the unauthorized disclosure of information.
- Integrity: Guarding against improper information modification or destruction, including ensuring information non-repudiation and authenticity. A loss of integrity is the unauthorized modification or destruction of information.
- Availability: Ensuring timely and reliable access to and use of information. A loss of availability is the disruption of access to or use of information or an information system.
Based on these three characteristics of a secure information system, the security policies of the proposed web service include identity management, authentication and authorization, encryption and digital certificates.
2.2.1 Identity management
Web services may be public or have access points available for public data, but there are also many access points that need to be controlled in resource-intensive applications. In order to enforce access control, the requesting entity must first be identified and authenticated, a process known as identity management. Identity management includes two important elements: authentication and authorization.
Authentication is the process of identifying an entity through an identifier and verifying that identity by checking the authentication information provided against a competent authority. Users can authenticate through one of three types of login information: something the person knows or remembers (such as passwords and PINs); something the user owns (such as certificates and USB dongles); and something that is part of the user (such as fingerprints).
Once an identity is authenticated, the application can access and control resources based on this identity. This process is called authorization. A simple application can allow access to significant resources based entirely on identity. However, most applications have policies that allow access based on attributes, such as roles, that are linked to the authenticated identity.
Role-based security is the most commonly used security model in organizations and business applications. The key benefit of this model is that it is easy to organize users. Access rights are not granted directly to an individual user but to an abstraction called a role. The user is assigned to one or more roles, through which the user gains access to resources.
2.2.2 Authentication and authorization methods
- Basic authentication is part of the HTTP protocol specification (Lakshmiraghavan 2013). This authentication process occurs when the client requests resources that require authentication. The server then responds with a status code indicating unauthorized access. The client must then send an authorization header containing the login credentials. If the login information is valid, the server replies with a success status.
- Message authentication is also part of the HTTP protocol, but it differs from basic authentication because the actual password is not sent to the server; instead a hash code, a message authentication code or a message code is sent (Lakshmiraghavan 2013). When the server receives the message sent from the client along with the user's name, it hashes the user's password stored on the server to get the hash value. If the hash value matches the message the user sent, authentication succeeds.
- Open Authorization (OAuth) was proposed for sharing resources between applications, also known as resource sharing with third parties, without having to share the user's credentials. The first version of OAuth is 1.0, and it is a protocol. This version works in three steps: (1) the client sends a temporary credential request to the server; (2) the server performs a temporary validation process and grants a temporary token for the real access request; (3) the server returns the access token to the client based on the provisional credentials and the temporary token. OAuth 2.0 was released in 2012 to overcome the limitations of OAuth 1.0. Version 2.0 is regarded as a framework and is the version used today (Hardt 2012).
- An access token is a string representing the authorization given to the client. Because the access token is issued by an authorization server and used by the resource server, OAuth 2.0 does not specify how the access token should be structured or formatted. This depends on the resource server and the authorization server. Access tokens can be generated according to specifications such as simple web tokens (SWT) or JSON web tokens (JWT) (Bradley 2016).
2.2.3 Encryption and digital certificate
Applications conduct transactions with the web service by sending access requests for resources. After identification and access checks, data is exchanged between the client application and the web service. The typical information format is now either XML or JSON. Both are plain text, so the information can be read by anyone. Therefore, the data transmission channel between the client application and the web service must be secured through the HTTPS protocol. The HTTPS protocol is designed to secure HTTP by running it over the SSL/TLS protocols (IBM 2018).
3 EDUCATION DATABASE SYSTEM
3.1 Education database system of An Giang province
Figure 2 Architecture model of education database system (applications reach the AGEDU HRM, AGEDU SCHOOL, AGEDU EAM and AGEDU FM databases through a RESTful web service)
The education database system of An Giang province, referred to as the "database system," aims to support the management and administration of the provincial education sector. The system includes a database with four components: human resource management (HRM), school management, equipment and asset management (EAM), and financial management (FM), as shown in Figure 2. The database system is designed on the basis of the RESTful web service architecture (Lakshmiraghavan 2013). In this architectural model, applications do not access databases directly; instead they operate through API calls to access resources on web services.
The number of users of the database system is substantial, with 26.000 users at various levels ranging from the province to districts, schools and staff. In addition, users in a unit, such as teachers, equipment managers and accountants, are allowed to access different resources depending on the areas assigned to them.
3.2 Analysis of security requirements of the education database system
Based on practical requirements, the database system must have security policies that ensure correct resource access rights through identification, verification of management access levels and assigned positions, and a secure data exchange channel between applications and web services.
We propose to divide the system's users into four user groups (Privilege): the province department group, the district department group, the school group and the staff group. Each user belongs to only one of the four user groups. The province department user group has the highest level of access, namely access to the catalog tables of the databases with all rights (read, add, delete and edit), whereas the remaining user groups are only allowed to access catalog resources with read-only permission. The district department user group has access only to resources at the department level. Meanwhile, users belonging to the staff (employee) group have access only to resources belonging to the staff level.
In addition, each user is assigned to one or more roles. Each role is linked to the right to access one of the four components of the database. For example, teachers in the staff group should only be allowed to access the school database, while accountants in the staff group should also have access to the financial database.
3.3 Design and implement security policies for education database system
Figure 3 Model of authentication and authorization of the educational data system
To encode the content exchanged between applications and the web service as XML or JSON, we use the HTTPS protocol with a digital certificate from the provider DigiCert for the web server running the home page of the web service. We have also set up auditing for important tables.
Besides these security policies, the major focus of our work is improving the OAuth 2.0 authentication model by adding authorization filter 2 to the authorization and validation model in order to meet the security requirements of the web service, as shown in Figure 3. In this model, authentication and authorization proceed through the following steps: (a) users log in with their username and password; (b) the authorization server confirms the login, creates an access token and sends it to the application; (c) the access token is sent to the authentication filter along with resource access (API action) requests; (d) authorization filter 1 acts as a coarse filter and checks whether the user's roles allow access to the requested database; (e) if the user passes filter 1, authorization filter 2 acts as a fine-grained filter and verifies the access right to the required API action.
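The following is an added example, not code from the paper or its system, of steps (a) to (c) above together with the JWT access token discussed in section 2.2.2: the authorization server signs an HS256 JSON web token carrying the user group (privilege) and roles that the two filters later need, and the authentication filter checks it. The key, claim names and sample user are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key; a deployment keeps this in the authorization server's configuration.
SECRET_KEY = b"constructed-demo-signing-key"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as the JWT compact form requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(username, privilege, roles, ttl=3600, now=None):
    """Authorization server (step b): sign an HS256 JWT carrying the claims the filters use."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": username, "privilege": privilege, "roles": roles, "iat": now, "exp": now + ttl}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, payload))
    signature = hmac.new(SECRET_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def validate_token(token, now=None):
    """Authentication filter (step c): return the claims if the token is genuine and unexpired, else None."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
        signature = _b64url_decode(s)
    except (ValueError, UnicodeDecodeError):  # malformed base64url or JSON
        return None
    if not (isinstance(header, dict) and isinstance(claims, dict)):
        return None
    # Pin the algorithm: the verifier, not the token header, decides how the signature is checked.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(SECRET_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time comparison
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims


if __name__ == "__main__":
    token = issue_token("teacher01", "Staff", ["Teacher"])
    print(token)
    print(validate_token(token))
```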
To build the proposed model, we designed an OAuth database with 7 tables to store user information (tblUsers), user roles (tblUserRoles and tblRoles), and user groups and the access rights of each user group to API actions (tblPrivilege, tblGrantPermission), as shown in Figure 4. In this schema, tblBusiness stores information about the tables of the four database components, tblPermission stores information about the API actions of the data tables, and tblGrantPermission stores the access rights of each user group (Privilege) on each API action.
Figure 3 components: Web Application, Authorization server, Authentication filter, OWIN Middleware, Authorization filter 1, Authorization filter 2, OAuth Database (user, password, token), Resources (Web API)
Figure 4 Relational schema of OAuth database
We designed the algorithm of authorization filter 2 with three input parameters: the name of the data table (tblName), the name of the API action (actionName) and the user group (privilege). The algorithm has two steps: (1) find the ID of actionName in the tblPermission table using the parameters tblName and actionName; this step always returns the ID of the actionName being looked for; (2) check the access of the privilege user group to actionName by whether a row containing that ID and privilege is found in the tblGrantPermission table.
Authorization filter 2 Algorithm
input: tblName, actionName, privilege
output: true | false
PermisID = empty
foreach r in tblPermission
    if (r.ControllerName == tblName and r.ActionName == actionName) then
        PermisID = r.PermissionID
        break
if (PermisID is empty) then return false   // no such API action on this table
foreach r in tblGrantPermission
    if (r.Privilege == privilege and r.PermissionID == PermisID) then
        return true
return false
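The two filters of steps (d) and (e), with the algorithm above expressed as a single indexed query, as an added example that is not the paper's C#/LINQ implementation. The table and column names ControllerName, ActionName, PermissionID and Privilege follow the pseudocode; the columns of tblBusiness, the role-to-component mapping and all sample rows are constructed assumptions.

```python
import sqlite3

# Constructed schema. ControllerName, ActionName, PermissionID and Privilege follow the paper's
# pseudocode; the columns of tblBusiness and the role-to-component mapping are assumptions.
SCHEMA = """
CREATE TABLE tblBusiness (TableName TEXT PRIMARY KEY, Component TEXT NOT NULL);
CREATE TABLE tblPermission (PermissionID INTEGER PRIMARY KEY, ControllerName TEXT, ActionName TEXT);
CREATE TABLE tblGrantPermission (Privilege TEXT, PermissionID INTEGER REFERENCES tblPermission);
CREATE INDEX ix_perm ON tblPermission (ControllerName, ActionName);   -- keeps step (1) a seek
CREATE INDEX ix_grant ON tblGrantPermission (Privilege, PermissionID); -- keeps step (2) a seek
"""
# Which database component each role may reach: the coarse check of authorization filter 1.
ROLE_COMPONENTS = {"Teacher": "SCHOOL", "Accountant": "FM", "EquipmentManager": "EAM", "HRStaff": "HRM"}


def open_oauth_db():
    """Build the in-memory OAuth database with constructed sample rows."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO tblBusiness VALUES (?, ?)",
                    [("Teacher", "SCHOOL"), ("Pupil", "SCHOOL"), ("Invoice", "FM"), ("Asset", "EAM")])
    con.executemany("INSERT INTO tblPermission VALUES (?, ?, ?)",
                    [(1, "Teacher", "Get"), (2, "Teacher", "Post"), (3, "Invoice", "Get"),
                     (4, "Invoice", "Post"), (5, "Asset", "Get")])
    # The province group holds every right; the other groups are read-only on these tables.
    con.executemany("INSERT INTO tblGrantPermission VALUES (?, ?)",
                    [("Province", 1), ("Province", 2), ("Province", 3), ("Province", 4), ("Province", 5),
                     ("District", 1), ("District", 3), ("School", 1), ("School", 5),
                     ("Staff", 1), ("Staff", 3)])
    return con


def coarse_filter(con, roles, tbl_name):
    """Authorization filter 1: does one of the user's roles cover the component that owns tbl_name?"""
    row = con.execute("SELECT Component FROM tblBusiness WHERE TableName = ?", (tbl_name,)).fetchone()
    return row is not None and any(ROLE_COMPONENTS.get(r) == row[0] for r in roles)


def fine_filter(con, tbl_name, action_name, privilege):
    """Authorization filter 2: the paper's two lookups as one indexed join. An unknown
    (tbl_name, action_name) pair yields no row and is therefore denied, not an error."""
    row = con.execute(
        """SELECT 1 FROM tblPermission p
           JOIN tblGrantPermission g ON g.PermissionID = p.PermissionID
           WHERE p.ControllerName = ? AND p.ActionName = ? AND g.Privilege = ?
           LIMIT 1""", (tbl_name, action_name, privilege)).fetchone()
    return row is not None


def authorize(con, claims, tbl_name, action_name):
    """Steps (d) and (e): the fine-grained filter runs only if the coarse filter passes."""
    if not coarse_filter(con, claims.get("roles", []), tbl_name):
        return False
    return fine_filter(con, tbl_name, action_name, claims.get("privilege", ""))


if __name__ == "__main__":
    db = open_oauth_db()
    teacher = {"sub": "teacher01", "privilege": "Staff", "roles": ["Teacher"]}
    print(authorize(db, teacher, "Teacher", "Get"), authorize(db, teacher, "Teacher", "Post"))
```

The two composite indexes are what keep both lookups at seek cost as tblPermission and tblGrantPermission grow, which is the property the measurements in section 3.3 rely on.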
We set up the authentication and authorization policies in the Microsoft Visual Studio 2017 environment with the C# programming language on the ASP.NET MVC platform. The four education database components are designed and installed on SQL Server 2012 with 258 tables. The authentication server and authorization filter 1 use the OWIN library (IBM 2018). This library is based on the OAuth 2.0 architecture. We also use JWT access tokens and Identity framework 2.0. Authorization filter 2 is implemented on the LINQ platform to control access to resources for the four user groups mentioned in section 3.2.
We measured the running time of the authorization filter 2 algorithm through the execution time of the SQL query statement in SQL Server Management Studio. The experimental data are as follows: the number of actionName entries in table tblPermission is 1.540; the total number of rows in the tblGrantPermission table is 5.580. Experimental results on the average running time of the authorization filter 2 algorithm for the four user groups are shown in Table 1. Table 1 shows that the average running time of authorization filter 2 is negligible, but the access control role of this filter is very important in controlling access to API action resources.
Table 1 Average running time of authorization filter 2 algorithm (rows per user group, including district department and province department; the timing values were not recovered from the extracted page)
4 CONCLUSION AND FUTURE WORKS
We have presented a solution to implement security policies for the education database system of An Giang province based on the web service platform. The policies include authentication, authorization, encryption and auditing. The authentication and authorization policies are deployed in the OAuth 2.0 model with JSON web token access tokens. We have also implemented two authorization filters with coarse and fine filtering functions in the OAuth 2.0 model to improve the efficiency of the authorization policies. In the future we will develop additional security policies such as those designed to combat distributed denial-of-service (DDoS) attacks.
REFERENCES
Ardagna, C. A., Damiani, E., De Capitani di Vimercati, S., & Samarati, P. (2006). A Web Service Architecture for Enforcing Access Control Policies. Electronic Notes in Theoretical Computer Science, 142, 47–62.
Bradley, J., Sakimura, N., & Jones, M. (2016). JSON Web Token (JWT).
De Bruijn, J., Lausen, H., Polleres, A., & Fensel, D. (2006). The Web Service Modeling Language WSML: An Overview. ESWC 2006.
Fielding, R. T. (2000). Architectural Styles and the Design of Network-based Software Architectures (doctoral dissertation). University of California, Irvine.
Hardt, D. (2012). The OAuth 2.0 Authorization Framework.
IBM (2018). An overview of the SSL or TLS handshake.
Lakshmiraghavan, B. (2013). Pro ASP.NET Web API Security.
Bhandari, L. V., & Wadhe, A. P. (2014). Review Paper on Web Service Security. International Journal on Computer Science and Engineering.
Peltier, T. R. (2014). Information Security Fundamentals (2nd ed.). New York: CRC Press.
Stallings, W. (2011). Cryptography and Network Security: Principles and Practice (5th ed.). Prentice Hall.