AGU International Journal of Sciences – 2019, Vol. 7 (4), 74 – 81 
74 
IMPLEMENTING WEB SERVICE SECURITY POLICIES FOR EDUCATION 
DATABASE SYSTEM 
Nguyen Hoang Tung (1), Nguyen Van Hoa (1)
(1) An Giang University, VNU - HCM
Information: 
Received: 20/02/2019 
Accepted: 29/03/2019 
Published: 11/2019 
Keywords: 
Web service, security, 
identification, authentication, 
authorization 
ABSTRACT 
Today, information security is particularly relevant given the increasing risk involved in exchanging data on the Internet between applications and web services. In this article, we analyze the information security risks of web services, evaluate existing solutions, and then select the most effective policies for the education database system. We have implemented security policies covering authentication and authorization, in which authentication is based on OAuth 2.0 and JSON Web Tokens (JWT). We have also implemented two authorization filters, a coarse authorization filter and a fine-grained authorization filter, to improve the effectiveness of authorization. Experimental results show that the running time of the fine-grained authorization filter is negligible.
1. INTRODUCTION 
Today, the exchange of information on the Internet is ever-expanding. Therefore, information security during information exchange is an urgent and vital requirement for robust information systems. Exchanging information on the Internet carries many risks because of constant attacks by many parties seeking to eavesdrop on content, alter messages, impersonate senders and replay information. According to an announcement by the Information Security Department on May 9, 2016, Vietnam ranks only 76th of 196 countries and territories on information security metrics. Therefore, in order to minimize the risks of information exchange on the Internet when deploying a new information system, we need to analyze and assess information security risks, and on that basis select and implement a synchronized set of information security policies.
In the era of the information explosion, web technology has become a familiar and widely used platform. Many large organizations, such as Google, Amazon, eBay, PayPal and Facebook, have made substantial strides thanks to the development of websites built on the web service platform. Web services let developers build distributed applications with a large number of users in many different locations, which the client/server model cannot handle (Bruijn et al. 2016). Unlike the traditional client/server model, a web service does not provide a graphical interface. Instead, it provides standard methods to share and process data through the application's interface. A web service is a systematic application designed to support interoperability between applications running on different information technology platforms, adopting XML or JSON, SOAP, WSDL, UDDI and Internet protocols (Ardagna et al. 2006).
Web service resources are defined by URLs in order to perform functions and provide information to other applications on request. A web service is built by composing functions and packaging them so that other applications can easily access them, and it can also send information requests to other services.
As is well known, common security standards for information system transactions on the Internet have to address criteria such as identification, authentication, authorization, integrity, auditing and confidentiality (Peltier 2014). Accordingly, the security standard that follows is the web service security standard for the Simple Object Access Protocol (SOAP) and its extensions (Bhandari and Wadhe 2014).
The trend of developing information systems based on web services is inevitable because of their advantages. However, this trend faces many challenges, many of which relate to information security. In this article, we focus on introducing the information security challenges of web services as well as common solutions. Based on that, we select and implement effective policies for the education database system of An Giang province.
The next section presents existing web service information security policies. The third section analyzes the security requirements and presents the resulting selection and construction of security policies for the education database system of An Giang province. Conclusions and future directions are addressed in the final section.
2. WEB SERVICE SECURITY POLICIES 
2.1 Web service component model 
Web services include three main components: SOAP, WSDL and UDDI. The relationship between these three standards, which together organize the web service architecture, is presented in Figure 1.
Figure 1. Web service overview (service consumer, service provider and UDDI service registry; publish service, find service, describe service (WSDL), SOAP messages)
The web service architecture includes a set of network protocols to define, locate, implement and create a web service that interacts with other applications or services. In particular, UDDI is used to register and discover a web service that has been described in WSDL. A UDDI transaction uses SOAP to communicate with the UDDI server, and SOAP is then used to request the web service. SOAP messages are carried over HTTP and TCP/IP. Two of the four main components of the web service protocol stack are Service Transport and XML Messaging. Service Transport transmits messages between network applications using protocols such as HTTP, SMTP, FTP, JSM and the Blocks Extensible Exchange Protocol (BEEP). XML Messaging is responsible for decoding messages in XML format so that they can be understood at the application level and used to interact with the user. Currently, the protocols that perform this task are SOAP and REST (Fielding 2000).
2.2 Web service security policies 
Web services allow applications to link and interact via the Internet, so security is a top concern when combining applications with a web service. Implementing security policies for web services is very important for protecting information from unauthorized access. A secure information system is one in which the processed information must preserve three characteristics (Stallings 2011):
- Confidentiality: Preserving authorized 
restrictions on information access and 
disclosure, including means for protecting 
personal privacy and proprietary information. 
A loss of confidentiality is characterized by 
the unauthorized disclosure of information. 
- Integrity: Guarding against improper 
information modification or destruction, 
including ensuring information nonrepudiation 
and authenticity. A loss of integrity is 
constituted by the unauthorized modification 
or destruction of information. 
- Availability: Ensuring timely and reliable 
access to and use of information. A loss of 
availability is comprised of the disruption of 
access to or use of information or an 
information system. 
Based on these three characteristics of a secure information system, the security policies of the proposed web service include identity management, authentication and authorization, and encryption and digital certificates.
2.2.1 Identity management 
Web services may be public or have access points available for public data, but there are also many access points that need to be controlled in resource-intensive applications. In order to enforce access control, the calling entity must first be identified and authenticated, a process known as identity management. Identity management includes two important elements: authentication and authorization.
Authentication is the process of identifying an entity through an identifier and verifying that identity by checking the credentials presented against the information held by the competent authority. Users can authenticate through one of three types of login information: something the person knows or remembers (such as passwords and PINs); something the user owns (such as certificates and USB dongles); and something that is part of the user (such as fingerprints).
Once an identity has been authenticated, the application can control access to resources based on that identity. This process is called authorization. A simple application may grant access to significant resources based entirely on identity. However, most applications have policies that grant access based on attributes, such as role, that are linked to the authenticated identity.
Role-based security is the most commonly used security model in organizations and business applications. The key benefit of this model is that it is easy to organize users. Access rights are not granted directly to an individual user but to an abstraction called a role. The user is assigned to one or more roles, through which the user gains access to resources.
2.2.2 Authentication and authorization methods 
- Basic authentication is part of the HTTP protocol specification (Lakshmiraghavan 2013). The process begins when the client requests a resource that requires authentication. The server responds with a status code indicating unauthorized access. The client must then send an Authorization header containing its login credentials. If the credentials are valid, the server replies with a success status.
- Digest (message) authentication is also part of the HTTP protocol, but it differs from basic authentication in that the actual password is not sent to the server; instead a hash, a message authentication code or a digest is sent (Lakshmiraghavan 2013). When the server receives the message from the client along with the user's name, it hashes the user's password stored on the server to obtain a hash value. If that hash value matches the message the user sent, authentication succeeds.
- Open Authorization (OAuth) was proposed for the case where resources need to be shared between applications, also known as sharing resources with third parties, without sharing the user's credentials. The first version, OAuth 1.0, is a protocol. It works in three steps: (1) the client sends a temporary credentials request to the server; (2) the server validates the temporary credentials and, once the real access request is approved, issues a temporary token; (3) the server returns an access token to the client based on the provisional credentials and the temporary token. OAuth 2.0 was released in 2012 to overcome the limitations of OAuth 1.0. Version 2.0 is regarded as a framework and is the version in use today (Hardt 2012).
- An access token is a string representing the authorization granted to the client. Because the access token is issued by an authorization server and consumed by the resource server, OAuth 2.0 does not specify how the access token should be structured or formatted; this is left to the resource server and the authorization server. Access tokens can be generated according to specifications such as Simple Web Tokens (SWT) or JSON Web Tokens (JWT) (Bradley 2016).
2.2.3 Encryption and digital certificate 
Applications conduct transactions with the web service by sending access requests for resources. After identification and access checks, data is exchanged between the client application and the web service. The typical format of this information is now either XML or JSON. Both are plain text, so the information can be read by anyone who intercepts it. Therefore, the data transmission channel between the client application and the web service must be secured through the HTTPS protocol. HTTPS is designed to secure HTTP by running it over the SSL/TLS protocols (IBM 2018).
3. IMPLEMENTING WEB SERVICE 
SECURITY POLICIES FOR 
EDUCATION DATABASE SYSTEM 
3.1 Education database system of An Giang 
province 
Figure 2. Architecture model of education database system (applications; RESTful web service; AGEDU HRM, AGEDU SCHOOL, AGEDU EAM and AGEDU FM databases)
The education database system of An Giang province, referred to as the "database system," aims to support the management and administration of the provincial education sector. The system includes a database with four components: human resource management (HRM), school management, equipment and asset management (EAM), and financial management (FM), as shown in Figure 2. The database system is designed on the basis of a RESTful web service architecture (Lakshmiraghavan 2013). In this architectural model, applications do not access the databases directly; they operate through API calls in order to access resources on the web services.
The number of users of the database system is substantial, with 26,000 users at various levels ranging from the province to districts, schools and staff. In addition, users within a unit, such as teachers, equipment managers and accountants, are allowed to access different resources depending on the areas assigned to them.
3.2 Analysis security requirements of education 
database system 
Based on practical requirements, the database system needs security policies that ensure correct resource access rights by identifying users, verifying their level of management access and assigned position, and securing the data exchange channel between applications and web services.
We propose to divide the system's users into four user groups (Privilege): the province department group, the district department group, the school group and the staff group. Each user belongs to exactly one of the four groups. The province department group has the highest level of access: it can access the catalog tables of the databases with all rights (read, add, delete and edit), whereas the remaining groups may access catalog resources with read-only permission. The district department group may access only resources at the department level. Meanwhile, users in the staff group have access only to resources belonging to their own user level.
In addition, each user is assigned one or more roles. Each role is linked to the right to access one of the four components of the database. For example, a teacher in the staff group should be allowed to access only the school database, while an accountant in the staff group should also have access to the financial database.
3.3 Design and implement security policies for 
education database system 
Figure 3. Model of authentication and authorization of the education database system (web application, authorization server, authentication filter, OWIN middleware, authorization filter 1, authorization filter 2, Web API action, AGEDU database, OAuth database; user/password, token and resource flows)
To encrypt the XML or JSON content exchanged between applications and the web service, we use the HTTPS protocol with a digital certificate from the provider DigiCert on the web server hosting the home page of the web service. We have also set up auditing for important tables.
Besides these security policies, the major focus of our work is improving the OAuth 2.0 authentication model by adding Authorization filter 2 to the authentication and authorization model, in order to meet the security requirements of the web service, as shown in Figure 3. In this model, authentication and authorization proceed through the following steps: (a) the user logs in with a username and password; (b) the authorization server verifies the login, creates an access token and sends it to the application; (c) the access token is sent to the authentication filter along with the resource access request (API action); (d) authorization filter 1 acts as a coarse filter and checks whether the user's roles permit access to the requested database; (e) if the user passes filter 1, authorization filter 2 acts as a fine-grained filter and verifies the access right to the requested API action.
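Steps (a) to (c) above, as an added example that is not the paper's code: a minimal HS256 JSON Web Token (the access-token format named in Section 2.2.2) minted by the authorization server after a verified login and checked by the authentication filter before any authorization filter runs. The claim names privilege and roles, the signing key and the timestamps are assumptions.

```python
import base64
import hashlib
import hmac
import json

# Added example (not the paper's code): an HS256 JSON Web Token carrying the
# user's group (privilege) and roles. The claim names, key and timestamps
# are constructed assumptions for illustration.

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(secret: bytes, username: str, privilege: str,
                roles: list, now: int, ttl: int = 3600) -> str:
    """Step (b): the authorization server builds header.payload.signature
    for a login it has just verified."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": username, "privilege": privilege, "roles": roles,
              "iat": now, "exp": now + ttl}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims))
    signature = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)

def verify_token(secret: bytes, token: str, now: int):
    """Step (c): the authentication filter returns the claims when the token
    is genuine and unexpired, otherwise None and the request is rejected."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        # Pin the algorithm server-side; a token must not choose it ("none").
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
        # Constant-time comparison so signature checks do not leak timing.
        if not hmac.compare_digest(expected, b64url_decode(s)):
            return None
        claims = json.loads(b64url_decode(p))
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), int):
        return None
    if claims["exp"] <= now:
        return None
    return claims

if __name__ == "__main__":
    KEY = b"constructed-demo-key-not-for-production"
    token = issue_token(KEY, "teacher01", "Staff", ["Teacher"], now=1_700_000_000)
    print(verify_token(KEY, token, now=1_700_000_100))
```

A wrong key, a tampered payload, an expired token or a header naming another algorithm all make verify_token return None, so the request never reaches the authorization filters.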
To build the proposed model, we designed an OAuth database with seven tables that store user information (tblUsers), user roles (tblUserRoles and tblRoles), and user groups and their access rights to each API action (tblPrivilege, tblBusiness, tblPermission and tblGrantPermission), as shown in Figure 4. Here tblBusiness stores information about the tables of the four database components, tblPermission stores information about the API actions on the data tables, and tblGrantPermission stores the access rights of each user group (Privilege) on each API action.
Figure 4. Relational schema of OAuth database 
We designed the algorithm of authorization filter 2 with three input parameters: the name of the data table (tblName), the name of the API action (actionName) and the user group (privilege). The algorithm has two steps: (1) find the ID of actionName in the tblPermission table using the parameters tblName and actionName; this step always returns the ID of the actionName being looked up; (2) check whether the privilege user group may perform actionName, which is the case if a row containing that ID and privilege is found in the tblGrantPermission table.
Authorization filter 2 Algorithm
  input:
    tblName, actionName
    privilege
  output:
    true|false
  // step (1): find the ID of the API action in tblPermission
  foreach r in tblPermission
    if (r.ControllerName == tblName and r.ActionName == actionName)
      id = r.ID
  // step (2): the action is granted if (id, privilege) exists in tblGrantPermission
  foreach g in tblGrantPermission
    if (g.ID == id and g.Privilege == privilege)
      return true
  return false
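Steps (d) and (e) of the model and the Authorization filter 2 algorithm above, as an added example that is not the paper's code: both filters run over small in-memory stand-ins for tblBusiness, tblRoles, tblPermission and tblGrantPermission, with filter 2 denying (rather than assuming) when the lookup in step (1) finds no row. The table rows, column names and the example roles, tables and API actions are constructed assumptions.

```python
# Added example (not the paper's code): the two authorization filters of
# Section 3.3 over in-memory stand-ins for the OAuth database tables.
# Rows, column names, roles, tables and actions are constructed for
# illustration; only the table names come from the paper.

# tblBusiness: which of the four database components each data table belongs to.
TBL_BUSINESS = {"Students": "SCHOOL", "Vouchers": "FM", "Devices": "EAM"}

# tblRoles: which database components each role may reach (used by filter 1).
ROLE_BUSINESS = {"Teacher": {"SCHOOL"}, "Accountant": {"SCHOOL", "FM"}}

# tblPermission rows: (ID, ControllerName = data table, ActionName = API action).
TBL_PERMISSION = [
    (1, "Students", "Get"), (2, "Students", "Post"), (3, "Students", "Delete"),
    (4, "Vouchers", "Get"), (5, "Vouchers", "Post"),
]

# tblGrantPermission rows: (permission ID, privilege) pairs that are allowed.
TBL_GRANT_PERMISSION = {
    (1, "Staff"), (1, "School"), (2, "School"), (3, "Province"),
    (4, "Staff"), (5, "Staff"),
}

def authorization_filter_1(roles, tbl_name: str) -> bool:
    """Coarse filter, step (d): is the requested table's database component
    reachable through at least one of the user's roles?"""
    component = TBL_BUSINESS.get(tbl_name)
    if component is None:
        return False  # unknown table: fail closed
    return any(component in ROLE_BUSINESS.get(role, ()) for role in roles)

def authorization_filter_2(tbl_name: str, action_name: str, privilege) -> bool:
    """Fine-grained filter, step (e): (1) look up the action's ID in
    tblPermission, (2) check that (ID, privilege) is in tblGrantPermission."""
    permission_id = next((pid for pid, ctrl, act in TBL_PERMISSION
                          if ctrl == tbl_name and act == action_name), None)
    if permission_id is None:
        return False  # action not registered: deny instead of assuming an ID
    return (permission_id, privilege) in TBL_GRANT_PERMISSION

def authorize(claims: dict, tbl_name: str, action_name: str) -> bool:
    """Filter 2 runs only for requests that already passed filter 1."""
    if not authorization_filter_1(claims.get("roles", []), tbl_name):
        return False
    return authorization_filter_2(tbl_name, action_name, claims.get("privilege"))

if __name__ == "__main__":
    teacher = {"sub": "teacher01", "privilege": "Staff", "roles": ["Teacher"]}
    print(authorize(teacher, "Students", "Get"), authorize(teacher, "Vouchers", "Get"))
```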