ABSTRACT
Today, information security is particularly relevant when considering the
increasing risk of information security when exchanging data on the Internet
between applications and web services. In this article, we analyze the
information security risks of web services, evaluate existing solutions, and
then select the most effective policies for the education database system. We
have implemented security policies including authentication, authorization.
In which authentication is based on OAuth 2.0 and JSON web tokens (JWT).
We have also implemented two authorization filters with the roles of raw
authorization filter and fine-grained authorization filter for improving the
effectiveness of the authorization. Experimental results show that the running
time of fine-grained authorization filter is negligible
8 trang |
Chia sẻ: thanhle95 | Lượt xem: 486 | Lượt tải: 1
Bạn đang xem nội dung tài liệu Implementing web service security policies for education database system, để tải tài liệu về máy bạn click vào nút DOWNLOAD ở trên
AGU International Journal of Sciences – 2019, Vol. 7 (4), 74 – 81
74
IMPLEMENTING WEB SERVICE SECURITY POLICIES FOR EDUCATION
DATABASE SYSTEM
Nguyen Hoang Tung1, Nguyen Van Hoa1
1An Giang University, VNU - HCM
Information:
Received: 20/02/2019
Accepted: 29/03/2019
Published: 11/2019
Keywords:
Web service, security,
identification, authentication,
authorization
ABSTRACT
Today, information security is particularly relevant when considering the
increasing risk of information security when exchanging data on the Internet
between applications and web services. In this article, we analyze the
information security risks of web services, evaluate existing solutions, and
then select the most effective policies for the education database system. We
have implemented security policies including authentication, authorization.
In which authentication is based on OAuth 2.0 and JSON web tokens (JWT).
We have also implemented two authorization filters with the roles of raw
authorization filter and fine-grained authorization filter for improving the
effectiveness of the authorization. Experimental results show that the running
time of fine-grained authorization filter is negligible.
1. INTRODUCTION
Today, the exchange of information on the
Internet is ever-expanding. Therefore, the need for
information security when exchanging
information is an urgent and vital requirement for
robust information systems. The exchange of
information on the Internet often contains a lot of
risks because of the constant attacks of many
parties in order to eavesdrop on the content of
information, change messages, impersonate and
replay information. According to an
announcement by the Information Security
Department on May 9, 2016, Vietnam only is
ranked 76 over 196 countries and territories on
information security metrics. Therefore, in order
to minimize the risks of information exchange on
the Internet when deploying a new information
system, we need to analyze and assess
information security risks from which we will
select and implement synchronous information
security policies.
In the era of the information explosion, web
technology has become a familiar and widely-
used platform. Many large organizations, such as
Google, Amazon, Ebay, Paypal, and Facebook,
have made substantial strides thanks to the
development of the website based on the web
service platform. Web services support web
developers to build distributed applications with a
large number of users in many different locations
which client/server models can not be solved by
(Bruijn et al. 2016). Unlike the traditional
client/server models, a web service doesn’t
provide a graphical interface. Instead, a web
service provides standard methods to share and
process data through the interface of the
application. A web service is a systematic
application designed to support interoperability
between applications running on the platform of
AGU International Journal of Sciences – 2019, Vol. 7 (4), 74 – 81
75
different information technology adoption XML
or JSON, SOAP, WSDL, UDDI and internet
protocols (Ardagna et al. 2006).
Web service resources have been defined by the
URL to perform functions and provide
information to other applications when required.
A web service is established by synthesis
functions and packaged so that other applications
can easily access, and it also can send information
requests to another.
As we know, common security standards for
information systems transactions on the Internet
often have to focus on the criteria such as
identification, authentication, authorization,
integrity, auditing and confidentiality (Peltier
2014 ). Therefore, the following security standard
is the standard for web service security for access
protocol (SOAP) and the extension of this
protocol (Bhandari and Wadhe 2014).
The trend of developing information systems
based on web services is inevitable because of its
advantages. However, this particular trend faces
many challenges, many of which are related to
information security. In this article, we will focus
on introducing the challenges of information
security system's web services as well as common
solutions. Based on that, we select and implement
effective policies for the education database
system of An Giang province.
The next section presents the existing information
security policies’s web service. The third section
is composed of an analysis of security
requirements, and a resulting selection and
construction of security policies for the education
database system of An Giang province.
Conclusions and directions are addressed in the
final section.
2. WEB SERVICE SECURITY POLICIES
2.1 Web service component model
Web services include 3 main components: SOAP,
WSDL and UDDI. The relationship between three
standards organizes web service architecture is
presented in Figure 1.
The web service architecture includes a set of
network protocols to define, locate, implement
and create a web service to interact with other
applications or services. In particular, UDDI is
used to register and discover web service that has
been described specifically in WSDL. Transaction
UDDI uses SOAP to communicate with the UDDI
server, then the SOAP requests a web service.
SOAP messages are sent exactly by protocol
HTTP and TCP/IP. Two of the four main
components of the web service protocols are
Service Transport and XML messages. Transport
service transmits messages between
Figure 1. web service overview
UDDI
(Service registry)
Service
consumer
Service Provider
Find service Publish
service
Describe service
(WDSL)
SOAP
Messages
AGU International Journal of Sciences – 2019, Vol. 7 (4), 74 – 81
76
network applications, including protocols such as
HTTP, SMTP, FTP, and protocol JSM given
constant expansion blocks (Blocks Extensible
Exchange Protocol- BEEP). XML messages are
responsible for decoding messages in XML
format so that they can be understood at the
application level to interact with the user.
Currently, the protocols that perform this task are
SOAP and REST (Fielding 2000).
2.2 Web service security policies
Web services allow linking and interacting with
the applications via the Internet, so security is an
issue of top concern for combining applications
with a web service. Implementing security
policies for web services is very important to
protect information from unauthorized access. A
security information system is a system where the
processed information must ensure three
characteristics (Stallings 2011):
- Confidentiality: Preserving authorized
restrictions on information access and
disclosure, including means for protecting
personal privacy and proprietary information.
A loss of confidentiality is characterized by
the unauthorized disclosure of information.
- Integrity: Guarding against improper
information modification or destruction,
including ensuring information nonrepudiation
and authenticity. A loss of integrity is
constituted by the unauthorized modification
or destruction of information.
- Availability: Ensuring timely and reliable
access to and use of information. A loss of
availability is comprised of the disruption of
access to or use of information or an
information system.
Based on the three characteristics of a security
information system, the security policies of the
proposed web service include identity
management, authentication and authorization,
encryption and digital certificates.
2.2.1 Identity management
Web services may be public or have access points
available for public data, but there are also many
access points that need to be controlled in
resource intensive applications. In order to
enforce access control, the issuing entity must
first be identified and authenticated, which is a
process known as identity management. Identity
management includes two important elements:
authentication and authorization.
Authentication is the process of identifying an
entity through an identifier and verifying identity
through the authentication of information
provided by the competent authority. Users can
authenticate identity through one of three types of
login information: what the person
knows/remembers (such as passwords, PINs);
what users own (such as certificates, USB
dongles); and what belongs to the user (such as
fingerprints).
When an identity authentication is set, the
application can access and control resources based
on this identity. This process is called
authorization. A simple application can allow
access to significant resources entirely based on
identity. However, most of the applications that
have policies allowing access based on attributes
such as role, are linked with the identity and
authenticated.
Role-based security is the most commonly used
security model in organizations or business
applications. Key benefits of using a model with
this layout is that it is easy to organize users.
Access rights are not granted directly to an
individual user, but to an abstraction called a role.
The user is assigned to one or more roles, through
which the user will have access to the resources.
2.2.2 Authentication and authorization methods
- Basic authentication is partially a description of
the HTTP protocol (Lakshmiraghavan 2013). This
authentication process occurs when the client
requests resources that need to be authenticated.
The authentication server then sends the code
containing the status of unauthorized access. The
AGU International Journal of Sciences – 2019, Vol. 7 (4), 74 – 81
77
client must then send an authorization header
containing the login credentials. If the login
information is valid, the server will reply with the
status of a successful login.
- Authentication messages are also part of the
HTTP protocol, but they differ from basic
authentication because the actual password is not
sent to the server, and instead a hash code,
message authentication code, or a message code is
sent (Lakshmiraghavan 2013). When the server
receives the message sent from the client along
with the user's name, it will hash the user's
password stored on the server to get the hash
value. If the hash value matches the message the
user sent, the authentication is successful.
- Open authorization (OAuth) is proposed when
the need to share resources between applications,
also known as resource sharing to third parties,
without having to share that user's credentials.
The first version of OAuth is 1.0 and it is a
protocol. This version works in three steps: (1)
The client sends a temporary confirmation request
to the server; (2) The server performs a temporary
validation process and allows the real access
request to be granted a temporary token (token);
(3) The server returns the client access token
(Access token) based on provisional credentials
and temporary tokens. Version OAuth 2.0 was
released in 2012 to improve the limitations of
OAuth 1.0. Version 2.0 is seen as a framework
and is used today (Hardt 2012).
- Access token (Access Token) is a string
representing the authorization given to the client.
Because the access token is issued by an
authorized server and used by the resource server,
OAuth 2.0 does not specify how the access token
should be structured or formatted. This depends
on the resource server and the authorized server.
Access tokens can be generated according to some
specifications such as simple web tokens (SWT)
or JSON web tokens (JWT) ( Bradley 2016).
2.2.3 Encryption and digital certificate
Applications conduct transactions with the web
service through sending access requests to
resources. After identifying and checking access,
data exchange will be performed between the
client application and the web service. The typical
format of information is now either XML or
JSON. They are two plain texts so the information
can be read by anyone. Therefore, the data
transmission channel between client application
and web service must be secured through HTTPS
protocol. The HTTPS protocol is designed to
secure HTTP by allowing it to work over
SSL/TLS protocols (IBM 2018).
3. IMPLEMENTING WEB SERVICE
SECURITY POLICIES FOR
EDUCATION DATABASE SYSTEM
3.1 Education database system of An Giang
province
Figure 2. Achitecture model of education database system
APPLICATIONS
RESTFUL WEB SERVICE
AGEDU
HRM
AGEDU
SCHOOL
AGEDU
EAM
AGEDU
FM
AGU International Journal of Sciences – 2019, Vol. 7 (4), 74 – 81
78
The education database system of An Giang
province, referred to as the “database system,”
aims to support the management and
administration of the provincial education sector.
The system includes a database of four
components: human resource management
(HRM), school management, equipment - asset
management (EAM), and financial management
(FM) such as Figure 2. The database system is
designed on the basis of RESTFul web service
architecture (Lakshmiraghavan 2013). In this
architectural model, applications will not directly
access databases, but they will operate through
API calls in order to access resources on web
services.
The number of users of the database system is
substantial, with 26.000 user at various levels
ranging from the province to districts, schools, or
staff. In addition, users in a unit, such as teachers,
equipment managers, and accountants, will be
allowed to access different resources depending
on the areas assigned to them.
3.2 Analysis security requirements of education
database system
Based on reality requirement, there must be
security policies for database system to ensure the
resource access right through identifying,
verifying levels of management access, assigned
position and secure data exchange channel
between applications and web services.
We propose to divide the system's users into four
user groups (Privilege): the province department
group, the district department group, the school
group and the staff group. Each user only belongs
to one of four user groups. The province
department user group has the highest level of
access as the access to the catalog tables of the
databases with all rights (read, add, delete and
edit) but the rest of the user groups are only
allowed to access directory resources with read-
only permission. District department user group,
only the access to the resources of the department
level. Meanwhile, users belonging to the
employee group have access only to resources
belonging to this user level.
In addition, each user will be assigned to one or
more roles. Each role is linked to the right to
access one of the four components of the
database. For example, users who are teachers in
the employee group should only be allowed to
access the school database, while the accountants
in the staff group should also have access to the
financial database.
3.3 Design and implement security policies for
education database system
Based on reality requirement, there must be
security policies for database system to ensure the
resource access right through identifying,
verifying levels of management access, assigned
position and secure data exchange channel
between applications and web services.
We propose to divide the system's users into four
user groups (Privilege): the province department
group, the district department group, the school
group and the staff group. Each user only belongs
to one of four user groups. The province
department user group has the highest level of
access as the access to the catalog tables of the
databases with all rights (read, add, delete and
edit) but the rest of the user groups are only
allowed to access directory resources with read-
only permission. District department user group,
only the access to the resources of the department
level. Meanwhile, users belonging to the
employee group have access only to resources
belonging to this user level.
In addition, each user will be assigned to one or
more roles. Each role is linked to the right to
access one of the four components of the
database. For example, users who are teachers in
the employee group should only be allowed to
access the school database, while the accountants
in the staff group should also have access to the
financial database.
AGU International Journal of Sciences – 2019, Vol. 7 (4), 74 – 81
79
3.3. Design and implement security policies for education database system
Figure 3. Model of authentication and authorization of the educational data system
To encode content exchange between applications
and web service as XML or JSON, we use the
HTTPS protocol with the digital certificate
provider DigiCert for the web server running the
home page of the web service. We have also set
up Auditing for important tables.
Besides the security policies, the major focus of
our work is improving authentication OAuth 2.0
model by implementing the Authorization filter 2
in authorization and validation model in order to
meet requirements security for web service as
Figure 3. In this model, the process of
authentication and authorization is done according
through the following steps: (a) users conduct the
login process with their username and password
information; (b) the authorization server
(Authorization server) confirms the login, creates
an access token, and sends it to applications; (c)
the access token is sent to the authentication filter
along with resource access (API action) requests;
(d) the authorization filter 1 acts as a coarse filter,
and will conduct inspection role of users with
database is accessible; (e) if users pass through
the filter 1, authorization filter 2 acts as fine-
grained filter, and will verify access right to the
required API Action.
To build the proposed model, we designed an
OAuth database with 7 tables to store user
information (tblUsers), user roles (tblUserRoles
and tblRoles) and user groups and access rights to
API's Action of each user group (tblPrivilege,
tblBusiness, tbl Permission and
tblGrantPermission) as shown in Figure 4. In
which tblBusiness stores information tables
of four database components, tbl Permission
stores the information about the API Action of
data tables, tblGrantPermission stores access
rights each user group (Privilege) on each API
Action.
Web
Appli-
cation
Authorizatio
n
server
Authentication
filter
OWIN
Middleware
Authorization
filter 1
API action AGEDU
Database
OAuth
Database
User
Password
Password
Token
Token
Resources
Web API
Authorization
filter 2
AGU International Journal of Sciences – 2019, Vol. 7 (4), 74 – 81
80
Figure 4. Relational schema of OAuth database
We designed the algorithm of authorization filter
2 with 3 input parameters: the name of the data
table (tblName), the name of the API Action
(actionName) and user groups (privilege). This
algorithm has 2 steps: (1) find the ID of
actionName in the tblPermission table by the
parameters tblName and actionName, this step
always returns the ID of the actionName to look
for; (2) check the actionName access of the
privilege user group if the data stream containing
ID and privilege is found in the
tblGrantPermission table.
Authorization filter 2 Algorithm
input:
tblName, actionName
privilege
output:
true|false
foreach r in tblPermission
if (r.ControllerName == tblName and r.ActionName == acti