A Proposed SOAP Model in WS-Security to Avoid Rewriting Attacks and Ensuring Secure Conversation

Rajni Mohana (Jaypee University of Information Technology, Solan, India)
Copyright: © 2018 |Pages: 15
DOI: 10.4018/IJISP.2018010107

Abstract

Service-oriented architecture (SOA) is a current and popular software engineering paradigm that provides agile web services to consumers in a dynamically changing enterprise environment. SOAP messages are used to establish communication between web services, and these messages are vulnerable to rewriting attacks and insecure conversation. XML Signature, as specified in WS-Security, protects the contents of SOAP messages but is insufficient on its own. This paper proposes a SOAP model in which rewriting attacks can be avoided and a secure conversation can be established as well. The paper recommends three steps: first, using a shared key to encrypt a timestamp in the message body, from which the corresponding signature is generated; second, using value referencing both for signature validation and for message processing; and third, encrypting the whole SOAP body instead of sending an open SOAP message over the network, to prevent unauthorized access. The paper concludes that the proposed model successfully detects rewriting attacks and establishes secure conversation in the to-and-fro message transmission.
Article Preview

Introduction

Service-Oriented Architecture (SOA) is a new paradigm for reorganizing or reusing old applications as web services. Web services are self-describing, platform-independent computational elements that are accessible through standard interfaces. They can be assembled into complex compositions using standard messaging protocols (Rolland, 2010). In an SOA environment, one has to integrate various web services and enable a secure conversation among them in order to provide better Business to Business (B2B) / Business to Consumer (B2C) applications with agility. One way web services communicate is through an Extensible Markup Language (XML) message format called Simple Object Access Protocol (SOAP), given in w3.org/TR/xpath20/. Web services make use of SOAP to tie heterogeneous business systems together. This gives organizations the opportunity to create and deploy distributed applications without being concerned about the hardware platform, the operating system (OS), the programming language, or the network topology (Liu, 2008). Thus, SOAP provides platform and language neutrality.

The challenging part of system integration is exchanging SOAP messages in a secure and meaningful manner. These messages are prone to attacks that lead to issues such as unauthorized access and identity theft. Such attacks are generally referred to as XML rewriting attacks (Sinha, 2008). Rewriting attacks are also called wrapping attacks because they involve changing the content of the SOAP message without invalidating its signature (Gajek, 2009). A rewriting attack is carried out by injecting a faked element into the structure of the SOAP message so that the valid signature still covers the unmodified element while the faked one is processed by the application logic. The message is processed according to its path, whereas the signature is validated according to the message body Id. This method, called Id referencing, creates the scope for rewriting attacks. As a result, an attacker can easily perform an arbitrary web service request while pretending to be a legitimate user. The challenge is to provide a solution to rewriting attacks. McIntosh (2005) showed that the content of a SOAP message protected by an XML Signature, as specified in WS-Security, can be altered without invalidating the signature. The XML rewriting attack is possible because the referencing schemes used to locate parts of a SOAP message document differ between the signature verification function and the application logic (Gajek, 2009). Replay attack, redirection attack and multiple security header attack are the three types of attacks. Sinha (2008) lists the types of rewriting attacks and their impact on SOAP messages.
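The referencing mismatch described above, as an added example that is not part of the paper: a Python check (helper names are assumed; cryptographic verification of the signature itself is omitted) that locates the signed element by wsu:Id the way a signature verifier does, locates the processed element by path the way the application logic does, and rejects the message when the two are different nodes. Both sample envelopes are constructed for the illustration.

```python
import xml.etree.ElementTree as ET

# Namespace URIs for SOAP 1.1 and WS-Security (used by the constructed samples below).
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"

def signed_element(root):
    """Element the signature covers, found the way a verifier finds it:
    by the wsu:Id named in the ds:Reference URI (Id referencing)."""
    security = root.find(f".//{{{WSSE}}}Security")
    ref = None if security is None else security.find(f".//{{{DS}}}Reference")
    if ref is None or not ref.get("URI", "").startswith("#"):
        return None
    wanted = ref.get("URI")[1:]
    # An Id lookup scans the whole document, not just the Body position.
    for el in root.iter():
        if el.get(f"{{{WSU}}}Id") == wanted:
            return el
    return None

def processed_element(root):
    """Element the application logic acts on: the Body reached by path
    from the Envelope (path referencing)."""
    return root.find(f"{{{SOAP}}}Body")

def check_references(xml_text):
    """True only when the signed node and the processed node are the
    same object; a mismatch is the rewriting-attack indicator."""
    root = ET.fromstring(xml_text)
    signed = signed_element(root)
    return signed is not None and signed is processed_element(root)

# Constructed sample: the signature covers the Body that is actually processed.
LEGIT = f"""<s:Envelope xmlns:s="{SOAP}" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" xmlns:ds="{DS}">
 <s:Header><wsse:Security><ds:Signature><ds:SignedInfo>
  <ds:Reference URI="#body"/></ds:SignedInfo></ds:Signature></wsse:Security></s:Header>
 <s:Body wsu:Id="body"><getBalance account="A"/></s:Body></s:Envelope>"""

# Constructed sample: the signed Body sits inside a header wrapper and an unsigned
# Body stands in its place; the Id lookup still succeeds but the path lookup differs.
WRAPPED = f"""<s:Envelope xmlns:s="{SOAP}" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" xmlns:ds="{DS}">
 <s:Header><wsse:Security><ds:Signature><ds:SignedInfo>
  <ds:Reference URI="#body"/></ds:SignedInfo></ds:Signature></wsse:Security>
  <Wrapper><s:Body wsu:Id="body"><getBalance account="A"/></s:Body></Wrapper></s:Header>
 <s:Body><getBalance account="B"/></s:Body></s:Envelope>"""
if __name__ == "__main__":
    print(check_references(LEGIT), check_references(WRAPPED))  # True False
```

A production verifier would run this identity check after the digest and signature values have been validated, since a matching pair of nodes says nothing about whether the signature itself is genuine.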
