Issue No.04 - October-December (2011 vol.4)
pp: 272-285
Nils Gruschka, NEC Europe Ltd., Heidelberg
Meiko Jensen, Ruhr University Bochum, Germany
Luigi Lo Iacono, European University of Applied Sciences, Brühl
Norbert Luttenberger, University of Kiel, Kiel
ABSTRACT
As SOAP-based web services move beyond being an explorative set of new technologies and become mature, fundamental building blocks for service-driven business processes (and in some cases even for mission-critical systems), the demand for nonfunctional requirements, including efficiency as well as security and dependability, increases rapidly. Although web services are capable of coupling heterogeneous information systems in a flexible and cost-efficient way, their processing efficiency and robustness against certain attacks do not fulfill industry-strength requirements. In this paper, a comprehensive stream-based WS-Security processing system is introduced, which enables more efficient processing in service computing and increases the robustness against different types of Denial-of-Service (DoS) attacks. The introduced engine is capable of processing all standard-conforming applications of WS-Security in a streaming manner. It can handle, e.g., any order, number, and nesting degree of signature and encryption operations, closing the gap toward more efficient and dependable web services.
INDEX TERMS
Web services, SOAP, WS-Security, streaming processing, DoS robustness, efficient processing.
CITATION
Nils Gruschka, Meiko Jensen, Luigi Lo Iacono, Norbert Luttenberger, "Server-Side Streaming Processing of WS-Security", IEEE Transactions on Services Computing, vol.4, no. 4, pp. 272-285, October-December 2011, doi:10.1109/TSC.2010.61