SECURED INFORMATION INTEGRATION WITH A SEMANTIC-WEB BASED FRAMEWORK
What is a web service?
• Everyone would agree with a general definition like this: "A Web service is a software system designed to support interoperable machine-to-machine interaction over a network." (Source: W3C)
SOAP, WSDL and UDDI
• Most people understand Web Services to be the "triumvirate" of SOAP, WSDL, and UDDI
[Figure: Application A on Platform A acts as a SOAP client and sends a SOAP envelope (payload plus security token) over SSL to the Web Service of Application B on Platform B; the service is described by WSDL (Web Services Description Language) and located through a UDDI web services directory]
SOAP-based web services
• Web services and SOAP are often considered the same
REST
• But SOAP is not the only kind of Web Service communication
• REST stands for REpresentational State Transfer
• Described in the 2000 doctoral thesis of Roy Fielding (Day Software, co-founder of the Apache Software Foundation, co-author of the HTTP and URI RFCs)
• REST applies the architecture of the Web to Web Services
  - Each URI is a distinct resource, as in the browser-based Web
  - URIs can be bookmarked and cached
  - Don't reinvent the "wheel"
• Used by Amazon, Google, Flickr, and many others
REST
• In REST, everything is a resource
• "Resource modelling" is required at the outset: model each document, and each process, as a "resource" with a distinct URI
• Then use the standard HTTP "verbs" to interact with the resource:
  - GET: Retrieve a representation of a resource. Does not modify server state; a GET must have no side effects on the server side (this is what makes responses cacheable and URIs safe to bookmark)
  - POST: Create a new resource (or update one); for a create, the server chooses the new URI and reports it back
  - PUT: Update (replace) the representation of the resource at the given URI; repeating the same PUT changes nothing further (idempotent)
  - DELETE: Remove the resource; also idempotent
Example of a REST weather service
• GET /weatherforecast/02110 HTTP/1.1
  - Get the weather forecast for Boston
• POST /weatherforecast HTTP/1.1
  - Upload a new weather forecast for San Jose by sending an XML document which conforms to the appropriate schema
  - Response is "201 Created" carrying the new URI:
    201 Created
    Content-Location: /weatherforecast/95101
• PUT /weatherforecast/95101 HTTP/1.1
  - Update an existing resource representation
• DELETE /weatherforecast/02110 HTTP/1.1
  - Delete the resource representation
Contrast with a SOAP weather service
• POST /weatherforecast.asmx HTTP/1.1
  - Send a SOAP message to get the weather in Boston
• POST /weatherforecast.asmx HTTP/1.1
  - Send a different SOAP message to create a forecast for San Jose
  - Response is a custom SOAP response message
• POST /weatherforecast.asmx HTTP/1.1
  - Send another SOAP message to update the San Jose weather forecast
• POST /weatherforecast.asmx HTTP/1.1
  - Send another SOAP message to delete the Boston weather forecast
• Notice anything?
  - Everything is a POST. All the details are in the SOAP messages
Reinventing protocols
• In REST, HTTP is the protocol
  - Well known, simple, and established
  - Four methods are enough: GET, POST, PUT, DELETE (HTTP itself defines more, such as HEAD and OPTIONS)
  - A network admin can look at something like "GET /weatherforecast/02110" and understand what it is doing
  - Requests can be bookmarked
  - Responses can be cached
  - The flip side: because GET request lines are written to proxy logs, browser histories and caches, credentials or other secrets must never be carried in a URI
• By contrast, in SOAP, developers effectively create their own protocols
  - Everything is a POST
  - Rather than using GET, POST, PUT and DELETE, the methods and operations are in the SOAP messages themselves
  - A network admin just sees POSTs and cannot understand the purpose of the traffic without looking into the SOAP messages themselves
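The weather service above, written out as an added example (not code from the slides): one in-memory resource served both ways, a REST front end where the verb and URI carry the operation, and a SOAP-style front end where every call is a POST to one endpoint and the operation is inside the envelope. The access log records only the request line, which is exactly what a proxy or a network admin sees. The dict body, the `/weatherforecast` path pattern, the simplified namespace-free envelope and the operation names `GetForecast`, `CreateForecast`, `UpdateForecast`, `DeleteForecast` are assumptions for the illustration.

```python
import re
import xml.etree.ElementTree as ET

forecasts = {"02110": "Boston: 48F, rain"}   # constructed sample store, keyed by ZIP code
access_log = []                              # request lines only, as a proxy or admin sees them


def apply_verb(method, zip_code, body=None):
    """Resource logic shared by both front ends. Returns (status, headers, body)."""
    if method == "GET":                      # safe: reads only, never changes state
        return (200, {}, forecasts[zip_code]) if zip_code in forecasts else (404, {}, "")
    if method == "POST":                     # create: the server assigns the new URI
        forecasts[body["zip"]] = body["forecast"]
        return 201, {"Content-Location": "/weatherforecast/" + body["zip"]}, ""
    if method == "PUT":                      # replace: idempotent, repeating it changes nothing
        forecasts[zip_code] = body["forecast"]
        return 200, {}, ""
    if method == "DELETE":
        return (204, {}, "") if forecasts.pop(zip_code, None) is not None else (404, {}, "")
    return 405, {"Allow": "GET, POST, PUT, DELETE"}, ""


def rest_dispatch(method, path, body=None):
    """REST style: verb + URI say what happens. `body` is a dict standing in for
    the XML document of the slide (an assumption)."""
    access_log.append(method + " " + path)
    m = re.fullmatch(r"/weatherforecast(?:/(\d{5}))?", path)
    if not m:
        return 404, {}, ""
    zip_code = m.group(1)
    # POST goes to the collection only; GET/PUT/DELETE go to an item only
    if (method == "POST") != (zip_code is None):
        return 405, {"Allow": "GET, POST, PUT, DELETE"}, ""
    return apply_verb(method, zip_code, body)


# Assumed operation names inside the SOAP body, mapped onto the same verbs
SOAP_OPS = {"GetForecast": "GET", "CreateForecast": "POST",
            "UpdateForecast": "PUT", "DeleteForecast": "DELETE"}


def soap_dispatch(path, envelope):
    """SOAP style: always POST to one endpoint; the operation and its arguments
    live inside the envelope (simplified, namespace-free envelope: an assumption)."""
    access_log.append("POST " + path)
    if path != "/weatherforecast.asmx":
        return 404, {}, ""
    op = ET.fromstring(envelope).find("Body")[0]          # e.g. <GetForecast zip="02110"/>
    body = {"zip": op.get("zip"), "forecast": op.text}
    return apply_verb(SOAP_OPS[op.tag], op.get("zip"), body)


if __name__ == "__main__":
    rest_dispatch("GET", "/weatherforecast/02110")
    soap_dispatch("/weatherforecast.asmx",
                  "<Envelope><Body><GetForecast zip='02110'/></Body></Envelope>")
    print(access_log)   # ['GET /weatherforecast/02110', 'POST /weatherforecast.asmx']
```

Both calls read the same forecast, but only the first one is recognisable from the request line; the SOAP log entry looks identical for a read, a create and a delete.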
More differences between SOAP and REST
• SOAP is transport neutral
  - SOAP can be used across FTP, SMTP, message queues
  - But REST is tied to HTTP only
• SOAP includes a whole stack of "composable" WS-* specifications
  - WS-Security for inserting security tokens into SOAP headers, WS-ReliableMessaging, WS-Transactions, and many more
  - But since WS-* builds on top of SOAP, it does not apply to REST
• Proponents of REST would argue "use HTTP infrastructure for reliable messaging and security. Don't reinvent the wheel"
• Proponents also argue that REST is "as safe as HTTP": it inherits TLS and HTTP authentication. The caveat is that this is transport-level protection between two hops only; a WS-Security signature or encryption is applied to the message itself and survives intermediaries, which plain HTTPS does not
REST in practice
• REST is seen as "simpler to develop than SOAP" because a query string can be built just by concatenating strings together
• Most developers find it easier to concatenate strings together and then do a GET to a URI like Google's "doGoogleSearch" than to create a SOAP request
• The catch: concatenation is also how encoding and injection bugs are born. Every parameter value must be URL-encoded, or an "&" or "=" in user input becomes an extra parameter the server never expected
• SOAP products are getting easier to use, though, and the gap is closing
• This simplicity is the main reason for REST's popularity
REST's popularity, a famous data point
[Chart: share of Amazon web-service traffic arriving via REST versus SOAP. Source: Jeff Barr, Web Services Evangelist at Amazon.com]
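The concatenation habit described above, as an added example (not from the slides): the same search request built by string concatenation and by proper encoding, then parsed the way the server would parse it. The `/search` endpoint and the `q` and `safe` parameter names are assumptions; the hostile input is constructed.

```python
from urllib.parse import parse_qs, urlencode


def query_by_concatenation(term: str) -> str:
    """What the slide describes: glue the user's term straight into the URL.
    The hypothetical service also has a fixed safe-search parameter."""
    return "/search?q=" + term + "&safe=on"


def query_encoded(term: str) -> str:
    """Same request built with urlencode: '&', '=', spaces etc. in the term are escaped."""
    return "/search?" + urlencode({"q": term, "safe": "on"})


def server_view(url: str) -> dict:
    """What the service actually parses out of the query string."""
    return parse_qs(url.split("?", 1)[1])


if __name__ == "__main__":
    hostile = "cats&safe=off"                # constructed input that smuggles its own parameter
    print(server_view(query_by_concatenation(hostile)))   # {'q': ['cats'], 'safe': ['off', 'on']}
    print(server_view(query_encoded(hostile)))            # {'q': ['cats&safe=off'], 'safe': ['on']}
```

With concatenation the server sees two `safe` values and the first one wins in many frameworks; with encoding the whole hostile string stays inside `q`. The same encoding step is what keeps a value containing `#`, `?` or a space from being truncated or misread.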
When to use SOAP instead of REST
• WS-Security defines how to encrypt just part of an XML message
  - e.g. to encrypt the search strings sent to a search engine
  - Rather than reinventing the wheel, use SOAP for this
• WS-* includes reliable messaging and transaction support
• SOAP can be applied to FTP traffic and MQ; REST can't
  - So use SOAP for these applications
• SOAP supports attachments, although there are three different specifications for how to do attachments right now (MIME, DIME, MTOM)
  - Nevertheless, use SOAP when you need to send around binary data or large attachments
RESTful interface in Blackbook
• Blackbook is a semantic-web-based framework which provides analysts with an easy-to-use tool that federates queries across local and remote data sources to access valuable data
• Why REST in Blackbook? Semantic data is a collection of different vocabularies, and REST lets visualizers present semantic data more easily than SOAP does
• Implemented in the following Blackbook modules:
  - workspace-workflow
  - workspace-workspace
  - workspace-blackbook
Workflow
• Workflow is used to build complex processing sequences by stringing together BLACKBOOK algorithms
• A workflow process definition can be executed any number of times. An individual execution of a process definition is called a Process Instance
• Functionalities in RESTful Workflow:
  1) GET the process definition
  2) DELETE the process definition
  3) PUT the process definition
  4) POST the process definition
  5) PUT the process instance
  6) GET the process instance
Workspace
• The Workspace subsystem is a general-purpose storage system that uses a directory metaphor to organize content
• Currently, the only items stored in the workspace are "workflow process definitions" and "process instances" (in future, user preferences and assertions content may be stored in the workspace)
• Functionalities in RESTful Workspace:
  1) GET the root folder
  2) PUT a subfolder under the root folder or any other subfolder
  3) GET the child items of a given folder
  4) PUT a process definition under a given folder
  5) GET the process definition for a given user
  6) DELETE the item under a given folder
Blackbook
• Blackbook provides analysts with an easy-to-use tool which federates queries across local and remote data sources to access valuable data
• Analysts can make logical inferences across the data sources, add their own knowledge and share that knowledge with other analysts using the system
• Functionalities in RESTful Blackbook:
  1) GET the list of algorithms
  2) GET the list of data sources
  3) GET the list of local data sources
  4) GET the field names of a particular data source
  5) Search for a keyword in a particular data source (GET & POST)
Technologies used
• Java / J2EE
• RESTEasy: a JBoss project that provides a framework to help build RESTful Web Services and RESTful Java applications
• How it works: all calls to the RESTful Web Service are handled by the REST servlet at the web tier, which in turn invokes the EJB methods at the enterprise tier and returns the result in the form of RSS or Atom feeds
Amazon Simple Storage Service (S3)
• "Amazon S3 is storage for the Internet. It is designed to make web-scale computing easier for developers."
• Amazon S3 provides a simple web services interface that can be used to store and retrieve any amount of data, at any time, from anywhere on the web
Benefits of Amazon S3
• Storage price as low as 15 cents per GB per month
• Can be invoked via both REST and SOAP web services
• Facilitates data sharing at nominal cost
Blackbook with S3
• Many organizations are using services like Amazon S3 for data storage. A few important questions arise here:
  - Can we use S3 to store the data sources used by Blackbook?
  - Is the data we store on S3 secure? Is it accessible by any user outside our organization?
  - How do we restrict access to the files to the users within the organization?
Our approach
• We can use Amazon S3 to store the data sources used by Blackbook
• To keep our data secure, we propose to encrypt the data using AES (Advanced Encryption Standard) before uploading the data files to Amazon S3. In practice this should be an authenticated mode such as AES-GCM, so that tampering with a stored object is detected and not only its contents hidden
• To restrict access to the files to the users within the organization, we propose to implement role-based access control policies using XACML (eXtensible Access Control Markup Language)
Our approach (contd)
• For authentication: the Lamport One Time Password mechanism
• For authorization: XACML (eXtensible Access Control Markup Language)
Lamport One Time Password Scheme
OTP in general:
• Valid for a single session or transaction
• Not vulnerable to replay attacks: a captured password is useless once it has been accepted
• Requires additional technology (a token, a printed list or a client component), since a human cannot memorise a fresh password for every login
Lamport OTP:
• Client and server components use a common sequencing algorithm
• It generates a sequence of passkey values; each successor is computed from its predecessor
• For the scheme to be secure, the successor function F must be one-way (a cryptographic hash). The client reveals the values in reverse order (S[n-1] after S[n]), the server checks that F(value) equals the last value it accepted, and an eavesdropper who captures S[n-1] cannot compute the next password S[n-2] from it
Lamport One Time Password Scheme
[Figure: the client component and the server component each hold a stack of the same values, S6 on top down to S1 at the bottom]
S1 = seed, S2 = F(S1), S3 = F(S2), ..., S[n] = F(S[n-1])
Lamport One Time Password Scheme (worked example)
Seed = 3, F(n) = add 3 to the predecessor
S1 = 3, S2 = 3+3 = 6, S3 = 6+3 = 9, ..., S6 = 15+3 = 18
[Figure: both stacks hold 18, 15, 12, 9, 6, 3 with 18 on top]
Note that "add 3" is for illustration only: it is trivially invertible, so anyone who sees one value can compute all the others. A real deployment uses a hash function for F.
XACML request
<Request>
  <Subject SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
               DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name">
      <AttributeValue>testadmin@blackbook.jhuapl.edu</AttributeValue>
    </Attribute>
    <Attribute AttributeId="group" DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>users</AttributeValue>
    </Attribute>
  </Subject>
  <Resource>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
               DataType="http://www.w3.org/2001/XMLSchema#anyURI">
      <AttributeValue>911DataSource_OnAmazons3</AttributeValue>
    </Attribute>
  </Resource>
  <Action>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
               DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>read</AttributeValue>
    </Attribute>
  </Action>
</Request>
XACML policy
<Policy PolicyId="AmazonAccessPolicy"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:ordered-permit-overrides">
  <Description>This policy file is used to authorize users with Amazon S3 datasource</Description>
  <Target>
    <Subjects>
      <Subject>
        <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:rfc822Name-match">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">testadmin@blackbook.jhuapl.edu</AttributeValue>
          <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                                      DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name"/>
        </SubjectMatch>
      </Subject>
    </Subjects>
    <Resources>
      <Resource>
        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">911DataSource_OnAmazons3</AttributeValue>
          <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                                       DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
        </ResourceMatch>
      </Resource>
    </Resources>
    <Actions>
      <AnyAction/>
    </Actions>
  </Target>
  <Rule RuleId="AmazonAccessRule" Effect="Permit">
    <Target>
      <Subjects><AnySubject/></Subjects>
      <Resources><AnyResource/></Resources>
      <Actions>
        <Action>
          <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                                       DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </ActionMatch>
        </Action>
      </Actions>
    </Target>
    <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
        <SubjectAttributeDesignator AttributeId="group" DataType="http://www.w3.org/2001/XMLSchema#string"/>
      </Apply>
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">users</AttributeValue>
    </Condition>
  </Rule>
</Policy>
Reading the policy: the policy-level Target narrows it to the subject testadmin@blackbook.jhuapl.edu acting on the resource 911DataSource_OnAmazons3 (any action). The single rule then permits only the action "read", and only if the subject's "group" attribute is exactly "users". There is no Deny rule, so every other request evaluates to NotApplicable rather than Deny; the enforcement point must treat anything that is not an explicit Permit as a denial.
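To make the decision logic concrete, here is a small policy decision point, written as an added example (not Blackbook's code, which used a full XACML engine): it loads the request and policy from the slides verbatim and implements just the functions they use (rfc822Name-match, anyURI-equal, string-equal, string-one-and-only, ordered-permit-overrides). The interesting outputs are the non-Permit ones: a "write" request, a subject in another group, or another subject all evaluate to NotApplicable, never Deny, which is why the enforcement point must deny by default.

```python
import xml.etree.ElementTree as ET

FN = "urn:oasis:names:tc:xacml:1.0:function:"

# The policy and request from the slides, verbatim apart from whitespace (namespace-free XML).
POLICY_XML = """<Policy PolicyId="AmazonAccessPolicy"
 RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:ordered-permit-overrides">
 <Target>
  <Subjects><Subject><SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:rfc822Name-match">
   <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">testadmin@blackbook.jhuapl.edu</AttributeValue>
   <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
    DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name"/></SubjectMatch></Subject></Subjects>
  <Resources><Resource><ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
   <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">911DataSource_OnAmazons3</AttributeValue>
   <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
    DataType="http://www.w3.org/2001/XMLSchema#anyURI"/></ResourceMatch></Resource></Resources>
  <Actions><AnyAction/></Actions>
 </Target>
 <Rule RuleId="AmazonAccessRule" Effect="Permit">
  <Target>
   <Subjects><AnySubject/></Subjects><Resources><AnyResource/></Resources>
   <Actions><Action><ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
    <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
     DataType="http://www.w3.org/2001/XMLSchema#string"/></ActionMatch></Action></Actions>
  </Target>
  <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
   <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
    <SubjectAttributeDesignator AttributeId="group" DataType="http://www.w3.org/2001/XMLSchema#string"/>
   </Apply>
   <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">users</AttributeValue>
  </Condition>
 </Rule>
</Policy>"""

REQUEST_XML = """<Request>
 <Subject SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
  <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
   DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name">
   <AttributeValue>testadmin@blackbook.jhuapl.edu</AttributeValue></Attribute>
  <Attribute AttributeId="group" DataType="http://www.w3.org/2001/XMLSchema#string">
   <AttributeValue>users</AttributeValue></Attribute>
 </Subject>
 <Resource><Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
   DataType="http://www.w3.org/2001/XMLSchema#anyURI">
   <AttributeValue>911DataSource_OnAmazons3</AttributeValue></Attribute></Resource>
 <Action><Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
   DataType="http://www.w3.org/2001/XMLSchema#string">
   <AttributeValue>read</AttributeValue></Attribute></Action>
</Request>"""


def request_attrs(req_xml):
    """Flatten the request into {(category, AttributeId): [values]}."""
    root, attrs = ET.fromstring(req_xml), {}
    for cat in ("Subject", "Resource", "Action"):
        for sec in root.findall(cat):
            for a in sec.findall("Attribute"):
                attrs.setdefault((cat, a.get("AttributeId")), []).extend(
                    v.text for v in a.findall("AttributeValue"))
    return attrs


def rfc822name_match(pattern, name):
    """XACML rfc822Name-match: full mailbox (domain case-insensitive), ".domain" suffix, or bare domain."""
    local, _, domain = name.partition("@")
    if "@" in pattern:
        plocal, _, pdomain = pattern.partition("@")
        return plocal == local and pdomain.lower() == domain.lower()
    if pattern.startswith("."):
        return domain.lower().endswith(pattern.lower())
    return domain.lower() == pattern.lower()


MATCH = {FN + "rfc822Name-match": rfc822name_match,
         FN + "anyURI-equal": lambda a, b: a == b,
         FN + "string-equal": lambda a, b: a == b}


def match_holds(m, cat, attrs):
    literal = m.find("AttributeValue").text
    attr_id = m.find(cat + "AttributeDesignator").get("AttributeId")
    return any(MATCH[m.get("MatchId")](literal, v) for v in attrs.get((cat, attr_id), []))


def target_matches(target, attrs):
    """Subjects, Resources and Actions must each match (Any* is a wildcard);
    inside one Subject/Resource/Action every *Match element must hold."""
    for cat in ("Subject", "Resource", "Action"):
        sec = target.find(cat + "s")
        if sec is None or sec.find("Any" + cat) is not None:
            continue
        if not any(all(match_holds(m, cat, attrs) for m in child.findall(cat + "Match"))
                   for child in sec.findall(cat)):
            return False
    return True


def condition_holds(cond, attrs):
    """Only the shape on the slide: string-equal(string-one-and-only(<designator>), <literal>)."""
    if cond is None:
        return True
    vals = attrs.get(("Subject", cond.find("Apply/SubjectAttributeDesignator").get("AttributeId")), [])
    if len(vals) != 1:        # string-one-and-only on any other bag size is an error, never a Permit
        return False
    return vals[0] == cond.find("AttributeValue").text


def evaluate(policy_xml, req_xml):
    """Permit, Deny or NotApplicable under ordered-permit-overrides."""
    policy, attrs = ET.fromstring(policy_xml), request_attrs(req_xml)
    if not target_matches(policy.find("Target"), attrs):
        return "NotApplicable"
    decision = "NotApplicable"
    for rule in policy.findall("Rule"):
        if target_matches(rule.find("Target"), attrs) and condition_holds(rule.find("Condition"), attrs):
            if rule.get("Effect") == "Permit":
                return "Permit"
            decision = "Deny"
    return decision
```

Run `evaluate(POLICY_XML, REQUEST_XML)` for the slide's request and it returns "Permit"; change the action to "write" or the group to anything but "users" and the result is "NotApplicable". A PEP that only refuses on "Deny" would let those through, so the check must be `decision == "Permit"`.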
System overview
[Figure: the components are the Client (browser); Blackbook, containing the Search Engine, the Client OTP Stack, the Encryption / Decryption Service Provider and the Amazon File Manager; Trusted Server-1 (Policy Server 1, Key Server 1, Server OTP Value); Trusted Server-2 (Policy Server 2, Key Server 2, Server OTP Value); Other Data Sources; and the Amazon S3 Server. OTP = One Time Password. The two keys are combined by XOR inside Blackbook.]
Numbered flows in the figure:
1. Search input
2a. OTP stack value + credentials (to Trusted Server-1)
2b. OTP stack value + credentials (to Trusted Server-2)
3a. Key1 (from Trusted Server-1)
3b. Key2 (from Trusted Server-2)
4. XORed key
5. AWS credentials + data source name (Amazon File Manager to Amazon S3)
6. Data source file (encrypted form)
7. Encrypted data source
8. Decrypted data source
9. Results
Steps
1. The user U sends a search query to Blackbook (step 1 in the figure). Blackbook federates the query across its various data sources, including data source F, which is stored in encrypted form on Amazon S3.
2. The One Time Password (OTP) scheme authenticates the client (Blackbook, in this case) for use of the AWS S3 services. The client machine sends the topmost value on its OTP stack, together with the user credentials and the request, to trusted servers 1 and 2 (steps 2a and 2b).
3. If the value passed by the client matches the OTP value held by the trusted server, and the policies applicable to the user permit the request, each trusted server returns its share of the key used to decrypt the data source (steps 3a and 3b).
4. The shares key1 and key2 obtained from trusted servers 1 and 2 are XORed to obtain the original key used to decrypt data source F (step 4).
5. The Amazon File Manager passes the Amazon account credentials and the data source name to S3 to retrieve the data source (steps 5 and 6).
6. The Encryption / Decryption Service Provider takes the encrypted data source and decrypts it with the XORed key (steps 7 and 8).
7. Blackbook performs the search on the data source retrieved from Amazon along with the other data sources and returns the results to the user (step 9).
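The OTP slides and the retrieval steps above, carried through end to end as one added example (not Blackbook's code): a Lamport chain with SHA-256 as F, a server that stores only the last accepted value and walks down the chain, two trusted servers that release their key share only when the OTP verifies and a simplified group/action policy permits, XOR reconstruction of the key, and decryption of the stored object. The seed, plaintext and group names are constructed; the policy check stands in for the XACML evaluation; and because the Python standard library has no AES, a SHA-256 keystream stands in for the AES step (illustration only, use AES-GCM from a vetted library in practice).

```python
import hashlib
import os


# ---- Lamport one-time passwords -------------------------------------------
def lamport_chain(seed: bytes, n: int) -> list:
    """S1 = seed, S[i+1] = F(S[i]) with F = SHA-256 (one-way), not the slides'
    illustrative "add 3"."""
    chain = [seed]
    for _ in range(n - 1):
        chain.append(hashlib.sha256(chain[-1]).digest())
    return chain


class OtpVerifier:
    """Server side: keeps only the last accepted value and walks down the chain."""
    def __init__(self, top: bytes):
        self.current = top                          # S[n], registered at enrolment

    def accept(self, presented: bytes) -> bool:
        if hashlib.sha256(presented).digest() != self.current:
            return False                            # wrong value, or a replay
        self.current = presented                    # next time expects the predecessor
        return True


class OtpClient:
    """Client side: reveals the top of its stack, S[n-1], then S[n-2], ..."""
    def __init__(self, chain: list):
        self.stack = chain[:-1]                     # S[n] itself is never sent

    def next_otp(self) -> bytes:
        return self.stack.pop()


# ---- XOR key split across the two trusted servers --------------------------
def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(k: bytes):
    """k1 uniformly random, k2 = k XOR k1: either share alone is independent of k."""
    k1 = os.urandom(len(k))
    return k1, xor_bytes(k, k1)


class TrustedServer:
    """Policy server + key server of the figure. Releases its share only when the
    OTP verifies and the (assumed, simplified) policy permits the action."""
    def __init__(self, otp_top: bytes, share: bytes, allowed_groups: set):
        self.otp, self.share, self.allowed = OtpVerifier(otp_top), share, allowed_groups

    def request_share(self, otp_value: bytes, group: str, action: str):
        if not self.otp.accept(otp_value):
            return None
        if action != "read" or group not in self.allowed:
            return None
        return self.share


# ---- stand-in for the AES step ----------------------------------------------
def keystream_xor(key: bytes, data: bytes) -> bytes:
    """XOR with a SHA-256 keystream; symmetric, so it decrypts as it encrypts.
    Illustration only: no AES in the stdlib, and no integrity check here."""
    out = bytearray()
    for i in range(0, len(data), 32):
        out += xor_bytes(data[i:i + 32], hashlib.sha256(key + i.to_bytes(8, "big")).digest())
    return bytes(out)


# ---- steps 2 to 8 of the retrieval flow --------------------------------------
def retrieve_data_source(client, servers, s3_object: bytes, group: str):
    otp = client.next_otp()                                          # 2a/2b: same value to both
    shares = [s.request_share(otp, group, "read") for s in servers]  # 3a/3b
    if None in shares:
        return None                                                  # no share, no key
    key = xor_bytes(shares[0], shares[1])                            # step 4
    return keystream_xor(key, s3_object)                             # steps 7 and 8


def demo():
    """Constructed end-to-end run; returns the observations the text claims."""
    key = os.urandom(32)
    k1, k2 = split_key(key)
    plaintext = b"constructed sample data source stored on S3"
    s3_object = keystream_xor(key, plaintext)                        # encrypted before upload
    chain = lamport_chain(b"constructed seed", 6)                    # S1..S6
    servers = [TrustedServer(chain[-1], k1, {"users"}),
               TrustedServer(chain[-1], k2, {"users"})]
    client = OtpClient(chain)
    decrypted = retrieve_data_source(client, servers, s3_object, "users")
    replayed = [s.request_share(chain[-2], "users", "read") for s in servers]   # S5 again
    denied = retrieve_data_source(client, servers, s3_object, "guests")         # S4, wrong group
    return {"decrypted": decrypted, "replay_shares": replayed, "denied": denied,
            "share_equals_key": key in (k1, k2)}


if __name__ == "__main__":
    print(demo())
```

Two things the run makes visible: the replayed S5 is rejected by both servers because each has already moved its stored value down to S5, and the "guests" request consumes an OTP but receives no share, so the key never exists on the Blackbook side for that request.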
Advantages
• No single point of compromise: to recover the key an attacker has to obtain control of both trusted key servers, because each share on its own is statistically independent of the key (k1 is random, k2 = k XOR k1). Note that this is the opposite of "no single point of failure" for availability: if either server is unreachable, nobody can reconstruct the key
• The final encryption key k is never stored; it is recomputed as k1 XOR k2 only when needed, and should live only in memory for the duration of the request
• The split is only as good as the randomness of k1, so the shares must come from a cryptographically secure random source
Comments !! Questions !! Suggestions !!