A distributed authentication model for composite Web services

Abstract The proliferation of Web-service-based applications, collaboration and interoperability between companies, highly heterogeneous security policies and, more generally, replay attacks over the Internet are major challenges in the design of security infrastructures for Web services. In this paper, we focus on the authentication of composite Web services. Authentication is at the heart of any secure system, so we propose a distributed authentication model for composite Web services based on the circle-of-trust concept. The model has several functions. First, it provides authentication for arbitrary composite Web services over the Internet. Second, it operates across and beyond domain authentication boundaries. Third, it resolves conflicts between security policies using Web Single Sign-On (SSO) and a client profile described with ontologies. Furthermore, the proposed model is scalable and dynamic because it is fully distributed, has no central point of control, and evolves over time. A prototype implementation and a simulation design demonstrate that strong security can be achieved for both the client and the composite Web service by combining a dynamic and collaborative trust model with three enhancements: (i) a combined encryption technique, (ii) a distributed certificate authority, and (iii) semantic annotations.
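As an added illustration (not code from the paper, whose protocol details are not given in this abstract), the following Python sketch shows the pieces the abstract names working together: an assertion issued by the client's home domain is verified by a service in a different domain that lists the issuer in its circle of trust, with audience, lifetime and nonce checks so that a captured assertion cannot be replayed. The domain names, keys and the HMAC-based signing are assumptions made for the example; the paper's combined encryption technique and distributed certificate authority are not modelled.

```python
"""Circle-of-trust SSO sketch with replay protection (added example, not the paper's code)."""
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed sample: each domain in the circle has an issuing key and every
# relying party holds a copy.  HMAC stands in for asymmetric signatures so the
# example stays stdlib-only; a real deployment would use per-domain signing
# keys (e.g. SAML or JWT signatures) distributed by the trust infrastructure.
CIRCLE_KEYS = {
    "domainA.example": b"assumed-issuing-key-for-domain-A",
    "domainB.example": b"assumed-issuing-key-for-domain-B",
}


def issue_assertion(issuer, subject, audience, key, now=None, ttl=60):
    """Home domain issues a short-lived, single-use assertion for one audience."""
    now = time.time() if now is None else now
    body = {
        "iss": issuer,
        "sub": subject,
        "aud": audience,            # binds the assertion to one relying party
        "iat": now,
        "exp": now + ttl,           # short lifetime limits the replay window
        "nonce": secrets.token_hex(8),  # makes each assertion unique
    }
    payload = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode() + "."
            + base64.urlsafe_b64encode(tag).decode())


class RelyingParty:
    """A service in some domain that accepts assertions from its circle of trust."""

    def __init__(self, name, circle_keys, clock=time.time, skew=30):
        self.name = name
        self.keys = circle_keys
        self.clock = clock          # injectable for deterministic tests
        self.skew = skew            # tolerated clock skew in seconds
        self.seen = set()           # (issuer, nonce) pairs already accepted

    def verify(self, token):
        """Return (subject, 'ok') or (None, reason) in check order."""
        try:
            payload_b64, tag_b64 = token.split(".")
            payload = base64.urlsafe_b64decode(payload_b64)
            tag = base64.urlsafe_b64decode(tag_b64)
            body = json.loads(payload)
            if not isinstance(body, dict):
                raise ValueError("body is not an object")
        except ValueError:
            return None, "malformed"
        key = self.keys.get(body.get("iss"))
        if key is None:
            return None, "unknown issuer"
        expected = hmac.new(key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return None, "bad signature"
        if body.get("aud") != self.name:
            return None, "wrong audience"
        now = self.clock()
        if not (body.get("iat", 0) - self.skew <= now <= body.get("exp", 0)):
            return None, "expired or not yet valid"
        replay_id = (body["iss"], body.get("nonce"))
        if replay_id in self.seen:
            return None, "replay"
        self.seen.add(replay_id)
        return body.get("sub"), "ok"


if __name__ == "__main__":
    token = issue_assertion("domainA.example", "alice", "orders.domainB.example",
                            CIRCLE_KEYS["domainA.example"])
    orders = RelyingParty("orders.domainB.example", CIRCLE_KEYS)
    print(orders.verify(token))   # accepted once
    print(orders.verify(token))   # second presentation rejected as a replay
```

The order of checks matters: issuer membership and signature come first so that an attacker outside the circle learns nothing from audience or timing errors, and the nonce is recorded only after every other check passes, so a rejected token does not poison the replay cache.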
