Service security revisited

Proceedings - 2014 IEEE International Conference on Services Computing, SCC 2014

Volumn , Issue , 2014, Pages 464-471

  Gorski, Peter Leo ^a   Iacono, Luigi Lo ^a   Nguyen, Hoai Viet ^a   Torkian, Daniel Behnam ^a  

^a Verkehr und Wasser Lehr und Forschungsgebiet Geotechnik und Tunnelbau   (Germany)

Author keywords

REST; Security; Services; SOA; SOAP

Indexed keywords

INFORMATION SERVICES; SERVICE ORIENTED ARCHITECTURE (SOA); SOAPS (DETERGENTS); STANDARDIZATION; WEBSITES;

DISTRIBUTED APPLICATIONS; REST; SECURITY; SECURITY CONSIDERATIONS; SERVICE ORIENTED ARCHITECTURE PRINCIPLES; SERVICES; SOAP-BASED WEB SERVICES; WEB SERVICES SECURITY;

WEB SERVICES;

EID: 84919625923     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/SCC.2014.68     Document Type: Conference Paper

References (52)

1. T. Erl, SOA Principles of Service Design (The Prentice Hall Service-Oriented Computing Series from Thomas Erl). Upper Saddle River, NJ, USA: Prentice Hall PTR, 2007.
2. M. Gudgin, M. Hadley, N. Mendelsohn, J.-J. Moreau, H. F. Nielsen, A. Karmarkar, and Y. Lafon, "SOAP Version 1.2 Part 1: Messaging Framework (Second Edition)," W3C, Recommendation, 2007. [Online]. Available: http://www.w3.org/TR/soap12-part1/
3. R. Fielding, "Architectural Styles and the Design of Network-based Software Architectures," Ph.D. dissertation, University of California, Irvine, 2000. [Online]. Available: https://www.ics.uci.edu/~fielding/ pubs/dissertation/top.htm
4. A. Nadalin, C. Kaler, R. Monzillo, and H.-B. Phillip, "Web Services Security: SOAP Message Security 1.1," OASIS, Standard Specification, 2006. [Online]. Available: http://docs.oasis-open.org/wss/v1.1/wss-v1. 1-spec-os-SOAPMessageSecurity.pdf
5. E. Bertino, L. Martino, F. Paci, and A. C. Squicciarini, Security for Web Services and Service-Oriented Architectures. Springer, 2010.
6. T. Dierks and E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.2," IETF, RFC 5246, 2008. [Online]. Available: http://www.ietf.org/rfc/rfc5246.txt
7. D. Hardt, "The OAuth 2.0 Authorization Framework," IETF, RFC 6749, 2012. [Online]. Available: https://tools.ietf.org/html/rfc6749
8. E. Hammer-Lahav, "The OAuth 1.0 Protocol," IETF, RFC 5849, 2010. Available: https://tools.ietf.org/html/rfc5849
9. IETF, "Javascript Object Signing and Encryption (jose)," 2014. Available: http://datatracker.ietf.org/wg/jose/
10. A. Nadalin, M. Goodner, M. Gudgin, D. Turner, A. Barbir, and H. Granqvist, "WS-SecurityPolicy 1.3," OASIS, Standard, 2012. Available: http://docs.oasis-open.org/ws-sx/ws-securitypolicy/ v1.3/errata01/ws-securitypolicy-1.3-errata01-complete.html
11. A. S. Vedamuthu, D. Orchard, F. Hirsch, M. Hondo, P. Yendluri, T. Boubez, and Y. Umit, "Web Services Policy 1.5-Framework," W3C, Recommendation, 2007. [Online]. Available: http://www.w3.org/ TR/ws-policy
12. A. Nadalin, M. Goodner, M. Gudgin, A. Barbir, and H. Granqvist, "WS-Trust 1.3," OASIS, Standard, 2007. [Online]. Available: http: //docs.oasis-open.org/ws-sx/ws-trust/200512/ws-trust-1.3-os.html
13. M. Goodner and A. Nadalin, "Web Services Federation Language (WSFederation) Version 1.2," OASIS, Standard, 2009. [Online]. Available: http://docs.oasis-open.org/wsfed/federation/v1.2/ws-federation.html
14. E. Rissanen, "eXtensible Access Control Markup Language (XACML) Version 3.0," OASIS, Standard, 2013. [Online]. Available: http: //www.oasis-open.org/committees/xacml
15. S. Cantor, J. Kemp, R. Philpott, and E. Maler, "Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0," OASIS, Standard, 2005. [Online]. Available: http: //docs.oasis-open.org/security/saml/v2.0/saml-2.0-os.zip
16. T. Imamura, B. Dillaway, E. Simon, Y. Kelvin, and M. Nystrom, "XML Encryption Syntax and Processing Version 1.1," W3C, Recommendation, 2013. [Online]. Available: http://www.w3.org/TR/ xmlenc-core1/
17. M. Bartel, J. Boyer, B. Fox, B. LaMacchia, and E. Simon, "XML Signature Syntax and Processing (Second Edition)," W3C, Recommendation, 2008. [Online]. Available: http://www.w3.org/TR/ xmldsig-core/
18. P. Hallam-Baker and H. M. Shivaram, "XML Key Management Specification (XKMS 2.0)," W3C, Recommendation, 2005. [Online]. Available: http://www.w3.org/TR/xkms2/
19. K. Ballinger, D. Ehnebuske, C. Ferris, M. Gudgin, C. K. Liu, M. Nottingham, and P. Yendluri, "Basic Profile Version 1.1," WS-I, Final Material, 2006. [Online]. Available: http://www.ws-i.org/Profiles/ BasicProfile-1.1.html
20. M. McIntosh, M. Gudgin, K. S. Morrison, and A. Barbir, "Basic Security Profile Version 1.1," WS-I, Final Material, 2010. [Online]. Available: http://www.ws-i.org/Profiles/BasicSecurityProfile-1.1.html
21. T. Bray, J. Paoli, C. M. Sperberg-McQueen, E. Maler, and F. Yergeau, "Extensible Markup Language (XML) 1.0 (Fifth Edition)," W3C, Recommendation, 2008. [Online]. Available: http: //www.w3.org/TR/2008/REC-xml-20081126
22. R. Fielding, J. Gettys, J. Mogul, H. Frystyk, L. Masinter, P. Leach, and T. Berners-Lee, "Hypertext Transfer Protocol-HTTP/1.1," IETF, RFC 2616, 1999. [Online]. Available: http://www.ietf.org/rfc/rfc2616.txt
23. M. Hapner, R. Burridge, R. Sharma, J. Fialli, K. Stout, and N. Deakin, "Java Message Service Version 2.0," Oracle America, Inc, JSR 000343, 2013. [Online]. Available: https://jcp.org/aboutJava/communityprocess/ final/jsr343/index.html
24. J. Klensin, "Simple Mail Transfer Protocol," IETF, RFC 5321, 2008. Available: https://tools.ietf.org/html/rfc5321
25. A. Nadalin, M. Goodner, M. Gudgin, A. Barbir, and H. Granqvist, "WS-SecureConversation 1.4," OASIS, Standard, 2009. [Online]. Available: http://docs.oasis-open.org/ws-sx/ws-secureconversation/v1. 4/ws-secureconversation.html
26. J. Rosenberg and D. Remy, Securing Web Services with WS-Security: Demystifying WS-Security, WS-Policy, SAML, XML Signature, and XML Encryption. Pearson Higher Education, 2004.
27. P. Mell and T. Grance, "The NIST Definition of Cloud Computing," NIST, Special Publication 800-145, 2011. [Online]. Available: http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf
28. W. M. Omar and A. Taleb-Bendiab, "Service Oriented Architecture for E-health Support Services Based on Grid Computing Overlay," in IEEE International Conference on Services Computing, ser. SCC'06. Chicago, IL, USA: IEEE, 2006, pp. 135-142. [Online]. Available: http://dx.doi.org/10.1109/SCC.2006.90
29. M. V. Bhonsle, N. Poolsappasit, and S. K. Madria, "ETIS-Efficient Trust and Identity Management System for Federated Service Providers," in IEEE 27th International Conference on Advanced Information Networking and Applications, ser. AINA'13, L. Barolli, F. Xhafa, M. Takizawa, T. Enokido, and H.-H. Hsu, Eds. Barcelona, Catalonia, Spain: IEEE, 2013, pp. 219-226. [Online]. Available: http://dx.doi.org/10.1109/AINA.2013.13
30. E. Christensen, F. Curbera, G. Meredith, and S. Weerawarana, "Web Services Description Language (WSDL) 1.1," W3C, Note, 2001. Available: http://www.w3.org/TR/wsdl
31. OWASP, "XML External Entity (XXE) Processing," 2013. Available: https://www.owasp.org/index.php/XML External Entity (XXE) Processing
32. J. Clark and S. DeRose, "XML Path Language (XPath) Version 1.0," W3C, Recommendation, 1999. [Online]. Available: http: //www.w3.org/TR/xpath
33. OWASP, "XPATH Injection," 2013. [Online]. Available: https: //www.owasp.org/index.php/XPATH Injection
34. M. McIntosh and P. Austel, "XML Signature Element Wrapping Attacks and Countermeasures," in Proceedings of the 2005 Workshop on Secure Web Services, ser. SWS '05. New York, NY, USA: ACM, 2005, pp. 20-27. [Online]. Available: http://doi.acm.org/10.1145/1103022.1103026
35. N. Gruschka and L. Lo Iacono, "Vulnerable Cloud: SOAP Message Security Validation Revisited," in IEEE International Conference on Web Services, ser. ICWS'09, E. Damiani, R. Chang, and J. Zhang, Eds. Los Angeles, CA, USA: IEEE, 2009, pp. 625-631. [Online]. Available: http://dx.doi.org/10.1109/ICWS.2009.70
36. J. Somorovsky, M. Heiderich, M. Jensen, J. Schwenk, N. Gruschka, and L. Lo Iacono, "All Your Clouds Are Belong to Us: Security Analysis of Cloud Management Interfaces," in Proceedings of the 3rd ACM Workshop on Cloud Computing Security Workshop, ser. CCSW '11. New York, NY, USA: ACM, 2011, pp. 3-14. [Online]. Available: http://doi.acm.org/10.1145/2046660.2046664
37. C. Mainka, M. Jensen, L. Lo Iacono, and J. Schwenk, "Making XML Signatures Immune to XML Signature Wrapping Attacks," in Cloud Computing and Services Science, ser. Communications in Computer and Information Science, I. Ivanov, M. Sinderen, F. Leymann, and T. Shan, Eds. Springer International Publishing, 2013, vol. 367, pp. 151-167. Available: http://dx.doi.org/10.1007/978-3-319-04519-1 10
38. T. Berners-Lee, R. Fielding, and L. Masinter, "Uniform Resource Identifier (URI): Generic Syntax," IETF, RFC 3986, 2005. [Online]. Available: http://www.ietf.org/rfc/rfc3986.txt
39. Mozilla Developer Network, "Persona," 2013. [Online]. Available: https://developer.mozilla.org/en-US/Persona
40. D. Crockford, "The application/json Media Type for JavaScript Object Notation (JSON)," IETF, RFC 4627, 2006. [Online]. Available: http://www.ietf.org/rfc/rfc4627.txt
41. M. Lanthaler and C. Gutl, "On Using JSON-LD to Create Evolvable RESTful Services," in Proceedings of the Third International Workshop on RESTful Design, ser. WS-REST '12. New York, NY, USA: ACM, 2012, pp. 25-32. [Online]. Available: http: //doi.acm.org/10.1145/2307819.2307827
42. M. Jones, E. Rescorla, and J. Hildebrand, "JSON Web Encryption (JWE)," IETF, Internet-Draft, 2014. [Online]. Available: http://tools. ietf.org/html/draft-ietf-jose-json-web-encryption-25
43. M. Jones, J. Bradley, and N. Sakimura, "JSON Web Signature (JWS)," IETF, Internet-Draft, 2014. [Online]. Available: http://tools.ietf.org/ html/draft-ietf-jose-json-web-signature-25
44. M. Jones, "JSON Web Algorithms (JWA)," IETF, Internet-Draft, 2014. [Online]. Available: http://tools.ietf.org/html/ draft-ietf-jose-json-web-algorithms-25
45. M. Jones, "JSON Web Key (JWK)," IETF, Internet-Draft, 2014. [Online]. Available: http://tools.ietf.org/html/ draft-ietf-jose-json-web-key-25
46. M. Sporny, "Secure Messaging 1.0," Web Payments Community Group, specification, 2013. [Online]. Available: https://web-payments. org/specs/source/secure-messaging/
47. M. Sporny, D. Longley, G. Kellogg, M. Lanthaler, and N. Lindstrom, "JSON-LD 1.0," W3C, Recommendation, 2014. [Online]. Available: http://json-ld.org/spec/latest/json-ld/
48. D. Guinard, I. Ion, and S. Mayer, "In Search of an Internet of Things Service Architecture: REST or WS-? A Developers' Perspective," in Mobile and Ubiquitous Systems: Computing, Networking, and Services, ser. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, A. Puiatti and T. Gu, Eds., vol. 104. Springer Berlin Heidelberg, 2012, pp. 326-337. Available: http://dx.doi.org/10.1007/978-3-642-30973-1 32
49. R. Sleevi and D. Dahl, "Web Cryptography API," W3C, Working Draft, 2013. [Online]. Available: http://www.w3.org/TR/WebCryptoAPI
50. G. Serme, A. S. De Oliveira, and R. Y. Massiera, Julien, "Enabling message security for RESTful services," in 19th IEEE International Conference on Web Services, ser. ICWS'12. Honolulu, USA: IEEE, June 24-29, 2012, 2012. [Online]. Available: http: //www.eurecom.fr/publication/3739
51. Amazon, "Signing and Authenticating REST Requests," 2006. Available: http://docs.aws.amazon.com/AmazonS3/latest/dev/ RESTAuthentication.html
52. M. Cavage and M. Sporny, "HTTP Signatures," IETF, Internet-Draft, 2013. [Online]. Available: http://tools.ietf.org/html/ draft-cavage-http-signatures-01