secured information integration with a semantic-web based framework

UT DALLAS Erik Jonsson School of Engineering & Computer Science FEARLESS engineering SECURED INFORMATION INTEGRATION WITH A SEMANTIC-WEB BASED FRAMEWORK


DESCRIPTION

SECURED INFORMATION INTEGRATION WITH A SEMANTIC-WEB BASED FRAMEWORK. What is a web service? Everyone would agree with a general definition like this: “A Web service is a software system designed to support interoperable machine-to-machine interaction over a network.” (Source: W3C) - PowerPoint PPT Presentation

TRANSCRIPT

Page 1: SECURED INFORMATION INTEGRATION WITH A SEMANTIC-WEB BASED FRAMEWORK

UT DALLAS Erik Jonsson School of Engineering & Computer Science

FEARLESS engineering

SECURED INFORMATION INTEGRATION WITH A SEMANTIC-WEB BASED FRAMEWORK

Page 2: SECURED INFORMATION INTEGRATION WITH A SEMANTIC-WEB BASED FRAMEWORK


What is a web service?

• Everyone would agree with a general definition like this:

“A Web service is a software system designed to support interoperable machine-to-machine interaction over a network.” (Source: W3C)

Page 3: SECURED INFORMATION INTEGRATION WITH A SEMANTIC-WEB BASED FRAMEWORK

SOAP, WSDL and UDDI

• Most people understand Web Services to be the “triumvirate” of SOAP, WSDL, and UDDI

[Diagram: Application A on Platform A uses a SOAP client to send a SOAP envelope (payload plus security token) over SSL to a Web service hosting Application B on Platform B; the service is described by WSDL (Web Services Description Language) and listed in a UDDI Web Services directory]

Page 4: SECURED INFORMATION INTEGRATION WITH A SEMANTIC-WEB BASED FRAMEWORK


SOAP-based web services

Web services and SOAP are often considered the same

Page 5: SECURED INFORMATION INTEGRATION WITH A SEMANTIC-WEB BASED FRAMEWORK


REST


• But, SOAP is not the only kind of Web Service communication

• REST stands for REpresentational State Transfer

• Described in a thesis by Roy Fielding (Day Software, co-founder of the Apache Software Foundation, co-author of HTTP and URI RFCs)

• REST applies the architecture of the Web to Web Services

- Each URI is a distinct resource, as in the browser-based Web

- URIs can be bookmarked and cached

- Don’t reinvent the “wheel”

• Used by Amazon, Google, Flickr, and many others

Page 6: SECURED INFORMATION INTEGRATION WITH A SEMANTIC-WEB BASED FRAMEWORK


REST


• In REST, everything is a resource

• “Resource Modelling” is required at the outset. Model each document, and each process, as a “resource” with a distinct URI

• Then use the standard HTTP “verbs” to interact with the resource:

- GET: Retrieve a representation of a resource. Does not modify the server state. A GET must have no side effects on the server side

- POST: Create or update a representation of a resource

- PUT: Update a representation of a resource

- DELETE: Remove a representation of a resource

Page 7: SECURED INFORMATION INTEGRATION WITH A SEMANTIC-WEB BASED FRAMEWORK


Example of a REST Weather Service


• GET /weatherforecast/02110 HTTP/1.1 - Get the weather forecast for Boston

• POST /weatherforecast HTTP/1.1 - Upload a new weather forecast for San Jose by sending up an XML document which conforms to the appropriate Schema

- Response is a “201 Created” and a new URI:

201 Created
Content-Location: /weatherforecast/95101

• PUT /weatherforecast/95101 HTTP/1.1 - Update an existing resource representation

• DELETE /weatherforecast/02110 HTTP/1.1 - Delete the resource representation
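To make the four requests above concrete, here is an added example (not code from the slides) of a minimal in-memory REST weather service in Python: it dispatches on the HTTP verb and path, answers POST with “201 Created” and a Content-Location header, and records the method, path and status a network admin would see in an access log. The forecast document format `<forecast zip="NNNNN">…</forecast>` and the 02110/95101 contents are constructed for the example.

```python
import re

# Added example, not code from the slides: an in-memory REST weather service
# implementing the deck's four requests on /weatherforecast. The forecast
# document format <forecast zip="NNNNN">...</forecast> is a constructed
# stand-in for "an XML document which conforms to the appropriate Schema".

FORECASTS = {"02110": '<forecast zip="02110">Boston: sunny</forecast>'}  # constructed
REQUEST_LINE = re.compile(r"^(GET|POST|PUT|DELETE) (/\S*) HTTP/1\.[01]$")
ZIP_IN_BODY = re.compile(r'^<forecast zip="(\d{5})">')
ACCESS_LOG = []  # method, path and status: what a network admin sees on the wire


def handle(request_line, body=""):
    """Serve one request; returns (status, headers, body)."""
    m = REQUEST_LINE.match(request_line)
    if not m:
        return 400, {}, "Bad Request"
    method, path = m.groups()
    parts = path.strip("/").split("/")
    collection = parts[0] == "weatherforecast" and len(parts) <= 2
    zip_code = parts[1] if collection and len(parts) == 2 else None
    headers = {}
    if not collection:
        status, out = 404, "Not Found"
    elif method == "GET" and zip_code in FORECASTS:        # read-only, no side effects
        status, out = 200, FORECASTS[zip_code]
    elif method == "POST" and zip_code is None:             # create a new resource
        z = ZIP_IN_BODY.match(body)
        if z is None:
            status, out = 400, "Document does not conform to the forecast schema"
        elif z.group(1) in FORECASTS:
            status, out = 409, "Forecast already exists; use PUT to update it"
        else:
            FORECASTS[z.group(1)] = body
            headers["Content-Location"] = f"/weatherforecast/{z.group(1)}"
            status, out = 201, "Created"
    elif method == "PUT" and zip_code in FORECASTS:         # update an existing one
        FORECASTS[zip_code] = body
        status, out = 200, "Updated"
    elif method == "DELETE" and zip_code in FORECASTS:      # remove it
        del FORECASTS[zip_code]
        status, out = 204, ""
    else:
        status, out = 404, "Not Found"
    ACCESS_LOG.append(f"{method} {path} -> {status}")
    return status, headers, out
```

A SOAP-style `POST /weatherforecast.asmx` is refused here with 404, and the access log entries show the operation without inspecting any message body.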

Page 8: SECURED INFORMATION INTEGRATION WITH A SEMANTIC-WEB BASED FRAMEWORK


Contrast with SOAP Weather service


• POST /weatherforecast.asmx HTTP/1.1 - Send a SOAP message to get the weather in Boston

• POST /weatherforecast.asmx HTTP/1.1 - Send a different SOAP message to create a forecast for San Jose

- Response is a custom SOAP response message

• POST /weatherforecast.asmx HTTP/1.1 - Send another SOAP message to update the San Jose weather forecast

• POST /weatherforecast.asmx HTTP/1.1 - Send another SOAP message to delete the Boston weather forecast

• Notice anything?

- Everything is a POST. All the details are in the SOAP messages

Page 9: SECURED INFORMATION INTEGRATION WITH A SEMANTIC-WEB BASED FRAMEWORK


Reinventing Protocols


• In REST, HTTP is the protocol

- Well known, simple, and established

- Only four methods: GET, POST, PUT, DELETE

- A network admin can look at something like “GET /weatherforecast/02110” and understand what it is doing

- Requests can be bookmarked

- Responses can be cached

• By contrast, in SOAP, developers effectively create their own protocols

- Everything is a POST

- Rather than using “GET, POST, PUT, and DELETE”, the methods and operations are in the SOAP messages themselves

- A network admin just sees POSTs and cannot understand the purpose of the traffic without looking into the SOAP messages themselves

Page 10: SECURED INFORMATION INTEGRATION WITH A SEMANTIC-WEB BASED FRAMEWORK


More differences between SOAP and REST


1. SOAP is transport neutral

- SOAP can be used across FTP, SMTP, Message Queues

- But REST is tied to HTTP only

2. SOAP includes a whole stack of “composable” WS-* specifications

- WS-Security for inserting security tokens into SOAP headers, WS-ReliableMessaging, WS-Transactions, etc etc etc

- But since WS-* builds on top of SOAP, it does not apply to REST

- Proponents of REST would argue “use HTTP infrastructure for reliable messaging and security. Don’t reinvent the wheel”

- Experts argue that REST is “as safe as HTTP”

Page 11: SECURED INFORMATION INTEGRATION WITH A SEMANTIC-WEB BASED FRAMEWORK


REST in Practice


• REST is seen as “more simple to develop than SOAP” because you can create a QueryString just by concatenating strings together

• Most developers find it easier to concatenate strings together and then do a “GET” to a URI like Google’s “doGoogleSearch”, rather than to create a SOAP request

- SOAP products are getting easier to use though, the gap is closing…

• This simplicity is the main reason for REST’s popularity

Page 12: SECURED INFORMATION INTEGRATION WITH A SEMANTIC-WEB BASED FRAMEWORK


REST’s popularity – a famous data point

Source: Jeff Barr, Web Services Evangelist at Amazon.com


Page 13: SECURED INFORMATION INTEGRATION WITH A SEMANTIC-WEB BASED FRAMEWORK


When to use SOAP instead of REST

• WS-Security defines how to encrypt just part of an XML message

- e.g. to encrypt search strings into a search engine

- Rather than reinventing the wheel, use SOAP for this

• WS-* includes reliable messaging and transaction support

• SOAP can be applied to FTP traffic and MQ, REST can’t

- So, use SOAP for these applications

• SOAP supports attachments, although there are three different specifications for how to do attachments right now (MIME, DIME, MTOM).

- Nevertheless, use SOAP when you need to send around binary data or large attachments


Page 14: SECURED INFORMATION INTEGRATION WITH A SEMANTIC-WEB BASED FRAMEWORK


RESTful Interface in Blackbook

• Blackbook is a semantic web-based framework that provides analysts with an easy-to-use tool that federates queries across local and remote data sources to access valuable data

Why REST in Blackbook?

Semantic data is a collection of different vocabularies, and REST lets visualizers display semantic data more easily than SOAP does.

Implemented in following Blackbook modules:

1. workspace-workflow

2. workspace-workspace

3. workspace-blackbook


Page 15: SECURED INFORMATION INTEGRATION WITH A SEMANTIC-WEB BASED FRAMEWORK


Workflow

• Workflow is used to build complex processing sequences by stringing together BLACKBOOK algorithms

• A workflow process definition can be executed any number of times.

• An individual execution of a process definition is called a Process Instance.

• Functionalities in RESTful Workflow:

1) GET the process definition

2) DELETE the process definition

3) PUT the process definition

4) POST the process definition

5) PUT the process instance

6) GET the process instance


Page 16: SECURED INFORMATION INTEGRATION WITH A SEMANTIC-WEB BASED FRAMEWORK


Workspace

• Workspace subsystem is a general purpose storage system that uses a directory metaphor to organize content

• Currently, the only items stored in the workspace are “workflow process definitions” and “process instances” (in future, user preferences and assertions content may also be stored in the workspace).

• Functionalities in RESTful Workspace:

1) GET the root folder

2) PUT a subfolder under root folder or any other subfolder

3) GET the child items of a given folder

4) PUT a process definition under a given folder

5) GET the process definition for a given user

6) DELETE the item under a given folder


Page 17: SECURED INFORMATION INTEGRATION WITH A SEMANTIC-WEB BASED FRAMEWORK


Blackbook

• Blackbook provides analysts with an easy-to-use tool that federates queries across local and remote data sources to access valuable data

• Analysts can make logical inferences across the data sources, add their own knowledge and share that knowledge with other analysts using the system

• Functionalities in RESTful Blackbook:

1) GET the list of algorithms

2) GET the list of data sources

3) GET the list of local data sources

4) GET the field names of a particular data source

5) Search for a keyword in a particular data source (GET & POST)

Page 18: SECURED INFORMATION INTEGRATION WITH A SEMANTIC-WEB BASED FRAMEWORK


Technologies used

• Java / J2EE

• RESTEasy – a JBoss project that provides a framework to help build RESTful Web Services and RESTful Java applications

• How does it work?

All the calls to the RESTful Web Service are handled by the REST Servlet at the Web tier, which in turn invokes the EJB methods at the Enterprise tier and returns the result in the form of RSS or ATOM feeds.


Page 19: SECURED INFORMATION INTEGRATION WITH A SEMANTIC-WEB BASED FRAMEWORK


Integrating Blackbook with Amazon S3

Page 20: SECURED INFORMATION INTEGRATION WITH A SEMANTIC-WEB BASED FRAMEWORK


Amazon Simple Storage Service (S3)

• “Amazon S3 is storage for the Internet. It is designed to make web-scale computing easier for developers.”

• Amazon S3 provides a simple web services interface that can be used to store and retrieve any amount of data, at any time, from anywhere on the web.

Page 21: SECURED INFORMATION INTEGRATION WITH A SEMANTIC-WEB BASED FRAMEWORK


Benefits of Amazon S3

• Storage price as low as 15 cents per GB per month

• Can be invoked via both REST and SOAP web services

• Facilitates data sharing at nominal cost

Page 22: SECURED INFORMATION INTEGRATION WITH A SEMANTIC-WEB BASED FRAMEWORK


Blackbook with S3

• Many organizations are using services like Amazon S3 for data storage. A few important questions arise here:

• Can we use S3 to store the data sources used by Blackbook?

• Is the data we store on S3 secure? Is it accessible by any user outside our organization?

• How do we restrict access to the files to users within the organization?

Page 23: SECURED INFORMATION INTEGRATION WITH A SEMANTIC-WEB BASED FRAMEWORK


Our Approach

• We can use Amazon S3 to store the data sources used by Blackbook.

• To keep our data secure, we propose to encrypt the data using AES (Advanced Encryption Standard) before uploading the data files on Amazon S3.

• To restrict access to the files to users within the organization, we propose to implement role-based access control policies using XACML (eXtensible Access Control Markup Language).

Page 24: SECURED INFORMATION INTEGRATION WITH A SEMANTIC-WEB BASED FRAMEWORK


Our Approach (Contd)

• For authentication – Lamport One Time Password Mechanism

• For authorization – XACML (eXtensible Access Control Markup Language)

Page 25: SECURED INFORMATION INTEGRATION WITH A SEMANTIC-WEB BASED FRAMEWORK


Lamport One Time Password Scheme

OTP in general:

• Valid for a single session or transaction

• NOT vulnerable to replay attacks

• Requires additional technology to work due to human memory limitations

Lamport OTP:

• Client & Server components use a common sequencing algorithm

• Generate a sequence of passkey values

• Each successor is based on the value of its predecessor

Page 26: SECURED INFORMATION INTEGRATION WITH A SEMANTIC-WEB BASED FRAMEWORK


Lamport One Time Password Scheme

[Diagram: the client component holds the stack S1, S2, S3, S4, S5, S6 (S6 on top) and the server component holds S6]

S1 = seed, S2 = F(S1), S3 = F(S2), …, S[n] = F(S[n-1])

Page 27: SECURED INFORMATION INTEGRATION WITH A SEMANTIC-WEB BASED FRAMEWORK


Lamport One Time Password Scheme

[Diagram: with seed 3 and F(n) = add 3 to the predecessor, the client component holds the stack 3, 6, 9, 12, 15, 18 (18 on top) and the server component holds 18]

Seed = 3, F(n) = add 3 to predecessor: S1 = 3, S2 = 3+3, S3 = 6+3, …, S6 = 15+3
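As an added example (not code from the slides), the same chain in Python with a one-way F: SHA-256 stands in for the slides’ “add 3”, so the server, which stores only the most recently accepted value, verifies each password by checking that F(password) equals what it holds, and a captured value can neither be replayed nor used to derive the next one. The seed and chain length are constructed for the example.

```python
import hashlib

# Added example, not code from the slides. The deck illustrates the chain with
# F(n) = n + 3; here F is SHA-256, which is one-way: the value the server
# holds (S[k]) does not let anyone compute the next password S[k-1].


def F(value: bytes) -> bytes:
    """Successor function of the chain, S[i+1] = F(S[i])."""
    return hashlib.sha256(value).digest()


def build_chain(seed: bytes, n: int) -> list:
    """S1 = seed, S2 = F(S1), ..., S[n] = F(S[n-1]); returned bottom to top."""
    chain = [seed]
    for _ in range(n - 1):
        chain.append(F(chain[-1]))
    return chain


class OTPClient:
    """Keeps the chain as a stack; S[n] is on top and is registered at the server."""

    def __init__(self, seed: bytes, n: int):
        self.stack = build_chain(seed, n)

    def next_password(self) -> bytes:
        if len(self.stack) < 2:
            raise RuntimeError("chain exhausted: generate a new seed and re-register")
        self.stack.pop()          # drop the value the server already knows
        return self.stack[-1]     # present S[k-1]; the server checks F(S[k-1]) == S[k]


class OTPServer:
    """Stores only the most recently accepted value, never the seed or the stack."""

    def __init__(self, registered_top: bytes):
        self.current = registered_top

    def verify(self, password: bytes) -> bool:
        if F(password) != self.current:
            return False          # wrong value, or a replay of one already used
        self.current = password   # advance; the used value becomes the new reference
        return True


def login_session(seed: bytes, n: int, attempts: int) -> int:
    """Run `attempts` logins against a fresh server; return how many succeeded."""
    client, server = OTPClient(seed, n), OTPServer(build_chain(seed, n)[-1])
    return sum(server.verify(client.next_password()) for _ in range(attempts))
```

A chain of length n yields n-1 logins; the client must then generate a new seed and register its new top value.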

Page 28: SECURED INFORMATION INTEGRATION WITH A SEMANTIC-WEB BASED FRAMEWORK


XACML request

<Request>
  <Subject SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
               DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name">
      <AttributeValue>[email protected]</AttributeValue>
    </Attribute>
    <Attribute AttributeId="group" DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>users</AttributeValue>
    </Attribute>
  </Subject>
  <Resource>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
               DataType="http://www.w3.org/2001/XMLSchema#anyURI">
      <AttributeValue>911DataSource_OnAmazons3</AttributeValue>
    </Attribute>
  </Resource>
  <Action>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
               DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>read</AttributeValue>
    </Attribute>
  </Action>
</Request>

Page 29: SECURED INFORMATION INTEGRATION WITH A SEMANTIC-WEB BASED FRAMEWORK


XACML Policy

<Policy PolicyId="AmazonAccessPolicy"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:ordered-permit-overrides">
  <Description>This policy file is used to authorize users with Amazon S3 datasource</Description>
  <Target>
    <Subjects>
      <Subject>
        <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:rfc822Name-match">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">[email protected]</AttributeValue>
          <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                                      DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name"/>
        </SubjectMatch>
      </Subject>
    </Subjects>
    <Resources>
      <Resource>
        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">911DataSource_OnAmazons3</AttributeValue>
          <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                                       DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
        </ResourceMatch>
      </Resource>
    </Resources>
    <Actions>
      <AnyAction/>
    </Actions>
  </Target>

Page 30: SECURED INFORMATION INTEGRATION WITH A SEMANTIC-WEB BASED FRAMEWORK


XACML Policy(Contd)

  <Rule RuleId="AmazonAccessRule" Effect="Permit">
    <Target>
      <Subjects><AnySubject/></Subjects>
      <Resources><AnyResource/></Resources>
      <Actions>
        <Action>
          <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                                       DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </ActionMatch>
        </Action>
      </Actions>
    </Target>
    <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
        <SubjectAttributeDesignator AttributeId="group" DataType="http://www.w3.org/2001/XMLSchema#string"/>
      </Apply>
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">users</AttributeValue>
    </Condition>
  </Rule>
</Policy>

Page 31: SECURED INFORMATION INTEGRATION WITH A SEMANTIC-WEB BASED FRAMEWORK


System Overview

OTP – One Time Password

[Diagram, system overview: a client (browser) sends 1. search input to Blackbook, which contains the search engine, the client OTP stack, the XOR step, the Amazon File Manager and the Encryption / Decryption Service Provider. Blackbook sends 2a. and 2b. the OTP stack value + credentials to Trusted Server-1 (Policy Server 1, Key Server-1, server OTP value) and Trusted Server-2 (Policy Server 2, Key Server 2, server OTP value), which return 3a. Key1 and 3b. Key2; 4. the XORed key goes to the Encryption / Decryption Service Provider. The Amazon File Manager sends 5. AWS credentials + data source name to the Amazon S3 server and receives 6. the data source file (encrypted form); 7. the encrypted data source goes into the Encryption / Decryption Service Provider and 8. the decrypted data source comes out. The search engine also queries other data sources and returns 9. results to the client]

Page 32: SECURED INFORMATION INTEGRATION WITH A SEMANTIC-WEB BASED FRAMEWORK


Steps

1. The user U fires a search query to Blackbook (Step 1 in figure). Blackbook federates the query across various data sources, including data source F, which is stored securely on Amazon S3.

2. We follow the One Time Password (OTP) scheme to authenticate the client (Blackbook in this case) for using the AWS S3 services. The client machine sends the topmost value on the OTP stack, along with the user credentials and the request, to trusted servers 1 and 2 (Steps 2a and 2b in figure).

3. If the value passed by the client matches the value on the OTP stack on the trusted server, and the policies applicable to the user permit the request, the trusted server sends the “key” (key1 or key2) used to decrypt the data source (Steps 3a and 3b in figure).

4. The keys key1 and key2 obtained from trusted servers 1 and 2 are XORed to obtain the original key used to decrypt the data source F (Step 4 in figure).

Page 33: SECURED INFORMATION INTEGRATION WITH A SEMANTIC-WEB BASED FRAMEWORK


Steps (Contd)

5. The Amazon File Manager passes the Amazon account credentials and the data source name to Amazon S3 to retrieve the data source (Steps 5 and 6 in figure).

6. The Encryption / Decryption Service Manager retrieves the encrypted data source and, using the XORed key, decrypts it (Steps 7 and 8 in figure).

7. Blackbook performs the search on the data source retrieved from Amazon along with the other data sources and returns the results to the user (Step 9 in figure).

Page 34: SECURED INFORMATION INTEGRATION WITH A SEMANTIC-WEB BASED FRAMEWORK


Advantages

• No single point of failure: for the system to be hacked, the hacker needs to obtain control of both trusted key servers

• We don’t store the final key used for encryption, as we XOR the keys k1 and k2 to generate the key k used in encryption
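Steps 2 to 4 of the procedure above and the key-splitting argument in this slide, as an added Python example that is not the project’s code: two trusted servers each check the presented OTP value against the one they hold, evaluate a policy table (a simplified stand-in for the XACML policy shown earlier, keyed by resource and action and permitting group users), and release their key share; the client XORs k1 and k2 to recover k, which is never stored in full. The resource name is taken from the XACML request; the key, the shares and the OTP value are constructed.

```python
import hmac
import secrets
from typing import Optional

# Added example, not the project's code: steps 2-4 of the deck's protocol.
# OTP values are opaque byte strings registered with both servers out of band;
# POLICY is a simplified stand-in for the XACML policy on the earlier slides
# (resource and action from the XACML request, group "users" permitted).
# The key, the shares and the OTP value are constructed for the demo.

RESOURCE = "911DataSource_OnAmazons3"
POLICY = {(RESOURCE, "read"): {"users"}}   # (resource, action) -> permitted groups


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes):
    """Return (k1, k2) with k1 XOR k2 == key. k1 is uniformly random, so either
    share on its own is independent of key; after splitting, key is discarded."""
    k1 = secrets.token_bytes(len(key))
    return k1, xor_bytes(key, k1)


class TrustedServer:
    """Holds one share and the expected OTP value; evaluates the policy (step 3)."""

    def __init__(self, share: bytes, otp_value: bytes):
        self.share, self.expected_otp, self.used = share, otp_value, set()

    def request_key(self, otp_value: bytes, group: str,
                    resource: str, action: str) -> Optional[bytes]:
        if otp_value in self.used or not hmac.compare_digest(otp_value, self.expected_otp):
            return None                                   # wrong or replayed OTP
        if group not in POLICY.get((resource, action), set()):
            return None                                   # policy denies
        self.used.add(otp_value)                          # one-time: never honour it again
        return self.share


def fetch_key(servers, otp_value: bytes, group: str,
              resource: str, action: str) -> Optional[bytes]:
    """Steps 2a/2b and 3a/3b, then step 4: both shares are required to rebuild k."""
    shares = [s.request_key(otp_value, group, resource, action) for s in servers]
    if any(share is None for share in shares):
        return None
    return xor_bytes(shares[0], shares[1])
```

Compromising one server yields a share that is statistically independent of k, which is the property the slide relies on; the AES decryption of the data source with the recovered k is not shown.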

Page 35: SECURED INFORMATION INTEGRATION WITH A SEMANTIC-WEB BASED FRAMEWORK


Upload - statistics

[Chart: Upload Stats, time (seconds, 0 to 45) against file size (MB, 1 to 30), two series: Without Encryption and With Encryption]

Page 36: SECURED INFORMATION INTEGRATION WITH A SEMANTIC-WEB BASED FRAMEWORK


Download - statistics

[Chart: Download Stats, time (seconds, 0 to 45) against file size (MB, 1 to 30), two series: Without Encryption and With Encryption]

Page 37: SECURED INFORMATION INTEGRATION WITH A SEMANTIC-WEB BASED FRAMEWORK


Comments !!

Questions !!

Suggestions !!

Page 38: SECURED INFORMATION INTEGRATION WITH A SEMANTIC-WEB BASED FRAMEWORK


Thank you !!