A Simple Web Service Secure Communication Model and Research on Its Application
Abstract
Web service technology has developed rapidly with the widespread use of the Internet. Building on existing system frameworks and implementation technologies, it addresses the integration of application systems across different platforms, protocols and development languages. To address the security of Web service communication, a simple Web service secure communication model is proposed.
The client embeds an authentication element and an anti-replay element in each SOAP message it sends, and applies XML Encryption and XML Digital Signature processing to the message. After authenticating, decrypting and integrity-checking the client's message, the server compares it against the anti-replay records it maintains, determines whether the message comes from a replay attack, and handles it accordingly.
The model relies on the relatively mature XML security technologies for authentication, encryption and digital signatures. For replay attacks, a new defence is proposed: an anti-replay element embedded in the SOAP message the client sends, with three child elements: GUID, ID and maxID. GUID is a Globally Unique Identifier; its global uniqueness guarantees that no two SOAP messages share an identifier. ID identifies one particular SOAP message, so the combination of GUID and ID uniquely identifies a SOAP message. maxID is the largest ID value that may be used with the current GUID.
The server records the anti-replay element data of every SOAP message it receives. For each GUID that arrives, it creates and maintains an array whose size is the corresponding maxID value, and records the status of each ID in that array. From these arrays the server decides whether a newly arrived SOAP message is a replay.
The model meets the basic requirements of secure communication and resists replay attacks efficiently, and it performs well in Web service applications with high security requirements. For replay resistance it is easier to implement than the traditional timestamp approach, and compared with traditional challenge-response it greatly reduces the amount of network traffic required, giving higher efficiency. It is a simple and efficient Web service secure communication model.
Web service technology has progressed rapidly with the widespread use of the Internet. It inherits existing system frameworks and implementation technologies and provides an application system integration technology across different platforms, protocols and programming languages. To solve the security issues of Web service communication, a simple Web service secure communication model is presented.
The client inserts an authentication element and an anti-replay element into the SOAP messages it sends, and secures them with XML Encryption and XML Digital Signature technology. On receiving a SOAP message, the server performs authentication, decryption and signature verification; based on the anti-replay element in the message, the server decides whether the message comes from a replay attack and handles the message according to the result.
Authentication, encryption and digital signatures are handled with mature XML security technologies. A new way of resisting replay attacks is presented. The client inserts an anti-replay element into the SOAP messages it sends; the element has three child elements, namely GUID, ID and maxID. The value of GUID is globally unique, and the combination of GUID and ID ensures that the identification of each SOAP message is unique. maxID is the maximum value of ID that applies to the current GUID.
The server records the anti-replay element data of the SOAP messages it receives, and creates and maintains an array for every GUID it gets from the client. The capacity of the array is the corresponding maxID value, and the status of the corresponding ID values is recorded in the array. The server judges whether an incoming SOAP message comes from a replay attack based on the values in these arrays.
The Web service secure communication model satisfies the basic requirements of secure communication and performs replay attack resistance efficiently. The model can be applied in Web service applications that require stronger security guarantees. As for replay attacks, the model is easier to implement than the traditional timestamp method, and it greatly reduces the data exchanged compared with traditional challenge-response techniques, thus achieving higher efficiency. It is a Web service secure communication model that is both simple and efficient.
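The GUID/ID/maxID scheme described in both abstracts above, as an added Python example that is not the thesis's own code: a client that numbers its SOAP messages under one GUID and moves to a fresh GUID once maxID is used up, and a server-side guard that keeps one status array per GUID and rejects replays, out-of-range IDs and a changed maxID. The header namespace, the ID range 1..maxID and the array indexing are assumptions, and the guard is meant to run only after the signature covering the header has been verified, in the order the abstract gives.

```python
import uuid
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
NS = "urn:example:anti-replay"  # assumed namespace; the thesis does not name one


class ClientSession:
    """Client side: IDs 1..maxID under one GUID; a fresh GUID once they are used up."""
    def __init__(self, max_id):
        self.max_id = max_id
        self.guid = str(uuid.uuid4())
        self.next_id = 1

    def build_soap(self, body_text):
        """Return a SOAP envelope whose header carries the GUID, ID and maxID elements."""
        if self.next_id > self.max_id:  # exhausted: rotate GUID, restart numbering
            self.guid, self.next_id = str(uuid.uuid4()), 1
        env = ET.Element(f"{{{SOAP}}}Envelope")
        anti = ET.SubElement(ET.SubElement(env, f"{{{SOAP}}}Header"), f"{{{NS}}}AntiReplay")
        for tag, val in (("GUID", self.guid), ("ID", self.next_id), ("maxID", self.max_id)):
            ET.SubElement(anti, f"{{{NS}}}{tag}").text = str(val)
        ET.SubElement(ET.SubElement(env, f"{{{SOAP}}}Body"), "Data").text = body_text
        self.next_id += 1
        return ET.tostring(env, encoding="unicode")


class ReplayGuard:
    """Server side: one status array per GUID, sized by that GUID's maxID."""
    def __init__(self):
        self._seen = {}  # guid -> list of bools, index id-1 (assumed layout)

    def accept(self, soap_xml):
        """True if the message is fresh; False for a replay or a malformed header."""
        try:
            anti = ET.fromstring(soap_xml).find(f".//{{{NS}}}AntiReplay")
            guid = anti.findtext(f"{{{NS}}}GUID")
            msg_id = int(anti.findtext(f"{{{NS}}}ID"))
            max_id = int(anti.findtext(f"{{{NS}}}maxID"))
        except (ET.ParseError, AttributeError, TypeError, ValueError):
            return False  # unparsable XML, missing header, or non-numeric fields
        if not guid or max_id <= 0 or not 1 <= msg_id <= max_id:
            return False
        arr = self._seen.setdefault(guid, [False] * max_id)
        if len(arr) != max_id or arr[msg_id - 1]:
            return False  # maxID changed for a known GUID, or this ID already used
        arr[msg_id - 1] = True
        return True
```

Because the guard only ever marks an ID as used, a message whose signature check fails must be dropped before it reaches the guard; otherwise a forged header could burn IDs the legitimate client has not sent yet.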
References
