G. Radhamani & G. S. V. Radha Krishna Rao
 |
| Web Services Security & E-Business |
Foreword
There has been a dramatic impact on our society due to multifold increases in the use of
personal computers. Computer networking plays a crucial role in building a wireless
information society. Internet services and their applications have provided us with
tools to obtain any kind of information in a flash of time, and the real world has been
converted into a virtual world due to the proliferation of computers. Web sites are now
a key asset to organizations of all sizes, providing information and services to clients,
suppliers, and employees. Unfortunately, these developments have also opened new
security threats to the enterprise networks, and opened the door to an increasing
number of threats to individual and business computers. There is a growing trend of
hackers attacking networks via home and remote users. These attacks can be range
from partial loss of data to making the system nonusable, and privacy can be completely
violated. Unauthorized users can use their computer to attack other computers
by gaining access through the Internet. In the year 2005, new threats increased by
almost 50%, as cybercriminals joined forces to create targeted malware attacks for
financial gain.
Being security aware means that computer system users understand the potential
threats: that it is possible for some people to deliberately or accidentally steal, damage,
or misuse the data that is stored within their computer systems and throughout their
organization. Therefore, it would be prudent to support the assets of their institution
(information, physical, and personal) by trying to stop that from happening. By following
the recommended security practices, the user has knowledge of the potential hole
in the system, and the capabilities to block the hole in their defenses. There has never
been a greater need for early, integrated, threat-management solutions because organized
criminals are now working more closely together than ever before to infect computers.
Bringing together the understanding of security problems related to the protocols and
applications of the Internet, and their contemporary solutions to these problems in this
book, Web Services Security and E-Business, is both timely and purposeful. Cryptography
has been introduced to understand the security protocols. The focus of the book
is on architectures and protocols. Authors have provided an insight into uncovering
the security risks of dynamically created content, and looks at how proper content
management can greatly improve the overall security. They have also looked at the
security life cycle and how to respond to an attack, as well as the problems of site
hijacking and phishing.
Professor S. S. Jamuar
Acknowledgments
We would like to thank all contributors/authors who worked very hard to complete theirchapters in time. Without each of their contributions, this book would have never been
accomplished.
Our grateful thanks to the external reviewers for their valuable comments and constructive
criticism, which developed and improved the overall content of this book.
We would like to thank Professor Datuk, Dr. Ghauth Jasmon, president of Multimedia
University, and Dr. Ewe Hong Tat, dean of Faculty of Information Technology for kind
assistance and support.
Special thanks to Dr. Mehdi Khosrow-Pour, senior academic editor, and Kristin Roth,
development editor, of Idea Group Inc., for production of this book. Their efficiency
and amiable manner made working together a pleasure.
We are grateful to all others who have indirectly helped us in bringing out this book to
be successful.
Dr. G. Radhamani
Dr. G. S. V. Radha Krishna Rao
Preface
The proliferation of Internet services and applications is bringing systems and Web
services security issues to the fore. There is a consensus that a key, contributing factor
leading to cyberthreats is the lack of integrated and cohesive strategies that extend
beyond the network level, to protect the applications and devices at system level as
well. Many techniques, algorithms, protocols, and tools have been developed in the
different aspects of cybersecurity, namely, authentication, access control, availability,
integrity, privacy, confidentiality, and nonrepudiation as they apply to both networks
and systems.
The IT industry has been talking about Web services for many years. The benefits of
having a loosely coupled, language-neutral, platform-independent way of linking applications
within organizations, across enterprises, and across the Internet, are becoming
more evident as Web services are used in pilot programs and in wide-scale production.
Moving forward, customers, industry analysts, and the press identify a key area
that needs to be addressed as Web services become more mainstream: security.
The purpose of this book is to bring together the technologies and researchers who
share interest in the area of e-business and Web services security. The main aim is to
promote research and relevant activities in security-related subjects. It also aims at
increasing the synergy between academic and industry professionals working in this
area. This book can also be used as the textbook for graduate courses in the area of
Web services security. This book is comprised of 20 chapters that cover various aspects
of Web services security and e-business. The scope of the chapters is summarized hereunder.
The first chapter gives a practical overview of the brief implementation details of the
IEEE802.11 wireless LAN and the security vulnerabilities involved in such networks.
Specifically, it discusses the implementation of EAP authentication using RADIUS
server with WEP encryption options. The chapter also touches on the ageing WEP and
the cracking process, along with the current TKIP and CCMP mechanisms. War driving
and other security attacks on wireless networks are also briefly covered. The chapter
concludes with practical security recommendations that can keep intruders at bay. The
authors hope that any reader would thus be well informed on the security vulnerabilities
and the precautions that are associated with 802.11 wireless networks.
The increasingly important role of security for wireless Web services environments has
opened an array of challenging problems centered on new methods and tools to improve
existing data encryption and authentication techniques. Real-time recurrent neural
networks offer an attractive approach to tackling such problems because of the high
encryption capability provided by the structural hidden layers of such networks. In the
second chapter, a novel neural network-based symmetric cipher is proposed. This cipher
releases the constraint on the length of the secret key to provide the data integrity
and authentication services that can be used for securing wireless Web services communication.
The proposed symmetric cipher design is robust in resisting different
cryptanalysis attacks. Simulation results are presented to validate its effectiveness.
In the third chapter, the business implications, as well as security and privacy issues of
the widespread deployment of radio frequency identification (RFID) systems, were
discussed. At first, the components that make up an RFID system to facilitate better
understanding of the implications of each were discussed, and then the commercial
applications of the RFID were reviewed. Further, the security and privacy issues for
RFID systems, and what mechanisms have been proposed to safeguard these, were
discussed. The topics discussed in this chapter highlight the benefits of using RFIDs
for user convenience in ubiquitous and pervasive commercial services and e-businesses,
while maintaining the integrity of such systems against malicious attacks on
the users’ security and privacy. This is vital for a business establishment to coexist
with peers, and remain competitively attractive to customers.
Over the years, computer systems have evolved from centralized monolithic computing
devices supporting static applications, into client-server environments that allow complex
forms of distributed computing. Throughout this evolution, limited forms of code
mobility have existed. The explosion in the use of the World Wide Web, coupled with
the rapid evolution of the platform-independent programming languages, has promoted
the use of mobile code and, at the same time, raised some important security issues. The
fourth chapter introduces mobile code technology, and discusses the related security issues.
Multicast communication demands scalable security solutions for group communication
infrastructure. Secure multicast is one such solution that achieves the efficiency of
multicast data delivery. Key generation plays an important role in enforcing secure and
efficient key distribution. The fifth chapter addresses the issues focused on the area of
key generation on key management cryptographic algorithms that support security
requirements in multicast group communications. These issues are of importance to
application developers wishing to implement security services for their multicast applications.
The three main classes: centralized, decentralized, and distributed architec tures, are investigated and analyzed here, and insight is given to their features and
goals. The area of group key generation is then surveyed, and proposed solutions are
classified according to the efficiency of the cryptographic algorithms and multicast
security requirements. The open problems in this area are also outlined.
Agent technologies have grown rapidly in recent years as Internet usage has increased
tremendously. Despite its numerous practical benefits and promises to provide an efficient
way of mitigating complex distributed problems, mobile agent technology is still
lacking effective security measures, which severely restricts their scope of applicability.
The sixth chapter analyzes and synthesizes the different security threats and attacks
that can possibly be imposed to the mobile agent systems. The security solutions
to resolve the problems and the research challenges in this field are presented.
The seventh chapter introduces the intrusion detection system (IDS). It started with a
brief explanation of history of IDS, proceeded with generic components of IDS. Besides
highlighting current advances in IDS, the chapter describes recent challenges to the
system. The authors hope that this chapter will shed a light for readers who are unfamiliar
with this domain.
ZKP-based authentication protocols provide a smart way to prove an identity of a node
without giving away any information about the secret of that identity. There are many
advantages, as well as disadvantages, to using this protocol over other authentication
schemes, as well as challenges to overcome in order to make it practical for general use.
The eighth chapter examines the viability of ZKPs for use in authentication protocols in
networks. It is concluded that nodes in a network can achieve a desired level of security
by trading off key size, interactivity, and other parameters of the authentication
protocol. This chapter also provides data analysis, which can be useful in determining
expected authentication times based on device capabilities. Pseudocode is provided
for implementing a graph-based ZKP on small or limited processing devices.
Web services enable the communication of application to application in a heterogeneous
network and computing environment. The powerful functionality of Web services
has given benefits to enterprise companies, such as rapid integrating between
heterogeneous e-business systems, easy implementation of e-business systems, and
reusability of e-business services. While providing the flexibility for e-business, Web
services tend to be vulnerable to a number of attacks. Core components of Web services
such as simple object access protocol (SOAP), Web services description language
(WSDL), and universal description, discovery, and integration (UDDI) can be
exploited by malicious attacks due to lack of proper security protections. These attacks
will increase the risk of an e-business that employs Web services. The ninth chapter
aims to provide a state-of-the-art view of Web services attacks and countermeasures.
This chapter also examines various vulnerabilities in Web services, followed by the
analysis of respective attacking methods. Further, this chapter also discusses preventive
countermeasures against such attacks to protect Web services deployments in ebusiness,
and finally address future trends in this research area.
The 10th chapter presents a new simple scheme for verifiable encryption of elliptic curve
digital signature algorithm (ECDSA). The protocol presented is an adjudicated protocol,
that is, the trusted third party (TTP) takes part in the protocol only when there is a
dispute. This scheme can be used to build efficient fair exchanges and certified e-mail
protocols. In this chapter, the authors also present the implementation issues. The chapter presents a new algorithm for multiplying two 2n bits palindromic polynomials
modulo xp − 1 for prime p = 2n + 1 for the concept defined in Blake and Roth (1998) and
it is compared with the Sunar-Koc parallel multiplier given in Sunar and Koc (2001).
Finally, the chapter concludes that the proposed multiplication algorithm requires (2n2−n+1) XOR gates, which is approximately 34% extra, as compared to 1.5(n2−n) XOR gates
required by the Sunar-Koc parallel multiplier, and 50% less than the speculated result
4n2 XOR gates given by Sunar and Koc (2001). Moreover, the proposed multiplication
algorithm requires (2n2 − n) AND gates, as compared to n2 AND gates which is doubled
that of the Sunar-Koc method
Firstly, the fact that business intelligence (BI) applications are growing in importance,
and secondly, the growing and more-sophisticated attacks launched by hackers, the
concern of how to protect the knowledge capital or databases that come along with BI
or, in another words, BI security, has thus arisen. In the eleventh chapter, the BI environment,
with its security features, is explored, followed by a discussion on intrusion
detection (ID) and intrusion prevention (IP) techniques. It is understood, through a
Web-service case study, that it is feasible to have ID and IP as counter measures to the
security threats; thus, further enhancing the security of the BI environment or architecture.
In the 12th chapter, the concept of “trust transfer” using chain signatures will be presented.
Informally, transferring trust involves creating a trust (or liability) relationship
between two entities, such that both parties are liable in the event of a dispute. If such
a relationship involves more than two users, we say they are connected in a chained
trust relationship. The members of a chained trust relationship are simultaneously bound
to an agreement with the property that additional members can be added to the chain,
but once added, members cannot be removed thereafter. This allows members to be
incrementally and noninteractively added to the chain. We coin the term “chained
signatures” to denote signatures created in this incremental way. An important application
of chained signatures is in e-commerce transactions involving many users. We
present a practical construction of such a scheme that is secure under the Diffie-Hellman
assumption in bilinear groups.
The recent increase in the malicious usage of the network has made it necessary that an
IDS should encapsulate the entire network rather than at a system. This was the inspiration
for the birth of a distributed intrusion detection system (DIDS). Different configurations
of DIDSs have been actively used, and are also rapidly evolving due to the
changes in the types of threats. The thirteenth chapter gives an overview and the
structure of DIDS. The various agents that are involved in DIDS, and the benefits are
given in brief. In the end, directions for future research work are discussed.
In the 14th chapter, we discuss how security protocols can be attacked by exploiting the
underlying block cipher modes of operation. This chapter presents a comprehensive
treatment of the properties and weaknesses of standard modes of operation. Further,
this chapter shows why all modes of operation should not be used with public-key
ciphers in public-key security protocols. This includes the cipher block chaining (CBC)
mode, when there is no integrity protection of the initialisation vector (IV). In particular,
it was shown that it is possible in such instances to replace a block at the beginning,
middle, or end of a CBC-encrypted message. This chapter demonstrates that the security
of single-block encryptions can be reduced to the security of the electronic codebook
(ECB) mode, and show that in the absence of integrity, one could exploit this to aid in
known- and chosen-IV attacks. Finally, this chapter also presents chosen-IV slide attacks
on counter (CTR) and output feedback (OFB) modes of operation. Results show
that protocol implementers should carefully select modes of operation, be aware of the
pitfalls in each of these modes, and incorporate countermeasures in their protocols to
overcome them. It is also important to realize that modes of operation only provide
confidentiality, and that when used in the context of security protocols, these modes
should be combined with authentication and integrity protection techniques.
The 15th chapter addresses the need of cryptographic algorithm to prepare unbreakable
cipher. Though the performance of symmetric key algorithms is far better than asymmetric
key algorithms, it still suffers with key distribution problem. It is highly evident
that there is always a demand for an algorithm to transfer the secret key in a secure
manner between the participants. This chapter argues that by providing the randomness
to the secret key, it would be increasingly difficult to hack the secret key. This
chapter proposes an algorithm effectively utilizes the random nature of stock prices, in
conjunction with plain text, to generate random cipher. This algorithm can be used to
exchange the secret key in a secure manner between the participants.
In the 16th chapter, a watermarking scheme that utilizes error correction codes for added
robustness is proposed. A literature survey covering various aspects of the
watermarking scheme, such as the arithmetic redundant residue number system and
concepts related to digital watermarking, is given. The requirements of a robust
watermarking scheme are also described. In addition, descriptions and experimental
results of the proposed watermarking scheme are provided to demonstrate the functionality
of the scheme. The authors hope that with the completion of this chapter, the
reader will have a better understanding of ideas related to digital watermarking, as well
as the arithmetic redundant number system.
A security framework for secure message delivery and off-line message viewing of the
electronic bills is presented in the seventeenth chapter. This framework is implementable
towards smart applications such as electronic bill presentment and payment systems.
Chapter XVIII, introduces the concept of access control and its objectives in fulfilling
security requirements for the computing world. The main arrears in access control,
namely DAC, MAC, and RBAC, will be covered; thus, giving enough background
knowledge to the reader on existing policies and framework. Hence, the reader will be
able to comprehend the concept of task delegation with regard to access control policies,
and how delegated tasks or roles can affect existing risk levels in an organization.
Measuring risk has a two-fold benefit: one is that it enables security officials to be
prepared with more accurate security measures with higher granularity and secondly,
this will certainly be useful for security plans for mitigating potential risks.
Internet protocol version 6 (IPv6) is the next generation Internet protocol proposed by
the Internet Engineering Task Force (IETF) to supplant the current Internet protocol
version 4 (IPv4). Lack of security below the application layer in IPv4 is one of the
reasons why there is a need for a new IP. IPv6 has built-in support for the Internet
protocol security protocol (IPSec). The nineteenth chapter reports work done to evaluate
implications of compulsory use of IPSec on dual stack IPv4/IPv6 environment.
Finally, in the last chapter provides a conceptual modeling approach for Web services
(WS) security risk assessment, which is based on the identification and analysis of stakeholder intentions. There are no similar approaches for modeling Web services
security risk assessment in the existing pieces of literature. The approach is, thus,
novel in this domain. The approach is helpful for performing means-end analysis; thereby,
uncovering the structural origin of security risks in Web services, and how the root
causes of such risks can be controlled from the early stages of the projects. The approach
addresses “why” the process is the way it is, by exploring the strategic dependencies
between the actors of a security system, and analyzing the motivations, intents,
and rationales behind the different entities and activities in constituting the system.
This book aims to help toward technical strategy and a roadmap whereby the industry/
academia can produce and implement a standards-based architecture that is comprehensive,
yet flexible enough to meet the Web services security needs of real businesses
References
Blake & Roth. (1998)
Sunar & Koc. (2001)
Table of Contents
Foreword .......... viii
S. S. Jamuar Universiti Putra Malaysia, Malaysia
Preface ........ x
Chapter I
Wireless LAN Setup and Security Loopholes ......1
Biju Issac, Swinburne University of Technology, Malaysia
Lawan A. Mohammed, Swinburne University of Technology, Malaysia
Chapter II
Wireless Web Security Using a Neural Network-Based Cipher .... 32
Isaac Woungang, Ryerson University, Canada
Alireza Sadeghian, Ryerson University, Canada
Shuwei Wu, Ryerson University, Canada
Sudip Misra, Cornell University, USA
Maryam Arvandi, Ryerson University, Canada
Chapter III
RFID Systems: Applications vs. Security and Privacy Implications ....... 57
Dennis M. L. Wong, Swinburne University of Technology, Malaysia
Raphael C.-W. Phan, Swinburne University of Technology, Malaysia
Chapter IV
Mobile Code and Security Issues .......... 75
E. S. S. Samundeeswari, Vellalar College for Women, India
F. Mary Magdalene Jane, P. S. G. R. Krishnammal, India
Chapter V
A Survey of Key Generation for Secure Multicast Communication Protocols .. 93
Win Aye, Multimedia University, Malaysia
Mohammad Umar Siddiqi, International Islamic University Malaysia, Malaysia
Chapter VI
Security in Mobile Agent Systems .........112
Chua Fang Fang, Multimedia University, Malaysia
G. Radhamani, Multimedia University, Malaysia
Chapter VII
Intrusion Detection System: A Brief Study .......... 129
Robin Salim, Multimedia University, Malaysia
G. S. V. Radha Krishna Rao, Multimedia University, Malaysia
Chapter VIII
Node Authentication in Networks Using Zero-Knowledge Proofs ...... 142
Richard S. Norville, Wichita University, USA
Kamesh Namuduri, Wichita University, USA
Ravi Pendse, Wichita University, USA
Chapter IX
Web Services Security in E-Business: Attacks and Countermeasures ...... 165
Wei-Chuen Yau, Multimedia University, Malaysia
G. S. V. Radha Krishna Rao, Multimedia University, Malaysia
Chapter X
Verifiable Encryption of Digital Signatures Using Elliptic Curve Digital
Signature Algorithm and its Implementation Issues ..... 184
R. Anitha, PSG College of Technology, India
R. S. Sankarasubramanian, PSG College of Technology, India
Chapter XI
An Introductory Study On Business Intelligence Security ..... 204
Chan Gaik Yee, Multimedia University, Malaysia
G. S. V. Radha Krishna Rao, Multimedia University, Malaysia
Chapter XII
Secure Trust Transfer Using Chain Signatures ....... 218
Amitabh Saxena, La Trobe University, Australia
Ben Soh, La Trobe University, Australia
Chapter XIII
Distributed Intrusion Detection Systems: An Overview....... 231
Rosalind Deena Kumari, Multimedia University, Malaysia
G. Radhamani, Multimedia University, Malaysia
Chapter XIV
Subtle Interactions: Security Protocols and Cipher Modes of Operation ..... 239
Raphael C.-W. Phan, Swinburne University of Technology, Malaysia
Bok-Min Goi, Multimedia University, Malaysia
Chapter XV
Generic Algorithm for Preparing Unbreakable Cipher: A Short Study ..... 262
R. A. Balachandar, Anna University, India
M. Balakumar, Anna University, India
S. Anil Kumar, Anna University, India
Chapter XVI
A Robust Watermarking Scheme Using Codes Based on the Redundant Residue
Number System ........ 271
Vik Tor Goh, Multimedia University, Malaysia
Mohammad Umar Siddiqi, International Islamic University Malaysia, Malaysia
Chapter XVII
A Framework for Electronic Bill Presentment and Off-Line Message Viewing ..... 306
Ezmir Mohd Razali, Multimedia Univerisity, Malaysia
Ismail Ahmad, Multimedia Univerisity, Malaysia
G. S. V. Radha Krishna Rao, Multimedia Univerisity, Malaysia
Kenneth Foo Chuan Khit, NetInfinium Sdn. Bhd., Malaysia
Chapter XVIII
Propagation and Delegation of Rights in Access Controls and Risk Assessment
Techniques .... 328
Saravanan Muthaiyah, George Mason University, USA and
Multimedia University, Malayasia
Chapter XIX
IPSec Overhead in Dual Stack IPv4/IPv6 Transition Mechanisms:
An Analytical Study ........ 338
M. Mujinga, University of Fort Hare, South Africa
Hippolyte Muyingi, University of Fort Hare, South Africa
Alfredo Terzoli, Rhodes University, South Africa
G. S. V. Radha Krishna Rao, University of Fort Hare, South Africa
Chapter XX
An Approach for Intentional Modeling of Web Services Security Risk
Assessment ........ 363
Subhas C. Misra, Carleton University, Canada
Vinod Kumar, Carleton University, Canada
Uma Kumar, Carleton University, Canada
About the Authors .... 380
Index ........ 390
Screenshot
Purchase Now !
Just with Paypal
Just with Paypal
Product details
Price
|
|
|---|---|
Pages
| 410 p |
File Size
|
5,123 KB |
File Type
|
PDF format |
ISBN
| 1-59904-170-7 (ebook) 1-59904-169-3 (softcover) 1-59904-168-5 |
Copyright
| 2007 by Idea Group Inc |
●▬▬▬▬▬❂❂❂▬▬▬▬▬●
●▬▬❂❂▬▬●
●▬❂▬●
●❂●
═════● ●═════
