2016 World Congress on Computing and Communication Technologies (WCCCT)
A Secure Architecture for Mobile Web Service (SAMWS)
J Ronald Martin, K. Michael Raj, S. Albert Rabara, Department of Computer Science, St. Joseph's College, Tiruchirappalli

Abstract— The Web environment is a distributed, dynamic, and large information repository which has now evolved to encompass various information resources accessible worldwide. Organizations across all spectra have already moved their main operations to the Web, which has led to fast growth in Web applications. This has dramatically increased the need to build a fundamental infrastructure for efficient deployment and access of Web applications. As Web applications have evolved, the complexity involved in designing, developing, managing and maintaining them has also increased remarkably. This scenario led, towards the end of the last decade, to the emergence of a new discipline known as Web Engineering. The essence of Web engineering consists in successfully managing the diversity and complexity of Web application development, where web services have become more flexible and device-independent, supporting mobile devices that access web services at any time and place. In this context, mobile web access is currently being hyped as the alternative for both mobile devices and web services. Moreover, as mobile web services become easily reachable, the complexity of realizing security increases further. Hence it is necessary to build security mechanisms for hosting and accessing web services through mobile devices.

Keywords—intelligent; security; device authentication

I. INTRODUCTION
The revolution in wireless communications has achieved astonishing levels in increasing transmission rates and improving spectral efficiency. The 4G network introduces a flexible and programmable platform to provide users access to future services and applications from a single terminal. Cellular networks are able to accommodate more users and offer a wide range of customized services with various quality of service (QoS) levels. New services are increasingly offered to mobile users, capitalizing on the ever-expanding mobile customer base. According to the latest Mobile FactBook released by Portio Research [1], the global mobile customer base exceeded 6.5 billion subscribers at the beginning of 2013, which represents 87% of the current world population. Additionally, 1.5 billion of those subscribers have broadband access to Internet services. Mobile users are always demanding a better user experience and service personalization that can fit their dynamic context changes and accommodate their preferences. The demand for such smart services that can fully utilize the user's barriers between network technologies is on the rise. With the advancements in mobile devices' capabilities on the one hand and the revolutionary achievements in wireless communications on the other hand, the global interest in mobile applications is steadily increasing. Hence researchers and industry are stimulated to pave the road for mobile Web services.

The Cisco VNI Mobile 2015 Report [2] states that each year several new devices in different form factors, with increased capabilities and intelligence, are introduced in the market. Global mobile devices and connections grew from 6.9 billion to 7.4 billion in 2013. In the year 2014 alone, half a billion (497 million) mobile devices and connections were added. It is estimated that mobile devices and connections will grow globally to 11.5 billion by 2019 at a Compound Annual Growth Rate (CAGR) of 9 percent, which is depicted in Figure 1.1. According to the report, by 2019 there will be 8.2 billion hand-held or personal mobile-ready devices, and 3.2 billion Machine-to-Machine (M2M) connections will be required for mobile users. North America and Western Europe are going to have the fastest growth in mobile devices and connections, with 22 percent and 14 percent CAGR from 2014 to 2019, respectively. According to the eMarketer report [3], the number of smartphone users worldwide will surpass two billion in 2015. It is predicted that in the year 2015 there will be over 1.91 billion smartphone users across the globe, which will further increase to 2.16 billion in 2016. More than one-quarter of the global population will use smartphones in 2015 for the first time, and over one-third of consumers worldwide, or more than 2.56 billion people, will use smartphones by 2019. Figure 1.2 also represents smartphone users and penetration worldwide from 2013 to 2019.

978-1-5090-5573-9/17 $31.00 © 2017 978-1-5090-5573-9/16 2016 IEEE DOI 10.1109/WCCCT.2016.58

In this context, the advances of mobile technology and the popularity of mobile devices play a major role in accessing web services through mobile devices. Mobile web services allow users to access information and services anytime, anyplace and on any device, and mobile web access is currently being hyped as the alternative for both mobile devices and web services. Hence, researchers have put effort into resolving the issues of mobile web services in recent years.

II. REVIEW OF LITERATURE
Younky et al. [4] have proposed a security architecture for mobile web services. The objective of this architecture is to enhance mobile web service security with authentication, audit and certification functionalities. This architecture has four layers, namely the business area layer, service area, operation area and support area. The business area contains the user system, external system and presentation service. The service area layer offers secure mobile web services and contains the Flow Façade Component (FFC), Security Façade Component (SFC) and Core Façade Component (CFC). FFC controls the flow between mobile web services; SFC achieves the security functions of authentication, authorization, encryption, etc.; CFC uses the Simple Object Access Protocol (SOAP) and Mobile Service Description Language (MSDL) to ensure that the requested mobile web service is available and displays the result of certification on the user certification screen so that the mobile web service can be used. The operation layer adopts the Component Based Development (CBD) methodology to build policy and reuse the business solutions in order to offer secure mobile web services to the requestor through the support area layer. This architecture is used as a template to implement mobile web service security. The authors' future work is strengthening the security mechanism for mobile web services.
Song et al. [7] have proposed a security architecture for mobile web services to realize the security requirements for secure service delivery. This architecture adopts a security protocol for web service delivery which is composed of four components, namely system setup, two-way authentication and session key establishment, session key confirmation, and transaction encryption and service delivery. The three participants involved in the proposed architecture are the service requestor, the broker and the service provider. The service requestor requests service delivery. The broker finds the required service from the available service providers, and the service provider supplies the resource required by the broker on behalf of the service requestor. Service requestor, broker and provider are assigned public monoids Sa, Sb, Sc and register themselves with the system initiator. The system initiator generates pseudo IDs and certificates for the involved participants, and only one shared key is established for all the participants. The participants can use this shared key for symmetric encryption after two-way authentication to ensure secure service delivery. The authors claim that symmetric encryption is more efficient than asymmetric encryption with regard to computation cost and overhead. The security strength of the proposed work is not analyzed.
Narges et al. [5] have proposed a security framework for mobile web services to protect web services against security threats. The web service threats considered are WSDL attacks, which include WSDL scanning, parameter tampering, oversize payloads and recursive payload attacks. To secure WSDL files and protect them against WSDL attacks, the authors have employed asymmetric encryption. In the proposed framework, the service provider requests a public and private key pair from the Trust Web Service (TWS) using SOAP messages. The TWS generates a key pair for the requestor using a suitable arithmetic algorithm. Then TWS sends a request to the XML Key Management Specification (XKMS) service in XML format through SOAP to store the public key of the web service. The Public Key Infrastructure (PKI) delivers the response of the public key storage to XKMS, and XKMS delivers the response of the PKI to TWS. TWS publishes the provider's web service specification in the UDDI registry. The WSDL file is encrypted by the WS-provider and can be decrypted only by the owner who holds the private key. So even if someone accesses the WSDL through UDDI, the encrypted WSDL will be useless unless the consumer is proved to be an authenticated user. This model ensures the authenticity of the users but does not address security issues such as message confidentiality and non-repudiation.
Haiping et al. [8] have proposed a formal XML firewall security model for secure web service access. The major components of this model are the application model and the XML firewall model. The proposed model uses Role Based Access Control (RBAC) mechanisms to support user authentication and role-based user authorization according to the policy rules stored in a policy database that can be updated dynamically. The model is designed compositionally using colored retainers, which serve as a high-level design for the XML firewall implementation. In this model a service provider can deploy a group of web services on a web server protected by the XML firewall, where the web services are invoked securely and interact with different applications concurrently and dynamically using the RBAC mechanism. The user interacts with the application through the user interface. The application logic then processes the requests from the user and initiates service calls that may in turn invoke either a single web service or a cluster of web services. The request from the application is verified by the XML firewall for authentication and authorization based on the state information available in the state database. When the request is affirmed to be valid, the firewall passes it to the corresponding web service; otherwise, the request is rejected. The administrator of the XML firewall has the privilege of changing the policies available in the policy database through the administration module. This model does not address other security issues like non-repudiation and data integrity.
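The verify-then-forward decision of an XML firewall described above (authenticate against a state database, authorize against a dynamically editable RBAC policy database, forward or reject), as an added example written for this review; it is not code from Xu et al. [8] or from SAMWS. The envelope element names, the account and policy records, and the sample request are all constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/xml"
	"fmt"
)

// Envelope is the service call as the XML firewall sees it: a SOAP-style
// message whose header carries the caller's credentials and whose body names
// the target web service and operation. The element names are assumptions of
// this example, not a format defined by the reviewed paper.
type Envelope struct {
	XMLName xml.Name `xml:"Envelope"`
	Header  struct {
		User     string `xml:"Credentials>User"`
		Password string `xml:"Credentials>Password"`
	} `xml:"Header"`
	Body struct {
		Service   string `xml:"Operation>Service"`
		Operation string `xml:"Operation>Name"`
	} `xml:"Body"`
}

// account is one record of the state database: a salted SHA-256 password hash
// and the roles assigned to the user under RBAC.
type account struct {
	Salt  []byte
	Hash  [32]byte
	Roles []string
}

// Firewall holds the state DB (accounts) and the policy DB (role -> permitted
// "service/operation"). The administrator edits the policy through Permit and
// Revoke while the firewall keeps running.
type Firewall struct {
	accounts map[string]account
	policy   map[string]map[string]bool
}

func NewFirewall() *Firewall {
	return &Firewall{accounts: map[string]account{}, policy: map[string]map[string]bool{}}
}

func hashPassword(salt []byte, password string) [32]byte {
	return sha256.Sum256(append(append([]byte{}, salt...), password...))
}

// AddUser stores a user; the salt is passed in so the example is deterministic
// (a deployment would draw it from crypto/rand).
func (f *Firewall) AddUser(name, password string, salt []byte, roles ...string) {
	f.accounts[name] = account{Salt: salt, Hash: hashPassword(salt, password), Roles: roles}
}

func (f *Firewall) Permit(role, service, operation string) {
	if f.policy[role] == nil {
		f.policy[role] = map[string]bool{}
	}
	f.policy[role][service+"/"+operation] = true
}

func (f *Firewall) Revoke(role, service, operation string) {
	delete(f.policy[role], service+"/"+operation)
}

// Decision is the firewall's verdict: forward to Target, or reject with Reason.
type Decision struct {
	Forward bool
	Target  string
	Reason  string
}

// Check is the verification step: parse, authenticate against the state DB,
// then authorize against the policy DB. Authentication failures return the
// same reason whether the user or the password is wrong.
func (f *Firewall) Check(raw []byte) Decision {
	var env Envelope
	if err := xml.Unmarshal(raw, &env); err != nil {
		return Decision{Reason: "malformed request: " + err.Error()}
	}
	acct, known := f.accounts[env.Header.User]
	got := hashPassword(acct.Salt, env.Header.Password) // hashed even for unknown users
	if !known || subtle.ConstantTimeCompare(got[:], acct.Hash[:]) != 1 {
		return Decision{Reason: "authentication failed"}
	}
	target := env.Body.Service + "/" + env.Body.Operation
	for _, role := range acct.Roles {
		if f.policy[role][target] {
			return Decision{Forward: true, Target: target}
		}
	}
	return Decision{Reason: "not authorized for " + target}
}

// sampleRequest is a constructed message, not traffic captured from any system.
const sampleRequest = `<Envelope>
  <Header><Credentials><User>alice</User><Password>correct horse</Password></Credentials></Header>
  <Body><Operation><Service>OrderService</Service><Name>placeOrder</Name></Operation></Body>
</Envelope>`

// demoFirewall builds a small state DB and policy DB for the sample request.
func demoFirewall() *Firewall {
	fw := NewFirewall()
	fw.AddUser("alice", "correct horse", []byte("salt-alice"), "customer")
	fw.AddUser("bob", "hunter2", []byte("salt-bob"), "auditor")
	fw.Permit("customer", "OrderService", "placeOrder")
	fw.Permit("auditor", "OrderService", "listOrders")
	return fw
}

func main() {
	fmt.Printf("%+v\n", demoFirewall().Check([]byte(sampleRequest)))
}
```

The point the model makes about dynamic policy updates is visible in `Revoke`: once the administrator removes a permission, the very next `Check` of the same valid, authenticated request is rejected without any restart.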
Maher et al. [6] have proposed a security architecture for mobile web services. This security architecture consists of two components, namely Public Key Infrastructure (PKI) and Universal Description, Discovery, and Integration (UDDI). The UDDI acts as the trust center where clients and providers have to subscribe and register first, in order to ease their mutual authentication and consequently to secure the web service. PKI provides public and private keys for each client and provider involved in the communication to guarantee safe communication between them. Along with the prior subscription, the publication of the public key of every involved party at the trust centre is also mandatory, by which clients and providers come to know each other. This enables the two parties to communicate with each other in an encrypted manner while authenticating each other, which substantially guarantees the security of the exchanged messages and consequently the security of the provided web services. This proposed architecture ensures only authentication; the other security requirements, such as integrity and non-repudiation, still need to be addressed.
Junqi et al. [9] have developed a security architecture for the integration of mobile agent and web services technology, which play an important role in e-commerce applications. This integrated security architecture provides a new authentication scheme for web services using an ID-based public key management algorithm to verify the mobile agent without using a username/password pair, using the owner's email-ID for identification instead. The authors have also proposed a new web service and mobile agent system confidentiality protocol, which provides an alternative to current security mechanisms without using a Certification Authority (CA) based Public Key Infrastructure (PKI). In this architecture the web service provider can encrypt the web service data with a session key, encrypt the session key with the corresponding web service key and then email it to the user. Only legitimate users can decrypt the session key, which can then be used to decrypt the encrypted web service data. This scheme simplifies key management and reduces the computation load for group-oriented web services, and provides authorization, authentication, confidentiality and non-repudiation. The authors have not implemented this proposed work in a real-time scenario.

The review of literature reveals that the research work carried out on mobile web services has the following limitations. There is no standard architecture to access web services through mobile devices with end-to-end security. So far, there is no intelligent mechanism to filter the contents while accessing web services through mobile devices. These limitations entail the need to design a novel integrated, intelligent architecture for mobile web services with content filtering and security mechanisms. Hence, this paper proposes a novel Secure Architecture for Mobile Web Service (SAMWS) to carry out public-related web services anytime, anywhere.
III. SECURITY DESIGN OF THE PROPOSED ARCHITECTURE (SAMWS)
Security is the most important issue related to mobile web services. In the present scenario, researchers have proposed several models for secure access of mobile web services. However, the proposed models have their own limitations and no model facilitates end-to-end security. Hence a novel security architecture has been designed and incorporated in this thesis with end-to-end high-level security using Public Key Infrastructure (PKI).

The proposed security architecture provides a solution for securing sensitive services between mobile clients and information service providers through mobile devices, irrespective of the underlying transport protocol used for transferring the service responses, using PKI. PKI facilitates strong authentication as well as message confidentiality. The security procedures are developed and integrated with the proposed SAMWS, which provides secure communication between the mobile clients and the information service providers through Hypertext Transfer Protocol over SSL (HTTPS). The proposed security architecture of SAMWS is depicted in Figure 3.1. The proposed system offers security services with digital signatures and standard encryption and decryption algorithms. Message confidentiality and client authentication are accomplished by using a standard encryption/decryption algorithm, namely RSA, together with the digital signature. The one-way digest algorithm SHA-256 ensures the integrity of the message effectively. Non-repudiation is yet another security service which is well supported through the use of the digital signature. Security interfaces have been developed for the various levels of authentication.

Figure 3.1: The Security Architecture of the SAMWS
The proposed intelligent, integrated secure architecture provides a solution for accessing web services through mobile devices over the wireless network in a secure manner, anytime, anywhere, with end-to-end security. The different levels of the proposed security architecture are: Device Level Authentication (DLA), Client and Client/Server Level Authentication (CCSLA), Service Request Level Authentication (SRLA), Agent Level Authentication (ALG) and Corporate Service Provider Level Authentication (CSPLA). The various phases of the security architecture of the SAMWS are presented in the following sections.

3.1 Certificate Registration and Public Key Certificate Issuance
Initially the corporate web service providers have to register with the Certificate Authority (CA) to acquire a public key certificate, and the corporate service providers are to be authenticated by the SAMWS. Figure 3.2 illustrates the various steps involved in obtaining the public key certificate from the Certificate Authority by the web service providers.

Figure 3.2: Registration and Issuance of Public Key Certificate
i) The corporate web service provider submits the certificate application and its information to the Registration Authority (RA) for certificate registration.
ii) RA forwards the received web service provider information to the CA.
iii) CA stores the web service provider information in its database for further verification.
iv) CA sends RA the Reference Number (Ref. No.) and Authorization Code (Au.Co).
v) RA forwards the Ref. No. and Au.Co to the requesting web service provider.
vi) The corporate web service provider checks all the security parameters and requests the CA to issue the digital certificate.
vii) After verification, CA issues the digital certificate to the corporate web service provider.

3.2 Device level Authentication
In the proposed system, the X.509 client certificate is bound together with the mobile application software developed, namely the SAMWS.apk file. The device level authentication process is depicted in Figure 3.3.

Figure 3.3: Device level authentication process

IV. SYSTEM IMPLEMENTATION AND TESTING
The SAMWS applications have been developed using J2EE technology. This platform is organized as a large-scale, federated security architecture. The internal components of the architecture are different types of servers and workstations. The internal structure of SAMWS consists of the following modules: GUI module, Communication module and Security module. The internal structure of the SAMWS system is presented in Figure 4.1.

Figure 4.1: Internal Structure of SAMWS System
4.1 Implementation of SAMWS Application Software
The SAMWS application has been implemented using J2EE technology. J2EE applications have major advantages such as better portability and easier implementation compared to other competing technologies. J2EE applications run in a Java Virtual Machine (JVM) that provides GUI interfaces for implementing the mobile user business logic and the ability to support secure communication with the SAMWS server as well as the Corporate Servers. For such reasons, the mobile user interface has been implemented using Java Server Pages (JSP). The SAMWS application offers mobile user interfaces for the following transactions: 1) Mobile Device Authentication to validate the certificates with the CA. 2) Mobile user Authentication to the AAA server based on the user profile. 3) Loading the service list from the MWS server.

4.2 Mobile user Authentication by the AAA server
The SAMWS setup supports authentication protocols at various levels that validate the mobile user identities locally as well as remotely. The initial level of authentication is based on the registration form to be filled in by the mobile user. It is then compared with the service requester details available in the AAA server. If they match, the mobile user is authenticated. Otherwise the mobile user repeats the process until authenticated. The mobile user is thus authenticated at the interface level, and the initial level of service authentication is completed. Figure 4.2 depicts the mobile user registration form.

Figure 4.2: Mobile User Registration Form
4.3 Server Authentication Confederations
After the successful registration of the mobile user, the mobile user avails the corporate-related web services by activating the application icon through SecCode. The MWS server provides the list of corporate-related web services. The mobile user can select the required web service by clicking the option for the appropriate mobile web service. Once the mobile client selects a mobile web service, the corresponding Service-id for the selected mobile web service is sent to the MWS server. Figure 4.3 depicts the mobile service list screen shot.
Figure 4.3: The Mobile Service List Screen Shot
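The registration and issuance steps i–vii of section 3.1 and the device-level certificate check of section 3.2, as an added example written for this page; it is not the SAMWS implementation (which is J2EE/Android) and the paper gives no code. The RA is modelled as a pure relay, the Ref. No. format, the 16-byte random Au.Co, the one-day validity period and the provider names are assumptions, and the "simulated CA" is built with Go's standard crypto/x509 so the whole flow runs offline.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CA is the simulated Certificate Authority: its key and self-signed certificate
// plus the database of pending registrations (step iii), keyed by Ref. No. and
// holding only a hash of the single-use Au.Co, so a leaked database yields no code.
type CA struct {
	key     *rsa.PrivateKey
	cert    *x509.Certificate
	pending map[string]pendingReg
	nextRef int64
}

type pendingReg struct {
	csr      *x509.CertificateRequest
	codeHash []byte
	serial   int64
}

// Credentials are the Ref. No. and Au.Co the CA hands to the RA (step iv).
type Credentials struct{ RefNo, AuthCode string }

func validity() (time.Time, time.Time) { // one-day test certificates (assumption)
	now := time.Now()
	return now.Add(-time.Hour), now.Add(24 * time.Hour)
}

func NewCA() (*CA, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return nil, err }
	nb, na := validity()
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "SAMWS Simulated CA"},
		NotBefore: nb, NotAfter: na, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, err }
	cert, err := x509.ParseCertificate(der)
	if err != nil { return nil, err }
	return &CA{key: key, cert: cert, pending: map[string]pendingReg{}, nextRef: 2}, nil
}

// Register is steps ii-iv: the RA relays the provider's application (a PKCS#10
// CSR); the CA checks the CSR's proof of possession, stores it and returns a
// reference number and a random authorization code.
func (ca *CA) Register(csrDER []byte) (Credentials, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil { return Credentials{}, err }
	if err := csr.CheckSignature(); err != nil { return Credentials{}, err }
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil { return Credentials{}, err }
	cred := Credentials{RefNo: fmt.Sprintf("REF-%d", ca.nextRef), AuthCode: hex.EncodeToString(raw)}
	h := sha256.Sum256([]byte(cred.AuthCode))
	ca.pending[cred.RefNo] = pendingReg{csr: csr, codeHash: h[:], serial: ca.nextRef}
	ca.nextRef++
	return cred, nil
}

// Issue is steps vi-vii: the provider presents Ref. No. and Au.Co; the CA checks
// the code in constant time, consumes the registration and signs a certificate
// for the public key carried in the stored CSR.
func (ca *CA) Issue(cred Credentials) ([]byte, error) {
	reg, ok := ca.pending[cred.RefNo]
	if !ok { return nil, errors.New("unknown reference number") }
	h := sha256.Sum256([]byte(cred.AuthCode))
	if subtle.ConstantTimeCompare(h[:], reg.codeHash) != 1 { return nil, errors.New("authorization code mismatch") }
	delete(ca.pending, cred.RefNo) // single use
	nb, na := validity()
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(reg.serial), Subject: reg.csr.Subject,
		NotBefore: nb, NotAfter: na, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	return x509.CreateCertificate(rand.Reader, tmpl, ca.cert, reg.csr.PublicKey, ca.key)
}

// Provider is a corporate web service provider; Application builds step i.
type Provider struct{ key *rsa.PrivateKey }

func NewProvider() (*Provider, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return nil, err }
	return &Provider{key: key}, nil
}

func (p *Provider) Application(name string) ([]byte, error) {
	return x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: name}}, p.key)
}

// Enroll runs steps i-vii; because the RA only relays, steps ii and v are the
// calls between provider and CA.
func Enroll(ca *CA, p *Provider, name string) ([]byte, error) {
	csr, err := p.Application(name)
	if err != nil { return nil, err }
	cred, err := ca.Register(csr)
	if err != nil { return nil, err }
	return ca.Issue(cred)
}

// VerifyProviderCert is the device-level check of section 3.2: the client, which
// ships the CA certificate inside the app, accepts a provider certificate only if
// it chains to that CA, is within its validity period and names the expected provider.
func VerifyProviderCert(caCert *x509.Certificate, certDER []byte, name string) error {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil { return err }
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots}); err != nil { return err }
	if cert.Subject.CommonName != name { return errors.New("certificate issued to a different provider") }
	return nil
}

func main() {
	ca, _ := NewCA()
	p, _ := NewProvider()
	der, err := Enroll(ca, p, "shopping.example")
	if err != nil { panic(err) }
	fmt.Println("provider certificate verified:", VerifyProviderCert(ca.cert, der, "shopping.example") == nil)
}
```

Two properties of the paper's flow are enforced explicitly here: the Au.Co is single-use and compared in constant time, and the client trusts only the CA bundled with the app, so a certificate from any other CA, or one issued to a different provider, fails the device-level check.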
4.4 Performance Analysis on Mobile Device Authentication
The proposed architecture is tested and measured on both the emulator and a mobile phone, recording the difference in time consumption. The primary aim is to measure the data on the emulator and also to take all the measurements on the real mobile device, because the various settings of the network throughput speed appear to be high. It is observed that the emulator running on a desktop computer and the apk file running on the mobile device show very little difference in time consumption, since the processor speed and memory of the desktop computer and of the mobile device are more or less equal. The execution of the various steps of mobile device authentication on both the emulator and the real mobile device is shown graphically in Figure 4.4.

Figure 4.4: Time Spent for Mobile Device Authentication
4.5 Processing Time for Mobile User Authentication
An experimental study has been made to measure the processing time of the RSA algorithm during the process of mobile user authentication. The graphical representation of the processing time spent for the three stages of the mobile user authentication is shown in Figure 4.5.

Figure 4.5: Time taken for Mobile User Authentication
The graphical representation of service requester authentication shows that the SAMWS application takes more time for the retrieval of the encrypted user credentials from the mobile client.

CONCLUSION
The proposed Integrated and Intelligent Secure Architecture for Mobile Web Services (SAMWS) is a novel one and realizes the vision of accessing required and relevant information anytime, anywhere in a secured manner. This architecture has superior performance with the use of the Intelligent Mobile Agent and Intelligent Content Filtering. It adopts Public Key Infrastructure to provide secure access to day-to-day public-related web services through mobile and handheld devices. The proposed architecture is tested by establishing a test bed for five different mobile web services, namely shopping, travel, education, agriculture and weather. The mobile user functional components are deployed on a Samsung Galaxy Y S5360 mobile phone running Android OS version 2.3.3. The server functionalities are distributed to the AAA Server, Mobile Web Service Server (MWS), Intelligent Mobile Agent server (IMA), Intelligent Content Filter Server (ICF) and a simulated Certificate Authority (CA) server. The time taken for the steps of the mobile user authentication process, namely encrypting the user credentials, retrieving the encrypted user credentials and decrypting the user credentials, is also calculated. The results are summarized and presented graphically. The results indicate that the proposed model is highly scalable and secure. The proposed architecture overcomes the limitations encountered in the recent past while accessing web services through mobile devices. This proposed work is well suited for the public to access mobile web services through mobile devices at any time, anywhere, in a secured way with its unique key features.

REFERENCES
[1] http://www.slideshare.net/KarlPortio/mobile-applications-futures-20102015-portio-research-ltd
[2] Cisco Visual Networking Index, "Global Mobile Data Traffic Forecast Update, 2014–2019", White Paper, 2015.
[3] http://www.emarketer.com/Article/2-Billion-Consumers-Worldwide-Smartphones-by-2016/1011694
[4] Younky Chung, "Architecture Approach for Mobile Service Security", International Journal of Software Engineering and Its Applications, Vol. 8, No. 5, pp. 43-52, ISSN: 1738-9984, DOI: 10.14257/ijseia.2014.8.5.05, 2014.
[5] Narges Shahgholi, Mehran Mohsenzadeh, Mir Ali Syyedi, Saleh Hafez Qorani, "A new Security Framework against Web Services, XML attacks in SOA", IEEE 7th International Conference on Next Generation Web Services Practices, pp. 314-319, ISBN: 978-1-4577-1125-1, DOI: 10.1109/NWeSP.2011.6088197, 2011.
[6] Maher Khemakhem, Wiem Rekik and Jacques Fayolle, "A Flexible and Secure Web Service Architectural Model Based on PKI and Agent Technology", International Journal for Infonomics, Vol. 3, No. 2, 2010.
[7] Song Han, Tharam Dillon, Elizabeth Chang, and Biming Tian, "Secure Web Services using Two-Way Authentication and Three-Party Key Establishment for Service Delivery", Journal of System Architecture, Vol. 55, pp. 233-242, ISBN: 1383-7621, DOI: 10.1016/j.syarc.2009.01.004, 2009.
[8] Haiping Xu, Mihir Ayachit and Abhinay Reddy, "Formal Modeling and Analysis of XML Firewall for Service-Oriented Systems", International Journal of Security and Networks, Vol. 3, No. 3, pp. 147–160, DOI: 10.1.1.189.2634, 2008.
[9] Junqi Zhang, Yan Wang and Vijay Varadharajan, "Mobile Agent and Web Service Integration Security Architecture", IEEE International Conference on Service-Oriented Computing and Applications SOCA'07, pp. 172-179, ISBN: 0-7695-2861-9, DOI: 10.1109/SOCA.2007.29, 2007.
[10] Jinesh Varia and Sajee Mathew, "Overview of Amazon Web Services", White Paper, pp. 1-22, 2014.
[11] Jingyu Zhang, David Levy, Shiping Chen, John Zic, "mBOSSS: A Mobile Web Services Framework", IEEE Asia-Pacific Services Computing Conference, pp. 91-96, ISBN: 978-0-7695-4305-5, DOI: 10.1109/APSCC.2010.95, 2010.
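The security services of section III (RSA for confidentiality, SHA-256 for integrity, a digital signature for client authentication and non-repudiation) applied to the mobile user's credentials, together with the three timed stages of section 4.5 (encrypting the credentials, retrieving the encrypted credentials, decrypting them), as an added example written for this page. It is not the SAMWS code and the paper gives none; the JSON credential encoding, RSA-OAEP and RSA-PSS as the concrete RSA modes, the 2048-bit key size, the reading of "retrieve" as the server-side receipt-and-signature-check step, and the sample user are all assumptions of the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Credentials are what the mobile user enters on the registration form
// (section 4.2); the values used below are constructed for this example.
type Credentials struct {
	User     string `json:"user"`
	Password string `json:"password"`
}

// Token is the message the client sends: RSA-OAEP ciphertext of the credentials
// and an RSA-PSS signature over the SHA-256 digest of that ciphertext.
type Token struct {
	Ciphertext []byte
	Signature  []byte
}

// StageTimes holds the duration of the three stages measured in section 4.5.
type StageTimes struct {
	Encrypt, Retrieve, Decrypt time.Duration
}

// NewKey generates a 2048-bit RSA key (one for the AAA server, one per client).
func NewKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// Protect runs on the mobile client: encrypt under the AAA server's public key,
// then sign the digest of the ciphertext with the client's private key (the key
// the SAMWS design binds to the device through its X.509 certificate).
func Protect(creds Credentials, server *rsa.PublicKey, client *rsa.PrivateKey) (Token, error) {
	plain, err := json.Marshal(creds)
	if err != nil {
		return Token{}, err
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, server, plain, nil)
	if err != nil {
		return Token{}, err
	}
	digest := sha256.Sum256(ct)
	sig, err := rsa.SignPSS(rand.Reader, client, crypto.SHA256, digest[:], nil)
	if err != nil {
		return Token{}, err
	}
	return Token{Ciphertext: ct, Signature: sig}, nil
}

// Retrieve is the server's receipt step: the signature is checked before the
// ciphertext is used, so a tampered token or one signed by a different key is
// dropped here and never reaches the private-key decryption.
func Retrieve(tok Token, client *rsa.PublicKey) error {
	digest := sha256.Sum256(tok.Ciphertext)
	if err := rsa.VerifyPSS(client, crypto.SHA256, digest[:], tok.Signature, nil); err != nil {
		return errors.New("signature check failed: " + err.Error())
	}
	return nil
}

// Decrypt recovers the credentials with the AAA server's private key.
func Decrypt(tok Token, server *rsa.PrivateKey) (Credentials, error) {
	var c Credentials
	plain, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, server, tok.Ciphertext, nil)
	if err != nil {
		return c, err
	}
	err = json.Unmarshal(plain, &c)
	return c, err
}

// Authenticate runs the exchange end to end and times each of the three stages.
func Authenticate(creds Credentials, server, client *rsa.PrivateKey) (Credentials, StageTimes, error) {
	var st StageTimes
	start := time.Now()
	tok, err := Protect(creds, &server.PublicKey, client)
	st.Encrypt = time.Since(start)
	if err != nil {
		return Credentials{}, st, err
	}
	start = time.Now()
	err = Retrieve(tok, &client.PublicKey)
	st.Retrieve = time.Since(start)
	if err != nil {
		return Credentials{}, st, err
	}
	start = time.Now()
	got, err := Decrypt(tok, server)
	st.Decrypt = time.Since(start)
	return got, st, err
}

func main() {
	server, _ := NewKey()
	client, _ := NewKey()
	got, st, err := Authenticate(Credentials{User: "alice", Password: "correct horse"}, server, client)
	fmt.Println(got.User, st, err)
}
```

Running `main` prints the per-stage durations for one exchange; the two private-key operations (signing inside Protect, decryption inside Decrypt) dominate, which is the RSA cost the paper's Figure 4.5 measures on the handset.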