
Int. J. Computational Science and Engineering, Vol. 10, No. 3, 2015

Service-oriented network architecture: significant issues and principles of communication Bhawana Rudra* Department of Information Technology, Indian Institute of Information Technology, Allahabad – 211 012, India Email: [email protected] *Corresponding author

A.P. Manu Department of Information Science, Sahyadri College of Engineering and Management, Mangalore – 575 007, India Email: [email protected]

O.P. Vyas Department of Information Technology, Indian Institute of Information Technology, Allahabad – 211 012, India Email: [email protected]

Abstract: The internet was not designed for any specific application purpose; rather, it was designed for generic and evolving purposes. Although the architecture of the internet is based on a number of principles, including self-describing datagram packets, the end-to-end argument, diversity in technology and global addressing, David D. Clark along with J.H. Saltzer highlighted end-to-end arguments as among the most influential of all the communication protocol design goals. The internet also adopted a patchwork approach to cope with the evolution and revolution of technology growth at acceptable cost and speed. The future network is expected to host much more than today’s applications in an efficient manner, but experts have predicted rigidity as one of the failure factors of the current internet (CI). In this paper the authors discuss various issues involved in the flexible network architecture SONATE (Reuther and Henrici, 2008) while incorporating security functionality ‘inside’ the architecture.

Keywords: service-oriented network architecture; SONATE; flexible network; service-oriented architecture; SOA; future internet; service.

Reference to this paper should be made as follows: Rudra, B., Manu, A.P. and Vyas, O.P. (2015) ‘Service-oriented network architecture: significant issues and principles of communication’, Int. J. Computational Science and Engineering, Vol. 10, No. 3, pp.306–314.

Biographical notes: Bhawana Rudra is a research scholar at IIIT-A working on security aspects of the future internet and related issues. A.P. Manu is a faculty member of Sahyadri College of Engineering and Management, Mangalore, India, working on service-oriented network architecture and its architectural issues. O.P. Vyas is a Professor at the Indian Institute of Information Technology (IIIT-A), Allahabad, India, and pursued his MTech and doctoral degrees at IIT Kharagpur, India. He is a DAAD Research Fellow from a German university (University of Kaiserslautern) and worked for the Fraunhofer Institute of Software Engineering (Germany) as a Research Scientist (Systems Analyst) and also for the Centre of International Cooperation for Computerization (CICC), Tokyo, Japan, in the area of internet/network technology. His primary research interests are software engineering, computer networks, data mining and the future internet.

Copyright © 2015 Inderscience Enterprises Ltd.

1 Introduction

The penetration level of the internet is highly influenced by society and its values. Other influencing factors, such as the economy, politics and technology, are also driving the development of the next generation internet. There are many hidden expectations covered under the umbrella of the future internet which need to be uncovered in the coming days. Researchers have articulated these issues as an improper set of visions during the design phase of the internet architecture. The internet architecture of the future should be flexible, accessible, accountable, manageable, scalable, reliable, robust, stable, simple, cost-effective, secure, and so forth. For this, a deep understanding of architecture design, the impact of society, implementation and design processes and other crucial issues has to be analysed in detail. There is a difference between methodical design at one end and the desire of the community at the other. This difference led to the design and development of new frameworks in accordance with the needs of society; for example, the scientific approach forced the development of distributed systems in the field of networking (Day, 2008; Touch et al., 2006), while the economic approach forced the introduction of economic models into the network (Vaishnav, 2008). Since the beginning of ARPANET, the concept of layering has been a fundamental design principle of network communication protocols. Current internet (CI) communication works on the basis of packet formats that are organised into layers (Meyer, 1970). The data which control the delivery are called headers. The architecture of the internet is designed to connect everything from sensors to supercomputers based on the principles of modularity, layering and E2E arguments, diversity in technology, and global addressing, but David D. Clark along with J.H. Saltzer highlighted end-to-end arguments as among the most influential of all the communication protocol design goals (Saltzer et al., 1984).
However, the implementation of new protocols is becoming very complex and problematic in the CI. Overthrowing the principles of the layering concept led to the investigation of non-layered approaches to the design and implementation of network protocols, which leads to a non-stack network architecture (Manu et al., 2011). The research thesis of Barbara van Schewick clearly highlights that there are many paths for internet development, guided by its use, production and development environments. The structure of the internet continues to change based on what is good for the network providers, while neglecting application developers, organisational/corporate users, individuals, etc. There is a need to realise an internet structure that fully accounts for economic, social, political and cultural factors (Van Schewick and Farber, 2009). The future internet architecture faces disagreement over the incorporation of a wider range of stakeholder values, such as network neutrality. Ian Brown et al. highlighted the impact and essential role of network neutrality in the design of the architecture (Brown et al., 2010), and framework design with a greater understanding of the socioeconomic analytic model embedded in the internet (Sterman, 2000). As the growing demands and heterogeneity of applications are continuously challenging, it becomes necessary to devise an architecture which is flexible in terms of any modification or update of applications or protocols. It should be free from the effects of technological revolutionary changes while addressing the issues of the CI in support of the future internet. The CI’s inability to accommodate innovation is also forcing the creation of a new framework (Koponen et al., 2011). A multitude of projects are going on in the world of the CI, focusing on evolutionary (Papadimitriou, 2009; Sanchez-Loro et al., 2011; Mulyar et al., 2007) or revolutionary approaches (Bellovin et al., 2005) to the development of the future internet in order to solve architectural problems such as the ossified and rigid structure, which include security as well. These projects address a wide range of topics such as new networking paradigms, inherent support for security, and naming and addressing issues (Djambazova et al., 2008; Zahariadis et al., 2011). The emerging solutions allow flexible and spontaneous creation of virtual networks. This paves the way for no longer being bound to a single network suited for all purposes, which allows many architectures to work in flexible environments without depending on a single architecture to avoid the problems (Molva, 1999; Paul et al., 2011). This raises new opportunities for developing different architectures and testing them in different environments. The most prominent test beds offering realistic evaluation of new networking ideas are PlanetLab, GENI, FIRE (Gavras et al., 2007), AKARI, G-Lab, etc. (Paul et al., 2011).
The concept is to develop an internet architecture by considering the salient features of the CI along with flexibility, loose coupling, scalability, security, maintainability and so on; it should be able to connect applications and make them work together across networks. The work in this paper aims to design and develop a flexible network architecture using the entities of service-oriented architecture (SOA), while discussing the significance of security.

2 Architecture design approach

The gigantic size of the internet makes any change at the global level practically unsuitable and impossible. The roots of the internet have deepened over the past four decades, so there is no easy practical way to change all available protocols, their types of interaction or their functionalities. The mechanism of a future internet architecture demands easy build-up of protocols and protocol versions, easy addition, removal or modification, automatic communication, and so on. To overcome this type of problem, SONATE provides full support for any upcoming change through its flexibility. There are many design approaches available for designing an architecture. Clean slate, evolutionary, re-engineering, SOA, economical, etc., are some of the approaches used to address the fundamental limitations of the CI (Manu et al., 2011). Some of the following approaches are commonly found in the development of future internet projects: role-based architecture (RBA), which uses roles for the flow of information by replacing the concept of layers (Braden et al., 2003); service integration and control optimisation (SILO), which provides services in the form of modules, provides security for the services by following policies and allows run-time adaptation (Dutta et al., 2007); recursive network architecture (RNA), which uses a metaprotocol that changes over time, defines the constraints for the construction of protocols and uses a cross-layer framework for providing security (Martin et al., 2011; Touch et al., 2006; Touch and Pingali, 2008); autonomic network architecture (ANA), which is a run-time framework and uses both static and dynamic approaches for the composition of services with the help of plug-ins, where protocols are developed in the form of functional blocks (FBs) for the delivery of services over the system (Bouabene et al., 2010; Hossmann et al., 2008; Jelger et al., 2007); and clean slate, evolutionary approaches, Netlets, etc. (EC FIArch Group, 2010). In all these design approaches, a modular technique was found to be the common method of adaptation. One of the outcomes of the clean slate approach is SONATE.

3 Service-oriented architecture

SOA readily supports any specific type of technology and has already emerged as one of the candidate approaches to software development, one which adheres to the software engineering principles of flexibility, maintainability, interoperability, and fast development and deployment at low cost. SOA solves problems by treating user/system needs as a service, and it suits the development of massively distributed applications/systems. These service entities are autonomous and platform independent, and can be discovered, published and described in a loosely coupled way (Papazoglou et al., 2007). Service-oriented computing allows developers to grow application portfolios dynamically, quicker than ever before, by:

• creating solutions which use organisational internal software assets, enterprise information and legacy systems, combining them with other external components that are possibly available in networks.

SOA allows easy assembly of a network of loosely coupled service application components, and it can create any sort of dynamic business process application for any type of organisation. The concept of SOA has matured enough for the development of large distributed systems with a variety of owners and subsystems. It is not an architecture in itself; rather, it leads to a concrete architecture, a paradigm or philosophy. It is neither a solid tool nor a framework to buy; it is an approach or way of thinking that leads to the materialised decisions in designing a software architecture. However, it is agreed that SOA is a paradigm for flexibility improvement, and it never demands that everything be designed from scratch; rather, large distributed systems that are legacy in nature necessitate changing the structure of an existing system in use, which will remain in use, by providing backward compatibility. SOA is an approach to maintaining systems that span different platforms, programming languages, paradigms and even middleware. The fundamental functionality of computer networks under the SOA paradigm (or philosophy/concept) is emphasised as three major elements (Papazoglou et al., 2007):

• Services: These represent the self-contained functionality of a business; a service can be part of one or more processes, or can be implemented by any technology on any platform, in a fault-tolerant, flexible and scalable way. Services aim at interoperability (services should be able to connect easily in a heterogeneous system) and loose coupling (minimising dependencies among one another). The different forms of loose coupling are asynchronous communication, heterogeneous data types, mediators, weak type checking, binding, platform dependencies, interaction patterns, compensation, control of the process, logic deployment and versions. All these goals are consummated with the help of the loose coupling concept. Other factors, such as interfaces and contracts, being self-contained, coarse-grained, visible/discoverable, stateless, idempotent, reusable, composable, technically interoperable and vendor diverse, also need to be considered while building services.

• Specific infrastructure: This allows any services to be combined in an easy and flexible manner.

• Policies and processes: These deal with the fact that distributed systems are heterogeneous, under maintenance and have many owners. The way to maintain flexibility in large distributed systems is to support decentralisation, heterogeneity and fault tolerance.

A service broker should play the role of negotiator to establish communication, while accounting for the following factors in order to obtain an optimised service:

• availability of very large numbers of services

• on-demand self-organising capable services are required from service providers

• a tolerably small amount of additional time for composing a service (i.e., a delay added to the decision-making process).

A service consumer plays the role of utilising the services of the provider. The consumer defines its requirements to the broker. In short, the SOA entities can be defined as follows:

1 a user defines their requirements to the communication system

2 a service provider defines offerings describing communication services

3 a broker matches user requirements and offers the service provided by a set of service providers.

All the principles and characteristics of SOA are incorporated in the service-oriented network architecture (SONATE).

4 Service-oriented network architecture

A fine-grained protocol (micro-protocol) is known as a building block (BB), and BBs are loosely coupled and highly cohesive in nature. With the help of BBs, different types of services are formed, such as encryption, decryption, compression, or even TCP/IP. SONATE is a G-Lab project developed on these principles. The fundamental roles of SOA, the service providers, the service consumers and the service brokers/agents, are used in the development of the SONATE framework (Figure 2). SONATE is an acronym for service-oriented network architecture (Reuther and Henrici, 2008), which uses the SOA paradigm to overcome some of the issues of the CI (Papazoglou et al., 2007). SOA works on the basis of services. A service can be either atomic or composite. An atomic service is a service of unbreakable functionality; a composite service consists of a number of atomic services constituting a complex service. Services are the central design elements of SOA. The SOA paradigm is prominent in addressing issues of rigidity by providing flexibility, which is why it is used in the development of a flexible network architecture (Heisel, 2012).

Figure 1 Service-oriented network architecture (see online version for colours)

Figure 2 SOA service model (see online version for colours)

4.1 Entities of SONATE

The prototype of this architecture follows the SOA paradigm, whose three components become part of the proposed architecture: the service provider, the service consumer and the service broker, visualised with respect to the SONATE architecture (Figure 2). The service provider is treated as a passive entity which produces and supplies the service; the service consumer is treated as an active entity which utilises the service; and the service broker provides the facility to advertise, search and discover the desired services and is treated as a passive entity. The entities may increase in number, as there is no restriction on the number of active or passive entities in the system. When an entity’s role is treated as active, that entity can be constrained by the treatment of the principals of the system. A detailed description of all these principals is given in the following.


4.1.1 Service users

The functioning of SONATE begins with the request of the user, who selects a suitable application satisfying the requirement (Figure 3). Users are categorised by their level of acquaintance with the network into non-technical users and technical users (Figure 3):

• Non-technical user: When the user plays the role of a normal user, meaning that the user lacks technical knowledge, the application is used with default settings. The user is given minimum rights, such as read or execute, but may make no technical changes to the applications. The request of the user is forwarded to the broker; the requested applications are fetched from the provider and delivered to the user by the broker. In this case the user is not allowed to connect to the provider for the utilisation of the services (Figure 4).

• Technical user: The requested applications are tuned to the desired levels of need based on the technicality of the user. If the user plays a technical role in the system, it performs additional actions such as modify, update and delete beyond those of the normal user. The request for an application by the user is based on the knowledge of the user, and this request is forwarded to the broker. The broker verifies the role of the user, and if the user plays a technical role and is registered with the broker, the broker connects the user to the provider (Figure 5). The technical role of a user is for the development of static services and for storing them in the provider’s pool; these services are then utilised by the users accordingly.
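The broker-side check described for the two user types, written as an added example (not SONATE project code): the broker confirms that the user is registered and that the requested action is within the rights of the user's role, then either fetches the application on the user's behalf (non-technical) or connects the user to the provider's pool (technical). The class names, action names and user names are assumptions used for illustration.

```python
"""Broker-side role verification for SONATE users.

Constructed example (not SONATE project code): models the rule that the broker
verifies a user's registration and role before serving a request. Broker,
Provider, Role and the action names are assumptions for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum


class Role(Enum):
    NON_TECHNICAL = "non-technical"
    TECHNICAL = "technical"


# Rights per role as the paper describes them: a normal user may only read or
# execute applications; a technical user may also modify, update and delete.
RIGHTS = {
    Role.NON_TECHNICAL: frozenset({"read", "execute"}),
    Role.TECHNICAL: frozenset({"read", "execute", "modify", "update", "delete"}),
}


@dataclass
class Provider:
    """Passive entity: holds the pool of (static) services and applications."""
    pool: dict = field(default_factory=dict)

    def fetch(self, name: str):
        if name not in self.pool:
            raise LookupError(f"no such application: {name}")
        return self.pool[name]

    def store(self, name: str, service) -> None:
        self.pool[name] = service


@dataclass
class Broker:
    """Verifies role and registration, then either fetches on behalf of a
    non-technical user or connects a technical user to the provider."""
    provider: Provider
    registry: dict = field(default_factory=dict)  # user -> Role

    def register(self, user: str, role: Role) -> None:
        self.registry[user] = role

    def request(self, user: str, app: str, action: str) -> dict:
        role = self.registry.get(user)
        if role is None:
            # Unregistered users are rejected before any provider access.
            raise PermissionError(f"{user} is not registered with the broker")
        if action not in RIGHTS[role]:
            raise PermissionError(f"{role.value} user may not {action} {app}")
        if role is Role.NON_TECHNICAL:
            # The broker fetches the application from the provider and delivers
            # it with default settings; the user never touches the provider.
            return {"via": "broker", "app": self.provider.fetch(app),
                    "settings": "default"}
        # Technical user: the broker connects the user to the provider, so the
        # user can tune, develop and store static services in the pool.
        return {"via": "provider", "connection": self.provider}


def demo() -> dict:
    """Run the cases the sequence diagrams distinguish; returns a summary."""
    provider = Provider(pool={"chat": "chat-app v1"})  # constructed pool
    broker = Broker(provider)
    broker.register("alice", Role.NON_TECHNICAL)
    broker.register("bob", Role.TECHNICAL)
    out = {}
    out["alice_execute"] = broker.request("alice", "chat", "execute")
    try:
        broker.request("alice", "chat", "modify")
        out["alice_modify"] = "allowed"
    except PermissionError:
        out["alice_modify"] = "denied"
    try:
        broker.request("carol", "chat", "execute")  # never registered
        out["unregistered"] = "allowed"
    except PermissionError:
        out["unregistered"] = "denied"
    conn = broker.request("bob", "chat", "modify")["connection"]
    conn.store("chat", "chat-app v2")  # technical user updates the pool
    out["bob_sees"] = conn.fetch("chat")
    out["alice_after"] = broker.request("alice", "chat", "execute")["app"]
    return out


if __name__ == "__main__":
    print(demo())
```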

Figure 3 Schematic model of SONATE (see online version for colours). [Figure: labelled components are Users (skilled/unskilled user), Service Consumer, Service Provider, Requirements, Services, Applications A1 to A(N), Services S1 to S(N), Selection Process, Agent, Composition Process, Building Blocks, IP, Interface, and Communication Media (wireless, OFC, wired).]

Figure 4 Sequence diagram for a non-technical user process

Figure 5 Sequence diagram for a technical user process

Figure 6 Broker’s communication (see online version for colours)

4.1.2 Service broker

The following three types of functionality must be performed by a broker for successful communication in the distributed environment of SONATE.



• Protograph generator: A very complex service can be made by combining simple services. A definite combination pattern/sequence is called a protocol graph (protograph). The graph description specifies the definite interaction pattern required to obtain a specific service for a consumer. Each node should have the capability to generate the protograph. The creation of a protograph is performed by the service selection and composition algorithm. The application requirements and network constraints are used for the dynamic creation of a protocol graph. Dynamic information such as how to combine BBs and what they do is addressed with the help of the BB descriptions.

• Message translator: Some messages need to be composed of more than one message, which is done using a messageList (in TLV format). A BB can create/add messages to, or read/remove messages from, a received messageList to make it compatible. Transformation of messages is done with the help of a special BB, the Application BB, which bridges the gap between the application and the workflow.

• Message transmission: Intra- and inter-node message transmission involves the Application BB and the network BBs, respectively.


4.1.2.1 Message formats for communication

The following abbreviations and their corresponding information/messages are used in explaining the inter- and intra-communication of the SONATE system:

• msg1 & msg4: an XML file name in string format

• msg2 & msg5: msg1 built in messageList format

• msg3 & msg6: a tagged message with the file name and the fragmented data to be transferred.

4.1.2.2 Communication broker’s operation

After getting a request from the user, the agent creates a list of the unavailable BBs in XML format. This information is sent to the Application BB as msg1 (Figure 6). After translation, the Application BB sends msg2 to the up port of the Transmission BB. The Transmission BB makes a data chunk and sends msg3 to the data port of the network BB. The msg3 received by the network BB is communicated to the other network BB of the network in the same message format. At the receiving side, the network BB sends msg3 to the down port of the Transmission BB. The data extracted by the Transmission BB are copied into an XML file, and the above procedure is repeated until all the packets have been received. The same procedure is repeated for the return message with the appropriate message formats.

The broker starts functioning after gathering the required information from the user, and at the same time gathers other information, such as BB availability in the local repository and network status, from the network. If a service S(N) is made up of three sub-services (s1, s2 and s3) and these are available with the local provider, the broker provides them to the user; otherwise the broker plays the role of requester, requesting the services from other brokers present in the network (Figure 8). Once the requester knows the exact location where the service is available, it fetches the service from the other broker and delivers it to the user as an agent (Figure 7). Thus a service gets fulfilled by the broker of the system. The broker plays the role of selector for selecting services and of requester for requesting services from other principals in the network.
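An added example (not SONATE project code) of the msg1 to msg2 to msg3 transformation described above: the Application BB builds the messageList in a TLV layout, the Transmission BB tags each data chunk with the file name and fragment counters, and the receiving Transmission BB reassembles the XML only once every packet has arrived, rejecting truncated TLVs and fragments from a different transfer. The tag numbers, the 1-byte tag / 2-byte length layout, the chunk size and the sample XML are assumptions.

```python
"""TLV messageList and fragment reassembly for the msg1/msg2/msg3 flow.

Constructed example (not SONATE project code). The paper states that
messageLists use TLV formats and that msg3 carries a file name plus fragmented
data; the tag values, the "!BH" (1-byte tag, 2-byte length) header and the
chunk size below are assumptions.
"""
import struct

# Assumed tag values for the TLV items.
TAG_FILENAME = 0x01    # msg1 payload: the XML file name
TAG_FRAG_INDEX = 0x02  # fragment number within the transfer
TAG_FRAG_TOTAL = 0x03  # total number of fragments
TAG_DATA = 0x04        # one chunk of the XML data


def encode_tlv(tag: int, value: bytes) -> bytes:
    if not 0 <= tag <= 0xFF or len(value) > 0xFFFF:
        raise ValueError("tag or value out of range")
    return struct.pack("!BH", tag, len(value)) + value


def decode_message_list(buf: bytes) -> list:
    """Parse a messageList into (tag, value) pairs. A declared length that
    runs past the buffer, or a dangling header, is rejected rather than
    silently misread."""
    items, pos = [], 0
    while pos < len(buf):
        if len(buf) - pos < 3:
            raise ValueError("truncated TLV header")
        tag, length = struct.unpack_from("!BH", buf, pos)
        pos += 3
        if len(buf) - pos < length:
            raise ValueError("TLV length exceeds buffer")
        items.append((tag, buf[pos:pos + length]))
        pos += length
    return items


def build_msg2(xml_name: str) -> bytes:
    """Application BB: msg1 (file name string) -> msg2 (messageList)."""
    return encode_tlv(TAG_FILENAME, xml_name.encode())


def build_msg3_chunks(msg2: bytes, xml_data: bytes, chunk: int = 64) -> list:
    """Transmission BB: split the XML into chunks and tag each with the file
    name and fragment counters; every element of the result is one msg3."""
    name = dict(decode_message_list(msg2))[TAG_FILENAME]
    pieces = [xml_data[i:i + chunk] for i in range(0, len(xml_data), chunk)]
    pieces = pieces or [b""]
    total = len(pieces)
    return [encode_tlv(TAG_FILENAME, name)
            + encode_tlv(TAG_FRAG_INDEX, struct.pack("!H", i))
            + encode_tlv(TAG_FRAG_TOTAL, struct.pack("!H", total))
            + encode_tlv(TAG_DATA, piece)
            for i, piece in enumerate(pieces)]


def reassemble(msg3s) -> tuple:
    """Receiving Transmission BB: collect fragments (in any order) until all
    packets are in, then return (file name, reassembled XML bytes)."""
    frags, name, total = {}, None, None
    for m in msg3s:
        fields = dict(decode_message_list(m))
        n = fields[TAG_FILENAME].decode()
        i = struct.unpack("!H", fields[TAG_FRAG_INDEX])[0]
        t = struct.unpack("!H", fields[TAG_FRAG_TOTAL])[0]
        if name is None:
            name, total = n, t
        elif (n, t) != (name, total):
            raise ValueError("fragment belongs to a different transfer")
        if i >= total:
            raise ValueError("fragment index out of range")
        frags[i] = fields[TAG_DATA]
    if len(frags) != total:
        raise ValueError(f"missing fragments: have {len(frags)} of {total}")
    return name, b"".join(frags[i] for i in range(total))


if __name__ == "__main__":
    # Constructed sample: the agent's list of unavailable BBs as XML.
    xml = b"<bbs>" + b"<bb>crypto</bb>" * 20 + b"</bbs>"
    msg2 = build_msg2("unavailable_bbs.xml")
    chunks = build_msg3_chunks(msg2, xml)
    print(len(chunks), "fragments;", reassemble(chunks)[0])
```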

Figure 7 Sequence diagram for a broker communication in a network

Figure 8 Service selection and composition process in network (see online version for colours)


4.1.3 Service providers

The service provider produces and supplies the service, the service consumer utilises the service and the service broker provides the facility to advertise, search and discover the desired services. The services a provider supplies may be of the conventional, compound, template or dynamic type:

• Conventional: A service provider may provide different types of services. Many flavours of a service, from the same or different service providers, are made available for backward compatibility with conventional systems.

• Compound: New services are made available on the basis of pre-compiled, pre-defined and pre-composed methods, with whose help a compound service can easily be formed. As an example, a pre-self-organisation approach is followed in the creation of Netlets.

• Template: Some built-in formats are made available to the customers. The customer can tune the functionality of these templates by adding or deleting modules.

• Dynamic: This type of service provider instantly develops the requested service and makes it available to the user on demand. Two methods are available under this type of service provider: static self-organising (the developer develops the service and interfaces it manually with the other services) and dynamic self-organising (run-time self-organisation of a service). Factors such as the requirements of developers/end-users and the constraints of local hosts, networks, etc., are considered for the dynamic self-organisation of a service, and the whole operation is known as service orchestration and service self-organisation (O&S). The database of a service broker holds all the information about the system, and this information is used at the time of dynamic self-organisation of a service. A protocol graph is the outcome of service self-organisation.

The above-mentioned methods have their own advantages and disadvantages, especially when the self-organisation time and the total number of services available are considered; the following observations can be made. The response time of a conventional service provider is very quick compared with all other types of service provider, due to the limited number of available services. The time taken for searching and selecting an appropriate service is greater for compound service providers, as they store a huge number of pre-composed services. For a template service provider the time taken is greater than for the above methods, as it takes additional time for computation and the self-organisation process, in spite of the smaller number of available services. The O&S service provider takes a very long time to compose, but it can create the maximum number of services at delivery. The service facility of the different types of service providers is provided considering the response time and the type of demand. The provider plays the role of composer for services formed statically or dynamically.

The security of all three components, user, broker and provider, is necessary for correct service provisioning. Only authenticated users should be authorised to avail themselves of the services. The broker should be limited to the services authorised for it by the authentication mechanism, and it should not suffer from attacks such as denial of service. Finally, for correct service provisioning, providers must ensure the integrity as well as the availability of the services (Figure 9).

Figure 9 Significant security issues of SONATE

5 Conclusions

The problems associated with the CI were thoroughly analysed and a new flexible structure for the internet was provided. The new, improved SONATE technology, with its significant issues and roles, was analysed against the existing SOA paradigm, which treats everything as a service. A service is envisaged as fine-grained, loosely coupled and highly cohesive BBs stored with the provider of the system. Flexibility for long-term and short-term services is provided through the SOA concept. The self-organising nature of the BBs available with the provider makes the system flexible and able to develop services from simplex to very complex types in a distributed environment; supporting dynamic, distributed and heterogeneous conditions raises issues related to security. Deploying security modules at the early phase of a network system is essential for the development of a secure internet architecture which could be a candidate for the future internet. Future work includes research on providing a more reliable and secure architecture supporting faster convergence, access control on the services and higher performance as an autonomous future internet.

Acknowledgements

The authors wholeheartedly acknowledge German-Lab (G-LAB) for its kind cooperation and extended support.

References

Bellovin, S.M., Clark, D.D., Perrig, A. and Song, D. (2005) ‘A clean-slate design for the next-generation secure internet’, Technical report, July.

Bouabene, G., Jelger, C., Tschudin, C., Schmid, S., Keller, A. and May, M. (2010) ‘The autonomic network architecture (ANA)’, IEEE J. Sel. A. Commun., January, Vol. 28, No. 1, pp.4–14, ISSN 0733-8716, doi: 10.1109/JSAC.2010.100102.

Braden, R., Faber, T. and Handley, M. (2003) ‘From protocol stack to protocol heap: role-based architecture’, SIGCOMM Comput. Commun. Rev., January, Vol. 33, No. 1, pp.17–22, ISSN 0146-4833, doi: 10.1145/774763.774765.

Brown, I., Clark, D.D. and Trossen, D. (2010) ‘Should specific values be embedded in the internet architecture?’, in Proceedings of the Re-architecting the Internet Workshop, ReARCH ’10, pp.10:1–10:6, ACM, New York, NY, USA, ISBN 978-1-4503-0469-6, doi: 10.1145/1921233.1921246.

Day, J. (2008) Patterns in Network Architecture: A Return to Fundamentals, Pearson Education, ISBN 0132252422, 9780132252423.

Djambazova, E., Dimitrov, K., Ioannidis, S., Kirda, E., Bos, H., Jonsson, E. and Kruegel, C. (2008) ‘Anticipating security threats to a future internet’.

Dutta, R., Rouskas, G.N., Baldine, I., Bragg, A. and Stevenson, D. (2007) ‘The SILO architecture for services integration, control, and optimization for the future internet’, in IEEE ICC, pp.24–27.

EC FIArch Group (2010) ‘Fundamental limitations of current internet and the path to future internet – draft (ver: 0.9)’, October.

Gavras, A., Karila, A., Fdida, S., May, M. and Potts, M. (2007) ‘Future internet research and experimentation: the FIRE initiative’, SIGCOMM Comput. Commun. Rev., July, Vol. 37, No. 3, pp.89–92, ISSN 0146-4833.

Heisel, M. (Ed.) (2012) ‘Software service and application engineering – essays dedicated to Bernd Krämer on the occasion of his 65th birthday’, Vol. 7365 of Lecture Notes in Computer Science, Springer, ISBN 978-3-642-30834-5.

Hossmann, T., Keller, A., May, M. and Dudler, S. (2008) ‘Implementing the future internet: a case study of pub/sub in ANA’, in Proceedings of CFI ’08, Seoul, Korea.

Jelger, C., Tschudin, C.F., Schmid, S. and Leduc, G. (2007) ‘Basic abstractions for an autonomic network architecture’, in International Symposium on a World of Wireless, Mobile and Multimedia Networks (WoWMoM 2007), 18–21 June, Helsinki, Finland, pp.1–6, IEEE, ISBN 1-4244-0992-6, doi: 10.1109/WOWMOM.2007.4351692.

Koponen, T., Shenker, S., Balakrishnan, H., Feamster, N., Ganichev, I., Ghodsi, A., Godfrey, P.B., McKeown, N., Parulkar, G., Raghavan, B., Rexford, J., Arianfar, S. and Kuptsov, D. (2011) ‘Architecting for innovation’, SIGCOMM Comput. Commun. Rev., July, Vol. 41, No. 3, pp.24–36, ISSN 0146-4833.

Manu, A.P., Rudra, B., Reuther, B. and Vyas, O.P. (2011) ‘Design and implementation issues of flexible network architecture’, October, pp.283–288, doi: 10.1109/CICN.2011.59.

Martin, D., Völker, L. and Zitterbart, M. (2011) ‘A flexible framework for future internet design, assessment, and operation’, Comput. Netw., March, Vol. 55, No. 4, pp.910–918, ISSN 1389-1286.

Meyer, E. (1970) ARPA Network Protocol Notes, RFC 46, April.

Molva, R. (1999) ‘Internet security architecture’, Computer Networks, Vol. 31, No. 8, pp.787–804, Amsterdam, Netherlands.

Mulyar, N.A., Schonenberg, M.H., Mans and van der Aalst (2007) Towards a Taxonomy of Process Flexibility, extended version.

Papadimitriou, D. (2009) ‘Future internet – the cross-ETP vision document’, Technical report, European Future Internet Portal, January.

Papazoglou, M.P., Traverso, P., Dustdar, S. and Leymann, F. (2007) ‘Service-oriented computing: state of the art and research challenges’, IEEE Computer Society, November, Vol. 40, No. 11, pp.138–145.

Paul, S., Pan, J. and Jain, R. (2011) ‘Architectures for the future networks and the next generation internet: a survey’, Comput. Commun., January, Vol. 34, No. 1, pp.2–42, ISSN 0140-3664.

Reuther, B. and Henrici, D. (2008) ‘A model for service-oriented communication systems’, J. Syst. Archit., Vol. 54, No. 6, pp.594–606, ISSN 1383-7621, doi: 10.1016/j.sysarc.2007.12.001 [online] http://dx.doi.org/10.1016/j.sysarc (accessed 1 December 2007).

Saltzer, J.H., Reed, D.P. and Clark, D.D. (1984) ‘End-to-end arguments in system design’, ACM Trans. Comput. Syst., November, Vol. 2, No. 4, pp.277–288, ISSN 0734-2071.

Sanchez-Loro, X., Ferrer, J.L., Gomez, C., Casademont, J. and Paradells, J. (2011) ‘Can future internet be based on constrained networks design principles?’, Computer Networks, March, Vol. 55, No. 4, pp.893–909, ISSN 1389-1286, doi: 10.1016/j.comnet.2010.12.018.

Sterman, J.D. (2000) Business Dynamics: Systems Thinking and Modeling for a Complex World, McGraw-Hill, ISBN 0-07-054371-2.

Touch, J., Wang, Y. and Pingali, V. (2006) ‘A recursive network architecture’, Technical report, ISI Technical Report ISI-TR2006-626, October.

Touch, J.D. and Pingali, V.K. (2008) ‘The RNA metaprotocol’, in ICCCN, pp.157–162.

Vaishnav, C. (2008) ‘Does technology disruption always mean industry disruption?’, in Conference of System Dynamics Society, pp.1–25, Athens, Greece.

Van Schewick, B. and Farber, D. (2009) ‘Point/counterpoint – network neutrality nuances’, Commun. ACM, Vol. 52, No. 2, pp.31–37.

Zahariadis, T., Papadimitriou, D., Tschofenig, H., Haller, S., Daras, P., Stamoulis, G.D. and Hauswirth, M. (2011) ‘Towards a future internet architecture’, in The Future Internet, pp.7–18, Springer-Verlag, Berlin, Heidelberg, ISBN 978-3-642-20897-3.

Int. J. Security and Networks, Vol. 10, No. 1, 2015


Understanding and mitigating security and authentication issues in service oriented network architecture

Bhawana Rudra* and O.P. Vyas
Department of Information Technology, Indian Institute of Information Technology, Allahabad 211 012, UP, India
E-mail: [email protected]
E-mail: [email protected]
*Corresponding author

Abstract: Service oriented network architecture (SONATE) is one of the outcomes of the many architectures being explored to evolve into a future network architecture. The architecture stresses the importance of flexibility for solving the short-term as well as the long-term requirements of the consumer (Manu et al., 2012; Rudra et al., 2011a). Flexibility solves the architectural problems but raises many security problems. Security must therefore be treated as an integral part of the design rather than added at the development stage of the architecture. This paper discusses various security requirements for the entities of the architecture and the importance of authentication. A public key infrastructure (PKI) based mechanism is proposed and discussed in detail.

Keywords: security; services; flexible network; SONATE; service oriented network architecture; authentication; public key; PKI; public key infrastructure.

Reference to this paper should be made as follows: Rudra, B. and Vyas, O.P. (2015) ‘Understanding and mitigating security and authentication issues in service oriented network architecture’, Int. J. Security and Networks, Vol. 10, No. 1, pp.9–19.

Biographical notes: Bhawana Rudra is a Research Scholar at Indian Institute of Information Technology (IIIT-A) working on the security aspect of the future internet with special reference to service oriented network architecture (SONATE) and its related issues. She pursued her MTech in Computer Science in 2010 from SRM University Chennai, Tamilnadu. She is a member of IEEE. Her primary research interests are mobile ad hoc networks, network security, future internet architectures and their security issues.

O.P. Vyas is a Professor at Indian Institute of Information Technology (IIIT-A), Allahabad, India. He pursued his MTech and Doctoral Degree from IIT-Kharagpur, India. He was a DAAD Research Fellow at a German university (University of Kaiserslautern) and worked for the Fraunhofer Institute of Software Engineering (Germany) as a Research Scientist (Systems Analyst), and for the Center of International Cooperation for Computerisation (CICC), Tokyo, Japan, in the area of internet/network technology. His primary research interests are software engineering, computer networks, data mining and the future internet.

This paper is a revised and expanded version of a paper entitled ‘Security and Authentication issues in emerging network architectures with special reference to Sonate’ presented at Computational Intelligence and Communication Networks, Gwalior, 10 October, 2011.

1 Introduction

The flaws in the current internet (CI) increase with the increase in its use. The problems are partly due to changing requirements, which include mobility, high performance, timeliness, scalability, quality of service, ease of management and security, and partly due to its rigid structure, i.e., the one-size-fits-all approach. The concept of layering was introduced to give an abstract view to the designer, but Crowcroft et al. and Shaffer and Simon clearly showed that layering is harmful and leads to various attacks in the network (Crowcroft et al., 1992; Shaffer and Simon, 1994). In the 1980s, security incidents on the internet increased; the world saw real evidence in the 1988 incident that affected 60,000 systems connected to the internet (Innella, 2008). Many other incidents also helped give rise to the concept of network security. Many security protocols were developed and included in the architecture as patchwork. Owing to its tightly coupled structure, security mechanisms were inserted into the TCP/IP architecture as sub-layers, which lacks a comprehensive approach towards security. The architecture became clogged with too many ‘shim’ sub-layers, and the structure started relying on each and every layer for a process to happen. A thorough understanding of the fundamental principles of networking is essential for understanding and addressing the problems of security (Bellovin, 2004). The expansion of the internet encouraged users to use it for critical applications such as financial applications, industries, power and telephony stations, etc., which raised insecurity problems related to the connectivity, complexity, scalability and interdependability of the system (Bos et al., 2008; Bellovin et al., 2005; Feldmann, 2007; Martin et al., 2011). The works of Bellovin, of Leue and Oechslin, and a draft released by the European Commission Future Internet Architecture Group clearly state that rigidity can worsen communication performance and can lead to security threats (Bellovin, 1989, 2004; Group, 2011; Leue and Oechslin, 1996). Experts have argued that these problems are not inherent to the protocols; rather, they are an issue of the protocol architecture, caused by an improper vision during the design phase (Reuther and Henrici, 2008). The internet architecture of the future should be flexible, accessible, accountable, manageable, scalable, reliable, robust, stable, efficient, simple, cost-effective, secure, etc. For this, a deep understanding of architecture design, societal impact, implementation and design processes and other crucial issues should be analysed in detail. There is a difference between methodical design at one end and the desires of the community at the other.

Copyright © 2015 Inderscience Enterprises Ltd.
B. Rudra and O.P. Vyas
This difference led to the design and development of a new framework in accordance with the needs of society, as the scientific approach forced the introduction of economic models into the network (Day, 2008; Touch et al., 2006; Vaishnav, 2008). Research towards a future internet architecture that is flexible, highly cohesive, loosely coupled, scalable, maintainable, reliable and secure can be classified by its technical and geographical diversity. Some organisational projects target a specific topic, while others aim at a holistic architecture through collaboration and coordination among individual projects, providing testbeds such as PlanetLab, GENI, FIRE, AKARI, G-Lab, etc. Many research organisations were set up all over the world, including in the USA, Europe, Japan, China, etc. (Paul et al., 2011). Issues such as the scalability of naming and aggregation, compatibility and co-working with IP, privacy of the services and security encourage innovation in new internet architectures (Force, 2010; Martin et al., 2011). Many network architectures, such as RBA (Braden et al., 2003), SILO (Dutta et al., 2007), Autonomic Network Architecture (ANA) (Bouabene et al., 2010), RNA (Touch and Pingali, 2008), etc., were designed to solve the infrastructural problems of the current internet but could not provide a sustainable solution. It is observed that applications and services are constantly changing and are not supported by the current internet architecture, which made architectural rethinking at the network level necessary to accommodate future demands (Kumar, 2010; Blumenthal and Clark, 2001). This promoted the development of new architectures based on service oriented architecture (SOA), aimed at meeting next-generation demands (Ramaratnam et al., 2007). One such architecture based on this concept, service oriented network architecture (SONATE), is drawing considerable attention.

2 Requirement of security in service oriented network architecture (SONATE)

Service oriented network architecture (SONATE) (Reuther and Henrici, 2008; Manu et al., 2012) uses the SOA paradigm to overcome some of the issues of the present internet. It supports long-term as well as short-term demands that may evolve in future for various applications. The model allows a shift to P2P, end-to-end, overlay, broadcasting, multicasting, etc., in a distributed environment. The flexibility of the architecture solves the issues related to the architecture but raises many security issues: the services provided by the architecture are flexible and vulnerable to attacks. Service consumer, service broker and service provider (Figure 1) are the key roles in the architecture for the communication and exchange of services over the network. Services are designed using the concept of loose coupling, avoiding cross-service dependencies. The services are fine-grained protocols (micro-protocols) known as building blocks (BBs). These BBs are loosely coupled and highly cohesive in nature. An application can be composed of a single protocol/BB or of several. Various types of service are obtained with the help of BBs, including services such as encryption, decryption, compression or even TCP/IP itself. The functioning of the model begins with a request from the user/consumer. The broker gathers all the requirements of the user along with information on the availability of services/BBs, network status, etc., from the network side. A selection process is performed according to the gathered requirements, and the service fetched from the provider is delivered to the user. If the requested service/BB is not available locally, it is fetched from the network of available nodes and delivered to the user (Figure 2).

During this process, it is envisioned that security must be considered a chief ingredient at the design stage of the architecture rather than after its development (FIPS, 2006). Some of the security issues that arise while communicating with other entities of the network are:

• Are the requesting and requested entities authenticated to each other?
• What about the access control permissions?
• How is trust built between the entities of the network?
• If all the services/applications/building blocks are available on one system, what about the availability of services?
• If services are fetched from another system, what about the confidentiality of the services sent among the entities?
• What about the control of data in transit, i.e., the integrity of the services?
• While communicating in the network, is there a possibility of a DoS attack?

Figure 1 Service oriented network architecture
Figure 2 Binding of the brokers over the network (see online version for colours)
Figure 3 Entities security aspects
Figure 4 Secured SONATE

To provide a strong and secure SONATE and to solve the problems related to security, security measures (Figure 4) are required for the protection of entities, services, etc. The fundamental security services required for the protection of the services/applications provided by the architecture and of the entities, with respect to SONATE (Figure 3), are authentication, authorisation, confidentiality, integrity and availability of the services. Authentication is important among the entities for smooth communication over the network. Mutual authentication is required between the brokers of the network, and one-way authentication is required between the user, brokers and providers of the system. The user and provider register with the broker for the exchange of services. A detailed explanation of the authentication process is given in the following sections.

3 Security capabilities

In SONATE, there are two types of information gathering: user information and network information. The user information is collected from the user and the network information from the network. Gathering starts when a user selects a specific application based on the needs and demands of the task at hand. The selection requires decision-making parameters, such as the security level required for the requested application, which the application user is expected to supply on the basis of existing knowledge. Similarly, the network has its own decision-making parameters, which are periodically sensed and gathered by the network monitoring devices. The cumulative information is periodically posted to the broker/agent for future decisions.

4 Authentication

Authentication is the process of identifying the principals of the network that are associated with accessing the applications. It serves as proof that a principal is who it claims to be, and is required when logging into the network or communicating over it. Once the principals are authenticated, they are believed to communicate among themselves and not with malicious principals of the network. Authentication can serve different purposes depending on the application type. Its main goal is to allow a principal to communicate for fetching services to and from the network, which assures the following:

• the verification of the identity of the principal from which the service was requested or sent, i.e., user and broker authentication (principal/entity authentication)
• that the service was not modified in transit over the network, i.e., service authentication.

4.1 Architecture for the identity management of the entities

The identity of the entities is important for the exchange of services over the network and for the protection of the services from attackers. Users interact only with the service brokers, requesting services by sending an application/service request. Entities can be identified using the IP address as source ID or the user ID. In both cases, the entities have to be authenticated with the authentication server via the broker of the system.

Service consumer identity. Each user/broker involved in a transaction must be authenticated as the first step by using its userID/brokerID. If the entity is already authenticated and requests a service, the request is fulfilled by forwarding it to the service provider after verification of the entity's identity (Figure 5). At present the IP address and MAC address are taken as the UniqueID for identification of the user and stored in the Valid-IP table of the system. In future, identification of the user can be performed based on the UserID and password, as these are also unique in nature. Note that IP and MAC addresses are identifiers rather than secrets and can be spoofed, so the Valid-IP table locates a principal but does not by itself prove its identity; that proof comes from the certificate-based authentication described in Section 4.3.

Service broker's identity. The broker communicates with the users at the front end to accept service requests and with the provider at the back end to fetch the services. The broker has to fetch the services from other brokers of the network if the service is not available from a provider registered with the system. The brokers are identified by their broker ID, which is authenticated within the network.

Service provider's identity. For the identity of the service providers of the system, the service providers register with the brokers of the network along with the list of services they provide before offering the services to the user via a broker.

Figure 5 Sequence diagram of authentication mechanism in SONATE

4.2 SONATE: PKI management of the keys

One of the major issues in the transaction of services over the network is how the entities verify each other's identity, exchange encrypted services, and create and verify signatures. PKI is a well-established approach for addressing this issue. Technically, PKI refers to a technique that enables public key encryption and digital signatures over distributed networks. The function of the PKI is to distribute keys to those who want to encrypt services. This process involves digital certificates issued by the certificate authority (CA) to the users via brokers, and to the brokers that are registered with that CA. For the issuance of certificates to entities, the CA requires authentication, usually performed by the broker of the system. Its functions extend to renewal of the certificates of the entities of the SONATE architecture. The main functions of the PKI are:

• to generate the key pairs (public and private keys)
• to store the certificates in the authentication server
• generation and verification of digitally produced signatures.

4.2.1 PKI consumer functionalities

The user sends a request with the requirements of an application along with its sourceID, i.e., the UserID or IP address of the system, if it is already registered with the broker of the system. If the user is not registered, the functionalities for getting registered with the provider to access the services are as follows:

• the user sends a request to get authenticated by invoking the Generate_Key pair() function along with its sourceID, for the generation of the public and private key pair
• whenever a user sends a request that requires a digital signature, the user invokes the digital signing function, which creates a hash of the message and generates the digital signature
• verification of the certificate signature can be performed using the public key of the sender.

4.2.2 Key establishment process

The user/broker generates a secret session key and sends it to the broker in encrypted form under the system's public key; the long-term private key itself is never transmitted. Hashing is used to protect the transmission of the keys over the network. For the computation of the certificate services, MD5 or a MAC can be utilised, and MD5 can also be used for deriving the session keys. (MD5 is no longer collision-resistant, so a deployment should substitute a SHA-2 family hash or an HMAC for these roles.) The session key is established with the help of the authentication server's authority and the public key, and consists of two keys, one for each direction. Once the session is established, all traffic over the network is encrypted in both directions. The session key can be reused for multiple sessions of fetching services, which ultimately reduces the overhead of private key operations. The certificate of the user can be stored within the authentication server and used for future purposes.

4.3 Certificate management service: SONATE

Figure 6 Certificate request process

The purpose of the PKI is the management of certificates. The functions provided by the certification authority (CA) of the PKI via the authentication server are the certificate request, certificate revocation and certificate verification services.

4.3.1 SONATE: certificate request process

The functions of the certificate request are as follows (Figure 6):

• The service consumer/user uses the PKI to generate the asymmetric key pair and sends a Certificate_Request message to the communication broker of the system, which forwards it to the authentication server (AS). The message contains information such as the sourceID and is signed with the user's private key.
• The CA of the authentication server verifies the entity's digital signature with its public key. If this succeeds, a randomly generated authentication code is sent to the broker as specified in the Certificate_Request. This code is used to identify the certificate request.
• When the broker receives the message from the PKI via the AS, it stores the details in its repository and forwards the authentication code to the user. The user sends the code along with its sourceID to the broker as in step 1. The broker verifies the user against the code received from the AS; if it is correct, it sends a verification signed with the broker's private key to the PKI of the AS.
• The CA verifies the user's signature received via the broker and checks the random codes for identification of the specific certificate request. If the verification is successful, it invokes a Certificate_Request. The service request contains a PKCS#10 (Nystrom and Kaliski, 2000) certificate request message.
• The CA issues the certificate based on the identity of the user by sending a PKCS#7 (Kaliski, 1998) response message to the broker as the service response, which is forwarded to the user. This message contains the X.509 certificate details signed by the service provider of the certificate authority of the authentication server.
• The CA of the PKI verifies the user's signature against the user's certificate, which was loaded during the initialisation phase. If the signatures match, the CA of the PKI stores the X.509 certificate along with the public key and the permissions for the services to be accessed. The same is also stored with the broker of the system for verifying the user next time. The key is stored with the service provider for issuing services in encrypted form to the user via a broker.

4.3.2 SONATE: certificate revocation process

The revocation process is used when a key is lost or compromised. Two approaches exist for the revocation and verification of certificates: CRL, which provides a list of revoked certificates that is received less frequently, and OCSP, which provides real-time revocation status from the issuing authority (Figure 7). The OCSP method has been adopted in this architecture, where the broker acts as the responder and the process.
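The request process above comes down to three checks: a PKCS#10 request signed by the requester, the CA's verification of that signature before issuing an X.509 certificate, and a broker's verification of the issued certificate against the CA it loaded at initialisation. The Go program below is an added example written for this edit, not code from the paper or from the SONATE project; it carries out those three steps with Go's standard crypto/x509. The CA name, the sourceID "user-7", the ECDSA P-256 key type and the 24-hour validity are assumptions made for the example, the broker-relayed authentication code is reduced to a boolean the CA insists on, and the PKCS#7 packaging of the response is not shown.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// NewCA builds the self-signed certificate of the authentication server's CA.
// Name, key type and lifetime are constructed for this example; the page does not fix them.
func NewCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "SONATE AS CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// ConsumerCSR is the consumer's side of step 1: generate the asymmetric key pair
// and a PKCS#10 request naming the sourceID, signed with the new private key.
func ConsumerCSR(sourceID string) ([]byte, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	csr, err := x509.CreateCertificateRequest(rand.Reader,
		&x509.CertificateRequest{Subject: pkix.Name{CommonName: sourceID}}, key)
	return csr, key, err
}

// CAIssue is the CA's side: check the CSR's own signature (proof that the requester
// holds the private key), require that the authentication code relayed by the broker
// matched (authCodeOK), then issue an X.509 certificate for the CSR's public key.
func CAIssue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, csrDER []byte, authCodeOK bool) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, fmt.Errorf("malformed PKCS#10 request: %w", err)
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR signature does not verify: %w", err)
	}
	if !authCodeOK {
		return nil, errors.New("authentication code relayed by the broker did not match")
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      csr.Subject,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey)
}

// BrokerVerify is what a broker does with a presented certificate: chain it to the
// CA certificate loaded at its initialisation and return the certified sourceID.
func BrokerVerify(certDER []byte, ca *x509.Certificate) (string, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return "", err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}); err != nil {
		return "", err
	}
	return cert.Subject.CommonName, nil
}

func main() {
	ca, caKey, err := NewCA()
	if err != nil {
		panic(err)
	}
	csr, _, err := ConsumerCSR("user-7") // constructed sourceID
	if err != nil {
		panic(err)
	}
	cert, err := CAIssue(ca, caKey, csr, true)
	if err != nil {
		panic(err)
	}
	id, err := BrokerVerify(cert, ca)
	fmt.Println("certified sourceID:", id, "error:", err)
	tampered := append([]byte(nil), csr...)
	tampered[len(tampered)-1] ^= 0xff // corrupt the CSR's signature bytes
	_, err = CAIssue(ca, caKey, tampered, true)
	fmt.Println("tampered CSR rejected:", err != nil)
}
```

The CSR signature check is the point a practitioner should not skip: without it the CA would certify any public key a broker relays, and a broker that has been compromised could obtain certificates for keys it does not control.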

Figure 7 Certificate revocation process

4.3.3 SONATE: certificate verification process

Once the user obtains the certificate by the above process (see the request process), the user can use it for authentication before fetching services from the provider of the system or from another broker of the network via a broker. OCSP is used for checking the status of the certificates. The authentication protocol is used as it provides strong authentication as specified in FIPS 196 (FIPS, 1997). Mutual authentication is performed between the brokers and the providers of the network based on digital signatures and the exchange of certificates, and one-way authentication, with exchange of keys and signing of certificates, is performed between the service user and the service broker of the system (Figure 8). The process is as follows:

1 The service consumer/user sends a service request message to the broker. The message contains the sessionID, sourceID and an indicator identifying the message as an authenticated request.

2 The service broker checks its repository and decides whether to terminate or initiate the authentication session. If it decides to authenticate the user, the broker generates a random number challenge R[b] and sends it with a sessionID to the user.

3 The consumer/user generates a random number challenge R[user] and sends it to the broker together with R[b], sessionID, sourceID and S[user](R[user], R[b]), where S is a service request and S[x](M) denotes the message M signed with x's private key.

4 After receiving the service message, the broker verifies the entity's certificate by sending a Verification_Certificate_Request containing the user's X.509 certificate to the AS. The CA of the AS searches for the certificate and verifies its status using the OCSP protocol, then sends an OCSP-based response to the broker. The CA of the PKI verifies the broker's signature using the broker's public key, which was pre-loaded at the initialisation phase. The verification result is returned to the broker in signed form as Verification_Certificate_Response along with the public key. The CA of the AS verifies the public key of the broker using the public key loaded at the initial phase. R[b] is verified against the value retained in step 2. If all verifications succeed, the broker has authenticated the user successfully; otherwise a failure notification is sent to the user. Finally the broker returns a message with the authentication result, consisting of R[b], R[user] and S[user](R[b], R[user]).

5 The broker verifies the provider that registered with the broker for offering services using step 4 of the process. The user verifies the broker by sending the request along with the public key. If all verifications succeed, the user is authenticated, and using steps 3 and 4 the brokers of the network authenticate each other for the exchange of keys along with certificates. The brokers of the proposed SONATE architecture are mutually authenticated using a hierarchical certification process with the integrated PKI.

6 After mutual authentication between the brokers and one-way authentication between users and brokers, i.e., after a successful authentication process between the entities of the architecture, they agree on and establish the keys for encrypting messages. An entity generates a message consisting of a session key and the algorithm ID (RSA-1, MD5-2, etc.), signs it, encrypts it with the recipient entity's public key and sends it to the broker of the system. After receiving this message, the recipient entity decrypts it with its private key and verifies the signature using the public key of the sending entity. Once verification and session establishment are done, the provider entities encrypt all services using the specified algorithm and key and forward them to the broker, which forwards them to the users.

A comparison of execution time and throughput for a series of files was conducted; execution time is higher and throughput lower in SONATE because the selection and composition of services are performed so that the best services are delivered. The graph (Figure 9) compares the execution time (milliseconds) for a series of files, where the first four series (Series1 to Series4, the upper lines) represent the execution time of a secure file transfer over the SONATE interface and the other four (Series5 to Series8, the lower lines) over the TCP/IP interface. The second graph (Figure 10) compares the throughput (bytes/millisecond) for eight series of files, where the first four series represent TCP/IP and the next four SONATE.
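The challenge-response core of steps 2 to 4, as an added example written for this edit in Go and not code from the paper: the broker generates R[b] and retains it per session, the user answers with R[user] and S[user](R[user], R[b]), and the broker checks the echoed R[b] against the retained value, verifies the signature under the user's registered public key and consumes the challenge so the same response cannot be replayed. On success the broker returns its own signature over (R[b], R[user]), which is the piece a peer broker checks to make the authentication mutual. The 32-byte nonces, the ECDSA P-256 keys, the "SONATE-auth-v1" domain tag and the IDs are assumptions; the OCSP status check of step 4 is stood in for by a Register call that records a user's key as already verified.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

const nonceLen = 32 // size of R_b and R_user; the page fixes no length (assumption)

// Response is the step-3 message: R_b echoed back, sessionID, sourceID,
// R_user and S_user(R_user, R_b).
type Response struct {
	SessionID, SourceID string
	Rb, Ruser, Sig      []byte
}

// Broker keeps the challenge it issued per session ("retained in step 2") and
// the public keys of users whose certificates it has already verified.
type Broker struct {
	key     *ecdsa.PrivateKey
	pending map[string][]byte
	users   map[string]*ecdsa.PublicKey
}

func GenKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

func NewBroker() (*Broker, error) {
	k, err := GenKey()
	if err != nil {
		return nil, err
	}
	return &Broker{key: k, pending: map[string][]byte{}, users: map[string]*ecdsa.PublicKey{}}, nil
}

// Register stands in for the certificate/OCSP check: the broker learns the user's key.
func (b *Broker) Register(sourceID string, pub *ecdsa.PublicKey) { b.users[sourceID] = pub }

// signedMaterial fixes what S_x(first, second) covers: a domain tag and both nonces, hashed.
func signedMaterial(first, second []byte) []byte {
	h := sha256.New()
	h.Write([]byte("SONATE-auth-v1")) // domain separation tag (assumption)
	h.Write(first)
	h.Write(second)
	return h.Sum(nil)
}

// Challenge is step 2: generate R_b and retain it for this session.
func (b *Broker) Challenge(sessionID string) ([]byte, error) {
	rb := make([]byte, nonceLen)
	if _, err := rand.Read(rb); err != nil {
		return nil, err
	}
	b.pending[sessionID] = rb
	return rb, nil
}

// UserRespond is step 3: generate R_user and sign (R_user, R_b) with the user's private key.
func UserRespond(priv *ecdsa.PrivateKey, sessionID, sourceID string, rb []byte) (*Response, error) {
	ruser := make([]byte, nonceLen)
	if _, err := rand.Read(ruser); err != nil {
		return nil, err
	}
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedMaterial(ruser, rb))
	if err != nil {
		return nil, err
	}
	return &Response{SessionID: sessionID, SourceID: sourceID, Rb: rb, Ruser: ruser, Sig: sig}, nil
}

// Verify is step 4 at the broker: the echoed R_b must equal the retained challenge and
// S_user must verify under the registered key. The challenge is consumed whatever the
// outcome, so a captured response cannot be replayed. On success the broker returns
// S_b(R_b, R_user) for the peer to check (mutual authentication between brokers).
func (b *Broker) Verify(r *Response) ([]byte, error) {
	rb, ok := b.pending[r.SessionID]
	delete(b.pending, r.SessionID) // single use
	if !ok || !bytes.Equal(rb, r.Rb) {
		return nil, errors.New("R_b does not match an outstanding challenge")
	}
	pub, ok := b.users[r.SourceID]
	if !ok {
		return nil, errors.New("unknown sourceID")
	}
	if !ecdsa.VerifyASN1(pub, signedMaterial(r.Ruser, r.Rb), r.Sig) {
		return nil, errors.New("S_user does not verify")
	}
	return ecdsa.SignASN1(rand.Reader, b.key, signedMaterial(r.Rb, r.Ruser))
}

// CheckBrokerAck is the peer's side of mutual authentication: verify S_b(R_b, R_user).
func CheckBrokerAck(brokerPub *ecdsa.PublicKey, r *Response, ack []byte) bool {
	return ecdsa.VerifyASN1(brokerPub, signedMaterial(r.Rb, r.Ruser), ack)
}

func main() {
	b, _ := NewBroker()
	userKey, _ := GenKey()
	b.Register("user-7", &userKey.PublicKey) // constructed IDs
	rb, _ := b.Challenge("s1")
	resp, _ := UserRespond(userKey, "s1", "user-7", rb)
	ack, err := b.Verify(resp)
	fmt.Println("authenticated:", err == nil, "broker ack verifies:", CheckBrokerAck(&b.key.PublicKey, resp, ack))
	_, err = b.Verify(resp)
	fmt.Println("replayed response rejected:", err != nil)
}
```

Both nonces go under the signature in a fixed order behind a domain tag, so a signature produced for one session cannot be presented in another, and the broker's signature over the reversed pair cannot be confused with the user's.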

5 Authorisation

Authorisation determines what a principal is allowed to do once it is authenticated to a network or system. Access control restricts authenticated entities from performing an action on a resource even though they hold privileges. Policies define the rules of what the principal is and is not allowed to do. The policy list is stored in the repository of the broker in XML format, and the details are stored by the service provider. These policies are enforced using a policy enforcement point in the security domains. Before access to an application is granted, the user must authenticate, and then privileges are assigned according to the fundamental conceptual model of security (Table 1).

Table 1 Principals with their permissions

Role of the principals    Privileges
Technical user            Read, write, execute
Non-technical user        Read and execute
Brokers                   Read only
Providers                 Read, write, execute

Access control is the determination of the level of access to the applications based on security levels, namely micro level, medium level and macro level with respect to SONATE (Rudra et al., 2011a). The hierarchy consists of micro-level security, which provides top-level security for services such as information related to military affairs, e.g., top-secret documents on missiles, bombs and so on; this level serves highly confidential applications. Medium-level security is provided to services just below top secret, i.e., secret and confidential applications such as financial transactions. Finally, macro-level security is provided to unclassified services communicated over the network. Each security level dominates itself and all levels below it. Access to these services is permitted if the required relationship exists between the security levels associated with the principals and the applications. These levels are described on the basis of mandatory access control (MAC); the privileges are granted to the principals using discretionary access control (DAC) based on the roles they play in the system, and these roles were decided based on role based access control (RBAC) (di Vimercati et al., 2005; Ramachandran, 2002). These access control privileges are maintained in the repositories of the brokers and the servers in the system. After receiving a request from the user, the broker checks its repository for the user's authentication and assigned privileges before granting access to the principal.

These permissions are accessed by the principals based on the group they belong to, such as Owner, Group or Public. The services are fetched from the providers available in the network via brokers, which communicate and interact with the other brokers of the network. The owner of a service holds full access rights, i.e., read, write and execute, but not always, as ownership can be transferred to others by removing its permissions on services that were provided to other brokers in the network. Authenticated principals belong to a group of those who work with the same permissions on the network; in SONATE a set of brokers that transfer and fetch information from others can be considered a group. The brokers hold read-only permission for the acceptance or rejection of a service. The permissions of users vary when they play different roles, i.e., technical or non-technical. Non-technical users are treated as the public, who access the internet or utilise resources with permission to read and execute the services. Consider, for example, the issue of permissions where the principals are a non-technical user, a broker and a provider. A request from the user is checked against the privileges of the principal; these ACLs are present with the brokers for the request to be fulfilled and in the network for the flow of services from one system to another. Not all privileges are allowed to all principals of the network. For access permissions, the principals must be authenticated, some levels of security are to be allowed, and these must be verified against the security levels of the applications.

Figure 8 Certificate verification process
Figure 9 Comparison of execution time (milliseconds) of a secure file transfer in SONATE and TCP/IP interface (see online version for colours)
Figure 10 Comparison of throughput (bytes/milliseconds) of a secure file transfer in SONATE and TCP/IP interface (see online version for colours)
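A broker-side access decision that combines Table 1 with the level hierarchy, as an added example written for this edit in Go and not code from the paper: a request is granted only if the principal is authenticated, its role carries every requested permission bit (RBAC, Table 1) and its clearance dominates the service's security level (MAC, micro above medium above macro); any failed check denies, and an unknown role holds no permission. The principal and service names are constructed for the demonstration; the Owner/Group/Public distinction of the text is not modelled.

```go
package main

import "fmt"

// Permission bits as used in Table 1.
type Permission uint8

const (
	Read Permission = 1 << iota
	Write
	Execute
)

func (p Permission) String() string {
	s := []byte("---")
	if p&Read != 0 {
		s[0] = 'r'
	}
	if p&Write != 0 {
		s[1] = 'w'
	}
	if p&Execute != 0 {
		s[2] = 'x'
	}
	return string(s)
}

// Role is the row of Table 1 the principal falls under.
type Role int

const (
	TechnicalUser Role = iota
	NonTechnicalUser
	Broker
	Provider
)

// rolePermissions is Table 1 as RBAC policy; a role missing here maps to no permission.
var rolePermissions = map[Role]Permission{
	TechnicalUser:    Read | Write | Execute,
	NonTechnicalUser: Read | Execute,
	Broker:           Read,
	Provider:         Read | Write | Execute,
}

// Level is the MAC security level; a higher value dominates the lower ones.
type Level int

const (
	Macro  Level = iota // unclassified services
	Medium              // secret and confidential, e.g. financial transactions
	Micro               // top secret, e.g. military information
)

func (l Level) String() string {
	names := [...]string{"macro", "medium", "micro"}
	if l < 0 || int(l) >= len(names) {
		return "invalid"
	}
	return names[l]
}

type Principal struct {
	ID        string
	Role      Role
	Clearance Level // level the principal was authenticated for
}

type Service struct {
	Name  string
	Level Level
}

// Decide is the broker's check: authenticated first, then RBAC (the role must carry
// every requested bit), then MAC (clearance must dominate the service level).
// Any failed check denies; there is no default grant.
func Decide(p Principal, authenticated bool, want Permission, s Service) (bool, string) {
	if !authenticated {
		return false, p.ID + ": not authenticated"
	}
	if have := rolePermissions[p.Role]; have&want != want {
		return false, fmt.Sprintf("%s: role has %s, requested %s on %s", p.ID, have, want, s.Name)
	}
	if p.Clearance < s.Level {
		return false, fmt.Sprintf("%s: clearance %s does not dominate %s level of %s", p.ID, p.Clearance, s.Level, s.Name)
	}
	return true, fmt.Sprintf("%s: %s on %s granted", p.ID, want, s.Name)
}

func main() {
	// Constructed principals and services for the demonstration.
	payroll := Service{Name: "payroll-transfer", Level: Medium}
	telemetry := Service{Name: "missile-telemetry", Level: Micro}
	bob := Principal{ID: "bob", Role: NonTechnicalUser, Clearance: Medium}
	broker := Principal{ID: "broker-1", Role: Broker, Clearance: Micro}
	requests := []struct {
		p    Principal
		want Permission
		s    Service
	}{{bob, Read | Execute, payroll}, {bob, Write, payroll}, {bob, Read, telemetry}, {broker, Read, telemetry}, {broker, Execute, payroll}}
	for _, req := range requests {
		_, why := Decide(req.p, true, req.want, req.s)
		fmt.Println(why)
	}
}
```

Keeping the two policies as separate checks that must both pass is what makes the decision auditable: the reason string tells an operator whether a denial came from the role table or from the level hierarchy.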

6 Confidentiality

Confidentiality is the characteristic of security which ensures that information is shared among authorised principals in an authorised manner. It can also be called privacy or secrecy and refers to the protection of information from attackers in the network. Usually this is achieved using the encryption mechanisms available in the present infrastructure. Many experts consider authentication, authorisation and confidentiality as separate security goals (Menzel et al., 2009; Rodríguez et al., 2007), but Ruth Breu and Michael Hafner place authentication and authorisation under the concept of confidentiality (Hafner and Breu, 2008), which can be achieved by the enforcement of an access control mechanism. Each entity must secure the information exchanged between them along with the address of the location. The services can be sent over an unsecured channel after applying encryption techniques to the application/service (Rudra et al., 2011b). Privacy is preventing identity leakage to any other principal in the network, while confidentiality is keeping the exchanged information secret from those who are not allowed to access it. In SONATE, the transmission of information to the intended entity of the network passes through several routers, where there is a possibility of eavesdropping, misdelivery of messages, exposure of the data in the medium, etc. For solving such problems, authentication of the principals alone is not enough; encryption techniques along with authentication will help in countering such attacks. If encryption is not applied to the packets, the transmission of data lacks privacy in the network. Encryption of services is not compulsorily required for authentication purposes; all that is required is some type of assurance that the information passed over the network is correct and was not modified in transit.
Confidentiality can be achieved by encrypting messages (Myllarniemi, 2007) using various mechanisms such as message digest algorithms, message encryption, digital signatures, key management, etc. Aldabbas et al. proposed in their work that confidentiality can be achieved by using access control mechanisms for the services based on their sensitivity (Jonnaganti, 2009; Aldabbas et al., 2012): for a sensitive operation such as a bank transaction, the security provided by authentication alone is not sufficient. Though data/service authentication sometimes does not allow modification of information, it still allows an attacker to read the information transmitted over the network. To avoid this, confidentiality techniques are to be used along with authentication and access control for the services in the development of a secure SONATE architecture.

7 Integrity

Integrity ensures that the message was not modified in transit. It allows only an authorised principal to alter a message, and only in an authorised way (Wolter et al., 2008; Hafner and Breu, 2008). Corruption of the message may occur due to malicious principals present in the network or for other reasons like noise. Integrity is the assurance of accuracy, authentication and completeness of the received application. It acts as a primary indicator of security in information systems and is enforced using a set of rules or constraints which are an integral part of the system. This refers to the validation of data and principal controls which should not be changed, since a change can lead to service interruptions and result in a breach (Myllarniemi, 2007; Jonnaganti, 2009). In SONATE, integrity can be achieved using access control and digital signatures for the services. The term integrity can also refer to the functioning of the system. At the message level it means preventing the alteration of the message by others (i.e., anyone other than the originator) in transit. Though a signature does not prevent alteration of the message by the attacker, it allows the recipient to learn of the breach after checking the signature (Leune, 2007). Integrity is an essential requirement for the avoidance of tampering attacks on sensitive applications like military, banking and aircraft control systems.

8 Availability

Availability is the assurance that the required data and applications/services are available for the proper functioning of the system. It is also the assurance that relevant information is provided to the principal on a timely basis (Hafner and Breu, 2008). There are specifically designed systems available today whose architectures are oriented towards improving the availability of computing resources. Whatever the specific design, availability can be affected by power outages, network outages, upgrades and hardware failures (Jonnaganti, 2009). In SONATE, if the required building blocks (BBs) are not available with the system, they are fetched from other systems of the network with the help of brokers for the fulfilment of the request. This assures the stability of the system even at the time of a DoS attack (Aldabbas et al., 2012). The applications in the network need to be made available when requested, even at the time of faults in the system. The broker starts functioning after gathering the required information from the point of view of the user, and at the same time it also gathers other information, such as the BBs available in the local repository and the network status, from the point of view of the network. If a service S(N) is made up of three sub-services (s1, s2 and s3) and these are available at the local provider, then it is made available to the user by the broker; otherwise the broker plays the role of requester and requests the service from another broker (Figure 2). Once the requester (broker) knows the exact location of the service, it fetches the service and delivers it to the user. To fetch a service from the network, the principal/entity must prove its identity. A simple file transfer is performed on the testbed of the architecture (Algorithm 1). Transferring a file in smaller chunks is easier than transferring a large file over the network. Therefore, a larger file is split into chunks of smaller sized messages and sent over the network in encrypted form. At the destination side, these chunks are collected and reassembled to form the original message. The proposed framework supports this type of operation. To avoid the permanent connection establishment problem, a session control mechanism is introduced. Using this mechanism, the required BB is made available for a definite period of time. As soon as the session completes, the BB becomes obsolete, like a bank transaction where the session ends after a certain amount of time.
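The chunked transfer under session control described above, as an added example that is not the testbed's Algorithm 1: the sender cuts a message into fixed-size chunks, each carrying the session id, its index, the chunk count and a keyed integrity tag; the receiver accepts chunks only while the session is alive and only if the tag verifies, then reassembles once every index has arrived. A pre-shared session key with an HMAC tag stands in for the encryption and signing building blocks the paper assumes; `CHUNK_SIZE`, the session lifetime and the sample message are illustration values.

```python
"""Added example (not the paper's testbed code): chunking, per-chunk integrity
tags and session-bounded reassembly. The HMAC tag and pre-shared session key
stand in for SONATE's encryption/signing BBs; sizes and lifetimes are assumed."""
import hashlib
import hmac
import os
from typing import Dict, List, Optional

CHUNK_SIZE = 16          # deliberately tiny so the example is easy to trace


def make_session(lifetime_s: float, now: float) -> dict:
    """One session per transfer: random id, fresh key, fixed expiry (the paper's session control)."""
    return {"id": os.urandom(8).hex(), "key": os.urandom(32), "expires": now + lifetime_s}


def chunk_tag(key: bytes, sid: str, index: int, total: int, body: bytes) -> bytes:
    """Integrity tag that binds the chunk body to its session and its position."""
    header = f"{sid}|{index}|{total}|".encode()
    return hmac.new(key, header + body, hashlib.sha256).digest()


def chunk_message(session: dict, data: bytes) -> List[dict]:
    """Sender side: cut data into CHUNK_SIZE pieces, each one self-describing."""
    pieces = [data[i:i + CHUNK_SIZE] for i in range(0, len(data), CHUNK_SIZE)] or [b""]
    total = len(pieces)
    return [{"sid": session["id"], "index": i, "total": total, "body": body,
             "tag": chunk_tag(session["key"], session["id"], i, total, body)}
            for i, body in enumerate(pieces)]


class Receiver:
    """Destination side: accepts chunks for one session and reassembles them."""

    def __init__(self, session: dict):
        self.session = session
        self.parts: Dict[int, bytes] = {}
        self.total: Optional[int] = None

    def accept(self, chunk: dict, now: float) -> str:
        if now > self.session["expires"]:
            return "rejected: session expired"          # BB is obsolete once the session ends
        if chunk["sid"] != self.session["id"]:
            return "rejected: wrong session"
        expected = chunk_tag(self.session["key"], chunk["sid"],
                             chunk["index"], chunk["total"], chunk["body"])
        if not hmac.compare_digest(expected, chunk["tag"]):
            return "rejected: integrity tag mismatch"    # altered in transit
        self.total = chunk["total"]
        self.parts[chunk["index"]] = chunk["body"]       # out-of-order arrival is fine
        return "accepted"

    def reassemble(self) -> Optional[bytes]:
        """Return the original message once every chunk has arrived, else None."""
        if self.total is None or len(self.parts) != self.total:
            return None
        return b"".join(self.parts[i] for i in range(self.total))
```

Because the tag covers the session id, the index and the chunk count as well as the body, a chunk cannot be moved to another position, carried into a different session, or have the announced count changed without the receiver noticing.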

9 Non repudiation

Non-repudiation is considered one of the essential security services in networks; it is applied in message handling systems and electronic commerce (Zhou and Gollmann, 1997). It protects the parties involved in an exchange of services against the other principal denying having sent or accepted the resources. It is required to establish the accountability of the parties involved in the communication for the requesting and receiving of the services. When entities misbehave, disputes are investigated to find the hacker (Wei and Heather, 2007). The concept of non-repudiation, which plays a major role in finding attacks on the present internet, is not an essential requirement in the SONATE architecture because the details of the principals are stored with the broker of the system. Only authenticated principals with their respective permissions can access the services of the system or the network. There is no direct contact between the user (i.e., normal users) and the provider, as the services are fetched and delivered to the user with the help of the broker of the system. If any malfunctioning occurs with the tool or the principals in the system, it is treated as an error and not as an attack on the system. Though a feedback system is mandatory for the current internet, its functionality can be achieved by authentication and authorisation in the proposed framework.

10 Discussion

The security aspects applicable to all three components, user, broker and provider, are necessary for correct service provisioning. Only authenticated users should be authorised to avail the services. The broker should be limited to the services it is authorised for by the authentication mechanism, and it should not suffer from attacks such as denial of service. Finally, for correct service provisioning, providers must ensure the integrity and the availability of the services. It is important to evaluate any designed secure system in order to determine whether it can support the expected security services or not. This section evaluates the security proposed for the SONATE architecture on the basis of a threat model. The threat model was designed using an attacker-based approach, and it was then verified whether the proposed protocols can prevent the consequences. The identity management system was analysed from the attacker's point of view, considering the following possible attacks: eavesdropping, replay attack, impersonation and data tampering (Table 2). It was then analysed whether the security services are capable of solving these issues. All messages are digitally signed using the sender's private key and encrypted with the receiver's public key, which helps in preventing interception and replay attacks. Since a strong authentication method is applied before each session, the problem of impersonation is solved. A simple file transfer can use simple cryptographic functions such as a hash, which can prevent only the tampering attack. For the prevention of interception and replay attacks along with data tampering, it is better to use a digital signature created with the sender's private key and encrypted with the receiver's public key. Before each session, the entities that want to communicate perform a strong authentication in order to establish a secure session. Until and unless the entities prove their identity and authenticate themselves, the exchange of services is not allowed. In the certificate request phase, a sessionID is randomly generated in each session for the avoidance of a replay attack. Each service transaction is based on the challenge-response mode, and if an attack occurs there is a possibility for the broker of the system or network to cancel the transaction and send an acknowledgement to the sender system. For the revocation process, the above-mentioned attacks are prevented for the above-mentioned reasons. In addition, the use of certificates provides integrity and authentication for the services.

Table 2 Security evaluation results
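The per-session challenge-response with a random sessionID and cancellation on attack, as an added example that is not the paper's protocol implementation: the broker issues a fresh sessionID and challenge for every transaction, verifies the principal's response, and consumes the sessionID so that a captured response replayed later is cancelled rather than accepted. A pre-shared key per principal with an HMAC response stands in for the certificate-based signature the paper uses; the principal names and keys are constructed.

```python
"""Added example (not from the paper's code): broker-side challenge-response
session set-up with one-shot sessionIDs. The HMAC over a pre-shared key stands
in for the certificate signature of the paper's PKI design; names and keys are
constructed for illustration."""
import hashlib
import hmac
import os
from typing import Dict, Tuple


def respond(key: bytes, session_id: str, challenge: bytes) -> bytes:
    """Principal side: prove possession of its key over the broker's fresh values."""
    return hmac.new(key, session_id.encode() + challenge, hashlib.sha256).digest()


class Broker:
    def __init__(self, keys: Dict[str, bytes]):
        self.keys = keys                                   # registered principals -> key
        self.pending: Dict[str, Tuple[str, bytes]] = {}    # session_id -> (principal, challenge)
        self.closed = set()                                # sessionIDs already consumed

    def start_session(self, principal: str) -> dict:
        """Fresh sessionID and challenge for every transaction (the paper's certificate request phase)."""
        if principal not in self.keys:
            raise KeyError(f"unknown principal {principal}")
        session_id = os.urandom(16).hex()                  # random per session: defeats replay
        challenge = os.urandom(16)
        self.pending[session_id] = (principal, challenge)
        return {"session_id": session_id, "challenge": challenge}

    def verify(self, principal: str, session_id: str, response: bytes) -> str:
        """Returns 'authenticated', or a 'cancelled: ...' acknowledgement for the sender."""
        if session_id in self.closed:
            return "cancelled: replayed session"
        entry = self.pending.pop(session_id, None)
        self.closed.add(session_id)                        # one shot, whatever the outcome
        if entry is None or entry[0] != principal:
            return "cancelled: unknown session or impersonation"
        expected = respond(self.keys[principal], session_id, entry[1])
        if not hmac.compare_digest(expected, response):
            return "cancelled: response does not verify"
        return "authenticated"
```

Consuming the sessionID before checking the response means a failed attempt cannot be retried against the same challenge; the principal has to start a new session, which gives it a new challenge.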

                    Identity       Certificate    Certificate    Certificate
                    verification   request        revocation     verification
Replay attack       Yes            Yes            Yes            Yes
Data tampering      Yes            Yes            Yes            Yes
Impersonation       Yes            Yes            Yes            Yes
Eavesdropping       Yes            Yes            Yes            Yes

11 Conclusion

The security issues associated with a dynamic, distributed and heterogeneous environment as a service are analysed. The proposed work tries to provide a different structure to the network by focusing on long-term and short-term flexibility and by incorporating the security concepts into the architecture, to avoid vulnerabilities that may evolve in future. The technology provides a service which is a fine-grained, loosely coupled and highly cohesive set of building blocks with a self-organising nature. The work helps in selecting BBs for the composition of services, which raises security issues that can be solved using the above-mentioned requirements. The security aspects particular to the entities were discussed; the failure of any security mechanism leads to various network attacks. Non-repudiation is not considered for this architecture, as the details of the principals are stored with the broker principals of the network and access to the services is granted based on the access control permissions allocated to the principals of the network. Some of the security modules like CRC, AES, MD5, etc., were tested as middleware in the current internet, which can make SONATE a new flexible and secure network architecture for the future internet. Authentication of the entities is imperative for the satisfactory working of SONATE and for the avoidance of security vulnerabilities. The entities, user, broker and provider, are independent and require mutual authentication at the initiation of every service request cycle for the avoidance of attacks. Thus, authentication is the most important security measure in SONATE: it allows smooth service provisioning without external threats like man-in-the-middle attacks. In this thesis, a mechanism based on PKI is proposed for the SONATE environment, owing to its functional properties, for the fulfilment of authentication in the network. In addition, the security, usability and interoperability of the PKI solution must be taken into account in the context of providing secure services. As a result, we designed a solution based on the concept of PKI and its trusted authorities. The proposed mechanism includes a PKI server, a CA server and three services: a certificate request service, a certificate revocation service and a certificate verification service. Our solution not only solves the authentication issues but also provides flexibility and interoperability for its deployment. Finally, an evaluation of usability and security is also given. Based on the evaluation results, it is concluded that the proposed PKI solution is easy and secure to use. The performance analysis considered both scenarios, TCP and SONATE, which uses UDP for transferring messages over the network. It is observed that the execution time is higher and the throughput lower for UDP than for TCP, due to the service orchestration process performed by the architecture for the delivery of the best possible services.

Acknowledgements

I am very thankful to Mr. Neelabh Singh for helping me analyse the results of the authentication protocols.

References

Aldabbas, H., Alwada’n, T., Janicke, H. and Al-Bayatti, A. (2012) ‘Data confidentiality in mobile ad hoc networks’, International Journal of Wireless Mobile Networks (IJWMN), 4 February, 2012.
Bellovin, S. (1989) ‘Security problems in the TCP/IP protocol suite’, ACM SIGCOMM Computer Communication Review Archive, Vol. 19, No. 2, pp.32–48.
Bellovin, S. (2004) ‘A look back at security problems in the TCP/IP protocol suite’, Computer Security Applications Conference, 2004. 20th Annual, pp.229–249.
Bellovin, S.M., Clark, D.D., Perrig, A. and Song, D. (2005) A Clean-Slate Design for the Next-Generation Secure Internet, Technical Report.
Blumenthal, M.S. and Clark, D.D. (2001) ‘Rethinking the design of the internet: the end-to-end arguments vs. the brave new world’, ACM Trans. Internet Technol., Vol. 1, No. 1, pp.70–109.
Bos, E.D.K.D.S.I.E.K.H., Jonsson, E. and Kruegel, C. (2008) Anticipating Security Threats to a Future Internet, http://www.ict-forward.eu/media/publications/fiawhitepaper.pdf
Bouabene, G., Jelger, C., Tschudin, C., Schmid, S., Keller, A. and May, M. (2010) ‘The autonomic network architecture (ANA)’, IEEE J. Sel. A. Commun., Vol. 28, No. 1, pp.4–14.
Braden, R., Faber, T. and Handley, M. (2003) ‘From protocol stack to protocol heap: role-based architecture’, SIGCOMM Comput. Commun. Rev., Vol. 33, No. 1, pp.17–22.
Crowcroft, J., Wakeman, I., Wang, Z. and Sirovica, D. (1992) ‘Is layering harmful? [remote procedure call]’, Netwrk. Mag. of Global Internetwkg., Vol. 6, No. 1, pp.20–24.
Day, J. (2008) Patterns in Network Architecture: A Return to Fundamentals, Pearson Education.
di Vimercati, S.D.C., Samarati, P. and Jajodia, S. (2005) ‘Policies, models, and languages for access control’, DNIS, pp.225–237.
Dutta, R., Rouskas, G.N., Baldine, I., Bragg, A. and Stevenson, D. (2007) ‘The SILO architecture for services integration, control, and optimization for the future internet’, IEEE International Conference on Communications, ICC, p.1899.
Feldmann, A. (2007) ‘Internet clean-slate design: What and Why?’, SIGCOMM Comput. Commun. Rev., Vol. 37, No. 3, pp.59–64.
FIPS (1997) Entity Authentication using Public Key Cryptography, FIPS 196, pp.1–52.
FIPS (2006) Minimum Security Requirements for Federal Information and Information Systems, FIPS 200, pp.1–17.
Force, I.A.T. (2010) ‘Internet architecture for innovation’, ACM Trans. Comput. Syst., ec.europa.eu/information_society/activities/foi/.../p3-aiai-2010.pdf, December 2010.
Group, E.F. (2011) Fundamental Limitations of Current Internet and the Path to Future Internet, Draft (Ver: 1.9).
Hafner, M. and Breu, R. (2008) Security Engineering for Service-Oriented Architectures, Springer Publishing Company, Incorporated.
Innella, P. (2008) ‘A brief history of network security and the need for adherence to the software process model’, Information Security, Vol. 10, pp.1–15.
Jonnaganti, V. (2009) An Integrated Security Model for the Management of SOA: Improving the Attractiveness of SOA Environments through a Strong Architectural Integrity.
Kaliski, B. (1998) PKCS #7: Cryptographic Message Syntax Version 1.5, RFC 2315 (Informational).
Kumar, R. (2010) A Service Based Approach for Future Internet Architectures, PhD Thesis.
Leue, S. and Oechslin, P.A. (1996) ‘On parallelizing and optimizing the implementation of communication protocols’, IEEE/ACM Trans. Netw., Vol. 4, No. 1, pp.55–70.
Leune, K. (2007) Access Control and Service Oriented Architectures, PhD Thesis.
Manu, A.P., Rudra, B. and Vyas, O. (2012) ‘Broker’s communication for service oriented network architecture’, International Journal of Future Generation Communication and Networking, Vol. 5, December, pp.77–88.
Martin, D., Völker, L. and Zitterbart, M. (2011) ‘A flexible framework for future internet design, assessment, and operation’, Comput. Netw., Vol. 55, No. 4, pp.910–918.
Menzel, M., Thomas, I. and Meinel, C. (2009) ‘Security requirements specification in service-oriented business process management’, 2012 Seventh International Conference on Availability, Reliability and Security, pp.41–48.
Myllarniemi, V. (2007) Security in Service-Oriented Architectures: Challenges and Solutions, www.soberit.hut.fi/T-86/T-86.5165/2008/SOAsecurity.pdf
Nystrom, M. and Kaliski, B. (2000) PKCS #10: Certification Request Syntax Specification Version 1.7, RFC 2986 (Informational). Updated by RFC 5967.
Paul, S., Pan, J. and Jain, R. (2011) ‘Architectures for the future networks and the next generation internet: a survey’, Computer Communications, Vol. 34, No. 1, pp.2–42.
Ramachandran, J. (2002) Designing Security Architecture Solutions, Wiley, pp.i–xxviii, 1–452.
Ramaratnam, R., Design, S. and Program, M. (2007) An Analysis of Service Oriented Architectures, Massachusetts Institute of Technology, System Design and Management Program.
Reuther, B. and Henrici, D. (2008) ‘A model for service-oriented communication systems’, J. Syst. Archit., Vol. 54, No. 6, pp.594–606.
Rodríguez, A., Fernández-Medina, E. and Piattini, M. (2007) ‘A BPMN extension for the modeling of security requirements in business processes’, IEICE Trans. Inf. Syst., Vol. E90-D, No. 4, pp.745–752.
Rudra, B., Manu, A. and Vyas, O. (2011a) ‘Security and authentication issues in emerging network architectures with special reference to Sonate’, International Conference on Computational Intelligence and Communication Networks, pp.658–662.
Rudra, B., Manu, A. and Vyas, O. (2011b) ‘Service authentication codes (SAC) for emerging network architectures’, International Journal on Recent Trends in Engineering and Technology (IJRTET), Vol. 6, No. 1, pp.6–10.
Shaffer, S.L. and Simon, A.R. (1994) Network Security, Academic Press Professional, Inc.
Touch, J.D. and Pingali, V.K. (2008) ‘The RNA metaprotocol’, ICCCN, pp.157–162.
Touch, J., Wang, Y. and Pingali, V. (2006) A Recursive Network Architecture, Technical Report, ISI Technical Report ISI-TR2006-626.
Vaishnav, C. (2008) ‘Does technology disruption always mean industry disruption?’, Conference of System Dynamics Society, Athens, Greece, pp.1–25.
Wei, K. and Heather, J. (2007) ‘A theorem-proving approach to verification of fair non-repudiation protocols’, Proceedings of the 4th International Conference on Formal Aspects in Security and Trust, FAST’06, Springer-Verlag, Berlin, Heidelberg, pp.202–219.
Wolter, C., Menzel, M. and Meinel, C. (2008) ‘Modelling security goals in business processes’, Modellierung, pp.197–212.
Zhou, J. and Gollmann, D. (1997) ‘An efficient non-repudiation protocol’, Proceedings of the 10th IEEE Workshop on Computer Security Foundations, CSFW ’97, IEEE Computer Society, Washington DC, USA, p.126.

Int. J. Internet Protocol Technology, Vol. X, No. Y, 200x

Exploration of access control mechanisms for service-oriented network architecture

Bhawana Rudra* and O.P. Vyas
Department of Information Technology, Indian Institute of Information Technology, Allahabad – 211 012, India
Email: [email protected]
Email: [email protected]
*Corresponding author

Abstract: The future network is expected to host much more than today’s applications in an efficient manner, but many flaws have been found due to the rigidity of the architecture. Researchers have successfully developed many new flexible internet architectures to solve the infrastructural problems of the current internet. Service-oriented network architecture (SONATE) is one of them; it supports not only short-term demands but also long-term demands as they evolve. It offers various flexible services, which raise many security issues. It is also envisioned that the security aspect needs to be embedded in the architecture, because the major bottleneck in today’s networking architecture is that security provisions are imparted from outside the architecture. The authors discuss the need and importance of developing access controls for the authenticated principals using a technique based on role-based access and mandatory access, suited to the loosely coupled nature of the services.

Keywords: service-oriented network architecture; SONATE; security; authorisation; flexible network; access control; future internet.

Reference to this paper should be made as follows: Rudra, B. and Vyas, O.P. (xxxx) ‘Exploration of access control mechanisms for service-oriented network architecture’, Int. J. Internet Protocol Technology, Vol. X, No. Y, pp.xxx–xxx.

Biographical notes: Bhawana Rudra is an Assistant Professor at Vasavi College of Engineering. She received her PhD from IIIT-Allahabad, India. Her primary research interests are network security in the future internet and its related issues. O.P. Vyas is a Professor at the Indian Institute of Information Technology (IIIT-A), Allahabad, India. He pursued MTech and Doctoral degrees at IIT-Kharagpur, India. He is a DAAD Research Fellow from a German university (University of Kaiserslautern) and worked for the Fraunhofer Institute of Software Engineering, Germany, as a Research Scientist (Systems Analyst), and also for the Center of International Cooperation for Computerization (CICC), Tokyo, Japan, in the area of internet/network technology. His primary research interests are software engineering, computer networks, data mining and the future internet.

1 Introduction

The flaws in the current internet (CI) increase with the increase in the use of the internet. The problems are partly due to changing requirements, which include mobility, high performance, timeliness, scalability, quality of service, ease of management and security, and partly due to its rigid structure, i.e., the one-size-fits-all approach. The concept of layering was introduced to give an abstract view to the designer, but Crowcroft et al. (1992) and Shaffer and Simon (1994) clearly showed that layering is harmful and leads to various attacks in the network. In the 1980s, incidents of security crime on the internet increased; for example, the world saw the real evidence in 1988, when 60,000 systems using the internet were destroyed (Innella, 2008). Not only this, but many other issues also helped in giving rise to the concept of network security. Many security protocols were developed and included in the architecture as a patchwork. Owing to its tightly coupled structure, security mechanisms were inserted into the architecture of TCP/IP as sub-layers that lack a comprehensive approach towards security. The architecture was clogged with too many ‘shim’ sub-layers, and the structure started relying on each and every layer for a process to happen. A thorough understanding of the fundamental principles of networking is essential for understanding and addressing the problems of security (Bellovin, 2004). The expansion of the internet encouraged users to use it for critical applications such as financial applications, industries, power and telephony stations, etc., which raised insecurity problems related to the connectivity, complexity, scalability and interdependability of the system (Bos and Jonsson, 2008; Bellovin et al., 2005; Feldmann, 2007; Martin et al., 2011). The works of Bellovin (1989), Leue and Oechslin (1996), and a draft released by the European Commission Future Internet Architecture Group clearly mention that rigidity can worsen communication performance and lead to security threats. Experts have articulated that these problems are not inherent problems of the protocols; rather, they are an issue of the protocol architecture, caused by an improper vision during the design phase of the architecture (Reuther and Henrici, 2008). The internet architecture of the future should be flexible, accessible, accountable, manageable, scalable, reliable, robust, stable, efficient, simple, cost-effective, secure, etc. For this, a deep understanding of architecture design, the impact on society, implementation and design processes and other crucial issues should be analysed in detail. There is a difference between methodical design at one end and the desire of the community at the other. This difference led to the design and development of a new framework in accordance with the needs of society, as the scientific approach forced the introduction of economic models into the network (Day, 2008; Touch et al., 2006; Vaishnav, 2008). The clean-slate approach was adopted by many research organisations, which concentrated on a specific topic rather than considering all the issues related to the development of a future internet architecture (Paul et al., 2011; Shenker, 1995). Instead, it should be an overall design of the architecture considering all the issues, such as reliability, scalability, flexibility, security and so on. Many network architectures like RBA (Braden et al., 2003), SILO (Dutta et al., 2007), autonomic network architecture (ANA) (Bouabene et al., 2010), RNA (Touch and Pingali, 2008), etc., were designed to solve the infrastructural problems of the CI but could not provide a sustainable solution (Rudra et al., 2011).

Copyright © 20XX Inderscience Enterprises Ltd.

It is observed that applications and services are constantly changing and are not supported by the CI architecture, which made architectural rethinking at the network level necessary in order to accommodate future demands (Kumar, 2010; Blumenthal and Clark, 2001). This promoted the development of a new architecture based on service-oriented architecture (SOA), aimed at meeting next-generation demands (Ramaratnam, 2007). Some organisational projects target a specific topic, while others aim at the development of a holistic architecture with the help of collaboration and coordination among individual projects, providing testbeds like PlanetLab, GENI, FIRE, AKARI, G-Lab, etc. Many research organisations have been set up all over the world, including in the USA, Europe, Japan, China, etc. (Paul et al., 2011). Some of the issues that encourage the innovation of a new internet architecture include the scalability of naming and aggregation, compatibility and co-working with IP, privacy of the services and security (Internet Architecture Task Force, 2010; Martin et al., 2011). One such architecture based on this concept, service-oriented network architecture (SONATE), is drawing considerable attention.

Service-oriented network architecture

Figure 1 (caption not recovered; labels recovered from the image: Users (User1, User2; skilled/unskilled user; service consumer), Service provider, Services S1…S(N), Applications A1…A(N), Requirements, Building blocks, Selection process, Composition process, Agent, Interface, IP, Communication media (wireless, OFC, wired))

SONATE (Reuther and Henrici, 2008; Manu, 2012) uses the paradigm of SOA to overcome some of the issues of the present internet. It supports long-term as well as short-term demands that may evolve in future for various applications. The model allows a shift to P2P, end-to-end, overlay, broadcasting, multicasting, etc., in a distributed environment. The flexibility of the architecture solves the issues related to the architecture but raises many security issues: the services provided by the architecture are flexible and vulnerable to attacks. Service consumer, service broker and service provider (Figure 1) are the key roles in the architecture for the communication and exchange of various services over the network. Services are designed using the concept of loose coupling, avoiding cross-service dependencies. The services are fine-grained protocols (micro-protocols) known as building blocks (BBs). These BBs are loosely coupled and highly cohesive in nature. An application can be composed of a single protocol/BB or of several. Various types of services are obtained with the help of BBs, including services such as encryption, decryption, compression or even TCP/IP itself. The functioning of the model begins with a request from the user/consumer. The broker gathers all the requirements of the user, along with information on the availability of services/BBs, network status, etc., from the point of view of the network. A selection process is performed according to the gathered requirements, and then the service fetched from the provider is delivered to the user. If the requested service/BB is not available, the service is fetched from the network of available nodes and delivered to the user. For this process, it is envisioned that the security aspect must be considered as a chief ingredient at the design stage of the architecture rather than after the development of the architecture (FIPS, 2006). This issue raises the problem of authentication between the principals and of access control for the services of the network. Most experts consider security and privacy as architectural choices; some prefer to address them at the deployment stage, while others ensure them at the early design stage of the architecture, as in SONATE. The communication principal roles involved in SONATE are user, broker and provider, which require security to protect against various threats.
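The broker's selection process just described, and the availability rule from the earlier thesis section (a service made of sub-services is served locally if all of them are in the local repository, otherwise the broker turns requester and asks a peer broker, which only hands over a BB to a requester whose identity it accepts), as an added example that is not SONATE's broker code. The service catalogue, repositories, peer list and the identity-acceptance set are constructed for illustration; in the paper the identity proof would be the authentication exchange rather than a name lookup.

```python
"""Added example (not SONATE's own code): a broker resolving a requested
service into its BBs from the local repository or from peer brokers.
Service names, repositories and the trusted-identity set are constructed."""
from typing import Dict, List, Optional, Set


class Broker:
    def __init__(self, name: str, repo: Dict[str, bytes], trusted: Set[str]):
        self.name = name
        self.repo = repo                 # local repository: BB name -> BB payload
        self.trusted = trusted           # requester identities this broker accepts
        self.peers: List["Broker"] = []  # other brokers reachable in the network

    def serve(self, requester: str, bb: str) -> Optional[bytes]:
        """Provider side: a BB is handed over only to a requester whose identity is accepted."""
        if requester not in self.trusted:
            return None                  # identity not proven: refuse
        return self.repo.get(bb)

    def compose(self, catalogue: Dict[str, List[str]], service: str) -> Optional[Dict[str, str]]:
        """Consumer side: the selection process. Returns where each sub-service
        came from ('local' or a peer name), or None if the service is unavailable."""
        sources: Dict[str, str] = {}
        for bb in catalogue[service]:
            if bb in self.repo:
                sources[bb] = "local"
                continue
            for peer in self.peers:                  # broker acting as requester
                payload = peer.serve(self.name, bb)
                if payload is not None:
                    self.repo[bb] = payload          # keep the fetched BB for later requests
                    sources[bb] = peer.name
                    break
            else:
                return None                          # no provider anywhere: request fails
        return sources


def demo() -> dict:
    """Constructed scenario: S(N) = {s1, s2, s3}; s3 lives only at broker_b."""
    catalogue = {"S": ["s1", "s2", "s3"], "T": ["s1", "s4"], "U": ["s3"]}
    broker_a = Broker("broker_a", {"s1": b"bb1", "s2": b"bb2"}, trusted=set())
    broker_b = Broker("broker_b", {"s3": b"bb3"}, trusted={"broker_a"})
    broker_c = Broker("broker_c", {}, trusted=set())     # not accepted by broker_b
    broker_a.peers = [broker_b]
    broker_c.peers = [broker_b]
    return {
        "S_from_a": broker_a.compose(catalogue, "S"),    # s3 fetched from broker_b
        "T_from_a": broker_a.compose(catalogue, "T"),    # s4 exists nowhere -> None
        "U_from_c": broker_c.compose(catalogue, "U"),    # broker_b refuses broker_c -> None
        "U_from_a": broker_a.compose(catalogue, "U"),    # s3 now cached locally
    }
```

The `for ... else` makes the failure case explicit: the request is refused as a whole when any sub-service cannot be obtained, which is the availability condition the text states for S(N).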

2 SONATE – security issues

Many architectures were developed to overcome the infrastructural issues of the internet, like RBA (Braden et al., 2003), SILO (Dutta et al., 2007), ANA (Bouabene et al., 2010), RNA (Touch and Pingali, 2008), etc., while some organisations focused on overcoming the security threats that may evolve in the newly developed and developing architectures. Some of the European projects which are working on the security issues related to the present and future internet are:

• Managing assurance, security and trust for services (MASTEr): an integrated project with the objective of assuring security and trust levels in business scenarios like centralised, distributed and outsourcing, through regulatory compliance of dynamic SOA.

• PRIMELIFE: this integrated project aims at sustainable control and management of privacy and identity of users' personal data in future networks and services.

• Trusted architecture for securely shared services (TAS3): an integrated project whose objective is to develop a generic architecture for trusted services in the healthcare and employability platform.

• Trusted embedded computing (TEC): providing trusted computing standards for embedded computing platforms is the main objective of this integrated project.

• AVANTSSAR: the aim of this specific targeted research project is to develop and implement a new language for specifying trust and security properties of services and their dynamic composition, with algorithms and tools to validate those using SOA.

• Ad hoc personal area network and wireless sensor secure network (AWiSSeNet): this specific targeted research project aims to implement and validate a secure, trusted and scalable networking protocol stack, from self-configuration to secure roaming over multiple domains such as heterogeneous ad hoc PANs.

• Infrastructure for heterogeneous, resilient, secure, complex, tightly inter-operating networks (InTeRSeCTION): this specific targeted research project aims at enhancing heterogeneous network and infrastructure security by focusing on vulnerabilities at the intersection points of different interoperating network providers.

• Privacy and identity management for community services (PICoS): a specific targeted research project that aims to develop, build and manage a state-of-the-art platform for providing privacy, identity and trust in application and community services on mobile communication and internetworks.

• Privacy-aware secure monitoring (PriSM): this specific targeted research project aims at setting a new guaranteed de-facto standard for traffic monitoring and delivering tools for legal compliance.

• Secure widespread identities for federated telecommunications (SWIFT): a specific targeted research project that aims to integrate transport infrastructures and services for the benefit of providers and users by developing a standards-aligned model.

• Worldwide observatory of malicious behaviours and attack threats (WOMBAT): this specific targeted research project aims to provide new means of understanding emerging threats targeted at the internet economy and citizens.

• eCRYPT II: a network of excellence coordination and action project on cryptology, continued as eCRYPT-II.

• FORWARD: a network of excellence coordination and action project that aims at the partnership and promotion of collaboration among researchers from industry and academia involved in the protection of infrastructures against threats such as spam, phishing, viruses, spyware, etc.

• THINKTRUST: a network of excellence coordination action project that deals with trust, security and dependability issues under the ICT Security Research Action Board, bringing together the requirements and opinions of stakeholders.

After a detailed study of the available work, it has been found that incorporating security in SONATE at the design stage is significant to avoid vulnerabilities, as the new architecture is developed on the concepts of loose coupling and flexibility so that it can be sustained in future. It has been observed that flexibility is excellent for the deployment of services but raises many security challenges. To solve some of these challenges, the security concepts must be considered at the early design stage of the architecture. The reuse of existing protocols is due to their availability, reliability and cost effectiveness, as well as the long-running live existence of these modules (Asokan et al., 2002). The basic security problems that arise at any stage of SONATE, namely the security of the service BBs, which are flexible in nature and vulnerable to attacks, the security of information sent via a network, and the principals' authentication and access control permissions, are found to be the important issues by which a number of attacks can be avoided.

The security aspects to be considered for the various entities of SONATE for secure communication over the network are as follows. Authentication is required to authenticate the principals of the architecture, i.e., users, brokers and providers. Access control governs the permissions of users and brokers over the services; these permissions vary from entity to entity, e.g., a broker has read permission but no write permission. Confidentiality of the services is required to ensure that the services are protected from unintended/unauthorised entities; it also assures the entities that whatever service is sent and received is correct, and it is ensured using encryption and decryption algorithms. As the brokers communicate not only with the providers of the system but also with the brokers of the network to fetch services, congestion or some type of DoS attack may result. Since there is a possibility of a DoS attack at the broker's end, some technique needs to be developed to avoid DoS attacks over the network. The provider entity needs to ensure the integrity of the services and the availability of the services to fulfil the demands of the consumer (Figure 2). Discussing all these issues is out of the scope of this paper; access control for the authenticated principals/entities is discussed in detail.

Figure 2 Secured SONATE

Authentication protocols based on PKI are developed using the concept of SOA, and these are included in the architecture of SONATE. Before access permissions are granted to the entities, the system verifies the authentication of the entities/principals with the help of PKI certificates, and access is then granted according to the access permissions allotted to the entities. One-way authentication is performed between user and broker, and mutual authentication is performed between the brokers of the network. The access grants are allocated according to the role the entities play in the network.

3 Access control mechanism for SONATE

Access control is more than requiring authentication when the principals want to access the resources/applications/services of the available system or from the network. Access is the ability of a principal to perform some action like read, write, execute, update, delete, modify, etc. Access control mechanisms are important to control the access of the users to the services. The information flow between the principal and the services when they interact with each other follows three steps (Samarati and Vimercati, 2001):

a Identification: the principal's activity of supplying information to identify itself, which is the input to the authentication service. Identifiers of the principals are, e.g., user ID, IP address, etc.

b Authentication: verifying the identity of the principal, based on passwords, tokens, cryptographic keys and so on. Let 'S' be the set of principals and 's′' the set of authenticated principals; this solves the problem of allocating services to unauthenticated principals, as s′ is a subset of S, i.e., s′ ⊆ S.

c Authorisation: determining what the identified principal can actually access and the operations it can carry out, enforced through access control lists (ACLs) and security labels based on predefined criteria.

The access control mechanism must be enforced and maintained throughout the session. In other words, authentication permits the principals access to a system by validating or verifying their identity, and authorisation specifies which applications the principals can access and which operations they can perform. These are developed to enforce the rules of a security policy and to dictate how the principals can access the applications. There are several models available (Leune, 2007) for the development of access control. The policies are suitable for various applications and can be used in various implementations due to their flexibility. Access controls are assigned to the principals based on the roles they play in the network. The basic access modes (am), read, write and execute, are stored in the repository of the service broker in the form of a matrix called the access matrix, where each application is associated with a list of the actions that can be performed by the principal. Entities with write (w) permission can alter and update the existing service BBs, sometimes delete resources from the pool, and even alter the access rights of the principals in the network. Execute (x) permission allows the principals to execute the services allotted to them. The access matrix is given by m_ij, where 'm' is the matrix, i is the ith principal and j is the jth application; it specifies the permission level that must be granted to the principals with respect to the protected resource. The principals 'S' range over S = s_1 ··· s_i ··· s_n, i.e., an unlimited number of principals in the network. The provider principals s_p in the set are identified by s_p = s − s′. The permission read (r) is assigned to brokers and normal users as well as to the users who can read and view the contents along with their properties for the acceptance or rejection of the resources. The meaning of an access attribute is not constrained at all; rather each access mode is analysed and paired with the access principal that matches the privilege (Table 1).

Table 1 Principals with their permissions

Principals                  Permissions
Technical user              Read, write, execute
Non-technical/normal user   Read and execute but no write permission
Brokers                     Read only, no write, no execute
Providers                   Read, write, execute

The permissions are accessed by the principals based on the group they belong to, such as owner, group and public. The services are fetched from the providers of the network via brokers who communicate and interact with the others of the network. The owner access rights like read, write and execute can be transferred to other principals of the network. The principals who work with the same permissions in the network fall under one group; technical user group permissions differ from those of the normal user group. The non-technical/normal users are categorised as public, who access the internet for the utilisation of the resources.

Each service is associated with a security label that includes the classification of the service based on its information. The hierarchy of the security levels of the services was discussed in Rudra et al. (2011), and the same hierarchy is used for providing services to the principals. The hierarchy consists of micro, medium and macro security levels, where each security level dominates itself and all others below it. Access to these services is permitted if there exists a relationship between the security levels associated with the principals and the applications. This can be represented as 'Z' where Z = z_1, ···, z_p. Likewise, the classification of the applications on the basis of security levels is denoted by 'q' where q = q_1, ···, q_n, and 'e' denotes the grant categories allotted for the principals, ranging over e = e_1, ···, e_r. The relation between Z and q and the access grants 'e' is given by z_i = (q_i, e_i) where e_i ∈ e and q_i ∈ q. The security levels are regulated based on the roles and the activities the principals perform in the system, and are assigned to the authenticated principals. For example, the security level of a bank manager is higher than the access permissions of a clerk; therefore a micro-level security is assigned to the manager for accessing the confidential files, whereas minimal security permissions are provided for the clerk.

A principal's role reflects the operations performed by the principal on an application in the proposed framework. To obtain access permissions, the principal must be authenticated and must belong to a group, and the security level of the principal is verified against the security levels of the applications. After this verification, the services are allotted to the user, else a negative acknowledgement is sent to the principal.

4 Access control operations for secure SONATE

The permissions are granted based on the roles the principals play in the network. The permissions of each application are interlinked with different principals of the system. The primitives of the provider are derived from high-level user (technical user) specifications. The access rules of the model are translated into separate functions, one for each of read, write and execute. An application is made up of protocols 'P', and the access mode functions are given as PF1, PF2 and so on. The ACL consists of 9 bits: the first 3 bits are allocated to the access mode privileges, the next 3 bits to the group the application/protocol/file belongs to, and the last 3 bits to other users in the network. The advantage of using bits is that ACLs can be represented as small vectors. Appropriate protocols are used by applications during their operation, and only one medium is used for communication at any time. The system is considered to follow these properties:

• all nodes are homogeneous and deployed with appropriate software

• any node may act as service consumer

• the service provider tries to satisfy the request if the allotted service permissions belong to the same user

• the service consumer requests the service provider through a propagation channel on a hop basis

• an ideal communication link is established.

The passive entities of SONATE are called applications, denoted by 'A'; the applications supported by SONATE are given by

$A \in \{a_1, a_2, \ldots, a_x\}$  (1)

The different pieces of information carried by applications are broadly classified into two categories, mandatory information (M) and additional information (K), which together are represented as a service, i.e., S = {M + K}. In general an application can be expressed as

$A = \sum_{i=1}^{n} M_i + \sum_{j=0}^{m} K_j$  (2)

where the mandatory information is given by

$M \in \{m_1, m_2, \ldots, m_n\}$  (3)

and the additional/optional information by

$K \in \{k_1, k_2, \ldots, k_m\}$  (4)

In the case of j = 0 the application interaction is similar to that of a current application, where the user has minimal facility of interaction; in the case of j = 1 the application is coarse-tuned, and as the value of j increases the application is better tuned. The application uses different protocols for communication, and many applications can work with different protocols. These applications are sets of BBs which contain mandatory services that require security access permissions; these are granted using access privileges 'ap' and policies which include user identification, key-exchange certificate, digital signature, X.509 certificates, etc. for the requested services/applications. There is no restriction on the number of entities, active or passive, that may be added to the system. When an entity role is treated as active, that entity can be constrained by the treatment of the principals in the system. The applications, which are sets of BBs, are represented by

$BB \in \{BB_1, BB_2, \ldots, BB_n\}$  (5)

and protocols P ⊂ BBs, protocol graph pg ⊂ BBs. Let 'P' be the total number of protocols available, given by

$P \in \{p_1, p_2, \ldots, p_z\}$  (6)

To satisfy the user request a with the application, a protocol graph is formed, which is a set of BBs with $p_{a_i} > p_{a_{i+1}}$ and $a_k = BB/P$, where BB/P can be 802.x, TCP, IP, .... To perform secure communication, security services are required, which are the set of BBs

$BB_f = \{B_{f1}, \ldots, B_{fs}, \ldots, B_{fm}\}$  (7)

A protocol graph is nothing but a service which consists of BBs. If a protocol graph follows the abc format then it is presented as (P_a ∪ P_b ∪ P_c). This graph contains a root BB, a left BB and a right BB, represented as {a_l ∪ b_ri ∪ c_r ···} where 'l' = left, 'ri' = right and 'r' = root. A service can be written as

$S = \sum_{i=1}^{n} a_{lr} + \sum_{i=1}^{n} b_{lr} + \sum_{i=1}^{n} c_{lr} \cup \sum_{i=1}^{n} a_{rir} + \sum_{i=1}^{n} b_{rir} + \sum_{i=1}^{n} c_{rir} \cup \sigma_{i=1}^{n} d_r$  (8)

where d is the root node and a_lr = left root of 'a', similarly for 'b' and 'c'. The ACL identifies the individual users or groups of users who may access the file. Because all the access control information is stored in the repository and is clearly associated with the file, identifying who can access a file, and adding or deleting names, can be performed very efficiently. An ordered set of protocols used for an application a_k is given by

$p_k = \{p_{a_1}, p_{a_2}, \ldots, p_{a_l}\}$  (9)

where $p_{a_i} > p_{a_{i+1}}$ and $a_k = \{p_k \mid p_k \subset P\}$, i.e., TCP, IP, Ethernet, 802.x, etc. are the sequence of protocols used for its functionality. Similarly, 'p_f' is the set of protocols supported for an application 'a_f' to function properly, i.e.,

$a_f = \{p_f \mid p_f \subset P\}$  (10)

and $P \supset p_f$ and $p_k$. The universal protocol set 'P' consists of all protocols and can be written as

$P = \{P_1 \cup \ldots \cup P_{TCP} \cup P_{IP} \cup \ldots \cup P_n\}$  (11)

where all protocols are ordered subsets. If $p_i$ follows the 'xyz' protocol format then it is written as $p_i = \{P_{xyz}\}$; similarly any other protocol can be represented in this way, e.g., $p_k = \{P_{TCP} \cup P_{IP}\}$ means the TCP/IP protocol suite. For satisfying the various access permissions the system must satisfy some rules and conditions. Let us take a variable 'c', $c = (S, A, am)$, which is a secure state where $am \in \{r, w, x\}$, $S \in s'$ and $c^\ast = (C \cup (S, A, am))$, and the security functions which describe the application's current security level, the maximum security level of the principals in the network and the current level of the principals, given by 'F' with

$F = (F_S, F_A, F_q)$ if and only if $F_S > F_q$; $F \le z_S \ast z_A$  (12)

4.1 Conditions

Condition 1: Suppose W = (c, m, F, P) is an authenticated state which contains the variable c, the application/protocol matrix m, the security function F and the protocol/application P, with (S, A, am) ∉ c, c* = c ∪ (S, A, am) and W* = (c*, m, F, P). Then W* is also an authenticated state if

a (am = x or am = r + w), or

b (am = r or am = w) and $F_S(S) > F_A(P)$.

Then A ∈ c*(S: r, w) ⇒ $F_S(S) > F_A(P)$ by definition. If W is authenticated then so is W*. Therefore, 1 and 2 hold good.

Condition 2: Let W = (c, m, F, P) be a state that satisfies authentication, containing m as the matrix of a protocol which has the permissions, F as the security function and the application/protocol P, and applying some security level to the application and the principal/entity, i.e., S ⊂ s′, s′ ∈ S, (S, A, am) ∉ c, c* = c ∪ (S, A, am) and W* = (c*, m, F, P). If W* satisfies any one of the security levels then

a if am = r + w then $F_A(P) > F_q(S)$,

b if am = w then $F_q(S) = F_A(S)$, or

c if am = r then $F_q(S) > F_A(P)$.

If W* satisfies the security level applied to S, A and (S, A, am) then it yields conditions 1, 2 and 3.

Condition 3: Suppose W = (c, m, F, P) satisfies a security level, (S, A, am) ∉ c but c* = c ∪ (S, A, am) and W* = (c*, m, F, P); then W* fulfils the security level if am ∈ m_ij.

Inference: If W = (c, m, F, P) is a secure state and (s_i, a_i, am) ∉ c, c* = (c ∪ (s_i, a_i, am)) and W* = (c*, m, F, P), then W* is a secure state if and only if 1. s_i ∈ s_p and Conditions 1 and 3 are met, or 2. s_i ∈ s′ and Conditions 1, 2 and 3 are met.

There are five rules to be followed by the SONATE system to allow access to the services by the user (Bell and La Padula, 1976):

• If the permission requested by the user is read then fetch the file from the provider.

• The provider searches for the file in its repository; if the file exists and matches the requirements then it is delivered to the broker, else the description of the file is parsed to identify the available self-composition alternatives.

• The service or the BB should at least satisfy the mandatory security properties, i.e., the security level of the service must be lower than the security level of the user.

• After obtaining all the possible alternatives along with the optional properties, the best service is selected with 'read' permission and delivered to the user.

• If the user tries to perform a 'write' operation on the obtained service, the system displays the message 'file exists with read only permission' to the user.

4.1.1 Function (PF1): read

A request by the principal to get permission for reading an application. The request contains (get access, user_id, Protocol_id, access mode(r)), i.e., Re = (g, s_i, p_i, r) ∈ R(1).

1 The request is received by the broker principal from another principal, which checks in its repository whether the request satisfies rule 1.

2 If rule 1 is satisfied then the principal's authentication is checked; if not authenticated then the security level of the principal must dominate the security level of the application.

If 1 and 2 are satisfied then the request is forwarded, else a negative response is sent to the principal via the other principal, i.e., user/broker, and this can be given as

$PF1(Re, W) = (yes,\ c \cup (s_i, p_i, r),\ m, F, P)$ if value

$value = [Re \in PF1] \wedge [r \in m_{ij}] \wedge [F_S(s_i) > F_A(p_i)] \wedge [s_i \in s'] \vee [F_q(s_i) > F_A(p_i)]$

Proof: Suppose W is a secure state that satisfies the authentication of the principal and the security level of the application, and Re ∈ PF1. PF1(Re, W) = (D, W*) where D is the decision yes or no with

1 W* = W

2 W* = (c ∪ (s_i, p_i, r), m, F, P)

W* is a secure state as is W from 1, and if (s_i, p_i, r) ∈ c then W = W* as above. If (s_i, p_i, r) ∉ c then according to PF1 F_S(s_i) > F_A(p_i), so W* satisfies the secure state from Condition 1; if s_i ∈ s′ then F_q(s_i) > F_A(p_i), so W* satisfies the security relation from Condition 2; and r ∈ m_ij, so W* satisfies the third condition. Therefore, from the inference we can say that PF1 maintains a secure state.

As an experiment, a file with 'read' operations is sent to the authorised user. After receiving the file, if the user tries to perform write operations with read-only permissions then the access is denied. Thus, the file is secured by restricting the user from performing changes.

• The first step is to fetch the requirements of the service from the user.

• Check for authentication, and identify the service requirements of the entity of the system.

• If the entity is identified as authenticated, check for the requested service in the repository along with the access permissions of the user.

4.1.2 Function (PF2): write

A request sent to get write permission for an application. The request contains (get access, user_id, Protocol_id, access mode(w)), i.e., Re = (g, s_i, p_i, w) ∈ R(1).

1 The request is received by the broker principal from another principal, which checks in its repository whether the request satisfies rule 1.

2 If rule 1 is satisfied then the principal's authentication is checked; if not authenticated then the security level of the protocol, i.e., F_q(p_i), must be dominated by the security level of the application F_S(s_i). The principal must play a technical role to get permission for writing an application.

If 1 and 2 are satisfied then the request is forwarded to the provider and the application is granted to the principal in write mode via the broker, else a negative response is sent to the principal:

$PF2(Re, W) = (yes,\ c \cup (s_i, p_i, w),\ m, F, P)$ if value

$value = [Re \in PF2] \wedge [w \in m_{ij}] \wedge [F_S(s_i) > F_A(p_i)] \wedge [s_i \in s'] \vee [F_q(s_i) = F_A(p_i)]$

Proof: Suppose W is a secure state that satisfies the authentication of the principal and the security level of the application, and Re ∈ PF2. If (s_i, p_i, w) ∉ c and W* = (c ∪ (s_i, p_i, w), m, F, P) then according to PF2 F_S(s_i) > F_A(p_i), so W* satisfies the secure state from Condition 1; if s_i ∈ s′ then F_q(s_i) = F_A(p_i), so W* satisfies the security relation from Condition 2; and w ∈ m_ij, so W* satisfies Condition 3. Therefore, from the inference we can say that PF2 maintains a secure state.

A file transfer with 'write' permission allows the user to perform changes to the services. The technical user with write permissions can develop a new service/BB, can modify the existing applications and can delete applications. An algorithm with write permission for an application (Algorithm 1) and a sample access code are shown (Figure 3).

Figure 3 Sample code for access control mechanism (see online version for colours)
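The decision functions PF1 (read), PF2 (write) and PF3 (execute) of section 4.1, together with the access matrix m_ij and the Table 1 roles of section 3 and the 9-bit ACL of section 4, as an added example written for this page; it is not the paper's own Figure 3 code. It assumes numeric ranks for micro/medium/macro, takes the first 3 ACL bits as the owner's, reads the paper's '>' on levels as 'dominates' (section 3: each level dominates itself and all below it), applies Condition 2 only to principals in s′ as the inference states, and uses its own names (Principal, Application, State, matrix_entry, decide); the sample pool and principals are constructed.

```python
"""PF1/PF2/PF3 access decisions over the state W = (c, m, F, P).

Added example, not code from the paper or the SONATE project. The names
below are this example's own; sample data at the bottom is constructed.
"""
from dataclasses import dataclass

# Section 3 levels: micro is the highest (assigned to the bank manager).
LEVEL = {"macro": 1, "medium": 2, "micro": 3}


def dominates(a, b):
    """A level dominates itself and every level below it (section 3)."""
    return LEVEL[a] >= LEVEL[b]


# Table 1: the access modes each role may hold at all.
ROLE_MODES = {
    "technical": {"r", "w", "x"},
    "normal": {"r", "x"},
    "broker": {"r"},
    "provider": {"r", "w", "x"},
}


@dataclass(frozen=True)
class Principal:
    sid: str
    role: str
    in_s_prime: bool          # authenticated principal (s'); providers form s_p
    max_level: str            # F_S(s): maximum security level
    cur_level: str            # F_q(s): current security level
    groups: frozenset = frozenset()


@dataclass(frozen=True)
class Application:
    pid: str
    owner: str
    group: str
    level: str                # F_A(p): security level of the application
    acl: int                  # 9-bit vector rwxrwxrwx: owner, group, other


@dataclass(frozen=True)
class State:
    """W = (c, m, F, P): c holds granted (s, p, am) triples, P the app pool."""
    c: frozenset = frozenset()
    P: frozenset = frozenset()


def matrix_entry(s, p):
    """m_ij: modes the 9-bit ACL grants principal s on p, bounded by role."""
    if s.sid == p.owner:
        bits = (p.acl >> 6) & 0b111
    elif p.group in s.groups:
        bits = (p.acl >> 3) & 0b111
    else:
        bits = p.acl & 0b111  # 'public': normal users with no group link
    granted = {m for m, bit in (("r", 4), ("w", 2), ("x", 1)) if bits & bit}
    return granted & ROLE_MODES[s.role]


def decide(W, s, p, am):
    """Return (decision, W*) for Re = (g, s, p, am) with am in {r, w, x}."""
    if p.pid not in W.P or am not in ("r", "w", "x"):
        return "no", W
    if am not in matrix_entry(s, p):                # Condition 3: am in m_ij
        return "no", W
    if am in ("r", "w"):
        if not dominates(s.max_level, p.level):     # Condition 1: F_S(s) > F_A(p)
            return "no", W
        if s.in_s_prime:                            # Condition 2 only for s in s'
            if am == "r" and not dominates(s.cur_level, p.level):
                return "no", W                      # read needs F_q(s) > F_A(p)
            if am == "w" and s.cur_level != p.level:
                return "no", W                      # write needs F_q(s) = F_A(p)
    # PF3 needs only x in m_ij; all three functions extend c by the triple.
    return "yes", State(c=W.c | {(s.sid, p.pid, am)}, P=W.P)


# Constructed sample pool: one BB owned by provider "prov1", group "dev",
# ACL 0o764 = owner rwx, group rw-, other r--, classified "medium".
BB_TLS = Application("bb_tls", "prov1", "dev", "medium", 0o764)
W0 = State(P=frozenset({BB_TLS.pid}))

ALICE = Principal("alice", "technical", True, "micro", "medium", frozenset({"dev"}))
BOB = Principal("bob", "normal", True, "medium", "macro")      # current level too low
CAROL = Principal("carol", "broker", True, "micro", "micro")   # brokers read only
PROV1 = Principal("prov1", "provider", False, "micro", "macro")  # in s_p, owner

if __name__ == "__main__":
    for who, mode in ((ALICE, "r"), (ALICE, "w"), (ALICE, "x"),
                      (BOB, "r"), (CAROL, "w"), (PROV1, "w")):
        print(who.sid, mode, decide(W0, who, BB_TLS, mode)[0])
```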

4.1.3 Function (PF3): get execute A request sent to get execute permission for an application. The request contains (get access, user_id, Protocol_id, access mode(x)), i.e., Re = (g, si, pi, x) ∈ R(1). This function is useful for the execution process which consists of many number of steps. It is a procedure for the execution of an application. The request is received by the broker principal and checks in its repository for the request to satisfy the rule 1 and if temporary pointer points to the application with access mode ‘x’ then the permission are granted for the requested application via broker else a negative response is sent to the principal via other principal.

PF 3 ( Re , W ) =

{( yes, c ∪ ( s , p , x ) , m, F , P ) if value i

i

value = [ Re ∈ PF 3] ∧ [ x ∈ mij ]

Algorithm 1

Permission to perform write operation

1.

Send Request as Write

2.

Check authentication, permission

3.

If Permission = no

4.

Return not permitted

5.

Else

6. 7. 8. 9. 10.

Check If Write = Create type matches Generate ProtocolProtocol_id, security level

Exists then Delete the Application

16.

Else not permitted If Write = change Security Level type For Services Allow reclassification if (currentsecurityleveloftheentity < thesecurityleveloftheservice) then

17.

Permit to change

18.

For Principals/Entities

19. 20. 21.

1

The requested protocol is allotted to other brokers in the network for the usage of an application and these are not the original owners of the application but act as owner for a particular session of time. The write permission is allowed for the original owner.

2

The protocol_id is the root application of the provider or is inferior to the root and if requesting a principal is allowed to cancel the access permissions for an application in the current state, i.e., transferring the ownership of the BB from one system to other system.

CheckApplication And Delete the Security Level Application

15.

The request contains (cancel access, request_Id, receiving_id, protocol_id, access mode), i.e., FP4: Re = (sh, r, si, pi, am) ∈ R(2), am ∈ (r, w, x, a):

Else not permitted

12. 14.

4.1.4 Function (PF4): cancel the access permissions (am)

If Write = Delete type matches

11. 13.

Proof: suppose W is a secure state and Re ∈ PF3 Let W∗ = (c ∪ (si, pi, x), m, F, P) and (si), pi, x) ∉ c then W* satisfies authentication by Condition 1 and W* satisfies s’ by Condition 2 and x ∈ mij according to PF3, W* satisfies Condition 3 therefore from inference we say that PF3 maintains a secure state. The technical users with ‘execute’ permissions can run the application/service to verify the output of the providing service. Consumers with technical knowledge will have the execute permissions to access the Provider to modify and execute the services/applications and save them in the provider pool.

Allow if (currentsecurityleveloftheentity > thesecurityleveloftheservice) then Permit to change Else not permitted

The transferred permission for an application expires with the principal, the access mode of that particular protocol is made off and it is removed from the ACL of the broker and if no other modes are left for that application/protocol then it will be removed from the provider’s pool.

{

PF 4 ( Re , W ) ( yes, c − ( si , pi , am ) , m | mij − am, F , P ) if value

value = [ Re ∈ PF 4] ∧ [ pi ≠ p j ] ∧ ⎡⎣ As ( j ) ∈ c ( sh : w ) ⎤⎦ ∨ [ pi = p j ] ∧ ⎣⎡ rescind ( sh , p j , W ) ⎦⎤

Exploration of access control mechanisms for service-oriented network architecture Proof: Let W be a secure state and W* = W or W* = (c – (si, pi, am), m | mij – am, F, P): Suppose c∗ ⊇ c, m∗ij ⊇ mij and F∗ = F for all i, j: If (S, A, am) ∈ c∗ with am = rorw =⇒ (S, A, am) ∈ c then FP4 is authenticated and considers some security level for application. Therefore, W* is a secure state and FP4 can rescind an application from the pool along with the access permissions, i.e., (r, w, x) ∈ am.

4.1.7 Function (PF7): change security level of an application Re = (r, si, pi, zu) ∈ R(3) principal si request that the security level of an application pi be changed (reclassification) to zu condition to be considered are sh ∈ s ′, and [(sh, pi, a) ∈ c ⇒ Fq(sh) < zu] ∧ [(sh, pi, w) ∈ c ⇒ Fq(sh) = zu] ∧ [(sh, pi, r) ∈ c ⇒ Fq(sh) > zu] then

4.1.5 Function (PF5): development of an application For the development of new an application, a request is sent by authenticated principal whose access permission is in write mode is allowed for the generation of an application. A Protocol_id and the security level are allotted for the new application. It can be represented as (generate leaf protocol, principal_id, protocol_id, security level). i.e., PF5: Re = (g, si, pi, zk) ∈ R(3). The request is forwarded to the broker. The broker checks in its repository for the registration details of the request, if exists and 1

If the security level of the principal dominates the security level of the application then the new application id is stored with the broker and the application is stored in the provider pool. If it is not performed then the user receives a negative acknowledgement. ⎧( yes, c, m, F | FA ← FA ∪ ( Anew( p ) , zk ) , ⎪⎪ PF 5 ( Re , W ) = ⎨ ⎪ ⎪⎩ P ∩ ( pi , Anew( p ) ) ) if value

$$\text{value} = [R_e \in PF5] \wedge [p_i \in c(s_i : w, a)]$$

Proof: Let W be a secure state; from the above, c* = c and m* = m. If $(s_h, A_{new}(P), a_m) \notin c$ for any $s_h \in S$ and $a_m \in \{r, w, x, a\}$, then W* is a secure state. Therefore, PF5 preserves a secure state.

4.1.6 Function (PF6): deletion of an application

$$PF6: R_e = (s_i, p_i) \in R \qquad (4)$$

This deletes the protocol $p_i$ and all the inferior protocols related to the application from the protocol graph:

$$PF6(R_e, W) = \big(\text{yes},\; c - a_m(p_i),\; m \mid m_{uv} \leftarrow \phi;\; z \le u \le n,\; p_v \in \text{inferior}(p_i, F, P - \text{sibtree}(p_i))\big) \text{ if value}$$

$$\text{value} = [R_e \in PF6] \wedge [p_i \ne p_k] \wedge [p_{s(i)} \in c(s_i : w)]$$

Proof: W is a secure state, and if $(s_i, p_{i'}, a_m) \in c^*$ then $a_m \in m_{ii'}$, so W* is a secure state; the deletion of an application and its protocols therefore takes place in a secure state.

4.1.7 Function (PF7): change the security level of an application

$$PF7(R_w, W) = \big(\text{yes},\; c,\; m,\; F \mid F_A(p_i) \leftarrow z_u,\; P\big) \text{ if value}$$

$$\text{value} = [R_w \in PF7] \wedge \big[s_i \in s_p \wedge F_q(s_i) > F_A(p_i) \;\vee\; F_q(s_i) > z_u > F_A(p_i)\big] \wedge \big[\forall s \in S: (p_i \in c(s : r, w)) \Rightarrow F_S(s) > z_u\big] \wedge [\text{the above condition}] \wedge [\text{compact}(W, p_i, z_u)] \wedge [\text{change}(W, p_i, z_u)]$$

Proof: If $F^* \ne F$ then $F^* = F \mid F_A(p_i) \leftarrow z_u$, and if the condition is true then W* is a secure state just as W is. Therefore, the security level of an application can be changed.

4.1.8 Function (PF8): change the current security level of a principal

$$PF8: R_e = (s_i, z_v) \in R \qquad (5)$$

If the principal holds the write permission and requests a change of its current security level, the level is changed if and only if the following conditions hold for every application $p_i$ it currently accesses:

$$[p_i \in c(s_i : a) \Rightarrow F_A(p_i) > z_v] \wedge [p_i \in c(s_i : w) \Rightarrow F_A(p_i) = z_v] \wedge [p_i \in c(s_i : r) \Rightarrow F_A(p_i) < z_v]$$

$$PF8(R_e, W) = \big(\text{yes},\; c,\; m,\; F \mid F_q(s_i) \leftarrow z_v,\; P\big) \text{ if value}$$

$$\text{value} = [R_e \in PF8] \wedge [F_S(s_i) > z_v] \wedge [s_i \in s_p \vee \text{the above conditions}]$$

Proof: If $F^* \ne F$ then $F^* = F \mid F_q(s_i) \leftarrow z_v$, and since the condition above is true the principal is permitted to change its current security level.

For the function PF11 only its condition is given:

$$\text{value} = [R_e \in PF11] \wedge [z_k > F_A(p_i)]$$

5 Convergence of services

If

$$E\big[(X - A)^2\big] = 0 \qquad (13)$$

then X = A with probability 1, i.e., X converges to A with probability 1. The user wants the application A carried out to a tolerance limit ε (i.e., with the liberty of not satisfying some request of $\sum_{j=1}^{m} K_j$). Let $\sigma_x^2$ be the variability of a measurement. By the Chebyshev inequality,

$$P\{|X - A| \le \varepsilon\} \ge 1 - \frac{\sigma_x^2}{\varepsilon^2} \qquad (14)$$

B. Rudra and O.P. Vyas


If $\sigma_x$ is very much smaller than ε, then the observed variable X lies between (A − ε) and (A + ε) almost certainly, and one measurement of X is sufficient. However, if $\sigma_x$ is not sufficiently small compared with ε, a single measurement will not be accurate enough. To improve the accuracy of the estimate of A, n measurements are taken, corresponding to n random variables $\{X_i, i = 1, \ldots, n\}$ with mean A and noise random variables $W_i$:

$$X_i = A + W_i, \qquad i = 1, \ldots, n \qquad (15)$$

The average of the n random variables is

$$\hat{X} = \frac{X_1 + X_2 + \cdots + X_n}{n} \qquad (16)$$

where the mean of $\hat{X}$ is A and, for independent measurements of equal variance, its variance is $\sigma_x^2 / n$; the corresponding Chebyshev inequality is

$$P\{|\hat{X} - A| < \varepsilon\} \ge 1 - \frac{\sigma_x^2}{n\varepsilon^2} \qquad (17)$$
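A worked example of the averaging argument in equations (14)–(17), added here and not part of the paper: chebyshev_bound evaluates the right-hand side of (17), measurements_needed inverts it to find the n required for a given confidence, and empirical_coverage simulates $X_i = A + W_i$ with constructed Gaussian noise to show how conservative the distribution-free bound is. The function names, the Gaussian noise model and the random seed are assumptions made for the illustration.

```python
"""Added example for the averaging argument of Section 5 (eqs. 14-17); it is
not code from the paper.  sigma2 is the variance of a single measurement of
an application's quality, eps the user's tolerance, A the true value."""
import math
import random


def chebyshev_bound(sigma2, eps, n=1):
    """Lower bound on P{|X_hat - A| < eps} for the average of n measurements,
    eq. (17) (eq. (14) when n = 1).  Clamped at 0: the bound says nothing when
    sigma^2 / (n eps^2) >= 1, which is exactly the 'one sample is not enough' case."""
    return max(0.0, 1.0 - sigma2 / (n * eps * eps))


def measurements_needed(sigma2, eps, confidence):
    """Smallest n for which the Chebyshev bound reaches the requested confidence."""
    if not 0 <= confidence < 1:
        raise ValueError("confidence must lie in [0, 1)")
    return max(1, math.ceil(sigma2 / ((1.0 - confidence) * eps * eps)))


def within_tolerance(samples, A, eps):
    """Whether the average X_hat of the measurements (eq. 16) lies within eps of A."""
    x_hat = sum(samples) / len(samples)
    return abs(x_hat - A) < eps


def empirical_coverage(A, sigma, eps, n, trials=2000, seed=7):
    """Simulate X_i = A + W_i with Gaussian noise (constructed data, assumption of
    this example) and return the fraction of trials whose n-sample average falls
    within eps of A.  For Gaussian noise this is far above chebyshev_bound, which
    is what a distribution-free bound costs."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        samples = [A + rng.gauss(0.0, sigma) for _ in range(n)]
        hits += within_tolerance(samples, A, eps)
    return hits / trials
```

With $\sigma_x = 2$ and ε = 1 a single measurement gives a vacuous bound, sixteen measurements guarantee at least 0.75, and the simulation shows the true coverage for Gaussian noise is well above that figure.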

5.1 Pointwise convergence of service request

A discrete sequence of random variables $\{X_1, X_2, X_3, \ldots, X_N, \ldots\}$ converges pointwise to a limiting random variable X if and only if, for any ε > 0, one can find a number $n_0$ such that

$$|X_n(\xi) - X(\xi)| < \varepsilon \qquad (18)$$

for every $n > n_0$ and every outcome ξ. This is the appropriate notion for deterministic sequences, but it is highly restrictive for random variables.

5.2 Almost sure convergence of service request

A sequence of random variables $\{X_n\}$ converges almost surely to the random variable X if, for every point ξ of the sample space S,

$$\lim_{n \to \infty} |X_n(\xi) - X(\xi)| = 0 \qquad (19)$$

with probability 1. This can also be written as

$$P(X_n \to X) = 1 \quad \text{as } n \to \infty \qquad (20)$$

Once the security properties are satisfied, the broker selects a provider and forwards the request to it. The service selection and composition process supports this decision by evaluating the priorities among the alternatives, so that the best-suited service is selected among the n available services with maximum accuracy for the fulfilment of the user's request.

5.3 Secure service composition – read permission

A simple example with read permission is discussed for the composition of services using the above properties; it was tested on the SONATE testbed and the results are satisfactory. In SONATE, various combinations of BBs produce different services, so the best service has to be selected after the composition has been performed, which is done using the ANP process. Before this selection and composition, the service user/consumer must satisfy the mandatory security conditions for secure communication: the security level of the user, authentication of the user by presenting identification, and the access permission of the user.
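The transition functions PF6–PF8 of Section 4.1 and the read-permission check of Section 5.3, as an added worked example that is not the paper's own model or SONATE code: a small Python state machine in which each transition is admitted only if the resulting state is still secure, which is what the proofs above establish for each function. Assumed for the illustration: integer security levels (larger = more sensitive), the classical Bell-LaPadula relations for read/write/append between a principal's current level and the object's level (used in place of the paper's strict inequalities), a protocol graph given by a parent map, and the sample state built by example_state() with the principals alice and broker; the technical-group exemption $s_i \in s_p$ of PF8 is deliberately not modelled, because it is the one clause that can admit an insecure state.

```python
"""Added example (not the paper's model or SONATE code): secure-state checks in
the style of PF6-PF8 (Section 4.1) and the read check of Section 5.3.
Assumptions: integer levels (larger = more sensitive); classical Bell-LaPadula
relations between a principal's current level and an object's level; the
technical-group exemption (s_i in s_p) is not modelled."""
import copy
from dataclasses import dataclass, field


@dataclass
class State:
    F_S: dict                 # principal -> maximum clearance
    F_q: dict                 # principal -> current security level
    F_A: dict                 # protocol / application -> security level
    parent: dict              # protocol -> parent in the protocol graph P (None = root)
    c: set                    # current accesses: (principal, protocol, mode)
    m: dict                   # access matrix m_ij: (principal, protocol) -> set of modes
    technical: set = field(default_factory=set)   # the group s_p


def compatible(level_s, level_p, mode):
    """Mandatory rule for one current access (the per-mode conditions of PF8)."""
    if mode == "r":
        return level_p <= level_s          # no read-up
    if mode == "w":
        return level_p == level_s          # write only at the current level
    if mode == "a":
        return level_p >= level_s          # append may go up, never down
    return True                            # execute: no information flow


def is_secure(st):
    """Every current access is in m, satisfies the mandatory rule, and no
    principal runs above its clearance."""
    if any(st.F_q[s] > st.F_S[s] for s in st.F_q):
        return False
    for (s, p, mode) in st.c:
        if mode not in st.m.get((s, p), set()):
            return False
        if not compatible(st.F_q[s], st.F_A[p], mode):
            return False
    return True


def inferior(st, p):
    """All protocols below p in the protocol graph (the sibtree without p)."""
    out, frontier = set(), [p]
    while frontier:
        q = frontier.pop()
        for child, par in st.parent.items():
            if par == q and child not in out:
                out.add(child)
                frontier.append(child)
    return out


def pf6_delete(st, s, p):
    """PF6: remove p and its inferiors.  Needs write access on p's parent and a
    non-root p.  Returns (decision, state); the old state is kept on refusal."""
    par = st.parent.get(p)
    if par is None or (s, par, "w") not in st.c:
        return "no", st
    new = copy.deepcopy(st)
    for q in inferior(st, p) | {p}:
        del new.F_A[q], new.parent[q]
        new.c = {t for t in new.c if t[1] != q}
        new.m = {k: v for k, v in new.m.items() if k[1] != q}
    return "yes", new


def pf7_change_app_level(st, s, p, z):
    """PF7: F_A(p) <- z, requested by a technical user; admitted only if no
    principal keeps an access that is incompatible with the new level."""
    if s not in st.technical or p not in st.F_A:
        return "no", st
    new = copy.deepcopy(st)
    new.F_A[p] = z
    return ("yes", new) if is_secure(new) else ("no", st)


def pf8_change_current_level(st, s, z):
    """PF8: F_q(s) <- z, within clearance and only if all of s's current
    accesses stay compatible at the new level."""
    if s not in st.F_S or z > st.F_S[s]:
        return "no", st
    new = copy.deepcopy(st)
    new.F_q[s] = z
    return ("yes", new) if is_secure(new) else ("no", st)


def read_permitted(st, s, p):
    """Section 5.3: the broker forwards a read request only when the principal has
    discretionary read on p and the mandatory read rule holds at its current level."""
    return "r" in st.m.get((s, p), set()) and compatible(st.F_q[s], st.F_A[p], "r")


def example_state():
    """Constructed sample state: a root protocol, an application and one
    inferior protocol; alice is a technical user, broker a read-only agent."""
    return State(
        F_S={"alice": 3, "broker": 2},
        F_q={"alice": 2, "broker": 1},
        F_A={"root": 1, "app": 2, "inf": 2},
        parent={"root": None, "app": "root", "inf": "app"},
        c={("alice", "app", "w"), ("broker", "root", "r")},
        m={("alice", "app"): {"r", "w"}, ("alice", "inf"): {"r", "w"},
           ("broker", "root"): {"r"}, ("broker", "app"): {"r"}},
        technical={"alice"},
    )
```

Two behaviours are worth noticing when running it: alice cannot raise her own level to 3 while she holds a write on app (her write would become a write-down), and she cannot raise the level of app for the same reason, whereas she can raise the level of inf, which nobody currently accesses, and can delete inf because she holds write on its parent.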

6 Conclusions

The ultimate technology can provide everything as a service through finer-grained, loosely coupled and highly cohesive BBs. Their self-organisation makes the system flexible and allows services from the simplest to the very complex to be developed in a distributed environment. This flexibility eases the deployment of services but in turn raises security problems. The study demonstrates that several aspects of security are foundational principles that must be incorporated at the early design stage in order to develop a secure architecture. Emerging architectures must support at least the level of security of the present architecture if known security threats are to be avoided. There is no common, concrete and agreed vision of the security threats; the experts' view is that the future internet should be flexible, loosely coupled, secure, robust to attacks and easily manageable for the inclusion of new security services, which are still to be identified in order to serve the user better. A thorough security analysis was performed and identified the security features that are necessary in the context of SONATE. In this paper we omitted the detailed discussion of all the necessary features for lack of space, but designed access control mechanisms for the roles involved in the proposed architecture. Authentication of the principals is required so that access by the entities of the network can be identified. Special permissions such as read, write and execute are required for the entities' access to services. The group of technical users holds all the permissions (create, delete, modify, etc.), whereas the group containing the brokers holds read permission only, with no write or execute, since brokers act only as agents within the SONATE architecture.

Exploration of access control mechanisms for service-oriented network architecture