562 research outputs found
XML Signature Wrapping Still Considered Harmful: A Case Study on the Personal Health Record in Germany
XML Signature Wrapping (XSW) has been a relevant threat to web services for
15 years until today. Using the Personal Health Record (PHR), which is
currently under development in Germany, we investigate a current SOAP-based web
services system as a case study. In doing so, we highlight several deficiencies
in defending against XSW. Using this real-world contemporary example as
motivation, we introduce a guideline for more secure XML signature processing
that provides practitioners with easier access to the effective countermeasures
identified in the current state of research.Comment: Accepted for IFIP SEC 202
XML Rewriting Attacks: Existing Solutions and their Limitations
Web Services are web-based applications made available for web users or
remote Web-based programs. In order to promote interoperability, they publish
their interfaces in the so-called WSDL file and allow remote call over the
network. Although Web Services can be used in different ways, the industry
standard is the Service Oriented Architecture Web Services that doesn't rely on
the implementation details. In this architecture, communication is performed
through XML-based messages called SOAP messages. However, those messages are
prone to attacks that can lead to code injection, unauthorized accesses,
identity theft, etc. This type of attacks, called XML Rewriting Attacks, are
all based on unauthorized, yet possible, modifications of SOAP messages. We
present in this paper an explanation of this kind of attack, review the
existing solutions, and show their limitations. We also propose some ideas to
secure SOAP messages, as well as implementation ideas
Improving the Authentication Mechanism of Business to Consumer (B2C) Platform in a Cloud Computing Environment: Preliminary Findings
The reliance of e-commerce infrastructure on cloud computing environment has undoubtedly increased the security challenges in web-based e-commerce portals. This has necessitated the need for a built-in security feature, essentially to improve the authentication mechanism, during the execution of its dependent transactions. Comparative analysis of the existing works and studies on XML-based authentication and non-XML signaturebased security mechanisms for authentication in Business to Consumer (B2C) e-commerce showed the advantage of using XML-based authentication, and its inherent weaknesses and limitations. It is against this background that this study, based on review and meta-analysis of previous works, proposes an improved XML digital signature with RSA algorithm, as a novel algorithmic framework that improves the authentication strength of XML digital signature in the B2C e-commerce in a cloud-based environment. Our future works include testing and validation, and simulation, of the proposed authentication framework in Cisco’s XML Management Interface with inbuilt feature of NETCONF. The evaluation will be done in conformity to international standard and guideline –such as W3C and NIST
Formal Analysis of Security Properties on the OPC-UA SCADA Protocol
International audienceIndustrial systems are publicly the target of cyberattacks since Stuxnet [1]. Nowadays they are increasingly communicating over insecure media such as Internet. Due to their interaction with the real world, it is crucial to prove the security of their protocols. In this paper, we formally study the security of one of the most used industrial protocols: OPC-UA. Using ProVerif, a well known cryptographic protocol verification tool, we are able to check secrecy and authentication properties. We find several attacks on the protocols and provide countermeasures
Trusted Computing and Secure Virtualization in Cloud Computing
Large-scale deployment and use of cloud computing in industry
is accompanied and in the same time hampered by concerns regarding protection of
data handled by cloud computing providers. One of the consequences of moving
data processing and storage off company premises is that organizations have
less control over their infrastructure. As a result, cloud service (CS) clients
must trust that the CS provider is able to protect their data and
infrastructure from both external and internal attacks. Currently however, such
trust can only rely on organizational processes declared by the CS
provider and can not be remotely verified and validated by an external party.
Enabling the CS client to verify the integrity of the host where the
virtual machine instance will run, as well as to ensure that the virtual
machine image has not been tampered with, are some steps towards building
trust in the CS provider. Having the tools to perform such
verifications prior to the launch of the VM instance allows the CS
clients to decide in runtime whether certain data should be stored- or calculations
should be made on the VM instance offered by the CS provider.
This thesis combines three components -- trusted computing, virtualization technology
and cloud computing platforms -- to address issues of trust and
security in public cloud computing environments. Of the three components,
virtualization technology has had the longest evolution and is a cornerstone
for the realization of cloud computing. Trusted computing is a recent
industry initiative that aims to implement the root of trust in a hardware
component, the trusted platform module. The initiative has been formalized
in a set of specifications and is currently at version 1.2. Cloud computing
platforms pool virtualized computing, storage and network resources in
order to serve a large number of customers customers that use a multi-tenant
multiplexing model to offer on-demand self-service over broad network.
Open source cloud computing platforms are, similar to trusted computing, a
fairly recent technology in active development.
The issue of trust in public cloud environments is addressed
by examining the state of the art within cloud computing security and
subsequently addressing the issues of establishing trust in the launch of a
generic virtual machine in a public cloud environment. As a result, the thesis
proposes a trusted launch protocol that allows CS clients
to verify and ensure the integrity of the VM instance at launch time, as
well as the integrity of the host where the VM instance is launched. The protocol
relies on the use of Trusted Platform Module (TPM) for key generation and data protection.
The TPM also plays an essential part in the integrity attestation of the
VM instance host. Along with a theoretical, platform-agnostic protocol,
the thesis also describes a detailed implementation design of the protocol
using the OpenStack cloud computing platform.
In order the verify the implementability of the proposed protocol, a prototype
implementation has built using a distributed deployment of OpenStack.
While the protocol covers only the trusted launch procedure using generic
virtual machine images, it presents a step aimed to contribute towards
the creation of a secure and trusted public cloud computing environment
Survey of DoS/DDoS attacks in IoT
The term internet of things (IoT) has gained much popularity in the last decade, which can be defined as various connected devices over the internet. IoT has rapidly spread to include all aspects of our lives. For instance, smart houses, smart cities, and variant wearable devices. IoT devices work to do their desired goals, which is to develop a person's living with his/her minimal involvement. At the same time, IoT devices have many weaknesses, which attackers exploit to affect these devices' security. Denial of Service (DoS) and Distributed Denial of Service (DDoS) are considered the most common attacks that strike IoT security. The main aim of these attacks is to make victim systems down and inaccessible for legitimate users by malicious malware. This paper's objective is to discuss and review security issues related to DoS/DDoS attacks and their countermeasures i.e. prevention based on IoT devices' layers structure
Proposing a secure component-based-application logic and system’s integration testing approach
Software engineering moved from traditional methods of software enterprise applications to com-ponent based development for distributed system’s applications. This new era has grown up forlast few years, with component-based methods, for design and rapid development of systems, butfact is that , deployment of all secure software features of technology into practical e-commercedistributed systems are higher rated target for intruders. Although most of research has been con-ducted on web application services that use a large share of the present software, but on the otherside Component Based Software in the middle tier ,which rapidly develops application logic, alsoopen security breaching opportunities .This research paper focus on a burning issue for researchersand scientists ,a weakest link in component based distributed system, logical attacks, that cannotbe detected with any intrusion detection system within the middle tier e-commerce distributed ap-plications. We proposed An Approach of Secure Designing application logic for distributed system,while dealing with logically vulnerability issue
- …