    Securing REST

    REST is an architectural style for designing Web Services (WS) and, even though it is neither a standard nor a protocol, it does make use of a few of them. This style makes the most of the resources of the web, yielding a lighter service with better efficiency and performance than alternatives such as SOAP. For that reason, large companies such as Google or Facebook have changed the interfaces of some of their services to be RESTful. The big problem it presents is the lack of security: any malicious actor can intercept the HTTP messages and read them, so some kind of security has to be added. This is where the goal of this project comes from: different methods for securing REST have been found and classified by their properties in order to analyse and test them, selecting the ones that seem most interesting. To carry out this work, it was first necessary to define what a Web Service is, what benefits it offers, how one can be built (there are several programming languages and frameworks), and what the reasons for adding security to REST are.

    Multi-Factor graphical user authentication for web applications

    Nowadays everybody uses web applications and needs to protect their accounts with strong authentication methods. Following this need, this work researches problems and solutions related to authentication, especially concerning textual and graphical passwords. A common problem among users is the difficulty of remembering a textual password that is long and random-looking. Because of their visual aspect, graphical passwords are easier to remember. This work proposes recognition-based and recall-based graphical authentication methods that can be used as challenges to authenticate users. A security analysis is made to check the correctness of the proposed solution and how it minimizes the vulnerabilities of the authentication process. This analysis will enable us to implement these challenges in future work as an extension to authentication, authorization and accounting services, supporting multi-factor authentication and combining these challenges with others already available. The idea is to extend an authentication method in Apache Shiro to provide developers with a common framework for developing secure web applications with strong authentication, authorization and accounting.

    Development of a web interface that improves the security of state transfers in web services, based on authentication and authorization using the JSON Web Token standard

    This research work was carried out with the purpose of investigating and mitigating the vulnerabilities that occur daily in web-oriented services. Computer security is one of the fundamental pillars that must be taken into account when implementing REST web services, in order to maintain the integrity of the information in the state transfers or consumption of the services. For this reason, REST web services were developed together with the JSON Web Token security standard in the academic system of the Escuela Superior Politécnica de Chimborazo (ESPOCH). Two scenarios were carried out: in scenario 1, the REST web services of the academic system were implemented without the JSON Web Token (JWT) security standard, and in scenario 2 they were implemented with authentication and the JSON Web Token security standard, for state transfers with each of the GET, POST, PUT and DELETE methods. The hypothesis was that implementing a web interface with the JSON Web Token security standard guarantees secure access and authorization to the web services of the academic system of the Escuela Superior Politécnica de Chimborazo. Applying observation to the evaluated parameters, a 92.5% optimization in the level of satisfaction was obtained, and applying the Vooki pentesting tool, an 80% optimization in the number of vulnerabilities detected in state transfers was obtained. It is concluded that the proposed standard optimizes the level of security of REST web services, and the proper configuration for generating the security token is recommended.

    Signaling for Internet Telephony

    Internet telephony must offer the standard telephony services. However, the transition to Internet-based telephony services also provides an opportunity to create new services more rapidly and with lower complexity than in the existing public switched telephone network (PSTN). The Session Initiation Protocol (SIP) is a signaling protocol that creates, modifies and terminates associations between Internet end systems, including conferences and point-to-point calls. SIP supports unicast, mesh and multicast conferences, as well as combinations of these modes. SIP implements services such as call forwarding and transfer, placing calls on hold, camp-on and call queueing with a small set of call handling primitives. SIP implementations can re-use parts of other Internet service protocols such as HTTP and the Real-Time Streaming Protocol (RTSP). In this paper, we describe SIP and show how its basic primitives can be used to construct a wide range of telephony services.

    A framework for World Wide Web client-authentication protocols

    Existing client-authentication protocols deployed on the World Wide Web today are based on conventional distributed systems and fail to address the problems specific to the application domain. Some of the protocols restrict the mobility of the client by equating user identity with a machine or network address, others depend on sound password management strategies, and yet others compromise the privacy of the user by transmitting personal information for authentication. We introduce a new framework for client authentication by separating two goals that current protocols achieve simultaneously: 1. Maintain a persistent sense of identity across different sessions. 2. Prove facts about the user to the site. These problems are independent, in the sense that any protocol for solving the first problem can be combined with any protocol for solving the second. Separating the two purposes opens up the possibility of designing systems that balance two conflicting goals, authentication and anonymity. We propose a solution to the first problem, based on the Digital Signature Standard. The implications of this framework from the point of view of user privacy are examined. The paper concludes with suggestions for integrating the proposed scheme into the existing WWW architecture.

    Web User Interface for an Information Extraction Tool

    This work describes the design and implementation of a JavaScript application that serves as the user interface for a data extraction tool. The application offers an environment in which the user manages extraction tasks. Tasks are created using interactive graphs. This functionality is achieved using current trends in JavaScript applications, which are described in the work, in particular the React library and the Redux state manager.

    Design and Test of an Event Detector and Locator for the ReflectoActive™ Seals System

    The purpose of this thesis was to research, design, develop and test a novel instrument for detecting fiber optic loop continuity and spatially locating fiber optic breaches. The work is for an active seal system called ReflectoActive™ Seals, whose purpose is to provide real-time container tamper indication. A Field Programmable Gate Array was used to implement a loop continuity detector and a spatial breach locator based on a high-acquisition-speed single-photon-counting optical time domain reflectometer. Communication and other control features were added in order to create a usable instrument that met the defined requirements. A host graphical user interface was developed to illustrate system use and performance. The resulting device meets the performance specifications, exhibiting a dynamic range of 27 dB and a spatial resolution of 1.5 ft. The communication scheme used expands installation options and allows the device to communicate with a central host via existing Local Area Networks and/or the Internet.