XML Rewriting Attacks: Existing Solutions and their Limitations
Web Services are web-based applications made available to web users or remote web-based programs. To promote interoperability, they publish their interfaces in the so-called WSDL file and allow remote calls over the network. Although Web Services can be used in different ways, the industry standard is Service Oriented Architecture Web Services, which does not rely on implementation details. In this architecture, communication is performed through XML-based messages called SOAP messages. However, those messages are prone to attacks that can lead to code injection, unauthorized access, identity theft, etc. This type of attack, called XML Rewriting Attacks, is based on unauthorized, yet possible, modifications of SOAP messages. In this paper we explain this kind of attack, review the existing solutions, and show their limitations. We also propose some ideas to secure SOAP messages, as well as implementation ideas.
Application of Steganography for Anonymity through the Internet
In this paper, a novel steganographic scheme based on chaotic iterations is proposed. This research work takes place within the information hiding security framework. Applications for anonymity and privacy through the Internet are considered too. To guarantee such anonymity, it should be possible to set up a secret communication channel inside a web page that is both secure and robust. To achieve this goal, we propose an information hiding scheme that is stego-secure, which is the highest level of security in a well defined and studied category of attacks called the "watermark-only attack". This category of attacks is the best context in which to study steganography-based anonymity through the Internet. The steganalysis of our steganographic process is also studied in order to show its security in a real test framework.
An efficient web authentication mechanism preventing man-in-the-middle attacks in industry 4.0 supply chain
The fourth industrial revolution (Industry 4.0) is transforming the next generation of the supply chain by making it more agile and efficient compared with the traditional supply chain. However, data communication across the partners in the Industry 4.0 supply chain can be the target of a wide spectrum of attackers exploiting security breaches in the internal/external environment of the partners, due to its heterogeneous and dynamic nature as well as the fact that their information systems are usually operated by users who are not security professionals. Attackers can compromise the data communication between legitimate parties in the Industry 4.0 supply chain, thus jeopardizing the delivery of services across the partners as well as the continuity of service provision. Consequently, secure data communication across the partners in the Industry 4.0 supply chain is of utmost importance. To this end, the TLS protocol, which is the de facto standard for secure Internet communications, is employed to ensure secure communication between a user's web browser and a remote web server located on the premises of the same or another partner. However, over the last few years there have been several serious attacks on TLS, including man-in-the-middle attacks in web applications that use TLS to secure HTTP communication. Therefore, in this paper, we propose an efficient TLS-based authentication mechanism that is resistant to MITM attacks in web applications.
Performance testing of distributed computational resources in the software development phase
Grid software harmonization is possible through the adoption of standards, i.e. common protocols and interfaces. In the development phase of a standard implementation, performance testing of grid subsystems can detect hidden software issues that are not detectable using other testing procedures. A simple software solution was proposed which consists of a communication layer, resource consumption agents hosted on computational resources (clients or servers), a database of the performance results and a web interface to visualize the results. Communication between the agents monitoring the resources and the main control Python script (supervisor) takes place through the communication layer, based on the secure XML-RPC protocol. The resource monitoring agent is the key element of performance testing; it provides information about all monitored processes including their child processes. The agent is a simple Python script based on the Python psutil library. The second agent, run after the resource monitoring phase, records data from the resources in the central MySQL database. The results can be queried and visualized using a web interface. The database and data visualization scripts could be offered as a service, so that testers do not need to install them to run their own tests.
A Versatile and Ubiquitous Secret Sharing: A cloud data repository secure access
The Versatile and Ubiquitous Secret Sharing System is a cloud data repository secure access and web-based authentication scheme. It is designed to implement the sharing, distribution and reconstruction of sensitive secret data that could compromise the functioning of an organisation if leaked to unauthorised persons. This is carried out in a secure web environment, globally. It is a threshold secret sharing scheme, designed to extend the human trust security perimeter. The system could be adapted to serve as a cloud data repository and secure data communication scheme. A secret sharing scheme is a method by which a dealer distributes shares of secret data to trustees, such that only authorised subsets of the trustees can reconstruct the secret. This paper gives a brief summary of the layout and functions of a 15-page secure server-based website prototype, the main focus of a PhD research effort titled 'Cryptography and Computer Communications Security: Extending the Human Security Perimeter through a Web of Trust'. The prototype, which has been successfully tested, has globalised the distribution and reconstruction processes.
Towards NFC payments using a lightweight architecture for the Web of Things
The Web (and Internet) of Things has seen the rapid emergence of new protocols and standards, which provide for innovative models of interaction for applications. One such model fostered by the Web of Things (WoT) ecosystem is that of contactless interaction between devices. Near Field Communication (NFC) technology is one such enabler of contactless interactions. Contactless technology for the WoT requires all parties to agree on one common definition and implementation and, in this paper, we propose a new lightweight architecture for the WoT, based on RESTful approaches. We show how the proposed architecture supports the concept of a mobile wallet, enabling users to make secure payments employing NFC technology with their mobile devices. In so doing, we argue that the vision of the WoT is brought a step closer to fruition.
Secure web services using two-way authentication and three-party key establishment for service delivery
With the advance of web technologies, a large quantity of transactions has been processed through web services. The Service Provider needs encryption over the public communication channel so that web services can be delivered to the Service Requester. Such encryption can be realized using secure session keys. Traditional approaches that enable such transactions are based on a peer-to-peer architecture or a hierarchical group architecture. The former relies on two-party communications while the latter relies on hierarchical group communications. In this paper, we use three-party key establishment to enable secure communications between the Service Requester and the Service Provider. The proposed protocol supports the Service Requester, Service Broker, and Service Provider with a shared secret key established among them. Compared with the peer-to-peer and hierarchical group architectures, our method aims at reducing communication and computation overheads.
ZeroComm: Decentralized, Secure and Trustful Group Communication
In the context of computer networks, decentralization is a network architecture that distributes both workload and control of a system among a set of coequal participants. Applications based on such networks enhance trust involved in communication by eliminating the external authorities with self-interests, including governments and tech companies. The decentralized model delegates the ownership of data to individual users and thus mitigates undesirable behaviours such as harvesting personal information by external organizations. Consequently, decentralization has been adopted as the key feature in the next generation of the Internet model, which is known as Web 3.0. DIDComm is a set of abstract protocols which enables secure messaging with decentralization and thus serves for the realization of Web 3.0 networks. It standardizes and transforms existing network applications to enforce secure, trustful and decentralized communication. Prior work on DIDComm has only been restricted to pair-wise communication and hence it necessitates a feasible strategy for adapting the Web 3.0 concepts in group-oriented networks.

Inspired by the demand for a group communication model in Web 3.0, this study presents ZeroComm, which preserves decentralization, security and trust throughout the fundamental operations of a group such as messaging and membership management. ZeroComm is built atop the publisher-subscriber pattern, which serves as a messaging architecture for enabling communication among multiple members based on the subjects of their interests. This is realized in our implementation through ZeroMQ, a low-level network library that facilitates the construction of advanced and distributed messaging patterns. The proposed solution leverages DIDComm protocols to deliver safe communication among group members at the expense of performance and efficiency. ZeroComm offers two different modes of group communication based on the organization of relationships among members, with a compromise between performance and security. Our quantitative analysis shows that the proposed model performs efficiently for the messaging operation, whereas joining a group is a relatively exhaustive procedure due to the establishment of secure and decentralized relationships among members. ZeroComm primarily serves as a low-level messaging framework but can be extended with advanced features such as message ordering, crash recovery of members and secure routing of messages.
Building Trusted Paths for Web Browsers
The communication between the Web browser and the human user is one component of the server-client channel. It is not the user but the browser that receives all server information and establishes the secure connection. The browser's user interface signals, such as the SSL lock, the https protocol header, etc., indicate whether the browser-server communication at the current moment is secure. Those user interface signals indicating the security status of the browser should be clearly and correctly understood by the user.

A survey of modern Web browsers shows that the information provided by current browsers is insufficient for users to make a trust judgment. Our Web spoofing work further proved that the browser status information is not reliable either.

We discuss the criteria for, and how to build, trusted paths between a browser and a human user. We present an open source implementation of one of the designs, the synchronized random dynamic (SRD) boundary, based on modified Mozilla source code, together with its usability study results.