
International Journal of Emerging Technology and Advanced Engineering, Website: www.ijetae.com (ISSN 2250-2459, Volume 2, Issue 4, April 2012)


Data Privacy and Security using Web Services

Rajan Datt (1), Varshisth Soni (2), Nimisha Patel (3), Rushabh Shah (4)

(1,4) Assistant Professor, Nirma University; (2,3) MCA Scholar, Nirma University

(1) rajandatt27@yahoo.com, (2) soni_Vashisth@yahoo.com, (3) nimisha_k_patel@yahoo.in

Abstract: The Internet has become a powerful tool for communication and for transferring data between two parties across the world. Private data and other important information are now exchanged between two parties, which has changed the way of communicating. But along with this advantage, the main disadvantage of this capability is that it is not secure: it exposes these resources to information leakage and malicious invasion by hackers, results in the loss or misuse of important information, and also causes damage due to software viruses. This risk can be overcome by the intelligent use of web services that allow the data to be sent privately and also impose data security on it. This paper describes how data can be secured using the various methods provided by web services and compares those techniques. It also covers the three main components of security. First, Authentication, which results in a security token that conveys both the identity of the requestor, so we can easily find out who has requested the data, and the trust level of the identification technology. Second, Authorization, which determines what objects are accessible by a user given his identity token, request, role, context, and privileges; thus we can easily secure the data by giving access only to authorised persons and preventing access by unauthorised persons. Third, Federation, which, using both direct and indirect trust, addresses the problem of how identity, once legally established in one trust domain, can be reliably exported to another cooperating trust domain.

Key words: Web service, Authentication, Digital certificate

I. INTRODUCTION

A Web service is a method of communication between electronic devices over a network. Let’s suppose I keep a database with up-to-date information about weather in the United States, and I want to distribute that information to anyone in the world. To do so, I could publish the weather information through a Web Service that, given a ZIP code, will provide the weather information for that ZIP code. The clients (programs that want to access the weather information) would then contact the Web Service (in the server), and send a service request asking for the weather information.


The server would return the forecast through a service response.

Figure 1

Emergence Of Web Services

Web services have resulted from the convergence of three important events. The first was the emergence of the Internet as a cost-effective and widespread infrastructure. The second was the adoption of XML as a standard. And the third was the emergence of a set of common Web services standards, namely the Simple Object Access Protocol (SOAP) and Web Services Description Language (WSDL).

Need for web services

The Internet had the ability to fundamentally change the way people communicate. Now Web services have the ability to fundamentally change the way applications communicate. Simply put, Web services make application functionality available over the Internet in a standardized, programmatic way. Applications that couldn't be accessed except by following rigid proprietary protocols can now talk to one another over the Internet, regardless of their native language, platform or internal protocols. They provide a low-cost way to connect internal applications and collaborate among business partners.

Web Services have Two Types of Uses

Reusable application-components.


There are things applications need very often. Web services can offer application-components like currency conversion, weather reports, or even language translation as services.

Connect existing software.

Web services can help to solve the interoperability problem by giving different applications a way to link their data. With Web services you can exchange data between different applications and different platforms. Web Services can convert your application into a Web-application, which can publish its function or message to the rest of the world.

The basic Web Services platform is XML + HTTP.

• Web Services are platform-independent and language-independent, since they use standard XML languages. This means that the client program can be programmed in C++ and run under Windows, while the Web Service is programmed in Java and runs under Linux.

• Most Web Services use HTTP for transmitting messages (such as the service request and response).

Web services also have a drawback, namely overhead: transmitting all your data in XML is obviously not as efficient as using a proprietary binary code.

Web services provide several technological and business benefits, a few of which include:

• Application and data integration

• Versatility

• Code re-use

• Cost savings

The inherent interoperability that comes with using vendor, platform, and language independent XML technologies and the ubiquitous HTTP as a transport mean that any application can communicate with any other application using Web services. The client only requires the WSDL definition to effectively exchange data with the service – and neither part needs to know how the other is implemented or in what format its underlying data is stored.

These benefits allow organizations to integrate disparate applications and data formats with relative ease. Web services are also versatile by design. They can be accessed by humans via a Web-based client interface, or they can be accessed by other applications and other Web services. A client can even combine data from multiple Web services to, for instance, present a user with an application to update sales, shipping, and ERP systems from one unified interface – even if the systems themselves are incompatible. Because the systems exchange information via Web services, a change to the sales database, for example, will not affect the service itself. Code re-use is another positive side-effect of Web services' interoperability and flexibility. One service might be utilized by several clients, all of which employ the operations provided to fulfil different business objectives. Instead of having to create a custom service for each unique requirement, portions of a service are simply re-used as necessary.

All these benefits add up to significant cost savings. Easy interoperability removes the need to create highly customized applications for integrating data, which can be expensive. Existing investments in systems development and infrastructure can be utilized easily and combined to add additional value. Since Web services are based on open standards, their cost is low and the associated learning curve is smaller than that of many proprietary solutions. Finally, Web services take advantage of ubiquitous protocols and the Web infrastructure that already exists in every organization, so they require little if any additional technology investment.

II. METHODS USED IN WEB SERVICES

Here, there are three different techniques we are going to use to provide privacy and security to the data that we are going to transfer.

1. IP Blocking

The first type of Web service security we will examine is IP blocking. IP blocking is a common security technique available on all popular Web servers such as Apache and Microsoft Internet Information Server (IIS).


Clients who are on the accepted list will be able to use Web services. In the example scenario of The Internet Dictionary Company, IP blocking is an effective security measure. As shown in Figure 1, the Web server running the TIDC Web service automatically allows Web requests by Regal Research, while simultaneously blocking requests from anywhere else. Doing so ensures that only paying customers are able to access the TIDC Web service.

Figure 2

When this method is applied, all requests are blocked by the Web server itself; clients will not be able to access any part of the Web site until you have added their IP to the accepted list.

Also, it is important to note that users with invalid IP addresses will be blocked from Web pages within your site. This fact can be critical, because developers often place Web services and pages within the same Web site to maximize reusability. So if you use IP blocking for your Web services, you must either accept the same security for your Web pages or create different virtual directories on your server for your sites and services.

A final consideration for using IP blocking is that access to the Web server is usually required in order for an administrator to specify the acceptable IP addresses. This access may not be possible or cost-effective in a situation where the development is completed in a remote location, away from the Web server. For example, if the TIDC developers are in New York and the physical Web server resides in California, the developers will have to find someone in California to edit the IP list every time they add or delete a customer.
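As an added illustration (not from the paper), the following Apache 2.4 configuration applies the IP accepted list only to the virtual directory that holds the Web service, so the ordinary pages of the same site stay reachable; the directory paths and the customer addresses are constructed placeholders.

```apache
# Whole site: ordinary Web pages remain open to everyone.
<Directory "/var/www/tidc">
    Require all granted
</Directory>

# Only the Web service directory is restricted to the accepted list.
# 203.0.113.10 and 198.51.100.0/24 are constructed placeholder addresses
# standing in for the paying customer's (Regal Research) network.
<Directory "/var/www/tidc/services">
    Require ip 203.0.113.10 198.51.100.0/24
</Directory>
```

Requests to the services directory from any other address are rejected by the server before any Web method runs, which is exactly the behaviour (and the administration burden) the text describes.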

2. User Authentication

User authentication is a common technique found in many types of software ranging from databases to operating systems (see Figure 1).

The concept is simple: Each user for the system is assigned a unique username. Access to resources or functionality associated with that username is protected by knowledge of a specific password.

User authentication systems are beneficial for Web services because most users are already comfortable with this security technique. Whether your Web service is being consumed by other Web developers or by the general public, this security mechanism is easily understood.

Each Web method call requires two additional parameters, username and password. Each time a Web method is called, the first action taken will be to check that the username exists in the database. The second step is to ensure that the password provided matches the password for the specified username. If both of these checks pass, then operation of the Web method continues normally. If either of these checks fails, the Web method needs to provide some sort of error message to the calling function.

A common variation to this technique is to require just a user identification code, typically a Globally Unique IDentifier (GUID)[4]. In this case, the Web method call accepts one parameter, UserID, in addition to its standard parameters. This approach is usually just as effective as using a username/password combination because GUIDs are very hard to duplicate. In most cases, it is much more difficult to randomly determine a user's GUID than their string-based password. This is also a popular technique because many databases will automatically generate a GUID. The main detriment to this technique is that a GUID is more difficult for a user or developer to remember and is easy to mistype.

User authentication is the process of proving the user's identity, and authorization is the process of identifying the resources accessible by that user. Since each Web method has to authenticate the specific user making the request, it is possible to create a complex authorization scheme where users are authorized to use only a portion of the available Web methods. In this case, after authenticating the user, each Web method would make one additional check to determine if the authenticated user should be allowed to access the given Web method. If no authorization exists, then a third type of error message would be presented to the user.
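The per-call procedure described above (check that the username exists, check the password, then check that the user is authorized for that particular Web method), together with the GUID variant, as an added Python example that is not part of the paper. The user store, the authorization table, the method names and the GUID are constructed for the example; passwords are stored as PBKDF2 hashes rather than in clear, since the text later warns about exposing stored credentials.

```python
import hashlib
import hmac
import os
import uuid

def _hash_password(password, salt):
    # PBKDF2-SHA256 so the stored value is a hash, not the plaintext password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _new_user(password):
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt)}

# Constructed user store and per-method authorization table (example data only).
USERS = {"regal": _new_user("correct horse"), "guest": _new_user("letmein")}
ALLOWED = {"lookup_word": {"regal", "guest"}, "add_word": {"regal"}}
# GUID variant: one opaque per-user identifier replaces username/password (constructed).
REGAL_ID = uuid.UUID("0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0")
USER_IDS = {REGAL_ID: "regal"}
WEB_METHODS = {}

def web_method(fn):
    """Register fn so that it is reachable only through the checked dispatchers."""
    WEB_METHODS[fn.__name__] = fn
    return fn

@web_method
def lookup_word(word):
    return "definition of " + word

@web_method
def add_word(word, definition):
    return "added " + word

def _authorize_and_run(name, username, args):
    # Third check: is this authenticated user allowed to call this method?
    if username not in ALLOWED.get(name, set()):
        return ("error:not_authorized", None)
    return ("ok", WEB_METHODS[name](*args))

def call_method(name, username, password, *args):
    """Username/password variant: every call carries the two extra parameters."""
    if name not in WEB_METHODS:
        return ("error:no_such_method", None)
    record = USERS.get(username)
    # Check 1 (username exists) and check 2 (password matches) share one error
    # message so a caller cannot tell which failed; compare_digest is constant-time.
    if record is None or not hmac.compare_digest(
            _hash_password(password, record["salt"]), record["hash"]):
        return ("error:authentication_failed", None)
    return _authorize_and_run(name, username, args)

def call_method_by_id(name, user_id, *args):
    """GUID variant: a single UserID parameter identifies the caller."""
    if name not in WEB_METHODS:
        return ("error:no_such_method", None)
    username = USER_IDS.get(user_id)
    if username is None:
        return ("error:authentication_failed", None)
    return _authorize_and_run(name, username, args)
```

Routing every call through the dispatcher means a Web method cannot be exposed by forgetting to add the check to its body.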

Some problems arise when this method is applied. The most obvious problem with this scheme is that the user has to include one or two additional parameters in every single method call.

Another major concern when using user authentication is the requirement to store username/password pairs.


These are typically stored in a database requiring additional database storage space and requests, which can impact Web service performance. Storing this data also potentially exposes sensitive customer information to employees and hackers.

3. Digital Certificates


Another option for securing Web services is digital certificates. Digital certificates are small pieces of software installed on client machines that verify the client's identity. This verification is done through a third-party such as VeriSign that creates a unique certificate for every client machine using industry standard encryption[6]. The certificate is then passed along when the client requests a Web service. The Web service checks for the presence of the digital certificate and reacts accordingly.

Figure 3

Digital certificates are typically used in a fashion similar to IP blocking, in an "all or nothing" prospect for the whole site. Each Web service usually calls a single function, which verifies that a certificate was passed along with the request. If the function indicates that no certificate was passed, the Web service fails and returns an appropriate error message. If the certificate is present, then functionality is executed normally.

Digital certificates have a significant benefit over IP blocking [7]. Like user authentication, the security check for digital certificates doesn't occur until a Web method call is actually made. Thus, visitors can still view the associated Web pages. This benefit comes at the cost of having to include code in each and every method that requires it. If you forget to include the code in one Web method, that method will be freely available to anyone who wants to use it.

Digital certificates can hold personal information about the user sitting at the client machine. A common piece of information contained in a digital certificate is the user's e-mail address. This can easily be used as the identifying key in the database since it is always unique. Furthermore, since the certificate is secure and unique, there's no need for the user to supply a password. The user can be authenticated with no additional effort on their part.

The downside of digital certificates is that they are difficult to install. Digital certificates also limit the user to a single machine. Even if I install a certificate on my work computer, I have to install a second one before I can access the Web service from my home computer. Finally, certificates never obtain input from the user for authentication purposes: You are only authenticating the machine, not the person using the machine. If someone else sits at my desk, the Web service will assume that I am using the service.

III. COMPARISON OF THE METHODS

Having used three different methods to provide data privacy and security, we have used different parameters to compare them. Here we have summarized the comparison by using those parameters. We have rated each parameter by giving a value in the form of Easiest-1, Average-2 or Difficult-3.

Parameter                 IP Blocking   User Authentication   Digital Certificate
Deployment                     1                 3                     2
Flexible authentication        3                 2                     1
Location use                   2                 1                     3
End user efforts               1                 2                     2
Tracking                       3                 1                     2
Security                       2                 3                     1

IV. CONCLUSION

In this paper we have seen that when data is transferred from one place to another it is not secure. So, in order to provide security to the data in transit, we have described what a web service is, its emergence, the need for web services, and also the uses of web services.

We have seen various methods like IP Blocking, User Authentication and Digital Certificates used by web services to secure the data from unauthorised access, giving an example of each method.


REFERENCES

[1] Ahmad, S. and Lu, Z. (2007) A Joint Biometrics and Watermarking Based Framework for Fingerprinting, Copyright Protection, Proof of Ownership, and Security Applications, International Conference on Computational Intelligence and Security Workshops (CISW 2007), Pp.676-679.

[2] Alattar, A.M. (2004). Reversible watermark using the difference expansion of a generalized integer transform, IEEE Transactions on Image Processing, Vol.13, No.8, Pp.1147-1156.

[3] Barni, M., Bartolini, F. and Piva, A. (2002) Multichannel watermarking of color images, IEEE Transactions on Circuits and Systems for Video Technology, Vol. 12, No.3, Pp. 142 – 156.

[4] Barreto, P.S.L.M., Kim, H.Y. and Rijmen, V. (2002) Toward secure public key blockwise fragile authentication watermarking, IEE Proceedings - Vision, Image and Signal Processing, Vol. 148, No.2, Pp.57-62.

[5] Bloom, J.A., Cox, I.J., Kalker, T., Linnartz, J.P.M.G., Miller, M.L. and Traw, C.B.S. (1999) Copy protection for DVD video, Proceedings of the IEEE, Vol.87, No.7, Pp.1267-1276.

[6] Bounkong, S., Toch, B., Saad, D. and Lowe, D. (2003) ICA for watermarking digital images, Journal of Machine Learning Research, Pp. 1471-1498.

[7] Chen, B. and G.W. Wornell (2001) Quantization index modulation: a class of provably good methods for digital watermarking and information embedding, IEEE Transactions on Information Theory, Vol.47, No.4, Pp.1423-1443.

[8] http://www.cs.virginia.edu/~acw/security

[9] R. Morris and K. Thompson, “Password security: a case history.” Communications of the ACM, 22(11), 1979, pp. 594-597.

[10] http://www.ebizq.net/

[11] A. Beimel and Y. Stahl, “Robust Information-Theoretic Private Information Retrieval”, Proc. 3rd Conference on Security in Communication Networks, 2002.

[12] http://gdp.globus.org/

[13] http://www.altova.com/whitepapers/webservices.pdf
