Mohammad Ashiqur Rahaman

Towards secure SOAP message exchange in a SOA

SOAP message exchange is one of the core services required for system integration in Service Oriented Architecture (SOA) environments. One key concern in a SOA is thus to provide Message Level Security (as opposed to point to point security). We observe that systems are communicating with each other in a SOA over SOAP messages, often without adequate protection against XML rewriting attacks.We have already provided a solution to protect the integrity of SOAP messages in earlier work [1]. This solution was based on the usage of messagestructure information (SOAP Account) for preservation of message integrity. However, this earlier work did not discuss the issue of forging the SOAP Account itself. In this paper, we discuss the integrity feature of a SOAP Account within a more general context of the current web service security state of the art.

SOAP-based Secure Conversation and Collaboration

Web services in different trust boundaries interact with each other via SOAP messages to realize functionality in a collaborative environment. Exchanging SOAP messages for remote service invocation has gained wide acceptance among web service developers. Several web service security standards are widely deployed aiming at securing exchanges of a single SOAP message and a conversation of SOAP messages among partners in a collaborative environment. Concerns have been raised about the possibility of XML rewriting attacks within this context and their early detection. In this paper, we demonstrate such possible attacks with respect to WS* policy based scenarios to set a security context and to use a security context for conversations of SOAP messages. We show how our proposed SOAP Account [21] solution could be applied for early detection of XML rewriting attacks, specifically regarding secure SOAP-based conversations. A simulation-based performance analysis and comparison of our SOAP Account approach vs. a WS* policy based approach complements our observations.

Distributed Access Control For XML Document Centric Collaborations

This paper introduces a distributed and fine grained access control mechanism based on encryption for XML document centric collaborative applications. This mechanism also makes it possible to simultaneously protect the confidentiality of a document and to verify its authenticity and integrity, as well to trace its updates. The enforcement of access control is distributed to participants and does not rely on a central authority. Novel aspects of the proposed framework include the adoption of a decentralized key management scheme to support the client-based enforcement of the access control policy. This scheme is driven by the expression of access patterns of interest of the participants over document parts to determine the keys required. A lazy rekeying protocol is also defined to accommodate the delegation of access control decisions that in particular reduces rekeying latency when faced with the addition and removal of participants.

Ontology-based secure XML content distribution

This paper presents an ontology-driven secure XML content distribution scheme. This scheme first relies on a semantic access control model for XML documents that achieves three objectives: (1) representing flexible and evolvable policies, (2) providing a high-level mapping and interoperable interface to documents, and (3) automating the granting of fine-grained access rights by inferring on content semantics. A novel XML document parsing mechanism is defined to delegate document access control enforcement to a third party without leaking the document XML schema to it. The Encrypted Breadth First Order Labels (EBOL) encoding is used to bind semantic concepts with XML document nodes and to check the integrity of a document.

Document-Based Dynamic Workflows: Towards Flexible and Stateful Services

Task-based workflows describe a set of predefinedtasks executed in a predefined sequence flow in whichdocuments representing business objects are sent to activate tasks according to some business goal. The increasingly agile nature of business processes implies that neither the potential tasks nor their sequence flow can be defined a priori. In this context, documents may constitute the central abstraction in a business process execution while services are stateless entities. While business goals and associated business rules drive models and their executions, document content and its structure may additionally be used to determine how the document can be processed and how multiple processing tasks may be composed dynamically.This paper introduces a document-based workflow modelthat implements such agile business processes. The described approach relies on the use of a rule-based system as ameans to capture diverse concerns such as business goals and associated rules within a uniform framework. To this end, we illustrate this approach with an electronic health record (EHR) application.

A Secure Comparison Technique for Tree Structured Data

Comparing different versions of large tree structured data is a CPU and memory intensive task. State of the art techniques require the complete XML trees and their internal representations to be loaded into memory before any comparison may start. Furthermore, comparing sanitized XML trees is not addressed by these techniques. We propose a comparison technique for sanitized XML documents which ultimately results into a minimum cost edit script transforming the initial tree into the target tree. This method uses encrypted integer labels to encode the original XML structure and content, making the encrypted XML readable only by a legitimate party. Encoded tree nodes can be compared by a third party with a limited intermediate representation.

Towards Secure Content Based Dissemination of XML Documents

Collaborating on complex XML data structures is a non-trivial task in domains such as the public sector,healthcare or engineering. Specifically, providing scalable XML content dissemination services in a selective and secure fashion is a challenging task. This paper describes a publish/subscribe middleware infrastructure to achieve a content-based dissemination of XML documents. Our approach relies on the dissemination of XML documents based on their semantics, as described by concepts that form an interoperable description of documents. This infrastructure leverages our earlier scheme [1] for protecting the integrity and confidentiality of XML content during dissemination.