1. Real time Stock quotes by web Service and Securing XML for Web Services security. Bismita Srichandan bsrichandan1@student.gsu.edu

2. Outline What is Web Service? Stock Quote Application Web Services Security XML Security – Digital Signature – Symmetric and Asymmetric Encryption New Algorithm Conclusion References

3. What is Web Service A technology that enables you to invoke applications using Internet protocols and standards. Key benefits of web services technology, and the reason that it has gained widespread attention and adoption, is because of its promise of interoperability[IBM doc 1]. By Interoperability, we mean suitable for and capable of being implemented in a neutral manner on multiple operating systems and in multiple programming languages. Examples: Weather Report and Stock quote application Few Key terms to describe Web Service in next slides.

4. Web Service contd.. SOAP: Simple Object Access Protocol is a specification for the exchange of structured information in a decentralized, distributed environment. It is an XML based protocol. SOA: Service Oriented Architecture consists of three basic components: Service provider, Service broker and Service requestor.

5. Web Services contd.. Service provider creates a Web service and publishes its interface and access information to the service broker. Service broker is responsible for making the web service interface and imple -mentation access information available to any potential service requestor.

6. Web Services contd.. WSDL: Web Service Definition Language specifies the characteristics of a Web service using XML format, describing what a web service can do, where it resides, and how it is invoked. XML : Extensible Markup Language is the markup language that underlies most of the specifications used for web services. XML example http://www.student.gsu.edu/St udent 001-72-9514 Bismita Srichandan Panther card 123456789 08/2010 Bismita Srichandan

7. Stock quote application This application retrieves stock quote data from servers. It shows the same data which is displayed by yahoo and Google if you give the company code and today’s date on the screen. Why I said it real time though it’s 20 minutes late? The data being retrieved is the same data as Yahoo and Google shows. Actual data displayed by NASDAQ is not getting reflected on other web sites.

8. Stock quote application Login screen

9. Stock quote application Enter Quote Name

10. Stock quote application Quote Result Page

11. Web service security Why we need to secure it? Since Web service is widely used these days, it should be secured. So that it can be ensured that sensitive data is not corrupted.

12. Security Issues with Web service There are two different types of security issues: 1 Transport level and Message level. Transport Level Security is done by Secure Socket Layer and Transport layer security. Why message level security essential? Many companies have already made their data available to all of their divisions and departments on web, but in some cases proprietary solutions is a major concern. Next slide discusses what has been done already for message level security

13. WS-security[2] Ws-Security is a communication protocol providing a means for applying message level security to web services. WS-Security describes how to attach signatures and encryption to SOAP messages. Since XML is used widely, especially WSDL is written in XML, and SOAP is also XML based protocol, so main focus is on securing XML. WS-Security standard has already developed XML encryption and adding digital signature to XML data. XML security can ensure security partially, so we can secure sensitive data only. This is one of the advantages.

14. XML Encryption[4] Encryption is generally done by symmetric key encryption. Symmetric key encryption uses single key shared by both parties. It has some problem as confidential information can be captured by someone who knows the key. To avoid this problem involved with symmetric key, asymmetric or public-key cryptography was designed.

15. Public key Cryptography[7] In this a matched pair of keys are used. The sender encrypts message by the public key of the receiver but the message can be decrypted only by the private key by the receiver.

16. New Algorithm, a theoretical approach!

17. XML Encryption Embedded With Public Key Cryptography It can be very efficient if we use symmetric cryptography and public key cryptography together. In this process symmetric key is used to encrypt the content and then the symmetric key is encrypted using public key cryptography. Both the encrypted content and encrypted symmetric key will be sent to the recipient.

18. XML Encryption Embedded With Public Key Cryptography <customerInfo xmlns= “http://www.hotel.com/CustomerInfo>http://www.hotel.com/CustomerInfo 001-72-5914 Bismita Srichandan <EncryptedData Xmlns=”http://www.w3.org/2001/04/xmlenc#”http://www.w3.org/2001/04/xmlenc# Type=”http://w3.org/2001/04xmlenc#Content”> A12B34C657

19. Comparison of existing algorithm with new method. 1. Though only using public key cryptography provides good protection, when we use both symmetric key encryption and asymmetric key encryption together, it makes security more tight.

20. Digital Signature[3, IBM doc] A digital signature is a type of asymmetric cryptography. Digital signatures are implemented to make sure that the message receiver receives was sent by the claimed sender.

21. XML Undeniable Signature[5] Undeniable signatures were firstly introduced by Chaum and Van Antulerpen [3] ( ) ( ) How it Works? This type of methodology ca n be used in places where co- operation of the signer is required. ---It is a new approach to secure sensitive information in XML decument transitions and signers cannot deny. ---Undeniable signature can also provide non-repudiation, meaning that the signer cannot successfully claim they did not sign a message.

22. Web Services Security[6] How can we achieve Web Services security? Since Simple Object Access Protocol is used for Web Services which contains XML data, and Web Services Definition Language which is written in XML. We can secure XML by undeniable digital signature and a combination of symmetric and public key cryptography.

23. conclusion The stock quote application does not have any security issues as there is no sensitive data. I did it to see how web service does some amazing work. But for business, where most data are sensitive we need strong Web service security. The new method, where the data is encrypted by the symmetric key and then the key is encrypted by asymmetric key will give a higher level of protection. Which will make it impossible for the hacker to crack.

24. References [1] http://www.ibm.com/developerworks/webservices/library/http://www.ibm.com/developerworks/webservices/library/ [2] http://en.wikipedia.org/wiki/WS-Security http://en.wikipedia.org/wiki/WS-Security [3] Chaum D. and Van Antwerpen H. Undeniable signatures. Advances in Cryptology--Crypto89 volume435 of Lectures Notes in Computer Science, pages 212—216, Springer-Verlag, 1990. [4] XML-Signature Syntax and Processing. February 2002, http://www.w3.org/TR/xmldsig-core/http://www.w3.org/TR/xmldsig-core/. [5] Lili Sun and Yan Li Computational Intelligence for Modeling, Control and Automation, 2005 and International Conference on Intelligent Agents, Web Technologies and Internet Commerce, International, International Conference on XML undeniable signatures. [6] Web Services Security: SOAP Message Security 1.0 (WS-Security 2004). March 2004, http://docs.oasisopen. org/wss [7] Rex Macedo Arokiaraj, A.; Shanmugam, A., International Conference on ACS: An efficient address based cryptography scheme for Mobile ad hoc networks security, May 2008.

25. Thank You Questions?