Mr.%20Abdelkrim%20Boujraf,%20Unisys - PowerPoint PPT Presentation

About This Presentation
Title:

Mr.%20Abdelkrim%20Boujraf,%20Unisys

Description:

The majority of eGovernment systems is and may have to remain heterogeneous. ... A number of persons are taken into custody, whilst investigations start. ... – PowerPoint PPT presentation

Number of Views:40
Avg rating:3.0/5.0
Slides: 15
Provided by: d240
Category:

less

Transcript and Presenter's Notes

Title: Mr.%20Abdelkrim%20Boujraf,%20Unisys


1
R4eGov Inter-Agency Collaboration Security
Performance Measurement
  • Mr. Abdelkrim Boujraf, Unisys
  • Mr. Andreas Schaad, SAP Research
  • Mr. Mohammad Ashiqur Rahaman, SAP Research
  • funded by EU Integrated Project R4eGov

2
AGENDA
R4eGov Inter-agency collaboration
WS Performance Criteria
Evaluating WS vs. SOAP Accounts
Evaluation Results
3
The problem.
  • The majority of eGovernment systems is and may
    have to remain heterogeneous.
  • Their configuration and definition of processes
    is likely to remain under local administration.
  • eGovernment interoperability in the EU follows
    an ad hoc approach and systems are only made
    interoperable when there is a shared purpose and
    some general legal guidelines.
  • We believe the majority of systems to require the
    methodologies, systems and tools for achieving
    the maturity level of collaborative organisations.

Europol and Eurojust are SAP EU project
partners but not SAP customers. The case study
is for illustration / requirements engineering
purposes only.
4
EU Interagency Collaboration - The reality.
  • During a routine check Spanish customs intercept
    a shipment of coffee containing cocaine in the
    harbour of Malaga.
  • The container came from Caracas, Venezuela and
    was supposed to be transported by road to Antwerp
    and to be delivered to a trade company called BE.
  • A number of persons are taken into custody,
    whilst investigations start..
  • The involved authorities (Europol and Eurojust)
    need to collaborate in a quick and efficient
    manner.
  • European Arrest Warrant
  • Rogatory Letter
  • Joint Investigation Teams
  • .
  • They need to remain in control of their systems
  • They need to follow local as well as EU-wide laws
    and agreements

Europol and Eurojust are SAP EU project
partners but not SAP customers. The case study
is for illustration / requirements engineering
purposes only.
5
Europol and Eurojust
  • Eurojust
  • Eurojust National Members,
  • Case Management Analysts
  • EJN Secretariat,
  • National Correspondents,
  • EJN Contact Points
  • National judicial authorities
  • Europol
  • Member States (MS)
  • Analysis Work File Teams (AWFTs)
  • Europol Liaison Officers (ELOs)
  • Member States Liaison Bureaux (MS-LBx)
  • Serious Crime Units (SCUs) / Analysis Unit (SC7)
  • Liaison Officer Interpol / Washington DC

Europol and Eurojust are SAP EU project
partners but not SAP customers. The case study
is for illustration / requirements engineering
purposes only.
6
Towards standardised collaboration processes
Europol and Eurojust are SAP EU project
partners but not SAP customers. The case study
is for illustration / requirements engineering
purposes only.
Europol and Eurojust are SAP EU project
partners but not SAP customers. The case study
is for illustration / requirements engineering
purposes only.
7
Requirements
  • Local case management
  • Exchange of documents
  • Access Control on documents
  • Traceability
  • Chain of evidence
  • European and Local Directives on Data Usage
  • Collaboration agreements

Can in parts be addressed by using OASIS WS
standards.
8
General WS Security Setup
WS-Policy describes the capabilities and
constraints on intermediaries and endpoints (e.g.
required security tokens, supported encryption
algorithms)
Policy
Security Token Service
WS-Trust describes a framework for trust models
that enables Web services to trust other domains
Policy
Policy
Requester
Web Service
WS-SecureConversation describes how to manage and
authenticate a series of message exchanges
WS-Security attaching signature and encryption
headers / security tokens to SOAP messages e.g.
X.509 certificates and Kerberos tickets, to
messages
9
Performance / A general Web Service invocation
flow
  • Some Performance Relevant Criteria (incomplete)
  • Methods for issuing, renewing, and validating
    security tokens
  • Establishing security contexts for a conversation
    of messages.
  • Amending, Renewing, and cancelling the security
    contexts.
  • Computing and passing derived keys and session
    keys.
  • Verify Subjects / Security Attributes

10
Approach to Performance Measurement
  • Our Problem
  • What can we measure performance against?
  • No real benchmarks for WS Performance
    Measurement.
  • Our Approach
  • Build our own solution for defined purpose scope
  • Measure WS key performance indicators against
    this
  • Our (simplified) requirements
  • Preservation of message confidentiality /
    integrity
  • Handling of complex / large messages
  • Focus on prevention of XML re-writing attacks
  • Our Proposal
  • SOAP Account Keeps record of SOAP message
    structure / elements.
  • Requires small component to be deployed on each
    SOAP processing node.

11
SOAP Account Message flow in the proposed
technique
12
A SOAP request using a SOAP Account
RST token is signed
ltEnvelopegt ltHeadergt ltSecuritygt
ltBinarySecurityToken Id" Id-2"
ValueType"...X509v3"gt
MIIEZzCCA9CgAwIBAgIQEmtJZc0...lt/BinarySecurityToke
ngt ltSignaturegt ltSignedInfogt
ltCanonicalizationMethod Algorithm"..xml-exc-c14n
"/gt ltSignatureMethod Algorithm"...rsa-sha
1"/gt ltReference URI"Id-1"gt
ltDigestMethod Algorithm"...sha1"/gt
ltDigestValuegtd5AOd..lt/DigestValuegt lt/Referencegt
ltReference URI"Id-2gt...lt/Referencegt
ltReference URI"Id-3gt....lt/Referencegt
lt/SignedInfogt ltSignatureValuegte4EyW...lt/Sign
atureValuegt ltKeyInfogtltSecurityTokenReference
gtltReference URI"Id-2"
ValueType"...X509v3" /gtlt/KeyInfogt
SOAP Account added
ltSoapAccount IdId-3gt
ltNoChildOfEnvelopegt2lt/gt ltNoOfHeadergt2lt/gt
lt/SoapAccountgt
Receiver can verify
ltBody Id"Id-1"gt ltRequestSecurityTokengt
ltTokenTypegthttp//schemas.xmlsoap.org/ws
/2005/02/sc/sct lt/TokenTypegtltRequestTypegth
ttp//schemas.xmlsoap.org/
ws/2004/04/security/trust/Issue lt/RequestTypegt
ltBasegt...lt/Basegt lt/RequestSecurityTokengt lt/
Bodygt
13
Simulated SOAP, WS Policy, SOAP Account
SOAP Account
SOAP
ltSoapAccount IdId-3gt
ltNoOfHeadergt2lt/gt lt/SoapAccountgt
ltEnvelopegt ltHeadergt ltSecuritygt
ltBinarySecurityToken Id" Id-2" ..gt
...lt/BinarySecurityTokengt
ltSignaturegt ltSignedInfogt
ltReference
URI"Id-1"gt ..lt/Referencegt
ltReference URI"Id-2gt
....lt/Referencegt
lt/SignedInfogt ltSignatureValuegte4EyW.
.. lt/SignatureValuegt
ltKeyInfogtlt/KeyInfogt ltBody Id"Id-1"gt
ltRequestSecurityTokengt
ltTokenTypegthttp//schemas.xmlsoap
.org/ws/2005/02/sc/sct
lt/TokenTypegt ltRequestTypegthttp//schemas.xml
soap.org/ ws/2004/04/security
/trust/Issue lt/RequestType..
lt/RequestSecurityTokengt
197 bytes
WS Policy
ltwspPolicy ..gt .. ltspSignedPartsgt
ltspBody/gt lt/spSignedPartsgt lt/wsp
Policygt
2695 bytes to 51551 bytes
388 bytes
14
Performance Criteria
1. SOAP Account Processing. 2. Policy
processing. 3. Signature Processing. 4.
Attacker Simulation
Comparison Criteria
  • Request SOAP size vs. requestor Soap Account
    header size and Policy file size.
  • SOAP Account size vs. Policy file size.
  • Relative comparison of signature processing in
    both ends.
  • Enforcement time of SOAP Account and Policy in
    sender (requestor).
  • Enforcement time of SOAP Account and Policy in
    the receiver.
  • XML rewriting attack detection time using SOAP
    Account and Policy.

SOAP Size 2695 to 51551 bytes SOAP Account 197
bytes 0.72 of SOAP Policy File 388 bytes
1.42 of SOAP Scalability.
15 more time in the Requestor
Comparable enforcement time for both in the
Requestor.
  • 30 less Enforcement time using SOAP Account in
    the Receiver.
  • SOAP size gt 4500 bytes..SOAP Account Enforcement
    Time Policy Enforcement Time.

1.50 faster XML Rewriting Attack Detection
using SOAP Account. SOAP Account is scalable.
15 less time in the Receiver
15
Summary Conclusion
  • We presented a real-world collaboration
    scenario and security requirements
  • WS can be deployed to satisfy some of these
    requirements
  • WS Security performance indicators
  • Measure these indicators against our own SOAP
    account solution
  • In summary, our solution is more performant due
    to being purpose-built for avoiding XML rewriting
    attacks (overly simplified).
  • Not really scientific approach but valuable
    lessons learnt on
  • Establishing a set of Security / Web Service
    Performance Indicators
  • Implementation and Setup, Memory Consumption,
    Processing, Key Generation, Validation,
    Message Sizing etc.
  • Current research work is focusing on XACML
    testing
  • Overall goal is a general test tool suite for
    standards evaluation

16
Thank You Questions
abdelkrim.boujraf_at_be.unisys.com andreas.schaad_at_sap
.com mohammad.ashiqur.rahaman_at_sap.com
Europol and Eurojust are SAP EU project
partners but not SAP or Unisys customers. The
case study is for illustration / requirements
engineering purposes only.
Write a Comment
User Comments (0)
About PowerShow.com
Home About Us Terms and Conditions Privacy Policy Presentation Removal Request Contact Us
Copyright 2024 CrystalGraphics, Inc. — All rights Reserved. PowerShow.com is a trademark of CrystalGraphics, Inc.
The PowerPoint PPT presentation: "Mr.%20Abdelkrim%20Boujraf,%20Unisys" is the property of its rightful owner.
Do you have PowerPoint slides to share? If so, share your PPT presentation slides online with PowerShow.com. It's FREE!