From Java CoG Kit

Contents 1 Tasks 2 Who? 3 Where? 4 What ? 4.1 Introduction 4.2 Background 4.3 Project Details 5 References 5.1 Books 5.2 Links 5.3 Papers 6 Timeline 7 Progress 7.1 Week July 14th 7.2 Week May 28th, 2006 - June 4th, 2006 7.3 Week May 15th, 2006 - May 21st, 2006 7.4 Week May 10th, 2006 - May 14th, 2006 7.5 Week May 1 - May 10th 7.6 Week Apr 24th, 2006 - Apr 30th, 2006 7.7 Week Apr 18th, 2006 - Apr 23th, 2006 7.8 Week Apr 10th, 2006 - Apr 17th, 2006 7.9 Week Apr 10th, 2006 - Apr 17th, 2006 7.10 Week Apr 2nd, 2006 - Apr 9th, 2006 7.11 Week Mar 27th, 2006 - Apr 2nd, 2006 7.12 Week Mar 27th, 2006 - Apr 2nd, 2006 7.13 Week Mar 20th, 2006 - Mar 26th, 2006 7.14 Week Mar 13th, 2006 - Mar 19th, 2006 7.15 Week Mar 6th, 2006 - Mar 12th, 2006 7.16 Week Feb 27th, 2006 - Mar 5th, 2006 7.17 Week Feb 20th, 2006 - Feb 26th, 2006 7.18 January 17, 2006 7.19 Week Nov 6th - Nov 22nd 7.20 Week Oct 31th, 2005 - Nov 6th, 2005 7.21 Week Oct 24th, 2005 - Oct 30th, 2005 7.22 Week Oct 17th, 2005 - Oct 23th, 2005 7.23 Week Oct 10th, 2005 - Oct 16th, 2005 7.24 Week Oct 3rd, 2005 - Oct 9th, 2005 7.25 Week Sept 19th, 2005 - Sept 25th, 2005 7.26 Multiple weeks missing 7.27 Week Sept 12th, 2005 - Sept 18th, 2005

Tasks

learn about how to do tasks in mediawiki, e.g. edit this page (Vignesh)
add tasks that need to be done for the project (Vignesh)
add important dates and milestones to the tasks (Vignesh)
complete this taks by Saturday March 11 (Vignesh)
upload report that has been handed in to wiki [Media:vignesh-feb-06-report.doc] (Vignesh)
include link to source code that you place on a public html web server (Vignesh)
include in timeline when the semester is over, and when Dr. Sun likes to see the final report (Vignesh)
Develop both windows and linux client - 03.12.06 (Vignesh)
Develop server with methods to execute commands (Vignesh)
Implement message integrity - XML signature (Vignesh)
Implement message confidentiality - XML encryption (Vignesh)
Implement authentication - SAML (Vignesh)
Implement authorization - SAML (Vignesh)
Implement key infrastructure - 04.02.06 (Vignesh)
Develop the queue for handling jobs - 04.09.06 (Vignesh)
Implement logging using log4j (Vignesh)
Bash scripts to automate setup service, create service, start service, stop service, setup client, create client, inspect log, etc., (Vignesh)
Implement the ANT build file. (Vignesh)
Create draft of final report for Dr.Gregor's review - 04.16.06 (Vignesh)
Semester gets over by 05.13.06 (Vignesh)
Read the book "Core security patterns" by Christopher Steel et al., for more insight. (Vignesh)

Incomplete list of tasks for Vignesh

Who?

This project has not been completed. It has been closed due to inactivity.

Vignesh Manickam Periaswamy Nithyanandam is a graduate student at the Illinois Institute of Technology. His supervisor is Dr. Sun. His interests include Distributed Systems and Java. Currently he is enrolled in the course of CS550: Distributed Systems taught by Dr. Sun. As part of the course requirements he will be working on a project "A Secure Execution Service Enabling Distributed Systems" under supervision of Dr. von Laszewski from Argonne National Laboratory.

Where?

The code Vignesh is developing is avalable from svn at

svn co https://svn.sourceforge.net/svnroot/cogkit/trunk/src/school/vignesh

Vigneshs source forge account name is: vigneshmpn

What ?

This project has not been completed. It has been closed due to inactivity.

Introduction

Security is critical in any kind of distributed computing environment, because of the diverse and vast human and computing resources involved. It becomes more critical for web services because of the additional security threats due to the involvement of internet and challenges involved in implementing it are numerous. This motivated me to indulge in this project.

The objective of this project is to develop a secure Web service that can be employed as a distributed service infrastructure and allows a number of users to execute jobs on them. A simple queuing system for jobs and available machines will distribute the work amongst the available services. How to secure such a service will be the primary focus of this project.

Web services have various security threats as it involves vast users and resources over internet. What makes these threats more intimidating is the typical security implementations for web systems are not enough for the web services for various reasons.

Many XML-based security schemes have been developed to address various security needs of the web services. Those will include XML digital signature, XML Encryption, XKMS (XML Key Management Specification), XACML (Extensible Access Control Markup Language), SAML (Secure Assertion Markup Language), WS-Security (Web Services Security), ebXML Message Service. Unifying all these state-of-the-art security schemes would give the comprehensive solution for secure web services.

This proposal is organized in the following way: It discusses the history of security for web based systems, why those security schemes will not be enough for web services, what are the security threats for web services, what are different schemes to address those threats, how those schemes can be unified to provide a comprehensive solution.

Background

The security for a typical web based systems is addressed by SSL (Secure Socket Layer). But SSL will not work well for web services for various reasons. Foremost, SSL provides point-to-point security whereas web services need end-to-end security, meaning that there could be many intermediate nodes between the two end communication parties. In a web service framework, if a client sends a request to a service, the transport-level security can only deal with originator of the request. The end user’s authorization or authentication information is not available at the transport level to perform security based on the end user.

Web services not only require transport level security, but also message level. In SSL the data is secured only when it is transported over the network. But in web services not only the data, but the process also needs to be secured.

Apart from these HTTPS is not good at handling nonrepudiation, which critical for web services.

Web services use an XML-based enveloping technology, SOAP (Simple Object Access Protocol) as a messaging protocol. SOAP can be bound to both SMTP and HTTP.

Project Details

For a web service to be secure it should have all the following attributes: confidentiality, authentication, authorization, integrity, nonrepudiation, privacy, and availability.

XML digital signature is a digital signing technology to provide authentication, nonrepudiation and data integrity. The difference between any other signing technology and XML signature is we can even sign an individual or multiple items of an XML document.

XML encryption provides XML syntax for representing encrypted data and procedures for encrypting and decrypting such data.

XKMS (XML Key Management Specification) consists of two parts: XKISS (XML Key Information Service Specification) and XKRSS (XML Key Registration Service Specification). XKISS defines a protocol for resolving or validating public keys contained in signed and encrypted XML documents, while XKRSS defines a protocol for public key registration, revocation, and recovery. XKMS serves as a protocol specification between an XKMS client and an XKMS server in which the XKMS server provides trust services to its clients by performing various PKI (public key infrastructure) operations, such as public key validation, registration, recovery, and revocation on behalf of the clients.

XACML (eXtensible Access Control Markup Language) is a standard access control language in XML syntax. Being standard it avoids the need to develop an application-specific access control language.

SAML is a standard XML framework for exchanging authentication and authorization information.

The WS-Security (Web Services Security) defines a set of SOAP header extensions for end-to-end SOAP messaging security. It supports message integrity and confidentiality by allowing communicating partners to exchange signed and encrypted messages in a Web services environment.

ebXML Message Service defines how to securely and reliably send and receive SOAP messages.

All these can be unified to provide a comprehensive security solution. The SAML assertions can be digitally signed using XML digital signature. The same assertions can be encrypted using XML Encryption to ensure privacy. The public key used for digital signing and encryption can be validated and registered via XKMS. As for XACML, an SAML asserting party could use it to define an access control policy as a basis for handling SAML-based assertion requests.

References

Books

• Developing Java Web Services by Ramesh Nagappan, Robert Skoczylas, Rima Patel Sriganesh.
• Securing Web Services with WS-Security by Jothy Rosenburg and David Remy.
• Building Web Services with Java - Making sense of XML, SOAP, WSDL and UDDI (Second edition) by Steve Graham et al.
• Core Security Patterns - Best Practices and Strategies for J2EE, Web Services, and Identity Management by Christopher Steel, Ramesh Nagappan and Ray Lai.
• Java Web Services in a Nutshell by Kim Topley.
• Web Services Security by Mark O'Neill et al.

Links

• Secure Web Services
• Implementing WS-Security with Java and WSS4J

Papers

• Web Services Security (WS-Security) Graduation Project by Moustafa Mohammed Arafa, Isameil Moustafa Habib & Mohammed Ahmed Hossam.
• M. Vignesh, Februrary project report

Timeline

learn about how to do tasks in mediawiki, e.g. edit this page (Vignesh)
add tasks that need to be done for the project (Vignesh)
add important dates and milestones to the tasks (Vignesh)
complete this taks by Saturday March 11 (Vignesh)
upload report that has been handed in to wiki [Media:vignesh-feb-06-report.doc] (Vignesh)
include link to source code that you place on a public html web server (Vignesh)
include in timeline when the semester is over, and when Dr. Sun likes to see the final report (Vignesh)
Develop both windows and linux client - 03.12.06 (Vignesh)
Develop server with methods to execute commands (Vignesh)
Implement message integrity - XML signature (Vignesh)
Implement message confidentiality - XML encryption (Vignesh)
Implement authentication - SAML (Vignesh)
Implement authorization - SAML (Vignesh)
Implement key infrastructure - 04.02.06 (Vignesh)
Develop the queue for handling jobs - 04.09.06 (Vignesh)
Implement logging using log4j (Vignesh)
Bash scripts to automate setup service, create service, start service, stop service, setup client, create client, inspect log, etc., (Vignesh)
Implement the ANT build file. (Vignesh)
Create draft of final report for Dr.Gregor's review - 04.16.06 (Vignesh)
Semester gets over by 05.13.06 (Vignesh)
Read the book "Core security patterns" by Christopher Steel et al., for more insight. (Vignesh)
integrate in time table when report is due, integrate in time table when program is due (Vignesh)
March 12 - update progress report (Vignesh)
March 19 - update progress report (Vignesh)
March 26 - update progress report (Vignesh)
April 2 - update progress report (Vignesh)
April 9 - FAILED: update progress report (Vignesh)
April 9 - FAILED: Preliminary paper due with Gregor (Vignesh)
April 9 - FAILED: Preliminary code due with Gregor (Vignesh)
April 16 - FAILED: update progress report (Vignesh)
April 23 - update progress report (Vignesh)
April 30 - update progress report (Vignesh)
April 7 - FAILED: update progress report (Vignesh)
May 6 - FAILED: Final paper due with Gregor - this will be used for grading (Vignesh)
May 6 - FAILED: Final code due with Gregor - this will be used for grading (Vignesh)
May 13, Meeting With Dr. Sun and Gregor (Vignesh)

Note that the paper is in form of an academic paper submissible to a workshop or conference. Use IEEE or ACM conference templates. Refernces are not cited by mumbers but by labels in case word is used as tect processing system. IN aces you use LaTeX you are allowed to use numbers but you must use bibtex.

Progress

The progress of the project is monitored weekly:

In reverse order (latest week first):

Week July 14th

No progress has been reported since June 4th. The project has been closed due to inactivity. This project has unfortunatly not produced anything and has no impact on the Java CoG Kit.

Week May 28th, 2006 - June 4th, 2006

• What have I achieved this week?
  • I am facing problems in setting up a PKI infrastructure.

• What have I not achieved this week?
  • I am facing problems in setting up a PKI infrastructure.

• What do I plan to achieve next week?
  • Will give a good update this week.

Week May 15th, 2006 - May 21st, 2006

• What have I achieved this week?
  • Implemented the CmdExecuter web service.
  • Have setup the linux client.

• What have I not achieved this week?
  • Couldn't find a solution for key distribution.

• What do I plan to achieve next week?
  • Will find a solution for key distribution.
  • Will complete implementation of XML encryption and Signature.
  • Will start working on SAML authentication and authorization.

Week May 10th, 2006 - May 14th, 2006

• What have I achieved this week?
  • Submitted to the paper report and source code to Dr. Gregor.
  • Have implemented the client side processing of XML encryption and XML signature.
  • Read on PKI using OpenSSL. Will start implementing it.

• What have I not achieved this week?
  • I could not complete the project as per Dr.Sun's deadline. Still working on it.
  • Having problems in key distribution.

• What do I plan to achieve next week?
  • Will find a solution for key distribution.
  • Will complete implementation of XML encryption and Signature.
  • Will start working on SAML authentication and authorization.

Week May 1 - May 10th

• No progress report from the student.

Week Apr 24th, 2006 - Apr 30th, 2006

• What have I achieved this week?

Submitted to the pre-version paper report and source code to Dr. Gregor. Have implemented the client side processing of XML encryption and XML signature. Having issues on the server side.

• What have I not achieved this week?

I could not submit the document on the shell scripts because I wanted to hands on the server and client code before designing it.

• What do I plan to achieve next week?

Will complete implementation of SAML authentication and authorization.

Week Apr 18th, 2006 - Apr 23th, 2006

• What have I achieved this week?

Currently working on the implementation of encryption, signature and certificates. Half way through, but having issues with the implementation, so couldn't submit the code. Will be submitting the code by today (04/24/06)

• What have I not achieved this week?

I could not submit the document on the shell scripts because I wanted to hands on the server and client code before designing it.

• What do I plan to achieve next week?

Will submit the document on shell scripts, the source code and the pre-version of the paper.

Week Apr 10th, 2006 - Apr 17th, 2006

• What have I achieved this week?
• What have I not achieved this week?
• What do I plan to achieve next week?

• Student failed to meet with GVL as he missed the bus.
• Vignesh did not send the code or the writeup to GVL.
• A meeting has been rescheduled for April 19th, however, the student did not provide any material for me to review prior to the meeting as requested last week.

Week Apr 10th, 2006 - Apr 17th, 2006

• GVL: no progress report filed.
• GVL: no preliminary documnet.
• GVL: no preliminary code.

• student did not have time to meet due to Dr. visit.
• Vignesh did not provide any input on my request to send me his code or the writeup.

Week Apr 2nd, 2006 - Apr 9th, 2006

• GVL: no progress report filed.
• GVL: no preliminary documnet.
• GVL: no preliminary code.

Week Mar 27th, 2006 - Apr 2nd, 2006

• What have I achieved this week?
  • I didn't make much progress this week, spent lots of time but couldn't get something concrete.

• What have I not achieved this week?
  • Didn't implement client in linux.

• What do I plan to achieve next week?
  • Will implement client in Linux and security features.

Week Mar 27th, 2006 - Apr 2nd, 2006

• What have I achieved this week?
  • I couldn't afford time for the project. I'll updating the status tonight (04.3.2006).

• What have I not achieved this week?
  • Didn't implement client in linux.

• What do I plan to achieve next week?
  • Will implement client in Linux and security features.

Week Mar 20th, 2006 - Mar 26th, 2006

• What have I achieved this week?
  • I couldn't afford time for the project. I understand this is the third week in row. But this week I'll be primarily spending more time on the project this week and I'll update my progress here everyday of the whole week.

• What have I not achieved this week?
  • Didn't implement client in linux.

• What do I plan to achieve next week?
  • Will implement client in Linux and security features.

Week Mar 13th, 2006 - Mar 19th, 2006

• What have I achieved this week?
  • I have an exam for the algorithm, so will proceed with the project after the exam.

• What have I not achieved this week?
  • Didn't implement client in linux.

• What do I plan to achieve next week?
  • Will implement client in Linux and security features.

Week Mar 6th, 2006 - Mar 12th, 2006

• What have I achieved this week?
  • I haven't done anything, will show more progress over the spring break.

• What have I not achieved this week?
  • Didn't implement client in linux.

• What do I plan to achieve next week?
  • Will implement client in Linux and security features.

Week Feb 27th, 2006 - Mar 5th, 2006

• What have I not achieved this week?
  • Improve the project report.

Gregors comment: This weeks report did not include answers to the following questions

• What have I achieved this week?
• What do I plan to achieve next week?

A 1% grade reduction will be issued at the end of the semester

Week Feb 20th, 2006 - Feb 26th, 2006

• What have I achieved this week?
  • I submitted the initial project report to Dr.Gregor and Dr.Sun.

• What have I not achieved this week?
  • None.

• What do I plan to achieve next week?
  • Will start implementing the security features.

January 17, 2006

The project was not completed and a petition to retake the project was granted. An independent study is chosen instead of retaking the class.

• The student is aware that failure to report a weekly progress on this page will effect the overall grade.

• The student is aware that this project needs to be completed timely.

Week Nov 6th - Nov 22nd

GVL: No updates conducted by the student

Week Oct 31th, 2005 - Nov 6th, 2005

• What have I achieved this week?
  • I didnt make any progress this week.

• What have I not achieved this week?
  • Didn't start implementing the security features.

• What do I plan to achieve next week?
  • Will start implementing the security features.

Week Oct 24th, 2005 - Oct 30th, 2005

• What have I achieved this week?
  • Implemented further on the web service using Java.

• What have I not achieved this week?
  • Didn't start implementing the security features.

• What do I plan to achieve next week?
  • Will start implementing the security features.
  • GVL: This reference of the thesis is incomplete. Which University? Is it available online? If not how can I get a copy?
  • GVL: Can you place a snapshot of your code on a web serevr and make a link here. I like to look at it. Keep that code up to date. comment in your weekly progres son achievments in the code also. mention what works and what does not. you can do thi sin a readme file and link to the readme file.

Week Oct 17th, 2005 - Oct 23th, 2005

• What have I achieved this week?
  • I installed Apache Tomcat and Apache Axis, and tested them.
  • Implemented a "Hello World!" web service using Java.

• What have I not achieved this week?
  • Completed.

• What do I plan to achieve next week?
  • Will start implementing the security features.

Week Oct 10th, 2005 - Oct 16th, 2005

• What have I achieved this week?
  • I have completed reading the paper "Web Services Security (WS-Security) Graduation Project" by Moustafa Mohammed Arafa, Isameil Moustafa Habib & Mohammed Ahmed Hossam, which has given me comprehensive knowledge on the subject.

• What have I not achieved this week?
  • I didn't start writing a web service.

• What do I plan to achieve next week?
  • I'll complete my other readings and start with the implementation by this week.

Week Oct 3rd, 2005 - Oct 9th, 2005

• What have I achieved this week?
  • I read how to implement web services using Java from the book "Developing Java Web Services" by Ramesh Nagappan, Robert Skoczylas, Rima Patel Sriganesh.

• What have I not achieved this week?
  • I didn't start writing a web service.

• What do I plan to achieve next week?
  • I'll read more on web services security.

Week Sept 19th, 2005 - Sept 25th, 2005

• What have I achieved this week?
  • I completed my project proposal.
  • I did a detailed reading on implementing security in web services and detailed the same in the proposal.
  • I got the outline of security in web services.

• What have I not achieved this week?
  • I am yet to read about kerberos and WS-Security 1.0 specification.

• What do I plan to achieve next week?
  • I'll complete the reading on the topics I aforementioned.
  • I'll start writing a web service.

Multiple weeks missing

No progress report was recorded between Sept 18th to Oct 10th.

Week Sept 12th, 2005 - Sept 18th, 2005

• What have I achieved this week?
  • I have decided to do a project with Dr.Gregor.
  • The project is entitled "A Secure Execution Service Enabling a Distributed System".
  • I have started on the project proposal.
  • As web services security is the key aspect of this project, I have initiated a detailed reading on that topic.

• What have I not achieved this week?
  • I am yet to complete my proposal.

• What do I plan to achieve next week?
  • I plan to have a outline of my project and write the proposal.
  • I'll further my reading on web services security, basically the WS-Security 1.0 specification by OASIS-Open and more reading on kerberos.