Abstract
Web services can easily publish their functions to the rest of the web. At the same time, they suffer from several security pitfalls. Currently, there is limited research on how the proposed web-services security countermeasures affect performance and applicability. In this paper, we introduce the threats and attacks against web-services authentication, present the most widely used security methods for protecting it, and identify the threats and attacks tackled by those methods. Moreover, we evaluate the web-service authentication mechanisms proposed in these implementations, not only on a theoretical level (taking into consideration all the security issues of the implementing authentication sub-mechanisms), but also in a laboratory environment (by conducting extensive experiments). Finally, we demonstrate the trade-offs between sophisticated web-service security methods and their performance.
Copyright information
© 2012 IFIP International Federation for Information Processing
Cite this paper
Soupionis, Y., Kandias, M. (2012). Web Services Security Assessment: An Authentication-Focused Approach. In: Gritzalis, D., Furnell, S., Theoharidou, M. (eds) Information Security and Privacy Research. SEC 2012. IFIP Advances in Information and Communication Technology, vol 376. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-30436-1_49
DOI: https://doi.org/10.1007/978-3-642-30436-1_49
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-30435-4
Online ISBN: 978-3-642-30436-1
eBook Packages: Computer Science, Computer Science (R0)