A Proposed SOAP Model Against Wrapping Attacks and Insecure Conversation

Abstract

The web services in SOA are under the heterogeneous ownership domains, there should be a uniform means to offer, discover and interact with each other. Ensuring interoperatability among the web service which is under various ownership domains is the most important challenge. One of the major interoperatablilty issue is protecting the SOAP message from rewriting attacks and insecure conversation as the contents of a SOAP message protected by an XML Signature as specified in WS-Security can be altered without invalidating the signature. The paper presents a proposed SOAP model avoids rewriting attacks and ensures secure conversation. The model highlighted three possible recommendations namely, using shared key for encrypting timestamp in the message body for generating corresponding signature; Secondly, using value referencing both for signature validation and message processing; and finally encrypting the whole SOAP body instead of sending an open SOAP Message in the network to prevent unauthorized access. The paper at the end concludes that the proposed model not only successfully detects rewriting attacks and establishes secure conversation but it also has less overhead in terms of performance metric time which is an important issue in security