Your search keyword '"Lijun Liao"' showing total 12 results

1. On Interoperability Failures in WS-Security

Author

Lijun Liao, Nils Gruschka, Meiko Jensen, and Florian Kohlar

Subjects

World Wide Web, Computer science, WS-Security, Interoperability, XML Signature, Computer security, computer.software_genre, computer

Abstract

The rise in adoption of the Web Services specifications for inter-organizational business processes has led to the development of complex architecture stacks for processing Web Services messages. In particular, the proper use of the WS-Security specification poses a real challenge in terms of manageability and interoperability to adopting companies of today. This chapter is about an example of such complexity causing severe vulnerabilities in terms of security. More precise, it discusses the XML Signature Wrapping attack, which is one of the most severe attack types in Web Services. Starting with a technical description and a real-world attack incident, the chapter explains the rationale and impact of the attack, along with a brief discussion on mitigation and countermeasures.

Published

2011

2. The curse of namespaces in the domain of XML signature

Author

Jörg Schwenk, Lijun Liao, and Meiko Jensen

Subjects

XML Encryption, Computer science, Efficient XML Interchange, XML Signature, XML validation, computer.file_format, Computer security, computer.software_genre, XML signature, XML namespace injection, World Wide Web, XML Schema Editor, Streaming XML, XML namespace, ComputingMethodologies_DOCUMENTANDTEXTPROCESSING, Signature wrapping, Prefix-free canonicalization, XML namespaces, XML schema, computer, computer.programming_language

Abstract

The XML signature wrapping attack is one of the most discussed security issues of the Web Services security community during the last years. Until now, the issue has not been solved, and all countermeasure approaches proposed so far were shown to be insufficient. In this paper, we present yet another way to perform signature wrapping attacks by using the XML namespace injection technique. We show that the interplay of XML Signature, XPath, and the XML namespace concept has severe flaws that can be exploited for an attack, and that XML namespaces in general pose real troubles to digital signatures in the XML domain. Additionally, we present and discuss some new approaches in countering the proposed attack vector.

Published

2009

3. Analysis of Signature Wrapping Attacks and Countermeasures

Author

Jörg Schwenk, Lijun Liao, Meiko Jensen, and Sebastian Gajek

Subjects

Theoretical computer science, Database, Computer science, computer.internet_protocol, WS-Security, XML Signature, Context (language use), computer.software_genre, Signature (logic), Boolean algebra, symbols.namesake, Digital signature, symbols, computer, XML, XPath

Abstract

In recent research it turned out that Boolean verification, of digital signatures in the context of WSSecurity, is likely to fail: If parts of a SOAP message, are signed and the signature verification applied to, the whole document returns true, then nevertheless the, document may have been significantly altered., In this paper, we provide a detailed analysis on the, possible scenarios that enable these signature wrapping, attacks. Derived from this analysis, we propose, a new solution that uses a subset of XPath instead of, ID attributes to point to the signed subtree, and show, that this solution is both efficient and secure.

Published

2009

4. Securing E-Mail Communication with XML Technology

Author

Mark Manulis, Jörg Schwenk, and Lijun Liao

Subjects

World Wide Web, Cloud computing security, Security service, Computer science, Security through obscurity, Computer security model, Computer security, computer.software_genre, Communications security, Phishing, computer, Security information and event management, Security testing

Abstract

This chapter deals with the issues concerning e-mail communication security. We analyze the most popular security mechanisms and standards related to the e-mail communication and identify potential threats and vulnerabilities. The most significant drawback of all current approaches is the impossibility of keeping headers information authentic. This leads to possible impersonation attacks and profiling of the e-mail communication, and encourages spam and phishing activities. Furthermore, none of the currently available security mechanisms supports partial signature generation of the e-mail content by distinct signers, which might be useful in commercial scenarios. To handle these problems, we suggest a new approach, called XMaiL, which can be considered as an advanced email security mechanism based on the popular XML technologies. The proposed XMaiL supersedes all currently available e-mail security standards in the sense of the higher flexibility and security.

Published

2009

5. Stronger TLS bindings for SAML assertions and SAML artifacts

Author

Sebastian Gajek, Jörg Schwenk, and Lijun Liao

Subjects

World Wide Web, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, Same-origin policy, Client certificate, Computer science, ComputingMilieux_COMPUTERSANDSOCIETY, Computer security, computer.software_genre, computer, Security layer, Implementation

Abstract

Based on recently proposed attack scenarios, we show that SAML assertions and SAML artifacts are still vulnerable to real-world attacks on browser-based implementations. We propose two different bindings of SAML assertions and SAML artifacts to the TLS security layer and show that these bindings protect against all known attacks. The two bindings are based on TLS client certificates, and on a variant of the well-known Same Origin Policy of browsers.

Published

2008

6. SSL-over-SOAP: Towards a Token-based Key Establishment framework for Web services

Author

Sebastian Gajek, Jörg Schwenk, Lijun Liao, and Bodo Möller

Subjects

Authentication, Software_OPERATINGSYSTEMS, Transport Layer Security, business.industry, SOAP, computer.internet_protocol, Computer science, ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS, Cryptography, Encryption, Web application security, Computer security, computer.software_genre, Security association, Web service, business, computer, Computer network

Abstract

Key establishment is essential for many applications of cryptography. Its purpose is to negotiate keys for other cryptographic schemes, usually for encryption and authentication. In a web services context, WS-SecureConversation has been specified to make use of negotiated keys. The most popular key establishment scheme in the Internet is the (handshake protocol of the) Secure Socket Layer or Transport Layer Security protocol (SSL/TLS). However, SSL/TLS has primarily been designed to secure HTTP, by encrypting and authenticating TCP connections. It is thus not usable to negotiate keys in SOAP connections with intermediaries. We propose SSL-over-SOAP, a family of key establishment protocols for Web services. It is based the design of the SSL handshake, so security analysis results for standard SSL/TLS apply to our new proposal. We have implemented this protocol in the framework of WS-Trust and WS-SecureConversation.

Published

2008

7. A Novel Solution for End-to-End Integrity Protection in Signed PGP Mail

Author

Jörg Schwenk and Lijun Liao

Subjects

DomainKeys Identified Mail, Authentication, business.industry, Computer science, InformationSystems_INFORMATIONSYSTEMSAPPLICATIONS, Hash function, Email authentication, Computer security, computer.software_genre, Phishing, End-to-end principle, Header, Profiling (information science), business, computer, Computer network

Abstract

PGP mail has been widely used to provide the end-to-end authentication, integrity and non-repudiation. However it has the significant drawback that the email header is unauthentic. DKIM protects specified header fields, but only between the sending server and the receiver. These lead to possible impersonation attacks and profiling of the email communication, and encourage spam and phishing activities. In this paper we propose an approach to extend PGP mail to support end-to-end integrity of whole email, namely the whole content and selected header fields. This approach is fully compatible with PGP mail. Under some reasonable assumption our approach can help to reduce spam efficiently.

Published

2008

8. End-to-End Header Protection in Signed S/MIME

Author

Jörg Schwenk and Lijun Liao

Subjects

Authentication, DomainKeys Identified Mail, Computer science, Hash function, Header, Email authentication, S/MIME, Computer security, computer.software_genre, Phishing, computer, Privacy-enhanced Electronic Mail

Abstract

S/MIME has been widely used to provide the end-to-end authentication, integrity and non-repudiation. S/MIME has the significant drawback that headers are unauthentic. DKIM protects specified headers, but only between the sending server and the receiver. These lead to possible impersonation attacks and profiling of the email communication, and encourage spam and phishing activities. In this paper we propose an approach to extend S/MIME to support end-to-end integrity of email headers. This approach is fully compatible with S/MIME. Under some reasonable assumption our approach can help reduce spam efficiently.

Published

2007

9. Breaking and fixing the inline approach

Author

Jörg Schwenk, Lijun Liao, and Sebastian Gajek

Subjects

Theoretical computer science, Database, computer.internet_protocol, Computer science, Semantics (computer science), XML Signature, Context (language use), computer.software_genre, Signature (logic), Digital signature, computer, Boolean data type, XML, Counterexample

Abstract

McIntosh and Austel (SWS 2005, [12] ) have shown that standard semantics of digital signatures in context of WS-Security fail: If parts of the document are signed and the signature verification applied to the whole document returns a Boolean value, then the document can be significantly altered without invalidating the signature. Rahaman, Schaad and Rits (SWS 2006, [15] ) introduce the inline approach against the flaw. We analyze the inline approach and demonstrate weaknesses by the construction of counterexamples. Finally, we study solution ideas that mitigate XML wrapping attacks.

Published

2007

10. Semantic QoS-based Web Service Discovery Algorithms

Author

Jörg Schwenk and Lijun Liao

Subjects

DomainKeys Identified Mail, Computer science, business.industry, HTML email, Email authentication, Computer security, computer.software_genre, Web application security, Internet security, Privacy-enhanced Electronic Mail, Electronic mail, World Wide Web, Email encryption, business, computer

Abstract

Cryptographically signed email has been widely used to provide the end-to-end authentication, integrity and non-repudiation. PGP mail and S/MIME have the significant drawback that the headers are unauthentic. DKIM protects specified headers, however, only between the sending server and the receiver. These lead to possible impersonation attacks and profiling of the email communication, and encourage spam and phishing activities. Furthermore, none of the currently available security mechanisms supports signature generation over partial email content by distinct signers, which might be useful in commercial scenarios. In order to handle these problems we suggest a new approach which can be considered as an advanced email security mechanism based on the popular XML technology. Our approach supersedes currently available email security standards in the sense of the higher flexibility and security, and can be transported via Web Services easily.

Published

2007

11. Composition of Web Services Using Ontology with Monotonic Inheritance

Author

Lijun Liao, Beishui Liao, Aimin Yang, and Changyun Li

Subjects

Relation (database), Computer science, business.industry, Knowledge level, Process ontology, Software_PROGRAMMINGTECHNIQUES, Ontology (information science), computer.software_genre, Task (project management), World Wide Web, Inheritance (object-oriented programming), Ontology, Information system, Web service, Software engineering, business, computer

Abstract

To realize the automatic and on-demand integration of web services, it is necessary to resolve such issues as the high-level task decomposing and the goal planning at the concept level. We propose a process ontology model by adopting an inheritance mechanism with overriding declaration and monotonic inheritance. The inherited relation among processes implies a layered structure of task decomposing. A framework of automatic composition of web services at knowledge level is proposed.

Published

2005

12. Secure XMaiL or How to Get Rid of Legacy Code in Secure E-Mail Applications

Author

Lars Ewers, Wolfgang Kubbilun, Jörg Schwenk, and Lijun Liao

Subjects

computer.internet_protocol, business.industry, Computer science, Computer security, computer.software_genre, Encryption, Electronic mail, Digital signature, Financial cryptography, The Internet, business, Legacy code, computer, XML

Abstract

E-mail is one of the oldest applications on the internet. Clients have to adhere to message formats that have been defined in RFC 822 [13] back in 1982, and at the same time be able to transport all types of content. Additionally, there are severe restrictions for the use of both encryption and digital signatures due to the adherence to RFC822. In this paper we propose a new approach based on our XMaiL project: Using the XMaiL parser, we transform header and body of the mail into an XML object. This transformation preserves both the MIME and the PKCS#7 structure of the mail. We describe the security enhancements that are possible using XMaiL such as selective encryption and signature of parts of the e-mail, or signature of critical fields in the header of the mail.

Published

2005