SOA Security

Abstract: Due to the dynamic nature, such as services composition and evaluation, it is critical for a Service-Oriented Architecture (SOA) system to consider its data provenance, which concerns security, reliability, and integrity of data as they are being routed in the system. In a traditional software system, one focuses on the software itself to determine the security, reliability, and integrity of the software. In an SOA system, however, one also needs to consider origins and routes of data and their impact, i.e., data provenance. This paper first analyzes the unique nature and characteristics of data provenance in an SOA system, particularly related to data security, reliability, and integrity. Then it proposes a new framework for data provenance analysis in an SOA system. Finally, this paper uses an example which illustrates these techniques.

Abstract: In a selective opening attack SOA on an encryption scheme, the adversary is given a collection of ciphertexts and she selectively chooses to see some subset of them "opened", meaning that the messages and the encryption randomness are revealed to her. A scheme is SOA secure if the data contained in the unopened ciphertexts remains hidden. A fundamental question is whether every CPA secure scheme is necessarily also SOA secure. The work of Bellare et al. EUROCRYPT'12 gives a partial negative answer by showing that some CPA secure schemes do not satisfy a simulation-based definition of SOA security called SIM-SOA. However, until now, it remained possible that every CPA-secure scheme satisfies an indistinguishability-based definition of SOA security called IND-SOA. In this work, we resolve the above question in the negative and construct a highly contrived encryption scheme which is CPA and even CCA secure but is not IND-SOA secure. In fact, it is broken in a very obvious sense by a selective opening attack as follows. A random value is secret-shared via Shamir's scheme so that any t out of n shares reveal no information about the shared value. The n shares are individually encrypted under a common public key and the n resulting ciphertexts are given to the adversary who selectively chooses to see t of the ciphertexts opened. Counter-intuitively, by the specific properties of our encryption scheme, this suffices for the adversary to completely recover the shared value. Our contrived scheme relies on strong assumptions: public-coin differing inputs obfuscation and a certain type of correlation intractable hash functions. We also extend our negative result to the setting of SOA attacks with key opening IND-SOA-K where the adversary is given a collection of ciphertexts under different public keys and selectively chooses to see some subset of the secret keys.

Abstract: Services account for a major part of the IT industry today. Companies increasingly like to focus on their core expertise area and use IT services to address all their peripheral needs. Services Computing is a new science which aims to study and better understand the foundations of this highly popular industry. It covers the science and technology of leveraging computing and information technology to model, create, operate, and manage business services. Since 2004, the International Conference on Services Computing (SCC) has provided a platform for practitioners to present the latest advances in services science. Like its predecessors, SCC 2009 will contribute in building the pillars of this important science and shaping the future of Service Computing.Services Computing currently shapes the thinking of business modeling, business consulting, solution creation, service delivery, and software architecture design, development and deployment. The global nature of Services Computing leads to many opportunities and challenges and creates a new networked economic structure for supporting different business models. SCC 2009 will help in bridging the gap between business services and information technology by driving research in technologies such as service-oriented architecture (SOA), business process integration and management, service engineering and grid/utility computing and Web 2.0. The theme of the conference is "Innovation in Globally Integrated Services". SCC 2009 will have the following major tracks: Foundations of Services Computing, Service Computing Practices and Applications and Business Aspects of Service Computing.SCC 2009 is sponsored by the IEEE Computer Society Technical Committee on Services Computing. SCC 2004 was held in Shanghai, China, September 15-18, 2004 . SCC 2005 was co-located with ICWS 2005 on July 11-15, 2005 in Orlando, Florida, USA. SCC 2006 was co-located with ICWS 2006 on September 18-22, 2006 in Chicago, Illinois, USA. SCC 2007 was co-located with ICWS 2007 on July 9-13, 2007 in Salt Lake City, Utah, USA. SCC 2008 was held on July 8-11, 2008, Honolulu, Hawaii, USA. The SCC Proceedings has been included in EI Compendex.SCC 2009 will concentrate on the science and technology of Business/Application Services and the bridging technologies such as Business Strategy and Design, Business Process Integration and Management, Grid and Utility Computing, and SOA Services and Solutions; while the 2009 IEEE International Conference on Web Services (ICWS 2009) will continue to put its focus on all aspects of Web based services from infrastructure and application perspectives; IEEE Congress on Services (SERVICES 2009) covers innovations in all vertical services industries and education agenda.