Journal of International Technology and Information Management

A Multilayer Secured Messaging Protocol for REST-based Services


Abstract

The lack of a descriptive language and of security guidelines poses a big challenge to implementing security in the Representational State Transfer (REST) architecture. There is an over-reliance on Secure Socket Layer/Transport Layer Security (SSL/TLS), which in recent times has proven to be fallible; recent attacks against SSL/TLS include POODLE, BREACH, CRIME, BEAST and FREAK. A secure messaging protocol is implemented in this work and compiled into a reusable library that can be called by other REST services. Using the Feature Driven Development (FDD) software methodology, a two-layer security protocol was developed. The first layer is a well-hardened SSL/TLS configuration. The second layer is an end-to-end protocol that handles authentication, authorization, encryption and message integrity, as well as timing and replay attack prevention. The end-to-end protocol uses HMAC-512 and a hybrid encryption system based on the AES and RSA algorithms. The protocol was then compiled into a reusable library in C#. Two different tests were carried out on this protocol: a penetration test and an SSL/TLS configuration test. The penetration test was carried out using the Open Web Application Security Project Zed Attack Proxy (OWASP ZAP) application and the Fiddler Web Debugger. The SSL/TLS test checked the SSL/TLS layer of the protocol for known vulnerabilities using a popular SSL/TLS test tool known as SSL Lab. The raw and scaled scores obtained from SSL Lab were 95% and 93% respectively. The results of the implementation test show that the protocol is implementable. The penetration test results show that the protocol is resistant to unauthorized-access, timing and replay attacks. The grade obtained from the SSL/TLS test is "A+", and the result also shows that the implementation is not vulnerable to currently known SSL attacks. The library can be reused by .NET applications, and the implementation steps can also be followed by other REST service developers on other platforms.
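The abstract only names the building blocks of the second layer (HMAC-512 plus timing and replay prevention). The sketch below is an added illustration of that integrity and anti-replay layer, not the paper's C# library; it assumes "HMAC-512" means HMAC-SHA512, a pre-shared per-client key, and a 30-second freshness window, and it leaves out the hybrid AES/RSA body encryption.

```python
# Added example (not from the paper): models the end-to-end integrity, timing
# and replay checks of the second layer. Assumptions: HMAC-512 = HMAC-SHA512,
# a shared per-client key, a 30 s freshness window, and headers named below.
import hashlib
import hmac
import secrets
import time

MAX_SKEW = 30.0  # seconds a signed message stays acceptable (assumed window)


def _canonical(method, path, timestamp, nonce, body):
    # Everything the verifier must see unchanged is bound into the tag.
    return "\n".join([method.upper(), path, str(timestamp), nonce, body]).encode()


def sign_request(key, method, path, body, timestamp=None, nonce=None):
    """Client side: attach timestamp, fresh nonce and HMAC-SHA512 tag as headers."""
    timestamp = int(time.time()) if timestamp is None else timestamp
    nonce = secrets.token_hex(16) if nonce is None else nonce
    tag = hmac.new(key, _canonical(method, path, timestamp, nonce, body), hashlib.sha512).hexdigest()
    return {"X-Timestamp": str(timestamp), "X-Nonce": nonce, "X-Signature": tag}


class Verifier:
    """Server side: checks the tag first, then the freshness window, then nonce reuse."""

    def __init__(self, key, max_skew=MAX_SKEW):
        self.key = key
        self.max_skew = max_skew
        self.seen = {}  # nonce -> message timestamp; evicted once outside the window

    def verify(self, method, path, body, headers, now=None):
        now = time.time() if now is None else now
        try:
            ts = int(headers["X-Timestamp"])
            nonce = headers["X-Nonce"]
            tag = headers["X-Signature"]
        except (KeyError, ValueError):
            return False, "missing or malformed auth headers"
        expected = hmac.new(self.key, _canonical(method, path, ts, nonce, body), hashlib.sha512).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return False, "bad signature"  # constant-time compare; unauthenticated input stops here
        if abs(now - ts) > self.max_skew:
            return False, "stale timestamp"  # timing attack prevention: old or future-dated messages
        # Nonces outside the window can no longer pass the freshness check, so drop them.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.max_skew}
        if nonce in self.seen:
            return False, "replayed nonce"  # replay prevention within the window
        self.seen[nonce] = ts
        return True, "ok"
```

In a real deployment the nonce cache would be shared across server instances, since a replay sent to a different node must still be rejected.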