The term "mashup" originated in the music field, where it means producing a new song by mixing vocals, lyrics and background music [1]. A number of new techniques for creating web applications have resulted in the rapid growth of Web 2.0; one of these techniques is mashing up the required content/services from several independent sources in order to create a new content/service [1]. A web mashup (which began as the result of a security violation, a hacker named Paul Rademacher exploiting a hole in the Google Maps web application [2]) can be defined as a situational web application or web page that is created by extracting, parsing and aggregating the required relevant content/services from diverse, publicly available web applications to fulfil user needs and tasks by presenting them on the user's computer screen [3] [4] [5]. A simple example is a web page pulling map data from one source and the location data of some kind of service (such as restaurants or houses for sale) from another site, and displaying the map with the services placed on it, as shown in Figure 1 [5]. Obviously the mashup result is more valuable to the user than an individual piece of information. A web site containing a web page that combines these resources is called the integrator, and the web site that contains the content the integrator wants to use is called the provider [2].
Figure 1: Example of a mashup [5]
To make the mashup creation process easier, several frameworks have been suggested in the last few years to help experts as well as users with no programming experience. Many content providers have offered Application Programming Interfaces (APIs) allowing other users to interact, make data/service requests and receive responses to their requests, thus making the creation of mashups easy [1]. Google is the pioneer and is closely followed by Flickr, Amazon, Twitter, YouTube, etc. The number of web mashups is increasing enormously, and programmableweb (a directory service for web mashups) registers three new web mashups every day [6]. This directory currently contains more than 9000 registered mashups and more than 3000 registered content provider APIs. The number of web mashups provided in the different areas, along with their percentage of the total number of web mashups available to date, is shown in Figure 2.
Several technologies have been invented to make the request and response of data efficient and understandable, as well as its storage, such as Ajax, syndicated feeds like RSS or ATOM, REST, SOAP and JSON etc., and data is transferred in XML format [5]. Screen scraping is another way, using software tools to parse and analyse content originally written for human beings and extract the required information to be used and manipulated programmatically [2].
A web mashup can be either a consumer mashup or an enterprise mashup. A consumer mashup combines different data types and uses public web sites that have made their content available through well-defined APIs and feeds etc., thus requiring less programming expertise; for example, Wikipediavision combines the Google Maps and Wikipedia APIs. An enterprise mashup, also called a data mashup, combines similar types of data/information from diverse sources into a unique representation and creates a new web service. Architecturally, mashups can be either web-based or server-based: in web-based mashups the user's web browser is used to integrate and represent the data, whereas server-based mashups use a remote server to analyse and reformat the data, which is sent back to the user's browser for display to the user [3].
Figure 2: Web mashup categories
Similarly, each web mashup addresses a particular purpose, such as (a) mapping mashups: use maps and location data to be displayed graphically; (b) video and photo mashups: combine other information with videos or photos using the metadata associated with the videos or photos; (c) search and shopping mashups: search different content providers for a product, compare their offered prices and come up with an optimal result for the user; (d) news mashups: use RSS or ATOM syndication and disseminate news feeds to the users [4].
2. MASHUP SECURITY
A mashup is concerned with integrating content/services from different sources into a new service and hence creates new security issues, such as: who made the data to be combined available? What are the intentions behind its availability (e.g. commercial reasons)? What is the trustworthiness of the available content? etc. [1]. Security issues can arise either from the security problems or loop-holes of the technology being used, or from the nature of the mashups being performed [5].
The Same-Origin Policy (SOP) security model implemented by browsers also creates problems for mashup security. SOP uses the origin to classify documents: documents belonging to the same origin can freely access each other's contents, whereas documents from different origins are not allowed such access; origins are identified by hostname/Internet domain and protocol along with port [2] [6]. SOP imposes some restrictions on scripts, and violation of any of them can result in a security breach [2]:
A script from one origin should not be able to read or write content in another document or frame belonging to another origin.
A script from one origin should not use XMLHttpRequest to communicate with a site of another origin.
Scripts' access to cookies and browser plug-ins is restricted by the Same-Origin Policy.
The iframe tag was introduced to solve these problems [6], but there are still several ways to attack browsers; the most well-known are Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) [1].
The techniques used to create mashups completely ignore the SOP (Same-Origin Policy); hence a new security framework needs to be built in which issues like user privacy, data integrity, data confidentiality and user authentication are addressed [2].
User Privacy: A user entering content into a web page may wish that it be available to a particular web site and not to any other unwanted party.
Data Integrity: The user should be assured that the content received by his web page has not been corrupted by any untrusted party on the way before being received; in other words, the user receives the content exactly as it was sent by the sending body.
User Authentication: The communicating entities may wish to guarantee and verify each other's identities in order to build trust measures.
Data Confidentiality: The communicating entities may wish to guarantee that the content being exchanged is readable only by them; any other third party on the way should not be able to disclose the contents of a message.
3. PROPOSED SOLUTION
Two of the most common attacks on mashup security are XSS and CSRF. XSS can be avoided by specifying session timeouts or regenerating session identifiers with each request, and CSRF can be avoided by configuring servers not to accept HTTP GET requests, which is practically impossible; hence another way is that a token should be transmitted to the server with each HTTP POST and GET request [4]. Most current research work basically focuses on providing solutions to XSS and CSRF, whereas the issues of data integrity, data confidentiality, user privacy and user authentication have not been addressed explicitly and may be left to the web protocols or technologies used for sending, receiving and storing data. Hence, a composite framework is needed that takes all these issues into account. The use of cryptographic techniques can help us in this regard.
The proposed solution considers a server-side mashup architecture, where the mashup components are combined on the server and users request data from it. The proposed solution uses cryptographic techniques. The proposed architecture consists of two phases: Phase 1 and Phase 2.
3.1 PHASE 1
Phase 1 consists of three steps (a three-way handshake) taking place between the user and the mashup server, as shown in Figure 4.
In step 1, the user sends a message consisting of a request along with the user ID, the user's public key and a nonce (a number generated uniquely with each session request, to provide protection against replay attacks). The message is encrypted using the public key of the mashup server (available to the user).
In step 2, the mashup server responds with a message encrypted using the user's public key, where the message contains a request-specific array of tokens for the user, the session timeout policy, the session ID, a nonce (unique to each user request) and a function applied to the nonce sent by the user (showing that the user's request message was received and correctly interpreted by the mashup server).
In step 3, the user responds with a message encrypted using the mashup server's public key, where the message contains a function applied to the nonce sent by the mashup server (showing that the server's message was received and correctly interpreted by the user), and the request-specific array of tokens sent by the mashup server for the user (showing that the user has agreed upon the server-selected request-specific array of tokens for the user).
The basic reasons for these three steps are the introduction of the user to the server as well as the transmission of some control information selected by the mashup server for the user, such as the session timeout policy, the session ID and the request-specific array of tokens, which can be used for useful functions: the session timeout policy specifies the session expiration policy that can be used to guard against XSS attacks, and the request-specific array of tokens can be used to guard against CSRF attacks.
3.2 PHASE 2
Phase 2 consists of two scenarios that differ slightly from each other, as shown in Figure 5. Figure 5(a) shows the transmission of a user request to the mashup server and Figure 5(b) shows the mashup server's response to the user request. Both use the PGP (Pretty Good Privacy) protocol that is normally used with electronic mail, but Figure 5(a) slightly modifies it for the transmission of token information. PGP is basically aimed at providing data confidentiality and user authentication, and that is what we actually want to achieve through its use, as well as other objectives.
Figure 3: Server-side mashup model
Figure 4: Phase 1 — Exchange of control information between user and mashup server
DATA AUTHENTICATION AND USER CONFIDENTIALITY
User authentication and data confidentiality are required for the protection of the data to be communicated and are achieved in a similar manner in both scenarios.
User Authentication: On the sender side, the calculated hash value is encrypted using the private key of the sender (KRA); at the receiver side, the encrypted hash value is decrypted using the public key of the sender (KUA).
Data Confidentiality: On the sender side, the sender selects a session key (Ks) and encrypts the concatenated message using the selected session key. The session key is also encrypted using the public key of the receiver (KUB) and is combined with the encrypted concatenated message to be transmitted to the receiver. On the receiver side, the receiver first extracts the encrypted session key and decrypts it using the receiver's private key (KRB). The encrypted concatenated message is then decrypted using the recovered session key. Thus an unauthorised user who has no knowledge of the keys concerned, even if he/she captures the message in transit, would not be able to decrypt it and disclose the message contents.
Figure 5: Phase 2 (a) Request from user to mashup server
(b) Response from mashup server to the user
Data integrity is again achieved in a similar manner in both scenarios. On the sender side, the hash code is generated using SHA-1 and is then encrypted using the sender's private key (KRA). The encrypted hash code is combined with the original transaction message and sent to the receiver. The receiver side separates the hash code from the message and decrypts it using the sender's public key (KUA). At the same time, the receiver also calculates the hash code of the received message using the same SHA-1 algorithm. If the calculated hash code and the decrypted hash code are the same, the received message is accurate (it is exactly as sent by the sender); otherwise some problem has occurred on the way.
A CSRF attack can be initiated on the mashup server. SOP, user name/password, cookies and SSL do not provide protection against CSRF attacks; hence a request-specific token should be included within each HTTP GET and POST request to protect against CSRF [4]. A request-specific token is associated with the message by the sender, as shown in Figure 5(a), and is verified by the receiver: if found correct the message is accepted, otherwise it is rejected. The response from the mashup server to the user does not need to use the token, as shown in Figure 5(b).
4. CONCLUSION AND FUTURE WORK
A new era on the web has been started by Web 2.0. Instead of creating web applications from scratch, relevant content can be extracted from the sources available online, meshed together and presented in a unique manner. This new phenomenon can introduce many security challenges that are not limited to cross-site referencing; others such as data integrity, user authentication and data confidentiality are equally of real importance. The built-in security model (Same-Origin Policy) implemented in web browsers, as well as cookies, SSL etc., cannot deal with these security challenges; hence a new security framework is needed.
This research paper presents a security framework using cryptographic techniques that can be used in the server-side mashup model and will provide solutions to the most common mashup security attacks, such as XSS and CSRF, and the other security issues discussed above.
But the story does not end here. There are certain other parameters, such as access control and non-repudiation, which are also essential for a system's security. In the future, it is intended to extend the proposed framework to accommodate these security parameters as well.