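Graduate student: Yi-Ru Li (李宜儒)
Thesis title: The Security Issues and Solutions of Web Services Applied to Business Information Integration (original title: WebServices應用在企業資訊整合的安全性議題及解決方案之研究)
Advisor: Wen-Hsien Chen (陳文賢)
Degree: Master's
Institution: National Taiwan University
Department: Graduate Institute of Information Management
Discipline: Computer Science
Field: General Computer Science
Thesis type: Academic thesis
Year of publication: 2004
Graduation academic year: 92
Language: Chinese
Number of pages: 88
Keywords (Chinese, translated): business-to-business information integration; Web Services; enterprise resource integration; enterprise application integration; policy; security; privacy; trust; integration broker
Keywords (English): ERP; policy; Integration Broker; trust; Web Services; EAI; privacy; B2B Integration; security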
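This thesis proposes a complete solution architecture for applying Web Services to enterprise information integration and analyzes its possible security problems. The aim is to provide a security reference for building Web Services systems and, through discussion of a complete model, to identify the security issues it may contain, so that they can be noticed and avoided as far as possible when a secure system is designed.

The thesis first analyzes which enterprise information integration patterns Web Services can be applied to, then derives from the process flows of these patterns the process model that best represents the security problems under discussion. It then explores possible security solutions based on this model, and finally analyzes whether the proposed solutions have security holes.

The research leads to the following conclusions:

This thesis lays out a complete architecture for Web Services security. Any security solution can be discussed within this architecture by analyzing which part of the architecture it belongs in, how it connects to the other parts, and what defensive effect it can achieve.

Existing security technologies can all be examined to see how they can be used with Web Services. For example, privacy and trust establishment have been discussed extensively for traditional networks, but have received little discussion for Web Services; how this existing research on traditional networks can be applied to Web Services deserves further study.

Web Services are built on current information systems, so they inherit all the security problems that can occur there, plus the security problems that arise from the characteristics of Web Services themselves.

When an enterprise uses Web Services for internal information integration, the security risk is easier to control; when it integrates with parties outside the enterprise, many more risk factors have to be considered.

Much work remains before Web Services achieve sufficient security for enterprise information integration, such as: firewall design, security considerations for the SOAP server, filters for internally processed data, anti-virus software, management of authentication, how to solve previously unsolved security problems, and how to assess the security risk of an enterprise adopting Web Services.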


This paper suggests a high-level total solution for the security problems of applying Web Services to business integration, and discusses the essential security problems of this structure. The solution provides a security guide and an analysis base for the implementation of Web Services.

We analyze which business integration applications can be implemented with Web Services. We suggest a model that can represent the security process of all these applications. We then suggest possible security solutions for this model and analyze possible security holes in these solutions.

Our conclusions are as follows:

We suggest an entire structure for Web Services security. Every existing security solution can be analyzed with this model: whether it can be used for Web Services security, where it should be combined with the system, how it connects with other security solutions, and how to evaluate its efficiency.
Web Services inherit the traditional security problems because they are built on current information systems. In addition, they produce more problems because of the characteristics of Web Services.
We have better control when we use Web Services technology for internal integration of a business than for external integration.
We still have a lot of work to do before Web Services can be securely applied to business integration. For instance: the design of a firewall, how to make a secure SOAP server, filters for internal data, anti-virus software, how to solve the existing unsolved security problems, and how to evaluate the risk of implementing business integration with Web Services.


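Chapter 1 Introduction
Section 1 Research Background and Motivation
Section 2 Research Objectives
Section 3 Research Process

Chapter 2 Literature Review
Section 1 Application Patterns of Web Services in Enterprise Information Integration
Section 2 Current Web Services Security Standards

Chapter 3 Research Method
Section 1 Research Model
Section 2 Basic Security Requirements of Web Services

Chapter 4 Security Solutions
Section 1 Choosing Between Transport Level and SOAP Message Level Security
Section 2 XML Firewall and Web Services Security
Section 3 Establishing a Mutual-Trust Cooperation Model
Section 4 Exchanging Security Policies
Section 5 Configuring Privacy and Authorization
Section 6 Attack Patterns

Chapter 5 Threat Analysis

Chapter 6 Conclusion
Section 1 Research Results
Section 2 Contributions and Future Suggestions
References
Appendix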



