Académique Documents
Professionnel Documents
Culture Documents
Proceedings of the 2009 International Symposium on Web Information Systems and Applications (WISA09)
Nanchang, P. R. China, May 22-24, 2009, pp. 190-193
I. INTRODUCTION
In recent years, most of WebGIS services publish maps
on internet based on Tile-Map technique, such as Google
Maps, Yahoo Maps, NASAs World Wind, Mapabc,
MapBar, etc. With this technique, the performance had
been improved when the users zoom or scroll the map. In
essence, the tile caches are pre-rendered and pregenerated [1] by special program based on geographic
vector data. As this technique progresses and becomes
more readily available to the wide masses around the
world, the interrelated issues of GIS and map data
security start to surface. This paper analyzed the
publishing mode based on Tile-Map technique and
discussed the security mechanism from four aspects:
client code, raster data, vector data, and attribute data.
This paper also gives the corresponding implementation
to improve the data security based on Tile-Map technique.
TABLE I.
Website
Maps.google.com
http://mt1.google.com/mt?
v=w2.86&hl=zh-CN
&x=6697&y=3364&z=13&s=Galileo
www.mapabc.com
http://emap1.mapabc.com/mapabc/maptile?
v=w2.61&x=837&y=420&zoom=7
www.mapbar.com
http://img1.mapbar.com
/maplite/mapbank/baidu/6/22_7/8_5.png
www.51ditu.com
http://cache2.51ditu.com
/8/1102/8796140208304.png
C. Preventive measure
The http request parameters list above are not
encrypted which make it easy to download all the raster
map tiles from the server side. In order to avoid the bulk
downloading of map tiles, certain preventive measures
must be taken. For example, Google Earth uses
Intermittent IP frozen method to restrict the illegal bulk
downloading. Although non-authorized user can bypass
this restriction through dynamically changing the proxy
server, the difficulty of downloading will undoubtedly
increase. As a kind of effective preventive measure, the
way of encrypting the Http requests is widely adopted.
There are many encryption algorithms for Http request
contents, such as TEA (Tiny Encryption Algorithm) [9],
which is a very simple symmetric encryption algorithm
and its effect of encryption not rely on the complexity of
the algorithms own, but the rounds of encryption. This
algorithm also has a good anti-differential performance.
TEA operates on 64-bit blocks and uses a 128-bit key. It
has a Feistel structure with a suggested 64 rounds,
typically implemented in pairs termed cycles. It also has
an extremely simple key schedule, mixing all of the key
material in exactly the same way for each cycle. Different
multiples of a magic constant are used to prevent simple
attacks based on the symmetry of the rounds [10].
Block TEA operates on arbitrary-size blocks in place
of the 64-bit blocks of the original. It is faster than the
original version when encrypting longer blocks. It is also
simpler to implement in JavaScript for encrypting http
requests. In our study, we adopt the revised Block TEA to
encrypt the http request URL in the Development of
Wuhans WebGIS (www.vrwuhan.com). The main
source code of the JavaScript implementation as below:
SECURITY OF GEOGRAPHIC
DATA
192
cipherstr +=
(((t>=10)? (TmpInt+7) :t) +10).toString (36)
}
// Encoding the difference with 36-bit, if more
//than 10, add 7, then add 10 for all
return cipherstr
ACKNOWLEDGMENT
}
B. Security of Attribute Data
Attribute data is an important part of WebGIS, and it
covers all of the information in addition to the spatial
location and topological relations of the geographical
objects. Many WebGIS running on internet provide the
service of geographical name searching, such as shops,
restaurants, places and so on. All the attribute information
are classified and can be obtained through http request.
The requests parameters are usually regular, which make
it easy to develop a program to travel request completely.
So, it is also necessary to encrypt and confuse the
requests parameters of attribute data. Block TEA is the
same useful in this aspect. On the other hand, in order to
identify the attribute of each feature in real time, the
spatial information and the entire attribute data are
usually bound in many JavaScript file with plaintext. And
these JavaScript files are often named with regular names.
All of the problems mentioned above proved that the
client codes security is very important, which determines
the security of attribute data deeply.
In addition, WebGIS providers do not have any
restriction on usual attribute datas request, which make
the non-authorized user can obtain the attribute data and
corresponding vector data by traversal requesting. And it
made the security so fragile that the whole system could
be copied easily. So, in the security design of attribute
datas query, providers need to restrict the number of the
search results to avoid the bulk downloading of the
important data.
.
CONCLUSION
193