Abstract
Web services are an important series of industry standards for adding semantics to web-based and XML-based communication, in particular among enterprises. Like the entire series, the security standards and proposals are highly modular. Combinations of several standards are put together for testing as interoperability scenarios, and these scenarios are likely to evolve into industry best practices. In the terminology of security research, the interoperability scenarios correspond to security protocols. Hence, it is desirable to analyze them for security. In this paper, we analyze the security of the new Secure WS-ReliableMessaging Scenario, the first scenario to combine security elements with elements of another quality-of-service standard. We do this both symbolically and cryptographically. The results of both analyses are positive. The discussion of actual cryptographic primitives of web services security is a novelty of independent interest in this paper.
This work was partially supported by the Zurich Information Security Center. It represents the views of the authors.
Chapter PDF
Similar content being viewed by others
Keywords
- Security Protocol
- Security Property
- Simple Object Access Protocol
- Symmetric Encryption
- Cryptographic Primitive
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.
References
Abadi, M., Rogaway, P.: Reconciling two views of cryptography: The computational soundness of formal encryption. In: Watanabe, O., Hagiya, M., Ito, T., van Leeuwen, J., Mosses, P.D. (eds.) TCS 2000. LNCS, vol. 1872, pp. 3–22. Springer, Heidelberg (2000)
Armando, A., Basin, D., Boichut, Y., Chevalier, Y., Compagna, L., Cuellar, J., Hankes Drielsma, P., Heám, P.-C., Kouchnarenko, O., Mantovani, J., Mödersheim, S., von Oheimb, D., Rusinowitch, M., Santiago, J., Turuani, M., Viganò, L., Vigneron, L.: The AVISPA Tool for the Automated Validation of Internet Security Protocols and Applications. In: Etessami, K., Rajamani, S.K. (eds.) CAV 2005. LNCS, vol. 3576, pp. 281–285. Springer, Heidelberg (2005)
Backes, M., Mödersheim, S., Pfitzmann, B., Viganò, L.: Symbolic and Cryptographic Analysis of the Secure WS-ReliableMessaging Scenario (Extended Version). Technical Report 502, Department of Computer Science, ETH Zurich (2006), Available at: www.infsec.ethz.ch
Backes, M., Pfitzmann, B.: Symmetric encryption in a simulatable Dolev-Yao style cryptographic library. In: Proc. 17th IEEE CSFW (2004)
Backes, M., Pfitzmann, B., Waidner, M.: A composable cryptographic library with nested operations (extended abstract). In: Proc. 10th ACM CCS, January 2003, Full version in IACR Cryptology ePrint Archive 2003/015, pp. 220–230 (2003), http://eprint.iacr.org/
Backes, M., Pfitzmann, B., Waidner, M.: Symmetric authentication within a simulatable cryptographic library. In: Snekkenes, E., Gollmann, D. (eds.) ESORICS 2003. LNCS, vol. 2808, pp. 271–290. Springer, Heidelberg (2003)
Backes, M., Pfitzmann, B., Waidner, M.: A general composition theorem for secure reactive systems. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 336–354. Springer, Heidelberg (2004)
Basin, D., Mödersheim, S., Viganò, L.: OFMC: A Symbolic Model-Checker for Security Protocols. International Journal of Information Security 4(3), 181–208 (2005)
Bella, G., Massacci, F., Paulson, L.C.: Verifying the SET Purchase Protocols. Journal of Automated Reasoning (to appear)
Bellare, M., Namprempre, C.: Authenticated encryption: Relations among notions and analysis of the generic composition paradigm. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 531–545. Springer, Heidelberg (2000)
Bellare, M., Rogaway, P.: Encode-then-encipher encryption: How to exploit nonces or redundancy in plaintexts for efficient constructions. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 317–330. Springer, Heidelberg (2000)
Bhargavan, K., Corin, R., Fournet, C., Gordon, A.: Secure sessions for web services. In: Proc. ACM Workshop on Secure Web Services (SWS) (2004)
Bhargavan, K., Fournet, C., Gordon, A.: A semantics for web service authentication. In: Proc. 31st POPL, pp. 198–209. ACM Press, New York (2004)
Bhargavan, K., Fournet, C., Gordon, A.: Verifying policy-based security for web services. In: Proc. 11th ACM CCS, pp. 268–277 (2004)
Bhargavan, K., Fournet, C., Gordon, A., Pucella, R.: TulaFale: A security tool for web servics. In: de Boer, F.S., Bonsangue, M.M., Graf, S., de Roever, W.-P. (eds.) FMCO 2003. LNCS, vol. 3188, pp. 197–222. Springer, Heidelberg (2004)
Blanchet, B.: An efficient cryptographic protocol verifier based on Prolog rules. In: Proc. 14th IEEE CSFW, pp. 82–96 (2001)
Bodei, C., Buchholtz, M., Degano, P., Nielson, F., Riis Nielson, H.: Static validation of security protocols. Journal of Computer Security 13(3), 347–390 (2005)
Box, D., Curbera, F., et al.: Web Services Addressing (WS-Addressing) (August 2004)
Box, D., Ehnebuske, D., Kakivaya, G., Layman, A., Mendelsohn, N., Nielsen, H.F., Thatte, S., Winer, D.: Simple object access protocol (SOAP) 1.1 (May 2000)
Canetti, R., Herzog, J.: Universally composable symbolic analysis of cryptographic protocols (the case of encryption-based mutual authentication and key exchange). Cryptology ePrint Archive, Report 2004/334 (2004)
Chevalier, Y., Compagna, L., Cuellar, J., Hankes Drielsma, P., Mantovani, J., Mödersheim, S., Vigneron, L.: A High Level Protocol Specification Language for Industrial Security-Sensitive Protocols. In: Proc. Workshop on Specification and Automated Processing of Security Requirements (SAPS 2004), pp. 193–205. Austrian Computer Society (2004)
Clark, J., Jacob, J.: A Survey of Authentication Protocol Literature: Version 1.0, 17 November (1997)
Comon-Lundh, H., Cortier, V.: Security properties: two agents are sufficient. In: Degano, P. (ed.) ESOP 2003 and ETAPS 2003. LNCS, vol. 2618, pp. 99–113. Springer, Heidelberg (2003)
Davis, D., Ferris, C., Gajjala, V., Gavrylyuk, K., Gudgin, M., Kaler, C., Langworthy, D., Moroney, M., Nadalin, A., Roots, J., Storey, T., Vishwanath, T., Walte, D.: Secure WS-ReliableMessaging scenarios (April 2005), ftp://www6.software.ibm.com/software/developer/library/ws-rmseconscenario.doc
Dolev, D., Yao, A.C.: On the security of public key protocols. IEEE Transactions on Information Theory 29(2), 198–208 (1983)
Donovan, B., Norris, P., Lowe, G.: Analyzing a library of security protocols using Casper and FDR. In: Proc. Workshop on Formal Methods and Security Protocols (FMSP 1999) (1999)
Ferguson, D.F., Storey, T., Lovering, B., Shewchuk, J.: Secure, reliable, transacted Web Services – architecture and composition (October 2003), Available at: http://www-106.ibm.com/developerworks/webservices/library/ws-securtrans/
Ferris, C., Langworthy, D., et al.: Web Services Reliable Messaging Protocol (WS-ReliableMessaging) (February 2005)
Gordon, A., Pucella, R.: Validating a web service security abstraction by typing. In: Proc. 1st ACM Workshop on XML Security, pp. 18–29 (2002)
Gotsman, A., Massacci, F., Pistore, M.: Towards an Independent Semantics and Verification Technology for the HLPSL Specification Language. Electronic Notes in Theoretical Computer Science 135(1), 59–77 (2005)
Groß, T., Pfitzmann, B., Sadeghi, A.-R.: Proving a WS-Federation Passive Requestor Profile with a Browser Model. In: Proc. ACM Workshop on Secure Web Services (SWS), pp. 54–64. ACM Press, New York (2005)
Gudgin, M., Nadalin, A., et al.: Web Services Secure Conversation Language (WS-SecureConversation) (February 2005)
Gudgin, M., Nadalin, A., et al.: Web Services Trust Language (WS-Trust (February 2005)
Hur, M., Johnson, R.D., Medvinsky, A., Rouskov, Y., Spellman, J., Weeden, S., Nadalin, A.: Passive Requestor Federation Interop Scenario, Version 0.4 (February 2004), ftp://www6.software.ibm.com/software/developer/library/ws-fpscenario2.doc
Jacquemard, F., Rusinowitch, M., Vigneron, L.: Compiling and verifying security protocols. In: Parigot, M., Voronkov, A. (eds.) LPAR 2000. LNCS (LNAI), vol. 1955, pp. 131–160. Springer, Heidelberg (2000)
Kaler, C., et al.: Web Services Security (WS-Security), version 1.0 (April 2002)
Kleiner, E., Roscoe, A.: On the relationship of traditional and Web Services Security protocols. In: Proceedings of the XXI Mathematical Foundations of Programming Semantics (MFPS 2005). Electronic Notes in Theoretical Computer Science (to appear)
Laud, P.: Symmetric encryption in automatic analyses for confidentiality against active adversaries. In: Proc. 25th IEEE Symposium on Security & Privacy, pp. 71–85 (2004)
Lowe, G.: A hierarchy of authentication specifications. In: Proc. 10th IEEE CSFW, pp. 31–43 (1997)
Micciancio, D., Warinschi, B.: Soundness of formal encryption in the presence of active adversaries. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 133–151. Springer, Heidelberg (2004)
Song, D., Berezin, S., Perrig, A.: Athena: a novel approach to efficient automatic security protocol analysis. Journal of Computer Security 9, 47–74 (2001)
Turuani, M.: Sécurité des Protocoles Cryptographiques: Décidabilité et Complexité. Phd, Université Henri Poincaré, Nancy (December 2003)
Viganò, L.: Automated Security Protocol Analysis with the AVISPA Tool. In: In Proceedings of the XXI Mathematical Foundations of Programming Semantics (MFPS 2005). Electronic Notes in Theoretical Computer Science (to appear)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2006 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Backes, M., Mödersheim, S., Pfitzmann, B., Viganò, L. (2006). Symbolic and Cryptographic Analysis of the Secure WS-ReliableMessaging Scenario. In: Aceto, L., Ingólfsdóttir, A. (eds) Foundations of Software Science and Computation Structures. FoSSaCS 2006. Lecture Notes in Computer Science, vol 3921. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11690634_29
Download citation
DOI: https://doi.org/10.1007/11690634_29
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-33045-5
Online ISBN: 978-3-540-33046-2
eBook Packages: Computer ScienceComputer Science (R0)