On Secure Implementation of an IHE XUA-Based Protocol for Authenticating Healthcare Professionals

  • Massimiliano Masi
  • Rosario Pugliese
  • Francesco Tiezzi
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5905)


The importance of the Electronic Health Record (EHR) has been addressed in recent years by governments and institutions.Many large scale projects have been funded with the aim to allow healthcare professionals to consult patients data. Properties such as confidentiality, authentication and authorization are the key for the success for these projects. The Integrating the Healthcare Enterprise (IHE) initiative promotes the coordinated use of established standards for authenticated and secure EHR exchanges among clinics and hospitals. In particular, the IHE integration profile named XUA permits to attest user identities by relying on SAML assertions, i.e. XML documents containing authentication statements. In this paper, we provide a formal model for the secure issuance of such an assertion. We first specify the scenario using the process calculus COWS and then analyse it using the model checker CMC. Our analysis reveals a potential flaw in the XUA profile when using a SAML assertion in an unprotected network. We then suggest a solution for this flaw, and model check and implement this solution to show that it is secure and feasible.


Model Check Electronic Health Record Hash Code Service Orient Computing Transport Layer Security 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    The IHE Initiative: IT Infrastructure Technical Framework (2009),
  2. 2.
    OASIS Security Services TC: Assertions and protocols for the OASIS security assertion markup language (SAML) v2.02 (2005)Google Scholar
  3. 3.
    OASIS/ebXML Registry Technical Committee: ebXML business process specification schema technical specification v2.0.4 (2006),
  4. 4.
    OASIS Web Services Security TC: WS-Trust 1.3 specification (2007)Google Scholar
  5. 5.
    GIP DMP: Dossier Médical Personnel A French Project,
  6. 6.
    ARGE-ELGA: Die Arbeitsgemeinschaft Elektronische Gesundheitsakte,
  7. 7.
    Dierks, T., Rescorla, E.: The Transport Layer Security (TLS) Protocol Version 1.2. Technical Report RFC 5246, IETF (August 2008)Google Scholar
  8. 8.
    OASIS Web Services Security TC: Web service security: SOAP message security (2006)Google Scholar
  9. 9.
    Bhargavan, K., Fournet, C., Gordon, A.D., Pucella, R.: TulaFale: A Security Tool for Web Services. CoRR abs/cs/0412044 (2004)Google Scholar
  10. 10.
    Bhargavan, K., Corin, R., Fournet, C., Gordon, A.D.: Secure sessions for web services. In: SWS, pp. 56–66. ACM, New York (2004)CrossRefGoogle Scholar
  11. 11.
    Kleiner, E., Roscoe, A.W.: On the relationship between web services security and traditional protocols. In: Mathematical Foundations of Programming Semantics, MFPS XXI (2005)Google Scholar
  12. 12.
    Armando, A., et al.: Formal Analysis of SAML 2.0 Web Browser Single Sign-On: Breaking the SAML-based Single Sign-On for Google Apps. In: FMSE. ACM, New York (2008)Google Scholar
  13. 13.
    Lowe, G.: A hierarchy of authentication specifications, pp. 31–43. IEEE, Los Alamitos (1997)Google Scholar
  14. 14.
    ACR-NEMA: Digital imaging and communications in medicine, dicom (1995)Google Scholar
  15. 15.
    Health Level Seven organization: Hl7 standards (2009),
  16. 16.
    Lapadula, A., Pugliese, R., Tiezzi, F.: A calculus for orchestration of web services. In: De Nicola, R. (ed.) ESOP 2007. LNCS, vol. 4421, pp. 33–47. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  17. 17.
    Masi, M., Pugliese, R., Tiezzi, F.: On secure implementation of an IHE XUA-based protocol for authenticating healthcare professionals (full version),
  18. 18.
    OASIS Security Services TC: SAML v2.0 Holder-of-Key Assertion Profile (March 2009)Google Scholar
  19. 19.
    Gudgin, M., Hadley, M., Rogers, T.: Web Services Addressing 1.0 - Core. Technical report, W3C, W3C Recommendation (May 2006)Google Scholar
  20. 20.
    OASIS Web Services Security TC: Username token profile v1.1 (2006)Google Scholar
  21. 21.
    Lapadula, A., Pugliese, R., Tiezzi, F.: A Calculus for Orchestration of Web Services (full version). Technical report, Dipartimento di Sistemi e Informatica, Univ. Firenze (2008),
  22. 22.
    OASIS WSBPEL TC: Web Services Business Process Execution Language v2.0 (2007)Google Scholar
  23. 23.
    ter Beek, M.H., Gnesi, S., Mazzanti, F.: CMC-UMC: A framework for the verification of abstract service-oriented properties. In: Shin, S.Y., Ossowski, S. (eds.) 2009 ACM Symposium on Applied Computing (SAC), pp. 2111–2117. ACM, New York (2009)CrossRefGoogle Scholar
  24. 24.
    Abadi, M., Fournet, C.: Mobile values, new names, and secure communication. In: POPL, pp. 104–115 (2001)Google Scholar
  25. 25.
    Broadfoot, P., Lowe, G.: On distributed security transactions that use secure transport protocols. In: 16th Computer Security Foundations Workshop, pp. 63–73. IEEE, Los Alamitos (2003)Google Scholar
  26. 26.
    Dolev, D., Yao, A.: On the security of public key protocols. IEEE Transactions on Information Theory 29(2), 198–208 (1983)zbMATHCrossRefMathSciNetGoogle Scholar
  27. 27.
    Fantechi, A., Gnesi, S., Lapadula, A., Mazzanti, F., Pugliese, R., Tiezzi, F.: A model checking approach for verifying COWS specifications. In: Fiadeiro, J.L., Inverardi, P. (eds.) FASE 2008. LNCS, vol. 4961, pp. 230–245. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  28. 28.
    Blanchet, B.: CryptoVerif: Computationally sound mechanized prover for cryptographic protocols. In: Dagstuhl seminar Formal Protocol Verification Applied (October 2007)Google Scholar
  29. 29.
    Groß, T.: Security analysis of the saml single sign-on browser/artifact profile. In: ACSAC, pp. 298–307. IEEE, Los Alamitos (2003)Google Scholar
  30. 30.
    Hansen, S., Skriver, J., Nielson, H.: Using static analysis to validate the saml single sign-on protocol. In: WITS, pp. 27–40. ACM, New York (2005)CrossRefGoogle Scholar
  31. 31.
    OASIS Security Services TC: Profiles for the OASIS Security Assertion Markup Language (SAML) v2.0 (2005)Google Scholar
  32. 32.
    Armando, A., et al.: The AVISPA Tool for the Automated Validation of Internet Security Protocols and Applications. In: Etessami, K., Rajamani, S.K. (eds.) CAV 2005. LNCS, vol. 3576, pp. 281–285. Springer, Heidelberg (2005)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Massimiliano Masi
    • 1
  • Rosario Pugliese
    • 1
  • Francesco Tiezzi
    • 1
  1. 1.Università degli Studi di FirenzeFirenzeItaly

Personalised recommendations