Security in Business Process Engineering

  • Conference paper
Business Process Management (BPM 2003)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 2678))

Abstract

We present a general methodology for integrating arbitrary security requirements into the development of business processes in a way that is both elegant and rigorous. We show how trust relationships between different parties and their respective security goals can be reflected in a specification, which results in a realistic modeling of business processes in the presence of malicious adversaries. Special attention is given to the incorporation of cryptography in the development process with the main goal of achieving specifications that are sufficiently simple to be suited for formal verification, yet allow for a provably secure cryptographic implementation.

Copyright information

© 2003 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Backes, M., Pfitzmann, B., Waidner, M. (2003). Security in Business Process Engineering. In: van der Aalst, W.M.P., Weske, M. (eds) Business Process Management. BPM 2003. Lecture Notes in Computer Science, vol 2678. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-44895-0_12

  • DOI: https://doi.org/10.1007/3-540-44895-0_12

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-40318-0

  • Online ISBN: 978-3-540-44895-2

  • eBook Packages: Springer Book Archive
