DOI: 10.1145/1111348.1111355

Secure sessions for web services

Published: 29 October 2004

Abstract

WS-Security provides basic means to secure SOAP traffic, one envelope at a time. For typical web services, however, using WS-Security independently for each message is rather inefficient; besides, it is often important to secure the integrity of a whole session, as well as each message. To these ends, recent specifications provide further SOAP-level mechanisms. WS-SecureConversation introduces security contexts, which can be used to secure sessions between two parties. WS-Trust specifies how security contexts are issued and obtained. We develop a semantics for the main mechanisms of WS-Trust and WS-SecureConversation, expressed as a library for TulaFale, a formal scripting language for security protocols. We model typical protocols relying on these mechanisms, and automatically prove their main security properties. We also informally discuss some limitations of these specifications.

Published In

SWS '04: Proceedings of the 2004 workshop on Secure web service
October 2004
109 pages
ISBN: 158113973X
DOI: 10.1145/1111348
Publisher

Association for Computing Machinery

New York, NY, United States

Cited By

  • (2019) Seems Legit. Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, pp. 2165-2180. DOI: 10.1145/3319535.3339813. Online publication date: 6-Nov-2019
  • (2014) Automatic Verification of Security Protocols in the Symbolic Model: The Verifier ProVerif. Foundations of Security Analysis and Design VII, pp. 54-87. DOI: 10.1007/978-3-319-10082-1_3. Online publication date: 2014
  • (2012) Security Analysis of Standards-Driven Communication Protocols for Healthcare Scenarios. Journal of Medical Systems, 36:6, pp. 3695-3711. DOI: 10.1007/s10916-012-9843-1. Online publication date: 1-Dec-2012
  • (2012) e-Health for Rural Areas in Developing Countries: Lessons from the Sebokeng Experience. e-Infrastructure and e-Services for Developing Countries, pp. 187-196. DOI: 10.1007/978-3-642-29093-0_18. Online publication date: 2012
  • (2011) A standard-driven communication protocol for disconnected clinics in rural areas. 2011 IEEE 13th International Conference on e-Health Networking, Applications and Services, pp. 304-311. DOI: 10.1109/HEALTH.2011.6026770. Online publication date: Jun-2011
  • (2010) Hyperdistribution of Contextual Information. Introduction to Contextual Processing, pp. 115-183. DOI: 10.1201/b10398-6. Online publication date: 15-Dec-2010
  • (2010) Implementation of message layer protocol with non-repudiation. Proceedings of the International Conference and Workshop on Emerging Trends in Technology, pp. 448-450. DOI: 10.1145/1741906.1742006. Online publication date: 26-Feb-2010
  • (2009) Planning and verifying service composition. Journal of Computer Security, 17:5, pp. 799-837. DOI: 10.5555/1662658.1662664. Online publication date: 1-Oct-2009
  • (2009) On Secure Implementation of an IHE XUA-Based Protocol for Authenticating Healthcare Professionals. Proceedings of the 5th International Conference on Information Systems Security, pp. 55-70. DOI: 10.1007/978-3-642-10772-6_6. Online publication date: 15-Nov-2009
  • (2008) Semantics-Based Design for Secure Web Services. IEEE Transactions on Software Engineering, 34:1, pp. 33-49. DOI: 10.1109/TSE.2007.70740. Online publication date: 1-Jan-2008
