Secure sessions for Web services

ACM Transactions on Information and System Security

Volumn 10, Issue 2, 2007, Pages

  Bhargavan, Karthikeyan ^a,c   Fournet, Cédric ^a,c   Gordon, Andrew D ^a,c   Corin, Ricardo ^b  

^a MICROSOFT RESEARCH   (United States)

^b UNIVERSITY OF TWENTE   (Netherlands)

^c MICROSOFT RESEARCH   (United Kingdom)

Author keywords

Web services; XML security

Indexed keywords

FORMAL SCRIPTING LANGUAGE; SECURITY PROTOCOLS; WS-SECURECONVERSATION; XML SECURITY;

FORMAL LANGUAGES; NETWORK PROTOCOLS; SECURITY OF DATA; SEMANTICS; XML;

WEB SERVICES;

EID: 34249658491     PISSN: 10949224     EISSN: 15577406     Source Type: Journal    
DOI: 10.1145/1237500.1237504     Document Type: Article

References (61)

1. ABADI, M. AND FOURNET, C. 2001. Mobile values, new names, and secure communication. In 28th ACM Symposium on Principles of Programming Languages (POPL'01). 104-115.
2. ABADI, M. AND GORDON, A. D. 1999. A calculus for cryptographic protocols: The spi calculus. Information and Computation 148, 1-70.
3. ABADI, M. AND ROGAWAY, P. 2002. Reconciling two views of cryptography (the computational soundness of formal encryption). Journal of Cryptology 15, 2, 103-127.
4. ABADI, M., BLANCHET, B., AND FOURNET, C. 2004. Just fast keying in the pi calculus. In 13th European Symposium on Programming (ESOP'04). LNCS, vol. 2986. Springer, New York. 340-354.
5. ARMANDO, A., BASIN, D., BOICHUT, Y., CHEVALIER, Y., COMPAGNA, L., CUELLAR, J., HANKES DRIELSMA, P., HEÁM, P.-C., MANTOVANI, J., MÖDERSHEIM, S., VON OHEIMB, D., RUSINOWITCH, M., SANTIAGO, J., TURUANI, M., VIGANÒ, L., AND VIGNERON, L. 2005. The AVISPA Tool for the Automated Validation of Internet Security Protocols and Applications. In 17th International Conference on Computer Aided Verification (CAV'05), K. Etessami and S. K. Rajamani, Eds. LNCS, vol. 3576. Springer, New York. Available at http://www.avispa-project.org/publications.html.
6. BACKES, M., PFITZMANN, B., AND WAIDNER, M. 2003. A composable cryptographic library with nested operations. In 10th ACM Conference on Computer and Communications Security (CCS'03). 220-230.
7. BACKES, M., MÖDERSHEIM, S., PFITZMANN, B., AND VIGANÒ, L. 2006. Symbolic and cryptographic analysis of the secure WS-ReliableMessaging scenario. In Foundations of Software Science and Computation Structures (FOSSACS'06). 428-445.
8. BARBIR, A., GOODNER, M., GUDGIN, M., GRANQVIST, H., NADALIN, A., ET AL. 2006. Web Services Secure Conversation Language (WS-SecureConversation) Oasis Committee Draft Version 0.1. At http://www.oasis-open.org/committees/download.php/ 20158/ws-secureconversation-1.3-spec-cd-01.pdf.
9. BHARGAVAN, K., CORIN, R., FOURNET, C., AND GORDON, A. D. 2004a. Secure sessions for web services. In 2004 ACM Workshop on Secure Web Services (SWS'04). 56-66.
10. BHARGAVAN, K., CORIN, R., FOURNET, C., AND GORDON, A. D. 2004d. Secure sessions for web services. Tech. Rep. MSR-TR-2004-114, Microsoft Research.
11. BHARGAVAN, K., FOURNET, C., AND GORDON, A. D. 2004c. Verifying policy-based security for web services. In 11th ACM Conference on Computer and Communications Security (CCS'04). 268-277.
12. BHARGAVAN, K., FOURNET, C., GORDON, A. D., AND PUCELLA, R. 2004d. TulaFale: A security tool for web services. In International Symposium on Formal Methods for Components and Objects (FMCO'03). LNCS, vol. 3188. Springer, New York. 197-222.
13. BHARGAVAN, K., FOURNET, C., AND GORDON, A. D. 2005. A semantics for web services authentication. Theor. Comput. Sci. 340, 1 (June), 102-153.
14. BHARGAVAN, K., FOURNET, C., GORDON, A. D., AND TSE, S. 2006. Verified interoperable implementations of security protocols. In 19th IEEE Computer Security Foundations Workshop (CSFW'06). 139-152.
15. BLANCHET, B. 2001. An efficient cryptographic protocol verifier based on Prolog rules. In 14th IEEE Computer Security Foundations Workshop (CSFW-14). IEEE Computer Society, Washington, D.C. 82-96.
16. BLANCHET, B. 2002. From secrecy to authenticity in security protocols. In 9th International Static Analysis Symposium (SAS'02). LNCS, vol. 2477. Springer, New York. 342-359.
17. BLANCHET, B. 2006. A computationally sound mechanized prover for security protocols. In IEEE Symposium on Security and Privacy. 140-154.
18. BOX, D., CURBERA, P., ET AL. 2004. Web Services Addressing (WS-Addressing). At http://www.w3.org/Submission/2004/ SUBM-ws-addressing-20040810/.
19. BURROWS, M., ABADI, M., AND NEEDHAM, R. 1989. A logic of authentication. Proceedings of the Royal Society of London A 426, 233-271.
20. COHEN, E. 2000. TAPS: A first-order verifier for cryptographic protocols. In 13th IEEE Computer Security Foundations Workshop. IEEE Computer Society Press, Washington, D.C. 144-158.
21. DAMIANI, E., DE CAPITANI DI VIMERCATI, S., PARABOSCHI, S., AND SAMARATI, P. 2002. Securing SOAP e-services. International Journal of Information Security 1, 2, 100-115.
22. DAVIS, D., FERRIS, C., GAJJALA, V., GAVRYLYUK, K., GUDGIN, M., KALER, C., LANGWORTHY, D., MORONEY, M., NADALIN, A., ROOTS, J., STOREY, T., VISHWANATH, T., AND WALTER, D. 2005. WS-ReliableMessaging Interop Workshop. At ftp://www6.software.ibm.com/software/developer/library/ws-rmseconscanario.doc.
23. DIFFIE, W. AND HELLMAN, M. 1976. New directions in cryptography. IEEE Transactions on Information Theory IT-22, 6 (Nov.), 644-654.
24. DOLEV, D. AND YAO, A. 1983. On the security of public key protocols. IEEE Transactions on Information Theory IT-29, 2, 198-208.
25. DURGIN, N. A., MITCHELL, J. C., AND PAVLOVIC, D. 2003. A compositional logic for proving security properties of protocols. Journal of Computer Security 11, 4, 677-721.
26. FERRIS, C., LANGWORTHY, D., ET AL. 2004. Web Services Reliable Messaging Protocol (WS-ReliableMessaging). At http://msdn.microsoft.com/ws/2004/03/ws-reliablemessaging/.
27. FREIER, A. O., KARLTON, P., AND KOCHER, P. C. November 1996. The SSL protocol: Version 3.0. http://home.netscape.com/eng/ssl3/draft302.txt.
28. GOLLMANN, D. 2003. Authentication by correspondence. IEEE Journal on Selected Areas in Communications 21, 1, 88-95.
29. GORDON, A. D. AND PUCELLA, R. 2005. Validating a web service security abstraction by typing. Formal Aspects of Computing 17, 277-318.
30. GROSS, T. AND PFITZMANN, B. 2004. Proving a WS-Federation Passive Requestor profile. In 2004 ACM Workshop on Secure Web Services (SWS). ACM Press, New York.
31. GUDGIN, M. 2004. Using WS-Trust and WS-SecureConversation. MSDN. At http://msdn.microsoft.com/library/default.asp?url=/library/en- us/dnwebsrv/html/ws-trustandsecureconv.asp.
32. GUDGIN, M., NADALIN, A., ET AL. 2005a. Web Services Secure Conversation Language (WS-SecureConversation) Version 1.2. At http://www.oasis-open.org/committees/download.php/17364/lists.oasis-open. orgarchivesws-sx200512zip00000.zip.
33. GUDGIN, M., NADALIN, A., ET AL. 2005b. Web Services Trust Language (WS-Trust) Version 1.2. At http://www.oasis-open. org/committees/download.php/17364/lists.oasis-open.orgarchivesws- sx200512zip00000.zip.
34. GUDGIN, M., NADALIN, A., ET AL. 2005e. Web Services Trust Language (WS-Trust) Version 1.2. At http://www.oasis-open. org/committees/download.php/20160/ws-trust-1.3-spec-cd-01.pdf.
35. HARKINS, D. AND CARREL, D. 1998. RFC 2409: The Internet Key Exchange (IKE), http://www.ietf.org/rfc/rfc2409.txt.
36. HUI, M. L. AND LOWE, G. 2001. Fault-preserving simplifying transformations for security protocols. Journal of Computer Security 9, 1/2, 3-46.
37. JOHNSON, J. E., LANGWORTHY, D. E., LAMPORT, L., AND VOGT, F. H. 2004. Formal specification of a web services protocol. In 1st International Workshop on Web Services and Formal Methods (WS-FM 2004). University of Pisa.
38. KALER, C., NADALIN, A., ET AL. 2003a. Web Services Federation Language (WS-Federation) Version 1.0. At http://msdn.microsoft.com/ws/2003/07/ws-federation/.
39. KALER, C., NADALIN, A., ET AL. 2003b. WS-Federation: Passive Requestor Profile Version 1.0. At ftp://www6.software.ibm.com/software/developer/library/ws-fedpass.pdf.
40. KALER, C., NADALIN, A., ET AL. 2004a. Web Services Secure Conversation Language (WS-SecureConversation) Version 1.1. At http://msdn.microsoft.com/ws/2004/04/ws-secure-conversation/.
41. KALER, C., NADALIN, A., ET AL. 2004b. Web Services Trust Language (WS-Trust) Version 1.1. At http://msdn.microsoft. com/ws/2004/04/ws-trust/.
42. KEMMERER, R., MEADOWS, C., AND MILLEN, J. 1994. Three systems for cryptographic protocol analysis. Journal of Cryptology 7, 2, 79-130.
43. KEYSER, C. 2004. Source code for SCT tokens in a farm source code. http://blogs.msdn.com/chriskeyser/archive/2004/11/30/272678.aspx.
44. KLEINER, E. AND ROSCOE, A. W. 2004. Web services security: A preliminary study using Casper and FDR. In Automated Reasoning for Security Protocol Analysis (ARSPA'04).
45. KLEINER, E. AND ROSCOE, A. W. 2005. On the relationship between web services security and traditional protocols. In Mathematical Foundations of Programming Semantics (MFPS XXI).
46. LOWE, G. 1996. Breaking and fixing the Needham-Schroeder public-key protocol using CSP and FDR. In Tools and Algorithms for the Construction and Analysis of Systems. LNCS, vol. 1055. Springer, New York. 147-166.
47. LOWE, G. 1997. A hierarchy of authentication specifications. In Proceedings of 10th IEEE Computer Security Foundations Workshop, 1997. IEEE Computer Society Press, Washington, D.C. 31-44.
48. Microsoft Corporation 2004. Web Services Enhancements (WSE) 2.0 SP1. Microsoft Corporation. At http://msdn.microsoft.com/webservices/ building/wse/default.aspx.
49. MILNER, R. 1999. Communicating and Mobile Systems: the π-Calculus. Cambridge University Press, Cambridge.
50. NADALIN, A., KALER, C., HALLAM-BAKER, P., AND MONZILLO, R. 2004. OASIS Web Services Security: SOAP Message Security 1.0 (WS-Security 2004). OASIS Standard 200401. At http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1. 0.pdf.
51. NEEDHAM, R. AND SCHROEDER, M. 1978. Using encryption for authentication in large networks of computers. Commun. ACM 21, 12, 993-999.
52. OASIS Security Services TC 2005. Security Assertion Markup Language FAQ. OASIS Security Services TC. At http://www.oasis-open.org/committees/ security/faq.php.
53. PAULSON, L. 1998. The inductive approach to verifying cryptographic protocols. Journal of Computer Security 6, 85-128.
54. PAULSON, L. C. 1999. Inductive analysis of the internet protocol TLS. ACM Trans. Inf. Syst. Secur. 2, 3, 332-351.
55. RYAN, P. Y. A., SCHNEIDER, S. A., GOLDSMITH, M. H., LOWE, G., AND ROSCOE, A. W. 2001. The Modeling and Analysis of Security Protocols: the CSP Approach. Pearson Education.
56. THAYER FÁBREGA, F., HERZOG, J., AND GUTTMAN, J. 1999. Strand spaces: Proving security protocols correct. Journal of Computer Security 7, 191-230.
57. VOGELS, W. 2003. Web services are not distributed objects. IEEE Internet Computing 7, 6, 59-66.
58. W3C 2003. SOAP Version 1.2. W3C. W3C Recommendation, at http://www.w3.org/TR/soap12.
59. WOO, T. AND LAM, S. 1993. A semantic model for authentication protocols. In IEEE Computer Society Symposium on Research in Security and Privacy. 178-194.
60. WS 2002. WS-Trust/WS-SecureConversation Interop Workshop. At http://msdn.microsoft.com/webservices/community/workshops/trustworkshop112003. aspx.
61. WS 2004. WS-SecureConversation/WS-Trust Interop Workshop. At http://msdn.microsoft.com/webservices/community/workshops/TrustWorkshopOct2004. aspx.