Toward an Automatic Analysis of Web Service Security

Yannick Chevalier; Denis Lugiez; Michael Rusinowitch

inria-00133996, version 2

Toward an Automatic Analysis of Web Service Security

Yannick Chevalier^a^, 1, Denis Lugiez ², Michael Rusinowitch ()^b^, 3

N° RR-6341 (2007)

Résumé : Web services send and receive messages in XML syntax with some parts hashed, encrypted or signed, according to the WS-Security standard. In this paper we introduce a model to formally describe the protocols that underly these services, their security properties and the rewriting attacks they might be subject to. Unlike with usual security protocols, we have to address here the facts that: (1) The Web service receive/send actions are nondeterministic to accommodate the XML format and the lack of normalization in parsing XML messages. Our model is designed to permit non-deterministic operations. (2) The Web service message format is better modelled with multiset constructors than with fixed arity symbols. Hence we had to introduce an attacker model that handles associativecommutative operators. In particular we present a decision procedure for insecurity of Web services with messages built using encryption, signature, and other cryptographic primitives.

a – Université Paul Sabatier - Toulouse III
b – INRIA
1 : Institut de recherche en informatique de Toulouse (IRIT)
CNRS : UMR5505 – Institut National Polytechnique de Toulouse - INPT – Université des Sciences Sociales - Toulouse I – Université Toulouse I [UT1] Capitole – Université Toulouse le Mirail - Toulouse II – Université Paul Sabatier [UPS] - Toulouse III
2 : Laboratoire d'informatique Fondamentale de Marseille (LIF)
CNRS : UMR6166 – Université de la Méditerranée - Aix-Marseille II – Université de Provence - Aix-Marseille I
3 : CASSIS (INRIA Lorraine - LORIA / LIFC)
INRIA – CNRS : FRE2661 – Université de Franche-Comté – Université Henri Poincaré - Nancy I – Université Nancy II – Institut National Polytechnique de Lorraine (INPL)

inria-00133996, version 2
http://hal.inria.fr/inria-00133996
oai:hal.inria.fr:inria-00133996
Contributeur : Rapport De Recherche Inria <>
Soumis le : Mercredi 31 Octobre 2007, 14:46:24
Dernière modification le : Mercredi 31 Octobre 2007, 14:48:06

Voir la fiche détaillée

Documents associés

PS :

PDF :

Exporter

Bibtex EndNote TEI RefWorks

<?xml version="1.0" encoding="UTF-8"?>
<listBibl xmlns="http://www.tei-c.org/ns/1.0" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:mml="http://www.w3.org/1998/Math/MathML">
<listBibl type="report"><head>Rapports</head>
<biblStruct type="report" xml:id="inria-00133996"><monogr>
<author><persName><forename>Yannick</forename><surname>Chevalier</surname></persName>
<affiliation>
<orgName type="laboratory">IRIT</orgName>
<orgName type="team">Institut de recherche en informatique de Toulouse</orgName>
<country>FR</country>
<orgName type="institution">CNRS : UMR5505</orgName>
<orgName type="institution">Institut National Polytechnique de Toulouse - INPT</orgName>
<orgName type="institution">Université des Sciences Sociales - Toulouse I</orgName>
<orgName type="institution">Université Toulouse I [UT1] Capitole</orgName>
<orgName type="institution">Université Toulouse le Mirail - Toulouse II</orgName>
<orgName type="institution">Université Paul Sabatier [UPS] - Toulouse III</orgName>
</affiliation>
</author>
<author><persName><forename>Denis</forename><surname>Lugiez</surname></persName>
<affiliation>
<orgName type="laboratory">LIF</orgName>
<orgName type="team">Laboratoire d'informatique Fondamentale de Marseille</orgName>
<country>FR</country>
<orgName type="institution">CNRS : UMR6166</orgName>
<orgName type="institution">Université de la Méditerranée - Aix-Marseille II</orgName>
<orgName type="institution">Université de Provence - Aix-Marseille I</orgName>
</affiliation>
</author>
<author><persName><forename>Michael</forename><surname>Rusinowitch</surname></persName>
<affiliation>
<orgName type="laboratory">INRIA Lorraine - LORIA / LIFC</orgName>
<orgName type="team">CASSIS</orgName>
<country>FR</country>
<orgName type="institution">INRIA</orgName>
<orgName type="institution">CNRS : FRE2661</orgName>
<orgName type="institution">Université de Franche-Comté</orgName>
<orgName type="institution">Université Henri Poincaré - Nancy I</orgName>
<orgName type="institution">Université Nancy II</orgName>
<orgName type="institution">Institut National Polytechnique de Lorraine (INPL)</orgName>
</affiliation>
</author>
<title type="main" level="m">Toward an Automatic Analysis of Web Service Security</title><title type="main" level="m">Toward an Automatic Analysis of Web Service Security</title><imprint><biblScope type="publicationDate">2007-00-00</biblScope><biblScope type="pp">40</biblScope></imprint></monogr><idno type="HALid">http://hal.inria.fr/inria-00133996</idno><idno type="HALFile">http://hal.inria.fr/inria-00133996/PDF/RR-6341.pdf</idno></biblStruct>
</listBibl>
</listBibl>