
Toward an Automatic Analysis of Web Service Security

Yannick Chevalier 1 Denis Lugiez 2 Michael Rusinowitch 3
1 IRIT-LILaC - Logique, Interaction, Langue et Calcul
IRIT - Institut de recherche en informatique de Toulouse
3 CASSIS - Combination of approaches to the security of infinite states systems
FEMTO-ST - Franche-Comté Électronique Mécanique, Thermique et Optique - Sciences et Technologies (UMR 6174), INRIA Lorraine, LORIA - Laboratoire Lorrain de Recherche en Informatique et ses Applications
Abstract : Web services send and receive messages in XML syntax with some parts hashed, encrypted or signed, according to the WS-Security standard. In this paper we introduce a model to formally describe the protocols that underlie these services, their security properties and the rewriting attacks they might be subject to. Unlike with usual security protocols, we have to address here the facts that: (1) The Web service receive/send actions are nondeterministic to accommodate the XML format and the lack of normalization in parsing XML messages. Our model is designed to permit nondeterministic operations. (2) The Web service message format is better modelled with multiset constructors than with fixed arity symbols. Hence we had to introduce an attacker model that handles associative-commutative operators. In particular we present a decision procedure for insecurity of Web services with messages built using encryption, signature, and other cryptographic primitives.
Document type :
Reports

https://hal.inria.fr/inria-00133996
Contributor : Rapport de Recherche Inria
Submitted on : Wednesday, October 31, 2007 - 2:46:24 PM
Last modification on : Tuesday, October 27, 2020 - 2:34:29 PM
Long-term archiving on : Tuesday, September 21, 2010 - 2:58:43 PM

Files

RR-6341.pdf
Files produced by the author(s)

Identifiers

  • HAL Id : inria-00133996, version 2

Citation

Yannick Chevalier, Denis Lugiez, Michael Rusinowitch. Toward an Automatic Analysis of Web Service Security. [Research Report] RR-6341, INRIA. 2007, pp.40. ⟨inria-00133996v2⟩

Metrics

Record views

502

Files downloads

1351