Towards an Automatic Analysis of Web Service Security

Web services send and receive messages in XML syntax with some parts hashed, encrypted or signed, according to the WS-Security standard. In this paper we introduce a model to formally describe the protocols that underlie these services, their security properties and the rewriting attacks they might be subject to. Unlike other protocol models (in symbolic analysis) ours can handle non-deterministic receive/send actions and unordered sequences of XML nodes. Then, to detect the attacks, we have to consider the services as combining multiset operators and cryptographic ones, and we have to solve specific satisfiability problems in the combined theory. By a non-trivial extension of the combination techniques of [3] we obtain a decision procedure for insecurity of Web services with messages built using encryption, signature, and other cryptographic primitives. This combination technique allows one to decide insecurity in a modular way by reducing the associated constraint solving problems to prob...
Added 07 Jun 2010
Updated 07 Jun 2010
Type Conference
Year 2007
Authors Yannick Chevalier, Denis Lugiez, Michaël Rusinowitch