Abstract
We describe a new reference implementation of the web services security specifications. The implementation is structured as a library in the functional programming language F#. Applications written using this library can interoperate with other compliant web services, such as those written using Microsoft WSE and WCF frameworks. Moreover, the security of such applications can be automatically verified by translating them to the applied pi calculus and using an automated theorem prover. We illustrate the use of our reference implementation through examples drawn from the sample applications included with WSE and WCF. We formally verify their security properties. We also experimentally evaluate their interoperability and performance.
Preview
Unable to display preview. Download preview PDF.
Similar content being viewed by others
References
Abadi, M., Blanchet, B.: Analyzing security protocols with secrecy types and logic programs. J. ACM 52(1), 102–146 (2005)
Abadi, M., Fournet, C.: Mobile values, new names, and secure communication. In: 28th ACM Symposium on Principles of Programming Languages (POPL 2001), pp. 104–115 (2001)
Apache Software Foundation. Apache WSS4J (2006), At: http://ws.apache.org/wss4j/
Bhargavan, K., Corin, R., Fournet, C., Gordon, A.D.: Secure sessions for web services. In: 2004 ACM Workshop on Secure Web Services, pp. 11–22 (October 2004)
Bhargavan, K., Fournet, C., Gordon, A.D.: A semantics for web services authentication. Theoretical Computer Science 340(1), 102–153 (2005)
Bhargavan, K., Fournet, C., Gordon, A.D., Pucella, R.: TulaFale: A security tool for web services. In: de Boer, F.S., Bonsangue, M.M., Graf, S., de Roever, W.-P. (eds.) FMCO 2003. LNCS, vol. 3188, pp. 197–222. Springer, Heidelberg (2004)
Bhargavan, K., Fournet, C., Gordon, A.D., Tse, S.: Verified interoperable implementations of security protocols. In: 19th IEEE Computer Security Foundations Workshop (CSFW 2006) (to appear, 2006)
Blanchet, B.: An efficient cryptographic protocol verifier based on Prolog rules. In: 14th IEEE Computer Security Foundations Workshop (CSFW 2001), pp. 82–96 (2001)
Blanchet, B., Abadi, M., Fournet, C.: Automated verification of selected equivalences for security protocols. In: 20th IEEE Symposium on Logic in Computer Science (LICS 2005), pp. 331–340 (2005)
Box, D., Curbera, F., et al.: Web Services Addressing (WS-Addressing). W3C Member Submission (August 2004)
Dolev, D., Yao, A.C.: On the security of public key protocols. IEEE Transactions on Information Theory IT–29(2), 198–208 (1983)
Eastlake, D., Reagle, J., et al.: XML Encryption Syntax and Processing. W3C Recommendation (2002)
Eastlake, D., Reagle, J., Solo, D., et al.: XML-Signature Syntax and Processing. W3C Recommendation (2002)
Gordon, A.D., Pucella, R.: Validating a web service security abstraction by typing. In: 2002 ACM workshop on XML Security, pp. 18–29 (2002)
Goubault-Larrecq, J., Parrennes, F.: Cryptographic protocol analysis on real C code. In: Cousot, R. (ed.) VMCAI 2005. LNCS, vol. 3385, pp. 363–379. Springer, Heidelberg (2005)
Gudgin, M., et al.: SOAP Version 1.2. W3C Recommendation (2003)
IBM Corporation. IBM WebSphere Application Server (2006), At: http://www.ibm.com/software/websphere/
Kleiner, E., Roscoe, A.W.: Web services security: A preliminary study using Casper and FDR. In: Automated Reasoning for Security Protocol Analysis (ARSPA 2004) (2004)
Kleiner, E., Roscoe, A.W.: On the relationship between web services security and traditional protocols. In: Mathematical Foundations of Programming Semantics (MFPS XXI) (2005)
Microsoft Corporation. Web Services Enhancements (WSE) 2.0 (2004), At: http://msdn.microsoft.com/webservices/building/wse/default.aspx
Microsoft Corporation. Windows Communication Foundation (WCF) (2006), At: http://windowscommunication.net
Milner, R.: Functions as processes. Mathematical Structures in Computer Science 2(2), 119–141 (1992)
Milner, R.: Communicating and Mobile Systems: the π-Calculus. In: CUP (1999)
Nadalin, A., Kaler, C., Hallam-Baker, P., Monzillo, R.: OASIS Web Services Security: SOAP Message Security 1.0 (WS-Security 2004). OASIS Standard 200401 (March 2004)
Needham, R.M., Schroeder, M.D.: Using encryption for authentication in large networks of computers. Communications of the ACM 21(12), 993–999 (1978)
Syme, D.: F# (2005), At: http://research.microsoft.com/fsharp/fsharp.aspx
Woo, T.Y.C., Lam, S.S.: A semantic model for authentication protocols. In: IEEE Computer Society Symposium on Research in Security and Privacy, pp. 178–194 (1993)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2006 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Bhargavan, K., Fournet, C., Gordon, A.D. (2006). Verified Reference Implementations of WS-Security Protocols. In: Bravetti, M., Núñez, M., Zavattaro, G. (eds) Web Services and Formal Methods. WS-FM 2006. Lecture Notes in Computer Science, vol 4184. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11841197_6
Download citation
DOI: https://doi.org/10.1007/11841197_6
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-38862-3
Online ISBN: 978-3-540-38865-4
eBook Packages: Computer ScienceComputer Science (R0)