Secure sessions for Web services
- 1 May 2007
- journal article
- Published by Association for Computing Machinery (ACM) in ACM Transactions on Information and System Security
- Vol. 10 (2), 8
- https://doi.org/10.1145/1237500.1237504
Abstract
We address the problem of securing sequences of SOAP messages exchanged between web services and their clients. The WS-Security standard defines basic mechanisms to secure SOAP traffic, one message at a time. For typical web services, however, using WS-Security independently for each message is rather inefficient; moreover, it is often important to secure the integrity of a whole session, as well as each message. To these ends, recent specifications provide further SOAP-level mechanisms. WS-SecureConversation defines security contexts, which can be used to secure sessions between two parties. WS-Trust specifies how security contexts are issued and obtained. We develop a semantics for the main mechanisms of WS-Trust and WS-SecureConversation, expressed as a library for TulaFale, a formal scripting language for security protocols. We model typical protocols relying on these mechanisms and automatically prove their main security properties. We also informally discuss some pitfalls and limitations of these specifications.