2,775 research outputs found
Validating a Web Service Security Abstraction by Typing
An XML web service is, to a first approximation, an RPC service in which
requests and responses are encoded in XML as SOAP envelopes, and transported
over HTTP. We consider the problem of authenticating requests and responses at
the SOAP-level, rather than relying on transport-level security. We propose a
security abstraction, inspired by earlier work on secure RPC, in which the
methods exported by a web service are annotated with one of three security
levels: none, authenticated, or both authenticated and encrypted. We model our
abstraction as an object calculus with primitives for defining and calling web
services. We describe the semantics of our object calculus by translating to a
lower-level language with primitives for message passing and cryptography. To
validate our semantics, we embed correspondence assertions that specify the
correct authentication of requests and responses. By appeal to the type theory
for cryptographic protocols of Gordon and Jeffrey's Cryptyc, we verify the
correspondence assertions simply by typing. Finally, we describe an
implementation of our semantics via custom SOAP headers.Comment: 44 pages. A preliminary version appears in the Proceedings of the
Workshop on XML Security 2002, pp. 18-29, November 200
Name-passing calculi and crypto-primitives: A survey
The paper surveys the literature on high-level name-passing process calculi, and their extensions with cryptographic primitives. The survey is by no means exhaustive, for essentially two reasons. First, in trying to provide a coherent presentation of different ideas and techniques, one inevitably ends up leaving out the approaches that do not fit the intended roadmap. Secondly, the literature on the subject has been growing at very high rate over the years. As a consequence, we decided to concentrate on few papers that introduce the main ideas, in the hope that discussing them in some detail will provide sufficient insight for further reading
Formal analysis of some secure procedures for certificate delivery
The paper describes and formally analyzes two communication protocols to manage the secure emission of digital certificates. The formal analysis is carried out by means of a software tool for the automatic erification of cryptographic protocols with finite behaviour. The tool is able to discover, at a conceptual level, attacks against security procedures. The methodology is general enough to be applied to several kinds of cryptographic procedures and protocols. It is opinion of the authors that this survey contributes towards a better understanding of the structure and aims of a protocol, both for developers, analyzers and final users
03411 Abstracts Collection -- Language Based Security
From October 5th to 10th 2003,the Dagstuhl Seminar 03411
``Language Based security\u27\u27 was held
in the International Conference and Research Center (IBFI), Schloss Dagstuhl.
During the seminar, several participants presented their current
research, and ongoing work and open problems were discussed. Abstracts of
the presentations given during the seminar are put together in this paper
PLACES'10: The 3rd Workshop on Programmng Language Approaches to concurrency and Communication-Centric Software
Paphos, Cyprus. March 201
Term-based composition of security protocols
In the context of security protocol parallel composition, where messages
belonging to different protocols can intersect each other, we introduce a new
paradigm: term-based composition (i.e. the composition of message components
also known as terms). First, we create a protocol specification model by
extending the original strand spaces. Then, we provide a term composition
algorithm based on which new terms can be constructed. To ensure that security
properties are maintained, we introduce the concept of term connections to
express the existing connections between terms and encryption contexts. We
illustrate the proposed composition process by using two existing protocols.Comment: 2008 IEEE International Conference on Automation, Quality and
Testing, Robotics, Cluj-Napoca, Romania, May 2008, pp. 233-238, ISBN
978-1-4244-2576-
Formal Analysis of ISO/IEC 9798-2 Authentication Standard using AVISPA
International audienceUse of formal methods is considered as a useful and efficient technique for the validation of security properties of the protocols. In this paper, we analyze the protocols of ISO/IEC 9798-2 entity authentication standard using a state-of-the-art tool for automated analysis named AVISPA. Our analysis of the standard using AVISPA's OFMC and CL-AtSe back-ends shows that the two party protocols are secure against the specified security properties while the back-ends are able to find attacks against unilateral and mutual authentication protocols involving a trusted third party
- âŚ