Presentation is loading. Please wait.

Presentation is loading. Please wait.

Language-Based Reasoning about WS-Security Protocols Andy Gordon Based on joint work with Karthik Bhargavan and Cédric Fournet GALT'03, NeSC, Edinburgh,

Similar presentations

Presentation on theme: "Language-Based Reasoning about WS-Security Protocols Andy Gordon Based on joint work with Karthik Bhargavan and Cédric Fournet GALT'03, NeSC, Edinburgh,"— Presentation transcript:

1 Language-Based Reasoning about WS-Security Protocols Andy Gordon Based on joint work with Karthik Bhargavan and Cédric Fournet GALT'03, NeSC, Edinburgh, 16-17 October 2003 Microsoft Research

2 2 The Proposition Two parallel trends over past five years: Rapid invention and deployment of XML-based crypto protocols for securing web services SOAP, XML-ENC, -DSIG, WS-Security, … Sustained and successful effort to develop formalisms and tools to check crypto protocols (Dolev&Yao, BAN,) FDR, Athena, Cryptyc, Proverif, … New crypto protocols are often wrong, XML or not Timely opportunity to develop tools for validating standards-based XML crypto protocols MSRC Samoa Project http://Securing.WS

3 3 Scope of Dolev-Yao Model The threat model is an attacker who can replay, redirect, assemble new messages, but cannot brute force secrets such as passwords Can verify that crypto protocols establish various safety properties in spite of such an attacker: Message authentication – against impersonated access Message integrity – against parameter manipulation Message confidentiality – against eavesdropping Message freshness – against replays Like all formal or informal methods, certain threats lie outside the model, and must be addressed separately Disclosure of configuration data Unauthorized access via SQL injection or cross-site scripting

4 4 Whats a Web Service? A web service is a web site intended for use by computer programs instead of human beings. (Barclay et al) On public internets: Amazon, MSDN, … Within intranet: vendor-neutral middleware to interconnect existing systems (IDC: North American companies implemented 3,300 WS projects in 2002) Between intranets: inter-institution workflow (e- business, e-science); eg OGSI spec for grid services

5 5 A Sample Web Service SOAPRequest Implementation via proxy class and HTTP transport Smart client for checking orders PetShopService ws = new PetShopService(); Order o = ws.GetOrder(20); Implementation via WebService classes in Web Server SOAPResponse [WebMethod] public Order GetOrder(int orderId) { return orderWebService.GetOrder(orderId); } Pet Shop database Vendor-neutral XML-encoding over HTTP The Internet WS-Security specifies how to sign or encrypt, etc

6 6 Grids Over Web Services Grid means different things to different people, eg: WAN-based cpu-intensive e-science LAN-based dynamically-provisioned server farms Global Grid Forum: growing consensus to use SOAP If not yet on how to handle mutable state Need SOAP authentication to implement grid policies: Who can read or write data? Who pays for metered cpu time or disc space? Who is licensed to run this software? Who has priority on this freshly imaged server?

7 7 Todays Talk Problem: How to specify and verify authentication properties at the level of SOAP messages Part I Detailed Sample of Authentication via WS-Security Part II A Semantics of Web Services Authentication XML data model with embedded crypto Predicates for security tokens and signatures Theorems about sample security protocols Part III Demo: verifier for XML security protocols

8 Part I: Abstract vs XML Views of Simple Sample To see why we need to model XML in detail, we examine a typical authentication protocol as implemented for the Pet Shop sample site Get Order Order Info

9 9 Sample Security Goals Suppose a human A with password p uses a client I to invoke a web service at URL S S = Without some kind of authentication, anybody could request the private details of anyone elses order Simple solution to require p-based signature of: Message body to show request from A, and has not been modified Timestamp-based message identifier to detect replays, with cache of recent messages Web server S to detect redirection from another server

10 A Signed Request http://bobspetshop/ws/OrderStatus uuid:5ba86b04-3c0f-428b-8dd6-17804286fe40 2003-02-04T16:49:45Z 2003-02-04T16:50:45Z adg Ouywn2V6ikNNtWYL29gl9R3CPBk= cGxr8w2AnBUzuhLzDYDoVw== 2003-02-04T16:49:45Z Ego0... 5GHl... efb0... dFGb... 23io... E4G0... vSB9JU/Wr8ykpAlaxCx2KdvjZcc= 20 Routing header identifies action and server UsernameToken assumes both parties know adgs secret password p Password digest = sha1(nonce+time+p) proves knowledge of p Nonce to prevent replays; receiver needs to cache recently seen nonces hmacsha1(key, SignedInfo) where key=psha1(p+nonce+time) Each DigestValue is the sha1 hash of the URI target URI arrows implemented using GUID Id attributes Hence, signature can prove this is a fresh message from adg

11 Part II: A Semantics of Web Services Security The XML wire format is trees plus pointers, rather more complex than the abstract trees of most Dolev-Yao models To reason at this level, we propose an XML model with symbolic crypto, that we embed within the applied pi calculus (paper at POPL04) To the best of our knowledge, this is the first and only work on a formalism for XML-based crypto protocols

12 12 XML Data 1: Standard Core Label ::= anyLegalXmlName element or attribute name String : str ::= any legal XML stringXML string Att : att ::= Label="String"attribute Atts : atts ::= Att Atts | attribute sequence Item : itm ::= Element | Stringitem Items : itms ::= Item Items | item sequence Element ::= Items element Sorts str, att, atts, itm, itms Represents valid, parsed XML Adapted from Siméon and Wadler's model (POPL03) Resembles the W3C Infoset recommendation

13 13 XML Data 2: Crypto Symbolic representation of crypto as in XML-DSIG Omitting operations for XML-ENC, destructors, and the equational theory Bytes : bytes ::= byte array (not itself XML) spi name, a nonce or key concat(Bytes 1,Bytes 2 )array concatenation c14n(Item)canonical bytes of an item utf8(String)UTF8 rep of a string sha1(Bytes)cryptographic digest p-sha1(String pw,Bytes salt )key from salted password hmac-sha1(Bytes key,Bytes src )keyed hash String : str ::=XML string spi name, a password base64(Bytes)Base64-encoding of array principal(s pw )from password to principal

14 14 How Do We Apply The Model? Use XML-based predicates to represent security checks made by SOAP processors Express security goals as correspondences between each successful completion and its causal initiation Embed the predicates and assertions within the pi calculus to represent behaviour of server and clients Prove absence of attacks within pi threat model Our paper follows this recipe for a series of samples, but also discusses threats outside pi model

15 15 A Concrete XML Protocol Authenticity formalized as a correspondence; authorization decision not formalized We describe this protocol as a process Q, and take the opponent O to be any arbitrary process in parallel Theorem: Q|O is safe, that is, in every run, every end-event corresponds to a preceding begin-event Proofs use a combination of process calculus techniques, and are compositional Event 1 I logs begin(A,n,t,orderid) Message 1 I S e where hasUserSignedBody(e,A,p,n,t,b) and isGetOrder(b, orderid) Event 1 S logs end(A,n,t,orderid) Message 2 S I GetOrderResponse(orderInfo)

16 Part III: TulaFale Demo This summer, Riccardo Pucella has implemented an automatic verifier using Bruno Blanchets ProVerif

17 17 Conclusions, Futures Successfully bridged gap between theoretical pi threat model and XML used in WS security protocols Driven by real samples, eg, MS Pet Shop Faithful to XML message format Found attacks within threat model Proved theorems about wire-level protocols Future directions Analysis of more complex protocols SOAP stack in an XML-aware type system Grid-specific security problems? MSRC Samoa Project http://Securing.WS

18 18 Securing.WS Resources Projects: Samoa, Cryptyc, Proverif http://Securing.WS Standards tracks and whitepaper My Top Three Web Service Blogs

Download ppt "Language-Based Reasoning about WS-Security Protocols Andy Gordon Based on joint work with Karthik Bhargavan and Cédric Fournet GALT'03, NeSC, Edinburgh,"

Similar presentations

Ads by Google