Language-Based Reasoning about WS-Security Protocols Andy Gordon

Based on joint work with Karthik
Bhargavan and Cédric Fournet
Microsoft Research
GALT'03, NeSC, Edinburgh, 16-17 October 2003
The Proposition
- Two parallel trends over past five years:
  - Rapid invention and deployment of XML-based crypto protocols for securing web services
    - SOAP, XML-ENC, -DSIG, WS-Security, …
  - Sustained and successful effort to develop formalisms and tools to check crypto protocols
    - (Dolev&Yao, BAN,) FDR, Athena, Cryptyc, Proverif, …
- New crypto protocols are often wrong, XML or not
- Timely opportunity to develop tools for validating standards-based XML crypto protocols
MSRC Samoa Project
http://Securing.WS

Scope of Dolev-Yao Model
- The threat model is an attacker who can replay, redirect, assemble new messages, but cannot brute force secrets such as passwords
- Can verify that crypto protocols establish various safety properties in spite of such an attacker:
  - Message authentication – against impersonated access
  - Message integrity – against parameter manipulation
  - Message confidentiality – against eavesdropping
  - Message freshness – against replays
- Like all formal or informal methods, certain threats lie outside the model, and must be addressed separately
  - Disclosure of configuration data
  - Unauthorized access via SQL injection or cross-site scripting

What’s a Web Service?
- “A web service is a web site intended for use by computer programs instead of human beings.” (Barclay et al)
- On public internets: Amazon, MSDN, …
- Within intranet: vendor-neutral middleware to interconnect existing systems (IDC: North American companies implemented 3,300 WS projects in 2002)
- Between intranets: inter-institution workflow (e-business, e-science); eg OGSI spec for “grid services”

A Sample Web Service
[Diagram: a smart client for checking orders sends a SOAP Request across the Internet to the web server www.bobspetshop.com, which is backed by the Pet Shop database and returns a SOAP Response]

Client: implementation via proxy class and HTTP transport

    PetShopService ws = new PetShopService();
    Order o = ws.GetOrder(20);

Server: implementation via WebService classes in Web Server

    [WebMethod]
    public Order GetOrder(int orderId) {
        return orderWebService.GetOrder(orderId); }

- SOAP Request and SOAP Response: vendor-neutral XML-encoding over HTTP
- WS-Security specifies how to sign or encrypt, etc

Grids Over Web Services
- “Grid” means different things to different people, eg:
  - WAN-based cpu-intensive e-science
  - LAN-based dynamically-provisioned server farms
- Global Grid Forum: growing consensus to use SOAP
  - If not yet on how to handle mutable state
- Need SOAP authentication to implement grid policies:
  - Who can read or write data?
  - Who pays for metered cpu time or disc space?
  - Who is licensed to run this software?
  - Who has priority on this freshly imaged server?

Today’s Talk
- Problem:
  - How to specify and verify authentication properties at the level of SOAP messages
- Part I
  - Detailed Sample of Authentication via WS-Security
- Part II
  - A Semantics of Web Services Authentication
    - XML data model with embedded crypto
    - Predicates for security tokens and signatures
    - Theorems about sample security protocols
- Part III
  - Demo: verifier for XML security protocols

Part I: Abstract vs XML Views of Simple Sample
To see why we need to model XML in detail, we examine a typical authentication protocol as implemented for the Pet Shop sample site
[Diagram: Get Order request, Order Info response]

Sample Security Goals
- Suppose a human A with password p uses a client I to invoke a web service at URL S
  - S = http://www.bobspetshop.com/ws/orderstatus.asmx
- Without some kind of authentication, anybody could request the private details of anyone else’s order
- Simple solution to require p-based signature of:
  - Message body: to show request from A, and has not been modified
  - Timestamp-based message identifier: to detect replays, with cache of recent messages
  - Web server S: to detect redirection from another server

A Signed Request

<Envelope>
  <Header>
    <path actor="next">
      <action>http://bobspetshop/ws/OrderStatus</>
      <to>http://www.bobspetshop.com/ws/orderstatus.asmx</>
      <id>uuid:5ba86b04-3c0f-428b-8dd6-17804286fe40</>
    <Timestamp>
      <Created>2003-02-04T16:49:45Z</>
      <Expires>2003-02-04T16:50:45Z</>
    <Security>
      <UsernameToken>
        <Username>adg</>
        <Password>Ouywn2V6ikNNtWYL29gl9R3CPBk=</>
        <Nonce>cGxr8w2AnBUzuhLzDYDoVw==</>
        <Created>2003-02-04T16:49:45Z</>
      <Signature>
        <SignedInfo>
          <Reference URI="#..."><DigestValue>Ego0...</>
          <Reference URI="#..."><DigestValue>5GHl...</>
          <Reference URI="#..."><DigestValue>efb0...</>
          <Reference URI="#..."><DigestValue>dFGb...</>
          <Reference URI="#..."><DigestValue>23io...</>
          <Reference URI="#..."><DigestValue>E4G0...</>
        <SignatureValue>vSB9JU/Wr8ykpAlaxCx2KdvjZcc=</>
        <KeyInfo><SecurityTokenReference><Reference URI="#..."/>
  <Body>
    <GetOrder>
      <orderId>20</>

Annotations:
- Routing header identifies action and server
- UsernameToken assumes both parties know adg’s secret password p
- Password digest = sha1(nonce+time+p) proves knowledge of p
- Nonce to prevent replays; receiver needs to cache recently seen nonces
- Each DigestValue is the sha1 hash of the URI target
- URI arrows implemented using GUID Id attributes
- SignatureValue = hmacsha1(key, SignedInfo) where key=psha1(p+nonce+time)
- Hence, signature can prove this is a fresh message from adg

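The receiver-side checks these annotations call for (digest recomputation, timestamp window, nonce cache), as an added example that is not code from the talk or from any WS-Security implementation. Assumptions: the nonce is base64-decoded before hashing, the window is the 60 seconds between the sample's Created and Expires, and the names password_digest and TokenVerifier and the password are constructed for illustration.

```python
import base64, hashlib, hmac
from datetime import datetime, timedelta, timezone

def password_digest(nonce_b64, created, password):
    """base64(sha1(nonce + time + p)); nonce is base64-decoded first (assumption)."""
    nonce = base64.b64decode(nonce_b64, validate=True)
    raw = nonce + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()

class TokenVerifier:
    def __init__(self, passwords, max_age=timedelta(seconds=60)):
        self.passwords = passwords  # username -> shared password p
        self.max_age = max_age
        self.seen = {}              # (username, nonce bytes) -> cache expiry

    def verify(self, username, digest, nonce_b64, created, now):
        # Entries older than the window can go: the timestamp check rejects them.
        self.seen = {k: exp for k, exp in self.seen.items() if exp > now}
        try:
            nonce = base64.b64decode(nonce_b64, validate=True)
            t = datetime.strptime(created, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            expected = password_digest(nonce_b64, created, self.passwords[username])
        except (ValueError, KeyError):
            return "malformed or unknown user"
        if not hmac.compare_digest(expected.encode(), digest.encode()):
            return "bad digest"
        if not timedelta(0) <= now - t <= self.max_age:
            return "stale"
        # Key on decoded bytes so a re-encoded copy of the same nonce still hits.
        if (username, nonce) in self.seen:
            return "replay"
        self.seen[(username, nonce)] = t + self.max_age
        return "ok"

def demo():
    # Constructed token: the password and nonce are made up for this example.
    v = TokenVerifier({"adg": "constructed-password"})
    nonce = base64.b64encode(bytes(range(16))).decode()
    created = "2003-02-04T16:49:45Z"
    d = password_digest(nonce, created, "constructed-password")
    now = datetime(2003, 2, 4, 16, 49, 50, tzinfo=timezone.utc)
    return [v.verify("adg", d, nonce, created, now),   # first delivery
            v.verify("adg", d, nonce, created, now)]   # same token again

if __name__ == "__main__":
    print(demo())
```

The digest alone authenticates only the token; binding the body, message id and destination to it is the job of the Signature element.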
Part II: A Semantics of Web Services Security
The XML wire format is trees plus pointers, rather more complex than the abstract trees of most Dolev-Yao models
To reason at this level, we propose an XML model with symbolic crypto, that we embed within the applied pi calculus (paper at POPL’04)
To the best of our knowledge, this is the first and only work on a formalism for XML-based crypto protocols

XML Data 1: Standard Core

Label ::= anyLegalXmlName                 element or attribute name
String : str ::= any legal XML string     XML string
Att : att ::= Label="String"              attribute
Atts : atts ::= Att Atts |                attribute sequence
Item : itm ::= Element | String           item
Items : itms ::= Item Items |             item sequence
Element ::= <Label Atts>Items</Label>     element

- Sorts str, att, atts, itm, itms
- Represents valid, parsed XML
- Adapted from Siméon and Wadler's model (POPL’03)
- Resembles the W3C Infoset recommendation

XML Data 2: Crypto

Bytes : bytes ::=                         byte array (not itself XML)
    s                                     pi name, a nonce or key
    concat(Bytes_1,Bytes_2)               array concatenation
    c14n(Item)                            canonical bytes of an item
    utf8(String)                          UTF8 rep of a string
    sha1(Bytes)                           cryptographic digest
    p-sha1(String_pw,Bytes_salt)          key from salted password
    hmac-sha1(Bytes_key,Bytes_src)        keyed hash
String : str ::=                          XML string
    s                                     pi name, a password
    base64(Bytes)                         Base64-encoding of array
    principal(s_pw)                       from password to principal

- Symbolic representation of crypto as in XML-DSIG
- Omitting operations for XML-ENC, destructors, and the equational theory

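A small symbolic (Dolev-Yao) deduction check over the constructors listed on this slide, as an added example that is not the talk's model or the TulaFale tool. Assumptions: the set of invertible constructors, the flat "envelope" constructor standing in for the XML message, and the term layout in signature() are hypothetical simplifications chosen here, since the slide omits the destructors and equational theory.

```python
# Symbolic terms: a str is an atomic pi name; a tuple is (constructor, arg, ...).
# Assumption: these constructors can be taken apart by anyone; the hashes cannot.
INVERTIBLE = {"envelope", "concat", "base64", "utf8", "c14n"}

def analyze(knowledge):
    """Close the opponent's knowledge under the assumed destructors."""
    known, todo = set(), list(knowledge)
    while todo:
        t = todo.pop()
        if t in known:
            continue
        known.add(t)
        if isinstance(t, tuple) and t[0] in INVERTIBLE:
            todo.extend(t[1:])
    return known

def derivable(term, known):
    """Can the opponent build term from analyzed knowledge using constructors?"""
    if term in known:
        return True
    return isinstance(term, tuple) and all(derivable(a, known) for a in term[1:])

def signature(pw, nonce, created, body):
    """base64(hmac-sha1(p-sha1(pw, salt), sha1(c14n(body)))), layout assumed."""
    key = ("p-sha1", pw, ("concat", nonce, ("utf8", created)))
    return ("base64", ("hmac-sha1", key, ("sha1", ("c14n", body))))

def demo():
    # Constructed run: password "p", nonce "n", time "t", order ids "20" and "21".
    sig = signature("p", "n", "t", "20")
    msg = ("envelope", "adg", "n", "t", "20", sig)  # hypothetical flat envelope
    known = analyze({msg, "21"})                     # opponent saw msg, knows "21"
    forged = signature("p", "n", "t", "21")
    return {
        "learns_password": derivable("p", known),
        "can_replay": derivable(msg, known),
        "can_forge": derivable(forged, known),
        "can_forge_if_p_leaks": derivable(forged, analyze(known | {"p"})),
    }

if __name__ == "__main__":
    print(demo())
```

The opponent can resend the observed message unchanged but cannot sign a different order id, which is why freshness has to come from the receiver's nonce cache rather than from the signature alone.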
How Do We Apply The Model?
- Use XML-based predicates to represent security checks made by SOAP processors
- Express security goals as correspondences between each successful completion and its causal initiation
- Embed the predicates and assertions within the pi calculus to represent behaviour of server and clients
- Prove absence of attacks within pi threat model
- Our paper follows this recipe for a series of samples, but also discusses threats outside pi model

A Concrete XML Protocol

Event 1      I logs begin(A,n,t,orderid)
Message 1    I -> S   e where hasUserSignedBody(e,A,p,n,t,b) and isGetOrder(b, orderid)
Event 1’     S logs end(A,n,t,orderid)
Message 2    S -> I   GetOrderResponse(orderInfo)

- Authenticity formalized as a correspondence; authorization decision not formalized
- We describe this protocol as a process Q, and take the opponent O to be any arbitrary process in parallel
- Theorem: Q|O is safe, that is, in every run, every end-event corresponds to a preceding begin-event
- Proofs use a combination of process calculus techniques, and are compositional

Part III: TulaFale Demo
This summer, Riccardo Pucella has implemented an automatic verifier using Bruno Blanchet’s ProVerif

Conclusions, Futures
- Successfully bridged gap between theoretical pi threat model and XML used in WS security protocols
  - Driven by real samples, eg, MS Pet Shop
  - Faithful to XML message format
  - Found attacks within threat model
  - Proved theorems about wire-level protocols
- Future directions
  - Analysis of more complex protocols
  - SOAP stack in an XML-aware type system
  - Grid-specific security problems?
MSRC Samoa Project
http://Securing.WS

Securing.WS Resources
- Projects: Samoa, Cryptyc, Proverif
  - http://Securing.WS
  - http://cryptyc.cs.depaul.edu
  - http://research.microsoft.com/~adg/cryptyc.htm
  - http://www.mpi-sb.mpg.de/~blanchet
- Standards tracks and whitepaper
  - http://www.w3.org/2002/ws/
  - http://www.oasis-open.org
  - http://msdn.microsoft.com/ws-security/
- My Top Three Web Service Blogs
  - http://www.gotdotnet.com/team/dbox/rss.aspx
  - http://weblogs.cs.cornell.edu/AllThingsDistributed/index.rdf
  - http://www.scottishlass.co.uk/rss.xml