web services security a preliminary study using casper
play

Web Services Security: a preliminary study using Casper and FDR - PowerPoint PPT Presentation

Jul 22, 2023 •573 likes •752 views

Web Services Security: a preliminary study using Casper and FDR 01 Web Services Security: a preliminary study using Casper and FDR E. Kleiner and A.W. Roscoe Web Services Security: a preliminary study using Casper and FDR 02 Web Services -

  1. Web Services Security: a preliminary study using Casper and FDR 01 Web Services Security: a preliminary study using Casper and FDR E. Kleiner and A.W. Roscoe

  2. Web Services Security: a preliminary study using Casper and FDR 02 Web Services - a quick overview Web Services is an XML-based architecture that was developed in order to make the coupling between distributed components looser. SOAP was defined by Microsoft and DevelopMentor to provide a way to envelop information using XML to exchange it between different computing systems. With the growth of the popularity and importance of the Web Services architecture, more and more standards have been defined for extending the functionality and for dealing with different concerns.

  3. Web Services Security: a preliminary study using Casper and FDR 03 Web Service - An example implementation ����� � �������� ������� ��������� ����� ����� ��������� ����� �����

  4. Web Services Security: a preliminary study using Casper and FDR 04 SOAP request example ��������������������������������������������������������������������� ������������������ ������������������� ���������� ��!�������"��#��������������������#�����#���$%!&����� ��������"��#����� %!�� ����������"��#�����'����� ��(�� ������"��#�����'����� ����������"��#�����)�&#���������"��#�����)�&#��� ����������"��#����� ��(���* +���"��#����� ��(�� ��������"��#����� %!�� ����������� ��!�� ������������������ � �

  5. Web Services Security: a preliminary study using Casper and FDR 05 SOAP response example ��������������������������������������������������������������������� ������������������ ������������������� ���������� ��!�������"��#��������������������#�����#���$#������� ��������"��#����� %!&��������� �����������"��#�����&��%����'����������%##���(%��!��"��#�����)����� ���������"��#������ %!&���������� ����������� ��!�� ������������������ � �

  6. Web Services Security: a preliminary study using Casper and FDR 06 Web Services Security - an overview Problems with securing web services with a secure transport layer (ex. SSL): • SOAP is not bound to a specific transport layer. • The message is protected only in a secure channel. • The secure transport layer does not support intermediaries. • Inefficiency. Web Services Security specification Was initially proposed by Microsoft in October 2001. Defines elements to incorporate security tokens within a SOAP message. XML-Signature and XML-Encryption are used for achieving integrity and confidentiality for the security tokens.

  7. Web Services Security: a preliminary study using Casper and FDR 07 Message M - taken from an Oasis proposed protocol <Envelope> <Header> <Security mustUnderstand="1"> <BinarySecurityToken ValueType="x509v3" Id="myCert"> BV1 </BinarySecurityToken> <Signature> <SignedInfo> <CanonicalizationMethod Algorithm=.... /> <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig\#rsa-sha1"/> <Reference URI="#body"> <Transforms> <Transform Algorithm=.... /> </Transforms> <DigestMethod Algorithm=... /> <DigestValue> BV2 </DigestValue> </Reference> </SignedInfo> <SignatureValue> BV3 </SignatureValue> <KeyInfo> <SecurityTokenReference> <Reference URI="#myCert" /> </SecurityTokenReference> </KeyInfo> </Signature>

  8. Web Services Security: a preliminary study using Casper and FDR 08 <EncryptedKey> <EncryptedMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/> <KeyInfo> <SecurityTokenReference> <KeyIdentifier ValueType="X509v3"> BV4 </KeyIdentifier> </SecurityTokenReference> </KeyInfo> <CipherData> <CipherValue> BV5 </CipherValue> </CipherData> <ReferenceList> <DataReference URI="#enc" /> </ReferenceList> </EncryptedKey> </Security> </Header> <Body Id="body"> <EncryptedData Id="enc" Type="http://www.w3.org/2001/04/xmlenc#content"> <EncryptedMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" /> <CipherData> <CipherValue> BV6 </CipherValue> </CipherData> </EncryptedData> </Body> </Envelope>

  9. Web Services Security: a preliminary study using Casper and FDR 09 Modelling WS-Security Construct a mapping φ from SOAP messages to Casper input, such that if a WS-security protocol contains the messages m 1 , m 2 ..., m n then, 1. If an attack is found on φ ( m 1 ) , φ ( m 2 ) , ..., φ ( m n ) then a corresponding attack can be reproduced on m 1 , m 2 ..., m n . 2. If an attack exists on m 1 , m 2 , ..., m n then it also exists on φ ( m 1 ) , φ ( m 2 ) , ..., φ ( m n ) The more important of the above properties is (2), since we definitely do not want to generate a false “proof” of correctness using the translation. Any attack found by Casper can be translated back to make sure it is really present in the original protocol.

  10. Web Services Security: a preliminary study using Casper and FDR 10 Applying φ on a Security element φ ( � Security � ... � / Security � ) = φ ( � BinarySecurityToken � ... � / BinarySecurityToken � ) , φ ( � EncryptedKey � ... � / EncryptedKey � ) , φ ( � Signature � ... � / Signature � )

  11. Web Services Security: a preliminary study using Casper and FDR 11 Applying φ on a Signature element φ ( � Signature � ... � / Signature � ) = { φ ( � Reference ... � ... � / Reference � ) , . . . φ ( � Reference ... � ... � / Reference � ) ... } φ ( � KeyInfo � ... � / KeyInfo � , SIG )

  12. Web Services Security: a preliminary study using Casper and FDR 12 Demonstrate the complete derivation of φ ( M ) φ ( M ) ⇒ φ ( � Header � ... � /Header � ), φ ( � Body � ... � /Body � ) ⇒ φ ( � Security � ... � /Security � ), φ ( � Body � ... � /Body � ) ⇒ φ ( � BinarySecurityToken � ... � /BinarySecurityToken � ), φ ( � EncryptedKey � ... � /EncryptedKey � ), φ ( � Signature � ... � /Signature � ), φ ( � Body � ... � /Body � ) ⇒ φ ( � EncryptedKey � ... � /EncryptedKey � ), φ ( � Signature � ... � /Signature � ), φ ( � Body � ... � /Body � ) ⇒ φ ( � ReferenceList � ... � /ReferenceList � , { K } ), { K } φ ( � KeyInfo � ... � / KeyInfo � , ENC) , φ ( � Signature � ... � /Signature � ), φ ( � Body � ... � /Body � ) ⇒ φ ( � DataReference URI=#enc / � , { K } ), { K } φ ( � KeyInfo � ... � / KeyInfo � , ENC) , φ ( � Signature � ... � /Signature � ), φ ( � Body � ... � /Body � ) ⇒ Context(enc, { K } ), { K } φ ( � KeyInfo � ... � / KeyInfo � , ENC) , φ ( � Signature � ... � /Signature � ), φ ( � Body � ... � /Body � ) ⇒ Context(enc, { K } ), { K } φ ( � SecurityTokenReference � ... � / SecurityTokenReference � , ENC) , φ ( � Signature � ... � /Signature � ), φ ( � Body � ... � /Body � ) ⇒ Context(enc, { K } ), { K } φ ( � KeyIdentifier � ... � / KeyIdentifier � , ENC) , φ ( � Signature � ... � /Signature � ), φ ( � Body � ... � /Body � ) ⇒ Context(enc, { K } ), { K } PK(B) , { φ ( � Reference URI=#body � ... � /Reference � ) } ,

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Project Casper Preliminary Design Review PSP-SL 2020 Mission Statement Our mission statement

Project Casper Preliminary Design Review PSP-SL 2020 Mission Statement Our mission statement

Project Casper Preliminary Design Review PSP-SL 2020 Mission Statement Our mission statement can be broken into three distinct goals: Design, build, test, and fly a student-crafted launch vehicle to a predetermined altitude To carry a

1.08k views • 58 slides
OPG Leadership Series Solaris Security Design Kickoff, Considerations September, 2005 Casper

OPG Leadership Series Solaris Security Design Kickoff, Considerations September, 2005 Casper

OPG Leadership Series Solaris Security Design Kickoff, Considerations September, 2005 Casper Dik Sun Microsystems, Inc. Solaris Security Design Principles Or how ten years changed my perspective on security History of fixes and hardening

581 views • 37 slides
Preliminary Feasibility Study of a Pharmacy Carve-Out Model Department for Medicaid Services

Preliminary Feasibility Study of a Pharmacy Carve-Out Model Department for Medicaid Services

Preliminary Feasibility Study of a Pharmacy Carve-Out Model Department for Medicaid Services December 9, 2019 Outline i. Overview ii. Goal iii. Methodology i. Reimbursement adjustment ii. Administrative costs iii. Rebates iv. Premium

2.41k views • 22 slides
1 X.800 Security Services X.800 Security Services X.800 Security Services Data integrity

1 X.800 Security Services X.800 Security Services X.800 Security Services Data integrity

Course Overview Course Requirements EECS 498-7/8 Cryptography and Network Security: www.citi.umich.edu/u/honey/security Principles and Practice (Third Edition) Computer Security Monday &amp; Friday, 9:00 10:30 William Stallings

670 views • 19 slides
In the Compression Hornet's Nest: A Security Study of Data Compression in Network Services

In the Compression Hornet's Nest: A Security Study of Data Compression in Network Services

In the Compression Hornet's Nest: A Security Study of Data Compression in Network Services Giancarlo Pellegrino (1) , Davide Balzarotti (2) , Stefan Winter (3) , and Neeraj Suri (3) 24th USENIX Security Symposium, Washington, D.C. (1) Saarland

574 views • 39 slides
THANK YOU to ALL nursing home social services staff for caring for our residents and families.

THANK YOU to ALL nursing home social services staff for caring for our residents and families.

7/18/2019 The National Nursing Home Social Services Study NH Social Services in the U.S. The NH SS Study Sample Recruitment and Preliminary Findings Objectives Recruiting a national sample Mercedes BernKlug. PhD, MSW, MA

567 views • 7 slides
Lake Parkw ay (STH 794) Extension Study: SEWRPC Preliminary Recommendations Preliminary

Lake Parkw ay (STH 794) Extension Study: SEWRPC Preliminary Recommendations Preliminary

Lake Parkw ay (STH 794) Extension Study: SEWRPC Preliminary Recommendations Preliminary Recommendations 1 Public Meeting February 29, 2012 #201903 Study Background Study Background y y g g SEWRPC Study of extension of Lake Parkw ay

459 views • 18 slides
2016 Rate Study Preliminary Findings May 4, 2016 Presented by: Tom Gould HDR Engineering, Inc.

2016 Rate Study Preliminary Findings May 4, 2016 Presented by: Tom Gould HDR Engineering, Inc.

Tamalpais Community Services District 2016 Rate Study Preliminary Findings May 4, 2016 Presented by: Tom Gould HDR Engineering, Inc. Overview of the Presentation Review the discussion from the prior Board meeting Review the analysis

673 views • 36 slides
A Preliminary Study of Ground Water A Preliminary Study of Ground Water Level Change due to

A Preliminary Study of Ground Water A Preliminary Study of Ground Water Level Change due to

A Preliminary Study of Ground Water A Preliminary Study of Ground Water Level Change due to Earthquake using Time Frequency Analysis Time-Frequency Analysis Yetmen Wang Yetmen Wang President/CEO, AnCAD, Inc. Data Source: Water Resource

732 views • 69 slides
The Whole Sort of General Mish Mash Frequently Asked Questions and Trip-ups About the CASPER

The Whole Sort of General Mish Mash Frequently Asked Questions and Trip-ups About the CASPER

The Whole Sort of General Mish Mash Frequently Asked Questions and Trip-ups About the CASPER Libraries and Toolflow Henry Chen, CASPER Workshop, August 2008 Number Representation Follows Matlab/Simulink fixed-point notation (Data

335 views • 16 slides
for GAVRT at Caltech Glenn Jones Aug. 03, 2008 2008 CASPER Workshop Acknowledgements Xilinx

for GAVRT at Caltech Glenn Jones Aug. 03, 2008 2008 CASPER Workshop Acknowledgements Xilinx

CASPER Development for GAVRT at Caltech Glenn Jones Aug. 03, 2008 2008 CASPER Workshop Acknowledgements Xilinx Generous FPGA and software donations Sandy Weinreb &amp; Hamdi Mani Feed measurement data Useful stuff first! The

458 views • 43 slides
Sunrise Park and Beach Preliminary Engineering / Consulting Erosion Study June 17, 2019 Study

Sunrise Park and Beach Preliminary Engineering / Consulting Erosion Study June 17, 2019 Study

Lake Bluff Park District Sunrise Park and Beach Preliminary Engineering / Consulting Erosion Study June 17, 2019 Study Purpose Study is an Outgrowth of Erosion Impacts Caused by High Lake Levels Sand Losses Permanent Loss of Base

794 views • 45 slides
UCP GROUP Maritime Security Services UCP GROUP ONE SOLUTION ONE PLATFORM ONE SECURITY SERVICE

UCP GROUP Maritime Security Services UCP GROUP ONE SOLUTION ONE PLATFORM ONE SECURITY SERVICE

UCP GROUP Maritime Security Services UCP GROUP ONE SOLUTION ONE PLATFORM ONE SECURITY SERVICE Maritime Security - Commercial Shipping Security - Cruise Liner Security - Super-Yacht Security Maritime Security Services UCP GROUP is a market

247 views • 22 slides
Preliminary Study on Growth, Feed Conversion and Preliminary Study on Growth, Feed Conversion and

Preliminary Study on Growth, Feed Conversion and Preliminary Study on Growth, Feed Conversion and

Preliminary Study on Growth, Feed Conversion and Preliminary Study on Growth, Feed Conversion and Production in Non- -Improved and Improved Strains of the Improved and Improved Strains of the Production in Non Nile tilapia Oreochromis niloticus

343 views • 16 slides
Company Profile Central Investigation and Security Services Ltd Delivering Expert Security

Company Profile Central Investigation and Security Services Ltd Delivering Expert Security

CENTRAL INVESTIGATION &amp; SECURITY SERVICES LTD Company Profile Central Investigation and Security Services Ltd Delivering Expert Security Services with Trust &amp; Transparency Since 1985 Security Services provider with a difference

518 views • 23 slides
OIL CITY AQUATIC CENTER Presenta5on by Casper Swim Club

OIL CITY AQUATIC CENTER Presenta5on by Casper Swim Club

OIL CITY AQUATIC CENTER Presenta5on by Casper Swim Club 1 AQUATIC CENTER GOALS Create a mul5-purpose aqua5c center in Casper to provide

330 views • 31 slides
ritish fas h fashion industry Executi utive not-for-p not-for-p profit organisation that aims

ritish fas h fashion industry Executi utive not-for-p not-for-p profit organisation that aims

ritish fas h fashion industry Executi utive not-for-p not-for-p profit organisation that aims to further the interests of th profit organisation that aims to further the interests of th the British the British and sharing aring the

365 views • 13 slides
T he Ma ine Ma ll Fast facts: 1,000,000 SF 99% occupied Over $300 million in

T he Ma ine Ma ll Fast facts: 1,000,000 SF 99% occupied Over $300 million in

T he Ma ine Ma ll Fast facts: 1,000,000 SF 99% occupied Over $300 million in annual sales Sales per foot of $600+ Low operating costs 175,000 SF of new construction in the past 12 months Several

291 views • 3 slides
Gibbs Planning Group 2 Naples, Florida: 5 th Avenue Merchandising Plan Gibbs Planning Group 3

Gibbs Planning Group 2 Naples, Florida: 5 th Avenue Merchandising Plan Gibbs Planning Group 3

Gibbs Planning Group 2 Naples, Florida: 5 th Avenue Merchandising Plan Gibbs Planning Group 3 Third Street Old Naples, Florida 5 6

449 views • 6 slides
Oops! d e How I accidentally the k c a h University's Merchandising Shop Dan Luedtke

Oops! d e How I accidentally the k c a h University's Merchandising Shop Dan Luedtke

Oops! d e How I accidentally the k c a h University's Merchandising Shop Dan Luedtke &lt;mail@danrl.de&gt; Thu, January 12, 2012 Slide 1 About UniBwM University of the German Federal Armed Forces, Munich ~3700 students in

489 views • 26 slides
Resurrecting Duckling Imprinting on Mother: Device shares key on 1 st contact with controller

Resurrecting Duckling Imprinting on Mother: Device shares key on 1 st contact with controller

Resurrecting Duckling Imprinting on Mother: Device shares key on 1 st contact with controller Metempsychosis: Upon death, soul progresses to a new body Reverse metempsychosis: Upon death, new soul can enter the body Resistance to

605 views • 21 slides
1Q18 EARNINGS MAY 2018 FORWARD-LOOKING STATEMENTS The statements contained in this release that

1Q18 EARNINGS MAY 2018 FORWARD-LOOKING STATEMENTS The statements contained in this release that

1Q18 EARNINGS MAY 2018 FORWARD-LOOKING STATEMENTS The statements contained in this release that refer to plans and expectations for the next quarter, the full year or the future are forward-looking statements within the meaning of Section 27A of

635 views • 20 slides
Privacy in Online Transactions 515030910619 Introduction Online shopping is an

Privacy in Online Transactions 515030910619 Introduction Online shopping is an

Blockchain Application for User Privacy in Online Transactions 515030910619 Introduction Online shopping is an essential component in our life. User privacy in online shopping isn t protected well. Online shopping platform,

500 views • 13 slides
T e c h n i c a l W r i t i n g f o r N o n - W r i t e r s F O S

T e c h n i c a l W r i t i n g f o r N o n - W r i t e r s F O S

T e c h n i c a l W r i t i n g f o r N o n - W r i t e r s F O S D E M r d B r u s s e l s , F e b r u a r y 3 2 0 1 8 T a n j a R o t h S U S E D o c u m e n t a t

257 views • 11 slides

More recommend