On secure implementation of an IHE XUA-based protocol for ...
On secure implementation of an IHE XUA-based protocol for ...
On secure implementation of an IHE XUA-based protocol for ...
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
<strong>On</strong> <strong>secure</strong> <strong>implementation</strong> <strong>of</strong> <strong>an</strong> <strong>IHE</strong> <strong>XUA</strong>-<strong>based</strong><br />
<strong>protocol</strong> <strong>for</strong> authenticating healthcare pr<strong>of</strong>essionals ⋆<br />
Massimili<strong>an</strong>o Masi, Rosario Pugliese, <strong>an</strong>d Fr<strong>an</strong>cesco Tiezzi<br />
Università degli Studi di Firenze, Viale Morgagni, 65 - 50134 Firenze, Italy<br />
masi@math.unifi.it, {pugliese,tiezzi}@dsi.unifi.it<br />
Abstract. The import<strong>an</strong>ce <strong>of</strong> the Electronic Health Record (EHR) has been addressed<br />
in recent years by governments <strong>an</strong>d institutions. M<strong>an</strong>y large scale projects<br />
have been funded with the aim to allow healthcare pr<strong>of</strong>essionals to consult patients<br />
data. Properties such as confidentiality, authentication <strong>an</strong>d authorization<br />
are the key <strong>for</strong> the success <strong>for</strong> these projects. The Integrating the Healthcare Enterprise<br />
(<strong>IHE</strong>) initiative promotes the coordinated use <strong>of</strong> established st<strong>an</strong>dards<br />
<strong>for</strong> authenticated <strong>an</strong>d <strong>secure</strong> EHR exch<strong>an</strong>ges among clinics <strong>an</strong>d hospitals. In particular,<br />
the <strong>IHE</strong> integration pr<strong>of</strong>ile named <strong>XUA</strong> permits to attest user identities<br />
by relying on SAML assertions, i.e. XML documents containing authentication<br />
statements. In this paper, we provide a <strong>for</strong>mal model <strong>for</strong> the <strong>secure</strong> issu<strong>an</strong>ce <strong>of</strong><br />
such <strong>an</strong> assertion. We first specify the scenario using the process calculus COWS<br />
<strong>an</strong>d then <strong>an</strong>alyse it using the model checker CMC. Our <strong>an</strong>alysis reveals a potential<br />
flaw in the <strong>XUA</strong> pr<strong>of</strong>ile when using a SAML assertion in <strong>an</strong> unprotected network.<br />
We then suggest a solution <strong>for</strong> this flaw, <strong>an</strong>d model check <strong>an</strong>d implement this solution<br />
to show that it is <strong>secure</strong> <strong>an</strong>d feasible.<br />
1 Introduction<br />
In recent years, the exch<strong>an</strong>ge <strong>of</strong> Electronic Health Records (EHRs) among clinics <strong>an</strong>d<br />
hospitals has become <strong>an</strong> interesting field <strong>of</strong> research <strong>an</strong>d study <strong>for</strong> academia <strong>an</strong>d the<br />
industry. An EHR is a set <strong>of</strong> sensitive data containing all healthcare history <strong>of</strong> a patient<br />
(e.g. medical exams or prescriptions).<br />
Two import<strong>an</strong>t concepts in EHR m<strong>an</strong>agement are security <strong>an</strong>d interoperability: the<br />
content <strong>of</strong> <strong>an</strong> EHR c<strong>an</strong>not be disclosed to unauthorized people without <strong>an</strong> explicit patient<br />
consent <strong>an</strong>d has to be accessible by heterogeneous systems. These requirements<br />
impose that <strong>an</strong>y s<strong>of</strong>tware participating in <strong>an</strong> EHR exch<strong>an</strong>ge must adhere to common<br />
specifications.<br />
Integrating the Healthcare Enterprise (<strong>IHE</strong>) [1] is a worldwide initiative founded <strong>for</strong><br />
promoting the coordinated use <strong>of</strong> established st<strong>an</strong>dards to improve in<strong>for</strong>mation sharing<br />
in <strong>an</strong> healthcare scenario. To achieve security <strong>an</strong>d interoperability, m<strong>an</strong>y pr<strong>of</strong>iles <strong>for</strong> integrating<br />
different systems have been proposed by <strong>IHE</strong>. These pr<strong>of</strong>iles c<strong>an</strong> be combined<br />
<strong>for</strong> building healthcare applications by using a Service Oriented Computing (SOC) approach<br />
<strong>an</strong>d OASIS st<strong>an</strong>dards such as SAML [2], ebXML [3], <strong>an</strong>d WS-Trust [4].<br />
⋆ This work has been supported by the EU project Sensoria, IST-2005-016004.
Document<br />
Source<br />
Document<br />
Registry<br />
Query<br />
Documents<br />
Document<br />
Counsumer<br />
Provide <strong>an</strong>d Register<br />
Document Set<br />
Register<br />
Document Set<br />
Document<br />
Repository<br />
Retrieve<br />
Documents<br />
Fig. 1. The XDS model<br />
<strong>IHE</strong> specifications are by now used to build nationwide projects with the aim <strong>of</strong><br />
sharing patient healthcare data, such as the French GIP-DMP [5] or the Austri<strong>an</strong> ARGE-<br />
ELGA [6] EHR projects.<br />
A typical EHR tr<strong>an</strong>smission is made by exploiting <strong>an</strong> ebXML registry/repository<br />
model (called in <strong>IHE</strong> jargon Cross Enterprise Document Sharing, XDS), as depicted in<br />
Figure 1. A document source (typically a medical device) provides <strong>an</strong>d registers documents<br />
<strong>for</strong> a given patient to a repository that extrapolates metadata <strong>an</strong>d feeds a registry.<br />
A document consumer (a workstation used by <strong>an</strong> healthcare pr<strong>of</strong>essional) queries the<br />
registry <strong>for</strong> documents related to the patient. The registry searches in its metadata <strong>an</strong>d<br />
replies with a set <strong>of</strong> links. These links are used by the consumer <strong>for</strong> retrieving documents<br />
from the repository.<br />
Confidentiality <strong>an</strong>d auditing is achieved using Tr<strong>an</strong>sport Layer Security (TLS) [7]<br />
<strong>an</strong>d logging as defined in the Audit Trail <strong>an</strong>d Node Authentication (ATNA) pr<strong>of</strong>ile [1].<br />
Any node participating in ATNA owns <strong>an</strong> host X.509 certificate <strong>for</strong> attesting machine’s<br />
identity. Requisites <strong>of</strong> each pr<strong>of</strong>ile c<strong>an</strong> be merged (i.e. grouped) together <strong>for</strong> building a<br />
complete infrastructure. For inst<strong>an</strong>ce, XDS grouped with ATNA provides a <strong>secure</strong> <strong>an</strong>d<br />
audited data exch<strong>an</strong>ge through TLS ch<strong>an</strong>nels using a registry/repository model.<br />
Healthcare pr<strong>of</strong>essionals authentication is one <strong>of</strong> the basic requirements <strong>for</strong> the access<br />
<strong>of</strong> person related health data at regional, national <strong>an</strong>d also multinational level. Authentication<br />
is defined by <strong>IHE</strong> in the Cross Enterprise User Assertion (<strong>XUA</strong>) integration<br />
pr<strong>of</strong>ile. The <strong>XUA</strong> specification covers the use <strong>of</strong> a SAML authentication assertion issued<br />
by <strong>an</strong> identity provider to be injected using WS-Security [8] during the documents<br />
queries. Due to local government complexities where each nation / hospital / clinic<br />
have its own authentication method, the assertion issu<strong>an</strong>ce process is leaved open. The<br />
WS-Trust st<strong>an</strong>dard is only suggested, but not proposing a specific pr<strong>of</strong>ile or a set <strong>of</strong><br />
messages to be exch<strong>an</strong>ged potentially leads to weak <strong>implementation</strong>s.<br />
Because <strong>of</strong> the impact that the <strong>IHE</strong> specifications are having, <strong>for</strong>mal models <strong>of</strong><br />
<strong>protocol</strong>s <strong>an</strong>d st<strong>an</strong>dards are needed. A large body <strong>of</strong> work has been already made on<br />
<strong>an</strong>alyzing WS-Trust <strong>protocol</strong>s, see e.g. [9–12], where message-level authentication [13]<br />
properties are verified. By relying on them, in this paper we aim at <strong>for</strong>malizing <strong>an</strong>d<br />
implementing a <strong>protocol</strong> combining WS-Trust <strong>an</strong>d <strong>IHE</strong> pr<strong>of</strong>iles. More specifically, our<br />
<strong>protocol</strong> is built on <strong>an</strong> XDS tr<strong>an</strong>saction grouped with ATNA <strong>an</strong>d authenticated by <strong>an</strong><br />
<strong>XUA</strong> SAML assertion. To our best knowledge, this is the first tentative to <strong>for</strong>malize<br />
<strong>protocol</strong>s derived from <strong>IHE</strong> specifications.<br />
2
issuer-identity <br />
. . . <br />
username <br />
<br />
. . .<br />
<br />
<br />
<br />
registry-address <br />
<br />
<br />
. . .<br />
<br />
. . . <br />
<br />
Fig. 2. Excerpt <strong>of</strong> a sample SAML token (using the bearer method)<br />
The process <strong>for</strong> issuing a SAML token is a delicate task: if <strong>an</strong> assertion is stolen, a<br />
malicious attacker c<strong>an</strong> re-use it <strong>an</strong>d have access to unauthorized healthcare data. <strong>On</strong>e<br />
could suggest to use TLS <strong>for</strong> authenticating ch<strong>an</strong>nels during the issu<strong>an</strong>ce. In fact, <strong>IHE</strong><br />
supports TLS by me<strong>an</strong>s <strong>of</strong> ATNA <strong>for</strong> compatibility with legacy non-WS st<strong>an</strong>dards such<br />
as Dicom [14] <strong>an</strong>d Health Level 7 version 2 [15]. However, given the possibility by<br />
<strong>XUA</strong> to choose <strong>an</strong>y issu<strong>an</strong>ce process, the use <strong>of</strong> TLS should be discouraged in favor<br />
<strong>of</strong> WS-Security. Moreover, as argued in [11], if a <strong>secure</strong> tr<strong>an</strong>sport layer in web service<br />
communications is used, intermediaries c<strong>an</strong>not m<strong>an</strong>ipulate the messages on their way;<br />
this does not comply with the requirements <strong>of</strong> SOC. For these reasons, our proposal<br />
does not rely on TLS.<br />
It is worth noticing that in the <strong>IHE</strong> security model, applications should also avoid<br />
heavy use <strong>of</strong> encryption, because the impact on per<strong>for</strong>m<strong>an</strong>ce <strong>of</strong> the current encryption<br />
algorithms is excessive [1]. Indeed, <strong>IHE</strong> applications c<strong>an</strong> even run on medical devices<br />
with a reduced computational power.<br />
The work presented in this paper consists <strong>of</strong> three main contributions. First, we<br />
fill the gap leaved open by <strong>XUA</strong> by proposing a <strong>protocol</strong> (Section 2) <strong>for</strong> issuing the<br />
SAML token according to the <strong>IHE</strong> <strong>an</strong>d OASIS dictates. Second, we <strong>for</strong>mally specify<br />
the <strong>protocol</strong> (Section 3) using the calculus COWS [16]. We then <strong>an</strong>alyze (Section 4) the<br />
<strong>for</strong>mal model with the model checker CMC <strong>an</strong>d show that a potentially severe security<br />
flaw exists in the SAML assertion <strong>for</strong>mat specified by <strong>XUA</strong>. Third, we provide <strong>an</strong><br />
<strong>implementation</strong> <strong>of</strong> the <strong>protocol</strong> with our revised assertion <strong>for</strong>mat (the <strong>implementation</strong><br />
is sketched in Section 5). We conclude by touching upon comparisons with related work<br />
<strong>an</strong>d directions <strong>for</strong> future work (Section 5). Implementation details c<strong>an</strong> be found in the<br />
Appendix, together with the complete COWS specification <strong>an</strong>d the SOAP messages<br />
exch<strong>an</strong>ged.<br />
2 An <strong>XUA</strong>-Based <strong>protocol</strong><br />
As previously discussed, <strong>XUA</strong> does not address the authentication mech<strong>an</strong>isms <strong>of</strong> the<br />
local network. Instead, it leverages on the abstraction layer introduced by SAML. The<br />
SAML OASIS st<strong>an</strong>dard is a set <strong>of</strong> specification documents defining assertions (or tokens)<br />
<strong>an</strong>d a <strong>protocol</strong> to exch<strong>an</strong>ge them. A SAML authentication assertion is <strong>an</strong> XML<br />
3
C → STS : C, msgId1, STS, UT(user, salt, int), ts1, RST(REG) (1)<br />
STS → C : STS, C, msgId2, msgId1, RSTR(ctx, {STS, n, ts, ctx} dKey ) (2)<br />
C → STS : msgId3, msgId2, STS, ts2, RSTR(ctx, {n + 1, C, msgId3, msgId2, ctx} K +<br />
STS<br />
) (3)<br />
STS → C : C, STS, msgId4, msgId3, RSTRC(RSTR({[STS, ts ′ , user, REG]} K −<br />
STS<br />
)) (4)<br />
C → REG : C, REG, msgId5, {[STS, ts ′ , user, REG]} K −<br />
STS<br />
, ‘Sus<strong>an</strong>’ (5)<br />
REG → C : REG, C, msgId6, msgId5, docLinks (6)<br />
Table 1. The proposed <strong>XUA</strong> <strong>protocol</strong><br />
document issued by a Security Token Service (STS) 1 that contains statements about<br />
<strong>an</strong> authentication procedure per<strong>for</strong>med by <strong>an</strong> underlying authentication mech<strong>an</strong>ism<br />
(such as Kerberos) <strong>for</strong> a subject. An example is shown in Figure 2. The SAML token<br />
is then used by the service requester to interact with the services listed in the<br />
AudienceRestriction element.<br />
The contacted service provider uses the assertion <strong>for</strong> authenticating the requester<br />
by verifying the digital signature <strong>of</strong> the trusted issuer. SAML subjects c<strong>an</strong> be confirmed<br />
with the method listed in the SubjectConfirmation element. Here, we are interested<br />
in two methods named bearer [2] <strong>an</strong>d holder-<strong>of</strong>-key (HoK) [17]. The bearer subject<br />
confirmation method tells the service provider that the subject <strong>of</strong> the assertion is the<br />
presenter (i.e. the bearer) <strong>of</strong> the assertion. In the holder-<strong>of</strong>-key method, STS binds <strong>an</strong><br />
identity <strong>for</strong> the subject (or <strong>for</strong> the requester) as X.509 data. By this me<strong>an</strong>s, we set the<br />
subject <strong>of</strong> the assertion as the healthcare pr<strong>of</strong>essional with confirmation data as the<br />
ATNA certificate <strong>of</strong> the requesting machine. The service provider c<strong>an</strong> compare such<br />
data with the X.509 identity carried in the TLS tr<strong>an</strong>saction.<br />
By me<strong>an</strong>s <strong>of</strong> the <strong>for</strong>mal investigation presented in Section 4, we discovered a security<br />
flaw due to the <strong>for</strong>mat <strong>of</strong> the SAML assertion. <strong>XUA</strong> explicitly says that the bearer<br />
subject confirmation method shall be supported. However, in a large scale network as<br />
described be<strong>for</strong>e, it is unrealistic to assume that each node is trusted. Compromised<br />
nodes may exist <strong>an</strong>d if one is able to obtain a SAML assertion issued <strong>for</strong> <strong>an</strong>other, authorized<br />
node, with the bearer method it c<strong>an</strong> re-use the assertion to gain access to secret<br />
resources. In fact, the service provider has no knowledge if the presenter <strong>of</strong> the assertion<br />
was the original requester. With the holder-<strong>of</strong>-key method, requester identity is bound<br />
as subject confirmation data <strong>an</strong>d digitally signed by STS. The service provider c<strong>an</strong> now<br />
detect if the bearer is the node which the assertion was intended <strong>for</strong> by checking if the<br />
identity set by STS matches the one presented in the communication ch<strong>an</strong>nel by me<strong>an</strong>s<br />
<strong>of</strong> ATNA.<br />
In [11], the feeling <strong>of</strong> the authors is that it looks like impossible to authenticate<br />
correctly the request <strong>for</strong> a security token issue in a two step <strong>protocol</strong> as it is instead suggested<br />
in the WS-Trust specification. Since our aim is to propose a <strong>secure</strong> <strong>an</strong>d authenticated<br />
holder-<strong>of</strong>-key assertion issu<strong>an</strong>ce, we designed a challenge-response WS-Trust<br />
<strong>protocol</strong> in four message exch<strong>an</strong>ges. Our model involves <strong>an</strong> XDS tr<strong>an</strong>saction grouped<br />
1 For the sake <strong>of</strong> simplicity, we assume <strong>an</strong> STS that is directly able to authenticate users, i.e. it<br />
plays also the role <strong>of</strong> the identity provider.<br />
4
Consumer Intruder STS Registry<br />
(1). RST (1). RST<br />
(2). Challenge RSTR<br />
(2). Challenge RSTR<br />
(3). Challenge RSTR (3). Challenge RSTR<br />
(4). RSTR w/ SAML<br />
(4). RSTR w/ SAML<br />
(5). XDS Query w/ SAML<br />
(6). XDS Query Response<br />
(5). XDS Query w/ SAML<br />
(6). XDS Query Response<br />
Fig. 3. The WS-Trust <strong>protocol</strong> <strong>for</strong> SAML token issu<strong>an</strong>ce. Messages (5) <strong>an</strong>d (6) are over TLS<br />
ch<strong>an</strong>nels. An intruder c<strong>an</strong> steal the SAML token in message (4) <strong>an</strong>d, if the subject confirmation<br />
method is bearer, c<strong>an</strong> per<strong>for</strong>m <strong>an</strong> unauthorized authenticated query.<br />
with ATNA <strong>an</strong>d <strong>XUA</strong> <strong>for</strong> retrieving documents <strong>for</strong> a patient with id Sus<strong>an</strong>. The <strong>protocol</strong><br />
that we propose, written in a notation commonly used <strong>for</strong> describing security <strong>protocol</strong>s,<br />
is shown in Table 1 <strong>an</strong>d is graphically depicted in Figure 3.<br />
Notation {M} dKey st<strong>an</strong>ds <strong>for</strong> the symmetric encryption <strong>of</strong> message M using the<br />
derived key dKey, {M} K +<br />
STS<br />
<strong>for</strong> the encryption <strong>of</strong> M using the public key <strong>of</strong> STS <strong>an</strong>d<br />
{[M]} K −<br />
STS<br />
<strong>for</strong> the signature <strong>of</strong> M using STS’s private key (where [M] is the hash code <strong>of</strong><br />
M). ts, ts ′ , ts1 <strong>an</strong>d ts2 are timestamps.<br />
The consumer C initiates the <strong>protocol</strong> by sending the message (1) <strong>for</strong> requesting<br />
a token to STS. It sends its identity C, a unique message identifier msgId1, using<br />
WS-Addressing [18], <strong>an</strong>d the identity <strong>of</strong> the Security Token Service STS. Notation<br />
UT(user, salt, int) st<strong>an</strong>ds <strong>for</strong> the WS-Security Username Token Pr<strong>of</strong>ile 1.1 [19] <strong>an</strong>d contains<br />
the username, a r<strong>an</strong>dom number which acts as a cryptographic salt, <strong>an</strong>d <strong>an</strong> integer,<br />
respectively. RST(REG) is the WS-Trust 1.3 Request Security Token where the registry<br />
address REG is the ultimate recipient <strong>of</strong> the token.<br />
<strong>On</strong>ce received the message, STS unpacks the value <strong>of</strong> the username token, unpacks<br />
the RST(REG) element (REG must be in the STS’s list <strong>of</strong> valid assertion targets) <strong>an</strong>d<br />
computes the derived key dKey. The key is computed by STS by concatenating the password<br />
<strong>of</strong> the user (which is given as input by the real hum<strong>an</strong> sitting in front <strong>of</strong> the workstation<br />
<strong>an</strong>d is known by STS by me<strong>an</strong>s <strong>of</strong> the underlying authentication mech<strong>an</strong>ism)<br />
with the salt <strong>an</strong>d then hashed using the SHA-1 algorithm. The result <strong>of</strong> this operation<br />
is also hashed using SHA-1. This process is repeated until the total number <strong>of</strong> hash<br />
operations equals the iteration count int. Then, STS encrypts the challenge composed<br />
by its identity, a nonce n, a new timestamp ts <strong>an</strong>d the WS-Trust context element ctx <strong>of</strong><br />
the challenge (i.e. <strong>an</strong> identifier defined by WS-Trust used <strong>for</strong> correlating the messages<br />
involved in the token issu<strong>an</strong>ce). Indeed, STS challenges the requester in order to be<br />
5
sure on its identity <strong>an</strong>d attesting its availability. RSTR is the WS-Trust Request Security<br />
Token Response element that contains the challenge data.<br />
When message (2) is received by C, it computes dKey using the same algorithm<br />
as the STS <strong>an</strong>d decrypts the message (indeed, it is the only particip<strong>an</strong>t able to do it).<br />
C per<strong>for</strong>ms the WS-Addressing checks: message (2) must contain the identifier msgId1<br />
indicating that (2) is in response to (1). It also checks if the request comes from a particip<strong>an</strong>ts<br />
whose identity is included in the RSTR, by me<strong>an</strong>s <strong>of</strong> TLS mutual authentication,<br />
<strong>for</strong> inst<strong>an</strong>ce. C now trusts that the challenge really comes from STS. Then, it adds 1 to<br />
the nonce <strong>an</strong>d encrypts it, together with the message identifiers <strong>an</strong>d the context, using<br />
the STS public key. The reply is in message (3).<br />
After receiving the message, STS decrypts the content <strong>of</strong> the RSTR, checks if the<br />
nonce is equal to the one that it sent (plus one) <strong>an</strong>d if the context is the same. If it is<br />
able to per<strong>for</strong>m all these operations, then it c<strong>an</strong> attest the identity <strong>of</strong> the user sitting in<br />
front <strong>of</strong> C. Thus, it issues the SAML assertion (it is signed by STS according to the<br />
SAML Signature pr<strong>of</strong>ile, as enveloped signature) <strong>an</strong>d sends it to C, via message (4).<br />
The assertion is:<br />
{[STS, ts ′ , user, REG]} K −<br />
STS<br />
where the confirmation method is bearer. In fact, if we would have used the holder-<strong>of</strong>key<br />
method, the assertion would be as follows:<br />
{[C, STS, ts ′ , user, REG]} K −<br />
STS<br />
The assertion then contains the requester’s identity as ATNA X.509 certificate, here<br />
simply represented by C, the issuer identity, a timestamp, the user name <strong>an</strong>d the audience<br />
restriction list. We omit <strong>for</strong> simplicity all the details introduced by the SAML<br />
specification (e.g. the assertion time r<strong>an</strong>ge validity).<br />
<strong>On</strong>ce C has obtained a security token, it c<strong>an</strong> finally query the registry REG to retrieve<br />
the links to the repositories containing the EHR data that it is looking <strong>for</strong>. The<br />
query is message (5), which contains the SAML assertion.<br />
Finally, once received message (5), REG validates the token. Using the STS’s public<br />
key it verifies the signature <strong>an</strong>d, if it is valid, delivers the requested resource (i.e. the<br />
links docLinks) to C via message (6).<br />
3 COWS specification <strong>of</strong> the <strong>protocol</strong><br />
In this section, first we report the syntax <strong>an</strong>d the in<strong>for</strong>mal sem<strong>an</strong>tics <strong>of</strong> COWS 2 , then<br />
we present the COWS specification <strong>of</strong> the <strong>XUA</strong> <strong>protocol</strong> in Section 2. Our specification<br />
reflects m<strong>an</strong>y real-world <strong>implementation</strong> details. Algorithms, field names <strong>an</strong>d message<br />
flows are taken from OASIS st<strong>an</strong>dards.<br />
2 For the sake <strong>of</strong> simplicity, we present here a fragment <strong>of</strong> COWS without linguistic constructs<br />
<strong>for</strong> dealing with <strong>for</strong>ced termination, since such primitives have not been used in the <strong>protocol</strong><br />
specification. We refer the interested reader to [16, 20] <strong>for</strong> the presentation <strong>of</strong> the full l<strong>an</strong>guage<br />
<strong>an</strong>d <strong>for</strong> m<strong>an</strong>y examples illustrating COWS peculiarities <strong>an</strong>d expressiveness.<br />
6
s ::=<br />
(services)<br />
nil | u . u! | p . o? . s (empty activity, invoke, receive)<br />
| s 1 + s 2 | s 1 | s 2 | [n♯] s | [X] s (choice, parallel, name & var. delim.)<br />
| ∗ s | A(u, . . . ,u) | let A(u, . . . ,u) =s in s ′ end (replication, call, let definition)<br />
Table 2. COWS syntax<br />
3.1 COWS syntax <strong>an</strong>d in<strong>for</strong>mal sem<strong>an</strong>tics<br />
COWS [16] is a <strong>for</strong>malism specifically devised <strong>for</strong> modelling (<strong>an</strong>d <strong>an</strong>alysing) serviceoriented<br />
applications; in fact, its design has been influenced by the principles underlying<br />
the OASIS st<strong>an</strong>dard <strong>for</strong> orchestration <strong>of</strong> web services WS-BPEL [21]. The syntax <strong>of</strong><br />
COWS, written in the ‘machine readable’ <strong>for</strong>mat accepted by the interpreter <strong>an</strong>d the<br />
model checker CMC [22] that we use <strong>for</strong> the <strong>an</strong>alysis, is presented in Table 2. It is<br />
defined using the following notational conventions: variables (r<strong>an</strong>ged over by X, Y, . . . )<br />
start with capital letters; names (r<strong>an</strong>ged over by n, m, . . . , p, p’, . . . , o, o’, . . . ) start<br />
with digits or lower case letters; identifiers (r<strong>an</strong>ged over by u, u 1 , u 2 , . . . <strong>an</strong>d used as<br />
non-terminal symbol only) are either variables or names; service identifiers (r<strong>an</strong>ged<br />
over by A, A’, . . . ) start with capital letters <strong>an</strong>d each <strong>of</strong> them has a fixed non-negative<br />
arity. Names are used to represent communicable values, partners <strong>an</strong>d operations.<br />
Invoke <strong>an</strong>d receive are the basic communication activities provided by COWS.<br />
Besides input <strong>an</strong>d output parameters, both activities indicate <strong>an</strong> endpoint, i.e. a pair<br />
composed <strong>of</strong> a partner name p <strong>an</strong>d <strong>an</strong> operation name o, through which communication<br />
should occur. An endpoint p.o c<strong>an</strong> be interpreted as a specific <strong>implementation</strong><br />
<strong>of</strong> operation o provided by the service identified by the logic name p. An invoke<br />
p.o! c<strong>an</strong> proceed as soon as all arguments u 1 , . . . , u n are names (i.e. have<br />
been evaluated). A receive p.o? .s <strong>of</strong>fers <strong>an</strong> invocable operation o along a<br />
given partner name p. Partner <strong>an</strong>d operation names c<strong>an</strong> be exch<strong>an</strong>ged in communication<br />
(although dynamically received names c<strong>an</strong>not <strong>for</strong>m the endpoints used to receive<br />
further invocations). This makes it easier to model m<strong>an</strong>y service interaction <strong>an</strong>d reconfiguration<br />
patterns.<br />
A choice c<strong>an</strong> be used to pick out one <strong>of</strong> a set <strong>of</strong> receive activities (in fact, the<br />
arguments <strong>of</strong> a choice are constrained to start with a receive activity) that are enabled<br />
<strong>for</strong> execution.<br />
Execution <strong>of</strong> parallel terms is interleaved, except when a communication c<strong>an</strong> be<br />
per<strong>for</strong>med. Indeed, this must ensure that, if more th<strong>an</strong> one matching receive is ready to<br />
process a given invoke, only one <strong>of</strong> the receives with greater priority (i.e. the receives<br />
that generate the substitution with ‘smaller’ domain, see [16, 20] <strong>for</strong> further details) is<br />
allowed to progress.<br />
The delimitation operators are the only binders <strong>of</strong> the calculus: [n♯] s <strong>an</strong>d [X] s bind<br />
n <strong>an</strong>d X, respectively, in the scope s. Name delimitation c<strong>an</strong> be used to generate ‘fresh’<br />
private names (like the restriction operator <strong>of</strong> π-calculus), while variable delimitation<br />
c<strong>an</strong> be used to regulate the r<strong>an</strong>ge <strong>of</strong> application <strong>of</strong> the substitution generated by <strong>an</strong><br />
inter-service communication. This takes place when the arguments <strong>of</strong> a receive <strong>an</strong>d <strong>of</strong><br />
a concurrent invoke along the same endpoint match <strong>an</strong>d causes each variable argument<br />
<strong>of</strong> the receive to be replaced by the corresponding name argument <strong>of</strong> the invoke within<br />
7
the whole scope <strong>of</strong> variable’s declaration. In fact, to enable parallel terms to share the<br />
state (or part <strong>of</strong> it), receive activities in COWS do not bind variables (which is different<br />
from most process calculi).<br />
The replication operator ∗ s permits to spawn in parallel as m<strong>an</strong>y copies <strong>of</strong> s as necessary.<br />
This, <strong>for</strong> example, is exploited to model persistent services, i.e. services which<br />
c<strong>an</strong> create multiple inst<strong>an</strong>ces to serve several requests simult<strong>an</strong>eously.<br />
Finally, the let construct permits to re-use the same ‘service code’, thus allowing to<br />
define services in a modular style; let A(u, . . . ,u) =s in s ′ end behaves like s ′ , where<br />
calls to A c<strong>an</strong> occur. A service call A(u ′ 1 , . . . ,u′ n) occurring in the body s ′ <strong>of</strong> a construct<br />
let A(u 1 , . . . ,u n ) =s in s ′ end behaves like the service obtained from s by replacing<br />
the <strong>for</strong>mal parameters u 1 , . . . ,u n with the corresponding actual parameters u ′ 1 , . . . ,u′ n.<br />
3.2 Protocol specification<br />
In this section we present the relev<strong>an</strong>t part <strong>of</strong> the COWS specification <strong>of</strong> the <strong>XUA</strong>-<strong>based</strong><br />
<strong>protocol</strong> (the overall specification is relegated to the Appendix).<br />
To effectively take part to the <strong>protocol</strong>, each particip<strong>an</strong>t has to be able to call some<br />
internal functions, defined in some basic libraries provided by the programming l<strong>an</strong>guage<br />
used to specify the service. These functions implement algorithms, such as SHA<br />
<strong>for</strong> hashing, RSA <strong>for</strong> public-key cryptography <strong>an</strong>d AES <strong>for</strong> symmetric key cryptography,<br />
necessary to properly m<strong>an</strong>age the data to be sent <strong>an</strong>d received. An internal function<br />
c<strong>an</strong> be rendered in COWS as a term <strong>of</strong> the following <strong>for</strong>m 3 :<br />
*( p.req? . p.resp!<br />
+ p.req? . p.resp!<br />
+ . . . + p.req? . p.resp! )<br />
where p indicates the partner name <strong>of</strong> the considered particip<strong>an</strong>t, while req <strong>an</strong>d resp<br />
indicate the operations used to call the function <strong>an</strong>d to receive the result, respectively.<br />
To guar<strong>an</strong>tee that the result outputData i is properly delivered to the caller, it is sent<br />
back together with the correlated inputData i . In this way, if the same function f (·) is<br />
concurrently called, then the results will not be mixed up. Thus, in the example below<br />
(p.req! | [X] p.resp? . s 1 ) | (p.req! | [Y] p.resp? . s 2 )<br />
where we have two calls, the pattern-matching-<strong>based</strong> communication <strong>of</strong> COWS ensures<br />
that, irrespective <strong>of</strong> the execution order, the occurrences <strong>of</strong> variable X in s 1 will be<br />
replaced by f (100), while the occurrences <strong>of</strong> Y in s 2 will be replaced by f (250).<br />
Each <strong>protocol</strong> particip<strong>an</strong>t P is rendered in COWS as a pair <strong>of</strong> service definitions <strong>of</strong><br />
the <strong>for</strong>m A(. . .) = P within a let construct:<br />
P(p,. . . ) =<br />
[hashReq♯] [hashResp♯] [encReq♯] [encResp♯] [decReq♯] [decResp♯] . . .<br />
( sha1(p, hashReq, hashResp)<br />
| rsa1_5_PublicKey(p,encReq,encResp,decReq,decResp)<br />
| . . . other internal functions . . .<br />
| P_behaviour(p,hashReq,hashResp,encReq,. . .) )<br />
P_behaviour(p,hashReq,hashResp,encReq,. . .) = s P<br />
3 These COWS terms play a role similar to that <strong>of</strong> functions in the applied π-calculus [9, 23]<br />
8
where p is the particip<strong>an</strong>t partner name <strong>an</strong>d s P is the COWS term modelling the particip<strong>an</strong>t’s<br />
behaviour. Name delimitations are used here to make the functions sha1,<br />
rsa1 5 PublicKey, . . . internal by declaring that hashReq, hashResp, encReq, . . .<br />
are private operation names known to P behaviour <strong>an</strong>d to the internal functions, <strong>an</strong>d<br />
only to them.<br />
The term representing the consumer’s behaviour is 4<br />
sts.rst!<br />
| [MsgId2] [Challenge] [Y] (<br />
c.rstr?. c.fault!<br />
+ c.rstr?.<br />
( -- Calculate the aes128 key <strong>based</strong> on his password<br />
c.hashReq!<br />
| [DKey] c.hashResp?.<br />
( -- Decrypt the Challenge<br />
c.decReq!<br />
| [Nonce] [Created] [Context] [X](<br />
c.decResp?.<br />
c.fault!<br />
+ c.decResp?.<br />
( -- Encode the response<br />
c.encReq!<br />
| [EncData] c.encResp?.<br />
( -- Encode the generated key with sts public key<br />
c.encReq!<br />
| [EncKey] c.encResp?.<br />
( -- Send the response to sts<br />
sts.rstrr!<br />
| [MsgId4] [SAMLTimestamp] [Signature]<br />
-- Receive token back<br />
c.rstrc?.<br />
( -- Query reg <strong>for</strong> the resource identified by uri<br />
reg.storedQuery! ) ) ) ) ) ) ) )<br />
As expected, the consumer starts by invoking STS, by executing the invoke activity<br />
along the endpoint sts.rst <strong>an</strong>d by sending the request security token data. This invocation<br />
corresponds to message (1) in Table 1, where the iteration number int is 1000 <strong>an</strong>d<br />
the registry address specified in the RST is uri. Then, the consumer waits <strong>for</strong> message<br />
(2), by me<strong>an</strong>s <strong>of</strong> the two receive activities along c.rstr. Notice that, in accord<strong>an</strong>ce with<br />
the WS-Addressing st<strong>an</strong>dard <strong>an</strong>d due to the pattern-matching mech<strong>an</strong>ism regulating the<br />
COWS communication, only messages that carry the name msgId1 c<strong>an</strong> be accepted by<br />
the consumer. Moreover, the identity <strong>of</strong> STS, i.e. sts, must be contained in the message,<br />
otherwise a fault is raised (represented by the invoke activity along the endpoint<br />
c.fault) 5 . <strong>On</strong>ce message (2) is received, the consumer calculates the derived key by<br />
exploiting its internal hashing function (using operation hashReq <strong>an</strong>d hashResp) <strong>an</strong>d,<br />
similarly, decrypts the challenge (using operation decReq <strong>an</strong>d decResp). Then, patternmatching<br />
<strong>an</strong>d the choice operator are used again to check the presence <strong>of</strong> the STS’s<br />
identity within the challenge. Now, the consumer c<strong>an</strong> prepare the response <strong>for</strong> STS, by<br />
4 The string -- indicates that the rest <strong>of</strong> the line is a comment (<strong>an</strong>d is ignored by CMC).<br />
5 Notice that if both receives along c.rstr match <strong>an</strong> incoming message, hence the first argument<br />
is sts, due to the prioritized sem<strong>an</strong>tics <strong>of</strong> COWS only the second receive (which generates a<br />
smaller substitution) c<strong>an</strong> progress.<br />
9
encrypting the challenge data, where the nonce has been incremented by 1 (this is represented<br />
by the couple Nonce, 1). Differently from the abstract description <strong>of</strong> message<br />
(3) shown in Table 1, the COWS specification follows the concrete approach used in<br />
the <strong>implementation</strong> (<strong>based</strong> on XML encryption): thus, the AES algorithm is used to<br />
encrypt the data rather th<strong>an</strong> RSA. The used symmetric key gen key, supposed to be<br />
calculated by the consumer, is in its turn encrypted with RSA by using the STS’s public<br />
key <strong>an</strong>d attached to the message. Finally, when the message containing the token arrives<br />
(receive along c.rstrc), the consumer invokes the storedQuery operation (the XDS<br />
feature <strong>for</strong> querying Sus<strong>an</strong>’s documents) provided by the registry.<br />
The term representing the STS behaviour is<br />
* [C] [MsgId1] [User] [Salt] [Iteration] [Timestamp1] [URI] [RST]<br />
sts.rst?.<br />
( -- Retrieve the User’s password<br />
sts.getPwd!| [Pwd] sts.getPwdResp?.<br />
( -- Calculate the derived key<br />
sts.hashReq!<br />
| [DKey] sts.hashResp?.<br />
( -- Create the challenge<br />
sts.encReq!<br />
| [Challenge] sts.encResp?.<br />
( -- Send the challenge to the consumer<br />
C.rstr!<br />
| -- Receive the challenge response<br />
[MsgId3] [Timestamp2] [EncKey] [EncData]<br />
sts.rstrr?.<br />
( -- Decrypt the encoded key<br />
sts.decReq!<br />
| [Gen_key] sts.decResp?.<br />
( -- Decrypt the encoded data<br />
sts.decReq!<br />
| [MsgId3] sts.decResp?.<br />
-- Now, the consumer is authenticated<br />
( -- Create a token SAML<br />
sts.hashReq!<br />
| [SAMLhash] sts.hashResp?.<br />
( -- Sign the hash code<br />
sts.sign!<br />
| [Signature] sts.signResp?.<br />
( -- Send the token<br />
C.rstrc! ) ) ) ) ) ) ) ) )<br />
The replication operator ∗ at the beginning <strong>of</strong> the term specifies that STS is a persistent<br />
service, i.e. it is capable <strong>of</strong> creating multiple inst<strong>an</strong>ces to serve several requests simult<strong>an</strong>eously.<br />
Thus, when it receives a message along the endpoint sts.rst, corresponding<br />
to message (1) <strong>of</strong> the <strong>protocol</strong>, it creates <strong>an</strong> inst<strong>an</strong>ce initialized with the received data.<br />
The inst<strong>an</strong>ce, by me<strong>an</strong>s <strong>of</strong> operations getPwd <strong>an</strong>d getPwdResp, retrieves the user’s<br />
password from a private database. Using the password, it c<strong>an</strong> derive a symmetric key to<br />
encrypt the challenge, by exploiting again its internal functions. Invoke along C.rstr<br />
<strong>an</strong>d the subsequent receive along sts.rstrr permit sending <strong>an</strong>d receiving message (2)<br />
<strong>an</strong>d (3), respectively. Now, by using stsPrivateKey, STS c<strong>an</strong> decipher the symmetric<br />
key generated by the consumer, which is then used to decrypt the challenge response.<br />
10
Notice that, pattern-matching in the communication along sts.decResp permits checking<br />
that the response contains the incremented nonce <strong>an</strong>d the context; this guar<strong>an</strong>tees<br />
that the sender <strong>of</strong> the message is really the consumer acting on behalf <strong>of</strong> the authorized<br />
user. There<strong>for</strong>e, STS creates the token, by exploiting its internal functions, <strong>an</strong>d sends it<br />
to the consumer.<br />
Finally, the term representing the registry’s behaviour is<br />
* [Cust] [STS] [MsgId5] [TS] [User] [Uri] [Signature]<br />
reg.storedQuery?.<br />
-- Validate the token<br />
( -- Calculate the hash code <strong>of</strong> the token data<br />
reg.hashReq!<br />
| [CalculatedHash] reg.hashResp?.<br />
( -- Retrieve the STS’s public key<br />
reg.getKey!<br />
| [PubKey] reg.getKeyResp?.<br />
( -- Check the signature by using PubKey<br />
reg.check!<br />
| [Hash] reg.checkResp?.<br />
[compare♯]<br />
( -- Compare the hash codes<br />
reg.compare!<br />
| [X] ( reg.compare?. reg.attackDetected!<br />
+ reg.compare?. reg.deliveringResource! ) ) ) ) )<br />
When the registry receives a consumer’s query, by me<strong>an</strong>s <strong>of</strong> the receive activity<br />
along the endpoint reg.storedQuery, it validates the token within the message. To<br />
this purpose, we assume that the registry has a private database storing the public<br />
keys <strong>of</strong> all trusted STSs, <strong>an</strong>d c<strong>an</strong> interact with it by calling the operations getKey<br />
<strong>an</strong>d getKeyResp. Instead, to check the validity <strong>of</strong> the signature, it calls function<br />
signChecker by me<strong>an</strong>s <strong>of</strong> check <strong>an</strong>d checkResp. After calling such function, the registry<br />
obtains the hash code <strong>of</strong> the signature (<strong>an</strong>d stores it in the variable Hash); by comparing<br />
it with the re-calculated hash code (stored in the variable CalculatedHash) using<br />
the private operation compare, it c<strong>an</strong> either detect that <strong>an</strong> attack has been per<strong>for</strong>med<br />
(this is signaled by the activity reg.deliveringResource! < Cust >) or state that the<br />
token is valid. In this last case, the activity reg.deliveringResource! < Cust > is<br />
used to signal that the registry is ready to deliver the resource to the consumer. In fact,<br />
we do not model here message (6), since the flaw we are interested to capture concerns<br />
the previous message exch<strong>an</strong>ges.<br />
4 Protocol <strong>an</strong>alysis<br />
As shown in Figure 3 we have to deal with two types <strong>of</strong> communication ch<strong>an</strong>nels: TLS<br />
protected ch<strong>an</strong>nels <strong>for</strong> communicating with the registry <strong>an</strong>d untrusted ch<strong>an</strong>nels <strong>for</strong> communicating<br />
with the STS. We assume the intruder as <strong>an</strong>y authorized user in the network<br />
(i.e. it owns <strong>an</strong> ATNA host certificate). There<strong>for</strong>e, it c<strong>an</strong> start <strong>an</strong>y mutual authenticated<br />
TLS tr<strong>an</strong>saction with the registry <strong>an</strong>d it c<strong>an</strong> look in <strong>an</strong>y message exch<strong>an</strong>ged by STS.<br />
Basically, we consider the intruder model introduced by [24] <strong>for</strong> TLS ch<strong>an</strong>nels <strong>an</strong>d<br />
the well-known Dolev-Yao model [25] as regards the communication with STS along<br />
untrusted ch<strong>an</strong>nels. We focus on <strong>an</strong> intruder that intercepts the message sent by STS<br />
11
containing the SAML token issued <strong>for</strong> the consumer (message (4)) <strong>an</strong>d re-uses the token<br />
(without modifying it) <strong>for</strong> <strong>an</strong> its own query to the registry (message (5), sent by the<br />
intruder). This is rendered in COWS as<br />
Intruder(i, c, sts, user, uri, reg) =<br />
[MsgId4] [TS] [Signature]<br />
c.rstrc? .<br />
( i.underAttack!<br />
| --Forwards the message to the consumer<br />
c.rstrc!<br />
| --Per<strong>for</strong>ms the attack<br />
reg.storedQuery! )<br />
<strong>On</strong>ce the intruder has caught message (4) (receive activity along c.rstrc), besides<br />
<strong>for</strong>warding the message to the consumer <strong>an</strong>d querying the registry, it enables the invoke<br />
activity i.underAttack! . This activity is only used during the <strong>an</strong>alysis to signal that<br />
the system is under attack. Notably, the intruder’s query differs from the consumer’s one<br />
<strong>for</strong> the first argument only, which is i instead <strong>of</strong> c.<br />
The <strong>an</strong>alysis <strong>of</strong> the <strong>protocol</strong> is carried out by exploiting CMC [22], a s<strong>of</strong>tware tool<br />
that permits model checking SocL <strong>for</strong>mulae over COWS specifications. SocL [26] is <strong>an</strong><br />
action- <strong>an</strong>d state-<strong>based</strong>, br<strong>an</strong>ching time, temporal logic specifically designed to express<br />
properties <strong>of</strong> service-oriented systems. Here, we are interested to look <strong>for</strong> the presence<br />
<strong>of</strong> security flaws in the <strong>protocol</strong>, which c<strong>an</strong> be expressed in SocL as follows:<br />
AG [request(samlToken,requestedBy,c)]<br />
not EF (systemUnderAttack(i) <strong>an</strong>d deliveringResource(to,i))<br />
This <strong>for</strong>mula me<strong>an</strong>s that it holds globally (operator AG) that if (operator [ · ]) a<br />
SAML token has been requested by the consumer (action request(samlToken,<br />
requestedBy, c)), then it does not (operator not) hold that eventually (operator EF)<br />
the system will be under attack by intruder i (predicate systemUnderAttack(i))<br />
<strong>an</strong>d, at the same time, the registry will deliver the resource to i (predicate<br />
deliveringResource(to, i)).<br />
The previous <strong>for</strong>mula is stated in terms <strong>of</strong> abstract actions <strong>an</strong>d predicates, me<strong>an</strong>ing<br />
that, e.g., a token is requested or a resource is ready to be delivered, while the COWS<br />
specification is stated in terms <strong>of</strong> concrete actions, i.e. communication <strong>of</strong> data tuples<br />
along endpoints. To verify <strong>an</strong> abstract property over a concrete specification, CMC permits<br />
to specify a set <strong>of</strong> tr<strong>an</strong>s<strong>for</strong>mation rules, such as<br />
Action ∗.rst<br />
−> request(samlToken,requestedBy,$requestor)<br />
State $attacker.underAttack! −> systemUnderAttack($attacker)<br />
State ∗.deliveringResource! −> deliveringResource(to, $X)<br />
The first rule maps a concrete action involving the operation rst to the abstract<br />
action request(samlToken, requestedBy, $requestor), where the (meta-)variable<br />
$requestor will be replaced with the actual requestor during the on-the-fly model<br />
checking process, while the symbol ∗ is a wildcard. Similarly, the second <strong>an</strong>d third rules<br />
map the actions involving operations underAttack <strong>an</strong>d deliveringResource to the<br />
corresponding state predicates. We refer the interested reader to [26] <strong>for</strong> a complete<br />
account <strong>of</strong> abstraction rules.<br />
12
As already mentioned in the Introduction, CMC returns FALSE when checking the<br />
above SocL <strong>for</strong>mula over the abstracted COWS specification. In fact, the system c<strong>an</strong><br />
per<strong>for</strong>m the following sequence <strong>of</strong> (abstract) actions:<br />
request(samlToken,requestedBy,c); internal actions; challenge(samlToken);<br />
internal actions; challengeResp(samlToken); internal actions;<br />
response(samlToken,requestedBy,c);<br />
request(registryQuery,requestedBy,i); internal actions<br />
<strong>an</strong>d reach a state where both predicates systemUnderAttack(i) <strong>an</strong>d delivering-<br />
Resource(to, i) hold.<br />
Now, let us modify the COWS specification to model the use <strong>of</strong> the holder<strong>of</strong>-key<br />
confirmation method rather th<strong>an</strong> the bearer method. With respect to the<br />
specification presented in Section 3, the main difference is that in the new<br />
STS specification the invoke sts.hashReq! < sts, samlTimestamp, User, URI >,<br />
used to generate the hash code <strong>of</strong> the SAML token data, is replaced with<br />
sts.hashReq! < sts, samlTimestamp, User, C, URI >. This time the result returned<br />
by CMC when checking the previous <strong>for</strong>mula over the <strong>protocol</strong> specification is TRUE.<br />
In fact, the registry c<strong>an</strong> detect that the intruder’s query is fake by comparing the intruder’s<br />
identity with the identity contained in the SAML token by me<strong>an</strong>s <strong>of</strong> ATNA<br />
credentials.<br />
5 Concluding remarks<br />
We have presented a <strong>for</strong>mal model <strong>an</strong>d <strong>an</strong>alysis <strong>of</strong> a Web Service security <strong>protocol</strong>, <strong>for</strong><br />
obtaining a <strong>XUA</strong> SAML authentication assertion, using the WS-Trust OASIS st<strong>an</strong>dard.<br />
To the best <strong>of</strong> our knowledge, our work is the first tentative to provide a <strong>for</strong>mal study<br />
<strong>for</strong> <strong>IHE</strong> specifications. This kind <strong>of</strong> <strong>protocol</strong>s are obtaining <strong>an</strong> ever increasing relev<strong>an</strong>ce<br />
since they are used to exch<strong>an</strong>ge patients’ healthcare data <strong>an</strong>d are widely adopted.<br />
We have revealed a potential flaw in the specification <strong>an</strong>d we have also proposed<br />
a solution. Afterwards, we have implemented the ‘revised’ <strong>protocol</strong> using WS-<br />
Trust 1.3, SAML 2.0, WS-Security <strong>an</strong>d the WS-Security Username Token Pr<strong>of</strong>ile<br />
1.1. We have also used the Axis2 library (available at http://ws.apache.org/axis2) <strong>an</strong>d<br />
the JBoss application server (http://www.jboss.org). Our Java <strong>implementation</strong> consists<br />
<strong>of</strong> four services: the Document Consumer <strong>an</strong>d Document Registry, a Document<br />
Repository <strong>an</strong>d a Security Token Service. All the XDS services are given as a<br />
courtesy <strong>of</strong> the Ti<strong>an</strong>i “Spirit” comp<strong>an</strong>y located in Vienna, Austria (http://www.ti<strong>an</strong>ispirit.com).<br />
The modified STS is available as Axis2 service at http://<strong>of</strong>fice.ti<strong>an</strong>ispirit.com:41081/SpiritIdentityProvider/services/STS09.<br />
A more detailed account <strong>of</strong><br />
the <strong>implementation</strong> c<strong>an</strong> be found in the Appendix.<br />
Related work. Micros<strong>of</strong>t Research proposes the TulaFale specification l<strong>an</strong>guage<br />
[10, 9] <strong>for</strong> security <strong>an</strong>alysis <strong>of</strong> web services. TulaFale uses CryptoVerif [27] as<br />
model checking engine. The main focus is on SOAP Message Rewrite attacks that we<br />
do not consider in our work since our signatures are defined by the SAML st<strong>an</strong>dard.<br />
In [10] the authors <strong>an</strong>alyze WS-Trust <strong>for</strong> a <strong>secure</strong> exch<strong>an</strong>ge <strong>of</strong> a Security Context Token<br />
(SCT) while we consider WS-Trust <strong>for</strong> issuing a SAML token.<br />
13
The SAML 1.0 <strong>an</strong>d 2.0 specifications have been studied e.g. in [12, 28, 29]. However,<br />
they concentrate on the SAML Protocol <strong>an</strong>d Pr<strong>of</strong>iles [30] to obtain SAML Authentication<br />
assertion, while we focus on WS-Trust. The work closest to ours is [12]<br />
where the SAML-<strong>based</strong> Single Sign-<strong>On</strong> <strong>for</strong> Google Apps is <strong>an</strong>alyzed with the AVISPA<br />
[31] tool. A flaw in the Google <strong>implementation</strong> is found, where a fake Service Provider<br />
c<strong>an</strong> potentially access a Google resource without the password <strong>of</strong> the user. Similarly to<br />
our scenario, the flaw discovered is in the <strong>for</strong>mat <strong>of</strong> the SAML assertion, that lacks the<br />
Audience list. In <strong>XUA</strong>, the Audience list must be contained in the assertion <strong>an</strong>d refer<br />
to the registry, hence this kind <strong>of</strong> attack c<strong>an</strong>not occur.<br />
Future work. As the above mentioned works <strong>an</strong>d ours witness, to simply adopt<br />
WS-Security <strong>an</strong>d WS-Trust does not guar<strong>an</strong>tee absence <strong>of</strong> security flaws. Due to the<br />
widespread diffusion <strong>of</strong> such st<strong>an</strong>dards, especially in EHR, it is then worthwhile pursuing<br />
this line <strong>of</strong> research. There<strong>for</strong>e, in the near future we pl<strong>an</strong> to study the correctness<br />
<strong>of</strong> <strong>IHE</strong> security <strong>protocol</strong>s <strong>for</strong> authentication <strong>an</strong>d authorization, such as CCOW [32] <strong>an</strong>d<br />
Patient Identifier Cross Referencing (PIX) [1].<br />
References<br />
1. The <strong>IHE</strong> Initiative: IT Infrastructure Technical Framework (2009) http://www.ihe.net.<br />
2. OASIS Security Services TC: Assertions <strong>an</strong>d <strong>protocol</strong>s <strong>for</strong> the OASIS security assertion<br />
markup l<strong>an</strong>guage (SAML) v2.02 (2005) http://docs.oasis-open.org/security/saml/v2.0/samlcore-2.0-os.pdf.<br />
3. OASIS/ebXML Registry Technical Committee: ebXML business process specification<br />
schema technical specification v2.0.4 (2006) http://www.ebxml.org.<br />
4. OASIS Web Services Security TC: WS-Trust 1.3 (2007) http://docs.oasis-open.org/wssx/ws-trust/200512/ws-trust-1.3-os.pdf.<br />
5. GIP DMP: Dossier Médical Personnel A French Project, http://www.d-m-p.org.<br />
6. ARGE-ELGA: Die österreich elektronische gesundheitsakte http://www.arge-elga.at.<br />
7. Dierks, T., Rescorla, E.: The Tr<strong>an</strong>sport Layer Security (TLS) Protocol Version 1.2. Technical<br />
Report RFC 5246, IETF (August 2008)<br />
8. OASIS Web Services Security TC: Web service security: SOAP message security<br />
(2006) http://www.oasis-open.org/committees/download.php/16790/wss-v1.1-spec-os-<br />
SOAPMessageSecurity.pdf.<br />
9. Bhargav<strong>an</strong>, K., Fournet, C., Gordon, A., Pucella, R.: Tulafale: A security tool <strong>for</strong> web services.<br />
CoRR abs/cs/0412044 (2004)<br />
10. Bhargav<strong>an</strong>, K., Corin, R., Fournet, C., Gordon, A.: Secure sessions <strong>for</strong> web services. In:<br />
SWS, ACM (2004) 56–66<br />
11. Kleiner, E., Roscoe, A.W.: <strong>On</strong> the relationship between web services security <strong>an</strong>d traditional<br />
<strong>protocol</strong>s. In: Mathematical Foundations <strong>of</strong> Programming Sem<strong>an</strong>tics (MFPS XXI. (2005)<br />
12. Arm<strong>an</strong>do, A., Carbone, R., Compagna, L., Cuellar, J., Abad, L.T.: Formal Analysis <strong>of</strong> SAML<br />
2.0 Web Browser Single Sign-<strong>On</strong>: Breaking the SAML-<strong>based</strong> Single Sign-<strong>On</strong> <strong>for</strong> Google<br />
Apps. In: the 6th ACM Workshop on Formal Methods in Security Engineering (FMSE<br />
2008), Hilton Alex<strong>an</strong>dria Mark Center, Virginia, USA, ACM Press (2008)<br />
13. Lowe, G.: A hierarchy <strong>of</strong> authentication specifications, IEEE Computer Society Press (1997)<br />
31–43<br />
14. ACR-NEMA: Digital imaging <strong>an</strong>d communications in medicine (dicom) (1995)<br />
15. Health Level Seven org<strong>an</strong>ization: Hl7 st<strong>an</strong>dards (2009) http://www.hl7.org.<br />
14
16. Lapadula, A., Pugliese, R., Tiezzi, F.: A Calculus <strong>for</strong> Orchestration <strong>of</strong> Web Services. In:<br />
ESOP. Volume 4421 <strong>of</strong> LNCS., Springer (2007) 33–47<br />
17. OASIS Security Services TC: SAML V2.0 Holder-<strong>of</strong>-Key Assertion Pr<strong>of</strong>ile (March 2009)<br />
http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml2-holder-<strong>of</strong>-key-cd-01.pdf.<br />
18. Gudgin, M., Hadley, M., Rogers, T.: Web Services Addressing 1.0 - Core. Technical report,<br />
W3C (May 2006) W3C Recommendation.<br />
19. OASIS Web Services Security TC: Username token pr<strong>of</strong>ile v1.1 (2006) http://www.oasisopen.org/committees/download.php/16782/wss-v1.1-spec-os-UsernameTokenPr<strong>of</strong>ile.pdf.<br />
20. Lapadula, A., Pugliese, R., Tiezzi, F.: A Calculus <strong>for</strong> Orchestration <strong>of</strong> Web Services (full<br />
version). Technical report, Dipartimento di Sistemi e In<strong>for</strong>matica, Univ. Firenze (2008)<br />
http://rap.dsi.unifi.it/cows.<br />
21. OASIS WSBPEL TC: Web Services Business Process Execution L<strong>an</strong>guage Version 2.0.<br />
(2007) http://docs.oasis-open.org/wsbpel/2.0/OS/wsbpel-v2.0-OS.html.<br />
22. ter Beek, M., Gnesi, S., Mazz<strong>an</strong>ti, F.: CMC-UMC: A framework <strong>for</strong> the verification <strong>of</strong><br />
abstract service-oriented properties. In: SAC, ACM (2009) To appear.<br />
23. Abadi, M., Fournet, C.: Mobile values, new names, <strong>an</strong>d <strong>secure</strong> communication. In: POPL.<br />
(2001) 104–115<br />
24. Broadfoot, P., Lowe, G.: <strong>On</strong> distributed security tr<strong>an</strong>sactions that use <strong>secure</strong> tr<strong>an</strong>sport <strong>protocol</strong>s.<br />
Computer Security Foundations Workshop, IEEE 0 (2003) 141<br />
25. Dolev, D., Yao, A.: <strong>On</strong> the security <strong>of</strong> public key <strong>protocol</strong>s. In<strong>for</strong>mation Theory, IEEE<br />
Tr<strong>an</strong>sactions on 29(2) (1983) 198–208<br />
26. F<strong>an</strong>techi, A., Gnesi, S., Lapadula, A., Mazz<strong>an</strong>ti, F., Pugliese, R., Tiezzi, F.: A model checking<br />
approach <strong>for</strong> verifying COWS specifications. In: FASE. Volume 4961 <strong>of</strong> LNCS., Springer<br />
(2008) 230–245<br />
27. Bl<strong>an</strong>chet, B.: CryptoVerif: : Computationally sound mech<strong>an</strong>ized prover <strong>for</strong> cryptographic<br />
<strong>protocol</strong>s. In: Dagstuhl seminar ”Formal Protocol Verification Applied”. (October 2007)<br />
28. Groß, T.: Security <strong>an</strong>alysis <strong>of</strong> the saml single sign-on browser/artifact pr<strong>of</strong>ile. In: ACSAC,<br />
IEEE Computer Society (2003) 298–307<br />
29. H<strong>an</strong>sen, S., Skriver, J., Nielson, H.: Using static <strong>an</strong>alysis to validate the saml single sign-on<br />
<strong>protocol</strong>. In: WITS, ACM (2005) 27–40<br />
30. OASIS Security Services TC: Pr<strong>of</strong>iles <strong>for</strong> the OASIS Security Assertion Markup L<strong>an</strong>guage<br />
(SAML) V2.0 (2005) http://docs.oasis-open.org/security/saml/v2.0/saml-pr<strong>of</strong>iles-2.0-os.pdf.<br />
31. Arm<strong>an</strong>do, A., Basin, D., Boichut, Y., Chevalier, Y., Compagna, L., Cuellar, J., Drielsma,<br />
P.H., Heám, P.C., Kouchnarenko, O., M<strong>an</strong>tov<strong>an</strong>i, J., Mödersheim, S., von Oheimb, D., Rusinowitch,<br />
M., S<strong>an</strong>tiago, J., Turu<strong>an</strong>i, M., Vig<strong>an</strong>ò, L., Vigneron, L.: The avispa tool <strong>for</strong> the<br />
automated validation <strong>of</strong> internet security <strong>protocol</strong>s <strong>an</strong>d applications. In: Proceedings <strong>of</strong><br />
CAV’2005. LNCS 3576. Springer-Verlag (2005) 281–285<br />
32. Hl7: Clinical context object workgroup, ccow (2001) http://www.hl7.org.au/CCOW.htm.<br />
15
Appendix<br />
Complete COWS specification<br />
We report here the complete COWS specification, written in the syntax accepted by<br />
CMC, <strong>of</strong> the <strong>XUA</strong>-<strong>based</strong> <strong>protocol</strong> introduced in Section 2. The specification also contains,<br />
in a commented way, the version with the holder-<strong>of</strong>-key subject confirmation<br />
method. Both c<strong>an</strong> be loaded in CMC by simply adding <strong>an</strong>d removing comments where<br />
specified.<br />
1 let<br />
2<br />
3 ------------------------<br />
4 --- Shared functions ---<br />
5 ------------------------<br />
6<br />
Listing 1.1. COWS specification <strong>of</strong> <strong>XUA</strong><br />
7 sha1(p,hashReq ,hashResp) =<br />
8 *(p.hashReq?.<br />
9 p.hashResp!<br />
10 + p.hashReq?.<br />
11 p.hashResp!<br />
12 + p.hashReq?.<br />
13 p.hashResp!<br />
14 + p.hashReq?.<br />
15 p.hashResp!)<br />
16<br />
17 rsa1_5_PublicKey(p,encReq ,encResp ,decReq ,decResp) =<br />
18 * p.encReq?. p.encResp!<br />
19<br />
20 -------------------------<br />
21 --- Private functions ---<br />
22 -------------------------<br />
23<br />
24 rsa1_5_PrivateKeySTS(sts ,encReq ,encResp ,decReq ,decResp) =<br />
25 * sts.decReq?.<br />
26 sts.decResp!<br />
27<br />
28 aes128(p,encReq ,encResp ,decReq ,decResp) =<br />
29 *(p.encReq?.<br />
30 p.encResp!<br />
32 + p.decReq?.<br />
33 p.decResp!)<br />
35 |<br />
36 *(p.encReq?.<br />
37 p.encResp!<br />
38 + p.decReq?.<br />
39 p.decResp!)<br />
40<br />
41 PwdDB(p,getPwd ,getPwdResp) =<br />
42 *( p.getPwd?. p.getPwdResp!<br />
43 + p.getPwd?. p.getPwdResp!)<br />
44<br />
45 STS_SAML_Signer(sts ,sign ,signResp) =<br />
46 *(sts.sign?.<br />
47 sts.signResp!<br />
48 + sts.sign?.<br />
49 sts.signResp!)<br />
50<br />
51 PubKeyDB(p,getKey ,getKeyResp) =<br />
52 *( p.getKey?. p.getKeyResp!<br />
53 + p.getKey?. p.getKeyResp! )<br />
16
54<br />
55 Registry_Sign_checker(r,check ,checkResp) =<br />
56 *(r.check?.<br />
57 r.checkResp!<br />
58 + r.check?.<br />
59 r.checkResp! )<br />
60<br />
61<br />
62<br />
63 -----------------------------<br />
64 --- Protocol particip<strong>an</strong>ts ---<br />
65 -----------------------------<br />
66<br />
67 Consumer_behaviour(c,user ,pwd ,salt ,uri ,rst_req ,hashReq ,hashResp ,<br />
68 gen_key ,encReq ,encResp ,decReq ,decResp ,reg) =<br />
69 -- Send a request security token message to STS<br />
70 sts.rst!<br />
71 |<br />
72 [MsgId2] [Challenge] [Y] (<br />
73 c.rstr?. c.fault!<br />
74 +<br />
75 c.rstr?.<br />
76 ( -- Calculate the aes128 key <strong>based</strong> on his password<br />
77 c.hashReq!<br />
78 | [DKey]<br />
79 c.hashResp?.<br />
80 ( -- Decrypt the Challenge<br />
81 c.decReq!<br />
82 | [Nonce] [Created] [Context] [X](<br />
83 c.decResp?.<br />
84 c.fault!<br />
85 +<br />
86 c.decResp?.<br />
87 ( -- Encode the response (suppose that the<br />
88 -- consumer calculates now the key "gen_key")<br />
89 c.encReq!<br />
90 | [EncData]<br />
91 c.encResp?.<br />
92 ( -- Encode the generated key with sts public key<br />
93 c.encReq!<br />
94 | [EncKey]<br />
95 c.encResp?.<br />
96 ( -- Send the response to sts<br />
97 sts.rstrr!<br />
98 |<br />
99 [MsgId4] [SAMLTimestamp] [Signature]<br />
100 ---------------------------------------------------------------------<br />
101 -- Receive token back<br />
102 c.rstrc?.<br />
103 ( -- Send a request <strong>for</strong> the resource identified by uri<br />
104 -- to Registry<br />
105 reg.storedQuery!<br />
107 )<br />
108 ---------------------------------------------------------------------<br />
109 -- -- Holder -<strong>of</strong>-Key version<br />
110 -- -- Receive token back with her identity (i.e. c)<br />
111 -- c.rstrc?.<br />
113 -- ( -- Send a request <strong>for</strong> the resource identified by uri<br />
114 -- -- to Registry<br />
115 -- reg.storedQuery!<br />
117 -- )<br />
118 ---------------------------------------------------------------------<br />
119 )<br />
120 )<br />
121 )<br />
17
122 )<br />
123 )<br />
124 )<br />
125 )<br />
126<br />
127<br />
128<br />
129<br />
130 STS_behaviour(sts ,hashReq ,hashResp ,getPwd ,getPwdResp ,encReq ,encResp ,<br />
131 decReq ,decResp ,sign ,signResp) =<br />
132 * [C] [MsgId1] [User] [Salt] [Iteration] [Timestamp1] [URI] [RST]<br />
133 -- Receive a request<br />
134 sts.rst?.<br />
135 ( -- Retrieve the User ’s password<br />
136 sts.getPwd!<br />
137 | [Pwd] sts.getPwdResp?.<br />
138 ( -- Calculate the derived key<br />
139 sts.hashReq!<br />
140 | [DKey]<br />
141 sts.hashResp?.<br />
142 ( -- Create the challenge<br />
143 sts.encReq!<br />
144 | [Challenge]<br />
145 sts.encResp?.<br />
146 ( -- Send the challenge to the consumer<br />
147 C.rstr!<br />
148 |<br />
149 -- Receive the challenge response<br />
150 [MsgId3] [Timestamp2] [EncKey] [EncData]<br />
151 sts.rstrr?.<br />
152 ( -- Decrypt the encoded key<br />
153 sts.decReq!<br />
154 | [Gen_key]<br />
155 sts.decResp?.<br />
156 ( -- Decrypt the encoded data<br />
157 sts.decReq!<br />
158 | [MsgId3]<br />
159 sts.decResp?.<br />
161 -- Now , the consumer is authenticated<br />
162 --------------------------------------------------------------------------------<br />
163 ( -- Create a token SAML<br />
164 sts.hashReq!<br />
165 | [SAMLhash]<br />
166 sts.hashResp?.<br />
168 ( -- Sign the hash code<br />
169 sts.sign!<br />
170 | [Signature]<br />
171 sts.signResp?.<br />
172 ( -- Send the token<br />
173 C.rstrc!<br />
175 )<br />
176 )<br />
177 )<br />
178 --------------------------------------------------------------------------------<br />
179 -- Holder -<strong>of</strong>-Key version<br />
180 -- ( -- Create a token SAML with the consumer identity<br />
181 -- sts.hashReq!<br />
182 -- | [SAMLhash]<br />
183 -- sts.hashResp?.<br />
185 -- ( -- Sign the hash code<br />
186 -- sts.sign!<br />
187 -- | [Signature]<br />
188 -- sts.signResp?.<br />
189 -- ( -- Send the token<br />
18
190 -- C.rstrc!<br />
193 -- )<br />
194 -- )<br />
195 -- )<br />
196 -------------------------------------------------------------------------------<br />
197 )<br />
198 )<br />
199 )<br />
200 )<br />
201 )<br />
202 )<br />
203<br />
204<br />
205 Registry_behaviour(reg ,hashReq ,hashResp ,getKey ,getKeyResp ,check ,checkResp) =<br />
206 * [Cust] [STS] [MsgId5] [TS] [User] [Uri] [Signature]<br />
207 reg.storedQuery?.<br />
208 -- Validate the token: we assume that Registry<br />
209 -- already knows all public keys <strong>of</strong> trusted STSs<br />
210 ( -- Calculate the hash code <strong>of</strong> the token data<br />
211 reg.hashReq!<br />
212 | [CalculatedHash] reg.hashResp?.<br />
213 ---------------------------------------------------------------------<br />
214 -- Holder -<strong>of</strong>-Key version<br />
215 -- -- With Consumer ’s identity in the token<br />
216 -- * [Cust] [STS] [MsgId5] [TS] [User] [C] [Uri] [Signature]<br />
217 -- reg.storedQuery?.<br />
218 -- -- Validate the token: we assume that Registry already knows all public<br />
219 -- -- keys <strong>of</strong> trusted STSs<br />
220 -- ( -- Calculate the hash code <strong>of</strong> the token data<br />
221 -- reg.hashReq!<br />
222 -- | [CalculatedHash] reg.hashResp?.<br />
223 ---------------------------------------------------------------------<br />
224 ( -- Retrieve the STS ’s public key from the (internal)<br />
225 -- store <strong>of</strong> trusted sts<br />
226 reg.getKey!<br />
227 | [PubKey] reg.getKeyResp?.<br />
228 ( -- Check the signature by using PubKey<br />
229 reg.check!<br />
230 | [Hash] reg.checkResp?.<br />
231 [compare#]<br />
232 ( -- Compare the hash codes<br />
233 reg.compare!<br />
234 | [X] ( reg.compare?.<br />
235 -- This action is only used to signal that <strong>an</strong> attack<br />
236 -- by Cust has been detected by the registry<br />
237 reg.attackDetected!<br />
238 + reg.compare?.<br />
239 -- This action is only used to signal that the<br />
240 -- system is ready to deliver the resource to Cust<br />
241 reg.deliveringResource!<br />
242 -- Send the data to allow Consumer to access the<br />
243 -- repository: OID <strong>of</strong> the document , Repository<br />
244 -- partner link , PatientID<br />
245 )<br />
246 )<br />
247 )<br />
248 )<br />
249 )<br />
250<br />
251<br />
252<br />
253 Consumer(c,user ,pwd ,salt ,uri ,rst_req ,gen_key ,reg) =<br />
254 [hashReq#][hashResp#][encReq#][encResp#][decReq#][decResp#]<br />
255 ( sha1(c,hashReq ,hashResp)<br />
256 | rsa1_5_PublicKey(c,encReq ,encResp ,decReq ,decResp)<br />
257 | aes128(c,encReq ,encResp ,decReq ,decResp)<br />
19
258 | Consumer_behaviour(c,user ,pwd ,salt ,uri ,rst_req ,hashReq ,<br />
259 hashResp ,gen_key ,encReq ,encResp ,decReq ,decResp ,reg) )<br />
260<br />
261<br />
262 STS(sts) =<br />
263 [hashReq#][hashResp#][getPwd#][ getPwdResp#][encReq#]<br />
264 [encResp#][decReq#][decResp#][sign#][signResp#]<br />
265 ( sha1(sts ,hashReq ,hashResp)<br />
266 | rsa1_5_PublicKey(sts ,encReq ,encResp ,decReq ,decResp)<br />
267 | rsa1_5_PrivateKeySTS(sts ,encReq ,encResp ,decReq ,decResp)<br />
268 | aes128(sts ,encReq ,encResp ,decReq ,decResp)<br />
269 | PwdDB(sts ,getPwd ,getPwdResp)<br />
270 | STS_SAML_Signer(sts ,sign ,signResp)<br />
271 | STS_behaviour(sts ,hashReq ,hashResp ,getPwd ,getPwdResp ,encReq ,<br />
272 encResp ,decReq ,decResp ,sign ,signResp) )<br />
273<br />
274 Registry(reg) =<br />
275 [hashReq#][hashResp#] [getKey#][ getKeyResp#] [check#][checkResp#]<br />
276 ( sha1(reg ,hashReq ,hashResp)<br />
277 | PubKeyDB(reg ,getKey ,getKeyResp)<br />
278 | Registry_Sign_checker(reg ,check ,checkResp)<br />
279 | Registry_behaviour(reg ,hashReq ,hashResp ,getKey ,getKeyResp ,check ,<br />
280 checkResp) )<br />
281<br />
282<br />
283<br />
284 -----------------<br />
285 --- Intruders ---<br />
286 -----------------<br />
287<br />
288 -- M<strong>an</strong> -in-the -middle between Consumer <strong>an</strong>d STS<br />
289 --<br />
290 Intruder_behaviour(i,c,sts ,user ,pwd ,salt ,uri ,rst_req ,hashReq ,<br />
291 hashResp ,gen_key ,encReq ,encResp ,decReq ,decResp) =<br />
292 [C] [MsgId1] [User] [Salt] [Iteration] [Timestamp1] [URI] [RST]<br />
293 sts.rst?.<br />
294 (<br />
295 -- This action is only used to signal that the system is under attack<br />
296 i.underAttack!<br />
297 |<br />
298 -- Send a request security token message to STS<br />
299 sts.rst!<br />
300 |<br />
301 [MsgId2] [Challenge]<br />
302 i.rstr?.<br />
303 -- It c<strong>an</strong>not decrypt Challenge because it does not know the password<br />
304 -- <strong>for</strong> the User , needed to derive the key<br />
305 --<br />
306 -- Indeed , if it <strong>for</strong>wards the message <br />
307 -- to Consumer , Consumer will discard it because the message is not<br />
308 -- originated by STS (with our assumptions , intruder c<strong>an</strong>not write<br />
309 -- a message like: )<br />
310 C.rstr!<br />
311 )<br />
312<br />
313 Intruder(i,c,sts ,user ,pwd ,salt ,uri ,rst_req ,gen_key) =<br />
314 [hashReq#][hashResp#][encReq#][encResp#][decReq#][decResp#]<br />
315 ( sha1(i,hashReq ,hashResp)<br />
316 | rsa1_5_PublicKey(c,encReq ,encResp ,decReq ,decResp)<br />
317 | aes128(c,encReq ,encResp ,decReq ,decResp)<br />
318 | Intruder_behaviour(i,c,sts ,user ,pwd ,salt ,uri ,rst_req ,hashReq ,<br />
319 hashResp ,gen_key ,encReq ,encResp ,decReq ,decResp) )<br />
320<br />
321<br />
322<br />
323<br />
324 -- Intercept the message from STS to Consumer <strong>an</strong>d try to use the token to<br />
325 -- access the resource<br />
20
326 --<br />
327 Intruder2(i,c,sts ,user ,uri ,reg) =<br />
328 ----------------------------------------------------------------------<br />
329 [MsgId4] [TS] [Signature]<br />
330 c.rstrc?.<br />
331 ( -- This action is only used to signal that the system is under attack<br />
332 i.underAttack!<br />
333 |<br />
334 -- Forward the message to Consumer<br />
335 c.rstrc!<br />
336 |<br />
337 -- Per<strong>for</strong>m the attack<br />
338 reg.storedQuery!<br />
339 )<br />
340 ----------------------------------------------------------------------<br />
341 -- -- Holder -<strong>of</strong>-Key version<br />
342 -- -- With Consumer ’s identity in the token<br />
343 -- [MsgId4] [TS] [Signature]<br />
344 -- c.rstrc?.<br />
345 -- ( -- This action is only used to signal that the system is under attack<br />
346 -- i.underAttack!<br />
347 -- |<br />
348 -- -- Forward the message to Consumer<br />
349 -- c.rstrc!<br />
350 -- |<br />
351 -- -- Per<strong>for</strong>m the attack<br />
352 -- reg.storedQuery!<br />
353 -- )<br />
354 ----------------------------------------------------------------------<br />
355<br />
356<br />
357<br />
358 in<br />
359<br />
360 Consumer(c,user1 ,pwd1 ,salt ,regUri ,rst_req ,gen_key ,reg) | STS(sts)<br />
361 | Registry(reg)<br />
362 -- | Intruder(i,c,sts ,user1 ,pwd1 ,salt ,regUri ,rst_req ,gen_key)<br />
363 | Intruder2(i,c,sts ,user1 ,regUri ,reg)<br />
364<br />
365 end<br />
366<br />
367<br />
368 Abstractions {<br />
369 Action *.rst -><br />
370 request(samlToken ,requestedBy ,$requestor)<br />
371 Action $requestor.rstr -> challenge(samlToken)<br />
372 Action *.rstrr -> challengeResp(samlToken)<br />
373 Action $requestor.rstrc -><br />
374 response(samlToken ,requestedBy ,$requestor)<br />
375 Action *.storedQuery -><br />
376 request(registryQuery ,requestedBy ,$requestor)<br />
377 State $attacker.underAttack! -> systemUnderAttack($attacker)<br />
378 State *.fault! -><br />
379 failure($X,$differentFrom ,$sts ,$<strong>for</strong> ,$Context)<br />
380 State *.fault! -> failure($X,$differentFrom ,$sts)<br />
381 State *.deliveringResource! -> deliveringResource(to,$X)<br />
382 State *.attackDetected! -> attackDetectedFrom(from ,$X)<br />
383 }<br />
384<br />
385<br />
386 -----------<br />
387 - FORMULA -<br />
388 -----------<br />
389 -- AG [request(samlToken ,requestedBy ,c)] not EF (systemUnderAttack(i)<br />
390 <strong>an</strong>d deliveringResource(to,i))<br />
391<br />
392 -- If the SAML token does not contain c then the <strong>for</strong>mula must be FALSE<br />
393<br />
21
394 -- Indeed , this is the counterxample (a trace leading to the state<br />
395 -- where the system is under attack <strong>an</strong>d delivers the resource to the attacker):<br />
396<br />
397 - -**********************************************************************<br />
398 --The Path from The Initial Configuration to Configuration C44 is:<br />
399 --C1 --> C2 {request(samlToken ,requestedBy ,c)} /* ... */<br />
400 --C2 --> C3 /* ... */<br />
401 --C3 --> C4 /* ... */<br />
402 --C4 --> C5 /* ... */<br />
403 --C5 --> C6 /* ... */<br />
404 --C6 --> C7 /* ... */<br />
405 --C7 --> C8 /* ... */<br />
406 --C8 --> C9 {challenge(samlToken)} /* ... */<br />
407 --C9 --> C10 /* ... */<br />
408 --C10 --> C11 /* ... */<br />
409 --C11 --> C12 /* ... */<br />
410 --C12 --> C13 /* ... */<br />
411 --C13 --> C14 /* ... */<br />
412 --C14 --> C15 /* ... */<br />
413 --C15 --> C16 /* ... */<br />
414 --C16 --> C17 /* ... */<br />
415 --C17 --> C18 {challengeResp(samlToken)} /* ... */<br />
416 --C18 --> C19 /* ... */<br />
417 --C19 --> C20 /* ... */<br />
418 --C20 --> C21 /* ... */<br />
419 --C21 --> C22 /* ... */<br />
420 --C22 --> C23 /* ... */<br />
421 --C23 --> C24 /* ... */<br />
422 --C24 --> C25 /* ... */<br />
423 --C25 --> C26 /* ... */<br />
424 --C26 --> C27 {response(samlToken ,requestedBy ,c)} /* ... */<br />
425 --C27 --> C29 {request(registryQuery ,requestedBy ,c)} /* ... */<br />
426 --C29 --> C37 {request(registryQuery ,requestedBy ,i)} /* ... */<br />
427 --C37 --> C38 /* ... */<br />
428 --C38 --> C39 /* ... */<br />
429 --C39 --> C40 /* ... */<br />
430 --C40 --> C41 /* ... */<br />
431 --C41 --> C42 /* ... */<br />
432 --C42 --> C43 /* ... */<br />
433 --C43 --> C44 /* ... */<br />
434<br />
435 --The Current Configuration is C44 (show details ... )<br />
436<br />
437 --The Abstract State Labels <strong>of</strong> Configuration C44 are:<br />
438 --deliveringResource(to,i),systemUnderAttack(i)<br />
439<br />
440 --No More Evolutions.<br />
441 - -**********************************************************************<br />
442<br />
443<br />
444<br />
445 -- If the SAML token contains C then the <strong>for</strong>mula must be TRUE<br />
Implementation details<br />
We present now some <strong>implementation</strong> details concerning the SOAP messages exch<strong>an</strong>ged<br />
during the execution <strong>of</strong> the implemented <strong>protocol</strong>. Namespaces are omitted<br />
<strong>for</strong> simplicity sake.<br />
The first SOAP message sent by the consumer is shown in Listing 1.2. It contains<br />
the identity <strong>of</strong> the client C, the identity <strong>of</strong> the Security Token Service STS <strong>an</strong>d the message<br />
unique id written using the WS-Addressing From, MessageID <strong>an</strong>d To elements,<br />
respectively. We have also specified the WS-Addressing Action required by WS-Trust.<br />
22
The subtree UT(user, salt, int) is written according to [19] <strong>an</strong>d contains the username,<br />
a salt <strong>an</strong>d <strong>an</strong> iteration number. The keydKey is derived as explained in Section 2.<br />
Listing 1.2. Envelope <strong>of</strong> message (1)<br />
1 <br />
2 <br />
3 http://url -<strong>of</strong>-c/<br />
4 <br />
5 <br />
6 urn:uuid :7930395427 DF7E119D1242208192113<br />
7 <br />
8 <br />
9 http://docs.oasis -open.org/ws-sx/ws-trust /200512/RST/Issue<br />
10 <br />
11 <br />
12 http://localhost :8088/ SpiritIdentityProvider/services/STS09<br />
13 <br />
14 <br />
15 <br />
17 admin <br />
18 <br />
19 dw/CVPO8wYf63PEc2XoOAQ==<br />
20 <br />
21 1000<br />
22 <br />
23 <br />
24 2009-05-13T09:49:52.605Z<br />
25 2009-05-13T09:51:32.605Z<br />
26 <br />
27 <br />
28 <br />
29 <br />
30 <br />
31 <br />
32 http://docs.oasis -open.org/ws-sx/ws-trust /200512/ Issue<br />
33 <br />
34 <br />
35 <br />
36 http://REG <br />
37 <br />
38 <br />
39 <br />
40 urn:oasis:names:tc:SAML:2.0: assertion<br />
41 <br />
42 <br />
43 <br />
RST(REG), in the body <strong>of</strong> the message, is a plain WS-Trust RequestSecurityToken<br />
where the AppliesTo element has value REG.<br />
In the STS reply, shown in Listing 1.3, the received message identifier is the value <strong>of</strong><br />
the RelatesTo element. STS computes the key (STS knows user’s password by the underlying<br />
authentication mech<strong>an</strong>ism) <strong>an</strong>d responds with RSTR(ctx, {STS, n, ts, ctx} dKey ),<br />
a RequestSecurityTokenResponse WS-Trust element. ctx is <strong>an</strong> attribute <strong>of</strong> this element<br />
<strong>an</strong>d the encrypted data is set as Base64 encoded binary blob <strong>of</strong> a BinaryExch<strong>an</strong>ge<br />
element, encrypted using AES <strong>an</strong>d the first 128 bits <strong>of</strong> the password hash.<br />
1 <br />
2 <br />
3 <br />
Listing 1.3. Envelope <strong>of</strong> the message (2)<br />
23
4 <br />
5 http://localhost :8088/ SpiritIdentityProvider/services/STS09<br />
6 <br />
7 <br />
8 <br />
9 http://url -<strong>of</strong>-c/<br />
10 <br />
11 <br />
12 urn:uuid:584540 CC8CC1FF52441242219794824<br />
13 <br />
14 urn:IssueTokenResponse <br />
15 <br />
16 urn:uuid :7930395427 DF7E119D1242208192113<br />
17 <br />
18 <br />
19 <br />
20 <br />
22 btz1iZOtuTg ...<br />
25 <br />
26 <br />
27 <br />
28 <br />
1<br />
The consumer receives the message, decrypts it using the previously computed key,<br />
checks if message identifiers match, adds one to the nonce, <strong>an</strong>d reply with <strong>an</strong>other RequestSecurityTokenResponse<br />
(RSTR), shown in Listing 1.4. This element is required by<br />
WS-Trust <strong>an</strong>d contains a RequestedSecurityToken element with the XML-Encryption <strong>of</strong><br />
the nonce, the message id, the client address <strong>an</strong>d the context.<br />
Listing 1.4. Envelope <strong>of</strong> the message (3)<br />
2 <br />
3 <br />
4 <br />
5 http://docs.oasis -open.org/ws-sx/ws-trust /200512/RST/Issue<br />
6 <br />
7 <br />
8 urn:uuid:EAA1663EBF3A3D74941242219796235<br />
9 <br />
10 <br />
11 urn:uuid:584540 CC8CC1FF52441242219794824<br />
12 <br />
13 <br />
14 http://localhost :8088/ SpiritIdentityProvider/services/STS09<br />
15 <br />
16 <br />
18 <br />
20 2009-05-13T13:03:16.404Z<br />
21 2009-05-13T13:04:56.404Z<br />
22 <br />
23 <br />
24 <br />
25 <br />
26 <br />
28 <br />
29 <br />
31 <br />
24
33 <br />
35 <br />
37 <br />
38 <br />
40 <br />
41 <br />
42 TtljPAbr5...<br />
43 <br />
44 <br />
45 <br />
46 <br />
47 <br />
48 <br />
49 64oNEBHk365z<br />
50 <br />
51 <br />
52 <br />
53 <br />
54 <br />
55 <br />
56 <br />
57 <br />
The STS c<strong>an</strong> now authenticate the user (the password is known by the two parties),<br />
trust the machine C <strong>an</strong>d attest the “availability” <strong>of</strong> the remote system (after some different<br />
tries, it c<strong>an</strong> simply refuse connections from a certain client, <strong>for</strong> avoiding some denial<br />
<strong>of</strong> service attacks, or suppose the client be compromised <strong>an</strong>d throw <strong>an</strong> alarm). The<br />
SAML authentication assertion is created <strong>an</strong>d put in the RequestSecurityTokenResponseCollection<br />
required by WS-Trust <strong>for</strong> a final <strong>protocol</strong> step. The token is signed by STS<br />
according to the SAML Signature pr<strong>of</strong>ile, as enveloped signature. The STS address corresponds<br />
to the SAML Issuer element. REG’s address is the AudienceRestriction<br />
element. The assertion Conditions contains a timestamp. The username user is in the<br />
Subject element, that also contains a SubjectConfirmation method as holder-<strong>of</strong>-key.<br />
The KeyInfo element in the SubjectConfirmationData is the identity <strong>of</strong> the client<br />
C. The WS-Trust context used in the token issu<strong>an</strong>ce is set as SAML attribute. The corresponding<br />
message is shown in Listing 1.5.<br />
Listing 1.5. Envelope <strong>of</strong> the message (4)<br />
1 <br />
2 <br />
3 <br />
4 urn:IssueTokenResponse<br />
5 <br />
6 <br />
7 urn:uuid:EAA1663EBF3A3D74941242219796235<br />
8 <br />
9 <br />
10 <br />
11 <br />
12 <br />
14 <br />
15 <br />
20
21 Format="urn:oasis:names:tc:SAML:2.0:nameid -<strong>for</strong>mat:entity"<br />
22 NameQualifier="urn:ti<strong>an</strong>i -spirit:idp -name -qualifier"<br />
23 SPNameQualifier="urn:ti<strong>an</strong>i -spirit:sp-name -qualifier"><br />
24 urn:ihe -xua:names:spirit -identity -provider:location:vienna<br />
25 <br />
26 <br />
27 <br />
28 <br />
30 <br />
32 <br />
34 <br />
35 <br />
37 <br />
39 <br />
42 <br />
43 <br />
44 <br />
46 <br />
47 0fbE2x+swhcaxpUN1zUdBP4jDYA=<br />
48 <br />
49 <br />
50 <br />
51 <br />
52 R9UG0WglH5/nWyQ...<br />
53 <br />
54 <br />
55 <br />
56 <br />
57 MIIDwTCCAy...<br />
58 <br />
59 <br />
60 <br />
61 <br />
62 <br />
63 <br />
66 admin<br />
67 <br />
68 <br />
70 <br />
71 <br />
73 <br />
74 <br />
75 MIIESDCCA7...<br />
76 <br />
77 <br />
78 EMAILADDRESS=massimili<strong>an</strong>o.masi@ti<strong>an</strong>i -spirit.com ,<br />
79 CN=client ,<br />
80 OU=Dipartimento di Sistemi e In<strong>for</strong>matica ,<br />
81 O=Universita degli Studi di Firenze ,<br />
82 ST=Italy ,<br />
83 C=IT<br />
84 <br />
85 <br />
86 <br />
87 EMAILADDRESS=max@masc<strong>an</strong>c.net ,<br />
88 CN=DSI CA,<br />
26
89 OU=Dipartimento di Sistemi e In<strong>for</strong>matica ,<br />
90 O=Universita degli Studi di Firenze ,<br />
91 L=Florence ,<br />
92 ST=Italy ,<br />
93 C=IT<br />
94 <br />
95 2<br />
96 <br />
97 <br />
98 <br />
99 <br />
100 <br />
101 <br />
102 <br />
105 <br />
106 <br />
107 http://REG<br />
108 <br />
109 <br />
110 <br />
111 <br />
114 <br />
115 <br />
116 urn:oasis:names:tc:SAML:2.0:ac:classes:Password<br />
117 <br />
118 <br />
119 <br />
120 <br />
121 <br />
125 <br />
129 Orthopedist<br />
130 <br />
131 <br />
132 <br />
136 <br />
137 urn:uuid:584540 CC8CC1FF52441242219794873<br />
138 <br />
139 <br />
140 <br />
144 <br />
145 http ://172.16.101.1:6060/ axis2/services/<strong>an</strong>onService2/<br />
146 <br />
147 <br />
148 <br />
149 <br />
150 <br />
151 <br />
152 urn:oasis:names:tc:SAML:2.0: assertion<br />
153 <br />
154 <br />
156
157 xmlns:wsa="http://www.w3.org/2005/08/ addressing"><br />
158 <br />
159 http://REG<br />
160 <br />
161 <br />
162 <br />
163 <br />
164 <br />
165 <br />
166 <br />
Consumer now uses the <strong>IHE</strong> XDS.b ebXML encoding rules <strong>for</strong> querying the registry<br />
(via the message shown in Listing 1.6) <strong>an</strong>d obtaining data from the repository. The<br />
SAML token is inserted in the SOAP Header according to the WS-Security st<strong>an</strong>dard.<br />
ATNA with TLS is protecting these exch<strong>an</strong>ges.<br />
Listing 1.6. Envelope <strong>of</strong> the message (5)<br />
1 <br />
2 <br />
3 <br />
4 <br />
5 http://localhost :8088/XDS/registry?wsdl<br />
6 <br />
7 <br />
8 urn:ihe:iti:2007: RegistryStoredQuery<br />
9 <br />
10 <br />
11 http://www.w3.org/2005/08/ addressing/<strong>an</strong>onymous <br />
12 <br />
13 <br />
14 uuid:37caaeff -92e1 -434a-b6d1 -89e7eec09757<br />
15 <br />
16 <br />
18 <br />
23 ...<br />
24 <br />
25 <br />
26 <br />
27 <br />
28 <br />
33 <br />
34 <br />
35 <br />
36 <br />
37 (’urn:oasis:names:tc:ebxml -regrep:StatusType:Approved ’) <br />
38 <br />
39 <br />
40 <br />
41 <br />
42 ’%’<br />
43 <br />
44 <br />
45 <br />
46 <br />
47 <br />
48 <br />
28