金康双,王泽兵,冯雁,陈海燕

DOI: https://doi.org/10.3969/j.issn.1001-3695.2004.08.034

2004-01-01

Abstract:Session Initiation Protocol(SIP) is the Internet Engineering Task Force (IETF) standard for IP telephony,and it has a promising applied prospect.In this work,the security authentication mechanism used by SIP is described.Moreover an experimental performance analysis of the SIP security mechanisms is provided,which based on the open source Java implementation of a SIP proxy server.

YAO Lin,FAN Qingna,KONG Xiangwei

DOI: https://doi.org/10.3778/j.issn.1002-8331.2011.06.023

2011-01-01

Abstract:As a result of the high mobility of the pervasive computing,the principles communicating with each other usually locate at different domains.To secure the service access and communications,the principles should authenticate each other and establish a fresh session key.A novel inter-domain authentication and key establishment protocol is proposed.The proposed protocol reduces the burden of certificates management by adopting the biometric encryption.After inter-domain mutual authentication,the two principles build a new session key using the signcryption technique.The protocol can defend lots of attacks and its correctness is proven by the SVO logic.

Di Wu,Yabo Dong,Jian Lin,Miaoliang Zhu

DOI: https://doi.org/10.1007/11563952_52

2005-01-01

Abstract:The fast development of E-Commerce and information technology brings much higher requirements for enterprise informationization. Because of the differences in platforms, development languages and standards etc, enterprise application integration (EAI) has become the important form of enterprise informationization to support complex business processes. Web services have emerged as the next generation of integration technology which provides the power to support interoperability. However EAI doesn’t just present new interoperability challenges; it also presents serious privacy and security challenges. This paper presents security architecture of Web Services based EAI which uses distributed Single Sign On authentication and distributed Role-based Access Control authorization. The basic concept and prototype system of the security architecture are described in detail.

胡伟清,童春杰,陈德人,李子臣,寇卫东

DOI: https://doi.org/10.3785/j.issn.1008-973X.2004.11.011

2004-01-01

Abstract:A common digital watermark system does not provide watermark inserting and detecting services on Internet. In order to make wider application of digital watermark, a new scheme to make traditional watermark available as Web Services was presented. It was based upon Web Services for inserting watermark and detecting watermark and used simple object access protocol (SOAP) to exchange messages between service requester and service provider. Based on digital certificate and extensible markup language (XML) encryption and digital signature technology, a secure interaction between the requester and the provider was provided. This scheme reduces cost and protects digital products effectively on open networks.

Bao Liu,Minhua Shi,Deren Chen

2001-01-01

Abstract:Web Services are self-contained, modular applications that can be described, published, located, and invoked over a network, generally, the Web. Yet the problem emerges as different Web Services interoperate each other. In this paper we recommend the Simple Object Access Protocol (SOAP)[1] as the communication standard in the Web Services Architecture to solve the problem.First, we describe what is Web Services and present the architecture of it. Then, according to the challenge that Web Services faces, we address the key enabling technologies of which SOAP be composed. SOAP has many advantages that other binary protocols, such as Java RMI, do not have. Finally, by introducing an E-business model based on the integration of SOAP, UDDI [2], MQ [3] etc., we show the manner and flow of SOAP to implement Web Services architecture.

Muhammad Bilal,Can Wang,Zhi Yu,Abid Bashir

DOI: https://doi.org/10.1109/icsess49938.2020.9237635

2020-01-01

Abstract:Identity management (IdM) plays a significant role in managing user identities (IDs). However, IdM is challenging to handle the rapidly rising numerous kinds of Web-based applications nowadays. The OpenID 2.0 communication protocol is an improved solution for managing a user's IDs based on the OpenID URL identity. OpenID URL identity is not very much secure in specific Web-based attacks; for instance, session hijacking and phishing attacks often occur. The earlier OpenID-based methods secure OpenID URL identity with single, double, and triple authentication schemes. But Identity Provider (IdP) side is still not secure in Web attacks: if an attacker steals the IdP-side legal user information, then existing OpenID-based security techniques are unreliable. The anticipated OpenID Reverse Authentication Authorizing and Accounting (RAAA) user authentication-based protocol secured OpenID URL identity by providing two beneficial fields Secret Alphanumeric String (SAS) and Special Innovative PIN (SIP) that utilize in testing website both sides in reverse and cost-effective way. In this experiment, IdP and Relying Party (RP), both sides are being used secretly. Therefore, experimental websites also test to check the proposed triple authentication protocol. In this paper, we have compared our RAAA user authentication protocol with already available SSO protocol methods. The tested websites and comparative results represent that the anticipated design protocol is very much secure and reliable solution. The advanced cryptographic Single-Sign-On (SSO) secure protocol reduces the higher-level session hijacking and phishing attacks risk in an OpenID-based environment. We suggest future SSO protocol methods will be needed more in terms of the authorized user's identity authentication in Web-based applications.

Xiao-ning JIANG,Cheng-qing YE,Xue-zeng PAN

2001-01-01

Journal of Computer Research and Development

Abstract:Electronic commerce is a main trend in Internet applications, which should be based on fair exchange. A new fair exchange protocol with off-line semi-trusted third party is proposed. It is also efficient in the sense that it only needs 4 messages in a transaction. In the meantime all messages are encrypted naturally, which makes it appealing over large open networks that have little or no physical security, such as Internet. It is based on publicly verifiable secret sharing (PVSS) theory.

YL Shi,L Zhang,B Liu,FF Liu,LL Lin,BL Shi

DOI: https://doi.org/10.1109/cit.2005.10

2005-01-01

Abstract:Due to the promising features of Web services, their deployment and research are booming. Among them, various techniques for Web service composition have been developed. In this paper, we propose a new composition framework. We use automata to describe behaviors of Web services. Each of underlying Web services can interact with others through asynchronous messages passing according to its interaction role (client or server). All these messages are recorded by a virtual global observer and the observation result is just the composition conversation of Web services. We also develop a formal a top-down verification mechanism on this framework and provide some realizable conditions for a successful composition

Xu Feng,Huang Hao,Wang Zhijian

DOI: https://doi.org/10.3969/j.issn.1000-386X.2008.11.010

2008-01-01

Abstract:The archetype of session authentication protocol model is presented to solve the problem of communication security among ses- sion entities in Web services.The security technologies and the shortages of the protocol in key mechanism,anonymous instance and session management are analyzed,and then some improvements and extension are made over the archetype protocol based on DH algorithm.Finally, the new session authentication protocol is used for the management of the communication among session entities in a Web services transaction environment and the authentication in a testing system.The test result reveals that the new session entities authentication protocol can provide a trustful protection for the session process in Web services.

Thi Minh Chau Le,Xuan Thang Pham,Vinh Thinh Le

DOI: https://doi.org/10.54644/jte.2024.1523

2024-02-28

Journal of Technical Education Science

Abstract:In the dynamic field of Internet security, verifying and analyzing security protocols is crucial for ensuring secure and effective communication. This paper presents an analysis of leading tools used for the verification, falsification, and analysis of security protocols, focusing particularly on Scyther and Tamarin. We examine the methodologies, capabilities, and applications of these tools in various contexts, including cloud computing and IoT, highlighting their unique approaches and contributions to the field. The paper starts with an examination of the Scyther tool, emphasizing its innovative approach to automated falsification and verification, and its application in multi-protocol analysis. We then transition to exploring the use of Scyther in verifying key agreement protocols in cloud computing. A comparative analysis of Scyther and Tamarin is also presented, shedding light on their effectiveness in identifying security properties and revealing the strengths and weaknesses of different protocols. This is further enriched by a detailed look at the unbounded verification capabilities of Scyther. Additionally, the paper covers the capabilities of the Tamarin prover, exploring its advanced features in symbolic analysis, its ability to handle complex security properties, and its application in verifying protocol implementations. Through this paper, we aim to provide a comprehensive overview of the current landscape in security protocol verification, offering insights into the methodologies, challenges, and future directions in this essential area of research.

Cheng Zhan,Xie Li

DOI: https://doi.org/10.3969/j.issn.1000-386X.2008.10.007

2008-01-01

Abstract:Web Service security problem is one of the highlighted topics in information security area recently.This article presents two security mechanisms for Web Services,transport-level security and message-level security.Then the security technology used to implement message-level security is introduces in detail.Finally,it gives a conclusion to Web Service security and proposes a new Web Service layered security model.

LIU Ru-juan,DAI Gui-lan,HU Chang-jun,BAI Xiao-ying

DOI: https://doi.org/10.3969/j.issn.1000-1220.2007.11.001

2007-01-01

Abstract:Based on the fundamental concepts in model checking technology,this paper mainly focuses on the key model checking technology in the application of composite Web service verification.At present,there are some difficulties during the process of composite web service verification and validation with the service oriented computing pattern,for example,how to verify the trustworthiness when services are combined dynamically or how to solve the complexity and undecidability during the process of service composition.It also summaries and compares several kinds of typical model checking application in the verification and validation for web services.At last,it discusses some existing problems and provides corresponding solutions in model checking research when it is applied in the web service validation and verification framework.

Xiaoying Bai,Yongbo Wang,Guilan Dai,Wei-Tek Tsai,Yinong Chen

DOI: https://doi.org/10.1007/978-3-540-73551-9_18

2007-01-01

Abstract:A key issue with Web Services (WS) is the verification and validation (V&V) of services to build trust between service providers and service users. This paper proposed a test-broker architecture so that all stakeholder within WS can contribute to improve the testing of the services. The test broker supports the submission, indexing, and querying of test artifacts such as test cases, defect reports and evaluations. It can also provide the services for the test generation, test coordination, and distributed testing services. The DCV&V (Decentralized, Collaborative, Verification and Validation) framework is proposed with a set of distributed and collaborated test brokers dedicated to different V&V tasks to enable scalable and flexible test collaborations. The paper explores the concept of design-by-contract and applies the principle to DCV&V. It identifies two categories of testing contracts including TSC (Testing Service Contracts) and TCC (Test Collaboration Contracts). It illustrates the application of TSC with contract-based test generation based on WS OWL-S specification. It elaborates TCC with the analysis of the test artifacts definitions.

xiao yinyin,su kaile,ma zhenyuan,hu ruo

DOI: https://doi.org/10.13245/j.hust.2013.07.015

2013-01-01

Abstract:The important properties of SET(secure electronic transaction)payment protocols were verified and improved by a knowledge reasoning method ISL(instantiation space logic)and its tool SPV(security protocol verifier).The method could verify the correctness of protocols in unbounded number of sessions compared with model checking method.By comparison with theorems or proved methods,the method was testified fully automatically.A model more closed to the original protocols was proposed by simplifying complex messages of protocols under the ISL and choosing the protocol steps rationally,without affecting the important security properties.The SPV formal description of the model and its properties(secrecy and authentication) was given,and the verification results and effectiveness were showed.The protocols were improved according to the unsatisfied epistemic specifications,and the improvement resolved the authentication problem between the cardholder and pay-gate in the protocols.

Xiao-Ying BAI,Chong-Chong ZHAO,Gui-Lan DAI

DOI: https://doi.org/10.3969/j.issn.1002-137X.2006.02.071

2006-01-01

Computer Science

Abstract:As an evolutionary technology,Web services poses new challenges for software testing.Web service testing need to be adaptive to distributed coordinated environment.To ensure the quality of Web services,services need to be verified and validated at different levels including infrastructure,unit and integration,from different perspectives inclu- ding functionality,performance,reliability,security,etc.The paper analyzes the issues of web service testing and gives an overview of testing techniques on SOAP protocol verification,WSDL extension,and model-based verification tech- niques of composite service specification.It finally discusses future research and practice on Web service testing.

Qing Yang,Dianfu Ma,Yongwang Zhao,Zhuqing Li

DOI: https://doi.org/10.1109/APSCC.2010.14

2010-01-01

Abstract:The implementation of Web services specifications is the key issue of Web services container which is the infrastructure of SOC. The specifications are always depicted in natural language, which may lead to misunderstanding or ambiguity. In this situation, the implementations of the same specification by different containers will re-introduce interoperability which is supposedly addressed by Web services. These may lead to the reliability problems among upper applications. Currently, formal methods is a precise mathematic way to model the specifications and verify the correctness of the properties. To solve the issues, first, we introduce an XML programming language called SODL (Service-Oriented Description Language) to describe the implementation of specifications. Then, using SODL, we describe the message processing logic according to specifications and implement a Web services container. Furthermore, the logic described in SODL can be converted to automata, by which lots of tools can be applied to verify the properties of container according to the specifications.

Felix Linker,David Basin

2024-02-06

Abstract:Social authentication has been suggested as a usable authentication ceremony to replace manual key authentication in messaging applications. Using social authentication, chat partners authenticate their peers using digital identities managed by identity providers. In this paper, we formally define social authentication, present a protocol called SOAP that largely automates social authentication, formally prove SOAP's security, and demonstrate SOAP's practicality in two prototypes. One prototype is web-based, and the other is implemented in the open-source Signal messaging application.

Cryptography and Security

Xinyi Huang,Cheng-Kang Chu,Hung-Min Sun,Jianying Zhou,Robert H. Deng

DOI: https://doi.org/10.1002/sec.620

IF: 1.968

2012-01-01

Security and Communication Networks

Abstract:The advance in information technology has made video service a market with great commercial value. As an example, in-vehicle infotainment has been introduced to vehicles with which customers can enjoy subscribed media services wherever they are. This paper investigates the authentication in commercial video services using a recently proposed protocol, the Sun–Leu protocol, as baseline. Several important security and performance requirements are revisited, including mutual authentication, anonymous authentication, one-to-many delivery, low communication cost and the security against replay attacks. We provide a detailed analysis of the Sun–Leu protocol against these requirements, based on which an enhanced authentication scheme is proposed. The new scheme is designed within the framework of the Sun–Leu protocol, preserves all merits of the original protocol and provides a higher level of security for video communication services. Copyright © 2012 John Wiley & Sons, Ltd.

Zhang Mi,Cheng Zunping,Ma Ziji,Zang Binyu

DOI: https://doi.org/10.1109/CIT.2005.47

2005-01-01

Abstract:With the emerging applications based on Web Service, end-to-end security becomes more and more important. SSL and current XML security schemas cannot reach the demand of it. This paper proposes a novel security model -- ESM, which integrates some popular XML security schemas and constructs a layered model based on SOAP message transport mechanism. It's aiming at the end-to-end security issues in Web Service environment. Compared with other security models known to us, this model is more comprehensive and flexible.

Yun Zhao,Jianxin Wang,Xingjun Wang

DOI: https://doi.org/10.1109/ISCID.2013.35

2013-01-01

Abstract:With the development of Internet, people can use their computer to make calls instead of telephone. Many Internet calls take place without any protection. TLS and SRTP could keep the callee and caller from third party's malicious action. However, both methods could do little when the reliability of VoIP server is under suspicion. In this paper, we present a server irrelevant security mechanism for VoIP system based on SIP and RTP. This mechanism implements safety handshake in media channel. User gets certificate from third party CA. Caller and callee exchange PKI or IBE information during the call. As long as the server keeps media data unchanged, this mechanism could ensure the safety of the call against server eavesdropping. It is flexible because the user could utilize different CA to obtain suitable safety demand with the same VoIP server. Cooperating with other protective methods, it can provide a more reliable environment for Internet telephone.