Skip to main content
SpringerLink
Log in

Intrusion Attack Tactics for the Model Checking of e-Commerce Security Guarantees

  • Conference paper
Computer Safety, Reliability, and Security (SAFECOMP 2007)

Part of the book series: Lecture Notes in Computer Science ((LNPSE,volume 4680))

Included in the following conference series:

Abstract

In existing security model-checkers the intruder’s behavior is defined as a message deducibility rule base governing use of eavesdropped information, with the aim to find out a message that is meant to be secret or to generate messages that impersonate some protocol participant(s). The advent of complex protocols like those used in e-commerce brings to the foreground intrusion attacks that are not always attributed to failures of secrecy or authentication. We introduce an intruder model that provides an open-ended base for the integration of multiple attack tactics. In our model checking approach, protocol correctness is checked by appropriate user-supplied assertions or reachability of invalid end states. Thus, the analyst can express e-commerce security guarantees that are not restricted to the absence of secrecy and the absence of authentication failures. The described intruder model was implemented within the SPIN model-checker and revealed an integrity violation attack on the PayWord micro payment protocol.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Dolev, D., Yao, A.: On the security of public-key protocols. IEEE Transactions on Information Theory 2/29, 198–208 (1983)

    Google Scholar 

  2. Woo, T.Y.C., Lam, S.S.: A semantic model for authentication protocols. In: Proc. of the IEEE Symposium on Research in Security and Privacy, IEEE Computer Society Press, Los Alamitos (1993)

    Google Scholar 

  3. Meadows, C.A.: Formal verification of cryptographic protocols: A survey. In: Safavi-Naini, R., Pieprzyk, J.P. (eds.) ASIACRYPT 1994. LNCS, vol. 917, pp. 133–150. Springer, Heidelberg (1995)

    Chapter  Google Scholar 

  4. Burrows, M., Abadi, M., Needham, R.: A logic of authentication. ACM Transaction on Computer Systems 8/1, 18–36 (1990)

    Google Scholar 

  5. Syverson, P., Cervesato, I.: The logic of authentication protocols. In: Focardi, R., Gorrieri, R. (eds.) Foundations of Security Analysis and Design. LNCS, vol. 2171, pp. 63–137. Springer, Heidelberg (2001)

    Chapter  Google Scholar 

  6. The SPIN model checker official website, available at http://spinroot.com/

  7. Holzmann, G.J.: Design and Validation of Computer Protocols. Prentice-Hall, Englewood Cliffs (1991)

    Google Scholar 

  8. Kremer, S., Markowitch, O., Zhou, J.: An intensive survey of fair non-repudiation protocols. Computer Communications 25/17, 1606–1621 (2002)

    Google Scholar 

  9. Shmatikov, V., Mitchell, J.C.: Finite-state analysis of two contract signing protocols. Theoretical Computer Science 283, 419–450 (2002)

    Article  MATH  MathSciNet  Google Scholar 

  10. Cremers, C.J.F.: Feasibility of multi-protocol attacks. In: Proc. of the First International Conference on Availability, Reliability and Security, IEEE Computer Society Press, Los Alamitos (2006)

    Google Scholar 

  11. Rivest, R.L., Shamir, A.: Payword and Micromint: Two simple micropayment schemes. In: Lomas, M. (ed.) Security Protocols. LNCS, vol. 1189, pp. 69–87. Springer, Heidelberg (1997)

    Google Scholar 

  12. Millen, J.K., Clark, S.C., Freedman, S.B.: The Interrogator: Protocol Security Analysis. IEEE Transactions on Software Engineering 13/2 (1987)

    Google Scholar 

  13. Clarke, E.M., Jha, S., Marrero, W.: Verifying security protocols with Brutus. ACM Transactions on Software Engineering and Methodology 9/4, 443–487 (2000)

    Google Scholar 

  14. Mitchell, J.C., Mitchell, M., Stern, U.: Automated analysis of cryptographic protocols using Murφ. In: Proc. of the IEEE Symposium on Research in Security and Privacy, pp. 141–153. IEEE Computer Society, Los Alamitos (1997)

    Google Scholar 

  15. Roscoe, A.W.: Modeling and verifying key-exchange protocols using CSP and FDR. In: Proc. of the 8th IEEE Computer Security Foundations Workshop, pp. 98–107. IEEE Computer Society, Los Alamitos (1995)

    Google Scholar 

  16. Roscoe, A.W.: The theory and practice of concurrency. Prentice Hall, Englewood Cliffs (1997)

    Google Scholar 

  17. Roscoe, A.W., Goldsmith, M.: The perfect spy for model-checking cryptoprotocols. In: Proc. of the 1997 DIMACS Workshop on Design and Formal Verification of Security Protocols (1997)

    Google Scholar 

  18. Lowe, G.: Casper: a compiler for the analysis of security protocols. In: Proc. of the IEEE Computer Security Foundations Workshop, pp. 18–30. IEEE Computer Society, Los Alamitos (1997)

    Google Scholar 

  19. Meadows, C., Kemmerer, R., Millen, J.: Three systems for cryptographic protocol analysis. Journal of Cryptology 7/2, 79–130 (1994)

    Google Scholar 

  20. Gritzalis, S., Spinellis, D., Georgiadis, P.: Security protocols over open networks and distributed systems: formal methods for their analysis, design, and verification. Computer Communications 22, 697–709 (1999)

    Article  Google Scholar 

  21. Basin, D., Modersheim, S., Vigano, L.: OFMC: A Symbolic Model-Checker for Security Protocols. International Journal of Information Security (2004)

    Google Scholar 

  22. AVISPA: Automated validation of internet security protocols and applications, FET Open Project IST-2001-39252 (2003), http://www.avispa-project.org

  23. Lowe, G.: Towards a completeness result for model-checking of Security Protocols. In: Proc. of the 11th Computer Security Foundations Workshop, IEEE Computer Society Press, Los Alamitos (1998)

    Google Scholar 

  24. Clark, J., Jacob, J.: A survey of authentication protocol literature: version 1.0, Technical Report, University of York (1997)

    Google Scholar 

  25. Heather, J., Lowe, G., Schneider, S.: How to prevent type flaw attacks on security protocols. In: Proc. of the 13th IEEE Computer Security Foundations Workshop, pp. 255–268. IEEE Computer Society, Los Alamitos (2000)

    Google Scholar 

  26. Carlsen, U.: Cryptographic protocol flaws – Know your enemy. In: Proc. of the 7th IEEE Computer Security Foundations Workshop, pp. 192–200. IEEE Computer Society, Los Alamitos (1994)

    Google Scholar 

  27. Rivest, R.L.: The MD5 Message-Digest Algorithm. In: Internet informational RFC 1321 (1992)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Department of Informatics, Aristotle University of Thessaloniki, 54124 Thessaloniki, Greece

    Stylianos Basagiannis, Panagiotis Katsaros & Andrew Pombortsis

Authors
  1. Stylianos Basagiannis
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Panagiotis Katsaros
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Andrew Pombortsis
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Francesca Saglietti Norbert Oster

Rights and permissions

Reprints and permissions

Copyright information

© 2007 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Basagiannis, S., Katsaros, P., Pombortsis, A. (2007). Intrusion Attack Tactics for the Model Checking of e-Commerce Security Guarantees. In: Saglietti, F., Oster, N. (eds) Computer Safety, Reliability, and Security. SAFECOMP 2007. Lecture Notes in Computer Science, vol 4680. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-75101-4_22

Download citation

  • DOI: https://doi.org/10.1007/978-3-540-75101-4_22

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-75100-7

  • Online ISBN: 978-3-540-75101-4

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation