Abstract
In existing security model-checkers the intruder’s behavior is defined as a message deducibility rule base governing use of eavesdropped information, with the aim to find out a message that is meant to be secret or to generate messages that impersonate some protocol participant(s). The advent of complex protocols like those used in e-commerce brings to the foreground intrusion attacks that are not always attributed to failures of secrecy or authentication. We introduce an intruder model that provides an open-ended base for the integration of multiple attack tactics. In our model checking approach, protocol correctness is checked by appropriate user-supplied assertions or reachability of invalid end states. Thus, the analyst can express e-commerce security guarantees that are not restricted to the absence of secrecy and the absence of authentication failures. The described intruder model was implemented within the SPIN model-checker and revealed an integrity violation attack on the PayWord micro payment protocol.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Dolev, D., Yao, A.: On the security of public-key protocols. IEEE Transactions on Information Theory 2/29, 198–208 (1983)
Woo, T.Y.C., Lam, S.S.: A semantic model for authentication protocols. In: Proc. of the IEEE Symposium on Research in Security and Privacy, IEEE Computer Society Press, Los Alamitos (1993)
Meadows, C.A.: Formal verification of cryptographic protocols: A survey. In: Safavi-Naini, R., Pieprzyk, J.P. (eds.) ASIACRYPT 1994. LNCS, vol. 917, pp. 133–150. Springer, Heidelberg (1995)
Burrows, M., Abadi, M., Needham, R.: A logic of authentication. ACM Transaction on Computer Systems 8/1, 18–36 (1990)
Syverson, P., Cervesato, I.: The logic of authentication protocols. In: Focardi, R., Gorrieri, R. (eds.) Foundations of Security Analysis and Design. LNCS, vol. 2171, pp. 63–137. Springer, Heidelberg (2001)
The SPIN model checker official website, available at http://spinroot.com/
Holzmann, G.J.: Design and Validation of Computer Protocols. Prentice-Hall, Englewood Cliffs (1991)
Kremer, S., Markowitch, O., Zhou, J.: An intensive survey of fair non-repudiation protocols. Computer Communications 25/17, 1606–1621 (2002)
Shmatikov, V., Mitchell, J.C.: Finite-state analysis of two contract signing protocols. Theoretical Computer Science 283, 419–450 (2002)
Cremers, C.J.F.: Feasibility of multi-protocol attacks. In: Proc. of the First International Conference on Availability, Reliability and Security, IEEE Computer Society Press, Los Alamitos (2006)
Rivest, R.L., Shamir, A.: Payword and Micromint: Two simple micropayment schemes. In: Lomas, M. (ed.) Security Protocols. LNCS, vol. 1189, pp. 69–87. Springer, Heidelberg (1997)
Millen, J.K., Clark, S.C., Freedman, S.B.: The Interrogator: Protocol Security Analysis. IEEE Transactions on Software Engineering 13/2 (1987)
Clarke, E.M., Jha, S., Marrero, W.: Verifying security protocols with Brutus. ACM Transactions on Software Engineering and Methodology 9/4, 443–487 (2000)
Mitchell, J.C., Mitchell, M., Stern, U.: Automated analysis of cryptographic protocols using Murφ. In: Proc. of the IEEE Symposium on Research in Security and Privacy, pp. 141–153. IEEE Computer Society, Los Alamitos (1997)
Roscoe, A.W.: Modeling and verifying key-exchange protocols using CSP and FDR. In: Proc. of the 8th IEEE Computer Security Foundations Workshop, pp. 98–107. IEEE Computer Society, Los Alamitos (1995)
Roscoe, A.W.: The theory and practice of concurrency. Prentice Hall, Englewood Cliffs (1997)
Roscoe, A.W., Goldsmith, M.: The perfect spy for model-checking cryptoprotocols. In: Proc. of the 1997 DIMACS Workshop on Design and Formal Verification of Security Protocols (1997)
Lowe, G.: Casper: a compiler for the analysis of security protocols. In: Proc. of the IEEE Computer Security Foundations Workshop, pp. 18–30. IEEE Computer Society, Los Alamitos (1997)
Meadows, C., Kemmerer, R., Millen, J.: Three systems for cryptographic protocol analysis. Journal of Cryptology 7/2, 79–130 (1994)
Gritzalis, S., Spinellis, D., Georgiadis, P.: Security protocols over open networks and distributed systems: formal methods for their analysis, design, and verification. Computer Communications 22, 697–709 (1999)
Basin, D., Modersheim, S., Vigano, L.: OFMC: A Symbolic Model-Checker for Security Protocols. International Journal of Information Security (2004)
AVISPA: Automated validation of internet security protocols and applications, FET Open Project IST-2001-39252 (2003), http://www.avispa-project.org
Lowe, G.: Towards a completeness result for model-checking of Security Protocols. In: Proc. of the 11th Computer Security Foundations Workshop, IEEE Computer Society Press, Los Alamitos (1998)
Clark, J., Jacob, J.: A survey of authentication protocol literature: version 1.0, Technical Report, University of York (1997)
Heather, J., Lowe, G., Schneider, S.: How to prevent type flaw attacks on security protocols. In: Proc. of the 13th IEEE Computer Security Foundations Workshop, pp. 255–268. IEEE Computer Society, Los Alamitos (2000)
Carlsen, U.: Cryptographic protocol flaws – Know your enemy. In: Proc. of the 7th IEEE Computer Security Foundations Workshop, pp. 192–200. IEEE Computer Society, Los Alamitos (1994)
Rivest, R.L.: The MD5 Message-Digest Algorithm. In: Internet informational RFC 1321 (1992)
Author information
Authors and Affiliations
Editor information
Rights and permissions
Copyright information
© 2007 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Basagiannis, S., Katsaros, P., Pombortsis, A. (2007). Intrusion Attack Tactics for the Model Checking of e-Commerce Security Guarantees. In: Saglietti, F., Oster, N. (eds) Computer Safety, Reliability, and Security. SAFECOMP 2007. Lecture Notes in Computer Science, vol 4680. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-75101-4_22
Download citation
DOI: https://doi.org/10.1007/978-3-540-75101-4_22
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-75100-7
Online ISBN: 978-3-540-75101-4
eBook Packages: Computer ScienceComputer Science (R0)