Skip to main content
SpringerLink
Log in
Book cover

International Conference on Trust and Trustworthy Computing

Trust 2012: Trust and Trustworthy Computing pp 239–254Cite as

A Belief Logic for Analyzing Security of Web Protocols

  • Conference paper

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 7344))

Abstract

Many useful transactions on the web are implemented as a sequence of interactions that a user performs with multiple collaborating providers. Safety of such transactions requires the user to not only trust individual providers and communication channels, but also the web protocols that manage security of these transactions. A protocol can be trusted for a particular usage, if the guarantees that it provides its participants are considered acceptable in the context. An important set of approaches for cryptographic protocol analysis are based on the so-called BAN logic which is used to reason about beliefs established at protocol participants. In this paper, we attempt at providing a similar approach for web protocols. The new logic extends BAN and supports key concepts that simplify security analysis of web protocols. It also takes into account additional challenges introduced due to browser-based interaction. Through examples of two leading cross-domain identity and access management protocols, we demonstrate efficacy of our analysis in establishing precisely what a protocol achieves, in deciding whether it can be trusted for a particular need and in proposing fixes that improve trust levels.

This is a preview of subscription content, log in via an institution.

Chapter
USD   29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD   39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD   54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Learn about institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Burrows, M., Abadi, M., Needham, R.: A Logic of Authentication. ACM Transactions on Computer Systems (TOCS) 8(1), 18–36 (1990)

    Article  Google Scholar 

  2. OASIS SAML Specifications. SAML v2.0, Core, http://saml.xml.org/saml-specifications

  3. OpenID 2.0 Specifications, http://openid.net/specs/openid-authentication-2_0.html

  4. Hammer, E.: The OAuth 1.0 Protocol, Internet Engineering Task Force, Request for Comments (RFC): 5849, http://www.rfc-editor.org/rfc/rfc5849.txt

  5. Gong, L., Needham, R., Yahalom, R.: Reasoning about Belief in Cryptographic Protocols. In: Proceedings 1990 IEEE Symposium on Research in Security and Privacy (1990)

    Google Scholar 

  6. Abadi, M., Tuttle, M.R.: A semantics for a logic of authentication. In: Proceedings of the ACM Symposium of Principles of Distributed Computing (1991)

    Google Scholar 

  7. Kessler, V., Wedel, G.: AUTLOG: An advanced logic of authentication. In: Proceedings of Computer Security Foundation Workshop VII, pp. 90–99 (1994)

    Google Scholar 

  8. Syverson, P., van Oorschot, P.: On unifying some cryptographic protocol logics. In: Proceedings of the Symposium on Security and Privacy, Oakland, CA, pp. 14–28 (1994)

    Google Scholar 

  9. Schumann, J.: Automatic Verification of Cryptographic Protocols with SETHEO. In: McCune, W. (ed.) CADE 1997. LNCS, vol. 1249, pp. 831–836. Springer, Heidelberg (1997)

    Google Scholar 

  10. Craigen, D., Saaltink, M.: Using EVES to analyze authentication protocols. Technical Report TR-96-5508-05, ORA Canada (1996)

    Google Scholar 

  11. Dolev, D., Yao, A.: On the security of public key protocols. IEEE Trans. Inform. Theory IT-29, 198–208 (1983)

    Article  MathSciNet  Google Scholar 

  12. Meadows, C.: Applying formal methods to the analysis of a key management protocol. Journal of Computer Security 1, 5–53 (1992)

    Google Scholar 

  13. Lowe, G.: Breaking and Fixing the Needham-Schroeder Public-Key Protocol Using FDR. In: Margaria, T., Steffen, B. (eds.) TACAS 1996. LNCS, vol. 1055, pp. 147–166. Springer, Heidelberg (1996)

    Chapter  Google Scholar 

  14. Armando, A., et al.: An Optimized Intruder Model for SAT-based Model-Checking of Security Protocols. Elec. Notes in Theoret. Comp. Sci. 125(1) (March 2005)

    Google Scholar 

  15. Groß, T.: Security analysis of the SAML single sign-on browser/artifact profile. In: Proceedings of 19th ACSAC 2003, pp. 298–307. IEEE Computer Society Press (2003)

    Google Scholar 

  16. Hammer-Lahav, E.: Explaining the OAuth Session Fixation Attack, http://hueniverse.com/2009/04/explaining-the-oauth-sessionfixation-attack/

  17. Needham, R., Schroeder, M.: Using encryption for authentication in large networks of computers. Communications of the ACM 21(12), 993–999 (1978)

    Article  MATH  Google Scholar 

  18. Basin, D., Mödersheim, S., Viganò, L.: An On-the-Fly Model-Checker for Security Protocol Analysis. In: Snekkenes, E., Gollmann, D. (eds.) ESORICS 2003. LNCS, vol. 2808, pp. 253–270. Springer, Heidelberg (2003)

    Chapter  Google Scholar 

  19. Armando, A., Basin, D., Boichut, Y., Chevalier, Y., Compagna, L., Cuellar, J., Drielsma, P.H., Heám, P.C., Kouchnarenko, O., Mantovani, J., Mödersheim, S., von Oheimb, D., Rusinowitch, M., Santiago, J., Turuani, M., Viganò, L., Vigneron, L.: The AVISPA Tool for the Automated Validation of Internet Security Protocols and Applications. In: Etessami, K., Rajamani, S.K. (eds.) CAV 2005. LNCS, vol. 3576, pp. 281–285. Springer, Heidelberg (2005)

    Chapter  Google Scholar 

  20. Javier, F., Fabrega, T., Herzog, J.C., Guttman, J.D.: Strand spaces: Why a security protocol is correct? In: Proceedings of IEEE Symposium on Security and Privacy, pp. 160–171 (1998)

    Google Scholar 

  21. Dawn, S., Berezin, S., Perrig, A.: Athena: a novel approach to efficient automatic security protocol analysis. Journal of Computer Security 9, 47–74 (2001)

    Google Scholar 

  22. Akhawe, D., Barth, A., Lam, P.E., Mitchell, J., Song, D.: Towards a Formal Foundation of Web Security. In: Proceedings of 23rd IEEE Computer Security Foundations Symposiym (CSF), pp. 290–304 (2010)

    Google Scholar 

  23. Kumar, A.: Model Driven Security Analysis of IDaaS Protocols. In: Kappel, G., Maamar, Z., Motahari-Nezhad, H.R. (eds.) ICSOC 2011. LNCS, vol. 7084, pp. 312–327. Springer, Heidelberg (2011)

    Chapter  Google Scholar 

  24. The OAuth Core 1.0 Specification, http://oauth.net/core/1.0

  25. Hammer, E., Reardon, D., Hardt, D.: The OAuth 2.0 Authorization Protocol, Network Working Group, Internet Draft (work in progress), http://tools.ietf.org/html/draft-ietf-oauth-v2-xx

Download references

Author information

Authors and Affiliations

  1. IBM Research, India

    Apurva Kumar

Authors
  1. Apurva Kumar
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Department of Computer Science, Technical University Darmstadt, Hochschulstrasse 10, 64289, Darmstadt, Germany

    Stefan Katzenbeisser  & Melanie Volkamer  & 

  2. Institute of Software Technology and Interactive Systems, Vienna University of Technology and SBA Research, Favoritenstrsse 9-11, 1040, Vienna, Austria

    Edgar Weippl

  3. School of Informatics, Indiana University, 901 East Tenth Street, 47405, Bloomington, IN, USA

    L. Jean Camp

  4. Department of Computer Science, University of North Carolina at Chapel Hill, 201 S. Columbia Street UNH-CH, 27599-3175, Chapel Hill, NC, USA

    Mike Reiter

  5. Huawei America R&D, 2330 Central Expressway, 95050, Santa Clara, CA, USA

    Xinwen Zhang

Rights and permissions

Reprints and permissions

Copyright information

© 2012 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Kumar, A. (2012). A Belief Logic for Analyzing Security of Web Protocols. In: Katzenbeisser, S., Weippl, E., Camp, L.J., Volkamer, M., Reiter, M., Zhang, X. (eds) Trust and Trustworthy Computing. Trust 2012. Lecture Notes in Computer Science, vol 7344. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-30921-2_14

Download citation

  • DOI: https://doi.org/10.1007/978-3-642-30921-2_14

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-30920-5

  • Online ISBN: 978-3-642-30921-2

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation