Abstract
Many useful transactions on the web are implemented as a sequence of interactions that a user performs with multiple collaborating providers. Safety of such transactions requires the user to not only trust individual providers and communication channels, but also the web protocols that manage security of these transactions. A protocol can be trusted for a particular usage, if the guarantees that it provides its participants are considered acceptable in the context. An important set of approaches for cryptographic protocol analysis are based on the so-called BAN logic which is used to reason about beliefs established at protocol participants. In this paper, we attempt at providing a similar approach for web protocols. The new logic extends BAN and supports key concepts that simplify security analysis of web protocols. It also takes into account additional challenges introduced due to browser-based interaction. Through examples of two leading cross-domain identity and access management protocols, we demonstrate efficacy of our analysis in establishing precisely what a protocol achieves, in deciding whether it can be trusted for a particular need and in proposing fixes that improve trust levels.
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsPreview
Unable to display preview. Download preview PDF.
References
Burrows, M., Abadi, M., Needham, R.: A Logic of Authentication. ACM Transactions on Computer Systems (TOCS) 8(1), 18–36 (1990)
OASIS SAML Specifications. SAML v2.0, Core, http://saml.xml.org/saml-specifications
OpenID 2.0 Specifications, http://openid.net/specs/openid-authentication-2_0.html
Hammer, E.: The OAuth 1.0 Protocol, Internet Engineering Task Force, Request for Comments (RFC): 5849, http://www.rfc-editor.org/rfc/rfc5849.txt
Gong, L., Needham, R., Yahalom, R.: Reasoning about Belief in Cryptographic Protocols. In: Proceedings 1990 IEEE Symposium on Research in Security and Privacy (1990)
Abadi, M., Tuttle, M.R.: A semantics for a logic of authentication. In: Proceedings of the ACM Symposium of Principles of Distributed Computing (1991)
Kessler, V., Wedel, G.: AUTLOG: An advanced logic of authentication. In: Proceedings of Computer Security Foundation Workshop VII, pp. 90–99 (1994)
Syverson, P., van Oorschot, P.: On unifying some cryptographic protocol logics. In: Proceedings of the Symposium on Security and Privacy, Oakland, CA, pp. 14–28 (1994)
Schumann, J.: Automatic Verification of Cryptographic Protocols with SETHEO. In: McCune, W. (ed.) CADE 1997. LNCS, vol. 1249, pp. 831–836. Springer, Heidelberg (1997)
Craigen, D., Saaltink, M.: Using EVES to analyze authentication protocols. Technical Report TR-96-5508-05, ORA Canada (1996)
Dolev, D., Yao, A.: On the security of public key protocols. IEEE Trans. Inform. Theory IT-29, 198–208 (1983)
Meadows, C.: Applying formal methods to the analysis of a key management protocol. Journal of Computer Security 1, 5–53 (1992)
Lowe, G.: Breaking and Fixing the Needham-Schroeder Public-Key Protocol Using FDR. In: Margaria, T., Steffen, B. (eds.) TACAS 1996. LNCS, vol. 1055, pp. 147–166. Springer, Heidelberg (1996)
Armando, A., et al.: An Optimized Intruder Model for SAT-based Model-Checking of Security Protocols. Elec. Notes in Theoret. Comp. Sci. 125(1) (March 2005)
Groß, T.: Security analysis of the SAML single sign-on browser/artifact profile. In: Proceedings of 19th ACSAC 2003, pp. 298–307. IEEE Computer Society Press (2003)
Hammer-Lahav, E.: Explaining the OAuth Session Fixation Attack, http://hueniverse.com/2009/04/explaining-the-oauth-sessionfixation-attack/
Needham, R., Schroeder, M.: Using encryption for authentication in large networks of computers. Communications of the ACM 21(12), 993–999 (1978)
Basin, D., Mödersheim, S., Viganò, L.: An On-the-Fly Model-Checker for Security Protocol Analysis. In: Snekkenes, E., Gollmann, D. (eds.) ESORICS 2003. LNCS, vol. 2808, pp. 253–270. Springer, Heidelberg (2003)
Armando, A., Basin, D., Boichut, Y., Chevalier, Y., Compagna, L., Cuellar, J., Drielsma, P.H., Heám, P.C., Kouchnarenko, O., Mantovani, J., Mödersheim, S., von Oheimb, D., Rusinowitch, M., Santiago, J., Turuani, M., Viganò, L., Vigneron, L.: The AVISPA Tool for the Automated Validation of Internet Security Protocols and Applications. In: Etessami, K., Rajamani, S.K. (eds.) CAV 2005. LNCS, vol. 3576, pp. 281–285. Springer, Heidelberg (2005)
Javier, F., Fabrega, T., Herzog, J.C., Guttman, J.D.: Strand spaces: Why a security protocol is correct? In: Proceedings of IEEE Symposium on Security and Privacy, pp. 160–171 (1998)
Dawn, S., Berezin, S., Perrig, A.: Athena: a novel approach to efficient automatic security protocol analysis. Journal of Computer Security 9, 47–74 (2001)
Akhawe, D., Barth, A., Lam, P.E., Mitchell, J., Song, D.: Towards a Formal Foundation of Web Security. In: Proceedings of 23rd IEEE Computer Security Foundations Symposiym (CSF), pp. 290–304 (2010)
Kumar, A.: Model Driven Security Analysis of IDaaS Protocols. In: Kappel, G., Maamar, Z., Motahari-Nezhad, H.R. (eds.) ICSOC 2011. LNCS, vol. 7084, pp. 312–327. Springer, Heidelberg (2011)
The OAuth Core 1.0 Specification, http://oauth.net/core/1.0
Hammer, E., Reardon, D., Hardt, D.: The OAuth 2.0 Authorization Protocol, Network Working Group, Internet Draft (work in progress), http://tools.ietf.org/html/draft-ietf-oauth-v2-xx
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2012 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Kumar, A. (2012). A Belief Logic for Analyzing Security of Web Protocols. In: Katzenbeisser, S., Weippl, E., Camp, L.J., Volkamer, M., Reiter, M., Zhang, X. (eds) Trust and Trustworthy Computing. Trust 2012. Lecture Notes in Computer Science, vol 7344. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-30921-2_14
Download citation
DOI: https://doi.org/10.1007/978-3-642-30921-2_14
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-30920-5
Online ISBN: 978-3-642-30921-2
eBook Packages: Computer ScienceComputer Science (R0)