Skip to main content

Advertisement

Springer Nature Link
Log in

Analysis of e-commerce protocols: Adapting a traditional technique

  • Regular contribution
  • Published:
International Journal of Information Security Aims and scope Submit manuscript

Abstract

We present the adaptation of our model for the validation of key distribution and authentication protocols to address some of the specific needs of protocols for electronic commerce. The two models defer in both the threat scenario and in the protocol formalization. We demonstrate the suitability of our adaptation by analyzing a specific version of the Internet Billing Server protocol introduced by Carnegie Mellon University. Our analysis shows that, while the security properties a key distribution or authentication protocol shall provide are well understood, it is often not clear which properties an electronic commerce protocol can or shall provide. We use the automatic theorem proving software “Otter” developed at Argonne National Laboratories for state space exploration.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Subscribe and save

Springer+ Basic
$34.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Similar content being viewed by others

References

  1. Bella G, Paulson LC (1998) Kerberos version iv: Inductive analysis of the secrecy goals. In: 5th European Symposium on Research in Computer Security, Lecture Notes in Computer Science. Springer-Verlag, pp 361–375

  2. Bellare M, Canetti R, Krawczyk H (1998) A Modular Approach to the Design and Analysis of Authentication and Key Exchange Protocols. In: Annual Symposium on the Theory of Computing. ACM

  3. Bellare M, Rogaway P (1995) Provably secure session key distribution – the three party case. In: Annual Symposium on the Theory of Computing. ACM, pp 57–66

  4. Berger R, Kannan S, Peralta R (1985) A framework for the study of cryptographic protocols. In: Advances in Cryptology – CRYPTO ’85, Lecture Notes in Computer Science. Springer-Verlag, pp 87–103

  5. Boyd C (1990) Hidden assumptions in cryptographic protocols. In: IEEE Proceedings 137:433–436

  6. Brackin S (1999) Automatically detecting authentication limitations in commercial security protocols. In: Proc. of the 22nd National Conference on Information Systems Security

  7. Burrows M, Abadi M, Needham R (1989) A Logic of Authentication. Report 39, Digital Systems Research Center, Palo Alto, California

  8. Clark J, Jacob J (1995) On the Security of Recent Protocols. Information Processing Letters 56:151–155

    Article  Google Scholar 

  9. Denning D, Sacco G (1982) Timestamps in key distribution protocols. Communications of the ACM 24:533–536

    Article  Google Scholar 

  10. DIN NI-17 (2000) Chipkarten mit Digitaler Signatur – Anwendung/Funktion nach SigG und SigV – Teil 1: Anwendungsschnittstelle

  11. DIN NI-17.4 (1998) Spezifikation der Schnittstelle zu Chipkarten mit Digitaler Signatur – Anwendung/Funktion nach SigG und SigV, Version 1.0 (Draft)

  12. Dolev D, Yao A (1983) On the security of public-key protocols. IEEE Transactions on Information Theory 29:198–208

    Article  MathSciNet  Google Scholar 

  13. Gürgens S, Lopez J (2001) Suitability of a classical analysis method for e-commerce protocols. In: Yair Frankel George I. Davida (ed) Information Security, 4th International Conference, ISC 2001, LNCS, vol 2200. Springer Verlag, pp 46–62

  14. Gürgens S, Lopez J, Peralta R (1999) Efficient Detection of Failure Modes in Electronic Commerce Protocols. In: DEXA ’99 10th International Workshop on Database and Expert Systems Applications. IEEE Computer Society, pp 850–857

  15. Gürgens S, Peralta R (1998) Efficient Automated Testing of Cryptographic Protocols. report 45, GMD German National Research Center for Information Technology, Darmstadt, Germany

  16. Gürgens S, Peralta R (2000) Validation of Cryptographic Protocols by Efficient Automated Testing. In: FLAIRS2000. AAAI Press, pp 7–12

  17. Heintze N, Tygar JD (1994) A Model for Secure Protocols and their Compositions. In: 1994 IEEE Computer Society Symposium on Research in Security and Privacy. IEEE Computer Society Press, pp 2–13

  18. ISO/IEC (1997) ISO/IEC CD 7816-8.2: “Identification cards – Integrated circuit(s) cards with contacts – Part 8: Security related interindustry commands”

  19. Kailar R (1996) Accountability in Electronic Commerce Protocols. IEEE Transactions on Software Engineering 22(5):313–328

    Article  Google Scholar 

  20. Kohl J, Neuman C (1993) The Kerberos Network Authentication Service (V5). Network Working Group, Request for Comments 1510

  21. Lowe G (1996) Breaking and fixing the Needham-Schroeder public-key protocol using CSP and FDR. In: Second International Workshop, TACAS ’96, LNCS, vol 1055. SV, pp 147–166

  22. Marrero W, Clarke EM, Jha S (1997) A Model Checker for Authentication Protocols. In: DIMACS Workshop on Cryptographic Protocol Design and Verification, http://dimacs.rutgers.edu/Workshops/Security/

  23. Meadows C (1991) A system for the specification and verification of key management protocols. In: IEEE Symposium on Security and Privacy. IEEE Computer Society Press, New York, pp 182–195

  24. Meadows C (1995) Formal Verification of Cryptographic Protocols: A Survey. In: Advances in Cryptology – Asiacrypt ’94, LNCS, vol 917. SV, pp 133–150

  25. Meadows C (1996) Analyzing the Needham-Schroeder Public Key Protocol: A Comparison of Two Approaches. In: Proceedings of ESORICS, Naval Research Laboratory. Springer

  26. Meadows C, Syverson P (1998) A formal specification of requirements for payment transactions in the SET protocol. In: Proceedings of Financial Cryptography

  27. Needham R, Schroeder M (1978) Using encryption for authentication in large networks of computers. Communications of the ACM, pp 993–999

  28. Ostrovsky R, Yung M (1991) How to withstand mobile virus attacks. In: Proceedings of PODC, pp 51–59

  29. O’Toole K (1994) The Internet Billing Server – Transaction Protocol Alternatives. Technical Report INI TR 1994-1, Carnegie Mellon University, Information Networking Institute

  30. Pancho S (1999) Paradigm shifts in protocol analysis. In: New Security Paradigms Workshop

  31. Paulson LC (1998) The inductive approach to verifying cryptographic protocols. Journal of Computer Security 6:85–128

    Article  Google Scholar 

  32. Paulson LC (1999) Inductive Analysis of the Internet Protocol TLS. ACM Trans. on Information and System Security 2(3):332–351

    Article  Google Scholar 

  33. Rivest RL, Shamir A, Adleman LA (1978) A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM 21(2):120–126

    Article  MathSciNet  Google Scholar 

  34. Rudolph C (2001) A Model for Secure Protocols and its Application to Systematic Design of Cryptographic Protocols. PhD thesis, Queensland University of Technology

  35. Schneider S (1997) Verifying authentication protocols with CSP. In: IEEE Computer Security Foundations Workshop. IEEE

  36. Schneider S (1998) Formal Analysis of a non-repudiation Protocol. In: IEEE Computer Security Foundations Workshop. IEEE

  37. Shoup V, Rubin A (1996) Session key distribution using smart card. In: Advances in Cryptology – EUROCRYPT ’96, LNCS, vol 1070. SV, pp 321–331

  38. Simmons GJ (1994) Proof of Soundness (Integrity) of Cryptographic Protocols. Journal of Cryptology 7(2):69–77

    Article  Google Scholar 

  39. Syverson P (1997) A Different Look at Secure Distributed Computation. In: 10th Computer Security Foundations Workshop. IEEE, pp 109–115

  40. Syverson P, Meadows C, Cervesato I (2000) Dolev-Yao is no better than Machiavelli. In: Proceedings of WITS 2000, Workshop on Issues in the Theory of Security, pp 87–92

  41. Tatebayashi M, Matsuzaki N, Newman D (1991) Key Distribution Protocol for Digital Mobile Communication Systems. In: Brassard G (ed) Advances in Cryptology – CRYPTO ’89, LNCS, vol 435. SV, pp 324–333

  42. Wos L, Overbeek R, Lusk E, Boyle J (1992) Automated Reasoning – Introduction and Applications. McGraw-Hill, Inc.

Download references

Author information

Authors and Affiliations

  1. Fraunhofer-Institute for Secure Telecooperation SIT, Darmstadt, Germany

    Sigrid Gürgens

  2. Computer Science Department, University of Malaga, Spain

    Javier Lopez

  3. Department of Computer Science, Yale University, USA

    René Peralta

Authors
  1. Sigrid Gürgens
    View author publications

    You can also search for this author inPubMed Google Scholar

  2. Javier Lopez
    View author publications

    You can also search for this author inPubMed Google Scholar

  3. René Peralta
    View author publications

    You can also search for this author inPubMed Google Scholar

Corresponding authors

Correspondence to Sigrid Gürgens, Javier Lopez or René Peralta.

Rights and permissions

Reprints and permissions

About this article

Cite this article

Gürgens, S., Lopez, J. & Peralta, R. Analysis of e-commerce protocols: Adapting a traditional technique. IJIS 2, 21–36 (2003). https://doi.org/10.1007/s10207-003-0021-9

Download citation

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s10207-003-0021-9

Keywords