skip to main content
10.1145/1368310.1368325acmconferencesArticle/Chapter ViewAbstractPublication Pagesasia-ccsConference Proceedingsconference-collections
research-article

An integrated framework for security protocol analysis

Published: 18 March 2008 Publication History

Abstract

Assurance of security protocols needs particular attention. Flaws in a protocol can devastate security of the applications that rely on it. Analysis of the protocols is difficult and it is recommended that formal methods are employed to provide for higher levels of assurance. However, the formal methods can cover only a part of the scope of the problem. It is important that the formal models are valid representations of the protocol and that the application context is adequately represented. In the paper we present an analytical framework that integrates the object-oriented and formal modeling approaches. Object models are used to capture the relevant aspects of the protocol and its security context and to communicate with the protocol designers. Formal models are applied to verify the protocol security properties. Applicability of the framework was demonstrated by several industrial case studies.

References

[1]
C. Fidge, "A Survey of Verification Techniques for Security Protocols Technical Report 01--22", Software Verification Research Centre, School of Information Technology, The University of Queensland, 2001.
[2]
R. Anderson, "Security Engineering", Wiley, ISBN: 0-471-38922-6, 2001.
[3]
C. A. Meadows, "Formal Verification of Cryptographic Protocols: A Survey", ASIACRYPT: Advances in Cryptology, 1995.
[4]
M. Burrows, M. Abadi, R. Needham, "A logic of authentication. Technical Report TR 39", Digital Equipment Corporation, February 1989.
[5]
L. Paulson, "The inductive approach to verifying cryptographic protocols", University of Cambridge Computer Laboratory, December 1998.
[6]
A. Armando, D. Basin, Y. Boichut, Y. Chevalier, L. Compagna, J. Cuellar, P. Hankes Drielsma, P. C. Heám, O. Kouchnarenko, J. Mantovani, S. Mödersheim, D. von Oheimb, M. Rusinowitch, J. Santiago, M. Turuani, L. Viganò, L. Vigneron, "The Avispa Tool for the automated validation of internet security protocols and applications", Computer Aided Verification, LNCS 3576, 2005.
[7]
F. J. Thayer, J. C. Herzog, J. D. Guttman, "Strand spaces: Why is a security protocol correct?", Proceedings of 1998 IEEE Symposium on Security and Privacy, 1998.
[8]
A. W. Roscoe, "The Theory and Practice of Concurrency", Prentice-Hall, International Series in Computer Science, ISBN 0-13-674409-5, 1998.
[9]
B. Broy, F. Dederichs, M. Fuchs, T. F. Gritzner, R. Weber, "The Design of Distributed Systems -- An Introduction to FOCUS", SFB-Report 342/2-2/92 A, Technical University of Munich, 1993.
[10]
M. Abadi, A. D. Gordon, "A calculus for cryptographic protocols: The Spi Calculus", In Proceedings of the 4th ACM Conference on Computer and Communications Security, ACM Press, 1997.
[11]
L. Vigneron, "Specification Languages for Internet Security Protocols", Workshop on Automated Validation of Internet Security Protocols and Applications, 2004.
[12]
J. M. Bruel, "Integrating Formal and Informal Specification Techniques. Why? How?", Second IEEE Workshop on Industrial Strength Formal Specification Techniques, 1998.
[13]
J. M. Bruel, R. B. France, "Transforming UML models to Formal Specifications", International Conference on the Unified Modelling Language (UML): Beyond the Notation, 1998.
[14]
E. Boiten, M. Bujorianu, "Exploring UML Refinement through Unification", Critical Systems Development with UML - Proceedings of the UML'03 workshop, number TUM-I0323, pages 47--62, Technische Universitat Munchen, September 2003.
[15]
J. Jurjens, "Secure Systems Development with UML", Springer, ISBN: 3-540-00701-6, 2004.
[16]
CASENET, European Union 5th Framework Program project, IST-2001-32446
[17]
J. Rumbaugh, I. Jacobson, G. Booch, "TheUnified Modelling Language Reference Manual (2nd Edition)", Addison-Wesley, 2005.
[18]
S. Johnston, "Rational UML Profile for business modeling", IBM Corp. whitepaper, 2004.
[19]
B. Selic, "Unified Modeling Language version 2.0", IBM Corp. whitepaper, 2005.
[20]
W. Chocianowicz, J. Pejas, A. Rucinski, "The Proposal of Protocol for Electronic Signature Creation in Public Environment", in Enhanced Methods in Computer Security, Biometric and Artificial Intelligence Systems, Kluwer Academic Publishers, ISBN 1-4020-7776-9, 2005.
[21]
W. Chocianowicz, W. Mackow, A. Skrobek, P. Sukiennik, J. Pejas, Project No. 6 T11 2003 C/0 6280 -- Technical Report 7: "Design and implementation of an universal module for reliable presentation of a document to be signed or verified", Szczecin University of Technology, 2004.
[22]
M. Olszewski, "A Model-based Aproach to Analysis of Security Protocols -- A Case Study", Proceedings of the Technologies for Homeland Security and Safety Conference, Poland, 2005.
[23]
J. Jurjens, G. Wimmel, "Formally Testing Fail-Safety of Electronic Purse Protocols", 2001.
[24]
J. Grunbauer, H. Hollmann, J. Jurjens, G. Wimmel, "Modelling and Verification of Layered Security Protocols: A Bank Application", Computer Safety, Reliability, and Security, 22nd International Conference SAFECOMP, 2003.
[25]
S. Bradner, A. Mankin, J. Schiller, "A Framework for Purpose-Built Keys (PBK)", IETF Internet-Draft: draft-bradner-pbk-frame-06.txt, 2003.
[26]
The AVISPA Library of protocols, http://www.avispa-project.org/, AVISPA project: IST-2001-39252

Cited By

View all

Recommendations

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences
ASIACCS '08: Proceedings of the 2008 ACM symposium on Information, computer and communications security
March 2008
399 pages
ISBN:9781595939791
DOI:10.1145/1368310
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 18 March 2008

Permissions

Request permissions for this article.

Check for updates

Author Tags

  1. analytical framework
  2. object orientation

Qualifiers

  • Research-article

Conference

Asia CCS '08
Sponsor:

Acceptance Rates

Overall Acceptance Rate 418 of 2,322 submissions, 18%

Contributors

Other Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

  • Downloads (Last 12 months)4
  • Downloads (Last 6 weeks)0
Reflects downloads up to 17 Jan 2025

Other Metrics

Citations

Cited By

View all
  • (2019)Simulation of Security Protocols based on Scenarios of AttacksFundamenta Informaticae10.5555/2364580.236459493:1-3(185-203)Online publication date: 4-Jan-2019
  • (2019)Simulation of Security Protocols based on Scenarios of AttacksFundamenta Informaticae10.5555/1576070.157608493:1-3(185-203)Online publication date: 4-Jan-2019
  • (2019)Dealing with inconsistent secure messages by weighting majorityKnowledge-Based Systems10.1016/j.knosys.2010.12.00724:6(731-739)Online publication date: 1-Jan-2019
  • (2014)An Extended UML Method for the Verification of Security ProtocolsProceedings of the 2014 19th International Conference on Engineering of Complex Computer Systems10.1109/ICECCS.2014.12(19-28)Online publication date: 4-Aug-2014
  • (2010)A framework for probabilistic model checking of security protocols using coloured stochastic activity networks and PDETool2010 5th International Symposium on Telecommunications10.1109/ISTEL.2010.5734026(210-215)Online publication date: Dec-2010
  • (2009)Modeling and analysis of agent-based specifications of security protocols using CSANs and PDEToolProceedings of the 6th international conference on Innovations in information technology10.5555/1802274.1802305(151-155)Online publication date: 15-Dec-2009
  • (2009)Modeling and analysis of agent-based specifications of security protocols using CSANs and PDETool2009 International Conference on Innovations in Information Technology (IIT)10.1109/IIT.2009.5413371(11-15)Online publication date: Dec-2009

View Options

Login options

View options

PDF

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Media

Figures

Other

Tables

Share

Share

Share this Publication link

Share on social media