Abstract
We investigate known security flaws in the context of security ceremonies to gain an understanding of the ceremony analysis process. The term security ceremony describes a system of protocols and humans which interact for a specific purpose. Security ceremonies and ceremony analysis form an area of research in its infancy, and we explore the basic principles to better understand the issues involved. We analyse three ceremonies, HTTPS, EMV and Opera Mini, and use the information gained from the experience to establish a list of typical flaws in ceremonies. Finally, we use that list to analyse a protocol proven secure for human use. This leads to a realisation of the strengths and weaknesses of ceremony analysis.
Copyright information
© 2011 IFIP International Federation for Information Processing
About this paper
Cite this paper
Radke, K., Boyd, C., Gonzalez Nieto, J., Brereton, M. (2011). Ceremony Analysis: Strengths and Weaknesses. In: Camenisch, J., Fischer-Hübner, S., Murayama, Y., Portmann, A., Rieder, C. (eds) Future Challenges in Security and Privacy for Academia and Industry. SEC 2011. IFIP Advances in Information and Communication Technology, vol 354. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-21424-0_9
DOI: https://doi.org/10.1007/978-3-642-21424-0_9
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-21423-3
Online ISBN: 978-3-642-21424-0
eBook Packages: Computer Science (R0)