What Are the Threats? (Charting the Threat Models of Security Ceremonies)

Diego Sempreboni, Giampaolo Bella, Rosario Giustolisi, Luca Vigano

Research output: Conference Article in Proceeding or Book/Report chapterArticle in proceedingsResearchpeer-review


We address the fundamental question of what are, and how to define, the threat models for a security protocol and its expected human users, the latter pair forming a heterogeneous system that is typically called a security ceremony. Our contribution is the systematic definition of an encompassing method to build the full threat model chart for security ceremonies, from which one can conveniently reify the specific threat models of interest for the ceremony under consideration. For concreteness, we demonstrate the application of the method on three ceremonies that have already been considered in the literature: MP-Auth, Opera Mini and the Danish Mobilpendlerkort ceremony. We discuss how the full threat model chart suggests some interesting threats that haven’t been investigated although they are well worth of scrutiny. In particular, one of the threat models in our chart leads to a novel vulnerability of the Danish Mobilpendlerkort ceremony. We discovered the vulnerability by analysing this threat model using the formal and automated tool Tamarin, which we employed to demonstrate the relevance of our method, but it is important to highlight that our method is generic and can be used with any tool for the analysis of security protocols and ceremonies.
Original languageEnglish
Title of host publicationProceedings of the 16th International Joint Conference on e-Business and Telecommunications
Number of pages12
PublisherSCITEPRESS Digital Library
Publication date26 Jul 2019
ISBN (Electronic)978-989-758-378-0
Publication statusPublished - 26 Jul 2019


  • Security ceremonies
  • Threat models
  • Human factors
  • Formal analysis
  • Vulnerability discovery


Dive into the research topics of 'What Are the Threats? (Charting the Threat Models of Security Ceremonies)'. Together they form a unique fingerprint.

Cite this