We address the fundamental question of what are, and how to define, the threat models for a security protocol and its expected human users, the latter pair forming a heterogeneous system that is typically called a security ceremony. Our contribution is the systematic definition of an encompassing method to build the full threat model chart for security ceremonies, from which one can conveniently reify the specific threat models of interest for the ceremony under consideration. For concreteness, we demonstrate the application of the method on three ceremonies that have already been considered in the literature: MP-Auth, Opera Mini and the Danish Mobilpendlerkort ceremony. We discuss how the full threat model chart suggests some interesting threats that haven’t been investigated although they are well worth of scrutiny. In particular, one of the threat models in our chart leads to a novel vulnerability of the Danish Mobilpendlerkort ceremony. We discovered the vulnerability by analysing this threat model using the formal and automated tool Tamarin, which we employed to demonstrate the relevance of our method, but it is important to highlight that our method is generic and can be used with any tool for the analysis of security protocols and ceremonies.
|Titel||Proceedings of the 16th International Joint Conference on e-Business and Telecommunications|
|Forlag||SCITEPRESS Digital Library|
|Publikationsdato||26 jul. 2019|
|Status||Udgivet - 26 jul. 2019|