Understanding the Weaknesses of Human-Protocol Interaction

Carlos, Marcelo Carlomagno; Price, Geraint

doi:10.1007/978-3-642-34638-5_2

Cited by 5 publications

(6 citation statements)

References 21 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…When implemented, the assumptions are replaced by dynamic user-interactions. When these assumptions are too strong, it becomes difficult to implement a protocol providing the expected security properties (Carlos and Price, 2012). By adding new components to the specification, such as users and different communication mediums, we can start to describe these assumptions in the ceremony, and consequently perform a more detailed analysis of them and their impact on the ceremony's security properties.…”

Section: A Proposed Methodsmentioning

confidence: 99%

“…This leaves such implementations susceptible to failure, weakening the achievability of the protocol's goals due to the weakening of the assumptions. Additionally, implementations such as those we find in web browsers force users to authenticate digital objects (Certificates) which, according to some research findings, is not feasible (Carlos and Price, 2012).…”

Section: An Example Ceremonymentioning

confidence: 95%

“…Ellison gives an overview and establishes the basic building blocks for ceremony description. Carlos and Price (Carlos and Price, 2012) further analysed the human-protocol interaction problems, proposing a taxonomy of overlooked components in this interaction and elaborating a set of design recommendations for security ceremonies. Although Ellison proposes the possibility of using formal methods for security protocol analysis, no major work is found today in the ceremony formal-analysis field.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

A Proposed Framework for Analysing Security Ceremonies

Carlos¹,

Martina²,

Price³

et al. 2012

Proceedings of the International Conference on Security and Cryptography

View full text Add to dashboard Cite

The concept of a ceremony as an extension of network and security protocols was introduced by Ellison. There are no currently available methods or tools to check correctness of the properties in such ceremonies. The potential application for security ceremonies are vast and fill gaps left by strong assumptions in security protocols. Assumptions include the provision of cryptographic keys and correct human interaction. Moreover, no tools are available to check how knowledge is distributed among human peers nor their interaction with other humans and computers in these scenarios. The key component of this position paper is the formalisation of human knowledge distribution in security ceremonies. By properly enlisting human expectations and interactions in security protocols, we can minimise the ill-described assumptions we usually see failing. Taking such issues into account when designing or verifying protocols can help us to better understand where protocols are more prone to break due to human constraints.

show abstract

Section: A Proposed Methodsmentioning

confidence: 99%

Section: An Example Ceremonymentioning

confidence: 95%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

A Proposed Framework for Analysing Security Ceremonies

Carlos¹,

Martina²,

Price³

et al. 2012

Proceedings of the International Conference on Security and Cryptography

View full text Add to dashboard Cite

show abstract

“…They extend the ceremony analysis by proposing a layered model for integrated technical and technology practice analysis. Their approach is somewhat similar to human-protocol interaction layers defined by Carlos [11]. In network security systems, Karlof et al [12] proposed a concept of conditioned-safe ceremony which is a ceremony that deliberately conditions users to automatically take actions that protect them from an attack.…”

Section: Related Workmentioning

confidence: 98%

“…The major effort yet to be accomplished in the field of ceremony design and analysis is the modelling of the memory and processing performed by human nodes [10], [11], [12], [13]. Ceremony analysis provides a more complete understanding of the security threats surrounding the use of a protocol by a human than analysing the protocol alone.…”

Section: Introductionmentioning

confidence: 99%

Model for analysing Anti-Phishing Authentication Ceremonies

Hatunic-Webster¹,

Mtenzi²,

O’Shea³

2014

The 9th International Conference for Internet Technology and Secured Transactions (ICITST-2014)

View full text Add to dashboard Cite

Phishing takes advantage of the way humans interact with computers or interpret messages; and also that many online authentication protocols place a disproportional burden on human abilities. A security ceremony is an extension of the concept of network security protocol and includes user interface and human-protocol interaction. It is one way of extending the reach of current methods for social, technical and contextual analysis of security protocols to include humans. In this paper, we propose a Human Factors in Anti-Phishing Authentication Ceremonies (APAC) Framework for investigating phishing attacks in authentication ceremonies, which builds onThe Human-in-the-Loop Security Framework of communication processing. We show how to apply the APAC framework to model human-protocol behaviour. The resulting Model for Analysing APAC correlates the framework components and examines how the authentication tasks required to be performed by humans influence their decision-making and consequently their phishing detection.

show abstract