A formal security analysis of an OSA/Parlay authentication interface

Authors:
Ricardo Corin;Gaetano Di Caprio;Sandro Etalle;Stefania Gnesi;Gabriele Lenzini;Corrado Moiso
Affiliations:
Department of Computer Science, University of Twente, Enschede, The Netherlands;Telecom Italia Lab, Torino, Italy;Department of Computer Science, University of Twente, Enschede, The Netherlands;Istituto di Scienza e Tecnologie dell'Informazione, ISTI-CNR, Area della Ricerca di Pisa, Pisa, Italy;Department of Computer Science, University of Twente, Enschede, The Netherlands;Telecom Italia Lab, Torino, Italy
Venue:
FMOODS'05 Proceedings of the 7th IFIP WG 6.1 international conference on Formal Methods for Open Object-Based Distributed Systems
Year:
2005

Citing 8
Cited 0

Prudent Engineering Practice for Cryptographic Protocols

IEEE Transactions on Software Engineering
Verifying Authentication Protocols in CSP

IEEE Transactions on Software Engineering
Verifying security protocols with Brutus

ACM Transactions on Software Engineering and Methodology (TOSEM)
Constraint solving for bounded-process cryptographic protocol analysis

CCS '01 Proceedings of the 8th ACM conference on Computer and Communications Security
Reasoning about Cryptographic Protocols in the Spi Calculus

CONCUR '97 Proceedings of the 8th International Conference on Concurrency Theory
Formal Verification of Cryptographic Protocols: A Survey

ASIACRYPT '94 Proceedings of the 4th International Conference on the Theory and Applications of Cryptology: Advances in Cryptology
An Improved Constraint-Based System for the Verification of Security Protocols

SAS '02 Proceedings of the 9th International Symposium on Static Analysis
Modelling and verifying key-exchange protocols using CSP and FDR

CSFW '95 Proceedings of the 8th IEEE workshop on Computer Security Foundations

Quantified Score

Hi-index	0.00

Visualization

Abstract

We report on an experience in analyzing the security of the Trust and Security Management (TSM) protocol, an authentication procedure within the OSA/Parlay Application Program Interfaces (APIs) of the Open Service Access and Parlay Group. The experience has been conducted jointly by research institutes experienced in security and industry experts in telecommunication networking. OSA/Parlay APIs are designed to enable the creation of telecommunication applications outside the traditional network space and business model. Network operators consider the OSA/Parlay a promising architecture to stimulate the development of web service applications by third party providers, which may not necessarily be experts in telecommunication and security. The TSM protocol is executed by the gateways to OSA/Parlay networks; its role is to authenticate client applications trying to access the interfaces of some object representing an offered network capability. For this reason, potential security flaws in the TSM authentication strategy can cause the unauthorized use of the network, with evident damages to the operator and the quality of services. We report a rigorous formal analysis of the TSM specification, which is originally given in UML. Furthermore, we illustrate our design choices to obtain the formal model, describe the tool-aided verification and finally expose the security flaws discovered.