Many useful transactions on the web are implemented as a sequence of interactions that a user performs with multiple collaborating providers. The safety of such transactions requires the user to trust not only the individual providers and communication channels, but also the web protocols that manage the security of these transactions. A protocol can be trusted for a particular usage if the guarantees that it provides to its participants are considered acceptable in that context. An important set of approaches to cryptographic protocol analysis is based on the so-called BAN logic, which is used to reason about the beliefs established at protocol participants. In this paper, we attempt to provide a similar approach for web protocols. The new logic extends BAN and supports key concepts that simplify the security analysis of web protocols. It also takes into account the additional challenges introduced by browser-based interaction. Through examples of two leading cross-domain identity and access management protocols, we demonstrate the efficacy of our analysis in establishing precisely what a protocol achieves, in deciding whether it can be trusted for a particular need, and in proposing fixes that improve trust levels.