Automatic verification of security in payment protocols for electronic commerce

Authors:
Maurizio Panti;Luca Spalazzi;Simone Tacconi;Salvatore Valenti
Affiliations:
Istituto di Informatica, University of Ancona, Via Brecce Bianche, Ancona, Italy;Istituto di Informatica, University of Ancona, Via Brecce Bianche, Ancona, Italy;Istituto di Informatica, University of Ancona, Via Brecce Bianche, Ancona, Italy;Istituto di Informatica, University of Ancona, Via Brecce Bianche, Ancona, Italy
Venue:
Enterprise information systems IV
Year:
2003

Citing 8
Cited 3

A Sound Logic for Analysing Electronic Commerce Protocols

ESORICS '98 Proceedings of the 5th European Symposium on Research in Computer Security
Formal Verification of Cardholder Registration in SET

ESORICS '00 Proceedings of the 6th European Symposium on Research in Computer Security
Model Cheking

Proceedings of the 17th Conference on Foundations of Software Technology and Theoretical Computer Science
A Formal Specification of Requirements for Payment Transactions in the SET Protocol

FC '98 Proceedings of the Second International Conference on Financial Cryptography
Non-repudiation in SET: Open Issues

FC '00 Proceedings of the 4th International Conference on Financial Cryptography
Towards the Formal Verification of Electronic Commerce Protocols

CSFW '97 Proceedings of the 10th IEEE workshop on Computer Security Foundations
Model Checking the Secure Electronic Transaction (SET) Protocol

MASCOTS '99 Proceedings of the 7th International Symposium on Modeling, Analysis and Simulation of Computer and Telecommunication Systems
A Semantic Model for Authentication Protocols

SP '93 Proceedings of the 1993 IEEE Symposium on Security and Privacy

A flaw in the electronic commerce protocol SET

Information Processing Letters
A flaw in the electronic commerce protocol SET

Information Processing Letters
Common program analysis of two-party security protocols using SMV

APWeb'06 Proceedings of the 2006 international conference on Advanced Web and Network Technologies, and Applications

Quantified Score

Hi-index	0.00

Visualization

Abstract

In order to make secure transactions over computer networks, various cryptographic protocols have been proposed but, because of subtleties involved in their design, many of them have been shown to have flaws, even a long time after their publication. For this reason, several automatic verification methods for analyzing these protocols have been devised. The aim of this paper is to present a methodology for verifying security requirements of electronic payment protocols by means of NuSMV, a symbolic model checker. Our work principally focus on formal representation of security requirements. Indeed, we propose an extension of the correspondence property, so far used only for authentication, to other requirements as confidentiality and integrity. These are the basic security requirements of payment protocols for electronic commerce. We illustrate as case study a variant of the SET protocol proposed by Lu & Smolka. This variant has been formally verified by Ly & Smolka and considered secure. Conversely, we have discovered two attacks that allow a dishonest user to purchase a good debiting the amount to another user.