Modeling human errors in security protocols

David Basin, Sasa Radomirovic, Lara Schmid

Research output: Chapter in Book/Report/Conference proceedingConference contribution

33 Citations (Scopus)
405 Downloads (Pure)

Abstract

Many security protocols involve humans, not machines, as endpoints. The differences are critical: humans are not only computationally weaker than machines, they are naive, careless, and gullible. In this paper, we provide a model for formalizing and reasoning about these inherent human limitations and their consequences. Specifically, we formalize models of fallible humans in security protocols as multiset rewrite theories. We show how the Tamarin tool can then be used to automatically analyze security protocols involving human errors. We provide case studies of authentication protocols that show how different protocol constructions and features differ in their effectiveness with respect to different kinds of fallible humans. This provides a starting point for a fine-grained classification of security protocols from a usable-security perspective.

Original languageEnglish
Title of host publicationIEEE 29th Computer Security Foundations Symposium CSF 2016
Subtitle of host publicationProceedings
Place of PublicationPiscataway
PublisherInstitute of Electrical and Electronics Engineers
Pages325-340
Number of pages16
ISBN (Electronic)9781509026074
DOIs
Publication statusPublished - 2016
Event29th IEEE Computer Security Foundations Symposium - Fundação Calouste Gulbenkian (FCG), Lisbon, Portugal
Duration: 27 Jun 20161 Jul 2016
http://csf2016.tecnico.ulisboa.pt/ (Link to Conference website)

Publication series

NameProceedings of the IEEE
PublisherIEEE
ISSN (Electronic)2374-8303

Conference

Conference29th IEEE Computer Security Foundations Symposium
Abbreviated titleCSF 2016
Country/TerritoryPortugal
CityLisbon
Period27/06/161/07/16
Internet address

Keywords

  • Formal methods
  • Human errors
  • Security protocols
  • Usable security

ASJC Scopus subject areas

  • General Engineering

Fingerprint

Dive into the research topics of 'Modeling human errors in security protocols'. Together they form a unique fingerprint.

Cite this