93 research outputs found

    Security Protocol Specification and Verification with AnBx

    Designing distributed protocols is complex and requires actions at very different levels: from the design of an interaction flow supporting the desired application-specific guarantees, to the selection of the most appropriate network-level protection mechanisms. To tame this complexity, we propose AnBx, a formal protocol specification language based on the popular Alice & Bob notation. AnBx offers channels as the main abstraction for communication, providing different authenticity and/or confidentiality guarantees for message transmission. AnBx extends existing proposals in the literature with a novel notion of forwarding channels, enforcing specific security guarantees from the message originator to the final recipient along a number of intermediate forwarding agents. We give a formal semantics of AnBx in terms of a state transition system expressed in the AVISPA Intermediate Format. We devise an ideal channel model and a possible cryptographic implementation, and we show that, under mild restrictions, the two representations coincide, thus making AnBx amenable to automated verification with different tools. We demonstrate the benefits of the declarative specification style distinctive of AnBx by revisiting the design of two existing e-payment protocols, iKP and SET

    AnBx - Security Protocols Design and Verification

    Designing distributed protocols is challenging, as it requires actions at very different levels: from the choice of network-level mechanisms to protect the exchange of sensitive data, to the definition of structured interaction patterns to convey application-specific guarantees. Current security infrastructures provide very limited support for the specification of such guarantees. As a consequence, the high-level security properties of a protocol must often be hard-coded explicitly, in terms of low-level cryptographic notions and devices which clutter the design and undermine its scalability and robustness. To counter these problems, we propose an extended Alice & Bob notation for protocol narrations (AnBx) to be employed for a purely declarative modelling of distributed protocols. These abstractions provide a compact specification of the high-level security guarantees they convey, and help shield the design from the details of the underlying cryptographic infrastructure. We discuss an implementation of the abstractions based on a translation from the AnBx notation to the AnB language supported by the OFMC [1,2] verification tool. We show the practical effectiveness of our approach by revisiting the iKP e-payment protocols, and showing that the security goals achieved by our declarative specification outperform those offered by the original protocols.

    Codex Enables Secure Offline Micropayments

    This paper introduces a new micropayment scheme that is suitable for all kinds of transactions and does not require online transactions for either the payer or payee. The designed method uses an encrypted data structure called Codex, which self-replicates to represent the current values of both the payer and the payee. The model, while providing fraud detection, also guarantees payment & loss recovery.

    Model checking a server-side micro payment protocol

    Many virtual payment systems are available on the world wide web for micropayment, and as they deal with money, correctness is important. One such payment system is Netpay. This paper examines the server-side version of the Netpay protocol and provides its formalization as a CSP model. The PAT model checker is used to prove three properties essential for correctness: impossibility of double spending, validity of an ecoin during the execution and the absence of deadlock. We prove that the protocol is executing according to its description based on the assumption that the customers and vendors are cooperative. This is a very strong assumption for a system built to prevent abuse, but further analysis suggests that without it the protocol no longer guarantees all correctness properties.

    A Review on Advanced Security Solutions in Online Banking Models

    Online banking using mobile devices (mobile banking) is an effective and convenient way of providing electronic banking facility to customers from anywhere and at any time. The advent of mobile communication technology coupled with a boost in trade and commerce activity is increasingly driving the banking financial services to become ubiquitous, personalized, convenient, disseminative and secure. Realizing the advantages to be gained from mobile banking, financial institutions have begun to offer mobile banking options for their customers in addition to the internet banking they already provide. The large scale use of mobile phones in mobile banking has been closely followed by the increase in mobile fraud. Although eager to use mobile financial services, many subscribers are concerned about the security aspect when carrying out financial transactions over the mobile network. In fact, lack of security is seen as the biggest deterrent to the widespread adoption of mobile financial services. Hence, fraud prevention has become an essential ingredient in the success of online financial transactions. To enhance the security for the online financial transaction, a biometric fingerprint authentication system is proposed. In this paper, the feasibility and limitations of an advanced biometric fingerprint authentication system for mobile banking are discussed

    Design of secure mobile payment protocols for restricted connectivity scenarios

    The emergence of mobile and wireless networks made possible the extension of electronic commerce to a new area of research: mobile commerce, called m-commerce (which includes mobile payment), that refers to any e-commerce transaction made from a mobile device using wireless networks. Most of the mobile payment systems found in the literature are based on the full connectivity scenario where all the entities are directly connected one to another but do not support business models with direct communication restrictions between the entities of the system is not an impediment to perform commercial transactions. It is for this reason that mobile payment systems that consider those situations where direct communications between entities of the system is not possible (temporarily or permanently) basically due to the impossibility of one of the entities connected to the Internet are required. In order to solve the current shortage in the scientific world of previous research works that address the problem of on-line payment from mobile devices in connectivity restricted scenarios, in this thesis we propose a set of secure payment protocols (that use both symmetric and non-traditional asymmetric cryptography), which have low computational power requirements, are fit for scenarios with communications restrictions (where at least two of the entities of the system cannot exchange information in a direct way and must do it through another entity) and offer the same security capabilities as those protocols designed for full connectivity scenarios. The proposed protocols are applicable to other types of networks, such as vehicular ad hoc networks (VANETs), where services exist which require on-line payment and scenarios with communication restrictions. On the other hand, the implementation (in a multiplatform programming language) of the designed protocols shows that their performance is suitable for devices with limited computational power.

    CafeOBJ: Logical Foundations and Methodologies

    CafeOBJ is an executable industrial strength multi-logic algebraic specification language which is a modern successor of OBJ and incorporates several new algebraic specification paradigms. In this paper we survey its logical foundations and present some of its methodologies

    Internet payment system: mechanism, applications & experimentation.

    Ka-Lung Chong. Thesis (M.Phil.), Chinese University of Hong Kong, 2000. Includes bibliographical references (leaves 80-83). Abstracts in English and Chinese.

    Abstract
    Acknowledgments
    Chapter 1: Introduction & Motivation
        1.1 Introduction
        1.2 Internet Commerce
        1.3 Motivation
        1.4 Related Work
            1.4.1 Cryptographic Techniques
            1.4.2 Internet Payment Systems
        1.5 Contribution
        1.6 Outline of the Thesis
    Chapter 2: A New Payment Model
        2.1 Model Description
        2.2 Characteristics of Our Model
        2.3 Model Architecture
        2.4 Comparison
        2.5 System Implementation
            2.5.1 Acquirer Interface
            2.5.2 Issuer Interface
            2.5.3 Merchant Interface
            2.5.4 Payment Gateway Interface
            2.5.5 Payment Cancellation Interface
    Chapter 3: A E-Commerce Application - TravelNet
        3.1 System Architecture
        3.2 System Features
        3.3 System Snapshots
    Chapter 4: Simulation
        4.1 Objective
        4.2 Simulation Flow
        4.3 Assumptions
        4.4 Simulation of Payment Systems
    Chapter 5: Discussion of Security Concerns
        5.1 Threats to Internet Payment
            5.1.1 Eavesdropping
            5.1.2 Masquerading
            5.1.3 Message Tampering
            5.1.4 Replaying
        5.2 Aspects of A Secure Internet Payment System
            5.2.1 Authentication
            5.2.2 Confidentiality
            5.2.3 Integrity
            5.2.4 Non-Repudiation
        5.3 Our System Security
        5.4 TravelNet Application Security
    Chapter 6: Discussion of Performance Evaluation
        6.1 Performance Concerns
        6.2 Experiments Conducted
            6.2.1 Description
            6.2.2 Analysis on the Results
        6.3 Simulation Analysis
    Chapter 7: Conclusion & Future Work
    Chapter A: Experiment Specification
        A.1 Configuration
        A.2 Experiment Results
    Chapter B: Simulation Specification
        B.1 Parameter Listing
        B.2 Simulation Results
    Bibliography