Abstract
There is a long history of authentication protocols designed for ease of human use, which rely on users copying a short string of digits. Historical examples include telex test keys and early nuclear firing codes; familiar modern examples include prepayment meter codes and the 3-digit card verification values used in online shopping. In this paper, we show how security protocols that are designed for human readability and interaction can fail to provide adequate protection against simple attacks. To illustrate the problem, we discuss an offline payment protocol and explain various problems. We work through multiple iterations, or ‘evolutions’, of the protocol in order to get better tradeoffs between security and usability. We discuss the limitation of verifying such protocols using BAN logic. Our aim is to develop usable human-friendly protocols that can be used in constrained offline environments. We conclude that protocol designers need to be good curators of security state, and also pay attention to the interaction between online and offline functions. In fact, we suggest that delay-tolerant networking might be a future direction of evolution for protocol research.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
Notes
- 1.
- 2.
The notation here follows the original Needham–Schroeder protocol [8].
References
Anderson, R.J.: UEPS – a second generation electronic wallet. In: Deswarte, Y., Eizenberg, G., Quisquater, J.-J. (eds.) ESORICS 1992. LNCS, vol. 648, pp. 411–418. Springer, Heidelberg (1992). doi:10.1007/BFb0013910
Anderson, R.J., Bezuidenhout, S.J.: Cryptographic credit control in pre-payment metering systems. In: Security and Privacy, p. 15. IEEE (1995)
Baddeley, A., Longman, D.: The influence of length and frequency of training session on the rate of learning to type. Ergonomics 21(8), 627–635 (1978)
Black, J., Rogaway, P.: Ciphers with arbitrary finite domains. In: Preneel, B. (ed.) CT-RSA 2002. LNCS, vol. 2271, pp. 114–130. Springer, Heidelberg (2002). doi:10.1007/3-540-45760-7_9
Blanchet, B.: CryptoVerif: computationally sound mechanized prover for cryptographic protocols. In: Dagstuhl seminar Formal Protocol Verification Applied, p. 117 (2007)
Bond, M., Choudary, O., Murdoch, S.J., Skorobogatov, S., Anderson, R.: Chip and skim: cloning EMV cards with the pre-play attack. In: IEEE Symposium on Security and Privacy (SP), pp. 49–64. IEEE (2014)
Burrows, M., Abadi, M., Needham, R.M.: A logic of authentication. Proc. Roy. Soc. Lond. A Math. Phys. Eng. Sci. 426, 233–271 (1989). The Royal Society
Needham, R.M., Schroeder, M.D.: Using encryption for authentication in large networks of computers. Commun. ACM 21(12), 993–999 (1978)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2017 Springer International Publishing AG
About this paper
Cite this paper
Baqer, K., Bezuidenhoudt, J., Anderson, R., Kuhn, M. (2017). SMAPs: Short Message Authentication Protocols. In: Anderson, J., Matyáš, V., Christianson, B., Stajano, F. (eds) Security Protocols XXIV. Security Protocols 2016. Lecture Notes in Computer Science(), vol 10368. Springer, Cham. https://doi.org/10.1007/978-3-319-62033-6_15
Download citation
DOI: https://doi.org/10.1007/978-3-319-62033-6_15
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-62032-9
Online ISBN: 978-3-319-62033-6
eBook Packages: Computer ScienceComputer Science (R0)