Automated security analysis of payment protocols
Massachusetts Institute of Technology. Dept. of Civil and Environmental Engineering.
George A. Kocur.
MetadataShow full item record
Formal analyses have been used for payment protocol design and verification but, despite developments in semantics and expressiveness, previous literature has placed little emphasis on the automation aspects of the proof systems. This research develops an automated analysis framework for payment protocols called PTGPA. PTGPA combines the techniques of formal analysis as well as the decidability afforded by theory generation, a general-purpose framework for automated reasoning. A comprehensive and self-contained proof system called TGPay is first developed. TGPay introduces novel developments and refinements in the formal language and inference rules that conform to the prerequisites of theory generation. These target desired properties in payment systems such as confidentiality, integrity, authentication, freshness, acknowledgement and non-repudiation. Common security primitives such as encryption, decryption, digital signatures, message digests, message authentication codes and X.509 certificates are modeled. Using TGPay, PTGPA performs analyses of payment protocols under two scenarios in full automation. An Alpha-Scenario is one in which a candidate protocol runs in a perfect environment without attacks from any intruders. The candidate protocol is correct if and only if all pre-conditions and post-conditions are met. PTGPA models actions and knowledge sets of intruders in a second, modified protocol that represents an attack scenario. This second protocol, called a Beta-Scenario, is obtained mechanically from the original candidate protocol, by applying a set of elementary capabilities from a Dolev-Yao intruder model. This thesis includes a number of case studies to demonstrate the feasibility and benefits of the proposed framework. Automated analyses of real-world bank card payment protocols as well as newly proposed contactless mobile payment protocols are presented. Security flaws are identified in some of the protocols; their causes and implications are addressed.
Thesis (Ph. D. in the Field of Computer Engineering)--Massachusetts Institute of Technology, Dept. of Civil and Environmental Engineering, 2012.Cataloged from PDF version of thesis.Includes bibliographical references (p. 173-182).
DepartmentMassachusetts Institute of Technology. Dept. of Civil and Environmental Engineering.
Massachusetts Institute of Technology
Civil and Environmental Engineering.