Advertisement

Mapping Requirements Specifications into a Formalized Blockchain-Enabled Authentication Protocol for Secured Personal Identity Assurance

  • Benjamin LeidingEmail author
  • Alex Norta
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10646)

Abstract

The design and development of novel security and authentication protocols is a challenging task. Design flaws, security and privacy issues as well as incomplete specifications pose risks for its users. Authcoin is a blockchain-based validation and authentication protocol for secure identity assurance. Formal methods, such as Colored Petri Nets (CPNs), are suitable to design, develop and analyze such new protocols in order to detect flaws and mitigate identified security risks. In this work, the Authcoin protocol is formalized using Colored Petri Nets resulting in a verifiable CPN model. An Agent-Oriented Modeling (AOM) methodology is used to create goal models and corresponding behavior models. Next, these models are used to derive the Authcoin CPN models. The modeling strategy as well as the required protocol semantics are explained in detail. Furthermore, we conduct a state-space analysis on the resulting CPN model and derive specific model properties. The result is a complete and correct formal specification that is used to guide future implementations of Authcoin.

Keywords

Authcoin Colored Petri Net Authentication Security Trust Privacy Access control Identity Blockchain Smart contract Formal verification 

References

  1. 1.
    Abadi, M., Gordon, A.D.: A calculus for cryptographic protocols: the spi calculus. In: Proceedings of the 4th ACM Conference on Computer and Communications Security, pp. 36–47. ACM (1997)Google Scholar
  2. 2.
    Ahmed, N., Matulevičius, R.: Securing business processes using security risk-oriented patterns. Comput. Stand. Interfaces 36(4), 723–733 (2014)CrossRefGoogle Scholar
  3. 3.
    Aly, S., Mustafa, K.: Protocol Verification and Analysis Using Colored Petri Nets (2004)Google Scholar
  4. 4.
    Brook, C.: Nuclear power plant disrupted by cyber attack (2016). https://threatpost.com/nuclear-power-plant-disrupted-by-cyber-attack/121216/. Accessed 26 Apr 2017
  5. 5.
    Buterin, V.: Ethereum: A Next-Generation Smart Contract and Decentralized Application Platform (2014). https://github.com/ethereum/wiki/wiki/White-Paper. Accessed 13 Mar 2017
  6. 6.
    Cam-Winget, N., Housley, R., Wagner, D., Walker, J.: Security flaws in 802.11 data link protocols. Commun. ACM 46(5), 35–39 (2003)CrossRefGoogle Scholar
  7. 7.
    Carlsen, U.: Cryptographic protocol flaws: know your enemy. In: Computer Security Foundations Workshop VII, CSFW 7, Proceedings, pp. 192–200. IEEE (1994)Google Scholar
  8. 8.
    Cohn-Gordon, K., Cremers, C., Dowling, B., Garratt, L., Stebila, D.: A formal security analysis of the signal messaging protocol. https://eprint.iacr.org/2016/1013.pdf. Accessed 26 Apr 2017
  9. 9.
    Crazzolara, F., Winskel, G.: Events in security protocols. In: Proceedings of the 8th ACM Conference on Computer and Communications Security, pp. 96–105. ACM (2001)Google Scholar
  10. 10.
    Dai, P., Mahi, N., Earls, J., Norta, A.: Smart-contract value-transfer protocols on a distributed mobile application platform (2017). https://qtum.org/uploads/files/cf6d69348ca50dd985b60425ccf282f3.pdf. Accessed 13 Mar 2017
  11. 11.
    DeLoach, S.A.: Analysis and Design using MaSE and agentTool. Technical report, DTIC Document (2001)Google Scholar
  12. 12.
    Dresp, W.: Security analysis of the secure authentication protocol by means of coloured petri nets. In: Dittmann, J., Katzenbeisser, S., Uhl, A. (eds.) CMS 2005. LNCS, vol. 3677, pp. 230–239. Springer, Heidelberg (2005).  https://doi.org/10.1007/11552055_23 CrossRefGoogle Scholar
  13. 13.
    Edwards, K.: Cryptographic protocol specification and analysis using Coloured Petri Nets and Java. Ph.D. thesis, Queen’s University Kingston (1999)Google Scholar
  14. 14.
    Fábrega, F.J.T., Herzog, J.C., Guttman, J.D.: Strand spaces: why is a security protocol correct? In: 1998 IEEE Symposium on Security and Privacy, Proceedings, pp. 160–171. IEEE (1998)Google Scholar
  15. 15.
    Giorgini, P., Mylopoulos, J., Sebastiani, R.: Goal-oriented requirements analysis and reasoning in the tropos methodology. Eng. Appl. Artif. Intell. 18(2), 159–171 (2005)CrossRefGoogle Scholar
  16. 16.
    Hoare, C.A.R.: Communicating sequential processes. In: Hansen, P.B. (ed.) The Origin of Concurrent Programming, pp. 413–443. Springer, New York (1978).  https://doi.org/10.1007/978-1-4757-3472-0_16 CrossRefGoogle Scholar
  17. 17.
    Jensen, K.: Coloured petri nets. In: Brauer, W., Reisig, W., Rozenberg, G. (eds.) ACPN 1986. LNCS, vol. 254, pp. 248–299. Springer, Heidelberg (1987).  https://doi.org/10.1007/978-3-540-47919-2_10 CrossRefGoogle Scholar
  18. 18.
    Jensen, K., Kristensen, L.M., Wells, L.: Coloured Petri Nets and CPN Tools for modelling and validation of concurrent systems. Int. J. Softw. Tools Technol. Transfer 9(3–4), 213–254 (2007)CrossRefGoogle Scholar
  19. 19.
    Leiding, B.: Securing the Authcoin Protocol using security risk-oriented patterns. Master’s thesis, University of Göttingen, Germany, DE (2017)Google Scholar
  20. 20.
    Leiding, B., Cap, C.H., Mundt, T., Rashidibajgan, S.: Authcoin: validation and authentication in decentralized networks. In: The 10th Mediterranean Conference on Information Systems - MCIS 2016, Cyprus, CY, September 2016Google Scholar
  21. 21.
    Mahunnah, M., Norta, A., Ma, L., Taveter, K.: Heuristics for designing and evaluating socio-technical agent-oriented behaviour models with Coloured Petri Nets. In: 2014 IEEE 38th International Computer Software and Applications Conference Workshops (COMPSACW), pp. 438–443. IEEE (2014)Google Scholar
  22. 22.
    Milner, R., Parrow, J., Walker, D.: A calculus of mobile processes, I. Inform. Comput. 100(1), 1–40 (1992)CrossRefzbMATHMathSciNetGoogle Scholar
  23. 23.
    Moulin, B., Cloutier, L.: Collaborative work based on multiagent architectures: a methodological perspective. In: Soft Computing, pp. 261–296. Prentice-Hall Inc., Upper Saddle River (1994)Google Scholar
  24. 24.
    Moulin, B., Brassard, M.: A scenario-based design method and an environment for the development of multiagent systems. In: Zhang, C., Lukose, D. (eds.) DAI 1995. LNCS, vol. 1087, pp. 216–232. Springer, Heidelberg (1996).  https://doi.org/10.1007/3-540-61314-5_32 CrossRefGoogle Scholar
  25. 25.
    Nakamoto, S.: Bitcoin: a peer-to-peer electronic cash system (2008). https://bitcoin.org/bitcoin.pdf. Accessed 26 Apr 2017
  26. 26.
    Norta, A., CINCO, Collaborative and Interoperable Computing: Safeguarding trusted eBusiness transactions of lifecycles for cross-enterprise collaboration. University of Helsinki, Department of Computer Science, Helsinki, Finland, Technical report C-2012-1 (2012)Google Scholar
  27. 27.
    Padgham, L., Winikoff, M.: Prometheus: a methodology for developing intelligent agents. In: Giunchiglia, F., Odell, J., Weiß, G. (eds.) AOSE 2002. LNCS, vol. 2585, pp. 174–185. Springer, Heidelberg (2003).  https://doi.org/10.1007/3-540-36540-0_14 CrossRefGoogle Scholar
  28. 28.
    Petri, C.A.: Kommunikation mit Automaten. Ph.D. thesis, Technical University of Darmstadt (1962)Google Scholar
  29. 29.
    Sornkhom, P., Permpoontanalarp, Y.: Security analysis of Micali’s fair contract signing protocol by using Coloured Petri Nets. In: 2008 Ninth ACIS International Conference on Software Engineering, Artificial Intelligence, Networking, and Parallel/Distributed Computing (2008)Google Scholar
  30. 30.
    Sterling, L., Taveter, K.: The Art of Agent-Oriented Modeling. MIT Press, Cambridge (2009)Google Scholar
  31. 31.
    Stubblefield, A., Ioannidis, J., Rubin, A.D.: A key recovery attack on the 802.11b Wired Equivalent Privacy Protocol (WEP). ACM Trans. Inform. Syst. Secur. (TISSEC) 7(2), 319–332 (2004)CrossRefGoogle Scholar
  32. 32.
    Vanek, T., Rohlik, M.: Model of DoS resistant broadcast authentication protocol in Colored Petri Net environment. In: Proceedings of 17th International Conference Systems, Signals and Image Processing, (IWSSIP 2010), pp. 264–267 (2010)Google Scholar
  33. 33.
    Vaudenay, S.: Security flaws induced by CBC padding — applications to SSL, IPSEC, WTLS. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 534–545. Springer, Heidelberg (2002).  https://doi.org/10.1007/3-540-46035-7_35 CrossRefGoogle Scholar
  34. 34.
    Wood, G.: Ethereum: A Secure Decrentralized Generalised Transaction Ledger (2014). http://gavwood.com/paper.pdf. Accessed 13 Mar 2017
  35. 35.
    Wooldridge, M., Jennings, N.R., Kinny, D.: The Gaia methodology for agent-oriented analysis and design. Auton. Agent. Multi-Agent Syst. 3(3), 285–312 (2000)CrossRefGoogle Scholar
  36. 36.
    Xu, Y., Xie, X.: Modeling and analysis of security protocols using Colored Petri Nets. JCP 6(1), 19–27 (2011)CrossRefGoogle Scholar

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  1. 1.Institute of Computer ScienceUniversity of GöttingenGöttingenGermany
  2. 2.Department of Software SystemsTallinn University of TechnologyTallinnEstonia

Personalised recommendations