Information Security Protocols - Coursework Example

Information Security Protocols Introduction The use of internet has increased rapidly in the last few years. Applications that use the internet such as e-governance, online reservation, and online banking use sensitive data that necessitates them to have high levels of security. To provide proper security to such applications, there is the need to develop various security protocols. Security protocols provide protection to communication that exists within a hostile environment. It does so by using cryptographic primitives to perform security related functions. People realize that many protocols reveal flaws in computer security literature. Security protocols that have poor designs allow an intruder to delay, observe, and redirect messages. To provide enough security to protocols, there need to be a clear verification procedure by the use of a systematic approach. This paper critically evaluates and explores two protocols used to secure computer systems. A good protocol verification system should be compatible to computer systems and serve the purpose for which an individual intends it. It should allow for accessibility of information only by the use of authorization criteria. An effective verification protocol should have a “native” input language, which contains a description of a security protocol to be an infinite-state transition organization that uses set re-rewriting. The most preferable system is one that allows the user to give specifications on properties of channels that are to be useful in transmission (Arnba et al., 2014). Some protocols successfully reduce that search space which normally associates with a given protocol specification but not excluding attacks. There are several techniques of verification of protocols. As we had earlier mentioned, security protocols function by securing communications that take place in insecure networks, for example the internet, by basing on cryptographic primitives. Security protocols are important in enhancing security of information. Lack of proper information can cost individuals such as banks and governments (Paiola & Blanchet, 2013). Examples of online activities that need secure information management include mobile phones, bank transactions, e-commerce, WI-FI networks, and e-voting among others. Intruders aim at obtaining the sensitive information in order to acquire selfish gains (Guttman, 2014). For instance, after the publication of the famous Needham-Schroeder, people realized that it had flaws 17 years down the line. In as much as software professionals have made progress in promoting online security, there are still a number of flaws. Errors in information security can cause serious consequences that can lead to loss of confidence of users as well as loss of money (Supriyanto et al., 2013). It is unfortunate that it is impossible to detect security errors using functional software testing because they only appear when malicious adversary is present. Therefore, automatic tools can be useful in obtaining actual assurance that security protocols are correct. As a result, verification of security protocols is an area of study that researchers have explored since 1990s (Laurie, 2014). The internet has been on the rise necessitating the need for strong information security measures to make online activities efficient and effective. The initiative would help to improve trust and assurance in the use of internet to carry out a number of transactions. Burrows-Abdi-Needham logic BAN logic constitutes a set of rules that describe information exchange protocols. It assists users to find out the trustworthiness of information or if information is secure. The system bases on the assumption that exchange of information is susceptible to interference by intruders, public monitoring, and tampering. Computer security has proved to be a complex subject (Nguyen, & Dang, 2013). Many people have forwarded informal arguments to portray he truthfulness of authentication protocols are subject to errors. The existence of a security loophole allows an attacker to discover and exploit a computer system (Choosang, & Gordon, 2014). Describing Kerberos and Needham-Schroeder show informal arguments to the fact that protocols manage to achieve their goals. Close examination of the literature reveal that protocols base on the assumptions that one can access servers by the use of passwords. BAN logic uses three main stages to analyze protocols. First is to formulate an expression of the assumptions and goals in form of formulas or statements. The system organizes the formulas to symbolic notations. As a result, the logic can proceed from a state that one knows and find out the possibility of achieving goals. The second stage involves converting protocols to formulas of symbolic notations. The last stage involves the use of postulates, a set of rules applied in the process. The postulates function to lead from the assumptions (Yasmin, Ritter, & Wang, 2014). It enables the system to achieve the authentication goals from the assumptions through intermediate formulas. Analysis of every protocol takes place from the point of every principal. The system analyses protocols sourcing from every participating principal. It considered each message that principal receives in relation to an earlier message that the Principal received and that which the principal sends. The questions come when determining the principal that believes about the messages that it has sent and received (Lee, 2015). Assumptions in BAN are like those of authentication protocols by the fact that the process occurs between trustworthy principals. However, intruders and attackers can interfere by eavesdropping, sending malicious messages, or replaying messages (Shao-hui et al., 2014). The Belief of a principal initiates when one persuades it on the truth of a formula and entitles to the truth. One can interpret the expression of “P believes X” that the principal is P and formula is X. The beliefs that the system justifies as true are of interest in the BAN logic. While it deduces some of the beliefs in the logic using postulates, it introduces others as assumptions. Another assumption in BAN logic is that trustworthy principals do not reveal lies about their beliefs to other principals. Since the system trusts P, then if one receives a formula that P sends as part of the current run of protocols, it is possible to deduce that P believes X (Ferng, Nurhakim, & Horng, 2014). Principals usually participate in many non-overlapping runs of any protocol throughout their lifetime, probably with a variety of principals over time. It is notable that BAN logic only focuses on the notions of past and present without necessarily assuming that messages are time-stamped. BAN logic has specific rules that define its operations. First, P believes X. The scope of action of P is within the truthfulness of X and likely to assert X in many other messages. Secondly, P exercises jurisdiction over X. Therefore, it is necessary to trust in the beliefs of P about X. For P said X, implies that though P might no longer believe X in future, it believed and transmitted message X at one time. We can contemplate a series of meanings to the expressions of belief and trust between P and X (Diaz, Arroyo, & Rodriguez, 2014). When P receives message X, it has to carry out decryption to obtain X from the message. In the process, P can successfully perform repetition of X in messages to other principals. BAN logic comes along with a number of benefits. First, it has high level of correctness. It can prove that a particular does or does not achieve to meet its security goals. In case it is not able to achieve specific goals, it clearly shows what it intends to achieve. The logic authentication is very efficient. It can achieve security goals by eliminating some of the contents of messages, messages, and encryption of message contents (Meier, Cremers, & Basin, 2013). The system is applicable to many circumstances. For BAN logic, it is possible to judge whether a protocol can be useful in a practical situation. Like BAN logic, a good protocol should allow an individual to find out if the assumptions stated are necessary for achieving a number of goals. BAN logic successfully achieves to answer some questions. It finds out what a protocol achieves to establish. It investigates whether a protocol needs more assumptions than another one. Otherwise, BAN logic has a number of limitations. It does not verify but assumes that agents never publish secrets. The logic fails to verify the absence of type flaws yet it works with the assumption that agents can recognize type flaws. BAN logic bases its operations on the fact that all protocol participants work high level of honesty. However, it does not consider any compromised agents (Jurcut, Coffey, & Dojen, 2014). It forms the assumption that agents have the culture of recognizing and ignoring messages that they send. Last, BAN logic tends to assume perfect cryptography. NRL Protocol Analyzer NRL protocol analyzer constitutes a prototype verification tool that is special-purpose in nature. It entails writing in Prolog developed with the aim of performing the analysis of cryptographic protocols that are useful in authenticating services and principals (Edwards, 2014). As we had mentioned earlier, cryptographic protocols make use of encryption to meet goals that include authentication of principals and distribution of cryptographic over an insecure network (Backes, Hriţcu, & Maffei, 2014). Most protocols can function in hostile environment because of their appropriate designs. It is important to admit the difficulty in designing protocols that are free from flaw. Some principals usually cooperate with intruders to perform a malicious activity in the hostile network. Security flaws are independent of weaknesses and strengths of a specific crypto-algorithm. The foundation of the analyzer is a version of the term-rewriting model of Yao and Dolev. The model assumes that intruders can easily access message traffic, read, perform any operation, and destroy any operation. There is, however, another assumption of existence of a set of words that intruders do not already know. An intruder can send a message to a honest principal which classifies protocol as an algebraic system that an intruder can manipulate (Ray, Abawajy, & Chowdhury, 2014). The goal of the intruder is to manipulate the system and produce a “secret” word. Words that the algebraic system abides by use a set of reduction rules. For instance, decryption and encryption by the use of the same key with the help of private-key algorithm is self-canceling. NRL protocol analyzer outlines a set of transitions that exist in state machines. There are clarifications and specifications of every transitions rule basing on a number of considerations. First, there are words that intruder must input so that the rule can fire. Second, there are values that local state variables must hold so that the rule can fire (Backes, Hriţcu, & Maffei, 2014). Third, the principal has to input some words that the intruder learns after the rule fires. Last, there are new values that local state variables take after the rule fires. Transitions rules are also able to define the actions of an intruder that retrieve new messages by carrying out a series of operations that include decryption and encryption. Prologs convey variables in terms of words that begin with capital letters perform universal quantification. NRL Protocol Analyzer has both strengths and weaknesses in the protocol system. One can use it with a language that enables rapid prototyping and allows researchers to try out many approaches in the shortest time. Second, protocol analyzer uses equation unification in its operations. Due to the use of prolog that bases on unification, it made it efficient as an analysis tool that applies the technique of narrowing (Permpoontanalarp, & Sornkhom, 2014). There are a number of versions of protocol analyzers and each of them has new techniques. For instance, there exists a unique system that can be useful in incorporation of algorithm that help in verification of language (Yinglian, & Junyao, 2014). Otherwise, the analyzer can be time consuming that makes it be ineffective. Second, it does not provide a complete description of the available states. In addition, it is sometimes difficult to realize undiscovered flaws in the system that causes its inefficiency in computer security. The above comparison has proved that BAN logic is better than NRL protocol analyzer. It clearly sets out the goals that it wants to achieve. It works with the availability of comparison of different protocols depending on the assumptions. BAN logic determines the possibility of a protocol to do an unnecessary activity that could remain omitted without weakening the protocol (Tso, 2013). Lastly, the system ensures whether a protocol can encrypt something without weakening the protocol. References Arnbak, A, Asghari, H, Van Eeten, M, & Van Eijk, N 2014, Security Collapse in the HTTPS Market, Communications Of The ACM, 57, 10, pp. 47-55, Business Source Complete, EBSCOhost, viewed 1 January 2015. Backes, M, Hriţcu, C, & Maffei, M 2014, Union, intersection and refinement types and reasoning about type disjointness for secure protocol implementations, Journal Of Computer Security, 22, 2, pp. 301-353, Business Source Complete, EBSCOhost, viewed 1 January 2015. Choosang, S, & Gordon, S 2014, A Coloured Petri net methodology and library for security analysis of network protocols, Journal Of Computers, 2, p. 243, Academic OneFile, EBSCOhost, viewed 1 January 2015. Diaz, J, Arroyo, D, & Rodriguez, F 2014, A formal methodology for integral security design and verification of network protocols, The Journal Of Systems And Software, p. 87, General OneFile, EBSCOhost, viewed 1 January 2015. Edwards, C 2014, Researchers Probe Security Through Obscurity, Communications Of The ACM, 57, 8, pp. 11-13, Business Source Complete, EBSCOhost, viewed 1 January 2015. Ferng, H, Nurhakim, J, & Horng, S 2014, Key management protocol with end-to-end data security and key revocation for a multi-BS wireless sensor network, Wireless Networks, 4, p. 625, Academic OneFile, EBSCOhost, viewed 1 January 2015. Guttman, JD 2014, Establishing and preserving protocol security goals, Journal Of Computer Security, 22, 2, pp. 203-267, Business Source Complete, EBSCOhost, viewed 1 January 2015. Jurcut, A, Coffey, T, & Dojen, R 2014, Design guidelines for security protocols to prevent replay & parallel session attacks, Computers & Security, 45, pp. 255-273, Business Source Complete, EBSCOhost, viewed 1 January 2015. LAURIE, B 2014, Certificate Transparency, Communications Of The ACM, 57, 10, pp. 40-46, Business Source Complete, EBSCOhost, viewed 1 January 2015. Lee, T 2015, Enhancing the security of password authenticated key agreement protocols based on chaotic maps, Information Sciences, 290, pp. 63-71, Business Source Complete, EBSCOhost, viewed 1 January 2015. Meier, S, Cremers, C, & Basin, D 2013, Efficient construction of machine-checked symbolic protocol security proofs, Journal Of Computer Security, 21, 1, pp. 41-87, Business Source Complete, EBSCOhost, viewed 1 January 2015. Nguyen, T, & Dang, T 2013, Enhanced security in internet voting protocol using blind signature and dynamic ballots, Electronic Commerce Research, 13, 3, pp. 257-272, Business Source Complete, EBSCOhost, viewed 1 January 2015. Paiola, M, & Blanchet, B 2013, Verification of security protocols with lists: From length one to unbounded length, Journal Of Computer Security, 21, 6, pp. 781-816, Business Source Complete, EBSCOhost, viewed 1 January 2015. Permpoontanalarp, Y, & Sornkhom, P 2014, On-the-fly Trace Generation Approach to the Security Analysis of Cryptographic Protocols: Coloured Petri Nets-based Method, Fundamenta Informaticae, 130, 4, pp. 423-466, Academic Search Premier, EBSCOhost, viewed 1 January 2015. Ray, B, Abawajy, J, & Chowdhury, M 2014, Scalable RFID security framework and protocol supporting Internet of Things, Computer Networks, 67, pp. 89-103, Business Source Complete, EBSCOhost, viewed 1 January 2015. Safkhani, M, Bagheri, N, & Mahani, A 2014, On the security of RFID anti-counting security protocol (ACSP), Journal Of Computational And Applied Mathematics, p. 512, Academic OneFile, EBSCOhost, viewed 1 January 2015. Shao-hui, W, Zhijie, H, Sujuan, L, & Dan-wei, C 2014, Security analysis of two lightweight RFID authentication protocols, Annales Des Telecommunications, 5-6, p. 273, Academic OneFile, EBSCOhost, viewed 1 January 2015. Supriyanto, Hasbullah, I, Murugesan, R, & Ramadass, S 2013, Survey of Internet Protocol Version 6 Link Local Communication Security Vulnerability and Mitigation Methods, IETE Technical Review (Medknow Publications & Media Pvt. Ltd.), 30, 1, pp. 64-71, Academic Search Premier, EBSCOhost, viewed 1 January 2015. Tso, R 2013, Security analysis and improvements of a communication-efficient three-party password authenticated key exchange protocol, Journal Of Supercomputing, 66, 2, pp. 863-874, Academic Search Premier, EBSCOhost, viewed 1 January 2015. Yasmin, R, Ritter, E, & Wang, G 2014, Provable security of a pairing-free one-pass authenticated key establishment protocol for wireless sensor networks, International Journal Of Information Security, 5, p. 453, Academic OneFile, EBSCOhost, viewed 1 January 2015. Yinglian, W, & Junyao, Y 2014, Research on Applied-information Technology in Hierarchical Network Security Protocols Designing based on Public Key, Advanced Materials Research, 951, p. 169, Publisher Provided Full Text Searching File, EBSCOhost, viewed 1 January 2015. Read More