A formal security analysis of an OSA/Parlay authentication interface

R.J. Corin; G. Di Caprio; S. Etalle; S. Gnesi; G. Lenzini; C. Moiso

doi:10.1007/11494881_9

A formal security analysis of an OSA/Parlay authentication interface

R.J. Corin, G. Di Caprio, S. Etalle, S. Gnesi, G. Lenzini, C. Moiso

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

2 Citations (Scopus)

4 Downloads (Pure)

Abstract

We report on an experience in analyzing the security of the Trust and Security Management (TSM) protocol, an authentication procedure within the OSA/Parlay Application Program Interfaces (APIs) of the Open Service Access and Parlay Group. The experience has been conducted jointly by research institutes experienced in security and industry experts in telecommunication networking. OSA/Parlay APIs are designed to enable the creation of telecommunication applications outside the traditional network space and business model. Network operators consider the OSA/Parlay a promising architecture to stimulate the development of web service applications by third party providers, which may not necessarily be experts in telecommunication and security. The TSM protocol is executed by the gateways to OSA/Parlay networks; its role is to authenticate client applications trying to access the interfaces of some object representing an offered network capability. For this reason, potential security flaws in the TSM authentication strategy can cause the unauthorized use of the network, with evident damages to the operator and the quality of services. We report a rigorous formal analysis of the TSM specification, which is originally given in UML. Furthermore, we illustrate our design choices to obtain the formal model, describe the tool-aided verification and finally expose the security flaws discovered.

Original language	English
Title of host publication	Formal Methods for Open Object-Based Distributed Systems (Proceedings 7th IFIP WG 6.1 International Conference, FMOODS 2005, Athens, Greece, June 15-17, 2005)
Editors	M. Steffen, G. Zavattaro
Publisher	Springer
Pages	131-146
ISBN (Print)	3-540-26181-8
DOIs	https://doi.org/10.1007/11494881_9
Publication status	Published - 2005

Publication series

Name	Lecture Notes in Computer Science
Volume	3535
ISSN (Print)	0302-9743

Access to Document

10.1007/11494881_9

Cite this

Corin, R. J., Di Caprio, G., Etalle, S., Gnesi, S., Lenzini, G., & Moiso, C. (2005). A formal security analysis of an OSA/Parlay authentication interface. In M. Steffen, & G. Zavattaro (Eds.), Formal Methods for Open Object-Based Distributed Systems (Proceedings 7th IFIP WG 6.1 International Conference, FMOODS 2005, Athens, Greece, June 15-17, 2005) (pp. 131-146). (Lecture Notes in Computer Science; Vol. 3535). Springer. https://doi.org/10.1007/11494881_9

Corin, R.J. ; Di Caprio, G. ; Etalle, S. et al. / A formal security analysis of an OSA/Parlay authentication interface. Formal Methods for Open Object-Based Distributed Systems (Proceedings 7th IFIP WG 6.1 International Conference, FMOODS 2005, Athens, Greece, June 15-17, 2005). editor / M. Steffen ; G. Zavattaro. Springer, 2005. pp. 131-146 (Lecture Notes in Computer Science).

@inproceedings{fddaa26250ca426cbde05bf58c272766,

title = "A formal security analysis of an OSA/Parlay authentication interface",

abstract = "We report on an experience in analyzing the security of the Trust and Security Management (TSM) protocol, an authentication procedure within the OSA/Parlay Application Program Interfaces (APIs) of the Open Service Access and Parlay Group. The experience has been conducted jointly by research institutes experienced in security and industry experts in telecommunication networking. OSA/Parlay APIs are designed to enable the creation of telecommunication applications outside the traditional network space and business model. Network operators consider the OSA/Parlay a promising architecture to stimulate the development of web service applications by third party providers, which may not necessarily be experts in telecommunication and security. The TSM protocol is executed by the gateways to OSA/Parlay networks; its role is to authenticate client applications trying to access the interfaces of some object representing an offered network capability. For this reason, potential security flaws in the TSM authentication strategy can cause the unauthorized use of the network, with evident damages to the operator and the quality of services. We report a rigorous formal analysis of the TSM specification, which is originally given in UML. Furthermore, we illustrate our design choices to obtain the formal model, describe the tool-aided verification and finally expose the security flaws discovered.",

author = "R.J. Corin and {Di Caprio}, G. and S. Etalle and S. Gnesi and G. Lenzini and C. Moiso",

year = "2005",

doi = "10.1007/11494881_9",

language = "English",

isbn = "3-540-26181-8",

series = "Lecture Notes in Computer Science",

publisher = "Springer",

pages = "131--146",

editor = "M. Steffen and G. Zavattaro",

booktitle = "Formal Methods for Open Object-Based Distributed Systems (Proceedings 7th IFIP WG 6.1 International Conference, FMOODS 2005, Athens, Greece, June 15-17, 2005)",

address = "Germany",

}

Corin, RJ, Di Caprio, G, Etalle, S, Gnesi, S, Lenzini, G & Moiso, C 2005, A formal security analysis of an OSA/Parlay authentication interface. in M Steffen & G Zavattaro (eds), Formal Methods for Open Object-Based Distributed Systems (Proceedings 7th IFIP WG 6.1 International Conference, FMOODS 2005, Athens, Greece, June 15-17, 2005). Lecture Notes in Computer Science, vol. 3535, Springer, pp. 131-146. https://doi.org/10.1007/11494881_9

A formal security analysis of an OSA/Parlay authentication interface. / Corin, R.J.; Di Caprio, G.; Etalle, S. et al.
Formal Methods for Open Object-Based Distributed Systems (Proceedings 7th IFIP WG 6.1 International Conference, FMOODS 2005, Athens, Greece, June 15-17, 2005). ed. / M. Steffen; G. Zavattaro. Springer, 2005. p. 131-146 (Lecture Notes in Computer Science; Vol. 3535).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

TY - GEN

T1 - A formal security analysis of an OSA/Parlay authentication interface

AU - Corin, R.J.

AU - Di Caprio, G.

AU - Etalle, S.

AU - Gnesi, S.

AU - Lenzini, G.

AU - Moiso, C.

PY - 2005

Y1 - 2005

N2 - We report on an experience in analyzing the security of the Trust and Security Management (TSM) protocol, an authentication procedure within the OSA/Parlay Application Program Interfaces (APIs) of the Open Service Access and Parlay Group. The experience has been conducted jointly by research institutes experienced in security and industry experts in telecommunication networking. OSA/Parlay APIs are designed to enable the creation of telecommunication applications outside the traditional network space and business model. Network operators consider the OSA/Parlay a promising architecture to stimulate the development of web service applications by third party providers, which may not necessarily be experts in telecommunication and security. The TSM protocol is executed by the gateways to OSA/Parlay networks; its role is to authenticate client applications trying to access the interfaces of some object representing an offered network capability. For this reason, potential security flaws in the TSM authentication strategy can cause the unauthorized use of the network, with evident damages to the operator and the quality of services. We report a rigorous formal analysis of the TSM specification, which is originally given in UML. Furthermore, we illustrate our design choices to obtain the formal model, describe the tool-aided verification and finally expose the security flaws discovered.

AB - We report on an experience in analyzing the security of the Trust and Security Management (TSM) protocol, an authentication procedure within the OSA/Parlay Application Program Interfaces (APIs) of the Open Service Access and Parlay Group. The experience has been conducted jointly by research institutes experienced in security and industry experts in telecommunication networking. OSA/Parlay APIs are designed to enable the creation of telecommunication applications outside the traditional network space and business model. Network operators consider the OSA/Parlay a promising architecture to stimulate the development of web service applications by third party providers, which may not necessarily be experts in telecommunication and security. The TSM protocol is executed by the gateways to OSA/Parlay networks; its role is to authenticate client applications trying to access the interfaces of some object representing an offered network capability. For this reason, potential security flaws in the TSM authentication strategy can cause the unauthorized use of the network, with evident damages to the operator and the quality of services. We report a rigorous formal analysis of the TSM specification, which is originally given in UML. Furthermore, we illustrate our design choices to obtain the formal model, describe the tool-aided verification and finally expose the security flaws discovered.

U2 - 10.1007/11494881_9

DO - 10.1007/11494881_9

M3 - Conference contribution

SN - 3-540-26181-8

T3 - Lecture Notes in Computer Science

SP - 131

EP - 146

BT - Formal Methods for Open Object-Based Distributed Systems (Proceedings 7th IFIP WG 6.1 International Conference, FMOODS 2005, Athens, Greece, June 15-17, 2005)

A2 - Steffen, M.

A2 - Zavattaro, G.

PB - Springer

ER -

Corin RJ, Di Caprio G, Etalle S, Gnesi S, Lenzini G, Moiso C. A formal security analysis of an OSA/Parlay authentication interface. In Steffen M, Zavattaro G, editors, Formal Methods for Open Object-Based Distributed Systems (Proceedings 7th IFIP WG 6.1 International Conference, FMOODS 2005, Athens, Greece, June 15-17, 2005). Springer. 2005. p. 131-146. (Lecture Notes in Computer Science). doi: 10.1007/11494881_9

A formal security analysis of an OSA/Parlay authentication interface

Abstract

Publication series

Access to Document

Fingerprint

Cite this