A formal security analysis of an OSA/Parlay authentication interface

R.J. Corin; G. Di Caprio; S. Etalle; S. Gnesi; G. Lenzini; C. Moiso

doi:10.1007/11494881_9

A formal security analysis of an OSA/Parlay authentication interface

R.J. Corin, G. Di Caprio, S. Etalle, S. Gnesi, G. Lenzini, C. Moiso

Onderzoeksoutput: Hoofdstuk in Boek/Rapport/Congresprocedure › Conferentiebijdrage › Academic › peer review

2 Citaten (Scopus)

4 Downloads (Pure)

Samenvatting

We report on an experience in analyzing the security of the Trust and Security Management (TSM) protocol, an authentication procedure within the OSA/Parlay Application Program Interfaces (APIs) of the Open Service Access and Parlay Group. The experience has been conducted jointly by research institutes experienced in security and industry experts in telecommunication networking. OSA/Parlay APIs are designed to enable the creation of telecommunication applications outside the traditional network space and business model. Network operators consider the OSA/Parlay a promising architecture to stimulate the development of web service applications by third party providers, which may not necessarily be experts in telecommunication and security. The TSM protocol is executed by the gateways to OSA/Parlay networks; its role is to authenticate client applications trying to access the interfaces of some object representing an offered network capability. For this reason, potential security flaws in the TSM authentication strategy can cause the unauthorized use of the network, with evident damages to the operator and the quality of services. We report a rigorous formal analysis of the TSM specification, which is originally given in UML. Furthermore, we illustrate our design choices to obtain the formal model, describe the tool-aided verification and finally expose the security flaws discovered.

Originele taal-2	Engels
Titel	Formal Methods for Open Object-Based Distributed Systems (Proceedings 7th IFIP WG 6.1 International Conference, FMOODS 2005, Athens, Greece, June 15-17, 2005)
Redacteuren	M. Steffen, G. Zavattaro
Uitgeverij	Springer
Pagina's	131-146
ISBN van geprinte versie	3-540-26181-8
DOI's	https://doi.org/10.1007/11494881_9
Status	Gepubliceerd - 2005

Publicatie series

Naam	Lecture Notes in Computer Science
Volume	3535
ISSN van geprinte versie	0302-9743

Toegang tot document

10.1007/11494881_9

Citeer dit

Corin, R. J., Di Caprio, G., Etalle, S., Gnesi, S., Lenzini, G., & Moiso, C. (2005). A formal security analysis of an OSA/Parlay authentication interface. In M. Steffen, & G. Zavattaro (editors), Formal Methods for Open Object-Based Distributed Systems (Proceedings 7th IFIP WG 6.1 International Conference, FMOODS 2005, Athens, Greece, June 15-17, 2005) (blz. 131-146). (Lecture Notes in Computer Science; Vol. 3535). Springer. https://doi.org/10.1007/11494881_9

Corin, R.J. ; Di Caprio, G. ; Etalle, S. et al. / A formal security analysis of an OSA/Parlay authentication interface. Formal Methods for Open Object-Based Distributed Systems (Proceedings 7th IFIP WG 6.1 International Conference, FMOODS 2005, Athens, Greece, June 15-17, 2005). redacteur / M. Steffen ; G. Zavattaro. Springer, 2005. blz. 131-146 (Lecture Notes in Computer Science).

@inproceedings{fddaa26250ca426cbde05bf58c272766,

title = "A formal security analysis of an OSA/Parlay authentication interface",

abstract = "We report on an experience in analyzing the security of the Trust and Security Management (TSM) protocol, an authentication procedure within the OSA/Parlay Application Program Interfaces (APIs) of the Open Service Access and Parlay Group. The experience has been conducted jointly by research institutes experienced in security and industry experts in telecommunication networking. OSA/Parlay APIs are designed to enable the creation of telecommunication applications outside the traditional network space and business model. Network operators consider the OSA/Parlay a promising architecture to stimulate the development of web service applications by third party providers, which may not necessarily be experts in telecommunication and security. The TSM protocol is executed by the gateways to OSA/Parlay networks; its role is to authenticate client applications trying to access the interfaces of some object representing an offered network capability. For this reason, potential security flaws in the TSM authentication strategy can cause the unauthorized use of the network, with evident damages to the operator and the quality of services. We report a rigorous formal analysis of the TSM specification, which is originally given in UML. Furthermore, we illustrate our design choices to obtain the formal model, describe the tool-aided verification and finally expose the security flaws discovered.",

author = "R.J. Corin and {Di Caprio}, G. and S. Etalle and S. Gnesi and G. Lenzini and C. Moiso",

year = "2005",

doi = "10.1007/11494881_9",

language = "English",

isbn = "3-540-26181-8",

series = "Lecture Notes in Computer Science",

publisher = "Springer",

pages = "131--146",

editor = "M. Steffen and G. Zavattaro",

booktitle = "Formal Methods for Open Object-Based Distributed Systems (Proceedings 7th IFIP WG 6.1 International Conference, FMOODS 2005, Athens, Greece, June 15-17, 2005)",

address = "Germany",

}

Corin, RJ, Di Caprio, G, Etalle, S, Gnesi, S, Lenzini, G & Moiso, C 2005, A formal security analysis of an OSA/Parlay authentication interface. in M Steffen & G Zavattaro (uitgave), Formal Methods for Open Object-Based Distributed Systems (Proceedings 7th IFIP WG 6.1 International Conference, FMOODS 2005, Athens, Greece, June 15-17, 2005). Lecture Notes in Computer Science, vol. 3535, Springer, blz. 131-146. https://doi.org/10.1007/11494881_9

A formal security analysis of an OSA/Parlay authentication interface. / Corin, R.J.; Di Caprio, G.; Etalle, S. et al.
Formal Methods for Open Object-Based Distributed Systems (Proceedings 7th IFIP WG 6.1 International Conference, FMOODS 2005, Athens, Greece, June 15-17, 2005). uitgave / M. Steffen; G. Zavattaro. Springer, 2005. blz. 131-146 (Lecture Notes in Computer Science; Vol. 3535).

Onderzoeksoutput: Hoofdstuk in Boek/Rapport/Congresprocedure › Conferentiebijdrage › Academic › peer review

TY - GEN

T1 - A formal security analysis of an OSA/Parlay authentication interface

AU - Corin, R.J.

AU - Di Caprio, G.

AU - Etalle, S.

AU - Gnesi, S.

AU - Lenzini, G.

AU - Moiso, C.

PY - 2005

Y1 - 2005

N2 - We report on an experience in analyzing the security of the Trust and Security Management (TSM) protocol, an authentication procedure within the OSA/Parlay Application Program Interfaces (APIs) of the Open Service Access and Parlay Group. The experience has been conducted jointly by research institutes experienced in security and industry experts in telecommunication networking. OSA/Parlay APIs are designed to enable the creation of telecommunication applications outside the traditional network space and business model. Network operators consider the OSA/Parlay a promising architecture to stimulate the development of web service applications by third party providers, which may not necessarily be experts in telecommunication and security. The TSM protocol is executed by the gateways to OSA/Parlay networks; its role is to authenticate client applications trying to access the interfaces of some object representing an offered network capability. For this reason, potential security flaws in the TSM authentication strategy can cause the unauthorized use of the network, with evident damages to the operator and the quality of services. We report a rigorous formal analysis of the TSM specification, which is originally given in UML. Furthermore, we illustrate our design choices to obtain the formal model, describe the tool-aided verification and finally expose the security flaws discovered.

AB - We report on an experience in analyzing the security of the Trust and Security Management (TSM) protocol, an authentication procedure within the OSA/Parlay Application Program Interfaces (APIs) of the Open Service Access and Parlay Group. The experience has been conducted jointly by research institutes experienced in security and industry experts in telecommunication networking. OSA/Parlay APIs are designed to enable the creation of telecommunication applications outside the traditional network space and business model. Network operators consider the OSA/Parlay a promising architecture to stimulate the development of web service applications by third party providers, which may not necessarily be experts in telecommunication and security. The TSM protocol is executed by the gateways to OSA/Parlay networks; its role is to authenticate client applications trying to access the interfaces of some object representing an offered network capability. For this reason, potential security flaws in the TSM authentication strategy can cause the unauthorized use of the network, with evident damages to the operator and the quality of services. We report a rigorous formal analysis of the TSM specification, which is originally given in UML. Furthermore, we illustrate our design choices to obtain the formal model, describe the tool-aided verification and finally expose the security flaws discovered.

U2 - 10.1007/11494881_9

DO - 10.1007/11494881_9

M3 - Conference contribution

SN - 3-540-26181-8

T3 - Lecture Notes in Computer Science

SP - 131

EP - 146

BT - Formal Methods for Open Object-Based Distributed Systems (Proceedings 7th IFIP WG 6.1 International Conference, FMOODS 2005, Athens, Greece, June 15-17, 2005)

A2 - Steffen, M.

A2 - Zavattaro, G.

PB - Springer

ER -

Corin RJ, Di Caprio G, Etalle S, Gnesi S, Lenzini G, Moiso C. A formal security analysis of an OSA/Parlay authentication interface. In Steffen M, Zavattaro G, redacteurs, Formal Methods for Open Object-Based Distributed Systems (Proceedings 7th IFIP WG 6.1 International Conference, FMOODS 2005, Athens, Greece, June 15-17, 2005). Springer. 2005. blz. 131-146. (Lecture Notes in Computer Science). doi: 10.1007/11494881_9

A formal security analysis of an OSA/Parlay authentication interface

Samenvatting

Publicatie series

Toegang tot document

Vingerafdruk

Citeer dit