Six Characters in Search of a Security Problem: Pirandellian Masks for Security Ceremonies
Resumo
For the Italian play-writer and 1934 Nobel-Prize winner Luigi Pirandello, a fictional mask is either self-imposed or, in most cases, forced on by society, being what makes life possible. Drawing from that, we believe that due to the non-deterministic nature of the human being, the only way to specify and verify human-tailored security protocols (known as security ceremonies) is by the specification of masks that users wear in order to interact with ceremonies. In the current paper, we review further this literary inspiration and propose six possible masks: the Attentive, the Naive, the Careless, the Fearful, the Busy, and the Elder. We then discuss an example of how we can reason about security involving human beings, and present what still needs to be done.
Palavras-chave:
Security ceremonies, socio-technical security, user personas masks, human behaviour analysis, threat models
Referências
(2022). The tamarin user manual. [Online; accessed June-2022].
Arsac, W., Bella, G., Chantry, X., and Compagna, L. (2011). Multi-attacker protocol validation. Journal of Automated Reasoning, 46(3-4):353–388.
Basin, D., Radomirovic, S., and Schläepfer, M. (2015). A complete characterization of secure human-server communication. In 2015 IEEE 28th Computer Security Foundations Symposium, pages 199–213. IEEE.
Basin, D., Radomirovic, S., and Schmid, L. (2016). Modeling human errors in security protocols. In 2016 IEEE 29th Computer Security Foundations Symposium (CSF), pages 325–340. IEEE.
Bella, G. (2020). Out to Explore the Cybersecurity Planet. Emerald Journal of Intellectual Capital, 21(2):291–307.
Bella, G. and Coles-Kemp, L. (2012). Layered analysis of security ceremonies. In Gritzalis, D., Furnell, S., and Theoharidou, M., editors, Information Security and Privacy Research, pages 273–286, Berlin, Heidelberg. Springer Berlin Heidelberg.
Bella, G., Curzon, P., and G.Lenzini (2015). Service Security and Privacy as a Socio-Technical Problem. IOS Journal of Computer Security, 23(5):563–585.
Bella, G., Giustolisi, R., and Schürmann, C. (2022a). Modelling Human Threats in Security Ceremonies. IOS Journal of Computer Security, 30(3):411–433.
Bella, G., Ophoff, J., Renaud, K., Sempreboni, D., and Viganò, L. (2022b). Perceptions of Beauty in Security Ceremonies. Springer Philosophy & Technology.
Dolev, D. and Yao, A. C. (1983). On the Security of Public Key Protocols. IEEE Transactions on Information Theory, 29(2):198–208.
Ellison, C. (2007). Ceremony design and analysis. Cryptology ePrint Archive, Report 2007/399.
Giustolisi, R., Bella, G., and Lenzini, G. (2018). Invalid Certificates in Modern Browsers: A Socio-Technical Analysis. IOS Journal of Computer Security, 26(4):509–541.
Jacomme, C. and Kremer, S. (2018). An extensive formal analysis of multi-factor authentication protocols. In 2018 IEEE 31st Computer Security Foundations Symposium (CSF), pages 1–15. IEEE.
Johansen, C. and Jøsang, A. (2014). Probabilistic modelling of humans in security ceremonies. In Data Privacy Management, Autonomous Spontaneous Security, and Security Assurance, pages 277–292. Springer.
Martimiano, T. and Martina, J. E. (2016). Threat modelling service security as a security ceremony. In Availability, Reliability and Security (ARES), 2016 11th International Conference on, pages 195–204. IEEE.
Martina, J. E. and Carlos, M. C. (2010). Why should we analyse security ceremonies: First CryptoForma workshop. Nobel Media AB 2018 (accessed June 2022).
The nobel prize in literature 1934. https://www.nobelprize.org/prizes/literature/1934/summary/.
Pedersen, T., Johansen, C., and Jøsang, A. (2018). Behavioural computer science: an agenda for combining modelling of human and system behaviours. Human-centric Computing and Information Sciences, 8(1):7.
Pirandello, L. (1952). Naked masks, five plays. Everyman’s library: Drama. Dutton.
Pirandello, L. (2006). Sei personaggi in cerca d’autore. Gutemberg Project, ebook #18457 edition. Original publication in 1921.
Pirandello, L. (Integral text accessed June 2022a). Ciascuno a suo modo - commedia in due o tre atti con intermezzi corali. [link].
Pirandello, L. (Integral text accessed June 2022b). Questa sera si recita a soggetto – commedia in tre atti ed un intermezzo. [link].
Radke, K. and Boyd, C. (2017). Security proofs for protocols involving humans. The Computer Journal, 60(4):527–540.
Radke, K., Boyd, C., Nieto, J. G., Manulis, M., and Stebila, D. (2014). Formalising human recognition: A fundamental building block for security proofs. In Proceedings of the Twelfth Australasian Information Security Conference - Volume 149, AISC ’14, pages 37–45, Darlinghurst, Australia, Australia. Australian Computer Society, Inc.
Sempreboni, D. and Viganò, L. (2020). X-men: A mutation-based approach for the formal analysis of security ceremonies. In 2020 IEEE European Symposium on Security and Privacy (EuroSP), pages 87–104.
Arsac, W., Bella, G., Chantry, X., and Compagna, L. (2011). Multi-attacker protocol validation. Journal of Automated Reasoning, 46(3-4):353–388.
Basin, D., Radomirovic, S., and Schläepfer, M. (2015). A complete characterization of secure human-server communication. In 2015 IEEE 28th Computer Security Foundations Symposium, pages 199–213. IEEE.
Basin, D., Radomirovic, S., and Schmid, L. (2016). Modeling human errors in security protocols. In 2016 IEEE 29th Computer Security Foundations Symposium (CSF), pages 325–340. IEEE.
Bella, G. (2020). Out to Explore the Cybersecurity Planet. Emerald Journal of Intellectual Capital, 21(2):291–307.
Bella, G. and Coles-Kemp, L. (2012). Layered analysis of security ceremonies. In Gritzalis, D., Furnell, S., and Theoharidou, M., editors, Information Security and Privacy Research, pages 273–286, Berlin, Heidelberg. Springer Berlin Heidelberg.
Bella, G., Curzon, P., and G.Lenzini (2015). Service Security and Privacy as a Socio-Technical Problem. IOS Journal of Computer Security, 23(5):563–585.
Bella, G., Giustolisi, R., and Schürmann, C. (2022a). Modelling Human Threats in Security Ceremonies. IOS Journal of Computer Security, 30(3):411–433.
Bella, G., Ophoff, J., Renaud, K., Sempreboni, D., and Viganò, L. (2022b). Perceptions of Beauty in Security Ceremonies. Springer Philosophy & Technology.
Dolev, D. and Yao, A. C. (1983). On the Security of Public Key Protocols. IEEE Transactions on Information Theory, 29(2):198–208.
Ellison, C. (2007). Ceremony design and analysis. Cryptology ePrint Archive, Report 2007/399.
Giustolisi, R., Bella, G., and Lenzini, G. (2018). Invalid Certificates in Modern Browsers: A Socio-Technical Analysis. IOS Journal of Computer Security, 26(4):509–541.
Jacomme, C. and Kremer, S. (2018). An extensive formal analysis of multi-factor authentication protocols. In 2018 IEEE 31st Computer Security Foundations Symposium (CSF), pages 1–15. IEEE.
Johansen, C. and Jøsang, A. (2014). Probabilistic modelling of humans in security ceremonies. In Data Privacy Management, Autonomous Spontaneous Security, and Security Assurance, pages 277–292. Springer.
Martimiano, T. and Martina, J. E. (2016). Threat modelling service security as a security ceremony. In Availability, Reliability and Security (ARES), 2016 11th International Conference on, pages 195–204. IEEE.
Martina, J. E. and Carlos, M. C. (2010). Why should we analyse security ceremonies: First CryptoForma workshop. Nobel Media AB 2018 (accessed June 2022).
The nobel prize in literature 1934. https://www.nobelprize.org/prizes/literature/1934/summary/.
Pedersen, T., Johansen, C., and Jøsang, A. (2018). Behavioural computer science: an agenda for combining modelling of human and system behaviours. Human-centric Computing and Information Sciences, 8(1):7.
Pirandello, L. (1952). Naked masks, five plays. Everyman’s library: Drama. Dutton.
Pirandello, L. (2006). Sei personaggi in cerca d’autore. Gutemberg Project, ebook #18457 edition. Original publication in 1921.
Pirandello, L. (Integral text accessed June 2022a). Ciascuno a suo modo - commedia in due o tre atti con intermezzi corali. [link].
Pirandello, L. (Integral text accessed June 2022b). Questa sera si recita a soggetto – commedia in tre atti ed un intermezzo. [link].
Radke, K. and Boyd, C. (2017). Security proofs for protocols involving humans. The Computer Journal, 60(4):527–540.
Radke, K., Boyd, C., Nieto, J. G., Manulis, M., and Stebila, D. (2014). Formalising human recognition: A fundamental building block for security proofs. In Proceedings of the Twelfth Australasian Information Security Conference - Volume 149, AISC ’14, pages 37–45, Darlinghurst, Australia, Australia. Australian Computer Society, Inc.
Sempreboni, D. and Viganò, L. (2020). X-men: A mutation-based approach for the formal analysis of security ceremonies. In 2020 IEEE European Symposium on Security and Privacy (EuroSP), pages 87–104.
Publicado
12/09/2022
Como Citar
MARTIMIANO, Taciane; MARTINA, Jean Everson.
Six Characters in Search of a Security Problem: Pirandellian Masks for Security Ceremonies. In: SIMPÓSIO BRASILEIRO DE SEGURANÇA DA INFORMAÇÃO E DE SISTEMAS COMPUTACIONAIS (SBSEG), 22. , 2022, Santa Maria.
Anais [...].
Porto Alegre: Sociedade Brasileira de Computação,
2022
.
p. 344-357.
DOI: https://doi.org/10.5753/sbseg.2022.225346.
