Ceremony Design and Analysis.pdf

Ceremony Design and Analysis Carl Ellison Microsoft Corporation, One Microsoft Way, Redmond WA 98052 cme@ Abstract. The concept of ceremony is introduced as an extension of the concept of network protocol, with human nodes alongside computer nodes and with communication links that include UI, human-to-human communication and transfers of physical objects that carry data. What is out-of-band to a protocol is in-band to a ceremony, and therefore subject to design and analysis using variants of the same mature techniques used for the design and analysis of protocols. Ceremonies include all protocols, as well as all applications with a user interface, all workflow and all provisioning scenarios. A secure ceremony is secure against both normal attacks and social engineering. However, some secure protocols imply ceremonies that cannot be made secure. 1 Introduction It is common for computer professionals to disparage human users as the source of all the flaws that make an excellently designed product malfunction. Some will admit a certain amount of responsibility for this by characterizing the design of a user interface as extremely difficult, but few accept the challenge of designing systems and protocols that produce the correct results when operated by actual human users. The issue comes up most prominently with security protocols – well designed and thoroughly reviewed – that are fielded and broken. The breaks are usually by social engineering. Social engineering exploits human weaknesses to bypass security, doing an end-run around a well designed security protocol. Examples of social engineering include password theft by confidence game techniques and phishing. The concept of ceremony1 extends the concept of network protocol by including human beings as nodes in the network. Ceremonies include all network protocols as a degenerate case, but also all applications with user interfaces and all instances of workflow. For security pr