Ceremony Design and Analysis
Carl Ellison
Microsoft Corporation, One Microsoft Way, Redmond WA 98052
cme@
Abstract. The concept of ceremony is introduced as an extension of the
concept of network protocol, with human nodes alongside computer nodes and
with communication links that include UI, human-to-human communication
and transfers of physical objects that carry data. What is out-of-band to a
protocol is in-band to a ceremony, and therefore subject to design and analysis
using variants of the same mature techniques used for the design and analysis of
protocols. Ceremonies include all protocols, as well as all applications with a
user interface, all workflow and all provisioning scenarios. A secure ceremony
is secure against both normal attacks and social engineering. However, some
secure protocols imply ceremonies that cannot be made secure.
1 Introduction
It is common for computer professionals to disparage human users as the source of all
the flaws that make an excellently designed product malfunction. Some will admit a
certain amount of responsibility for this by characterizing the design of a user
interface as extremely difficult, but few accept the challenge of designing systems and
protocols that produce the correct results when operated by actual human users.
The issue comes up most prominently with security protocols – well designed and
thoroughly reviewed – that are fielded and broken. The breaks are usually by social
engineering. Social engineering exploits human weaknesses to bypass security,
doing an end-run around a well designed security protocol. Examples of social
engineering include password theft by confidence game techniques and phishing.
The concept of ceremony¹ extends the concept of network protocol by including
human beings as nodes in the network. Ceremonies include all network protocols as a
degenerate case, but also all applications with user interfaces and all instances of
workflow. For security pr