Abstract

Security protocols are integral to the protection of cyberspace against malicious attacks, so it is important to be confident in their security. Earlier work focused on the security of the abstract specifications of security protocols. More recently, researchers have found that this is not enough and have begun to focus on security protocol implementations. To evaluate the security of security protocol implementations, in this paper we first propose Message Construction to Security Protocol Implementation (MCSPI), a message construction method based on application programming interface (API) traces that automatically generates valid client request messages. We then present the Security Analysis Scheme (SAS), a security analysis scheme that generates an abstract model of a security protocol server. Next, we propose a security analysis method that evaluates the security of security protocol implementations on the basis of the constructed client request messages generated with MCSPI, together with the corresponding server-side response messages and the server-side abstract model produced by SAS. Finally, we implement the Security Protocol Implementation Analysis (SPIA) tool, which generates valid client request messages and a server-side abstract model to assist in evaluating security protocol implementations. In our experiments, we tested the Tencent QQ mail system version 2017 and the RSAAuth system. We found that RSAAuth is vulnerable and that its server performs security checks only on the user password, while the Tencent QQ mail system version 2017 is more secure and enforces strong server-side security restrictions in addition to security checks on the user password.

Highlights

  • Security protocols constitute a key part of cyberspace security [1] and are an important means of protecting cyberspace against malicious attacks.

  • We propose an application programming interface (API) Trace Parse Algorithm (APTA), which parses API traces and builds a stack to store the parsed data; this data is used to reconstruct the output of traced cryptographic primitive implementations.

  • To evaluate the security of security protocol implementations, based on assumption (3), we propose the Message Construction to Security Protocol Implementation (MCSPI) scheme to construct valid client request messages.


Summary

Introduction

Security protocols constitute a key part of cyberspace security [1] and are an important means of protecting cyberspace against malicious attacks. Their security is of great interest. The classic method for analyzing security protocols is the formal method. Some researchers have shown that many security protocols proved secure with formal methods are still not secure in practice owing to incorrect implementations [2]. In addition, owing to the limited capabilities of developers, there may be inconsistencies between security protocol implementations and the abstract specifications of security protocols. Proving the security properties of a security protocol with formal methods alone is not enough to provide confidence in its security.
