PhD-FSTC-2015-47
The Faculty of Sciences, Technology and Communication

DISSERTATION

Defense held on 26/10/2015 in Luxembourg
to obtain the degree of
DOCTEUR DE L'UNIVERSITÉ DU LUXEMBOURG EN INFORMATIQUE
by
Rosario GIUSTOLISI
Born on 16 October 1983 in Giarre (Italy)

Design and Analysis of Secure Exam Protocols

arXiv:1512.04751v1 [cs.CR] 15 Dec 2015

Dissertation defense committee
Dr Peter Y.A. Ryan, dissertation supervisor
Professor, Université du Luxembourg
Dr Gabriele Lenzini, vice-chairman
Université du Luxembourg
Dr Sjouke Mauw, chairman
Professor, Université du Luxembourg
Dr Steve Schneider
Professor, University of Surrey
Dr Luca Viganò
Professor, King's College London

Abstract

Except for the traditional threat that candidates may want to cheat, exams have historically not been seen as a serious security problem. That threat is routinely thwarted by having invigilators ensure that candidates do not misbehave during testing. However, as recent exam scandals confirm, invigilators and exam authorities may also have an interest in fraud, hence they may pose security threats as well. Moreover, new security issues arise from the recent use of computers, which can facilitate the exam experience, for example by allowing candidates to register from home. Thus, exams must be designed with the care normally devoted to security protocols.

This dissertation studies exam protocol security and provides an in-depth understanding that can also be useful for the study of the security of similar systems, such as public tenders, personnel selections, project reviews, and conference management systems. It introduces an unambiguous terminology that leads to the specification of a taxonomy of various exam types, depending on the level of computer assistance. It then establishes a theoretical framework for the formal analysis of exams.
The framework defines several authentication, privacy, and verifiability requirements that modern exams should meet, and enables the security of exam protocols to be studied. Using the framework, we formally analyse traditional, computer-assisted, and Internet-based exam protocols. We find some security issues and propose modifications to partially achieve the desired requirements.

This dissertation also designs three exam protocols that guarantee a wide set of security requirements. It introduces a novel protocol for Internet-based exams to thwart a malicious exam authority with minimal trust assumptions. Then, it proposes secure protocols suitable for both computer-assisted and traditional pen-and-paper exams. A combination of oblivious transfer and visual cryptography schemes allows us to overcome the constraint of face-to-face testing and to remove the need of a trusted third party. Moreover, the protocols ensure accountability as they support the identification of the principal that is responsible for their failure. We evaluate the security of our protocols by a formal analysis in ProVerif.

Finally, this dissertation looks at exams as carried out through a modern browser, Safe Exam Browser (SEB). It was specifically designed to carry out Internet-based exams securely, and we confirm it immune to the security issues of certificate validation. Using UML and CSP, we advance a formal analysis of its requirements that are not only logically conditioned on the technology but also on user actions. By extending this analysis onto other browsers, we state general best-practice recommendations to browser vendors.

Acknowledgements

Pursuing a Ph.D. is a journey that involves many people. Here I want to acknowledge the people without whom this journey would not be The Journey.

First, I would like to express my gratitude to Gabriele Lenzini for his continuous supervision. He has devoted much of his time to help and support me in this journey.
He has patiently taught me how to evaluate my work and how to clearly formulate the results.

I am thankful to Peter Ryan for accepting me in his research group and for his valuable advice during our conversations. I am fascinated by his rare ability to quickly grasp the essence of any mathematical problem.

I am particularly grateful to Giampaolo Bella for his precious support and advice. He has started me on research and is always up to teach me how to develop my research skills further. Moreover, he is a great motivator.

I would like to thank my Ph.D. examiners Sjouke Mauw, Steve Schneider, and Luca Viganò for their interest and valuable expertise in giving some advice useful for my dissertation.

I am thankful to the Doctoral School of Computer Science and Computer Engineering for the financial support provided to attend conferences and summer schools.

I am particularly grateful to Jannik Dreier, Ali Kassem, and Pascal Lafourcade for the fruitful collaboration on the formal specification of exam requirements. I would like to thank Andrea Huszti for the interesting discussions about the security of exam protocols and efforts on how to improve them. I also enjoyed discussions with people I met in scientific conferences and summer schools. In particular, the annual Workshop on Security Frameworks has been a great source of feedback and ideas, and I benefited from discussions with people I met there (Giampaolo Bella, Denis Butin, Gianpiero Costantino, Gabriele Lenzini, Giuseppe Patanè, Salvatore Riccobene, ...).

I had a great time with my fellow Ph.D. students (Arash, Massimo, Afonso, Jean-Louis, Miguel, Marjan, Dayana, Masoud, Jun) at ApSIA, and never felt too far from home thanks to my Italian office neighbours (Claudio and Vincenzo). I was privileged to live at the Résidence des Dominicaines and to have a lot of friends living there.
I would like to thank my family: Daniela and Leo for taking care of everything during my stay abroad; my parents Franco and Pina for their unconditional love and support they have been giving to me, and for having allowed me to be the person I am today; my girlfriend Silvia for standing by me, for having patiently shared successes and failures, and for always believing in me.

Finally, I would like to thank you for reading this dissertation.

Contents

1 Introduction
  1.1 Aims and Objectives
  1.2 Contributions
  1.3 Outline
2 Terminology
  2.1 Tasks
  2.2 Roles
  2.3 Principals
  2.4 Phases
  2.5 Threats
  2.6 Taxonomy
    2.6.1 Exam Types
    2.6.2 Exam Categories
3 Formalising Authentication and Privacy
  3.1 Related Work
  3.2 The Applied π-calculus
  3.3 Modelling Exams
  3.4 Security Requirements
    3.4.1 Authentication
    3.4.2 Privacy
  3.5 The Huszti-Pethő Protocol
    3.5.1 Description
    3.5.2 Formal Analysis of Reusable Anonymous Return Channel
    3.5.3 Formal Analysis of the Huszti-Pethő Protocol
    3.5.4 Fixing Authentication
  3.6 Conclusion
4 Formalising Verifiability
  4.1 Related Work
  4.2 A More Abstract Model
  4.3 Verifiability Requirements
    4.3.1 Individual Verifiability
    4.3.2 Universal Verifiability
  4.4 Conclusion
5 The Remark! Internet-based Exam Protocol
  5.1 Related work
  5.2 Exponentiation mixnet
  5.3 Description
  5.4 Formal Analysis of Authentication and Privacy
  5.5 Formal Analysis of Verifiability
    5.5.1 Individual Verifiability
    5.5.2 Universal verifiability
  5.6 Conclusion
6 Computer-assisted Exam Protocols
  6.1 Related Work
  6.2 The WATA Exam Protocols
    6.2.1 WATA II
    6.2.2 WATA III
  6.3 WATA IV
    6.3.1 Description
    6.3.2 Discussion
  6.4 Removing the Need of Trusted Parties
    6.4.1 Description
    6.4.2 Formal Analysis
  6.5 Conclusion
7 Formal Analysis of Certificate Validation in SEB and Modern Browsers
  7.1 Related Work
  7.2 Basics
  7.3 Safe Exam Browser
  7.4 Modern Browsers
    7.4.1 Private Browsing
  7.5 Modelling Certificate Validation
    7.5.1 UML Activity Diagrams for Certificate Validation
    7.5.2 Description of the Main UML Activities
  7.6 Socio-Technical Formal Analysis
    7.6.1 Socio-Technical Security Requirements
    7.6.2 Automated Verification
  7.7 Findings
    7.7.1 Recommendations
  7.8 Conclusion
8 Conclusions
  8.1 Future Work
Bibliography
Website Bibliography
Publications
A CSP# Code
  A.1 Specification of Common Parts
  A.2 Specification of Web Browsers

List of Figures

1.1 Overview of the contributions
2.1 A set-theory representation of exams
3.1 The grammar for plain processes in the applied π-calculus
3.2 The grammar for extended processes in the applied π-calculus
3.3 A general view of authentication requirements for exams
3.4 Reusable anonymous return channel in the Alice-Bob notation
3.5 The Huszti-Pethő e-exam protocol in the Alice-Bob notation
3.6 The processes of sender, receivers, and mixer.
3.7 The instance of sender, receiver, and mixer processes.
3.8 The instance of sender to analyse message secrecy.
3.9 The instance of sender to analyse anonymity.
3.10 Attack trace on sender anonymity
3.11 The process of the exam authority that concerns preparation.
3.12 The process of the exam authority that concerns testing, marking, and notification.
3.13 The process of the candidate.
3.14 The process of the examiner.
3.15 The process of the NET.
3.16 The exam process.