Abstract
To overcome the difficulties of correct secure systems design, we propose formal modelling using the object-oriented modelling language UML. Specifically, we consider the problem of accountability through auditing.
We explain our method using the example of a part of the Common Electronic Purse Specifications (CEPS), a candidate for an international electronic purse standard, indicate possible vulnerabilities, and present concrete security advice for that system.
Supported by the Studienstiftung des deutschen Volkes and the Computing Laboratory.
Copyright information
© 2001 IFIP International Federation for Information Processing
Cite this paper
Jürjens, J. (2001). Modelling Audit Security for Smart-Card Payment Schemes with UML-Sec. In: Dupuy, M., Paradinas, P. (eds) Trusted Information. SEC 2001. IFIP International Federation for Information Processing, vol 65. Springer, Boston, MA. https://doi.org/10.1007/0-306-46998-7_7
DOI: https://doi.org/10.1007/0-306-46998-7_7
Publisher Name: Springer, Boston, MA
Print ISBN: 978-0-7923-7389-6
Online ISBN: 978-0-306-46998-5