Daemones Non Operantur Nisi Per Artem Daemons Do Not Operate Save Through Trickery: Human Tailored Threat Models for Formal Verification of Fail-Safe Security Ceremonies

Bibliographic Details
Published in Security Protocols XXVI pp. 96 - 105
Main Authors Martimiano, Taciane; Martina, Jean Everson
Format Book Chapter
Language English
Published Cham Springer International Publishing 24.11.2018
Series Lecture Notes in Computer Science
Summary: In this paper we argue that we must impoverish (or enrich in a different sense) threat models in order to be able to verify fail-safe security protocols that include human peers (a.k.a. security ceremonies). Some of the threat models we use nowadays for establishing the security of communication protocols are far too much concerned with failing deadly and do not encompass subtleties of the real world. Security is then maintained at all costs, especially in the presence of human constraints and expectations. Our position is that we must assume omnipresent and omnipotent evil beings (daemons) do not exist in order to be able to verify fail-safe security protocols that include human peers. We show how a popular security ceremony could be made fail-safe assuming a weaker threat model and compensating for that with usability. We also discuss the impact of our work for formal verification techniques and how they can be expanded for security ceremonies.
ISBN: 9783030032500
3030032507
ISSN: 0302-9743
1611-3349
DOI: 10.1007/978-3-030-03251-7_11