Rosario Giustolisi
IT University of Copenhagen
Publication
Featured research published by Rosario Giustolisi.
Computers & Security | 2017
Giampaolo Bella; Rosario Giustolisi; Gabriele Lenzini; Peter Y. A. Ryan
An extended list of security requirements for exams with its formal specification in the applied pi-calculus. An updated exam protocol that meets the extended set of security requirements. The ProVerif analysis of the updated exam protocol. Historically, exam security has mainly focused on threats ascribed to candidate cheating. Such threats have been normally mitigated by invigilation and anti-plagiarism methods. However, as recent exam scandals confirm, also invigilators and authorities may pose security threats. The introduction of computers into the different phases of an exam, such as candidate registration, brings new security issues that should be addressed with the care normally devoted to security protocols. This paper proposes a protocol that meets a wide set of security requirements and resists threats that may originate from candidates as well as from exam administrators. By relying on a combination of oblivious transfer and visual cryptography schemes, the protocol does not need to rely on any trusted third party. We analyse the protocol formally in ProVerif and prove that it verifies all the stated security requirements.
international conference on security and cryptography | 2016
Rosario Giustolisi; Christian Gehrmann
The fifth generation wireless system (5G) is expected to handle an unpredictable number of heterogeneous connected devices and to guarantee at least the same level of security provided by the contemporary wireless standards, including the Authentication and Key Agreement (AKA) protocol. The current AKA protocol has not been designed to efficiently support a very large number of devices. Hence, a new group-based AKA protocol is expected to be one of the security enhancements introduced in 5G. In this paper, we advance the group-based AKA threat model, reflecting previously neglected security risks. The threat model presented in the paper paves the way for the design of more secure protocols.
financial cryptography | 2016
Rosario Giustolisi; Vincenzo Iovino; Peter B. Rønne
In 2010 Hao, Ryan and Zielinski proposed a simple decentralized e-voting protocol that only requires 2 rounds of communication. Thus, for k elections their protocol needs 2k rounds of communication. Observing that the first round of their protocol is aimed to establish the public-keys of the voters, we propose an extension of the protocol as a non-interactive e-voting scheme in the public-key setting (NIVS) in which the voters, after having published their public-keys, can use the corresponding secret-keys to participate in an arbitrary number of one-round elections.
Archive | 2018
Rosario Giustolisi
In this chapter, we introduce the fundamental elements of an exam system. We begin the treatment with an informal description of roles, principals, and threats, and conclude the chapter with the formal specification of these fundamental elements in the applied π-calculus. In consequence, describing and formalising a specific exam becomes easier at the sole price of further expanding or specifying these general concepts. We anticipate that we view an exam as a protocol that involves various tasks defining roles played by various principals through various phases. Hence, exam, exam protocol, or exam system are used interchangeably. With a security take, an exam is expected to withstand a threat model meeting a number of security requirements.
Archive | 2018
Rosario Giustolisi
In this chapter, we introduce Remark!, a protocol designed for secure Internet-based exams. Remark! runs fully on computers to execute typical local tasks, such as the generation of questions and automatic marking, as well as remote tasks, such as remote registration and remote notification of candidates. Notably, it supports remote testing, in which distantly located candidates take the exam at their place, which is the distinctive functionality of Internet-based exams.
Archive | 2018
Rosario Giustolisi
In this chapter, we focus on a family of computer-assisted exam protocols called WATA, which stands for Written Authenticated Though Anonymous exams. A common characteristic of all WATA protocols is the traditional testing procedure, which is face-to-face. The difference among the WATA protocols is that each version provides a different level of computer assistance. Additionally, each protocol of the family has some slightly different functional requirement and threat model with respect to the others. One protocol considers local tasks, such as notification of marks, and no TTP. Some others consider remote tasks, such as remote registration, but assume TTP. Another achieves remote tasks without TTP. In some way, Remark! already makes remote registration and remote notification with minimal reliance on trusted parties. As Remark! belongs to the class of Internet-based exams, it mandates candidate and exam authority to use computers at testing to sign and encrypt the tests. Therefore, testing cannot take place by pen and paper. Moreover, Remark! assumes at least one honest mix server. As we shall see later, there exists a version of WATA that ensures the same authentication and privacy requirements of Remark! without the need to rely on mixnet or TTP.
Archive | 2018
Rosario Giustolisi
Although several exam systems are available, the Huszti-Pethő [HP10] exam was the first protocol proposed in the literature that focused on authentication and privacy requirements, even in the presence of corrupted candidates and exam authorities. Since no formal proof that guarantees the security of the protocol has been advanced so far, we take it as an opportunity to validate our model for secure exams.
nordic conference on secure it systems | 2017
Rosario Giustolisi
The term security ceremony describes a technical system extended with its human users. In this paper, we examine the inspection ceremony for the mobile transport ticket in Denmark. We find several security weaknesses that are ascribable to both human and computer components of the ceremony. The main vulnerabilities are due to the design choices of how the visual inspection ceremony is organised and the lack of information that is stored into the 2D barcode. These vulnerabilities allow a ticket holder to travel up to 8 zones with a 2-zone subscription and enable several people to travel with the same subscription. The attack is significant as it can be automated, and rather modest skills are necessary to break the inspection ceremony. We state four principles that aim at strengthening the security of inspection ceremonies and propose an alternative ceremony whose design is driven by the stated principles.
international conference on security and cryptography | 2017
Rosario Giustolisi; Vincenzo Iovino; Gabriele Lenzini
We introduce the notion of privacy-preserving verifiability for security protocols. It holds when a protocol admits a verifiability test that does not reveal, to the verifier that runs it, more pieces of information about the protocol’s execution than those required to run the test. Our definition of privacy-preserving verifiability is general and applies to cryptographic protocols as well as to human security protocols. In this paper we exemplify it in the domain of e-exams. We prove that the notion is meaningful by studying an existing exam protocol that is verifiable but whose verifiability tests are not privacy-preserving. We prove that the notion is applicable: we review the protocol using functional encryption so that it admits a verifiability test that preserves privacy according to our definition. We analyse, in ProVerif, that the verifiability holds despite malicious parties and that the new protocol maintains all the security properties of the original protocol, so proving that our privacy-preserving verifiability can be achieved starting from existing security.
international conference on information security | 2017
Alessandro Bruni; Rosario Giustolisi; Carsten Schuermann
A recent trend in the construction of security protocols such as voting and certificate management systems is to make principals accountable for their actions. Whenever some principals deviate from the protocol’s prescription and cause the failure of a goal of the system, accountability ensures that the system can detect the misbehaving parties who caused that failure. Accountability is an intuitively stronger property than verifiability as the latter only rests on the possibility of detecting the failure of a goal. A plethora of accountability and verifiability definitions have been proposed in the literature. Those definitions are either very specific to the protocols in question, hence not applicable in other scenarios, or too general and widely applicable but requiring complicated and hard to follow manual proofs.