Towards a Multidisciplinary Framework for the Design and Analysis of Security Ceremonies

Marcelo Carlos

Research output: ThesisDoctoral Thesis

432 Downloads (Pure)


In today's networked society, security protocols are widely used by the majority of people. From web browsing and instant messaging to cash machines, we are all, directly or indirectly, using protocols in order to ensure that certain security properties, such as integrity or confidentiality, hold. However, a significant number of real world attacks on the implementation of security protocols are against the surrounding components, such as the users, and not directly against the protocol itself. In a protocol specification, the human actions are usually included in the design assumptions, without being explicitly described in the protocol flow. When implemented, these assumptions are then replaced by dynamic user-interactions. It is often the case that these assumptions do not hold in practice. If this happens, the implementation can fail to deliver the security goals that the protocol has been designed to provide.

Security ceremonies, introduced by Ellison, can be described as an extension of security protocols which includes whatever was originally left out-of-band. In a ceremony the node types may include devices and humans, and the communication channels may vary, including not only the traditional network channels, but also human communication (e.g. speech) and human-device communication (e.g. user-interfaces). The increased coverage that ceremonies allow means that assumptions, which previously provided relatively static input to protocol design, are now a more explicit part of the model. This allows a more detailed analysis of their influence on the ceremony's security goals.

In this thesis, we provide a thorough review of security ceremonies and what we can achieve through including them in the design and analysis of a security implementation. First, we propose a taxonomy of human-protocol interaction weaknesses. This is important because the human elements of a ceremony are very hard to model. We outline a taxonomy of the most common human-interaction difficulties that can potentially result in successful attacks against protocol implementations. We then map these weaknesses onto a set of design recommendations aimed at minimising those weaknesses. Such a taxonomy and recommendations are important when modelling the user interaction in a ceremony to prevent an unrealistic expectation of the user's actions. Next, we describe a framework for designing and analysing security ceremonies. We provide a description of the agent types, communication channels, events and an adaptive threat model, designed to accurately reflect real world scenarios. We then analyse existing ceremonies using our framework and present the results. Finally, we discuss how all of our findings are related and could be used and developed further.
Original languageEnglish
Awarding Institution
  • Royal Holloway, University of London
  • Price, Geraint, Supervisor
  • Mitchell, Chris, Advisor
Thesis sponsors
Award date1 Jun 2014
Publication statusUnpublished - 2014


  • security ceremonies
  • security protocols
  • threat models
  • ceremony analysis

Cite this