Shostack + Friends Blog Archive


Ceremony Design and Analysis

Carl Ellison has been doing some really interesting work on what he calls Ceremonies:

The concept of ceremony is introduced as an extension of the concept of network protocol, with human nodes alongside computer nodes and with communication links that include UI, human-to-human communication and transfers of physical objects that carry data. What is out-of-band to a protocol is in-band to a ceremony, and therefore subject to design and analysis using variants of the same mature techniques used for the design and analysis of protocols. Ceremonies include all protocols, as well as all applications with a user interface, all workflow and all provisioning scenarios. A secure ceremony is secure against both normal attacks and social engineering. However, some secure protocols imply ceremonies that cannot be made secure.

He’s talked about it in public a little before, and now has a paper available from the IACR eprint service, “Ceremony Design and Analysis.”

If you design network protocols, or think about the intersection of security and usability, this is very much worth reading.

3 comments on "Ceremony Design and Analysis"

  • Chris says:

    “The major effort yet to be accomplished in the field of ceremony design and analysis is the modeling of the memory, state machines and processing performed by human nodes. The definitive research in this area should be conducted by experimental psychologists or cognitive scientists.” (emphasis mine)
    Because we all know human behavior is determined individually, without reference to its social context. :^)
    Methinks more “human nodes” should transcend psychological reductionism. As a student of the human condition, I expect more.

  • Ian says:

    Fascinating. As a network professional I’ve always felt that leaving the human “node” out of the network design is missing the purpose of the network. In some way, ultimately, all networks are connecting human actors and therefore security, reliability and performance considerations should take that into account. If there is a computing network which exists for its own, non-anthopogenic sake, I’d be interested in knowing about it. I’d hazard it is probably biological in origin.

  • nick says:

    A related idea is the “cognitive channel.” A cognitive channel is a “protocol” where human beings are the endpoints rather than computers or misleading abstractions like “Alice” and “Bob”. When somebody tells you about a cool new web site and you go to it, or when you read a domain name or e-mail address in an ad and then type it in, or when you share your PGP public key with somebody (perhaps after they’ve checked your driver’s license), those are examples of cognitive channels. Your credit report is a cognitive channel. Phishing (and “social engineering” generally) are attacks against the cognitive channel.

Comments are closed.