CRYPTOGRAPHIC PROTOCOL SECURITY IN NATIONAL ENCRYPTION APPLICATIONS
Abstract
In the era of digital transformation, information exchange, especially confidential and strategic information has become the most vital aspect for almost all organizations. Various bad precedents regarding classified and strategic information leaks in Indonesia have become a slap in the face that must be acknowledge and answered with effective solutions. In 2020, XYZ Agency developed a file encryption application (ABC Application) to address the challenge of securing confidential information, especially those transmitted on electronic channels. Until 2022, the ABC Application has been implemented in a limited scope and its implementation is planned to be expanded nationally. After 2 years of operation, the XYZ Agency has conducted a study on the security of the algorithm used in ABC Application, but unfortunately has not conducted an in-depth study regarding the security of the protocol suite used in the Application. In this research, a security analysis of ABC application protocol suites, namely the registration protocol, user verification, key generation, and key request for the encryption-decryption process protocol was conducted through formal verification approach using the Scyther Tool. The analysis focuses on aspects of guaranteeing confidentiality of information and authentication with four criteria, namely secrecy, aliveness, synchronization, and agreement. The experimental results showed that these protocols meet the security criteria for the transmitted confidential information but have general weaknesses in the authentication aspect, especially for synchronization and agreement criteria. Based on these weaknesses, technical recommendations are proposed that are able to overcome the identified weaknesses.
Downloads
References
Ş. Eroğlu and T. Çakmak, "Information as an organizational asset: assessment of a public organization’s capabilities in Turkey," SAGE Journals of Information Development, vol. 36, no. 1, pp. 58-77, 2020.
C. C. Aktan and İ. Y. Vural, "Bilgi C¸ ag˘ ında Bilginin Yo¨netimi (Manajemen Informasi dan Jaringan Informasi)," in Bilgi Yo¨netimi ve Bilgi Sistemleri (Manajemen Informasi dan Sistem Informasi), Konya, Çizgi Kitabevi, 2005, pp. 1-30.
Undang-Undang Nomor 14 Tahun 2008 tentang Keterbukaan Informasi Publik.
F. Cooren, T. Khun, J. P. Cornelissen and T. Clark, "Communication, Organizing and organization: An Overview and Introduction to the Special Issue," Journals of Organization Studies (SAGE Journals Access), vol. 32, no. 9, pp. 1149-1170, 2011.
Lee, R. R., McDonagh, J. E., Farre, A., Peters, S., Cordingley, L., & Rapley, T. "Data protection, information governance and the potential erosion of ethnographic methods in health care?" Sociology of Health & Illness, 44: 211– 217, 2022.
BBCIndonesia, "BIN: Australia menyadap Indonesia sejak 2007," BBC Indonesia, 20 November 2013. [Online]. Available: https://www.bbc.com/indonesia/berita_indonesia/2013/11/131120_bin_sadap_australia. [Diakses pada 1 Desember 2022].
BIN, "Kepala BIN: Evaluasi Sistem Keamanan Komunikasi," Badan Intelijen Negara, 28 November 2013. [Online]. Available: http://www.bin.go.id/nasional/detil/255/1/29/11/20%2013/kepala-bin-evaluasi-sistem-keamanankomunikasi. [Diakses pada 1 Desember 2020].
Tempo.co, "4 Kasus Penyadapan Besar di Indonesia," Tempo, 21 February 2014. [Online]. Available: https://nasional.tempo.co/read/556304/4-kasus-penyadapan-besar-di-indonesia. [Diakses pada 1 Desember 2022].
Policies For The Protection Of Critical Information Infrastructure: Ten Years Later. (2019). (). Paris: Organisation for Economic Cooperation and Development (OECD). Retrieved from ProQuest One Business; SciTech Premium Collection Retrieved from https://www.proquest.com/reports/policies-protection-critical-information/docview/2187380843/se-2.
Peraturan Presiden Nomor 82 Tahun 2022 tentang Pelindungan Infrastruktur Informasi Vital.
Peraturan Instansi XYZ Nomor a Tahun x Tentang Perubahan atas Peraturan Instansi XYZ Nomor b Tahun x tentang Penyelenggaraan Penilaian Kesiapan Penerapan SNI ISO/IEC 27001 Menggunakan Indeks Keamanan Informasi.
M. Soriano, Information and Network Security 1st Edition, R. Gustau and S. Silvestre, Eds., Prague: Czech Technical University.
J. K. Shim, A. A. Qureshi and J. G. Siegel, The International Handbook of Computer Security, United States: The Glenlake Publishing Company, Ltd, 2000.
A. J. Menezes, S. A. Vanstone and P. C. Van Oorschot, Handbook of Applied Cryptography, United States: CRC Press, 1997.
J. Andres, "The Basics of Information Security: Understanding the Fundamentals of InfoSec in Theory and Practice," Syngress Media Incorporated, Amsterdam, 2011.
Instansi XYZ, Dokumentasi Aplikasi ABC, 2021 (unpublished)
S. S. Emami, Security Analysis of Cryptographic Algorithms, Sydney: Macquarie University, 2013.
Q. Chen, C. Zhang and S. Zhang, "Overview of Security Protocol Analysis," in Secure Transaction Protocol Analysis, Lecture Notes in Computer Science, Vol 5111, Heidelberg, Springer, 2008.
Undang-Undang Nomor 27 Tahun 2022 tentang Pelindungan Data Pribadi.
N. Z. Almuzaini and I. Ahmad, "Formal Analysis of the Signal Protocol Using the Scyther Tool," 2019 2nd International Conference on Computer Applications & Information Security (ICCAIS), pp. 1-6, 2019, doi: 10.1109/CAIS.2019.8769532.
Fikri, M. A., Ramli, K., & Sudiana, D., "Formal verification of the authentication and voice communication protocol security on device X using scyther tool," IOP Conference Series. Materials Science and Engineering, 1077(1), 2019, doi:https://doi.org/10.1088/1757-899X/1077/1/012057.
Shaik Shakeel Ahamad & Al-Sakib Khan Pathan, "A formally verified authentication protocol in secure framework for mobile healthcare during COVID-19-like pandemic," Connection Science, 33:3, 532-554, 2021, doi: 10.1080/09540091.2020.1854180
N. E., Madhoun, F. Guenane, G. Pujolle, "An online security protocol for NFC payment: Formally analyzed by the scyther tool," Second International Conference on Mobile and Secure Services (MobiSecServ), pp. 1-7, 2016, doi: 10.1109/MOBISECSERV.2016.7440225.
P. R. Babu, A. G. Reddy, B. Palaniswamy and S. K. Kommuri, "EV-Auth: Lightweight Authentication Protocol Suite for Dynamic Charging System of Electric Vehicles With Seamless Handover," in IEEE Transactions on Intelligent Vehicles, vol. 7, no. 3, pp. 734-747, Sept. 2022, doi: 10.1109/TIV.2022.3153658.
S. Rostampour, M. Safkhani, et al. "ECCbAP: A secure ECC-based authentication protocol for IoT edge devices," Pervasive and Mobile Computing, Volume 67, ISSN 1574-1192, 2020 doi: https://doi.org/10.1016/j.pmcj.2020.101194.
H. Huang, S. Lu, Z. Wu, et al, "An efficient authentication and key agreement protocol for IoT-enabled devices in distributed cloud computing architecture," J Wireless Com Network, 150, 2021, https://doi.org/10.1186/s13638-021-02022-1.
M. Hosseinzadeh et al., "A New Strong Adversary Model for RFID Authentication Protocols," in IEEE Access, vol. 8, pp. 125029-125045, 2020, doi: 10.1109/ACCESS.2020.3007771.
M. Avalle, A. Pironti and R. Sisto, "Formal Verification of Security Protocol Implementations: a Survey," Form Asp Comp, vol. 26, pp. 99-123, 2014.
R. Chadha, V. Cheval, Ş. Ciobâcă and S. Kremer, "Automated Verification of Equivalence Properties of Cryptographic Protocols," ACM Transactions on Computational Logic, vol. 17, no. 4, p. Article 23, 2016.
Cremers, C., Mauw, S., Operational Semantics and Verification of Security Protocols, ISSN 1619-7100, Springer Berlin, Heidelberg, 2012, doi: https://doi.org/10.1007/978-3-540-78636-8.
El Madhoun, N., Bertin, E., Badra, M. et al. (2021). Towards more secure EMV purchase transactions. Ann. Telecommun. 76, 203–222, doi: https://remote-lib.ui.ac.id:2075/10.1007/s12243-020-00784-1
R. Amin, S. Kunal et al, "CFSec: Password based secure communication protocol in cloud-fog environment," Journal of Parallel and Distributed Computing, Volume 140, Pages 52-62, ISSN 0743-7315, 2020, doi: https://doi.org/10.1016/j.jpdc.2020.02.005.
A.K. Yadav, M. Misra, et al, "An improved and provably secure symmetric-key based 5G-AKA Protocol," Computer Networks, Volume 218, ISSN 1389-1286, 2022, doi: https://doi.org/10.1016/j.comnet.2022.109400.
M. Farokhlagha, S. Masoumeh, "SEOTP: A new secure and efficient ownership transfer protocol based on quadric residue and homomorphic encryption," Wireless Networks, 26(7), 5285-5306, 2022, doi:https://doi.org/10.1007/s11276-020-02397-x.
M. Bouchaala, C. Ghazel, L.A. Saidane, "Enhancing security and efficiency in cloud computing authentication and key agreement scheme based on smart card," J Supercomput 78, 497–522, 2022, doi:https://remote-lib.ui.ac.id:2075/10.1007/s11227-021-03857-7.
F.G. Darbandeh, M. Safkhani, "A New Lightweight User Authentication and Key Agreement Scheme for WSN," Wireless Pers Commun 114, 3247–3269, 2020, doi: https://remote-lib.ui.ac.id:2075/10.1007/s11277-020-07527-4.
Ahamad S. S., "A Novel NFC-Based Secure Protocol for Merchant Transactions," IEEE Access, vol. 10, pp. 1905-1920, 2022, doi: 10.1109/ACCESS.2021.3139065.
Peraturan Badan Siber dan Sandi Negara nomor 15 Tahun 2009, diatur tentang penyelenggaraan skema Common criteria Indonesia.
Hsiao, R., “Technology fears: Distrust and cultural persistence in electronic marketplace adoption,” The Journal of Strategic Information Systems. 12. 169-199, 2003, doi:10.1016/S0963-8687(03)00034-9.
Copyright (c) 2023 agung widodo
This work is licensed under a Creative Commons Attribution 4.0 International License.