Formal analysis of electronic exams

Universities and other educational organizations are adopting computer and Internet-based assessment tools (herein called e-exams) to reach widespread audiences. While this makes examination tests more accessible, it exposes them to new threats. At present, there are very few strategies to check such systems for security, and there is a lack of formal security definitions in this domain. This paper fills this gap: in the formal framework of the applied π-calculus, we define several fundamental authentication and privacy properties and establish the first theoretical framework for the security analysis of e-exam protocols. As proof of concept, we analyze two such protocols with ProVerif. The first “secure electronic exam system” proposed in the literature turns out to have several severe problems. The second protocol, called Remark!, is proved to satisfy all the security properties assuming access control on the bulletin board. We propose a simple protocol modification that removes the need for this assumption while still guaranteeing all the security properties.
