Design and Analysis of Secure Exam Protocols

TL;DR

This paper develops a formal framework for analyzing the security of various exam protocols, identifies vulnerabilities, and proposes new secure protocols, addressing emerging threats in computer-assisted and online exams.

Contribution

It introduces a formal security analysis framework for exams, classifies exam types, and designs three novel secure exam protocols with comprehensive security guarantees.

Findings

Identified security issues in traditional and computer-assisted exams.

Proposed modifications to improve exam protocol security.

Designed three new protocols ensuring key security requirements.

Abstract

Except for the traditional threat that candidates may want to cheat, exams have historically not been seen as a serious security problem. That threat is routinely thwarted by having invigilators ensure that candidates do not misbehave during testing. However, as recent exam scandals confirm, also invigilators and exam authorities may have interest in frauds, hence they may pose security threats as well. Moreover, new security issues arise from the recent use of computers, which can facilitate the exam experience for example by allowing candidates to register from home. Thus, exams must be designed with the care normally devoted to security protocols. This dissertation studies exam protocol security and provides an in-depth understanding that can be also useful for the study of the security of similar systems, such as personnel selections, project reviews, and conference management systems. It introduces an unambiguous terminology that leads to the specification of a taxonomy of various exam types, depending on the level of computer assistance. It then establishes a theoretical framework for the formal analysis of exams. The framework defines several authentication, privacy, and verifiability requirements that modern exams should meet, and enables the security of exam protocols to be studied. Using the framework, we formally analyse traditional, computer-assisted, and Internet-based exam protocols. We find some security issues and propose modifications to partially achieve the desired requirements. This dissertation also designs three novel exam protocols that guarantee a wide set of security requirements. Finally, this dissertation looks at exams as carried out through modern browsers. We advance a formal analysis of requirements that are not only logically conditioned on the technology but also on user actions. We conclude with best-practice recommendations to browser vendors.