www.elsevier.com/locate/comcom
Abstract

Security in networked information systems is a very complex task that ranges from the level of crypto-primitives over crypto-protocols to the level of organizational matters and legislation. All this is comprised in a so-called security policy, which is often treated as an afterthought. One of the main reasons is the lack of appropriate techniques for conceptual modeling of security policy at early stages of system design. The approach in this paper is based on flow controls as one of the key ingredients for defining a security policy. Consequent security services and security architectures are derived by means of the proposed technique, which also bridges the gap to formal techniques. The result is a formalized output that serves as a basis for further refinement in subsequent stages of the modeling process. © 2000 Elsevier Science B.V. All rights reserved.

Keywords: Security architectures; Security policy; Conceptual modeling; Formal methods
1. Introduction
Providing security in contemporary information systems (ISs) requires a wide spectrum of knowledge comprising cryptography, cryptographic protocols, system reliability, and organizational and even legislative matters. This clearly implies the need to involve various profiles in the process of IS protection, which was recognized in the early eighties [1] and has recently evolved into appropriate standards in the field [2,3]. The most general framework in the area of IS security has been carried out by the US Department of Defense and the European Union, resulting in the so-called Common Criteria (CC) [4]. This should be the basis for every attempt to model IS security, and it is also the basis for this paper.

Projected damage in case of loss of data or a non-operational IS is the starting point for security-related activities. Threat analysis is essential and has been studied intensively for a long time. It can be found in many places in the literature [5-7] and is usually very technically oriented. On the other hand, many successful attacks have been due to system design blunders and organizational matters [8,9]. The reasons arise from the development of ISs itself, which has a top-down nature, while security mechanisms and services are incorporated bottom-up. Therefore means are
* Tel.: 386-611-773379; fax: 336-611 262102.
E-mail address: denis.trcek@ijs.si (D. Trcek).
0140-3664/00/$ - see front matter © 2000 Elsevier Science B.V. All rights reserved.
PII: S0140-3664(00)00257-7
numbers. Next, keys are grouped in sets and each set has a corresponding key length. These sets form a sequence, where the consecutive position of a set in the sequence implies the length of keys in that set. Associating a particular security domain with a particular set is achieved by categorization. Besides, it is required that the sets of keys are disjoint.

All entities have to be classified into the defined security domains. A particular entity can belong to only one security domain. There should be no unconnected security domains, i.e. at least one data flow has to exist to or from each domain.

To handle data flows from one domain to another, a new relation dFT (dataFlowsTo) is introduced. This relation embodies flow controls, i.e. the security policy. It is a matter of access control how a piece of information within one domain is accessed. But once it is accessed within a particular domain, it is assumed to be shared between all members of this domain.

The next step is controlling its propagation to another security domain. This is the fundamental concept of SPCMT, and the relation dFT is the key building block of the whole SPCMT approach. Whichever security policy is chosen for a particular environment, it is embodied in a dFT relation, which has to be defined accordingly. The best-known technique in this field is the Bell-La Padula (BLP) technique [21]. Its definition would require appropriate statements for the no-write-down and no-read-up requirements. However, to keep things simple, the relation dFT in this paper is defined as a loose, network-like variant of the BLP model, in line with the following considerations:
- Based on a security policy, the dissemination of information is realized by using appropriate keys to set up confidentiality channels. It is required that an entity may not forward received information from one domain to an entity in another. Only the originating entity is eligible to do this, and if necessary an appropriate data flow has to be established.
- The concept of hierarchy is replaced by the concept of security domains, because organizations have structures that are closer to networks than to trees. This is also reflected in their networked computer systems, which operate in a distributed manner. For these reasons the hierarchical proliferation of information may be too limiting.
- The concept of subjects and objects is replaced with entities, as active and passive roles are interleaved (client-server technology).
Table 1
Initial specification for SPCMT

Domain/flow control   Authentication   Confidentiality
0                     Password         -
1                     Short keys       Short keys
2                     Mid keys         Mid keys
3                     Long keys        Long keys
In the following step, redundant cryptographic channels can be removed according to the derivation rules given in Fig. 4, which denotes system transitions where existing channels can be replaced with new channels [19].

Now the complete procedure of the conceptual modeling can be given. It consists of the following phases:
1. By analyzing a business process, entities and data flows are identified. This is modeled with an ordinary DFD technique.
2. Entities are classified into security domains and keys are categorized.
3. Data flows are weighted with labels, where the label of a particular data flow is determined by the security domain at which the connection starts.
4. Weighted data flow controls are replaced accordingly with crypto channels. Since authentication is the most basic service, the replacement starts with authentication channels.
5. If confidentiality channels are needed, it is checked whether they can be derived using existing authentication channels (see Fig. 3). If not, these channels are defined explicitly.
The output of this process is a model defined in Z notation.
A short explanation of the above steps follows. In the first step, processes have to be modeled somehow. For SPCMT, DFD is chosen, because it is one of the most popular tools for system analysis and design. DFD gives a clear presentation of what systems do, along with definitions of repositories of data. In the second step the starting point for the implementation of a security policy is defined. In the third step a dFT relation is included, which is the core of a security policy. The fourth step presents its practical implementation by using cryptographic channels. In the fifth step it is checked whether system transitions also result in the desired confidentiality channels. This last step basically presents an optimization of key management.
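As an added example (not from the paper), steps 2 to 4 of the procedure above executed on constructed sample data: Table 1 supplies the key class per domain, while the entity names, the key sets and the dFT pairs are assumed for illustration. The dFT relation is interpreted here as a set of permitted (source domain, destination domain) pairs, and a flow's label is the domain at which the connection starts.

```python
from itertools import combinations

# Table 1 of the paper: (authentication, confidentiality) key class per
# security domain; domain 0 uses passwords and has no confidentiality keys.
KEY_CLASSES = {0: ("password", None), 1: ("short", "short"),
               2: ("mid", "mid"), 3: ("long", "long")}
# Constructed sample key sets, one per key length; SPCMT requires disjointness.
KEY_SETS = {"short": {"k1", "k2"}, "mid": {"k3", "k4"}, "long": {"k5"}}

def check_model(domain_of, dft):
    """Step 2 checks: return the list of violated SPCMT requirements."""
    errors = [f"{e}: undefined domain {d}" for e, d in domain_of.items()
              if d not in KEY_CLASSES]
    connected = {d for pair in dft for d in pair}   # no unconnected domains
    errors += [f"domain {d} has no data flow" for d in KEY_CLASSES
               if d not in connected]
    errors += [f"key sets {a}/{b} overlap" for a, b in combinations(KEY_SETS, 2)
               if KEY_SETS[a] & KEY_SETS[b]]
    return errors

def weight_flows(domain_of, flows, dft):
    """Step 3: label flows with the originating domain; dFT must permit cross-domain flows."""
    labelled = []
    for src, dst in flows:
        d_src, d_dst = domain_of[src], domain_of[dst]
        if d_src != d_dst and (d_src, d_dst) not in dft:
            raise ValueError(f"flow {src}->{dst} violates dFT {d_src}->{d_dst}")
        labelled.append((src, dst, d_src))
    return labelled

def derive_channels(labelled, confidential):
    """Step 4: authentication channels first, then confidentiality where requested."""
    channels = []
    for src, dst, label in labelled:
        auth_key, conf_key = KEY_CLASSES[label]
        channels.append(("auth", src, dst, auth_key))
        if (src, dst) in confidential:
            if conf_key is None:
                raise ValueError(f"domain {label} has no confidentiality keys")
            channels.append(("conf", src, dst, conf_key))
    return channels

def example():
    """Constructed scenario with one entity in each domain of Table 1."""
    domain_of = {"clerk": 0, "teller": 1, "ledger": 2, "auditor": 3}
    dft = {(0, 1), (1, 2), (3, 2)}                   # constructed flow-control policy
    flows = [("clerk", "teller"), ("teller", "ledger"), ("auditor", "ledger")]
    assert check_model(domain_of, dft) == []
    labelled = weight_flows(domain_of, flows, dft)
    return derive_channels(labelled, {("teller", "ledger"), ("auditor", "ledger")})
```

A flow from a domain whose only authentication means is a password cannot be given a confidentiality channel in this model, which is exactly the gap step 5 would have to close by deriving or defining one explicitly.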
Table 2
The initial table

Domain/flow control   Authentication   Confidentiality
0                     Passwords        -
1                     Short keys       Short keys
2                     Mid keys         Mid keys
Fig. 6. (a) The fourth phase and (b) the fifth phase.
References
[1] D.B. Parker, Manager's Guide to Computer Security, Prentice-Hall, London, 1981.
[2] ISO, Information Security Guidelines, TC68/SC2/WG4, TR 13569, CD N481, Geneva, 1997.
[3] ISO, Guidelines for the Management of IT Security, parts 1-4, Selection of Safeguards, ISO/IEC JTC1/SC27, TR 13335, WD N 1659, Geneva, 1998.
[4] ISO, Common Criteria for Information Technology Security Evaluation, version 2.0, parts 1-3, ISO/IEC 15408, Geneva, May 1998.
[5] E. Amoroso, Fundamentals of Computer Security Technology, Prentice-Hall, New Jersey, 1994.
[6] W. Stallings, Network and Internetwork Security, Prentice-Hall, London, 1995.
[7] National Institute of Standards and Technology, Computer Security Handbook, Computer Systems Laboratory, Gaithersburg, MD 20899-0001.
[8] R.J. Anderson, Whither Cryptography, Information Management and Computer Security, vol. 2, no. 5, MCB University Press, 1994.
[9] R.J. Anderson, Why Cryptosystems Fail, Communications of the ACM, 1994, pp. 32-40.
[10] B.S. Collins, S. Matthews, Securing Your Business Process, Computers and Security 12 (7) (1993) 629-633.
[11] J. Leiwo et al., Harmonizer: A Tool for Dealing with Information Security Requirements, Proceedings of the 3rd NWSCS, Trondheim, November 1998.
[12] ISO, Z version 1.2, CD 13568, JTC1 SC22, September 1995, Geneva.
[13] D. Trcek et al., Security Policy Space Definition and Structuring, Computer Standards and Interfaces 18 (1996) 191-196.
[14] ISO, Information Processing Systems, OSI RM Security Architecture, ISO 7498-2, July 1988.
[15] ISO/IEC, Information Technology, OSI Security Frameworks for Open Systems, 10181, parts 1-8, Geneva, 1996.
[16] ITU-T, Authentication Framework, X.509(E), Geneva, 1993.
[17] M. Burrows et al., A Logic of Authentication, ACM Transactions on Computer Systems 8 (1) (1990) 18-36.
[18] C. Boyd, Security Architectures Using Formal Methods, IEEE Journal on Selected Areas in Communications 11 (5) (1993) 694-701.
[19] T. DeMarco, Structured Analysis and System Specification, Prentice-Hall, New York, 1978.
[20] D.E.R. Denning, Cryptography and Data Security, Addison-Wesley, Reading, 1982.
[21] D. Bell, L. La Padula, Secure Computer Systems: Mathematical Foundations, ESD-TR-73-278, MITRE Corporation, 1973.
[22] M. Gordon, T. Melham, Introduction to HOL, Cambridge University Press, Cambridge, 1993.
[23] M. Abadi et al., Calculus for access control in distributed systems,
Denis Trcek received his PhD from the University of Ljubljana in 1995. As a scientist he has been involved in the field of information systems and computer networks, with emphasis on security, for almost ten years. He has authored or co-authored about 60 papers, a majority of them published in international journals, proceedings of international conferences and invitational workshops. He is involved in many EU research projects, e.g. NetLINK/CEE, COST 257. Some recent market-oriented projects: project leader for the design and implementation of the information system for the Slovene National Gallery, and consulting in the field of security policy for e-banking services at Nova ljubljanska banka (the biggest Slovene bank). His current interests include security policy formalization, e-business and intrusion detection.