17 research outputs found
Privacy Architectures: Reasoning About Data Minimisation and Integrity
Privacy by design will become a legal obligation in the European Community if
the Data Protection Regulation eventually gets adopted. However, taking into
account privacy requirements in the design of a system is a challenging task.
We propose an approach based on the specification of privacy architectures and
focus on a key aspect of privacy, data minimisation, and its tension with
integrity requirements. We illustrate our formal framework through a smart
metering case study.Comment: appears in STM - 10th International Workshop on Security and Trust
Management 8743 (2014
Verification of the TESLA protocol in MCMAS-X
We present MCMAS-X, an extension of the OBDD-based model
checker MCMAS for multi-agent systems, to explicit and deductive knowledge. We use MCMAS-X to verify authentication properties in the TESLA secure stream protocol
Privacy by Design: From Technologies to Architectures (Position Paper)
Existing work on privacy by design mostly focus on technologies rather than
methodologies and on components rather than architectures. In this paper, we
advocate the idea that privacy by design should also be addressed at the
architectural level and be associated with suitable methodologies. Among other
benefits, architectural descriptions enable a more systematic exploration of
the design space. In addition, because privacy is intrinsically a complex
notion that can be in tension with other requirements, we believe that formal
methods should play a key role in this area. After presenting our position, we
provide some hints on how our approach can turn into practice based on ongoing
work on a privacy by design environment
Modeling Adversaries in a Logic for Security Protocol Analysis
Logics for security protocol analysis require the formalization of an
adversary model that specifies the capabilities of adversaries. A common model
is the Dolev-Yao model, which considers only adversaries that can compose and
replay messages, and decipher them with known keys. The Dolev-Yao model is a
useful abstraction, but it suffers from some drawbacks: it cannot handle the
adversary knowing protocol-specific information, and it cannot handle
probabilistic notions, such as the adversary attempting to guess the keys. We
show how we can analyze security protocols under different adversary models by
using a logic with a notion of algorithmic knowledge. Roughly speaking,
adversaries are assumed to use algorithms to compute their knowledge; adversary
capabilities are captured by suitable restrictions on the algorithms used. We
show how we can model the standard Dolev-Yao adversary in this setting, and how
we can capture more general capabilities including protocol-specific knowledge
and guesses.Comment: 23 pages. A preliminary version appeared in the proceedings of
FaSec'0
Protection de la vie privée dès la phase de conception: application à la vérification de propriétés d'architectures de systèmes biométriques
The goal of the work presented in this paper is to show the applicability of the privacy by design approach to biometric systems and the benefit of using formal methods to this end. We build on a general framework for the definition and verification of privacy architectures introduced at STM 2014 and show how it can be adapted to biometrics. The choice of particular techniques and the role of the components (central server, secure module, biometric terminal, smart card, etc.) in the architecture have a strong impact on the privacy guarantees provided by a biometric system. Some architectures have already been analysed but on a case by case basis, which makes it dicult to draw comparisons and to provide a rationale for the choice of specific options. In this paper, we describe the application of a general privacy architecture framework to specify di↵erent design options for biometric systems and to reason about them in a formal way
Biometric Systems Private by Design: Reasoning about privacy properties of biometric system architectures
International audienceThe goal of the work presented in this paper is to show the applicability of the privacyby design approach to biometric systems and the benefit of using formal methods to this end. Webuild on a general framework for the definition and verification of privacy architectures introducedat STM 2014 and show how it can be adapted to biometrics. The choice of particular techniques andthe role of the components (central server, secure module, biometric terminal, smart card, etc.) in thearchitecture have a strong impact on the privacy guarantees provided by a biometric system. Somearchitectures have already been analysed but on a case by case basis, which makes it difficult to drawcomparisons and to provide a rationale for the choice of specific options. In this paper, we describethe application of a general privacy architecture framework to specify different design options forbiometric systems and to reason about them in a formal way
Recommended from our members
Required Information Release
Many computer systems have a functional requirement to release information. Such requirements are an important part of a system's information security requirements. Current information-flow control techniques are able to reason about permitted information flows, but not required information flows.
In this paper, we introduce and explore the specification and enforcement of required information release in a language-based setting. We define semantic security conditions that express both what information a program is required to release, and how an observer is able to learn this information. We also consider the relationship between permitted and required information release, and define bounded release, which provides upper- and lower-bounds on the information a program releases. We show that both required information release and bounded release can be enforced using a security-type system.Engineering and Applied Science