After looking at the security literature, you will find
secrecy is formalized in different ways, depending on
the application. Applications have threat models that
influence our choice of secrecy properties. A property
may be reasonable in one context and completely unsatisfactory
in another if other threats exist.
The primary goal of this panel is to foster discussion
on what sorts of secrecy properties arc appropriate for
different applications and to investigate what they have
in common. We also want to explore what is meant by
secrecy in different contexts. Perhaps there is enough
overlap among our threat models that we can begin to
identify some key secrecy properties for 'vidcr application.
Currently, secrecy is treated in rather ad hoc
ways. With some agreement among calculi for expressing
protocols and systems, we might even be able to
use one another's proof techniques for proving secrecy!
Four experts \Vere invited as panelists. Two panelists,
Riccardo Focardi and Martin Abadi, represent
formalizations of secrecy as demanded by secure systems
that aim to prohibit various channels, or insecure
information flows. More specifically, they represent
noninterference-based secrecy. The other two panelists,
Cathy Meadows and Jon Millen, represent formalizations
of secrecy for protocols based on the Dolev-Yao
threat model

Volpano, Dennis

Calhoun, Institutional Archive of the Naval Postgraduate School

Calhoun: The NPS Institutional ArchiveFaculty and Researcher Publications Faculty and Researcher Publications1999-06Formalization and Proof of Secrecy PropertiesVolpano, DennisProc. 12th IEEE Computer Security Foundations Workshop, pp. 92-95, Mordano Italy, June 1999.http://hdl.handle.net/10945/35270Formalization and Proof of Secrecy Properties Dennis Volpa.no Computer Science Department I\ a.val Postgraduate School .rvionterey, CA 93943, USA volpano©cs.nps.navy.mil After looking at the security literature, you will find secrecy is formafo;o;ed in different ways, depending on the application. Applications have threat models that influence our choice of secrecy properties. A property may be reasonable in one cont.ext and completely un-satisfactory in another if other threats exist. The primary goal of this panel is to foster discussion on 'vhat sorts of secrecy properties arc appropriate for different applications and to investigate what they have in common. \Ve also 'vant. to explore what is meant by secrecy in different contexts. Perhaps there is enough overlap among our threat models that we can begin to identify some key secrecy properties for 'vidcr appli-cation. Currently, secrecy is treated in rather ad hoc ways. \Vith some agreement. among calculi for express-ing protocols and systems, 've might even be able to use one another's proof techniques for proving secrecy! Four experts \Vere invited as panelists. Two pan-elists, Riccardo Focardi and :tvlartfn Abadi, represent formalbmtions of secrecy as demanded by secure sys-tems that aim to prohibit various channels, or insecure information flmvs. }fore specifically, they represent noninterference-based secrecy. The other two panelists, Cathy :tvleadows and .Jon l\Iillen, represent formaliza-tions of secrecy for protocols based on the Dolev-Yao threat model [2]. Belmv arc some specific questions that 'vcrc asked of each of the panelists: 1. Secrecy is sometimes formulated as a "safety" property in protocol analysis where one is con-cerned 'vith whether an intruder learns a specific value (a secret). Such a criterion is inadequate for guaranteeing secure information flow in systems where secrets can ahvays be encoded or transmit-ted in covert ways. Leaks arising by indirect fiows from within a process executing a protocol seem as dangerous as those caused by message exchange with an adversary. This is especially true of crypto u Appca.rs in the Proc 12th TEEE CSF\V, pp. !!2-95. protocols whose implementations normally admit cryptanalytic attacks. So why does protocol anal-ysis adopt a different criterion? 2. Is there a secrecy property for protocols and sys-tems'? Is it noninterference (='JI) based'? One key problem is encryption. It blows NI-based formu-lations apart. Hmv can 'vc cope with it"? Do we assume perfect encryption and fiddle with notions of equivalence until 've get the "desired effect"'? Or do we use techniques that are more sensitive to the computational complexity of compromising secrets'? 3. Can we study protocol secrecy within the same framework as that used for information flow in a concurrent setting? If not, why? 4. Suppose l\fallory imitates Bob in a key establish-ment protocol \vith Alice, to get Alice to accept a key that lVlallory knows. Is this a failure of secrecy because Alice incorrectly believes that the key is known only to Bob and herself'? Panelists were asked to try to respond to these ques-tions or provide questions that they feel arc more ap-propriate. Their responses are given in the following sections. Thanks to the panelists for participating. 1. Martin Abadi's Reply Suppose that we 'vish to require that a protocol pre-serve the secrecy of one of its parameters, :i:. The protocol should not leak any information about :r-in other words, the value of x should not interfere with the behavior of the protocol that the environment can observe. The parameter x may denote the identity of one of the participants or the sensitive data that is sent encrypted aft.er a key exchange. In general, we cannot express this secrecy property as a predicate on behaviors. On the other hand, representing the pro-tocol as a process P(x), \Ve may express the secrecy property by saying that P(Al) and P(N) a.re equiv-alent (or indistinguishable), for all possible values JV! and N for :r:. Here we say that t.\vO processes P1 and P 2 are equivalent. when no third process Q can distinguish running in parallel with P 1 from running in parallel in P'2. This notion of process equivalence (testing equiv-alence) has been applied to several classes of processes and \Vith several concepts of dist.inguishability, some-times accounting for cryptographic operations. Approaches based on predicates on behaviors rely on a rather different. definition of secrecy, which can be traced back to the influential work of Dolev and Yao. According to tha.t definition, a. process preserves the secrecy of a piece of data l\1 if the process never sends Al in clear on the network, or anything that would permit the computation of JJ1, even in interaction with an attacker. N cit.her definition of secrecy implies the other. The first one concerns a process with a free variable :r;, while the second one concerns a. process and a term \Vith no free variables. \Vith the first definition, we can sa.y that P(x) preserves the secrecy of the value of x even when this value may be a boolean; \Vit.h the second one, it does not make much sense to talk about a se-cret boolean. In addition, the first definition rules out implicit information flows, while the second one docs not. \Vhile the exact relations between the definitions remain unclear, I believe that the first one represents a more compelling criterion, and that the second one is a useful approximation that fits better into some formal frameworks. 2. Riccardo Focardi's Reply Non-Interference (NI) has been introduced with the aim of formalizing security policies in systems. In par-ticular, given hvo groups of users .4 and n, the require-ment ".4 must not interfere \:Vith B" basically imposes that wha.t is done by users in .4 cannot modify in any \vay the behaviour of the users in B. As a consequence, \Ve obtain that the information which is knmvn by users in .4 can never be revealed to users belonging to fl. This gives us a strong notion of secrecy (in systems). For example, through :\TI requirements, \Ve can easily formalize a multilevel security policy by requiring that users at a certain confidentiality level do not interfere with users at a lower level. Indeed, :\TI is a general concept that can also be prof-it.ably applied in other settings, as it simply verifies if someone is able to induce a ne\v (potentially danger-cms) behaviour. As an example, :\TI has already been 2 successfully exploited for the automatic verification of cryptographic protocols. Usually, when we consider a cryptographic protocol, \Ve would like to be guaran-teed that no enemy is able to introduce any "undesir-able behaviours". This is exactly what NI requires. For example, for secrecy an "undesirable behaviour" is rep-resented by the leaking of (secret) information which is detectable by simply observing the state of the enemy. This reflects the power and the limitations of the use of NI-based properties in the analysis of security protocols: • On one hand, the generality of NI makes it possi-ble to detect in the same analysis completely dif-ferent attacks (e.g., secrecy and authentication). This could increase the probability of finding ne\v attacks, since we do not need to fix in advance the specific security property to be checked; • On the other hand, this kind of analysis requires an additional effort in identifying which a.re the "undesirable behaviours", i.e., \vhich of the re-vealed behaviours are at.tacks and which are not. Hmvever, \vhen it is possible to reveal an attack by observing fe,v well-defined events, e.g., in secrecy analyses, this task becomes trivial. Finally, KI seems to be a good unifying approach to computer and net.vmrk security. As a matter of fact, after the underlying model has been enriched (in some way) in order to deal with cryptography, KI can be used to analyze protocol secrecy within the same framework as that used for information flow in systems. 3. Cathy Meadows' Reply :\fost of the work that has been done on applying formal methods to cryptographic protocols has relied upon the Dolev-Yao model, in \vhich both intruders and honest participants have access to a finite num-ber of \vell-defined operations obeying a finite set of algebraic rules. In this model the secrecy problem re-duces to the problem of determining whether or not an int.ruder can learn a specific word by combining the set of operations available to it v.rith the set of oper-ations performed by the legitimate participants in the protocol. This is a very simple notion of secrecy: the intruder either learns the \Vord or doesn't. Thus it avoids dealing with the quest.ion of whether or not the intruder can learn information about a word or key tha.t would help in cryptanalysis, whether or not the intruder learns relationships between words (for exam-ple the relationship behveen a message and its sender), and whether a conspirator can encode secret informa-tion in the execution of the protocol. On the other hand, the Dolev-Yao model gives the protocol analyst a powerful tool for understanding a \vide range of au-thentication properties that can be guaranteed by a cryptographic protocol. This is in marked contrast. to the notion of secrecy used in information flow, in which it is attempted to determine \Vhether one untrusted process H could pass information to another untrusted process L by deter-mining whether or not H has any effect on the system that is visible to L. ='Jot only is this a much more subtle notion of secrecy than the Dolev-Yao version, relying on knowledge of possible as \vell as actual behavior, but the trust model is different: in the Dolev-Yao model the holders of secrets are trusted, while in the information flow model the holder of secrets H is untrusted, and it is up to the system to provide the guarantee that H does not reveal information. Since the models satisfy such different requirements, it is difficult to "defend" one against the other. How-ever, it does make sense to ask how they could be made to work together in a system that must satisfy multi-level security requirements and also engage in authen-tication protocols. For example, we might. \Vant. to con-sider a system in \vhich a subject is trusted to engage properly in a cryptographic protocol, but may or may not be trusted not to leak information via. covert chan-nels. In order to understand hmv the two notions of se-curity can be made to \Vork together, we may \Vant to look at another notion of security for systems: the type provided by access control policies. In the access control model, as in the Dolev-Yao model, the system consists of a set of principals (subjects), some of whom may be dishonest, a set of objects, and a finite set of operations that may be performed on the objects, such as creation, deletion, and the granting and removing of access rights. As in the Dolev-Yao model, the notion of secrecy is simple; it boils dmvn to determining whether or not a subject can gain read access to an object. And, also as in the Dolev-Yao model, it is possible to use the finite set of operations to model a wide range of access control policies and requirements. A number of attempts have been made to unify ac-cess control models with information-flow type models, \vith some success. The Bell-Lapadula model was per-haps the first; it foundered on the question of dmvn-grading. The ability to downgrade data is necessary, but it also violates a straightfoward information flow policy, since it is an obvious flow from High to Low. Intransitive noninterference policies attempt to rec-tify thiR Rituation by allowing information to flmv only through certain channels, such as downgraders. Other \Vork, such as that of Simon Foley [3], has concentrated 3 on developing a framework that allows complex struc-tures of information flow requirements. An approach like the above would allow us to inte-grate cryptographic protocol analysiR into the informa-tion fiow model, but at the possible price of ignoring information fiow risks that could arise from deliberate information leakage during the execution of the proto-col. For this we might want to look at work that has been done in the cryptographic community to address this very problem - knmvn as "subliminal channels'' in this context [l]. However, this work introduces an added expense: the introduction of a trusted \Varden to verify the absence of subliminal messages. l\fore-over, most of the existing work is applicable only to 7:ero knowledge protocols, which have seen few practial applications. However, a closer look at this vmrk may give us ideas for applying it to more generally appli-cable protocols and to integrating it with information flow models. 4. Jon Millen's Reply It may seem odd that an apparently primitive con-cept like "secrecy" could be formalized in Reveral dif-ferent ways within a single application area such as cryptographic protocol analysis. But \Ve already have a precedent for a multiplicity of models of secrecy in the analysis of secure operating systems. Figures 1 and 2 shmv the analogy between the t.\vo subjects. It. is Rug-gested that there is a good reason for having more than one model, and that similar reasoning applies to both areas. The pyramid pictures illustrate the progression from simple, basic policies to a more detailed analysis that focuses on localized subsystems. The more focused analysis requires more detail in the syRtem model. In both environments, a really thorough treatment of se-crecy has to bring in Shannon's information theory, which implies probabilistic considerations. There is a fundamental difficulty in applying nonin-terference to encryption, namely the fact that changes in plaintext cause changes in ciphertext. In a proba-bilistic context, one can rephrase secrecy as an inability to diRtinguish secret information from randomly gen-erc~tted text. References [1] :\-Iike Burmester, Yvo Desmedt, Toshiya Itoh, Kouichi Sakurai, Hiroka Shizuya, and \Ioti Yung, A progress report on subliminal-free channnels, In Ross Anderson, editor, Information Hiding - First CovertChannelAnalysisProbabilistic modelsNoninterferenceAccess controlFigure 1. Secure Operating System AnalysisModel checking, Inductve proofsBelief logicsCryptanalysisFigure 2. Cryptographic Protocol AnalysisProbabilistic models

Formalization and Proof of Secrecy Properties

http://calhoun.nps.edu/bitstream/handle/10945/35270/Volpano_Formalization_1999.pdf?sequence=4&isAllowed=y

Formalization and Proof of Secrecy Properties

Abstract

Similar works

Full text

Available Versions

Calhoun, Institutional Archive of the Naval Postgraduate School