
Editorial
Select search scope: search across all journals or within the current journal

It was recently argued that the presence of covert channels should no longer be taken for granted in multilevel secure systems. Until today, multilevel security seems to have been an ideal to approach and not a requirement to meet. The question is: is it possible to design a practical multilevel system offering full security? Based on which architecture? The approach described in this paper reflects some results of a research project which suggests some ideas to answer these questions. We have chosen the distributed architecture of a secure LAN as an application framework. In particular we show how controls exerted on dependencies permit to control exhaustively the elementary flows of information. The enforced rules govern both the observation and the handling of data over the whole system. They are achieved by means of some hardware mechanisms that submit the access of hosts to the medium to a secure-medium access control protocol. We evaluate how secure dependencies used to ensure confidentiality and integrity in such an architecture do not prevent to build distributed operating services, as file sharing, over a secure network.
The standard approach to the specification of a secure system is to present a (usually state-based) abstract security model separately from the specification of the system's functional requirements, and establishing a correspondence between the two specifications. This complex treatment has resulted in development methods distinct from those usually advocated for general applications.
We provide a novel and intellectually satisfying formulation of security properties in a process algebraic framework, and show that these are preserved under refinement. We relate the results to a more familiar state-based (Z) specification methodology. There are efficient algorithms for verifying our security properties using model checking.
A calculus of channel security properties is presented which allows the analysis and comparison of protocols for establishing secure channels in a distributed open system at a high level of abstraction. A channel is characterized by its direction, its time of availability and its security properties. Cryptographic primitives as well as trust relations are interpreted as transformations for channel security properties, and a cryptographic protocol can be viewed as a sequence of such transformations. A protocol thus allows to transform a set of secure channels established during an initial setup phase, together with a set of insecure channels available during operation of the system, into the set of secure channels specified by the security requirements. The necessary and sufficient requirements for establishing a secure channel between two entities A and B are characterized in terms of secure channels to be made available during the initial setup phase and in terms of the minimal trust A and B must have into other entities or into trusted third parties.
Reliable authentication of communicating entities is essential for achieving security in a distributed computing environment. The design of such systems as Kerberos, SPX and more recently KryptoKnight and Kuperee, have largely been successful in addressing the problem. The common element with these implementations is the need for a trusted third-party authentication service. This essentially requires a great deal of trust to be invested in the authentication server which adds a level of complexity and reduces system flexibility.
The use of a Beacon to promote trust between communicating parties was first suggested by M. Rabin in “Transactions protected by beacons”, Journal of Computer and System Sciences, Vol. 27, pp. 256-267, 1983. In this paper we revive Rabin's ideas which have been largely overlooked in the past decade. In particular we present a novel approach to the authentication problem based on a service called Beacon which continuously broadcasts certified nonces. We argue that this approach considerably simplifies the solution to the authentication problem and we illustrate the impact of such a service by “Beaconizing” the well know Needham and Schroeder protocol. The modified protocol would be suitable for deployment at upper layers of the communication stack. We also illustrate the wide range of potential use of Beacons by employing it in a distributed authentication scheme based on the Kuperee server.
This paper discusses issues and idiosyncrasies associated with changing passwords and keys in distributed computer systems. Current approaches are often complicated and fail to provide the desired level of security and fault tolerance. A novel and very simple approach to changing passwords/keys is presented and analyzed. It provides a means for human users and service programs to change passwords and keys in a robust and secure fashion.
