Formalization and Proof of Secrecy Properties
Abstract
Appears in the Proc. 12th IEEE CSFW, pp. 92-95.

After looking at the security literature, you will find secrecy is formalized in different ways, depending on the application. Applications have threat models that influence our choice of secrecy properties. A property may be reasonable in one context and completely unsatisfactory in another if other threats exist. The primary goal of this panel is to foster discussion on what sorts of secrecy properties are appropriate for different applications and to investigate what they have in common. We also want to explore what is meant by secrecy in different contexts. Perhaps there is enough overlap among our threat models that we can begin to identify some key secrecy properties for wider application. Currently, secrecy is treated in rather ad hoc ways. With some agreement among calculi for expressing protocols and systems, we might even be able to use one another's proof techniques for proving secrecy!

Four experts were invited as panelists. Two panelists, Riccardo Focardi and Martín Abadi, represent formalizations of secrecy as demanded by secure systems that aim to prohibit various channels, or insecure information flows. More specifically, they represent noninterference-based secrecy. The other two panelists, Cathy Meadows and Jon Millen, represent formalizations of secrecy for protocols based on the Dolev-Yao threat model [2]. Below are some specific questions that were asked of each of the panelists:

1. Secrecy is sometimes formulated as a "safety" property in protocol analysis, where one is concerned with whether an intruder learns a specific value (a secret). Such a criterion is inadequate for guaranteeing secure information flow in systems where secrets can always be encoded or transmitted in covert ways. Leaks arising by indirect flows from within a process executing a protocol seem as dangerous as those caused by message exchange with an adversary. This is especially true of crypto protocols whose implementations normally admit cryptanalytic attacks. So why does protocol analysis adopt a different criterion?

2. Is there a secrecy property for protocols and systems? Is it noninterference (NI) based? One key problem is encryption. It blows NI-based formulations apart. How can we cope with it? Do we assume perfect encryption and fiddle with notions of equivalence until we get the "desired effect"? Or do we use techniques that are more sensitive to the computational complexity of compromising secrets?

3. Can we study protocol secrecy within the same framework as that used …
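The contrast drawn in question 1, as an added example that is not part of the panel text: a toy process that never places the secret value on the wire, so it satisfies the "intruder learns a specific value" check, yet its observable trace still depends on the secret and so fails a noninterference check. The three processes, the observer's decoder and both checks are constructed here for illustration.

```python
# Added example, not from the paper: two secrecy criteria applied to toy processes.
# A process maps (secret, public input) to the list of messages an observer on
# the network sees. All processes and both checks are constructed for this example.

def honest(secret: int, pub: int) -> list[str]:
    # Neither the content nor the shape of the trace depends on the secret.
    return [f"hello {pub}", "ack"]

def direct_leak(secret: int, pub: int) -> list[str]:
    # Puts the secret value itself on the wire.
    return [f"hello {pub}", f"key={secret}"]

def covert_leak(secret: int, pub: int) -> list[str]:
    # Never sends the secret, but the length of each padding message carries one
    # bit of the 8-bit secret ("pad." for 0, "pad.." for 1).
    trace = [f"hello {pub}"]
    for i in range(8):
        bit = (secret >> i) & 1
        trace.append("pad" + "." * (bit + 1))
    trace.append("ack")
    return trace

def observer_decodes(trace: list[str]) -> int:
    # What a passive observer of covert_leak reconstructs from padding lengths alone.
    bits = [len(m) - 4 for m in trace if m.startswith("pad")]
    return sum(b << i for i, b in enumerate(bits))

def secret_as_safety(proc, secret: int, pub: int) -> bool:
    """Safety-style criterion from protocol analysis: the secret value never
    appears in the observable trace."""
    return str(secret) not in " ".join(proc(secret, pub))

def noninterference(proc, pub: int, secrets) -> bool:
    """NI-style criterion: the observable trace is identical for every choice of
    secret, so the observer learns nothing, not even encoded bits."""
    traces = {tuple(proc(s, pub)) for s in secrets}
    return len(traces) == 1

if __name__ == "__main__":
    for proc in (honest, direct_leak, covert_leak):
        print(proc.__name__,
              "safety:", secret_as_safety(proc, 165, 7),
              "NI:", noninterference(proc, 7, range(256)))
    print("observer recovers", observer_decodes(covert_leak(165, 7)))
```

Only the noninterference check rejects `covert_leak`; the safety-style check accepts it even though the observer recovers the full secret from the trace.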
Similar references
Extending the Strand Space Method with Timestamps: Part II Application to Kerberos V
In this paper, we show how to use the novel extended strand space method to verify Kerberos V. First, we formally model novel semantical features in Kerberos V such as timestamps and protocol mixture in this new framework. Second, we apply unsolicited authentication test to prove its secrecy and authentication goals of Kerberos V. Our formalization and proof in this case study have been mechani...
Inductive Proofs of Computational Secrecy
Secrecy properties of network protocols assert that no probabilistic polynomial-time distinguisher can win a suitable game presented by a challenger. Because such properties are not determined by trace-by-trace behavior of the protocol, we establish a trace-based protocol condition, suitable for inductive proofs, that guarantees a generic reduction from protocol attacks to attacks on underlying ...
Inductive Proof Method for Computational Secrecy
We investigate inductive methods for proving secrecy properties of network protocols, in a “computational” setting applying a probabilistic polynomial-time adversary. As in cryptographic studies, our secrecy properties assert that no probabilistic polynomial-time distinguisher can win a suitable game presented by a challenger. Our method for establishing secrecy properties uses inductive proofs...
One-Round Deniable Key Exchange with Perfect Forward Security
In response to the need for secure one-round authenticated key exchange protocols providing both perfect forward secrecy and full deniability, we put forward a new paradigm for constructing protocols from a Diffie-Hellman type protocol plus a non-interactive designated verifier proof of knowledge (DV-PoK) scheme. We define the notion of DV-PoK which is a variant of non-interactive zero-knowledg...
Proving Abstract Non-interference
In this paper we introduce a compositional proof-system for certifying abstract non-interference in programming languages. Certifying abstract noninterference means proving that no unauthorized flow of information is observable by the attacker from confidential to public data. The properties of the computation that an attacker may observe are specified as an abstract domain. Assertions specify ...