available at www.sciencedirect.com
journal homepage: www.elsevier.com/locate/cose
Computers & Security 26 (2007) 246–255
Adaptable security mechanism for dynamic environments
Bogdan Księżopolski a,*, Zbigniew Kotulski b,c
a Institute of Computer Science, M. Curie-Skłodowska University, Pl. M. Curie-Skłodowskiej 1, 20-031 Lublin, Poland
b Institute of Fundamental Technological Research of PAS, Swietokrzyska 21, 00-049 Warsaw, Poland
c Institute of Telecommunications of WUT, Nowowiejska 15/19, 00-665 Warsaw, Poland
Article info
Article history:
Received 12 December 2005
Revised 25 October 2006
Accepted 1 November 2006
Keywords:
Network security
Information security
Cryptographic protocol
Cryptography
Risk management
Scalable security
Abstract
Electronic services in a dynamic environment (e.g. e-government, e-banking, e-commerce, etc.) meet many different barriers reducing their efficient applicability. One of them is the requirement of information security when it is transmitted, transformed, and stored in an electronic service. It is possible to provide the appropriate level of security by applying present-day information technology. However, the level of protection of information is often much higher than is necessary to meet potential threats. Since the level of security strongly affects the performance of the whole system, excessive protection decreases its reliability and availability and, as a result, its global security. In this paper we present a mechanism of adaptable security for digital information transmission systems (usually the crucial part of an e-service). It makes it possible to guarantee an adequate level of protection for the actual level of threats, which changes dynamically in the environment. In our model the basic element of security is the Public Key Infrastructure (PKI), enriched with specific cryptographic modules.
© 2006 Elsevier Ltd. All rights reserved.
1. Introduction
Nowadays advanced teleinformatic technologies provide a wide range of development possibilities for industry, institutions and public services. Emphasis is put on the development of well-available, mobile information services called "e-anything", like e-government, e-money, and e-banking. These public services are realized in an electronic manner, which enables increasing their availability while simultaneously cutting down on expenses (Barlow, 2003).
Implementation of these services would be connected with the choice of a proper level of security of the information sent between parties of protocols (Groves, 2001; Merabti et al., 2000; Patton and Josang, 2004). Among teleinformatic technologies, cryptographic modules are those which assure various information security services, e.g. confidentiality, integrity, non-repudiation and anonymity of data. The important problem is establishing an appropriate level of information security, represented by security services in a given protocol.
Every use of any Internet service is connected with information exchange, which in the case of a successful attack causes different threats to the whole process. This problem can be solved by estimating the security level for each phase of the protocol (Lambrinoudakis et al., 2003). Such an approach is only a partial solution, because during a particular phase of the protocol, information with different levels of threat can be sent. Traditionally, the aim has been to provide the strongest possible security. However, the use of strong mechanisms may deteriorate the performance of a device with limited resources and pave the way for new threats such as resource exhaustion. Finally, it decreases system efficiency and availability and introduces redundancy. Another effect of overestimating security mechanisms is an increase in system complexity, which later influences the implementation of a given project in practice, imposing restrictions that decrease its functionality.
* Corresponding author. E-mail addresses: [email protected] (B. Księżopolski), [email protected] (Z. Kotulski).
0167-4048/$ – see front matter © 2006 Elsevier Ltd. All rights reserved. doi:10.1016/j.cose.2006.11.002
The adequate solution in such a case is the introduction of an adaptable (or scalable) security model for the protocols, which can change the security level depending on the particular conditions that take place at a certain moment, and in given external conditions. In this paper we present a mechanism which can modify the level of security of information for each phase of the protocol. The parameters which influence the security level are: the risk of a successful attack, the probability of a successful attack and the independence of the security elements. The applied security elements which take care of the protection of information are based mainly on PKI services and additional cryptographic modules.
2. Security services
In practice, the realization of electronic processes is connected with the fulfilment of a number of legal and technical standards. While designing the systems, we can take care of different security services (Lambrinoudakis et al., 2003; NIST, 2004). Among them we can enumerate: confidentiality of data, integrity of data, anonymity of the parties of protocols, non-repudiation of a sender and/or a receiver, authorization, secure data storage, management of privileges, public trust, and network and protocol/service accountability. Every security service has its own characteristics. A systematic presentation of the security services is given in Table 1.
3. Security elements
The system conditions, described by the security services, can be fulfilled with many different security elements. To achieve this goal, we can use different mechanisms (Patel et al., 1999; Kulesza and Kotulski, 2003; Groves, 2001). In the article, we will focus on two groups of solutions: the services based on PKI (Lambrinoudakis et al., 2003; Patel et al., 1999) and additional cryptographic modules (Kulesza and Kotulski, 2003).
3.1. Security elements connected with PKI
• Registration: in order to be a member of the PKI domain, a user must register and go through a certification procedure in TTP. The main function of this service is to establish the reliable and unique binding between a user and his digital identity (e.g. his public key/secret key).
• Digital signatures: thanks to the digital signature, message authentication, message integrity, and non-repudiation can be obtained.
• Encryption: encryption is a basic service providing the cryptographic functions for protection of the confidentiality of messages in open networks.
• Time-stamping: time-stamping is described as the process of firmly attaching dates and times to a document in order to prove that it existed at a particular moment of time.
• Non-repudiation: this mechanism involves the generation, accumulation, retrieval and interpretation of evidence that a particular party processed a particular information process.
• Key management: the service deals primarily with handling the cryptographic keys in a proper, efficient, scalable, and secure way (ISO/IEC 11770-3, 1999).
Table 1 – Characteristics of the security services

| Group of services | Name of a service | Characteristics |
|---|---|---|
| Integrity | Integrity of data | Prevention against improper information modification |
| Non-repudiation | Non-repudiation of an action | Non-repudiation of sending a message (the fact of communication) |
| | Non-repudiation of a sender | Non-repudiation of the sender's identity and the fact of sending a message by the sender |
| | Non-repudiation of a receiver | Non-repudiation of the receiver's identity and the fact of receiving a message by the receiver |
| Confidentiality | Confidentiality of data | Guarantee of only authorized information access and disclosure |
| Authorization | Authorization of parties of the protocol | Correct authorization of parties of the protocol is required to realize a step of the protocol |
| Privileges | Management of privileges | A specific function of the party in the protocol depends on his certain defined permission level |
| Anonymity | Network anonymity | Hiding the fact that there was a data exchange (hiding the information flow, hiding the network traffic) |
| | Anonymity of a sender | Hiding the identity of a sender of the message (without network anonymity) |
| | Anonymity of a receiver | Hiding the identity of a receiver of the message (without network anonymity) |
| Availability | Availability of services | Ensuring timely and reliable access to services and data and use of information |
| Public trust | Trust between parties of the protocol | Possibility of public verification of an action in the protocol by cooperation of parties of the protocol |
| | TTP trust | Possibility of public verification of an action in the protocol by TTP |
| Secure storage | Secure storage of data | Confidential and permanent storage of information, available only for legal users |
| Accountability | Network accountability | Events in network are registered to restore past threats |
| | Protocol/service accountability | Steps of protocols (access to services) are registered to restore past threats |
• Certificate management: a digital certificate is an electronic token ensuring the binding between an entity and its digital identity. Functions supporting this service include generation, distribution, storage, retrieval, and revocation of digital certificates.
• Information repository: this service maintains the collection of data critical for operation of the TTP system (ETSI TS 102 042, 2002).
• Directory services: in order to interact, a user of a PKI must have access to information about other PKI users (e.g. the validity of their certificates).
• Camouflaging communication: camouflaging communication not only provides data confidentiality, but also hides every fact of communication.
• Authorization: a user of PKI who possesses a resource may grant another PKI user privileges to access this resource. TTPs should ensure granting privileges, including the ability to access specific information or resources.
• Audit: in order to ensure that certain operational, procedural, legal, qualitative, and technological requirements are complied with in the system (as it is assumed), an auditing service is required.
• TTP to TTP interoperability: interoperability services are concerned with the issues necessary for establishing a network of TTPs. Verification of parties of the protocol can be done simultaneously by different TTPs, which ensures the authenticity of TTP usage.
• Notary: public verification of the party of the protocol or of a certain message can be done by TTP.
3.2. Additional cryptographic modules
• SSS: Secure Secret Sharing Scheme, which can be used in the case when an encrypted message (e.g. with a certain public key) can be decrypted only with the cooperation of the assumed number of participants of the protocol (Kulesza and Kotulski, 2003; Saez, 2003).
• PKG: the module generates strong cryptographic keys, e.g. PKG based on a biometric method (Teoh et al., 2004). This technique generates personalized cryptographic keys from biometric data (data connected with a person), which offers an inextricable link to the owner.
• Anonymizer: the mechanism which protects the anonymity of parties of the protocol. An example of this could be Crowds. This is a scalable system, based on world-wide-web services. It assures anonymity of the message sender inside network communication (Reiter and Rubin, 1998).
• AA: the user identification scheme that can also simultaneously achieve the key exchange requirement while preserving the user's anonymity (Tzong-Sun and Chien-Lung, 2004).
• Individual numbers: individual numbers generated by parties of the protocol can improve users' anonymity (Księżopolski and Kotulski, 2004).
4. The concept of adaptable security
The realization of an electronic process strongly depends on a proper level of security. During the design of such a process, the security mechanisms are established. These are usually overestimated relative to the real risk. It can be noticed that there are certain differences between various kinds of information sent in the same electronic process. These concern different threats which, in the case of a successful attack, will affect parties of a protocol. In the case of a small threat, there is a real possibility of reducing redundant tools of information security, which in fact could improve the efficiency of the protocol and system availability and, as a consequence, should increase the global security level.
4.1. General requirements
Secure electronic processes are based on cryptographic protocols. Applications of properly designed cryptographic protocols introduce many security services which enable reliable realization of the electronic process. The protocols realize security services by means of various security elements, mainly PKI-based services and some additional cryptographic modules. The usage of these security elements is strictly defined in the steps of cryptographic protocols. After the protocol is properly designed, any modification of its content is prohibited without detailed security analysis; otherwise changes could ruin the whole concept of the protocol. This, in turn, negates the idea of adaptable security.
Creating different protocols which realize the same service, applied on different levels of security,1 is a solution to that contradiction. To design a given electronic service, a protocol is constructed according to well-defined security requirements. Some security elements are unchangeable because their modification would affect the given processes. Others can be added in a dynamic process of system tuning.
4.2. Parameters of the adaptable security concept
The security level of an electronic process depends on several factors. This level can be modified by the choice of security elements applied in a protection system. In the presented model of the scalable security, we suggest an analytical expression to calculate the security level; its numerical value is a function of three primary parameters:
1. The protection level: $L^x_{ij}$;
2. The risk of an attack on a given service: $[(1-\omega^x_{ij})(1-P^x_{ij})]$;
3. The parameter of scalability of the security mechanisms: $Z$.
The proposed expression has the following form:
$$F_S = \frac{1}{a}\sum_{i=1}^{a}\frac{1}{b_i}\sum_{j=1}^{b_i}\frac{1}{c_{ij}}\sum_{x=1}^{c_{ij}}\left(L^x_{ij}\right)^{Z}\left[\left(1-\omega^x_{ij}\right)\left(1-P^x_{ij}\right)\right], \tag{1}$$
where:
$F_S$ is the security level realized by a given version of cryptographic protocol, $F_S \in (0, 1)$;
$i$ is the number of subprotocols in a given protocol;
$j$ is the number of steps in a given subprotocol;
$x$ is the number of specific security services;
$\omega^x_{ij}$ is the weight describing an average cost of losses after a successful attack on a given service, $\omega \in (0, 1)$;
$L^x_{ij}$ is the value of a protection level for a given service, $L \in (0, 1)$;
$P^x_{ij}$ is the probability of an attack on a given service, $P \in (0, 1)$;
$Z$ is the scalability parameter for security elements, $Z \in (1, 10)$.
1 To simplify, when we change the element not important for the protocol's functionality but important for its security, we call it a new protocol.
Each of the above defined primary parameters in Eq. (1) is calculated for all cryptographic protocols, all subprotocols within these protocols, and all steps within these subprotocols.
The first parameter defines the protection level for a given cryptographic service in a given step of a subprotocol. It is the sum of the effects of chosen security elements which guarantee security of a given service.
The second parameter represents a risk of an attack on a given security service. It is a product of average losses made by a successful attack on the service, and the probability of an attack on the security service.
The third parameter offers the additional possibility of scaling the security mechanisms. It could describe, for instance, the independence of security elements used to reach a proper protection level. The security elements are mutually connected. Missing information protection mechanisms in one subprotocol (e.g. at the beginning of the protocol) strongly influence the security of other subprotocols. A degree of convergence can also be changeable; it depends on, among others, the number of subprotocols and the expected security level.
4.2.1. The level of protection
The security level of an electronic process depends mainly on specific elements of information protection used as required by the security services. In this paper, the security elements are based on PKI services and cryptographic modules. Table 2 presents the main security services and the possible security mechanisms that realize them.
Every security service can be realized by different security mechanisms. The security level of a given protocol depends, amongst other things, on an appropriate selection of the elements. For every security element, its level of protection is defined as $L^x_{ij}$. The contribution of the protection of a particular service to the global protection level is defined as a percentage.
Dependencies of the security elements presented in Table 2 are only an example. They can be created in an arbitrary way by using different security mechanisms. The value of the parameter L is a constant value for particular security requirements. While creating the cryptographic protocol on a different level of protection, this parameter should not be modified.
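The following added example (not code from the paper) evaluates Eq. (1) for two versions of the same protocol, building each $L^x_{ij}$ as the sum of the Table 2 percentages of the elements selected for that version. The protocol layout and the values of $\omega$ and $P$ are constructed for illustration, and accepting the endpoints of the range of $Z$ is an assumption.

```python
from dataclasses import dataclass

# Contribution of each security element to the protection level of a service,
# in percent, copied from Table 2 (rows "Integrity of data" and
# "Confidentiality of data").
TABLE2 = {
    "I": {"Digital signatures": 50, "Key management": 10,
          "Certificate management": 10, "Directory services": 5,
          "TTP to TTP interoperability": 15, "PKG": 10},
    "C": {"Encryption": 50, "Key management": 10,
          "Certificate management": 10, "SSS": 15,
          "Directory services": 5, "PKG": 10},
}


@dataclass(frozen=True)
class Service:
    name: str         # row key in TABLE2
    elements: tuple   # security elements selected for this protocol version
    omega: float      # impact weight of a successful attack (constructed value)
    p: float          # probability of an attack (constructed value)


def protection_level(service):
    """L: sum of the Table 2 contributions of the chosen elements (fraction)."""
    row = TABLE2[service.name]
    if len(set(service.elements)) != len(service.elements):
        raise ValueError("security element listed twice")
    unknown = [e for e in service.elements if e not in row]
    if unknown:
        raise ValueError(f"not a Table 2 element for {service.name}: {unknown}")
    return sum(row[e] for e in service.elements) / 100


def security_level(protocol, z):
    """Eq. (1). protocol is a list of subprotocols, each a list of steps,
    each step a list of Service objects."""
    if not 1 <= z <= 10:  # endpoints accepted here (assumption)
        raise ValueError("Z outside the range given for Eq. (1)")
    total = 0.0
    for subprotocol in protocol:
        sub_sum = 0.0
        for step in subprotocol:
            terms = [protection_level(s) ** z * (1 - s.omega) * (1 - s.p)
                     for s in step]
            sub_sum += sum(terms) / len(terms)      # average over services
        total += sub_sum / len(subprotocol)         # average over steps
    return total / len(protocol)                    # average over subprotocols


def build_protocol(integrity_elements, confidentiality_elements):
    """Hypothetical two-subprotocol layout shared by both versions below."""
    integ = Service("I", tuple(integrity_elements), omega=0.2, p=0.1)
    conf = Service("C", tuple(confidentiality_elements), omega=0.3, p=0.2)
    return [
        [[integ, conf], [integ]],   # subprotocol 1: two steps
        [[conf]],                   # subprotocol 2: one step
    ]


# Version with every Table 2 element selected, and a lighter version that
# keeps only the core PKI elements.
FULL = build_protocol(TABLE2["I"], TABLE2["C"])
REDUCED = build_protocol(
    ["Digital signatures", "Key management", "Certificate management"],
    ["Encryption", "Key management", "Certificate management"],
)

if __name__ == "__main__":
    for z in (1, 2, 5):
        print(z, round(security_level(FULL, z), 4),
              round(security_level(REDUCED, z), 4))
```

Raising $Z$ leaves the full version unchanged (its $L$ is 1) and lowers the result of the reduced version, which is how the parameter penalizes omitted elements more strongly.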
4.2.2. Probability of an incident occurrence
One of the parameters in Eq. (1) for scalable security is the risk of an attack on a given service. This parameter involves two factors: the probability of incident occurrence $(P^x_{ij})$ and the impact of a successful attack $(\omega^x_{ij})$. In this section we suggest a method to calculate the first parameter from this pair.
At the beginning, the combination of possible and accessible security elements is created and presented by means of a graph. In the graphs, detailed security parameters are defined, the choice of which affects the level of information security. For each service an individual graph is created. Fig. 1 depicts an example of such a graph with the security elements required to protect the security service "integrity of data". The choice of a particular graph node corresponds to a choice of a specific security element. By choosing rigid security elements, a number of graph nodes are connected by edges and a path is built. That path corresponds to the complete security service. Below, the description of the graph for the service "integrity of data" is given (Fig. 1), along with the values of parameters describing security services (they are to be defined later). To simplify, only the main security elements are taken into consideration. The whole graph should be based on the security mechanisms which are described in international security standards (e.g. ISO, IEC, IEEE, ETSI).
1 Integrity of data
1.1 Digital signature (LZ, LK, LP = heritage)
1.1.1 Cryptographic key management Cryptographic modules (min. level 2) (ISO/IEC 19790) (LZ = 80%, LK = 70%, LP = 80%, C = 0.05, M = 0.01)
1.1.1.1 Generating keys by using biometric method, PKG (Teoh et al., 2004) (LZ = 80%, LK = 100%, LP = 100%, M = 1.02) (LK + 5%, LP = +5%)
1.1.1.2 Audit (LZ = 10%, LK = 60%, LP = 40%) (LK = +5%, LP = +5%, C = 0.01, M = 0.03)
1.1.1.3 Ports and interfaces of cryptographic module (LZ, LK, LP = heritage)
1.1.1.3.1 Cryptographic modules (min. level 2) (ISO/IEC 19790) (LZ = 70%, LK = 50%, LP = 80%)
1.1.1.3.2 Cryptographic modules (min. level 3) (ISO/IEC 19790) (LZ = 70%, LK = 70%, LP = 80%)
1.1.2 Cryptographic key management Cryptographic modules (min. level 3) (ISO/IEC 19790) (LZ = 80%, LK = 80%, LP = 90%, C = 0.05, M = 0.02)
1.1.2.1 Generating keys by using biometric method, PKG (ISO/IEC 15408) (LZ = 80%, LK = 100%, LP = 100%, M = 0.02) (LK + 5%, LP = +5%)
1.1.2.2 Audit (LZ = 10%, LK = 60%, LP = 40%) (LK = +5%, LP + 5%, C = 0.01, M = 0.03)
1.1.2.3 Ports and interfaces of cryptographic module (LZ, LK, LP = heritage)
1.1.2.3.1 Cryptographic modules (min. level 2) (ISO/IEC 19790) (LZ = 70%, LK = 50%, LP = 80%)
1.1.2.3.2 Cryptographic modules (min. level 3) (ISO/IEC 19790) (LZ = 70%, LK = 70%, LP = 80%)
1.2 Key management (LZ, LK, LP = heritage)
1.2.1 Key generation (LZ, LK, LP = heritage)
1.2.1.1 Cryptographic modules (min. level 2) (FIPS PUB 140-2), Security techniques (min. EAL 3) (ISO/IEC 15408) (LZ = 80%, LK = 70%, LP = 80%)
1.2.1.2 Cryptographic modules (min. level 3) (FIPS PUB 140-2), Security techniques (min. EAL 4) (ISO/IEC 15408) (LZ = 80%, LK = 80%, LP = 90%, M = 0.01)
Table 2 – Security services and security elements that realize them

| Security service | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 |
|---|---|---|---|---|---|---|---|---|---|
| Integrity of data (I) | Digital signatures, L_I1 = 50% | Key management, L_I2 = 10% | Certificate management, L_I3 = 10% | Directory services, L_I4 = 5% | TTP to TTP interoperability, L_I5 = 15% | PKG, L_I6 = 10% | – | – | – |
| Non-repudiation of action (NRM) | Digital signatures, L_NRM1 = 30% | Time-stamping, L_NRM2 = 15% | Key management, L_NRM3 = 10% | Certificate management, L_NRM4 = 10% | Audit, L_NRM5 = 5% | Non-repudiation PKI, L_NRM6 = 10% | Directory services, L_NRM7 = 5% | Information repository, L_NRM8 = 5% | PKG, L_NRM9 = 10% |
| Non-repudiation of sender (NRS) | Digital signatures, L_NRS1 = 30% | Time-stamping, L_NRS2 = 15% | Key management, L_NRS3 = 10% | Certificate management, L_NRS4 = 10% | Audit, L_NRS5 = 5% | Non-repudiation PKI, L_NRS6 = 10% | Directory services, L_NRS7 = 5% | Information repository, L_NRS8 = 5% | PKG, L_NRS9 = 10% |
| Non-repudiation of receiver (NRR) | Digital signatures, L_NRR1 = 30% | Time-stamping, L_NRR2 = 15% | Key management, L_NRR3 = 10% | Certificate management, L_NRR4 = 10% | Audit, L_NRR5 = 5% | Non-repudiation PKI, L_NRR6 = 10% | Directory services, L_NRR7 = 5% | Information repository, L_NRR8 = 5% | PKG, L_NRR9 = 10% |
| Confidentiality of data (C) | Encryption, L_C1 = 50% | Key management, L_C2 = 10% | Certificate management, L_C3 = 10% | SSS, L_C4 = 15% | Directory services, L_C5 = 5% | PKG, L_C6 = 10% | – | – | – |
| Authorization of parties of protocol (Au) | Registration, L_Au1 = 20% | Digital signatures, L_Au2 = 20% | Key management, L_Au3 = 10% | Certificate management, L_Au4 = 10% | TTP to TTP interoperability, L_Au5 = 10% | Directory services, L_Au6 = 5% | Authorization PKI, L_Au7 = 10% | AA, L_Au8 = 10% | – |
| Management of privileges (MP) | Registration, L_MP1 = 50% | Authorization PKI, L_MP2 = 50% | – | – | – | – | – | – | – |
| Network anonymity (AN) | Crowds, L_AA1 = 100% | – | – | – | – | – | – | – | – |
| Anonymity of sender (AM) | Individual numbers, L_AM1 = 100% | – | – | – | – | – | – | – | – |
| Anonymity of receiver (AR) | Broadcasting, L_AR1 = 100% | – | – | – | – | – | – | – | – |
| Trust between parties of protocol (PTA) | Time-stamping, L_PTA1 = 30% | Information repository, L_PTA2 = 30% | Audit, L_PTA3 = 20% | TTP to TTP interoperability, L_PTA4 = 20% | – | – | – | – | – |
| TTP trust (PTT) | Time-stamping, L_PTT1 = 30% | Information repository, L_PTT2 = 20% | Audit, L_PTT3 = 10% | TTP to TTP interoperability, L_PTT4 = 10% | Notary, L_PTT5 = 30% | – | – | – | – |
| Secure storage of data (SS) | Encryption, L_SS1 = 30% | Time-stamping, L_SS2 = 10% | Key management, L_SS3 = 10% | Certificate management, L_SS4 = 10% | Non-repudiation PKI, L_SS5 = 10% | Information repository, L_SS6 = 15% | Directory services, L_SS7 = 5% | Audit, L_SS8 = 5% | PKG, L_SS9 = 5% |
| Network accountability (NA) | Logging, L_NA1 = 50% | Audit, L_NA2 = 20% | Encryption, L_NA3 = 10% | Digital signatures, L_NA4 = 10% | Information repository, L_NA5 = 10% | – | – | – | – |
| Protocol/service accountability (PA) | Logging, L_PA1 = 50% | Audit, L_PA2 = 20% | Encryption, L_PA3 = 10% | Digital signatures, L_PA4 = 50% | Information repository, L_PA5 = 10% | – | – | – | – |
Fig. 1 – The graph for security service: data integrity.
1.2.2 Key distribution (LZ = 80%, LK = 50%, LP = 80%, C = 0.02)
1.2.3 Key usage (LZ = 80%, LK = 80%, LP = 50%)
1.2.4 The end of key life cycle (LZ = 30%, LK = 80%, LP = 50%, C = 0.01)
1.3 Certificate management (LZ, LK, LP = heritage)
1.3.1 Subject registration (LZ, LK, LP = heritage)
1.3.1.1 Detailed verification of subject (LZ = 70%, LK = 30%, LP = 90%, C = 0.02)
1.3.1.2 Standard verification of subject (LZ = 70%, LK = 20%, LP = 70%, C = 0.02, M = 0.01)
1.3.2 Certification renewal (LZ = 70%, LK = 50%, LP = 30%, C = 0.02)
1.3.3 Certificate generation (LZ = 70%, LK = 80%, LP = 80%, M = 0.01)
1.3.4 Certificate dissemination (LZ, LK, LP = heritage)
1.3.4.1 The certificate verification is available as specified in the CA Certification Practice Statement (LZ = 30%, LK = 60%, LP = 30%, C = 0.03, M = 0.01)
1.3.4.2 The certificate verification is available 24 h per day, 7 days per week (LZ = 30%, LK = 80%, LP = 30%, C = 0.03, M = 0.02)
1.3.4.3 The certificate verification is additionally checked by another TTP (LZ = 30%, LK = 80%, LP = 70%, C = 0.02, M = 0.01) (LK + 5%, LP + 5%)
1.3.4.4 The certificate information is available depending on the permission level (LZ = 15%, LK = 50%, LP = 30%) (LK + 5%, LP + 5%)
1.3.5 Certificate revocation and suspension (LZ, LK, LP = heritage)
1.3.5.1 The maximum 72 h delay between receipt of a revocation request or report and the change to revocation status information being available to all relying parties (LZ = 30%, LK = 60%, LP = 40%, C = 0.01)
1.3.5.2 The maximum 24 h delay between receipt of a revocation request or report and the change to revocation status information being available to all relying parties (LZ = 30%, LK = 80%, LP = 40%, C = 0.01, M = 0.01)
To verify whether the applied combination of security mechanisms is complete, we assign adequate Boolean operations to pairs of the graph edges. In this way, we obtain the Boolean function for the complete graph, with the arguments being services at the leaf nodes of the tree. The condition of proper choice of the security mechanisms is connected with the value of the obtained function. That value must be equal to 1.
Introducing additional security elements to the system might cause extra threats for the system's assets. Therefore, any change of a mechanism of the system protection influences the calculated probability.
Some security elements might modify parameters of the higher edges (e.g. 1.1.2.2 – LK = +5%, LP = +5%, C = 0.01, M = 0.03).
All steps of the protocol which realize a given security service are demonstrated in a graph.
4.2.2.1. Parameters characterizing threat. As mentioned above, any threat for a given process is characterized by means of a combination of two parameters: the probability of threat occurrence and its level. The particular security elements presented in the graph description are defined by means of these parameters.
The parameters presented in the graph belong to the main group, which is the basic part of the model. There is also an extra group of parameters which introduce corrections to the model, but choosing parameters from this group is not obligatory. These parameters are treated as a checklist. Below, the complete list of parameters that could be used in this model is presented.
The main probability parameters (considered in the graph) are:
• LZ – assets gained during a successful attack on a given security element (100% = compromising the whole protocol);
• LK – the knowledge needed for an attack (100% = expert);
• LP – costs needed for an attack (100% = the highest cost);
• C – communication steps as an additional possibility of attack, $C \in [0, 0.1]$ (0.1 = the highest threat);
• M – a practical implementation. The difficulty in implementing increases the probability of incorrect configuration. Error reports are an additional source of information, etc. $M \in [0, 0.1]$ (0.1 = the highest threat).
Additional security parameters (checklist):
• PP – global assets possible to gain in a given process, $PP \in [0, 0.1]$ (0.1 = the highest threat);
• I – a kind of institution realizing the information process. Some of the institutions are of high threat. $I \in [0, 0.1]$ (0.1 = the highest threat);
• H – potential risk for an attacker in case of an identification. The legal system and punishment of countries where the process is realized. $H \in [0, 0.1]$ (0.1 = a country with the lowest legal restrictions).
An additional mark used in the description of a graph is "heritage". The nodes with parameters marked in that way take the values of parameters of lower graph edges.
4.2.2.2. Mechanisms. The mathematical tool used to calculate the probability of partial threats and, later, the probability of an incident, is a certain function of the parameters defined above. The indicators which measure the chance that an attack on some assets is successful are: LK, as a required level of knowledge; and LP, as required costs. To estimate the values of these parameters in the model, a detailed analysis of all vulnerabilities of the information system should be performed. The two parameters are modified by appropriately assumed weights $\omega^P_{LK}$ and $\omega^P_{LP}$ ($\omega^P_{LK} + \omega^P_{LP} = 1$), which define potential lack of attacker's preparation in the domains of both knowledge and costs.
Apart from the requirements needed for a successful attack, potential attackers' profits should be established. These are defined by means of the parameter LZ, describing the influence of a potential harm which compromises the whole process.
An additional parameter which increases the vulnerability of a given threat and, at the same time, of the whole process, is the parameter C, an extra communication step used in a given element.
The next suggested parameter is M, describing the practical implementation of the security mechanisms. Adding complex security elements increases the possibility of making mistakes in the implementation. This usually results in error reports, which provide an attacker with additional information. If the additional parameters C and M are not checked on a given graph edge, their values are standard and the parameters do not influence the resultant probability.
In the process of setting up the probability of an attack, additional parameters can be used which, in a more detailed way, characterize the considered information process. In further considerations we denote these parameters by $\delta$.
Combining all the above mentioned parameters, the expression of the probability of a particular threat occurrence is established:
$$P^K_{ijz} = \left[1 - \left(LK^K_{ijz}\,\omega^P_{LK} + LP^K_{ijz}\,\omega^P_{LP}\right)\right]\left[LZ^K_{ijz} + \left(1 - LZ^K_{ijz}\right)\left(C^K_{ijz} + M^K_{ijz}\right)\right];$$
$${}^{\delta}P^K_{ijz} = P^K_{ijz} + \left[\delta\left(1 - P^K_{ijz}\right)\right];$$
$$\delta = \left(PP^P + I^P + H^P\right);$$
where the symbols denote:
$i$, the number of the security service;
$j$, the number of the security elements;
$z$, the number of parts of the security element;
$K$, the number of steps of the protocol;
$\delta$, the index of additional security parameters;
$P$, the index of concrete processes;
$P^K_{ijz}$, the probability of a threat occurrence without considering additional $\delta$ parameters. This is the value of part "z" in the element "j" for the service "i" in step "K" for a given protocol;
${}^{\delta}P^K_{ijz}$, the probability after taking into account additional parameters "$\delta$";
$\omega^P_{LK}$, the weight defining potential attackers' lack of preparation in the domain of knowledge;
$\omega^P_{LP}$, the weight defining potential attackers' lack of preparation in the domain of costs;
$\omega^P_{LK} + \omega^P_{LP} = 1$.
Every partial probability for each chosen graph edge is calculated.
The next step in the model is calculating the probability of an incident occurrence in a given step. Firstly, we find the highest probability among the calculated partial probabilities in a given step. This value is the main factor of the probability of incident occurrence in this step. It is caused by the fact that the security of an information system is like a chain; the weakest link affects its strength.
$$MP^K_i = \max\left(P^K_{ijz}\right).$$
The probability of an incident occurrence in a given step depends not only on the highest threat but also on all other threats possible in it. Therefore, a correction to the total probability as a contribution of all partial probabilities is calculated. The number of partial probabilities is defined by the parameter "n". Thus, a series of partial probabilities is created. We define:
$a_{B0} = MP^{K}_{i}$, the base element of the series;
$a_{0} = (1 - a_{B0})$, zero element of the series;
$a_{1} = a_{0}x_{1}$, the first element of the series;
$a_{n}$, nth element of the series;

$$a_{n} = \left[a_{0} - \sum_{k=1}^{n-1} a_{k}\right] x_{n} \quad \text{where } n \geq 2;$$

$x$, the partial probability of all security elements $(P^{K}_{ijz})$.
The total correction to the probability of an incident
occurrence is:
$$PP^{K}_{in} = \sum_{k=1}^{n} a_{k};$$

$n$, the number of elements in the series.
Calculating the above mentioned parameters, a total prob-
ability of incident occurrence for a given service in a given step
is obtained:
$$P_{ALL} = MP^{K}_{i} + PP^{K}_{i}.$$
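A worked computation of the step probability defined above, as an added example (not code from the paper). It assumes every input is a fraction in [0, 1] and that the series terms x_1 … x_n are the partial probabilities other than the maximum; the function names and sample values are constructed for illustration.

```python
from math import isclose, prod

def partial_probability(lk, lp, w_lk, w_lp, lz, c, m):
    """P^K_ijz for one graph edge, following the first formula of this section."""
    if not isclose(w_lk + w_lp, 1.0):
        raise ValueError("the two attacker-preparation weights must sum to 1")
    return (1 - (lk * w_lk + lp * w_lp)) * (lz + (1 - lz) * (c + m))

def with_additional(p, delta):
    """delta-corrected probability: P + delta * (1 - P)."""
    return p + delta * (1 - p)

def step_probability(partials):
    """Return (MP, PP, P_ALL) for one protocol step.

    MP is the highest partial probability (the weakest link); PP is the
    series correction a_1 + ... + a_n contributed by the other threats.
    Assumption: x_1..x_n are the partial probabilities other than MP.
    """
    if not partials or any(not 0.0 <= p <= 1.0 for p in partials):
        raise ValueError("partial probabilities must lie in [0, 1]")
    ordered = sorted(partials, reverse=True)
    mp = ordered[0]
    remaining = 1.0 - mp              # a_0 = 1 - a_B0
    pp = 0.0
    for x in ordered[1:]:
        a_k = remaining * x           # a_n = [a_0 - sum_{k<n} a_k] * x_n
        pp += a_k
        remaining -= a_k              # probability mass not yet claimed
    return mp, pp, mp + pp

def closed_form(partials):
    """The same total written as 1 - prod(1 - P); the series telescopes to it."""
    return 1.0 - prod(1.0 - p for p in partials)

if __name__ == "__main__":
    # Constructed sample values, not taken from the paper.
    p = partial_probability(lk=0.5, lp=0.5, w_lk=0.5, w_lp=0.5,
                            lz=0.2, c=0.1, m=0.1)
    print("partial:", p, "with delta=0.1:", with_additional(p, 0.1))
    mp, pp, total = step_probability([0.10, 0.30, 0.05])
    print("MP=%.4f PP=%.4f P_ALL=%.4f" % (mp, pp, total))
```

Under that assumption the total never exceeds 1 and does not depend on the order in which the remaining threats are taken, since it equals the probability that at least one of the independent threats materialises.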
4.2.3. Impact of a successful attack
The parameters which are set up during the risk calculation are the weights for particular services, $\omega^{x}_{ij}$. These weights indicate the average losses caused by a successful attack.
In the risk modelling, the impact is the result of an infor-
mation security incident caused by a threat affecting assets.
In the presented model of scalable security the resultant im-
pact is obtained by the combination of two kinds of impact
caused by direct and indirect reasons. Below the parameters
used during the impact calculation are depicted.
The direct parameters:
$LZ^{x}_{ij}$, assets gained during a successful attack on given security elements (100% is the compromise of the whole protocol);
$F^{x}_{ij}$, financial losses during a successful attack on given security elements (100% is the total financial loss).
The indirect parameters:
$\alpha^{x}_{ij}$, necessary financial costs for repairing the damages gained during a successful attack (100% is the maximal cost);
$\beta^{x}_{ij}$, losses of the value of the company shares or the company reputation (100% is the maximal market loss).
To calculate the impact of a successful attack ($\omega^{x}_{ij}$) a combination of the parameters described above is used. Thus, the parameter $LZ^{x}_{ij}$ describes the influence of a potential harm of a given threat to compromise the whole process. The parameter $F^{x}_{ij}$ describes direct financial losses during an attack on the particular step of the protocol.
The next parameters are connected to an indirect impact of the successful attack. The first group of parameters ($\alpha^{x}_{ij}$) is connected to the indirect financial losses which must be accounted for after a successful attack on the system. Those financial losses are caused by damage and repairs to the information systems. The second group of parameters ($\beta^{x}_{ij}$) describes the loss of the value of the company security or the company reputation.
Combining the above mentioned parameters brings about the impact of an attack in a particular process:

$$\omega^{x}_{ij} = \frac{LZ^{x}_{ij}}{3}\left(F^{x}_{ij} + \beta^{x}_{ij} + \alpha^{x}_{ij}\right).$$
The impact parameter is a changeable part of Eq. (1) for
a particular process, because losses connected with a success-
ful attack can differ for concrete information processes.
4.2.4. The parameter of scalability of the security mechanisms
The scalability parameter Z gives an additional possibility to scale the used security mechanisms. Its characteristics are shown in Fig. 2.
5. Adaptable security and risk management
As mentioned above, the first step in the process of creating
a security system is establishing a security requirement,
which guarantees the individual service. Next, security ele-
ments, i.e. mechanisms that ensure defined security require-
ments, are set up. The choice of security mechanisms
depends on the potential risk of a given process (ISO/IEC
13335-2, 2003). Among these are: the assets involved in the
process, the threats of assets, the vulnerabilities of assets,
the impact of a successful attack, safeguards and, what is sug-
gested in this paper, the adaptable security item. The cycle of
risk management process with adaptable (or scalable) security
is shown in Fig. 3.
5.1. Assets
The basic step in setting up the security process is analyzing
the organization assets. The level of vulnerabilities of assets
and, on the basis of this, proper security elements are to be
established.
5.2. Threats
Potential threats can cause harm to gathered assets by a given
organization. These harms can be caused by an attack on in-
formation involved in the process or on the whole system.
The threats make use of vulnerabilities in assets and then
cause harm. The threats can be classified as human and envi-
ronmental, and also as deliberate and accidental. For setting
up the threats, their level should be defined and the probabil-
ity of occurrence of an incident of this kind calculated.
5.3. Vulnerabilities
A weakness of an asset that can be exploited by one or more
threats is called a vulnerability. Vulnerabilities associated
with assets include weaknesses in the physical layout, organi-
zation, procedures, management, hardware, software, infor-
mation, etc. A vulnerability itself does not cause harm; it
causes harm only in case of an attack.
5.4. Impact
The impact is the result of an information security incident caused by a threat affecting assets. The impact could be a destruction of certain assets, damage to the security system and a compromise of confidentiality, integrity, availability, non-repudiation, authenticity, reliability, etc. The possible indirect impact includes financial losses, losses to company image, etc.

Fig. 2 – The characteristics of a scalability parameter of security mechanisms. [Plot: protection level (L) on the horizontal axis; protection level with correction of security mechanisms scalability (LZ) on the vertical axis; curves for Z = 1, Z = 3 and Z = 10.]

Fig. 3 – The cycle and relationship between security elements for the risk management.
5.5. Safeguards
Safeguards are practices, procedures or mechanisms that pro-
tect against a threat, reduce vulnerability, and reduce the im-
pact of an information security incident.
5.6. Risk
The risk is characterized by a combination of two factors: the
probability of an incident occurrence and the impact of an
incident on the system. Any change to assets, threats, vulner-
abilities, and safeguards may have significant effects on the
risk itself.
5.7. Adaptable (scalable) security
The additional item in the risk management process is the scalable security block, which makes it possible to adapt the protection level to the actual level of threats. Almost every detailed security analysis of the protection system shows new vulnerable structures in the system, which involve additional security elements. On the other hand, the applied protections are often overestimated, which generally decreases the efficiency and availability of the system and causes excess redundancy. Due to the adaptation mechanisms of scalable security, its level can be altered depending on the actual security requirements of the electronic process.
6. Conclusions
Adaptable security helps to choose the optimal security level
for an information system with respect to costs, applied tools,
functional redundancy, integration to many security services
and obvious gaps at the interfaces. The usage of the presented
model is especially important in the dynamic environment
where its efficiency is crucial for the secure functioning of
the system. The example of such a system could be a distrib-
uted database where the secure and timely access to the data
is its most important task.
The sensor network (Hu and Sharma, 2005) is another in-
formation system where the scalable security systems are of
utmost importance. Due to them, it is possible to obtain the
reasonable compromise between an adequate level of security
of the sensor network and the efficiency and total lifetime
(due to energy costs) of the net.
Electronic services in which the security is a crucial ele-
ment are based on cryptographic protocols. Setting up differ-
ent security levels for all subprotocols in a certain
cryptographic protocol enables changing particular versions
of subprotocol, creating freely scalable system with respect
to the security level. Such a possibility can prove useful in
case of modifying the security levels in the particular phases
of the subprotocol (Moitr and Konda, 2004) which increases
system performance and, as a result, its global security.
References
Barlow L. A discussion of cryptographic protocols for electronic voting; 2003.
ETSI TS 102 042. Policy requirements for certification authorities issuing public key certificates; 2002.
FIPS PUB 140-2. Security requirements for cryptographic modules.
Groves J. Security for application service providers. Network Security January 1, 2001a;2001(1):6–9 [Elsevier].
Hu F, Sharma KN. Security considerations in ad hoc sensor networks. Ad Hoc Networks 2005;3:69–89 [Elsevier].
ISO/IEC 11770-3. Key management – Part 3: mechanisms using asymmetric techniques 1999-11-01.
ISO/IEC 13335-2. Information technology – security techniques – management of information and communications technology (ICT) security – Part 2: Techniques for information and communications technology security risk management; 2003.
ISO/IEC 15408. Information technology – security techniques – evaluation criteria for IT security.
ISO/IEC 19790. Security techniques – security requirements for cryptographic modules.
Księżopolski B, Kotulski Z. Cryptographic protocol for electronic auctions with extended requirements. Annales UMCS Informatica 2004;2:391–400.
Kulesza K, Kotulski Z. On automatic secret generation and sharing for Karin–Greene–Hellman scheme. In: Sołdek J, Drobiazgiewicz L, editors. Artificial intelligence and security in computing systems. Kluwer; 2003. p. 281–92.
Lambrinoudakis C, Gritzalis S, Dridi F, Pernul G. Security requirements for e-government services: a methodological approach for developing a common PKI-based security policy. Computer Communication 2003;26:1873–83 [Elsevier].
Merabti M, Shi Q, Oppliger R. Advanced security techniques for network protection. Computer Communications 2000;23:1581–3 [Elsevier].
Moitr S, Konda S. An empirical investigation of network attacks on computer system. Computer and Security 2004;23:43–51 [Elsevier].
NIST. Volume I: guide for mapping types of information and information systems to security categories; March 2004.
Patel A, Gladychev P, Katsikas S, Gritzalis S, Lekkas D. KEYSTONE project, Support for legal framework and anonymity in the KEYSTONE public key infrastructure architecture. In: Proceedings of UIPP'99 IFIP international joint working conference on user identification and privacy protection. Stockholm, Sweden: Kluwer Academic Publisher; June 1999. p. 243–54.
Patton MA, Josang A. Technologies for trust in electronic commerce. Electronic Commerce Research 2004;4:9–21 [Kluwer Academic Publishers].
Reiter M, Rubin A. Crowds: anonymity for web transaction. ACM Transaction on Information and System Security November 1998;1(1):66–92.
Saez G. Generation of key pre-distribution schemes using secret sharing schemes. Discrete Applied Mathematics 2003;128:239–49 [Elsevier].
Teoh A, Ngo D, Goh A. Personalised cryptographic key generation based on Face Hashing. Computer and Security 2004;23:606–14 [Elsevier].
Tzong-Sun W, Chien-Lung H. Efficient user identification scheme with key distribution preserving anonymity for distributed computer networks. Computer and Security 2004;23:120–5 [Elsevier].
Bogdan Księżopolski received his M.Sc. in Computer Physics from Maria Curie-Sklodowska University in Lublin, Poland. He is currently a research assistant in Institute of Computer Science at Maria Curie-Sklodowska University in Lublin, Poland. He is the author or co-author of 12 articles.

Zbigniew Kotulski received his M.Sc. in applied mathematics from Warsaw University of Technology and Ph.D. and D.Sc. Degrees from Institute of Fundamental Technological Research of the Polish Academy of Sciences. He is currently a professor at IFTR PAS and professor and head of Security Research Group at Department of Electronics and Information Technology of Warsaw University of Technology, Poland. He is the author or co-author of three books and more than 100 research papers.