On Provable Security for Complex Systems

Dirk Achenbach
2016
Computers are ubiquitous. They are critical for a multitude of operations in business, government, and society. Simultaneously they become ever more complex. Consequently, while they gain in importance, it is increasingly difficult to guarantee their security. Because security is a non-functional property, it can neither be tested for, nor can a system be made secure in an ad-hoc fashion. Security can only be included as an inherent property of a system by design. We investigate the ... of cryptographic proofs of security to a systematic security engineering process. To this end we study how to model and prove security for concrete applications in three practical domains: computer networks, data outsourcing, and electronic voting. In the first domain, computer networks, we investigate the security of a network component irrespective of the surrounding network. As a concrete application, we study how to combine several candidate firewalls to yield one provably-secure firewall, even if one candidate is compromised. Our modeling of a firewall network allows us to define security independent of a firewall's functionality. We show that a concatenation of firewalls is not secure, while a majority decision is. Second, we develop a framework for the privacy of outsourced data. Specifically, we consider privacy in the presence of queries. We identify three privacy objectives: data privacy, query privacy, and result privacy. They apply to a wide array of outsourcing applications. Our analysis yields generic relations among these objectives. We introduce a searchable encryption scheme that fits in the framework. The third domain is electronic voting. We focus on re-voting as a strategy to achieve coercion resistance. Insights from a cryptographic model of coercion resistance yield requirements for possible realisations. We provide a proof-of-concept scheme that achieves coercion resistance through re-voting. We conclude that cryptographic proofs of security can benefit a security engineering process in formulating requirements, influencing design, and identifying constraints for the implementation.

I had the honour to work with wonderful co-authors:
doi:10.5445/ir/1000052204 fatcat:wgma3o2ahfecdg7m6e43iuyt2q