Logic programming based formal representations for authorization and security protocols

Wang, Shujing, University of Western Sydney, College of Health and Science, School of Computing and Mathematics

January 2008

Logic programming with answer set semantics has been considered appealing rule-based formalism language and applied in information security areas. In this thesis, we investigate the problems of authorization in distributed environments and security protocol verification and update. Authorization decisions are required in large-scale distributed environments, such as electronic commerce, remote resource sharing, etc. We adopt the trust management approach, in which authorization is viewed as a ‘proof of compliance" problem. We develop an authorization language AL with non-monotonic feature as the policy and credential specification language, which can express delegation with depth control, complex subject structures, both positive and negative authorizations, and separation of duty concepts. The theoretical foundation for language AL is the answer set semantics of logic programming. We transform AL to logic programs and the authorization decisions are based on answer sets of the programs. We also explore the tractable subclasses of language AL. We implement a fine grained access control prototype system for XML resources, in which the language AL¤ simplified from AL is the policy and credential specification language. We define XPolicy, the XML format of AL¤, which is a DTD for the XML policy documents. The semantics of the policy is based on the semantics of language AL. The system is implemented using Java programming. We investigate the security protocol verification problem in provable security approach. Based on logic programming with answer set semantics, we develop a unified framework for security protocol verification and update, which integrates protocol specification, verification and update. The update model is defined using forgetting techniques in logic programming. Through a case study protocol, we demonstrate an application of our approach. / Doctor of Philosophy (PhD)

computer security

computer networks

database security

logic programming

Implementation of a logic-based access control system with dynamic policy updates and temporal constraints

Crescini, Vino Fernando, University of Western Sydney, College of Health and Science, School of Computing and Mathematics

January 2006

As information systems evolve to cope with the ever increasing demand of today’s digital world, so does the need for more effective means of protecting information. In the early days of computing, information security started out as a branch of information technology. Over the years, several advances in information security have been made and, as a result, it is now considered a discipline in its own right. The most fundamental function of information security is to ensure that information flows to authorised entities, and at the same time, prevent unauthorised entities from accessing the protected information. In a typical information system, an access control system provides this function. Several advances in the field of information security have produced several access control models and implementations. However, as information technology evolves, the need for a better access control system increases. This dissertation proposes an effective, yet flexible access control system: the Policy Updater access control system. Policy Updater is a fully-implemented access control system that provides policy evaluations as well as dynamic policy updates. These functions are provided by the use of a logic-based language, L, to represent the underlying access control policies, constraints and policy update rules. The system performs authorisation query evaluations, as well as conditional and dynamic policy updates by translating language L policies to normal logic programs in a form suitable for evaluation using the well-known Stable Model semantics. In this thesis, we show the underlying mechanisms that make up the Policy Updater system, including the theoretical foundations of its formal language, the system structure, a full discussion of implementation issues and a performance analysis. Lastly, the thesis also proposes a non-trivial extension of the Policy Updater system that is capable of supporting temporal constraints. This is made possible by the integration of the well-established Temporal Interval Algebra into the extended authorisation language, language LT , which can also be translated into a normal logic program for evaluation. The formalisation of this extension, together with the full implementation details, are included in this dissertation. / Doctor of Philosophy (PhD)

computer security

database security

logic programming

computer safety

Oblivious transfer protocols for securing electronic commerce

Zhang, Jun Qi, University of Western Sydney, College of Science, Technology and Environment, School of Computing and Information Technology

January 2002

Security is a major issue for electronic commerce. Crytography is the foundation of security and oblivious transfer (OT) protocols are one primitive of modern cryptography. The main goal of this dissertation is to develop new and more efficient OT protocols and explore their applications in electronic commerce. A new m out of n OT scheme is proposed, its implementation, security and efficiency are discussed, and it is compared with a previous OT scheme. The analysis shows that the previous OT protocol can be regarded as a special case of the new proposed OT scheme. The new OT scheme's applicability in blind signatures is explored. A new non-interactive m out of n OT scheme is proposed that includes a newly developed public keys generation algorithm based on the discrete log problem and an OT protocol based on the Diffie-Hellman problem. The security of this scheme is discussed. A new buying digital goods scheme is proposed using the new m out of n priced OT which is based on the priced OT protocol developed by Bill Aiello, Yuval Isahai, and Omer Reingold. Tools used in this scheme are discussed and its security is analyzed. A concrete homomorphic protocol is given / Master of Science (Hons)

oblivious transfer protocols

cryptography

computer security

electronic commerce

Solving multiparty private matching problems using Bloom-filters

Lai, Ka-ying.

January 2006

Thesis (M. Phil.)--University of Hong Kong, 2007. / Title proper from title frame. Also available in printed format.

A Method for Assessment of System Security

Andersson, Rikard

January 2005

<p>With the increasing use of extensive IT systems for sensitive or safety-critical applications, the matter of IT security is becoming more important. In order to be able to make sensible decisions about security there is a need for measures and metrics for computer security. There currently exist no established methods to assess the security of information systems.</p><p>This thesis presents a method for assessing the security of computer systems. The basis of the method is that security relevant characteristics of components are modelled by a set of security features and connections between components are modelled by special functions that capture the relations between the security features of the components. These modelled components and relations are used to assess the security of each component in the context of the system and the resulting system dependent security values are used to assess the overall security of the system as a whole.</p><p>A software tool that implements the method has been developed and used to demonstrate the method. The examples studied show that the method delivers reasonable results, but the exact interpretation of the results is not clear, due to the lack of security metrics.</p>

Computer security

Metrics

Assessment

Information systems

Modelling

Information technology

Informationsteknik

Scenario-Based Evaluation of a Method for System Security Assessment

Bengtsson, Jonna

January 2005

<p>This thesis evaluates a method for system security assessment (MASS), developed at the Swedish Defence Research Agency in Linköping. The evaluation has been carried out with the use of scenarios, consisting of three example networks and several modifications of those. The results from the scenarios are then compared to the expectations of the author and a general discussion is taken about whether or not the results are realistic.</p><p>The evaluation is not meant to be exhaustive, so even if MASS had passed the evaluation with flying colors, it could not have been regarded as proof that the method works as intended. However, this was not the case; even though MASS responded well to the majority of the modifications, some issues indicating possible adjustments or improvements were found and commented on in this report.</p><p>The conclusion from the evaluation is therefore that there are issues to be solved and that the evaluated version of MASS is not ready to be used to evaluate real networks. The method has enough promise not to be discarded, though. With the aid of the issues found in this thesis, it should be developed further, along with the supporting tools, and be re-evaluated.</p>

Computer security

Assessment

Information systems

Metrics

Computer science

Datalogi

Wi-Fi Guest Access: A Struggle For Secure Functionality In Academic Environments

Kevin E. Lanning

9 April 2007

The rapid growth in the functionality of Wi-Fi networking in recent years has benefited academic environments. Consistent with their role as centers of innovation academic institutions have an interest in facilitating as much mobile, computer networking functionality as possible to parties of varying levels of affiliation, while also assuring confidentiality and integrity of communications. Providing secure yet functional Wi-Fi access to guests and affiliates in an academic environment presents significant challenges. Academic institutions have taken a wide variety of approaches to this problem. This study presents and analyzes data gathered from semi-structured telephone interviews with employees focused on computer networking and security in academic environments regarding their institutions’ approaches toward striking a balance between security and functionality. The results are summarized, conclusions are presented, and solutions to common problems are reviewed. Finally, remaining significant research questions are presented and explored.

Guesswork and Entropy as Security Measures for Selective Encryption

Lundin, Reine

January 2012

More and more effort is being spent on security improvements in today's computer environments, with the aim to achieve an appropriate level of security. However, for small computing devices it might be necessary to reduce the computational cost imposed by security in order to gain reasonable performance and/or energy consumption. To accomplish this selective encryption can be used, which provides confidentiality by only encrypting chosen parts of the information. Previous work on selective encryption has chiefly focused on how to reduce the computational cost while still making the information perceptually secure, but not on how computationally secure the selectively encrypted information is.  Despite the efforts made and due to the harsh nature of computer security, good quantitative assessment methods for computer security are still lacking. Inventing new ways of measuring security are therefore needed in order to better understand, assess, and improve the security of computer environments. Two proposed probabilistic quantitative security measures are entropy and guesswork. Entropy gives the average number of guesses in an optimal binary search attack, and guesswork gives the average number of guesses in an optimal linear search attack. In information theory, a considerable amount of research has been carried out on entropy and on entropy-based metrics. However, the same does not hold for guesswork. In this thesis, we evaluate the performance improvement when using the proposed generic selective encryption scheme. We also examine the confidentiality strength of selectively encrypted information by using and adopting entropy and guesswork. Moreover, since guesswork has been less theoretical investigated compared to entropy, we extend guesswork in several ways and investigate some of its behaviors.

Computer security

security metrics

selective encryption

confidentiality

entropy

guesswork.

An approach to online anonymous electronic cash

Li, Ying

January 2011

University of Macau / Faculty of Science and Technology / Department of Computer and Information Science

Computer security -- Congresses

Electronic funds transfers

Cash management

Electronic commerce

A flexible security architecture for pervasive computing environments

Covington, Michael J.

07 June 2004

No description available.

Ubiquitous computing

Computer security

Human-computer interaction

Computer interfaces