Abstract
The computer security community has traditionally regarded security as a “hard” property that can be modelled and formally proven under certain simplifying assumptions. Traditional security technologies assume that computer users are either malicious, e.g. hackers or spies, or benevolent, competent and well informed about the security policies. Over the past two decades, however, computing has proliferated into all aspects of modern society and the spread of malicious software (malware) like worms, viruses and botnets has become an increasing threat. This development indicates a failure in some of the fundamental assumptions that underpin existing computer security technologies and that a new view of computer security is long overdue.
In this paper, we examine traditional models, policies and mechanisms of computer security in order to identify areas where the fundamental assumptions may fail. In particular, we identify areas where the “hard” security properties are based on trust in the different agents in the system and certain external agents who enforce the legislative and contractual frameworks.
Trust is generally considered a “soft” security property, so building a “hard” security mechanism on trust will at most give a spongy result, unless the underlying trust assumptions are made first-class citizens of the security model. In most of the work in computer security, trust assumptions are implicit and they will surely fail when the environment of the systems changes, e.g. when systems are used on a global scale on the Internet. We argue that making such assumptions about trust explicit is an essential requirement for the future of system security and argue why the formalisation of computational trust is necessary when we wish to reason about system security.
Copyright information
© 2014 IFIP International Federation for Information Processing
About this paper
Cite this paper
Jensen, C.D. (2014). The Importance of Trust in Computer Security. In: Zhou, J., Gal-Oz, N., Zhang, J., Gudes, E. (eds) Trust Management VIII. IFIPTM 2014. IFIP Advances in Information and Communication Technology, vol 430. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-43813-8_1
DOI: https://doi.org/10.1007/978-3-662-43813-8_1
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-662-43812-1
Online ISBN: 978-3-662-43813-8
eBook Packages: Computer Science (R0)