High-Con dence Design for Security

The widespread use of networks makes information security a major concern where the underlying network (e.g., the Internet) is assumed to be insecure. Systems with security requirements typically must operate with a high degree of conndence { they must be highly assured. The task of designing and building secure systems raises a fundamental question, how do we know with conndence that our designs will behave se-curely? Having conndence in a secure system requires having conndence in the following: the strength of the cryptographic algorithms, the correctness of the hardware and software implementations, and knowing the implementation supports a security model. This article describes methods that establish conndence that implementations meet their speciications and security requirements. These methods are rigorous in nature. They rely on mathematical logic and are accessible to engineering students at the masters level. As is typical in systems engineering , a variety of methods are used depending on what level of design is being addressed. The collection of people, keys, processes, or machines who send and receive information and who access information resources (e.g., databases, processors , printers, etc.) are called principals. Security properties typically deal with the ability of principals to access information or resources. Key security properties include: privacy or conndentiality: knowing which principals can read data 1