Degree of security

When the installation demands a high degree of security, such as in a generating station. 

As the maturity of the process increased, only the key parameters would require continued monitoring. Ultimately, the data collected on these properties would permit the generation of material specifications. If the work had been performed properly, then it would be possible to specify limits for the-appropriate bulk drugs and raw materials that would ensure that the final product always was satisfactory. These guidelines would naturally apply only to the specific formulation, but their implementation would enable manufacturers to deliver their products with a greater degree of security than is now possible. 

To ensure the highest degree of security of SCADA systems, isolate the SCADA network from other network connections to as great a degree as possible. Any connection to another network introduces security risks, particularly if the connection... 

Then, when changes its sign, failure becomes probable and the material can no longer be used with a sufficient degree of security. 

F. A notion of fulfilling the requirements, or whatever the specification is, with certain degrees of security. 

Formally, the degrees of security with which requirements or specifications can be fulfilled can only be defined when one has defined a class of requirements or specifications. Hence this subject is postponed to Section 5.4.3. Anyway, the most important criteria are whether small error probabilities are tolerated or not and whether security has really been proved. These criteria are closely related to the assumptions about the attackers (cf. Figure 5.16). 

Section 5.1 contains the main ideas behind the definition and classification, some justification for these ideas, and general remarks about consequences and alternatives. Sections 5.2 to 5.4 contain the actual definitions and classification criteria (sorted according to service, structure, and degree of security, which is one of the main ideas of Section 5.1). 

Req(i groupj) denotes the set of sequences that fulfil the requirement made in the interest of a set of users, i groupj. The two requirements are usually fulfilled with different degrees of security. Hence they cannot be replaced by one requirement that the sequence is in Req(i groupi) n Req i group . ... 

Multiple speciHcations, i.e., different specifications intended for different degrees of security, which would be redundant otherwise. For instance, with fail-stop signature schemes one first requires that no forgeries occur, but secondly, if a forgery occurs nevertheless, it should be provable. This makes sense because the second requirement is to hold on weaker assumptions than the first... 

Moreover, the fail-stop property will only be used with two specific degrees of security low is on a cryptologic assumption and high information-theoretically . In principle, other combinations are also possible, for instance that low needs an upper bound on the number of attackers and high means that more attackers are tolerated. 

Black arrows show the strong requirements for the low degree of security, i.e., for normal situations. (It is assumed that honest users behave sensibly in the details that are not shown in the figiure, e.g., the signer disavows if she has not authenticated.) Grey arrows show transitions that are additionally possible in extreme situations. Transitions without any arrow are excluded with both degrees of security. 

These security types are mainly treated in Section 5.4.3. With the ordinary type of security, known from ordinary digital signature schemes, the requirement of the recipient on disputes is guaranteed with the high degree of security, whereas the court may wrongly decide for the recipient in extreme situations. To its right, a type of security dual to ordinary security is shown. 

This section describes degrees of security. A short overview was already given in Sections 4.4.5 to 4.4.7. A degree of security is primarily defined for one scheme and one requirement, not for a complete specification. It is characterized by the attackers that are tolerated and the notion of fulfilling the requirement. Most of this section can be used for all cryptologic transaction schemes. 

Private channels. Some signature schemes need point-to-point channels in initialization that keep messages confidential (in addition to integrity and availability), i.e., only the intended receiver obtains any information. This must be mentioned explicitly in the degree of security, and can only be applied to schemes where the switch program contains two types of point-to-point channels. 

Essentially, one obtains the best degree of security if one universally quantifies over the behaviour of the honest users No matter what the honest users do, the requirements are fulfilled. Such a model automatically covers all conceivable active attacks, because behaviours resulting from an influence by an attacker are just behaviours, too. It is rather a natural model, too — for instance, how could one know anything about how an honest user selects the messages she authenticates (This is in contrast to the behaviour of correct entities, which act according to programs.)... 

The security semantics must define under which conditions a scheme Scheme fulfils a requirement Req with a given degree of security, degree. This could boldly be written as... 

So far, degrees of security have been defined for individual requirements. As there are several minimal requirements on signature schemes (and more for special types of service), many different combinations are possible. This subsection considers some important combinations. 

First, if the requirements are restricted to temporal logic, general temporal validity (i.e., the fact that a formula holds for all sequences over the given domain) should trivially imply security validity with every degree of security. 

As to proof rules, modus ponens is not trivial. It can be seen as a test for robust classes of very small functions Let requirements / i, / 2 and R = (Ri -> R2) be given. Modus ponens means that the validity of R and R for a scheme with a certain degree of security implies the validity of R2. For given parameters A, sys pars, and i group, let Pj, P2, and P denote the probabilities P 5(5ys pars, i group) for the respective requirements. Obviously, (1 - P2) < (1 - Pj) + (1 - P). Hence modus ponens can be used if the sum of two very small functions is still very small . 

Whenever a requirement holds for a scheme in the interest of a certain interest group, it also holds in the interest of any larger interest group with the same degree of security. This should be clear because more entities are correct if the interest group is larger, and correct entities are a special case of an attacker strategy. 

It is assumed that the given requirements hold with a common degree of security (which may be the minimum of the degrees with which they were originally shown to hold). 

A consequence of these statements is that subdividing the security types from Section 5.4.3, Combinations of Degrees of Security in Signature Schemes , according to the error probabilities in their information-theoretic parts does not yield many new types. 

It is not useful to consider all possible combinations of service, structure, and degree of security one by one, because there are far more possible combinations than existing schemes. (However, one could try to do so in future, i.e., either invent a scheme, or prove impossibility, or explain why the combination only has disadvantages even if one takes efficiency into account.) Instead, classes are defined according to a few important criteria, and within each class, the existing schemes with their remaining properties are listed. 

The special problem with the degree of security is due to the fact that the entities of recipients and courts have secret information and divulge some of it in authentication and disputes, in contrast to all other existing signature schemes. Hence not only the signer, but also recipients and courts are vulnerable to active attacks, as described at the end of Section 5.4.2. This seems to be a more difficult problem than active attacks on signers, because each signature is issued only once, whereas it may be tested very often. ... 

Section 7.1.1 explains why one can concentrate on schemes with special risk bearers. The components of the schemes are derived in Section 7.1.2 and summarized formally in Definitions 7.1 to 7.3. The requirements, which are now mixed with considerations of structure and degree of security, are studied in Sections 7.1.3 to 7.1.5. 

This does not mean that bounds on time complexity would not be interesting. However, on the one hand, no approach at proving non-trivial ones seems to be known, and on the other hand, efficiency differences between existing signature schemes with different degrees of security primarily concern communication and storage complexity. 

---