A policy-based methodology for security evaluation: A Security Metric for Public Key Infrastructures

Article type: Research Article

Authors: Casola, Valentina^{; *} | Mazzeo, Antonino | Mazzocca, Nicola | Vittorini, Valeria

Affiliations: Dipartimento di Informatica e Sistemistica, Università degli Studi di Napoli “Federico II”, Via Claudio 21, 80125 Napoli, Italy. E-mail: [email protected], [email protected], [email protected], [email protected]

Correspondence: [*] Corresponding author. Tel.: +39 0817683907; Fax: +39 0817683816; E-mail: [email protected].

Abstract: The security of complex infrastructures depends on many technical and organizational issues that need to be properly addressed by a security policy. For purpose of our discussion, we define a security policy as a document that states what is and what is not allowed in a system during normal operation; it consists of a set of rules that could be expressed in formal, semi-formal or very informal language. In many contexts, a system can be considered secure and trustworthy if the policy enforced by its security administrator is trustworthy too; from this standpoint it is possible to evaluate the system security by evaluating its policy. In this paper we present a policy-based methodology to formalize and compare policies, and a Security Metric to evaluate the security level that a system is able to grant. All the steps of the methodology will be illustrated with an operative approach, by directly applying it to a real case study: the semi-automated Cross Certification among Public Key Infrastructures.

Keywords: Security evaluation, Security Metric, Certificate Policies, Public Key Infrastructures

DOI: 10.3233/JCS-2007-15201

Journal: Journal of Computer Security, vol. 15, no. 2, pp. 197-229, 2007