Chapter 12. Cryptographic Data Integrity Protection, Key Exchange, and User Authentication Mechanisms
"This means true information is not leaked."
The traditional use of symmetric cryptography corresponds very well to the theoretical Bell–LaPadula model of security systems. This model was designed as an outline of the confidentiality protection in multilevel systems utilized by users with different clearances for data categories with different security classifications. The Bell–LaPadula model is based on two rules known as the simple security rule and the property rule. The simple security rule states that a subject at the given security level cannot read data at the higher security level ("no read up"). The property rule conveys the prevention of spreading the information to the lower security levels ("no write down"). For example, users who do not have the key necessary to access the VPN cannot "read up" the network traffic, and users who are on the VPN cannot send unencrypted data because their hosts are configured to send data only over secure channels, and any attempt to change such a configuration would flash an enormous neon alarm in the VPN administrator's bedroom. However, the Bell–LaPadula concept was designed for military systems where confidentiality is the major concern. In e-commerce, integrity and availability of data are just as important. The Bell–LaPadula model does not address both. Therefore, another model, the Biba model, was conceptualized to address these issues. This model states that both data and its subject must be protected from corruption by data from lower-integrity, less-secure levels and channels. Like the Bell–LaPadula model, the Biba model is also based on two laws: integrity and property laws. Integrity law states "no write up," so that unauthorized users have no rights to modify the data on higher security levels. Property law maintains a "no read down" statement, so that users with sufficient privileges cannot corrupt the data using information sources with questionable credibility and possible integrity compromise.