Trusted Declassification

Trusted declassification is a declassification policy in which principals specify in a global policy file which declassifiers are trusted to handle their data.

Problem: Noninterference is too strict a security policy for real applications. For example, a ciphertext releases some information about the sensitive inputs, even though it is too little information to recover those inputs; under strict noninterference, even this release is prohibited. The mechanism for relaxing this stringent requirement is called declassification, and declassification must be applied only in a controlled fashion.

Solution: Trusted declassification allows a data owner to indicate which functions are trusted to declassify its sensitive data. One example is an encryption function such as AES. Another is a function that releases only a single bit of information, such as the comparison in a password-checking program. A further example is an anonymization filter for patient medical records or email contents.

Security theorems: Trusted declassification can be shown to maintain noninterference modulo trusted methods. This means that for the data of a principal who allows no trusted methods, noninterference is maintained. In the presence of trusted declassifiers, the principal can be certain that all leakage occurs only through the trusted declassifiers.
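The following is an added example, not code from the original page or from any trusted-declassification implementation: a small dynamic model in which every value carries the set of principals that own it, a constructed stand-in for the global policy file (POLICY, an assumption) records which declassifier names each principal trusts, and a value may drop to public only through a declassifier trusted by all of its owners. It also shows the theorem's boundary case: a principal who trusts no declassifiers gets plain noninterference.

```python
import hashlib
from dataclasses import dataclass

# Constructed stand-in for the global policy file (assumption):
# principal -> names of the declassifiers that principal trusts with its data.
POLICY = {
    "alice": {"sha256_digest", "password_check"},
    "bob": set(),  # bob trusts no declassifier: plain noninterference for bob's data
}
PUBLIC = frozenset()

@dataclass(frozen=True)
class Labeled:
    value: object
    owners: frozenset  # principals whose data influenced this value

class FlowError(Exception): pass

def join(a: Labeled, b: Labeled) -> Labeled:
    """Computing on two values yields a pair owned by both sets of principals."""
    return Labeled((a.value, b.value), a.owners | b.owners)

def declassify(x: Labeled, f) -> Labeled:
    """Release f(x) as PUBLIC only if every owner of x trusts f in the policy."""
    untrusting = {p for p in x.owners if f.__name__ not in POLICY.get(p, set())}
    if untrusting:
        raise FlowError(f"{f.__name__} is not trusted by {sorted(untrusting)}")
    return Labeled(f(x.value), PUBLIC)

def to_public_sink(x: Labeled):
    """A public channel accepts only PUBLIC data; anything else is a leak."""
    if x.owners != PUBLIC:
        raise FlowError(f"data owned by {sorted(x.owners)} reached a public sink")
    return x.value

def sha256_digest(data: bytes) -> str:  # a one-way transform, trusted by alice
    return hashlib.sha256(data).hexdigest()
def password_check(pair) -> bool:       # releases a single bit of the secret
    secret, guess = pair
    return secret == guess

def alice_login(guess: str) -> bool:
    secret = Labeled("correct horse", frozenset({"alice"}))  # constructed secret
    return to_public_sink(declassify(join(secret, Labeled(guess, PUBLIC)), password_check))

def flow_allowed(owner: str, f) -> bool:
    # True if `owner`'s data may reach the public sink through declassifier f.
    try:
        to_public_sink(declassify(Labeled(b"record", frozenset({owner})), f))
        return True
    except FlowError:
        return False
```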

Policy tools: See tools description