Trust Negotiation Concepts and Issues
Elisa Bertino, CS & ECE Departments, CERIAS
Purdue University
Boston November 9, 2004
Outline
- Trust: some definitions
- The trust negotiation model
- Trust-X
- Privacy solutions in Trust-X: credential format, policy context, system architecture
- Conclusions and future work
Trust – Some Definitions
- Kini & Choobineh: trust is "a belief that is influenced by the individual's opinion about certain critical system features".
- Gambetta: "...trust (or, symmetrically, distrust) is a particular level of the subjective probability with which an agent will perform a particular action, both before [the trustor] can monitor such action (or independently of his capacity ever to be able to monitor it)".
- The Trust-EC project (http://dsa-isis.jrc.it/TrustEC/): trust is "the property of a business relationship, such that reliance can be placed on the business partners and the business transactions developed with them".
- Grandison and Sloman: trust is "the firm belief in the competence of an entity to act dependably, securely and reliably within a specified context".
Some Basic Properties of Trust Relations
- Trust is relative to some business transaction. A may trust B to drive her car but not to baby-sit.
- Trust is a measurable belief. A may trust B more than A trusts C for the same business.
- Trust is directed. A may trust B to be a profitable customer, but B may distrust A as a retailer worth buying from.
- Trust exists and evolves in time. The fact that A trusted B in the past does not in itself guarantee that A will trust B in the future. B's performance and other relevant information may lead A to re-evaluate her trust in B.
Trust Services
- Identity services
- Authorization services, with support for delegation and for fine-grained access control at the data, resource and service levels
- Trust negotiation
- Anonymity services
- Trust rating and recommendation services
- Notarisation
- Guaranteed message delivery
- Auditable logs
- Secure storage
Trust Negotiation Model
- The goal: establish trust between parties in order to exchange sensitive information and services.
- The approach: establish trust by verifying properties (credentials) of the other party. Note that trust can also be established on the basis of other factors and information, e.g. reputation; the use of credentials is the common choice in current TN languages and systems.
- Protect sensitive credentials and services with ad hoc policies, namely disclosure policies.
Trust Negotiation Model (figure)
Client and Server each hold a Policy Base and a Subject Profile. Message flow: resource request; exchange of policies; exchange of credentials; resource granted.
Issues – Language Requirements
- Well-defined semantics
- Monotonicity
- Credential combination
- Authentication
- Constraints on property values
- Intercredential constraints
- Sensitive policies
- Unified formalism and use of interoperable languages
Issues – System Requirements
- Credential ownership
- Credential validity
- Credential chain discovery
- Privacy protection
- Support for alternative negotiation strategies
- Fast negotiation strategies
Systems and Prototypes
- KeyNote, by Blaze and Feigenbaum, AT&T Research Lab and Yale University
- TrustBuilder, by K. Seamons et al., Brigham Young University
- Trust-X, by Bertino, Ferrari and Squicciarini, Purdue University and University of Milano
Systems and Prototypes – a Comparison (Language Requirements)

Requirement                     KeyNote  TrustBuilder  Trust-X
Well-defined semantics          Y        Y             Y
Monotonicity                    Y        Y             Y
Credential combinations         Y        Y             Y
Constraints on property values  N        Y             Y
Intercredential constraints     N        Y             Y
Credential chains               N        N             Partially
Authentication                  N        N             N
Sensitive policies              N        Y             Y
Unified formalism               Y        N             Y
Interoperable languages         N        N             Y
Systems and Prototypes – a Comparison (System Requirements)

Requirement                        KeyNote  TrustBuilder  Trust-X
Credential validity                N        Y             Y
Credential ownership               N        N             Partially
Alternative negotiation strategies N        Y             Y
Fast negotiation strategies        N        N             Y
Privacy protection                 Y        Y             Y
Credential chain discovery         N        N             Partially
The Trust-X System
- Comprehensive XML-based framework for trust negotiations: a trust negotiation language, a system architecture, and a protocol and strategies to carry on a negotiation.
- A Trust-X negotiation consists of a set of phases to be sequentially executed.
- The key phase is the policy evaluation phase, which consists of a bilateral and ordered policy exchange.
A Trust-X Negotiation (figure: message exchange between Alice and Bob)
- Introductory phase: preliminary information exchange (service request, prerequisite acknowledge).
- Policy exchange: bilateral disclosure of policies; each party matches the received disclosure policies against its own.
- Credential disclosure: actual disclosure of credentials and/or declarations.
- Resource disclosure: service granted.
The Basic Trust-X System (figure)
Each party (Alice and Bob) runs the same components: a Tree Manager, a Compliance Checker, an X-Profile, a Policy Database and a Mailbox Store.
Privacy Issues in Trust Negotiations
- Trust negotiation does not control nor safeguard personal information once it has been disclosed.
- During the policy evaluation phase, privacy can be compromised, since there are no guarantees about the counterpart's honesty until the actual disclosure of the credentials.
- Sensitive information can be inferred from a response to a request to access a resource.
Sensitive Attributes in Digital Credentials
- Policy disclosure can be used to determine the value of sensitive attributes without the credential ever being disclosed.
- A credential may contain several sensitive attributes, and very often just a subset of them is required to satisfy a counterpart policy. However, when a credential is exchanged, the receiver nevertheless gathers all the information contained in the credential.
How We Preserve Privacy in Trust-X
- Support of a new credential format, which may provide a high degree of privacy protection: selective disclosure of attributes; gradual disclosure of the credential content.
- Extension of the policy notion with additional information to express privacy preferences, and the possibility of negotiating privacy rules.
- Integration of Trust-X with the P3P platform. The P3P platform is used for stating how the personal information collected through credential disclosure during on-line transactions will be managed by the receiver.
Privacy Enhanced Credential (1)
- Credential header: set of information that is crucial for proving that the credential, besides its specific content, is a signed and valid digital document issued by a trusted authority.
  CREDID: unique credential identifier
  CREDTYPE: type of the credential
  EXPIRATION: expiration date
  ISSUEREP: credential issuer repository
- Credential content: list collecting attribute specifications.
Privacy Enhanced Credentials (2) (figure)
- Credential header (plain): CRED ID, TYPE, ISSUER.
- Credential content (blinded at first release): attribute names, values, random numbers (in the figure: name, address, citizenship = French).
- Signature computed over the whole credential.
The credential header is used as a credential proof: a particular state of a privacy enhanced credential where the header is plain and the content is hidden, while the signature over the whole document can still be verified.
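The following is an added example, not Trust-X code, showing one way to realise the credential format just described: the header stays in the clear, each attribute is blinded by a hash commitment over name, value and a random number (the "random numbers" of the figure), and the issuer signs header plus blinded content, so a proof (header and commitments) can be verified before any attribute is opened. An HMAC under an issuer key stands in for the issuer's public-key signature so the script runs with the standard library only; field names follow the slide (CREDID, CREDTYPE, EXPIRATION, ISSUEREP), all values are constructed.

```python
"""Privacy-enhanced credential: plain header, blinded content, signature
over the whole document. Added example, not the Trust-X implementation."""
import hashlib
import hmac
import json
import secrets

# Constructed issuer key. An HMAC tag stands in for the issuer's digital
# signature; a real deployment would use a public-key signature scheme.
ISSUER_KEY = b"constructed-demo-issuer-key"


def _commit(name: str, value: str, nonce: str) -> str:
    """Hash commitment to one attribute; the random nonce hides the value."""
    return hashlib.sha256(f"{name}|{value}|{nonce}".encode()).hexdigest()


def _sign(header: dict, commitments: dict) -> str:
    """Issuer signature over header + blinded content (canonical JSON)."""
    body = json.dumps([header, commitments], sort_keys=True).encode()
    return hmac.new(ISSUER_KEY, body, hashlib.sha256).hexdigest()


def issue(header: dict, attributes: dict) -> dict:
    """Issuer side: blind every attribute, sign header and commitments.
    The owner keeps the openings (values and nonces) for later disclosure."""
    nonces = {n: secrets.token_hex(16) for n in attributes}
    commitments = {n: _commit(n, attributes[n], nonces[n]) for n in attributes}
    cred = {"header": header, "commitments": commitments,
            "signature": _sign(header, commitments)}
    return {"credential": cred, "attributes": dict(attributes), "nonces": nonces}


def credential_proof(owned: dict) -> dict:
    """What is sent during policy evaluation: header plain, content hidden."""
    return owned["credential"]


def verify_proof(proof: dict) -> bool:
    """Receiver checks the issuer signature without learning any attribute."""
    expected = _sign(proof["header"], proof["commitments"])
    return hmac.compare_digest(expected, proof["signature"])


def disclose(owned: dict, names) -> dict:
    """Selective disclosure: open only the requested attributes."""
    return {n: (owned["attributes"][n], owned["nonces"][n]) for n in names}


def verify_disclosure(proof: dict, opened: dict) -> bool:
    """Each opened (value, nonce) must reproduce the signed commitment."""
    return verify_proof(proof) and all(
        hmac.compare_digest(_commit(n, v, r), proof["commitments"][n])
        for n, (v, r) in opened.items())


def demo():
    """Issue a Patient_Card, prove it, open one attribute, reject a forgery."""
    header = {"CREDID": "demo-001", "CREDTYPE": "Patient_Card",
              "EXPIRATION": "2005-12-31",
              "ISSUEREP": "https://clinic.example/credentials"}  # constructed
    owned = issue(header, {"name": "Alice", "address": "1 Demo Street",
                           "citizenship": "French"})
    proof = credential_proof(owned)
    opened = disclose(owned, ["citizenship"])           # name, address stay hidden
    forged = dict(opened, citizenship=("Italian", owned["nonces"]["citizenship"]))
    return (verify_proof(proof), verify_disclosure(proof, opened),
            verify_disclosure(proof, forged))


if __name__ == "__main__":
    print(demo())
```

The receiver can therefore check, during policy evaluation, that the counterpart holds a validly signed credential of the required type, and later check that every opened attribute is the one the issuer committed to; a value substituted after issuance fails the commitment check even though the signature still verifies.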
Disclosing Attribute Credentials
1. Gradual disclosure of credential content: the header is disclosed during the policy evaluation phase as soon as the credential is required; the attributes are revealed during the credential exchange phase.
2. Attributes are required during the policy evaluation phase as soon as they are involved in the process.
Modeling Negotiation: Logic Formalism
- A term P(C) consists of a credential type P and a set of conditions C on its attributes.
- A policy is expressed as R <- P1(C), P2(C), where R is the resource the policy refers to and the right-hand side lists the requested certificates.
- Disclosure policies are expressed in terms of logical expressions which can specify either simple or composite conditions against certificates.
Using Privacy Enhanced Credentials
1. Alice is a patient of the Health Clinic and wants to buy drugs from an on-line pharmacy, which sells this kind of drug on prescription from Health Clinic doctors.
2. Alice is willing to disclose the requested credentials only if the pharmacy presents a credential proving the pharmacy's affiliation with the hospital: Patient_Card() <- Health_Clin_Aff().
3. Pharmacy affiliation is disclosed only to patients of the clinic: Health_Clin_Aff() <- Patient_Card().
4. Health_Clin_Aff() <- Patient_Card() <- Health_Clin_Aff(): deadlock.
Avoided by using privacy enhanced credentials: during the policy evaluation phase, parties may prove each other credential possession without revealing the credential content until having received all the requested credential proofs.
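As an added example (not Trust-X's own code), the following script encodes disclosure policies in the R <- P1(C), P2(C) form of the logic formalism above, runs the patient/pharmacy policies of this slide through a standard, order-dependent disclosure and reports the cycle as a deadlock, then shows how exchanging credential proofs first (possession of a type, with no content released) lets both sides open their credentials only after all proofs are in. The `Term`, `Party` and `Deadlock` names and the dictionary representation of credentials are this example's assumptions.

```python
"""Disclosure policies R <- P1(C1), P2(C2) and the policy-cycle deadlock of
the patient/pharmacy example. Added example, not the Trust-X implementation."""
from dataclasses import dataclass, field


@dataclass
class Term:
    """P(C): a credential type P with conditions C on its attribute values."""
    cred_type: str
    conditions: dict = field(default_factory=dict)   # attribute -> required value

    def satisfied_by(self, cred: dict) -> bool:
        return cred["type"] == self.cred_type and all(
            cred["attrs"].get(k) == v for k, v in self.conditions.items())


@dataclass
class Party:
    name: str
    credentials: list      # [{"type": ..., "attrs": {...}}, ...]
    policies: dict         # protected item R -> [Term, ...]   (R <- body)

    def holds(self, cred_type: str) -> list:
        return [c for c in self.credentials if c["type"] == cred_type]


class Deadlock(Exception):
    """Raised when a policy depends, directly or indirectly, on itself."""


def disclosure_order(resource, provider, requester):
    """Standard (content-first) disclosure: an item can be released only after
    the counterpart has released the credentials its policy asks for.
    Returns the release order (leaves first) or raises Deadlock on a cycle."""
    order, path, done = [], [], set()

    def visit(item, holder, other):
        key = (holder.name, item)
        if key in done:
            return
        if key in path:                      # cycle: nobody can go first
            raise Deadlock(path[path.index(key):] + [key])
        path.append(key)
        for term in holder.policies.get(item, []):   # no policy: freely disclosable
            visit(term.cred_type, other, holder)
        path.pop()
        done.add(key)
        order.append(key)

    visit(resource, provider, requester)
    return order


def negotiate_with_proofs(resource, provider, requester) -> bool:
    """Policy evaluation with credential proofs: every requested type is first
    proven by a blinded credential (header only), so a cycle in the policies
    is harmless; contents are opened and conditions checked only afterwards."""
    proofs_needed = {provider.name: set(), requester.name: set()}
    checks = []                                  # (term, party that must satisfy it)
    seen, frontier = set(), [(resource, provider, requester)]
    while frontier:
        item, holder, other = frontier.pop()
        if (holder.name, item) in seen:          # cycles are simply not re-walked
            continue
        seen.add((holder.name, item))
        for term in holder.policies.get(item, []):
            proofs_needed[other.name].add(term.cred_type)
            checks.append((term, other))
            frontier.append((term.cred_type, other, holder))
    # Phase 1: proofs of possession, exchanged regardless of policy order.
    for party in (provider, requester):
        if any(not party.holds(t) for t in proofs_needed[party.name]):
            return False
    # Phase 2: all proofs received, both sides open content; conditions apply.
    return all(any(term.satisfied_by(c) for c in other.holds(term.cred_type))
               for term, other in checks)


def demo():
    """The slide's scenario: Patient_Card <- Health_Clin_Aff and vice versa."""
    alice = Party("Alice",
                  [{"type": "Patient_Card", "attrs": {"clinic": "Health Clinic"}}],
                  {"Patient_Card": [Term("Health_Clin_Aff")]})
    pharmacy = Party("Pharmacy",
                     [{"type": "Health_Clin_Aff", "attrs": {"clinic": "Health Clinic"}}],
                     {"Drug": [Term("Patient_Card", {"clinic": "Health Clinic"})],
                      "Health_Clin_Aff": [Term("Patient_Card")]})
    try:
        disclosure_order("Drug", pharmacy, alice)
        standard = "granted"
    except Deadlock as d:
        standard = "deadlock: " + " <- ".join(f"{h}.{i}" for h, i in d.args[0])
    return standard, negotiate_with_proofs("Drug", pharmacy, alice)


if __name__ == "__main__":
    print(demo())
```

Run stand-alone, the standard walk reports `deadlock: Alice.Patient_Card <- Pharmacy.Health_Clin_Aff <- Alice.Patient_Card`, while the proof-first negotiation grants the drug: the header-only proof carries no sensitive content, so it can be sent before the counterpart's policy is satisfied, which is exactly what breaks the cycle.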
The Notion of Context in Disclosure Policies
The basic rule specification is not expressive enough to specify other crucial information that may be associated with a policy... How about policy prerequisites? How about the privacy policies for the requested credentials?
Policy Context
The goal is to integrate the basic rule defining a policy with a structured set of information to be used during the trust negotiation process: <pol_prec_set, priv>.
- pol_prec_set: set of policy identifiers such that at least one of the policies needs to be satisfied before the disclosure of the policy with which the precondition set is associated.
- priv: denotes a P3P privacy policy. The task of privacy policies is to complement disclosure policies, specifying whether the information conveyed by the credentials will be collected and/or used.
Privacy Policies in Trust-X Negotiations
1. Introductory phase: send a request for a resource/service; introductory policy exchanges.
   Privacy agreement subphase: exchange of specific privacy policies, if any.
2. Policy evaluation phase: disclosure policy exchange and evaluation of the exchanged policies.
3. Certificate exchange phase: exchange of the sequence of certificates determined at step 2.
A Privacy Enabled Trust-X Negotiation (figure: Alice and DrugStore)
(1) Introductory phase: Alice sends the drug request; introductory policies are exchanged.
(1a) Privacy agreement subphase: P3P prior agreement request; the DrugStore sends its P3P proposal (P3P_DrugStore), which Alice matches with her local privacy preferences; P3P acknowledge and P3P acceptance.
(2) Policy evaluation phase: disclosure policy exchange with the associated P3P policies, each side matching disclosure policy and P3P policy compliance, e.g.
    R<-A(C1,C2),P3PA,D(C3),P3PD
    R<-E(C4,P3PE)
    A<-B(C5,P3PB)
(3) Certificate exchange phase: credentials sent.
(4) Resource disclosure: DRUG.
Strategies in Trust-X
- In order to define a framework that is as adaptable and flexible as possible, we do not define a unique mode to carry on the negotiation.
- Our framework supports a variety of strategies that can be used for carrying on a negotiation.
- We have devised five general purpose strategies that reflect five different approaches to a negotiation.
Trust-X Privacy Preserving Strategies
- Standard: the traditional way of carrying on a negotiation, based on an informed strategy.
- Suspicious: the credential proof is always requested during the policy evaluation phase for each of the involved credentials.
- Strongly Suspicious: a specific case of the suspicious strategy; parties require attribute disclosure as the corresponding policies are satisfied.
- Trusting: the goal of this strategy is to speed up the process whenever possible. This can be done using credential suggestions, stored in a special field of the policy context.
- Mixed Strategy: characterized by the possibility of dynamically switching among the above strategies.
Privacy Enabled Trust-X Architecture (figure: policy wizard, credential schema repository, privacy policies, policy base)
Creating a P3P Policy in Trust-X
Credential content can be analyzed under two different perspectives:
1. If the information to be collected is a set of properties, the policy can be specified as a conventional P3P policy using the built-in data schemas and categories provided by the standard, without referring to the particular credential collecting the requested attributes.
2. If the key information is the credential itself, then the policy should refer not only to the attributes in the credential but also to the credential itself.
Responding to a Disclosure Policy
- If a P3P policy is attached to the disclosure policy, the policy check is performed between the P3P policy and the preference rules of the receiving party, with respect to the credentials requested by the disclosure policy with which the privacy policy is associated.
- If no P3P policy is associated with the disclosure policy, then the preference rules are checked against the privacy policies exchanged during the privacy agreement phase.
(figure: Compliance Checker, privacy preferences, Tree manager, X-profile)
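The decision procedure of the last two slides (policy context <pol_prec_set, priv>, then the P3P check against the receiver's preference rules, falling back to the privacy policy agreed in the privacy agreement subphase) can be written out as follows. This is an added example, not the Trust-X compliance checker: the P3P policy is reduced to per-data-element purposes, recipients and retention using P3P 1.0 vocabulary values, the `schemas` mapping from credential type to data elements stands for the credential schema repository, and all policies and preferences are constructed.

```python
"""Responding to a disclosure policy using its context <pol_prec_set, priv>
and the receiver's privacy preference rules. Added example, not Trust-X code."""
from dataclasses import dataclass, field
from typing import Optional

# P3P 1.0 retention values, least to most permissive.
RETENTION_RANK = {"no-retention": 0, "stated-purpose": 1, "legal-requirement": 2,
                  "business-practices": 3, "indefinitely": 4}


@dataclass
class P3PPolicy:
    """Simplified P3P policy: per data element, a statement with
    {"purpose": set, "recipient": set, "retention": str}."""
    statements: dict


@dataclass
class DisclosurePolicy:
    resource: str
    requested: list                                   # credential types asked for
    pol_prec_set: set = field(default_factory=set)    # ids, at least one must hold
    priv: Optional[P3PPolicy] = None                  # P3P attached to this policy


@dataclass
class Preferences:
    """Receiver's preference rules, same shape as P3P statements: the most the
    receiver tolerates for each data element."""
    rules: dict


def _statement_ok(stmt: dict, rule: dict) -> bool:
    return (stmt["purpose"] <= rule["purpose"]
            and stmt["recipient"] <= rule["recipient"]
            and RETENTION_RANK[stmt["retention"]] <= RETENTION_RANK[rule["retention"]])


def check_privacy(p3p: P3PPolicy, prefs: Preferences, elements) -> list:
    """Data elements whose P3P statement is missing or exceeds the preference."""
    bad = []
    for el in elements:
        stmt, rule = p3p.statements.get(el), prefs.rules.get(el)
        if stmt is None or rule is None or not _statement_ok(stmt, rule):
            bad.append(el)
    return bad


def respond(policy: DisclosurePolicy, schemas: dict, prefs: Preferences,
            agreed_p3p: Optional[P3PPolicy], satisfied_ids: set) -> str:
    """Decide whether to go on with the credentials a disclosure policy requests.
    schemas: credential type -> data elements it carries (schema repository).
    agreed_p3p: policy accepted in the privacy agreement subphase, if any."""
    if policy.pol_prec_set and not (policy.pol_prec_set & satisfied_ids):
        return "refuse: precondition policies not satisfied"
    p3p = policy.priv or agreed_p3p            # attached P3P first, else agreed one
    if p3p is None:
        return "refuse: no privacy policy to evaluate"
    elements = [el for t in policy.requested for el in schemas[t]]
    bad = check_privacy(p3p, prefs, elements)
    if bad:
        return "refuse: privacy violation on " + ", ".join(sorted(bad))
    return "proceed"


def demo():
    """Constructed Patient_Card schema, preferences and two P3P policies."""
    schemas = {"Patient_Card": ["name", "clinic", "patient_id"]}
    strict = {"purpose": {"current"}, "recipient": {"ours"}, "retention": "no-retention"}
    prefs = Preferences({
        "name": dict(strict, retention="stated-purpose"),
        "clinic": dict(strict, retention="stated-purpose"),
        "patient_id": strict,
    })
    agreed = P3PPolicy({el: strict for el in ("name", "clinic", "patient_id")})
    # Attached P3P that would keep and share the patient id: must be refused.
    greedy = P3PPolicy(dict(agreed.statements, patient_id={
        "purpose": {"current", "contact"}, "recipient": {"ours", "other-recipient"},
        "retention": "indefinitely"}))
    base = dict(resource="Drug", requested=["Patient_Card"])
    return (
        respond(DisclosurePolicy(**base), schemas, prefs, agreed, set()),
        respond(DisclosurePolicy(**base, priv=greedy), schemas, prefs, agreed, set()),
        respond(DisclosurePolicy(**base, pol_prec_set={"pol_7"}), schemas, prefs, agreed, set()),
        respond(DisclosurePolicy(**base, pol_prec_set={"pol_7"}), schemas, prefs, agreed, {"pol_7"}),
    )


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Note that the check is scoped to the data elements the requested credentials actually carry, which is what "with respect to the credentials requested by the disclosure policy" amounts to in practice: a permissive statement about a data element no requested credential contains does not block the negotiation.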
Summary
- Trust-X is a privacy-enabled system supporting: selective disclosure of attributes; privacy enhanced credentials; privacy policy exchange during the negotiation process.
- Trust-X is the first trust negotiation system complemented with the P3P platform.
- The P3P platform is used for stating how the personal information collected through credential disclosure during on-line transactions will be managed by the receiver.
Ongoing Work
- Development of mechanisms and modules to semi-automatically design privacy policies to be associated with disclosure policies.
- Use of a reference ontology to specify high-level trust requirements to be mapped into disclosure policies.
- Notion of private concept groups to protect combinations of concepts not to be released together. Private concept groups are formed by taking into account not only the subject's privacy preferences but also the privacy practices of the counterpart.
Future Work
- Evaluation of the strategies to carry on a negotiation that exploit and extend the notion of context associated with a policy, to allow one to trade off among efficiency, robustness and privacy requirements.
- Mechanisms for enforcing anonymity.
- Full support for P3P version 1.1.