Exploiting Preferences for Minimal Credential Disclosure in Policy-Driven Trust Negotiations

Philipp Kärger, Daniel Olmedilla, Wolf-Tilo Balke
L3S Research Center, Leibniz University Hannover, Germany
5th Secure Data Management Workshop, Auckland, New Zealand, August 24, 2008


Outline

1. Policy-driven Trust Negotiations
   • What are they?
   • What are they for?
   • What may happen that we need preferences?

2. Preferences in Trust Negotiations
   • Modeling Disclosure Sets
   • Modeling Preferences
   • A Preference Model for comparing Disclosure Sets

3. Implementation and Experiments
   • An Implementation guiding a Trust Negotiation
   • Simulating Trust Negotiations


1. Trust Negotiation


Trust Negotiation: how to trust a stranger?

Alice requests a book from an on-line book shop.

Alice's policy:
• Disclose CreditCard IF Requestor has BBB certificate

Book shop's policy:
• Disclose Book IF Requestor discloses valid CreditCard
• Disclose BBB certificate to any requestor

Negotiation:
1. Alice: request for a book
2. Book shop: “for the book I need a CreditCard”
3. Alice: “for the CreditCard I need a BBB cert.”


The Need for Preferences

• What if a policy evaluation has more than one result?

Alice's policy:
• Disclose CreditCard IF Requestor has BBB certificate
• Disclose bank account information IF Requestor has BBB certificate

Negotiation:
1. Alice: request for a book
2. Book shop: “for the book I need a CreditCard or your bank account information”

Which credential? CreditCard or bank account information?

Exploit user preferences in the negotiation process to decide.


It may become even more complex …

[Figure: Alice, on-line book shop, request for a book]


How to decide between the options?

• If the system is not aware of any user preferences, it has to ask the user to decide.

• But the user
  - may easily be overwhelmed by so many options.
  - may make a bad decision because of lost overview.
  - has to decide again for all future negotiations.
  - may not be available at all.


2. Preferences in Trust Negotiation


Preference handling

• A preference is an order of values with decreasing preference:
  - “I prefer English but German is also fine.”
  - “I prefer to disclose my PayPal account information instead of my credit card number. My bank account information is the last option.”

Preferences are known from:

• databases: preference queries
  [Werner Kießling: Preference SQL: design, implementation, experiences. 2002]
  [Jan Chomicki: Preference formulas in relational queries. 2003]

• logic programming: preferred answer sets
  [Gerhard Brewka, Thomas Eiter: Preferred Answer Sets for Extended Logic Programs. 1999]


Preferences in Trust Negotiation

• Typically, users have general preferences about which credential to disclose.

• For example:
  - “I prefer to disclose my e-mail address instead of my postal address.”
  - “My postal code together with my date of birth is very sensitive. I prefer to disclose my e-mail address instead of these two.”

An example preference graph:

[Figure: preference graph; label: Quasi identifier]


Preferences of Different Kinds

• total vs. partial order

• quantitative vs. qualitative

• default preference: not disclosing a credential is preferred to disclosing it

• contextual preferences


Modeling Disclosure Sets

Disclosure Sets are represented as Binary Vectors,

e.g., S6 = (0,0,0,0,0,1,0,0,0,1,1) represents the set {ID, CreditCard, PIN}.


Modeling Preferences

• Preferences are defined over a subset of dimensions in the disclosure set vectors, e.g.,

Not disclosing the telephone number is preferred to disclosing the telephone number:

(x, x, 0, x, x, x, x, x, x, x, x)   is preferred to
(x, x, 1, x, x, x, x, x, x, x, x)

If I have to disclose my date of birth, I prefer to disclose my e-mail address instead of my postal code:

(x, 1, x, 1, 0, x, x, x, x, x, x)   is preferred to
(x, 1, x, 0, 1, x, x, x, x, x, x)

[Figure label: Quasi identifier]

The dimensions marked x must be equal (=) in both vectors: ceteris paribus.


Filtering out Non-Preferred Disclosure Sets

Finding the optimal disclosure set by ruling out non-optimal sets according to Alice’s preferences:

default preference: not disclosing a credential is preferred to disclosing it:

which credential is preferred to disclose:


Filtering out Non-Preferred Disclosure Sets

S6  = 00000100011
S10 = 00010100011

S6 ? S10


Filtering out Non-Preferred Disclosure Sets

11010001100
11001001100
11001000110
11001000011

S1 ? S4


Filtering out Non-Preferred Disclosure Sets

For our example:

Applying this technique iteratively rules out 10 of the 12 alternatives.

user’s decision between S1 and S5 may be stored for later negotiations
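
The filtering step from the slides above, as an added Python illustration (it is not the authors' Prolog-based implementation): candidate disclosure sets are compared under the default preference and under one contextual ceteris-paribus rule, and dominated sets are dropped. The function names, the labels "E" and "P", and the reading of dimension 4 as e-mail and dimension 5 as postal code are assumptions made for this example.

```python
# Added illustration (not the authors' Prolog implementation).
X = None  # wildcard: the rule does not constrain this dimension

def vec(bits):
    """Turn a bit string such as '00000100011' into a disclosure vector."""
    return tuple(int(c) for c in bits)

def matches(pattern, v):
    return all(p is X or p == b for p, b in zip(pattern, v))

def rule_prefers(rule, a, b):
    """a is preferred to b by one rule if a fits the preferred pattern, b the
    non-preferred one, and all wildcard dimensions are equal (ceteris paribus).
    Assumes both patterns of a rule constrain the same dimensions."""
    better, worse = rule
    same_elsewhere = all(x == y for p, x, y in zip(better, a, b) if p is X)
    return same_elsewhere and matches(better, a) and matches(worse, b)

def default_prefers(a, b):
    """Default preference applied per credential and chained: a discloses a
    proper subset of what b discloses."""
    return a != b and all(x <= y for x, y in zip(a, b))

def dominates(a, b, rules):
    return default_prefers(a, b) or any(rule_prefers(r, a, b) for r in rules)

def filter_preferred(candidates, rules):
    """Drop every candidate that some other candidate is directly preferred to.
    Only direct comparisons are used, so with consistent preferences the filter
    is conservative: it may keep a set that a longer chain would rule out."""
    return {name: v for name, v in candidates.items()
            if not any(dominates(o, v, rules) for o in candidates.values())}

# Rule from the slides: with date of birth (dimension 2) disclosed, prefer
# e-mail (read here as dimension 4) over postal code (read as dimension 5).
RULES = [((X, 1, X, 1, 0, X, X, X, X, X, X), (X, 1, X, 0, 1, X, X, X, X, X, X))]

# Vectors copied from the slides; the labels "E" and "P" are constructed here.
CANDIDATES = {
    "S6": vec("00000100011"),
    "S10": vec("00010100011"),
    "E": vec("11010001100"),
    "P": vec("11001001100"),
}

if __name__ == "__main__":
    print(sorted(filter_preferred(CANDIDATES, RULES)))
```

The two sets that remain are incomparable under these rules, which is the situation where the user would be asked to decide.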


3. Implementation and Experiments


Implementation

[Figure: implementation diagram; labels: preferences, policy, Prolog, preference engine]


Experiments

- For simulated negotiations with
  - varying preferences
  - varying policies

- the mean amount of disclosure sets ruled out was 82 %.


Summary

Preferences help to automatically decide between alternatives in a Trust Negotiation.

Our approach
• allows qualitative, partially ordered, contextual preferences
• always selects the optimal next steps in a negotiation
• includes an iterative process to elicit new user preferences


Thank you for your attention.

Please ask if there are any questions.

Or get in touch later:

Philipp Kärger [email protected]

http://www.L3S.de/~kaerger