Medina: Combining Evidence to Build Trust
Reasoning about trust without onions.
Johannes Helander, Ben Zorn
Microsoft Research, May 23, 2007
Oakland, WSP07
A Second Look at Passwords
Not as strong as encryption would suggest
Ad-hoc methodology
Back-channels (e.g. password reset)
Reuse of passwords
Inconvenient to store
They just don’t work
(14) front door
(16) side door
Our Formalism and Passwords
allow = P(e1,e2,e3) = e1 | (e2 & e3)
e1 = knows password
e2 = has an email address registered with the account
e3 = can read email sent to that address
Stricter policy: allow = P2(e1,e2,e3,e4) = e4 & P1(e1,e2,e3)
e4 = is human
Boolean operation will generalize
Interpretation of policies that combine evidence
Framework for reasoning about trust
Non-onion
Time decay & integration
Multiple sources of evidence
Imprecise data
HIP, puzzle, biometric, proximity, peer rating, knowledge quiz
Scenario: Sharing soccer picture @café
Difficult with current mechanisms
USB stick, web page, email, IM, wireless
Virtual USB stick
Proximity, humanity, spoken word
Reflection of inter-human trust
Scenario: Wiki access control
Quizzes
Ratings
edit1 = ((quiz1>70% & peer>50%) | passwdA) & HIP
edit2 = ((quiz2>90% & peer>75%) | passwdB) & HIP
read1 = anybody
read2 = (peer>20%) & HIP
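The wiki policies above, evaluated over evidence that ages, as an added example that is not code from the slides or from the Medina prototype. The exponential half-life decay, the 0.5 cut-off for yes/no evidence, and the sample visitor are assumptions chosen for illustration; the slides name time decay but do not define it.

```python
from dataclasses import dataclass
from typing import Dict, Optional

DAY = 86400.0

@dataclass
class Evidence:
    score: float                          # 0..1 when collected; 1.0 for a yes/no fact
    age_s: float = 0.0                    # seconds since it was collected
    half_life_s: Optional[float] = None   # None = no decay (assumed model)

    def current(self) -> float:
        if self.half_life_s is None:
            return self.score
        return self.score * 0.5 ** (self.age_s / self.half_life_s)

Store = Dict[str, Evidence]

def score(s: Store, name: str) -> float:
    """Decayed strength of named evidence; evidence never presented counts as 0."""
    return s[name].current() if name in s else 0.0

def has(s: Store, name: str) -> bool:
    """Yes/no evidence (password, HIP) holds while its strength is >= 0.5 (assumed cut-off)."""
    return score(s, name) >= 0.5

# The four wiki policies from the slide, term for term.
def edit1(s): return ((score(s, "quiz1") > 0.70 and score(s, "peer") > 0.50) or has(s, "passwdA")) and has(s, "HIP")
def edit2(s): return ((score(s, "quiz2") > 0.90 and score(s, "peer") > 0.75) or has(s, "passwdB")) and has(s, "HIP")
def read1(s): return True
def read2(s): return score(s, "peer") > 0.20 and has(s, "HIP")

def decide(s: Store) -> Dict[str, bool]:
    return {p.__name__: p(s) for p in (edit1, edit2, read1, read2)}

def visitor(quiz_age_days: float, **extra: Evidence) -> Store:
    """Constructed sample: quiz1 passed at 80%, peer rating 60%, HIP just solved."""
    s = {"quiz1": Evidence(0.80, quiz_age_days * DAY, 30 * DAY),
         "peer": Evidence(0.60), "HIP": Evidence(1.0)}
    s.update(extra)
    return s

if __name__ == "__main__":
    print("fresh quiz       ", decide(visitor(0)))
    print("30-day-old quiz  ", decide(visitor(30)))
    print("old quiz + passwd", decide(visitor(30, passwdA=Evidence(1.0))))
```

The same visitor loses edit1 once the quiz result has aged one half-life (0.80 decays to 0.40), and regains it through the password branch, while HIP stays mandatory on every path.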
Adaptive Trust Evaluation
Stochastic process?
Decay Filters Credit history Suspicious activity
Status & Conclusions
Take mechanisms that are now ad hoc & bring into formal system
Currently implementing prototype
Allows evolution of evaluation engine & underlying math