Trust Negotiation Concepts and Issues Elisa Bertino CS & ECE Departments, CERIAS Purdue University Boston November 9, 2004.


2 Outline
- Trust – some definitions
- The trust negotiation model
- Trust-X
- Privacy solutions in Trust-X: credential format; policy context; system architecture
- Conclusions and future work

3 Trust – Some Definitions
Kini & Choobineh: trust is "a belief that is influenced by the individual's opinion about certain critical system features".
Gambetta: "…trust (or, symmetrically, distrust) is a particular level of the subjective probability with which an agent will perform a particular action, both before [the trustor] can monitor such action (or independently of his capacity ever to be able to monitor it)".
The Trust-EC project (http://dsa-isis.jrc.it/TrustEC/): trust is "the property of a business relationship, such that reliance can be placed on the business partners and the business transactions developed with them".
Grandison and Sloman: trust is "the firm belief in the competence of an entity to act dependably, securely and reliably within a specified context".

4 Some Basic Properties of Trust Relations
- Trust is relative to some business transaction. A may trust B to drive her car but not to baby-sit.
- Trust is a measurable belief. A may trust B more than A trusts C for the same business.
- Trust is directed. A may trust B to be a profitable customer, but B may distrust A to be a retailer worth buying from.
- Trust exists and evolves in time. The fact that A trusted B in the past does not in itself guarantee that A will trust B in the future. B's performance and other relevant information may lead A to re-evaluate her trust in B.

5 Trust Services
- Identity services
- Authorization services with support for the delegation and control of fine-grained access control at the data, resource and service levels
- Trust negotiation
- Anonymity services
- Trust rating and recommendation services
- Notarisation
- Guaranteed message delivery
- Auditable logs
- Secure storage

6 Trust Negotiation model
- The goal: establish trust between parties in order to exchange sensitive information and services.
- The approach: establish trust by verifying properties (credentials) of the other party. Note that trust can also be established based on other factors and information, e.g. reputation; the use of credentials is the common choice in current TN languages and systems.
- Protect sensitive credentials and services with ad hoc policies, namely disclosure policies.

7 Trust Negotiation model (diagram: the client and the server each hold a Policy Base; the exchange consists of a resource request, policies, the subject profile and credentials, and ends with the resource being granted)

8 Issues – Language Requirements
- Well-defined semantics
- Monotonicity
- Credential combination
- Authentication
- Constraints on property values
- Intercredential constraints
- Sensitive policies
- Unified formalism and use of interoperable languages

9 Issues – System Requirements
- Credential ownership
- Credential validity
- Credential chain discovery
- Privacy protection
- Support for alternative negotiation strategies
- Fast negotiation strategies

10 Systems and Prototypes
- KeyNote, by Blaze and Feigenbaum, AT&T Research Lab and Yale University
- TrustBuilder, by K. Seamons et al., Brigham Young University
- Trust-X, by Bertino, Ferrari and Squicciarini, Purdue University and University of Milano

11 Systems and Prototypes – a Comparison

| Language requirement            | KeyNote | TrustBuilder | Trust-X   |
|---------------------------------|---------|--------------|-----------|
| Well-defined semantics          | Y       | Y            | Y         |
| Monotonicity                    | Y       | Y            | Y         |
| Credential combinations         | Y       | Y            | Y         |
| Constraints on property values  | N       | Y            | Y         |
| Intercredential constraints     | N       | Y            | Y         |
| Credential chains               | N       | N            | Partially |
| Authentication                  | N       | N            | N         |
| Sensitive policies              | N       | Y            | Y         |
| Unified formalism               | Y       | N            | Y         |
| Interoperable languages         | N       | N            | Y         |

12 Systems and Prototypes – a Comparison

| System requirement                 | KeyNote | TrustBuilder | Trust-X   |
|------------------------------------|---------|--------------|-----------|
| Credential validity                | N       | Y            | Y         |
| Credential ownership               | N       | N            | Partially |
| Alternative negotiation strategies | N       | Y            | Y         |
| Fast negotiation strategies        | N       | N            | Y         |
| Privacy protection                 | Y       | Y            | Y         |
| Credential chain discovery         | N       | N            | Partially |

13 The Trust-X system
Comprehensive XML-based framework for trust negotiations:
- Trust negotiation language
- System architecture
- Protocol and strategies to carry on a negotiation
A Trust-X negotiation consists of a set of phases to be sequentially executed. The key phase is the policy evaluation phase, which consists of a bilateral and ordered policy exchange.

14 A Trust-X negotiation (diagram between Alice and Bob)

15 Message exchange in a Trust-X negotiation (diagram between Alice and Bob)
- Introductory phase: preliminary information exchange. Alice sends the service request; Bob replies with a prerequisite acknowledge.
- Policy exchange: bilateral disclosure of policies. Disclosure policies are sent in both directions and matched against the local ones.
- Credential disclosure: actual credential disclosure. Credentials and/or declarations are exchanged in both directions.
- Resource disclosure: the service is granted.

16 The basic Trust-X system (architecture diagram: each of Alice and Bob runs a Tree Manager, an X-Profile, a Policy Database and a Compliance Checker)

17 Privacy issues in trust negotiations
- Trust negotiation neither controls nor safeguards personal information once it has been disclosed.
- During the policy evaluation phase, privacy can be compromised, since there is no guarantee about the counterpart's honesty until the actual disclosure of the credentials.
- Sensitive information can be inferred from a response to a request to access a resource.

18 Sensitive attributes in digital credentials
- Policy disclosure can be used to determine the value of sensitive attributes without the credential ever being disclosed.
- A credential may contain several sensitive attributes, and very often just a subset of them is required to satisfy a counterpart policy. However, when a credential is exchanged, the receiver nevertheless obtains all the information contained in the credential.

19 How we preserve privacy in Trust-X
- Support of a new credential format, which may provide a high degree of privacy protection: selective disclosure of attributes; gradual disclosure of the credential content.
- Extension of the policy notion with additional information to express privacy preferences, and the possibility of negotiating privacy rules.
- Integration of Trust-X with the P3P platform. The P3P platform is used for stating how the personal information collected through credential disclosure during on-line transactions will be managed by the receiver.

20 Privacy enhanced credential (1)
Credential header: the set of information that is crucial for proving that the credential, regardless of its specific content, is a signed and valid digital document issued by a trusted authority.
- CREDID: unique credential identifier
- CREDTYPE: type of the credential
- EXPIRATION: expiration date
- ISSUEREP: credential issuer repository
Credential content: a list collecting the attribute specifications.

21 Privacy enhanced credentials (2)
Credential content: attribute names, values and random numbers. The signature is computed over the whole credential.
The credential header is used as a credential proof: a particular state of a privacy enhanced credential where the header is plain and the content is hidden, while the signature over the whole document can still be verified.

22 Disclosing attribute credentials
1. Gradual disclosure of credential content
- Header: disclosed during the policy evaluation phase as soon as the credential is required
- Attributes: revealed during the credential exchange phase
2. Attributes required during the policy evaluation phase are disclosed as soon as they are involved in the process.
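The credential format of slides 20 to 22, as an added Python example that is not part of the presentation or of the Trust-X implementation: a plain header, one randomised commitment per attribute (the "random numbers" of slide 21), a signature over header and commitments, the credential proof that hides all content, and selective disclosure of a subset of attributes. The issuer signature is stood in for by an HMAC under a constructed key, which is an assumption for the sake of a self-contained example; a real issuer would sign with a private key and the receiver would verify with the issuer's public key.

```python
import hashlib, hmac, json, os

# Constructed issuer key: stand-in for the issuer's signing key (assumption; a real
# issuer signs with a private key and receivers verify with its public key).
ISSUER_KEY = b"constructed-health-clinic-key"

def commit(name, value, nonce):
    """Hide one attribute as H(name | value | nonce). The random nonce stops a
    receiver from recovering a low-entropy value (e.g. a birth year) by guessing."""
    return hashlib.sha256(f"{name}|{value}|{nonce}".encode()).hexdigest()

def _signed_bytes(header, commitments):
    return json.dumps({"header": header, "commitments": commitments}, sort_keys=True).encode()

def issue(header, attributes):
    """Issuer side: plain header, one commitment per attribute, signature over both.
    The (value, nonce) pairs stay with the credential owner."""
    content = {n: (v, os.urandom(16).hex()) for n, v in attributes.items()}
    commitments = {n: commit(n, v, r) for n, (v, r) in content.items()}
    sig = hmac.new(ISSUER_KEY, _signed_bytes(header, commitments), "sha256").hexdigest()
    return {"header": header, "commitments": commitments, "signature": sig, "content": content}

def credential_proof(cred):
    """Sent during policy evaluation: header and signature plain, content hidden."""
    return {k: cred[k] for k in ("header", "commitments", "signature")}

def disclose(cred, names):
    """Sent during credential exchange: (value, nonce) for the requested attributes only."""
    return {n: cred["content"][n] for n in names}

def verify_proof(proof):
    """Receiver checks that the proof is a valid, unmodified document of the issuer."""
    expected = hmac.new(ISSUER_KEY, _signed_bytes(proof["header"], proof["commitments"]),
                        "sha256").hexdigest()
    return hmac.compare_digest(expected, proof["signature"])

def verify_disclosure(proof, revealed):
    """Receiver checks that each revealed attribute opens the commitment it was signed under."""
    if not verify_proof(proof):
        return False
    return all(commit(n, v, r) == proof["commitments"].get(n) for n, (v, r) in revealed.items())

# Constructed sample: Alice's Patient_Card with the header fields of slide 20.
HEADER = {"CREDID": "pc-0001", "CREDTYPE": "Patient_Card",
          "EXPIRATION": "2005-11-09", "ISSUEREP": "https://clinic.example/creds"}
alice_card = issue(HEADER, {"name": "Alice", "birth_year": "1970", "patient_id": "P-42"})
```

The pharmacy can check the proof during policy evaluation and later accept only the attributes its policy needs; a revealed value that does not open its commitment, or an edited header, fails verification.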

23 Modeling negotiation: logic formalism
Disclosure policies are expressed in terms of logical expressions which can specify either simple or composite conditions against certificates.
A term P(C) denotes a credential of type P whose attributes satisfy the set of conditions C (written P() when no condition is imposed).
A policy is expressed as

  R ← P1(c), P2(c)

where R is the resource which the policy refers to and P1(c), P2(c) are the requested certificates.

24 Using privacy enhanced credentials
1. Alice is a patient of the Health Clinic and wants to buy drugs from an on-line pharmacy, which sells this kind of drugs on prescription of Health Clinic doctors.
2. Alice is willing to disclose the requested credentials only if the pharmacy presents a credential proving the pharmacy's affiliation with the hospital: Patient_Card() ← Health_Clin_Aff().
3. Pharmacy affiliation is disclosed only to patients of the clinic: Health_Clin_Aff() ← Patient_Card().
4. Health_Clin_Aff() ← Patient_Card() ← Health_Clin_Aff(): deadlock.
The deadlock is avoided by using privacy enhanced credentials: during the policy evaluation phase the parties may prove to each other that they possess the credentials without revealing credential content, until all the requested credential proofs have been received.
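The deadlock above, as an added Python simulation that is not part of the presentation or of Trust-X: each party releases a credential only after the counterpart has satisfied that credential's disclosure policy, and the run is repeated with plain credentials and with credential proofs exchanged first. The credential names Patient_Card and Health_Clin_Aff and the two policies come from the slide; the round-based loop, the side labels "A" and "B" and the `with_proofs` flag are assumptions made for the illustration.

```python
# Each party owns credentials and has one disclosure policy per credential: the set of
# counterpart credential types that must have been received before it is released
# (the slide's "Patient_Card() <- Health_Clin_Aff()").
ALICE = {"owns": {"Patient_Card"}, "policies": {"Patient_Card": {"Health_Clin_Aff"}}}
PHARMACY = {"owns": {"Health_Clin_Aff"}, "policies": {"Health_Clin_Aff": {"Patient_Card"}}}

def policy_satisfied(party, cred, received):
    return party["policies"].get(cred, set()) <= received

def negotiate(a, b, with_proofs):
    """Simulate the negotiation between a (side "A") and b (side "B").
    with_proofs=False: plain credentials; a party sends a credential only once the
    counterpart has sent every credential the policy requires, so two mutually
    dependent policies leave nobody able to move first.
    with_proofs=True: the policy evaluation phase first exchanges credential proofs
    (type and signature visible, content hidden); a proof satisfies the counterpart's
    policy, so the content can then be released in order.
    Returns (outcome, list of messages as (sender, kind, credential))."""
    parties = {"A": a, "B": b}
    received = {"A": set(), "B": set()}   # credential types each side has obtained
    disclosed = {"A": set(), "B": set()}  # content each side has released
    log = []
    if with_proofs:
        for side, other in (("A", "B"), ("B", "A")):
            for cred in sorted(parties[side]["owns"]):
                received[other].add(cred)          # proof: type known, content hidden
                log.append((side, "proof", cred))
    while True:
        progress = False
        for side, other in (("A", "B"), ("B", "A")):
            for cred in sorted(parties[side]["owns"] - disclosed[side]):
                if policy_satisfied(parties[side], cred, received[side]):
                    disclosed[side].add(cred)
                    received[other].add(cred)
                    log.append((side, "content", cred))
                    progress = True
        if all(disclosed[s] == parties[s]["owns"] for s in parties):
            return "success", log
        if not progress:
            return "deadlock", log   # neither side can be the first to disclose
```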

25 The notion of context in disclosure policies
This specification is not expressive enough to capture other crucial information that may be associated with a policy:
- How about policy prerequisites?
- How about the privacy policies for the requested credentials?
This leads to the notion of context of disclosure policies.

26 Policy context
The goal is to integrate the basic rule defining a policy with a structured set of information to be used during the trust negotiation process.
- Precondition set: a set of policy identifiers such that at least one of those policies needs to be satisfied before the disclosure of the policy with which the precondition set is associated.
- Privacy policy: denotes a P3P privacy policy. The task of privacy policies is to complement disclosure policies, specifying whether the information conveyed by the credentials will be collected and/or used.

27 Privacy policies in Trust-X negotiations
1. Introductory phase: send a request for a resource/service; introductory policy exchanges; privacy agreement subphase, in which specific privacy policies may be exchanged.
2. Policy evaluation phase: disclosure policy exchange and evaluation of the exchanged policies.
3. Certificate exchange phase: exchange of the sequence of certificates determined at step 2.

28 A privacy enabled Trust-X negotiation (diagram between Alice and the DrugStore)
- Introductory phase: Alice sends the Drug request; introductory policies are exchanged.
- (1a) Privacy agreement subphase: the DrugStore sends a P3P proposal (P3P_DrugStore) together with a P3P prior agreement request; Alice matches P3P_DrugStore with her local privacy preferences and returns a P3P acknowledge, which the DrugStore acknowledges in turn (P3P acceptance).
- Policy evaluation phase: disclosure policies are exchanged together with the associated P3P policies, and each side matches the disclosure policy and checks P3P policy compliance. Policies shown in the diagram: A ← B(C5, P3P_B); R ← A(C1, C2), P3P_A, D(C3), P3P_D; R ← E(C4, P3P_E).
- Certificate exchange phase: the credentials are sent, steps (1) to (4).
- Resource disclosure: DRUG is granted.

29 Strategies in Trust-X
In order to define a framework that is as adaptable and flexible as possible, we do not define a unique mode to carry on the negotiation. Our framework supports a variety of strategies that can be used for carrying on a negotiation. We have devised five general purpose strategies that reflect five different approaches to a negotiation.

30 Trust-X privacy preserving strategies
- Standard: the traditional way of carrying on a negotiation, based on an informed strategy.
- Suspicious: the credential proof is always requested during the policy evaluation phase for each of the involved credentials.
- Strongly Suspicious: a specific case of the suspicious strategy; parties require attribute disclosure as soon as the corresponding policies are satisfied.
- Trusting: the goal of this strategy is to speed up the process whenever possible. This can be done using credential suggestions, stored in a special field of the policy context.
- Mixed Strategy: characterized by the possibility of dynamically switching among the above strategies.

31 Privacy enabled Trust-X architecture (diagram)

32 Creating a P3P policy in Trust-X
Credential content can be analyzed under two different perspectives:
1. If the information to be collected is a set of properties, the policy can be specified as a conventional P3P policy using the built-in data schemas and categories provided by the standard, without referring to the particular credential carrying the requested attributes.
2. If the key information is the credential itself, then the policy should refer not only to the attributes in the credential but also to the credential itself.
(Diagram: a policy wizard draws on the credential schema repository and the policy base to produce the privacy policies, in three steps.)

33 Responding to a disclosure policy
- If a P3P policy is attached to the disclosure policy, a policy check is performed between the P3P policy and the preference rules of the receiving party, with respect to the credentials requested by the disclosure policy with which the privacy policy is associated.
- If no P3P policy is associated with the disclosure policy, then the preference rules are checked against the privacy policies exchanged during the privacy agreement phase.
(Diagram: the Compliance Checker of each party consults the privacy preferences, the Tree Manager and the X-Profile.)

34 Summary
Trust-X is a privacy-enabled system supporting:
- Selective disclosure of attributes
- Privacy enhanced credentials
- Privacy policy exchange during the negotiation process
Trust-X is the first trust negotiation system complemented with the P3P platform. The P3P platform is used for stating how the personal information collected through credential disclosure during on-line transactions will be managed by the receiver.

35 Ongoing work
- Development of mechanisms and modules to semi-automatically design privacy policies to be associated with disclosure policies.
- Use of a reference ontology to specify high-level trust requirements to be mapped into disclosure policies.
- Notion of private concept groups to protect combinations of concepts that must not be released together. Private concept groups are formed by taking into account not only the subject's privacy preferences but also the privacy practices of the counterpart.

36 Future work
- Evaluation of the strategies to carry on a negotiation that exploit and extend the notion of context associated with a policy, to allow one to trade off among efficiency, robustness and privacy requirements.
- Mechanisms for enforcing anonymity.
- Full support of P3P version 1.1.

