Exploiting Preferences for Minimal Credential Disclosure in Policy-Driven Trust Negotiations
Philipp Kärger, Daniel Olmedilla, Wolf-Tilo Balke
L3S Research Center, Leibniz University Hannover, Germany
5th Secure Data Management Workshop, Auckland, New Zealand, August 24, 2008

Outline
1. Policy-driven Trust Negotiations
   - What are they?
   - What are they used for?
   - What may happen that makes preferences necessary?
2. Preferences in Trust Negotiations
   - Modeling disclosure sets
   - Modeling preferences
   - A preference model for comparing disclosure sets
3. Implementation and Experiments
   - An implementation guiding a trust negotiation
   - Simulating trust negotiations
1. Trust Negotiation

Trust Negotiation: how to trust a stranger?
Scenario: Alice and an on-line book shop.
Alice's policy:
- Disclose CreditCard IF Requestor has BBB certificate
On-line book shop's policy:
- Disclose Book IF Requestor discloses valid CreditCard
- Disclose BBB certificate to any requestor
Negotiation:
- Alice: request for a book
- Shop: "for the book I need a CreditCard"
- Alice: "for the CreditCard I need a BBB cert."

Trust Negotiation: used for ...
- Access control
- Dynamic contracts, e.g., in web service composition
- Autonomic computing
- Pervasive environments, e.g., sensor networks
- Service-level agreements, e.g., more service for certain requestors
- Etc.

Protune – Rule-based Policies on the Semantic Web
- a policy framework developed at L3S Research Center and Naples University
- provides a logic-based, declarative policy language
- features include:
  - trust negotiation
  - external actions: access to relational databases, RDF stores, file system requests, time- and location-aware packages
  - policy explanations: "You cannot access because ..." (in contrast to just "Access denied.")
- Demo at:

The Need for Preferences
What if a policy evaluation has more than one result?
Alice's policy:
- Disclose CreditCard IF Requestor has BBB certificate
- Disclose bank account information IF Requestor has BBB certificate
Negotiation:
- Alice: request for a book
- Shop: "for the book I need a CreditCard or your bank account information"
Which credential? CreditCard or bank account information?
Answer: exploit user preferences in the negotiation process to decide.

It may become even more complex ...
[Figure: Alice, on-line book shop, request for a book]

How to decide between the options?
If the system is not aware of any user preferences, it has to ask the user to decide. But the user
- may easily be overwhelmed by so many options,
- may take a bad decision because of lost overview,
- has to decide again for all future negotiations,
- may not be available at all.
2. Preferences in Trust Negotiation

Preference handling
- a preference is an order of values with decreasing preference:
  "I prefer English but German is also fine."
  "I prefer to disclose my PayPal account information instead of my credit card number. My bank account information is the last option."
- preferences are known from:
  - databases: preference queries [Werner Kießling: Preference SQL: design, implementation, experiences. 2002] [Jan Chomicki: Preference formulas in relational queries. 2003]
  - logic programming: preferred answer sets [Gerhard Brewka, Thomas Eiter: Preferred Answer Sets for Extended Logic Programs. 1999]

Preferences in Trust Negotiation
Typically, users have general preferences which credential to disclose. For example:
"I prefer to disclose my address instead of my postal address."
"My postal code together with my date of birth is very sensitive. I prefer to disclose my address instead of these two."
[Figure: an example preference graph, with the postal code / date of birth combination marked as a quasi identifier]

Preferences of Different Kinds
- total vs. partial order
- quantitative vs. qualitative
- default preference: not disclosing a credential is preferred to disclosing it
- contextual preferences

Modeling Disclosure Sets
Disclosure sets are represented as binary vectors; e.g., S6 = (0,0,0,0,0,1,0,0,0,1,1) represents the set {ID, CreditCard, PIN}.

Modeling Preferences
Preferences are defined over a subset of dimensions in the disclosure set vectors; the dimensions marked x are left open and have to be equal in both vectors (ceteris paribus). E.g.:
- Not disclosing the telephone number is preferred to disclosing the telephone number:
  (x, x, 0, x, x, x, x, x, x, x, x) is preferred to (x, x, 1, x, x, x, x, x, x, x, x)
- If I have to disclose my date of birth, I prefer to disclose my address instead of my postal code (quasi identifier):
  (x, 1, x, 1, 0, x, x, x, x, x, x) is preferred to (x, 1, x, 0, 1, x, x, x, x, x, x)
Filtering out Non-Preferred Disclosure Sets
Finding the optimal disclosure set by ruling out non-optimal sets according to Alice's preferences:
- default preference: not disclosing a credential is preferred to disclosing it
- which credential is preferred to disclose
[Figure: comparison of S6 and S10]
[Figure: comparison of S1 and S4]
For our example: applying this technique iteratively rules out 10 of the 12 alternatives. The user's decision between S1 and S5 may be stored for later negotiations.
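As an added illustration (not code from the talk or from the Protune implementation), the filtering technique of the preceding slides in Python: disclosure sets as binary vectors, ceteris-paribus preferences as pairs of partial vectors, the default preference, and the iterative rule-out of candidates some other candidate is preferred to. The credential order is an assumption (only the positions named on the slides are taken from the talk), and the candidate sets in the test are constructed.

```python
from collections import deque

# Assumed credential order for the 11 vector dimensions. The talk fixes only
# DateOfBirth=1, Telephone=2, Address=3, PostalCode=4, ID=5, CreditCard=9 and
# PIN=10 (from S6 and the preference examples); the rest is constructed here.
CREDENTIALS = ["Name", "DateOfBirth", "Telephone", "Address", "PostalCode",
               "ID", "Passport", "BankAccount", "PayPal", "CreditCard", "PIN"]
X = None  # the "x" of the slides: dimension not constrained by a preference

def vec(names):
    """Disclosure set as a binary vector, e.g. {ID, CreditCard, PIN} -> S6."""
    return tuple(1 if c in names else 0 for c in CREDENTIALS)

def pattern(fixed):
    """Partial vector: {credential: 0/1} on constrained dimensions, x elsewhere."""
    return tuple(fixed.get(c, X) for c in CREDENTIALS)

def default_preferences():
    """Not disclosing credential c is preferred to disclosing it, all else equal."""
    return [(pattern({c: 0}), pattern({c: 1})) for c in CREDENTIALS]

# Alice's preference from the talk: if the date of birth has to be disclosed,
# disclose the address rather than the postal code (a quasi-identifier).
ALICE = [(pattern({"DateOfBirth": 1, "Address": 1, "PostalCode": 0}),
          pattern({"DateOfBirth": 1, "Address": 0, "PostalCode": 1}))]

def matches(v, pat):
    return all(p is X or p == b for b, p in zip(v, pat))

def better_neighbours(v, prefs):
    """One preference step up from v: v matches the dispreferred pattern, the
    result takes the preferred pattern and keeps v's other bits (ceteris paribus)."""
    return {tuple(b if p is X else p for b, p in zip(v, good))
            for good, bad in prefs if matches(v, bad)}

def is_preferred(s, t, prefs):
    """s is preferred to t if a chain of preference steps leads from t to s."""
    seen, queue = {t}, deque([t])
    while queue:
        for nxt in better_neighbours(queue.popleft(), prefs) - seen:
            seen.add(nxt)
            queue.append(nxt)
    return s != t and s in seen

def filter_disclosure_sets(candidates, prefs):
    """Rule out every candidate that some other candidate is preferred to; the
    survivors are the options the user still has to decide between."""
    return [t for t in candidates
            if not any(is_preferred(s, t, prefs) for s in candidates)]
```

With the default preferences plus Alice's, a candidate that discloses a superset of another candidate, or the postal code where the address would do, is ruled out; incomparable candidates (e.g. {DateOfBirth, Address, CreditCard} vs. {ID, CreditCard, PIN}) both survive.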
3. Implementation and Experiments

Implementation
[Figure: architecture with preferences, Prolog policy and preference engine]

Experiments
For simulated negotiations with
- varying preferences
- varying policies
the mean amount of disclosure sets ruled out was 82 %.
Preferences in Policies - the database approach
Idea: exploit user preferences over the credentials: generate all possible next steps in the negotiation and select the optimal step according to these preferences, like selecting the optimal entry in a database with a preference query.
For example, { , date of birth, passport, credit card } is preferred to { name, ID, bank account } according to the above preferences.

Preferences in Policies - the database approach (2)
Drawbacks of this approach:
- non-preferred disclosure sets are first created although they will be thrown away later
- conditional preferences cannot depend on arbitrary conditions, e.g., "A is preferred to B only if it is sunny in Galway."
- preferences are defined on ground literals (representing credentials), i.e., preference statements with variables are impossible, e.g., "X is preferred to Y only if age(X) > age(Y)."
Solution: defining the preferences as parts of the policies.

Preferences and Policies – a logic programming approach
A policy with preferences:
  If possible: Disclose bank account
  Otherwise: Disclose credit card
  IF Requestor has BBB certificate
Inspired by Answer Set Programming with Ordered Disjunctions.
Advantages:
- variables in preferences
- arbitrary conditions for preferences
- non-preferred solutions (here: answer sets) are not created
So far:
- no partial order preferences possible
- requires extensions

Summary
Preferences help to automatically decide between alternatives in a trust negotiation. Our approach
- allows qualitative, partially ordered, contextual preferences
- always selects the optimal next steps in a negotiation
- includes an iterative process to elicit new user preferences

Thank you for your attention. Please ask if there are any questions. Or get in touch later: Philipp Kärger