Formalizing End-to-End Context-Aware Trust Relationships in Collaborative Activities Dr Ioanna Dionysiou Department of Computer Science School of Sciences University of Nicosia, Cyprus International Conference on Security and Cryptography (SECRYPT 2008), Special Session on Trust, July , 2008, Porto, Portugal Dr Dave Bakken Dr Carl Hauser Department of Computer Science Washington State University Pullman, WA, USA Dr Deborah Frincke CyberSecurity Group Pacific Northwest National Laboratory Richland, WA, USA

Talk Outline  Motivation  Activity-Oriented Trust Relationships  Trust Model Ontology  Trust Model Functionality Example  Conclusions International Conference on Security and Cryptography (SECRYPT 2008), Special Session on Trust, July , 2008, Porto, Portugal 2

Motivating Scenario  Consider the North American electric power grid  Operations in a geographical region controlled by a single entity  Electric Market Deregulation  Competition!  Choose among electricity providers, open bidding  Impact on stability and security of the grid itself  3500 utility organizations (public, private, federal), many points of interaction, share data  Trustworthy Data exchange among these organizations and end-users  Producer of information, consumer of information 3 International Conference on Security and Cryptography (SECRYPT 2008), Special Session on Trust, July , 2008, Porto, Portugal

Motivating Scenario (2) 4 International Conference on Security and Cryptography (SECRYPT 2008), Special Session on Trust, July , 2008, Porto, Portugal U 1 is the consumer of State Estimation data PMU Aggregation is the producer of State Estimation data What U 1 can say about the quality of the data?

Motivating Scenario (3)  How can we answer the question?  Security mechanisms are not adequate  Encrypted digitally signed message  Guarantee that not tampered with and no unauthorized person read it  What about the content itself? Reliable producer, unsecure medium OR unreliable producer, secure medium?  Trust and its management  Abstraction of beliefs that an entity has for specific situations and interactions  Not static but change over time  Need to make decisions based on current beliefs 5 International Conference on Security and Cryptography (SECRYPT 2008), Special Session on Trust, July , 2008, Porto, Portugal

Generalized Scenario 6 International Conference on Security and Cryptography (SECRYPT 2008), Special Session on Trust, July , 2008, Porto, Portugal

Contributions of our work…  A notation for specifying trust relationships tied to  a narrow context and  a broad activity  An intuitive and practical way to manage trust assessment for an activity  multiple trust relationships must be examined and composed  Expectations, violations, etc 7 International Conference on Security and Cryptography (SECRYPT 2008), Special Session on Trust, July , 2008, Porto, Portugal

Talk Outline  Motivation  Activity-Oriented Trust Relationships  Trust Model Ontology  Trust Model Functionality Example  Conclusions International Conference on Security and Cryptography (SECRYPT 2008), Special Session on Trust, July , 2008, Porto, Portugal 8

Activity-Oriented Trust Relationships Activity An interaction that involves multiple trustees that may assume different roles Successful outcome of an activity requires the collaboration of entities (trustees) performing specific functions, which are not necessarily the same 9 International Conference on Security and Cryptography (SECRYPT 2008), Special Session on Trust, July , 2008, Porto, Portugal

Activity-Oriented Trust Relationships (2) 10 International Conference on Security and Cryptography (SECRYPT 2008), Special Session on Trust, July , 2008, Porto, Portugal relationship τ(C, S2,...) between S2 and C regarding S2 ability to forward data d relationship τ(C, S1,...) between S1 and C regarding S1 ability to forward data d relationship τ(C, P,...) between P and C regarding P ability to produce data d

Talk Outline  Motivation  Activity-Oriented Trust Relationships  Trust Model Ontology  Trust Model Functionality Example  Conclusions International Conference on Security and Cryptography (SECRYPT 2008), Special Session on Trust, July , 2008, Porto, Portugal 11

Trust Relationship Attributes 12 International Conference on Security and Cryptography (SECRYPT 2008), Special Session on Trust, July , 2008, Porto, Portugal Trust Relationship τ(γ, δ, c, λ, ι, ε, id, s) Trustor γ Trustee δ Context c Trust Level λ Interval ι Expectations ε Interaction identifier id Status s

Trust is… 13 International Conference on Security and Cryptography (SECRYPT 2008), Special Session on Trust, July , 2008, Porto, Portugal Trustor γ, based on its current trusting attitude, believes that the extent that trustee δ will act as expected for context c during time interval ι is λ, and this belief is subject to the satisfaction of expectation set ε. This relationship is valid for a specific interaction id and its status is indicated by s.

Trust Level Attribute λ  Trust is subjective  Trustee trustworthiness  Trustor’s requirements are not met by trustees at the same degree  Extent to which trustee honors trust, if trust is placed  Trustor trustfulness  Trustor’s willingness to trust  Trusting attitude  How do we capture this subjectivity?  Trust level, value, degree  Continuous values  Discrete values 14 International Conference on Security and Cryptography (SECRYPT 2008), Special Session on Trust, July , 2008, Porto, Portugal

Expectation Attribute ε  Expectation  Requirement and its allowed values that a trustor has for a particular interaction with the trustee  Expectation tuple  π is a trust requirement  o is a standard relational operator  ν o is the observed/actual value for the requirement  ν a is the allowed value for the requirement  ev are the evaluation criteria for the specific requirement  Covering algorithm, triggering algorithm, aggregating algorithm 15 International Conference on Security and Cryptography (SECRYPT 2008), Special Session on Trust, July , 2008, Porto, Portugal ε(π,o,ν o,ν a,ev)

Expectation Attribute (2) 16 International Conference on Security and Cryptography (SECRYPT 2008), Special Session on Trust, July , 2008, Porto, Portugal Trust requirement : facet (coarse-grained), properties (fine-grained) Observed values: evidence (either internal or external)

Expectation Attribute (3)  Observed value  When?  Triggering method: at fixed intervals, on arrival?  How?  Aggregating method: average, weighted average?  For what?  Allowed value vs. Observed value  VIOLATIONS!!!  Covering method: strict, relaxed 17 International Conference on Security and Cryptography (SECRYPT 2008), Special Session on Trust, July , 2008, Porto, Portugal

Expectation Attribute (4)  Expectation set describes all the requirements a trustor has for a trustee in a particular relationship  Not interesting by itself  BUT, operations on the set ARE interesting!  Define primitive comparison relationships between elements  Equal expectations  Relaxed expectations  Define comparison relationships between expectation sets  Strictly equal expectation sets  Relaxed equal expectation sets  Define operation on sets  Merging 18 International Conference on Security and Cryptography (SECRYPT 2008), Special Session on Trust, July , 2008, Porto, Portugal

Expectation Attribute (5) 19 International Conference on Security and Cryptography (SECRYPT 2008), Special Session on Trust, July , 2008, Porto, Portugal Equal Expectations (=) Expectation (π 1, o 1, ν o1, ν a1, ev 1 ) is equal with expectation (π 2, o 2, ν o2, ν a2, ev 2 ) if and only if (π 1 = π 2 ) ∧ (o 1 = o 2 ) ∧ (ν o1 = ν o2 ) ∧ (ν a1 = ν a2 ) ∧ (covering 1 ∈ ev 1 = covering 2 ∈ ev 2 ) Relaxed Equal Expectations (≈) Expectation (π 1, o 1, ν o1, ν a1, ev 1 ) is relaxed equal with expectation (π 2, o 2, ν o2, ν a2, ev 2 ) if and only if ( (π 1 = π 2 ) ∧ (o 1 = o 2 ) ∧ (ν o1 ≠ ν o2 ) ∧ (ν a1 ≠ ν a2 ) ∧ (covering 1 ∈ ev 1 = covering2 ∈ ev 2 ) ) or if ( (π 1 = π 2 ) ∧ (o 1 = o 2 ) ∧ (ν o1 ≠ ν o2 ) ∧ (ν a1 = ν a2 ) ∧ (covering 1 ∈ ev 1 = covering 2 ∈ ev 2 ) )

Expectation Attribute (6)  What is the expectation set for a path as a single entity?  Merging of expectation sets! 20 International Conference on Security and Cryptography (SECRYPT 2008), Special Session on Trust, July , 2008, Porto, Portugal f π function for aggregating values 1.Initialize ε merge ← 2.If ε 1 = ε 2 then ε merge ← ε 1 3.If ε 1 ≈ ε 2 then ∀ i:(π 1, o 1, ν o1, ν a1, ev 1 ) ∈ ε 1, j:(π 2, o 2, ν o2, ν a2, ev 2 ) ∈ ε 2 such that i ≈ j do ε merge ← ε merge ∪ {((π 1, o 1, f π (νo1, νo2 ), f π (νa1, νa2 ), ev 1 ) )}.

Trust Relation Properties and Operations  Trust relation is a set of trust relationships  Properties  Standard properties of any n-ary relation do not hold due to the non-absolute characteristics of trust  Dynamic and composable nature  Operations  Changing the state of the trust relation  Using the current state of the trust relation 21 International Conference on Security and Cryptography (SECRYPT 2008), Special Session on Trust, July , 2008, Porto, Portugal

Operations changing the trust relation state 22 International Conference on Security and Cryptography (SECRYPT 2008), Special Session on Trust, July , 2008, Porto, Portugal Expiration of valid time A trust relationship (γ, δ, c, λ, ι, ε, id, s) does not hold in relation τ if its valid interval time expires. Thus, a trust relationship τ(γ, δ, c, λ, ι, ε, id, s) is not valid in τ if the current time t 1 > t e, t e ∈ ι Arrival of New Evidence Suppose that new evidence arrives at trustor γ for trustee δ regarding context c. The new evidence includes the trust requirement π r and the recommended value ν r. All trust relationships (γ, δ, c, λ i, ι i, ε i, id i, s i ) are updated to reflect the application of the new evidence on observed value ν o Expectation Violation Whenever new evidence arrives, the observed value changes according to the aggregation scheme for the specific requirement. An update in the observed value may lead into expectation violation. In this case, the respective trust relationship’s status is set to ALERT

Operations using the trust relation state 23 International Conference on Security and Cryptography (SECRYPT 2008), Special Session on Trust, July , 2008, Porto, Portugal Trust Assessment for context c in interaction id Trustor γ 1 may synthesize the two tuples to derive an aggregated trust assessment for context c during interval ι i (the intersection of ι 1 and ι 2 ) by applying expectation set operations on the expectation sets ε 1 and ε 2 to derive the aggregated expectation set ε i. Expectation set ε i has to be checked against the various trust level specifications in order to assign the trustworthiness level λ i for the new tuple (γ, δ 1,2, c, λ i, ι i, ε i, id, s). End-to-end Trust Assessment for interaction id Suppose there are aggregated trust assessments for contexts c 1 and c 2, which are the only contexts belonging to interaction id 1 : these are tuples (γ 1, δ 1, c 1, λ 1, ι 1, ε 1, id 1, s 1 ) and (γ 1, δ 2, c 2, λ 1, ι 2, ε 2, id 1, s 1 ). Trustor γ 1 may compose the two tuples to derive an end-to-end trust assessment for interaction id during interval ι i (the intersection of ι 1 and ι 2 ) by applying expectation set operations on the expectation sets ε 1 and ε 2 to derive the aggregated expectation set ε i. Expectation set ε i has to be checked against the various level specifications in order to assign the trustworthiness level λ i for the new tuple (γ, δ 1,2, c, λ i, ι i, ε i, id, s).

Talk Outline  Motivation  Activity-Oriented Trust Relationships  Trust Model Ontology  Trust Model Functionality Example  Conclusions International Conference on Security and Cryptography (SECRYPT 2008), Special Session on Trust, July , 2008, Porto, Portugal 24

Revisit Original Scenario 25 International Conference on Security and Cryptography (SECRYPT 2008), Special Session on Trust, July , 2008, Porto, Portugal Trust Relation Graph Network

Revisit Original Scenario (2) 26 International Conference on Security and Cryptography (SECRYPT 2008), Special Session on Trust, July , 2008, Porto, Portugal Trust Assessment for context c 1 in interaction id τ(γ C, δ S1, c 1, λ 1, ι 1, ε 1, id, s ) and τ(γ C, δ S2, c 1, λ 1, ι 2, ε 2, id, s ) τ(γ C, δ S1,S2, c 1, λ 1, ι k, ε k, id, s ) ε k ={(authentication, =, certificate, certificate, ev 1 ), (reliability,>=,average(0.97,0.95), average(0.95,0.95), ev 2 )} ι k = [1,10]

Revisit Original Scenario (3) 27 International Conference on Security and Cryptography (SECRYPT 2008), Special Session on Trust, July , 2008, Porto, Portugal Trust Relation Graph End-to-end Trust Assessment for interaction id τ(γ C, δ S1,S2, c 1, λ 1, ι k, ε k, id, s ) and τ(γ C, δ P, c 2, λ 1, ι 3, ε 3, id, s ) τ(γ C, δ P,S1,S2, c 1,2, λ 1, ι m, ε m, id, s ) ε m = {(authentication, =,certificate, certificate, ev 1 ), (reliability, >=, average(0.90,0.96), average(0.80,0.95), ev 2 )} ι m = [1,8]

Talk Outline  Motivation  Activity-Oriented Trust Relationships  Trust Model Ontology  Trust Model Functionality Example  Conclusions International Conference on Security and Cryptography (SECRYPT 2008), Special Session on Trust, July , 2008, Porto, Portugal 28

Conclusions  A intuitive notation to specify trust relationships tied to an activity  Allows dynamic and composable trust operations  Allows a rich set of attributes to capture the trust semantics  Current and future work,…. 29 International Conference on Security and Cryptography (SECRYPT 2008), Special Session on Trust, July , 2008, Porto, Portugal

30 International Conference on Security and Cryptography (SECRYPT 2008), Special Session on Trust, July , 2008, Porto, Portugal

Thanks for your attention!! Questions? 31 International Conference on Security and Cryptography (SECRYPT 2008), Special Session on Trust, July , 2008, Porto, Portugal Σας ευχαριστω!!!