Protecting Privacy During On-line Trust Negotiation


1 Protecting Privacy During On-line Trust Negotiation
K. Seamons, L. Yu, R. Jarvis (Brigham Young University); M. Winslett, Ting Yu (University of Illinois at Urbana-Champaign)
The title of my talk is interoperable strategies for automated trust negotiation. In a distributed environment, before two parties conduct a transaction, a certain level of trust should be established. Traditionally, it is often assumed that the two parties are from the same security domain, so identity authentication is adequate for access control. However, in an open system like the Internet, most transactions are between strangers. They have no pre-existing knowledge about each other and come from different security domains. Identity-based access control does not help in such a situation. Let’s first look at an example.

2 Outline
Automated trust negotiation.
Potential privacy problems in automated trust negotiation.
Attribute-sensitive credentials and their protection.
Summary and future work.

3 An E-Business Transaction Example
Landscape Designer: I request to be exempt from sales tax.
Champaign Prairie Nursery: Show me your reseller’s license along with your credit card number or your CPN member card.
Landscape Designer: Here’s my reseller’s license. I have a credit card. But prove you are a member of the Better Business Bureau first.
Champaign Prairie Nursery: Here is my Better Business Bureau Certificate.
Landscape Designer: Here is my credit card number.
Champaign Prairie Nursery: You are qualified to be exempt from sales tax.

4 E-Business Requires Trust
Participants are often strangers. Identity-based authentication is not adequate for access control. Properties other than identity are relevant to establishing trust: age, address, citizenship, membership. One’s properties may be sensitive.
Nowadays, e-business over the Internet is developing very fast. Before a transaction starts, the participants should first build mutual trust based on the ongoing transaction. In an open system like the Internet, transaction participants are usually strangers: they have no prior knowledge about each other. In such a situation, identity-based solutions to building trust are not applicable. Identity itself is usually irrelevant to the service provider. Proving that I am indeed John Smith does not show that I am qualified to access a certain service. There are also potential privacy issues when revealing one’s identity. For example, if a person retrieves information about a certain disease from a medical digital library and reveals their identity, it is reasonable to assume that the user or some relatives may have that disease, which may be highly sensitive information. It is actually properties rather than identity that are relevant to establishing trust. Such properties may include one’s age, address, membership and citizenship.

5 Digital Credentials
Electronic counterparts of paper credentials in people’s daily life. Verifiable and unforgeable. To establish trust, strangers can use digital credentials describing their properties.
On the Internet, we can use digital credentials to prove one’s identity and properties. Digital credentials are the online counterparts of the paper credentials we use in our daily life. With modern cryptography, digital credentials can be made verifiable and unforgeable. Property-based credentials provide a basis for establishing trust between strangers.

6 Trust Negotiation
Protect sensitive credentials and services with (access control) policies. Establish trust incrementally through a sequence of credential disclosures. Begin with credentials that are less sensitive. Build up trust so that more sensitive credentials can be disclosed.
When credentials are not sensitive and are therefore freely available, the trust building process is simple. The client asks for access to a service and the server tells the client what kind of credentials it needs. The client then shows the required credentials and gets access to the service. However, credentials may contain sensitive information, for example one’s credit card number or social security number, so one cannot show such information to just anybody. Just as the server defines which clients are qualified to access a service, the credential owner should also define when and to whom a credential can be disclosed. Such control is by means of credential and service disclosure policies. Therefore, when credentials contain sensitive information, trust needs to be established incrementally through a sequence of credential disclosures. Usually less sensitive credentials are disclosed first. When a certain level of trust is achieved, more sensitive credentials can then be disclosed.

7 An Example Credential Exchange Sequence
Landscape Designer (client) policies:
Credit_Card ← BBB_Member
Reseller_License ← true
Champaign Prairie Nursery (CPN, server) policies:
Order_OK ← (Credit_Card ∨ CPN_Account) ∧ Reseller_License
BBB_Member ← true
Exchange sequence: Reseller_License, BBB_Member, Credit_Card, Order_OK.
Here is a small example of a trust negotiation. The client requests service S from the server. The policy for S is (C1 ∧ C6) ∨ (C2 ∧ C4). We can see how trust is established step by step, starting with less sensitive credentials. If a credential is freely available, which means it can be disclosed to others without requiring any credentials from the other side, we write its policy as C ← true. (show the sequence) The question we now have is: without knowing each other’s disclosure policies, how do the two parties find a credential exchange sequence that establishes trust? In our model, each party runs an algorithm that guides the message exchange between the two parties and finds a successful trust negotiation. We call such an algorithm a trust negotiation strategy.
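The exchange on this slide can be reproduced by a small simulation of one strategy. The following is an added example, not code from the authors or from any trust negotiation system: each party's credentials are guarded by a policy over the credentials the other side has already disclosed, and a party discloses every credential whose policy is currently satisfied (an "eager" style of strategy; the name and the exact turn order are this example's assumptions). Negotiation succeeds when the service policy is met and fails when neither side can disclose anything further.

```python
"""Eager-style trust negotiation over the slide's credential policies.

Added example (not the authors' code).  Policies are Python callables that
take the set of credentials the *other* party has disclosed so far and say
whether this credential (or the requested service) may now be released.
"""
from typing import Callable, Dict, FrozenSet, List, Set, Tuple

Creds = FrozenSet[str]
Policy = Callable[[Creds], bool]      # policy(disclosed_by_other) -> bool
Transcript = List[Tuple[str, str]]    # (party, credential or service)

# Champaign Prairie Nursery (server) side, as on slides 3 and 7.
ORDER_OK: Policy = lambda c: ("Credit_Card" in c or "CPN_Account" in c) and "Reseller_License" in c
SERVER_POLICIES: Dict[str, Policy] = {"BBB_Member": lambda c: True}   # freely available

# Landscape Designer (client) side.
CLIENT_POLICIES: Dict[str, Policy] = {
    "Reseller_License": lambda c: True,            # freely available
    "Credit_Card": lambda c: "BBB_Member" in c,    # only shown to a BBB member
}


def negotiate(client_creds: Set[str], client_policies: Dict[str, Policy],
              server_creds: Set[str], server_policies: Dict[str, Policy],
              service: str, service_policy: Policy,
              max_rounds: int = 20) -> Tuple[bool, Transcript]:
    """Run the negotiation; return (success, ordered disclosure transcript)."""
    shown_by_client: Set[str] = set()
    shown_by_server: Set[str] = set()
    transcript: Transcript = []

    def disclose(owner: str, creds: Set[str], policies: Dict[str, Policy],
                 shown: Set[str], seen_from_other: Set[str]) -> bool:
        progressed = False
        for cred in sorted(creds - shown):
            # A credential is released only once its own policy is satisfied
            # by what the other party has already shown.
            if policies[cred](frozenset(seen_from_other)):
                shown.add(cred)
                transcript.append((owner, cred))
                progressed = True
        return progressed

    for _ in range(max_rounds):
        progressed = disclose("client", client_creds, client_policies,
                              shown_by_client, shown_by_server)
        if service_policy(frozenset(shown_by_client)):
            transcript.append(("server", service))
            return True, transcript
        progressed |= disclose("server", server_creds, server_policies,
                               shown_by_server, shown_by_client)
        if not progressed:
            return False, transcript   # deadlock: nobody can disclose more
    return False, transcript


if __name__ == "__main__":
    ok, steps = negotiate({"Reseller_License", "Credit_Card"}, CLIENT_POLICIES,
                          {"BBB_Member"}, SERVER_POLICIES, "Order_OK", ORDER_OK)
    print(ok, steps)
```

With the slide's credentials the transcript is Reseller_License, BBB_Member, Credit_Card, Order_OK, matching the slide's sequence. If the nursery cannot prove BBB membership, the designer's Credit_Card policy is never satisfied and the negotiation stalls after the first disclosure, which is the failure mode the strategy must detect.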

8 Sensitive Policy Protection
Policies may be sensitive. A project requiring employee credentials from either IBM or Microsoft indicates a cooperation between the two companies. Policy graphs help. Express policies in a hierarchical way so that sensitive constraints are disclosed gradually.

9 An Example Policy Graph
[Figure: policy graph for resource R (project info). The source node P1 asks for an employeeID; the child nodes, including P3, check whether it was issued by IBM or issued by Microsoft.]

10 How policy graphs work When a resource is requested, only the policy in the source node is disclosed. Further constraints are checked only when the other party has disclosed necessary credentials. Sensitive constraints are not visible to the other party.

11 How policy graphs work (cont’d)
1. Client requests access to project information (resource R).
2. Server returns policy P0, which only asks for an employeeID credential.
3. Client discloses its employeeID credential.
4. Server checks whether the credential is issued by IBM (P1) or by MS (P2), and grants or denies access accordingly.

12 Potential Privacy Problems in Trust Negotiation
A stranger who wishes to access a resource must learn about its policy. Sensitive information can be inferred from a response to a request to access a resource. Possession-sensitive credentials. Attribute-sensitive credentials.

13 Attribute-Sensitive Credentials
Policies constrain the values of credentials’ attributes. Show me your driver’s license to prove your age is over 25. Sensitive information can be inferred from the response: disclosing the policy for your driver’s license suggests that your age is over 25.

14 One Solution: Dynamic Policy Graphs
Hide constraints on sensitive attributes. Only ask for driver’s license. When it is disclosed, check the age attribute. On receiving a policy, convert it into a policy graph with no sensitive attributes in the source node.

15 One Solution: Dynamic Policy Graphs (cont’d)
[Figure: security agent architecture. Inside the Security Agent, policy P is passed to the Policy Transformation Agent, which produces the transformed policy P’; the Negotiation Strategy Engine works with P’ and produces the counter message.]

16 One Solution: Dynamic Policy Graphs (cont’d)
Original policy: x.type = “drivers license” ∧ x.age ≥ 25
Transformed policy graph: source node x.type = “drivers license”; hidden constraint x.age ≥ 25, checked only after the license is disclosed.
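The transformation on slides 14 to 16, and the graph check on slide 11, as an added example (not the authors' code or a real negotiation engine). A policy is a conjunction of constraints on the attributes of the requested credential x; the requester marks some attributes as sensitive, and the transformation moves every constraint on such an attribute out of the source node, so the policy that is disclosed mentions only the credential type and other non-sensitive attributes. The hidden constraints are evaluated only after the credential has actually been handed over. The constraint representation, the `in` operator used for the "issued by IBM or Microsoft" case, and the single undifferentiated "denied" result are this example's own choices.

```python
"""Dynamic policy graph: hide constraints on sensitive attributes.

Added example (not the authors' code).  A flat policy is split into a source
node (disclosed when the resource is requested) and hidden constraints
(checked only after the credential x has been disclosed).
"""
import operator
from dataclasses import dataclass
from typing import Any, Dict, List, Set

OPS = {
    "=": operator.eq, "!=": operator.ne,
    "<": operator.lt, "<=": operator.le, ">": operator.gt, ">=": operator.ge,
    "in": lambda a, b: a in b,      # e.g. x.issuer in {"IBM", "Microsoft"}
}


@dataclass(frozen=True)
class Constraint:
    attr: str
    op: str
    value: Any

    def holds(self, cred: Dict[str, Any]) -> bool:
        """True if the disclosed credential satisfies this constraint."""
        return self.attr in cred and OPS[self.op](cred[self.attr], self.value)

    def __str__(self) -> str:
        return f"x.{self.attr} {self.op} {self.value!r}"


@dataclass
class PolicyGraph:
    source: List[Constraint]   # disclosed on request (non-sensitive only)
    hidden: List[Constraint]   # evaluated only after x has been disclosed


def to_policy_graph(policy: List[Constraint], sensitive: Set[str]) -> PolicyGraph:
    """Move every constraint on a sensitive attribute out of the source node."""
    return PolicyGraph(
        source=[c for c in policy if c.attr not in sensitive],
        hidden=[c for c in policy if c.attr in sensitive],
    )


def disclosed_policy(graph: PolicyGraph) -> str:
    """What the other party learns when it asks for the resource."""
    return " and ".join(str(c) for c in graph.source) or "true"


def evaluate(graph: PolicyGraph, cred: Dict[str, Any]) -> str:
    """Check a disclosed credential against the whole graph.

    Both failure paths return the same answer, so the outcome alone does not
    tell the requester whether a visible or a hidden constraint failed
    (a design choice of this example)."""
    if not all(c.holds(cred) for c in graph.source):
        return "denied"
    if not all(c.holds(cred) for c in graph.hidden):
        return "denied"
    return "granted"


# Slide 16: x.type = "drivers license" and x.age >= 25, with age sensitive.
LICENSE_POLICY = [Constraint("type", "=", "drivers license"),
                  Constraint("age", ">=", 25)]
LICENSE_GRAPH = to_policy_graph(LICENSE_POLICY, sensitive={"age"})

# Slide 11: an employeeID issued by IBM or Microsoft, with the issuer sensitive.
EMPLOYEE_POLICY = [Constraint("type", "=", "employeeID"),
                   Constraint("issuer", "in", frozenset({"IBM", "Microsoft"}))]
EMPLOYEE_GRAPH = to_policy_graph(EMPLOYEE_POLICY, sensitive={"issuer"})


if __name__ == "__main__":
    print(disclosed_policy(LICENSE_GRAPH))   # only the credential type is visible
    print(evaluate(LICENSE_GRAPH, {"type": "drivers license", "age": 30}))
    print(evaluate(LICENSE_GRAPH, {"type": "drivers license", "age": 20}))
```

The disclosed policy for the license case is just `x.type = 'drivers license'`, so a requester who sees it learns nothing about the age threshold; the age check happens in `evaluate` after disclosure. The same split turns the IBM-or-Microsoft project policy into a source node asking only for an employeeID, which is the graph of slide 11.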

17 Negotiation Protocols
Negotiation protocols leak information about sensitive attributes. Fundamentally, it is a protocol design problem. Protocols allowing inaccurate response and ill-faith negotiation may help. Balance between negotiation efficiency and privacy preservation.

18 Other Privacy Issues in Trust Negotiation
Possession-sensitive credentials. Extraneous information gathering. Privacy practices.

19 Summary
Trust is crucial in open systems like the Internet.
Automated trust establishment, using digital credentials and access control policies, is a promising approach.
Preserving users’ privacy in automated trust negotiation is hard.

20 Future Work Formally model information flow in trust negotiation.
Design protocols with semantics that provide more protection for users’ private information.

