
Trust Negotiation Concepts and Issues

Elisa Bertino, CS & ECE Departments, CERIAS

Purdue University

Boston November 9, 2004

Page 2

Outline

- Trust: some definitions
- The trust negotiation model
- Trust-X
- Privacy solutions in Trust-X: credential format, policy context, system architecture
- Conclusions and future work

Page 3

Trust: Some Definitions

Kini & Choobineh: trust is "a belief that is influenced by the individual's opinion about certain critical system features".

Gambetta: "...trust (or, symmetrically, distrust) is a particular level of the subjective probability with which an agent will perform a particular action, both before [the trustor] can monitor such action (or independently of his capacity ever to be able to monitor it)".

The Trust-EC project (http://dsa-isis.jrc.it/TrustEC/): trust is "the property of a business relationship, such that reliance can be placed on the business partners and the business transactions developed with them".

Grandison and Sloman: trust is "the firm belief in the competence of an entity to act dependably, securely and reliably within a specified context".

Page 4

Some Basic Properties of Trust Relations

- Trust is relative to some business transaction. A may trust B to drive her car but not to baby-sit.
- Trust is a measurable belief. A may trust B more than A trusts C for the same business.
- Trust is directed. A may trust B to be a profitable customer, but B may distrust A to be a retailer worth buying from.
- Trust exists and evolves in time. The fact that A trusted B in the past does not in itself guarantee that A will trust B in the future. B's performance and other relevant information may lead A to re-evaluate her trust in B.

Page 5

Trust Services

- Identity services
- Authorization services, with support for delegation and for fine-grained access control at the data, resource and service levels
- Trust negotiation
- Anonymity services
- Trust rating and recommendation services
- Notarisation
- Guaranteed message delivery
- Auditable logs
- Secure storage

Page 6

Trust Negotiation Model

The goal: establish trust between parties in order to exchange sensitive information and services.

The approach: establish trust by verifying properties (credentials) of the other party. Note that trust can also be established on the basis of other factors and information, e.g. reputation; the use of credentials is the common choice in current TN languages and systems.

Protect sensitive credentials and services with ad hoc policies, namely disclosure policies.

Page 7

Trust Negotiation Model

Diagram: a client and a server, each holding its own Policy Base and Subject Profile. The client sends a resource request; the two parties exchange policies and then credentials; finally the resource is granted.

Page 8

Issues: Language Requirements

- Well-defined semantics
- Monotonicity
- Credential combination
- Authentication
- Constraints on property values
- Intercredential constraints
- Sensitive policies
- Unified formalism and use of interoperable languages

Page 9

Issues: System Requirements

- Credential ownership
- Credential validity
- Credential chain discovery
- Privacy protection
- Support for alternative negotiation strategies
- Fast negotiation strategies

Page 10

Systems and Prototypes

- KeyNote, by Blaze and Feigenbaum, AT&T Research Lab and Yale University
- TrustBuilder, by K. Seamons et al., Brigham Young University
- Trust-X, by Bertino, Ferrari and Squicciarini, Purdue University and University of Milano

Page 11

Systems and Prototypes: a Comparison (Language Requirements)

| Language requirement | KeyNote | TrustBuilder | Trust-X |
|---|---|---|---|
| Well-defined semantics | Y | Y | Y |
| Monotonicity | Y | Y | Y |
| Credential combinations | Y | Y | Y |
| Constraints on property values | N | Y | Y |
| Intercredential constraints | N | Y | Y |
| Credential chains | N | N | Partially |
| Authentication | N | N | N |
| Sensitive policies | N | Y | Y |
| Unified formalism | Y | N | Y |
| Interoperable languages | N | N | Y |

Page 12

Systems and Prototypes: a Comparison (System Requirements)

| System requirement | KeyNote | TrustBuilder | Trust-X |
|---|---|---|---|
| Credential validity | N | Y | Y |
| Credential ownership | N | N | Partially |
| Alternative negotiation strategies | N | Y | Y |
| Fast negotiation strategies | N | N | Y |
| Privacy protection | Y | Y | Y |
| Credential chain discovery | N | N | Partially |

Page 13

The Trust-X System

A comprehensive XML-based framework for trust negotiations:

- Trust negotiation language
- System architecture
- Protocol and strategies to carry on a negotiation

A Trust-X negotiation consists of a set of phases to be executed sequentially. The key phase is the policy evaluation phase, which consists of a bilateral and ordered policy exchange.

Page 14

A Trust-X Negotiation

Diagram: the two negotiating parties, Alice and Bob.

Page 15

Message Exchange in a Trust-X Negotiation

Diagram of the messages between Alice (the requester) and Bob (the resource owner), by phase:

- Introductory phase (preliminary information exchange): Alice sends the service request; Bob returns a prerequisite acknowledge.
- Policy exchange (bilateral disclosure of policies): the parties send each other their disclosure policies and match them.
- Credential disclosure (actual credential disclosure): the parties exchange credentials and/or declarations in both directions.
- Resource disclosure: Bob grants the service.

Page 16

The Basic Trust-X System

Diagram: Alice and Bob each run the same set of components: a Tree Manager, a Mailbox Store, an X-Profile, a Policy Database and a Compliance Checker.

Page 17

Privacy Issues in Trust Negotiations

Trust negotiation neither controls nor safeguards personal information once it has been disclosed.

During the policy evaluation phase, privacy can be compromised, since there is no guarantee of the counterpart's honesty until the actual disclosure of the credentials.

Sensitive information can be inferred from a response to a request to access a resource.

Page 18

Sensitive Attributes in Digital Credentials

Policy disclosure can be used to determine the value of sensitive attributes without the credential ever being disclosed.

A credential may contain several sensitive attributes, and very often just a subset of them is required to satisfy a counterpart policy. However, when a credential is exchanged, the receiver gathers all the information contained in the credential anyway.

Page 19

How We Preserve Privacy in Trust-X

- Support of a new credential format, which may provide a high degree of privacy protection: selective disclosure of attributes; gradual disclosure of the credential content.
- Extension of the policy notion with additional information to express privacy preferences, and the possibility of negotiating privacy rules.
- Integration of Trust-X with the P3P platform. P3P is used for stating how the personal information collected through credential disclosure during online transactions will be managed by the receiver.

Page 20

Privacy Enhanced Credentials (1)

Credential header: the set of information that is crucial for proving that the credential, besides its specific content, is a signed and valid digital document issued by a trusted authority.

- CREDID: unique credential identifier
- CREDTYPE: type of the credential
- EXPIRATION: expiration date
- ISSUEREP: credential issuer repository

Credential content: a list collecting attribute specifications.

Page 21

Privacy Enhanced Credentials (2)

Diagram of a credential in its proof state:

- Credential header (plain): <CRED ID ... TYPE ... ISSUER ...>
- Credential content (blinded at first release): attribute names, values and random numbers, e.g. <name>...</name> <address>...</address> <citizenship>French</citizenship>
- Signature computed over the whole credential

The credential header is used as a credential proof: a particular state of a privacy enhanced credential in which the header is plain and the content is hidden, while the signature over the whole document can still be verified.

Page 22

Disclosing Attribute Credentials

1. Gradual disclosure of credential content: the header is disclosed during the policy evaluation phase as soon as the credential is required; the attributes are revealed during the credential exchange phase.
2. Attributes are required during the policy evaluation phase as soon as they are involved in the process.

Diagram: the plain header <CRED ID ... TYPE ... ISSUER ...>.
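The following is an added, constructed illustration of the credential proof and of selective disclosure described on the two preceding slides; it is not Trust-X code. The page names no blinding or signature scheme, so this model assumes a hash commitment (attribute name, value, random number) for each content entry and stands in for the issuer's signature with an HMAC under an assumed issuer key.

```python
import hashlib
import hmac
import json
import os

# Assumption: stand-in for the issuer's signing key (the page gives no scheme,
# so HMAC-SHA256 plays the role of the digital signature over the credential).
ISSUER_KEY = b"constructed-issuer-key"


def blind(name, value, nonce):
    """Blinded form of one attribute: a hash binding name, value and random number."""
    return hashlib.sha256(f"{name}={value}|{nonce}".encode()).hexdigest()


def sign(header, content):
    """Signature over the whole credential: plain header plus blinded content."""
    body = json.dumps({"header": header, "content": content}, sort_keys=True)
    return hmac.new(ISSUER_KEY, body.encode(), "sha256").hexdigest()


def issue(header, attributes):
    """Issuer side: returns the credential (header plain, content blinded, one
    signature over the whole document) and the holder's secrets (value, nonce)."""
    secrets = {n: (v, os.urandom(16).hex()) for n, v in attributes.items()}
    content = {n: blind(n, v, r) for n, (v, r) in secrets.items()}
    return {"header": header, "content": content,
            "signature": sign(header, content)}, secrets


def verify_proof(cred):
    """Credential proof: header plain, content still hidden, signature verifiable."""
    expected = sign(cred["header"], cred["content"])
    return hmac.compare_digest(expected, cred["signature"])


def disclose(secrets, names):
    """Holder side, selective disclosure: reveal only the requested attributes."""
    return {n: secrets[n] for n in names}


def verify_disclosure(cred, opened):
    """Receiver side: the proof must still hold, and every revealed (value, nonce)
    must match the blinded entry it claims to open."""
    if not verify_proof(cred):
        return False
    return all(n in cred["content"] and blind(n, v, r) == cred["content"][n]
               for n, (v, r) in opened.items())


# Constructed sample credential using the header fields named on the page.
HEADER = {"CREDID": "pc-0001", "CREDTYPE": "Patient_Card",
          "EXPIRATION": "2005-11-09", "ISSUEREP": "health-clinic-repo"}
CRED, SECRETS = issue(HEADER, {"name": "Alice", "address": "1 Main St",
                               "citizenship": "French"})
```

During policy evaluation only `CRED` travels (proof state); during credential exchange the holder sends `disclose(SECRETS, [...])` for just the attributes the counterpart's policy needs.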

Page 23

Modeling Negotiation: Logic Formalism

A term has the form P(C), where P is a credential type and C is a set of conditions. A policy is expressed as

R <- P1(C), P2(C)

where R is the resource the policy refers to and the terms P1(C), P2(C) are the requested certificates.

Disclosure policies are expressed in terms of logical expressions which can specify either simple or composite conditions against certificates.

Page 24

Using Privacy Enhanced Credentials

1. Alice is a patient of the Health Clinic and wants to buy drugs from an on-line pharmacy, which sells this kind of drugs on prescription of Health Clinic doctors.
2. Alice is willing to disclose the requested credentials only if the pharmacy presents a credential proving the pharmacy's affiliation with the hospital: Patient_Card() <- Health_Clin_Aff().
3. Pharmacy affiliation is disclosed only to patients of the clinic: Health_Clin_Aff() <- Patient_Card().
4. Health_Clin_Aff() <- Patient_Card() <- Health_Clin_Aff(): deadlock.

Avoided by using privacy enhanced credentials: during the policy evaluation phase the parties may prove credential possession to each other without revealing credential content until all the requested credential proofs have been received.
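As an added, constructed walk-through of steps 2 to 4 above (not Trust-X code): the policies are written in the page's "R <- P1(), P2()" notation as a dictionary from protected name to required credentials, attribute conditions are left out, and the standard strategy is contrasted with one that answers a repeated requirement with a credential proof.

```python
# Constructed disclosure policies for the page's scenario. "R <- P1(), P2()"
# becomes {R: [P1, P2]}: what the protecting party requires from the
# counterpart before disclosing R. Only possession chains are modelled.
PHARMACY_POLICIES = {
    "Drug": ["Patient_Card"],             # Drug <- Patient_Card()
    "Health_Clin_Aff": ["Patient_Card"],  # Health_Clin_Aff() <- Patient_Card()
}
ALICE_POLICIES = {
    "Patient_Card": ["Health_Clin_Aff"],  # Patient_Card() <- Health_Clin_Aff()
}


def negotiate(resource, responder_policies, requester_policies, use_proofs=False):
    """Policy evaluation phase for one resource request.

    Each requirement is followed to the policy protecting it (the responder
    protects the resource and its own credentials, the requester its own).
    Standard strategy (use_proofs=False): a requirement already waiting on the
    current chain is a deadlock. With privacy enhanced credentials
    (use_proofs=True): the owner answers with a credential proof (plain header,
    hidden content), the chain closes, and contents are released afterwards.
    Returns ("deadlock", cycle) or ("granted", {"proofs": [...], "order": [...]}).
    """
    policies = {**responder_policies, **requester_policies}
    chain, proofs, order = [], [], []

    def walk(name):
        if name in chain:
            cycle = chain[chain.index(name):] + [name]
            if not use_proofs:
                return cycle
            if name not in proofs:
                proofs.append(name)  # possession proven, content still hidden
            return None
        chain.append(name)
        for required in policies.get(name, []):
            cycle = walk(required)
            if cycle:
                return cycle
        chain.pop()
        if name not in order:
            order.append(name)  # everything it depends on has been settled
        return None

    cycle = walk(resource)
    if cycle:
        return "deadlock", cycle
    return "granted", {"proofs": proofs, "order": order}
```

`order` is the disclosure sequence of the credential exchange phase; every name in `proofs` was shown only as a header during policy evaluation.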

Page 25

The Notion of Context in Disclosure Policies

The basic rule specification is not expressive enough to capture other crucial information that may be associated with a policy. How about policy prerequisites? How about the privacy policies for the requested credentials?

Hence the context of disclosure policies.

Page 26

Policy Context

The goal is to integrate the basic rule defining a policy with a structured set of information to be used during the trust negotiation process:

<pol_prec_set, priv>

- pol_prec_set: a set of policy identifiers such that at least one of the policies needs to be satisfied before the disclosure of the policy with which the precondition set is associated.
- priv: denotes a P3P privacy policy. The task of privacy policies is to complement disclosure policies, specifying whether the information conveyed by the credentials will be collected and/or used.

Page 27

Privacy Policies in Trust-X Negotiations

1. Introductory phase: send a request for a resource/service; introductory policy exchanges. Privacy agreement subphase: possibly the exchange of specific privacy policies.
2. Policy evaluation phase: disclosure policy exchange and evaluation of the exchanged policies.
3. Certificate exchange phase: exchange of the sequence of certificates determined at step 2.

Page 28

A Privacy Enabled Trust-X Negotiation

Diagram of the message exchange between Alice and the DrugStore:

(1) Introductory phase: Alice sends the drug request; the parties exchange introductory policies; the DrugStore's P3P policy (P3P_DrugStore) is matched against Alice's local privacy preferences; Alice returns a P3P acknowledge.

(1a) Privacy agreement subphase: P3P prior agreement request and P3P proposal (Alice's own P3P policy), followed by acknowledge and P3P acceptance.

(2) Policy evaluation phase: disclosure policy exchange, each policy with its associated P3P policy, for instance

R<-A(C1,C2),P3PA,D(C3),P3PD
A<-B(C5,P3PB)
R<-E(C4,P3PE)

Each party matches the received disclosure policy and checks P3P policy compliance.

(3) Certificate exchange phase: credentials sent.

(4) Resource disclosure: the drug is granted.

Page 29

Strategies in Trust-X

In order to define a framework that is as adaptable and flexible as possible, we do not define a unique mode to carry on the negotiation. Our framework supports a variety of strategies that can be used for carrying on a negotiation. We have devised five general purpose strategies that reflect five different approaches to a negotiation.

Page 30

Trust-X Privacy Preserving Strategies

- Standard: the traditional way of carrying on a negotiation, based on an informed strategy.
- Suspicious: the credential proof is always requested during the policy evaluation phase for each of the involved credentials.
- Strongly Suspicious: a specific case of the suspicious strategy: parties require attribute disclosure as the corresponding policies are satisfied.
- Trusting: the goal of this strategy is to speed up the process whenever possible. This can be done using credential suggestions, stored in a special field of the policy context.
- Mixed Strategy: characterized by the possibility of dynamically switching among the above strategies.

Page 31

Privacy Enabled Trust-X Architecture

(Diagram.)

Page 32

Creating a P3P Policy in Trust-X

Credential content can be analyzed under two different perspectives:

1. If the information to be collected is a set of properties, the policy can be specified as a conventional P3P policy using the built-in data schemas and categories provided by the standard, without referring to the particular credential collecting the requested attributes.
2. If the key information is the credential itself, then the policy should refer not only to the attributes in the credential but also to the credential itself.

Diagram: a policy wizard draws on the credential schema repository and the policy base to produce the privacy policies (steps 1, 2, 3).

Page 33

Responding to a Disclosure Policy

- If a P3P policy is attached to the disclosure policy, the policy check is performed between that P3P policy and the preference rules of the receiving party, with respect to the credentials requested by the disclosure policy with which the privacy policy is associated.
- If no P3P policy is associated with the disclosure policy, then the preference rules are checked against the privacy policies exchanged during the privacy agreement phase.

Diagram: the Compliance Checker consults the privacy preferences, the Tree Manager and the X-Profile.

Page 34

Summary

Trust-X is a privacy-enabled system supporting:

- Selective disclosure of attributes
- Privacy enhanced credentials
- Privacy policy exchange during the negotiation process

Trust-X is the first trust negotiation system complemented with the P3P platform. P3P is used for stating how the personal information collected through credential disclosure during online transactions will be managed by the receiver.

Page 35

Ongoing Work

- Development of mechanisms and modules to semi-automatically design privacy policies to be associated with disclosure policies.
- Use of a reference ontology to specify high-level trust requirements to be mapped into disclosure policies.
- Notion of private concept groups to protect combinations of concepts that are not to be released together. Private concept groups are formed by taking into account not only the subject's privacy preferences but also the privacy practices of the counterpart.

Page 36

Future Work

- Evaluation of strategies to carry on a negotiation that exploit and extend the notion of context associated with a policy, allowing one to trade off among efficiency, robustness and privacy requirements.
- Mechanisms for enforcing anonymity.
- Full support for P3P version 1.1.