Trust Negotiation Concepts and Issues - PowerPoint PPT Presentation

1
Trust Negotiation Concepts and Issues
  • Elisa Bertino
  • CS & ECE Departments, CERIAS
  • Purdue University
  • Boston, November 9, 2004

2
Outline
  • Trust: some definitions
  • The trust negotiation model
  • Trust-X
  • Privacy solutions in Trust-X
  • Credential format
  • Policy context
  • System architecture
  • Conclusions and future work

3
Trust: Some Definitions
  • Kini & Choobineh
  • trust is "a belief that is influenced by the
    individual's opinion about certain critical
    system features"
  • Gambetta
  • "trust (or, symmetrically, distrust) is a
    particular level of the subjective probability
    with which an agent will perform a particular
    action, both before the trustor can monitor
    such action (or independently of his capacity
    ever to be able to monitor it)"
  • The Trust-EC project (http://dsa-isis.jrc.it/TrustEC/)
  • trust is "the property of a business
    relationship, such that reliance can be placed on
    the business partners and the business
    transactions developed with them"
  • Grandison and Sloman
  • trust is "the firm belief in the competence of
    an entity to act dependably, securely and
    reliably within a specified context".

4
Some Basic Properties of Trust Relations
  • Trust is relative to some business transaction.
  • A may trust B to drive her car but not to
    baby-sit.
  • Trust is a measurable belief.
  • A may trust B more than A trusts C for the same
    business.
  • Trust is directed.
  • A may trust B to be a profitable customer but B
    may distrust A to be a retailer worth buying
    from.
  • Trust exists and evolves in time.
  • The fact that A trusted B in the past does not
    in itself guarantee that A will trust B in the
    future. B's performance and other relevant
    information may lead A to re-evaluate her trust
    in B.

5
Trust Services
  • Identity services
  • Authorization services with support for the
    delegation and control of fine-grained access
    control at the data, resource and service levels
  • Trust negotiation
  • Anonymity services
  • Trust rating and recommendation services
  • Notarisation
  • Guaranteed message delivery
  • Auditable logs
  • Secure storage

6
Trust Negotiation model
  • The goal: establish trust between parties in
    order to exchange sensitive information and
    services.
  • The approach: establish trust by verifying
    properties (credentials) of the other party.
  • Note that trust can also be established based on
    other factors and information, e.g. reputation.
    The use of credentials is the common choice in
    current TN languages and systems.
  • Protect sensitive credentials and services with
    ad hoc policies, namely disclosure policies.

7
Trust Negotiation model
[Diagram: a client and a server, each holding a policy base. The client
sends a resource request; the two parties then exchange policies and
credentials in turn until the server grants the resource.]
8
Issues: Language Requirements
  • Well-defined semantics
  • Monotonicity
  • Credential combination
  • Authentication
  • Constraints on property values
  • Intercredential constraints
  • Sensitive Policies
  • Unified formalism and use of interoperable
    languages

9
Issues: System Requirements
  • Credential ownership
  • Credential validity
  • Credential chain discovery
  • Privacy protection
  • Support for alternative negotiation strategies
  • Fast negotiation strategies

10
Systems and Prototypes
  • KeyNote
  • by Blaze and Feigenbaum
  • AT&T Research Lab and Yale University
  • TrustBuilder
  • by K. Seamons et al.
  • Brigham Young University
  • Trust-X
  • by Bertino, Ferrari and Squicciarini
  • Purdue University and University of Milano

11
Systems and Prototypes: a Comparison
12
Systems and Prototypes: a Comparison
13
The Trust-X system
  • Comprehensive XML based framework for trust
    negotiations:
  • Trust negotiation language
  • System architecture
  • Protocol and strategies to carry out a negotiation
  • A Trust-X negotiation consists of a set of phases
    to be executed sequentially.
  • The key phase is the policy evaluation phase,
    which consists of a bilateral and ordered policy
    exchange.

14
A Trust-X negotiation
15
Message exchange in a Trust-X negotiation
[Sequence diagram between Bob and Alice. The messages, in order:
service request; request; disclosure policies; prerequisite acknowledge;
disclosure policies; credential and/or declaration; match disclosure
policies; credential and/or declaration; service granted.]
16
The basic Trust-X system
17
Privacy issues in trust negotiations
  • Trust negotiation neither controls nor safeguards
    personal information once it has been disclosed.
  • During the policy evaluation phase, privacy can
    be compromised, since there is no guarantee
    of the counterpart's honesty until the actual
    disclosure of the credentials.
  • Sensitive information can be inferred from a
    response to a request to access a resource.

18
Sensitive attributes in digital credentials
  • Policy disclosure can be used to determine the
    value of sensitive attributes without the
    credential ever being disclosed.
  • A credential may contain several sensitive
    attributes, and very often just a subset of them
    is required to satisfy a counterpart policy.
  • However, when a credential is exchanged, the
    receiver nevertheless gathers all the information
    contained in the credential.

19
How we preserve privacy in Trust-X
  • Support for a new credential format, which can
    provide a high degree of privacy protection:
  • Selective disclosure of attributes
  • Gradual disclosure of the credential content
  • Extension of the policy notion with additional
    information to express privacy preferences and
    the possibility of negotiating privacy rules.
  • Integration of Trust-X with the P3P platform.
  • The P3P platform is used for stating how the
    personal information collected through
    credential disclosure during on-line
    transactions will be managed by the receiver.

20
Privacy enhanced credentials (1)
  • Credential header: the set of information that is
    crucial for proving that the credential, apart from
    its specific content, is a signed and valid
    digital document issued by a trusted authority.
  • CREDID: unique credential identifier
  • CREDTYPE: type of the credential
  • EXPIRATION: expiration date
  • ISSUEREP: credential issuer repository
  • Credential content:
  • List collecting the attribute specifications

21
Privacy enhanced credentials (2)
[Diagram of a privacy enhanced credential: the header in the clear, the
content as a list of attribute names, values and random numbers, and the
issuer's signature over the whole document.]
  • Credential proof: a particular state of a privacy
    enhanced credential, where the header is plain and
    the content is hidden, while the signature over the
    whole document can still be verified. The credential
    header is what is used as the credential proof.
22
Disclosing attribute credentials
  • Gradual disclosure of credential content
  • Header disclosed during policy evaluation phase
    as soon as the credential is required
  • Attributes revealed during
    credential exchange phase
  • Attributes required during policy evaluation
    phase as soon as they are involved in the process
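The credential format of slides 20 to 22, worked through as an added example (this is not Trust-X code). It assumes that each attribute of the content is hidden behind a hash commitment built from the attribute name, its value and the per-attribute random number, and it stands in for the issuer's signature with an HMAC under an issuer key (a real credential would carry a public-key signature over the same bytes). The issuer key, the Patient_Card header values and the attribute values are constructed for the demo.

```python
import hashlib
import hmac
import json
import secrets

# Assumption: commitment H(name | value | r) per attribute, HMAC in place of
# the issuer's signature. The key is constructed for this demo only.
ISSUER_KEY = b"constructed-health-clinic-issuer-key"


def commit(name: str, value: str, r: str) -> str:
    """Commitment to one attribute. Without r, a verifier holding only the
    digest could brute-force small value spaces (e.g. a yes/no attribute)."""
    return hashlib.sha256(f"{name}|{value}|{r}".encode()).hexdigest()


def _signed_bytes(header: dict, content: dict) -> bytes:
    # Canonical serialisation of header + commitments: what the issuer signs.
    return json.dumps({"header": header, "content": content}, sort_keys=True).encode()


def issue(header: dict, attributes: dict) -> dict:
    """Issuer side: plain header, committed content, signature over both.
    The openings (value, r) stay with the credential owner only."""
    openings = {n: (v, secrets.token_hex(16)) for n, v in attributes.items()}
    content = {n: commit(n, v, r) for n, (v, r) in openings.items()}
    sig = hmac.new(ISSUER_KEY, _signed_bytes(header, content), hashlib.sha256).hexdigest()
    return {"header": header, "content": content, "sig": sig, "openings": openings}


def credential_proof(cred: dict) -> dict:
    """The state sent during the policy evaluation phase: header in the
    clear, content hidden, signature still verifiable, no openings."""
    return {"header": cred["header"], "content": cred["content"], "sig": cred["sig"]}


def verify_proof(proof: dict) -> bool:
    """Counterpart side: check the issuer's signature over header + commitments."""
    expected = hmac.new(ISSUER_KEY, _signed_bytes(proof["header"], proof["content"]),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, proof["sig"])


def open_attributes(cred: dict, names) -> dict:
    """Owner side, certificate exchange phase: selective disclosure of only
    the attributes the counterpart's policy actually needs."""
    return {n: cred["openings"][n] for n in names}


def verify_opening(proof: dict, name: str, value: str, r: str) -> bool:
    """Counterpart side: the revealed (value, r) must match the commitment
    covered by the already-verified signature."""
    return name in proof["content"] and hmac.compare_digest(
        commit(name, value, r), proof["content"][name])


def demo() -> dict:
    """Run the whole flow on a constructed Patient_Card and report the checks."""
    header = {"CREDID": "cred-0001", "CREDTYPE": "Patient_Card",
              "EXPIRATION": "2025-12-31", "ISSUEREP": "https://health-clinic.example/creds"}
    cred = issue(header, {"name": "Alice", "patient_id": "P-4711", "insurance_no": "INS-99"})
    proof = credential_proof(cred)                      # policy evaluation phase
    revealed = open_attributes(cred, ["patient_id"])    # certificate exchange phase
    value, r = revealed["patient_id"]
    tampered = dict(proof, header=dict(header, EXPIRATION="2099-01-01"))
    return {
        "proof_ok": verify_proof(proof),
        "tampered_rejected": not verify_proof(tampered),
        "proof_leaks_values": any(v in json.dumps(proof) for v in ("Alice", "P-4711", "INS-99")),
        "opening_ok": verify_opening(proof, "patient_id", value, r),
        "wrong_value_rejected": not verify_opening(proof, "patient_id", "P-0000", r),
    }


if __name__ == "__main__":
    print(demo())
```

The point to check is the third result: the proof carries no attribute value at all, yet a forged expiration date in the header is caught because the signature covers header and commitments together. Gradual disclosure then comes down to sending openings for a subset of attributes, which the counterpart checks against commitments it already trusts.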

23
Modeling negotiation: logic formalism
Disclosure policies are expressed in terms of
logical expressions which can specify either
simple or composite conditions against
certificates.
  • P(): credential type
  • C: set of conditions

Policy expressed as
R <- P1(C), P2(C)
i.e. R is disclosed once the counterpart has presented a credential of
type P1 and one of type P2 whose attributes satisfy the conditions C.
24
Using privacy enhanced credentials
  • Alice is a patient of the Health Clinic and
    wants to buy drugs from an on-line pharmacy,
    which sells this kind of drugs only on
    prescription from Health Clinic doctors.
  • Alice is willing to disclose the requested
    credentials only if the pharmacy presents a
    credential proving the pharmacy's affiliation with
    the hospital: Patient_Card() <- Health_Clin_Aff().
  • Pharmacy affiliation is disclosed only to
    patients of the clinic: Health_Clin_Aff() <-
    Patient_Card()
  • Together: Health_Clin_Aff() <- Patient_Card() <-
    Health_Clin_Aff(). Each party waits for the other.

Deadlock.
Avoided by using privacy enhanced credentials:
during the policy evaluation phase parties may prove
credential possession to each other without
revealing credential content until all the requested
credential proofs have been received.
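The deadlock on this slide, and the way credential proofs break it, as an added example (not Trust-X code). Disclosure policies in the slide's notation R <- P1(), P2() are modelled as a mapping from a protected item to the credential types the counterpart must present first; conditions on attribute values are left out, as in the slide's own example. The assumption that makes the proof strategy work is that a credential proof (header only) is not itself protected by a disclosure policy, so every credential a policy names can be proven up front and only the content release is ordered by the policies. Alice's and the pharmacy's policy bases are constructed from the slide.

```python
# Constructed from the slide: protected item -> credential types required
# from the counterpart before that item's content is disclosed.
ALICE = {"Patient_Card": ["Health_Clin_Aff"]}
PHARMACY = {"Drug": ["Patient_Card"], "Health_Clin_Aff": ["Patient_Card"]}


def dependency_cycle(pol_a, pol_b, resource):
    """Return the cycle of mutually required credentials reachable from
    `resource`, or None if the policies can be satisfied in some order."""
    graph = {**pol_a, **pol_b}
    path, done = [], set()

    def walk(item):
        if item in path:                       # back-edge: a cycle
            return path[path.index(item):] + [item]
        if item in done or item not in graph:  # explored, or unprotected
            return None
        path.append(item)
        for req in graph[item]:
            cycle = walk(req)
            if cycle:
                return cycle
        path.pop()
        done.add(item)
        return None

    return walk(resource)


def run_negotiation(pol_a, pol_b, resource, with_proofs):
    """Simulate the policy evaluation and certificate exchange phases.
    Returns (resource granted?, ordered transcript of what was sent)."""
    policies = {**pol_a, **pol_b}
    credentials = {k: v for k, v in policies.items() if k != resource}
    proven, disclosed, transcript = set(), set(), []

    if with_proofs:
        # Policy evaluation with privacy enhanced credentials: each party
        # proves possession of whatever the other's policies require.
        # (Assumption: the header-only proof is not itself policy-protected.)
        for reqs in policies.values():
            for req in reqs:
                if req not in proven:
                    proven.add(req)
                    transcript.append(f"proof:{req}")

    def satisfied(reqs):
        return all(r in disclosed or r in proven for r in reqs)

    # Certificate exchange: release a credential's content as soon as its
    # own disclosure policy is satisfied; stop when nothing moves.
    progress = True
    while progress:
        progress = False
        for cred, reqs in credentials.items():
            if cred not in disclosed and satisfied(reqs):
                disclosed.add(cred)
                transcript.append(f"disclose:{cred}")
                progress = True

    # The resource itself needs the real credentials, not just proofs.
    granted = all(r in disclosed for r in policies[resource])
    return granted, transcript


if __name__ == "__main__":
    print("cycle:", dependency_cycle(ALICE, PHARMACY, "Drug"))
    print("plain credentials:", run_negotiation(ALICE, PHARMACY, "Drug", with_proofs=False))
    print("with proofs:      ", run_negotiation(ALICE, PHARMACY, "Drug", with_proofs=True))
```

With plain credentials the transcript stays empty and the drug is never granted; with proofs, both headers go out first, after which each content disclosure finds its policy already satisfied. The cycle finder is the check a negotiation engine can run before starting, so that a Standard strategy is not attempted on a policy set that can only be completed by a Suspicious one.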
25
The notion of context in disclosure policies
  • This specification is not expressive enough to
    specify other crucial information that may be
    associated with a policy:
  • How about policy prerequisites?
  • How about the privacy policies for the
    requested credentials?

26
Policy context
  • The goal is to integrate the basic rule defining
    a policy with a structured set of information to
    be used during the trust negotiation process.
  • A policy context is a pair <pol_prec_set, priv>.
  • pol_prec_set: set of policy identifiers such that
    at least one of the policies needs to be satisfied
    before the disclosure of the policy with which the
    precondition set is associated.
  • priv: denotes a P3P privacy policy. The task of
    privacy policies is to complement disclosure
    policies, specifying whether the information
    conveyed by the credentials will be collected
    and/or used.
27
Privacy policies in Trust-X negotiations
  • 1. Introductory phase
  • Send a request for a resource/service
  • Introductory policy exchange
  • 1a. Privacy agreement subphase: exchange of
    specific privacy policies, where needed
  • 2. Policy evaluation phase
  • Disclosure policy exchange and
  • evaluation of the exchanged policies
  • 3. Certificate exchange phase
  • Exchange of the sequence of certificates
    determined in phase 2.
28
A privacy enabled Trust-X negotiation
[Sequence diagram between Alice and the DrugStore.
(1) INTRODUCTORY PHASE: Alice sends a drug request and the DrugStore
answers with request R; introductory policies are exchanged in both
directions; a P3P proposal and a P3P prior agreement request are sent
and acknowledged.
(1a) PRIVACY AGREEMENT SUBPHASE: the DrugStore sends P3P_DrugStore; Alice
matches P3P_DrugStore against her local privacy preferences and sends
her own P3P (Alice P3P); the subphase ends with P3P acceptance and P3P
acknowledge.
(2) POLICY EVALUATION PHASE: disclosure policies are exchanged, each
within its associated P3P policy, and each party matches the disclosure
policy and checks P3P policy compliance. Policies shown:
  R <- A(C1, C2), P3P_A, D(C3), P3P_D
  R <- E(C4), P3P_E
  A <- B(C5), P3P_B
(3) CERTIFICATE EXCHANGE PHASE: certificates are exchanged in both
directions.
(4) RESOURCE DISCLOSURE: credential sent; the drug is delivered.]
29
Strategies in Trust-X
  • In order to define a framework that is as
    adaptable and flexible as possible, we do not
    define a single mode in which to carry out the
    negotiation.
  • Our framework supports a variety of strategies
    that can be used for carrying out a negotiation.
  • We have devised five general purpose strategies
    that reflect five different approaches to a
    negotiation.

30
Trust-X privacy preserving strategies
  • Standard: the traditional way of carrying out a
    negotiation, based on an informed strategy.
  • Suspicious: the credential proof is always
    requested during the policy evaluation phase for
    each of the involved credentials.
  • Strongly Suspicious: a specific case of the
    suspicious strategy; parties require attribute
    disclosure as soon as the corresponding policies
    are satisfied.
  • Trusting: the goal of this strategy is to speed
    up the process whenever possible. This can be
    done using credential suggestions, stored in a
    special field of the policy context.
  • Mixed: characterized by the possibility of
    dynamically switching among the above strategies.

31
Privacy enabled Trust-X architecture
32
Creating a P3P policy in Trust-X
  • Credential content can be analyzed from two
    different perspectives:
  • 1. If the information to be collected is a set of
    properties, the policy can be specified as a
    conventional P3P policy using the built-in data
    schemas and categories provided by the standard,
    without referring to the particular credential
    carrying the requested attributes.
  • 2. If the key information is the credential
    itself, then the policy should refer not only to
    the attributes in the credential but also to the
    credential itself.

[Diagram of the policy wizard and its three numbered steps, drawing on
the credential schema repository and the policy base to produce privacy
policies.]
33
Responding to a disclosure policy
  • If P3P is attached to the disclosure policy,
    policy check is performed between the P3P and
    the preference rules of the receiving party, with
    respect to the credentials requested by the
    disclosure policy with which the privacy policy
    is associated.
  • If no P3P is associated with the disclosure
    policy, then the preference rules are checked
    against the privacy policies exchanged during
    privacy agreement phase.

[Diagram of the components involved: X-profile, compliance checker,
privacy preferences, tree manager.]
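The two cases on this slide, as an added example (not Trust-X code): a compliance check of a P3P policy against the receiving party's preference rules for the credential attributes a disclosure policy requests, with the fallback to the policy agreed in the privacy agreement subphase when no P3P is attached. The P3P element and vocabulary names (STATEMENT, PURPOSE, RECIPIENT, RETENTION, DATA-GROUP, DATA ref) are the standard's; the "#Patient_Card.<attribute>" data references, the dict form of the preference rules standing in for APPEL, and both P3P policies are constructed assumptions for the demo.

```python
import xml.etree.ElementTree as ET

NS = "{http://www.w3.org/2002/01/P3Pv1}"   # P3P 1.0 namespace

# Constructed: the P3P policy the DrugStore attaches (as `priv` in the
# policy context) to its disclosure policy for Alice's Patient_Card.
P3P_DRUGSTORE = """<POLICY xmlns="http://www.w3.org/2002/01/P3Pv1" name="drugstore">
  <ACCESS><nonident/></ACCESS>
  <STATEMENT>
    <PURPOSE><current/></PURPOSE>
    <RECIPIENT><ours/></RECIPIENT>
    <RETENTION><stated-purpose/></RETENTION>
    <DATA-GROUP><DATA ref="#Patient_Card.patient_id"/></DATA-GROUP>
  </STATEMENT>
  <STATEMENT>
    <PURPOSE><contact/><telemarketing/></PURPOSE>
    <RECIPIENT><other-recipient/></RECIPIENT>
    <RETENTION><indefinitely/></RETENTION>
    <DATA-GROUP><DATA ref="#Patient_Card.insurance_no"/></DATA-GROUP>
  </STATEMENT>
</POLICY>"""

# Constructed: the P3P policy agreed in the privacy agreement subphase,
# used when a disclosure policy arrives without its own P3P.
P3P_AGREED = """<POLICY xmlns="http://www.w3.org/2002/01/P3Pv1" name="agreed">
  <ACCESS><nonident/></ACCESS>
  <STATEMENT>
    <PURPOSE><current/></PURPOSE>
    <RECIPIENT><ours/></RECIPIENT>
    <RETENTION><no-retention/></RETENTION>
    <DATA-GROUP>
      <DATA ref="#Patient_Card.patient_id"/>
      <DATA ref="#Patient_Card.insurance_no"/>
    </DATA-GROUP>
  </STATEMENT>
</POLICY>"""

# Alice's preference rules (assumption standing in for APPEL): per credential
# attribute, the only purposes, recipients and retention she accepts.
ALICE_PREFERENCES = {
    "Patient_Card.patient_id": {"purpose": {"current"}, "recipient": {"ours"},
                                "retention": {"no-retention", "stated-purpose"}},
    "Patient_Card.insurance_no": {"purpose": {"current"}, "recipient": {"ours"},
                                  "retention": {"no-retention", "stated-purpose"}},
}

DRUGSTORE_POLICY = {   # disclosure policy plus its context <pol_prec_set, priv>
    "rule": "Drug <- Patient_Card()",
    "requested": ["Patient_Card.patient_id", "Patient_Card.insurance_no"],
    "pol_prec_set": set(),
    "priv": P3P_DRUGSTORE,
}


def parse_p3p(xml_text):
    """Map each DATA ref to the purposes/recipients/retention its STATEMENT declares."""
    practices = {}
    for stmt in ET.fromstring(xml_text).iter(NS + "STATEMENT"):
        declared = {}
        for part in ("PURPOSE", "RECIPIENT", "RETENTION"):
            elem = stmt.find(NS + part)
            declared[part.lower()] = {c.tag.replace(NS, "") for c in elem} if elem is not None else set()
        for data in stmt.iter(NS + "DATA"):
            practices[data.get("ref").lstrip("#")] = declared
    return practices


def check_compliance(requested_attrs, p3p_xml, preferences):
    """Return (compliant, reasons): every requested attribute must be covered
    by a STATEMENT whose practices stay within the owner's preference rule.
    An attribute no statement covers is treated as non-compliant (conservative)."""
    practices, reasons = parse_p3p(p3p_xml), []
    for attr in requested_attrs:
        declared, allowed = practices.get(attr), preferences.get(attr)
        if declared is None or allowed is None:
            reasons.append(f"{attr}: not covered by the P3P policy or by a preference rule")
            continue
        for part in ("purpose", "recipient", "retention"):
            extra = declared[part] - allowed[part]
            if extra:
                reasons.append(f"{attr}: {part} {sorted(extra)} not accepted")
    return not reasons, reasons


def respond_to_disclosure_policy(disclosure_policy, preferences, agreed_p3p):
    """Use the P3P attached to the policy context if present, otherwise the
    one exchanged in the privacy agreement subphase."""
    p3p = disclosure_policy.get("priv") or agreed_p3p
    if p3p is None:
        return False, ["no privacy policy available for the requested credentials"]
    return check_compliance(disclosure_policy["requested"], p3p, preferences)


if __name__ == "__main__":
    print(respond_to_disclosure_policy(DRUGSTORE_POLICY, ALICE_PREFERENCES, None))
    print(respond_to_disclosure_policy(dict(DRUGSTORE_POLICY, priv=None), ALICE_PREFERENCES, P3P_AGREED))
```

The attached DrugStore policy fails on insurance_no alone (telemarketing purpose, an outside recipient, indefinite retention), which is exactly the kind of per-attribute verdict a negotiation engine needs before it decides which openings of a privacy enhanced credential to release. The fallback path returns a different answer for the same request because the agreed policy is the stricter one.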
34
Summary
  • Trust-X is a privacy-enabled system supporting:
  • Selective disclosure of attributes
  • Privacy enhanced credentials
  • Privacy policy exchange during the negotiation
    process
  • The Trust-X system is the first trust negotiation
    system complemented with the P3P platform.
  • The P3P platform is used for stating how the
    personal information collected through
    credentials disclosure during on line
    transactions will be managed by the receiver.

35
Ongoing work
  • Development of mechanisms and modules to
    semi-automatically design privacy policies to be
    associated with disclosure policies.
  • Use of a reference ontology to specify high level
    trust requirements to be mapped into disclosure
    policies
  • Notion of private concept groups, to protect
    combinations of concepts that must not be released
    together. Private concept groups are formed by
    taking into account not only the subject's privacy
    preferences but also the privacy practices of the
    counterpart.

36
Future work
  • Evaluation of strategies to carry out a
    negotiation that exploit and extend the notion
    of context associated with a policy, to allow one
    to trade off among efficiency, robustness and
    privacy requirements.
  • Mechanisms for enforcing anonymity.
  • Full support for P3P version 1.1.