Protecting Privacy during Online Trust Negotiation
1
Protecting Privacy during On-line Trust Negotiation
  • K. E. Seamons, M. Winslett, T. Yu, L. Yu, R. Jarvis

Soumya Ragunathan
2
Summary
  • Problem
  • Privacy and Trust
  • Trust Negotiation
  • Privacy Vulnerabilities during Trust Negotiation
  • Privacy Safeguards for Trust Negotiation
  • Conclusion

3
The Addressed Problem
  • Concerns over privacy in online transactions
  • Trust negotiation
    • Establishes trust between strangers
    • Bilateral exchange of digital credentials
    • Sensitive credentials are protected by access control policies (ACPs)
  • This paper
    • Identifies privacy vulnerabilities and approaches to minimize them
    • Proposes modifications to negotiation strategies to prevent
      inadvertent disclosure of credential information

5
Privacy & Trust
  • Privacy is of grave concern to individuals and organizations
    operating in open systems like the Internet
  • Complete anonymity would be preferred, but it only works for
    casual browsing, not for transactions
  • Automated trust establishment
    • Digital credentials: signed assertions by an issuer about their owner
    • A credential is signed with the issuer's private key and verified
      with the issuer's public key
    • Each credential contains its owner's public key, so the owner can
      prove ownership (e.g. by challenge/response)
    • Incremental trust establishment = trust negotiation

7
Trust Negotiation
  • Naive strategy: the client discloses all of its credentials
  • Second approach: disclose every credential whose ACP has been satisfied
    • An ACP specifies the credentials the other party must provide
      to obtain access
    • Results in needless disclosures: the other party is authorized to
      receive the credential, but never needed it
  • Third approach: disclose ACPs so that the negotiation focuses only
    on the necessary credentials

8
Definition
  • The purpose of trust negotiation is to find a credential disclosure
    sequence (C1, ..., Ck, R), where R is the service or other resource to
    which access was originally requested, such that when credential Ci
    is disclosed, its access control policy has already been satisfied by
    credentials disclosed by the other party
  • A trust negotiation strategy controls the exact content of the
    messages exchanged

9
Example
  • Alice wants to order plants from CPN
  • She fills in the order form and asks to be exempt from sales tax
  • On receipt of the order, CPN asks for her credit card and her
    reseller's license
  • Alice is willing to show her credit card only to BBB members

10
Example (contd.)
Policies (X ← Y means "X may be disclosed once Y has been received"):

Alice:
  Credit_card      ← BBB_Member
  Reseller_license ← true

CPN:
  No_Sales_Tax_OK  ← Credit_card ∧ Reseller_license
  BBB_Member       ← true

Goal: Alice obtains No_Sales_Tax_OK
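The strategies of slide 7, the disclosure-sequence definition of slide 8 and the Alice/CPN policies above, replayed in a small simulator. This is an added example, not code from the paper or the presentation: the message format, the extra Student_ID credential (added so that the needless disclosure becomes visible) and the simplified policy-directed strategy are assumptions made for illustration.

```python
"""Added example (not from the paper or slides): a toy simulator for automated
trust negotiation, used to replay the Alice / CPN / BBB example and compare an
eager strategy with a policy-directed one. Names, the Student_ID credential and
the message format are assumptions made for illustration."""
from dataclasses import dataclass, field

# An access control policy (ACP) is written in disjunctive normal form over the
# OTHER party's credential names; TRUE (one empty conjunct) means unprotected.
Policy = list[list[str]]
TRUE: Policy = [[]]


def satisfied(policy: Policy, received: set[str]) -> bool:
    """An ACP is satisfied when some conjunct is fully covered by received credentials."""
    return any(all(c in received for c in conj) for conj in policy)


@dataclass
class Party:
    name: str
    policies: dict[str, Policy]                        # my credentials/resources -> their ACPs
    received: set[str] = field(default_factory=set)    # other side's credentials seen so far
    disclosed: set[str] = field(default_factory=set)   # my credentials already sent
    wanted: set[str] = field(default_factory=set)      # my credentials the other side asked for
    policies_sent: set[str] = field(default_factory=set)


def eager(p: Party) -> list[tuple]:
    """Slide 7's second strategy: disclose every credential whose ACP is already satisfied."""
    msgs = []
    for name, pol in p.policies.items():
        if name not in p.disclosed and satisfied(pol, p.received):
            p.disclosed.add(name)
            msgs.append(("cred", name, None))
    return msgs


def directed(p: Party) -> list[tuple]:
    """Slide 7's third strategy: disclose ACPs so that only credentials that were
    asked for (and that unlock something) are ever sent."""
    msgs = []
    for name in sorted(p.wanted):
        if name in p.disclosed:
            continue
        if satisfied(p.policies[name], p.received):
            p.disclosed.add(name)
            msgs.append(("cred", name, None))
        elif name not in p.policies_sent:
            p.policies_sent.add(name)
            msgs.append(("policy", name, p.policies[name]))
    return msgs


def negotiate(client: Party, server: Party, resource: str, strategy):
    """Alternate turns until the resource is disclosed (success: return the disclosure
    sequence (C1, ..., Ck, R) as (party, credential) pairs) or neither side can move (None)."""
    server.wanted.add(resource)          # the client's opening request for R
    seq, idle = [], 0
    turn, other = server, client
    while idle < 2:
        msgs = strategy(turn)
        idle = 0 if msgs else idle + 1
        for kind, name, payload in msgs:
            if kind == "cred":
                seq.append((turn.name, name))
                other.received.add(name)
                if name == resource:
                    return seq
            else:   # a disclosed ACP tells the other side which of ITS credentials are needed
                other.wanted.update(c for conj in payload for c in conj if c in other.policies)
        turn, other = other, turn
    return None


def run(strategy, alice_has_license: bool = True):
    """Replay the slide's example. Student_ID is an extra, unprotected credential added
    here (assumption) to show that the eager strategy leaks credentials nobody asked for."""
    alice = Party("Alice", {
        "Credit_card": [["BBB_Member"]],     # Credit_card <- BBB_Member
        "Reseller_license": TRUE,            # Reseller_license <- true
        "Student_ID": TRUE,                  # assumed extra credential, not in the slides
    })
    if not alice_has_license:
        del alice.policies["Reseller_license"]
    cpn = Party("CPN", {
        "No_Sales_Tax_OK": [["Credit_card", "Reseller_license"]],   # needs both
        "BBB_Member": TRUE,                  # BBB_Member <- true
    })
    return negotiate(alice, cpn, "No_Sales_Tax_OK", strategy)


if __name__ == "__main__":
    print("eager:   ", run(eager))
    print("directed:", run(directed))
    print("directed, no license:", run(directed, alice_has_license=False))
```

Under the eager strategy Alice hands over Student_ID even though CPN's policy never mentions it; under the policy-directed strategy CPN's disclosed ACP steers Alice to exactly Reseller_license and Credit_card, and the run without a reseller's license ends with both sides stuck instead of leaking anything further.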
12
Privacy Vulnerabilities during Trust Negotiation
  • Possession or non-possession of a sensitive credential
    • The type of credential can itself reveal a trust relationship
    • E.g. IBM employee, GM preferred supplier
  • To guard against the release of sensitive information when a
    possession-sensitive credential is requested during negotiation,
    the possessor's behavior must not allow the other party to infer
    whether or not it possesses that credential

13
Privacy Vulnerabilities during Trust Negotiation (contd.)
  • Sensitive credential attributes
    • A policy may constrain one sensitive attribute (e.g. age) even
      though the rest of the credential is not needed
    • Selectively disclose attributes within a credential so that only
      the needed subset is made available to the recipient
  • Extraneous information gathering
    • A requester may ask for unnecessary details
    • An attacker can modify a policy in transit to increase the number
      of required credentials and force a participant to disclose more
      information than the requester intended; a policy can be digitally
      signed to protect its integrity
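Selective disclosure of credential attributes, as an added example that is not code from the paper or the presentation. It uses a hash-commitment construction: the issuer commits to every attribute with a salted hash, the holder opens only the commitments a policy needs (here the age constraint), and the verifier recomputes the digest. Simplification assumed here: the issuer's signature over the credential is stood in for by the verifier holding a trusted copy of the issuer's digest; a real deployment would sign that digest (the Brands reference on the last slide gives a rigorous construction). The attribute values are constructed sample data.

```python
"""Added example (not from the paper or slides): hash-commitment style selective
disclosure, so a holder reveals only the attribute an ACP constrains (age) and
keeps the others hidden. The issuer's signature is stood in for by a trusted
copy of the digest (assumption); attribute values are constructed sample data."""
import hashlib
import json
import secrets


def leaf(name, salt, value):
    """Salted hash of one attribute; JSON framing avoids delimiter ambiguity."""
    return hashlib.sha256(json.dumps([name, salt, value]).encode()).hexdigest()


def digest(leaves):
    """Issuer's commitment to the whole attribute set (what would actually be signed)."""
    return hashlib.sha256(json.dumps(leaves, sort_keys=True).encode()).hexdigest()


def issue(attrs):
    """Issuer: one random salt per attribute, a commitment to each, and the digest."""
    salts = {k: secrets.token_hex(16) for k in attrs}
    leaves = {k: leaf(k, salts[k], v) for k, v in attrs.items()}
    return {"attrs": attrs, "salts": salts, "leaves": leaves, "digest": digest(leaves)}


def present(cred, reveal):
    """Holder: open the commitments in `reveal`, send only hashes for everything else."""
    return {
        "revealed": {k: [cred["attrs"][k], cred["salts"][k]] for k in reveal},
        "hidden": {k: h for k, h in cred["leaves"].items() if k not in reveal},
    }


def verify(presentation, trusted_digest):
    """Verifier: recompute leaves for the revealed attributes and check the digest."""
    leaves = dict(presentation["hidden"])
    for k, (value, salt) in presentation["revealed"].items():
        if k in leaves:
            return False   # an attribute may not be both hidden and revealed
        leaves[k] = leaf(k, salt, value)
    return digest(leaves) == trusted_digest


def satisfies_age_policy(presentation, trusted_digest, minimum_age):
    """The verifier's age constraint: the presentation must verify AND reveal a sufficient age."""
    if not verify(presentation, trusted_digest):
        return False
    age = presentation["revealed"].get("age")
    return age is not None and age[0] >= minimum_age


# Constructed sample credential (not real data).
CREDENTIAL = issue({"name": "Alice", "age": 34, "license_no": "R-12345"})

if __name__ == "__main__":
    p = present(CREDENTIAL, ["age"])
    print("age policy met:", satisfies_age_policy(p, CREDENTIAL["digest"], 21))
    print("still hidden:", sorted(p["hidden"]))
```

The verifier learns that the issuer vouches for an age of 34 and nothing about the name or license number; changing the revealed age, or moving an attribute between the hidden and revealed sets, breaks the digest check.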

14
Privacy Vulnerabilities during Trust Negotiation (contd.)
  • Privacy practices
    • Privacy seals like TRUSTe
    • Forgery is possible

16
Privacy Safeguards for Trust Negotiation
  • No response
    • Trust negotiation strategies ensure that all disclosures are safe
      (in accordance with the ACP)
    • For a possession-sensitive credential: disclosing its policy →
      admission of possession; failing to respond → admission of
      non-possession
    • Instead of disclosing the policy for a possession-sensitive
      credential, wait for the requester to reveal the necessary
      credentials

17
Privacy Safeguards for Trust Negotiation (contd.)
  • Pretend to possess a credential
    • Disclose the policy for a sensitive credential even if it is not
      applicable (the party does not actually hold the credential)
    • The requester then has to pass the same set of trustworthiness
      tests whether or not the credential exists
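A property check for the possession-sensitivity vulnerability of slide 12 and the two safeguards of slides 16 and 17, as an added example that is not code from the paper or the presentation. The check enumerates every requester that cannot satisfy the credential's ACP and demands that the responder's transcript be identical whether or not the credential is held; the IBM_Employee credential, its ACP and the credential universe are assumptions made for illustration.

```python
"""Added example (not from the paper or slides): a responder strategy for a
possession-sensitive credential is safe only if every UNAUTHORIZED requester
sees the same messages whether or not the credential is held. IBM_Employee,
its ACP and the credential universe are assumptions made for illustration."""
from itertools import combinations

SENSITIVE = "IBM_Employee"
# ACP for IBM_Employee in DNF over the requester's credentials (assumed).
ACP = [["IBM_Partner_Contract"], ["IBM_Manager"]]
UNIVERSE = ["IBM_Partner_Contract", "IBM_Manager", "Student_ID", "Credit_card"]


def satisfied(policy, creds):
    return any(all(c in creds for c in conj) for conj in policy)


def naive(possesses, creds):
    """Slide 16's vulnerable behaviour: answer the request with the ACP if we hold
    the credential, otherwise admit we do not have it."""
    if not possesses:
        return [("no_such_credential", SENSITIVE)]
    out = [("policy", SENSITIVE, ACP)]
    out.append(("credential", SENSITIVE) if satisfied(ACP, creds) else ("declined", SENSITIVE))
    return out


def no_response(possesses, creds):
    """Slide 16's safeguard: never disclose the ACP; stay silent until the requester
    has volunteered credentials, and only then react."""
    if possesses and satisfied(ACP, creds):
        return [("credential", SENSITIVE)]
    return []   # silence, identical for possessor and non-possessor


def pretend(possesses, creds):
    """Slide 17's safeguard: always disclose the ACP; a non-possessor admits the
    truth only to a requester that has already passed the same tests."""
    out = [("policy", SENSITIVE, ACP)]
    if not satisfied(ACP, creds):
        out.append(("declined", SENSITIVE))
    elif possesses:
        out.append(("credential", SENSITIVE))
    else:
        out.append(("no_such_credential", SENSITIVE))
    return out


def leaks_possession(strategy):
    """Return the first unauthorized credential set for which the possessor's and the
    non-possessor's transcripts differ, or None if the strategy is safe for all of them."""
    for n in range(len(UNIVERSE) + 1):
        for creds in combinations(UNIVERSE, n):
            if satisfied(ACP, creds):
                continue   # an authorized requester is allowed to learn the answer
            if strategy(True, creds) != strategy(False, creds):
                return set(creds)
    return None


if __name__ == "__main__":
    for s in (naive, no_response, pretend):
        print(f"{s.__name__:12s} leaks possession to:", leaks_possession(s))
```

The naive responder is distinguishable already by a requester holding nothing at all, while both safeguards pass the check; an authorized requester (one holding IBM_Manager, say) still learns the truth under either safeguard, which the ACP permits.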

18
Privacy Safeguards for Trust Negotiation (contd.)
  • Dynamic policy graphs

19
Privacy Safeguards for Trust Negotiation (contd.)

20
Privacy Safeguards for Trust Negotiation (contd.)
  • Privacy practices
    • Make sure that privacy-practice credentials are not forged, and
      verify ownership of the credential
    • Certified privacy practices can be represented as digital
      credentials that are disclosed in response to user policies that
      require such guarantees
    • Supports automated verification of privacy policies in software
    • Issuer-signed credential → stronger trust
    • Opt-in and opt-out process

22
Conclusions
  • Identifies privacy vulnerabilities
    • Policy disclosure helps to focus the negotiation, but can
      inadvertently disclose evidence of possession or non-possession
    • Excessive gathering of information
  • Identifies 2 kinds of sensitive credentials (possession-sensitive
    and attribute-sensitive)
  • Describes how a client's privacy preferences can be enforced

23
References
  • Bertino, E., Castano, S., Ferrari, E.: On Specifying Security
    Policies for Web Documents with an XML-based Language. Proceedings
    of the Sixth ACM Symposium on Access Control Models and Technologies,
    Chantilly, Virginia (2001).
  • Biskup, J.: For Unknown Secrecies Refusal is Better than Lying.
    Data & Knowledge Engineering 33, Elsevier Science, Amsterdam (2000).
  • Bonatti, P., Samarati, P.: Regulating Service Access and Information
    Release on the Web. Proceedings of the 7th ACM Conference on Computer
    and Communications Security, Athens, Greece (2000).
  • Brands, S. A.: Rethinking Public Key Infrastructures and Digital
    Certificates. MIT Press, Cambridge, Massachusetts (2000).
  • Companies Must Adopt A Whole-View Approach To Privacy, According to
    Forrester Research,
    http://www.forrester.com/ER/Press/Release/0,1769,514,00.html (2001).
  • Hess, A., Jacobson, J., Mills, H., Wamsley, R., Seamons, K. E.,
    Smith, B.: Advanced Client/Server Authentication in TLS. Network and
    Distributed System Security Symposium, San Diego, CA (2002).
  • Persiano, P., Visconti, I.: User Privacy Issues Regarding
    Certificates and the TLS Protocol. Proceedings of the 7th ACM
    Conference on Computer and Communications Security, Athens, Greece
    (2000).
  • Platform for Privacy Preferences (P3P) Specification, W3C Working
    Draft 26 August (1999), http://www.w3.org/TR/WD-P3P/Overview.html.
  • Seamons, K. E., Winslett, M., Yu, T.: Limiting the Disclosure of
    Access Control Policies During Automated Trust Negotiation.
    Symposium on Network and Distributed System Security, San Diego
    (2001).
  • TRUSTe, http://www.truste.org.
  • Tygar, J. D.: Atomicity versus Anonymity: Distributed Transactions
    for Electronic Commerce. Proceedings of the 24th International
    Conference on Very Large Data Bases, New York City, New York (1998).
  • International Telecommunication Union: Recommendation X.509,
    Information Technology - Open Systems Interconnection - The
    Directory: Authentication Framework (1997).
  • Yu, T., Winslett, M., Seamons, K. E.: Interoperable Strategies in
    Automated Trust Negotiation. Proceedings of the 8th ACM Conference
    on Computer and Communications Security, Philadelphia, Pennsylvania
    (2001).