Confidentiality, Privacy and Trust II

1
Confidentiality, Privacy and Trust - II

• Dr. Bhavani Thuraisingham
• The University of Texas at Dallas
• Lecture 13
• October 8, 2008

2
Outline of the Unit

• Need to Know to Need to Share
• RBAC, UCON, RBUC
• Dissemination
• Rick based access control
• Trust Management/Credential/Disclosure
• Semantic Web and Trust
• Directions
• Major conferences for Policy and Access Control
• IEEE Policy Workshop
• ACM SACMAT

3
Need to Know to Need to Share

• Need to know policies during the cold war even
  if the user has access, does the user have a need
  to know?
• Pose 9/11 the emphasis is on need to share
• User may not have access, but needs the data
• Do we give the data to the user and then analyze
  the consequences
• Do we analyze the consequences and then determine
  the actions to take
• Do we simply not give the data to the user
• What are risks involved?

4
RBAC

• Access to information sources including
  structured and unstructured data both within the
  organization and external to the organization
• Access based on roles
• Hierarchy of roles handling conflicts
• Controlled dissemination and sharing of the data

5
RBAC (Sandhu)
6
UCON

• RBAC model is incorporated into UCON and useful
  for various applications
• Authorization component
• Obligations
• Obligations are actions required to be performed
  before an access is permitted
• Obligations can be used to determine whether an
  expensive knowledge search is required
• Attribute Mutability
• Used to control the scope of the knowledge search
• Condition
• Can be used for resource usage policies to be
  relaxed or tightened

7
UCON (Sandhu)
8
Role-based Usage Control (RBUC)
RBAC with UCON extension
9
RBUC in Coalition Environment

• The coalition partners maybe trustworthy),
  semi-trustworthy) or untrustworthy), so we can
  assign different roles on the users (professor)
  from different infospheres, e.g.
• professor role,
• trustworthy professor role,
• semi-trustworthy professor role,
• untrustworthy professor role.
• We can enforce usage control on data by set up
  object attributes to different roles during
  permission-role-assignment,
• e.g. professor role 4 times a day,
• trustworthy role 3 times a day
• semi-trustworthy professor role 2 times a day,
• untrustworthy professor role 1 time a day

10
Dissemination Policies

• Release policies will determine to whom to
  release the data
• What is the connection to access control
• Is access control sufficient
• Once the data is retrieved from the information
  source (e.g., database) should it be released to
  the user
• Once the data is released, dissemination policies
  will determine who the data can be given to
• Electronic music, etc.

11
Risk Based Data Sharing/Access Control/Trust

• What are the risks involved in releasing/dissemina
  ting the data
• Risk modeling should be integrated with the
  access control model
• Simple method assign risk values
• Higher the risk, lower the sharing
• What is the cost of releasing the data?
• Cost/Risk/Security closely related

12
Trust Management

• Trust Services
• Identify services, authorization services,
  reputation services
• Trust negotiation (TN)
• Digital credentials, Disclosure policies
• TN Requirements
• Language requirements
• Semantics, constraints, policies
• System requirements
• Credential ownership, validity, alternative
  negotiation strategies, privacy
• Example TN systems
• KeyNote and Trust-X (U of Milan), TrustBuilder
  (UIUC)

13
Trust Management
14
The problem establishing trust in open systems

• Interactions between strangers
• - In conventional systems user identity is
  known in advance
• and can be used for performing access
  control
• - In open systems partecipants may have no
  pre-existing
• relationship and may not share a common
  security domain

?

• Mutual authentication
• - Assumption on the counterpart honesty no
  longer holds
• - Both participants need to authenticate each
  other

15
Trust Negotiationmodel

• A promising approach for open systems where most
  of the interactions occur between strangers
• The goal establish trust between parties in
  order to exchange sensitive information and
  services
• The approach establish trust by verifying
  properties of the other party

16
Trust negotiation the approach

• Interactions between strangers in open systems
• are different from traditional access control
  models

Policies and mechanisms developed in conventional
systems need to be revised
ACCESS CONTROL POLICIES VS. DISCLOSURE POLICIES
USER IDs VS. SUBJECT PROPERTIES
17
Subject properties digital credentials

• Assertion about the credential owner issued and
  certified by a Certification Authority.

• Each entity has an associated set of
  credentials,
• describing properties and attributes of the
  owner.

CA
18
Use of Credentials
Credential Issuer
Digital Credentials

• Julie
• 3 kids
• Married
• American

Alice
Check
Check
-Julie - Married
-Julie - American
Company B
Want to know marital status
Company A
Referenced from http//www.credentica.com/technolo
gy/overview.pdf
Want to know citizenship
19
Credentials

• Credentials can be expressed through the Security
  Assertion Mark-up Language (SAML)
• SAML allows a party to express security
  statements about a given subject
• Authentication statements
• Attribute statements
• Authorization decision statements

20
Disclosure policies
Disclosure policies

• Disclosure policies govern
• Access to protected resources
• Access to sensitive information
• Disclosure of sensitive credentials
• Disclosure policies express trust requirements by
  means of credential combinations that must be
  disclosed to obtain authorization

21
Disclosure policies - Example

• Suppose NBG Bank offers loans to students
• To check the eligibility of the requester, the
  Bank asks the student to present the following
  credentials
• The student card
• The ID card
• Social Security Card
• Financial information either a copy of the
  Federal Income Tax Return or a bank statement

22
Disclosure policies - Example

• p1 (, Student_Loan ? Student_Card())
• p2 (p1), Student_Loan ? Social_Security_Card())
  
• p3 (p2, Student_Loan ? Federal_Income_Tax_Retur
  n())
• p4 (p2, Student_Loan ? Bank_Statement())
• P5(p3,p4, Student_Loan ? DELIV)
• These policies result in two distinct policy
  chains that lead to disclosure
• p1, p2, p3, p5 p1, p2, p4, p5

23
Trust Negotiation - definition
The gradual disclosure of credentials and
requests for credentials between two strangers,
with the goal of establishing sufficient trust so
that the parties can exchange sensitive
information and/or resources
24
Trust-X system Joint Research with University
of Milan

• A comprehensive XML based framework for trust
  negotiations
• Trust negotiation language (X-TNL)
• System architecture
• Algorithms and strategies to carry out the
  negotiation process

25
Trust-X language X-TNL

• Able to handle mutliple and heterogeneus
  certificate specifications
• Credentials
• Declarations
• Able to help the user in customizing the
  management of his/her own certificates
• X-Profile
• Data Set
• Able to define a wide range of protection
  requirements by means of disclosure policies

26
X-TNL Credential type system
X-TNL simplifies the task of credential
specification by using a set of templates
called credential types Uniqueness is ensured by
use of XML Namespaces Credential types are
defined by using Document Type Definition
lt!DOCTYPE library_badge lt!ELEMENT library_badge
(name, address, phone_number, email?,
release_date, profession,Issuer)gt lt!ELEMENT name
(fname, lname)gt lt!ELEMENT address
(PCDATA)gt lt!ELEMENT phone_number
(PCDATA)gt lt!ELEMENT email
(PCDATA)gt lt!ELEMENT release_date
(PCDATA)gt lt!ELEMENT profession
(PCDATA)gt lt!ELEMENT fname
(PCDATA)gt lt!ELEMENT lname
(PCDATA)gt lt!ELEMENT Issuer ANYgt lt!ATTLIST
Issuer XMLLINK CDATA FIXED SIMPLE HREF
CDATA REQUIRED TITLE CDATA
IMPLIEDgt lt!ATTLIST library_badge CredID ID
REQUIREDgt lt!ATTLIST library_badge SENS CDATA
REQUIREDgt gt
27
Trust-X negotiation phases- basic model

• Introduction
• Send a request for a resource/service
• Introductory policy exchanges
• Policy evaluation phase
• Disclosure policy exchange
• Evaluation of the exchanged policies in order to
  determine secure solutions for both the parties.
• Certificate exchange phase
• Exchange of the sequence of certificates
  determined at step n. 2.

28
Trust-X Architecture
Trust-X has been specifically designed for a
peer-to-peer environment in that each party is
equipped with the same functional modules and
thus it can alternatively act as a requester or
resource controller during different
negotiations.
29
How a policy is processed

• Upon receiving a disclosure policy the compliance
  checker determines if it can be satisfied by any
  certificate of the local X-profile.

• Then, the module checks in the policy base the
  protection needs associated with the
  certificates, if any.
• The state of the negotiation is anyway updated
  by the tree manager, which records whether new
  policies and credentials have been involved or
  not.

COMPLIANCE CHECKER
TREE MANAGER
Disclosure Policies
Policy Base
Policy Reply
X-Profile
30
Semantic Web

• http//www.cs.washington.edu/homes/pedrod/papers/i
  swc03.pdf
• http//www4.wiwiss.fu-berlin.de/bizer/SWTSGuide/
• Web page on some of the papers related to
  semantic web, security and trust
• W3C recommendations for privacy, security, trust.
  Brian Matthews, W3C UK Office at RAL, March 2002.
  - Short presentation about current W3C
  activities.

31
Directions

• Policies are of much interest to many
  organizations and applications
• Financial, Medical, Retail, Manufacturing etc
• Roles and responsibilities
• Flexible policies
• RBAC, UCON, RBUC, Trust Negotiation,
  Dissemination Policies
• Need to Know to Need to Share
• Semantic Web plays a major role