An Introduction to Decentralized Trust Management Sandro Etalle University of Twente thanks to William H. Winsborough – University of Texas S. Antonio. The DTM team of the UT (Ha, Marcin, Jeroen Jerry)

Post on 21-Dec-2015

IPA Herfstdagen Security
Etalle: Decentralized Trust Management

Overview
  Reputation-based trust management
  Rule-based trust management
  Problems & Challenges (rule-based systems)
    scalability & chain discovery
    trust negotiation
    integrity constraints
  Conclusions

Reputation-based TM
  concrete community of cooks (200 people)
  need to interact with someone you don’t know, to establish trust:
    you ask your friends and friends of friends
      ... some recommendations are better than others
    you check the record (if any)
  after success trust increases

Reputation-based TM
  virtual p2p community of hackers (2000 people)
    exchange programs & scripts
  need to interact with someone you don’t know, ...
  difference with concrete community: larger, faster
    trust establishment has to be to some extent automatic

for instance

challenges
  trust metrics
    how to model and compute trust
    evaluating initial trust value
    combining evidence, recommendations, reputation
  management of reputation data
    secure & efficient retrieval of reputation data
  automating trust-based decisions
  closing the circle: using experience as feedback

Reputation-based TM: salient features
  open system (different security domains)
  trust is a measure & changes in time
  risk-based
  recommendation based (NOT identity-based)
  peers are not continuously available
  Some systems:
    PGP, EigenTrust Algorithm (Stanford)

rule-based TM: concrete example

rule-based tm, virtual

scalability

RT: a language for rule-based TM
  family of languages [Li, Mitchell, Winsborough]
  four types of credentials

EPub.discount Alice
EPub.discount UTwente.student
EPub.discount FAB.accredited.student
EPub.discount UTwente.student UTwente.student

principal
role name
principal.rolename = Role

trusting principal
trusted principal (somewhere else: delegation)

attribute-based delegation

some language requirements [Bertino]
  Monotonicity
  Constraints (omitted)
  Credential combination
  Sensitive Policies

Reputation vs rule based TM

Reputation-based TM:
  open system (different security domains)
  trust is a measure & changes in time
  risk-based
  recommendation based (NOT identity-based)
  peers are not continuously available
  Some systems: PGP TBD

Rule-based TM:
  open system (different security domains)
  trust is boolean & less time-dependent
  no risk
  rule (credential) based (NOT identity-based)
  peers are not continuously available
  Some systems: KeyNote, Trust-X

Problem 1: scalability

attribute-based delegation: accepting student ID from any university

EPub.discount FAB.accred.student

FAB.accredited UnivTwente

UnivTwente.student Alice

Credential chain proves authorization.

Scalability problem

Problem 2: trust negotiations
  credentials can be confidential
  credential disclosure is a matter of... trust
  three strategies [Seamons]
    Naive
    Reasonable
    Informed
  additional problem: what do you do with the info in a credential after it has been disclosed

Problem 3: control
  Policies change in time: P P1 ... Pn
  A principal controls only a portion of the policy
  Delegating trust implies an understanding between principals,
  Trusted principals need assistance
    Who could get access to what? (Safety)
    Who could be denied? (Availability)
    “No-one should ever be both a buyer and an accountant” Mutual Exclusion

Conclusions
  Context:
    2 or more parties in an open system.
    parties are not in the same security domain.
  Goal
    establish trust between parties to exchange information and services (access control)
  Constraint
    access control decision is made
      NOT according to the party identity
      BUT according to the credentials it has

Open problems
  Analysis
    safety analysis
      we are now working with Spin in RT0, for RTC (with constraints) nothing is available
    of negotiation protocols w.r.t. the TM goals.
  Integration with other systems, e.g.
    privacy protection
    location-dependent policies
      ambient calculi?
    DRM
  Semantics
    is not correct when considering:
      chain discovery
      negotiations
    is not modular
      certainly possible to improve this using previous work on omega-semantics.
  Types

Integrity Constraints: General Form
  General: L.l ⊒ R.r
    Formally, L.l ⊒ R.r holds in P (P ⊢ L.l ⊒ R.r) iff [[L.l]]P [[R.r]]P
    sets and intersections are allowed
  Special cases
    Membership: A.r ⊒ { D1, …, Dn }
    Boundedness: { D1, …, Dn } ⊒ A.r
  expressiveness is limited (it is a universal formula)
    but we can express all safety properties of [LWM03]
    counterexample: at least a manager should have access to the DB

Examples
  buyers and accountants should be disjoint
    ⊒ A.buyer A.accountant
  every employee should have access to the WLAN network
    WLAN.access ⊒ UT.employee
  welders of BOVAG-accredited workshops should be fellows of the British Institute of Welding
    Bovag.welder Bovag.accr.welder
    Bovag.accr PietersWorkshop
    PietersWorkshop.welder Pieter
    BIW.fellow ⊒ Bovag.welder
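
An added example, not from the slides: a small Python evaluator that derives role membership for the credential chain of Problem 1 and checks the welder constraint from the Examples slide. It assumes each credential line reads as a head role defined by the body that follows it, as in RT0 [Li, Mitchell, Winsborough], and that ⊒ means containment of role members, consistent with the WLAN example; the tuple encoding, the function names and the extra BIW.fellow credential are constructed for illustration.

```python
from collections import defaultdict

def members(policy):
    """Least fixpoint of an RT0 policy: role 'A.r' -> set of principals."""
    sem = defaultdict(set)
    changed = True
    while changed:
        changed = False
        for kind, head, *body in policy:
            if kind == "member":        # A.r <- D
                new = {body[0]}
            elif kind == "include":     # A.r <- B.r1
                new = set(sem[body[0]])
            elif kind == "link":        # A.r <- B.r1.r2 (attribute-based delegation)
                new = set()
                for p in list(sem[body[0]]):
                    new |= sem[f"{p}.{body[1]}"]
            elif kind == "intersect":   # A.r <- B.r1 ∩ C.r2
                new = sem[body[0]] & sem[body[1]]
            else:
                raise ValueError(f"unknown credential type: {kind}")
            if not new <= sem[head]:
                sem[head] |= new
                changed = True
    return sem

def holds(sem, left, right):
    """L ⊒ R holds iff [[L]] ⊇ [[R]]; a side is a role name or an explicit set."""
    value = lambda side: side if isinstance(side, (set, frozenset)) else sem[side]
    return value(left) >= value(right)

# Problem 1 chain (constructed encoding; "accred" spelled out as "accredited").
EPUB_POLICY = [
    ("link", "EPub.discount", "FAB.accredited", "student"),
    ("member", "FAB.accredited", "UnivTwente"),
    ("member", "UnivTwente.student", "Alice"),
]
# Welder policy from the Examples slide (constructed encoding of its credentials).
WELDER_POLICY = [
    ("link", "Bovag.welder", "Bovag.accr", "welder"),
    ("member", "Bovag.accr", "PietersWorkshop"),
    ("member", "PietersWorkshop.welder", "Pieter"),
]

if __name__ == "__main__":
    print(sorted(members(EPUB_POLICY)["EPub.discount"]))
    print(holds(members(WELDER_POLICY), "BIW.fellow", "Bovag.welder"))
    # Hypothetical extra credential, not on the slides: BIW.fellow <- Pieter
    fixed = members(WELDER_POLICY + [("member", "BIW.fellow", "Pieter")])
    print(holds(fixed, "BIW.fellow", "Bovag.welder"))
```

The check is made against one fixed policy P; it says nothing about whether the constraint survives later policy states P1 ... Pn, which is the safety-analysis question listed under open problems.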