Protecting Privacy During On-line Trust Negotiation

Presentation transcript:

Protecting Privacy During On-line Trust Negotiation K. Seamons, L. Yu, R. Jarvis Brigham Young University M. Winslett, Ting Yu University of Illinois at Urbana-Champaign The title of my talk is interoperable strategies for automated trust negotiation. In a distributed environment, before two parties conduct a transaction, a certain level of trust should be established. Traditionally, it’s often assumed that the two parties are from the same security domain. Thus identity authentication is adequate for access control. However, in an open system like the Internet, most transactions are between strangers. They have no pre-existing knowledge about each other and are from different security domains. Identity-based access control does not help in such a situation. Let’s first look at an example.

Outline Automated trust negotiation. Potential privacy problems in automated trust negotiation. Attribute-sensitive credentials and their protection. Summary and future work.

An E-Business Transaction Example (the Landscape Designer, acting as client, negotiates with Champaign Prairie Nursery, acting as server):
Landscape Designer: I request to be exempt from sales tax.
Champaign Prairie Nursery: Show me your reseller’s license along with your credit card number or your CPN member card.
Landscape Designer: Here’s my reseller’s license. I have a credit card. But prove you are a member of the Better Business Bureau first.
Champaign Prairie Nursery: Here is my Better Business Bureau Certificate.
Landscape Designer: Here is my credit card number.
Champaign Prairie Nursery: You are qualified to be exempt from sales tax.

E-Business Requires Trust Participants are often strangers. Identity-based authentication is not adequate for access control. Properties other than identity are relevant to establishing trust. Age, address, citizenship, membership One’s properties may be sensitive. Nowadays, e-business over the Internet is developing very fast. Before a transaction starts, the participants should first build mutual trust for the transaction at hand. In an open system like the Internet, transaction participants are usually strangers. They have no prior knowledge about each other. In such a situation, identity-based solutions to build trust are not applicable. Identity itself is usually irrelevant to the service provider. Proving I am indeed John Smith does not show that I am qualified to get access to a certain service. There are also potential privacy issues when revealing one’s identity. For example, if a person retrieves information about a certain disease from a medical digital library and reveals her identity, it is very reasonable to assume that the user herself or some relatives may have that disease. That may be highly sensitive information. Actually it is properties instead of identity that are relevant to establishing trust. Such properties may include one’s age, address, membership and citizenship.

Digital Credentials Electronic counterparts of paper credentials in people’s daily life. Verifiable and unforgeable. To establish trust, strangers can use digital credentials describing their properties. On the Internet, we can use digital credentials to prove one’s identity and properties. Digital credentials are the online counterparts of the paper credentials we use in our daily life. With modern cryptography, digital credentials can be made verifiable and unforgeable. Property-based credentials provide a basis for establishing trust between strangers.

Trust Negotiation Protect sensitive credentials and services with (access control) policies. Establish trust incrementally through a sequence of credential disclosures. Begin with credentials that are less sensitive. Build up trust so that more sensitive credentials can be disclosed. When credentials are not sensitive, and therefore freely available, the trust building process is simple. The client asks for access to a service and the server tells the client what kind of credentials it needs. Then the client shows those required credentials and gets access to the service. However, credentials may contain sensitive information, for example one’s credit card number or one’s social security number. So one cannot show such sensitive information to just anybody. Just as the server may define what kinds of clients are qualified to access a service, the credential owners should also define when and to whom a credential can be disclosed. Such control is by means of credential and service disclosure policies. Therefore, when credentials contain sensitive information, trust needs to be established incrementally through a sequence of credential disclosures. Usually less sensitive credentials are disclosed first. When a certain level of trust is achieved, more sensitive credentials can then be disclosed.

An Example Credential Exchange Sequence
Landscape Designer (client) policies: Credit_Card ← BBB_Member; Reseller_License ← true
CPN (server) policies: Order_OK ← (Credit_Card ∨ CPN_Account) ∧ Reseller_License; BBB_Member ← true
Disclosure sequence: Reseller_License (client → server), BBB_Member (server → client), Credit_Card (client → server), Order_OK (server → client)
Here is a small example of a trust negotiation. The client requires service S from the server. The policy for S is (C1  C6)  (C2  C4). We can see how the trust is established step by step starting with less sensitive credentials. If a credential is freely available, which means it can be disclosed to others without requiring any credentials from the other side, we use C ← true to represent its policy. (show the sequence) The question we now have is: without knowing each other’s disclosure policies, how do the two parties find a credential exchange sequence that establishes trust? In our model, each party runs an algorithm which guides the message exchange between the two parties and finds a successful trust negotiation. We call such an algorithm a trust negotiation strategy.
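The following is an added example (not code from the talk or the authors) that simulates the exchange above with an eager negotiation strategy: on each turn a party discloses every credential whose disclosure policy is already satisfied by what the other side has shown, and the negotiation ends when the service is released or when a full round produces no new disclosure. The `Party`, `negotiate` and `example_parties` names are hypothetical, and the policies are the ones on the slide; `Order_OK` is modelled as a credential the server releases, which is an assumption made for the simulation.

```python
from dataclasses import dataclass, field
from typing import Callable

# A disclosure policy is a predicate over the set of credentials the *other*
# party has already disclosed. A policy that is always true models a freely
# available credential (written C <- true on the slide).
Policy = Callable[[frozenset], bool]


@dataclass
class Party:
    name: str
    # credential (or service) name -> its disclosure policy
    policies: dict[str, Policy]
    disclosed: set[str] = field(default_factory=set)

    def unlocked(self, received: frozenset) -> list[str]:
        """Credentials not yet disclosed whose policy is satisfied by `received`."""
        return sorted(c for c, pol in self.policies.items()
                      if c not in self.disclosed and pol(received))


def negotiate(client: Party, server: Party, service: str, max_rounds: int = 10):
    """Eager strategy: each turn a party discloses everything it is allowed to.

    Returns (success, transcript); transcript is the ordered list of
    (party name, credential) disclosures. An eager strategy may disclose more
    than strictly needed, which is exactly the privacy tension the talk raises.
    """
    transcript: list[tuple[str, str]] = []
    for _ in range(max_rounds):
        progressed = False
        for me, other in ((client, server), (server, client)):
            for cred in me.unlocked(frozenset(other.disclosed)):
                me.disclosed.add(cred)
                transcript.append((me.name, cred))
                progressed = True
            if service in server.disclosed:
                return True, transcript
        if not progressed:          # neither side can move: negotiation fails
            return False, transcript
    return False, transcript


def example_parties():
    """Constructed from the slide's policies (CPN = Champaign Prairie Nursery)."""
    client = Party("Landscape Designer", {
        "Reseller_License": lambda have: True,
        "Credit_Card": lambda have: "BBB_Member" in have,
    })
    server = Party("CPN", {
        "BBB_Member": lambda have: True,
        # Order_OK is the service; modelled here as a credential the server releases.
        "Order_OK": lambda have: ("Credit_Card" in have or "CPN_Account" in have)
                                 and "Reseller_License" in have,
    })
    return client, server


def run_example():
    client, server = example_parties()
    return negotiate(client, server, "Order_OK")


if __name__ == "__main__":
    ok, steps = run_example()
    for who, cred in steps:
        print(f"{who} discloses {cred}")
    print("trust established" if ok else "negotiation failed")
```

Running it reproduces the slide's sequence (Reseller_License, BBB_Member, Credit_Card, Order_OK). Swapping in a client whose every credential is guarded by something the server will not release first shows the other outcome: a round with no progress, and the negotiation stops without either side over-disclosing.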

Sensitive Policy Protection Policies may be sensitive. A project requiring employee credentials from either IBM or Microsoft indicates a cooperation between the two companies. Policy graphs help. Express policies in a hierarchical way so that sensitive constraints are disclosed gradually.

An Example Policy Graph (diagram): resource R = project info; policy nodes P1 and P3; node constraints: employeeID, issued by IBM, issued by Microsoft.

How policy graphs work When a resource is requested, only the policy in the source node is disclosed. Further constraints are checked only when the other party has disclosed necessary credentials. Sensitive constraints are not visible to the other party.

How policy graphs work (cont’d) (diagram: resource R = project info; source node P0 = employeeID; child nodes P1 = issued by IBM, P2 = issued by MS) 1. Client requests access to project information. 2. Server returns policy P0, only asking for an employeeID credential. 3. Client discloses its employeeID credential. 4. Server checks whether the credential is issued by IBM or MS, and grants or denies access accordingly.

Potential Privacy Problems in Trust Negotiation A stranger who wishes to access a resource must learn about its policy. Sensitive information can be inferred from a response to a request to access a resource. Possession-sensitive credentials. Attribute-sensitive credentials.

Attribute-Sensitive Credentials Policies constrain the values of credentials’ attributes. Show me your driver’s license to prove your age is over 25. Sensitive information can be inferred from the response. Disclosing the policy for your driver’s license suggests that your age is over 25.

One Solution: Dynamic Policy Graphs Hide constraints on sensitive attributes. Only ask for driver’s license. When it is disclosed, check the age attribute. On receiving a policy, convert it into a policy graph with no sensitive attributes in the source node.

One Solution: Dynamic Policy Graphs (cont’d) (diagram of the Security Agent: Policy P → Policy Transformation Agent → Transformed policy P’ → Negotiation Strategy Engine → Counter message)

One Solution: Dynamic Policy Graphs (cont’d) Policy P: x.type = “drivers license” ∧ x.age ≥ 25. Transformed policy graph P’: source node x.type = “drivers license”; child node x.age ≥ 25.
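As an added example (not the authors' code), the policy transformation from the last three slides can be written as a small program: a conjunctive policy P is split into a policy graph P’ whose source node contains only constraints on non-sensitive attributes, the requester is shown the source node alone, and the sensitive constraints are checked only after a credential has actually been disclosed. It covers both the driver’s-license policy and the IBM/Microsoft employeeID policy from the policy-graph slides. `Constraint`, `PolicyGraph`, `transform`, `visible_policy` and `decide` are hypothetical names, and the sample credentials are constructed.

```python
from dataclasses import dataclass
from typing import Any


@dataclass(frozen=True)
class Constraint:
    """One attribute constraint on a credential x, e.g. x.age >= 25."""
    attr: str
    op: str          # one of "=", ">=", "in"
    value: Any

    def holds(self, cred: dict) -> bool:
        v = cred.get(self.attr)
        if v is None:
            return False
        if self.op == "=":
            return v == self.value
        if self.op == ">=":
            return v >= self.value
        if self.op == "in":
            return v in self.value
        raise ValueError(f"unsupported operator {self.op}")

    def __str__(self) -> str:
        return f"x.{self.attr} {self.op} {self.value!r}"


@dataclass
class PolicyGraph:
    source: list[Constraint]   # the only node disclosed to the requester
    hidden: list[Constraint]   # child nodes, checked only after a credential arrives


def transform(policy: list[Constraint], sensitive: set[str]) -> PolicyGraph:
    """Policy transformation agent: split conjunctive policy P into graph P'
    whose source node carries no constraint on a sensitive attribute."""
    return PolicyGraph(
        source=[c for c in policy if c.attr not in sensitive],
        hidden=[c for c in policy if c.attr in sensitive],
    )


def visible_policy(graph: PolicyGraph) -> str:
    """What the other party learns when it asks for the resource."""
    return " and ".join(str(c) for c in graph.source)


def decide(graph: PolicyGraph, cred: dict) -> str:
    """Check the source node first, then the hidden constraints.

    Both failure paths return the same bare 'denied', so the reply does not
    say which constraint failed; what the negotiation *protocol* still leaks
    (the slide's next point) is outside this function.
    """
    if not all(c.holds(cred) for c in graph.source):
        return "denied"
    if not all(c.holds(cred) for c in graph.hidden):
        return "denied"
    return "granted"


# Policy P from the slide: x.type = "drivers license" AND x.age >= 25, age sensitive.
LICENSE_POLICY = [Constraint("type", "=", "drivers license"),
                  Constraint("age", ">=", 25)]
LICENSE_GRAPH = transform(LICENSE_POLICY, sensitive={"age"})

# The IBM/Microsoft project-info policy from the policy-graph slides, issuer sensitive.
PROJECT_POLICY = [Constraint("type", "=", "employeeID"),
                  Constraint("issuer", "in", ("IBM", "Microsoft"))]
PROJECT_GRAPH = transform(PROJECT_POLICY, sensitive={"issuer"})

if __name__ == "__main__":
    # constructed sample credentials
    print("requester sees:", visible_policy(LICENSE_GRAPH))
    print(decide(LICENSE_GRAPH, {"type": "drivers license", "age": 30}))
    print(decide(LICENSE_GRAPH, {"type": "drivers license", "age": 21}))
    print("requester sees:", visible_policy(PROJECT_GRAPH))
    print(decide(PROJECT_GRAPH, {"type": "employeeID", "issuer": "IBM"}))
```

The point to notice is what `visible_policy` returns: only the credential type. A requester who receives that policy cannot infer the age threshold or the IBM/Microsoft cooperation from it, whereas publishing P as written would reveal both.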

Negotiation Protocols Negotiation protocols leak information about sensitive attributes. Fundamentally, it is a protocol design problem. Protocols allowing inaccurate responses and bad-faith negotiation may help. Balance between negotiation efficiency and privacy preservation.

Other Privacy Issues in Trust Negotiation Possession-sensitive credentials. Extraneous information gathering. Privacy practices.

Summary Trust is crucial in open systems like the Internet. Automated trust establishment is a promising approach. Digital credentials and access control policies Preserving users’ privacy in automated trust negotiation is hard.

Future Work Formally model information flow in trust negotiation. Design protocols with semantics that provide more protection for users’ private information.