Click to edit Master title style © by Nat Sakimura. Coping with Information Asymmetry SESSION G: Managing Risk & Reducing Online Fraud Using New Security Technologies Nat Sakimura Nomura Research Institute

© by Nat Sakimura. 2 IdPRP Alice How can I trust this RP that it will treat my data as promised? How can I trust that the user is Alice? Is the data provided accurate? Can I trust this RP? Can I trust Alice?

© by Nat Sakimura. 3 Market Failure

© by Nat Sakimura. 4 Empirical Study n Funded by Ministry of Internal Affairs and Communication (MIC) n n=117, distributed same as the population. n Observed testing combined with F2F interviews Source: Based on the Report on Identity Federation Substantial Experiment

© by Nat Sakimura. 5 n Restaurant Search Engine + Restaurant Sites (Both Mobile and PC) n Users are told to find the restaurants they want to go and reserve. n Registration requires various user information depending on the site. l Some are traditional “Form Submission” l Some are using Identity Federation and attribute sharing.

© by Nat Sakimura. 6 IdP ② AuthZed Attrs Sent to RP User AuthN + Attr AuthZ RP No need to fill in the info that the user authzed to be sent Attribute Sharing AuthZed Attrs is being sent from IdP to RP - Results - How It looked like Users needed to fill-in the attrs not sent by IdP Name Post Code Address Telephone Mail Address Sex Occupation Age Source: Based on the Report on Identity Federation Substantial Experiment

© by Nat Sakimura. 7 (N=177) Without Attr. Sharing With Attrs Sharing 1’33”0’19” 19.6%7.1% Time Req. to complete registration Input Error Rate （ Down 80% ） （ Down 65% ） Both Time Required to complete And the Error Rate were reduced. - Results - Attribute Sharing Greatly improves the user experience IdP ② AuthZed Attrs Sent to RP User AuthN + Attr AuthZ RP No need to fill in the info that the user authzed to be sent Attribute Sharing Source: Based on the Report on Identity Federation Substantial Experiment

© by Nat Sakimura. 8 -User Feedback - 94% Answered that they want to use Attribute Sharing Services. Do yo want to use such Attribute Sharing Services? Source: Based on the Report on Identity Federation Substantial Experiment

© by Nat Sakimura. 9 Additional Features Wanted by the Users Assist users to find out if the RP is trustworthy Selectively Send the attributes (e.g., not sending telephone no.) Automatically notify/update the selected RPs when Attrs changed. Select one from Multiple “profiles” when sending attrs. -User Feedback - 97% Users wanted to have a way to find out the trustworthiness of the RP Additional Features Requested Source: Based on the Report on Identity Federation Substantial Experiment

© by Nat Sakimura. 10 How? n Third Party Audit l E.g., Open Identity Trust Framework n Reputation “ Reputation is a subjective evaluation of the assertion about an entity being true based on factual and/or subjective data about it, and is used as one of the factors for establishing trust on that subject for a specific purpose. Reputation can be aggregated by rolling up opinions from smaller sets like individuals. ” Open Reputation Management Systems (ORMS) TC

© by Nat Sakimura. 11 ORMS Reference Model Input data collection/ generation Individual & demographic data – entity E Oberved data – Entity E Real-world data: entity E Inferred data: Entity E subjective data – Entity E Input data collection/ generation … Reputation Computer Context Reputation System Reputation of Input entities (local) Reputation Portable Reputation Computation of Trust by (external) Consuming party Pub-Sub Portable Reputation Data Input Computation of Trust by (external) Consuming party Source: ORMS TC, “Use Cases”

© by Nat Sakimura. 12 Reputation Format Requirements 1.Reputation result XML needs to have an identifier of somebody being scored. lIt may include PII (e.g., Social Security Number), so it may be wise to mandate that this be a hash(identifier, salt)?=>Protocol Consideration 2.The same for who is scoring, and sometimes for who is receiving. 3.For what criteria, this reputation score was made. 4.Input Data Range 5.For the reputation to be aggregatable, it has to have a distribution that we know about the aggregated distribution (such as normal distribution). 6.The information about the distribution, including what distribution, mean, and standard deviation must be published together with the score. 7.Display score should be intuitive for an average person. 8.Date that score was made 9.Signature by the score maker so that it will be tamper proof. Source: ORMS TC, “Use Cases”

© by Nat Sakimura. 13 Protocol Requirements n PR1.The reputation consumer SHOULD be able to obtain the reputation file by specifying the assertion including the subject identifier. n PR2.Since the reputation data itself is often an sensitive data including PII, it SHOULD have the following security considerations: l SubjectID SHOULD be represented so that it cannot be traced back to the Subject, e.g., sha256(SubjectID, salt). This implies that the protocol should be a request-response protocol since otherwise the receiver cannot map the file to the Subject. l Be able to make the source detectable in the case of the leakage, the file should contain the requester ID. l To make the request forgery-proof, the request should contain the digital signature of the requesting party. l To protect from eavesdropping and MITM attacks, the response should be encrypted using a content encryption key (session key) which in turn is encrypted by the requesting party’s public key. l Considering that the mere fact that an entity is requesting a reputation representation of the subject may be a privacy risk, the request probably should be encrypted in the same manner as the response, with reputation authority’s public key. Source: ORMS TC, “Use Cases”

© by Nat Sakimura. 14 Example Reputation Display Last Login, How Many Times in the Past. Reputation Authorize Source: Based on the Report on Identity Federation Substantial Experiment