Presentation is loading. Please wait.

Presentation is loading. Please wait.

Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech Privacy and Trust Frameworks/Systems Presented by Zalia Shams Usable Security –

Published byCuthbert Mills Modified over 9 years ago

Similar presentations

Presentation on theme: "Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech Privacy and Trust Frameworks/Systems Presented by Zalia Shams Usable Security –"— Presentation transcript:

1 Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech Privacy and Trust Frameworks/Systems Presented by Zalia Shams Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech

2 PRIME - Privacy and Identity Management for Europe Primarily a research project. Aimed to develop a working prototype of a Privacy- enhancing Identity Management System. www.prime-project.eu Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech

3 Trust In PRIME (2005) Christer Andersson*, Jan Camenisch‡, Stephen Crane§, Simone Fischer-Hübner*, Ronald Leenes†, Siani Pearson§, John Sören Pettersson* and Dieter Sommer‡ * Karlstad University ‡IBM Zurich Research Laboratory, §Hewlett-Packard Laboratories, †Tilburg University

4 Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech Where Identity Information is Stored? A complete picture of someone’s movements, transactions, whereabouts and relationships can be found from the trail left from interaction with websites!!!

5 Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech A Typical e-Shopping Scenario John

6 Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech PRIME Solution Browsing Direct Delivery Direct Payment Advice, Purchase Credit Card Payment Pick up point/ Delivery Service Anonymous Delivery CustomerMerchant Bank

7 Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech Contribution Introduces the PRIME technical architecture. Discusses end user’s trust influencing factors  Socio-psychological factors  HCI aspects Describes necessity of  HCI research,  User studies and  Socio-psychological research in system design.

8 Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech Design Principles Start from maximum privacy (anonymity). State explicit privacy rules. Privacy rules must be enforced, not just stated. System should be transparent (data track).

9 Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech PRIME Architecture User Side:  Stores users’ personal data and credentials in repository  Protects these by software layer. Services Side :  Interacts with users.  Provide evidence of its trustworthiness.  Protects user’s data once released.

10 Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech PRIME Architecture User Side:  Stores users’ personal data and credentials in repository  Protects these by software layer. Services Side :  Interacts with users.  Provide evidence of its trustworthiness.  Protects user’s data once released. Handles communi cation

11 Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech PRIME Architecture User Side:  Stores users’ personal data and credentials in repository  Protects these by software layer. Services Side :  Interacts with users.  Provide evidence of its trustworthiness.  Protects user’s data once released. Handles communication Applications access prime functionality by middleware components

12 Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech Components and Mechanisms Combining Accountability and Privacy (Access Control):  User side checks evidence of service provider’s trustworthiness (e.g. privacy seal)  Services side checks proof of individual attributes denoted as Anonymous Credentials Enforcing Privacy Policy (Before and After):  Both sides checks compliance on policy and obligation of data handling by Automated Trust and Policy Negotiation.  A component on service side enforces agreed obligations (e.g. limited time data retention ).This is Obligation Management. T ransparency:  User can track their data that are released to services side. Trusted User Interface: Prime console is used as front-end.

13 Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech A Typical Interaction Protected resource access request Confirmation data request (e.g. age) Trust data (e.g. privacy seal) requested Trust + Policy compliance data submitted Actual release of data Access is granted Front end access control component User’s identity control component Trust and policy negotiation component Obligation Management User Console

14 Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech Socio-Psychological Factors Trust Layers Influence Socio-cultural  Relates to trust in Society.  Strongly associate with known people, likely to have low trust in online stores. Institutional  Relates to trust in institution.  Legal and technological safeguards enhances peoples’ trust. Service area  Concerns trust in a particular sector of economic activity (e.g. Medical profession > banking sector >internet service provider). Application layer  Concerns trust in a particular service provider.  Irregular events creates distrust. Media layer  Relates to communication channel.  Visible icons like lock sign in pages can increase trust.

15 Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech Usability Tests and Problems found A series of usability tests were performed for an e- shopping scenario using interactive mock-ups. Results: 1.Many users did not trust the claim that system will protect their data and privacy 2. “Internet is insecure anyway”. 3. “I did not agree my mental picture that I can buy a book anonymously”. 4. Users had difficulties to  mentally differentiate server and user side identity managements.  understand that PRIME console is with in users’ control and protects their identities.

16 Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech Possible Solutions for Enhancing Trust “Institutional Trust” has to put into PRIME from external sources. (e.g. consumers’ organizations recommend PRIME). Trustworthiness of the service provider must be conveyed to user. Data blocking, rectifying or deleting facilities need to be added. Help functions for legal issues need to added. User side and services side Identity Management Middleware functionalities should be clearly distinguishable by UI.

17 Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech Conclusions Powerful trust and privacy-enhancing technical mechanisms are developed in PRIME. Social factor and usability research have to accompany the development to enhance trust in users’.

18 Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech Discussions Do you think anonymous credentials support unlinkability/privacy appropriately? Is so why? If not, why? The paper mentioned-” … buying anonymously via Internet did not fit to a user’s mental picture… it is clear that providing anonymous shopping will wake awake an interest in the privacy technology”. How this conflict can be resolved? Do you think PRIME is transparent enough? If not, what can be done to increase transparency? Up to what extent PRIME middleware should enforce service provider and third party’s back-end? (e.g. only give a message that you should delete x customers’ data or, Check back-end database and delete the data itself.)

Download ppt "Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech Privacy and Trust Frameworks/Systems Presented by Zalia Shams Usable Security –"

Similar presentations

The Challenges of CORBA Security It is important to understand that [CORBAsecurity] is only a (powerful) security toolbox and not the solution to all security.

The Challenges of CORBA Security It is important to understand that [CORBAsecurity] is only a (powerful) security toolbox and not the solution to all security.
09/04/2015Unit 2 (b) Back-Office processes Unit 2 Assessment Criteria (b) 10 marks.

09/04/2015Unit 2 (b) Back-Office processes Unit 2 Assessment Criteria (b) 10 marks.
SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.

SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.
UDDI, Discovery and Web Services Registries. Introduction To facilitate e-commerce, companies needed a way to locate one another and exchange information.

UDDI, Discovery and Web Services Registries. Introduction To facilitate e-commerce, companies needed a way to locate one another and exchange information.
Identity Management Based on P3P Authors: Oliver Berthold and Marit Kohntopp P3P = Platform for Privacy Preferences Project.

Identity Management Based on P3P Authors: Oliver Berthold and Marit Kohntopp P3P = Platform for Privacy Preferences Project.
Securing Interaction for Sites, Apps and Extensions in the Browser Brad Miller J. D. Tygar.

Securing Interaction for Sites, Apps and Extensions in the Browser Brad Miller J. D. Tygar.
Internet Sellouts Final Presentation Enterprise Architecture Group.

Internet Sellouts Final Presentation Enterprise Architecture Group.
1.7.6.G1 © Family Economics & Financial Education –March 2008 – Financial Institutions – Online Banking Funded by a grant from Take Charge America, Inc.

1.7.6.G1 © Family Economics & Financial Education –March 2008 – Financial Institutions – Online Banking Funded by a grant from Take Charge America, Inc.
Copyright © 2002 Pearson Education, Inc.

Copyright © 2002 Pearson Education, Inc.
Chapter 2: IS Building Blocks Objectives

Chapter 2: IS Building Blocks Objectives
Electronic Commerce. On-line ordering---an e-commerce application On-line ordering assumes that: A company publishes its catalog on the Internet; Customers.

Electronic Commerce. On-line ordering---an e-commerce application On-line ordering assumes that: A company publishes its catalog on the Internet; Customers.
Hippocratic Databases Paper by Rakesh Agrawal, Jerry Kiernan, Ramakrishnan Srikant, Yirong Xu CS 681 Presented by Xi Hua March 1st,Spring05.

Hippocratic Databases Paper by Rakesh Agrawal, Jerry Kiernan, Ramakrishnan Srikant, Yirong Xu CS 681 Presented by Xi Hua March 1st,Spring05.
Secure Electronic Transactions (SET). SET SET is an encryption and security specification designed to protect credit card transactions on the Internet.

Secure Electronic Transactions (SET). SET SET is an encryption and security specification designed to protect credit card transactions on the Internet.
Web application architecture

Web application architecture
Introduction to Databases Transparencies 1. ©Pearson Education 2009 Objectives Common uses of database systems. Meaning of the term database. Meaning.

Introduction to Databases Transparencies 1. ©Pearson Education 2009 Objectives Common uses of database systems. Meaning of the term database. Meaning.
Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech Privacy Preferences Edgardo Vega Usable Security – CS 6204 – Fall, 2009 – Dennis.

Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech Privacy Preferences Edgardo Vega Usable Security – CS 6204 – Fall, 2009 – Dennis.
Digital Cash By Gaurav Shetty. Agenda Introduction. Introduction. Working. Working. Desired Properties. Desired Properties. Protocols for Digital Cash.

Digital Cash By Gaurav Shetty. Agenda Introduction. Introduction. Working. Working. Desired Properties. Desired Properties. Protocols for Digital Cash.
PRIME Economics WP Sub-contractors Meeting Thursday 16th December, 2004 21.00 – 21.30 In Den Rustwat.

PRIME Economics WP Sub-contractors Meeting Thursday 16th December, – In Den Rustwat.
Information Systems Today, 2/C/e ©2008 Pearson Education Canada Lecture Outline eCommerce Highlights of Electronic Business 2-1.

Information Systems Today, 2/C/e ©2008 Pearson Education Canada Lecture Outline eCommerce Highlights of Electronic Business 2-1.
New Developments in Authentication and Access Management Alan Robiette JISC Development Group JISC-NSF-DLI2 Meeting, 2002.

New Developments in Authentication and Access Management Alan Robiette JISC Development Group JISC-NSF-DLI2 Meeting, 2002.

Similar presentations

Ads by Google