TRUST NEGOTIATION IN ONLINE BUSINESS TRANSACTIONS BY CHANDRAKANTH REDDY.

1 TRUST NEGOTIATION IN ONLINE BUSINESS TRANSACTIONS BY CHANDRAKANTH REDDY

2 PAPERS
- UNIFIED SCHEME FOR RESOURCE PROTECTION IN AUTOMATED TRUST NEGOTIATION: Ting Yu, Winslett
- ADAPTIVE TRUST NEGOTIATION AND ACCESS CONTROL: Tatyana Ryutov, Li Zhou, Clifford Neuman

3 INTRODUCTION
Electronic business transactions often take place between entities that are strangers to one another. As a result, malicious users can steal sensitive data or exhaust resources by exceeding their allocation. Mutual trust between the two parties is crucial in such an environment.

4 The approach of automated trust negotiation differs from traditional identity-based access control systems mainly in the following aspects:
1. Trust between two parties is established based on disclosure of digital credentials.
2. Every party can define access control policies to control outsiders' access to their sensitive resources.
3. Trust is established incrementally through a sequence of bilateral credential disclosures.

5 Sensitive Policies and Their Protection
Example 1: A web page's access control policy states that in order to access documents of a project in the site, a requester should present an employee ID issued either by Microsoft or by IBM.
- "Issued by Microsoft or by IBM" can be considered a sensitive policy.
- When such a policy is shown to a requester, they can infer that this project is a cooperative effort of the two companies.

6 Sensitive Policies and Their Protection (2)
Example 2: Coastal Bank's loan application policy says that a loan applicant must be a customer of the bank who is not on the bank's bad-customer list.
- Coastal Bank learns from the policy who is on the bank's bad-customer list.

7 How to protect sensitive policies from unauthorized disclosure?
One obvious way to protect sensitive policies is to disclose only part of the policy at first, so that less sensitive credentials are disclosed first. Later on, when a certain level of trust has been established, more sensitive credentials can be disclosed.

8 For instance, in Example 1 we ask the requester to show only an employee ID; after receiving the credential, we check whether it was issued by Microsoft or IBM, which is the protected part of the policy. Similarly, in Example 2 Coastal Bank may ask only for a customer ID and perform the check against the bad-customer list after the credential is received.

9 The problem with this approach is that Alice discloses some credentials and believes that Coastal Bank's policy has been satisfied, while Coastal Bank believes the opposite because the sensitive constraints of the bank's policy are not satisfied.
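The disagreement described above can be reproduced in a few lines. This is an added example, not code from the slides or from the papers they summarise; the clause names, the sample customer IDs and the "marked" variant (where the disclosure reveals that a hidden clause exists, so the requester answers "unknown" instead of "satisfied") are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass(frozen=True)
class Clause:
    name: str
    check: Callable[[dict], bool]   # evaluated against a disclosed credential
    disclosed: bool                 # is this clause shown to the requester?

BAD_CUSTOMERS = {"C-1007"}          # constructed sample data

LOAN_POLICY = [
    Clause("is_customer", lambda c: c.get("type") == "customer_id", True),
    Clause("not_on_bad_list", lambda c: c.get("id") not in BAD_CUSTOMERS, False),
]

def bank_view(policy, cred) -> bool:
    """The policy owner evaluates every clause, hidden or not."""
    return all(cl.check(cred) for cl in policy)

def naive_requester_view(policy, cred) -> bool:
    """The requester sees only disclosed clauses and assumes that is all."""
    return all(cl.check(cred) for cl in policy if cl.disclosed)

def marked_requester_view(policy, cred) -> Optional[bool]:
    """Requester is told hidden clauses exist (only their count is used here).
    Returns False if a visible clause fails, None (unknown) if clauses are hidden."""
    visible = [cl for cl in policy if cl.disclosed]
    if not all(cl.check(cred) for cl in visible):
        return False
    return True if len(visible) == len(policy) else None

def agree(policy, cred, requester_view) -> bool:
    """True unless the requester holds a belief that contradicts the owner."""
    belief = requester_view(policy, cred)
    return belief is None or belief == bank_view(policy, cred)

# Constructed credential: Alice is a customer who is on the bad-customer list.
ALICE = {"type": "customer_id", "id": "C-1007"}

if __name__ == "__main__":
    print("naive view agrees: ", agree(LOAN_POLICY, ALICE, naive_requester_view))
    print("marked view agrees:", agree(LOAN_POLICY, ALICE, marked_requester_view))
```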

10 A resource protection scheme that satisfies the following 3 conditions is desirable:
1. Satisfaction-agreement
- Two parties have the same understanding of the semantics of policies.
- When one party believes that a policy has been satisfied by disclosed credentials, the other party should believe the same.
- Otherwise, a dispute may arise even though the two parties negotiate trust in good faith.

11 2. The resource protection scheme should separate the protection of resource R and access control policy P.
- R's accessibility should depend only on P's satisfaction.
- Whether P is disclosed or not should not affect R's accessibility.

12 3. ALLOW INTEROPERABILITY BETWEEN NEGOTIATION STRATEGIES
- A negotiation strategy suggests the next message that a party should send to the other negotiation participant.
- Two strategies are said to be interoperable if the two parties can establish trust whenever their policies theoretically allow trust to be established.
- The resource protection scheme must allow a variety of negotiation strategies to interoperate correctly with one another.

13 Overview of Trust Negotiation Process
Alice wants to access one of Bob's resources.
- Alice sends a request for Bob's resource R.
- Bob calls his negotiation strategy, then sends Alice the disclosure message it outputs.
- Alice receives the message, calls her strategy, and sends Bob the message suggested by her strategy.
- This process continues until:
  - Alice finally satisfies R's policies and gains access to R,
  - or one party sends an empty message to terminate the negotiation.

14 Negotiation Strategies for UniPro (2)
- In negotiation strategies for UniPro, there is a tradeoff between privacy and access (establishing trust).
- UniPro allows some of the credentials to be hidden from a requester.
- Trust establishment may fail because the requester cannot see the contents of a policy, even though he may have the right credentials that will satisfy that policy.

15 Two strategies that work with UniPro policies:
- Unified Eager Strategy
  - Sends all safe disclosures to the other party.
  - Does not consider what disclosures are useful for establishing trust.
  - Strong interoperability can be achieved. (Tends to establish trust more than preserve privacy.)
- Unified Relevant Strategy
  - Identifies disclosures that are relevant to the current negotiation.
  - Does not try to satisfy undisclosed policies. (Protocol may fail.)
  - Only weak interoperability can be achieved. (Tends to preserve privacy more than establish trust.)
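The message loop from slide 13 driven by an eager strategy, as an added example (not code from the slides or from UniPro). It is simplified to credentials and the resource R: policies are not themselves disclosed as resources, and every credential name and policy below is constructed for illustration.

```python
# Policies are lists of alternative credential sets that the other party must
# already have disclosed; [set()] means "freely disclosable".

def eager_message(own, received, already_sent):
    """One eager step: every unsent item whose policy is satisfied by what
    the other party has disclosed so far (that is, every safe disclosure)."""
    return {name for name, policy in own.items()
            if name not in already_sent
            and any(alt <= received for alt in policy)}

def negotiate(alice, bob, resource):
    """Alternate eager messages, Bob first (he answers Alice's request), until
    Bob releases `resource` or a party sends an empty message."""
    parties = {"alice": alice, "bob": bob}
    sent = {"alice": set(), "bob": set()}
    transcript = []
    turn, other = "bob", "alice"
    while True:
        msg = eager_message(parties[turn], sent[other], sent[turn])
        transcript.append((turn, sorted(msg)))
        if not msg:
            return False, transcript          # empty message ends the negotiation
        sent[turn] |= msg
        if resource in sent["bob"]:
            return True, transcript           # Alice satisfied R's policy
        turn, other = other, turn

# Constructed sample policies (all names hypothetical).
BOB = {
    "business_license": [set()],
    "R": [{"credit_card", "student_id"}],
}
ALICE = {
    "student_id": [set()],
    "library_card": [set()],                  # irrelevant to R, still sent by eager
    "credit_card": [{"business_license"}],
}
# Same Alice, but her credit card now needs a credential Bob does not hold.
ALICE_STUCK = dict(ALICE, credit_card=[{"bank_certificate"}])

if __name__ == "__main__":
    for who in (ALICE, ALICE_STUCK):
        ok, steps = negotiate(who, BOB, "R")
        print("trust established" if ok else "negotiation failed", steps)
```

In the successful run Alice's message also carries `library_card`, which R's policy never asks for: the eager strategy sends every safe disclosure whether or not it is useful.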

16 Adaptive Trust Negotiation and Access Control
Framework based on two well-established systems:
- GAA-API (Generic Authorization and Access control API): for adaptive access control and system security
- TrustBuilder: determines how sensitive information is disclosed to other parties

17 GAA-API
- Middleware API
- Fine-grained access control
- Application-level intrusion detection and response
- Can interact with intrusion detection systems (IDS) to adapt to network threat conditions

18 TrustBuilder
- Vulnerable to DoS attacks:
  - A large number of trust negotiation sessions sent to the server
  - Having the server evaluate a very complex policy
  - Having the server evaluate invalid or irrelevant credentials
- Negotiating with the intent of collecting or inferring sensitive information instead of establishing trust to proceed with a transaction

19 ATNAC
- Combines GAA-API and the TN system to avoid these problems.
- Supports fine-grained adaptive policies.
- Jointly calculates the system suspicion levels based on feedback from access control and trust negotiation.
- Associates less restrictive policies with lower suspicion levels.

21 Suspicion Level
- Indicates how likely the requester is acting improperly.
- A separate SL is maintained for each requester of a service.
- Has three components:
  - S_DoS: indicates the probability of a DoS attack from the requester
  - S_IL: for sensitive information leakage attempts
  - S_O: indicates other suspicious behavior
- SL is increased by the Analyzer as suspicious events occur and decreased as "positive" events occur.

22 SUSPICION LEVEL (2)
- The Analyzer increases S_DoS when the requester sends an abnormally large number of credentials.
- In a trust negotiation process, credentials sent by the client must match the credentials requested by the system; otherwise S_DoS is set to 1.
- If either S_DoS, S_IL or S_O > 0.9, the system will block the requester at the firewall.
- If S_IL > threshold, TrustBuilder will impose stricter sensitive credential release policies.
- As S_IL increases, GAA-API uses tighter access control policies.
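The suspicion-level rules from slides 21 and 22 as a per-requester tracker. This is an added example, not ATNAC, GAA-API or TrustBuilder code: the class and method names are hypothetical, and the step size, the S_IL threshold and the "abnormally large" cutoff are assumed values; only the 0.9 blocking limit and the "set to 1 on mismatch" rule come from the slides.

```python
from dataclasses import dataclass

BLOCK_AT = 0.9       # from the slides: a component above 0.9 blocks the requester
IL_THRESHOLD = 0.5   # assumed; the slides only say "threshold"
MAX_CREDS = 20       # assumed cutoff for an "abnormally large" credential count
STEP = 0.25          # assumed size of each increase/decrease

@dataclass
class Suspicion:
    s_dos: float = 0.0   # denial-of-service attempts
    s_il: float = 0.0    # sensitive information leakage attempts
    s_o: float = 0.0     # other suspicious behaviour

class Analyzer:
    def __init__(self):
        self.levels = {}                 # requester -> Suspicion (one SL each)

    def _sl(self, requester):
        return self.levels.setdefault(requester, Suspicion())

    def on_event(self, requester, component, suspicious):
        """Raise a component on a suspicious event, lower it on a positive one."""
        sl = self._sl(requester)
        delta = STEP if suspicious else -STEP
        setattr(sl, component, min(1.0, max(0.0, getattr(sl, component) + delta)))
        return self.decision(requester)

    def on_credentials(self, requester, requested, sent):
        """Apply the two S_DoS rules from the slides to one credential message."""
        if not set(sent) <= set(requested):
            self._sl(requester).s_dos = 1.0      # mismatch: S_DoS is set to 1
            return self.decision(requester)
        return self.on_event(requester, "s_dos", len(sent) > MAX_CREDS)

    def decision(self, requester):
        sl = self._sl(requester)
        if max(sl.s_dos, sl.s_il, sl.s_o) > BLOCK_AT:
            return "block"     # block the requester at the firewall
        if sl.s_il > IL_THRESHOLD:
            return "strict"    # stricter release and access control policies
        return "normal"
```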

23 Conclusions
- Takes care of DoS attacks.
- Can dynamically change the security policies based on the suspicion levels and system threat level.
- There is no need for the two parties to hide any credentials.
- Guards against sensitive information leaks.

24 THANK YOU

