
Supporting structured credentials and sensitive policies through interoperable strategies for automated trust negotiation

Published: 01 February 2003

Abstract

Business and military partners, companies and their customers, and other closely cooperating parties may have a compelling need to conduct sensitive interactions on line, such as accessing each other's local services and other local resources. Automated trust negotiation is an approach to establishing trust between parties so that such interactions can take place, through the use of access control policies that specify what combinations of digital credentials a stranger must disclose to gain access to a local resource. A party can use many different strategies to negotiate trust, offering tradeoffs between the length of the negotiation, the amount of extraneous information disclosed, and the computational effort expended. To preserve parties' autonomy, each party should ideally be able to choose its negotiation strategy independently, while still being guaranteed that negotiations will succeed whenever possible---that the two parties' strategies will interoperate. In this paper we provide the formal underpinnings for that goal, by formalizing the concepts of negotiation protocols, strategies, and interoperation. We show how to model the information flow of a negotiation for use in analyzing strategy interoperation. We also present two large sets of strategies whose members all interoperate with one another, and show that these sets contain many practical strategies. We develop the theory for black-box propositional credentials as well as credentials with internal structure, and for access control policies whose contents are (respectively are not) sensitive. We also discuss how these results fit into TrustBuilder, our prototype system for trust negotiation.
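As an added illustration of the negotiation model the abstract describes (this is not code from the paper or from TrustBuilder): two parties hold propositional, black-box credentials, each guarded by a release policy in disjunctive normal form, and both run the same simple strategy of disclosing every credential whose policy the counterpart has already satisfied. The party names, credential names and policies are constructed; the second scenario shows a circular dependency, where no strategy can succeed and the negotiation stalls rather than looping.

```python
from dataclasses import dataclass, field

# A release policy in disjunctive normal form: the counterpart must already have
# disclosed every credential in at least one alternative. An empty alternative
# means the item is unprotected. Credentials are propositional (black-box) here.
Policy = list[frozenset[str]]


def satisfied(policy: Policy, disclosed: set[str]) -> bool:
    """True if some alternative of the policy is covered by the counterpart's disclosures."""
    return any(alt <= disclosed for alt in policy)


@dataclass
class Party:
    name: str
    creds: dict[str, Policy]                          # own credential -> its release policy
    received: set[str] = field(default_factory=set)   # credentials the counterpart disclosed
    sent: set[str] = field(default_factory=set)       # credentials this party disclosed

    def eager_step(self) -> set[str]:
        """Eager strategy: release every unsent credential whose policy is now satisfied."""
        new = {c for c, pol in self.creds.items()
               if c not in self.sent and satisfied(pol, self.received)}
        self.sent |= new
        return new


def negotiate(client: Party, server: Party, resource_policy: Policy, max_rounds: int = 20):
    """Alternate disclosures until the resource policy is met; returns (ok, rounds, #sent each)."""
    for rnd in range(1, max_rounds + 1):
        progress = False
        for sender, receiver in ((client, server), (server, client)):
            new = sender.eager_step()
            receiver.received |= new
            progress = progress or bool(new)
        if satisfied(resource_policy, server.received):
            return True, rnd, len(client.sent), len(server.sent)
        if not progress:          # stalled: nothing more can ever be unlocked
            return False, rnd, len(client.sent), len(server.sent)
    return False, max_rounds, len(client.sent), len(server.sent)


def run_examples():
    """Constructed scenarios: one that succeeds, one with a circular dependency that cannot."""
    alice = Party("Alice", {"employee_id": [frozenset({"business_license"})],
                            "credit_card": [frozenset({"bbb_member"})]})
    bob = Party("Bob", {"business_license": [frozenset()],              # unprotected
                        "bbb_member": [frozenset({"employee_id"})]})
    ok = negotiate(alice, bob, [frozenset({"employee_id", "credit_card"})])
    carol = Party("Carol", {"employee_id": [frozenset({"bbb_member"})]})
    dave = Party("Dave", {"bbb_member": [frozenset({"employee_id"})]})
    stuck = negotiate(carol, dave, [frozenset({"employee_id"})])
    return ok, stuck
```

In the successful run the counts show the tradeoff the abstract mentions: the eager strategy finishes in three rounds, but Bob releases a credential the resource policy never needed.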



Reviews

Caroline Merriam Eastman

Most interactions on the Internet require at least a minimal level of trust. If you buy something, you want to receive it. If you sell something, you want to get paid for it. If you give out information, you want the release of that information to be authorized. If you get information, you want it to be correct. This paper describes an approach to handling this trust problem that uses the exchange of digital certificates as part of a process of automated trust negotiation. Negotiation is needed to make sure that digital credentials, like conventional paper credentials, are revealed only when necessary and appropriate. The research described here is part of the TrustBuilder research project, which involves both theoretical research and experimental implementation. Trust negotiation involves both a protocol that defines the format of messages exchanged, and a strategy for determining the actual content of these messages. If trust is to be negotiated, a procedure for this negotiation in the form of a protocol is necessary. It is extremely unlikely (and probably not even desirable), however, for a standard strategy for trust negotiation to be established, since appropriate strategies may vary with user and context. Nevertheless, it is desirable that the two parties involved not have to first agree on a negotiation protocol before actually doing any negotiation on credentials. If both parties to a negotiation are using compatible interoperable strategies, the negotiation can proceed even if the strategies differ. The focus of this paper is on the identification of families of interoperable strategies for trust negotiation; any two members of such a family use the same protocol, and are guaranteed to be compatible. Two large families of interoperable strategies are identified and analyzed in detail. The simpler disclosure tree strategy (DTS) family assumes propositional credentials; the binding tree strategy (BTS) family allows credentials with internal structure. Examples of realistic strategies within these two families are given. The paper focuses on the theoretical component of the TrustBuilder program, and is thus highly mathematical. It is well written, however, and presents concepts essential for those working in this area.

Online Computing Reviews Service
