An Introduction to
Decentralized Trust Management
Sandro Etalle
University of Twente
thanks to
William H. Winsborough – University of Texas S. Antonio.
The DTM team of the UT (Ha, Marcin, Jeroen Jerry)
Overview
Reputation-based trust management
Rule-based trust management
Problems & Challenges (rule-based systems)
scalability & chain discovery
trust negotiation
integrity constraints
Conclusions
IPA Herfstdagen Security Etalle: Decentralized Trust Management. 2
Reputation-based TM concrete
community of cooks (200 people)
need to interact with someone you don’t know,
to establish trust:
you ask your friends
and friends of friends
...
some recommendations are better than others
you check the record (if any)
after success trust increases
reputation-based TM – rule-based TM – problems & challenges - conclusions
Reputation-based TM virtual
p2p community of hackers (2000 people)
exchange programs & scripts
need to interact with someone you don’t know,
...
difference with concrete community:
larger, faster
trust establishment has to be to some extent automatic
for instance
challenges
trust metrics
how to model and compute trust
evaluating initial trust value
combining evidences, recommendations, reputation
management of reputation data
secure & efficient retrieval of reputation data
automating trust based decision
closing the circle: using experience as feedback
Reputation-based TM: salient features
open system (different security domains)
trust is a measure & changes in time
risk-based
recommendation based (NOT identity-based)
peers are not continuously available
Some systems:
PGP,
EigenTrust Algorithm (Stanford)
rule-based TM: concrete example
rule-based tm, virtual
scalability
RT: a language for rule-based tm
family of languages [Li, Mitchell, Winsborough]
four types of credentials principal
role name
EPub.discount Alice principal.rolename = Role
trusting principal trusted principal (somewhere else: delegation)
EPub.discount UTwente.student
attribute-based delegation
EPub.discount FAB.accredited.student
EPub.discount UTwente.student UTwente.student
some language requirements
[Bertino]
Monotonicity
Constraints (omitted)
Credential combination
Sensitive Policies
Reputation vs rule based TM
Reputation-based TM:
open system (different security domains)
trust is a measure & changes in time
risk-based
recommendation based (NOT identity-based)
peers are not continuously available
Some systems: PGP TBD
Rule-based TM:
open system (different security domains)
trust is boolean & less time-dependent
no risk
rule (credential) based (NOT identity-based)
peers are not continuously available
Some systems: KeyNote, Trust-X
Problem 1: scalability
attribute-based delegation:
accepting student ID from any university
EPub.discount FAB.accred.student
FAB.accredited UnivTwente
UnivTwente.student Alice
Credential chain proves authorization.
Scalability problem
Problem 2: trust negotiations
credentials can be confidential
credential disclosure is a matter of... trust
three strategies [Seamons]
Naive
Reasonable
Informed
additional problem: what do you do with the info in a credential after it has been disclosed
Problem 3: control
Policies change in time: P P1 ... Pn
A principal controls only a portion of the policy
Delegating trust implies an understanding between principals,
Trusted principals need assistance
Who could get access to what? (Safety)
Who could be denied? (Availability)
“No-one should ever be both a buyer and an accountant”
Mutual Exclusion
Conclusions
Context:
2 or more parties in an open system.
parties are not in the same security domain.
Goal
establish trust between parties to exchange information
and services (access control)
Constraint
access control decision is made
NOT according to the party identity
BUT according to the credentials it has
Open problems
Analysis
safety analysis
we are now working with Spin in RT0, for RTC (with constraints) nothing is available
of negotiations protocols w.r.t. the TM goals.
Integration with other systems
e.g.
privacy protection
location-dependent policies
DRM
Semantics
is not correct when considering:
chain discovery
negotiations
is not modular
certainly possible to improve this using previous work on omega-semantics.
Types
ambient calculi?
Integrity Constraints: General Form
General: L.l ⊒ R.r
Formally, L.l ⊒ R.r holds in P (P ⊢ L.l ⊒ R.r) iff [[L.l]]P [[R.r]]P
sets and intersections are allowed
Special cases
Membership: A.r ⊒ { D1, …, Dn }
Boundedness: { D1, …, Dn } ⊒ A.r
expressiveness is limited (it is a universal formula) but we can express all safety properties of [LWM03]
counterexample: at least a manager should have access to the DB
Examples
buyers and accountants should be disjoint
⊒ A.buyer A.accountant
every employee should have access to the WLAN network
WLAN.access ⊒ UT.employee
welders of BOVAG-accredited workshops should be fellows of the British Institute of Welding
Bovag.welder Bovag.accr.welder
Bovag.accr PietersWorkshop
PietersWorkshop.welder Pieter
BIW.fellow ⊒ Bovag.welder
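An added example (not from the slides or from the RT authors' code): a bottom-up evaluation of the credentials shown on the scalability and examples slides, followed by a check of the integrity constraints. The tuple encoding, the function names, the reading of ⊒ as set containment (taken from the Membership and Boundedness cases) and the principal Carol are assumptions of this example.

```python
# Added example; the tuple encoding of credentials is this example's own.
from collections import defaultdict

def members(policy):
    """Least fixpoint: map each role "A.r" to the set of principals in it."""
    sem = defaultdict(set)
    changed = True
    while changed:
        changed = False
        for head, body in policy:
            if body[0] == "member":      # A.r contains principal D
                new = {body[1]}
            elif body[0] == "role":      # A.r contains everyone in B.r1
                new = set(sem[body[1]])
            elif body[0] == "linked":    # A.r contains X.r2 for each X in B.r1
                new = set()
                for p in list(sem[body[1]]):
                    new |= sem[f"{p}.{body[2]}"]
            else:                        # "inter": members of both roles
                new = sem[body[1]] & sem[body[2]]
            if not new <= sem[head]:
                sem[head] |= new
                changed = True
    return sem

def value(sem, side):
    """A side is an explicit set, a role name, or a tuple of roles (intersection)."""
    if isinstance(side, (set, frozenset)):
        return set(side)
    roles = [side] if isinstance(side, str) else side
    return set.intersection(*(set(sem[r]) for r in roles))

def holds(sem, left, right):
    """Constraint 'left contains right' (assumed reading: superset of principals)."""
    return value(sem, left) >= value(sem, right)

# Credentials from the slides; Carol's two entries are constructed test data.
POLICY = [
    ("EPub.discount", ("linked", "FAB.accredited", "student")),
    ("FAB.accredited", ("member", "UnivTwente")),
    ("UnivTwente.student", ("member", "Alice")),
    ("Bovag.welder", ("linked", "Bovag.accr", "welder")),
    ("Bovag.accr", ("member", "PietersWorkshop")),
    ("PietersWorkshop.welder", ("member", "Pieter")),
    ("A.buyer", ("member", "Carol")),
    ("A.accountant", ("member", "Carol")),
]
SEM = members(POLICY)
print(sorted(SEM["EPub.discount"]), holds(SEM, "BIW.fellow", "Bovag.welder"))
print(holds(SEM, set(), ("A.buyer", "A.accountant")))  # mutual exclusion check
```

Both constraints fail on this policy: Pieter is a Bovag welder with no BIW.fellow credential, and Carol holds both the buyer and the accountant role.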