An Introduction to Decentralized Trust Management

1
An Introduction to Decentralized Trust
Management

• Sandro Etalle
• University of Twente
• thanks to
• William H. Winsborough University of Texas S.
  Antonio.
• The DTM team of the UT (Ha, Marcin, Jeroen Jerry)

2
Overview

• Reputation-based trust management
• Rule-based trust management
• Problems Challenges (rule-based systems)
• scalability chain discovery
• trust negotiation
• integrity constraints
• Conclusions

3
Reputation-based TM concrete

• community of cooks (200 people)
• need to interact with someone you dont know,
• to extablish trust
• you ask your friends
• and friends of friends
• ...
• some recommendations are better than other
• you check the record (if any)
• after success trust increases

reputation-based TM rule-based TM problems
challenges - conclusions
4
Reputation-based TM virtual

• p2p community of hackers (2000 people)
• exchange programs scripts
• need to interact with someone you dont know,
• ...
• difference with concrete community
• larger, faster
• trust establishment has to be to some extent
  automatic

reputation-based TM rule-based TM problems
challenges - conclusions
5
for instance
reputation-based TM rule-based TM problems
challenges - conclusions
6
challenges

• trust metrics
• how to model and compute trust
• evaluating initial trust value
• combining evidences, recommendations, reputation
• management of reputation data
• secure efficient retrieval of reputation data
• automating trust based decision
• closing the circle using experience as feedback

reputation-based TM rule-based TM problems
challenges - conclusions
7
Reputation-based TM salient features

• open system (different security domains)
• trust is a measure changes in time
• risk-based
• recommendation based (NOT identity-based)
• peers are not continuously available
• Some systems
• PGP,
• EigenTrust Algorithm (Stanford)

reputation-based TM rule-based TM problems
challenges - conclusions
8
rule-based TM concrete example
reputation-based TM rule-based TM problems
challenges - conclusions
9
rule-based tm, virtual

• scalability

reputation-based TM rule-based TM problems
challenges - conclusions
10
RT a language for rule-based tm

• family of languages Li, Mitchell, Winsborough
• four types of credentials
• EPub.discount ? Alice
• EPub.discount ? UTwente.student
• EPub.discount ? FAB.accredited.student
• EPub.discount ? UTwente.student ? UTwente.student

principal role name principal.rolename Role
trusting principal
trusted principal (somewhere else delegation)
attribute-based delegation
reputation-based TM rule-based TM problems
challenges - conclusions
11
some language requirements

• Bertino
• Monotonicity
• Constraints (omitted)
• Credential combination
• Sensitive Policies

reputation-based TM rule-based TM problems
challenges - conclusions
12
Reputation vs rule based TM

• open system (different security domains)
• trust is a measure changes in time
• risk-based
• recommendation based (NOT identity-based)
• peers are not continuously available
• Some systems PGP TBD

• open system (different security domains)
• trust is boolean less time-dependent
• no risk
• rule (credential) based (NOT identity-based)
• peers are not continuously available
• Some systems keynote, Trust-X

reputation-based TM rule-based TM problems
challenges - conclusions
13
Problem 1 scalability

• attribute-based delegation
• accepting student ID from any university
• EPub.discount ? FAB.accred.student
• FAB.accredited ? UnivTwente
• UnivTwente.student ? Alice
• Credential chain proves authorization.
• Scalability problem

reputation-based TM rule-based TM problems
challenges - conclusions
14
Problem 2 trust negotiations

• credentials can be confidential
• credential disclosure is a matter of... trust
• three strategies Seamons
• Naive
• Reasonable
• Informed
• additional problem what do you do with the info
  in a credential after it has been disclosed

reputation-based TM rule-based TM problems
challenges - conclusions
15
Problem 3 control

• Policies change in time P ? P1 ? ... ? Pn
• A principal controls only a portion of the policy
• Delegating trust implies an understanding between
  principals,
• Trusted principals need assistance
• Who could get access to what? (Safety)
• Who could be denied? (Availability)
• No-one should ever be both a buyer and an
  accountant
• Mutual Exclusion

reputation-based TM rule-based TM problems
challenges - conclusions
16
Conclusions

• Context
• 2 or more parties in an open system.
• parties are not in the same security domain.
• Goal
• establish trust between parties to exchange
  information and services (access control)
• Constraint
• access control decision is made
• NOT according to the party identity
• BUT according to the credentials it has

reputation-based TM rule-based TM problems
challenges - conclusions
17
Open problems

• Analysis
• safety analysis
• we are now working with Spin in RT0, for RTC
  (with constraints) nothing is available
• of negotiations protocols w.r.t. the TM goals.
• Integration with other systems
• e.g.
• privacy protection
• location-dependent policies
• ambient calculi?
• DRM

• Semantics
• is not correct when considering
• chain discovery
• negotiations
• is not modular
• certainly possible to improve this using previous
  work on omega-semantics.
• Types

18
Integrity Constraints General Form

• General L.l ? R.r
• Formally, L.l ? R.r holds in P (P ? L.l ? R.r)
  iff L.lP ? R.rP
• sets and intersections are allowed
• Special cases
• Membership A.r ? D1, , Dn
• Boundedness D1, , Dn ? A.r
• expressiveness is limited (it is a universal
  formula) but we can express all safety properties
  of LWM03
• counterexample at least a manager should have
  access to the DB

19
Examples

• buyers and accountants should be disjoint
• ? ? A.buyer ? A.accountant
• every employee should have access to the WLAN
  network
• WLAN.access ? UT.employee
• welders of BOVAG-accredited workshops should be
  fellows of the British Institute of Welding
• Bovag.welder ? Bovag.accr.welder
• Bovag.accr ? PietersWorkshop
• PietersWorkshop.welder ? Pieter
• BIW.fellow ? Bovag.welder