. Using Web Services for Trust-based Security in Different Networks. Today's Agenda. Trust DefinitionTrust TransitivityNotation for TrustTypes of TrustTrust ClassesSocial EngineeringTechnologies for Security. Trust Definition. Trust applies to the truthfulness of specific claims made by partie
1. Trust-based Security
2. Using Web Services for Trust-based Security in Different Networks
3. Today’s Agenda Trust Definition
Notation for Trust
Types of Trust
Technologies for Security
4. Trust Definition Trust applies to the truthfulness of specific claims made by parties who request services.
Trust also applies to the honesty, reputation and reliability of service providers.
Trust must ensure meaningful and mutually beneficial interactions between parties.
5. Trust Definition (contd.) Trust based on experiences or trust in roles.
Trust is the extent to which one party is willing to depend on something or somebody in a given situation with a feeling of relative security, even though negative consequences are possible.
Process of accessing trust becomes part of QoS evaluation, decision making and risk analysis.
6. Trust Definition (contd.) Basic Ingredient of trust are – dependence, risk and uncertainty.
Trust is related to belief in the honesty, reliability, competence, willingness, etc. of the trusted entity, it being a person, organization or system.
Trust is related to the scope of the relationship.
7. Trust Transitivity Trust Transitivity means, for example,
if Alice trusts Bob who trusts Eric then
Alice will also trust Eric
This means that Bob actually tells Alice that he trusts Eric, which is called Recommendation.
8. Trust Transitivity (contd.) But in real life trust is not always transitive, for example,
if Alice trusts Bob to look after her child and Bob trusts Eric for fixing his car does not imply that
Alice will also trust Eric to look after her child or for fixing her car
Trust Transitivity collapse because the scopes of Alice’s and Bob’s Trust are different.
9. Notation for Trust arc [A, B] means that A trusts B
The symbol “:” used to denote the transitive connection of two consecutive arcs to form a transitive trust path
([Alice, Eric]) = ([Alice, Bob] : [Bob, Eric])
10. Types of Trust Previous examples shows that under certain semantic constraints, trust can be transitive.
Referral Trust (RT) can be based on someone’s recommendation while Functional Trust (FT) based on actual trust on someone.
11. Types of Trust (contd.) Peer nodes in Ad Hoc Networks are ‘stranger’ to each other. These nodes need trust before they exchange information.
There are two types of trust: direct trust same as functional trust and recommendation trust same as referral trust.
12. Types of Trust (contd.) Direct trust means that an entity can trust another entity directly using all existing experiences it has about that entity.
Recommendation trust expresses the belief in the capability of an entity to decide whether another entity is reliable in the given trust class and in its honesty when recommending third entities.
13. Algorithmic Techniques for Computing Recommendation in  Content-based suggests user items similar to the ones they liked in the past, by extracting features.
In Collaborative Filtering, the recommender asks users to rate items so that it knows who likes what. The recommender then recommend to the particular user based on the liking of the neighbors. Hybrid will combine the two approaches.
14. Trust Classes Provision Trust – trust in a service or resource provider i.e. relying party seeking protection from unreliable service provider [Business Trust – contract agreement]
Access Trust – access resources under relying party
Delegation Trust – trust in an agent who acts and make decisions on behalf of relying party
15. Trust Classes (contd.) Identity Trust – entity or agent identity [Authentication Trust]
Context Trust – relying party believes that every thing in a system are in place and safety net is there to protect against something went wrong. [System Trust]
Trust relationship based on three attributes – Trustor, Trustee and Trust Scope
16. Trust Classes (contd.) Additional attribute of trust measure can be computed as:
Binary [trusted, not trusted]
Discrete [strong trust, weak trust, strong distrust, weak distrust, etc.]
Continuous like probability, percentage, etc.
Fifth attribute of time component can also be added. Event may change time to time.
17. Social Engineering Political science refers to social engineering as an attempt by government or private groups to change or "engineer" the views and behavior of citizens.
In computer security, social engineering is the practice of obtaining confidential information by manipulation (social skills) of legitimate users.
A social engineer commonly uses the telephone or Internet to trick people into revealing sensitive information or getting them to do something against their policy.
18. Social Engineering (contd.) Social engineers exploit the natural tendency of a person to trust their word, rather than exploiting computer security holes.
"users are the weakest link" in security
Social Engineering is a non-technical kind of intrusion relying heavily on human interaction which often involves tricking other people into breaking normal security procedures, the attacker uses social skills and human interaction to obtain information about an organization or their computer systems.
19. At this point I will close my discussion on TRUST.
Now, I will be discussing about the available Tools, Techniques and Technologies to be considered for SECURITY.
20. Technologies for Security State of the art technology used in e-commerce which encourage trust includes cryptographic security mechanism for providing confidentiality of communication and authentication of identities.
Trusted Public Key refers to the authenticity of a cryptographic key used in a public-key system.
21. Cryptography System Every participant holds a trusted (public) key in the cryptography system.
The process of generating, distributing, and using cryptographic keys are known as Key Management. Still a major and largely unsolved problem for internet users.
PKI have very strict trust requirements. Public Key Authenticity to be certified by Certification Authorities (CAs).
22. Cryptography System (contd.) Certificate consists of CA’s digital signature concatenated with public key and the owner identifier.
In order to verify a certificate, the CA’s public key is needed, again a problem?
So, one must receive the public key of some CA.
CA must be trusted to be honest and users must be trusted to protect their private keys.
23. Cryptography System (contd.) The easiest level of security is Absolute Trust of Public Key for every aspect.
If cryptographic key have varying trust measures then the trust in every cryptographic key must be determined, before the primary trust network of interest can be analyzed.
A principal is recommended to be reliable but the binding between the principal and its private key is broken, results in low trust.
24. PGP PGP is a software tool for cryptographic key management and email security uses discrete trust measures of “ultimate”, “always trusted”, “usually trusted”, “usually not trusted”, and “undefined” for key owner trustworthiness.
While industry totally based on binary measure of trusted and not trusted.
25. Approval Organizations Truste.org – an independent, non-profit organization whose mission is to build users’ trust in eCommerce by promoting the use of fair information practices. When a user sees the Truste logo, they are assured security procedures are in place to protect their information.
Tradesafe.com – a bridge between the buyer and seller that collects and stores financial information about buyer and seller.
Tradesafe.com uses Truste.org to ensure compliance.
26. Approval Organizations (contd.) VeriSign – Third party that processes credit card information using SSL encryption.
RSA Security – Provides software to businesses to securely and reliably engage in e-business. Recently partnered with Cisco to further enhance their products.
27. PeerTrust Language Syntax In  PeerTrust Language is used to specify policies
liti @ Issuer $ Requester.
access(Resource) $ Requester ? client(Requester).
access(Picture) $ Requester ? friend(Requester).
friend(Name) $ Requester ? isMyFriend(Name).
friend(Name) $ Requester ? friend(Name) @ “Alice”.
28. Authentication Process Two main processes were used in Sweden and UK for authentication process of an online user:
Security Box – random system generated passwords at the users’ location
Fixed Password – user owned & constant
Trust concept have four components – the online bank, the login procedure, location and box/system.
29. Digital Profile your digital profile is a cumulative digital proxy of you that is built from a pre-determined set of components. This new kind of identity representation will work same as 'official' identity that we had in pre-digital times. It will say more about you than your current forms of documented identification -- which have relatively thin information.
30. Security Token Service Security token service (STS) helps in mediating trust between companies that would otherwise not be able to ascribe trust to another.
Rather than maintaining pair-wise trust with all potential partners, individual companies instead form a trust relationship with the STS and then rely on the STS to form indirect trust.
31. Security Token Service (contd.) If the client from one organization want to contact the service of second organization then the client would send claims and proof-of-possession information to its local STS and request a security token. Based on this security token the requested service STS will issue a signed security token, because of the security policy and trust relationship between the two organizations established earlier.
32. Conclusion I define Trust, Types of Trust and Trust Classes, which give you an idea about what we meant to have in trust-based environment.
I also discussed about the available and futuristic tools and techniques which deals with security.
When we have a merger of these two we come up with trust-based security.
33. References  “Simplification and Analysis of Transitive Trust Networks”, by Audun Jøsang, Elizabeth Gray, Michael Kinateder, Web Intelligence and Agent Systems, Australia, 2006, http://citeseer.ist.psu.edu/746240.html
 “Trust Network Analysis with Subjective Logic”, by Audun Jøsang, Ross Hayward, Simon Pope, 29th Australian Computer Science Conference (ACSC2006), Tasmania, Australia, Australian Computer Society, January 2006, http://citeseer.ist.psu.edu/744155.html
34. References (contd.)  “Trust Model Based Self-Organized Routing Protocol for Secure Ad-hoc Networks”, by Xiaoqi Li, PhD Term Paper, The Chinese University of Hong Kong, April 2003, http://citeseer.ist.psu.edu/628444.html
 “Trust Networks in a Web Services World”, by Paul Madsen, May 26, 2004, http://webservices.xml.com/pub/a/ ws/2004/05/26/trust.html
35. References (contd.)  “A Distributed Tabling Algorithm for Rule based Policy System”, by Miguel Alves, Carlos Viegas Damasio, Wolfgang Nejdl, Daniel Olmedilla, 2006,
 “Social Engineering – the weakest link”, http://www.windowsecurity.com/ whitepapers/Social-Engineering-The-Weakest-Link.html
36. References (contd.)  “Building Security and Trust in Online Banking”, by Maria Nilsson, Anne Adams, Simon Herd, CHI 2005, April 2-7, 2005, Portland, Oregon, USA, ACM 1-59593-002-7/05/0004
 “Trust-aware Decentralized Recommender Systems : PhD Research Proposal”, Paolo Massa, University of Trento, Italy, May 29, 2003
37. Thanks for Listening Special Thanks to
Dr. Zubair A. Shaikh