
Privacy preserving Trust Negotiations






Presentation Transcript


  1. Privacy preserving Trust Negotiations Elisa Bertino, Anna Cinzia Squicciarini 5th CACR, October 28-29, 2004, Toronto

  2. Outline • Overview of the Trust Negotiation model • Trust-X • Privacy issues • Privacy solutions in Trust-X • Credential format • Policy context • System architecture • Conclusion and future work

  3. Trust Negotiation model • The goal: establish trust between parties in order to exchange sensitive information and services • The approach: establish trust by verifying properties (credentials) of the other party. • Protect sensitive credentials and services with ad hoc policies, namely disclosure policies.

  4. The Trust-X system • Comprehensive XML based framework for trust negotiations • Trust negotiation language • System architecture • Protocol and strategies to carry on a negotiation • A Trust-X negotiation consists of a set of phases to be sequentially executed. • The key phase is the policy evaluation phase, which consists of a bilateral and ordered policy exchange.

  5. The basic Trust-X system (architecture figure). Both the Client and the Server run the same components: Policy Database, X-Profile, Compliance Checker, Tree Manager.

  6. A Trust-X negotiation (figure: message flow between Client and Server).

  7. Message exchange in a Trust-X negotiation (Alice and Bob) • Phases: INTRODUCTORY PHASE (preliminary information exchange); POLICY EXCHANGE (bilateral disclosure of policies); CREDENTIAL DISCLOSURE (actual credential disclosure); RESOURCE DISCLOSURE. • Messages, in order (Alice requests the service, Bob grants it): Service request; Request; Disclosure policies; Prerequisite acknowledge; Disclosure policies; Credential and/or Declaration; Match disclosure policies; Credential and/or Declaration; Service granted.

  8. Privacy issues in trust negotiations • Trust negotiation neither controls nor safeguards personal information once it has been disclosed. • During the policy evaluation phase, privacy can be compromised, since there are no guarantees about the counterpart's honesty until the actual disclosure of the credentials. • Sensitive information can be inferred from a response to a request to access a resource.

  9. Sensitive attributes in digital credentials • Policy disclosure can be used to determine the value of sensitive attributes without the credential ever being disclosed. • A credential may contain several sensitive attributes, and very often just a subset of them is required to satisfy a counterpart policy. • However, when a credential is exchanged, the receiver nevertheless obtains all the information contained in the credential.

  10. How we preserve privacy in Trust-X • Support of a new credential format, which may provide a high degree of privacy protection: • Selective disclosure of attributes • Gradual disclosure of the credential content • Extension of the policy notion, with additional information to express privacy preferences and the possibility of negotiating privacy rules. • Integration of Trust-X with the P3P platform. • The P3P platform is used for stating how the personal information collected through credential disclosure during online transactions will be managed by the receiver.

  11. Privacy enhanced credential (1) • Credential header: Set of information that is crucial for proving that the credential, besides its specific content, is a signed and valid digital document issued by a trusted authority. • CREDID: unique credential identifier • CREDTYPE: type of the credential • EXPIRATION: expiration date • ISSUEREP: credential issuer repository • Credential content • List collecting attribute specifications

  12. Privacy enhanced credentials (2) (figure). Credential header in clear; credential content: attribute names, values, random numbers; signature computed over the whole credential. CREDENTIAL HEADER IS USED AS A CREDENTIAL PROOF: a particular state of a privacy enhanced credential, where the header is plain and the content is hidden, while the signature over the whole document can still be verified.

  13. Disclosing attribute credentials • Gradual disclosure of credential content • Header disclosed during policy evaluation phase as soon as the credential is required • Attributes revealed during credential exchange phase • Attributes required during policy evaluation phase as soon as they are involved in the process

  14. Using privacy enhanced credentials • Alice is a patient of the Health Clinic and wants to buy drugs from an online pharmacy, which sells this kind of drugs only on prescription of Health Clinic doctors. • Alice is willing to disclose the requested credentials only if the pharmacy presents a credential proving its affiliation with the hospital: Patient_Card() ← Health_Clin_Aff(). • Pharmacy affiliation is disclosed only to patients of the clinic: Health_Clin_Aff() ← Patient_Card(). • Health_Clin_Aff() ← Patient_Card() ← Health_Clin_Aff(): deadlock. Avoided by using privacy enhanced credentials: during the policy evaluation phase the parties can prove to each other possession of the credentials without revealing credential content until all the requested credential proofs have been received.
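The credential proof of slide 12 and the deadlock of slide 14, as an added worked example; this is not code from the original slides or from Trust-X. It assumes a commitment construction in which each attribute is hidden as a hash over its name, value and a random number (consistent with the figure labels on slide 12), and it stands in an HMAC for the issuer's digital signature, which a real verifier would check with the issuer's public key. The Health Clinic key, credential identifiers, attribute names and URLs are all constructed for the example.

```python
"""Privacy-enhanced credential: header in clear, content hidden, signature over both.

Added example, not Trust-X code. Assumptions: each attribute is hidden as a
hash of (name, value, random number), and the issuer signature is an HMAC
stand-in for a real public-key signature that a verifier would check with the
issuer's public key.
"""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field

CLINIC_KEY = b"constructed demo key for the Health Clinic issuer"  # stand-in signing key


def commit(name: str, value: str, nonce: bytes) -> str:
    """Hide one attribute. The random number stops a receiver from recovering a
    low-entropy value (a birth date, a yes/no flag) by guessing and hashing."""
    return hashlib.sha256(b"\0".join([name.encode(), value.encode(), nonce])).hexdigest()


@dataclass
class Credential:
    header: dict      # CREDID, CREDTYPE, EXPIRATION, ISSUEREP: always in clear
    content: dict     # attribute name -> commitment (the hidden content)
    signature: str    # issuer signature over header and content
    witness: dict = field(default_factory=dict)  # name -> (value, nonce); holder only


def _to_sign(header: dict, content: dict) -> bytes:
    return json.dumps({"header": header, "content": content}, sort_keys=True).encode()


def issue(issuer_key: bytes, header: dict, attributes: dict) -> Credential:
    witness = {n: (v, secrets.token_bytes(16)) for n, v in attributes.items()}
    content = {n: commit(n, v, r) for n, (v, r) in witness.items()}
    sig = hmac.new(issuer_key, _to_sign(header, content), "sha256").hexdigest()
    return Credential(header, content, sig, witness)


def proof(cred: Credential) -> Credential:
    """Credential proof, sent during policy evaluation: no witness, so the
    receiver learns the header and that the signature verifies, nothing else."""
    return Credential(cred.header, cred.content, cred.signature)


def verify_proof(issuer_key: bytes, p: Credential) -> bool:
    expected = hmac.new(issuer_key, _to_sign(p.header, p.content), "sha256").hexdigest()
    return hmac.compare_digest(expected, p.signature)


def reveal(cred: Credential, names) -> dict:
    """Selective disclosure: only the requested attributes, each with its nonce."""
    return {n: (cred.witness[n][0], cred.witness[n][1].hex()) for n in names}


def verify_revealed(p: Credential, revealed: dict) -> bool:
    """Each opened attribute must match the commitment the signature covers."""
    return all(n in p.content and commit(n, v, bytes.fromhex(r)) == p.content[n]
               for n, (v, r) in revealed.items())


def negotiate(alice: Credential, pharmacy: Credential, issuer_key: bytes) -> dict:
    """Patient_Card() <- Health_Clin_Aff() on Alice's side and Health_Clin_Aff() <-
    Patient_Card() on the pharmacy's side deadlock if content must be shown first.
    Proofs are exchanged during policy evaluation, attributes only afterwards."""
    pa, pp = proof(alice), proof(pharmacy)
    if not (verify_proof(issuer_key, pa) and pa.header["CREDTYPE"] == "Patient_Card"):
        return {"granted": False, "reason": "Patient_Card proof rejected"}
    if not (verify_proof(issuer_key, pp) and pp.header["CREDTYPE"] == "Health_Clin_Aff"):
        return {"granted": False, "reason": "Health_Clin_Aff proof rejected"}
    # Credential exchange phase: each side opens only what the other's policy needs.
    from_alice = reveal(alice, ["patient_id"])      # name and birth_date stay hidden
    from_pharmacy = reveal(pharmacy, ["clinic"])
    ok = verify_revealed(pa, from_alice) and verify_revealed(pp, from_pharmacy)
    return {"granted": ok, "alice_revealed": sorted(from_alice),
            "pharmacy_revealed": sorted(from_pharmacy)}


def demo() -> dict:
    """Constructed credentials for the clinic / pharmacy scenario."""
    alice = issue(CLINIC_KEY,
                  {"CREDID": "c-1001", "CREDTYPE": "Patient_Card",
                   "EXPIRATION": "2005-12-31", "ISSUEREP": "https://clinic.example/creds"},
                  {"patient_id": "P-77", "name": "Alice", "birth_date": "1970-01-01"})
    pharmacy = issue(CLINIC_KEY,
                     {"CREDID": "c-2002", "CREDTYPE": "Health_Clin_Aff",
                      "EXPIRATION": "2005-12-31", "ISSUEREP": "https://clinic.example/creds"},
                     {"clinic": "Health Clinic", "pharmacy_id": "PH-9"})
    return negotiate(alice, pharmacy, CLINIC_KEY)


if __name__ == "__main__":
    print(demo())
```

The point of the random number in each commitment is the slide 9 inference attack: without it, a receiver holding only the proof could hash candidate values for a low-entropy attribute and learn it without any disclosure. Any forged header (for example a changed CREDTYPE) breaks the signature, and any opened value that does not match its commitment is rejected.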

  15. Modeling negotiation: logic formalism • Disclosure policies are expressed in terms of logical expressions which can specify either simple or composite conditions against certificates. • A policy is expressed as R ← P1(c), P2(c), where R is the resource which the policy refers to and the terms P(C) on the right-hand side are the requested certificates: P() is the credential type and C is a set of conditions.

  16. The notion of context in disclosure policies • This specification is not expressive enough to capture other crucial information that may be associated with a policy: • How about policy prerequisites? • How about the privacy policies for the requested credentials?

  17. Policy context • The goal is to integrate the basic rule defining a policy with a structured set of information to be used during the trust negotiation process: <pol_prec_set, priv>. • pol_prec_set: set of policy identifiers such that at least one of the policies needs to be satisfied before the disclosure of the policy with which the precondition set is associated. • priv: denotes a P3P privacy policy. The task of privacy policies is to complement disclosure policies, specifying whether the information conveyed by the credentials will be collected and/or used.
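The logic formalism of slide 15 and the policy context of slide 17, as an added worked example that is not Trust-X code: a small compliance checker that parses policies of the form R ← P1(c), P2(c), evaluates each term against the counterpart's credentials, and withholds any policy whose pol_prec_set contains no policy satisfied so far, so the exchange is ordered as the context demands. The textual policy syntax ("<-", comma-separated conditions, comparison operators), the DrugStore rule base and the credential attribute names are assumptions of the example.

```python
"""Disclosure policies R <- P1(c), P2(c) evaluated with a policy context <pol_prec_set, priv>.

Added example, not Trust-X code. The textual policy syntax, the condition
operators, the credential and attribute names and the rule base are
assumptions for this example.
"""
import operator
import re
from dataclasses import dataclass
from typing import Optional

OPS = {"==": operator.eq, "!=": operator.ne, ">=": operator.ge,
       "<=": operator.le, ">": operator.gt, "<": operator.lt}
_TERM = re.compile(r"(\w+)\((.*?)\)")                      # Type(cond, cond, ...)
_COND = re.compile(r"(\w+)\s*(==|!=|>=|<=|>|<)\s*(\S+)")   # attr op value


@dataclass
class Policy:
    pid: str
    resource: str            # R: what the policy protects
    terms: list              # [(credential type, [(attr, op, value), ...]), ...]
    pol_prec_set: frozenset  # at least one of these must be satisfied first
    priv: Optional[str]      # identifier of the attached P3P policy, if any


def parse_policy(pid: str, text: str, pol_prec_set=(), priv=None) -> Policy:
    """Parse e.g. 'Drug <- Patient_Card(clinic == HealthClinic), Prescription(refills > 0)'."""
    lhs, rhs = (s.strip() for s in text.split("<-", 1))
    terms = []
    for ctype, conds in _TERM.findall(rhs):
        parsed = []
        for c in filter(None, (c.strip() for c in conds.split(","))):
            m = _COND.fullmatch(c)
            if not m:
                raise ValueError(f"bad condition: {c!r}")
            parsed.append((m[1], m[2], m[3]))
        terms.append((ctype, parsed))
    return Policy(pid, lhs, terms, frozenset(pol_prec_set), priv)


def _coerce(v):
    try:
        return float(v)
    except (TypeError, ValueError):
        return str(v)


def term_satisfied(ctype: str, conds: list, creds: list) -> bool:
    """Some credential of type ctype meets every condition of the term."""
    for c in creds:
        if c.get("type") != ctype:
            continue
        try:
            if all(a in c and OPS[op](_coerce(c[a]), _coerce(v)) for a, op, v in conds):
                return True
        except TypeError:        # e.g. 'abc' >= 10: the condition simply fails
            continue
    return False


def satisfied(p: Policy, creds: list) -> bool:
    return all(term_satisfied(t, cs, creds) for t, cs in p.terms)


def disclosable(p: Policy, satisfied_ids: set) -> bool:
    """Context check: a policy with preconditions is sent to the counterpart only
    after at least one policy in its pol_prec_set has been satisfied."""
    return not p.pol_prec_set or bool(p.pol_prec_set & satisfied_ids)


def evaluate(policies: list, counterpart_creds: list, resource: str) -> dict:
    """Ordered policy exchange: disclose what is disclosable, record what the
    counterpart's credentials satisfy, repeat until nothing changes."""
    pending, disclosed, satisfied_ids = list(policies), [], set()
    progress = True
    while progress:
        progress = False
        for p in list(pending):
            if disclosable(p, satisfied_ids):
                pending.remove(p)
                disclosed.append(p.pid)
                progress = True
                if satisfied(p, counterpart_creds):
                    satisfied_ids.add(p.pid)
    protecting = [p for p in policies if p.resource == resource]
    granted = bool(protecting) and all(p.pid in satisfied_ids for p in protecting)
    return {"granted": granted, "disclosed": disclosed,
            "satisfied": sorted(satisfied_ids), "withheld": [p.pid for p in pending]}


def demo() -> dict:
    # Constructed DrugStore rule base: p2 is disclosed only once p1 is satisfied
    # and carries the P3P policy that governs the data it asks for.
    policies = [
        parse_policy("p1", "Drug <- Patient_Card(clinic == HealthClinic)"),
        parse_policy("p2", "Drug <- Prescription(drug == X, refills > 0)",
                     pol_prec_set={"p1"}, priv="P3P_DrugStore"),
        parse_policy("p3", "Discount <- Loyalty_Card(points >= 100)", pol_prec_set={"p2"}),
    ]
    alice = [{"type": "Patient_Card", "clinic": "HealthClinic", "patient_id": "P-77"},
             {"type": "Prescription", "drug": "X", "refills": "2"}]
    return evaluate(policies, alice, "Drug")
```

Withholding a policy until its precondition is met is what limits the slide 8 leak: a counterpart that cannot satisfy p1 never sees p2, and so never learns which prescription attributes the store cares about.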

  18. Privacy policies in Trust-X negotiations • Introductory phase: send a request for a resource/service; introductory policy exchanges. • Privacy agreement subphase (when needed): exchange of specific privacy policies. • Policy evaluation phase: disclosure policy exchange and evaluation of the exchanged policies. • Certificate exchange phase: exchange of the sequence of certificates determined in the policy evaluation phase.

  19. A privacy enabled Trust-X negotiation (Alice and DrugStore) • INTRODUCTORY PHASE: Alice sends the drug request (request R); introductory policies are exchanged; the DrugStore sends a P3P proposal, which Alice acknowledges. • PRIVACY AGREEMENT SUBPHASE (1): P3P prior agreement request and ack; the DrugStore sends P3P_DrugStore; Alice matches P3P_DrugStore with her local privacy preferences (1a); Alice sends her own P3P; P3P acceptance and P3P acknowledge. • POLICY EVALUATION PHASE (2): disclosure policy exchange, each policy within its associated P3P, e.g. R ← A(C1,C2), P3P_A, D(C3), P3P_D; R ← E(C4, P3P_E); A ← B(C5, P3P_B). Each party matches the disclosure policy and checks compliance of the attached P3P policy. • CERTIFICATE EXCHANGE PHASE (3): certificate exchange in both directions. • RESOURCE DISCLOSURE (4): credential sent; DRUG delivered.

  20. Strategies in Trust-X • In order to define a framework that is as adaptable and flexible as possible we do not define a unique mode to carry on the negotiation. • Our framework supports a variety of strategies, that can be used for carrying on a negotiation. • We have devised five general purpose strategies that reflect five different approaches to a negotiation.

  21. Trust-X privacy preserving strategies • Standard: the traditional way of carrying on a negotiation, based on an informed strategy. • Suspicious: the credential proof is always requested during the policy evaluation phase for each of the involved credentials. • Strongly Suspicious: a specific case of the suspicious strategy; parties require attribute disclosure as soon as the corresponding policies are satisfied. • Trusting: the goal of this strategy is to speed up the process whenever possible. This can be done using credential suggestions, stored in a special field of the policy context. • Mixed Strategy: characterized by the possibility of dynamically switching among the above strategies.

  22. Privacy enabled Trust-X architecture

  23. Creating a P3P policy in Trust-X • Credential content can be analyzed under two different perspectives: 1. If the information to be collected is a set of properties, the policy can be specified as a conventional P3P policy using the categories provided by the standard, without referring to the particular credential collecting the requested attributes. 2. If the key information is the credential itself, then the policy should refer not only to the attributes in the credential but also to the credential itself. (Figure: Policy wizard, Credential schema repository, Policy base, Privacy policies.)

  24. Responding to a disclosure policy • If a P3P policy is attached to the disclosure policy, a policy check is performed between the P3P policy and the preference rules of the receiving party, with respect to the credentials requested by the disclosure policy with which the privacy policy is associated. • If no P3P policy is associated with the disclosure policy, then the preference rules are checked against the privacy policies exchanged during the privacy agreement phase. (Figure: X-profile, Compliance Checker, Privacy preferences, Tree manager.)
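The two branches of slide 24, as an added worked example; this is not Trust-X code, and the matcher is a simplified stand-in rather than P3P's APPEL preference language. The preference-rule shape, the mapping from credential attributes to P3P data categories, Alice's preferences and both sample P3P policies are constructed for the example; only the category, purpose, recipient and retention vocabulary is P3P 1.0's.

```python
"""Matching a counterpart's P3P policy against local privacy preferences for the
credentials a disclosure policy requests.

Added example, not Trust-X code and not the APPEL preference language. The
preference-rule shape, the attribute-to-category mapping and both sample
policies are constructed; only the category, purpose, recipient and retention
vocabulary is taken from P3P 1.0.
"""
from dataclasses import dataclass

# P3P retention values from least to most permissive for the data collector.
RETENTION_ORDER = ["no-retention", "stated-purpose", "legal-requirement",
                   "business-practices", "indefinitely"]


@dataclass(frozen=True)
class Statement:               # one P3P STATEMENT, simplified
    categories: frozenset      # data categories the statement covers
    purposes: frozenset
    recipients: frozenset
    retention: str


@dataclass(frozen=True)
class Preference:              # one local preference rule for a category
    category: str
    allowed_purposes: frozenset
    allowed_recipients: frozenset
    max_retention: str


# Constructed mapping from credential attributes to P3P data categories.
ATTRIBUTE_CATEGORY = {
    ("Patient_Card", "patient_id"): "uniqueid",
    ("Patient_Card", "name"): "physical",
    ("Prescription", "drug"): "health",
    ("Prescription", "refills"): "health",
}


def check(statements: list, preferences: list, requested_attrs: list) -> dict:
    """Every category touched by the requested attributes must be covered by a
    statement, and each covering statement must stay within the preference rule
    for that category. Uncovered data is treated as a violation, not a pass."""
    prefs = {p.category: p for p in preferences}
    violations = []
    for cat in sorted({ATTRIBUTE_CATEGORY[a] for a in requested_attrs}):
        pref = prefs.get(cat)
        covering = [s for s in statements if cat in s.categories]
        if pref is None:
            violations.append((cat, "no preference rule"))
            continue
        if not covering:
            violations.append((cat, "not covered by policy"))
            continue
        for s in covering:
            for bad in sorted(s.purposes - pref.allowed_purposes):
                violations.append((cat, f"purpose {bad}"))
            for bad in sorted(s.recipients - pref.allowed_recipients):
                violations.append((cat, f"recipient {bad}"))
            if RETENTION_ORDER.index(s.retention) > RETENTION_ORDER.index(pref.max_retention):
                violations.append((cat, f"retention {s.retention}"))
    return {"accept": not violations, "violations": violations}


def respond(requested_attrs: list, preferences: list, attached=None, agreed=None) -> dict:
    """Use the P3P attached to the disclosure policy when there is one; otherwise
    fall back to the P3P exchanged in the privacy agreement subphase."""
    policy = attached if attached is not None else agreed
    if policy is None:
        return {"accept": False, "violations": [("*", "no privacy policy available")]}
    return check(policy, preferences, requested_attrs)


# Constructed data: Alice's preferences, the DrugStore's P3P, and a marketing variant.
ALICE_PREFS = [
    Preference("uniqueid", frozenset({"current", "admin"}), frozenset({"ours"}), "stated-purpose"),
    Preference("physical", frozenset({"current"}), frozenset({"ours", "delivery"}), "stated-purpose"),
    Preference("health", frozenset({"current"}), frozenset({"ours"}), "legal-requirement"),
]
P3P_DRUGSTORE = [
    Statement(frozenset({"uniqueid", "physical"}), frozenset({"current", "admin"}),
              frozenset({"ours"}), "stated-purpose"),
    Statement(frozenset({"health"}), frozenset({"current"}), frozenset({"ours"}), "legal-requirement"),
]
P3P_MARKETING = [
    Statement(frozenset({"uniqueid", "physical", "health"}), frozenset({"current", "telemarketing"}),
              frozenset({"ours", "unrelated"}), "indefinitely"),
]
REQUESTED = [("Patient_Card", "patient_id"), ("Prescription", "drug")]


if __name__ == "__main__":
    print(respond(REQUESTED, ALICE_PREFS, attached=P3P_DRUGSTORE))
    print(respond(REQUESTED, ALICE_PREFS, attached=P3P_MARKETING))
```

The check is scoped to the attributes the disclosure policy actually requests, as slide 24 requires: the same DrugStore policy that passes for patient_id and drug would fail if the policy also asked for Alice's name, because its first statement declares the "admin" purpose for physical data and Alice's rule for that category allows only "current".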

  25. Summary • Trust-X is a privacy-enabled system supporting • Selective disclosure of attributes • Privacy enhanced credentials • Privacy policy exchange during the negotiation process • The Trust-X system is the first trust negotiation system complemented with the P3P platform. • The P3P platform is used for stating how the personal information collected through credential disclosure during online transactions will be managed by the receiver.

  26. Future work • Suite of strategies to carry on a negotiation that exploit and extend the notion of context associated with a policy, to allow one to trade off among efficiency, robustness, and privacy requirements. • Implementation of both the proposed system and the credential formats. • Development of mechanisms and modules to semi-automatically design privacy policies to be associated with disclosure policies. • Full support for P3P version 1.1.
