ABSTRACT
Exchange of attribute credentials is a means to establish mutual trust between strangers that wish to share resources or conduct business transactions. Automated Trust Negotiation (ATN) is an approach to regulate the flow of sensitive attributes during such an exchange. Recently, it has been noted that early ATN designs do not adequately protect the privacy of negotiating parties. While unauthorized access to credentials can be denied, sensitive information about the attributes they carry may easily be inferred from the behavior of negotiators faithfully adhering to the proposed negotiation procedure. Some proposals for correcting this problem do so by sacrificing the ability to effectively use sensitive credentials. We study an alternative design that avoids this pitfall by allowing negotiators to define policy protecting the attribute itself, rather than the credentials that prove it. We show how such a policy can be enforced. We address technical issues with doing this in the context of trust management-style credentials, which carry delegations and enable one attribute to be inferred from others, and in the context where credentials are stored in a distributed way and must be discovered and collected before being used in ATN.
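The inference problem the abstract describes can be made concrete with a small simulation. The following is an added illustration written for this page, not code from the paper, and it simplifies the paper's setting: a single-step policy ("show me attribute X before I discuss attribute A") stands in for full trust-management policies, and delegation, inference between attributes and distributed credential discovery are not modelled. The names `Negotiator`, `respond_credential_protected`, `respond_attribute_protected` and `leaks_possession`, and the sample attributes `clearance` and `gov-id`, are constructed for the example. It contrasts a credential-level policy, which only a credential holder has and therefore reveals possession by the mere act of enforcing it, with an attribute-level policy that every party applies identically whether or not they hold the attribute.

```python
from dataclasses import dataclass

@dataclass
class Negotiator:
    """A negotiating party in a simplified ATN exchange (constructed for this example)."""
    name: str
    credentials: set       # attributes this party can actually prove
    cred_policies: dict    # credential-level policy: attr -> attribute the requester must show first
    attr_policies: dict    # attribute-level policy: attr -> attribute the requester must show first;
                           # held by every party, holder or not

def respond_credential_protected(party, attr, requester_shown):
    """Naive design: the policy is attached to the credential, so only a holder
    has a policy to enforce. A non-holder simply reports that it has nothing."""
    if attr not in party.credentials:
        return "NOT_HELD"
    need = party.cred_policies.get(attr)
    if need and need not in requester_shown:
        return f"POLICY:{need}"          # holder stalls until the requester qualifies
    return f"DISCLOSE:{attr}"

def respond_attribute_protected(party, attr, requester_shown):
    """Attribute-level design: the policy guards the attribute itself and is applied
    by every party. Possession is only revealed once the requester has satisfied it."""
    need = party.attr_policies.get(attr)
    if need and need not in requester_shown:
        return f"POLICY:{need}"          # identical reply from holders and non-holders
    if attr in party.credentials:
        return f"DISCLOSE:{attr}"
    return "NOT_HELD"

def leaks_possession(respond, holder, nonholder, attr, requester_shown=frozenset()):
    """True if an observer can distinguish a holder from a non-holder by their replies."""
    return respond(holder, attr, requester_shown) != respond(nonholder, attr, requester_shown)

def demo():
    """Run both designs against a holder and a non-holder of the sample attribute."""
    # Sample parties (constructed): 'holder' can prove 'clearance'; 'visitor' cannot.
    holder = Negotiator("holder", {"clearance"},
                        {"clearance": "gov-id"}, {"clearance": "gov-id"})
    visitor = Negotiator("visitor", set(), {}, {"clearance": "gov-id"})
    unqualified = frozenset()            # requester has shown nothing yet
    qualified = frozenset({"gov-id"})    # requester has satisfied the policy
    return {
        # credential-level policy: the stalling reply itself betrays possession
        "credential_policy_leaks": leaks_possession(
            respond_credential_protected, holder, visitor, "clearance", unqualified),
        # attribute-level policy: both parties answer identically until the requester qualifies
        "attribute_policy_leaks": leaks_possession(
            respond_attribute_protected, holder, visitor, "clearance", unqualified),
        # once the requester is authorized, learning who holds the attribute is intended
        "attribute_policy_discloses_when_authorized": leaks_possession(
            respond_attribute_protected, holder, visitor, "clearance", qualified),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the simulation makes is that the first design leaks even though no credential is ever disclosed: the holder's "POLICY:gov-id" reply and the visitor's "NOT_HELD" reply differ before the requester has proven anything. In the second design the replies coincide for any unqualified requester, and a difference appears only for a requester who has satisfied the attribute's own policy.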
Index Terms
- Protecting sensitive attributes in automated trust negotiation