
Privacy preserving Trust Negotiations
Elisa Bertino, Anna Cinzia Squicciarini
5th CACR,
October 28-29, 2004, Toronto
Outline

- Overview of the Trust Negotiation model
- Trust-X
- Privacy issues
- Privacy solutions in Trust-X
  - Credential format
  - Policy context
  - System architecture
- Conclusion and future work

Trust Negotiation model

- The goal: establish trust between parties in order to exchange sensitive information and services.
- The approach: establish trust by verifying properties (credentials) of the other party.
- Protect sensitive credentials and services with ad hoc policies, namely disclosure policies.

The Trust-X system

- Comprehensive XML-based framework for trust negotiations:
  - Trust negotiation language
  - System architecture
  - Protocol and strategies to carry on a negotiation
- A Trust-X negotiation consists of a set of phases to be executed sequentially.
- The key phase is the policy evaluation phase, which consists of a bilateral and ordered policy exchange.

The basic Trust-X system

[Diagram: server and client each run the same components: a Policy Database, an X-Profile, a Tree Manager and a Compliance Checker.]

A Trust-X negotiation

[Diagram: a negotiation between a Server and a Client.]

Message exchange in a Trust-X negotiation

[Sequence diagram between Alice and Bob, in four phases:]
1. INTRODUCTORY PHASE (preliminary information exchange): Request, Prerequisite acknowledge, Service request.
2. POLICY EXCHANGE (bilateral disclosure of policies): disclosure policies sent in both directions, then match disclosure policies.
3. CREDENTIAL DISCLOSURE (actual credential disclosure): credential and/or declaration sent in both directions.
4. RESOURCE DISCLOSURE: service granted.

Privacy issues in trust negotiations

- Trust negotiation neither controls nor safeguards personal information once it has been disclosed.
- During the policy evaluation phase, privacy can be compromised, since there are no guarantees about the counterpart's honesty until the actual disclosure of the credentials.
- Sensitive information can be inferred from a response to a request to access a resource.

Sensitive attributes in digital credentials

- Policy disclosure can be used to determine the value of sensitive attributes without the credential ever being disclosed.
- A credential may contain several sensitive attributes, and very often just a subset of them is required to satisfy a counterpart policy.
- However, when a credential is exchanged, the receiver nevertheless gathers all the information contained in the credential.

How we preserve privacy in Trust-X

- Support of a new credential format, which may provide a high degree of privacy protection:
  - Selective disclosure of attributes
  - Gradual disclosure of the credential content
- Extension of the policy notion with additional information to express privacy preferences, and the possibility of negotiating privacy rules.
- Integration of Trust-X with the P3P platform. The P3P platform is used for stating how the personal information collected through credential disclosure during on-line transactions will be managed by the receiver.

Privacy enhanced credential (1)

- Credential header: set of information that is crucial for proving that the credential, besides its specific content, is a signed and valid digital document issued by a trusted authority.
  - CREDID: unique credential identifier
  - CREDTYPE: type of the credential
  - EXPIRATION: expiration date
  - ISSUEREP: credential issuer repository
- Credential content: list collecting attribute specifications.

Privacy enhanced credentials (2)

[Diagram: a credential document. The CREDENTIAL HEADER (plain) carries the credential ID, TYPE and ISSUER. The CREDENTIAL CONTENT (blinded at first release) carries elements such as <name>, <address> and <citizenship> (e.g. French), each represented by attribute names, values and random numbers. The signature is computed over the whole credential.]

CREDENTIAL HEADER IS USED AS A CREDENTIAL PROOF: a particular state of a privacy enhanced credential, where the header is plain and the content is hidden, while the signature over the whole document can still be verified.

Disclosing attribute credentials

Gradual disclosure of credential content:
1. Header (credential ID, TYPE, ISSUER) disclosed during the policy evaluation phase as soon as the credential is required.
2. Attributes revealed during the credential exchange phase.
   Attributes required during the policy evaluation phase as soon as they are involved in the process.

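The header/blinded-content credential of the two credential slides and the gradual disclosure steps above, as an added Python example that is not Trust-X code: each attribute is blinded with a random number, the issuer signs header plus blinded content, and the holder later opens only the attributes a policy asks for. The header field names follow the slide; the issuer key, an HMAC standing in for a real digital signature, and the sample attribute values are assumptions made so the example runs stand-alone.

```python
import hashlib
import hmac
import json
import os

# Constructed issuer key: an HMAC stands in for the issuer's digital signature
# so the example runs with the standard library only (assumption, not Trust-X).
ISSUER_KEY = b"constructed-issuer-key"


def blind(name, value, nonce):
    """Blinded attribute: H(name || value || random number). The random number
    stops a receiver from guessing low-entropy values (e.g. citizenship) by
    hashing candidates against the blinded content."""
    return hashlib.sha256(b"|".join([name.encode(), value.encode(), nonce])).hexdigest()


def issue(header, attrs):
    """Issuer side: blind every attribute and sign header + blinded content.
    Returns the credential proof (sharable) and the holder's secrets."""
    nonces = {n: os.urandom(16) for n in attrs}
    content = {n: blind(n, v, nonces[n]) for n, v in attrs.items()}
    body = json.dumps([header, content], sort_keys=True).encode()
    sig = hmac.new(ISSUER_KEY, body, "sha256").hexdigest()
    proof = {"header": header, "content": content, "sig": sig}
    return proof, {"attrs": dict(attrs), "nonces": nonces}


def verify_proof(proof):
    """Counterpart, policy evaluation phase: the header is plain and the
    signature over the whole document checks, but no attribute value is learnt."""
    body = json.dumps([proof["header"], proof["content"]], sort_keys=True).encode()
    expected = hmac.new(ISSUER_KEY, body, "sha256").hexdigest()
    return hmac.compare_digest(expected, proof["sig"])


def open_attrs(secret, names):
    """Holder, credential exchange phase: reveal only the requested attributes."""
    return {n: (secret["attrs"][n], secret["nonces"][n]) for n in names}


def verify_opening(proof, opened):
    """Counterpart: each revealed (value, random number) pair must re-blind to
    the commitment the issuer signed; unrevealed attributes stay hidden."""
    if not verify_proof(proof):
        return False
    return all(n in proof["content"] and blind(n, v, r) == proof["content"][n]
               for n, (v, r) in opened.items())
```

A receiver that holds only the proof can check issuer, type and expiration and later verify each opened attribute against the signed blinded content, but cannot recover the hidden values.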
Using privacy enhanced credentials

1. Alice is a patient of the Health Clinic and wants to buy drugs from an on-line pharmacy, which sells this kind of drugs on prescription of Health Clinic doctors.
2. Alice is willing to disclose the requested credentials only if the pharmacy presents a credential proving the pharmacy's affiliation with the hospital: Patient_Card() is disclosed only after Health_Clin_Aff().
3. Pharmacy affiliation is disclosed only to patients of the clinic: Health_Clin_Aff() is disclosed only after Patient_Card().
4. The two policies form a circular dependency: Health_Clin_Aff() waits for Patient_Card(), which waits for Health_Clin_Aff(). This is avoided by using privacy enhanced credentials: during the policy evaluation phase parties may prove credential possession to each other without revealing credential content until all the requested credential proofs have been received.

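The circular dependency in steps 2-4 above, simulated as an added Python example that is not Trust-X code: each policy names the counterpart credential that must be shown first; with plain credentials neither side can move, while with credential proofs the policy evaluation phase is satisfied by the proofs and contents follow. The two-party driver, its message format and the use of `None` for an unconditional credential are constructed for this illustration.

```python
def negotiate(policies, use_proofs):
    """Two-party negotiation driver (constructed for this example).
    policies: {(party, credential): counterpart credential that must be shown
    before this one is disclosed, or None if the credential is unconditional}.
    Returns the ordered message list, or None if the negotiation cannot progress."""
    parties = sorted({party for party, _ in policies})

    def counterpart(party):
        return [other for other in parties if other != party][0]

    received = {party: set() for party in parties}   # (kind, credential) per party
    messages = []

    if use_proofs:
        # Policy evaluation phase with privacy enhanced credentials: a proof is a
        # plain header over blinded content, reveals no attribute value, and so is
        # sent for every involved credential without waiting on any policy.
        for party, cred in sorted(policies):
            received[counterpart(party)].add(("proof", cred))
            messages.append(f"{party} -> {counterpart(party)}: proof of {cred}")

    pending = dict(policies)
    while pending:
        # A policy is satisfied by the counterpart's credential content or, in
        # proof mode, by its credential proof.
        ready = [(party, cred) for (party, cred), need in pending.items()
                 if need is None
                 or ("cred", need) in received[party]
                 or ("proof", need) in received[party]]
        if not ready:
            return None        # every remaining policy waits on the other side
        for party, cred in sorted(ready):
            del pending[(party, cred)]
            received[counterpart(party)].add(("cred", cred))
            messages.append(f"{party} -> {counterpart(party)}: {cred} content")
    return messages


# Policies from the slide: Alice's Patient_Card requires the pharmacy's
# Health_Clin_Aff and vice versa.
SLIDE_POLICIES = {
    ("Alice", "Patient_Card"): "Health_Clin_Aff",
    ("Pharmacy", "Health_Clin_Aff"): "Patient_Card",
}
```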
Modeling negotiation: logic formalism

Disclosure policies are expressed in terms of logical expressions which can specify either simple or composite conditions against certificates.
- P() denotes a credential type
- C is a set of conditions
- A policy is expressed as P(C)
- TERM: R is released on presentation of P1(c), P2(c), where R is the resource the policy refers to and P1(c), P2(c) are the requested certificates.

The notion of context in disclosure policies

This specification is not expressive enough to specify other crucial information that may be associated with a policy:
- How about policy prerequisites?
- How about the privacy policies for the requested credentials?

CONTEXT OF DISCLOSURE POLICIES

Policy context

The goal is to integrate the basic rule defining a policy with a structured set of information to be used during the trust negotiation process.

Context: <pol_prec_set, priv>
- pol_prec_set: set of policy identifiers such that at least one of the policies needs to be satisfied before the disclosure of the policy with which the precondition set is associated.
- priv: denotes a P3P privacy policy. The task of privacy policies is to complement disclosure policies, specifying whether the information conveyed by the credentials will be collected and/or used.

Privacy policies in Trust-X negotiations

1. Introductory phase
   - Send a request for a resource/service
   - Introductory policy exchanges
   1a. Privacy agreement subphase
2. Policy evaluation phase
   - Disclosure policy exchange and eventually specific privacy policies
   - Evaluation of the exchanged policies
3. Certificate exchange phase
   - Exchange of the sequence of certificates determined at step 2.

A privacy enabled Trust-X negotiation

[Sequence diagram between Alice and a DrugStore:]
(1) INTRODUCTORY PHASE: Drug request; introductory policies exchanged in both directions; introductory policies acknowledge; P3P prior agreement request.
(1a) PRIVACY AGREEMENT SUBPHASE: P3P_DrugStore is matched against Alice's local privacy preferences; P3P acknowledge.
(2) POLICY EVALUATION PHASE: disclosure policy exchange with the associated P3P policies; each disclosure policy is matched and P3P policy compliance checked.
(3) CERTIFICATE EXCHANGE PHASE: certificate exchange in both directions.
(4) RESOURCE DISCLOSURE: credential sent.

Strategies in Trust-X

- In order to define a framework that is as adaptable and flexible as possible, we do not define a unique mode to carry on the negotiation.
- Our framework supports a variety of strategies that can be used for carrying on a negotiation.
- We have devised five general purpose strategies that reflect five different approaches to a negotiation.

Trust-X privacy preserving strategies

- Standard: the traditional way of carrying on a negotiation, based on an informed strategy.
- Suspicious: the credential proof is always requested during the policy evaluation phase for each of the involved credentials.
- Strongly Suspicious: a specific case of the suspicious strategy: parties require attribute disclosure as the corresponding policies are satisfied.
- Trusting: the goal of this strategy is to speed up the process whenever possible. This can be done using credential suggestions, stored in a special field of the policy context.
- Mixed Strategy: characterized by the possibility of dynamically switching among the above strategies.

Privacy enabled Trust-X architecture
Creating a P3P policy in Trust-X

Credential content can be analyzed under two different perspectives:
1. If the information to be collected is a set of properties, the policy can be specified as a conventional, standard P3P policy, without referring to the particular credential collecting the requested attributes.
2. If the key information is the credential itself, then the policy should refer not only to the attributes in the credential but also to the credential itself.

[Diagram: policy creation in three steps, drawing on the policy categories provided by the wizard (1), the credential schema repository (2) and the privacy policies (3), and storing the result in the policy base.]

Responding to a disclosure policy

- If a P3P policy is attached to the disclosure policy, the policy check is performed between the P3P policy and the preference rules of the receiving party, with respect to the credentials requested by the disclosure policy with which the privacy policy is associated.
- If no P3P policy is associated with the disclosure policy, then the preference rules are checked against the privacy policies exchanged during the privacy agreement phase.

[Diagram: the receiving party's X-Profile and privacy preferences feed the Compliance Checker and the Tree Manager.]

Summary

- Trust-X is a privacy-enabled system supporting:
  - Selective disclosure of attributes
  - Privacy enhanced credentials
  - Privacy policy exchange during the negotiation process
- The Trust-X system is the first trust negotiation system complemented with the P3P platform.
- The P3P platform is used for stating how the personal information collected through credential disclosure during on-line transactions will be managed by the receiver.

Future work

- A suite of strategies to carry on a negotiation that exploit and extend the notion of context associated with a policy, to allow one to trade off among efficiency, robustness, and privacy requirements.
- Implementation of both the proposed system and the credential formats.
- Development of mechanisms and modules to semi-automatically design privacy policies to be associated with disclosure policies.
- Full support for P3P version 1.1.