Transcript slides
Privacy preserving Trust
Negotiations
Elisa Bertino, Anna Cinzia Squicciarini
5th CACR,
October 28-29, 2004, Toronto
Outline
Overview of the Trust Negotiation model
Trust-X
Privacy issues
Privacy solutions in Trust-X
Credential format
Policy context
System architecture
Conclusion and future work
Trust Negotiation model
The goal: establish trust between parties in order
to exchange sensitive information and services
The approach: establish trust by verifying
properties (credentials) of the other party.
Protect sensitive credentials and services with ad
hoc policies, namely disclosure policies.
The Trust-X system
Comprehensive XML based framework for trust
negotations
Trust negotiation language
System architecture
Protocol and strategies to carry on a negotiation
A Trust-X negotiation consists of a set of phases to be
sequentially executed.
The key phase is the policy evaluation phase, which
consists of a bilateral and ordered policy exchange.
The basic Trust-X system
Server
Policy
Database
Client
X Profile
Tree
Manager
Policy
Database
X Profile
Compliance
Checker
Tree
Manager
Compliance
Checker
A Trust-X negotiation
Server
Client
Message exchange in a Trust-X
negotiation
Alice
Bob
Request
Prerequisite acknowledge
Service request
Disclosure policies
Disclosure policies
Match disclosure
policies
Credential and/or Declaration
Credential and/or Declaration
Service granted
Preliminary
Information
exchange
Bilateral
disclosure
of policies
Actual
credential
disclosure
INTRODUCTORY
PHASE
POLICY EXCHANGE
CREDENTIAL
DISCLOSURE
RESOURCE
DISCLOSURE
Privacy issues in trust negotiations
Trust negotiation does not control nor safeguard
personal information once it has been disclosed.
During the policy evaluation phase, privacy can
be compromised since there are no guarantees
about counterpart honesty until the actual
disclosure of the credentials.
Sensitive information can be inferred from a response
to a request to access a resource.
Sensitive attributes in digital
credentials
Policy disclosure can be used to determine the value of
sensitive attributes without the credential ever being
disclosed.
A credential may contain several sensitive attributes, and
very often just a subset of them is required to satisfy a
counterpart policy.
However, when a credential is exchanged, the receiver
anyway gathers all the information contained in the
credential.
How we preserve privacy in Trust-X
Support of a new credential format, which may provide a high degree of
privacy protection:
Selective disclosure of attributes
Gradual disclosure of the credential content
Extension of policy notion, with additional information to express
privacy preferences and the possibility of negotiating privacy rules.
Integration of Trust-X with the P3P platform.
The P3P platform is used for used for stating how the personal
information collected through credentials disclosure during on line
transactions will be managed by the receiver.
Privacy enhanced credential (1)
Credential header: Set of information that is crucial for
proving that the credential, besides its specific content,
is a signed and valid digital document issued by a trusted
authority.
CREDID:
CREDTYPE:
EXPIRATION:
ISSUEREP:
unique credential identifier
type of the credential
expiration date
credential issuer repository
Credential content
List collecting attribute specifications
Privacy enhanced credentials (2)
CREDENTIAL
HEADER
(plain)
CREDENTIAL
CONTENT
(blinded at
first release)
<CRED.... ID>..........
TYPE...............
ISSUER..........
<name>..........<\name>
<address>
..........
<\address>
...................
<citizenship>......
..French...........
<\citizenship>.....
...................
<CRED>
attribute names,
values, random
numbers
signature
computed
over the
whole credential
CREDENTIAL HEADER IS USED AS A CREDENTIAL PROOF:
particular state of a privacy enhanced credential, where the header is plain and the
content is hidden, while the signature over the whole document can be verified.
Disclosing attribute credentials
Gradual disclosure of credential content
1.
2.
Header disclosed during policy evaluation phase as
soon as the credential is required
<CRED.... ID>.......
TYPE................
ISSUER..............
Attributes revealed during
credential exchange phase
Attributes required during policy evaluation
phase as soon as they are involved in the process
Using privacy enhanced credentials
1.
2.
Alice is a patient of the Health Clinic and wants to buy drugs by an
on-line pharmacy, which is selling this kind of drugs by prescription of
Health Clinic doctors.
Alice is willing to disclose the requested credentials only if the pharmacy
presents a credential proving pharmacy affiliation with the hospital.
Patient_Card() Health_Clin_Aff().
3.
Pharmacy affiliation is disclosed only to patients of the clinic:
Health_Clin_Aff()Patient_Card()
4.
Health_Clin_Aff()Patient_Card() Health_Clin_Aff().
Avoided by using privacy enhanced credentials. During policy evaluation phase
parties may prove each other credential possession without revealing credential
content until having received all the requested credential proofs.
Modeling negotiation:
logic formalism
Disclosure policies are expressed in terms of logical expressions which
can specify either simple or composite conditions against certificates.
P() credential type
C set of conditions
Policy expressed as
P(C)
TERM
RP1(c), P2(c)
Resource which Requested
the policy refers to certificates
The notion of context in disclosure
policies
This specification is not expressive enough to specify other
crucial information that may be associated with a policy…
How about policy prerequisites?
How about the privacy policies for the requested
credentials?
CONTEXT OF DISCLOSURE POLICIES
Policy context
The goal is to integrate the basic rule defining a policy with a
structured set of information to be used during trust
negotiation process.
<pol_prec_set, priv>
Set of policy identifiers such that
at least one of the policy needs to
be satisfied before the disclosure
of the policy with which the
precondition set is associated.
denotes a P3P privacy policy.
The task of privacy policies is to
complement disclosure policies,
specifying whether the
information conveyed by the
credentials will be collected and/or
used.
Privacy policies in Trust-X
negotiations
1.
Introductory phase
2.
Send a request for a resource/service
Introductory policy exchanges
.
Privacy
agreement subphase
Policy evaluation phase
3.
Disclosure policy exchange and eventually specific privacy policies
Evaluation of the exchanged policies
Certificate exchange phase
Exchange of the sequence of certificates determined at step n. 2.
A privacy enabled Trust-X negotiation
Alice
DrugStore
Drug Request
Introductory policies
Introductory policies
acknoweledge
P3P prior agreement request
(1) INTRODUCTORY
PHASE
P3P_DrugStore match
with local privacy
preferences:
P3P_Drugstore
(1a)
PRIVACY
AGREEMENT
SUBPHASE
P3P acknowledge
Match disclosure
policy and P3P
policy compliance
disclosure policy exchange
within associated P3P
POLICY
(2) EVALUATION
PHASE
(3)
CERTIFICATE
EXCHANGE
PHASE
(4)
RESOURCE
DISCLOSURE
Certificate exchange
Certificate exchange
Credential sent
Strategies in Trust-X
In order to define a framework that is as
adaptable and flexible as possible we do not
define a unique mode to carry on the negotiation.
Our framework supports a variety of strategies,
that can be used for carrying on a negotiation.
We have devised five general purpose strategies
that reflect five different approaches to a
negotiation.
Trust-X privacy preserving strategies
Standard: This is the traditional way of carrying on a negotiation, based
on an informed strategy.
Suspicious: The credential proof is always requested during the policy
evaluation phase for each of the involved credentials.
Strongly Suspicious: This is a specific case of the suspicious strategy:
parties require attribute disclosure as the corresponding policies are
satisfied.
Trusting: The goal of this strategy, is to speed up the process whenever
possible. This can be done using credential suggestions, stored in a special
field of the policy context.
Mixed Strategy: is characterized by the possibility of dynamically
switching among the above strategies.
Privacy enabled Trust-X architecture
Creating a P3P policy in Trust-X
Credentials content can be analyzed under two different perspectives:
1. If the information to be collected
is a set of properties the policy
can be specified as a
conventional P3P policy and
Policy
categories provided by the
wizard
standard, without referring to the
2
1
particular credential collecting
3
the requested attributes.
Credential schema
repository
Privacy
policies
Policy
base
2. If the key information is the
credential itself, then the policy
should refer not only to the
attributes in the credential but
also to the credential itself.
Responding to a disclosure policy
X-profile
Privacy
preferences
If P3P is attached to the
disclosure policy, policy check is
performed between the P3P and
the preference rules of the
receiving party, with respect to the
credentials requested by the
disclosure policy with which the
privacy policy is associated.
If no P3P is associated with the
disclosure policy, then the
preference rules are checked
against the privacy policies
exchanged during privacy
agreement phase.
Complianc
e
Checker
Tree
manager
Summary
Trust-X is a privacy-enabled system supporting
Selective disclosure of attributes
Privacy enhanced credential
Privacy policy exchange during negotiation process
Trust-X system is the first trust negotiation system
complemented with the P3P platform.
The P3P platform is used for stating how the personal
information collected through credentials disclosure during
on line transactions will be managed by the receiver.
Future work
Suite of strategies to carry on a negotiation, that exploit
and extend the notion of context associated with a policy,
to allow one to trade-off among efficiency, robustness,
and privacy requirements.
Implementation of both the proposed system and the
credential formats.
Development of mechanisms and modules to semiautomatically design privacy policies to be associated
with disclosure policies.
Fully support P3P version 1.1.