Trustbased Security - PowerPoint PPT Presentation

Slides: 38
Provided by: muhammadsh
1
Trust-based Security
Presented by Muhammad Shahab Siddiqui
PhD (CS) Student, GSESIT, Hamdard University
2
  • Using Web Services for Trust-based Security in
    Different Networks

3
Today's Agenda
  • Trust Definition
  • Trust Transitivity
  • Notation for Trust
  • Types of Trust
  • Trust Classes
  • Social Engineering
  • Technologies for Security

4
Trust Definition
  • Trust applies to the truthfulness of specific
    claims made by parties who request services.
  • Trust also applies to the honesty, reputation and
    reliability of service providers.
  • Trust must ensure meaningful and mutually
    beneficial interactions between parties.

5
Trust Definition (contd.)
  • Trust can be based on experience or on roles.
  • Trust is the extent to which one party is willing
    to depend on something or somebody in a given
    situation with a feeling of relative security,
    even though negative consequences are possible.
  • The process of assessing trust becomes part of QoS
    evaluation, decision making and risk analysis.

6
Trust Definition (contd.)
  • The basic ingredients of trust are dependence,
    risk and uncertainty.
  • Trust is related to belief in the honesty,
    reliability, competence, willingness, etc. of the
    trusted entity, whether it is a person,
    organization or system.
  • Trust is related to the scope of the relationship.

7
Trust Transitivity
  • Trust transitivity means, for example, that if
    Alice trusts Bob, and Bob trusts Eric, then
    Alice will also trust Eric.
  • In practice this means that Bob tells Alice that
    he trusts Eric, which is called a Recommendation.

8
Trust Transitivity (contd.)
  • But in real life trust is not always transitive.
    For example, if Alice trusts Bob to look after
    her child and Bob trusts Eric to fix his car, it
    does not follow that Alice will also trust Eric
    to look after her child or to fix her car.
  • Trust transitivity collapses here because the
    scopes of Alice's and Bob's trust are different.

9
Notation for Trust
  • An arc (A, B) means that A trusts B.
  • A symbol denotes the transitive connection of two
    consecutive arcs, forming a transitive trust
    path.
  • (Alice, Eric) is obtained by connecting
    (Alice, Bob) and (Bob, Eric).

80% of computer security threats are insider-related.
Source: Entrust Technologies
10
Types of Trust
  • The previous examples show that under certain
    semantic constraints, trust can be transitive.
  • Referral Trust (RT) can be based on someone's
    recommendation, while Functional Trust (FT) is
    based on actual trust in someone.

11
Types of Trust (contd.)
  • Peer nodes in Ad Hoc Networks are strangers to
    each other. These nodes need trust before they
    exchange information.
  • There are two types of trust: direct trust, the
    same as functional trust, and recommendation
    trust, the same as referral trust.

12
Types of Trust (contd.)
  • Direct trust means that an entity can trust
    another entity directly using all existing
    experiences it has about that entity.
  • Recommendation trust expresses the belief in the
    capability of an entity to decide whether another
    entity is reliable in the given trust class and
    in its honesty when recommending third entities.
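The transitivity rules from slides 7 to 12 (arcs, scope, and referral versus functional trust) worked through as an added example; this is not code from the presentation, and the Arc type, derive_path function and the Alice/Bob/Eric arcs are constructed here:

```python
from dataclasses import dataclass

REFERRAL = "referral"      # RT: trust in someone's recommendations
FUNCTIONAL = "functional"  # FT: trust in someone to actually perform the task


@dataclass(frozen=True)
class Arc:
    """Arc (trustor, trustee) annotated with the scope and variant of trust."""
    trustor: str
    trustee: str
    scope: str
    variant: str


def derive_path(arcs, trustor, trustee, scope, max_hops=4):
    """Return the arcs of a valid transitive trust path, or None.

    A path is valid only when every arc is in the requested scope, every
    intermediate arc is referral trust (a recommendation) and the final
    arc is functional trust. Arcs in another scope are ignored, so Bob's
    car-repair trust in Eric never contributes to a child-care path.
    """
    by_trustor = {}
    for arc in arcs:
        if arc.scope == scope:
            by_trustor.setdefault(arc.trustor, []).append(arc)

    def search(node, path, visited):
        if len(path) >= max_hops:
            return None
        for arc in by_trustor.get(node, []):
            if arc.trustee in visited:
                continue  # never loop back through a node already on the path
            if arc.trustee == trustee and arc.variant == FUNCTIONAL:
                return path + [arc]
            if arc.variant == REFERRAL:
                found = search(arc.trustee, path + [arc], visited | {arc.trustee})
                if found:
                    return found
        return None

    return search(trustor, [], {trustor})


# Constructed arcs for the slides' Alice / Bob / Eric examples.
ARCS = [
    Arc("Alice", "Bob", "child care", REFERRAL),    # Alice accepts Bob's child-care recommendations
    Arc("Bob", "Eric", "child care", FUNCTIONAL),   # Bob trusts Eric to mind children
    Arc("Alice", "Bob", "car repair", FUNCTIONAL),  # Alice trusts Bob with her car, but takes no referrals
    Arc("Bob", "Eric", "car repair", FUNCTIONAL),   # Bob trusts Eric to fix his car
]
```

derive_path(ARCS, "Alice", "Eric", "child care") yields the two-arc path, while the same query in the "car repair" scope yields None because Alice holds no referral trust in Bob there.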

13
Algorithmic Techniques for Computing
Recommendation in [8]
  • Content-based filtering suggests to users items
    similar to the ones they liked in the past, by
    extracting features.
  • In Collaborative Filtering, the recommender asks
    users to rate items so that it knows who likes
    what. The recommender then makes recommendations
    to a particular user based on the likings of that
    user's neighbours. A Hybrid approach combines the
    two.

14
Trust Classes
  • Provision Trust: trust in a service or resource
    provider, i.e. the relying party seeking
    protection from an unreliable service provider.
    Business Trust: contract agreement.
  • Access Trust: trust in a party accessing
    resources under the relying party's control.
  • Delegation Trust: trust in an agent who acts and
    makes decisions on behalf of the relying party.

According to Grandison and Sloman (2000)
15
Trust Classes (contd.)
  • Identity Trust: trust in an entity's or agent's
    identity (Authentication Trust).
  • Context Trust: the relying party believes that
    everything in a system is in place and a safety
    net is there to protect against something going
    wrong (System Trust).
  • A trust relationship is based on three
    attributes: Trustor, Trustee and Trust Scope.

16
Trust Classes (contd.)
  • An additional attribute, the trust measure, can
    be expressed as:
  • Binary: trusted, not trusted
  • Discrete: strong trust, weak trust, strong
    distrust, weak distrust, etc.
  • Continuous: a probability, percentage, etc.
  • A fifth attribute, a time component, can also be
    added, since trust may change from time to time.

17
Social Engineering
  • Political science refers to social engineering as
    an attempt by government or private groups to
    change or "engineer" the views and behavior of
    citizens.
  • In computer security, social engineering is the
    practice of obtaining confidential information by
    manipulation (social skills) of legitimate users.
  • A social engineer commonly uses the telephone or
    Internet to trick people into revealing sensitive
    information or getting them to do something
    against their policy.

18
Social Engineering (contd.)
  • Social engineers exploit the natural tendency of
    a person to trust their word, rather than
    exploiting computer security holes.
  • "users are the weakest link" in security
  • Social Engineering is a non-technical kind of
    intrusion relying heavily on human interaction,
    which often involves tricking other people into
    breaking normal security procedures. The attacker
    uses social skills and human interaction to
    obtain information about an organization or its
    computer systems.

19
  • At this point I will close my discussion on
    TRUST.
  • Now I will discuss the available Tools,
    Techniques and Technologies to be considered for
    SECURITY.

20
Technologies for Security
  • State of the art technology used in e-commerce
    that encourages trust includes cryptographic
    security mechanisms for providing confidentiality
    of communication and authentication of
    identities.
  • A Trusted Public Key refers to the authenticity
    of a cryptographic key used in a public-key
    system.

21
Cryptography System
  • Every participant holds a trusted (public) key in
    the cryptography system.
  • The processes of generating, distributing and
    using cryptographic keys are known as Key
    Management, still a major and largely unsolved
    problem for internet users.
  • PKI has very strict trust requirements: public
    key authenticity is to be certified by
    Certification Authorities (CAs).

22
Cryptography System (contd.)
  • A certificate consists of the CA's digital
    signature concatenated with the public key and
    the owner identifier.
  • In order to verify a certificate, the CA's public
    key is needed, which is again a problem.
  • So one must first receive the public key of some
    CA.
  • The CA must be trusted to be honest, and users
    must be trusted to protect their private keys.

23
Cryptography System (contd.)
  • The easiest level of security is Absolute Trust
    in the public key for every aspect.
  • If cryptographic keys have varying trust
    measures, then the trust in every cryptographic
    key must be determined before the primary trust
    network of interest can be analyzed.
  • If a principal is recommended as reliable but the
    binding between the principal and its private key
    is broken, the result is low trust.

24
PGP
  • PGP is a software tool for cryptographic key
    management and email security. It uses discrete
    trust measures of ultimate, always trusted,
    usually trusted, usually not trusted, and
    undefined for key owner trustworthiness.
  • Industry, by contrast, is based entirely on the
    binary measure of trusted and not trusted.

25
Approval Organizations
  • Truste.org: an independent, non-profit
    organization whose mission is to build users'
    trust in eCommerce by promoting the use of fair
    information practices. When a user sees the
    Truste logo, they are assured security procedures
    are in place to protect their information.
  • Tradesafe.com: a bridge between the buyer and
    seller that collects and stores financial
    information about buyer and seller.
  • Tradesafe.com uses Truste.org to ensure
    compliance.

26
Approval Organizations (contd.)
  • VeriSign: a third party that processes credit
    card information using SSL encryption.
  • RSA Security: provides software to businesses to
    securely and reliably engage in e-business.
    Recently partnered with Cisco to further enhance
    their products.

27
PeerTrust Language Syntax
  • In [5] the PeerTrust Language is used to specify
    policies:
  • liti @ Issuer Requester.
  • access(Resource) Requester ? client(Requester).
  • access(Picture) Requester ? friend(Requester).
  • friend(Name) Requester ? isMyFriend(Name).
  • friend(Name) Requester ? friend(Name) @ Alice.

28
Authentication Process
  • Two main processes were used in Sweden and the UK
    for the authentication of an online user:
  • Security Box: random system-generated passwords
    at the user's location.
  • Fixed Password: a user-owned constant.
  • The trust concept has four components: the online
    bank, the login procedure, the location and the
    box/system.

29
Digital Profile
  • Your digital profile is a cumulative digital
    proxy of you that is built from a pre-determined
    set of components. This new kind of identity
    representation will work the same as the
    'official' identity that we had in pre-digital
    times. It will say more about you than your
    current forms of documented identification, which
    carry relatively thin information.

30
Security Token Service
  • A security token service (STS) helps in mediating
    trust between companies that would otherwise not
    be able to ascribe trust to one another.
  • Rather than maintaining pair-wise trust with all
    potential partners, individual companies instead
    form a trust relationship with the STS and then
    rely on the STS to form indirect trust.

31
Security Token Service (contd.)
  • If a client from one organization wants to
    contact a service of a second organization, the
    client sends claims and proof-of-possession
    information to its local STS and requests a
    security token. Based on this security token, the
    requested service's STS issues a signed security
    token, because of the security policy and trust
    relationship between the two organizations
    established earlier.
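The STS exchange on slides 30 and 31 as an added example, not code from the presentation: HMAC tags stand in for the signed tokens, and the STS class, the key values, the organization names and the client "alice" are constructed assumptions.

```python
import hashlib, hmac, json, time

def _sign(key, payload):  # serialize claims, append HMAC-SHA256 tag (signature stand-in)
    body = json.dumps(payload, sort_keys=True).encode()
    return body + b"." + hmac.new(key, body, hashlib.sha256).hexdigest().encode()

def _verify(key, token, audience):  # check tag, audience and expiry; raise on failure
    body, _, tag = token.rpartition(b".")
    good = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, good):
        raise ValueError("bad token signature")
    claims = json.loads(body)
    if claims["aud"] != audience or claims["exp"] < time.time():
        raise ValueError("wrong audience or expired token")
    return claims

def proof_of_possession(secret, nonce):  # client proves its secret without sending it
    return hmac.new(secret, nonce, hashlib.sha256).digest()

class STS:
    def __init__(self, name, clients, federation, service_key):
        self.name = name                # e.g. "OrgA-STS"
        self.clients = clients          # client id -> registered secret (own users only)
        self.federation = federation    # partner STS name -> key established earlier
        self.service_key = service_key  # key shared with this organization's services

    def request_token(self, client_id, nonce, proof, claims, partner):
        # Step 1: local STS checks proof of possession, issues a token for the partner STS.
        secret = self.clients.get(client_id)
        if secret is None or not hmac.compare_digest(proof, proof_of_possession(secret, nonce)):
            raise PermissionError("proof of possession failed")
        return _sign(self.federation[partner], {"iss": self.name, "aud": partner,
                     "sub": client_id, "claims": claims, "exp": time.time() + 300})

    def exchange(self, token, issuer):
        # Step 2: partner STS accepts the token only via the pre-established trust
        # relationship (shared federation key) and re-issues it for its own service.
        incoming = _verify(self.federation[issuer], token, audience=self.name)
        return _sign(self.service_key, {"iss": self.name, "aud": "service",
                     "sub": incoming["iss"] + "/" + incoming["sub"],
                     "claims": incoming["claims"], "exp": time.time() + 300})

def run_demo():
    # Constructed federation: OrgA's client reaches OrgB's service through both STSs.
    fed_key, svc_key, pop = b"constructed-fed-key", b"constructed-svc-key", b"constructed-pop"
    sts_a = STS("OrgA-STS", {"alice": pop}, {"OrgB-STS": fed_key}, b"constructed-a-svc")
    sts_b = STS("OrgB-STS", {}, {"OrgA-STS": fed_key}, svc_key)  # knows no OrgA clients
    nonce = b"constructed-nonce-1"
    t1 = sts_a.request_token("alice", nonce, proof_of_possession(pop, nonce),
                             {"role": "buyer"}, "OrgB-STS")
    t2 = sts_b.exchange(t1, issuer="OrgA-STS")
    return _verify(svc_key, t2, audience="service")  # what OrgB's service checks
```

OrgB's STS never learns alice's secret; it only trusts the federation key it shares with OrgA's STS, which is the indirect trust the slides describe.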

32
Conclusion
  • I defined Trust, Types of Trust and Trust
    Classes, which give you an idea of what we mean
    by a trust-based environment.
  • I also discussed the available and futuristic
    tools and techniques that deal with security.
  • When we merge these two, we arrive at
    trust-based security.

33
References
  • [1] Simplification and Analysis of Transitive
    Trust Networks, by Audun Jøsang, Elizabeth Gray,
    Michael Kinateder, Web Intelligence and Agent
    Systems, Australia, 2006,
    http://citeseer.ist.psu.edu/746240.html
  • [2] Trust Network Analysis with Subjective
    Logic, by Audun Jøsang, Ross Hayward, Simon
    Pope, 29th Australian Computer Science Conference
    (ACSC2006), Tasmania, Australia, Australian
    Computer Society, January 2006,
    http://citeseer.ist.psu.edu/744155.html

34
References (contd.)
  • [3] Trust Model Based Self-Organized Routing
    Protocol for Secure Ad-hoc Networks, by Xiaoqi
    Li, PhD Term Paper, The Chinese University of
    Hong Kong, April 2003,
    http://citeseer.ist.psu.edu/628444.html
  • [4] Trust Networks in a Web Services World, by
    Paul Madsen, May 26, 2004,
    http://webservices.xml.com/pub/a/ws/2004/05/26/trust.html

35
References (contd.)
  • [5] A Distributed Tabling Algorithm for Rule
    based Policy Systems, by Miguel Alves, Carlos
    Viegas Damasio, Wolfgang Nejdl, Daniel Olmedilla,
    2006,
    http://citeseer.ist.psu.edu/alves06distributed.html
  • [6] Social Engineering: the weakest link,
    http://www.windowsecurity.com/whitepapers/Social-Engineering-The-Weakest-Link.html

36
References (contd.)
  • [7] Building Security and Trust in Online
    Banking, by Maria Nilsson, Anne Adams, Simon
    Herd, CHI 2005, April 2-7, 2005, Portland,
    Oregon, USA, ACM 1-59593-002-7/05/0004
  • [8] Trust-aware Decentralized Recommender
    Systems, PhD Research Proposal, Paolo Massa,
    University of Trento, Italy, May 29, 2003

37
Thanks for Listening
  • Special thanks to Dr. Zubair A. Shaikh