Trust

1
Trust

• Course CS 6381 -- Grid and Peer-to-Peer Computing

Gerardo Padilla
2
Source

• Part 1 A Survey Study on Trust Management in P2P
  Systems
• Part 2 Trust-? A Peer-to-Peer Framework for
  Trust Establishment

3
Outline

• What is Trust?
• What is a Trust Management?
• How to measure Trust?
• Example
• Reputation-based Trust Management Systems
• DMRep
• EigenRep
• P2PRep
• Frameworks for Trust Establishment
• Trust- ?

4
What is Trust?

• Kini Choobineh
• trust is "a belief that is influenced by the
  individuals opinion about certain critical
  system features"
• Gambetta
• " trust (or, symmetrically, distrust) is a
  particular level of the subjective probability
  with which an agent will perform a particular
  action, both before the trustor can monitor
  such action (or independently of his capacity of
  ever to be able to monitor it)
• The Trust-EC project (http//dsa-isis.jrc.it/Trust
  EC/)
• trust is "the property of a business
  relationship, such that reliance can be placed on
  the business partners and the business
  transactions developed with them''.
• Gradison and Sloman
• trust is "the firm belief in the competence of
  an entity to act dependably, securely and
  reliably within a specified context". .

5
What is Trust? Some Basic Properties of Trust
Relations

• Trust is relative to some business transaction.
• A may trust B to drive her car but not to
  baby-sit.
• Trust is a measurable belief.
• A may trust B more than A trusts C for the same
  business.
• Trust is directed.
• A may trust B to be a profitable customer but B
  may distrust A to be a retailer worth buying
  from.
• Trust exists and evolves in time.
• The fact that A trusted B in the past does not
  in itself guarantee that A will trust B in the
  future. Bs performance and other relevant
  information may lead A to re-evaluate her trust
  in B.

6
Reputation, Trust and Reciprocity

• Reputation perception that an agent creates
  through past actions about its intentions and
  norms.
• Trust a subjective expectation a peer has about
  another's future behavior based on the history of
  their encounters.
• Reciprocity mutual exchange of deeds

reputation
Increase pis reputation
Increase pjs trust of pi
trust
reciprocity
Increase pis reciprocating actions
7
Outline

• What is Trust?
• What is a Trust Management?
• How to measure Trust?
• Example
• Reputation-based Trust Management Systems
• DMRep
• EigenRep
• P2PRep
• Frameworks for Trust Establishment
• Trust- ?

8
What is a Trust Management?

• a unified approach to specifying and
  interpreting security policies, credentials,
  relationships which allows direct authorization
  of security-critical actions Blaze, Feigenbaum
  Lacy
• Trust Management is the capture, evaluation and
  enforcement of trusting intentions.
• Other areas Distributed Agent Artificial
  Intelligence/ Social Sciences

9
What is a Trust Management?
Trust Management
Policy-Based Trust Systems
Reputation-Based Trust Systems
Social Network-Based Trust Systems
10
What is a Trust Management?
Trust Management
Policy-Based Trust Systems
Reputation-Based Trust Systems
Social Network-Based Trust Systems

• Example PolicyMaker
• Goal Access Control
• Peers use credential verification to establish a
  trust relationship
• Unilateral, only the resource-owner request to
  establish trust

11
What is a Trust Management?
Trust Management
Policy-Based Trust Systems
Reputation-Based Trust Systems
Social Network-Based Trust Systems

• Example Marsh, Regret, NodeRanking,
• Based on social relationships between peers when
  computing trust and reputation values
• Form conclusions about peers through analyzing a
  social network

12
What is a Trust Management?
Trust Management
Policy-Based Trust Systems
Reputation-Based Trust Systems
Social Network-Based Trust Systems

• Example DMRep, EigenRep, P2PRep, XRep, NICE,
• Based on measuring Reputation
• Evaluate the trust in the peer and the trust in
  the reliability of the resource

13
Outline

• What is Trust?
• What is a Trust Management?
• How to measure Trust?
• Example
• Reputation-based Trust Management Systems
• DMRep
• EigenRep
• P2PRep
• Frameworks for Trust Establishment
• Trust- ?

14
How to measure Trust?An example of Computation
ModeA computational Model of Trust and
Reputation (Mui et al,2001)

• Lets assume a social network where no new peers
  are expected to join or leave
• (i.e. the social network is static)
• Action Space cooperate, failing

b
a
15
How to measure Trust?An example of Computation
Mode

• Lets assume a social network where no new peers
  are expected to join or leave
• (i.e. the social network is static)
• Action Space cooperate, failing

b
a
16
How to measure Trust?An example of Computation
Mode

• Reputation perception that a peer creates
  through past actions about its intentions and
  norms
• Let ?ji(c) represents pis reputation in a social
  network of concern to pj for a context c.
• This value measures the likelihood that pi
  reciprocates pjs actions.

17
How to measure Trust?An example of Computation
Mode

• ?ab bs reputation in the eyes of a.
• Xab(i) the ith transaction between a and b.
• After n transactions. We obtained the history
  data
• History Dab Xab(1), Xab(2), , Xab(n)

18
How to measure Trust?An example of Computation
Mode

• ?ab bs reputation in the eyes of a.
• Let p be the number of cooperations by peer b
  toward a in the n previous encounters.
• bs reputation ?ab for peer a should be a
  function of both p and n.
• A simple function can be the proportion of
  cooperative action over all n encounters (or
  transactions)
• From statistics, a proportion random variable can
  be modeled as a Beta distribution

19
How to measure Trust?An example of Computation
Mode

• NOTE Beta Distribution

Shape Parameters
20
How to measure Trust?An example of Computation
Mode

• Beta distribution p( ) Beta(a, ß)
• estimator for ?
• a and ß a ß 1 (by prior assumptions)
• A simple estimator for ?ab
• bs reputation in the eyes of a as the proportion
  of cooperation in n finite encounters.

21
How to measure Trust?An example of Computation
Mode

• Trust is defined as the subjective expectation a
  peer has about anothers future behavior based on
  the history of encounters.
• T(c) E ?(c) D(c)
• The higher the trust level for peer ai, the
  higher the expectation that ai will reciprocate
  peer ajs actions.

22
How to measure Trust?An example of Computation
Mode

• Assuming that each encounters cooperation
  probability is independent of other encounters
  between a and b, the likelihood of p cooperations
  and (n p) failings can be modeled as
• The likelihood for the n encounters
• Combining the prior and the likelihood, the
  posterior estimate for becomes (the
  subscripts are omitted)

23
How to measure Trust?An example of Computation
Mode

• Trust towards b from a is the conditional
  expectation of given D.
• Tab p(xab(n1)D)
• Then

24
Outline

• What is Trust?
• What is a Trust Management?
• How to measure Trust?
• Example
• Reputation-based Trust Management Systems
• DMRep
• EigenRep
• P2PRep
• Frameworks for Trust Establishment
• Trust- ?

25
Reputation-based Trust Management
SystemsIntroduction

• Examples of completely centralized mechanism for
  storing and exploring reputation data
• Amazon.com
• Visitors usually look for customer reviews before
  deciding to buy new books.
• eBay
• Participants at eBays auctions can rate each
  other after each transaction.

26
Reputation-based Trust Management SystemsP2P
Properties

• No central coordination
• No central database
• No peer has a global view of the system
• Global behavior emerges from local interactions
• Peers are autonomous
• Peers and connections are unreliable

27
Reputation-based Trust Management SystemsDesign
Considerations

• The system should be self-policing
• The shared ethics of the user population are
  defined and enforced by the peers themselves and
  not by some central authority
• The system should maintain anonymity
• A peers reputation should be associated with an
  opaque identifier rather with an externally
  associated identity
• The system should not assign any profit to
  newcomers
• The system should have minimal overhead in terms
  of computation, infrastructure, storage, and
  message complexity
• The system should be robust to malicious
  collectives of peers who know one another and
  attempt to collectively subvert the system.

28
Reputation-based Trust Management SystemsDesign
Considerations DMRepManaging Trust in a P2P
Information System (Aberer,Despotovic,2001)

• P2P Facts
• No central coordination or DB (e.g. not eBay)
• No peer has global view
• Peers autonomous and unreliable
• Importance of trust in digital communities, but
  information dispersed and sources are not
  unconditionally trustworthy
• Solution reputation as decentralized storage of
  replicated redundant transaction history
• Calculate binary trust metric based on history of
  complaints.

29
Reputation-based Trust Management SystemsDMRep

• Notation
• Let P denote the set of all peers.
• The behavioral data B are observations t(q,p)
  that a peer q makes when he interacts with a peer
  p.
• The behavioral data of p, B(p)
• B(p) t (p, q) or t (q, p) q ? P
• B(p)? B

In a decentralized system, how to model, store,
and compute B?
30
Reputation-based Trust Management SystemsDMRep

• In the decentralized environment, if a peer q has
  to determine trustworthiness of a peer p
• It has no access to global knowledge B and B(p)
• 2 ways to obtain data
• Directly by interactions
• Bq(p) t (q, p) t (q, p) ? B
• Indirectly through a limited number of referrals
  from witnesses r ? Wq ? P
• Wq(p) t (r, p) r? Wq, t (r, p)? B

31
Reputation-based Trust Management SystemsDMRep

• Assumption
• The probability of cheating or having malicious
  within a society is comparably low
• In case of a malicious behavior of q, a peer p
  can file a complaint c(p,q)
• Complaints are the only behavioral data B used in
  this model

32
Reputation-based Trust Management SystemsDMRep

• Let us look a simple situation
• p and q interact,
• later r wants to determine the trustworthiness of
  p and q.
• Assume p is cheating, q is honest
• After their interaction,
• q will file a complaint about p
• p will file a complaint about q in order to hide
  its misbehavior.
• r can not detect that p is cheating,
• If p continues to cheat with more peers, r can
  conclude that it is very probable that p is the
  cheater by observing the other complaints about p

33
Reputation-based Trust Management SystemsDMRep

• Based on the previous simple scenario, the
  reputation T(p) of a peer p can be computed as
  the product
• T(p) c(p,q) q?P x c(q,p) q?P
• High value of T(p) indicate that p is not
  trustworthy
• c(p,q) q?P number of complains made by p
• c(q,p) q?P number of complains about p

Problem The reputation was determined based on
the global knowledge on complains which is very
difficult to obtain. ? How to store the
complaints?
34
Reputation-based Trust Management SystemsDMRep

• The storage structure proposed in this approach
  uses P-Grid (other can be used, such as CAN or
  CHORD)
• P- Grid is a peer-to-peer lookup system based on
  a virtual distributed search tree.
• It stores data items for which the associated
  path is a prefix of the data key.
• For the trust management application this are the
  complaints indexed by the peer number.

35
Routing Tables
Data Stores
36
Reputation-based Trust Management SystemsDMRep

• The same data can be stored at multiple peers and
  we have replicas of this data ? improve
  reliability
• As the example shows, collisions of interest may
  occur, where peers are responsible for storing
  complaints about themselves. We do not exclude
  this, as for large peer populations these cases
  will be very rare and multiple replicas will be
  available to double-check.

37
Reputation-based Trust Management SystemsDMRep

• Problem The peers providing the data could
  themselves be malicious
• Assume that the peers are only malicious with a
  certain probability p p max lt1.
• If there are r replicas satisfies on average p
  rmax lt e, where e is an acceptable
  fault-tolerance.
• Problem Solution If we receive the same data
  about a specific peer from a sufficient number of
  replicas we need no further checks, otherwise
  continue search.

38
Reputation-based Trust Management SystemsDMRep

• How it works?
• P-Grid has two operations for storage-retrieve
  information
• insert(p k v),
• where p is an arbitrary peer in the network, k is
  the key value to be searched for, and v is a data
  value associated with the key.
• query(r k) v,
• where r is an arbitrary peer in the network,
  which returns the data values v for a
  corresponding query k.

39
Reputation-based Trust Management SystemsDMRep

• How it works?
• Every peer p can file a complaint about q at any
  time. It stores the complaint by sending messages
• insert(a1 key(p) c(p q)) and
• insert(a2 key(q) c(p q))
• to arbitrary peers a1 and a2.

40
Reputation-based Trust Management SystemsDMRep
Query Results

• Assume that a peer p query for information about
  q (p evaluates the trustworthiness of q)
• p submits messages query(a key(q)) to arbitrary
  peers a.
• This process is performed s times.

41
Reputation-based Trust Management SystemsDMRep
Query Results

• The result of these queries, called W, such that
• w number of witness found
• cri(q) number of complaints that q received
  according witness ai
• cfi(q) number of complaints q filed according
  witness ai
• fi the frequency with which ai is found
  (non-uniformity of the P-Grid structure)

42
Reputation-based Trust Management SystemsDMRep
Variability

• Different frequencies fi indicate that not all
  witnesses are found with the same probability due
  to the non-uniformity of the P-Grid structure.
• Thus witnesses found less frequently will
  probably also not receive as many storage
  messages when complaints are filed. Thus the
  number of complaints they report will tend to be
  too low.
• Problem We need to compensate the information
  contribution from every witness.
• Problem solution Normalize values by using the
  frequencies .
• High contribution (high fi), high probability
• Low contribution (low fi), low probability

43
Reputation-based Trust Management SystemsDMRep
Variability
the probability of not finding witness i in s
attempts.
44
Reputation-based Trust Management SystemsDMRep
Trust

• This model proposed to decide if a peer p
  considers peer q trustworthy (binary decision)
  based on tracking the history and computing T.
• Thus p keeps a statistics of the average number
  of complaints received and complaints filed,
  aggregating all observations it makes over its
  lifetime.
• Using the following heuristic approach

45
Reputation-based Trust Management SystemsDMRep
Trust
if an observed value for complaints exceeds the
general average of the trust measure too much,
the agent must be Dishonest.
46
Reputation-based Trust Management SystemsDMRep -
Discussion

• Strength
• The method can be implemented in a fully
  decentralized peer-to-peer environment and scales
  well for large number of participants.
• Limitations
• environment with low cheating rates.
• specific data management structure.
• Not robust to malicious collectives of peers.

47
Outline

• What is Trust?
• What is a Trust Management?
• How to measure Trust?
• Example
• Reputation-based Trust Management Systems
• DMRep
• EigenRep
• P2PRep
• Frameworks for Trust Establishment
• Trust- ?

48
Reputation-based Trust Management SystemsDesign
Considerations EigenRepThe Eigen Trust
Algorithm for Reputation Management in P2P
Networks (Kamvar, Schossler,2003)

• Goal To identify sources of inauthentic files
  and bias peers against downloading from them.
• Method Give each peer a trust value based on its
  previous behavior.

49
Reputation-based Trust Management
SystemsEigenRep Terminology
Peer 3

• Local trust value cij. The opinion that peer i
  has of peer j, based on past experience.
• Global trust value ti. The trust that the
  entire system places in peer i.

Peer 1
Peer 2
Peer 4
50
Reputation-based Trust Management
SystemsEigenRep Normalizing Local Trust Values

• All cij non-negative
• ci1 ci2 . . . cin 1

51
Reputation-based Trust Management
SystemsEigenRep Local Trust Vector

• Local trust vector ci contains all local trust
  values cij that peer i has of other peers j.

52
Reputation-based Trust Management
SystemsEigenRep Local Trust Values

• Model Assumptions
• Each time peer i downloads an authentic file from
  peer j, cij increases.
• Each time peer i downloads an inauthentic file
  from peer j, cij decreases.

How to quantify these assumptions?
53
Reputation-based Trust Management
SystemsEigenRep Local Reputation Values

• Local Reputation Values own experience
• sat(i, j) number of satisfactory transactions
  (downloads) peer i has had with peer j.
• unsat(i, j) number of unsatisfactory
  transactions (downloads) peer i has had with
  peer j local
• Reputation value
• sijsat(i, j) - unsat(i,
  j).

54
Reputation-based Trust Management
SystemsEigenRep Normalizing Local Reputation
Value

• Normalize Local Reputation Values -gt Local
  Reputation Vector
• Note
• Local reputation vector
• Most are 0

55
Reputation-based Trust Management
SystemsEigenRep Normalizing Local Reputation
Value

• Issues
• Advantages of normalizing
• Reduce the problem where malicious peers can
  assign arbitrarily high local trust values to
  other malicious peers, and arbitrarily low local
  trust values to good peers, easily subverting the
  system.
• Disadvantages of normalizing
• the normalized trust values do not distinguish
  between a peer with whom peer i did not interact
  and a peer with whom peer i has had poor
  experience.
• these cij values are relative, and there is no
  absolute interpretation. That is, if cij cik,
  we know that peer j has the same reputation as
  peer k in the eyes of peer i, but we dont know
  if both of them are very reputable, or if both of
  them are mediocre.

56
Reputation-based Trust Management
SystemsEigenRep Local Reputation Values

• Problem
• The peers have limited own experience.
• Solution
• Get information from other peers who may have
  more experience about other peers.

How?
57
Reputation-based Trust Management
SystemsEigenRep Combining information by asking
others

• Ask for the opinions of the people who you trust.

58
Reputation-based Trust Management
SystemsEigenRep Aggregating Local Reputation
Values

• Peer i asks its friends about their opinions on
  peer k.

59
Reputation-based Trust Management
SystemsEigenRep Aggregating Local Reputation
Values

• Peer i asks its friends about their opinions on
  all peers.

60
Reputation-based Trust Management
SystemsEigenRep Aggregating Local Reputation
Values

• Peer i asks its friends about their opinions
  about other peers again. (It seems like asking
  his friends friends)
• Continues in this manner,
• If n is large, will converge to the same vector
  por every peer i (left principal eigenvector of C
  for every peer i if C is irreducible and
  aperiodic)

61
Reputation-based Trust Management
SystemsEigenRep Global Reputation Vector,

• We call this eigenvector , the global
  reputation vector.
• , an element of , quantifies how much trust
  the system as a whole places peer j.
• How to Estimate t?

62
Reputation-based Trust Management
SystemsEigenRep EigenTrust Algorithm (non-dist)

• Basic EigenTrust Algorithm
• Non-distributed Algorithm
• Assume that some central server knows all the cij
  values and performs the computation.

63
Reputation-based Trust Management
SystemsEigenRep EigenTrust Algorithm (non-dist)

• Basic EigenTrust Algorithm
• Issues to consider
• A priori notions of trust
• There are some peers in the network that are
  known to be trustworthy (pre-trusted peers). Good
  idea to incorporate this information.
• Inactive peers or new peers
• Peers which do not download files from other
  peers or do not know other peers.
• Malicious collectives
• A malicious collective is a group of malicious
  peers who know each other, who give each other
  high local trust values and give all other peers
  low local trust values in an attempt to subvert
  the system and gain high global trust values.

64
Reputation-based Trust Management
SystemsEigenRep EigenTrust Algorithm (non-dist)

• Pre-trust peers P is a set of peers which are
  known to be trusted, is the pre-trusted
  vector of P, where,
• Assign some trust on pre-trust peers
• and use this information in new or inactive peers

65
Reputation-based Trust Management
SystemsEigenRep EigenTrust Algorithm (non-dist)

• To avoid Malicious collectives
• Where a is some constant less than 1.
• This strategy breaks collectives by having each
  peer place at least some trust in the peers P
  that are not part of a collective.
• Strong Assumption Pre-trusted peers are essential

66
Reputation-based Trust Management
SystemsEigenRep EigenTrust Algorithm (non-dist)

• Modified Basic EigenTrust Algorithm
• non-distributed algorithm

Now, lets consider a distributed environment
67
Reputation-based Trust Management
SystemsEigenRep EigenTrust Algorithm
(distributed)

• All peers in the network cooperate to compute and
  store the global trust vector.
• Each peer stores and computes its own global
  trust value.
• Minimize the computation, storage, and message
  overhead.

68
Distributed Algorithm (cont)

• Ai set of peers which have downloaded files from
  peer i.
• Bi set of peers which peer i has downloaded
  files.

69
Reputation-based Trust Management
SystemsEigenRep EigenTrust Algorithm
(distributed)

• Complexity

For a network of 1000 peers after 100 query cycles
70
Reputation-based Trust Management
SystemsEigenRep EigenTrust Algorithm (dist.
secure)

• Issue The trust value of one peer should be
  computed by more than one other peer.
• malicious peers report false trust values of
  their own.
• malicious peers compute false trust values for
  others.

71
Reputation-based Trust Management
SystemsEigenRep EigenTrust Algorithm (dist.
secure)

• Solution Strategy
• the current trust value of a peer must not be
  computed by and reside at the peer itself, where
  it can easily become subject to manipulation.
• the trust value of one peer in the network will
  be computed by more than one other peer.
• Use multiple DHTs to assign mother peers, such as
  CAN or CHORD.
• The number of mother peers for one peer is same
  to all peers.

72
Reputation-based Trust Management
SystemsEigenRep EigenTrust Algorithm (dist.
secure)

Ai 0 1 5 11
Ai, Bi 0 2 1 9 5 12 11

73
Reputation-based Trust Management
SystemsEigenRep EigenTrust Algorithm (dist.
secure)
m
?
74
Reputation-based Trust Management
SystemsEigenRep EigenTrust Algorithm (dist.
secure)
75
Reputation-based Trust Management
SystemsEigenRep Limitation of EigenRep

• Cannot distinguish between newcomers and
  malicious peers.
• Malicious peers can still cheat cooperatively
• A peer should not report its predecessors by
  itself.
• Flexibility
• How to calculate reputation values when peers
  join and leave, on line and off line.
• When to update global reputation values?
• According to the new local reputation vector of
  all peers.
• Anonymous?
• A mother peer know its daughters.

76
Outline

• What is Trust?
• What is a Trust Management?
• How to measure Trust?
• Example
• Reputation-based Trust Management Systems
• DMRep
• EigenRep
• P2PRep
• Frameworks for Trust Establishment
• Trust- ?

77
Reputation-based Trust Management Systems
P2PRep IntroductionChoosing reputable servents
in a P2P network (Cornelli et al, 2002)

• Not focus on computation of reputations
• Security of exchanged messages
• Queries
• Votes
• How to prevent different security attacks

78
Reputation-based Trust Management Systems
P2PRep Introduction

• Using Gnutella for reference
• A fully P2P decentralized infrastructure
• Peers have low accountability and trust
• Security threats to Gnutella
• Distribution of tampered information
• Man in the middle attack

79
Reputation-based Trust Management Systems
P2PRep Sketch of P2PRep

• To ensure authenticity of offerers voters, and
  confidentiality of votes
• Use public-key encryption to provide integrity
  and confidentiality of messages
• Require peer_id to be a digest of a public key,
  for which the peer knows the private key
• Votes are values expressing opinions on other
  peers
• Servent reputation represents the
  trustworthiness of a servent in providing files
• Servent credibility represents the
  trustworthiness of a servent in providing votes

80
Reputation-based Trust Management Systems
P2PRep Sketch of P2PRep

• P select a peer among those who respond to Ps
  query
• P polls its peers for opinions about the selected
  peer
• Peers respond to the polling with votes
• P uses the votes to make its decision

81
Reputation-based Trust Management Systems
P2PRep Approaches

• Two approaches
• Basic polling
• Voters do not provide peer_id in votes
• Enhanced polling
• Voters declare their peer_id in votes

82
Reputation-based Trust Management Systems
P2PRep Basic Polling

• Phase 1 Resource searching.
• p sends a Query message for searching resources,
  and servents matching the request respond with a
  QueryHit

83
Reputation-based Trust Management Systems
P2PRep Basic Polling

• Phase 2 Vote polling.
• p polls its peers about the reputation of a top
  list T of servents, and peers wishing to respond
  send back a PollReply

84
Reputation-based Trust Management Systems
P2PRep Basic Polling

• Phase 3 Voter evaluation.
• p selects a set of voters, contacts them
  directly, and expects back a confirmation message

85
Reputation-based Trust Management Systems
P2PRep Basic Polling

• Phase 4 Resource download.
• p selects a servent s from which download the
  resource and starts a challenge-response phase
  before downloading

86
Reputation-based Trust Management Systems
P2PRep Enhanced Polling

• Phase 1 Resource searching.
• p sends a Query message for searching resources,
  and servents matching the request respond with a
  QueryHit

87
Reputation-based Trust Management Systems
P2PRep Enhanced Polling

• Phase 2 Vote polling.
• p polls its peers about the reputation of a top
  list of servents, and peers wishing to respond
  send back a PollReply

88
Reputation-based Trust Management Systems
P2PRep Enhanced Polling

• Phase 3 Voter evaluation.
• p selects a set of voters, contacts them directly
  to avoid servent_id to declare fake IPs

89
Reputation-based Trust Management Systems
P2PRep Enhanced Polling

• Phase 4 Resource download.
• p selects a servent s from which download the
  resource and starts a challenge-response phase
  before downloading

90
Reputation-based Trust Management Systems
P2PRep Comparison Basic vs Enhanced

• Basic polling
• all votes are considered equal
• Enhanced polling
• peer_ids allow p to weight the votes based on vs
  trustworthiness

91
Reputation-based Trust Management Systems
P2PRep Security Improvements (1)

• Distribution of Tampered Information
• B responds to A with a fake resource
• P2PRep Solution
• A discovers the harmful content from B
• A updates Bs reputation, preventing further
  interaction with B
• A become witness against B in pollings by others

92
Reputation-based Trust Management Systems
P2PRep Security Improvements (2)

• Man in the Middle Attack
• Data from C to A can be modified by B, who is in
  the path
• A broadcasts a Query and C responds
• B intercepts the QueryHit from C and rewrites it
  with Bs IP port
• A receives Bs reply
• A chooses B for downloading
• B downloads original content from C, modifies it
  and passes it to A

93
Reputation-based Trust Management Systems
P2PRep Security Improvements (2)

• Man in the Middle Attack
• P2PRep addresses this problem by including a
  challenge-response phase before downloading
• To impersonate C, B needs
• Cs private key
• To design a public key whose digest is Cs
  identifier
• Public key encryption strongly enhances the
  integrity of the exchanged messages
• Both versions address this problem

94
Outline

• What is Trust?
• What is a Trust Management?
• How to measure Trust?
• Example
• Reputation-based Trust Management Systems
• DMRep
• EigenRep
• P2PRep
• Frameworks for Trust Establishment
• Trust- ?

95
Frameworks for Trust EstablishmentTrust- ?
Introduction

• Trust establishment via trust negotiation
• Exchange of digital credentials
• Credential exchange has to be protected
• Policies for credential disclosure
• Claim Current approaches to trust negotiation
  dont provide a comprehensive solution that takes
  into account all phases of the negotiation process

96
Frameworks for Trust EstablishmentTrust- ?
Trust Negotiation model
Resource request
Server
Client
Policy Base
Policies
Policies
Credentials
Credentials
Resource granted
97
Frameworks for Trust EstablishmentTrust- ?

• XML-based system
• Designed for a peer-to-peer environment
• Both parties are equally responsible for
  negotiation management.
• Either party can act as a requester or a
  controller of a resource
• X-TNL XML based language for specifying
  certificates and policies

98
Frameworks for Trust EstablishmentTrust- ?

• Certificates They are of two types
• Credentials States personal characteristics of
  its owner and is certified by a CA
• Declarations collect personal information about
  its owner that does not need to be certified
• Trust tickets (X-TNL)
• Used to speed up negotiations for a resource when
  access was granted in a previous negotiation
• Support for policy pre-conditions
• Negotiation conducted in phases

99
Frameworks for Trust EstablishmentTrust- ?
Credentials and Declarations
a) Credential b) Declaration
100
The basic Trust-X system
101
Frameworks for Trust EstablishmentTrust- ?
Message exchange in a Trust-X negotiation
Bob
Alice
Service request
Request
Disclosure policies
Prerequisite acknowledge
Disclosure policies
Credential and/or Declaration
Match disclosure policies
Credential and/or Declaration
Service granted
102
Frameworks for Trust EstablishmentTrust- ?
Disclosure Policies

• They state the conditions under which a resource
  can be released during a negotiation
• Prerequisites associated to a policy, its a
  set of alternative disclosure policies that must
  be satisfied before the disclosure of the policy
  they refer to.

103
Frameworks for Trust EstablishmentTrust- ?
Logic formalism
Disclosure policies are expressed in terms of
logical expressions which can specify either
simple or composite conditions against
certificates.

• P() credential type
• C set of conditions

R?P1(c), P2(c)
Policy expressed as
Slide from http//www.ccs.neu.edu/home/ahchan/wsl
/symposium/bertino.ppt
104
Example

• Consider a Rental Car service.
• The service is free for the employees of Corrier
  company. Moreover, the Company already knows
  Corrier employees and has a digital copy of their
  driving licenses. Thus, it only asks the
  employees for the company badge and a valid copy
  of the ID card, to double check the ownership of
  the badge. By contrast, rental service is
  available on payment for unknown requesters, who
  have to submit first a digital copy of their
  driving licence and then a valid credit card.
  These requirements can be formalized as follows

105
Example (2)
106
Trust-X negotiation
107
Frameworks for Trust EstablishmentTrust- ?
Negotiation Tree

• Used in the policy evaluation phase
• Maintains the progress of a negotiation
• Used to identify at least a possible trust
  sequence that can lead to success in a
  negotiation (a view)

108
Frameworks for Trust EstablishmentTrust- ?
Negotiation Tree (2)
109
Summary

• Thanks!, Questions?