TRUST NEGOTIATION IN ONLINE BUSINESS TRANSACTIONS

BY

CHANDRAKANTH REDDY

PAPERS UNIFIED SCHEME FOR RESOURCE

PROTECTION IN AUTOMATED TRUST NEGOTIATION

Ting Yu , Winslett

ADAPTIVE TRUST NEGOTIATION AND

ACCESS CONTROL Tatyana Ryutov, Li Zhou , Cliffard Neuman

INTRODUCTION Electronic business transactions often take place between entities that are strangers to one

another

As a result malicious users can steal sensitive data or exhaust resources by exceeding the allocated resources.

Mutual trust between the two parties is crucial in

such an environment.

The approach of automated trust negotiation differs from traditional identity-based access control systems mainly in the following aspects:1.Trust between two parties is established based on disclosure

of digital credentials.

2.Every party can define access control policies to control outsiders’ access to their sensitive resources.

3.Trust is established incrementally through a sequence of bilateral credential disclosures.

Sensitive Policies and Their Protection

Example 1: A web page’s access control policy states that in order to access documents of a project in the site, a requester should present an employee ID issued either by Microsoft or by IBM

“issued by Microsoft or by IBM” can be consider as a sensitive policy

When such a policy is shown to a requester they can infer that this project is a cooperative effort of the two companies

Sensitive Policies and Their Protection(2)

Example 2: Coastal Bank’s loan application policy says that a loan applicant must be a customer of the bank who is not on the bank’s bad-customer list

Coastal Bank learns from the policy who is on the bank’s bad customer list

How to protect sensitive policies from unauthorized disclosure?

One obvious way to prevent sensitive policies is selectively disclose part of the

policy where less sensitive credentials are disclosed first. Later on, when a certain level of trust has been established more sensitive credentials can be disclosed.

For instance in Ex1 we ask the requester to show employee id, after receiving the credentials we check whether it is issued by

Microsoft or IBM which is secured credential. Similarily in Ex2 Coastal Bank may only ask for

customer Id and perform the check on the bad customer list after the credential is received

The problem with this approach is that Alice discloses some credentials and believes that the Coastal bank’s policy has been satisfied while the Coastal bank believes the opposite because the sensitive constraints of the bank’s policy are not satisfied.

A resource protection scheme that satisfies the following 3 conditions is desirable

1.Satisfaction-agreement Two parties have the same understanding of

the semantics of policies When one party believes that a policy has been

satisfied by disclosed credentials, the other party should believe the same

Otherwise, a dispute may arise even though the two parties negotiate trust in good faith

2.The resource protection scheme should separate the protection of resource R and access control policy P R’s accessibility should depend only

on P’s satisfaction. Whether P is disclosed or not should not affect R’s accessibility

3.ALLOW INTEROPERABILITY BETWEEN NEGOTIATION STRATEGIES

A Negotiation Strategy suggests the next message that a party should send to the other negotiation participant.

Two strategies are said to be interoperable if the two parties can establish trust whenever their policies theoretically allow trust to be established.

The resource protection scheme must allow variety of negotiation strategies to interoperate correctly with one another

Overview of Trust Negotiation Process Alice wants to access one of Bob’s resource Alice sends a request for Bob’s resource R Bob calls his negotiation strategy, then sends

Alice the disclosure message it outputs Alice receives message, call her strategy, and

sends Bob the message suggested by her strategy

This process continues until: Alice finally satisfies R’s policies and gain access to R Or one party send an empty message to terminate

the negotiation

Negotiation Strategies for UniPro(2)

In negotiation strategies for UniPro, there is a tradeoff between privacy and access (establishing trust)

UniPro allows some of the credentials to be hidden from a requester

Trust establishment may fail because the requester cannot see the contents of a policy even though he may have the right credentials that will satisfy that policy

Two strategies that work with UniPro policies: Unified Eager Strategy

Send all safe disclosures to the other party Does not consider what disclosures are useful for

establishing trust Strong interoperability can be achieved. (Tend to

establish trust more than preserve privacy) Unified Relevant Strategy

identifies disclosures that are relevant to the current negotiation

Does not try to satisfy undisclosed policies (Protocol may fail)

Only weak interoperability can be achieved. (Tend to preserve privacy more than establish trust)

Adaptive Trust Negotiation and Access Control Framework based on two well established systems

GAA-API (Generic Authorization and Access control API)

TRUSTBUILDER

GAA-API : For adaptive access control and system security

TRUST BUILDER : Determines how sensitive information is disclosed to other parties

GAA-API

Middleware API Fine grained access control Application level intrusion

detection and response Can interact with intrusion

detection systems (IDS) to adapt to n/w threat conditions

Trust Builder Vulnerable to DoS attacks

Large number of Trust Negoitation sessions sent to the server

Having the server evaluate a very complex policy

Having the server evaluate invalid or irrelevant credentials.

Negotiating with the intent of collecting or inferring sensitive information instead of establishing trust to proceed with a transaction

ATNAC Combines GAA-API and TN system to avoid the

problems.

Supports fine grained adaptive policies

Jointly calculates the system suspicion levels based on feedback from access control and Trust Negoitation

Associates less restrictive policies with lower suspicion levels

Suspicion Level Indicates how likely the requester is acting

improperly. A separate SL is maintained for each requester

of a service. Has three components:

SDOS : Indicates probability of a DoS attack from the requester

SIL : For sensitive information leakage attempts So : Indicates other suspicious behavior

SL is increased by Analyzer as suspicious events occur and decreased as “positive” events occur.

SUSPICION LEVEL(2) The Analyzer increases SDoS when the requester

sends an abnormally large number of credentials. In a trust negotiotion process, credentials sent by

client must match credentials requested by the system otherwise SDoS set to 1.

If either SDoS, SIL or So > 0.9, the system will block the requester at the firewall

If SIl > threshold. Trust Builder will impose stricter sensitive credential release policies.

As SIL increases, GAA-API uses tighter access control policies

Conclusions Takes care of DoS Attacks . Can dynamically change the

security policies based on the suspicion levels and system threat level

There is no need for the two parties to hide any credentials.

Guards against sensitive information leaks

THANK YOU