6th November 2007, 1st ONE Review, Brussels
WP5: Identity Management and Reputation Framework for Trusted Negotiation
Partners: CN, SN, WIT, FBK, UdG, UNISG
Speaker: Mihaela Ion (CN)
WP Overview
Core security primitives: platform independent and transparent to underlying crypto protocols and mechanisms
Identity management model for automatic processing of user identity information which scales to a decentralized environment
Trust & reputation scheme for P2P or agency-centric recommendations
Fig. WP5 tasks and relations between them: Security primitives (T5.1), Identity Management (T5.2), Rating Agencies (T5.3) and P2P reputation (T5.4), the latter two forming Trust & Reputation Mgmt
Security primitives and identity management functionalities used by all ONE components (WP2, WP3, WP4)
Decision support functionalities to users and WP4
T5.1 Security Primitives: Authentication, Integrity and Confidentiality
Independent from specific cryptographic algorithms and protocols
Allow new algorithms to be plugged in in the future: we target evolutionary DEs
Will be deployed as Java APIs on each ONE node providing Web Services integration capabilities
Provided through: username & password, certificates, SSO, digital signatures, SSL/TLS, symmetric and asymmetric encryption and digest
APIs already designed and D5.1 was submitted (task completed as scheduled)
T5.2 Identity Management and Privacy
The model targets an automated process of identification between ecosystem entities.
Practical solutions which are clear and easy to adopt and implement by SMEs.
Provide interoperability by convergence between existing identity technologies through SAML (v2.0).
Use of user identity profile: an abstract view of a user’s identity information.
Decentralized identity information is managed through user profiles replicated in a peer-to-peer fashion on trusted nodes.
Main Characteristics of the Model
Main target: decentralized P2P ecosystem domains
All users are equal and there is no hierarchy of DEs
Any peer can be a Credential Provider (CP) or a Service Provider (SP), or both
Each SP has a list of trusted CPs
Each CP has a list of trusted CPs and a list of accepted security tokens
SAML unifies different identity representations that might be used by different SPs
CPs translate from SAML to their SPs' security token representations and vice versa (e.g. X.509 and SAML, SPKI and SAML, Kerberos and SAML)
Each CP issues certificates to users based on:
Secure tokens issued by the CP itself,
Secure tokens issued by a CP with whom it has a trust relationship, or
User registration information
User Profile
Unified view of a user’s distributed identity information
Encrypted with a master password known only by the user
Replicated encrypted on trusted peers
Downloaded, decrypted and updated on secure memory on user’s side
Obtained using username & password (different from the master password) when logging in to the ONE system.
Model Communication Scheme
Fig. Model communication scheme (diagram; the numbered message order is not recoverable from the extracted text). Actors: a Browser/Service on another peer, the Service Provider, the Credential Provider (linked to the SP by a trust relationship) and a Trusted Peer. Messages shown: Request resource, Authentication request, List of accepted certificates, Certificates, Token, Resource, Login/Request profile, Encrypted user profile, Profile, Request token/certificate, Certificate, forwarding. Each SP publishes its list of trusted CPs; each CP publishes its list of accepted security tokens and trusted SCPs and keeps a list of issued certificates/tokens; the Trusted Peer stores the encrypted user profile.
Service Composition by Proxy Cert
Fig. Service composition by proxy certificate (diagram; step numbering not recoverable). Actors: SP1 with CP1, SP2 with CP2 (trust relationships between them) and a Trusted Peer holding the profile for download. A Browser/Service requests a service from SP1, which forwards the request to SP2 under a proxy certificate (PC) together with policies; results flow back to form the composed service.
T5.3 Trusted Rating Agencies
P2P reputation is subjective
Certificates issued by rating agencies should be objective and hence more trustworthy
Inspiration from financial rating agencies
Dedicated service that could be offered by each ONE node
Each entity decides on its own whether or not to register with an agency
Each agency specifies its predefined criteria on which users are registered (necessary credentials)
Agencies across the ONE platform cooperate with each other to retrieve information about unknown users
Authorization certificates
T5.4 Peer-to-peer Reputation
We model adaptive reputation-based trust:
Based on opinions (recommendations) expressed by users about other users, data, services and nodes (multi-level)
Social networks represented through contacts lists (private: shared only with contacts)
Context-aware trust values: users have different levels of expertise in different domains
Multidimensional trust: e.g. a service can be rated for availability, response time, memory usage, result accuracy, etc.
Bootstrapping:
Make use of trust relations established between users outside the system
Assign higher levels of trust to newcomers based on credentials obtained from trusted Certification Authorities outside the system
Initial reputation values
We use probabilistic values from 0 (no trust or no information) to 1 (complete trust).
Users provide registration information to the CP of the chosen ONE node, including certificates obtained from external CAs
CPs assign initial trust values based on their relations with the CAs
Invited users are added to the social network of the inviter, who manually assigns a trust value
Fig. Internal CPs and external CAs trust relations
Contacts’ lists and lists of opinions
Contacts’ list
Trusted contacts known either from outside or inside the system
Different trust levels attached to each contact: the trust a user has in receiving accurate recommendations from that contact
List of opinions
Based on direct interactions: each user keeps in his private MyONE space a history of (recent) experiences (negotiations, transactions) with other users, services, and data.
4-tuples composed of subject, object, keyword and value.
Propagation of opinions across the contacts graph
Users ask their contacts’ opinions about unknown entities
These can further ask their contacts if no information is available
MoleTrust predicts the trust score of a source agent in a target agent by walking the trust graph starting from the source agent and propagating trust along its edges.
Trust values are weighted by the trust scores of the agents who issued them (as stated in the contacts’ list)
Trust values are relative to the source agent
Fig. Propagation of opinions across the contacts graph
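The contacts’ lists, the (subject, object, keyword, value) opinions and the propagation across the contacts graph described on the last two slides, as an added worked example in Python (not the ONE project’s code): a simplified MoleTrust-style walk over a constructed contacts graph, where the user names, the service `svc42` and the context keywords are all made up for illustration.

```python
from collections import defaultdict

# Constructed sample data (not from the ONE project). Contacts' lists: how much each
# user trusts a contact to give accurate recommendations (0 = none/unknown, 1 = full).
CONTACTS = {
    "alice": {"bob": 0.9, "carol": 0.6},
    "bob":   {"dave": 0.8},
    "carol": {"dave": 0.4, "erin": 0.7},
    "dave":  {"frank": 0.9},
}
# Lists of opinions from direct experience, as 4-tuples (subject, object, keyword, value);
# the keyword is the user-chosen context, i.e. one dimension of trust.
OPINIONS = [
    ("bob",   "svc42", "availability",  0.8),
    ("dave",  "svc42", "availability",  0.2),
    ("erin",  "svc42", "response_time", 0.9),
    ("frank", "svc42", "availability",  1.0),
]

def mole_trust(source, horizon=2, threshold=0.5):
    """Trust of other users relative to `source`, MoleTrust-style: breadth-first walk of
    the contacts graph up to `horizon` hops. A user's score is the average of the trust
    statements about them from users one hop closer, weighted by the issuers' own scores;
    users scoring below `threshold` are kept but do not propagate trust further."""
    trust, frontier = {source: 1.0}, [source]
    for _ in range(horizon):
        votes = defaultdict(list)               # candidate -> [(issuer score, stated trust)]
        for u in frontier:
            for v, stated in CONTACTS.get(u, {}).items():
                if v not in trust:              # shortest paths only: no back-edges or cycles
                    votes[v].append((trust[u], stated))
        frontier = []
        for v, stmts in votes.items():
            trust[v] = sum(w * t for w, t in stmts) / sum(w for w, _ in stmts)
            if trust[v] >= threshold:
                frontier.append(v)
    return trust

def recommend(source, target, keyword, horizon=2, threshold=0.5):
    """Predicted value of `target` in context `keyword` for `source`: opinions of users
    `source` trusts (directly or by propagation), weighted by that trust; None if none."""
    trust = mole_trust(source, horizon, threshold)
    stmts = [(trust[s], v) for s, o, k, v in OPINIONS
             if o == target and k == keyword and trust.get(s, 0.0) >= threshold]
    if not stmts:
        return None
    return sum(w * v for w, v in stmts) / sum(w for w, _ in stmts)
```

Because scores are recomputed from each source, `mole_trust("bob")["dave"]` differs from `mole_trust("alice")["dave"]`, which is the "relative to the source agent" property of the slide.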
Opinion’s Data Model
Contexts are expressed by user defined keywords (folksonomy)
Simple or complex contexts (e.g. a taxonomy)
Through contexts we model the multidimensional nature of trust
Fig. Generalized Opinion Data Model
Status & Next Steps
Security primitives
Status: implementation of user authentication with username & password
Next steps: implementation of advanced authentication mechanisms (certificates, SSO)
Identity management
Status: model designed and partially implemented (simple user registration)
Next steps: user profile and transformations, complete the model implementation
Trusted rating agencies
Status: inspiration from financial rating agencies, objective, based on credentials, in line with the distributed nature of ONE
Next steps: design the model
P2P reputation
Status: model designed
Next steps: draft implementation for simulations and validation, collaboration with WP3 - T3.4 for the replication algorithm of the Distributed Knowledge Base.
Task 5.2 will be extended until month 19, deliverable D5.4 will be delayed until month 19, and a new milestone will be added at month 15 providing draft implementations. For bug fixing and software enhancements after the First Trial Iteration an additional 4 months are required; they will be distributed from month 23 to month 26.
Task 5.3 will be extended until month 20 and deliverable D5.3 will be delayed until month 20. This extension is due to the delay of the research activities in Phase I.