Security and Trust Management

Delegation is a widely used and widely studied mechanism in access control systems. Delegation enables an authorized entity to nominate another entity as its authorized proxy for the purposes of access control. Existing delegation mechanisms tend to rely on manual processes initiated by end-users. We believe that systems in which the set of available, authorized entities fluctuates considerably and unpredictably over time require delegation mechanisms that can respond automatically to the absence of appropriately authorized users. To address this, we propose an auto-delegation mechanism and explore the way in which such a mechanism can be used to provide (i) controlled overriding of policy-based authorization decisions (ii) a novel type of access control mechanism based on subject-object relationships.

One of the most widespread framework for the management of access-control policies is Administrative Role Based Access Control (ARBAC). Several automated analysis techniques have been proposed to help maintaining desirable security properties of ARBAC policies. One limitation of many available techniques is that the sets of users and roles are bounded. In this paper, we propose a symbolic framework to overcome this difficulty. We design an automated security analysis technique, parametric in the number of users and roles, by adapting recent methods for model checking infinite state systems that use first-order logic and state-of-the-art theorem proving techniques. Preliminary experiments with a prototype implementations seem to confirm the scalability of our technique.

The usage control (UCON) model demands for continuous control over objects of a system. Access decisions are done several times within a usage session and are performed on the basis of mutable attributes. Values of attributes in modern highly-dynamic and distributed systems sometimes are not up-to-date, because attributes may be updated by several entities and reside outside the system domain. Thus, the access decisions about a usage session are made under uncertainties, while existing usage control approaches are based on the assumption that all attributes are up-to-date.

In this paper we propose an approach which helps to make a rational access decision even if some uncertainty presents. The proposed approach uses the continuous-time Markov chains (CTMC) in order to compute the probability of unnoticed changes of attributes and risk analysis for making a decision.

We define a metamodel for access control that takes into account the requirements of distributed environments, where resources and access control policies may be distributed across several sites. This distributed metamodel is an extension of the category-based metamodel proposed in previous work (from which standard centralised access control models such as MAC, DAC, RBAC, Bell-Lapadula, etc. can be derived). We use a declarative formalism in order to give an operational semantics to the distributed metamodel. We then show how various distributed access control models can be derived as instances of the distributed metamodel, including distributed models where each site implements a different kind of local access control model.

We apply SecPAL, a logic-based policy language for decentralized authorization and trust management, to our case study of automated software distribution for airplanes. In contrast to established policy frameworks for authorization like XACML, SecPAL offers constructs to express trust relationships and delegation explicitly and to form chains of trusts. We use these constructs in our case study to specify and reason about dynamic, ad-hoc trust relationships between airlines and contractors of suppliers of software that has to be loaded into airplanes.

Even though trust plays a significant role during decision-making in open collaborative environments, still Grid user trust mechanisms have not been widely deployed in Grid computing settings like Enabling Grids for E-sciencE (EGEE). In this paper, an investigation on the specification and management of user trust in Grid infrastructures is presented. The design of a novel Grid user trust service (GUTS) is introduced that aims in leveraging Grid functionality with trust mechanisms, with a special focus on achieving end-user trust in an intuitive and practical manner.

A Trust Management model that provides a measure of the degree to which a principal is trusted for some action is proposed. At the heart of the model is the notion that triangular norms and conorms provide a natural and consistent interpretation for trust aggregation across delegation chains. It is argued that specifying how trust is aggregated is as important as specifying a degree of trust value in an attribute certificate and, therefore, in stating the degree to which a principal trusts another, the principal should also state how that trust may aggregate across delegation chains. The model is illustrated and has been implemented using a modified, but backwards-compatible, version of the KeyNote Trust Management system.

A formalisation of authentication trust is proposed for federated identity management systems. Identity federation facilitates user interaction with Web services that control access, but it is more difficult for a service provider to evaluate the assurance of a user’s identity if the creation and propagation of user authentication assertions involve different authentication authorities and mediators. On the basis of this formal representation, an aggregated trust value is calculated for evaluating the trustworthiness of a user’s identity from the user’s authentication assertions propagated through multiple entities.

Social networks have sprung up and become a hot issue of current society. In spite of the fact that these networks provide users with a variety of attractive features, much to users’ dismay, however, they are likely to expose users private information (unintentionally).

In this paper, we propose an approach which is intended for addressing the problem of collaboratively deciding privacy policies for, but not limited to, shared photos. Our proposed algorithm utilizes trust relations in social networks and combines it with the Condorcet preferential voting scheme. An optimization is developed to improve its efficiency. Experimental results show that our trust-augmented voting scheme performs well. An inference technique is introduced to infer a best privacy policy for a user based on his voting history.

We use the Universally Composable (UC) framework to evaluate our Non-Interactive Zero-Knowledge (NIZK) protocol for verifying the validity of the ballot in an Internet voting scheme. We first describe the Internet voting scheme followed by the explanation of the NIZK protocol for ballot verification in that voting scheme. We then define the ideal functionalities using the UC framework and evaluate the NIZK protocol by using these ideal functionalities. We find that this NIZK protocol is secure in the UC framework in the presence of malicious and adaptive adversaries.

There is a growing interest in formal methods and tools to analyze cryptographic protocols modulo algebraic properties of their underlying cryptographic functions. It is well-known that an intruder who uses algebraic equivalences of such functions can mount attacks that would be impossible if the cryptographic functions did not satisfy such equivalences. In practice, however, protocols use a collection of well-known functions, whose algebraic properties can naturally be grouped together as a union of theories E ₁ ∪ … ∪ E _n . Reasoning symbolically modulo the algebraic properties E ₁ ∪ … ∪ E _n requires performing (E ₁ ∪ … ∪ E _n )-unification. However, even if a unification algorithm for each individual E _i is available, this requires combining the existing algorithms by methods that are highly non-deterministic and have high computational cost. In this work we present an alternative method to obtain unification algorithms for combined theories based on variant narrowing. Although variant narrowing is less efficient at the level of a single theory E _i , it does not use any costly combination method. Furthermore, it does not require that each E _i has a dedicated unification algorithm in a tool implementation. We illustrate the use of this method in the Maude-NPA tool by means of a well-known protocol requiring the combination of three distinct equational theories.

Existing online social networks hardly care about users’ privacy rights. In particular, they do not permit users to keep control over “their” data. By “their” data, we denote data that refers to the respective user as an identifiable object within (textual, audio, image or video) media. The well-known concept of “usage control” employs a usage rights’ perspective (e.g. DRM), but it does not explicitly deal with privacy. In this paper, we instead propose the concept of “data control”, which exactly focusses on privacy rights and therefore employs a control rights’ perspective. Based on data control, we propose a defamation-free network (DFN) in which control rights are not only manifest and visible, but can also be exercised. We examine the main usage scenarios of such a network, and discuss the possible approaches for implementing it. Finally, we sketch a solution with an underlying P2P architecture and highlight the basic technological challenges and requirements.

This paper presents InDico, an approach for the automated analysis of business processes against confidentiality requirements. InDico is motivated by the fact that in spite of the correct deployment of access control mechanisms, information leaks in automated business processes can persist due to erroneous process design. InDico employs a meta-model based on Petri nets to formalize and analyze business processes, thereby enabling the identification of leaks caused by a flawed process design.

Authorization policies can be conveniently represented and reasoned about in logic. Proof theory is important for many such applications of logic. However, so far, there has been no systematic study of proof theory that incorporates system state, upon which access policies often rely. The present paper fills this gap by presenting the design and proof theory of an authorization logic BL that, among other features, includes direct support for external procedures to verify predicates on system state. We discuss design choices in the interaction between state and other features of the logic and validate the logic both foundationally, by proving relevant metatheoretic properties of the logic’s proof system, and empirically, through a case study of policies that control access to sensitive intelligence information in the U.S.

The first part of this paper discusses developments wrt. smart (electricity) meters (simply called E-meter s ) in general, with emphasis on security and privacy issues. The second part will be more technical and describes protocols for secure communication with E-meter s and for fraud detection (leakage) in a privacy-preserving manner. Our approach uses a combination of Paillier’s additive homomorphic encryption and additive secret sharing to compute the aggregated energy consumption of a given set of users.

There are numerous works on the privacy and the security problems for RFID systems. However, many of them have failed due to the lack of formal security proof. In the literature, there are a few formal models that consider forward untraceability. In ASIACRYPT 2007, Vaudenay presented an new security and privacy model for RFID that combines early models to more understandable one. In this paper, we revisit Vaudenay’s model and modify it by considering the notion of forward untraceability. Our modification considers all message flows between RFID reader and tags before and after compromising secrets of tag. We analyze some RFID schemes claiming to provide forward untraceability and resistance to server impersonation. For each scheme, we exhibit attacks in which a strong adversary can trace the future interactions of the tag and impersonate the valid server to the tag. Further, we show that a previously proposed attack claiming to violate forward untraceability of an existing RFID scheme does not violate forward untraceability.

In today’s electronic society, data sharing and dissemination are more and more increasing, leading to concerns about the proper protection of privacy. In this paper, we address a novel privacy problem that arises when non sensitive information is incrementally released and sensitive information can be inferred exploiting dependencies of sensitive information on the released data. We propose a model capturing this inference problem where sensitive information is characterized by peculiar distributions of non sensitive released data. We also discuss possible approaches for run time enforcement of safe releases.