Skip to main content

Über dieses Buch

This book constitutes the thoroughly refereed post-conference proceedings of the 7th International Workshop on Security and Trust Management, STM 2011, held in Copenhagen, Denmark, in June 2011 - co-located with IFIPTM 2011, the 5th IFIP International Conference on Trust Management. The 12 revised full papers presented together with 4 invited papers were carefully reviewed and selected from 33 submissions. Focusing on high-quality original unpublished research, case studies, and implementation experiences, STM 2011 features submissions from academia, industry, and government presenting novel research on all theoretical and practical aspects of security and trust in information and communication technologies.



Uncertainty, Subjectivity, Trust and Risk: How It All Fits together

Trust management involves the identification and analysis of trust relations. However, adequately managing trust requires all the relevant aspects of trust to be addressed. Moreover, which aspects to address depend on the perspective of the trust management. In this position paper we relate the notion of trust to the notions of uncertainty, subjectivity and risk, and we explain how these aspects should be addressed and reasoned about from three different perspectives.

Bjørnar Solhaug, Ketil Stølen

Trust Extortion on the Internet

Dangers exist on the Internet in the sense that there are attackers who try to break into our computers or who in other ways try to trick us when we engage in online activities. In order to steer away from such dangers people tend to look for signals of security and trustworthiness when navigating the Internet and accessing remote hosts. Seen from an online service provider’s perspective it therefore is an essential marketing requirement to appear trustworthy, especially when providing sensitive or professional services. Said more directly, any perception of weak security or low trustworthiness could be disastrous for an otherwise secure and honest online service provider. In this context many security vendors offer solutions for strengthening security and trustworthiness. However there is also a risk that security vendors through their marketing strategy create an illusion that an online service provider which does not implement their solutions might therefore be insecure or untrustworthy. This would represent what we call trust extortion, because service providers are forced to implement specific security solutions to appear trustworthy although there might be alternative security solutions that provide equal or better security. We describe real examples where this seems to be the case. Trust extortion as a marketing strategy does not have to be explicit, but can be done very subtly e.g. through standardisation and industry fora, which then gives it a veil of legitimacy.

Audun Jøsang

Trust Areas: A Security Paradigm for the Future Internet

Security in information and communication technology currently relies on a collection of mostly un-related and un-coordinated security mechanisms. All in all, the end-user has no chance to get a good perception of the security properties satisfied for actions she is executing in the Internet. Classical approaches (e.g. perimeter security) do not work in open and heterogeneous communication environments. Federation of single security mechanisms only works for particular applications and for a small subset of security properties. Thus, new views on trust and security are required for the Future Internet. This vision paper proposes the concept of

Trust Areas

as one candidate for a security paradigm for the Future Internet and identifies some open research challenges.

Carsten Rudolph

Non-standards for Trust: Foreground Trust and Second Thoughts for Mobile Security

In this paper, we introduce and discuss Foreground Trust. Foreground Trust, itself based on recent work in the area of Trust Enablement, is a paradigm for allowing devices in a human-device ecosystem the means to reason with and about trust in themselves, other devices, and humans, whilst allowing humans to make trusting decisions using their own internal models (whatever they may be) based on cues from the environment —

including the device(s) in use at the time.

We discuss the paradigm, and present an actualization of it in the form of Device Comfort, a model of device reasoning based on environmental cues, and the use of the device status to help users make informed trusting and security decisions for themselves. In particular we focus on the interface between user and device to help the user make trust-based decisions and use second thoughts as a means to educate and raise user awareness about their security in online and mobile behaviours.

Stephen Marsh, Sylvie Noël, Tim Storer, Yao Wang, Pam Briggs, Lewis Robart, John Stewart, Babak Esfandiari, Khalil El-Khatib, Mehmet Vefa Bicakci, Manh Cuong Dao, Michael Cohen, Daniel Da Silva

A Proof-Carrying File System with Revocable and Use-Once Certificates

We present the design and implementation of a file system which allows authorizations dependent on revocable and use-once policy certificates. Authorizations require explicit proof objects, combining ideas from previous authorization logics and Girard’s linear logic. Use-once certificates and revocations lists are maintained in a database that is consulted during file access. Experimental results demonstrate that the overhead of using the database is not significant in practice.

Jamie Morgenstern, Deepak Garg, Frank Pfenning

New Modalities for Access Control Logics: Permission, Control and Ratification

We present a new modal access control logic, ACL


, to specify, reason about and enforce access control policies. The logic includes new modalities for permission, control, and ratification to overcome some limits of current access control logics. We present a Hilbert-style proof system for ACL


and a sound and complete Kripke semantics for it. We exploit the Kripke semantics to define Seq-ACL


: a sound, complete and cut-free sequent calculus for ACL


, implying that ACL


is at least semi-decidable. We point at a Prolog implementation of Seq-ACL


and discuss possible extensions of ACL


with axioms for subordination between principals.

Valerio Genovese, Deepak Garg

Security Notions of Biometric Remote Authentication Revisited

In this paper, we describe a new biometric-based remote authentication (BRA) system by combining distributed biometric authentication and cancelable biometrics. The motivation of this construction is based on our new attacks against the BRA schemes designed according to the security model of Bringer et al. Specifically, we prove that identity privacy cannot be achieved for the schemes in this model, if biometrics is assumed as public data and a publicly stored sketch is employed for improved accuracy. Besides, a statistical attack is shown that is effective even if the sketch is stored as encrypted. To prevent statistical attacks, we propose a weaker notion of identity privacy, where the adversary has limited power. Next, we design a BRA protocol in cancelable biometric setting, which is also applicable for biometrics represented as a set of features. For this setting, we define a stronger security notion, which is guaranteed for the BRA schemes that are vulnerable to our attacks if they are implemented in cancelable biometric setting.

Neyire Deniz Sarier

Hiding the Policy in Cryptographic Access Control

Recently, cryptographic access control has received a lot of attention, mainly due to the availability of efficient

Attribute-Based Encryption (ABE)

schemes. ABE allows to get rid of a trusted reference monitor by enforcing access rules in a cryptographic way. However, ABE has a privacy problem: The access policies are sent in clear along with the ciphertexts. Further generalizing the idea of policy-hiding in cryptographic access control, we introduce

policy anonymity

where – similar to the well-understood concept of


-anonymity – the attacker can only see a large set of possible policies that might have been used to encrypt, but is not able to identify the one that was actually used. We show that using a concept from graph theory we can extend a known ABE construction to achieve the desired privacy property.

Sascha Müller, Stefan Katzenbeisser

Location Privacy in Relation to Trusted Peers

One common assumption when defining location privacy metrics is that one is dealing with attackers who have the objective of re-identifying an individual out of an anonymized data set. However, in today’s communication scenarios, user communication and information exchange with (partially) trusted peers is very common, e.g., in communication via social applications. When disclosing voluntarily a single observation to a (partially) trusted communication peer, the user’s privacy seems to be unharmed. However, location data is able to transport much more information than the simple fact of a user being at a specific location. Hence, a user-centric privacy metric is required in order to measure the extent of exposure by releasing (a set of) location observations. The goal of such a metric is to enable individuals to estimate the privacy loss caused by disclosing further location information in a specific communication scenario and thus enabling the user to make informed choices, e.g., choose the right protection mechanism.

Klaus Rechert, Benjamin Greschbach

Fairness in Non-Repudiation Protocols

We indicate two problems with the specifications of fairness that are currently used for the verification of non-repudiation and other fair-exchange protocols. The first of these problems is the implicit assumption of perfect information. The second problem is the possible lack of effectiveness. We solve both problems in isolation by giving new definitions of fairness, but leave the combined solution for further work. Moreover, we establish a hierarchy of various definitions of fairness, and indicate the consequences for existing work.

Wojciech Jamroga, Sjouke Mauw, Matthijs Melissen

Risk-Aware Role-Based Access Control

The increasing need to share information in dynamic environments has created a requirement for risk-aware access control systems. The standard RBAC model is designed to operate in a relatively stable, closed environment and does not include any support for risk. In this paper, we explore a number of ways in which the RBAC model can be extended to incorporate notions of risk. In particular, we develop three simple risk-aware RBAC models that differ in the way in which risk is represented and accounted for in making access control decisions. We also propose a risk-aware RBAC model that combines all the features of three simple models and consider some issues related to its implementation. Compared with existing work, our models have clear authorization semantics and support richer types of access control decisions.

Liang Chen, Jason Crampton

Automated Analysis of Infinite State Workflows with Access Control Policies

Business processes are usually specified by workflows extended with access control policies. In previous works, automated techniques have been developed for the analysis of authorization constraints of workflows. One of main drawback of available approaches is that only a bounded number of workflow instances is considered and analyses are limited to consider intra-instance authorization constraints. Instead, in applications, several workflow instances execute concurrently, may synchronize, and be required to ensure inter-instance constraints. Performing an analysis by considering a finite but arbitrary number of workflow instances can give designers a higher confidence about the quality of their business process. In this paper, we propose an automated technique for the analysis of both intra- and inter-instance authorization constraints in workflow systems. We reduce the analysis problem to a model checking problem, parametric in the number of workflow instances, and identify a sub-class of workflow systems with a decidable analysis problem.

Alessandro Armando, Silvio Ranise

The Role of Data Integrity in EU Digital Signature Legislation — Achieving Statutory Trust for Sanitizable Signature Schemes

We analyse the legal requirements that digital signature schemes have to fulfil to achieve the

Statutory Trust

granted by the EU electronic signature laws (“legally equivalent to hand-written signatures”). Legally, we found that the possibility to detect subsequent changes is important for the Statutory Trust. However, detectability was neither adequately nor precisely enough defined in the technical and legal definitions of the term “Data Integrity”. The existing definition on integrity lack a precise notion of which changes should not invalidate a corresponding digital signature and also lack notions to distinguish levels of detection. We give a new definition for Data Integrity including two notions: Authorized changes, these are changes which do not compromise the data’s integrity; and their level of detection. Especially, the technical term “Transparency” introduced as a security property for sanitizable signature schemes has an opposite meaning in the legal context. Technically, cryptography can allow authorized changes and keep them unrecognisably hidden. Legally, keeping them invisible removes the Statutory Trust. This work shows how to gain the Statutory Trust for a chameleon hash based sanitizable signature scheme.

Henrich C. Pöhls, Focke Höhne

Mutual Remote Attestation: Enabling System Cloning for TPM Based Platforms

We describe a concept of mutual remote attestation for two identically configured trusted (TPM based) systems. We provide a cryptographic protocol to achieve the goal of deriving a common session key for two systems that have verified each other to be a clone of themselves.

The mutual attestation can be applied to backup procedures without providing data access to administrators, i.e. one trusted systems exports its database to another identical trusted system via a secure channel after mutual attestation is completed.

Another application is dynamically parallelizing trusted systems in order to increase the performance of a trusted server platform.

We present details of our proposed architecture and show results from extensive hardware tests. These tests show that there are some unresolved issues with TPM-BIOS settings currently distributed by PC hardware manufacturers since the specification regarding measurement of extended platform BIOS configuration is either not met or the usage of undocumented options is required.

Ulrich Greveler, Benjamin Justus, Dennis Löhr

Secure Architecure for the Integration of RFID and Sensors in Personal Networks

The secure integration of RFID technology into the personal network paradigm, as a context-aware technology which complements body sensor networks, would provide notable benefits to applications and potential services of the personal network (PN). RFID security as an independent technology is reaching an adequate maturity level thanks to research in recent years; however, its integration into the PN model, interaction with other network resources, remote users and service providers requires a specific security analysis and an architecture prepared to support these resource-constrained pervasive technologies. This paper provides such PN architecture and analysis. Aspects such as the management of personal tags as members of the PN, the authentication and secure communication of PN nodes and remote users with the context-aware technologies, and the enforcement of security and privacy policies are discussed in the architecture.

Pablo Najera, Rodrigo Roman, Javier Lopez

Accepting Information with a Pinch of Salt: Handling Untrusted Information Sources

This paper describes on-going research developing a system to allow incident controllers and similar decision makers to augment official information input streams with information contributed by the wider public (either explicitly submitted to them or harvested from social networks such as Facebook and Twitter), and to be able to handle inconsistencies and uncertainty arising from the unreliability of such sources in a flexible way.

Syed Sadiqur Rahman, Sadie Creese, Michael Goldsmith


Weitere Informationen

Premium Partner

Neuer Inhalt

BranchenIndex Online

Die B2B-Firmensuche für Industrie und Wirtschaft: Kostenfrei in Firmenprofilen nach Lieferanten, Herstellern, Dienstleistern und Händlern recherchieren.



Best Practices für die Mitarbeiter-Partizipation in der Produktentwicklung

Unternehmen haben das Innovationspotenzial der eigenen Mitarbeiter auch außerhalb der F&E-Abteilung erkannt. Viele Initiativen zur Partizipation scheitern in der Praxis jedoch häufig. Lesen Sie hier  - basierend auf einer qualitativ-explorativen Expertenstudie - mehr über die wesentlichen Problemfelder der mitarbeiterzentrierten Produktentwicklung und profitieren Sie von konkreten Handlungsempfehlungen aus der Praxis.
Jetzt gratis downloaden!