International Conference IFIPTM 2015, Hamburg, Germany, May 26–28, 2015, Proceedings, 1st Edition, Christian Damsgaard Jensen
Christian Damsgaard Jensen Stephen Marsh
Theo Dimitrakos Yuko Murayama (Eds.)
Trust Management IX
9th IFIP WG 11.11 International Conference, IFIPTM 2015 Hamburg, Germany, May 26–28, 2015 Proceedings
IFIP AICT 454
IFIP Advances in Information and Communication Technology
Editor-in-Chief
Kai Rannenberg, Goethe University, Frankfurt, Germany
Editorial Board
Foundation of Computer Science
Jacques Sakarovitch, Télécom ParisTech, France
Software: Theory and Practice
Michael Goedicke, University of Duisburg-Essen, Germany
Education
Arthur Tatnall, Victoria University, Melbourne, Australia
Information Technology Applications
Erich J. Neuhold, University of Vienna, Austria
Communication Systems
Aiko Pras, University of Twente, Enschede, The Netherlands
System Modeling and Optimization
Fredi Tröltzsch, TU Berlin, Germany
Information Systems
Jan Pries-Heje, Roskilde University, Denmark
ICT and Society
Diane Whitehouse, The Castlegate Consultancy, Malton, UK
Computer Systems Technology
Ricardo Reis, Federal University of Rio Grande do Sul, Porto Alegre, Brazil
Security and Privacy Protection in Information Processing Systems
Yuko Murayama, Iwate Prefectural University, Japan
Artificial Intelligence
Tharam Dillon, Curtin University, Bentley, Australia
Human-Computer Interaction
Jan Gulliksen, KTH Royal Institute of Technology, Stockholm, Sweden
Entertainment Computing
Matthias Rauterberg, Eindhoven University of Technology, The Netherlands
IFIP – The International Federation for Information Processing
IFIP was founded in 1960 under the auspices of UNESCO, following the First World Computer Congress held in Paris the previous year. An umbrella organization for societies working in information processing, IFIP’s aim is two-fold: to support information processing within its member countries and to encourage technology transfer to developing nations. As its mission statement clearly states,
IFIP’s mission is to be the leading, truly international, apolitical organization which encourages and assists in the development, exploitation and application of information technology for the benefit of all people.
IFIP is a non-profitmaking organization, run almost solely by 2500 volunteers. It operates through a number of technical committees, which organize events and publications. IFIP’s events range from an international congress to local seminars, but the most important are:
• The IFIP World Computer Congress, held every second year;
• Open conferences;
• Working conferences.
The flagship event is the IFIP World Computer Congress, at which both invited and contributed papers are presented. Contributed papers are rigorously refereed and the rejection rate is high.
As with the Congress, participation in the open conferences is open to all and papers may be invited or submitted. Again, submitted papers are stringently refereed.
The working conferences are structured differently. They are usually run by a working group and attendance is small and by invitation only. Their purpose is to create an atmosphere conducive to innovation and development. Refereeing is also rigorous and papers are subjected to extensive group discussion.
Publications arising from IFIP events vary. The papers presented at the IFIP World Computer Congress and at open conferences are published as conference proceedings, while the results of the working conferences are often published as collections of selected and edited papers.
Any national society whose primary activity is about information processing may apply to become a full member of IFIP, although full membership is restricted to one society per country. Full members are entitled to vote at the annual General Assembly. National societies preferring a less committed involvement may apply for associate or corresponding membership. Associate members enjoy the same benefits as full members, but without voting rights. Corresponding members are not represented in IFIP bodies. Affiliated membership is open to non-national societies, and individual and honorary membership schemes are also offered.
More information about this series at http://www.springer.com/series/6102
Editors
Christian Damsgaard Jensen, Technical University of Denmark, Lyngby, Denmark
Stephen Marsh, University of Ontario, Oshawa, ON, Canada
Theo Dimitrakos, BT Research & Innovation, Ipswich, UK
Yuko Murayama, Iwate Prefectural University, Takizawa, Japan
ISSN 1868-4238
ISSN 1868-422X (electronic)
IFIP Advances in Information and Communication Technology
ISBN 978-3-319-18490-6
ISBN 978-3-319-18491-3 (eBook)
DOI 10.1007/978-3-319-18491-3
Library of Congress Control Number: 2015937744
Springer Cham Heidelberg New York Dordrecht London
© IFIP International Federation for Information Processing 2015
This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed.
The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use.
The publisher, the authors and the editors are safe to assume that the advice and information in this book are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors give a warranty, express or implied, with respect to the material contained herein or for any errors or omissions that may have been made.
Printed on acid-free paper
Springer International Publishing AG Switzerland is part of Springer Science+Business Media (www.springer.com)
Preface
Dear Reader
Welcome to the IFIPTM 2015 Proceedings!
This volume contains the proceedings of the 9th IFIP Working Group 11.11 International Conference on Trust Management. The conference was held in Hamburg, Germany, May 26–28, 2015.
IFIPTM is a truly global conference, spanning research, development, policy, and practice for the increasingly important areas of trust management and computational trust. Given the breadth of application of these areas, and true to our historical underpinnings established at the first IFIPTM conference in 2007, IFIPTM 2015 focused on several areas, including trust and reputation and models thereof, the relationship between trust and security, socio-technical aspects of trust, reputation, and privacy, trust in the cloud, and behavioral models of trust.
The conference received 28 submissions from a wide variety of countries, including France, Germany, The Netherlands, UK, Algeria, Norway, Singapore, Greece, Denmark, China, Japan, Malaysia, Luxembourg, Romania, China, USA, Australia, and Canada. Every submission was subjected to a thorough peer review process, with at least three and most often four reviews per paper. Following these we accepted eight long and five short papers (an acceptance rate for long papers of 32%). In addition, since IFIPTM was colocated with the IFIP SEC conference, we solicited two papers from SEC that were more suitable for the Trust Management area, each of which was also reviewed by IFIPTM Program Committee members. The resulting program is broad and we hope stimulating for the attendees and yourself.
IFIPTM also hosts every year the William Winsborough Commemorative Address in memoriam of our esteemed colleague Prof. William Winsborough. The award is given to an individual who has significantly contributed to the areas of computational trust and trust management. In 2015, the Working Group was pleased to host Prof. Ehud Gudes of Ben-Gurion University of the Negev, who keynoted the conference and provided an extended abstract which can be found in these proceedings.
In addition to papers and keynote address, IFIPTM hosted a tutorial on identity and access management by Prof. Audun Jøsang of the University of Oslo, a special session on Data Protection, Privacy, and Transparency organized by Dr. Rehab Alnemr from HP Labs and Dr. Carmen Fernández-Gago from University of Málaga and keynoted by Marit Hansen, Deputy Chief of Unabhängiges Landeszentrum für Datenschutz, Germany. Finally, the conference hosted a special session on Trusted Cloud Ecosystems organized and chaired by Dr. Theo Dimitrakos of BT, from which papers and a message from Dr. Dimitrakos are included in these proceedings.
Conferences are multiheaded beasts, and as such require a team of dedicated people to tame them. To our Program Committee and associated reviewers, who delivered thoughtful, insightful and very much on time reviews, our thanks. This year we have been lucky to work with truly professional and helpful Workshop, tutorial, Poster and Demonstration, Publicity, and Liaison Chairs. Since IFIPTM is colocated with IFIP SEC, the task of local organization and registration fell on the IFIP SEC team, notably Dr. Dominik Herrmann of the University of Hamburg, to whom, special thanks for putting up with our frailties. Thanks also to the University of Hamburg for providing the facilities.
No conference would succeed without authors. To all of those who submitted, our thanks and congratulations for being part of a growing, important, and vibrant research area. There are many, many conferences for which trust is listed as either a key or an associated area of interest, and we are keenly aware of the applicability of trust and trust management to a great many aspects of computer security, Human Computer Interaction, privacy, the social sciences, and beyond. We continue to try to build IFIPTM as a cross-disciplinary conference of choice, and appreciate your support.
For more information on the working group, please visit http://www.ifiptm.org/.
We hope you enjoy the conference and the proceedings.
March 2015
Stephen Marsh
Christian Damsgaard Jensen
IFIP Trust Management IX
9th IFIP WG 11.11 International Conference on Trust Management, 2015
Hamburg, Germany
May 26–28, 2015
General Chairs
Theo Dimitrakos, Security Research Centre, BT Group CTO and University of Kent, UK
Yuko Murayama, Iwate Prefectural University, Japan
Program Chairs
Christian Damsgaard Jensen, Technical University of Denmark, Denmark
Stephen Marsh, University of Ontario Institute of Technology, Canada
Workshop and Tutorial Chairs
Sheikh Mahbub Habib, Technische Universität Darmstadt, Germany
Jan-Philipp Steghöfer, Göteborg University, Sweden
Poster and Demonstration Chairs
Dhiren Patel, NIT Surat, India
Audun Jøsang, University of Oslo, Norway
Panel and Special Session Chairs
Jean-Marc Seigneur, University of Geneva, Switzerland
Masakatsu Nishigaki, Shizuoka University, Japan
Publicity Chairs
Tim Muller, Nanyang Technological University, Singapore
Anirban Basu, KDDI R&D Laboratories, Japan
Graduate Symposium Chairs
Nurit Gal-Oz, Sapir Academic College, Israel
Jie Zhang, Nanyang Technological University, Singapore
Local Organization Chair
Dominik Herrmann, University of Hamburg, Germany
Program Committee
Rehab Alnemr, HP Labs Bristol, UK
Man Ho Au, Hong Kong Polytechnic University, Hong Kong
Anirban Basu, KDDI R&D Laboratories, Japan
Elisa Bertino, Purdue University, USA
Pamela Briggs, Northumbria University, UK
David Chadwick, University of Kent, UK
Piotr Cofta
Lynne Coventry, Northumbria University, UK
Frédéric Cuppens, TELECOM Bretagne, France
Theo Dimitrakos, Security Research Centre, BT Group CTO and University of Kent, UK
Natasha Dwyer, Victoria University, Australia
Babak Esfandiari, Carleton University, Canada
Rino Falcone, Institute of Cognitive Sciences and Technologies, Italy
Hui Fang, Nanyang Technological University, Singapore
Carmen Fernández-Gago, University of Málaga, Spain
Josep Ferrer, Universitat de les Illes Balears, Spain
Simone Fischer-Hübner, Karlstad University, Sweden
Sara Foresti, Università degli Studi di Milano, Italy
Nurit Gal-Oz, Sapir Academic College, Israel
Dieter Gollmann, Hamburg University of Technology, Germany
Stefanos Gritzalis, University of the Aegean, Greece
Ehud Gudes, Ben-Gurion University of the Negev, Israel
Sheikh Mahbub Habib, CASED/Technische Universität Darmstadt, Germany
Omar Hasan, University of Lyon, France
Peter Herrmann, NTNU Trondheim, Norway
Xinyi Huang, Fujian Normal University, China
Roslan Ismail, Universiti Tenaga Nasional, Malaysia
Valerie Issarny, Inria, France
Christian Damsgaard Jensen, Technical University of Denmark, Denmark
Audun Jøsang, University of Oslo, Norway
Yuecel Karabulut, VMware, USA
Tracy Ann Kosa, University of Ontario Institute of Technology, Canada
Costas Lambrinoudakis, University of Piraeus, Greece
Gabriele Lenzini, SnT/University of Luxembourg, Luxembourg
Joseph Liu, Monash University, Australia
Yang Liu, Nanyang Technological University, Singapore
Javier Lopez, University of Málaga, Spain
Stephen Marsh, University of Ontario Institute of Technology, Canada
Fabio Martinelli, IIT-CNR, Italy
Sjouke Mauw, University of Luxembourg, Luxembourg
Weizhi Meng, Institute for Infocomm Research (I2R), Singapore
Max Mühlhäuser, Technische Universität Darmstadt, Germany
Tim Muller, Nanyang Technological University, Singapore
Yuko Murayama, Iwate Prefectural University, Japan
Wee Keong Ng, Nanyang Technological University, Singapore
Masakatsu Nishigaki, Shizuoka University, Japan
Zeinab Noorian, University of Saskatchewan, Canada
Dhiren Patel, NIT Surat, India
Günther Pernul, Universität Regensburg, Germany
Sini Ruohomaa, University of Helsinki, Finland
Pierangela Samarati, Università degli Studi di Milano, Italy
Jean-Marc Seigneur, University of Geneva, Switzerland
Murat Sensoy, Özyeğin University, Turkey
Ketil Stølen, SINTEF, Norway
Tim Storer, University of Glasgow, UK
Mahesh Tripunitara, The University of Waterloo, Canada
Claire Vishik, Intel Corporation, UK
Ian Wakeman, University of Sussex, UK
Shouhuai Xu, University of Texas at San Antonio, USA
Jie Zhang, Nanyang Technological University, Singapore
Jianying Zhou, Institute for Infocomm Research (I2R), Singapore
External Reviewers
Naipeng Dong, National University of Singapore, Singapore
Ida Maria Haugstveit, SINTEF, Norway
Ravi Jhawar, University of Luxembourg, Luxembourg
Spyros Kokolakis, University of the Aegean, Greece
Francisco Moyano, University of Málaga, Spain
Aida Omerovic, SINTEF, Norway
Ruben Rios, University of Málaga, Spain
Aggeliki Tsohou, Ionian University, Greece
Dongxia Wang, Nanyang Technological University, Singapore
Yang Zhang, University of Luxembourg, Luxembourg
Contents
Winsborough Award Invited Paper
Reputation - from Social Perception to Internet Security
Ehud Gudes
Full Papers
Mathematical Modelling of Trust Issues in Federated Identity Management
Md. Sadek Ferdous, Gethin Norman, Audun Jøsang, and Ron Poet
Simple and Practical Integrity Models for Binaries and Files
Yongzheng Wu and Roland H.C. Yap
Enabling NAME-Based Security and Trust
Nikos Fotiou and George C. Polyzos
Trust Driven Strategies for Privacy by Design
Thibaud Antignac and Daniel Le Métayer
Lightweight Practical Private One-Way Anonymous Messaging
Anirban Basu, Juan Camilo Corena, Jaideep Vaidya, Jon Crowcroft, Shinsaku Kiyomoto, Stephen Marsh, Yung Shin Van Der Sype, and Toru Nakamura
Privacy-Preserving Reputation Mechanism: A Usable Solution Handling Negative Ratings
Paul Lajoie-Mazenc, Emmanuelle Anceaume, Gilles Guette, Thomas Sirvent, and Valérie Viet Triem Tong
Obscuring Provenance Confidential Information via Graph Transformation
Jamal Hussein, Luc Moreau, and Vladimiro Sassone
Social Network Culture Needs the Lens of Critical Trust Research
Natasha Dwyer and Stephen Marsh
Predicting Quality of Crowdsourced Annotations Using Graph Kernels
Archana Nottamkandath, Jasper Oosterman, Davide Ceolin, Gerben Klaas Dirk de Vries, and Wan Fokkink
An Architecture for Trustworthy Open Data Services
Andrew Wong, Vicky Liu, William Caelli, and Tony Sahama
Short Papers
1, 2, Pause: Lets Start by Meaningfully Navigating the Current Online Authentication Solutions Space
Ijlal Loutfi and Audun Jøsang
Data Confidentiality in Cloud Storage Protocol Based on Secret Sharing Scheme: A Brute Force Attack Evaluation
Alexandru Butoi, Mircea Moca, and Nicolae Tomai
The Detail of Trusted Messages: Retweets in a Context of Health and Fitness
Natasha Dwyer and Stephen Marsh
Reusable Defense Components for Online Reputation Systems
Johannes Sänger, Christian Richthammer, Artur Rösch, and Günther Pernul
Continuous Context-Aware Device Comfort Evaluation Method
Jingjing Guo, Christian Damsgaard Jensen, and Jianfeng Ma
Special Session: Toward Trusted Cloud Ecosystems
Foreword: Towards Trusted Cloud Ecosystems
Theo Dimitrakos
A Cloud Orchestrator for Deploying Public Services on the Cloud – The Case of STRATEGIC Project
Panagiotis Gouvas, Konstantinos Kalaboukas, Giannis Ledakis, Theo Dimitrakos, Joshua Daniel, Géry Ducatel, and Nuria Rodriguez Dominguez
Integrating Security Services in Cloud Service Stores
Joshua Daniel, Fadi El-Moussa, Géry Ducatel, Pramod Pawar, Ali Sajjad, Robert Rowlingson, and Theo Dimitrakos
Building an Eco-System of Trusted Services via User Control and Transparency on Personal Data
Michele Vescovi, Corrado Moiso, Mattia Pasolli, Lorenzo Cordin, and Fabrizio Antonelli
Security-as-a-Service in Multi-cloud and Federated Cloud Environments
Pramod S. Pawar, Ali Sajjad, Theo Dimitrakos, and David W. Chadwick
The Role of SLAs in Building a Trusted Cloud for Europe
Ana Juan Ferrer and Enric Pages i Montanera
Author Index
Winsborough Award Invited Paper
Reputation - from Social Perception to Internet Security
Ehud Gudes
Ben-Gurion University, 84105 Beer-Sheva, Israel
ehud@cs.bgu.ac.il
Abstract. Reputation is a concept that we use in many aspects of our social life and as part of our decision making process. We use reputation in our interaction with people or companies we do not know and we use it when we buy merchandize or reserve a room in a hotel. However, reputation plays also an important role in the internet society and enables us to establish trust which is essential for interaction in the virtual world. Reputation has several important aspects such as Aggregation, Identity and Transitivity which make it applicable in completely different domains. In this presentation we show the use of these aspects in several different domains and demonstrate it with our own previous and current research on reputation.
A good name is more desirable than great riches; to be esteemed is better than silver or gold. Proverbs 22:1
1 Introduction
Reputation is a key concept in our social life. Many of our day-to-day decisions, such as which book to buy or which physician to consult, are based on Trust. This trust is based either on our own direct experience or, when such direct experience is lacking, on the direct experience of other people whose opinion we value. However, when no such direct or indirect experience is available, we tend to rely on an aggregated opinion of a large set of people or a community, which is manifested as Reputation. Reputation also plays a major role in virtual communities and social networks. Attempts to tarnish reputation in social networks have caused much damage to people in recent years (several cases of suicide have been reported as a result of tarnished reputation). So maintaining a good online reputation becomes a critical issue for both people and businesses. The existence of easily accessible virtual communities makes it both possible and legitimate to communicate with total strangers. Such interaction, however, must be based on trust, which is usually based on personal experience. When such experience is not readily available, one often relies on reputation. Thus, computing reputation to capture a community’s viewpoint is an important challenge. Reputation has become a key component of several commercial systems such as E-bay [3]. Also, quite a few models for trust and reputation were developed. Different models use different conceptual frameworks, including simple average of ratings, Bayesian systems, belief models [11] which enable the representation of uncertainty in rating, flow models in which the concept of transitive trust is central, such as Eigen-trust [13] and Page-rank [16], and group-based models such as the Knot model [7]. In this presentation we discuss three important aspects of reputation and show how they are used in different domains. While the first two domains we discuss involve reputation of real-life users, the third domain deals with abstract entities, internet domains, yet computing and using reputation in this domain is similar to its use in the social domain.
© IFIP International Federation for Information Processing 2015. C.D. Jensen et al. (Eds.): IFIPTM 2015, IFIP AICT 454, pp. 3–10, 2015. DOI: 10.1007/978-3-319-18491-3_1
The first aspect we deal with is the use of reputation as part of an Identity. In the social domains, reputation is an important part of a person’s identity, and the identity of a person determines his or her permitted actions. An expert programmer may gain more access rights to open source code managed by some company as her reputation increases. Such rights may be to review or modify code at different levels. Our first domain then is the Authorization domain and the use of reputation for fine-grained access control. In Sect. 2 we present some models which use reputation as part of a user identity and consider it in making access control decisions.
The second aspect we examine is Aggregation. Most reputation computational models use some form of aggregation of ratings to compute the reputation [12]. However, such aggregation is usually done within a single community. In real life, users may be active in several communities and, to protect their privacy, users may use different identities in different communities. A major shortcoming is that user efforts to gain a good reputation in one community are not utilized in other communities they are active in. Another shortcoming is the inability of one community to learn about the dishonest behavior of some member as identified by other communities. Thus the need arises to aggregate reputation from multiple communities. We developed the Cross-Community Reputation (CCR) model for the sharing of reputation knowledge across virtual communities [5, 6, 9]. The CCR model is aimed at leveraging reputation data from multiple communities to obtain more accurate reputation. It enables new virtual communities to rapidly mature by importing reputation data from related communities. The use of Aggregation in the CCR model is discussed in Sect. 3.
The third aspect we discuss is Transitivity, an important property of trust which has implications on the computation of reputation. It enables us to compute reputation not only from our own experience or our friends’ experience but also from our “friends of friends” experience, etc. Several flow models for computing reputation while practicing the transitivity property have been published, including Eigen-trust [13] and Page-rank [16]. Our unique contribution here is in transferring these ideas to the computation of Internet domains reputation. Today’s internet world is full of threats and malware. Hackers often use various domains to spread and control their malware. The detection of these misbehaving domains is difficult since there is no time to collect and analyze traffic data in real time, thus their identification ahead of time is very important. We use the term domain reputation to express a measure of our belief that a domain is benign or malicious. Computing domain reputation by using the Transitivity property and a Flow algorithm was investigated by us [15] and will be discussed in Sect. 3.
2 Identity - Reputation and Access Control
Conventional access control models like role based access control are suitable for regulating access to resources by known users. However, these models have often been found to be inadequate for open and decentralized multi-centric systems where the user population is dynamic and the identity of all users is not known in advance. For such systems, there must be, in addition to user authentication, some trust measure associated with the user. Such a trust measure can be represented by the user reputation as one attribute of the user’s identity. Chakraborty and Ray [2] presented TrustBAC, a trust based access control model. It extends the conventional role based access control model with the notion of trust levels. Users are assigned to trust levels instead of roles based on a number of factors like user credentials, user behavior history, user recommendation etc. Trust levels are assigned to roles which are assigned to permissions as in role based access control. In TrustBAC, when the reputation of a user decreases because of past actions, the user’s assignment to the original role may not be valid anymore and a new role with fewer permissions is assigned by the system. An example of such a scenario in the digital library domain is given in [2]. The switching of roles may not be desirable in all cases. In a medical domain, for example, a physician with less reputation may not lose her role as “doctor” but may lose instead some of her permissions. This dynamic assignment of permissions for the same role, based on the user reputation, may be much more flexible and can prevent the proliferation of too many roles. In [14] we define this dynamic model formally and show a detailed example of its operation in the software development domain. The main observation of this is that when one considers reputation as part of the user identity, one can support much more flexible role-based models without the need to increase significantly the number of roles in the system.
3 Aggregation and Cross Community Reputation
In this section we briefly describe the way reputation is aggregated from several communities using the CCR model [5, 9]. The CCR model defines the major stages required to aggregate the reputation of a community member with the reputation of that member in other communities. The first stage determines the confidence one community has in another as a precondition for receiving reputation information from the latter. The second stage involves the conversion of reputation values from the domain values of one community to those of the other. In the third stage, a matching procedure is carried out between the sets of attributes used by the participating communities to describe reputation. As an example, suppose there are two sport communities in which a commentator is active, one for Basketball, the other for Football. Assume that Bob, a commentator, likes to import (and aggregate) his reputation from the football community into the basketball community. The first stage considers the general confidence that basketball community members have for reputation computed in the football community. The second stage considers the statistical distribution of reputation values in the two communities and applies the required transformation (e.g., a very good rating in one community may only be considered “good” in the other). The third stage maps the specific attributes that are used to compute the reputation in the two communities (e.g., the attribute “prediction accuracy” in the football community may be partially mapped to the attribute “general reliability” in the basketball community). A detailed mathematical model which explains the process of the mapping and aggregation of CCR is described in [5]. The CCR model was implemented as the TRIC software. TRIC is concerned primarily with aggregating different reputation mechanisms across communities and with protecting user rights to privacy and control over data during this aggregation. The CCR computation process [5] begins when a requesting community that wishes to receive CCR data regarding one of its users sends a request to relevant responding communities. Communities that have reputation data of the user and are willing to share the information reply with the relevant reputation data. The received data is aggregated and assembled into an object containing the CCR data of the user in the context of the requesting community. This process is illustrated in Fig. 1.
Fig. 1. Request for CCR scenario: (1): A requesting community sends TRIC a request for the CCR of a community member; (2): TRIC compiles a request and (3) submits it to all potential responding communities; (4): Responding communities submit a reputation object of the member at subject; (5): TRIC processes all reputation objects and compiles a CCR object; (6): TRIC sends the CCR object to the requesting community
One of the important goals associated with sharing reputation between communities is dealing with privacy. Within the CCR model, we identified three major privacy concerns that are not present or that are less significant in single community domains. First, Unlinkability is a primary concern raised by the CCR model. Although we aim to compute a user’s CCR from several communities, we provide the means to do so without compromising the user’s anonymity in each community and while upholding the requirement of unlinkability between the communities. Controlling the dissemination of reputation information is another privacy requirement. We present a policy-based approach that enables both the users and the communities to have control over the dissemination of reputation data. The third privacy issue we address is the tradeoff between privacy and trust. We suggest the transparency measure for evaluating CCR objects. To attain a high transparency rank, members are encouraged to disclose their reputation-related information whenever it is clear that disclosing their information is preferable and more valuable to them than the potential impairment of their privacy. The issue of Privacy within the CCR model is discussed in [8].
4 Transitivity and Computing Domains Reputation
As was discussed earlier, computing domain reputation and identifying suspicious domains is a very important problem in Internet security today. Our approach to the problem [15] uses a graph of domains and IPs which is constructed from mapping information available in DNS log records. The Domain Name Service (DNS) maps domain names to IP addresses and provides an essential service to applications on the internet. Many botnets use a DNS service to locate their next Command and Control (C&C) site. Therefore, DNS logs have been used by several researchers to detect suspicious domains and filter their traffic if necessary. We take the famous expression “Tell me who your friends are and I will tell you who you are”, motivating many social trust models, into the internet domains world. Thus a domain that is related to malicious domains is more likely to be malicious as well. This Transitivity property motivates the use of a Flow algorithm. Although DNS data was used by several researchers before to compute domain reputation (see [1]), in [15] we present a new approach by applying a flow algorithm on the DNS graph to obtain the reputation of domains and identify potentially malicious ones. Computing reputation for domains raises several new difficulties:
– Rating information, if it exists, is sparse and usually binary: a domain is labeled either “white” or “black”.
– Static sources like blacklists and whitelists are often not up-to-date.
– There is no explicit concept of trust between domains, which makes it difficult to apply a flow or a transitive trust algorithm.
– Reputation of domains is dynamic and changes very fast.
These difficulties make the selection of an adequate computational model for computing domain reputation a challenging task. Our approach is based on a flow algorithm, commonly used for computing trust in social networks and virtual communities. We are mainly inspired by two models: the Eigentrust model [4] which computes trust and reputation by transitive iteration through chains of trusting users and the model by Guha et al. [10] which combines the flow of trust and distrust. The motivation for using a flow algorithm is the assumption that IPs and domains which are neighbors of malware generating IPs and domains are more likely to become malware generating as well. We construct a graph which reflects the topology of domains and IPs and their mappings and relationships and use a flow model to propagate the knowledge received in the form of a black list, to label domains in the graph as malicious or suspected domains. Although we do not claim that every domain (or IP) connected to a malicious domain in our graph is malicious, our research hypothesis is that such domains (IPs) have a higher probability to become malicious. Our preliminary experimental results support this hypothesis.
The main input to the flow algorithm is the Domains/IPs graph. This graph is built from the following sources: (1) A-records: a database of successful mappings between IPs and domains, collected from a large ISP over several months. These mappings basically construct the edges between Domains and IPs. (2) Whois: a query and response protocol that is widely used for querying databases that store the registered users or assignees of an Internet resource. This database groups IPs which have similar characteristics and is therefore the base for IP to IP edges. In addition there are Domain to Domain edges which are related to similarity between domain names. (3) Feed-framework: a list of malicious domains which is collected over the same period of time as the collected A-records. This list is used as the initial "malicious" domains set. (4) Alexa: the Alexa database ranks websites based on a combined measure of page views and unique site users. The initial "benign" domains set is derived from this list. (5) VirusTotal: a website that provides free checking of domains for viruses and other malware. We use it to test our results as will be described below. The most difficult part in constructing the Domain/IP graph is assigning the weight on the edges, since the weight is proportional to the amount of flow on the edge. We tested several methods to assign weights which consider topologies of the graph and other factors, see [15]. Once the DNS graph is built and the sets of "benign" and "malicious" domains are extracted, the algorithm can be performed. The entire process is depicted in Fig. 2.
The flow algorithm models the idea that every IP and domain distribute their reputation to IPs or domains connected to them. This is done iteratively and the reputation in each iteration is added to the total reputation of a domain or IP, with some attenuation factor. The attenuation factor is a means to reduce the amount of reputation one vertex can gain from a vertex that is not directly connected to it by transitivity. The flow algorithm is executed separately to propagate good reputation and bad reputation and then the two reputation values are combined in several manners, resulting in several variations of the algorithm (see details in [15]).
Fig. 2. The process for computing the score: (1) Create the graph and assign weights represented as matrix; (2) Create the initial vector used for propagation; (3) Combine the matrix and the vector to execute the flow algorithm; (4) Get the final scores.
The important contribution of these algorithms is their ability to correctly predict future malicious domains. Although not all malicious domains are identified, a significant amount is discovered. In one of the experiments we used DNS logs over a 3 months period from which a large Domain-IP graph was constructed with nearly one million nodes, and the flow algorithm was applied to it. The results were that out of the top 1000 highly suspected domains, 30% were found to be known malicious (using VirusTotal), while in a random set of 1000 domains only 0.9% were known as malicious.
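The four steps of Fig. 2, as an added Python example that is not the authors' code from [15]: reputation flows from seed domains over a weighted Domain/IP graph, each further hop is damped by the attenuation factor, and the good and bad runs are combined. The sample graph, the edge weights, the attenuation of 0.5, the four iterations and the "bad minus good" combination are all assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample edges (node, node, weight). Names, addresses and weights
# are invented for illustration; the weighting schemes tested are in [15].
EDGES = [
    ("bad-seed.example", "198.51.100.7", 1.0),          # A-record mapping
    ("unknown-a.example", "198.51.100.7", 1.0),         # same IP as a bad seed
    ("198.51.100.7", "198.51.100.8", 0.5),              # Whois: related IPs
    ("unknown-b.example", "198.51.100.8", 1.0),
    ("unknown-a.example", "unknown-a2.example", 0.3),   # similar domain names
    ("good-seed.example", "203.0.113.10", 1.0),
    ("unknown-c.example", "203.0.113.10", 1.0),         # same IP as a good seed
]
BAD_SEEDS = {"bad-seed.example"}      # stands in for the malicious feed
GOOD_SEEDS = {"good-seed.example"}    # stands in for the Alexa-derived set


def build_graph(edges):
    """Step 1 of Fig. 2: weighted, undirected adjacency map."""
    graph = defaultdict(dict)
    for a, b, weight in edges:
        graph[a][b] = weight
        graph[b][a] = weight
    return dict(graph)


def propagate(graph, seeds, iterations=4, attenuation=0.5):
    """Steps 2-3: flow seed reputation outward, damping each extra hop."""
    current = {node: 1.0 if node in seeds else 0.0 for node in graph}
    total = dict(current)
    for hop in range(1, iterations + 1):
        incoming = dict.fromkeys(graph, 0.0)
        for node, value in current.items():
            if value == 0.0:
                continue
            out_weight = sum(graph[node].values())
            for neighbour, weight in graph[node].items():
                # A vertex splits its reputation in proportion to edge weight.
                incoming[neighbour] += value * weight / out_weight
        for node in graph:
            total[node] += (attenuation ** hop) * incoming[node]
        current = incoming
    return total


def is_ip(node):
    """True for IP vertices, so that only domains are scored."""
    try:
        ipaddress.ip_address(node)
        return True
    except ValueError:
        return False


def score_domains(edges, bad_seeds, good_seeds, **params):
    """Step 4: one assumed combination, bad flow minus good flow."""
    graph = build_graph(edges)
    bad = propagate(graph, bad_seeds, **params)
    good = propagate(graph, good_seeds, **params)
    return {n: bad[n] - good[n] for n in graph if not is_ip(n)}


def rank_unlabelled(scores, labelled):
    """Most suspicious first, skipping domains that were seeds."""
    candidates = [d for d in scores if d not in labelled]
    return sorted(candidates, key=lambda d: scores[d], reverse=True)


if __name__ == "__main__":
    scores = score_domains(EDGES, BAD_SEEDS, GOOD_SEEDS)
    for domain in rank_unlabelled(scores, BAD_SEEDS | GOOD_SEEDS):
        print(f"{domain:22s} {scores[domain]:+.4f}")
```

The domain sharing an IP with the bad seed ranks first, its name-similar neighbour and the domain one Whois hop away follow with much smaller scores, and the domain co-hosted with the good seed ends up negative.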
5 Conclusions
Reputation is a key concept in making decisions in our social life. In this paper we have discussed three key aspects of reputation: Identity, Aggregation and Transitivity which are important when migrating the concept of reputation from one domain to another. This was shown by briefly reviewing several research papers of ours. The main conclusion is that reputation plays a major role in a wide range of domains beside the social arena domain.
References
1. Antonakakis, M., Perdisci, R., Dagon, D., Lee, W., Feamster, N.: Building a dynamic reputation model for DNS. In: USENIX Security Symposium, pp. 273–290 (2010)
2. Chakraborty, S., Ray, I.: TrustBAC: integrating trust relationships into the RBAC model for access control in open systems. In: Proceedings of the 11th ACM symposium on Access Control Models and Technologies (SACMAT 2006), pp. 49–58. ACM, New York (2006)
3. Dellarocas, C.: Analyzing the economic efficiency of ebay-like online reputation reporting mechanisms. In: ACM Conference on Electronic Commerce, pp. 171–179 (2001)
4. Kamvar, S.D., Schlosser, M.T., Garcia-Molina, H.: The eigentrust algorithm for reputation management in P2P networks. In: WWW, pp. 640–651 (2003)
5. Gal-Oz, N., Grinshpoun, T., Gudes, E.: Sharing reputation across virtual communities. J. Theor. Appl. Electr. Commer. Res. 5(2), 1–25 (2010)
6. Gal-Oz, N., Grinshpoun, T., Gudes, E., Meisels, A.: Cross-community reputation: policies and alternatives. In: Proceedings of the International Conference on Web Based Communities (IADIS-WBC 2008) (2008)
7. Gal-Oz, N., Gudes, E., Hendler, D.: A robust and knot-aware trust-based reputation model. In: Proceedings of the 2nd Joint iTrust and PST Conferences on Privacy, Trust Management and Security (IFIPTM 2008), Trondheim, Norway, June 2008, pp. 167–182 (2008)
8. Gal-Oz, N., Grinshpoun, T., Gudes, E.: Privacy issues with sharing reputation across virtual communities. In: Proceedings of the 2011 International Workshop on Privacy and Anonymity in Information Society, PAIS 2011, Uppsala, Sweden, p. 3. March 2011
9. Grinshpoun, T., Gal-Oz, N., Meisels, A., Gudes, E.: CCR: a model for sharing reputation knowledge across virtual communities. In: Proceedings of the IEEE/WIC/ACM International Conference on Web Intelligence and Intelligent Agent Technology (WI 2009), pp. 34–41. IEEE (2009)
10. Guha, R., Kumar, R., Raghavan, P., Tomkins, A.: Propagation of trust and distrust. In: WWW, pp. 403–412 (2004)
11. Jøsang, A., Ismail, R.: The beta reputation system. In: Proceedings of the 15th Bled Electronic Commerce Conference, vol. 160, pp. 17–19 (2002)
12. Jøsang, A., Ismail, R., Boyd, C.: A survey of trust and reputation systems for online service provision. Decis. Support Syst. 43(2), 618–644 (2007)
13. Kamvar, S., Schlosser, M., Garcia-Molina, H.: The eigentrust algorithm for reputation management in P2P networks. In: Proceedings of the 12th International Conference on World Wide Web (WWW 2003), pp. 640–651. ACM (2003)
14. Lavi, T., Gudes, E.: A dynamic reputation based RBAC model. Report, The Open University, Raanana, Israel (2015)
15. Mishsky, I., Gal-Oz, N., Gudes, E.: A flow based domain reputation model. Report, Ben-Gurion University, Beer-Sheva, Israel (2015)
16. Parreira, J.X., Donato, D., Michel, S., Weikum, G.: Efficient and decentralized pagerank approximation in a peer-to-peer web search network. In: Proceedings of the 32nd International Conference on Very Large Data Bases, pp. 415–426 (2006)
Full Papers
Mathematical Modelling of Trust Issues in Federated Identity Management
Md. Sadek Ferdous¹, Gethin Norman¹, Audun Jøsang², and Ron Poet¹
¹ School of Computing Science, University of Glasgow, Glasgow G12 8QQ, Scotland {sadek.ferdous,gethin.norman,ron.poet}@glasgow.ac.uk
² Department of Informatics, University of Oslo, 0316 Oslo, Norway josang@mn.uio.no
Abstract. With the absence of physical evidence, the concept of trust plays a crucial role in the proliferation and popularisation of online services. In fact, trust is the inherent quality that binds together all involved entities and provides the underlying confidence that allows them to interact in an online setting. The concept of Federated Identity Management (FIM) has been introduced with the aim of allowing users to access online services in a secure and privacy-friendly way and has gained considerable popularity in recent years. Being a technology targeted for online services, FIM is also bound by a set of trust requirements. Even though there have been numerous studies on the mathematical representation, modelling and analysis of trust issues in online services, a comprehensive study focusing on the mathematical modelling and analysis of trust issues in FIM is still absent. In this paper we aim to address this issue by presenting a mathematical framework to model trust issues in FIM. We show how our framework can help to represent complex trust issues in a convenient way and how it can be used to analyse and calculate trust among different entities qualitatively as well as quantitatively.
Keywords: Trust · Federated Identity Management · Mathematical modelling
1 Introduction
Unlike the brick and mortar world, the physical evidence and visual cues that can be used to establish trust and gain confidence are largely absent in online services. Despite this, the popularity of online services has grown exponentially in the last decade or so. The concept of trust played a crucial role in popularising online services. In fact, trust is the inherent quality that binds together all involved entities and provides the underlying confidence that allows them to interact in an online service. The mathematical modelling and analysis of different trust requirements in online services abound and form a well established research area. Such a model helps to express and to reason with trust issues in a formal way which can ultimately help to create novel ways for determining trust among involved entities.
© IFIP International Federation for Information Processing 2015. C.D. Jensen et al. (Eds.): IFIPTM 2015, IFIP AICT 454, pp. 13–29, 2015. DOI: 10.1007/978-3-319-18491-3_2
The concept of Federated Identity Management (FIM) has been introduced to ease the burden of managing different online identities and to allow users to access online services in a secure and privacy-friendly way [1]. FIM offers an array of advantages to different stakeholders and has gained considerable popularity in recent years. Being a technology targeted for the online setting, FIM is also bound by a set of trust requirements. Surprisingly, the mathematical representation, modelling and analysis of different trust requirements of FIM have received little attention so far. The aim of this paper is to fill this gap.
Here, we present a comprehensive mathematical framework considering different trust aspects targeted for FIM. In doing so, we show how our framework can formally express trust in FIM and how such expressions can be used to analyse and evaluate trust qualitatively and quantitatively. The main contributions of the paper are:
1. Inspired by the notation of trust presented in [14], we present a notation to express trust between different entities in FIM.
2. We use this notation to develop the first mathematical framework to model, analyse and derive trust in different types of identity federations.
3. We explore trust transformations resulting from interactions in FIM.
4. Finally, we present a simple method to evaluate trust quantitatively in FIM.
The paper is structured as follows. Section 2 provides a brief introduction to FIM and the required trust issues in this setting. Section 3 introduces the notation and the interaction model that will be used in our framework. The trust issues in different types of identity federations are modelled in Sects. 4 and 5. We show how trust transformations occur within different federations using our framework in Sect. 6 and how trust can be calculated quantitatively in Sect. 7. Section 8 discusses the related work and finally Sect. 9 concludes the paper.
2 Background
In this section, we provide a brief introduction to FIM, to different aspects of trust in general and to trust issues in FIM specifically.
Federated Identity Management. Identity Management consists of technologies and policies for representing and recognising entities using digital identifiers within a specific context [7]. A system that is used for managing the identity of users is called an Identity Management System (IMS). Each IMS includes the following types of parties: Service Providers (SPs) or Relying Parties (RPs) - entities that provide services to users or other SPs, Identity Providers (IdPs) - entities that provide identities to users to enable them to receive services from SPs and Clients/Users - entities that receive services from SPs. Among different IMS, the Federated Identity Management (FIM) has gained much attention and popularity.
The Federated Identity Management is based on the concept of Identity Federation. A federation with respect to Identity Management is a business model in which a group of two or more trusted parties legally bind themselves with a business and technical contract [1, 17]. It allows a user to access restricted resources seamlessly and securely from other partners residing in different Identity Domains. An identity domain is the virtual boundary, context or environment in which an identity of a user is valid [17]. Single Sign On (SSO) is the capability that allows users to log in to one system and then access other related but autonomous systems without further logins. It alleviates the need to log in every time a user needs to access those related systems. A good example is the Google Single Sign On service which allows users to log in to a Google service, e.g., Gmail, and then allows them to access other Google services such as Calendar, Documents, YouTube, Blogs and so on.
Fig. 1. Federated identity domain: (a) Type 1; (b) Type 2.
A federated identity domain can be formed by one IdP in an identity domain and a number of SPs with each SP residing in a separate identity domain (Type 1 in Fig. 1(a)). Several federated identity domains can be combined to form a larger federated identity domain where each smaller federated domain is of Type 1 (Type 2 in Fig. 1(b)). A Type 2 federation allows an IdP of a Type 1 federation to delegate the authentication task to another IdP in a different Type 1 federation. To enable this, both IdPs need to act as both IdPs and SPs. The issue of trust is a fundamental concept in FIM as different autonomous bodies need to trust each other inside the federation. Such parties inside a federation are said to form the so-called Circle of Trust (CoT).
A federation can be of two types depending on how it is created. The traditional federation, also called a Static Federation, is where the federation is created at the admin level and is bound with a legal contract using a specified set of administrative procedures. On the other hand, in a Dynamic Federation any user, not only administrators, can create the federation in a dynamic fashion without administrative intervention or a legally binding contract [3].
Trust. The concept of trust and trust management in the setting of online services is a widely studied topic and has been defined in numerous ways. For the purpose of this paper, we use the following definition taken from [11] which was originally inspired by [13].
"Trust is the extent to which one party is willing to depend on something or somebody in a given situation with a feeling of relative security, even though negative consequences are possible."
The definition gives a directional relationship between two entities: the first is regarded as the Trustor and the second the Trustee. The trustor and trustee can be any entity; however, in the scope of this paper, only those involved in FIM will be considered (i.e. users, IdPs and SPs). The pairwise trust relations we consider are user-IdP, user-SP, IdP-SP and IdP-IdP, which is in line with the current IMS setting and the relationships that occur inside a federation.
Trust can be of two types: Direct Trust (DT) and Indirect Trust (IT) [12]. Direct trust signifies that there exists a trust relationship between the entities based on first hand experience and evidence. On the other hand, indirect trust, also known as Transitive Trust, is a trust relationship between two entities based on referral from one or more intermediate third parties.
Every trust relationship has a scope that signifies the specific purpose or context in which that trust relationship is valid. The trust strength (also known as the trust degree) signifies the level of trust a trustor has over a trustee [14]. The type and value used to define the level of trust will vary depending on the trust scopes as well. Trust can be defined as Mutual Trust only if there is a bi-directional trust relationship with the same trust type, scope and strength between the corresponding entities. In such a case, both entities can act as the trustor and the trustee. Trust often exhibits the transitivity property [11]: if an entity A trusts another entity B and B trusts another entity C, a trust relation can be derived between A and C. To derive such a transitive trust relation, the trust scope must be the same. The trust transformation is the process when a trust relationship between two entities changes due to the change of trust strength while the trust type remains the same. Such a transformation occurs normally for two reasons: (i) when the trust is derived following the transitivity property and (ii) when one entity interacts with another entity to perform a certain action which ultimately triggers the change in the trust strength. The transformation can be positive, meaning the new trust strength is higher than what it was before, or can be negative, meaning the new trust strength is lower than what it was before.
A trust with a single scope can be defined as atomic trust. Compound trust can be defined as the combined trust of several different atomic trusts where the trustor, trustee and the trust direction and strength between them remain the same. The compound trust will also have the same trust direction and strength.
Trust Issues in Identity Management. The issue of trust is a fundamental concept in FIM as different participating organisations need to trust each other inside the federation at a sufficient level to allow them to exchange and trust user information. We will consider such trust issues using two separate instances.
The first, called High Level trust, is the abstract level of trust that is assumed between federated entities (IdPs and SPs) in a federation. This level of trust is common in the existing literature on FIM. For example, it is common to express that two entities trust each other if they belong to the same CoT. In such an expression, the trust is treated at an abstract level and is used mostly to signify their architectural relation inside a federation.
The second, called Fine-grained trust, is a detailed expression of trust including the scope between entities (including users) in a federation. The expression may (optionally) include a trust type or strength. Inspired by the requirements outlined in [8, 12], the authors in [2] have outlined a set of fine-grained trust requirements in the traditional federation which are applicable for both Type 1 and Type 2 federations. We will use their requirements to represent fine-grained trusts in Sect. 4.
Trust in a dynamic federation is modelled using three classes of entities [3]: Fully Trusted entities are IdPs and SPs in the traditional SAML (Security Assertion Markup Language) federation which have a legal contract between them [18]; Semi-trusted entities are SPs in a dynamic federation that have been added dynamically to an IdP inside the federation under some conditions without a contract and to whom any user of the IdP has agreed to release a subset of her attributes; and Untrusted entities are IdPs and SPs in a dynamic federation which have been added dynamically under some conditions without a contract. A detailed discussion of these classes can be found in [3].
3 Notation
In this section we will introduce the notation that will be used to build up the model. We use $E$ to denote the set of entities, with $U$ the set of users, $SP$ the set of service providers and $IDP$ the set of identity providers. Since each user, SP and IdP is also an entity, we have $E = U \cup IDP \cup SP$. In addition, $F$ denotes the set of federations and we will use subscripts from $F$ to define the contexts of entities (i.e. the federation to which they belong). For example, $E_f$ will be used to denote the set of entities in a federation $f$. We use $T$ to denote the set of trust types. As explained above, we consider two types of trust: direct trust (denoted by $DT$) and indirect trust (denoted by $IT$). Therefore, $T = \{DT, IT\}$.
We use $S$ for the set of trust scopes. Different trust scopes can be defined depending on the trust requirements. We consider the following trust scopes for FIM based on the fine-grained trust requirements of [2]:
– REG is trust in the implementation of the registration process;
– STO is trust in secure attribute storage;
– AUTHN is trust in the implementation of the authentication mechanism;
– AP is trust in allowing the use of anonymous or pseudonymous identifiers;
– CONSENT is trust in the release of only those attributes consented to;
– ABU is the trust that an entity will not abuse attributes released to it;
– CARE is the trust that an entity handles her attributes with adequate care;
– HON is the trust that an entity provides attribute values honestly;
– ACDA is the trust that an entity adheres to the agreed policies and procedures during access control and delegated access;
– SRV is the trust in service provisioning;
– MIN-ATT is the trust that an entity requests only minimal attributes;
– REL is the trust in an entity correctly releasing attributes;
– ND is the trust in an entity adhering to the non-disclosure of attributes;
– FED is trust between federated entities.
We consider the following types of trust strengths in FIM.
Subjective Trust. This defines the subjective trust a user may have in IdPs and SPs in a federation and will be denoted with conf. It can have different levels; however, we have opted for three levels: LOW (L), MED (M), HIGH (H).
Level of Assurance (LoA). This defines the trust strength between federated IdPs and SPs and is used during service provisioning. It is based on the NIST LoA guidance of 1 to 4 where Level 1 can be used to model the lowest trust and Level 4 the highest [15]. It will be denoted as loa with values from 1 to 4.
Federation Trust. The last type concerns the trust strength between federated IdPs and SPs with respect to their architectural relations. It is denoted with fed-trust and can take four different values: UNTRUSTED (UT), SEMI-TRUSTED (ST), RESTRICTED-TRUSTED (RT) and FULLY-TRUSTED (FT). The lowest trust strength UT means a trustor does not trust a trustee at all and is associated between entities federated in a dynamic fashion or between entities in a transitive trust in static federations (see below). The strength ST means a trustor trusts a trustee up to a certain level. An example is the trust strength between a dynamically federated IdP and an SP and the fact that the IdP may not want to release sensitive attributes to the SP as there is no formal agreement between them. The strength RT is higher than ST, but lower than FT. Such a strength is exhibited when the trust relationship between a trustor and trustee is derived using transitivity and the trustor may not fully trust the trustee as there are no formal agreements between them. The strength FT signifies the highest strength and is exhibited when the trustor and trustee are part of a traditional federation. The federation trust strengths are ranked:
$$UT < ST < RT < FT$$
To indicate an entity $e_1 \in E_f$ (the trustor) has $t \in T$ trust over an entity $e_2 \in E_f$ (the trustee) in a federation $f \in F$ with a trust scope of $s \in S$ and the trust strength of $v$, we will use the following notation, inspired by [14]:
$$e_1 \xrightarrow[v]{\;t\,:\,s\;} e_2$$
where $v$ represents the trust strength (either conf, loa or fed-trust). To express the same trust $t$ between two entities $e_1$ and $e_2$ with the same trust strength $v$ in a number of different scopes, $s_1, \ldots, s_n$, we extend the notation to:
$$e_1 \xrightarrow[v]{\;t\,:\,\{s_1, \ldots, s_n\}\;} e_2$$
If there exists a mutual trust ($t$) between two entities in the same trust scope ($s$) with the same trust strength ($v$), we use the notation:
$$e_1 \xleftrightarrow[v]{\;t\,:\,s\;} e_2$$
3.1 Interaction Model
To enable a protocol flow in a federation, each entity interacts with another entity in order to perform an action at another entity. A user interacting with an IdP to authenticate herself by providing an identifier (e.g. username) and a credential (e.g. password) is an example of an interaction. Interaction between entities to perform an action can cause the trust between the involved entities to transform. The interaction model consists of the actions that an entity can perform at another entity in a federation. Such interactions must be carried out using a communication channel. We will use the notation CHANNEL to define the set of channels. Two types of channels will be considered: secure channels, denoted SC, model secure HTTPS connections whereas unsecured channels, denoted UC, model unsecured HTTP connections.
To denote an interaction in which an entity $e_1$ performs action $a$ at entity $e_2$ using communication channel $c$, we will use the following notation: c(e1 a e2). There could be many interactions in a federation; however, within the scope of this paper, we restrict attention to the following interactions:
– c(u RG idp) representing user u registering at IdP idp through channel c;
– c(u A idp) representing user u authenticating herself at IdP idp through channel c;
– c(idp AP u) representing IdP idp allowing user u to use anonymous or pseudonymous identifiers through channel c;
– c(idp C u) representing IdP idp providing user u with the opportunity to provide consent for releasing selected attributes through channel c;
– c(idp RL sp) representing IdP idp releasing user u's selected attributes to the SP sp through channel c.
4 Trust Modelling in Traditional (Static) Federations
In this section, we model trust between different entities in traditional federations. We will consider first high level trust and then fine-grained trust.
4.1 High Level Trust Modelling
We can express the high level trust in a Type 1 federation $f \in F$ between an IdP $idp \in IDP_f$ and an SP $sp \in SP_f$ by:
$$idp \xleftrightarrow[FT]{\;DT\,:\,FED\;} sp$$
This signifies that $idp$ and $sp$ have a mutual direct trust in the scope of the federation. Since it is a Type 1 federation, the entities trust each other fully, hence the trust strength is fully trusted ($FT$).