|Title:||A Non-monotonic Trust Management System with
Privacy-Preserving Credential Verification
|Affiliation:||Imperial College London|
PhD project description
The open and dynamic nature of modern distributed systems presents a significant challenge to security management. Traditional security management systems are centralised and operate under a closed world assumption. All participants must have an identity established by the system and share some secret information with the system for authentication purposes. The centralised model is usually infeasible in open distributed systems. Trust management is an alternative approach that utilises some notion of trust in order to specify and interpret security policies and make authorisation decisions on security-related actions.
Most trust management systems, assume monotonicity: additional credentials can only result in the increasing of privilege. There are several reasons why monotonicity is a desirable property in trust management. Firstly, monotonicity simplifies the design of trust management systems. The systems do not need to evaluate all potential policies and credentials, but are still provably correct and analysable. Monotonicity also avoids policy conflicts which are often caused by non-monotonicity. Furthermore, in some cases, non-monotonic policies can be converted into monotonic policies. For example, instead of defining a negative policy that requires credential C, one can define a positive policy to require a credential of "not have C".
The monotonic assumption oversimplifies the real world by cutting off the negative part, thus it cannot handle many important scenarios. For example, with monotonic semantics, it is hard to express explicit negative policies such as a consultant cannot serve company A and B at the same time because there is a conflict of interest (the Chinese Wall policy); a bank teller should not be an auditor of the same bank (Separation of Duties). Explicit negation is particularly important for authorisation in distributed system scenarios, where the number of potential requesters is high. Without negations, we cannot express policies such as "allow all except some" elegantly.
This thesis aims to build a non-monotonic trust management system which allows flexible and expressive policies. We proposed the use of a policy language which supports non-monotonic reasoning with well-defined semantics. It also supports flexible conflict resolution. The system combines information from multiple sources such as direct experience, credentials, recommendations and reputation to build up trust. When credentials are used the system must have the exact set of credentials from an entity to make a sound decision. It is hard because if a subject knows or can predict that a certain credential will result in the decrease of its privileges, it may prefer not to reveal it. A trust management system cannot distinguish whether the absence of certain credentials is caused by "not having" or "not disclosing". To solve this problem, previous studies on non-monotonic trust management suggest that the system should be able to collect credentials directly from the credentials issuers rather than only from the subjects. Although this approach seems to be able to solve the problem, it causes new problems. One problem is privacy: the issuer could disclose information about the subject, i.e. the credential, to anyone who wants the credential. It also requires issuers to be always online, which may not be practical. To handle non-monotonicity in trust management systems, we present a cryptographic credential verification scheme which guarantees that the trust management system can identify all the required credentials possessed by the subject while also providing protecting the subject's privacy.
- Giovanni Russello, Changyu Dong, Naranker Dulay, A Workflow-based Access Control Framework for Healthcare Applications, in Proceedings of 4th International Symposium on Frontiers in Networking with Applications (FINA2008), GinoWan, Okinawa, Japan, March 2008
- Giovanni Russello, Changyu Dong, Naranker Dulay, Personalizing Situated Workflows for Pervasive Healthcare Applications, in Proceedings of 2st International Conference on Pervasive Computing Technologies for Healthcare (PervasiveHealth 2008), Tampere, Finland, January 2008
- Changyu Dong, Giovanni Russello, and Naranker Dulay, Privacy-Preserving Credential Verification for Non-monotonic Trust Management Systems, in Proceedings of International Conference on Mathematical Methods, Models and Architectures for Computer Networks Security (MMM-ACNS-07) , St. Petersburg, Russia, September 2007.
- Changyu Dong, Giovanni Russello, and Naranker Dulay, Trust Transfer in Distributed Systems, in Proceedings of 2007Joint iTrust and PST Conferences on Privacy, Trust Management and Security (IFIPTM 2007) , Moncton, Canada, July 2007.
- Giovanni Russello, Changyu Dong, and Naranker Dulay, Authorisation and Conflict Resolution for Hierarchical Domains, in Proceedings of 2007 IEEE Workshop on Policies for Distributed Systems and Networks (Policy 07) , Bologna, Italy, June 2007.
- Giovanni Russello, Changyu Dong, and Naranker Dulay, Enforcing Fine-grained Authorization Policies for Java Mobile Agents, in Proceeding of 3rd IEEE Symposium on Security Network and Distributed Systems (SSNDS07) , Niagara Falls, Canada, May 2007.
- Changyu Dong, and Naranker Dulay, Privacy Preserving Trust Negotiation for Pervasive Healthcare, in Proceedings of 1st International Conference on Pervasive Computing Technologies for Healthcare (PervasiveHealth 2006), Innsbruck, Austria, November 2006
- [_URL_ Homepage] of Changyu Dong
- Publications of Changyu Dong, as indexed by DBLP