Optimum WEB OF TRUST for PGP based on Social Networks
Supervised by: Dr. Zahid Anwar
Co-supervised by: Mr Owais A. Malik
Committee Members: Dr. Awais Shibli, Mr Qasim Rajpoot
By Saira Kausar, MS-IT(10)
Roadmap
• Introduction
• Problem Statement
• Literature Review
• Problems Identified
• Proposed Solution
• Timeline
Background
Symmetric Key Cryptography
• Only one key, shared between sender and receiver
• Key distribution is a problem
• Not scalable
Asymmetric Key Cryptography
• Two keys (public and private)
• Solves the key distribution problem
• New problem: key validation, since a public key can be spoofed
PKI (Public Key Infrastructure)
• Solution to the key validation problem
• Centralized approach: needs trusted CAs, and only CAs can issue certificates
• A chain of certificates has to be verified, and it still depends on a single trusted root CA
• CAs become a bottleneck
Web of Trust (WOT)
• Solution to the key validation problem
• Decentralized approach: no trusted CAs needed, everyone can issue certificates
• Implemented in PGP and GnuPG (the OpenPGP standard)
What is PGP? • Pretty Good Privacy • 1991 – Zimmermann wrote PGP • Send E-mail securely to a known recipient • Digitally sign E-mail so that the recipient(s) can be sure it is from you • Can also be used with file transfers
How Does it Work?
• Install GnuPG and generate a pair of keys for yourself: a "public key" and a "private key".
• The private key is like a regular key: you use it to unlock your messages.
• You publish your public key (your lock) by sending it to a PGP key server on the Internet.
• People who wish to send you private e-mail use a copy of your lock to lock the message.
• You keep the private key to yourself, so that only you can open and read the messages.
PGP "Web of Trust"
• Anyone can upload keys to key servers, even fake keys, so a key server by itself does not tell you who owns a key.
• The authenticity of a public key is checked through signatures: if you can verify that a key belongs to its owner (for example by comparing its fingerprint with the owner in person), you sign that key, indicating that you have verified ownership.
Problem Statement
• Develop a generic model for PGP that overcomes the deficiencies of the current PGP trust model.
FOAF http://www.ibm.com/developerworks/xml/library/x-foaf.html http://www.foaf-project.org/ http://arnetminer.org/viewperson.do?naid=95158&keyword=Zahid%20Anwar
The Friend of a Friend (FOAF)
• The FOAF project defines a mechanism for describing people and who they know.
• It creates a Web of machine-readable pages describing people, the links between them and the things they create.
• It is simply an RDF vocabulary.
• Every user can create one or more FOAF files on his own Web server and share the URLs.
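As an added example (not part of this presentation and not the FOAF project's own code), the following Python parses a small constructed FOAF file with the standard library, derives the `mbox_sha1sum` that FOAF uses to publish a mailbox without exposing the address, and walks the `foaf:knows` links as a graph. The people, addresses and the `seeAlso` URL in the sample are made up. It also shows what the format does not give you: every assertion is self-published and unsigned, a `knows` link carries no trust level, and `mbox_sha1sum` only protects addresses that cannot be guessed and hashed.

```python
import hashlib
import xml.etree.ElementTree as ET
from collections import deque

RDF = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
RDFS = "http://www.w3.org/2000/01/rdf-schema#"
FOAF = "http://xmlns.com/foaf/0.1/"


def mbox_sha1sum(email):
    """FOAF's mbox_sha1sum: SHA-1 of the full mailto: URI, hex encoded."""
    return hashlib.sha1(f"mailto:{email}".encode()).hexdigest()


# Constructed sample FOAF file (RDF/XML); the people and addresses are made up.
SAMPLE_FOAF = f"""<?xml version="1.0"?>
<rdf:RDF xmlns:rdf="{RDF}" xmlns:rdfs="{RDFS}" xmlns:foaf="{FOAF}">
  <foaf:Person rdf:ID="me">
    <foaf:name>Alice Example</foaf:name>
    <foaf:mbox_sha1sum>{mbox_sha1sum("alice@example.org")}</foaf:mbox_sha1sum>
    <foaf:knows>
      <foaf:Person>
        <foaf:name>Bob Example</foaf:name>
        <foaf:mbox rdf:resource="mailto:bob@example.org"/>
        <rdfs:seeAlso rdf:resource="http://example.org/bob/foaf.rdf"/>
      </foaf:Person>
    </foaf:knows>
    <foaf:knows>
      <foaf:Person>
        <foaf:name>Carol Example</foaf:name>
        <foaf:mbox_sha1sum>{mbox_sha1sum("carol@example.org")}</foaf:mbox_sha1sum>
        <foaf:knows><foaf:Person><foaf:name>Bob Example</foaf:name></foaf:Person></foaf:knows>
      </foaf:Person>
    </foaf:knows>
  </foaf:Person>
</rdf:RDF>
"""


def _text(el, local):
    child = el.find(f"{{{FOAF}}}{local}")
    return child.text.strip() if child is not None and child.text else None


def parse_foaf(xml_text):
    """Return {name: {"mbox_sha1sum", "seeAlso", "knows"}} for every foaf:Person.

    Persons are merged by name here for brevity; a real crawler should key on
    mbox_sha1sum (FOAF's inverse-functional property), because names collide.
    """
    root = ET.fromstring(xml_text)
    people = {}
    for person in root.iter(f"{{{FOAF}}}Person"):
        name = _text(person, "name")
        if name is None:
            continue
        entry = people.setdefault(name, {"mbox_sha1sum": None, "seeAlso": [], "knows": []})
        if entry["mbox_sha1sum"] is None:
            entry["mbox_sha1sum"] = _text(person, "mbox_sha1sum")
        mbox = person.find(f"{{{FOAF}}}mbox")
        if entry["mbox_sha1sum"] is None and mbox is not None:
            # The plain mailbox is published: derive the digest a privacy-minded
            # author would have written instead of the address.
            uri = mbox.get(f"{{{RDF}}}resource", "")
            entry["mbox_sha1sum"] = hashlib.sha1(uri.encode()).hexdigest()
        for see in person.findall(f"{{{RDFS}}}seeAlso"):
            entry["seeAlso"].append(see.get(f"{{{RDF}}}resource"))
        for knows in person.findall(f"{{{FOAF}}}knows"):
            friend = knows.find(f"{{{FOAF}}}Person")
            fname = _text(friend, "name") if friend is not None else None
            if fname and fname not in entry["knows"]:
                entry["knows"].append(fname)
    return people


def shortest_path(people, src, dst):
    """BFS over foaf:knows links; returns the list of names, or None if unreachable.
    Note that knows is directed and carries no trust value: a path says nothing
    about how much src trusts dst."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for friend in people.get(node, {}).get("knows", []):
            if friend not in prev:
                prev[friend] = node
                queue.append(friend)
    return None


if __name__ == "__main__":
    graph = parse_foaf(SAMPLE_FOAF)
    for name, info in graph.items():
        print(name, info["mbox_sha1sum"], "knows", info["knows"])
    print(shortest_path(graph, "Alice Example", "Bob Example"))
```

The `seeAlso` URL is where a crawler would fetch Bob's own FOAF file to extend the graph; this example stays offline and only records it.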
Conclusion
Pros
• FOAF is a good base for social networks
• Easy and simple
• Shows connected friends
Cons
• No trust level is shown
• The friends list must be created manually and uploaded to the web
Jennifer Golbeck's work on trust and reputation
1. Jennifer Golbeck, James Hendler, "Accuracy of Metrics for Inferring Trust and Reputation in Semantic Web-based Networks", EKAW 2004 (Engineering Knowledge in the Age of the Semantic Web), LNAI 3257, pp. 116–131.
2. Jennifer Golbeck, James Hendler, "FilmTrust: Movie recommendations using trust in web-based social networks", Proceedings of the IEEE Consumer Communications and Networking Conference, January 2006.
Inferring Trust and Reputation in Semantic Web-based Networks
• Proposed a method to infer trust based on a user's reputation in a semantic-web-based social network.
• Quantitative method to infer the trust that a user has in the next user.
• Implemented in a web e-mail system to infer the trust of e-mails received from a specified user.
• Trust/reputation range used: {1, -1}
Recommendation System
• Jennifer Golbeck proposed another method to infer trust for recommendation systems.
• All trust levels are combined along the path from source to target, and the method is applied to a film recommendation system (FilmTrust).
Conclusion
Pros
• Explicit trust rating provides a good base for trust calculation
• Provides reputation inference algorithms
• Applied her work to e-mail and to film trust
Cons
• Reputation for each individual node is ignored
• Used only 0 and 1 as reputation values, rounding any number between them
PGP’s Key servers https://pgp.webtru.st/
Search results from a key server
• Maintains a collection of public PGP keys.
• Provides decentralized and highly reliable key synchronization.
• Keys submitted to one server are quickly distributed to all key servers.
• This key server is OpenPGP compliant.
• Caveat: a key server does not check that an uploaded key belongs to the name on it; validity still has to be established by verifying the fingerprint and through signatures in the web of trust.
The PGP trust Model A. Abdul-Rahman. The PGP trust model. EDI-Forum: the Journal of Electronic Commerce, 10(3):27–31, 1997.
Key Validation in PGP
• Accept a given public key in the key ring as completely valid if one of the following holds:
• The public key belongs to the owner of the key ring.
• The key ring contains at least C certificates from completely trusted introducers with valid public keys.
• The key ring contains at least M certificates from marginally trusted introducers with valid public keys.
• Since an introducer's certificate only counts once the introducer's own key is valid, validity is propagated outward from the owner's key.
GnuPG's Trust Assignment
• In PGP, owner trust (how far a user is trusted as an introducer) is assigned to individual users manually; in GnuPG this is done with the trust command in gpg --edit-key, choosing unknown, never, marginal, full or ultimate.
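The C/M rule and the manual owner-trust assignment above, as an added Python example rather than code from PGP or GnuPG. The key ring, owner-trust values and certificates are constructed for the illustration; the defaults of 1 complete or 3 marginal introducers are GnuPG's `--completes-needed` and `--marginals-needed` values. The point it makes is that validity has to be propagated from the owner's key outward: a certificate only counts once the introducer's own key is valid, so the computation iterates to a fixpoint instead of making one pass over the ring.

```python
# Constructed key ring of owner "alice".  OWNERTRUST is the trust alice
# assigned to each key *as an introducer*; CERTS are the certificates
# (signer, signed key) present in the ring.
OWNER = "alice"
OWNERTRUST = {
    "alice": "ultimate",          # the owner's own key
    "bob": "complete",
    "carol": "marginal", "dave": "marginal", "eve": "marginal",
    "frank": "none", "grace": "none", "heidi": "none", "ivan": "none",
}
CERTS = [
    ("alice", "bob"), ("alice", "carol"), ("alice", "dave"), ("alice", "eve"),
    ("carol", "frank"), ("dave", "frank"), ("eve", "frank"),   # three marginal introducers
    ("carol", "grace"), ("dave", "grace"),                     # only two marginal introducers
    ("bob", "heidi"),                                          # one complete introducer
    ("frank", "ivan"),                                         # valid key, but frank is not trusted
]


def certificate_counts(key, valid, ownertrust, certs):
    """Count certificates on `key` from introducers whose own keys are already valid."""
    complete = marginal = 0
    for signer, signee in certs:
        if signee != key or signer not in valid:
            continue              # a certificate from an unvalidated key counts for nothing
        trust = ownertrust.get(signer, "none")
        if trust in ("ultimate", "complete"):
            complete += 1
        elif trust == "marginal":
            marginal += 1
    return complete, marginal


def valid_keys(owner, ownertrust, certs, completes_needed=1, marginals_needed=3):
    """Keys accepted as completely valid under PGP's C/M rule.

    Validity propagates outward from the owner's key, so iterate to a fixpoint:
    a key that becomes valid in one round can act as an introducer in the next.
    """
    valid = {owner}
    changed = True
    while changed:
        changed = False
        for key in ownertrust:
            if key in valid:
                continue
            complete, marginal = certificate_counts(key, valid, ownertrust, certs)
            if complete >= completes_needed or marginal >= marginals_needed:
                valid.add(key)
                changed = True
    return valid


if __name__ == "__main__":
    # GnuPG's defaults: --completes-needed 1, --marginals-needed 3.
    print(sorted(valid_keys(OWNER, OWNERTRUST, CERTS)))
    # A laxer policy accepting two marginal introducers also validates grace.
    print(sorted(valid_keys(OWNER, OWNERTRUST, CERTS, marginals_needed=2)))
```

Ivan's key never becomes valid in this ring: Frank's key is valid, but Alice assigned Frank no owner trust, so his certificate carries no weight. That distinction between a key being valid and its owner being trusted as an introducer is the one users most often get wrong.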
A probabilistic trust model for GnuPG
1. Jacek Jonczy, Markus Wüthrich, Rolf Haenni, "A probabilistic trust model for GnuPG", 23C3, 23rd Chaos Communication Congress, 2006.
2. Rolf Haenni and Jacek Jonczy, "A New Approach to PGP's Web of Trust", ENISA/EEMA 07, Paris, France, June 12.
Probabilistic Key Validation
• Depending on A's own validation policy, e.g. by specifying a validity threshold in [0, 1], the key may be accepted as valid or not.
• For instance, if A has a strict acceptance policy, she sets a correspondingly high threshold, say 0.9.
• In this case, A would not accept K's public key as valid, since its computed validity of 0.581 is below the threshold.
• On the other hand, A would not reject the key either, but rather collect more evidence in the form of further certificates.
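To make the threshold step concrete, an added Python example (not the cited authors' implementation, and a deliberate simplification of their credential-network model): each introducer X is assigned an independent probability that X's certificates are reliable, and the validity of K's key is the probability that at least one certificate chain from A to K consists entirely of reliable introducers. The graph and the probabilities are constructed. The block also computes the value obtained by treating the chains as independent, which is exactly the hidden-dependency error named in the next slide: both chains to K pass through B, so combining them as if they were independent overstates the validity.

```python
from itertools import product

# Constructed example.  A owns the key ring; TRUST[X] is the probability A
# assigns to "X's certificates are reliable"; CERTS are (issuer, certified key).
# K is certified by C and by D, and both of their keys were certified by B alone.
OWNER = "A"
TRUST = {"B": 0.8, "C": 0.5, "D": 0.5}
CERTS = [("A", "B"), ("B", "C"), ("B", "D"), ("C", "K"), ("D", "K")]


def reachable(owner, target, certs, reliable):
    """Is target certified along a chain whose introducers are all in `reliable`?
    The owner's own certificates are always usable."""
    seen, stack = {owner}, [owner]
    while stack:
        node = stack.pop()
        if node == target:
            return True
        if node != owner and node not in reliable:
            continue                      # an unreliable introducer's certificates are ignored
        for issuer, subject in certs:
            if issuer == node and subject not in seen:
                seen.add(subject)
                stack.append(subject)
    return False


def exact_validity(owner, target, trust, certs):
    """P(some fully reliable chain exists), summed over every reliable/unreliable
    assignment of the introducers.  Exponential in the number of introducers,
    which is fine for one key ring's neighbourhood, not for a whole key server."""
    intro = sorted(trust)
    total = 0.0
    for bits in product((False, True), repeat=len(intro)):
        reliable = {x for x, b in zip(intro, bits) if b}
        p = 1.0
        for x, b in zip(intro, bits):
            p *= trust[x] if b else 1.0 - trust[x]
        if reachable(owner, target, certs, reliable):
            total += p
    return total


def chain_validity(owner, target, trust, certs):
    """The hidden-dependency mistake: treat each certificate chain as an
    independent event and combine them as 1 - prod(1 - p_chain)."""
    chains = []

    def dfs(node, path):
        if node == target:
            chains.append(path[1:-1])     # introducers strictly between owner and target
            return
        for issuer, subject in certs:
            if issuer == node and subject not in path:
                dfs(subject, path + [subject])

    dfs(owner, [owner])
    fail = 1.0
    for introducers in chains:
        p_chain = 1.0
        for x in introducers:
            p_chain *= trust[x]
        fail *= 1.0 - p_chain
    return 1.0 - fail


def decide(validity, threshold):
    """A's policy: accept at or above the threshold; below it, keep collecting
    certificates rather than rejecting the key."""
    return "valid" if validity >= threshold else "collect more certificates"


if __name__ == "__main__":
    exact = exact_validity(OWNER, "K", TRUST, CERTS)
    naive = chain_validity(OWNER, "K", TRUST, CERTS)
    print(f"exact {exact:.3f}, chains treated as independent {naive:.3f}")
    print(decide(exact, 0.9))
```

With these numbers the exact validity is 0.6 (B must be reliable, then at least one of C or D), while the independent-chain shortcut gives 0.64; under a threshold of 0.9 both land in the "collect more certificates" state the slide describes.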
Conclusion
Pros
• Explicit trust
• Several weaknesses of PGP's trust model are eliminated
• Gradual levels of validity are introduced
• Avoids counter-intuitive scenarios
• Eliminates the limited levels of trust and validity
• Implemented in GnuPG release 1.4.5
Cons
• Trust levels are not defined
• The problem of hidden dependencies remains
• Trust can be assigned in an arbitrary way
Proposed Architecture
Social Network (e.g. Facebook, Orkut, LinkedIn)
• Get friend lists
• Privacy setting for each friend
My Application
• Make a graph of immediate friends
• Calculate trust values using fuzzy rules
• Show the trust level for each friend (Very high, High, Medium, Low, Very low)
• Share the graph with friends and merge graphs
• Embed these trust levels in OpenPGP
Get Friend List
• I have used the Facebook Graph API to get the friend list.
• Friends: https://graph.facebook.com/me/friends?access_token=...
Getting Privacy Settings
• I have used these privacy settings: profile picture, photo albums, likes and interests.
• Photo albums: https://graph.facebook.com/me/albums?access_token=...
• Profile feed (Wall): https://graph.facebook.com/me/feed?access_token=...
• Although Facebook has many privacy settings of interest to us, they are not easily accessible through the Graph API.
Calculating Trust Value
• Use the privacy parameters and calculate trust for each connected node as
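The formula on the slide is not reproduced on this page. As an added illustration only (this is not the thesis's rule base, weights or formula; all of those are assumed here), the following Python computes a trust level for each friend from two inputs: a weighted sharing score built from the three privacy parameters above (profile picture, albums, likes and interests) and the share of mutual friends taken from the merged graph, run through a small zero-order Sugeno fuzzy rule base whose outputs are the five levels on the architecture slide. The final step maps each level onto a GnuPG owner-trust line, as one way to "embed these trust levels in OpenPGP"; the level-to-code mapping and the fingerprint are placeholders, and the per-friend input values are made up.

```python
# Constructed per-friend inputs (values made up), standing in for what the
# friends/albums/feed Graph API calls on the previous slides would yield: the
# fraction of the user's own profile picture, albums and likes that each friend
# may see, plus that friend's share of mutual friends in the merged graph.
FRIENDS = {
    "bob":   {"profile_picture": 1.0, "albums": 0.9, "likes": 1.0, "mutual": 0.9},
    "carol": {"profile_picture": 1.0, "albums": 0.3, "likes": 0.5, "mutual": 0.5},
    "dave":  {"profile_picture": 0.0, "albums": 0.0, "likes": 0.1, "mutual": 0.1},
}
# Assumed weights for combining the privacy parameters into one sharing score.
WEIGHTS = {"profile_picture": 0.2, "albums": 0.5, "likes": 0.3}


def tri(x, a, b, c):
    """Triangular membership peaking at b; a == b or b == c gives a shoulder."""
    if x == b:
        return 1.0
    if x <= a or x >= c:
        return 0.0
    return (x - a) / (b - a) if x < b else (c - x) / (c - b)


# Assumed fuzzy sets over [0, 1] for the two inputs.
SHARING = {"low": (0, 0, 0.5), "medium": (0, 0.5, 1), "high": (0.5, 1, 1)}
MUTUAL = {"low": (0, 0, 0.5), "high": (0.5, 1, 1)}
# The five output levels of the architecture slide, as representative values.
LEVELS = {"very low": 0.1, "low": 0.3, "medium": 0.5, "high": 0.7, "very high": 0.9}
# Assumed rule base: (sharing set, mutual set or None for "don't care", output level).
RULES = [
    ("high", "high", "very high"),
    ("high", "low", "high"),
    ("medium", None, "medium"),
    ("low", "high", "low"),
    ("low", "low", "very low"),
]


def sharing_score(friend):
    """Weighted share of the user's private items this friend is allowed to see."""
    return sum(WEIGHTS[k] * friend[k] for k in WEIGHTS)


def infer_trust(sharing, mutual):
    """Zero-order Sugeno inference: rule strength = min of antecedent memberships,
    crisp trust = strength-weighted mean of the rule outputs, then the nearest level."""
    num = den = 0.0
    for s_set, m_set, level in RULES:
        w = tri(sharing, *SHARING[s_set])
        if m_set is not None:
            w = min(w, tri(mutual, *MUTUAL[m_set]))
        num += w * LEVELS[level]
        den += w
    crisp = num / den if den else 0.0
    label = min(LEVELS, key=lambda name: abs(LEVELS[name] - crisp))
    return crisp, label


def trust_for(name):
    friend = FRIENDS[name]
    return infer_trust(sharing_score(friend), friend["mutual"])


# Assumed policy for embedding the level in OpenPGP: GnuPG owner-trust codes as
# read by `gpg --import-ownertrust` (2 undefined, 3 never, 4 marginal, 5 full, 6 ultimate).
OWNERTRUST_CODE = {"very high": 5, "high": 5, "medium": 4, "low": 2, "very low": 2}


def ownertrust_line(fingerprint, label):
    """One line of the ownertrust file: <fingerprint>:<code>:"""
    return f"{fingerprint}:{OWNERTRUST_CODE[label]}:"


if __name__ == "__main__":
    for name in FRIENDS:
        crisp, label = trust_for(name)
        # Placeholder fingerprint; in use it is the friend's OpenPGP key fingerprint.
        print(name, f"{crisp:.2f}", label, ownertrust_line("0" * 40, label))
```

Owner trust is the right hook for this because it changes how much weight the friend's signatures on other keys get (the C/M rule), without forging any validity for the friend's own key, which still needs a certificate. Whether to map the lowest levels to "never" (3) rather than "undefined" (2) is a policy decision the thesis would have to make explicit.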
Proposed Approaches
• We may apply both techniques, compare the results and adopt the better one.
Potential Applications
• OpenPGP
Timeline
• Sept–Dec (done): Problem definition & literature review, proposed solution
• Jan (done): Proposal defense, user study and getting data from different users
• Feb: Apply the algorithm to a real scenario and get results
• March: Graph exchange algorithms
• April: Implementation on the Fuzzy Toolbox and comparison of results
• May: Paper write-up & mid defense
• June–July: Final defense
• Aug: Thesis write-up
Thesis milestones: processing of TH-1, TH1-Internal, TH-2, TH-2A and proposal defense; processing of TH-3 and in-house thesis write-up; TH-3 (final oral exam); TH-4 (thesis acceptance)
Thank you. Questions??? Saira Kauser 09msitskauser@seecs.edu.pk