WP5: Identity Management and Reputation Framework for Trusted Negotiation
Partners: CN, SN, WIT, FBK, UdG, UNISG
Speaker: Mihaela Ion (CN)
1st ONE Review, Brussels
WP Overview
• Core security primitives: platform independent and transparent to the underlying cryptographic protocols and mechanisms
• Identity management model for automatic processing of user identity information, scaling to a decentralized environment
• Trust & reputation scheme for P2P or agency-centric recommendations
• Security primitives and identity management functionalities are used by all ONE components (WP2, WP3, WP4)
• Decision support functionalities for users and for WP4
Fig. WP5 tasks and relations between them: Security primitives (T5.1), Identity Management (T5.2), Trust & Reputation Management with Rating Agencies (T5.3) and P2P reputation (T5.4)
T5.1 Security Primitives: Authentication, Integrity and Confidentiality
• Independent from specific cryptographic algorithms and protocols
• Allow new algorithms to be plugged in in the future: we target evolutionary DEs
• Will be deployed as Java APIs on each ONE node, providing Web Services integration capabilities
• Provided through: username & password, certificates, SSO, digital signatures, SSL/TLS, symmetric and asymmetric encryption, and digests
• APIs already designed and D5.1 submitted (task completed as scheduled)
T5.2 Identity Management and Privacy
• The model targets an automated process of identification between ecosystem entities.
• Practical solutions which are clear and easy for SMEs to adopt and implement.
• Interoperability through convergence between existing identity technologies via SAML (v2.0).
• Use of a user identity profile: an abstract view of a user's identity information.
• Decentralized identity information is managed through user profiles replicated in a peer-to-peer fashion on trusted nodes.
Main Characteristics of the Model
• Main target: decentralized P2P ecosystem domains
• All users are equal and there is no hierarchy of DEs
• Any peer can be a Credential Provider (CP) or a Service Provider (SP), or both
• Each SP has a list of trusted CPs
• Each CP has a list of trusted CPs and a list of accepted security tokens
• SAML unifies the different identity representations that may be used by different SPs
• CPs translate from SAML to their SPs' security token representations and vice versa (e.g. X.509 ↔ SAML, SPKI ↔ SAML, Kerberos ↔ SAML)
• Each CP issues certificates to users based on: security tokens issued by the CP itself, security tokens issued by a CP with which it has a trust relationship, or user registration information
User Profile
• Unified view of a user's distributed identity information
• Encrypted with a master password known only to the user
• Replicated, in encrypted form, on trusted peers
• Downloaded, decrypted and updated in secure memory on the user's side
• Obtained using username & password (different from the master password) when logging in to the ONE system
Fig. Model Communication Scheme. Entities: Service Providers, Credential Providers (each with a public list of accepted security tokens, a public list of trusted CPs, a public list of trusted SCPs and a list of issued certificates/tokens, linked by trust relationships), a Trusted Peer holding the encrypted user profile, and the browser/service on another peer. Labelled exchanges in the figure: request resource, authentication request (forwarded between SP and CP), login/request profile, profile, request token/certificate, certificate, list of accepted certificates, token, resource.
Fig. Service Composition by Proxy Certificate (PC). Entities: SP1 with its CP1 and SP2 with its CP2 (trust relationships, with policies), the browser/service that downloads the user profile from a Trusted Peer, and the composed service. Labelled exchanges in the figure: profile download, request service / result between the browser/service and SP1, and request service / result between SP1 and SP2 carried with the proxy certificate.
T5.3 Trusted Rating Agencies
• P2P reputation is subjective; certificates issued by rating agencies should be objective and hence more trustworthy
• Inspiration from financial rating agencies
• Dedicated service that could be offered by each ONE node
• Each entity decides on its own whether to register with an agency
• Each agency specifies its predefined criteria for registering users (necessary credentials)
• Agencies across the ONE platform cooperate with each other to retrieve information about unknown users
• Authorization certificates
T5.4 Peer-to-peer Reputation
We model adaptive reputation-based trust:
• Based on opinions (recommendations) expressed by users about other users, data, services and nodes (multi-level)
• Social networks represented through contacts' lists (private, shared only with contacts)
• Context-aware trust values: users have different levels of expertise in different domains
• Multidimensional trust: e.g. a service can be rated for availability, response time, memory usage, result accuracy, etc.
• Bootstrapping: make use of trust relations established between users outside the system; assign higher levels of trust to newcomers based on credentials obtained from trusted Certification Authorities outside the system
Initial reputation values
• We use probabilistic values from 0 (no trust or no information) to 1 (complete trust).
• Users provide registration information to the CP of the chosen ONE node, including certificates obtained from external CAs
• CPs assign initial trust values based on their relations with the CAs
• Invited users are added to the social network of the inviter, who manually assigns a trust value
Fig. Internal CPs and external CAs trust relations
Contacts' lists and lists of opinions
Contacts' list
• Trusted contacts known either from outside or inside the system
• Different trust levels attached to each contact: the trust a user has in receiving accurate recommendations from that contact
List of opinions
• Based on direct interactions
• Each user keeps in his private MyONE space a history of (recent) experiences (negotiations, transactions) with other users, services and data
• 4-tuples composed of subject, object, keyword and value
Propagation of opinions across the contacts graph
• Users ask their contacts' opinions about unknown entities
• These can in turn ask their contacts if no information is available
• MoleTrust predicts the trust score of a source agent in a target agent by walking the trust graph starting from the source agent and propagating trust along its edges
• Trust values are weighted by the trust scores of the agents who issued them (as stated in the contacts' list)
• Trust values are relative to the source agent
Fig. Propagation of opinions across the contacts graph
Opinion's Data Model
• Contexts are expressed by user-defined keywords (folksonomy)
• Simple or complex contexts (e.g. a taxonomy)
• Through contexts we model the multidimensional nature of trust
Fig. Generalized Opinion Data Model
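A small worked version of the opinion propagation described under T5.4: contacts' lists stored as (subject, object, keyword, value) 4-tuples, a MoleTrust-style walk from the source agent, and the context selected by keyword. This is an added illustration, not code from the ONE project; the sample contacts, the propagation horizon and the trust threshold are assumptions.

```python
from collections import defaultdict, deque
# Constructed sample contacts' lists as 4-tuples (subject, object, keyword, value):
# how much `subject` trusts `object`'s recommendations in the context tagged
# `keyword`. The "erin -> alice" entry is a back edge the walk must ignore.
CONTACTS = [
    ("alice", "bob",   "negotiation", 0.9),
    ("alice", "carol", "negotiation", 0.4),
    ("bob",   "dave",  "negotiation", 0.8),
    ("bob",   "frank", "negotiation", 0.5),
    ("carol", "dave",  "negotiation", 0.2),
    ("dave",  "erin",  "negotiation", 0.7),
    ("frank", "erin",  "negotiation", 0.3),
    ("erin",  "alice", "negotiation", 0.6),
    ("alice", "carol", "data",        0.95),
    ("carol", "erin",  "data",        0.3),
]

def contacts_graph(tuples, keyword):
    """Adjacency map for one context only: subject -> {object: trust value}."""
    graph = defaultdict(dict)
    for subject, obj, kw, value in tuples:
        if kw == keyword:
            graph[subject][obj] = value
    return graph

def moletrust(tuples, source, target, keyword, horizon=3, threshold=0.5):
    """Trust of `source` in `target` for one context, MoleTrust-style.
    Stage 1: BFS distances from the source; only edges leading one step further
    away are used, so cycles and back edges drop out. Stage 2: level by level, a
    node's score is the average of the trust statements about it from previous-
    level predecessors, weighted by those predecessors' own scores; predecessors
    below `threshold` are not consulted. Horizon and threshold are assumptions.
    Returns 0.0 for "no information", the bottom of the slides' 0..1 scale."""
    graph = contacts_graph(tuples, keyword)
    dist, queue = {source: 0}, deque([source])
    while queue:
        node = queue.popleft()
        if dist[node] < horizon:
            for nxt in graph[node]:
                if nxt not in dist:
                    dist[nxt] = dist[node] + 1
                    queue.append(nxt)
    if target not in dist:
        return 0.0
    score = {source: 1.0}
    for level in range(1, dist[target] + 1):
        for node in [n for n, d in dist.items() if d == level]:
            preds = [p for p, d in dist.items()
                     if d == level - 1 and node in graph[p] and score[p] >= threshold]
            den = sum(score[p] for p in preds)
            score[node] = sum(score[p] * graph[p][node] for p in preds) / den if den else 0.0
    return score[target]
```

From alice's point of view erin is reached via dave and frank (carol is too weakly trusted to be consulted), while from carol's point of view erin scores 0.0, which is the "relative to the source agent" property of the slide.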
Status & Next Steps
Security primitives
• Status: implementation of user authentication with username & password
• Next steps: implementation of advanced authentication mechanisms (certificates, SSO)
Identity management
• Status: model designed and partially implemented (simple user registration)
• Next steps: user profile and transformations; complete the model implementation
Trusted rating agencies
• Status: inspiration from financial rating agencies; objective, based on credentials, in line with the distributed nature of ONE
• Next steps: design the model
P2P reputation
• Status: model designed
• Next steps: draft implementation for simulations and validation; collaboration with WP3 - T3.4 on the replication algorithm of the Distributed Knowledge Base
Task 5.2 will be extended until month 19, deliverable D5.4 will be delayed until month 19, and a new milestone will be added at month 15 providing draft implementations. For bug fixing and software enhancements after the First Trial Iteration, an additional 4 months are required; they will be distributed from month 23 to month 26. Task 5.3 will be extended until month 20 and deliverable D5.3 will be delayed until month 20. This extension is required because of the delay of the research activities in Phase I.