Weaving a Web of Trust

IRUS Bay Area Roundtable Rohit KhareOctober 9, 1998 (Adam Rifkin)

October 9, 1998 Weaving a Web of Trust 2

Weaving a Web of Trust

Mission How can users

decide what to trust on the Web?

Mechanism Does X have

permission to do Y with resource Z?

Introduction Principles Why

Principals What

Policies When

Pragmatics How

Applications Limits of Trust Implications

October 9, 1998 Weaving a Web of Trust 3

Introduction Clara Customer fires up her favorite Web browser one

morning and connects to her Bank to pay her rent. The Bank's computer duly opens up an encrypted session, and Clara fills out the payment form from her landlord

A Welter of Decisions... Can the Bank really believe it’s Clara? Vice

versa? What kind of ‘receipt’ can Clara rely on? Has the rent bill been delegated accurately?

Cryptography answers ‘how’, not ‘why’ Tamper-proofing is not the same as entrusting

October 9, 1998 Weaving a Web of Trust 4

New Conflicts in Open Systems

The Bank no longer controls both ends Assumptions about trusted hardware, ATM card

scanners, private communications links invalidated

Furthermore, Web applications tend towards interoperable infrastructure technology

Common cryptographic channel securityCommon certificate formats and repositoriesCommon user interface hooks

How can [online banks] convey trustworthiness without marble?

October 9, 1998 Weaving a Web of Trust 5

Scenario: Entrusting an Applet

Sara Surfer hears about a whiz-bang new financial applet from Jesse Jester. She hops over to FlyByNight.Com and downloads their latest and greatest auto-stock-picker

Automated support for trust decisions: Helping Sara decide whether to trust the

applet’s advice: third party ratings, endorsements, &c

Controlling the privileges of that applet: to read portfolios, even execute trades, but not leak info

October 9, 1998 Weaving a Web of Trust 6

Scenario: Content Filtering

Many transactions can be ‘rolled-back’ Often some recourse if trust is violated: files

recovered, money refunded, boarding denied

Social effects cannot “Should Johnny view page P?” is another trust issue Indecency and inappropriateness is in the eye of

several beholdersIntersection of school, parents, and political policy

Need to integrate several mechanismsBlack- and White- listsEntrusting publishers vs contents

October 9, 1998 Weaving a Web of Trust 7

Trust Management

Traditional, ‘closed’ security falls short Access Control Lists and user databases operate

over a known, finite universe of principals & resources

PolicyMaker introduced a new approachBlaze, Feigenbaum, et al. at IEEE Oakland 1996

A TM engine strings together assertions into proofs ...Where assertions can come from many sources ...And the crytpography falls out as just one way to

entrust the binding of an assertion to a speaker

We need to ask why rather than how

October 9, 1998 Weaving a Web of Trust 8

Principles Why

Digital TM engines can be more exacting in establishing authority, so:

Be Specific Broader assertions are less reliable

Trust Yourself All trust decisions must loop back to own axioms

Be Careful Logical design doesn’t preclude implementation

holes

October 9, 1998 Weaving a Web of Trust 9

Principle: Be Specific

In real life, holistic judgments are vague: “I trust my spouse” — for what? “I trust my Bank” — that’s not how they see it

General-purpose Web tools frustrate: Web servers deal in bags of bits between machines

Not easy to distinguish a medical record fileNot easy to identify the actual user

Web client interfaces don’t understand either‘Do you want to submit this data unencrypted’ - swat!

Underlying OS security can thwart limitsSandboxing mobile code, redistribution limits

October 9, 1998 Weaving a Web of Trust 10

Principle: Trust Yourself

Assertion Chains should lead back to self “My credit card number is xxxx”

CreditCorp’s certificate Issuing Bank own records “United.com is the airline” (it isn’t)

Local DNS Root Servers ICANN Jon Postel (oops!)

“Jon’s public key is yyyy” (X.509)

Signed by USC Signed by state of CA Signed by Feds “Jon’s public key is zzzz” (PGP)

Signed by Jon Signed by Fred Signed by self “Public key nnnn is Jon”(SDSI/SPKI)

“Self’s DNS’s Jon is nnnn” — root your own naming tree

October 9, 1998 Weaving a Web of Trust 11

Principle: Be Careful

Identify (& Justify) every trust decision Can be buried in operational logic

Example: Is Scooter a Member? W3C has Public, Member, and Team web access Originally, Member IP address masks were used Verbal contracts trusted employees to protect

info AltaVista’s web crawler was seen as a Member

... And information leaked out to the index!

Required coordination of password database, filesystem permissions, and Robot Exclusion file

October 9, 1998 Weaving a Web of Trust 12

Principals What Microsoft Authenticode entrusts ActiveX controls based on:

encrypted communication between machines; signed identity of the author(s); and a ‘safe applet pledge’ certificate from MS and a ‘commercial sw publisher’ certificate from Verisign/D&B

People Names An identity which persists across transactions; liable

Computers Addresses Limited lifetime; can only prove correct execution

Organizations Credentials Persistent lifetime; can link People & Computers

October 9, 1998 Weaving a Web of Trust 13

Principal: People

Trust = behavioral consistency Legal and social precedent holds individuals liable Ultimately, people back computers and

organizations

Human identity should be established outside of any particular application E.g. Verisign’s multiple levels, from email to notary

to credit check to personal investigation

Identity alone is not trustworthy Bank trusts Clara Customer, not Clara Beekham

Once the organization establishes a role linking the two

October 9, 1998 Weaving a Web of Trust 14

Principal: Computers

The Web’s Trusted Computing Base? Client PCs have many points of failure Even https: relies on routing and domain naming

Entrusting Devices as Devices To execute cryptographic operations correctly To modify internal state or trigger peripherals Checksums, clock freshness, channel security, etc

can only prove a consistent address Example: Cellphone cloning fraud conflates device

authentication (ser #) with user authorization (bill)

October 9, 1998 Weaving a Web of Trust 15

Principal: Organizations

Organizations are much like people Literally and legally, as ‘incorporation’ suggests

Scale has a quality all its own Easier to trust a group of people over time with

internal checks and balances and standardsAnytime trust has to be shared with a different

principal

Credentials bind people to devices It is more efficient to intermediate relationships

Reflects the same transaction costs as optimal firm-size theory does in real world economics

October 9, 1998 Weaving a Web of Trust 16

Policies When

Principal-Centric Who you areObject-Centric What you haveAction-Centric What you can do

TM Engines take a proposition (principal, action, object), assertions, and a policy evaluator as input to generate an authorization matrix

Policies can be composable on behalf of several stakeholders

Credit Line Savings Account Vault

Branch ManagerCreate, Read/Write Create, Read/WriteDeposit, Withdraw

Teller Read Read/Write Deposit

Guard None None Withdraw

October 9, 1998 Weaving a Web of Trust 17

Policies: Principal-Centric

Placing trust in principals (or roles)Typically, classify individuals into groups

[Denning 76] proved information flow w/lattices Principle of least privilege encourages specificity

... and label each object or action with a minimum or maximum authorization level [Bell and LaPadula] compartmentalization of

processes — read downwards, write upwards, sanitization

Useful when there are fewer users than objects or actions

October 9, 1998 Weaving a Web of Trust 18

Policies: Object-Centric

Placing trust in objects (or keys)Typically, protect resources with keys

Hand out the combination to a vault Secret-sharing can require multiple cooperating

keyholders (e.g. a safe-deposit box)

Optionally compartmentalize access Different interfaces have different keys Deposit and Withdraw handles in MS COM-speak

Possession of the right pointer limits the visible functions

Useful when there are fewer objects than users or actions

October 9, 1998 Weaving a Web of Trust 19

Policies: Action-Centric

Placing trust in demonstrated abilitiesTypically test and compile into an

authorization certificate Driver’s License or swimming test

Manage classes of capabilities Bank might be factored into Account Creation,

Bookkeeping, and Vault Access ... Then map onto personnel and objects as

needed Example: Drinking age laws are intrinsic, not from

a registry of drinkers or access controls on bottles

October 9, 1998 Weaving a Web of Trust 20

Policies: Implementation

Trusting someone to drive a car: By identity: a list of authorized drivers By object: a set of keys to be handed out By capability: rent a car with license & insurance

Choice of ‘primary axis’ depends on: Simplicity: which is the smallest set? bank

employees Dynamism: avoid enumerating the volatile. drivers Efficiency: what’s easiest to check? Licenses

Watch for conflicting policy styles Hotel erred in using payment-ability as identity

October 9, 1998 Weaving a Web of Trust 21

Pragmatics How

The topological shift from a single secure node to a net of separately administered domains is driving the development of a new generation of Web TM tools

Identifying Principals Decentralized PKILabeling Resources Web MetadataCodifying Policies Policy LanguagesAutomating the Web of Trust TM

Engines

October 9, 1998 Weaving a Web of Trust 22

Pragmatics: Identifying Principals

Digital Certificates alone aren’t trustworthy [Kohnfelder78] introduced Certification Authorities

CA Utility is proportional to its reach Clearinghouse simplifies group-membership

... But its power is inversely related The further up the pyramid, the greater the liability

Unprincipled compared to PGP/SPKI/SDSI: Identity certificates are not specific about authorization Hierarchy ends in God, not self Logistical difficulties of updating global revocation lists

October 9, 1998 Weaving a Web of Trust 23

Pragmatics: Labeling Resources

Traditional fixed set of security attributes UNIX file permissions, AFS ACLs, process handles

Separable security labels as metadata PICS labels, Resource Description Framwork (RDF) Deliverable in, with, or from third parties

Self-description of schemas Loadable rating scales or attribute vocabularies

Difficulty of binding to variable Web pages Languages, obsolescence, bundling together pages

October 9, 1998 Weaving a Web of Trust 24

Pragmatics: Codifying Policies

Web’s ‘trust problems’ are too varied to compile in PICS filtering, applet authorization; soon payment

method selection and privacy policy negotiation

Externalized policy evaluators More flexible to put in a general-purpose TM

Engine Possible to compose policies written in several

languages and styles Example: REFEREE can load in policy interpreters

as well as policies, rather than PICSRulz alone

October 9, 1998 Weaving a Web of Trust 25

Applications

Collaborative Authoring & Publication Extending trust to push networks, readers

Content Filtering Acceptable content; rights management; privacy Highlights composable policy, diverse label stores

Electronic Commerce Negotiating by assertion rather than policy JEPI

Downloadable Code Trusted applet; trusted runtime/OS

October 9, 1998 Weaving a Web of Trust 26

Limits of Trust

Limits of Web Security Security services below, at, and above HTTP layer

Trust as a Social Contract Game-theoretic model of rational opponents

[Axelrod]Trust is a learning process; how can tools help?

Trust in the Mirror Moving the world into the box magnifies latent

flaws in existing relationshipsThe Social Security PEBES Case (“mail vs. e-mail”):

speed, anonymity of electronic queries changes the risk profile

October 9, 1998 Weaving a Web of Trust 27

Limits: Web Servers

Unprincipled Not able to specifically identify resources at risk

within a server (“medical records”) Not responsible for own security; varies by OS Not careful in logging anomalies or for rollback

Principal identification scattered E.g. SSL client-auth info cannot pass up to HTTP Lower-layer IP source or DNS lookup spoofable

Inflexible policies Typically limited to user-and-password

configurations

October 9, 1998 Weaving a Web of Trust 28

Limits: Web Clients

Unprincipled Does not adapt behavior to specific site IE4 Zones Requires trusting monolithic sw vendor instead of self Not carefully integrated with OS: cache leaks, cookies

Principal identification scattered Desktop PCs & Macs have a weak concept of User User interface hides computer address — spoofable Organizational identification relies on images, DNS

Inflexible Policies Content-filtering, applet, and privacy checks built-in

October 9, 1998 Weaving a Web of Trust 29

Implications

Web Developers Commit to developing standardized TM infrastructure

Web Users Awareness of the flood of trust decisions of “mere”

surfing motivates developers to do their part

Application Stakeholders Identify and justify your systems’ trust decisions

Citizens What are the social consequences of fragmenting our

trust communities into self-contained world-views?

October 9, 1998 Weaving a Web of Trust 30

For Further Information... This Talk http://www.ics.uci.edu/~rohit/web-of-trust

Our Paper http://www.cs.caltech.edu/~adam/papers/www

The Book http://www.w3j.com/7/

Digital Signature Labels http://www.w3.org/DSig/

Simple PKI http://www.ietf.org/html.charters/spki-charter.html

REFEREE http://www.research.att.com/~jf/pubs/www6-97.html

PolicyMaker ftp://dimacs.rutgers.edu/pub/dimacs/TechnicalReports/TechReports/1996/96-17.ps.gz

Contact Us rohit@ics.uci.edu, adam@cs.caltech.edu