4. Introduction to Trust in Computing*
Presented by:
Prof. Bharat Bhargava
Department of Computer Sciences and
Center for Education and Research in Information Assurance and Security (CERIAS)
Purdue University
with contributions from
Prof. Leszek Lilien
Western Michigan University and
CERIAS, Purdue University
*
Supported in part by NSF grants IIS0209059, IIS0242840, ANI0219110, and Cisco URP grant.
Introduction to Trust
Outline
1) Trust in Social & Computing Systems
2) Selected Trust Characteristics
3) Selected Research Issues in Trust
4) Avoiding Traps of Trust Complexity
5) Trust and Privacy
incl. Trading Privacy Loss for Trust Gain
6) Trust & Pervasive Computing
3/23/04
2
1) Trust in Social & Comput’g Systems
(1)
Trust
Trust is pervasive in social systems
[The American Heritage Dictionary of the English Language, 4th ed., Houghton Mifflin, 2000 ]
= “reliance on the integrity, ability, or character of a person or thing”
Constantly used it in interactions among:
People / Organizations / Animals / Artifacts (sic!)
3/23/04
E.g., “Can I trust my car on this long vacation trip?”
Used instinctively and implicitly in closed and static systems
Example: In a small village – everybody knows everybody
Villagers instinctively use their knowledge or stereotypes to
trust/distrust others
Used consciously and explicitly in open or dynamic systems
Example: In a big city explicit rules of behavior in diverse trust
relationships
E.g., Build up trust by asking friends or recommendation
services for a dependable plumber
3
1) Trust in Social & Computing Systems
(2)
Establishing Trust by Interactions
Social or computerbased interactions:
From a simple transaction to a complex collaboration
Adequate degree of trust required for interactions
How to establish initial trust?
Build up trust in interactions with strangers or known partners
Human or artificial partners
Offline or online
Trust Degradation and Recovery
3/23/04
Identification and isolation of violators
Dynamic trust updated according to interaction histories and
recommendations
Fast degradation of trust and its slow recovery
This defends against smart violators
4
1) Trust in Social & Computing Systems
(3)
Trust is pervasive & beneficial in complex social systems
Why not exploit pervasive trust as a paradigm in computing?
Use it also in nonpervasive computing (not a contradiction!)
Trust is already common, used extensively in computing
systems
Although usually subconsciously
Examples of users’ trustbased decisions:
Search for reputable ISPs / ebanking sites
Ignoring emails from “Nigerians” asking for transferring millions of dollars
But should be even more pervasive in computing systems
Challenge for exploiting trust in computing:
Extending trustbased solutions to:
1) Artificial entities (such as software agents or subsystems)
2) Subconscious choices made by human users’
3/23/04
5
2) Selected Trust Characteristics (1)
Dimensions of trust
Competence – Does he possess qualifications to do it
Intention – Is he willing to do it?
Degrees of trust instead of binary (allornothing) trust
“You can’t trust everybody but
Otherwise, you’d be paranoid
you have to trust somebody”
Extreme costs of being paranoid
An
Looking over one’s shoulder all the time
untrusting system (even just implicitly) would
be paranoid, inefficient
Trust is asymmetric
E.g., “I trust you more than you trust me”
In general, trust is bidirectional
But one direction can be implicit
3/23/04
[cf. M. Reiter and M. Atallah, NSF IDM Workshop, August 2003]
6
2) Selected Trust Characteristics
Can you trust your smart refrigerator?
Can you trust your car, cell phone, PDA? RFID tags in store?
Devices can selforganize into malicious “opportunistic” networks
System loyalty (like servant loyalty):
Who does it work for? For insurer? For advertiser? For Big Brother?
Trust requires visibility of evidence/recommendations
(2)
Who/what to trust?
If I don’t know what the system is doing, I don’t trust it
Relationship of trust to trustworhiness and usability
Trustworthiness => ( Usability ) => Trust
System excessive/insufficient trust demands can reduce its usability
3/23/04
If a system requires too many credentials, its usability decreases
If a system requires no credentials (e.g., no password), users don’t trust it =>
usability also decreases (surprise?)
7
3) Selected Research Issues in Trust
What incentives or penalties will foster trust relationships?
Currently incentives are often perverse
E.g., Smith buys security but Jones benefits
[cf. M. Reiter and M. Atallah, NSF IDM Workshop, August 2003]
Can we build trusted system from untrustworthy
components?
3/23/04
Or: Can we build a more trusted system from less trustworthy
components?
In interactions:
“Seller” is ultimately responsible for deciding on the degree
of trust required to offer a service
“Buyer” is ultimately responsible for deciding on the degree
of trust required to accept a service
8
4) Avoiding Traps of Trust Complexity (1)
Trust is a complex, multifaceted & contextdependent notion
=> Words of caution on using the trust paradigm:
1) Carefully select all and only those useful trust aspects
needed for the system you’re designing
Otherwise, either flexibility or performance suffers
2) Optimize demands for evidence or credentials
3/23/04
Asking for too much laborious and uncomfortable
Asking for too little – will create image of a lax system
Who wants to be friends with someone who befriends crooks
and thieves?
9
4) Avoiding Traps of Trust Complexity (2)
=> Words of caution on using the trust paradigm (cont.):
3) Excessive reliance on explicit trust relationships hurts
performance
3/23/04
Paranoid avoid paranoia
E.g., modules in a wellintegrated system should rely on implicit
trust
Just as villagers do
In a crowd of entities, only some communicate directly
Only they need to use trust
Even fewer need to use trust explicitly
10
5) Trust and Privacy (1)
Privacy = entity’s ability to control the availability and
exposure of information about itself
We extended the subject of privacy from a person in the original
definition [“Internet Security Glossary,” The Internet Society, Aug. 2004 ] to an entity—
including an organization or software
Maybe controversial but stimulating
Privacy Problem
Consider computerbased interactions
From a simple transaction to a complex collaboration
Interactions always involve dissemination of private data
It is voluntary, “pseudovoluntary,” or compulsory
3/23/04
Compulsory e.g., required by law
Threats of privacy violations result in lower trust
Lower trust leads to isolation and lack of collaboration
11
5) Trust and Privacy
(2)
Thus, privacy and trust are closely related
Privacytrust tradeoff:
Entity can trade privacy for a corresponding
gain in its partners’ trust in it
The scope of an entity’s privacy disclosure should be proportional to
the benefits expected from the interaction
As in social interactions
E.g.: a customer applying for a mortgage must reveal much more
personal data than someone buying a book
Trust must be established before a privacy disclosure
3/23/04
Data – provide quality an integrity
Endtoend communication – sender authentication, message integrity
Network routing algorithms – deal with malicious peers, intruders,
security attacks
12
5) Trust and Privacy
Optimize degree of privacy traded to gain trust
Disclose minimum needed for gaining partner’s necessary trust level
To optimize, need privacy & trust measures
Once measures available:
(3)
Automate evaluations of the privacy loss and trust gain
Quantify the tradeoff
Optimize it
Privacyfortrust trading requires privacy guarantees for
further dissemination of private info
Disclosing party needs satisfactory limitations on further dissemination
(or the lack of thereof) of traded private information
E.g., needs partner’s solid privacy policies
Merely perceived danger of a partner’s privacy violation can make the
disclosing party reluctant to enter into a partnership
3/23/04
E.g., a user who learns that an ISP has carelessly revealed any customer’s
email will look for another ISP
13
5) Trust and Privacy (4)
Summary: Trading Information for Trust in Symmetric and
Asymmetric Negotiations When/how can partners trust
each other?
Symmetric „disclosing:”
Symmetric „preserving:” (from distrust to trust)
Initial distrust / no stepwise trust growth / establishes mutual „full”
trust
No trading of info for trust (info is private or not)
Asymmetric:
3/23/04
Initial degree of trust / stepwise trust growth / establishes mutual
„full” trust
Trades info for trust (info is private or not)
Initial „full” trust of Weaker into Stronger and no trust of Stronger
into Weaker / stepwise trust growth / establishes „full” trust of
Stronger into Weaker
Trades private info for trust
14
5) Trust and Privacy
(5)
PrivacyTrust Tradeoff: Trading Privacy Loss for Trust Gain
We’re focusing on asymmetric trust negotiations:
The weaker party trades a (degree of) privacy loss for (a degree
of) a trust gain as perceived by the stronger party
Approach to trading privacy for trust: [Zhong and Bhargava, Purdue]
Formalize the privacytrust tradeoff problem
Estimate privacy loss due to disclosing a credential set
Estimate trust gain due to disclosing a credential set
Develop algorithms that minimize privacy loss for required trust
gain
Bec. nobody likes loosing more privacy than necessary
More details later
3/23/04
15
6) Trust & Pervasive Computing (1)
People surrounded by zillions of computing devices of all
kinds, sizes, and aptitudes
[“Sensor Nation: Special
Report,” IEEE Spectrum, vol. 41, no. 7, 2004 ]
Most with limited / rudimentary capabilities
Most embedded in artifacts for everyday use, or even human bodies
3/23/04
Quite small, e.g., RFID tags, smart dust
Possible both beneficial and detrimental (even apocalyptic) consequences
16
6) Trust & Pervasive Computing
(2)
New threats to security in pervasive environments
Example: Malevolent opportunistic sensor networks
— pervasive devices selforganizing into huge spy networks
Able to spy anywhere, anytime, on everybody and everything
Need means of detection and neutralization
To tell which and how many snoops are active, what data they
collect, and who they work for
Questions such as “Can I trust my refrigerator?” will not be jokes
3/23/04
An advertiser? a nosy neighbor? Big Brother?
The refrigerator snitching on its owner’s dietary misbehavior for her
doctor
17
6) Trust & Pervasive Computing
(3)
Radically changed, pervasive computing environments
demand new approaches to computer privacy & security
Our belief: Socially based paradigms (such as trustbased
paradigms for privacy & security) will play a big role in pervasive
computing
Solutions will vary (as in social settings)
3/23/04
Heavyweighty solutions for entities of high intelligence and
capabilities (such as humans and intelligent systems)
interacting in complex and important matters
Lightweight solutions for less intelligent and capable entities
interacting in simpler matters of lesser consequence
18
6) Trust & Pervasive Computing (4)
Example: Use of Pervasive Trust for Access Control
Use of pervasive trust for access control
perimeter-defense authorization model
Investigated by B. Bhargava, Y. Zhong, et al., 2002 - 2003
using trust ratings:
direct experiences
second-hand recommendations
using trust ratings to enhance the role-based access control
(RBAC) mechanism
3/23/04
19
References & Bibliography (1)
Slides based on BB+LL part of the paper:
Bharat Bhargava, Leszek Lilien, Arnon Rosenthal, Marianne Winslett, “Pervasive Trust,”
IEEE Intelligent Systems, Sept./Oct. 2004, pp.7477
“Private and Trusted Interactions,” by B. Bhargava and L. Lilien, March 2004.
“Trust, Privacy, and Security. Summary of a Workshop Breakout Session at the National
Science Foundation Information and Data Management (IDM) Workshop held in Seattle,
Washington, September 14 16, 2003” by B. Bhargava, C. Farkas, L. Lilien and F. Makedon,
CERIAS Tech Report 200334, CERIAS, Purdue University, November 2003.
/> />
1.
2.
3.
4.
5.
Paper References:
The American Heritage Dictionary of the English Language, 4th ed., Houghton Mifflin, 2000.
B. Bhargava et al., Trust, Privacy, and Security: Summary of a Workshop Breakout Session
at the National Science Foundation Information and Data Management (IDM) Workshop held
in Seattle,Washington, Sep. 14–16, 2003, tech. report 200334, Center for Education and
Research in Information Assurance and Security, Purdue Univ., Dec. 2003;
www.cerias.purdue.edu/tools_and_resources/bibtex_archive/archive/200334.pdf.
“Internet Security Glossary,” The Internet Society, Aug. 2004; www.faqs.org/rfcs/rfc2828.html.
B. Bhargava and L. Lilien “Private and Trusted Collaborations,” to appear in Secure
Knowledge Management (SKM 2004): A Workshop, 2004.
“Sensor Nation: Special Report,” IEEE Spectrum, vol. 41, no. 7, 2004.
3/23/04
20
References & Bibliography(2)
5.
7.
8.
9.
10.
11.
12.
13.
3/23/04
6. R. Khare and A. Rifkin, “Trust Management on the World Wide Web,” First Monday,
vol. 3, no. 6, 1998; www.firstmonday.dk/issues/issue3_6/khare.
M. Richardson, R. Agrawal, and P. Domingos,“Trust Management for the Semantic Web,”
Proc. 2nd Int’l Semantic Web Conf., LNCS 2870, SpringerVerlag, 2003, pp. 351–368.
P. Schiegg et al., “Supply Chain Management Systems—A Survey of the State of the Art,”
Collaborative Systems for Production Management: Proc. 8th Int’l Conf. Advances in
Production Management Systems (APMS 2002), IFIP Conf. Proc. 257, Kluwer, 2002.
N.C. Romano Jr. and J. Fjermestad, “Electronic Commerce Customer Relationship
Management: A Research Agenda,” Information Technology and Management, vol. 4,
nos. 2–3, 2003, pp. 233–258.
“On Security Study of Two Distance Vector Routing Protocols for Mobile Ad Hoc
Networks,” by W. Wang, Y. Lu and B. Bhargava, Proc. of IEEE Intl. Conf. on Pervasive
Computing and Communications (PerCom 2003), DallasFort Worth, TX, March 2003.
/>“Fraud Formalization and Detection,” by B. Bhargava, Y. Zhong and Y. Lu, Proc. of 5th
Intl. Conf. on Data Warehousing and Knowledge Discovery (DaWaK 2003), Prague,
Czech Republic, September 2003. http://
www.cs.purdue.edu/homes/zhong/papers/fraud.pdf
“eNotebook Middleware for Accountability and Reputation Based Trust in Distributed Data
Sharing Communities,” by P. Ruth, D. Xu, B. Bhargava and F. Regnier, Proc. of the
Second International Conference on Trust Management (iTrust 2004), Oxford, UK, March
2004. />“PositionBased ReceiverContention Private Communication in Wireless Ad Hoc
Networks,” by X. Wu and B. Bhargava, submitted to the Tenth Annual Intl. Conf. on Mobile
Computing and Networking (MobiCom’04), Philadelphia, PA, September October 2004.
/>
21
THE END
3/23/04
22