Minimising disclosure of client information in credential-based interactions

Advancements in ICT allow people to use and access resources and services on the web anywhere and anytime. Servers offering resources typically require users to release information about themselves, which is then used to enforce possible access policies on the offered services. Effective access to such resources requires the development of approaches that enable the user to organise and manage all her credentials and regulate their release when interacting with other parties over the web. In this paper, we provide a means for the user to specify how much she values the release of different properties, credentials, or combinations thereof, as well as additional constraints that she might impose on information disclosure. Exploiting a graph modelling of the problem, the user can determine the credentials and properties to disclose to satisfy a server request while minimising the sensitivity of the information disclosed. We develop a heuristic approach that shows execution times compatible with the requirements of interactive access to web resources.
