On the Foundations of Trust in Networks of Humans and Computers
Virgil D. Gligor
Carnegie Mellon University, Pittsburgh, PA 15213
CSIT Belfast March 15, 2013
VDG, Mar. 15, 2013
Copyright © 2012
Joint Work with . . .
- V. Gligor and J. Wing, Towards a Theory of Trust in Networks of Humans and Computers. In Proc. of the 19th International Workshop on Security Protocols (Cambridge, UK, March 2011). LNCS 7114, Springer Verlag.
- T. Hyun-Jin Kim, V. Gligor, and A. Perrig, Street-Level Trust Semantics for Attribute Authentication. In Proc. of 20th Security Protocols Workshop (Cambridge University, UK, April 2012). LNCS 7622, Springer Verlag.
Security => Trust
[Diagram labels: Demonstrable Security Properties; Network Security; Trust User Behavior; TTP “insiders”; interactions]
Malware Propagation Methods
Analysis reported in the Microsoft Intelligence Report, vol. 11, 2011
[Bar chart; y-axis: Percentage of Attacks Analyzed]
- User Interaction Required: 44.8%
- Autorun USB: 26.0%
- Autorun Network: 17.2%
- File Infection: 4.4%
- Exploit, Update Long (>1 yr) Available: 3.2%
- Exploit, Update Available: 2.4%
- Password Guessing Brute Force: 1.7%
- Office Macros: 0.3%
- Zero-day Exploit: ≈ 0.0%
Trust => * Foundations
* = Sociology, Psychology, Economics, … , Neuroscience (100s of articles)
Trust => Security Foundations?
1. Trust Relations among Humans => Productivity & Wealth
- countries where people trust more have higher GDP (e.g., trust surveys [Fehr09])
- more trust within a community => higher Total Factor Productivity [Dasgupta09]
2. Trust Relations Networks of Humans and Computers?
- more trust relations => larger pool of available services, higher network effect, increased productivity, economic development & wealth
Q1. new trust relations => “street-level” security protocols?
Outline
1. Interactive Trust Protocols (ITPs)
- questions computer security & crypto can(not) answer
- necessary conditions: Value Proposition & Asymmetry
2. “Street-level” Asymmetry Reduction in ITPs
- social collateral
- measurable proximity
- an example: accepting an unknown sender’s certificate
3. Future Research
- security without secrets; deception, scams & machine learning; trust networks; security that creates new value
Interactive Trust Protocols
[Diagram: Sender, Receiver]
Message: Sender’s ID, Credentials; Take Action => Receive Service
- Certificates: ID, group, role … Attributes . . .
- Action: “click & invest, send credit card, account no., problem” …
- Service: “receive money, solutions, code”
Receiver: Either Takes Specified Action or Rejects
Sender: Verifies Receiver’s Action; Provides Specified Service or Does Not
Interactive Trust Protocols
[Diagram: Sender, Receiver]
Message: Sender’s ID, Credentials; No Action => Service Ends
Interactive Trust Protocols
[Diagram: Sender, Receiver]
Message: Sender’s ID, Credentials; Take Action => Receive Service
ITP => Value Proposition
• Both parties are honest => Both are better off after session
• Future sessions: rational Receiver Takes Action again
Questions Often Asked …
[Diagram: Sender, Receiver (?)]
Message: Sender’s ID, Credentials; Take Action => Receive Service
- Should I accept this unknown Sender’s Certificate?
- Should I accept this stranger’s invitation? - is it safe?
Typical non-answers . . .
- Uninformative
- Good, Useless Advice
Typical non-answers . . .
- Speculative, adds a little fear
- Good, Useless Advice
Typical non-answers . . .
- Ego busting
- “Just say No”
Interactive Trust Protocols
[Diagram: Sender, Receiver]
Receiver: Accept, Take Specified Action
Dishonest Sender: Verifies Receiver’s Action & provides corrupt service; i.e., bad input, malware
ITP => Asymmetry
• Dishonest Sender is better off than an Honest Sender & Honest Receiver is worse off after session
• Dishonesty discovered => rational Receiver rejects all future sessions
Asymmetry Reduction
[Diagram: Sender, Receiver; labels as extracted]
- Isolation from Sender:
- Trustworthiness Evidence (past)
- bad input, malware discovered
- never sends a bad input, malware
- Recovery from bad input, malware
- Deterrence against sending a bad input, malware => Punishment => Accountability - Trusted Third Parties (TTPs)?
- Machine? Correct Sender & Machine Code
- Human? Correct Sender & User Behavior
Asymmetry Reduction by TTPs?
[Diagram labels: Sender, Receiver, Collateral, TTP escrow]
Collateral ≥ ill-gotten Gain
- Fragile: single point of failure for all transactions
- Impractical: Sender has to post Collateral for all possible Receivers
- Unsound: both Receiver & unknown Sender must trust (?) the Third Party
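Added example (not from the talk): a small Python model of the Interactive Trust Protocol sessions and the TTP escrow condition on the slides above. The payoff fields, the sample numbers, and the rule that escrowed collateral is forfeited on discovery are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Payoffs:
    """Per-session values; every number used with this class is constructed."""
    action_cost: float      # what the Receiver spends on the specified action
    service_value: float    # what the honest service is worth to the Receiver
    honest_profit: float    # Sender's profit from an honest session
    ill_gotten_gain: float  # Sender's profit from a corrupt service
    damage: float           # Receiver's loss from bad input or malware

def play(p, sender_honest, sessions, accept=True, collateral=0.0):
    """Run repeated ITP sessions; return (sender_total, receiver_total, sessions_run).

    The Receiver is rational: it repeats an honest session and rejects all
    future sessions once dishonesty is discovered. Escrowed collateral is
    forfeited by the Sender on discovery (assumed TTP behaviour).
    """
    sender = receiver = 0.0
    run = 0
    if not accept:                       # No Action => Service Ends
        return sender, receiver, run
    for _ in range(sessions):
        run += 1
        if sender_honest:
            sender += p.honest_profit
            receiver += p.service_value - p.action_cost
        else:
            sender += p.ill_gotten_gain - collateral
            receiver -= p.action_cost + p.damage
            break                        # discovered: no further sessions
    return sender, receiver, run

def escrow_deters(p, collateral):
    """The slide's condition: Collateral >= ill-gotten Gain."""
    return collateral >= p.ill_gotten_gain

def escrow_to_post(p, possible_receivers):
    """Collateral the Sender must lock up to cover every possible Receiver."""
    return p.ill_gotten_gain * possible_receivers

# Constructed sample values, not taken from the slides.
SAMPLE = Payoffs(action_cost=10, service_value=25, honest_profit=8,
                 ill_gotten_gain=40, damage=60)

if __name__ == "__main__":
    print("honest            ", play(SAMPLE, True, 1))
    print("dishonest         ", play(SAMPLE, False, 1))
    print("dishonest + escrow", play(SAMPLE, False, 1, collateral=40))
    print("escrow for 1000 receivers:", escrow_to_post(SAMPLE, 1000))
```

With these constructed numbers a single dishonest session pays the Sender more than an honest one, escrow equal to the gain removes that advantage, and the amount to be escrowed grows linearly with the number of possible Receivers.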
Closure
[Diagram: Sender, Receiver]
No Behavioral Trust => Isolation
Behavioral Trust
- Beliefs - Sender trustworthiness => Trustworthiness Evidence (future)
- Preferences/Aversions - Risk => Recovery
- Betrayal => Deterrence => punishment => accountability
we need: safe increase in train speeds -> increased railroad commerce