Virgil Gligor - CSIT Belfast

On the Foundations of Trust in Networks of Humans and Computers

Virgil D. Gligor
Carnegie Mellon University
Pittsburgh, PA 15213

CSIT Belfast, March 15, 2013

VDG, Mar. 15, 2013

Copyright © 2012

Joint Work with . . .

V. Gligor and J. Wing, Towards a Theory of Trust in Networks of Humans and Computers. In Proc. of the 19th International Workshop on Security Protocols (Cambridge, UK, March 2011). LNCS 7114, Springer Verlag.

T. Hyun-Jin Kim, V. Gligor, and A. Perrig, Street-Level Trust Semantics for Attribute Authentication. In Proc. of the 20th Security Protocols Workshop (Cambridge University, UK, April 2012). LNCS 7622, Springer Verlag.

Security => Trust Demonstrable Security Properties

Network Security

Trust User Behavior

TTP “insiders”

interactions

Malware Propagation Methods

Percentage of Attacks Analyzed

Analysis reported in the Microsoft Intelligence Report, vol. 11, 2011

[Bar chart. Bar labels: User Interaction Required; Autorun USB; Autorun Network; File Infection; Exploit, Update Long (>1 yr) Available; Exploit, Update Available; Password Guessing, Brute Force; Office Macros; Zero-day Exploit. Bar values shown on the slide: 44.8%, 26.0%, 17.2%, 4.4%, 3.2%, 2.4%, 1.7%, 0.3%, ≈ 0.0%.]

Trust => * Foundations * = Sociology, Psychology, Economics, … , Neuroscience (100s of articles)

Trust => Security Foundations?

1. Trust Relations among Humans => Productivity & Wealth
- countries where people trust more have higher GDP (e.g., trust surveys [Fehr09])
- more trust within a community => higher Total Factor Productivity [Dasgupta09]

2. Trust Relations Networks of Humans and Computers?
- more trust relations => larger pool of available services, higher network effect, increased productivity, economic development & wealth

Q1. new trust relations => “street-level” security protocols?

Outline

1. Interactive Trust Protocols (ITPs)
- questions computer security & crypto can(not) answer
- necessary conditions: Value Proposition & Asymmetry

2. “Street-level” Asymmetry Reduction in ITPs
- social collateral
- measurable proximity
- an example: accepting an unknown sender’s certificate

3. Future Research
- security without secrets; deception, scams & machine learning; trust networks; security that creates new value

Interactive Trust Protocols Certificates

Action: “click & invest, send credit card, account no., problem” … Service: “receive money, solutions, code”

- ID, group, role …

Attributes . . .

Receiver

Sender’s ID, Credentials; Take Action => Receive Service

Either Takes Specified Action or Rejects

Sender

Verifies Receiver’s Action; Provides Specified Service or Does Not

Interactive Trust Protocols

Receiver

Sender’s ID, Credentials; No Action => Service Ends

Sender

Interactive Trust Protocols

Receiver

Sender’s ID, Credentials; Take Action => Receive Service

Sender

ITP => Value Proposition
• Both parties are honest => Both are better off after session
• Future sessions: rational Receiver Takes Action again

Questions Often Asked …

? Receiver

Sender’s ID, Credentials; Take Action => Receive Service

Sender

Sender

Should I accept this unknown Sender’s Certificate? Should I accept this stranger’s invitation? - is it safe?

Typical non-answers . . .

Uninformative Good, Useless Advice

Typical non-answers . . .

Speculative, adds a little fear

Good, Useless Advice

Typical non-answers . . .

Ego busting “Just say No”

Interactive Trust Protocols

Sender

Receiver

Accept, Take Specified Action

Dishonest Sender: Verifies Receiver’s Action & provides corrupt service; i.e., bad input, malware

ITP => Asymmetry
• Dishonest Sender is better off than an Honest Sender & Honest Receiver is worse off after session
• Dishonesty discovered => rational Receiver rejects all future sessions

Asymmetry Reduction Isolation from Sender:

Trustworthiness Evidence (past)

bad input, malware discovered

never sends a bad input, malware

Sender

Receiver Recovery from bad input, malware

Deterrence against sending a bad input, malware => Punishment => Accountability
- Trusted Third Parties (TTPs)?

Machine? Correct Sender & Machine Code

Human? Correct Sender & User Behavior

Asymmetry Reduction by TTPs?

Sender

Receiver

Collateral

TTP escrow

Sender

Collateral ≥ ill-gotten Gain

Fragile: single point of failure for all transactions

Impractical: Sender has to post Collateral for all possible Receivers

Unsound: both Receiver & unknown Sender must trust (?) the Third Party

Closure No Behavioral Trust

=> Isolation Sender

Receiver

Behavioral Trust -  Beliefs

- Sender trustworthiness=>

Trustworthiness Evidence (future)

- Preferences/Aversions - Risk

=> Recovery

- Betrayal

=> Deterrence => punishment => accountability

we need: safe increase in train speeds -> increased railroad commerce