Upload
pascal
View
27
Download
3
Embed Size (px)
DESCRIPTION
Coping with Information Asymmetry SESSION G: Managing Risk & Reducing Online Fraud Using New Security Technologies. Nat Sakimura Nomura Research Institute. www.oasis-open.org. Alice. How can I trust that the user is Alice? Is the data provided accurate?. IdP. RP. Can I trust this RP? - PowerPoint PPT Presentation
Citation preview
Click to edit Master title style
© 20101 by Nat Sakimura.
Coping with Information AsymmetryCoping with Information Asymmetry
SESSION G: Managing Risk & Reducing Online Fraud Using New Security Technologies SESSION G: Managing Risk & Reducing Online Fraud Using New Security Technologies
Nat SakimuraNomura Research Institute
www.oasis-open.org
© 20101 by Nat Sakimura. 2
IdP RP
AliceHow can I trust this
RP that it will treat my data as promised?
How can I trust that the user is Alice?
Is the data provided accurate?
Can I trust this RP?
Can I trust Alice?
© 20101 by Nat Sakimura. 3
Market Failure
© 20101 by Nat Sakimura. 4
Empirical Study Funded by Ministry of Internal Affairs and
Communication (MIC) n=117, distributed same as the population. Observed testing combined with F2F interviews
Source: Based on the Report on Identity Federation Substantial Experiment
© 20101 by Nat Sakimura. 5
Restaurant Search Engine + Restaurant Sites (Both Mobile and PC)
Users are told to find the restaurants they want to go and reserve.
Registration requires various user information depending on the site.
Some are traditional “Form Submission” Some are using Identity Federation and
attribute sharing.
© 20101 by Nat Sakimura. 6
IdP
②
AuthZed AttrsSent to RP
User
①
AuthN + Attr AuthZ
RP
③
No need to fill in the info that the user authzed to be
sent
Attribute Sharing
AuthZed Attrsis being sent
from IdP to RP
- Results - How It looked like
Users needed to fill-in the attrsnot sent by IdP
NamePost CodeAddressTelephoneMail AddressSexOccupationAge
Source: Based on the Report on Identity Federation Substantial Experiment
© 20101 by Nat Sakimura. 7
(N=177)
Without Attr. Sharing
With Attrs Sharing
1’33” 0’19”
19.6% 7.1%
Time Req. to completeregistration
Input ErrorRate
( Down 80% )
( Down 65% )
Both Time Required to complete And the Error Rate were reduced.
- Results - Attribute Sharing Greatly improves the user experience
IdP
②
AuthZed AttrsSent to RP
User
①
AuthN + Attr AuthZ
RP
③
No need to fill in the info that the user authzed to be
sent
Attribute Sharing
Source: Based on the Report on Identity Federation Substantial Experiment
© 20101 by Nat Sakimura. 8
StronglyYes53%
Yes41%
Never0%
Do notWant3%
Don'tKnow
3%
-User Feedback - 94% Answered that they want to use Attribute Sharing Services.
Do yo want to use such Attribute Sharing Services?
Source: Based on the Report on Identity Federation Substantial Experiment
© 20101 by Nat Sakimura. 9
72.6
63.2
42.7
33.3
24.8
31.6
41.9
52.1
2.6
4.3
14.5
14.5
0
0.9
0.9
0
0% 20% 40% 60% 80% 100%
Very Much Somewhat Not So Much Not At All
Additional Features Wanted by the Users
Assist users to find out if the RP is trustworthy
Selectively Send the attributes (e.g., not sending telephone no.)
Automatically notify/update the selected RPs when Attrs changed.
Select one from Multiple “profiles” when sending attrs.
-User Feedback - 97% Users wanted to have a way to find out the trustworthiness of the RP
Additional Features Requested
Source: Based on the Report on Identity Federation Substantial Experiment
© 20101 by Nat Sakimura. 10
How? Third Party Audit
E.g., Open Identity Trust Framework Reputation
“Reputation is a subjective evaluation of the assertion about an entity being true based on factual and/or subjective data about it, and is used as one of the factors for establishing trust on that subject for a specific purpose. Reputation can be aggregated by rolling up opinions from smaller sets like individuals. ”
Open Reputation Management Systems (ORMS) TC
© 20101 by Nat Sakimura. 11
ORMS Reference Model
Input data collection/ generation
Input data collection/ generation
Input data collection/ generation
Input data collection/ generation
Individual & demographic data – entity E
Oberved data – Entity E
Real-world data: entity E
Inferred data: Entity E
subjective data – Entity E
Input data collection/ generation
…
ReputationComputer
Context
Reputation System
Reputation ofInput entities
(local)Reputation
PortableReputation
Computation of Trust by (external)Consuming party
Pub-Sub
Portable Reputation Data InputComputation of
Trust by (external)Consuming party
Source: ORMS TC, “Use Cases”
© 20101 by Nat Sakimura. 12
Reputation Format Requirements1. Reputation result XML needs to have an identifier of
somebody being scored. It may include PII (e.g., Social Security Number), so it may be
wise to mandate that this be a hash(identifier, salt)?=>Protocol Consideration
2. The same for who is scoring, and sometimes for who is receiving.
3. For what criteria, this reputation score was made. 4. Input Data Range 5. For the reputation to be aggregatable, it has to have a
distribution that we know about the aggregated distribution (such as normal distribution).
6. The information about the distribution, including what distribution, mean, and standard deviation must be published together with the score.
7. Display score should be intuitive for an average person.8. Date that score was made 9. Signature by the score maker so that it will be tamper
proof.
Source: ORMS TC, “Use Cases”
© 20101 by Nat Sakimura. 13
Protocol Requirements PR1. The reputation consumer SHOULD be able to obtain
the reputation file by specifying the assertion including the subject identifier.
PR2. Since the reputation data itself is often an sensitive data including PII, it SHOULD have the following security considerations:
SubjectID SHOULD be represented so that it cannot be traced back to the Subject, e.g., sha256(SubjectID, salt). This implies that the protocol should be a request-response protocol since otherwise the receiver cannot map the file to the Subject.
Be able to make the source detectable in the case of the leakage, the file should contain the requester ID.
To make the request forgery-proof, the request should contain the digital signature of the requesting party.
To protect from eavesdropping and MITM attacks, the response should be encrypted using a content encryption key (session key) which in turn is encrypted by the requesting party’s public key.
Considering that the mere fact that an entity is requesting a reputation representation of the subject may be a privacy risk, the request probably should be encrypted in the same manner as the response, with reputation authority’s public key.Source: ORMS TC, “Use Cases”
© 20101 by Nat Sakimura. 14
Example Reputation Display
Last Login, How Many Times in the Past.
Reputation
Authorize
Source: Based on the Report on Identity Federation Substantial Experiment