Nat Sakimura Nomura Research Institute

Click to edit Master title style

© 20101 by Nat Sakimura.

Coping with Information AsymmetryCoping with Information Asymmetry

SESSION G: Managing Risk & Reducing Online Fraud Using New Security Technologies SESSION G: Managing Risk & Reducing Online Fraud Using New Security Technologies

Nat SakimuraNomura Research Institute

www.oasis-open.org

© 20101 by Nat Sakimura. 2

IdP RP

AliceHow can I trust this

RP that it will treat my data as promised?

How can I trust that the user is Alice?

Is the data provided accurate?

Can I trust this RP?

Can I trust Alice?


Market Failure


Empirical Study Funded by Ministry of Internal Affairs and

Communication (MIC) n=117, distributed same as the population. Observed testing combined with F2F interviews

Source: Based on the Report on Identity Federation Substantial Experiment


Restaurant Search Engine + Restaurant Sites (Both Mobile and PC)

Users are told to find the restaurants they want to go and reserve.

Registration requires various user information depending on the site.

Some are traditional “Form Submission” Some are using Identity Federation and

attribute sharing.


IdP

②

AuthZed AttrsSent to RP

User

①

AuthN + Attr AuthZ

RP

③

No need to fill in the info that the user authzed to be

sent

Attribute Sharing

AuthZed Attrsis being sent

from IdP to RP

- Results - How It looked like

Users needed to fill-in the attrsnot sent by IdP

NamePost CodeAddressTelephoneMail AddressSexOccupationAge



(N=177)

Without Attr. Sharing

With Attrs Sharing

1’33” 0’19”

19.6% 7.1%

Time Req. to completeregistration

Input ErrorRate

（ Down 80% ）

（ Down 65% ）

Both Time Required to complete And the Error Rate were reduced.

- Results - Attribute Sharing Greatly improves the user experience

IdP

②

AuthZed AttrsSent to RP

User

①

AuthN + Attr AuthZ

RP

③

No need to fill in the info that the user authzed to be

sent

Attribute Sharing



StronglyYes53%

Yes41%

Never0%

Do notWant3%

Don'tKnow

3%

-User Feedback - 94% Answered that they want to use Attribute Sharing Services.

Do yo want to use such Attribute Sharing Services?



72.6

63.2

42.7

33.3

24.8

31.6

41.9

52.1

2.6

4.3

14.5

14.5

0

0.9

0.9

0

0% 20% 40% 60% 80% 100%

Very Much Somewhat Not So Much Not At All

Additional Features Wanted by the Users

Assist users to find out if the RP is trustworthy

Selectively Send the attributes (e.g., not sending telephone no.)

Automatically notify/update the selected RPs when Attrs changed.

Select one from Multiple “profiles” when sending attrs.

-User Feedback - 97% Users wanted to have a way to find out the trustworthiness of the RP

Additional Features Requested



How? Third Party Audit

E.g., Open Identity Trust Framework Reputation

“Reputation is a subjective evaluation of the assertion about an entity being true based on factual and/or subjective data about it, and is used as one of the factors for establishing trust on that subject for a specific purpose. Reputation can be aggregated by rolling up opinions from smaller sets like individuals. ”

Open Reputation Management Systems (ORMS) TC


ORMS Reference Model

Input data collection/ generation




Individual & demographic data – entity E

Oberved data – Entity E

Real-world data: entity E

Inferred data: Entity E

subjective data – Entity E


…

ReputationComputer

Context

Reputation System

Reputation ofInput entities

(local)Reputation

PortableReputation

Computation of Trust by (external)Consuming party

Pub-Sub

Portable Reputation Data InputComputation of

Trust by (external)Consuming party

Source: ORMS TC, “Use Cases”


Reputation Format Requirements1. Reputation result XML needs to have an identifier of

somebody being scored. It may include PII (e.g., Social Security Number), so it may be

wise to mandate that this be a hash(identifier, salt)?=>Protocol Consideration

2. The same for who is scoring, and sometimes for who is receiving.

3. For what criteria, this reputation score was made. 4. Input Data Range 5. For the reputation to be aggregatable, it has to have a

distribution that we know about the aggregated distribution (such as normal distribution).

6. The information about the distribution, including what distribution, mean, and standard deviation must be published together with the score.

7. Display score should be intuitive for an average person.8. Date that score was made 9. Signature by the score maker so that it will be tamper

proof.

Source: ORMS TC, “Use Cases”


Protocol Requirements PR1. The reputation consumer SHOULD be able to obtain

the reputation file by specifying the assertion including the subject identifier.

PR2. Since the reputation data itself is often an sensitive data including PII, it SHOULD have the following security considerations:

SubjectID SHOULD be represented so that it cannot be traced back to the Subject, e.g., sha256(SubjectID, salt). This implies that the protocol should be a request-response protocol since otherwise the receiver cannot map the file to the Subject.

Be able to make the source detectable in the case of the leakage, the file should contain the requester ID.

To make the request forgery-proof, the request should contain the digital signature of the requesting party.

To protect from eavesdropping and MITM attacks, the response should be encrypted using a content encryption key (session key) which in turn is encrypted by the requesting party’s public key.

Considering that the mere fact that an entity is requesting a reputation representation of the subject may be a privacy risk, the request probably should be encrypted in the same manner as the response, with reputation authority’s public key.Source: ORMS TC, “Use Cases”


Example Reputation Display

Last Login, How Many Times in the Past.

Reputation

Authorize


Documents

Nat Sakimura Nomura Research Institute