SPARTA ISSO

Trust Negotiation

Objective:
Authenticating a subject's identity doesn't help if the subject is a stranger you've never heard of before. In dynamic coalitions, if authorization decisions are based on subject identity, as organizations enter and leave the coalition the rate at which identities must be administered by coalition members can become unmanageably large. The Advances in Trust Negotiation (ATN) project is studying an approach to making application-level authorization decisions without using subject identity by basing those decisions on subject properties that can be mapped to roles without requiring additional information about the subject. By placing those properties in credentials, such as attribute certificates, the approach allows properties to be authenticated off-line. Property-based credentials contain potentially sensitive data and must be protected. Automation is needed to manage a potentially large number of credentials. We call the automated or semi-automated exchange of protected credentials Trust Negotiation. We use the term "property-based role derivation" to refer to authentication of properties other than identity, together with the mapping of those properties to roles. The six-month ATN project will assess requirements and evaluate key technologies that must be developed to enable property-based role derivation to be widely deployed. While some specification work is planned, the central goal is to provide a clear roadmap for further work in Trust Negotiation and a basis for evaluating its likely impact.

Approach:
Property-based role derivation enables trust to be established in a subject on first contact, with no prior knowledge of that subject. It supports role-based access control, mapping a subject to a role based on attributes of the subject other than identity. In a coalition, this means that organizations do not need to maintain databases that associate roles with each subject in each coalition-member organization. Instead, a subject's roles within her home organization are used as the basis for determining her roles and rights in interactions with partner organizations. These home-organization roles are documented as subject properties in cryptographically signed credentials, which can be verified off-line, enhancing system survivability. Part of the current effort will analyze requirements of a suitable credential system and evaluate the suitability of existing credential systems for use in property-based role derivation and Trust Negotiation.

The model we use maps credentials to roles and then uses role-based access control. For instance, a student subscription rate might be available only to subjects in the student role, and a student id credential might be used to authenticate its owner to the student role. In this case, the role-derivation policy, which defines the mapping from credentials to roles, must identify recognized issuers of student ids. For instance, it might state that issuers of student ids (e.g., universities) must possess a credential from a known academic accrediting board. In that case, the student would probably have to present this credential, as well as her own, to get the student subscription rate.

In the ATN project, property-based role derivation in dynamic coalitions will be governed by a role-derivation policy that maps home-organization credentials to an appropriate coalition or "visitor" role in the foreign organization. Such a role-derivation policy will have three parts. The first part maps credentials to home-organization roles. This is the part that specifies which credentials must be held by the issuer of the subject's credentials (and by the issuers of those credentials, etc., as necessary). It determines who is trusted as an authority on each credential's contents and, in that way, traces a chain of trust. This part of the role-derivation policy will typically be authored by the subject's home organization, not by the foreign organization that authenticates the subject. The second part of the role-derivation policy identifies partner organizations, as well as the roles that those organizations have in the coalitions. It maps home-organization roles to coalition roles, and will typically be authored by the coalition. (This part must be updated each time the coalition membership changes. However, this update is at the organizational level, which requires far less administrative effort than would a separate update for each subject in the organization whose coalition-membership status has changed.) The third part of the role-derivation policy is optional and may be used to map coalition roles to "visitor" roles. When it is used, this part will be authored by the foreign organization that authenticates the subject. At the time when an organization joins the coalition, if some such "visitor" role already has suitable rights to the resources that the organization makes available to the coalition, then mapping the coalition role to that visitor role eliminates the need to modify the access controls for those resources. Part of the current effort will analyze the suitability of various existing policy languages for use in role-derivation policy definition.
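The three-part role-derivation policy described above, worked through in code. This is an added illustration, not part of the ATN project's own specification: organization names, attribute names, and the shape of the policy tables are constructed for the example, and signature verification of the credentials is assumed to have happened off-line before this code runs. Part 1 is a chain of attributes ending at a trusted root (the student's id must come from a university that itself holds an accreditation credential), part 2 is the coalition's partner table, and part 3 is the foreign organization's optional visitor mapping.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Credential:
    """A signed assertion by `issuer` that `subject` has `attribute`.
    Signature checking is assumed to have been done off-line before this code runs."""
    issuer: str
    subject: str
    attribute: str


# Part 1, authored by each home organization: home role -> (attribute chain, trusted roots).
# chain[0] is the attribute the subject must hold from the home organization, chain[1] the
# attribute the home organization itself must hold, and so on; the last link must be
# issued by one of the trusted root issuers. (Hypothetical organization names.)
PART1_HOME_ROLES: Dict[str, Dict[str, Tuple[List[str], Set[str]]]] = {
    "UnivA": {
        "student": (["student", "accredited-university"], {"AccreditingBoard"}),
        "faculty": (["faculty", "accredited-university"], {"AccreditingBoard"}),
    },
    "UnivB": {
        "student": (["student", "accredited-university"], {"AccreditingBoard"}),
    },
}

# Part 2, authored by the coalition: (partner organization, home role) -> coalition role.
# Only organizations listed here are coalition members; this table, not per-subject
# access controls, is what changes when coalition membership changes.
PART2_COALITION_ROLES = {
    ("UnivA", "student"): "coalition-trainee",
    ("UnivA", "faculty"): "coalition-analyst",
}

# Part 3, optional, authored by the foreign organization: coalition role -> local visitor role.
PART3_VISITOR_ROLES = {"coalition-trainee": "visitor-reader"}


def chain_holds(creds, subject, chain, roots, issuer=None) -> bool:
    """Check that `subject` holds chain[0] from an issuer that in turn holds chain[1], ...,
    ending at a credential issued by a trusted root. `issuer`, when given, pins who
    must have issued chain[0]."""
    attr, rest = chain[0], chain[1:]
    for c in creds:
        if c.subject != subject or c.attribute != attr:
            continue
        if issuer is not None and c.issuer != issuer:
            continue
        if not rest:
            if c.issuer in roots:
                return True
        elif chain_holds(creds, c.issuer, rest, roots):
            return True
    return False


def derive_home_roles(creds, subject) -> Set[Tuple[str, str]]:
    """Part 1: the (home organization, home role) pairs the presented credentials establish."""
    roles = set()
    for home_org, rules in PART1_HOME_ROLES.items():
        for role, (chain, roots) in rules.items():
            if chain_holds(creds, subject, chain, roots, issuer=home_org):
                roles.add((home_org, role))
    return roles


def derive_roles(creds, subject) -> Set[str]:
    """Apply all three parts: credentials -> home roles -> coalition roles -> visitor roles."""
    coalition_roles = {PART2_COALITION_ROLES[pair]
                       for pair in derive_home_roles(creds, subject)
                       if pair in PART2_COALITION_ROLES}
    # Part 3 is optional: a coalition role with no visitor mapping is used as-is.
    return {PART3_VISITOR_ROLES.get(r, r) for r in coalition_roles}


# Constructed sample credentials: each subject presents her own credential together
# with the credential her issuer holds, as the text describes.
CREDS = [
    Credential("UnivA", "alice", "student"),
    Credential("AccreditingBoard", "UnivA", "accredited-university"),
    Credential("UnivA", "carol", "faculty"),
    Credential("DiplomaMill", "mallory", "student"),  # issuer is not a recognized home org
    Credential("UnivB", "bob", "student"),
    Credential("AccreditingBoard", "UnivB", "accredited-university"),  # accredited, not a partner
]

if __name__ == "__main__":
    for who in ("alice", "carol", "mallory", "bob"):
        print(who, derive_home_roles(CREDS, who), derive_roles(CREDS, who))
```

Note that bob derives a valid home role from his accredited university but no coalition role, because UnivB is absent from the part-2 table; dropping UnivB from the coalition therefore required no change to any per-subject control. Omitting the accreditation credential from what bob presents makes the part-1 chain fail, which is why the student must present the issuer's credential along with her own.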

Many of the subject's roles within her home organization will be sensitive, and must be protected. This means that credentials must be exchanged incrementally and in both directions. Also, each subject may have a potentially large number of roles, requiring automated (or at least assisted) selection of which credentials to submit. We call the automated or semi-automated exchange of protected credentials Trust Negotiation. The Trust-Negotiation approach to property-based role derivation will provide credential-exchange protocols that protect sensitive credentials by enforcing credential access control policies. Mutual trust is automatically established between software agents through a sequence of credential exchanges in which an agent discloses a credential only when its access-control policy has been satisfied by credentials from the other agent. Several Trust Negotiation protocols have previously been proposed. However, part of the current effort includes investigation of further protocols.

To minimize unnecessary disclosure of credentials, some trust-negotiation protocols exchange explicit requests for credentials, thereby focusing disclosures on credentials that are relevant to establishing the quality and variety of trust required. Credential requests use the same notation as role-derivation policies, and may be derived in part from those policies. Part of the current effort includes the specification of an algorithm that takes as input an incoming request for locally-owned credentials and the local access policies that govern those credentials. The algorithm returns a counter request for credentials whose disclosure would unlock a set of credentials that satisfies the original input request. Prior results have shown the following property of the protocol that uses this algorithm. If the derived counter request is necessary and sufficient to unlock credentials that satisfy the original request, then the protocol ensures that no credentials are disclosed unless a successful negotiation is possible (in which case the protocol always succeeds). Note that the counter request incorporates content from policies that govern requested credentials. This raises the problem of protecting sensitive policy content. Part of the current effort is to investigate protocols that protect sensitive policy content and to analyze the impact on protocol properties. (For instance, it may no longer be possible to guarantee that no credentials will flow unless the negotiation will succeed.)
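A simulation of the counter-request derivation and the parsimonious protocol built on it (the same algorithm Effort 1 under Current Plan sets out to develop). This is an added example, not the project's own algorithm or protocol: it assumes conjunctive access policies (a credential is unlocked once every credential named in its policy has been presented), that a counter request carries the policy content for each requested credential, as the text notes it must, and that credential names are unique across the two parties. The service and subject credential names are constructed for the example. Nothing is disclosed until the exchanged requests close over the whole dependency graph and both sides can see that every credential in it can be unlocked in some order; a request for a credential the other side does not own, or a circular set of policies, fails with zero disclosures.

```python
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# A credential access policy: local credential name -> the remote credentials whose
# presentation unlocks it (conjunctive; an empty set means freely disclosable).
Policy = Dict[str, FrozenSet[str]]


class Agent:
    """One party in the negotiation. Credential names are assumed unique across both parties."""

    def __init__(self, name: str, policy: Policy) -> None:
        self.name = name
        self.policy = policy
        self.disclosed: List[str] = []  # credentials actually sent, in order

    def counter_request(self, request: Set[str]) -> Optional[Dict[str, FrozenSet[str]]]:
        """Derive the counter request for an incoming request for local credentials.

        For each requested credential the reply names the remote credentials its access
        policy requires; presenting all of them is necessary and sufficient to unlock the
        requested credentials. None means a requested credential is not owned, so no
        negotiation can satisfy the request.
        """
        if not request <= set(self.policy):
            return None
        return {name: self.policy[name] for name in request}


def negotiate(client: Agent, server: Agent, request: Set[str]) -> Tuple[bool, List[str]]:
    """Parsimonious negotiation: exchange requests until no new credential is named,
    then disclose only if every credential in the dependency closure can be unlocked."""
    # Policy content revealed so far by each party's counter requests.
    revealed: Dict[str, Dict[str, FrozenSet[str]]] = {client.name: {}, server.name: {}}
    owner: Dict[str, Agent] = {}
    asker, answerer = client, server
    pending = set(request)
    while pending:
        reply = answerer.counter_request(pending)
        if reply is None:
            return False, []  # fail before any credential flows
        revealed[answerer.name].update(reply)
        owner.update({name: answerer for name in reply})
        # Credentials the answerer now needs from the asker that the asker has not yet explained.
        needed = set().union(*reply.values()) - set(revealed[asker.name])
        asker, answerer = answerer, asker
        pending = needed
    # Both parties now hold the same dependency graph over the closure of the request.
    graph = {**revealed[client.name], **revealed[server.name]}
    order: List[str] = []
    unlocked: Set[str] = set()
    remaining = set(graph)
    while remaining:
        ready = {c for c in remaining if graph[c] <= unlocked}
        if not ready:
            return False, []  # circular policies: nothing can be disclosed first
        for c in sorted(ready):
            order.append(c)
            unlocked.add(c)
        remaining -= ready
    # Only now do credentials flow, in an order that respects every access policy.
    for c in order:
        owner[c].disclosed.append(c)
    return True, order


def build_parties(cycle: bool = False) -> Tuple[Agent, Agent]:
    """Constructed scenario: a subject seeking a student subscription rate from a service.
    With cycle=True the subject also demands the merchant certificate before showing her
    student id, which the service only shows to identified students: a deadlock."""
    student_id_policy = {"service_accreditation", "merchant_cert"} if cycle else {"service_accreditation"}
    client = Agent("alice", {
        "student_id": frozenset(student_id_policy),     # shown only to an accredited service
        "payment_card": frozenset({"merchant_cert"}),    # shown only to a certified merchant
    })
    server = Agent("service", {
        "student_rate_offer": frozenset({"student_id", "payment_card"}),
        "service_accreditation": frozenset(),            # freely disclosable
        "merchant_cert": frozenset({"student_id"}),      # shown only to identified students
    })
    return client, server


if __name__ == "__main__":
    client, server = build_parties()
    print(negotiate(client, server, {"student_rate_offer"}))
    client, server = build_parties(cycle=True)
    print(negotiate(client, server, {"student_rate_offer"}))
```

In the successful run the request phase takes three round trips (offer, then the subject's two credentials, then the accreditation and merchant certificate) before anything is sent, and the disclosure order that results respects each policy one step at a time. The deadlocked variant exchanges exactly the same requests and then stops with both `disclosed` lists empty, which is the property the parsimonious protocol is meant to guarantee; the cost, as the text observes, is that the counter requests themselves have revealed policy content.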

A further part of this project analyzes and makes recommendations regarding the dynamic determination of trust requirements. The level and quality of trust required for the desired transaction may depend on many factors. Prior work has focused only on server-determined trust requirements that are based on access-control policies associated with static web pages.

Through subcontracts with their academic institutions, several leaders in the new area of Trust Negotiation are engaged in the project. This interaction fosters cross-fertilization and enables the participants to plan carefully the interaction of the elements of Trust Negotiation being developed at the different institutions.

Recent Accomplishments:
This project is a new start.

Current Plan:
The project comprises four efforts that are coordinated, but independent. Each is led by a senior researcher with independent authority over that component and responsibility to coordinate with the other project leaders. These four efforts are discussed further below.

Effort 1 (SPARTA ISSO): Develop linguistic support for trust negotiation protocols that require credentials to be requested explicitly. Develop an algorithm that, given a set of credentials with associated access-control policies, and given an incoming request for credentials, derives a counter request for credentials whose satisfaction (in the form of credentials presented) is a necessary and sufficient requirement to unlock credentials that satisfy the original request. This technical result is essential to enable the "parsimonious" trust negotiation protocol. The distinguishing characteristic of the parsimonious protocol is that it discloses no credentials unless the negotiation is guaranteed to succeed in establishing the level of trust required for the desired transaction. Analyze the impact of policy language on the complexity of this algorithm, which must be performed several times during trust negotiation. Assess the available policy language alternatives for use in this kind of protocol. Deliver recommendations concerning language selection and future prototyping of the parsimonious trust negotiation protocol.

Effort 2 (North Carolina State University): Determine the desirable properties of open-system credentials for trust negotiation. This task will result in requirements for any credentials and/or credential systems suitable for use in trust negotiation. Evaluate currently available credentials and credential systems against the desiderata determined above. Both commercial and research systems will be evaluated to determine how effective they will be in trust negotiation. Formulate a plan for creating the open system credentials needed to support trust negotiation. Depending on the results of the previous tasks, this plan will be for (1) deploying an existing commercial system, (2) implementing a research prototype, or (3) proposing a new credential system that meets the desiderata.

Effort 3 (Brigham Young University): Investigate the issues and identify potential mechanisms for protecting sensitive policy information during trust negotiation. Provide a preliminary assessment of the impact on current trust negotiation protocols of protecting sensitive policy information. Analyze the requirements for ubiquitous trust negotiation, focusing on negotiation strategies and dynamic determination of content-based client trust requirements for interacting with unknown servers. Outline potential solutions.

Effort 4 (University of Illinois): Develop new and extend existing trust negotiation protocols that exchange credentials and policy content incrementally, respecting their access control policies.

Technology Transition:
The ATN project is a new start and is currently funded to produce and document conceptual results through final task reports. This preliminary, six-month project will deliver analysis, requirements, algorithms, assessments, and recommendations. These will be promulgated to the research community through papers and presentations.

ATN results will have bearing on a wide variety of military and commercial coalition operations. In particular, the goals of ATN are key to the DARPA/Army Future Combat System (FCS). FCS requires rapid deployment and joint, international interoperability. Rapid deployment of new and changing coalitions requires an authorization infrastructure that can be administered efficiently, such as the one being designed by the ATN project.

Other likely military contexts for deployment of this technology include the U.S. Army Communications-Electronics Command (CECOM), where Joint Vision 2010 aims to maximize information systems integration and interoperability while increasing system/platform effectiveness. Integration of forces will require subjects, including intelligent software agents, from multiple organizations to be able to establish trust with one another rapidly, automatically, and effectively.

ATN aims to address a fundamental problem confronting dynamic coalitions throughout the military and commercial sectors: how to make authorization decisions without requiring prior local knowledge of each subject in the coalition. More generally, this problem confronts any pair of subjects attempting to establish trust with no prior contact or knowledge of one another. The number of situations where this problem will be unavoidable is enormous, and currently there is no satisfactory alternative solution.