
Research On Ontology-based Automated Trust Negotiation And Its Security

Posted on: 2013-07-18
Degree: Doctor
Type: Dissertation
Country: China
Candidate: X X Liu
GTID: 1228330395975789
Subject: Information security

Abstract/Summary:
With the development of the Internet, sharing resources and conducting business transactions across security domains in open distributed computing environments, such as peer-to-peer networks, grid computing and ubiquitous computing, has become more and more pervasive. How to establish mutual trust between collaborative principals in such an environment has become an important problem. Automated trust negotiation (ATN) is an approach to establishing mutual trust between two strangers by iterative disclosure of credentials and access control policies. ATN has become one of the most promising approaches to establishing trust and access control in distributed environments.

Although ATN has been thoroughly studied and its application has expanded to many fields, some problems in ATN research still need to be solved. First, different ATN systems use various notations, which negatively affects interoperability across heterogeneous domains. Second, access control policy is of vital importance in protecting resources from unauthorized access, and analyzing access control policy against security objectives is a critical task. Third, the semantics of ATN components are not considered by most existing ATN systems; these systems are not complete, since a negotiation may fail in some cases where it would succeed if the semantics were exploited. Finally, there is the question of how to verify that the ATN system is safe and can protect the privacy of negotiations. To solve the above-mentioned problems, an ontology-based approach to automated trust negotiation is proposed, and formal security verification of the ATN system is performed.

The main work and novelties are listed as follows:

1) The abstract model and architecture of ontology-based ATN are proposed. ATN components and their relationships are defined as a shared ontology, called the ATN ontology. The ATN ontology helps to build a common understanding of ATN components across domains and facilitates semantic interoperability among negotiators. The Description Logic (DL) SHOIN(D) is used to formalize the ATN ontology.

2) Since the ATN ontology is formalized in Description Logic, an approach to analyzing the security properties of negotiators' access control policies by DL reasoning is proposed. Security analysis assures policy makers that their security objectives are satisfied. ATN access control policies and their security properties, including safety, availability and role containment, are mapped to DL axioms. Security properties are analyzed not only for the current policies but also for policies that change in terms of the restriction rules of the policy. Closed world assumptions are added to the policy knowledge base so as to make the open world reasoning of Description Logic suitable for policy verification. Besides presenting the analysis result, explanations of the result are extracted by using non-standard inference services of Description Logic. These explanations help policy makers understand the effect of policies and construct policies that satisfy the security objectives.

3) A semantically relevant negotiation strategy (SRNS) is proposed, which discloses only credentials and access control policies that are semantically relevant to the negotiation target. By exploiting the semantics provided by the ATN ontology, SRNS is semantically complete, since it can find a successful negotiation sequence whenever the success of the negotiation is semantically possible. Since the relationships among attributes formed by delegations are defined in the ATN ontology, SRNS can support attribute delegations, which are not considered by most existing negotiation strategies. Meanwhile, SRNS can protect sensitive attributes of negotiators by enforcing the attribute acknowledge policies (ACK). The properties of negotiation strategies, including completeness, termination, relevance and efficiency, are analyzed for SRNS, and SRNS is compared with other major negotiation strategies. A negotiation system using SRNS is implemented and the performance of the implementation is evaluated.

4) Using the specification and analysis techniques for security protocols, a novel formalization of the ATN system and its attack model in the Applied Pi calculus is proposed. The automated trust negotiation process is modeled as the parallel composition of two processes corresponding to the two negotiators, while the security requirement of the ATN system is formalized by observational equivalence in the Applied Pi calculus. In contrast to other formalizations of the ATN process, our model of ATN is a static specification. The behaviors of negotiators and dynamic authorization decisions need not be modeled specifically. The process corresponding to a negotiator is just the formalization of his credentials and authorization policies. With the assistance of an automatic protocol analyzer, ProVerif, the security of the ATN system is analyzed automatically.
Keywords/Search Tags: Automated trust negotiation, Ontology, Security, Description Logic, Semantics, Applied Pi calculus