Anonymity preserving Techniques in Trust Negotiation

Anonymity preserving Techniques in Trust Negotiations
I. Ray, E. Bertino, A. Squicciarini, E. Ferrari
PET Workshop, Dubrovnik May 30th 2005
Trust Negotiations
• Trust negotiation is a promising approach to carry out secure transactions between two parties by first establishing trust through a bilateral, iterative process of requesting and disclosing digital credentials and policies.
• Each subject specifies disclosure policies stating the types of credentials and attributes the counterpart has to provide. The counterpart, in response, provides a disclosure set containing the necessary credentials and attributes.
Identity disclosures
[Figure: Alice holds several digital credentials; each carries her name (Julie) together with attributes such as 3 kids, Married, American and Date of Birth. Company A wants to know her citizenship; Company B wants to know her marital status.]
• Identity disclosure occurs if the submitter has to disclose data that uniquely identify him/her (directly or indirectly).
Referenced from http://www.credentica.com/technology/overview.pdf
Anonymity in Trust Negotiations: the issue
• A user may want to carry out negotiations that cannot be linked to him;
– non-linkability.
• If a negotiation party wants to remain anonymous, its disclosure sets should not contain identity revealing information.
• We propose anonymization techniques using which a subject can transform its disclosure set into an anonymous one.
Anonymity in TN - overall approach
• Trust negotiation requirements are expressed at different levels of abstraction: property based policies (PbP) and/or disclosure policies.
• A PbP can be translated into a number of disclosure policies, each of which requires different credentials.
• The anonymous disclosure set will not satisfy the original disclosure policy, and the TN cannot proceed.
• Even if an anonymous disclosure set does not satisfy the original disclosure policy, it may satisfy an equivalent disclosure policy, and the trust negotiation can proceed.
Overall approach
Specifying Trust Negotiation policies
• Usually TN requirements are specified by means of credentials:
– digitally signed documents containing attributes that describe properties of the subject.
– instances of credential types
• Credential types provide a syntactic structure of information but do not specify anything about the interpretation of the attributes contained in the credential types.
The issue of credential semantics
• The lack of semantics in credentials/attributes makes it impossible to automatically detect relationships between attributes belonging to different credentials.
• To solve this problem of semantic conflicts, we introduce the use of ontologies.
• Ontologies provide a formal specification of concepts and their interrelationships and play an essential role in complex web service environments.
Ontologies in Trust Negotiation
• In trust negotiations ontologies have the purpose of sharing information about credentials and their attributes, needed for establishing trust.
• Concept as tuple C = <KeyWordSet, LangSet>, where KeyWordSet is a set of keywords and LangSet a set of attributes
– Each attribute in LangSet implements concept C
– We make use of a Translation function to compare values of two semantically equivalent attribute conditions
Ontologies – example
• We assume that there are a number of finite well-defined concepts in the ontology.
• The same concept can be implemented by alternative credentials/attributes
• Example:
<{sex, gender}, {passport.gender, drivingLicence.sex}>
– {sex, gender}: the keywords
– {passport.gender, drivingLicence.sex}: the set of alternative attribute names and/or credentials
Property-based policies
• A property based policy lists the properties the counterpart has to provide and the conditions it must satisfy in order to obtain some resources
– (loan, {MaritalStatus, Country}, {country=USA})
• Disclosure policies implement property based policies by associating credential/attribute names to concepts
– (Loan, {MarriageCertificate(), id_card(country=USA)})
Disclosure sets
• A disclosure set is a set of attributes/credentials aiming at satisfying a given disclosure policy or PbP
• A disclosure set contains two kinds of attributes: requested and non-requested.
– Requested: explicitly mentioned in the policy
– Non-requested: not requested but present because it cannot be blinded
Disclosure sets - example
• Disclosure policy for resource R: Marriage_Certificate(), id(age > 25).
• To satisfy this disclosure policy, the subject can provide either the disclosure set
DSet_1 = {Marriage_Certificate, id.age, id.country}
or
DSet_2 = {Marriage_Certificate, id.age}
• The subject will provide DSet_2 if it can blind all other attributes of id. The subject may provide DSet_1 if the most blinded view containing age also reveals id.country.
Disclosure sets - example (cont'd)
• In this case id.age is a requested attribute and id.country is a non-requested one. By disclosing DSet_1 the subject provides two credentials and no attributes.
• DSet_2 implies disclosure of one credential and one attribute. Indeed, in order to satisfy the disclosure policy, disclosure of the whole id is not necessary. Attribute id.age can be released while the remaining attributes in id can be blinded.
Anonymity of Disclosure sets
• Attributes may be revealing identity related information:
– Identifier
• SSN
– Quasi identifier groups
• {lastname, address}, {Country, date of birth}
• Disclosure sets may or may not breach subject anonymity.
• Anonymity preserving disclosures: no identifier is included and at least one element in any possible quasi identifier group is missing
Anonymization techniques: substitution
[Figure: {id.age, id.country} ≡ {BirthCert.dob}, where id.country is a non-requested attribute]
• Suppose that id.country is present in the disclosure set because it cannot be blinded. Assume that id.country is a quasi-identifier and disclosing it will reveal the identity.
• To ensure anonymity we remove id.country from DSet. This is only possible if the credential containing id.age is removed from the DSet. Since id.age is a requested attribute, this will cause the trust negotiation to fail. We thus need to substitute id.age with an alternate attribute, say birthCert.dob, such that C_id.age = C_birthCert.dob (both attributes implement the same concept).
Anonymization techniques: generalization
[Figure: concept graph with nodes City, Area Code, Phone Number, Fax Number, Postal Address and Contact Information]
• The concept graph is able to capture semantic relationships among data conveyed in different credentials.
• Directed acyclic graph in which each node n corresponds to a concept and each edge (n_i, n_j) indicates that the concept n_j is a generalization of the concept represented by node n_i
Generalization
• Generalization consists of replacing an attribute/credential with a more general one, which preserves anonymity.
[Figure: concepts address → city]
• Suppose id.address is a requested attribute that causes an identity disclosure. The generalization technique will replace id.address with an alternative attribute, say id.city.
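The anonymity check on disclosure sets, the substitution of id.age by birthCert.dob and the generalization of id.address to id.city can all be driven from one small model: the ontology's LangSets, the concept graph, and the most blinded view each credential can offer. The code below is an added example, not the authors' implementation. The LangSets, the edge city → country, the identifier and quasi-identifier groups, and the rule that the id credential cannot blind country while showing age are constructed assumptions chosen to reproduce the two scenarios on the slides.

```python
# LangSet of each concept: the attributes that implement it (constructed).
LANGSET = {
    "age": ["id.age", "birthCert.dob"],          # the slides treat these as equivalent
    "country": ["id.country", "passport.country"],
    "address": ["id.address"],
    "city": ["id.city"],
    "marital": ["Marriage_Certificate"],
}
CONCEPT_OF = {attr: c for c, attrs in LANGSET.items() for attr in attrs}

# Concept graph edges (n_i, n_j): n_j generalizes n_i. address -> city is from
# the slide; city -> country is a constructed extension.
GENERALIZES_TO = {"address": "city", "city": "country"}

# Most blinded view of a credential that still shows the attribute. As in the
# slides' scenario, the id credential cannot blind country when showing age, so
# id.country becomes a non-requested attribute riding along with id.age.
MIN_VIEW = {
    "id.age": {"id.age", "id.country"},
    "id.country": {"id.country"},
    "id.address": {"id.address"},
    "id.city": {"id.city"},
    "birthCert.dob": {"birthCert.dob"},
    "passport.country": {"passport.country"},
    "Marriage_Certificate": {"Marriage_Certificate"},
}

# Identity-revealing concepts (constructed): a full address identifies the
# subject on its own; country together with age forms a quasi-identifier group.
IDENTIFIERS = {"ssn", "address"}
QUASI_GROUPS = [{"lastname", "address"}, {"country", "age"}]


def disclosure_set(requested):
    """Requested attributes plus the non-requested ones their credentials cannot blind."""
    dset = set()
    for attr in requested:
        dset |= MIN_VIEW[attr]
    return dset


def is_anonymity_preserving(dset):
    """No identifier is disclosed and every quasi-identifier group misses an element."""
    concepts = {CONCEPT_OF[a] for a in dset}
    if concepts & IDENTIFIERS:
        return False
    return all(not group <= concepts for group in QUASI_GROUPS)


def alternatives(attr):
    """Replacements for attr: substitutions first (same concept), then
    generalizations (attributes of increasingly general concepts)."""
    concept = CONCEPT_OF[attr]
    yield from (a for a in LANGSET[concept] if a != attr)
    while concept in GENERALIZES_TO:
        concept = GENERALIZES_TO[concept]
        yield from LANGSET[concept]


def anonymize(requested):
    """Return requested attributes whose disclosure set preserves anonymity,
    replacing at most one attribute, or None if no single replacement works."""
    requested = set(requested)
    if is_anonymity_preserving(disclosure_set(requested)):
        return requested
    for attr in sorted(requested):
        for alt in alternatives(attr):
            trial = (requested - {attr}) | {alt}
            if is_anonymity_preserving(disclosure_set(trial)):
                return trial
    return None


if __name__ == "__main__":
    print(anonymize({"Marriage_Certificate", "id.age"}))   # substitution: birthCert.dob
    print(anonymize({"id.address"}))                       # generalization: id.city
```

Substitution is tried before generalization because it keeps the requested concept intact, so the counterpart's equivalent disclosure policy is still satisfied; generalization changes the concept and therefore only succeeds when the counterpart accepts the more general one. A request that needs more than one replacement, such as id.age together with id.address, is reported as not anonymizable by this single-step routine rather than silently disclosed.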
Is anonymization enough?
Anonymity-preserving disclosures may not guarantee anonymity.
• In general, a student's department and nationality do not cause an anonymity breach. Consequently, a subject may not specify these as a quasi-identifier group.
• However, if a student is the French student in the Computer Science department, then releasing information about his nationality and department causes a breach of anonymity.
• To address this problem, we only need to assign to each disclosure set a degree of anonymity-safety.
• If the degree of anonymity-safety of a disclosure set is k, we will refer to it as k-anonymity-safe. For a k-anonymity-safe disclosure set, there are k other distinct subjects having an identical disclosure set.
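The degree of anonymity-safety is a count over a population, so it can be computed directly once the subject knows (or estimates) who else would present the same disclosure set. The following is an added example, not the authors' code: the six-subject population is constructed so that exactly one Computer Science student is French, mirroring the slide, and the attribute names are assumptions.

```python
from itertools import combinations

# Constructed population: subject -> attribute values. Only s1 is a French
# student in Computer Science, as in the slide's scenario.
POPULATION = {
    "s1": {"department": "Computer Science", "nationality": "French"},
    "s2": {"department": "Computer Science", "nationality": "Italian"},
    "s3": {"department": "Computer Science", "nationality": "Italian"},
    "s4": {"department": "Mathematics", "nationality": "French"},
    "s5": {"department": "Mathematics", "nationality": "French"},
    "s6": {"department": "Computer Science", "nationality": "Italian"},
}


def disclosure(subject, attributes, population=POPULATION):
    """The disclosure set of a subject restricted to the given attributes."""
    return frozenset((a, population[subject][a]) for a in attributes)


def anonymity_safety_degree(subject, attributes, population=POPULATION):
    """k = number of other distinct subjects with an identical disclosure set."""
    mine = disclosure(subject, attributes, population)
    return sum(1 for other in population
               if other != subject and disclosure(other, attributes, population) == mine)


def is_k_anonymity_safe(subject, attributes, k, population=POPULATION):
    """A disclosure set is k-anonymity-safe when its degree is at least k."""
    return anonymity_safety_degree(subject, attributes, population) >= k


def safe_attribute_subsets(subject, attributes, k, population=POPULATION):
    """Non-empty subsets of the attributes the subject could disclose while
    remaining k-anonymity-safe, smallest subsets first."""
    attrs = sorted(attributes)
    safe = []
    for n in range(1, len(attrs) + 1):
        for subset in combinations(attrs, n):
            if is_k_anonymity_safe(subject, subset, k, population):
                safe.append(frozenset(subset))
    return safe


if __name__ == "__main__":
    both = {"department", "nationality"}
    print("s1, both attributes:", anonymity_safety_degree("s1", both))      # 0
    print("s1, nationality only:", anonymity_safety_degree("s1", {"nationality"}))  # 2
    print("s1 may disclose for k=2:", safe_attribute_subsets("s1", both, 2))
```

Each attribute on its own is harmless for s1 (two other French students, three other Computer Science students), yet the pair is unique in the population, which is precisely why the per-attribute anonymity-preserving check is not enough and the degree has to be computed on the disclosure set as a whole.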
Summary
• Introduction of ontologies to express
trust negotiation policies
• Property based policies
• Anonymity techniques
– Generalization
– Substitution
• K-anonymization techniques