Diagram of a fraud: Here, Alice is a malicious agent who collected as much information as possible on Bob who disclosed his SEC certificate on step 4. Alice did not commit to the end of the interaction to disclose her credential in step 5. If Alice is a clever hacker, she could then impersonate Bob and start fraudulent activities. Image courtesy of Winslett, 2006

(Our latest opinion piece comes from a team at the University of Westminster.)

One of the key challenges posed in Virtual Organizations (VO)—which are the core components of the grid—is establishing trust relationships between a grid service provider and a consumer.

A key aspect of a VO is the ability to provide access to computers, software, data and other resources. This sharing is highly controlled, with resource providers and consumers explicitly outlining what is shared, who is allowed to share, and the conditions under which sharing takes place. However, introducing intelligent access control decisions for large-scale open systems is a very complex task, due to a potentially limitless number of users and resources that exist in an environment with few guarantees regarding pre-existing trust relationships.

In current grid systems, the authorization policies for building trust have the problems of scalability and flexibility, due to interdependent institutions and their corresponding policies. In addition, VO authorizations lack the ability to securely negotiate suitable trust and privacy requirements.

Current grid security systems require information—such as previous transactions—in
order to acquire trust. For example, service provider A will not trust a complete
stranger such as service consumer B in the case of A disclosing its certificates to
B. Service consumer B could be a malicious agent intent on getting private
information on A and then impersonating A to other service consumers to get other
consumers’ payment details. In current grid systems, provider A will only trust
consumer B if there is a history of interactions or recommendations from other
agents. Thus, when a party enters an environment for the first time without any
history of previous interactions, deciding who to trust becomes problematic. Our
proposed negotiation mechanisms could address this problem and help establish trust between
complete strangers since our approach requires no prior knowledge between
participants.

In addition, in the current grid there is the risk of malicious users attempting to collect as much
information as possible about other users without intending to reach the end of the
interaction and send their final credentials. This can happen when participants
are disclosing their credentials *during* the interaction without any guarantee of a
successful negotiation and a binding agreement. In contrast, our approach allows
participants to negotiate on what credentials they wish to disclose/exchange *once*
participants have acquired enough mutual trust between themselves.

How WSTN would work. Image courtesy of Dilal Miah

Enter Web Service Trust Negotiation

Given the limitations of current VO authorization systems when faced with malicious parties, Shamima Paroubally (primary researcher), Dilah Miah and Zahid Khan at the University of Westminster, UK proposed a bilateral negotiation framework called Web Service Trust Negotiation (WSTN) to incrementally build trust between web services.

The idea is to develop  both both simple and complex, dynamic, environmentally adaptive negotiation algorithms that negotiate a list of credentials to be exchanged between web services for secure and trustworthy service provision. 

For example, when two participants negotiate over a grid service by examining the credentials of an X.509 certificate, negotiations can vary along a number of quantitative and qualitative credentials such as certificate issuer, serial number, role, the nature of the contract and type of reporting policy. In contrast, the WSTN uses algorithms that adapt to various negotiation time deadlines, taking into account the participants’ first choices, reserved offers and counter-offers. It also takes the number of negotiation iterations into consideration, and determines how many concessions should be generated in a participant’s counter-offer, depending on the time left. Thus, WSTN can better approach real-world human negotiation by utilizing initial offers, counter offers, acceptances and rejections instead of the outright accept/reject which is currently the norm within VOs.

Trust is a complex and subjective issue, that sometimes requires a more complex mechanism
than a simple yes/no authorization system. For example, even when a consumer logs in
a provider’s site, the provider does not trust the consumer to give the latter his payment details.

Authorization indeed can be a simple yes or no decision based system. However, when
you have potentially many parties entering a VO, all whom have their own
authorization policy, thus managing this can be a big challenge. In our approach, we provide that flexibility of allowing interested parties to negotiate over the credentials of an X509 certificate as means of obtaining security and trust and thus promote a more flexible negotiation mechanism.

The system is not closed, as in identity-based systems, where the interacting participants need to have a prior relationship. Instead, it establishes trust in stages, through negotiation about which credentials need to be exchanged for building a mutual relationship between the parties. Thus, our negotiation mechanisms can help in the formation of VOs involving a number of cooperating organizations. In our case, we do not assume any prior trust or knowledge between participants, and the SLA for sharing resources can be achieved after agreeing on a list of credentials that would bring about sufficient trustworthiness for the participants.

Resource providers could accept this model because trust is iteratively built, and involves the exchange of certificates at the end. Agreement can be found, where before parties would not trust each other. It also brings in better security and prevents malicious behavior.

Related work and Further Reading:

http://www.csc.liv.ac.uk/~mjw/pubs/acm-aas-2007.pdf

http://portal.acm.org/citation.cfm?id=1329457

http://www.ncsa.uiuc.edu/~jbasney/sempgrid.pdf

—Dilal Miah, University of Westminster