Christian Damsgaard Jensen

Using trust for secure collaboration in uncertain environments

The SECURE project investigates the design of security mechanisms for pervasive computing based on trust. It addresses how entities in unfamiliar pervasive computing environments can overcome initial suspicion to provide secure collaboration.

Secure Internet Programming

ions for Mobile Computations (Luca Cardelli) 51 Type-Safe Execution of Mobile Agents in Anonymous Networks (Matthew Hennessey and James Riely) 95 Types as Specifications of Access Policies (Rocco De Nicola, GianLuigi Ferrari, and Rosario Pugliese) 117 Security Properties of Typed Applets (Xavier Leroy and Frangois Rouaix) 147

Trust propagation in small worlds

The possibility of a massive, networked infrastructure of diverse entities partaking in collaborative applications with each other increases more and more with the proliferation of mobile devices and the development of ad hoc networking technologies. In this context, traditional security measures do not scale well. We aim to develop trust-based security mechanisms using small world concepts to optimise formation and propagation of trust amongst entities in these vast networks. In this regard, we surmise that in a very large mobile ad hoc network, trust, risk, and recommendations can be propagated through relatively short paths connecting entities. Our work describes the design of trust-formation and risk-assessment systems, as well as that of an entity recognition scheme, within the context of the small world network topology.

Trading privacy for trust

Both privacy and trust relate to knowledge about an entity. However, there is an inherent conflict between trust and privacy: the more knowledge a first entity knows about a second entity, the more accurate should be the trustworthiness assessment; the more knowledge is known about this second entity, the less privacy is left to this entity. This conflict needs to be addressed because both trust and privacy are essential elements for a smart working world. The solution should allow the benefit of adjunct trust when entities interact without too much privacy loss. We propose to achieve the right trade-off between trust and privacy by ensuring minimal trade of privacy for the required trust. We demonstrate how transactions made under different pseudonyms can be linked and careful disclosure of such links fulfils this right trade-off.

Cryptographic access control in a distributed file system

Traditional access control mechanisms rely on a reference monitor to mediate access to protected resources. Reference monitors are inherently centralized and existing attempts to distribute the functionality of the reference monitor suffer from problems of scalability.Cryptographic access control is a new distributed access control paradigm designed for a global federation of information systems. It defines an implicit access control mechanism, which relies exclusively on cryptography to provide confidentiality and integrity of data managed by the system. It is particularly designed to operate in untrusted environments where the lack of global knowledge and control are defining characteristics.The proposed mechanism has been implemented in a distributed file system, which is presented in this paper along with a preliminary evaluation of the proposed mechanism.

End-to-End Trust Starts with Recognition

Pervasive computing requires some level of trust to be established between entities. In this paper we argue for an entity recognition based approach to building this trust which differs from starting from more traditional authentication methods. We also argue for the concept of a ”pluggable” recognition module which allows different recognition schemes to be used in different circumstances. Finally, we propose that the trust in the underlying infrastructure has to be taken into account when considering end-to-end trust.

Trust enhanced ubiquitous payment without too much privacy loss

Computational models of trust have been proposed for use in ubicomp environments for deciding whether to allow customers to pay with an e-purse or not. In order to build trust in a customer, a means to link transactions using the same e-purse is required. Roughly, trust is a result of knowledge. As the number of transactions increases, the resulting increase in knowledge about the user of the e-purse threatens privacy due to global profiling. We present a scheme (and its prototype) that mitigates this loss of privacy without forbidding the use of trust for smoothing payment by giving the opportunity to the user to divide trust (i.e. transactions) according to context (e.g. location, users current activity or subset of shops).

Trust-based route selection in dynamic source routing

Unlike traditional mobile wireless networks, ad hoc networks do not rely on any fixed infrastructure. Nodes rely on each other to route packets to other mobile nodes or toward stationary nodes that may act as a gateway to a fixed network. Mobile nodes are generally assumed to participate as routers in the mobile wireless network. However, blindly trusting all other nodes to respect the routing protocol exposes the local node to a wide variety of vulnerabilities. Traditional security mechanisms rely on either the authenticated identity of the requesting principal or some form of credentials that authorise the client to perform certain actions. Generally, these mechanisms require some underlying infrastructure, e.g., a public key infrastructure (PKI). However, we cannot assume such infrastructures to be in place in an ad hoc network. In this paper we propose an extension to an existing ad hoc routing protocols, which selects the route based on a local evaluation of the trustworthiness of all known intermediary nodes (routers) on the route to the destination. We have implemented this mechanism in an existing ad hoc routing protocol, and we show how trust can be built from previous experience and how trust can be used to avoid routing packets through unreliable nodes.

Privacy recovery with disposable email addresses

Disposable e-mail address (DEA) services are a privacy recovery mechanism for the growing spam problem. However, this problem is clearly more complex than simply closing DEA; as the rolling e-mail address protocols (REAP) system demonstrates, recovery approaches must accommodate different normal states.

Trust transfer: encouraging self-recommendations without sybil attack

Trading privacy for trust thanks to the linkage of pseudonyms has been proposed to mitigate the inherent conflict between trust and privacy. This necessitates fusionym, that is, the calculation of a unique trust value supposed to reflect the overall trustworthiness brought by the set of linked pseudonyms. In fact, some pieces of evidence may overlap and be overcounted, leading to an incorrect trust value. In this approach, self-recommendations are possible during the privacy/trust trade. However, this means that Sybil attacks, where thousands of virtual identities belonging to the same real-world entity recommend each other, are potentially easier to carry out, as self-recommendations are an integral part of the attack. In this paper, trust transfer is used to achieve safe fusionym and protect against Sybil attacks when pieces of evidence are limited to direct observations and recommendations based on the count of event outcomes. Trust transfer implies that recommendations move some of the trustworthiness of the recommending entity to the trustworthiness of the trustee. It is demonstrated and tailored to email anti-spam settings.