Florian Volk

Security of Sanitizable Signatures Revisited

Sanitizable signature schemes, as defined by Ateniese et al. (ESORICS 2005), allow a signer to partly delegate signing rights to another party, called the sanitizer. That is, the sanitizer is able to modify a predetermined part of the original message such that the integrity and authenticity of the unchanged part is still verifiable. Ateniese et al. identify five security requirements for such schemes (unforgeability, immutability, privacy, transparency and accountability) but do not provide formal specifications for these properties. They also present a scheme that is supposed to satisfy these requirements. Here we revisit the security requirements for sanitizable signatures and, for the first time, present a comprehensive formal treatment. Besides a full characterization of the requirements we also investigate the relationship of the properties, showing for example that unforgeability follows from accountability. We then provide a full security proof for a modification of the original scheme according to our model.

Communicating and visualising multicriterial trustworthiness under uncertainty

Visualisations are often used to communicate trust-worthiness to end users. Showing a number of stars, for example, is a well-known practice in e-commerce applications to communicate the quality of a product or service. Many products or services also have their quality - in terms of trustworthiness - described along more than one dimension, so that not only an overall trust score has to be communicated, but multiple scores, one for each dimension. Current visualisations of such a multicriterial trustworthiness are often based on the display of multiple individual star-like interfaces - a practice that offers room for improvement with regard to intuitive understanding of the displayed trust information. In this paper, we present T-Viz, a trust visualisation based on radar plots and pie charts. T-Viz concurrently shows multiple trust scores, one for each dimension, along with an aggregated trust score. Moreover, T-Viz also shows a reliability measure for every trust score graphically, in the form of a certainty score. The evaluation results from a pilot study with eleven participants indicate that T-Viz is an intuitive, comprehensible and clear interface. It succeeds at visualising and communicating multicriterial trust scores under uncertainty in one, easy to understand, graphical representation.

Efficient, verifiable, secure, and privacy-friendly computations for the smart grid

In this paper, we present a privacy-preserving protocol between an energy provider and smart meters. Many details about the life of customers can be inferred from fine-grained information on their energy consumption. Different from other state-of-the-art protocols, the presented protocol addresses this issue as well as the integrity of electricity bills. Therefore, our protocol provides secure aggregation of measured consumption per round of measurement and verifiable billing after any period. Aggregation of measured consumption ensures that energy suppliers know the consolidated consumption of their customers. Verifiable billing ensures fairness for customers and their energy supplier. We adapt a homomorphic encryption scheme based on elliptic curve cryptography to efficiently protect the data series of measurements that are collected by smart meters. Moreover, energy suppliers can detect and locate energy loss or fraud in the power grid while retaining the privacy of all consumers.

Trust Views for the Web PKI

The steadily growing number of certification authorities (CAs) assigned to the Web Public Key Infrastructure (Web PKI) and trusted by current browsers imposes severe security issues. Apart from being impossible for relying entities to assess whom they actually trust, the current binary trust model implemented with the Web PKI makes each CA a single point of failure. In this paper, we present the concept of trust views to manage variable trust levels for exactly those CAs actually required by a relying entity. This reduces the set of trusted CAs and minimizes the risk to rely on malicious certificates issued due to CA failures or compromises.

CA trust management for the Web PKI

The steadily growing number of certification authorities (CAs) assigned to the Web Public Key Infrastructure (Web PKI) and trusted by current browsers imposes severe security issues. Apart from being impossible for relying entities to assess whom they actually trust, the current binary trust model implemented with the Web PKI makes each CA a single point of failure and creates an enormous attack surface. In this article, we present CA-TMS, a user-centric CA trust management system based on trust views. CA-TMS can be used by relying entities to individually reduce the attack surface. CA-TMS works by restricting the trust placed in CAs of the Web PKI to trusting in exactly those CAs actually required by a relying entity. This restriction is based on locally collected information and does not require the alteration of the existing Web PKI. CA-TMS is complemented by an optional reputation system that allows to utilize the knowledge of other entities while maintaining the minimal set of trusted CAs. Our evaluation of CA-TMS with real world data shows that an attack surface reduction by more than 95% is achievable.

A Distributed Reputation System for Certification Authority Trust Management

In the current Web Public Key Infrastructure (Web PKI), few central instances have the power to make trust decisions. From a systems perspective, it has the side effect that every Certification Authority (CA) becomes a single point of failure (SPOF). In addition, trust is no individual matter per user, what makes trust decisions hard to revise. Hence, we propose a method to leverage Internet users and thus distribute CA trust decisions. However, the average user is unable to manually decide which incoming TLS connections are trustworthy and which are not. Therefore, we overcome this issue with a distributed reputation system that facilitates sharing trust opinions while preserving user privacy. We assess our methodology using real-world browsing histories. Our results exhibit a significant attack surface reduction with respect to the current Web PKI, and at the same time we only introduce a minimal overhead.

Computational trust methods for security quantification in the cloud ecosystem

In this chapter, we provide an in-depth insight into computational trust methods that are able to reliably quantify the security level of service providers and transparently communicate that level to the users. The methods particularly consider business as well as end user requirements along with a complex specification of security assurances during security quantification. Novel trust methods are validated using formal proofs, industry-accepted security assurance datasets, and user studies.

Integrating Indicators of Trustworthiness into Reputation-Based Trust Models

Reputation-based trust models are essentially reinforcement learning mechanisms reliant on feedback. As such, they face a cold start problem when attempting to assess an unknown service partner. State-of-the-art models address this by incorporating dispositional knowledge, the derivation of which is not described regularly. We propose three mechanisms for integrating knowledge readily available in cyber-physical services (e.g., online ordering) to determine the trust disposition of consumers towards unknown services (and their providers). These reputation-building indicators of trustworthiness can serve as cues for trust-based decision making in eCommerce scenarios and drive the evolution of reputation-based trust models towards trust management systems.

Formalizing and Modeling Fairness for Benefit Distribution in Collaborations

Fairness is not sufficiently formalized to enable the comparison of different fairness requirements. Ad-hoc collaborations in the Internet of Services are driven by trust, and fairness in such collaborations is an expectation that builds trust. We provide formal fairness definitions along with a formal fairness model, which augment collaboration establishment and support building trust. Hence, we are able to reason about fairness and its implications for negotiations.

Advancing Trust Visualisations for Wider Applicability and User Acceptance

There are only a few visualisations targeting the communication of trust statements. Even though there are some advanced and scientifically founded visualisations—like, for example, the opinion triangle, the human trust interface, and T-Viz—the stars interface known from e-commerce platforms is by far the most common one. In this paper, we propose two trust visualisations based on T-Viz, which was recently proposed and successfully evaluated in large user studies. Despite being the most promising proposal, its design is not primarily based on findings from human-computer interaction or cognitive psychology. Our visualisations aim to integrate such findings and to potentially improve decision making in terms of correctness and efficiency. A large user study reveals that our proposed visualisations outperform T-Viz in these factors.