Reputation-Based Trust Management
by V. Shmatikov and C. Talcott
Presented by Mika Silander
November 29th, 2006

Outline
- Objectives of the paper
- Concepts
- Reputation & reputation management
- A sketch of a possible architecture
- Two example cases
- Critique and open issues
- Conclusions
- References

Objectives
- To model formally what reputation is
- Demonstrate the formal model's practical applicability by defining an architectural framework
- The framework can be simulated by the Maude rewriting logic system

Creation of trust

Reputation
- Reputation vs. credential based trust
- A recorded history of an agent's previous actions
- Actions are evaluated against agreed terms of usage (licenses)
- History info is available to a server agent from
  - agent's own local history
  - other trusted agents
- Today's access rights are determined based on previous behaviour

Concepts
- Basic types
- Sets and set operations
- Actions and events
- Event histories
- Resources
- Licenses
- Reputation
- Evidence
- Reputation management
- Principal

Basic types

Enumerated types

Sets and set operations
- Sets
- Projections on sets = subsets
- Sizes of sets = number of elements in sets

Actions
- An atomic interaction between 1-N agents and a resource

Events and event histories
- A timestamped action
- Enables partial ordering of actions

Resources
- Items of interest to user agents, e.g. programs, websites, databases etc.
- Resource owner defines useok method

Access Control model
- Given license l and event history h:

License
- Defines an agent's permissions and obligations with respect to a resource
- Usage of a license considered either as good or bad
- A history of how the agent used its licenses
  - An agent's reputation
- Partial license history assumed to be available when server agents perform access control decisions

License/2

Reputation
- Auxiliary functions
  - mergeevidencesets
  - mergereputations

Evidence sets in Reputation
- Completely fulfilled licenses
  - no violations, no misuses, no future obligations
- Partially fulfilled licenses
  - no violations, no misuses, license hasn't expired, future obligations may remain
- Violated licenses
  - licenses whose obligations have not been fulfilled
- Misused licenses
  - licensee has used a resource not permitted by the license or performed an operation not permitted by the resource

Reputation management
- Management is local in nature
  - all agents (principals) have a local view on other agents' reputations

Architectural sketch

Use case 1 - Peer-to-peer file sharing
- Arbitrary number of uploads permitted
- Downloadlicense refines License
  - subclass of License class
  - Downloads permitted on the condition that a minimum amount of uploads have been performed in between (2down:1up)
- Addresses P2P free-rider problem and integrates well with anonymity techniques

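An added example, not taken from the paper or the slides: a Python model of the access-control decision (useok over an event history) for the download license of use case 1, together with the sorting of a history into the four evidence sets. The reading of 2down:1up as "at most two downloads since the last upload", the action names, and treating an owed upload as the outstanding obligation are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    time: int    # timestamp; orders the actions in a history
    agent: str
    action: str  # "upload" or "download" (assumed action names)

MAX_DOWN = 2     # assumed reading of 2down:1up: at most 2 downloads per upload

def pending_downloads(history, agent):
    """Count the agent's downloads since its most recent upload."""
    n = 0
    for e in sorted(history, key=lambda e: e.time):
        if e.agent != agent:
            continue
        if e.action == "upload":
            n = 0
        elif e.action == "download":
            n += 1
    return n

def useok(history, event):
    """Access decision for one new event, given the recorded history."""
    if event.action == "upload":
        return True                   # arbitrary number of uploads permitted
    if event.action == "download":
        return pending_downloads(history, event.agent) < MAX_DOWN
    return False                      # action not covered by the license

def classify(history, agent, expired):
    """Place the agent's use of the license into one of the four evidence sets."""
    seen = []
    for e in sorted(history, key=lambda e: e.time):
        if e.agent == agent and not useok(seen, e):
            return "misused"          # performed an action the license forbids
        seen.append(e)
    if pending_downloads(seen, agent) == MAX_DOWN:   # an upload is still owed
        return "violated" if expired else "partially fulfilled"
    return "fulfilled"

# Constructed sample history: alice alternates correctly, bob free-rides.
HISTORY = [Event(1, "alice", "download"), Event(2, "alice", "download"),
           Event(3, "alice", "upload"), Event(4, "alice", "download"),
           Event(5, "bob", "download"), Event(6, "bob", "download"),
           Event(7, "bob", "download")]
```

A server agent would call `useok` before granting a request and `classify` when it records evidence about a peer; both read only the local event history, matching the local view of reputation in the slides.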
Use case 2 - Online role-playing game
- Game characters belong to clans or are independent agents
- Game characters compete in a virtual world described by a map
- Clans and agents:
  - clans compete with each other and agents
  - collect valuable items
  - put traps for adversaries
  - try to avoid and dismantle traps themselves
  - trade and interchange map info

Use case 2 - Online role-playing game/2
- Untrusted allies try to build trust for mutual benefit
- Demo version models one clan and one free agent
  - clan = clan leader + scouts
  - clan leader owns the clan's map
  - scouts dismantle traps and report to clan leader - map is updated
  - free agent and clan trade map info
- Maude implementation presented allows discovering what kind of states the overall system may reach: e.g. what types of misuses are possible given an initial global state?

Critique
- This research paper cannot be read in isolation
  - Rewriting logic
  - Maude system
- The framework presented does not explicitly model time, although licences may have due and unfulfilled obligations

Critique/2
- Authentication of interacting agents is required prior to reputation based access control(!)
  - reputation management is not self-sufficient?
  - the required authentication step replaced by a reputation-based solution?
  - would a HIP-like self-generated identifying public key be enough for authentication?
- Mutual agreement of licenses will require some sort of digital signatures to ensure nonrepudiation
  - hard to live without a PKI solution

Critique/3
- Suggestion of applicability to financial transactions
  - all parties in the model - licensee, license issuers, resource providers - may be dishonest to any extent
  - would financial institutions accept vouched for reputation as a sufficient guarantee of proper use of their services?

Critique on architecture
- Framework presented with an object-orientedish formalism:
  - in general not straightforward to map into a pure object-oriented implementation
  - E.g. License has both attributes as well as behaviour
- Real-life implementation implications:
  - trust propagation
  - messaging explosion

exportglobalrep problem

Open issues
- Two real-life scenarios enough to provide understanding of the system's virtues and limits?
  - are licenses flexible enough to define arbitrary access control policies?
- Could the framework be made to weed out or reduce disinformation?
  - Redundant event histories, reputations and evidence sets
  - Byzantine Generals problem

Questions?
Mika Silander 2006

References
1. Reputation-Based Trust Management, V. Shmatikov and C. Talcott, Computer Science Laboratory, SRI International, USA
2. The MAUDE System, slide presentation by M. Clavel, F. Durán, S. Eker, P. Lincoln, N. Martín-Oliet, J. Meseguer and C. Talcott
3. Maude website, http://maude.cs.uiuc.edu