learning who her doctor is. Bob only learns that Alice has some combination
of properties that satisfy his policy.
Often, possession or non-possession of a sensitive credential is itself sensitive
information. For example, suppose that Alice is a CIA employee, and Bob is
looking for people who might be such agents. Bob might query people for their
CIA credentials. Even if Alice has a policy to protect the credential, her
counter-request for Bob's credentials on receipt of such a query can indicate
that she has the credential. In other words, a request for a sensitive credential
may cause the recipient to issue counter-requests for the credentials needed to
satisfy the disclosure policy of that credential, and this in turn may indicate
that the recipient possesses it. Non-possession may also be sensitive: terminating
a negotiation upon request for a credential can indicate that the recipient does
not hold it.
If the value of an attribute in a credential is sensitive, then one principal
can infer whether the other negotiating principal holds the attribute, and what
its value is, from the other's replies alone. For example, suppose that Alice
has a sensitive date of birth field in her driver's license. Now, if Bob's policy
has a constraint on age, and upon receipt of Bob's policy Alice responds by asking
Bob for further credentials, then Bob can assume that Alice satisfies the
constraint; if instead she terminates, he can assume that she does not. By
choosing successive age constraints as in a binary search, Bob can determine
Alice's age with a number of queries logarithmic in the range of possible ages,
without Alice ever revealing it to him.
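The binary-search inference just described, together with the uniform-reply defence discussed at the end of this section, as an added simulation that is not from the chapter or from any of the cited systems. The Policy, Alice and bob_probe names, the simplified reply model (on receiving a policy a negotiator either counter-requests credentials or terminates), the age range 0 to 127 and the sample age of 34 are assumptions made for the illustration:

```python
from dataclasses import dataclass

# Reply types a negotiator can send after receiving the other side's policy.
# (Assumed two-valued model for the example; real protocols have more states.)
COUNTER_REQUEST = "counter-request"   # "show me your credentials first"
TERMINATE = "terminate"               # negotiation abandoned


@dataclass(frozen=True)
class Policy:
    """Bob's policy: the named attribute of a credential must lie in [lo, hi]."""
    cred: str
    attr: str
    lo: int
    hi: int


class Alice:
    """Holds credentials. `leaky=True` is the naive behaviour (continue only if
    the constraint can be met); `leaky=False` is the uniform reply in which
    Alice always asks for Bob's credentials before revealing anything."""

    def __init__(self, creds, leaky):
        self.creds = creds      # {credential name: {attribute: value}}
        self.leaky = leaky

    def satisfies(self, p):
        attrs = self.creds.get(p.cred)
        return attrs is not None and p.attr in attrs and p.lo <= attrs[p.attr] <= p.hi

    def respond(self, p):
        if self.leaky:
            # Reply type depends on possession and value: this is the oracle.
            return COUNTER_REQUEST if self.satisfies(p) else TERMINATE
        # Hardened: the reply is independent of possession and value.
        return COUNTER_REQUEST


def bob_probe(alice, cred="drivers_license", attr="age", lo=0, hi=127):
    """Bob never sees the credential; he observes only reply types.
    Returns (inference, number of policies sent)."""
    asks = 0

    def oracle(a, b):
        nonlocal asks
        asks += 1
        return alice.respond(Policy(cred, attr, a, b)) == COUNTER_REQUEST

    # Calibrate with a range every holder satisfies and one nobody can satisfy.
    whole = oracle(lo, hi)
    impossible = oracle(hi + 1, hi + 1)
    if whole and impossible:
        return "unknown", asks          # uniform reply: nothing is learned
    if not whole:
        return "no credential", asks    # terminates even on the widest range

    # Binary search driven purely by the reply type.
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(lo, mid):
            hi = mid
        else:
            lo = mid + 1
    return lo, asks


if __name__ == "__main__":
    # Constructed sample: Alice's (sensitive) licence says she is 34.
    leaky = Alice({"drivers_license": {"age": 34}}, leaky=True)
    hardened = Alice({"drivers_license": {"age": 34}}, leaky=False)
    print(bob_probe(leaky))      # (34, 9): two calibration probes plus seven searches
    print(bob_probe(hardened))   # ('unknown', 2)
    print(bob_probe(Alice({}, leaky=True)))   # ('no credential', 2)
```

Bob never receives the licence: nine policies, each answered only with a reply type, pin the age down to a single year, and a terminated negotiation on the widest possible constraint exposes non-possession of the credential, the leak described in the previous paragraph. When Alice's reply does not depend on her attributes, the two calibration probes come back identical and the search cannot start. The same kind of reply-type oracle, directed at credentials unrelated to Bob's actual request, is what the need-to-know attack described below exploits on a larger scale.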
Under many proposed approaches to trust negotiation [14, 62, 68], an
attacker can even use a need-to-know attack to systematically harvest infor-
mation about an arbitrary set of credentials that are not even relevant to
the client's original request [52]. To do this, the attacker rewrites her policies
in such a way that they are logically equivalent to the original policies, but
when used during negotiation, they force the victim into a series of disclo-
sures related to the credentials being harvested. Once the harvest is over, the
negotiation completes as it would have with the original policies.
The most complete solution to these problems is to adopt a negotiation ap-
proach that does not involve direct disclosure of credentials [16, 17, 30, 15, 24,
39]. While these approaches vary in the degree of privacy that they provide,
all of them can avoid the leaks cataloged in this section. The price of this
improved protection, of course, is significantly longer execution times; thus
one may wish to reserve these expensive strategies for policies that are par-
ticularly sensitive, and use direct disclosure elsewhere [41]. In general, these
TN approaches replace direct disclosure with sophisticated cryptography, usu-
ally coupled with special-purpose formats for credentials. These approaches
are very interesting in their own right; due to space limitations, we refer the
reader to the publications listed above for more information.
In some instances, less expensive forms of protection can be effective
against leakage. One approach is that when Bob queries Alice about a sen-
sitive attribute, she does not respond, whether she has that attribute or not
[57]. Only after Bob satisfies the conditions to allow disclosure does Alice