BY

Saira Kausar

MS-IT(10)

Optimum WEB OF TRUST for PGP based on Social Networks

Supervised By: Dr. Zahid Anwar

Co-Supervised By: Mr Owais A. Malik

Committee Members: Dr. Awais Shibli, Mr Qasim Rajpoot


Roadmap

Introduction

Proposed Solution

Timeline

Problems Identified

Literature Review

Problem Statement

Introduction

Background

Symmetric Key Cryptography

Only one key

Shared between sender & receiver

Key distribution is a problem

Not scalable

Asymmetric Key Cryptography

Two keys

Solution to the key distribution problem

Key validation

Spoofing of keys

PKI (Public Key Infrastructure)

Solution to the key validation problem

Needs trusted CAs

Centralized approach

Only CAs can issue certificates

Need to verify a chain of certificates

Still depends on a single trusted root CA

CAs become a bottleneck

Web of Trust (WOT)

No need for trusted CAs

Decentralized approach

Everyone can issue certificates

Implemented in PGP, GnuPG and OpenPGP


What is PGP?

Pretty Good Privacy

1991 – Zimmermann wrote PGP

Send E-mail securely to a known recipient

Digitally sign E-mail so that the recipient(s) can be sure it is from you

Can also be used with file transfers

How Does it Work?

PGP “Web of Trust”

Anyone can upload keys to “Key Servers” -- even fake keys.

The authenticity of a public key can be checked as follows: if you can verify that a key belongs to its owner, you can sign that key, indicating that you have verified ownership.

Problem Statement

Develop a generic model for PGP that overcomes the deficiencies of the current PGP trust model.

Basic Idea…

Literature Review

1. http://www.ibm.com/developerworks/xml/library/x-foaf.html

2. http://www.foaf-project.org/

3. http://arnetminer.org/viewperson.do?naid=95158&keyword=Zahid%20Anwar

FOAF


The Friend of a Friend (FOAF)

The FOAF project defines a mechanism for describing people, and who they know.

Creating a Web of machine-readable pages describing people, the links between them and the things they create.

Simply an RDF vocabulary.

Every user can create one or more FOAF files on his own Web server and share the URLs.
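To make the FOAF description concrete, here is an added example (not part of the original slides or the FOAF project) that parses a small FOAF file and extracts the "who knows whom" links it asserts. The namespace URIs are the real RDF and FOAF ones; the document itself, the person URIs and the names are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Namespace URIs from the RDF and FOAF specifications
RDF = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
FOAF = "http://xmlns.com/foaf/0.1/"

# Constructed sample: Alice publishes this file on her own web server.
# FOAF allows a friend to be given inline (nested foaf:Person) or by reference (rdf:resource).
SAMPLE_FOAF = f"""<?xml version="1.0"?>
<rdf:RDF xmlns:rdf="{RDF}" xmlns:foaf="{FOAF}">
  <foaf:Person rdf:about="http://alice.example/foaf.rdf#me">
    <foaf:name>Alice Example</foaf:name>
    <foaf:knows>
      <foaf:Person rdf:about="http://bob.example/foaf.rdf#me">
        <foaf:name>Bob Example</foaf:name>
      </foaf:Person>
    </foaf:knows>
    <foaf:knows rdf:resource="http://carol.example/foaf.rdf#me"/>
  </foaf:Person>
</rdf:RDF>
"""


def parse_foaf(xml_text):
    """Return {person_uri: {"name": str or None, "knows": [uri, ...]}} for every
    foaf:Person in the document that carries an rdf:about URI."""
    root = ET.fromstring(xml_text)
    people = {}
    for person in root.iter(f"{{{FOAF}}}Person"):
        uri = person.get(f"{{{RDF}}}about")
        if uri is None:
            continue  # blank node: no stable identifier to key the graph on
        entry = people.setdefault(uri, {"name": None, "knows": []})
        name_el = person.find(f"{{{FOAF}}}name")
        if name_el is not None and name_el.text:
            entry["name"] = name_el.text.strip()
        for knows in person.findall(f"{{{FOAF}}}knows"):
            # Either a reference to another file, or a nested Person description
            target = knows.get(f"{{{RDF}}}resource")
            if target is None:
                nested = knows.find(f"{{{FOAF}}}Person")
                target = nested.get(f"{{{RDF}}}about") if nested is not None else None
            if target:
                entry["knows"].append(target)
    return people


def friend_edges(people):
    """Directed (publisher, claimed friend) pairs. Each edge is only the publisher's own
    assertion: FOAF carries no trust level and the other party need not agree."""
    return sorted((src, dst) for src, info in people.items() for dst in info["knows"])


if __name__ == "__main__":
    graph = parse_foaf(SAMPLE_FOAF)
    for src, dst in friend_edges(graph):
        print(f"{graph[src]['name']} ({src}) knows {dst}")
```

The edges are directional and self-asserted, which is exactly the "no trust level shown" limitation noted in the conclusion that follows: a foaf:knows link says that Alice claims to know Bob, nothing about how far she trusts him.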


Conclusion

Pros:

FOAF is a good base for social networks

Easy & simple

Shows connected friends

Cons:

Friends list must be created manually and uploaded to the web

No trust level shown

1. Jennifer Golbeck, James Hendler, "Accuracy of Metrics for Inferring Trust and Reputation in Semantic Web-based Networks", EKAW 2004 (Engineering Knowledge in the Age of the Semantic Web), LNAI 3257, pp. 116-131.

2. Jennifer Golbeck, James Hendler, "FilmTrust: Movie recommendations using trust in web-based social networks", Proceedings of the IEEE Consumer Communications and Networking Conference, January 2006.

Jennifer Golbeck's work on trust and reputation

Inferring Trust and Reputation in Semantic Web-based Networks

Proposed a method to infer trust based on a user's reputation in a semantic web-based social network.

Quantitative method to infer the trust that a user has in the next user.

Implemented in a web email system to infer the trust of emails received from a specified user.

Trust/reputation range used: {1, -1}

Recommendation System

Jennifer Golbeck proposed another method to infer trust for recommendation systems.

All trust levels are combined from source to target, and this method is applied to a film recommendation system.

Conclusion

Pros:

Provides a good base for trust calculation

Provides reputation inference algorithms

Applied her work to email and film trust

Cons:

Reputation for each individual node is ignored.

Used only 0 and 1 as reputation values, rounding a number between them.

Explicit trust rating

https://pgp.webtru.st/

PGP's Key Servers

Search results from key server

Maintains a collection of public PGP keys.

Provides decentralized and highly reliable key synchronization.

Keys submitted to one server are quickly distributed to all key servers.

This key server is OpenPGP compliant.

A. Abdul-Rahman, "The PGP trust model", EDI-Forum: the Journal of Electronic Commerce, 10(3):27-31, 1997.

The PGP Trust Model

Levels of trust in OpenPGP

Key Validation in PGP

Accept a given public key in the key ring as completely valid if any of the following holds:

The public key belongs to the owner of the key ring;

The key ring contains at least C certificates from completely trusted introducers with valid public keys;

The key ring contains at least M certificates from marginally trusted introducers with valid public keys.
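The validation rule above, together with the key-signing idea from the "Web of Trust" slide, is implemented below as an added example (not code from the slides, from PGP or from GnuPG). The subtle part is the phrase "with valid public keys": an introducer's certificate only counts once the introducer's own key has been validated, so validity has to be propagated to a fixpoint. The key ring, key ids and trust assignments are constructed for the example; treating the ring owner's own certificates as completely trusted is an assumption made here.

```python
from dataclasses import dataclass, field

# Owner trust: how far the key-ring owner trusts a key holder as an introducer.
UNKNOWN, MARGINAL, COMPLETE = "unknown", "marginal", "complete"


@dataclass
class Key:
    key_id: str
    owner_trust: str = UNKNOWN
    certified_by: set = field(default_factory=set)  # ids of keys that signed this key


def compute_valid_keys(keyring, own_key_id, completes_needed=1, marginals_needed=2):
    """Return the set of key ids accepted as completely valid.

    A key is valid if it is the ring owner's key, or it carries at least C
    certificates from completely trusted introducers whose keys are valid, or at
    least M certificates from marginally trusted introducers whose keys are valid.
    C and M default to the classic PGP values (1 and 2); GnuPG exposes them as
    --completes-needed and --marginals-needed.
    """
    valid = {own_key_id}
    changed = True
    while changed:  # iterate until no further key becomes valid
        changed = False
        for key in keyring.values():
            if key.key_id in valid:
                continue
            # only certificates from introducers whose own key is already valid count
            trusted = [keyring[s].owner_trust for s in key.certified_by
                       if s in keyring and s in valid]
            completes = trusted.count(COMPLETE)
            marginals = trusted.count(MARGINAL)
            if completes >= completes_needed or marginals >= marginals_needed:
                valid.add(key.key_id)
                changed = True
    return valid


def build_sample_keyring():
    """Constructed key ring belonging to 'alice' (assumption: the owner's own
    certificates are treated as coming from a completely trusted introducer)."""
    keys = [
        Key("alice", COMPLETE),                    # ring owner
        Key("bob", COMPLETE, {"alice"}),           # signed by alice, trusted completely
        Key("carol", MARGINAL, {"alice"}),         # signed by alice, trusted marginally
        Key("dave", MARGINAL, {"bob"}),            # valid only once bob is valid
        Key("eve", UNKNOWN, {"alice"}),            # valid key, but not trusted to introduce
        Key("frank", UNKNOWN, {"carol", "dave"}),  # two marginal introducers: valid at M = 2
        Key("grace", UNKNOWN, {"eve"}),            # eve is valid but untrusted: not valid
        Key("heidi", UNKNOWN, {"carol"}),          # one marginal introducer: not valid
    ]
    return {k.key_id: k for k in keys}


if __name__ == "__main__":
    ring = build_sample_keyring()
    valid = compute_valid_keys(ring, "alice")
    for key_id in ring:
        print(f"{key_id:6} {'valid' if key_id in valid else 'not valid'}")
```

Raising M to 3 (GnuPG's default for marginals) is enough to drop frank from the valid set, which illustrates the "counter-intuitive scenarios" and hidden dependencies that the later slides criticise: a key's validity can flip because of a policy knob rather than any new evidence about the key.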

GnuPG's Trust Assignment

In PGP, trust can be assigned to particular users manually.

1. Jacek Jonczy, Markus Wüthrich, Rolf Haenni, "A probabilistic trust model for GnuPG", 23C3, 23rd Chaos Communication Congress, 2006.

2. Rolf Haenni and Jacek Jonczy, "A New Approach to PGP's Web of Trust", ENISA/EEMA 07, Paris, France, June 12.

A probabilistic trust model for GnuPG

How Trustworthy is the PGP Trust Model?

Probabilistic Key Validation

Depending on A's own validation policy, e.g. by specifying a validity threshold in [0, 1], the key may or may not be accepted as valid.

For instance, if A has a strict acceptance policy, she sets a correspondingly high threshold, say 0.9.

In this case, A would not accept K's public key as valid, since 0.581 is below the threshold.

On the other hand, A would not reject the key either, but rather collect more evidence in the form of further certificates.

Conclusion

Pros:

Several weaknesses of PGP's trust model are eliminated.

Gradual levels of validity are introduced.

Avoids counter-intuitive scenarios.

Eliminates limited levels of trust and validity.

Cons:

Trust levels are not defined.

Trust can be assigned in an arbitrary way.

Explicit trust.

Implemented in GnuPG release 1.4.5.

The problem of hidden dependencies remains.

Proposed Architecture

Social Network (e.g. Facebook, Orkut, LinkedIn)

Get friend lists

Privacy setting for each friend

My Application

Make graph for immediate friends

Calculate trust values using fuzzy rules

Share graph with friends

Merge graphs

Show trust level for each friend

Trust levels: Very High, High, Medium, Low, Very Low

Embed these trust levels in OpenPGP

Get Friend List

I have used Facebook APIs to get the friend list.

Friends: https://graph.facebook.com/me/friends?access_token=...

I have used these privacy settings:

•Profile Picture

•Photo album

•Likes and interest

Photo Albums: https://graph.facebook.com/me/albums?access_token=...

Profile feed (Wall): https://graph.facebook.com/me/feed?access_token=...

Getting Privacy Settings

Although Facebook has many privacy settings of interest to us, they are not easily accessible through the Graph APIs.

Calculating Trust Value

Use the privacy parameters and calculate the trust value for each connected node as follows (√ = shared with the friend, X = hidden):

Privacy parameter    Trust weight
Profile Photo        0.2
Photo album          0.5
Likes & Interest     0.3
Total                1

Profile Photo | Photo album | Likes & Interest | Trust Value | Output
√             | √           | √                | 1           | Very High
√             | √           | X                | 0.7         | High
√             | X           | √                | 0.5         | Medium
√             | X           | X                | 0.2         | Low
X             | X           | X                | 0           | Very Low
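The weighted table above, as an added example in code (not the thesis's own implementation, and not the fuzzy-rule variant the architecture slide mentions): each friend's trust value is the sum of the weights of the privacy parameters they are allowed to see, and the value is mapped to one of the five levels. The slide gives the level for five of the eight possible combinations; the cut-off thresholds used here to cover the remaining three combinations are an assumption made for this example.

```python
from itertools import product

# Weights the slide assigns to the three privacy parameters (they sum to 1)
WEIGHTS = {"profile_photo": 0.2, "photo_album": 0.5, "likes_interests": 0.3}

# Level names from the slide's five rows. The cut-offs between rows are an
# assumption added here so that every value in 0..1 maps to some level.
LEVELS = [(1.0, "Very High"), (0.7, "High"), (0.5, "Medium"), (0.2, "Low"), (0.0, "Very Low")]


def trust_value(shared):
    """shared: {parameter: True/False}, True when the friend may see that item.
    Returns the weighted sum, rounded to avoid binary floating-point noise."""
    unknown = set(shared) - set(WEIGHTS)
    if unknown:
        raise ValueError(f"unknown privacy parameter(s): {sorted(unknown)}")
    return round(sum(w for p, w in WEIGHTS.items() if shared.get(p, False)), 2)


def trust_level(value):
    """Map a trust value to the slide's five linguistic levels (assumed cut-offs)."""
    for cutoff, label in LEVELS:
        if value >= cutoff:
            return label
    return "Very Low"


def trust_table():
    """Every sharing combination as (flags, value, level); the first and last rows
    and the √√X, √X√, √XX rows reproduce the slide's table."""
    rows = []
    for flags in product([True, False], repeat=len(WEIGHTS)):
        shared = dict(zip(WEIGHTS, flags))
        value = trust_value(shared)
        rows.append((flags, value, trust_level(value)))
    return rows


if __name__ == "__main__":
    for flags, value, level in trust_table():
        marks = " ".join("√" if f else "X" for f in flags)
        print(f"{marks}  {value:<4} {level}")
```

Because the weights come from what a friend is allowed to see rather than from anything the friend asserts, the score is derived from the owner's own privacy decisions, which is the property the proposal relies on when it embeds the level in OpenPGP.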

Proposed Approaches

We may apply both techniques, compare the results, and adopt the better one.

Trust calculation: First step

Trust calculation: Second step

Potential Applications

Open PGP

Timeline

Sept - Dec: Problem Definition & Literature Review, Proposed Solution, Processing of TH-1, TH1-Internal, TH-2, TH-2A and proposal defense (done)

Jan: Proposal Defense, User study and get data from different users (done)

Feb: Apply algorithm on real scenario and get results

March: Graph Exchange Algorithms

April: Implementation on Fuzzy Toolbox and compare results

May: Paper Write-up & Mid Defense

June: Final Defense

July:

Aug: Thesis Write-up

Further milestones: Processing of TH-3 & In-House; TH-3 (Final Oral Exam); TH-4 (Thesis Acceptance)

Thank you. Questions???

Saira Kauser [email protected]