
Supporting User Privacy Preferences on Information Release in Open Scenarios

Claudio A. Ardagna (1), Sabrina De Capitani di Vimercati (1), Sara Foresti (1), Stefano Paraboschi (2), Pierangela Samarati (1)

(1) DTI - Università degli Studi di Milano

(2) DIIMM - Università degli Studi di Bergamo

W3C Workshop on Privacy and Data Usage Control, October 5, 2010 – Cambridge, MA, USA

© Pierangela Samarati 1/20

Starting scenario (1)

• Open scenarios where clients interact with remote parties and access remote resources

• Depart from the assumption that clients are authenticated before evaluating access requests

• The policy at the server refers to credentials/properties that the client must have (in contrast to the client’s identity)

=⇒ Attribute-based/credential-based access control

Starting scenario (2)

• Attribute-based access control requires re-thinking how the access control process works

• Most proposals focus on the server-side aspect of the problem

◦ regulate how the server specifies policies

◦ provide partial evaluation of the policy

◦ define how to communicate policies to the client

◦ assume that a symmetric approach is adopted at the client

Motivation

Access-control-based specifications do not fit the client-side problem well

+ they allow users to specify whether some information can or cannot be released

− they do not allow users to express that they might prefer to release some information over other information when given a choice

=⇒ Need to provide users with means to effectively regulate the release of their information

Goal of our work

Enable users to effectively regulate disclosure of their properties and credentials

• identify requirements and concepts that need to be captured

• organize the user’s properties and credentials in the user portfolio

• enable users to specify how much they value the disclosure of different components of the portfolio

• provide possible technical approaches for supporting users’ preferences

• provide a basis for investigating user-friendly/user-understandable approaches for regulating release of users’ properties

Client portfolio modeling

• The information of the client forms a client portfolio

• Credential: certificate issued and signed by a third party

◦ certifies a set of properties

◦ has a type, an identifier, and an issuer

• Declaration: property stored as a self-signed credential

• Hierarchy of abstractions of credential types H(T, ≼isa) (e.g., id_card ≼isa id, id ≼isa credential)

Client portfolio – Properties

• Credential-independent: the value depends only on the credential’s owner (e.g., birth date)

• Credential-dependent: the value depends on the certifying credential (e.g., credit card number)

[Figure: example client portfolio]

Client portfolio – Credentials

• Atomic: released as a whole (e.g., X.509)

• Non-atomic: properties can be selectively released, proof-of-possession can be certified (e.g., Idemix, U-Prove)

[Figure: example client portfolio with atomic and non-atomic credentials]

Disclosure

A disclosure is a subset of the client portfolio that satisfies:

• certifiability: each property is certified by a credential

• atomicity: if a property of an atomic credential is disclosed, all its properties are disclosed

[Figure: example disclosure over the client portfolio]

Does not satisfy atomicity!

Privacy preferences – Requirements

• Clients may prefer to disclose some properties/credentials over others =⇒ different portfolio elements have different sensitivity

• Privacy preference specifications are needed to:

◦ automatically regulate the disclosure of sensitive information

◦ minimize the disclosure of sensitive information

• A solution to express privacy preferences must support:

◦ fine-grained control on sensitive information

◦ specifications on the sensitivity of associations

◦ constraints on the disclosure of information

Portfolio sensitivity

• Privacy preferences expressed as sensitivity labels

• Sensitivity labels reflect how much a client values the disclosure of credentials/properties in the portfolio

• Sensitivity labels are characterized by:

◦ partial order relationship ⪰

◦ composition operator ⊕ for computing the sensitivity of a set of elements, which can be based on

− additivity: the sensitivity of a combined disclosure is the sum of the sensitivities of the disclosed elements

− maximum: the sensitivity of a combined disclosure is the upper bound of the sensitivities of the disclosed elements

Sensitivity labels – Examples

• Sensitivity labels as integer values

◦ ⪰ is the ≥ total order relationship

◦ ⊕ is the sum + of values (additivity)

(e.g., λ(Name)=1, λ(DoB)=5, λ(Name)⊕λ(DoB)=6)

• Sensitivity labels as multilevel security classifications

◦ ⪰ is the total order relationship on security classes

◦ ⊕ is the least upper bound (maximum)

(e.g., λ(Name)=unclassified, λ(DoB)=secret, λ(Name)⊕λ(DoB)=secret)

For this talk we assume sensitivity labels as integer values

Sensitivity of properties and credentials

Specify how a client values information in her portfolio

• λ(p): sensitivity of property p individually taken

• λ(c): sensitivity of the existence of credential c

[Figure: client portfolio annotated with sensitivity labels]

Sensitivity of associations

λ(A): sensitivity of an association A={pi, …, pj, ck, …, cn}, whose joint release carries:

• more information than the release of each element in A =⇒ sensitive view

• less information than the release of each element in A =⇒ dependency

[Figure: client portfolio annotated with sensitivity labels and associations]

Disclosure constraints

Set A={pi, …, pj, ck, …, cn} of elements whose release must be controlled

• forbidden view: the release of A is prohibited

• disclosure limitation: at most n elements in A can be released

[Figure: client portfolio annotated with sensitivity labels, associations and disclosure constraints]

A disclosure is valid if no disclosure constraint is violated

Disclosure sensitivity

The sensitivity λ(D) of a disclosure D is the sum of the sensitivity labels of released:

• properties

• credentials

• associations

[Figure: example disclosure over the annotated client portfolio]

λ(D) = 1+5+5+10+1+3+5 = 30

Server request

Request 𝓡: disjunction of simple requests

• Simple request R: conjunction of terms

◦ term r = type.{p1, …, pm}: disclosure of {p1, …, pm} from a credential c s.t. type(c) ≼isa type =⇒ type is an abstraction of credential type type(c) in H

Example: R = r1 ∧ r2, with r1 = id.{Name,Address} and r2 = cc.{Name,CCNum}

Min-disclosure problem

A disclosure D:

• satisfies 𝓡 if it satisfies at least a simple request R in 𝓡

• satisfies R if, ∀ r = type.{p1, …, pm} in R, it includes c s.t.:

◦ c certifies {p1, …, pm}

◦ type(c) ≼isa type

• is minimum if ∄ a valid disclosure D′ s.t. D′ satisfies 𝓡 and λ(D′) < λ(D)

Example: 𝓡 = id.{Name,Address} ∧ cc.{Name,CCNum}

[Figure: two candidate disclosures D and D′ over the annotated client portfolio]

λ(D) = 1+8+1+5+5+15 = 35 =⇒ D is not minimum

λ(D′) = 30 =⇒ D′ is minimum

Computing a minimal disclosure

The problem of computing a disclosure that minimizes release of information is NP-hard

• exploit graph-based representation of portfolio and requests, providing heuristics based on graph-matching [PASSAT’10]

• exploit Max-SAT representation of the problem and existing SAT solvers [WPES’10]
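The portfolio model, disclosure validity (certifiability, atomicity, constraints), λ(D), request terms over the type hierarchy and the min-disclosure search from the preceding slides, as an added example that is not the authors' code. The hierarchy, credentials, labels, associations, the forbidden view and the sign convention for dependencies are constructed assumptions; the exhaustive subset search stands in for the graph-matching and Max-SAT approaches the slides cite.

```python
"""Toy client portfolio and min-disclosure search (added example; all data is constructed)."""
from itertools import combinations

# Credential-type hierarchy H(T, isa) as child -> parent; isa() walks it upward (constructed).
ISA = {"id_card": "id", "passport": "id", "id": "credential", "cc": "credential"}

def isa(t, ancestor):
    while t is not None:
        if t == ancestor:
            return True
        t = ISA.get(t)
    return False

# Portfolio: credential -> type, atomicity, λ(c), and λ(p) per property (constructed values).
PORTFOLIO = {
    "c1": {"type": "id_card", "atomic": True, "lam": 2, "props": {"Name": 1, "Address": 5, "DoB": 5}},
    "c2": {"type": "passport", "atomic": False, "lam": 3, "props": {"Name": 1, "Address": 5, "DoB": 5, "Nationality": 2}},
    "c3": {"type": "cc", "atomic": True, "lam": 4, "props": {"Name": 1, "CCNum": 10}},
}
# Associations (A, λ(A)): positive = sensitive view, negative = dependency (the sign is a modelling choice here).
ASSOCIATIONS = [
    (frozenset({("c1", "Address"), ("c3", "CCNum")}), 5),  # address + card number jointly
    (frozenset({("c1", "Name"), ("c3", "Name")}), -1),     # the same Name released twice
    (frozenset({("c2", "Name"), ("c3", "Name")}), -1),
]
# Disclosure constraint (A, n): at most n elements of A released; a forbidden view has n = |A| - 1.
FORBID_ADDR_CC = (frozenset({("c2", "Address"), ("c3", "CCNum")}), 1)

def valid(D, constraints):
    """D is a set of (credential, property) pairs: certifiability, atomicity, constraints."""
    if any(p not in PORTFOLIO.get(c, {"props": {}})["props"] for c, p in D):
        return False  # certifiability: every property comes from a portfolio credential
    for c, cred in PORTFOLIO.items():
        rel = {p for cc, p in D if cc == c}
        if cred["atomic"] and rel and rel != set(cred["props"]):
            return False  # atomicity: an atomic credential is released whole or not at all
    return all(len(D & A) <= n for A, n in constraints)

def sensitivity(D):
    """λ(D): released properties + existence of each credential used + associations in D."""
    s = sum(PORTFOLIO[c]["props"][p] for c, p in D)
    s += sum(PORTFOLIO[c]["lam"] for c in {c for c, _ in D})
    return s + sum(lam for A, lam in ASSOCIATIONS if A <= D)

def satisfies(D, request):
    """request is a DNF: a list of simple requests, each a list of terms (type, props)."""
    def term_ok(t, props):  # some credential of a type ≼isa t certifies all props within D
        return any(isa(cred["type"], t) and all((c, p) in D for p in props)
                   for c, cred in PORTFOLIO.items())
    return any(all(term_ok(t, ps) for t, ps in simple) for simple in request)

def min_disclosure(request, constraints=()):
    """Exhaustive search over all subsets: fine for a toy portfolio, hopeless in general (NP-hard)."""
    elems = [(c, p) for c, cred in PORTFOLIO.items() for p in cred["props"]]
    candidates = (frozenset(combo) for k in range(len(elems) + 1)
                  for combo in combinations(elems, k))
    return min((D for D in candidates if valid(D, constraints) and satisfies(D, request)),
               key=sensitivity, default=None)

# 𝓡 = id.{Name,Address} ∧ cc.{Name,CCNum}, the request from the slides. Without constraints
# the minimum is passport{Name,Address} + cc (λ = 23); the forbidden view forces the atomic
# id_card instead (λ = 32), since the card number must be released to satisfy cc.{Name,CCNum}.
R = [[("id", ["Name", "Address"]), ("cc", ["Name", "CCNum"])]]
```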

Work to be investigated

• Sensitivity labels assigned to proofs (provided by non-atomic credentials)

• Sensitivity labels based on context

• Integration with server-side solutions and more expressive server requests

• User-intuitive approaches for expressing preferences (and possibly translating them to sensitivity labels)

• Consideration of previous disclosures