May 30 2002 CONTRIBUTIONS Brussels - Cordis - Europa EU

IRG Workshop on Trust and Security - CONTRIBUTIONS

Brussels May 30 2002

IRG Workshop on Trust and Security technologies Brussels – May 30 2002

CONTRIBUTIONS Brussels – 30 May 2002

Contact Person: Andrea Servida


List of contributions

Name, 1st name - Company

Andrade, Maria Teresa - INESC Porto
Badii, Atta - UKAIS
Barber, Barry - Health Data Protection Ltd
Boudy, Jerome - Institut National des Télécommunications
Boyens, Claus - Humboldt University Berlin
Carle, Georg - University of Berlin
Carpentieri, Bruno - Univ. of Salerno
Chadwick, David - Univ. of Salford
Cloos, Berndt - Cloos Consulting
Coolen, Rutger - TNO Physics & Electronics Lab.
Deistler, Albert - City of Cologne
Dimitrakos, Theo - ISE group
Domingo-Ferrer, Josep - Universitat Rovira i Virgili
Durand, Alain - Thomson Multimedia
Elliott, John - QinetiQ
Gattiker, Urs - EICAR
Glott, Rüdiger - Int'l Institute of Infonomics
Guest, Richard - University of Kent
Heger, Dirk - Fraunhofer
Herrigel, Alexander - DCT
Hurtado, Mayte - tb-solutions
Hutter, Reinhard - IABG
Jacobson, Jan - Swedish Nat. Testing & Res. Inst.
Jassim, Sabah - Univ. of Buckingham
Jayaram, Narayana - University of North London
Jendricke, Uwe - Universitaet Freiburg
Jensen, Christian - TCD
Jones, Simon - Loughborough University
Katsikas, Sokratis - University of Aegean
Kearney, Paul - Btexact Technologies
Kurth, Helmut - @sec
Legand, Patrick - Thales
Le Métayer, Daniel - Trusted Logic
Marchetti, Carlo - Univ. of Roma
Marin Lopez, Andres - Universidad Carlos III Madrid
Mellstrand, Per - Blekinge Institute of Technol.
Mitchell, Chris - Royal Holloway
Mitrakas, Andreas - GlobalSign
Monyk, Christian - Seibersdorf Research
Nikander, Pekka - Helsinki Inst. For Inform. Tech.
Nikolaidis, Nikos - University of Thessaloniki
Nikolaou, Christos - University of Crete
Olsson, Olle - SICS
Patel, Ahmed - Univ. College Dublin
Persiano, Giuseppe - Univ. of Salerno (2 contributions)
Phenekos, Costas - Red Cross Hospital
Piessens, Frank - KUL (with B. Preneel)
Pikrammenos, Giannis - University of Athens
Preneel, Bart - KUL
Raskin, Jean-François - ULB
Regazzoni, Carlo - Univ. of Genova
Renteria Bilbao, Silvia - Fundacion Robotiker
Rigby, Michael - Keele University
Ryan, Peter - Univ. of Newcastle
Savino, Matteo Mario - Unisannio
Schoo, Peter - Docomolab-euro
Simoncini, Luca - University of Pisa
Sinclair, David - Dublin City University
Steinbrecher, Sandra - Dresden Univ. of Technology
Stewing, Franz-Josef - Materna
Stiegler, Helmut - STI-Consulting
Tassiulas, Leandros - University of Thessaly
Trebucq, Olivier - Gemplus
Ward, Michael - BT Ignite Solutions
Wiberg, Torbjörn - Umea University
Zissis, Nikos - MLS Laserlock Int. Inc.

1) Andrade Maria Teresa

INESC Porto

Contribution from INESC Porto, Multimedia and Telecommunications Unit
Contact Point: Maria Teresa Andrade [email protected]
tel: +351 22 2094237
fax: +351 22 2084172
http://telecom.inescn.pt

During the last decade we have witnessed remarkable progress in the digital communications and storage scenario. This has made it possible to create and make remotely available huge archives and sources of all types of content. The phenomenon of convergence of technologies that started a few years ago, and still continues, is creating the conditions for the transport and delivery of that content across heterogeneous networks and its consumption in a variety of receivers. There are still, however, important aspects to address in order to be able to provide end-users with easy, transparent and secure access to that content. Within the content production industry the use of proprietary systems is very common. Regarding the description of the content itself or essence (text, images, video, audio, etc.), there is at present a great proliferation of different metadata schemes, both standardised (e.g. MPEG-7 of ISO/IEC, P/META of EBU, SMPTE, Dublin Core) and proprietary. For the essence, there are also many distinct encoding and representation formats. Another problem encountered is the fact that different content suppliers may use distinct modes of representing, storing and managing their content and distinct ways of promoting the association between the metadata and the essence. They also impose distinct rules for accessing their databases and using the content, applying different access restriction levels. There are thus many distinct data models being used on the content repositories, and many times they are not interoperable. From the point of view of the consumer, it would be desirable to be able to access and consume the content from anywhere, at any time and from any device, with all the peculiarities of the underlying systems and technologies completely hidden from him.

This means that integrated and interoperable tools are needed for seamlessly taking content from one delivery context to another: an open framework operating seamlessly between content repositories and consumers, facilitating both the transfer of content across domains and the transparent access to that content from any client device. Besides the requirements for transparency and ease of access to the content, from the point of view of the end-user there is still another aspect to be considered. That aspect is the one of trust, the guarantee of integrity and validity of the content being consumed. From the point of view of the content owner and service provider, there is still the issue of being able to effortlessly and dynamically publish the content in any consumable format, in order to be able to reach every potential client without restrictions, and the issue of being able to efficiently manage and protect Intellectual Property Rights. And finally, addressing in particular, but not only, the interests of network operators, there is the ability to use the available resources as efficiently as possible.

Therefore, one crucial aspect to be addressed in order to facilitate access to remote information is the one of interoperability. It is necessary to develop interoperable tools supervised by an open framework, providing the means to efficiently identify, manage and transfer any digital element found in the content delivery chain. This is the line of work initiated by MPEG-21, which should be pursued, tested, improved, augmented and implemented. One particular aspect of this whole scenario that still seems to be lacking attention is the one of setting up the rules and the infrastructures to be able to authenticate, in an open, interoperable and easy way, all the content made available on networks, whether private or corporate. The Internet is nowadays a very important source of information for higher-education students, for teachers, researchers, industry and for technologists in general. However, in most cases that information is not certified, and therefore it is not possible for the person who retrieves the information to be 100% sure that it is accurate, up to date, complete and reliable, or whether it simply reflects personal points of view instead of proven methodologies, concepts or technologies. Within this particular context, possible actions to take could be the development of a framework identifying distinct scientific and technology areas and establishing quality criteria and a minimum set of requirements to be fulfilled by repositories containing relevant information, and the design and implementation of tools capable of setting up and managing a database of content and repositories conformant to those directives and capable of working across distinct domains. The primary expected benefits would be the widespread and reliable dissemination of scientific and technology information, and the provision of means for the consumer to find and retrieve quality information more rapidly and with less effort.

INESC Porto has R&D teams with strong experience and proven knowledge in the areas of networking, video coding, distributed systems and information systems. We are actively participating in several standardisation initiatives such as the MPEG-21 framework. We are presently involved in European funded projects under the IST FP5 such as CONTESSA, ARROWS, METAVISION, NUGGETS and MOUMIR, among others.

2) Atta Badii

UKAIS

East of England Telematics Development Trust, e2e Research Centre

Organisation profile

At UCN, Department of Information Systems and in collaboration with the e2e Research Centre, East of England Telematics Development Trust (EETDT), Atta Badii, Reader (Information Systems & Sciences) conducts research with academic and industrial partners within the P3ie Research Group of which the EnCkompass (Online and Mobile Digital Profiling and Content Management for Mass-Personalisation) International Research Network is a strong and thriving component with some 12 International Research Workshops conducted since the establishment of EnCkompass in October 1999. Research on Advanced Workflow-Embedded Evaluation Systems forms another plank of our activities within the National Research Network for IS Evaluation (NISE) funded by the UK Government (EPSRC). The East of England Telematics Development Trust is a Partnership of over 80 public and private sector organisations including major ICT, Education and Training systems-and-services providers who have constituted the Trust Partnership established in 1997 as a non-profit distributing company. The Trust provides a vehicle for collaboration in innovation research and development and includes leading national and international telecom corporates, local, regional and central government, healthcare and educational providers such as the regional universities, University for Industry (UFI) and the National Grid for Learning (NFGL) as well as media, systems and software manufacturers and service providers, for example BT, Cable & Wireless, Anglia TV, Apple Computer (UK), Cambridgeshire County Council, Apollo Digital Media, East of England Regional Development Authority (EEDA) and UFI East. EETDT's specific mission as a major European Economic Grouping is to pursue Research and Development and to promote awareness raising, take-up and innovation in exploitation of new ICT for competitive advantage, particularly in deployment of new Internet and Broad Band Systems and Services throughout the Region of Eastern England. This includes Cambridgeshire as arguably one of the most ICT progressive regions in Europe with a high concentration of advanced ICT and educational systems-and-services providers as well as a large variety of user organisations.

The EETDT staff, Directorate and associate members each have a considerable track record of large RTD project management, education and awareness raising relating to the emerging developments in ICT including Internet-supportive, Internet-native and Internet-enabled technologies such as the innovative deployment of integrated BroadBand systems-and-services, demand aggregation frameworks as well as community networks and portals. For example, EETDT and Partners have to date successfully obtained and managed large collaborative programmes (over 25 M Euro including matched funding) for the development of a Regional Broadband Network and Demand Aggregation frameworks. The EETDT RTD group constituted as the e2e Research Centre has been responsible for the concept and content architecting of the EastSpace Portal of Portals to serve e-business, e-learning and e-government.

Research interests

The EnCkompass Research Manifesto (October 1999) marked a radical departure from superficial, sometimes irritating, user-friendly gimmickry in some current ICT user experiences. This was to focus on the real emancipation of users by overcoming the fundamental bottlenecks towards provision of truly user-intimate systems and services including real-time mobile personalised presentation flow management over community networks and portals. We are interested in Content and Systems Convergence frameworks and standards for Mobile e-Systems, e-Services and Seamless Roaming, Zero-latency Mobile Personalisation Systems and Services, Broad Band adoption and Demand Aggregation Frameworks, flexible social inclusion and access bridges to e-conurbations, e-forums and e-collaboration systems and, generally, fundamental capacity and take-up building RTD to serve e/m-Learning, e/m-Business and e-Government.

Contacts: [email protected] [email protected]

East of England Telematics Development Trust, e2e Research Centre

Project idea/idea for Expression of Interest for IPs and NoEs

The Exploitation of the new dynamic usability models that we have developed together with advanced online digital profiling to build a fundamental capacity for delivering truly user-intimate and mobile systems and services for sustainable excellence in e/m-learning, e/m-business and e-government.

UZIPS: Ubiquitous, Zero-Latency and Intimate Personalisation Systems & Services for Mobile Roaming, Context-aware, Session-state-aware, QOS-aware, Device-aware and Device-Reactive standards.

Intelligent Network Meta-Controller models for Traffic Management and Peak-Load Resource Balancing, Multi-e-sourcing service selection and Compound Tariff Optimisation Services

Networks of Excellence in Online Real-time Usability Mining and Mobile User Behaviour Modelling

Network of Excellence in BroadBand Diffusion Experience Sharing within e-Conurbations (NEBES)

Contacts: [email protected] [email protected]

3) Barry Barber

Health Data Protection Ltd

Info-Vigilance or Safety in Health Information Systems

Barry Barber (a), François-André Allaert (b), Eike-Henner Kluge (c)

(a) Health Data Protection Ltd, Great Malvern, England
(b) Managing Director of CENBIOTECH, Dijon, France
(c) University of Victoria, Canada

Abstract

The paper examines the issues of security and safety in Health Information Systems and focuses on the need for the development of appropriate Guidelines for the effective use of the IEC 61508 standard.

Introduction

Safety-Related Systems

In the late 1980s and early 1990s there arose considerable concern about the use of systems and software to control dangerous processes for nuclear reactors, air traffic and the like. This concern was reflected in a joint study report prepared by the Institution of Electrical Engineers and the British Computer Society [1]. This book includes other material on safety-related systems such as the DRIVE Report, which reviewed current tools and techniques for the development of safety-critical software. It also provides an overview of the education and training of safety-critical systems practitioners and defence standard 00-55. The concern was shared by the UK Department of Trade and Industry, which set up and co-ordinated the Safety-Critical Systems Club to examine these issues. Redmill and Rajan [2] outline the progress that has been made in understanding the issues involved over the last decade.

Safety in Medical Informatics

Concern over safety was not limited to these areas. During the first phase of the Advanced Informatics in Medicine programme of the European Union, consideration was given to the future in the context of the "Impact Assessment and Forecast" study. This work, published by Roger-France and Santucci [3], developed the idea of regulating Health Telematics according to "Six Safety First Principles". These were elaborated by Barber, Jensen, Lamberts, Roger-France, de Schouwer & Zöllner [4]. The study group was surprised to find the issue of safety arising at this stage because it was confidentiality and not safety that had been the main previous focus of discussions of problems in medical informatics.
In retrospect, however, it should not have been surprising since already the Hippocratic Oath states that "I will help the sick according to my ability and judgement but I will never use it to injure or wrong them;" and, again, that "I will not use the knife either on sufferers from stone but I will give place to such as are craftsmen therein" [5]. These clauses clearly place the issue of safety at the centre of medical concern. Traditionally, security has been concerned with the confidentiality, integrity and availability of information and the accountability for it. Safety has been concerned with wider issues of the overall effect of the use of various systems and, generally, the development of standards has been sector specific. In Healthcare the issues of safety and security need to be brought together.

Security in Medical Informatics

Within the English National Health Service [NHS], the implementation of the Data Protection Act 1984, based on Council of Europe Convention 108 [6], led naturally to an examination of the appropriate security measures as required by Article 7. A variety of Risk Analyses were undertaken within the NHS utilising the CCTA Risk Analysis and Management Methodology [CRAMM], which was the UK government's own approach to elucidating these issues [7]. In this methodology, problems arising from security breaches were measured in a variety of dimensions, but the most interesting from the Healthcare standpoint were the dimensions of financial loss and of damage or death of patients. Significantly, this work called for much more stringent security measures to cope with safety issues than had normally been practiced for purely financial or confidentiality reasons [8]. Within the UK, this work had the effect of raising the issues of integrity and availability in respect of the use of electronic medical records on the basis of the government's own risk analysis methodology. These considerations were based around the development of "worst case scenarios". "They must not stretch the bounds of credulity but rather represent a view of events that might be foreseen and expected to happen in particular circumstances by a reasonable person - not every time, not necessarily most times, but from time to time" [9]. In a very real sense the development and maintenance of these worst case scenarios raised major clinical and managerial issues: What would a reasonable person expect to happen in the event of a breach of security? What would such a person, or a court of law, regard as negligence?

What Has Gone Wrong?

In order to give appropriate answers to these questions, it is important to have some understanding about actual situations where things have gone wrong. However, it is not easy to do this. Many organisations are unwilling to provide access to critical incidents for fear of laying themselves open to legal action and/or causing an exodus of their patients which could affect their financial viability. This is particularly true when fatalities or serious injuries are involved.
Unfortunately, therefore, the most frequent access to reports of such failures is through the press. While such reports provide useful material for training purposes, it is rare that they allow one detailed insight into the facts of the case. Further, since they normally give a journalist's hurried view of a situation, the information they present may well turn out to be wrong when the full facts are reviewed subsequently. The safety-related literature usually holds up the case of the Therac 25 linear accelerator as the best example of a serious breach of Healthcare safety arising from an integrity failure. It is referred to by Redmill and Rajan [2 p 240] and is extensively covered by Peterson [10]. In this instance, there were 6 radiation accidents involving substantial overdoses that led to at least 4 deaths. These accidents were caused by a "complex web of interacting events with multiple contributing technical, human and organisational factors". Correspondingly, the under-dosage reported at the North Staffordshire Royal Infirmary also appears to have arisen from a multiplicity of interacting factors [11]. Another example - the computer project problems of the London Ambulance Service - has been reported in detail by Beynon-Davies [12]. They were blamed for 20 - 30 deaths as a result of the non-arrival of urgently required ambulances. Another case, reported at Arrowe Park Hospital on the Wirral [13], involved the modification of patient data. In this case, a nurse was convicted under section 3 of the Computer Misuse Act 1990 of unauthorised modification of computer material and sentenced to 12 months in prison. The prescription record of a 9 year old was changed to a potentially lethal cocktail of atenol, temazepam, benzoflumethiazide and coproxamal. Fortunately, this modification was noticed and not acted upon by the ward sister. Other examples include press reports of medical records ending up on rubbish dumps and on obsolete computers sold on to the public, theft of medical systems containing patient data, private investigators being able to get medical records for specific individuals at will, medical databases being hacked into, losses of medical records, especially research studies, poor software in medical systems and virus infections. The ISHTAR project [14] attempted to establish a database of Healthcare Security Incidents but, although it did develop a Healthcare Incident Reporting Scheme, the Verification Centres of the project were unwilling for their incident reports to be shared. In addition, there are press reports of medical errors concerning inappropriate treatments that sometimes lead to the death of patients: errors that arise from illegible writing, incorrect drug administration, incorrect prescribing, incompatible blood transfusion, misinterpretation of laboratory tests, incompetent surgery, etc. All of these indicate areas in which security breaches in respect of the patients' medical records might lead to serious harm to patients as a result of reliance on the validity of the patients' records.

How Safe Should Medical Systems be?

In light of the preceding, it is appropriate to ask how safe medical practice should be. On the one side, there is the fact that one paper reported that a review of five years work of one particular pathologist's "mis-diagnosis" had found 186 errors in 12,000 cases reviewed [14]. More recently, another pathologist claimed that he had an error rate of "no more than 2%, which was average in the UK and better than many doctors abroad. Internationally, the incorrect diagnosis rate varies from 2% to 7%".
A review of 10,358 of his cases found 7 patients with a wrong diagnosis that had serious consequences, and 215 cases whose histology had to be revised [15]. In both these cases, the pathologists were considered to have a bad performance record. However, by contrast, it should be noted that in most occupations an error rate of around 2% would be considered good. These figures indicate just how great are our expectations of medical systems. Recently, the BMJ devoted an edition to the issues of Reducing Error and Improving Safety that was introduced by an editorial by Leape and Berwick [17]. They noted that a recent report from the Institute of Medicine [18] had given a great impetus to the examination of safety issues in medicine in the USA, and that Weingart SN, Wilson RM, Gibberd RW and Harrison B [19] had provided comparable results from Australia. Barach and Small [20] examined the characteristics of error and near-miss reporting schemes in other sectors to see what light they might shed on the schemes that need to be developed for the Healthcare sector. Reason [21] explored the permanence of human fallibility and the need for the development of a systems approach within which error-prone humans can work and still achieve highly reliable results. However, the overall conclusion to be drawn was that there needs to be a major change in culture to support confidential incident reporting arrangements that will actively seek out and rectify the causes of safety failures. In order to reduce error rates, the culture in which healthcare is delivered, the design of activities and processes and the training of practitioners will all have to change. In fact, the problem is not seen as the fundamental lack of knowledge so much as the lack of a supportive environment within which physicians can report errors and learn, collectively, from their mistakes, thus leading to improvements in patient safety.

Developments in Healthcare Systems

It is at this juncture that safety in informatics becomes relevant. Information systems have been utilised in the various processes of delivering Healthcare for some four decades. However, it is only recently that such systems have been applied to analyse and critique the processes of delivering care. There are now more Health-related Information Systems, more Health Professionals using these systems, more non-Health Professionals using these systems, more critical medical systems being used, more reliance on the Information Systems and more fragmentation in the Healthcare delivery arrangements than ever before. All these factors raise concerns that have to be addressed in respect of patient safety. Of course, few Health-related Systems are set up so that they automatically decide on clinical treatment or drug dosage and then implement their decisions. In general, there is a Health Professional in the "air-gap" between the patient and the Information System. In theory, this gives the Health Professional total control of the diagnostic and treatment processes. However, the Health Professional may believe erroneous information provided by the system, may not have the specialist knowledge to validate the data or suggestions offered by the Information System, may be rushed or worried by many other professional and personal matters crowding onto his/her agenda and may not be working in a supportive clinical environment.
As a result he/she may fail to protect a patient from damage arising from erroneous information provided by the Information System. He/she may take undesirable therapeutic action from a mistaken belief in the accuracy of the information from the system or he/she may fail to take desirable therapeutic action for similar reasons. The closer that Health-related Information Systems come to the heart of the complex set of clinical processes, the more serious become the security and safety hazards associated with the use of such systems. Another problem is presented by networked information systems. That is to say, Health Professionals increasingly need access to their systems when they are away from their desks – which of course means that access from remote locations must be possible. The technology can improve safety by access to information where this would not previously have been possible. However, this raises safety concerns that centre on the problem of unauthorised access to networked information systems. The lessons on the relative ease with which information systems may be attacked over a network have still to be learned and fully implemented [22].

IMIA and Safety

There were five papers at MEDINFO 74 associated with various aspects of Data Protection, and the early establishment of IMIA WG4 makes clear the importance that the International Medical Informatics Association has attached to these issues. Although the clinical issues were not seen as clearly then as they are now, the WG4 monograph [23] clearly raises the issue of "Data/program Integrity" and "Usage Integrity". The issues of integrity, availability and accountability have been fully woven into the five working conferences of IMIA WG4 [24 - 28] since that time - in addition to the more traditional issues of confidentiality.

Security Requirements of the EU Directive

The EU Directive "On the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of such Data" [29] sets out specific requirements in respect of the security of personal data. These are that "the controller must implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access in particular where the processing involves the transmission of data over a network and against all other unlawful forms of processing". The Directive, further, requires that "Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected." These requirements are still clearly focussed on the data that are held in an information system and do not appear fully to take in the requirements for patient safety. However, they do go a long way in that direction. The data are clearly personal health data, and are therefore subject to special safeguards as special category data. In most systems, there will be data transmission over a network even where the application is not specifically one involving telemedicine. Where this system is closely coupled with the delivery of Healthcare, the risks will clearly involve patient safety. This means that security measures need to be up-to-date both in terms of technology and expense.
However, it should be noted that the Council of Europe Recommendation "On the Protection of Medical Data" [30] does not place quite the same emphasis on the cost issue.

Ethical Handling of Personal Health Data

In view of the fact that electronic patient records are increasingly being relied upon by the Health Professionals, and given that these records are increasingly being networked throughout the caring community, it is time to take a close look at the ethical rules that govern the actions of Healthcare information professionals. A number of ethicists have been doing this but Kluge has developed a set of "Fair Information Principles" that reflect best ethical practice [27,31,32]. These concepts have been developed over the last decade and are now reflected most extensively in a book [33]. It suggests that these Ethical Principles should govern the behaviour of Health Information Professionals, and that they require Health Professionals to take full account of the safety issues and utilise safe systems.

What Is a Medical Device?

The definition in the EU Directive [34] "Concerning Medical Devices" is tantalising in that it "means any instrument, apparatus, appliance, material or other article, whether used alone or in combination, including the software necessary for its proper application intended by the manufacturer to be used for human beings for the purpose of:
- Diagnosis, prevention, monitoring, treatment or alleviation of disease,
- Diagnosis, prevention, monitoring, treatment or alleviation of or compensation for an injury or handicap
- Investigation, replacement or modification of the anatomy or of a physiological process,
- Control of conception,
and which does not achieve its principal intended action in or on the human body by pharmacological, immunological or metabolic means, but which may be assisted in its function by such means". The accompanying definition of "accessory" identifies it as "an article which whilst not being a device is intended specifically by its manufacturer to be used together with a device to enable it to be used in accordance with the use of the device intended by the manufacturer of the device". The wording appears quite wide, and the words "including software" and "accessory" raise the issue of the point at which a Health Information System comes within the scope of the medical devices legislation. However, there are things to be learned from the medical devices legislation whether or not it is applicable in the strict sense. The legislation establishes a classification scheme for medical devices with increasingly stringent requirements for more risky devices. It establishes a monitoring scheme for collecting information on incidents relating to medical devices put on the market. The Directive makes clear reference to appropriate standards, and it establishes national bodies to oversee the legislation. In addition, there is a clear implication that a medical device shall be recognisable as having been put on the market by a "manufacturer" meaning "the natural or legal person with responsibility for the design, manufacture, packaging and labeling of a device before it is placed on the market". This implies that an information system would have to be identifiable and packaged rather than being purchased as a variety of hardware and software components for which no-one was taking overall responsibility.
The Next Steps in Standardisation

Curiously, safety and security in respect of information systems seem to be separate concepts in all areas except in the case of Healthcare. This may result from the fact that the focus of interest in Healthcare is that of patient safety, whereas confidentiality and financial loss, although very important, are not quite as central. However, complete and integrated standardisation is really necessary. The conventional UK approach to Information Security Management standards is from the standpoint of BS7799 [35] and the UK Data Protection Commissioner is currently looking for security at this standard. The next step is that of providing Healthcare specific safety guidelines for the use of the IEC 61508 standard [36]. This safety standard has been used successfully in a number of other sectors and, with the increasingly clinical and critical use of Health Information Systems, it is therefore time for that standard to be developed and utilised in Healthcare. The European standards body CEN TC 251 commissioned a technical report [37] which reviewed the various ways forward. CEN is only waiting for the opportunity to take this work forward into the formal standards arena utilising IEC 61508.

However, standards by themselves are not sufficient. Standards are only as effective as the people who apply them. Therefore we also need to establish


- A Safety Culture for Health Information Professionals to match the developing culture among Health Professionals,
- A practical Code of Ethics for Health Information Professionals,
- Appropriate standards for developing and using safe Health Information Systems, and
- An international body empowered to supervise the application of the relevant codes and standards.

References

[1] Wichmann B A. Software in Safety-Related Systems. John Wiley for BCS, Chichester, 1992
[2] Redmill F and Rajan J. Human Factors in Safety-Critical Systems. Butterworth-Heinemann, Oxford 1997
[3] Roger-France FH and Santucci G. Perspectives of Information Processing in Medical Applications. Springer Verlag, Berlin 1991
[4] Barber B, Jensen O A, Lamberts H, Roger-France, de Schouwer P & Zöllner H, The Six Safety First Principles of Health Information Systems: A Programme of Implementation, pp 608-619 in MIE90 ed O'Moore R, Bengtsson S, Bryant J R & Bryden J S, vol 40 in Lecture Notes in Medical Informatics, Springer Verlag 1990
[5] Jones WHS. The Doctor's Oath, Cambridge University Press, 1924, pp 9 - 11
[6] Council of Europe 1981, Convention For the Protection of Individuals with regard to Automatic Processing of Personal Data, Convention 108, January 1981
[7] The CRAMM User Guide, issue 1.0 April 1996, CRAMM software 3.0, The CRAMM Manager, PO Box 1028, London
[8] Barber B & Davey J, The Use of the CCTA Risk Analysis and Management Methodology [CRAMM] in Health Information System's, pp 1589 - 1593, in MEDINFO 92, ed Lun KC, Degoulet P, Piemme TE and Rienhoff O, pub for IMIA by North Holland, Amsterdam, 1992
[9] Barber B, Vincent R and Scholes M. Worst Case Scenarios: the Legal Consequences, pp 282 - 288, HC 92: Current Perspectives in Healthcare Computing 1992, ed Richards B, MacOwen H, Bryant JR, Gillies M, Hayes G, Jones R and Roberts J, pub for British Computer Society by BJHC Weybridge, ISBN 0 948198 12 5
[10] Peterson P. Fatal Defect: Chasing the Killer Computer Bugs, pp 27 - 48, Vintage Books, New York, 1995
[11] West Midlands Regional Health Authority, Reports into the Conduct of Isocentric Radiotherapy at the North Staffordshire Royal Infirmary between 1982 and 1991, Birmingham 1992 and 1994
[12] Beynon-Davies P, Information Systems "Failure": the case of the London Ambulance Service's Computer Aided Dispatch project, European Journal of Information Systems, 1995, 4, 171 - 184
[13] Nurse Jailed for Hacking into Computerised Prescription System, British Journal of Health Care Computing, p7, vol 11, February 1994
[14] Implementing Secure Healthcare Telematics Applications in Europe - ISHTAR, IOS Press, Studies in Health Technology and Informatics vol 66, Amsterdam 2001
[15] The Independent, 8 October 1994, London


[16] The Guardian, 15 June 2000, London
[17] Leape KK and Berwick DM, Safe Health Care: Are we up to it? BMJ, 2000;320:725 - 726
[18] Kohn LT, Corrigan JM, Donaldson MS eds, To Err is Human. Building a Safer Health System, National Academy Press, Washington DC, 1999
[19] Weingart SN, Wilson RM, Gibberd RW and Harrison B, Epidemiology of Medical Error, BMJ, 2000;320:774-777
[20] Barach P and Small SD, Reporting and Preventing Medical Mishaps: Nonmedical near miss reporting systems, BMJ, 2000;320:759-763
[21] Reason J, Human Error: Models and Management, BMJ 2000;320: 768-770
[22] Stoll C, The Cuckoo’s Egg, Pan Books, London, 1991, ISBN 0-330-31742-3
[23] Griesser GG, Bakker A, Danielddon, Hirel J-C, Kenny D, Schneider W and Wassermann AI, Data Protection in Health Information Systems: Considerations and Guidelines, pp 53-55, North Holland, Amsterdam, 1980, ISBN 0 444 86052 5
[24] Griesser G, Jardel JP, Kenny DK & Sauter K, Data Protection in Health Information Systems: Where Do We Stand?, North Holland, 1983 Amsterdam, ISBN 0 444 86713 9
[25] Barber B, Bakker AR & Bengtsson S, ed Caring for Health Information: Safety, Security and Secrecy, International Journal of Bio-Medical Computing, vol 35, Supplement February 1994 Amsterdam
[26] Bakker AR, Barber B, Pellikka RT K & Treacher A, ed Communicating Health Information in an Insecure World, International Journal of Bio-Medical Computing, vol 43, pp 1-152, Supplement October 1996 Amsterdam
[27] Bakker AR, Barber B, Ishikawa K & Yamamoto K, ed Common Security Solutions for Communicating Patient Data, International Journal of Bio-Medical Computing, vol 49, pp 1-137, Supplement October 1998 Amsterdam
[28] Bakker AR, Barber B, Moehr J, International Journal of Medical Informatics, vol 60, No 2, 2000 Special Issue: Security of the Distributed Electronic Patient Record
[29] European Community Directive 95/46/EC, On the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of such Data, OJ L281/31 - 50, 24 October 1995
[30] Council of Europe Recommendation, R(97)5, On the Protection of Medical Data, Council of Europe, Strasbourg, 12 February 1997
[31] Kluge E-HW, Medical Information & Education: The Profession or Gate Keeper, Methods of Information in Medicine, 28 (1989) 196-201
[32] Kluge E-HW, "Health Information, the Fair Information Principles and Ethics," Methods Inf Med 1994:33; 336-346
[33] Kluge E-HW, The Ethics of Electronic Patient Records, New York, Peter Lang (in press).
[34] European Community Council Directive 93/42/EEC, Concerning Medical Devices, OJ L169/1-43, 12 July 1993
[35] British Standards Institution, BS7799, London 1999 Code of Practice for Information Security Management [Part 1] and Specification for Information Security Management [Part 2]
[36] International Standards Organisation/International Electrotechnical Commission, ISO/IEC 61508 IT Security Techniques - Evaluation Criteria for IT Security Functional Safety of electrical/electronic/programmable electronic safety-related systems Parts 1 to 7
[37] Safety and Security Related Software Quality Standards for Healthcare (SSQS), CEN/TC 251/WG III N 98-036, 26 October 1998, Brussels.

Address for correspondence *** add contact info here***

Safety in Health Informatics

Barry Barber
Health Data Protection Ltd
12 Peterson Court, Worcester Road, Great Malvern, Worcs WR14 4AA, England
Tel +44-1684-566-220
[email protected]

European Safety First Principles

The AIM Impact and Forecast Project developed a set of Six Safety First Principles for European Health Information Systems in 1990 during the first Advanced Informatics in Medicine programme [1 & 2]. The requirement was that such systems should be:

- Safe Environment for Patients & Users
- Secure Environment for Patients, Users & Others
- Convenient Environment for Users
- Legally Satisfactory Environment Across Europe for Users and Suppliers
- Legal Protection for Software Products
- Multi-lingual Systems

At the time the issue of safe systems was a surprise to those participating in this work but it has become even more important over the intervening years. The Commission’s Data Protection conference [3] was a key element in developing some of this work and in widening the horizons of those involved in these Data Protection issues in healthcare. The Data Protection legislation drafted in the context of the European Directive [4] has begun to make Health Information Professionals aware of their responsibilities for security. The systems must ensure a level of security that has regard to the state of the art and the costs of implementing the security measures as well as being appropriate to the risks of the processing and the nature of the data being processed. Particular care must be taken in respect of processing over a network.

The AIM SEISMED [6 & 5] and the HT ISHTAR [7] projects as well as many others have helped build on national work in using Risk Analysis techniques [eg 8 Worst case & 9 MEDINFO] to uncover the key requirements for the integrity and availability of the increasingly useful and utilised Health Information Systems. The Belgirate Workshop [10] drew some of these issues together in its exploration of the “Dependability of critical Systems and Services in the Information Society” in preparation for the Fifth Framework Programme. The EU ISHTAR project developed an Incident Reporting Scheme for Health Telematics but it was not able to secure the necessary participation even with extensive security covering the reporting of incident details.

Safety in Healthcare

Over the last few years the medical profession has become very concerned about the high volume of “adverse incidents” in Healthcare. The impetus came as a result of some American work but this was put into a UK context by Jarman in his 1999 lecture to the Royal College of Physicians [11]. This was followed by a complete issue of the BMJ devoted to the issues of safety and drawing heavily on the American work [12]. We need trustworthy individuals to get the best results but they have to be working within safe systems that have been designed for safety from an engineering point of view. The issues of “adverse incidents” arising from inaccurate identification of individuals, specimens and drugs prescriptions can be directly related to failures of the Data Protection Quality standards, but the safety issues go wider still and embrace the whole of the caring system.

Safety-Related Information Systems

This work mirrors the interest that the computing profession took a decade ago in the development of “safety critical” or “safety-related” systems, concerning the use of systems and software to control dangerous processes for nuclear reactors, air traffic and the like. This concern was reflected in a joint study report prepared by the Institution of Electrical Engineers and the British Computer Society [13]. This concern was shared by the UK Department of Trade and Industry, which set up and co-ordinated the Safety-Critical Systems Club to examine these issues. Redmill and Rajan [14] outline the progress that has been made in understanding the issues involved over the last decade.
Peterson [15] has highlighted some of the known cases of problems that have developed in critical systems. Arising out of these concerns, the International Electrotechnical Commission developed a generic, framework safety standard 61508 [15] which a number of industrial sectors have utilised to provide guidelines for specific industries.

European Standards in Healthcare

Soon after the establishment of CEN TC 251 to develop and promote the use of standards in Healthcare Informatics, as a result of the first AIM programme, a work item was adopted that envisaged building on the IEC standards work when it had been completed. However, this basic generic work took longer than anticipated at that time and the IEC standard was not completed until the period 1998 to 2000 when the various parts of IEC 61508 [16] became available. However, TC 251 WGIII has been able to complete a technical report [17] which surveys the field and opens the way for the final step of developing Guidelines for the development of Health Information Systems within the generic context of IEC 61508. At present the funds available to TC 251 WGIII appear to have dried up and there appear to be no prospects of completing the second stage of this work item by this route at the moment. There are of course other avenues of working on these problems by way of EU projects or looking to other standards bodies to fill in this gap.

IMIA Code of Ethics for Health Information Professionals

The International Medical Informatics Association has been actively involved in the Data Protection, Security and Safety issues since the late 1970s with its Working Group 4 and the many publications that it has developed from its series of working conferences. At present IMIA is in the process of developing a Code of Ethics for Health Information Professionals [18] which it is hoped will be adopted by all of the national Health Informatics Societies.

The Next Steps in Making Health Informatics Safe


Following these sorts of activities, it is hoped that Health Telematics will be able to be part of the solution to reducing “adverse incidents” in healthcare rather than part of the problem. The basic tools are available and there is professional recognition of many of the problems. All that remains is for the necessary work to be completed and put into practice. We need Guidelines for Health Information Systems in the context of the IEC 61508 standard and their adoption in practical use.

References

[1] Roger-France FH and Santucci G. Perspectives of Information Processing in Medical Applications. Springer Verlag, Berlin 1991
[2] Barber B, Jensen O A, Lamberts H, Roger-France, de Schouwer P & Zöllner H, The Six Safety First Principles of Health Information Systems: A Programme of Implementation, pp 608-619 in MIE90 ed O'Moore R, Bengtsson S, Bryant J R & Bryden J S, vol 40 in Lecture Notes in Medical Informatics, Springer Verlag 1990
[3] EU Commission, AIM Secretariat, Data Protection & Confidentiality in Health Informatics. Studies in Health Technology and Informatics, vol 1, IOS Press Amsterdam, 1991
[4] EU Directive 95/46/EC On the Protection of Individuals with regard to the Processing of Personal data and on the Free Movement of such Data, OJEC 281/31 - 50 dated 23/11/95
[5] SEISMED Consortium, "Towards Security in Medical Telematics", ed Barber B et al, vol 27 in Studies in Health Technology and Informatics, IOS Press, Amsterdam, 1996, ISBN 90 5199 246 7
[6] SEISMED Consortium, "Data Security for Health Care" volumes in Studies in Health Technology and Informatics, IOS Press, Amsterdam, 1996: Vol I Management Guidelines, ISBN 90 5199 264 5 (series vol 31); Vol II Technical Guidelines, ISBN 90 5199 265 3 (series vol 32); Vol III User Guidelines, ISBN 90 5199 266 1 (series vol
[7] ISHTAR Consortium, Implementing Secure Healthcare Telematics Applications in Europe, 66 in Studies in Health Technology and Informatics, IOS Press Amsterdam 2001, ISBN 90-5199-489-3
[8] Barber B, Vincent R and Scholes M, Worst Case Scenarios: the Legal Consequences, pp 282 - 288, "Current Perspectives in Healthcare Computing 1992", ed Richards B et al, pub for British Computer Society by BJHC Weybridge, ISBN 0 948198 12 5
[9] Barber B & Davey J, The Use of the CCTA Risk Analysis and Management Methodology [CRAMM] in Health Information System's, pp 1589 - 1593, in "MEDINFO 92", ed Lun KC et al, pub for IMIA by North Holland, Amsterdam, 1992, ISBN 0 444 89668 6
[10] Dependability of critical Systems and Services in the Information Society, EU Workshop held at Belgirate, Italy, 4 - 6 December 1997
[11] Jarman B, The Quality of Care in Hospitals, 1999 RCP Harveian Oration, JR Coll Physicians Lond, 2000, vol 34, 75 - 91
[12] BMJ, Reducing Error, Improving Safety, no 7237, 18 March 2000
[13] Wichmann B A. Software in Safety-Related Systems. John Wiley for BCS, Chichester
[14] Redmill F and Rajan J. Human Factors in Safety-Critical Systems. Butterworth-Heinemann, Oxford 1997
[15] Peterson P. Fatal Defect: Chasing the Killer Computer Bugs, pp 27 - 48, Vintage Books, New York, 1995
[16] International Electrotechnical Commission [IEC] Standard 61508 Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems, Parts 1 to 7, 1998 - 2000
[17] CEN TC 251 WGIII [SSQS], Safety and Security Related Software Quality Standards for Healthcare, WGIII N 98-036, 1998-10-26
[18] Kluge E-H, draft IMIA Code of Ethics for Health Information Professionals, IMIA WG4


4) J. Boudy

BIOMET-NET Biometrics Identity Verification Network

We are proposing the creation of a Network of Excellence in the biometric identity verification domain, bringing together the critical mass of expertise required to promote Europe as a leading force in the field. The BIOMET GET (Groupe des Ecoles des Télécommunications/France) consortium is the starting point of this initiative.

1) Rationale:

The proliferation of information access terminals, coupled with the increasing use of information-sensitive applications such as electronic commerce, e-banking and health care, has triggered a real need for reliable, user-friendly, and commonly acceptable control mechanisms for private and critical information. On the other hand, the need for privacy must be balanced against security requirements for the benefit of society. Recent worldwide events have shown the importance of providing the police, airports and other exposed areas with new trusted security tools. Of course, a compromise will have to be found between these two a priori contradictory aspects. Biometric identification and authentication (which have long been successfully used in forensic applications) are a promising solution to this need. In recent years research activity has accelerated in both capture devices for biometric verification modalities and methodology (computation theories and algorithms).

2) Objectives:

The objectives of this network are twofold:

a) To identify and solve the remaining technical challenges in the biometric field: the network will explore several already known modalities such as voice, signature, fingerprints and hand shape, and newly emerging ones such as ear prints. Biometric modality fusion will also be explored in depth as a potential way to improve performance.

b) To explore non-technological aspects of biometrics such as security vs. privacy, acceptability and reliability. This will be envisaged in the context of both commercial and forensic applications.

These two tasks will be studied in close relationship, as technology influences end use and vice versa.

3) General approach foreseen

Creation of 3 subtasks:

3.1 Creation of a European development and evaluation platform for the technological research
- Capitalize on the results of different pre-existing projects: M2VTS, BIANCA, BIOMET
- Development of a European common database


- Normalization of acquisition protocols
- Definition of evaluation protocol
- Organization of evaluation campaigns (similar to what NIST organizes in the USA)

3.2 Creation of a European Certification Center and end-use observatory center in order to:
- Define scenarios in order to evaluate the interest of biometrics in different applications, both commercial and forensic.
- Evaluate the human acceptance of the different modalities with respect to privacy and security.
- Develop large-scale pilot tests.

3.3 Support technology:
- Explore, with the help of industrial partners, the feasibility of integrating biometric sensors and algorithms (smart card, camera, PDA)
- Explore the link with mobility

Of course, there will be strong interactions between all these tasks.

4) Need and Relevance:

a) Commercial systems have been successfully developed embedding biometric verification such as fingerprint, human face, hand shape, iris pattern, retina map, voice, and handwritten signature. However, some critical problems still exist:
- Performance: Most of these systems use a single modality (or at best two modalities), which usually leads to poor performance in real conditions (i.e. presence of background noise, variable lighting, …).
- Variability: A biometric signature is strongly related to the physical state of a person, which can be either difficult to capture or even altered during his/her lifetime (voice may be altered by illness, a finger may be injured, presence/absence of a beard, …).
- User acceptance: This aspect is very often neglected despite its primary importance in guaranteeing the success of a biometric application. For example, fingerprint recognition is sometimes perceived as linked with criminal aspects and may therefore be directly rejected by some users.
- Sensor variability: It is also well known that the performance of biometric technology can significantly degrade when a mismatch exists between the training condition and the testing environment.

b) European industrial efforts and research activities are scattered and rather limited. However, some national initiatives exist in some European countries (the UK Association for Biometrics, for example).

c) Europe has particularities concerning end use and legislation which have to be studied in order to bring an acceptable and efficient solution, suitable to European usages.

5) Excellence


- GET (Groupe des Ecoles des Télécommunications) has extensive experience in the field of biometrics. It has initiated the BIOMET (Multimodal Biometric identity Verification) project, which is a French two-year project with two main objectives: to build a database, from good quality sensors, containing different modalities such as voice, speech, dynamic signature, fingerprints etc., and to study the benefit of fusion. BIOMET's database will serve as a starting platform in BIOMET-NET but our aim is to further extend this database.
- Besides, the network will bring together academic partners involved in the processing of different biometric modalities and in their fusion.
- Most partners of COST 275 (biometrics identity verification on the internet) will participate in this network: France: GET, Université d’Avignon; Spain: Polytechnical University of Madrid, University of Vigo, E.T.S.I.I.T; Greece: University of Thessaloniki; Italy: Fondazione Ugo Bordoni; United Kingdom: University of Wales Swansea, University of Surrey, University of Hertfordshire; Switzerland: IDIAP, Université de Fribourg, Swiss Federal Institute of Technology Lausanne (EPFL); Sweden: Halmstad University and Chalmers University of Technology; Belgium: Royal Military Academy Belgium; Slovenia: University of Ljubljana; Poland: Wroclaw University of Technology.
- Other academic partners: Czech Republic: Czech Technical University; Italy: Universita` di Sassari; Turkey: Bogaziçi University; Bulgaria: Akad. G. Bonchev, Sofia; Germany: Darmstadt University; Austria: Vienna University of Technology.
- Industrial partners: France: ST Microelectronique; Germany: ORGA Kartensysteme (authentos-group).
- End-users and organisations: the "Forensic Speech and Audio Analysis Working Group" (FSAAWG), which is part of the "European Network of Forensic Science Institutes" (ENFSI) (enfsi.org); Spain: Guardia Civil.

We are looking for more industrial partners and more end-users in order to enrich our network. The participation of some national initiatives in biometrics is also welcome.

6) Integration, structuring aspects

- Contribution to the normalization aspects: production of a common European biometric database with several modalities and creation of a European evaluation center.
- GET is a leader in French education and research in telecommunications. It is thus especially willing to initiate the creation of a European doctoral training programme, as well as post-doc exchange programmes. The vocation of the network is also to contribute to European visibility through publications, workshops, conferences, etc.
- Exchanges between the participants will be facilitated by an organization in sub-networks and by the use of e-communication (emails, e-conferences etc.).
- Participate in the education and information of citizens about the risks and benefits of biometric verification. This could be envisaged in particular through e-learning facilities.


J. Boudy

5) Claus Boyens

Humboldt University Berlin

Written Contribution
IST in FP6 consultation workshop related on “Trust and Security”
30 May 2002, Brussels

Trust and Protection in ASP and Web Services

Claus Boyens
Prof. Oliver Günther, Ph.D.
Institute of Information Systems
Humboldt-Universität zu Berlin
Spandauer Str. 1, 10178 Berlin, Germany
{boyens, guenther}@wiwi.hu-berlin.de
http://www.wiwi.hu-berlin.de/iwi

I. Proposed Research and Activities

After the dominance of monolithic and client-server application architectures, recent improvements in network infrastructure and Internet access have prompted a major rise in web-based services (a.k.a. hosted services). Besides numerous advantages, particularly for small and medium enterprises, a major inconvenience of these services is that potentially sensitive data must be made available to the service provider. Whereas access control and communication confidentiality can be assured by current means, such as the Secure Sockets Layer (SSL), customer information still resides on the providers’ hosts in cleartext format. Threats to these important assets may be due not only to attacks from external parties, but also to incompetent or malicious staff on the provider side, or to changes of ownership.

Where it is not sufficient to trust the service provider, technical approaches become necessary. One distinguishes between hardware- and software-driven ones:

Hardware solutions are based on a physical device, called a secure coprocessor, that can be trusted to execute its tasks in a confidential manner even in the presence of physical attack [SmWe99]. The service provider has no opportunity to track the coprocessor’s operations. If the device is tampered with, all sensitive data stored is zeroized immediately. However, this approach can only be deployed in selected situations, for cost and performance reasons.


The seminal software solution was proposed by Rivest et al. [RAD78] and is based on homomorphic encryption functions, so-called privacy homomorphisms (PHs), that allow certain arithmetic operations to be executed on encrypted data. That means that the client can let the server perform, for example, a multiplication without revealing either the factors or the result to the server. But this only refers to the basic arithmetic operations (+,-,·,÷). There are some important conclusions for database queries, too: if a PH allows comparison against a constant on encrypted data, the encryption scheme will not be secure. This implies that, for example, sorting operations are impossible on encrypted tables as long as confidentiality is to be guaranteed. While the theory of PHs mostly deals with the resistance of proposed algorithms against different kinds of cryptographic attacks, an open practical issue remains the question of to what extent PHs may be deployed in specific service applications and whether they can represent a valuable alternative considering cost and benefit aspects.

The few practical architectures proposed so far include a database service provider model that allows its clients to transfer encrypted data and to pose encrypted queries to the remote database while still letting the provider perform large parts of the necessary database management computations [HMI+02]. As no secure hardware device is employed, every query must be split into (i) a corresponding query over encrypted relations and (ii) a query that processes the decrypted results of (i) at the client site afterwards. As the client functionality must be extended significantly to do this kind of post-processing, the main advantages of the web-based service model are neutralized to a certain degree.
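The two PH properties described above, as an added example that is not part of the contribution or of [RAD78]: unpadded RSA is used as the privacy homomorphism because it is multiplicatively homomorphic, and a simulated comparison oracle shows why a PH that answers comparisons against constants cannot keep data confidential. The key parameters, function names and sample values are constructed for illustration, and the oracle is a hypothetical stand-in for such a scheme.

```python
"""Toy privacy homomorphism (PH) demo. Unpadded RSA satisfies
E(a) * E(b) mod n == E(a * b mod n). Parameters are constructed for the
demo; unpadded RSA is deterministic and unsuitable for protecting real data."""
from math import gcd


def keygen(p=2**31 - 1, q=2**61 - 1, e=65537):
    """Client side: build a key pair from two known Mersenne primes."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    return (n, e), pow(e, -1, phi)  # (public key, private exponent)


def encrypt(pub, m):
    """Client side: encrypt an integer 0 < m < n."""
    n, e = pub
    if not 0 < m < n:
        raise ValueError("plaintext out of range")
    return pow(m, e, n)


def decrypt(pub, d, c):
    """Client side: decrypt with the private exponent d."""
    return pow(c, d, pub[0])


def server_multiply(pub, c1, c2):
    """Provider side: uses ciphertexts and the public modulus only."""
    return (c1 * c2) % pub[0]


def make_comparison_oracle(pub, d):
    """Hypothetical PH feature: answers 'is the plaintext of c below k?'.
    The private exponent is used here only to simulate such a scheme."""
    def plaintext_below(c, k):
        return decrypt(pub, d, c) < k
    return plaintext_below


def recover_by_comparison(plaintext_below, c, upper):
    """Shows why comparison against constants breaks confidentiality:
    a binary search pins down a plaintext in [0, upper) with about
    log2(upper) oracle answers and no key material."""
    lo, hi, queries = 0, upper, 0
    while hi - lo > 1:
        mid = (lo + hi) // 2
        queries += 1
        if plaintext_below(c, mid):
            hi = mid
        else:
            lo = mid
    return lo, queries


def demo():
    pub, d = keygen()
    unit_price, quantity = 1200, 37                   # constructed sample values
    c_price, c_qty = encrypt(pub, unit_price), encrypt(pub, quantity)
    c_total = server_multiply(pub, c_price, c_qty)    # done by the provider
    total = decrypt(pub, d, c_total)                  # done by the client
    oracle = make_comparison_oracle(pub, d)
    leaked, queries = recover_by_comparison(oracle, c_price, 2**20)
    return total, leaked, queries


if __name__ == "__main__":
    total, leaked, queries = demo()
    print("client decrypts product:", total)
    print("recovered from comparisons alone:", leaked, "after", queries, "answers")
```

The same binary search is what makes server-side sorting of an encrypted column equivalent to disclosing the order, and eventually the values, of its rows.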
Proposed research activities include:

1) Develop a PH toolbox for specific service constructs: As cryptographic theory mostly deals with the resistance of proposed PH algorithms against different kinds of cryptographic attacks, an open practical issue remains the question of to what extent PHs may be deployed in specific service constructs and whether they can represent a valuable alternative considering cost and benefit aspects.

2) Build a prototype for a secure service infrastructure: The best technical protection that preserves the advantages described above will probably be achieved via a combined architecture of secure coprocessors and PHs: suitable arithmetic operations would be performed by robust PHs, whereas difficult calculations and encryption processes would be delegated to the secure coprocessor. The design of such an environment needs to be strongly adapted to the particular service requirements, as the manifold restrictions do not permit a “one-size-fits-all” solution.

3) Analyse the relevance of different protection means for individual user behaviour: An important question is the relevance of this kind of privacy protection to the potential users themselves. How do different protection means influence the customer benefit? How is the acceptance of the service affected?

4) Investigate the importance of privacy issues for economic decision processes: The generalized problem of user data protection has important economic implications for the acceptance of web-based services. It is part of the risk portfolio that a potential client (a single person or a company) needs to take into account when subscribing to this kind of service. An open question is to what extent technical protection means are able to reduce this risk.

II. Scale, Ambition and Extent of Proposed Work

At Humboldt University’s Institute of Information Systems, we are strongly interested in participating in the European Union FP6 projects. We think our research environment is perfectly suited for a partnership in the upcoming project application process. Particular areas of competence include ASP and web service architectures, privacy and security in web-based information systems, database management, data warehouses, as well as data mining.

We would like to apply for 2-3 research positions for a period of up to 3 years. These researchers will be embedded in a very productive and inspiring work environment. The current team comprises two senior faculty, two junior faculty, and six Ph.D. students. Their different educational backgrounds (computer scientists, economists, industrial engineers) ensure a high level of interdisciplinarity.

Furthermore, we have at our disposal a broad range of diverse partners. The Institute of Information Systems at Humboldt University is intensely engaged in various scientific and industrial cooperations: the Electronic Business Forum, co-founded in 1999 by the institute’s director Prof. Günther, aims at collaborations between universities, research institutes and industrial partners. Applied research and consulting projects have been completed successfully with BertelsmannSpringer, Siemens ICN, DeTeWe, Porsche AG and many other firms. Prof. Günther also serves as dean of the Berlin-Brandenburg Graduate School in Distributed Information Systems, a doctoral school funded by the German Research Society (DFG). The school comprises seven senior faculty in the areas of database management and information systems. It conducts interdisciplinary research in network-based integration of information systems, the provision of (secure) web-based services, and the development of corresponding markets.
All of these contacts could be activated to create a research network in the chosen area of a European joint research project. It would in particular be easily possible to attract industrial partners from Berlin and elsewhere in Germany.

Related Work:
[BoGü02] Boyens, C., Günther, O., Trust is not Enough: Privacy and Security in ASP and Web Service Environments, to appear at ADBIS 2002, Bratislava.
[HMI+02] Hacigumus, H., Mehrotra, S., Iyer, B. and Li, C., Executing SQL over Encrypted Data in the Database Service Provider Model. In Proceedings of SIGMOD International Conference on the Management of Data, 2002.
[RAD78] Rivest, R.L., Adleman, L., Dertouzos, M.L., On Data Banks and Privacy Homomorphisms. In Foundations of Secure Computation, pp. 169-179, Academic Press, New York, 1978.
[SGB01] Spiekermann, S., Grossklags, J., Berendt, B., E-privacy in 2nd generation E-Commerce. In Proceedings of ACM EC’01, Conference on Electronic Commerce, Tampa, Florida, October 2001.
[SmWe99] Smith, S.W., Weingart, S.H., Building a High-Performance Secure Coprocessor. In Computer Networks, Special Issue on Computer Networks Security, No. 31 (1999), pp. 831-860.


6) Georg Carle Fraunhofer FOKUS, Berlin & Technical University Berlin

Workshop on Communication and Network Technologies
Position Paper: Dependable Interoperable Internet Services with Instrumentation and Active Control
Contact: Dr. Georg Carle, Fraunhofer FOKUS, Berlin & Technical University Berlin, [email protected]; http://www.fokus.fhg.de/usr/carle, Tel. +49-30-3463-7149, Fax +49-30-3463-8149

Outline
We see the need for a coordinated effort that focuses on research issues related to interoperability at network and service level, enabling secure and dependable seamless end-to-end service provisioning across heterogeneously administered network domains and end systems. There are numerous research problems that need to be addressed if the full potential of ubiquitous communication with distributed network-based services is to be realized. We believe that this research will have a wide impact. Key issues are:
- Authentication, Authorisation and Accounting mechanisms in both network elements and end systems for enabling needed trust relationships
- Instrumentation of network elements and hosts for accounting of resource usage, monitoring Quality of Service and validating Service Level Agreements
- Functional extension by means of Programmable Network Elements and Active Network Technology.
The following are examples of application areas that benefit from solutions to the above issues:
- Personalized communication spaces
- Software architectures for peer-peer services, and grid computing systems
- Novel server-less applications (including those based on ad hoc and spontaneous networks)
- systems (including naming services, group membership, etc)
- large scale dependable and adaptive distributed systems

Related Activities
The goals and approach of this position paper are aligned with activities in standardisation (IETF), pre-standardisation (IRTF - Internet Research Task Force), and the related scientific working groups of COST, IFIP and IEEE. In Internet standardisation, it refers to the following IETF working groups: the IPFIX (IP Flow Export) working group, the PSAMP packet sampling activity, as well as the working groups dealing with standardisation of Authentication, Authorisation and Accounting. As part of the scientific networking activities, this expression of interest relies on the activities performed as part of the Cost263 action “Quality of future Internet Services” and is aligned with the IFIP working groups 6.2 on Network and Internetwork Architecture and 6.7 on Smart Networks. Current activities addressing the above issues are performed in the following IST projects:


Intermon - Advanced architecture for INTER-domain quality of service Monitoring, modelling and visualisation Moby Dick - Mobility and Differentiated Services in a Future IP Network FAIN - Future Active IP Networks Project Cadenus - Configuration and Provisioning of End-User Services in Premium IP Networks and in the IST Premium IP cluster - IP-QoS projects AQUILA, CADENUS and TEQUILA.

7) Bruno Carpentieri University of Salerno

Secure strategies for the management and delivery of multimedia content.
Prof. Bruno Carpentieri, Dipartimento di Informatica ed Applicazioni “R. M. Capocelli”, Università di Salerno – 84081 Baronissi (SA), Tel.: +39 089 965405 – Fax: +39 089965272, E-mail: [email protected]

Exchanging digital information: where is the bottleneck?
Interest in trust and security is increasing rapidly, growing together with, and at the same speed as, the huge information explosion that the internet and multimedia are bringing to our society. New hardware and powerful software have made it possible for consumers worldwide to create, manipulate, share, and enjoy multimedia data. E-mail and the internet in general have offered new delivery channels to exchange multimedia information. This increasing interest has coincided with significant advances in multimedia technologies, coding and communication. The major difficulties in allowing much broader access to multimedia, and in the establishment and deployment of multimedia services, no longer lie with bandwidth-related issues, but with assuring that the multimedia content is used for its intended purpose by its intended recipients. The core issue is now the development of secure strategies for the management and delivery of multimedia content. Among the techniques that are necessary today to allow more security in our digital society, a pre-eminent position is certainly occupied by certified e-mail, time stamping and watermarking services. Certified e-mail is a service that enables the delivery of secure, encrypted and digitally signed documents or private email; digital time stamping is a service that certifies the date a document was created or last modified; watermarking involves hiding data into a digital object to protect its value.

The proposed research
It is therefore necessary from the European perspective to achieve excellence and to lead the research, presenting secure solutions in the following areas:

Certified E-mail
Emails are considered “secure” when the following goals are achieved for each delivery:
- Privacy: Only the sender and the intended recipient are able to read the message


- Authentication: All parties' identities have been electronically verified
- Integrity: Message contents have not been altered in transit
- Non-Repudiation: The sender cannot deny sending the email message, the recipient cannot deny receiving the message, and the sender cannot falsely claim the recipient received an email.
In order to accomplish these requirements, the following must occur:
- Encryption Keys and Private Keys must be secure
- Only standard cryptographic algorithms must be used
- Message contents must be verifiably unaltered
- Senders must sign all messages
- All messages must be externally time-stamped
- Email messages must be encrypted from sender to recipient
- The opening of the message by the receiver must be certified
- Receipts must be signed by the recipient

Time Stamping of Digital Documents
There is often the need to certify the date a document was created or last modified. For example, when considering patents it is sometimes crucial to verify the date an inventor first formalized a patentable idea, in order to establish its precedence over competing claims, or, when considering resources, in a situation in which the resources are allocated on the basis of “first come, first served”, it is important to be able to verify the order in which the requests have been received. What is needed is a method of time-stamping digital documents with the following two properties. First, one must find a way to time-stamp the data itself, without any reliance on the characteristics of the medium on which the data appears, so that it is impossible to change even one bit of the document without the change being apparent. Second, it should be impossible to stamp a document with a time and date different from the actual one.

Watermarking
The copyright problems posed by the increasingly easy access to digital multimedia have not yet received an effective response by the scientific community. 
Digital watermarking is considered a possible solution because it seems to meet the requirements that are desirable: invisibility, unchanged compressibility, high detection reliability, low cost and, hopefully, robustness and security. A digital watermark is an identification code that is permanently embedded in the data and that should remain present within the data after any standard manipulation of the data itself (i.e. compression, scaling, etc.). Digital watermarking involves hiding data into a digital object to protect its value. The real problem is that the security and robustness requirements depend on the application domain and there is no “general” watermarking technique that is suitable to solve copyright issues in all the possible application domains. Applications of watermarking include copyright and content protection, integrity verification, metadata tagging (i.e. including hidden information in the digital data), secret communication.

Competence and Critical Mass


There is strong competence among European researchers in each of these areas. The instruments of FP6 can focus this competence and help to provide efficient solutions to these emerging needs. There is therefore a need to target the instruments provided by the Sixth Framework Programme, primarily the Network of Excellence, but also the Integrated Projects, at applied research on these subjects as well. The goal is to investigate and provide effective solutions in each of the subareas indicated above, via the integration of competences coming from various European research institutions and the design and implementation of prototypes to demonstrate the proposed solutions. We estimated that this goal can be reached by funding a four-year period of targeted research by researchers from six European institutions. As a research institution that has a strong, long-standing tradition in the fields of security and information transmission, we are ready to participate and bring our contribution to the solution of these issues: the Sixth Framework Programme comes at the right moment to boost European leadership.
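The two time-stamping properties listed in the contribution above can be made concrete with a hash-linked stamp log. The following is an added example, not code from the contribution: it uses the well-known linking approach (each stamp commits to its predecessor), which the text itself does not prescribe, and the names StampLog, Stamp, first_inconsistency and backdate, as well as the sample documents and times, are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass

GENESIS = "0" * 64  # constructed placeholder link that precedes the first stamp


def digest(data: bytes) -> str:
    """SHA-256 of the document bytes; only this value is sent for stamping."""
    return hashlib.sha256(data).hexdigest()


def compute_link(seq: int, time: int, doc_hash: str, prev_link: str) -> str:
    """Bind a stamp's position, time and document hash to its predecessor."""
    return digest(f"{seq}|{time}|{doc_hash}|{prev_link}".encode())


@dataclass(frozen=True)
class Stamp:
    seq: int
    time: int        # seconds since the epoch, set by the stamping service
    doc_hash: str
    prev_link: str
    link: str


class StampLog:
    """Hypothetical stamping service keeping an append-only, hash-linked log."""

    def __init__(self):
        self.stamps = []

    def stamp(self, doc_hash: str, now: int) -> Stamp:
        prev = self.stamps[-1] if self.stamps else None
        if prev is not None and now < prev.time:
            raise ValueError("time earlier than the previous stamp")
        seq = len(self.stamps)
        prev_link = prev.link if prev else GENESIS
        s = Stamp(seq, now, doc_hash, prev_link,
                  compute_link(seq, now, doc_hash, prev_link))
        self.stamps.append(s)
        return s


def verify_document(document: bytes, stamp: Stamp) -> bool:
    """Property 1: the stamp covers the data itself, so any changed bit fails."""
    return (digest(document) == stamp.doc_hash and
            stamp.link == compute_link(stamp.seq, stamp.time,
                                       stamp.doc_hash, stamp.prev_link))


def first_inconsistency(stamps) -> int:
    """Property 2: index of the first stamp that breaks the chain (wrong
    position, wrong predecessor, altered fields, or time going backwards),
    or -1 if the whole log is consistent."""
    prev_link, prev_time = GENESIS, None
    for i, s in enumerate(stamps):
        if s.seq != i or s.prev_link != prev_link:
            return i
        if s.link != compute_link(s.seq, s.time, s.doc_hash, s.prev_link):
            return i
        if prev_time is not None and s.time < prev_time:
            return i
        prev_link, prev_time = s.link, s.time
    return -1


def backdate(stamps, index: int, new_time: int):
    """Model a dishonest rewrite: change one stamp's time and recompute its
    own link, leaving later stamps (already held by their owners) as issued."""
    forged = list(stamps)
    old = forged[index]
    forged[index] = Stamp(old.seq, new_time, old.doc_hash, old.prev_link,
                          compute_link(old.seq, new_time,
                                       old.doc_hash, old.prev_link))
    return forged


if __name__ == "__main__":
    # Constructed sample documents and times.
    docs = [b"patent disclosure, draft 1", b"resource request from A",
            b"resource request from B"]
    log = StampLog()
    issued = [log.stamp(digest(d), t) for d, t in zip(docs, (1000, 1060, 1120))]
    print("log consistent:", first_inconsistency(log.stamps) == -1)
    print("document 0 verifies:", verify_document(docs[0], issued[0]))
    print("back-dating stamp 1 detected at index:",
          first_inconsistency(backdate(log.stamps, 1, 1010)))
```

Back-dating is only detectable here because later stamps, which embed the earlier link, are held by parties other than the stamping service; a deployed service would additionally sign each stamp.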

8) David W. Chadwick University of Salford

Trust and Security Workshop

Description, need and relevance of the proposed research and activities
The information security management standard ISO/IEC 17799, and the ISMS (information security management system) specification contained in BS 7799 Part 2 form a good basis for managing information security within an organisation, covering as they do, confidentiality, integrity and availability of information. Accreditation mechanisms also exist (for example, the one in the UK has been running for more than two years). But currently only about 100 organisations worldwide have been certified to BS 7799-2. This is not surprising, as the process to gain accreditation can be difficult and time-consuming, requiring expertise in many areas. Furthermore, once certification has been achieved, maintaining information security requires continual monitoring, evaluation and action. It is a never-ending process that can be viewed as being beyond the capabilities of most SMEs. Few software tools are available to help organisations reach, in a cost-effective manner, the levels of information security management made possible by following the best practice and guidelines in ISO/IEC 17799. Finally, organisations, especially SMEs, don’t always appreciate the business benefits of managing information security as described in ISO/IEC 17799, and therefore misjudge the expenses made to achieve information security as pure costs, instead of seeing them as investments in a more secure and reliable way of conducting business. What is needed is a user-friendly software system that leads the managers of an organisation, in a cost-effective manner appropriate to their business needs, through the process of initiating a secure environment for the storage, retrieval and processing of their information. 
Such an information security management system, once installed and operational, would control access to the organisation’s information according to the policy decided by the management during initiation, would help management to maintain the secure environment for information on a daily basis, would avoid potential security incidents before they occur, would log


security incidents if they did occur and notify management and external organisations such as CERTs of such, and finally would continue or restore normal operations if significant incidents did occur. Such a system would link together, coordinate and control all the disparate information security piecemeal products that exist today in the marketplace, such as firewalls, virus protection software, intrusion detection systems, audit trails, and authentication and authorisation processes. This control would be according to the security policy (and all its associated subordinate policies) devised by the organisation as a result of the risk assessment exercise that the managers undertook during system initiation. In short, the system would be an automated information security management system conforming to BS 7799-2 that would bring BS 7799-2 certification within easy reach of SMEs. Importantly, the interface to the whole system would be written from a business perspective, rather than a security perspective, so that the managers can clearly understand in business terms what protection the system is providing them with, what that information protection costs, and what the likely business implications would be if the suggested security controls are not implemented. Such a system should have a clear monetary value to an organisation in several ways. Firstly, it should be less expensive for an organisation to manage their information security with this software system than without it. Secondly, with the system in place, certification to BS 7799-2 should be much cheaper to obtain, and once certified the organisation becomes more dependable and more competitive in the marketplace. Thirdly, there should be a significant reduction in insurance premiums for financial cover against IT perils once the system is in place.

Scale and ambition of the proposed work, with views on the critical mass to be achieved
The scale of the proposed project is huge. It requires a multidisciplinary team with expertise in financial modelling, risk analysis, HCI, information security management, communications protocols, psychology etc in order to produce the information security management system. It requires participation or support from vendors of the various security products available today to be willing to integrate their products into the information security management system through the use of standard interfaces and protocols, or as a minimum for vendors to publish their proprietary interfaces in order to allow standard interfaces to be mapped into theirs. Security policy languages and grammars will need to be standardised to allow the high-level security policy and its various sub policies to be formulated by the IS management system, and then passed off to the various components in order to control them. Roles, in the form of attribute certificates, will need to be allocated to employees in accordance with the security policy, and role based access controls will need to be used to control access to the various information sources managed by the system. Education and training software will need to be linked into the system to ensure that all employees are conversant with the information security policy of the organisation. Asset and incident databases will need to be integrated into the system, as well as secure audit trails. Standby or other secondary systems will need to be linked in, ready to be activated if a failure occurs, whilst the management system itself will need to be resilient to attack, component failure and natural disaster. 
Looking further ahead (beyond the envisaged scope of the current IP) one could imagine that, given appropriate legislation, the management system could even perform background checks on new employees with sensitive roles, to ensure that no criminal record exists. It could ensure that wireless enabled intelligent filing cabinets


were locked between the hours of 5pm to 9pm, and that physical access to buildings was enforced according to the security policy. It might even be able to monitor clear desk and clear screen policies for example.

Extent of integration and/or structuring impact
Defining standard interfaces and communications protocols between the various system components will allow the various piecemeal products of today to be integrated into this holistic information security management system. The plug and play aspect of the various security components (firewalls, virus checkers, IDSs etc.) will increase the competition between the suppliers, thereby driving down the prices to the consumer. Organisations will then be able to manage their information systems as a whole, rather than as separate parts, and the cost should be less than today whilst providing more comprehensive security. Once organisations have such comprehensive information security management systems in place, and are certified as compliant to BS 7799-2, a natural consequence of this is that trust between organisations will grow, thereby easing the formation of virtual organisation and joint project partnerships etc., since companies will be more willing to share information with each other knowing that the other is certified secure in the way it handles information.

David W. Chadwick, BSc PhD, Professor of Information Systems Security, IS Institute, University of Salford, Salford M5 4WT, Tel: +44 161 295 5351, Fax: +44 161 745 8169, Mobile: +44 77 96 44 7184, Email: [email protected]

9) Berndt Cloos Cloos Consulting

Berndt Cloos (- Eder), Am Fratzenstein 3, 63571 Gelnhausen, Germany, Tel.: +49 6051 16977, Fax: +49 6051 470277, e-Mail: [email protected], INTERNET: http://B.Cloos.bei.t-online.de

May 13th 2002

Discussion paper on: Trust and Security

Security is one of the basic needs of human beings. The intrinsic elementary trust, a gift of nature, can be lost with one single bad experience and is difficult to regain. Nevertheless, some trust is necessary as a basis for a human society that satisfies security needs and allows peaceful cohabitation. However, as a saying states:


„Trust is a good thing, but control is even better“. The fact is that criminal activities using computers, communication devices and networks are increasing continuously from year to year.

More demand for security will lead to requirements for new IST solutions
Information Society Technologies (IST) contribute to meeting major societal needs including safety and security. They will also play a role in achieving other policy goals of pan-European interest such as environmental goals. A major policy preoccupation is social inclusion, both for the mobility and the information society. Safety is also a major priority in the policy network. There are some major motivators for research and development in this area. Personal, physical security in the living and working environment of European citizens needs to be protected or improved by using sensor, computer and communication technologies. This area would include protection of property, access control and privacy. On the other hand, there is the development of the technological infrastructure where computer and communications technologies are available anywhere, anytime, through any device. European citizens will expect seamless access to, and interaction with, services anywhere and at any time with assured information quality, security and privacy. This requirement for information security has a potential direct impact on protection of property and even personal, physical security. As an example, one can consider e-Banking and e-Commerce, which could ruin a livelihood and push one into „social security“.


Research into IST needs to address these issues and look at how to pull together these conflicting requirements for the provision of new services, the efficient use of the IST infrastructure and the ambient intelligent environment, while at the same time granting security and privacy.

Integrated Security Systems
Integrated Security Systems use information society technologies and intelligent sensor systems in the ambient intelligent environment and the infrastructure for improving the security and privacy of the citizens. This is an integrated and global approach to security, where the involvement of, and interaction between, the citizen and the ambient intelligent environment are addressed together. The focus of the research in Integrated Security Systems will be on Personal Active Assistance Systems for protection and control. This will require seamless service access whilst respecting security including privacy. Major players include all IST industry: system integrators, telecom operators, application developers, security services providers, regional organisations research and user associations. Priority should be given to the inclusion of the „citizens“ through user associations, since the trust of the latter in an integrated security system is of highest importance. Finally, such Integrated Security Systems should be subject to certification in order to increase the citizens' trust in the system, and hence involve European regulatory authorities. Rapid progress in supporting security and privacy is needed for broad adoption of e-security solutions.
- End -

10) Rutger Coolen TNO Physics & Electronics Lab

Security and Privacy issues in the Next Generation Internet
Rutger Coolen, Henk Jan Vink, E-mail: [email protected], [email protected], TNO Physics and Electronics Laboratory, PO Box 96864, 2509 JG, The Hague, The Netherlands

Introduction
In this paper some of the main security and privacy issues towards the next generation Internet are highlighted as well as some promising solution areas. Firstly the problems are analysed from the technological perspective. Secondly a view is given on the perspective of users in the European information Society.

Technological viewpoint: “Critical mobile infrastructure improvement”
The network infrastructure is expected to grow rapidly, with increasing bandwidth and more and more different technologies being used. In particular the wireless part of the network, including technologies such as UMTS, Wireless LAN,


and Bluetooth, will change the infrastructure significantly by increasing the number of users and devices connected to the network and the type of services offered. Furthermore, the future will bring users who will be able to connect to different (wireless) networks in an ad hoc and transparent manner with different devices. This results in three different concepts of mobility: (1) mobility of users, (2) mobility of devices, and (3) mobility of software (agents). It is essential to understand the potential weaknesses and vulnerabilities in the critical mobile infrastructure, which is characterised by the keywords: large, distributed, heterogeneous, ad hoc, and mobile. This understanding can be achieved both by modelling and analysing (properties of) the network and via a theoretical and practical vulnerability analysis of the new technologies and interdependencies. More important, however, is to work towards the currently unavailable generic (network and application independent) security mechanisms. These can be topics of integrated projects (IP) possibly combined with networks of excellence (NoE) on critical (mobile) infrastructure. An important role can also be fulfilled by offering users transparency of the quality of networks, services, and security offered by different Internet service and application providers. This will help users to compare different providers and products and can hence provide a market mechanism to improve performance and security of networks. Furthermore, this will also give (national) governments relevant input for their policies on telecommunication and security. Therefore, this is an important area for integrated projects and other research and development, with the objectives to (1) define, standardise and implement metrics for quality of performance, integrity, and confidentiality, and (2) increase the research, development, and usage of measurement tools, such as Intrusion Detection Systems (IDS). 
User and information society viewpoint: “Privacy and security issue”
An essential element of the information society is the collection, processing and distribution of information on a large scale. Users are ‘always on-line’ and numerous new information services and products are developed, enabling new ways of doing business and of communication within our society. As a result the amount of personal and business information available and used on-line is increasing and will keep increasing in the coming years. More and more of the on-line products and services are not restricted to a physical location and even offer location-based added value. ‘Wireless communications’, ‘Location-based services’ and ‘ambient intelligence’ are the keywords for the future. For citizens there is a growing information privacy threat and for business users there is a comparable threat to sensitive business data. Privacy Enhancing Technologies (PET) are a promising solution to be researched and implemented to reduce the privacy (-related) problems. Unfortunately, market drivers for Privacy Enhancing Technologies are still insufficient and community support is therefore at this point still essential. Both integrated projects and one or more NoE should be started to stimulate Privacy Enhancing Technology research as well as development. Privacy Enhancing Technologies should be an integral part of the information society infrastructure. Both content and intelligent analysis (data mining) of this


content is increasing in the network. These processes need to be analysed for privacy vulnerabilities, and generic solutions for privacy incorporation and disclosure control are to be developed. A particular objective should be to have measures compliant with EU directives. Related to privacy measures are issues around trust, authentication, and identity management. Security and privacy solutions should be easy to use for end-users, preferably transparent, or offered as a managed service. Another possibility is to work towards preventive, reactive and corrective measures at the backbone and provider level. Closely related to security and privacy is the issue of computer crime. There are a couple of important issues in this area to be solved, including efficient international co-operation and harmonised legal systems, but also the more technical R&D issues in the area of digital forensics, law-enforcement access to data, and tracing of Internet delinquents. An important challenge is to develop the required tools for law enforcement, while preserving the privacy of the citizens. Of course FP6 instruments can only be beneficial to a small part of computer crime issues. For governments another (non-technical) issue is the potential for discrepancy between policies, directives and instruments on the one hand, and the fast technological development and growth of the information society on the other hand. This includes embedding of protection and evaluation mechanisms to facilitate ‘trust’ in the information society. A related problem is a lack of commercial drivers and potential for the research and development of security and privacy protection, which is one of the motivations for security and privacy projects in FP6.

11) Albert P. Deistler City of Cologne

Workshop on Trust and Security Written Contribution by Albert P. Deistler, City of Cologne After the events of September 11th 2001 the security demands of citizens and business have increased dramatically. Governments have reacted quickly and established security plans which are now being implemented. These plans not only concern safety of buildings and people, but also protection of the vast range of information held by municipalities and other organisations on their clients. These issues are hot topics for all public administrations. Access to personal data, recognition systems at public events, monitoring of public and private places are all measures that have been introduced to enhance the safety of citizens. The majority of these initiatives are driven by ICT based systems. There are many issues for discussion, and these vary right across Europe. In the United Kingdom for example the introduction of identity cards, which has been commonplace in mainland Europe for some years, is viewed by some as a threat. There is a crucial balance which has to be struck between the needs of public and other bodies and the privacy to which ordinary people are entitled. Another great issue is the use of monitoring systems to control public behaviour, which some see


as a threat to personal liberty. There is a raft of possible future projects relating to the use of information technology and the enhancement of security such as: data protection, internet protocols, payment and tax systems, biometrics to name but a few. The European network of cities TELECITIES has established a work group on e-security which is chaired jointly by the London Borough of Lewisham and the City of Cologne. The main objectives will be to address first the broad issues touched on above that impinge on the security of the citizen. Then we will look in more detail at various aspects of security initiatives driven by ICT and in particular:
- To classify security measures taken across Europe and beyond at national and local level.
- To analyse these plans and the impact they have on the delivery of municipal services.
- To analyse the impact of these plans on our citizens, and that includes SMEs and other businesses.
- To analyse the impact of these measures on cross border and partnership working.
- To seek to identify good practice in this area and make recommendations for European governance.
- To establish a community of interest in this field and identify issues to be researched in the 6FP of the EU Commission
- To co-operate with the range of other interested organisations and networks that are already carrying out work in this area, and most particularly the Urban Safety Group of the EUROCITIES network
We will draw major conclusions and recommendations from this working group which will focus on:
- Ensuring the security of all citizens
- Ensuring the security of all businesses
- Ensuring the security of public and known buildings and knowing how to build plans for their protection
- Ensuring sound back up systems for electronic information services
- Ensuring that systems are in place to enable complete integrity and confidentiality when dealing with sensitive data.
- Ensuring complete transparency in all administrative processes
We will co-operate with the BEEP project (Best eEurope Practices) as a resource for good practices and will integrate our own good examples into their database.

12) Theo Dimitrakos ISE group

Trust and Contract Management for Large Virtual Organisations - Policies, Control Mechanisms and Protocols


The convergence of communications and information technologies into a massively networked infrastructure for electronic content and services has created an environment where the on-demand creation of Virtual Organisations sharing knowledge and resources in order to achieve common goals is becoming commonplace. We are already experiencing virtual organisations in experimental form. In this scenery, the Grid paradigm is presented as a technology able to offer interesting solutions for large dynamic virtual organisations.

Grid technologies define a new powerful computing paradigm by analogy to the electric Power Grid. Grid architectures were originally developed in a scientific environment aiming at achieving, through sharing of computing resources connected via broadband network, a technological platform able to offer a calculation capability, otherwise not realisable on a single computer. Initially born to niche sectors, the Grid architectural solutions have already shown basic qualities of scalability and adaptability and they are becoming mature enough to face commercialisation. We foresee overstepping the Web, by exploiting the emerging Web services protocols and results obtained by studies on Grid architectures, in order to create the next generation Internet, where the principle of sharing and collaborating is expanded to any data/computation/information resources and knowledge accessible and manageable through the Grid.

Security management is a major obstacle to overcome in the route of commercialising Grid infrastructures. Until now, there is little support for authorisation management, for the specification, interchange and enforcement of managed subsystems with no centrally controlled enforcement of its policies, there is no guarantee that policies will be followed as they are prescribed: members may fail to, or choose not to, comply with the rules and policies. Consequently, there is a need to develop normative control mechanisms for the discretional security policies, for the treatment of cases where the (agents managing the) collaborating resources have no prior knowledge of each other (or their certifying authorities), and for mechanisms and protocols for monitoring contractual performance.

Main Objectives

The main objectives of this Integrated Project are to develop conceptual and software tools (integrated methodologies, open architectures, protocols and middleware) that provide effective security and trust management solutions that support the on-demand formation and management of Large Virtual Organisation that share resources in order to meet a common goal.

Technological objectives & Rationale

The project will build on top of a fusion of Web Services technologies and Grid architectures (similar in spirit to the Open Grid Services Architecture) by providing effective mechanisms supporting
- resource brokerage services that comply with a contractual realisation of QoS requirements
- publishing, negotiation and exchanging policy statements in a format usable by all stakeholders while being amenable to automated analysis and reasoning.
- incorporating appropriate trust support services such as networks of trust authorities, and an infrastructure allowing for the dynamic formation of certification chains
- a trust management framework able to draw a distinction between perceived and actual security, relate trust to enterprise objectives and weigh it against transaction risk


- an autonomous policy-driven security management system, which is able to support the on-demand formation of collectives of entities sharing resources to achieve certain goals.
- contract performance monitoring, assessing service provision in relation to compliance with VO policies and individual member agreements. Depending on the preferred architecture non-compliance may need to be detected as it occurs or through one member initiating complaint proceedings against other members.
- economical, social and legal models aiming at the creation of incentives for the members to participate in a collaboration and follow its policies is needed. The sanctioning mechanisms for policy non-compliance shall be incorporated in such framework.

Target User Groups & Applications

We intend to demonstrate the applicability of the approach by means of testbeds in the following application areas, either by developing a purpose-built demonstrator or by adapting already existing test-beds.
- eLaboratory: Providing secure and effective access mechanism to the public data of large-scale scientific experiments and allow for "virtual experiments" to take place through simulation and enhanced reality tools.
- eHospital: Sharing medical information and resources among different hospitals throughout Europe and supporting the on-demand formation of medical groups for telediagnosis and teleconsultation.
- eIndustry: The ASPs (Application Service Providers) represent a segment of the outsourcing market which is developing in the latest years, realising a new business model, based on the possibility of accessing, by means of the Network, to applications whose management is executed by the ASP itself. The presence of an effective security and contract management infrastructure will allow the realisation of many-to-many and federal ASP business models on Grid environments.
- eLearning: A European Learning Grid Infrastructure can overcome the difficulty in adopting new advanced learning methodologies such as experience-based approaches (e.g. learning by doing), which are strongly interactive and are typically based on a rich mix of multimedia (visualisation, simulation, enhanced reality, etc.). Developing enabling trust and contract management solutions is a prerequisite to its successful take-up.

Thematic Relevance

The emerging global economy necessitates the on-demand creation of Large Virtual Organisations at a European level while the legal and regulatory background, as well as the quality of the network and computing infrastructure, may differ between the European Union states and the EU and NAS countries. We believe that the combination of a need for converging strategic research at a European level, coupled with mechanisms for rapid deployment and realisation of research outputs, makes the exploration of effective security and trust management solutions for Grid architectures an appropriate theme for an Integrated Project under the IST FP6 programme.

We are currently building up a consortium that aims to combine research excellence with strong end-user participation in the areas of e-business and e-government, security service providers, Grid platform providers, and network technology providers. In recognition of the fact that effective solutions to complex information society problems require an interdisciplinary approach we aim to combine expertise in information security, network management, Grid architectures, contract management and legal modelling in order to deliver innovative solutions for large dynamic Virtual Organisations based on a fusion of Web Services and Grid technology.

The core research and development programme addresses the following research priorities:
- “1.2.1 Applied IST research addressing major societal and economic challenges” including “Technologies for trust and security” and “Complex problem solving in science, engineering, businesses and for society”;
- “1.2.2 Communication, computing and software technologies” including “control of complex distributed systems” and “multifunctional service creation environments”;

Through the test-beds and field trials, we expect to also contribute to the following research priorities
- Research addressing work and business challenges (especially in e-Business, e-Government and eLearning)
- Research addressing societal challenges (especially in the area of e-health and telemedicine).

Links to other projects

We actively pursue establishing close links with on-going FP5 projects as well as other complementary FP6 Integrated Projects and suitable Networks of Excellence. For example we have already established links with the two recently approved FP5 Thematic Networks (“iTrust – Trust Management in Dynamic Open Systems” http://www.bitd.clrc.ac.uk/Activity/iTRUST and “Learning Grid of Excellence – Working Group” http://www.bitd.clrc.ac.uk/Activity/LeGE-WG), which we expect to evolve into Networks of Excellence within FP6.

For more information contact:
DR THEO DIMITRAKOS
ISE group, Business and IT Department, Central Laboratory of the Research Councils, Rutherford Appleton Laboratory, Oxfordshire, OX11 0QX, UK
e-mail: [email protected]
phone: +44 1235 446387
mobile: +44 7786 987167
WWW http://www.bitd.clrc.ac.uk/Person/T.Dimitrakos

13) Josep Domingo-Ferrer

Universitat Rovira i Virgili

Proposals for Research in Trust and Security


Issues (Trust & Security Workshop)
Josep Domingo-Ferrer
Universitat Rovira i Virgili
Dept. of Computer Engineering and Mathematics
Av. Països Catalans 26
E-43007 Tarragona, Catalonia
[email protected]
Brussels, May 30, 2002

1 Micropayments in Multicast Environments

In pay-per-view TV, customers buy a certain TV program in advance and later they receive it. The deployment of high speed network technology allows the Internet to be used to deliver multimedia content in real time (audio and video streaming). This paves the way for pay-per-view technology to be applied to sell streamed content. The communication model for this context is multicast, in which a sender transmits data to several receivers (cable TV is a typical multicast scenario).

Advance content payment poses a problem, as very often the user does not know beforehand whether she will watch the whole contents she has paid for. But once payment has been made, there is no opportunity for her to be refunded for non-viewed minutes. The above shortcoming can be solved by using micropayment technology. Rather than paying in advance to buy the whole TV program or movie, the user makes small payments (micropayments) as the content is being received (for instance, every minute or every few kbytes). In this way, in case she does not watch the whole program, she will only have paid for the viewed minutes/kbytes.

Research in micropayments has resulted in several solutions for the case of unicast communications (there is only one receiver), but no mechanism exists for a content provider to securely and efficiently collect micropayments in a multicast scenario.
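An added illustration, not part of the original contribution: a hash-chain micropayment scheme in the style of PayWord, one of the known unicast approaches, applied to per-minute payment for a stream. All function and class names are assumptions, the signature that would bind the commitment to the user is omitted, and the multicast collection problem raised above is not addressed by it.

```python
import hashlib
import hmac
import os


def h(x: bytes) -> bytes:
    """One-way function that links consecutive payment tokens."""
    return hashlib.sha256(x).digest()


def make_chain(units: int, seed: bytes = None) -> list:
    """User side: build [w_0, ..., w_units] with w_i = H(w_{i+1}).

    w_0 is the commitment given to the provider before streaming starts
    (assumed to arrive authenticated, e.g. signed; not modelled here).
    w_1 ... w_units are the tokens, each worth one minute of content.
    """
    w = seed if seed is not None else os.urandom(32)
    chain = [w]
    for _ in range(units):
        w = h(w)
        chain.append(w)
    chain.reverse()
    return chain


class Provider:
    """Content provider: accepts one token per delivered minute."""

    def __init__(self, commitment: bytes, max_units: int):
        self.last = commitment      # last value known to be valid
        self.paid = 0               # minutes paid for so far
        self.max_units = max_units

    def accept(self, token: bytes) -> bool:
        # A valid next token hashes to the previously accepted value.
        # Replayed or skipped tokens fail this single check.
        if self.paid >= self.max_units:
            return False
        if not hmac.compare_digest(h(token), self.last):
            return False
        self.last = token
        self.paid += 1
        return True


def verify_claim(commitment: bytes, token: bytes, count: int) -> bool:
    """Broker side: a claim for `count` minutes is valid only if hashing
    the presented token `count` times yields the original commitment."""
    x = token
    for _ in range(count):
        x = h(x)
    return hmac.compare_digest(x, commitment)


def stream_session(program_minutes: int, minutes_watched: int, seed: bytes = None):
    """Simulate a viewer who stops after `minutes_watched` minutes."""
    chain = make_chain(program_minutes, seed)
    provider = Provider(chain[0], program_minutes)
    for minute in range(1, minutes_watched + 1):
        if not provider.accept(chain[minute]):
            break
    return chain, provider


if __name__ == "__main__":
    # Constructed scenario: a 90-minute program abandoned after 37 minutes.
    chain, provider = stream_session(90, 37)
    print("minutes paid:", provider.paid)
    print("claim valid:", verify_claim(chain[0], provider.last, provider.paid))
```

The provider stores only the last accepted token and a counter, and can later redeem all minutes with that single pair.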

2 Copyright Protection

One of the properties of digital data is that they can be easily copied without any quality degradation. This is a serious threat to multimedia e-commerce profitability and to the intellectual property of digitally delivered content. For successful and widespread content distribution to take place over the Internet, content producers need some guarantee that their content will not be illegally copied.

2.1 Watermarking issues

Nowadays, the most promising approach to copyright protection is copy detection. In copy detection, a mark (called "watermark") is embedded in the content before delivery. In case an unlawfully redistributed copy of a content is found, the watermark can be recovered and be used to prove ownership of the content. Watermarking schemes must be robust in the sense that the mark has to be very difficult to remove. Current proposals are only robust against some of the possible attacks. Research must be done to find new schemes surviving a broader range of attacks.

2.2 Fingerprinting issues

Watermarks can also be used as "fingerprints". In this case, the embedded mark is a serial number which identifies the buyer who acquired the content. In this way, later recovery of this serial number from an unlawfully distributed copy allows the dishonest buyer who started redistribution to be identified. Fingerprinting schemes are subject to collusion attacks. These consist of several users who compare their copies in search of small differences that allow them to (partially) locate and remove the marks. Current collusion-secure fingerprinting proposals require marks that are too long for practical usage. Research is needed on alternative coding methods which stay robust against collusions while using shorter marks.

Anonymous fingerprinting is another open problem. Practical fingerprinting schemes must be devised and implemented whereby the content provider can protect contents without requiring the buyer to reveal her identity; otherwise, copyright-protected anonymous multimedia e-commerce is impossible. Existing proposals for anonymous fingerprinting are too complex to be used. So this is still an open problem.
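An added illustration, not part of the original contribution: a design check that tells a content provider whether buyers comparing their copies could assemble a mark pointing at a buyer outside their group, under the usual modelling assumption that colluders can only alter mark positions where their copies differ. It contrasts plain binary serial numbers with a one-position-per-buyer code, which resists this but needs a mark as long as the number of buyers; both codes and all names are constructed for the example.

```python
from itertools import combinations


def undetectable_positions(coalition):
    """Mark positions where every copy held by the coalition agrees.

    Comparing copies reveals nothing about these positions, so the
    colluders cannot locate (and therefore cannot change) them.
    """
    length = len(coalition[0])
    return [i for i in range(length) if len({w[i] for w in coalition}) == 1]


def feasible(word, coalition):
    """True if the coalition could produce `word`: it must match their
    copies on every position they cannot detect."""
    return all(word[i] == coalition[0][i] for i in undetectable_positions(coalition))


def framing_cases(code, c):
    """List (coalition, framed_buyer) pairs for coalitions of size <= c.

    `code` maps buyer id -> mark string. An empty result means no group
    of up to c buyers can output the mark of an innocent buyer.
    """
    cases = []
    buyers = sorted(code)
    for size in range(1, c + 1):
        for group in combinations(buyers, size):
            words = [code[b] for b in group]
            for other in buyers:
                if other not in group and feasible(code[other], words):
                    cases.append((group, other))
    return cases


def serial_code(n):
    """Shortest possible marks: the buyer's serial number in binary."""
    width = max(1, (n - 1).bit_length())
    return {b: format(b, "0{}b".format(width)) for b in range(n)}


def unit_code(n):
    """One mark position per buyer: buyer b has a 1 only at position b."""
    return {b: "".join("1" if i == b else "0" for i in range(n)) for b in range(n)}


if __name__ == "__main__":
    print("serial numbers, 4 buyers, pairs:", framing_cases(serial_code(4), 2))
    print("unit code, 4 buyers, triples:   ", framing_cases(unit_code(4), 3))
    print("mark length for 1024 buyers:",
          len(serial_code(1024)[0]), "vs", len(unit_code(1024)[0]))
```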

14) Alain Durand

Thomson Multimedia

FP6 TECHNOLOGIES FOR TRUST AND SECURITY
Expression of Interest
Integrated Project “Audio/Video content protection along the digital chain”

Need and relevance

The audio/video content creation-to-consumption value chain is progressively evolving towards digital. All along this chain, be it in production studios, during delivery, in consumers’ homes or in movie theaters, key challenges exist for protecting digital content against piracy. Today, the lack of trusted solutions for securely handling content and enforcing the rights associated with content is delaying the implementation of an “all digital” world.

The convergence of computer, satellite or cable telecommunications, and television broadcast technologies has created new opportunities and the need for a universal approach to protecting Audio/Video content during its lifetime, including for creation, processing, storage, editing, archiving, management, delivery, and consumption. In the next decade the before mentioned technologies will become standard practice in the complete production chain, starting at the front end, where the content is captured. This trend opens the possibility to take, but at the same time asks for, the right measures at the front to secure the content and enforce the rights associated with it.

Simultaneously, the challenge for the future of the electronic content distribution and consumption should integrate the following evolutions:
- the digital wireless camera market is becoming a reality, with the risks implied by the sharing of bandwidth by different broadcasters
- the digital TV broadcasting is moving towards an interactive video networking
- live television productions over the public net will soon become possible
- video entertainment is not anymore TV centric only, but should address various Audio/Video-capable devices requesting adapted content quality as well as secure and rights-respectful access to the services
- all digital devices can potentially be linked together, creating digital home networks
- new forms of recording and storage, such as Personal Video Recorders, make the protection issue even more critical.

Regarding cinema, displays represent a very sensitive part in terms of security at the end of the video channel, as they feature the borderline between digital world and analog world. More and more content providers are complaining of movie hackers, shooting with camcorders at new feature films inside movie theaters and distributing them either over the Internet or thanks to illegal DVD distribution networks.

Answering the content security issues generated by new technologies and usages is what the proposed cooperative research action is aiming at, through the creation of an Integrated Project gathering key European players. Indeed, the abovementioned convergence requires cooperation all along the digital chain, not only between suppliers and clients, but also between competitors. Standards for digital Audio/Video technologies already exist at a European level, and others are under development, notably within the Digital Video Broadcasting group.
It is therefore compulsory for European professionals in the audio/video chain to jointly mobilize resources to develop technologies for protecting content and therefore speeding up the transition to a digital world. Indeed, the lack of industries-wide agreed upon solutions for securely transmitting and storing digital content is delaying the ubiquitous use and benefit of digital content, as content owners and distributors fear their assets will be pirated if they are not securely handled.

Scale of ambition and critical mass

Some technologies currently exist for protecting digital assets, but none of them is today concomitantly satisfactory to the content, distribution or the consumer electronics industry. Consequently, piracy risks are also preventing the creation and implementation of new business models taking advantage of all the possibilities of digital technologies. This is detrimental not only to professionals (content providers are not encouraged to produce digital content / content distributors cannot create new digital distribution models / consumer electronics manufacturers are limited in their development and marketing of new digital devices), but also to consumers who can benefit neither from new, high-value digital content, nor from new ways of enjoying digital content, which would better fit with their changing and more mobile lives.

Discussion groups such as the CPTWG (Copy Protection Technical Working Group, a worldwide inter-industry committee that meets regularly with representatives from various consumer electronics, computer, and entertainment companies) have been tackling the issue for years, but have not been able to reach a consensus yet. The effort Europe is making, notably within the frame of the copyright directive, or through the work performed in the Digital Video Broadcasting - Copy Protection group, needs to be strengthened to ensure the European industries are leading the way for content security.

Such a leading position cannot be achieved if players remain on their own. It is indeed necessary to bring together the expertise, experience, manpower, and different views of key players in the field. This will ensure that all the important issues are dealt with, and that proposed solutions are challenged and evaluated by experts, suppliers and customers. Besides, a critical European mass is essential to being able to compete worldwide with good chances of success, so that no non-desired or non-well adapted technologies should be imposed upon European companies, professionals and society.

Research in content security has already started in the various elements of the digital content chain. For a start, it did make sense that each part was treated separately, therefore enabling professionals to focus on their own security needs and the possible solutions. However, all the parts of the chain are getting more and more integrated, and all the parties at stake (content industry, device manufacturers, technology providers, consumers…) would most benefit from seamless solutions instead of the current piecemeal technologies. A collection of partial solutions that were designed separately, and not necessarily with operability concerns in mind, not only is inconvenient for easy and reliable handling of content, but also bears security risks, and sometimes even holes, at each link.

The key objectives of the proposed Integrated Project are therefore:
- To define and develop complementary and interoperable technologies for protecting Audio/Video content all along the digital chain, starting right at the point of content capturing, until content consumption
- To speed up the European process of selection of measures and standards for copy protection technologies, in order to accelerate the deployment of digital products and an “all-digital” world, which will not be made possible without a copy protection solution
- To build a European professional community capable of conducting the necessary design and product/service development, once technologies have been agreed upon thanks to this very research action
- To transfer skills and knowledge between current and potential actors concerned with the development of solutions for handling and protecting content all along the digital chain, and stimulate the creation of high-level research and training partnerships in the field


- To study personal content copy scenarios compatible with the consumer market expectations and acceptable for the consumer, to specify next generation of digital devices, and notably content recorders

Integration

The proposed Integrated Project aims at finding and coordinating solutions and technologies to protect Audio/Video digital content all along the chain from its creation to its consumption. The chain can be divided in three main areas:
- Content development, including content production and post-production, film processing or packaged media production.
- Content distribution: content can take the form of a packaged media (e.g. a DVD) that will be distributed to consumers through retail channels, or of an electronic file that will be distributed through terrestrial broadcast, satellite, cable, or the Internet. This also concerns the distribution of digital movies to movie theaters, and distribution of content between the various professionals who play intermediary roles in the chain.
- Content access, which includes equipment to receive, store and display content at a consumer level, being also understood that digital devices are tomorrow meant to be interconnected within digital home networks.

In these three areas, content is at risk of being pirated. All along the chain, the integration activities shall consist in:
- identify all possible risks of content hacking
- specify requirements for content protection in cooperation with the various players on the chain
- evaluate potential solutions, including encryption and watermarking techniques, for the various applications, and develop state-of-art technologies
- design the architecture and evolution of systems and networks for securely handling content
- study the design of digital devices for professional and consumer use answering content protection requirements
- participate in simulations and/or platform constitution
- conduct tests in a prototype environment
- develop and protect Intellectual Property
- coordinate research carried out by the project partners
- transfer technologies and know how among partners
- participate in relevant standardization bodies, and promote the Integrated Project’s findings

These activities will be performed by a group of partners, each specialists in the various domains of expertise needed.

Durand Alain


15) John Elliott


System and Software Engineering Centre, UK

Integrated Project Theme
Assuring Dependability for Evolutionary Systems
John Elliott, Systems and Software Engineering Centre, QinetiQ, UK
Tel: 00 44 1684 895161; [email protected]

Need

The vision of an EC wide information (knowledge) society is largely founded on continuously evolving open, heterogeneous and distributed systems and infrastructures. These ICT based systems will use advancing software, communication, web and knowledge technologies, for example. The society is becoming increasingly dependent on such systems and assurance is a major issue, especially in e-commerce and e-working scenarios. Moreover, such systems are generally complex, large scale and highly distributed as well as evolutionary, and this adds to the challenges in achieving and measuring assurance.

As a result, there is a need for a new approach to assuring the trustworthiness of key functions, services or domains within continuously evolving ‘open’ systems. This assurance capability is limited at present and inadequate for the future challenges towards a more knowledge-oriented society. This challenge requires addressing system (or ‘system of systems’) dependability. Dependability is an important broad system-level concept addressing and combining different system properties (includes security and survivability).

Scope/Approach

This project idea is to re-focus on dependability assurance technologies to be adapted/developed to reflect the special needs of larger-scale, open-ended and evolving systems. Dependability assurance technologies will provide a novel and effective means for assessing the level of system integrity enabling trade-offs between different elements (e.g. safety, survivability, security) to be managed effectively. These elements have tended to be studied as separate properties in previous EC research programmes.
This IP will drive the ‘integration’ of such assurance perspectives to provide a wider dependability profile and assurance to utilise and harmonise techniques (e.g. from safety and security) using systems engineering approaches to address system evolution.

This IP will use previous/current EC Esprit and IST programmes, where relevant, to create and exploit a key ‘body of knowledge’ about dependability from which to re-visit, integrate, advance and apply new assurance systems and technologies. These technologies will provide methods and tools to support trust/confidence measurements for evolving systems. This IP will thus reuse previous programmes to help solve the bigger and more challenging system problems that arise in the information society.

Such an integrated theme will adopt challenging solutions to provide system dependability assurance during development and integration phases, and also more dynamically during run-time operations. Static dependability assurance will assess the impact of any system design change (adding and removing system components) before implementation, e.g. adding a new e-commerce facility or service. In comparison, dynamic dependability assurance may continuously use intelligent knowledge technologies to maintain assurances after implementation (in system operation) by watching for dependability patterns or conditions to emerge against policy considerations. Overall, combining static and dynamic approaches to achieving and measuring assurance are desirable, as this will allow for the uncertainties involved as large open systems are constantly changing.

The degree of system dependability assurance may be captured, measured and evaluated based on objective arguments (e.g. a dependability case) about achieving affordable system dependability. These arguments may be part generated through explanatory-oriented knowledge based models that provide evidence about those risk factors (and their impact) that influence the uncertainty about system integrity. These explanatory models may also be dynamic using knowledge technologies to constitute intelligent learning systems to help recognise and adapt to dependability patterns to predict and track different kinds of system vulnerabilities and weaknesses.

The scope of the IP programme will be significant and will address:
- System evolution modelling and policy controls
- Generic and context oriented dependability models and measurements
- Risk and uncertainty management and explanatory modelling
- Component/COTS based assessment methodologies
- Special issues with intelligent knowledge technologies
- Static (during development) and dynamic (during operation) assurance
- System (cases) argumentation and certification
- Verification and validation for system integration of open systems

The resultant IP’s dependability assurance technologies will be used/evaluated in different domains of interest; this may include many sectors such as commerce, defence, transport, healthcare, public/government, research and engineering. The IP will enable a profile of dependency technologies to be created to enable tailoring to any domain or sector concerns; for example, a security biased profile may be more relevant in commerce than in transport where safety may be the prime issue.
Furthermore, some areas such as air traffic control have safety (a source of direct harm) and security (a source of indirect harm) concerns; the dependability technology profile will need to reflect different policies, priorities and inter-relationships. The IP approach will be flexible and widely exploitable.

Relevance

This IP will be increasing confidence in the use of distributed, heterogeneous and open systems. Also, the IP will address the issues associated with the diversity of system components allowing for increasing intelligent knowledge technologies. Without improved assurance and certification technologies, there will be lower growth in future information society services owing to limited and inadequate confidence levels.

Scale/ambition/integration

The ultimate aim will be to use the dependability assurance technologies to provide some form of ‘trustworthiness’ regulation or certification consistent with support open system evolution. This is a significant ambition that will apply across different domains and sectors irrespective of system size and complexity. The benefit to the EC of this IP will be to provide a critical mass to facilitate an acceleration of applications (arising from increased confidence) to share information and knowledge across different member states for citizens and organisations. This will beneficially impact different EC policy areas.


The integration activities will be to address and combine these areas listed above.

16) E. Gattiker

Eicar

From:
Urs E. Gattiker, Professor (Aalborg University), Ph.D., Scientific Director and Board Member EICAR
Tlf direct +45 32 95 50 90, or +45 96 35 89 62 (direct); or cellular +45 222 111 40
Rainer Fahs, Chairman EICAR
NATO - NACMA, CIO - Senior Information Security Chief Engineer, Chairman of the ACCS LOC 1 Security Accreditation Board as well as Chairman of the ACCS LOC 1 Security Board, Bruxelles, Belgium

RE:
- Early Warning and Information Systems – Uniting Efforts from Universities, Business and Governments [http://security.weburb.net/frame/government/other/unitingefforts.pdf]
- Sixth Framework Programme (2002-2006) – Integrated Projects and Networks of Excellence [http://europa.eu.int/comm/research/fp6/networks-ip.html]
- Technologies for Trust and Security [ftp://ftp.cordis.lu/pub/ist/docs/fp6_invitation-letter-01.doc]
- Council of the European Union, Outcome of Proceedings (Dec. 6, 2001) – Network and Information Security – Council Resolution [http://Security.WebUrb.net/frame/government/other/Concil-Res-Dec01.pdf]
- Infrastructure Protection – Coordination – European Parliament (May 14, 2002) [http://security.WebUrb.net/frame/show/news/2630]

EICAR is a European non-profit association whose membership is composed of IT Security experts from academia, business and government. In support of the above efforts EICAR is interested in developing, implementing, and supporting the running of a Network of Excellence and the initiating of an Integrated Project. Both efforts are intended to create synergies with each other while, most importantly, supporting efforts in Security and Trust for the benefit of EU citizens.

There are more than 70,000 known computer viruses, and an estimated 10-25 new ones are discovered every day. Most fizzle out before they become Nimdas, Melissas and Love Bugs of cyberspace. Similarly, threats and hacking attacks have increased over the last few months making the protecting of critical infrastructure an issue for organizations, countries and their citizens. The crux of the matter is, however, to know how serious a threat each virus, vulnerability or hacking attack poses so it can be dealt with accordingly. This is addressed below.

Description, Need, and Relevance of the Proposed Research and Activities

To permit effective content checking at ISP and network nodes’ levels against malicious code, while balancing civil rights and liberties requires research efforts that help develop a Framework for Classifying and Categorizing various types of attacks.

Furthermore, in support of global interoperability and to ensure equal distribution of samples for testing and development to the Anti-Virus (AV) and security industry as well as research groups, a Central Database of Malicious Code (DBMC) must be developed and maintained. To avoid any ambiguity and support quick and precise development of AV and intrusion detection systems (IDSs), a Unified Naming Convention for any type of malicious code must be developed and maintained.

The mass proliferation of viruses and Trojan horses via email and Distributed Denial of Service (DDoS) attacks makes IT security a global issue and a permanent and constantly evolving threat to critical infrastructure, technology and information systems. Hence frameworks are required that provide rules for interpretation and classification, as well as reporting. Publishing reports or alerts based on standardized categories and methods will, in turn, allow security engineers to determine how serious viruses, vulnerabilities or threats really are. Vendors focus on products for customers, but threats and vulnerabilities on the Internet are a concern of societies. Consequently, they must take combined action to improve standardized and automated reporting to advance security and thus trust in the digital society where e-commerce/e-government will be ubiquitous.

Scale and Ambition – Critical Mass – Partners’ Profile

The Network of Excellence will draw upon EICAR’s members, as well as those of other organizations in Europe, who will bring their scientific and technological know-how to support the network’s objectives. University- or industry-based and other experts are herewith invited to join. This project’s major thrust is to encourage and facilitate the development and supply of the tools and techniques needed for Critical Emergency Response Teams (CERTs), vendors and others to improve their defense mechanisms and technologies for the benefit of citizens and organizations. We are actively looking for partners from universities, CERTs and vendors, and for other experts who will bring the skills and commitment required to design and conduct this research. Additionally, the project requires various field settings to secure high-quality field testing of the various prototypes to be developed.

Extent of Integration and/or Structuring Impact – Research Content

The Network of Excellence will strengthen the exchange and collaboration of European research efforts on cyber security. While many organizations and universities may have the resources to be excellent in one area of security, synergies and economies of scale require the rapid and accurate exchange of information and collaboration amongst many experts doing work in this area in various environments.
The research component will primarily focus on developing naming schemata, threat categorization, rules for interpretation and classification, and a database for malicious code and vulnerabilities/threats. Once these tasks have been accomplished, their deployment in field settings should provide the necessary testing information to further fine-tune the instruments and make them usable in a variety of settings.

The proposed Network of Excellence and the Integrated Project would help to improve the controlled circulation of standardized incident data, the collection of such data, their analysis and subsequent reporting. The latter would help in protecting critical infrastructures. The tools and standards developed with this project would provide the unbiased information needed to permit trend analyses. Today’s Alerts and Advisories suffer from a lack of standards in naming and threat categorizations. This project would help improve on this score, using national centers of excellence including CERTs, eCSIRT.net and a network of experts to expedite this process with the help of a network and an integrated research project [e.g., see http://security.weburb.net/frame/EWISdoc/other/ewis3draft.pdf].

Revision History
2002, May 24: Initial release
2002, May 30: Updated – editing and incorporating of input from IT security experts [e.g., http://security.weburb.net/frame/CIP/vision.html]

17) Rüdiger Glott

Int’l Institute of Infonomics

RePDE - Reshaping Personal Data Environments - Integrating the Human Factor into Privacy Technology

The Problem

The starting point of the project is the increasing complexity of personal data transactions evolving in the information society. Every application relying on IST is characterised by a complex compilation of transactions in the form of information flows between data repositories. This data environment is a resource to the benefit of citizens, as it can be utilised to create value-added services. On the other hand, it can also be a threat when its content is misused. Typical examples of personal data stored at data repositories are personal records (name, address, age, education, social security number, etc.), mobility data, assessments of performance or behaviour, financial transactions and credit history, health records, communication patterns (from ISPs, mobile phone operators, etc.), online purchases, and data about interests, ambitions and skills.

Each interaction with IST reveals some of this manifold of personal data, and as a result personal data is stored outside the individual’s sphere. Data is partially mirrored, and the number of “mirror sites” soon becomes innumerable. Furthermore, the data environment of every individual is structured not only by the individual’s own interactions with data repositories, but also by interactions between different institutions that hold data of this particular individual. We call the total of all these data mirrors, and the information flows between them, the personal data environment (PDE). It is an essential part of the virtual environment [1] of an individual.

The character of IST-mediated interactions causes a general dilemma: on the one hand, people are willing to provide personal data in exchange for personalised, value-added services or products; on the other hand, they feel concerned about the way data is used to classify and type them.
People want to control their personal information, since a loss of control over one’s personal data can be very disconcerting. To counter these concerns, organisations often have to make large efforts, usually combined with high costs. If they do not succeed in creating sufficient trust, or if the costs of such an effort are too high, they often have to retrench the breadth and quality of their services in order not to raise privacy concerns.

[1] By virtual environment we mean the total of all digital sources of information and digital services with which the individual interacts via IST.

Privacy technologies, like public key infrastructures or zero knowledge solutions, provide good but limited support for companies to protect their customers' privacy. Provided that they make transactions anonymous or otherwise opaque, they will succeed in protecting customers' privacy, but they hinder companies from establishing a permanent and trusting relationship with their customers and from getting to know customers' individual needs and preferences, thus creating another dilemma.

The most important negative consequence of the described dilemmata is that companies and organisations face strong market barriers if they want to combine different sources and users of personal data in order to create new services. Such services require detailed knowledge about customers' needs, beliefs and behaviour, their trust preferences, and target groups, to find out what such services and products must feature in order to reach a critical mass. Moreover, the cultural, political and legal basic conditions of data and consumer protection must be taken into account. Very often, these conditions differ from country to country, thus limiting strategies to reach a critical mass by offering services and products EU-wide. It is noteworthy that such highly innovative services and products are very promising with regard to profits, customers' quality of life, employment, and growth of the economy at large.

The Concept

As to our concept of personal data environments, we can state that the more transparent and controllable the exchange relations within a particular individual's data environment are, the weaker individuals’ concerns towards data collection and flows become, the lower the costs become for organisations whose services rely on this data, and the better the chances of innovative services and products become. Attempts to make IST-mediated communications more secure, to strengthen the position of the individual within data exchange transactions, and to improve the efficiency of e-commerce and e-administration systems are manifold (e.g.
P3P, companies’ privacy policies, general guidelines like those of the OECD). The common feature of all these attempts is that they set limits to data transactions. Isolated measures make it, however, very difficult for the individual and state authorities to control the flow of data between repositories. If the system as a whole remains opaque, the probability of new services succeeding on the market is reduced, even if an organisation invests large (and often cost-intensive) efforts in a trusting relationship with its clients. Furthermore, it remains difficult for organisations to assess how their (potential) clients and citizens will react to requests for specific personal data, whether they will regard the request as legitimate and reasonable or whether it will deter them.

The crucial question is how companies or organisations can create sufficient trust in order to generate highly innovative e-services, when often it is not they themselves or the underlying technology that is distrusted, but "the system as a whole", or, in our terminology, the Personal Data Environment. This means that a solution that focuses on the company or organisation level alone will not work. In this context, a purely technological enhancement of transmission and data security will not be sufficient either.

What is missing is an integrated conceptual model of the personal data environment that can be used to articulate individuals’ concerns and that captures business models and requirements on a legal framework. Such a conceptual model will be able to identify the role of current and emerging developments in IST, like P3P and digital signatures. Also missing is a socio-economic understanding of consumers’ reception of and attitude towards their personal data environment. Evaluating the socio-economic innovation that goes hand in hand with new business models in the context of personal data environments is another important issue. Such insights will systematically integrate human factors of technology usage and trust. They will lead to new functionalities for the individual and businesses to interact with personal data environments in various contexts. We will call bundles of such functionalities PDE-elements.

Contributions to these open issues will have the potential to reshape the personal data environment. The objectives of RePDE are thus to proceed from a conceptual model, via socio-economic research, towards the specification and demonstration of concrete PDE-elements. This approach will help to regain users’ trust and confidence in what is perceived as an overwhelmingly asymmetric distribution of power.

Contribution to Integrated Projects

The core task of RePDE is to provide every European user with a tool to visualise and control his / her data flow, which will increase his / her trust in existing and evolving IST. In doing so, RePDE forms an indispensable component of integrated projects concerned with the provision of secure and trustworthy environments for electronic transactions. While technological approaches such as encryption primarily address users’ security concerns related to the transmission and storage of personal data, trust building represents a psychological process arising from customers’ perceived lack of power to control organisations’ actions and secondary use of customer information, thus mainly applying to non-technical areas. Therefore, RePDE contributes a large part to strengthening users’ trust by giving them more control over the information they give out.
But what is the use of customers’ trust in organisations’ responsible handling of their personal data if they have to fear that, due to technological weaknesses, released information is exposed to external attacks by hackers and other unauthorised persons, and vice versa? This is the reason why RePDE sees its chance and added value as an integral part of projects dealing with technologies for security, covering the complementary task of trust building.

Contact:

Rüdiger Glott
International Institute of Infonomics
P.O. Box 616
6200 MD Maastricht
The Netherlands
Phone: +31 43 3883875 / 3874
Fax: +31 43 3884905
Mail: [email protected]
http://www.infonomics.nl

Constanze Stockhammer
HiTec – Vereinigung High Tech Marketing
Lothringerstrasse 16/4
A-1030 Wien
Austria
Phone: +43 1 7182530-14
Fax: +43 1 7182530-50
Mail: [email protected]
http://www.hitec.at

18) Richard Guest

University of Kent

Intelligent Biometrics Integration to Enhance Trust and Security
A proposal from the University of Kent, UK

Background

The University of Kent has been among the pioneers of biometrics research in the UK, and has an established record of work to develop individual biometric modalities, to study techniques for optimal integration of biometrics, to manage the complexity arising from the design of flexible biometric systems and in the testing and evaluation of biometrics. Our current projects include investigation of multi-modal design techniques (DTI/EPSRC), electronic document security (EPSRC) and evaluation of on-card processing (EU-IST).

There is a widespread understanding that authentication robustness and user convenience are two important issues that could either promote or undermine the development and adoption of biometric technologies. The IAMBIC project sponsored by the UK Government’s Department of Trade and Industry and the EPSRC is exploring the use of multimodal biometrics to address these twin issues. The project so far has revealed the advantages of a multimodal approach to improved robustness and accuracy of recognition as well as providing flexibility for the users. The emerging complexity requires special management and in this regard the use of intelligent software agents is proving effective in both user interface handling and negotiations of trust and confidence.

Our work with on-card processing is part of the Finger_Card consortium funded by the EU-IST. The objective of the project is to integrate fingerprint biometrics into a standard smart card for secure and convenient authentication and identification, resulting in a system with higher security and privacy than that provided by existing solutions. We are currently evaluating the system in an application scenario with respect to biometric performance, usability and interoperability.

In the area of document security, we are developing a document model which is predisposed to embrace security and trust through its inherent structure.
This Secure Document Object (SDO) model introduces a definition mechanism to allow arbitrary data formats to be incorporated with a minimal initial model definition. Significantly, current standards defining meta-data, such as MPEG-7 and XML, may be incorporated within the model without extension. The model works by defining a mechanism for defining data (or more generally meta-data or even meta-meta-data) which may then be used to incorporate any existing standard data definition model, including those yet to be defined. The key is to allow an arbitrary level of meta-abstraction, thus allowing any standard to be incorporated regardless of the meta level at which it is defined, merely by including an extra minimalist meta level for the SDO concepts. The model embodies many features of key importance in relation to maintaining trust and security in its provenance and its use.

Our research group has also recently established a state-of-the-art biometrics test facility with funding from the UK Government’s SRIF initiative, allowing the evaluation and integration of a range of biometrics devices.

Proposal

We believe that developing a significant European presence within the broad area of Trust and Security must inevitably include a significant proposal in the area of biometric technologies and the optimal exploitation of biometrics. The commitment to biometrics and the integration of biometric devices within broader systems is now apparent in policy within the USA, and it is important that the expertise and innovation in this area to be found within Europe is encouraged and developed.

Our proposal is therefore to specify a large-scale integrated project to develop biometric technologies, to understand the theoretical and practical limits to the use of such technologies, and to develop strategies for successful implementation and exploitation of biometrics as a means of increasing trust and security within applications ranging from access control, through financial and similar transactions, to situations involving private and sensitive data such as in the area of e-health and telemedicine.
Any such proposal would need to address a range of issues, principal among which would be several areas which we would identify as currently open issues, as follows:

Interface issues:
• Adaptable and learning interfaces
• User feedback
• User training and re-training

Fusion issues:
• Inclusion of environmental / non-biometric data
• Links with smart-card / performance history
• Learning fusion algorithms

Interoperability issues:
• Standards for multimodal plug-and-play biometrics
• PKI integration
• Template storage / migration

Evaluation issues:
• Effective protocols for multimodal testing
• Incremental testing / on-line evaluation
• Subjective tests

A specific project proposal would be based on a study of some or all of these issues. A core project team is already planned through partners on existing projects and through the network of contacts which we have made, but we are also seeking others who might be interested in participating. Our proposed consortium includes research partners, technology developers and end users.

Contact:
Professor M.C. Fairhurst
Department of Electronics
University of Kent
Canterbury, Kent CT2 7NT, UK
Email: [email protected]

19) Dirk Heger

Fraunhofer

Dependable [1] Information Management and Services in the Internet

1 Starting Point

Nowadays, the Internet is used for many business and legally relevant transactions. Of course, nobody can be sure that his valuable information is safe from illegal misuse or modification during electronic data exchange. The same is true for all Internet-based services. One may feel secure at the application level by using the Digital Signature, but a remarkable loss of comfort also has to be accepted. This leads to a very slow dissemination of these services in Europe and worldwide. Moreover, these services are actually not secure, strictly speaking. Using backup or application program services through the Internet, you can be sure neither of not losing valuable data nor of not being spied on.

A completely different type of lacking dependability results from the fact that a vast number of program modules are linked through the network. Most of them are complex, carelessly specified and incompletely documented. Most of them still contain quite a number of errors, and some of them contain undocumented functions. The simple fact that most of the software sources are not open causes major concern. These are some of the reasons for stating a lack of dependability of the information management and the services offered in the Internet.

2 Objective in View

Increasing the dependability of information and services offered through the Internet (also Intranets and Extranets) and/or using Internet technologies for the variety of professional and private kinds of usage. Extensive use of the existing and emerging technologies and services that are functionally needed and relevant on the IT market.

3 State of the Art

Workstations are used as runtime systems for local applications and/or as clients connected to servers or host systems.
The private and professional market of workstations is dominated by PC technology in combination with the software products of Microsoft (standard office applications, the Windows operating system and increasingly the MS network technology dot.Net). Unix and Linux environments are challenging Microsoft, but their market share will remain relatively small since the combination of the mutually dependent Microsoft products will most likely not be equaled in the short run. Therefore many software products rely on this Microsoft environment, too. Microsoft’s emerging .NET Server family (incl. the integration of legacy host systems) and the ASP .NET environment are also strong indicators of this trend. While the users, their information and the applications are being linked together closer and closer, the dependability necessary for everyday use of such systems will never reach a satisfying level, considering the complex technology, the complex configuration and administration, the frequent need for software upgrades and a lot of problems such as the level of education and training.

[1] Dependability is the degree of fulfillment of the mission-relevant set of tasks. Reliability, availability, security, safety, correctness of the implementation, real-time behaviour in the context of the specific application requirements, and trustworthiness are components of this complex measure, to be defined in the project.

4 Strategic Approach

The strategy proposed here for improving system stability and dependability under such preconditions provides a pragmatic catalogue of measures such as:

• Usage of the dominating PC and Microsoft technologies, as far as useful, as a technological platform for “European Applications”.
• Reduction of the complexity by means of restriction to a mandatory basic functionality, and specification and implementation of application-specific Profiles, thereby guaranteeing the exclusion of undocumented side effects.
• Inclusion of the concepts of ubiquitous computing for mobile professional and private applications into the dependability architecture of the whole system, maintaining the approach of breaking down the complexity by application-specific profiles.
• Development of transparent configuration procedures for such profiles (client and server systems incl. all layers and all linked software components), of the related policies, and of appropriate configuration and administration tools related to the applications and user roles respectively. The configuration and administration must be simplified to such a degree that they need not be carried out exclusively by expensive (non-transparently acting) experts.
• Definition of dependability in this context, modeling of the complete system with respect to the applications, and the overall optimisation.
• Deduction of the requirements of the interfaces and the formal specification of the functionality of the system components.
• Specification of policies and related procedures for the implementation of the required trust and security level of the whole system.
• Development of strict quality assurance procedures and of a certification programme for assuring the conformity and interoperability of the components within the profiles and the external interfaces of these profiles.
• Development of an Implementation Guide for components and systems complying with these profiles.
• Implementation of Reference Pilot Systems for evaluation and demonstration of the complete system, including the QA procedures and the certification programme.
• Implementation of an appropriate PR and dissemination programme.
• Convincing Microsoft to enter a contract to appropriately open the functions of the profiles (specifications and sources) and to make a long-term contractual commitment to the transparent further development of these profiles. This can only be achieved by clustering the market power of the European software vendors, since all international standardisation efforts in the past have clearly exposed the inertia and inflexibility of such procedures.
• The process of international standardisation may follow later and may make use of regional workshops preparing the necessary documents for the standardisation bodies.

5 Integrated Project in the 6th Framework Programme of the EU

Based on the experience with former European projects (CNMA and AIT), we are now proposing an Integrated Project in the Thematic Priority Area “Information Society Technologies” (IST) of the 6th Framework Programme of the European Union. The European project consortia should be composed of important End Users (e.g. Service Providers such as Banks, Insurance Companies, Governmental Authorities), Software Vendors (e.g. SAP, IDS Scheer, CAP Gemini) and independent Research Institutes (e.g. Fraunhofer IITB/Karlsruhe, DFKI/Saarbrücken, LAAS/Toulouse).

6 Current Status, further Needs and Steps

Currently, the following partners have agreed to go for this project and to supply an Expression of Interest to the Commission of the European Community:

• Fraunhofer IITB/Germany,
• SAP AG (German or French branch),
• IDS Scheer/Germany,
• DFKI/Germany.

Therefore this initial group of partners is looking for additional partners (major end users and/or vendors) from European countries. Interested parties should immediately contact:

Fraunhofer-Institut Information and Data Processing
attn.: Dr. Dirk Heger
Fraunhoferstr. 1
76131 Karlsruhe
Phone: +49 (0) 721 6091-320
Fax: +49 (0) 721 6091-413
Mail: [email protected]

20) Herrigel Alexander

DCT

Smart Documents
Dr. Alexander Herrigel
Email: [email protected]
Submission for the EC workshop Trust and Security

Introduction

Due to the increasing mobility of our society, there is a strong need for the secure verification of authentication, multimedia or brand documents such as driver licenses, ID cards, passports, images, and labels for different products. Different approaches have been developed and deployed over the last decade to solve this problem for different application domains. Experience in different countries has shown that crime groups are increasingly able to fake authentication documents. The September 11 tragedy has illustrated that national or international crime groups can today cross the borders of different countries without any problems using faked authentication documents (see different cases in Germany and in the US). This also affects the national security policy of the countries involved, and especially the authorities responsible for the issuing process of such authentication documents.

In addition, recent statistics have shown that the usage of cheap but powerful computers, colour printers, and scanners enables counterfeiters to replace original data or product boxes on such a scale that different product suppliers or companies are facing very severe damages. Our community as a whole is also confronted with this problem, since different industries (textile industry, cigarette industry, pharmaceutical industry, car manufacturers, security printing) are affected. For example, none of us would like to drive a car with non-original parts that are important for the safety of the car, or take non-original drugs when ill. Different laws affecting consumer protection and fair trade between companies are jeopardized. In Germany today, faked products cause damage of more than 30 Billion EUR per year, and more than 40'000 jobs per year are lost.

What is the reason for this development? Nearly all document security systems developed and applied in the last decade are based on the basic principle that a proprietary security technique cannot be broken. We call a security technique proprietary if the procedures of the technology are kept secret. It was believed that, if the details of the dedicated production process used to manufacture the security features are not known, it would be very hard for crime groups to counterfeit these techniques. Due to the competing development of these techniques in various countries, most of the analogue security features applied today are, however, in contrast to this assumption, known.
In addition, some of this proprietary security knowledge is no longer in the government domain only, due to the drastic political changes in some countries. More important is, however, the very advanced technology development for digital image processing and printing as illustrated in the example above. It is easy for a professional to scan a specific driver license and to change the corresponding contents. Due to national laws we have not completed the replacement and adaptation of the different faces. There are many other examples of faked images in practice affecting the personal life of VIP persons.

Many analogue security techniques such as holograms, security threads, and optical variable material have been developed as countermeasures on a proprietary basis. These techniques are becoming obsolete, since the counterfeiters benefit from the progress in digital imaging technologies, political changes in different countries (many experts have left the government domain), and the lack of technical expertise among consumers and resellers. The developed techniques also require a visual control. In addition, several analogue security techniques have to be combined to achieve sufficient protection for dedicated application domains such as currency printing. But who, if not an expert, knows all the security features of a Swiss currency note in the US or in Germany? If the counterfeiter reproduces these notes quite accurately, it is very difficult for the consumer and other persons to distinguish the original note or product from the faked one, or for the police to distinguish a faked passport from an original passport. In order to provide an effective solution for the future, new techniques have to be applied in the near future to compete effectively with crime groups and to protect the business of the product manufacturers, which also affects governments, which lose a huge amount of taxes.

State-of-the-art technologies

In order to apply a higher level of security, cryptographic and digital watermarking techniques have been proposed which rely on secret keys that must be known for a successful verification process. Cryptographic technologies realized by chip cards with cryptographic processors offer an effective protection for some authentication documents (see for example the deployment in an Indian county with biometric information). Chip card based solutions are, however, very expensive from a commercial perspective (a cryptographic chip card costs about 8 to 10 EUR), since for the target applications we only need security features providing information that can be printed once but verified many times. In the scenarios described above there is no need for an active device providing information that can be stored and retrieved many times. This is only needed for e-commerce or on-line transactions. In addition, these techniques can't verify whether a document is original or not.

The digital watermarking technologies proposed today by some manufacturers are based on the principle of hiding some secret data in images. This hidden data can then be extracted by anyone who knows the key applied when it was generated. The solutions proposed today by US manufacturers have, however, the following disadvantages. Since a constant key is applied for the embedding, the technology company providing the solution is always able to fake the authentication documents of its customers. This might be an extreme scenario, but it may become quite realistic with respect to the different national interests of the different countries.
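The constant-key weakness described above can be checked on the keyed data alone, leaving image embedding aside. The following is an added example, not code from the DCT proposal: the record fields, the use of HMAC-SHA256 as a stand-in for a keyed watermark payload, and Ed25519 as the public-key alternative are all assumptions made for illustration.

```javascript
// Added illustration, not code from the DCT proposal. It models only the
// keyed payload a document carries; embedding that payload in an image and
// surviving print/scan conversion are out of scope here.
const crypto = require('node:crypto');

// Canonical byte encoding of the issuance facts (field names are assumptions).
function canonical(doc) {
  return Buffer.from(
    JSON.stringify([doc.issuer, doc.issuedAt, doc.issuedIn, doc.owner]), 'utf8');
}

// --- Scheme A: one constant secret key, held by the technology supplier ---
// HMAC-SHA256 stands in for a keyed watermark payload (assumption).
const SUPPLIER_KEY = Buffer.from('constructed-demo-key', 'utf8');

function tagWithConstantKey(doc, key) {
  return crypto.createHmac('sha256', key).update(canonical(doc)).digest();
}

function checkWithConstantKey(doc, tag, key) {
  const expected = tagWithConstantKey(doc, key);
  return expected.length === tag.length && crypto.timingSafeEqual(expected, tag);
}

// --- Scheme B: each issuing authority has its own key pair ---
// Verifiers hold only the public half, so checking never enables issuing.
function createIssuerKeys() {
  return crypto.generateKeyPairSync('ed25519');
}

function signAsIssuer(doc, privateKey) {
  return crypto.sign(null, canonical(doc), privateKey);
}

function checkWithPublicKey(doc, signature, publicKey) {
  return crypto.verify(null, canonical(doc), publicKey, signature);
}

// Runs both schemes over constructed sample records and reports what a
// verifier would accept in each case.
function compareSchemes() {
  const genuine = {            // constructed sample record
    issuer: 'Authority A', issuedAt: '2002-05-30',
    issuedIn: 'Brussels', owner: 'Holder 1',
  };
  const neverIssued = { ...genuine, owner: 'Holder 2' };

  // Scheme A: the authority tags the genuine record; the supplier, who holds
  // the same constant key, tags a record the authority never issued.
  const authorityTag = tagWithConstantKey(genuine, SUPPLIER_KEY);
  const supplierTag = tagWithConstantKey(neverIssued, SUPPLIER_KEY);

  // Scheme B: the authority signs; a party without the authority's private
  // key (modelled by a second key pair) signs the never-issued record.
  const authority = createIssuerKeys();
  const otherParty = createIssuerKeys();
  const authoritySig = signAsIssuer(genuine, authority.privateKey);
  const otherSig = signAsIssuer(neverIssued, otherParty.privateKey);

  return {
    constantKey: {
      genuineAccepted: checkWithConstantKey(genuine, authorityTag, SUPPLIER_KEY),
      modifiedRejected: !checkWithConstantKey(neverIssued, authorityTag, SUPPLIER_KEY),
      // true: a verifier cannot tell the supplier's tag from the authority's
      supplierIssuedAccepted: checkWithConstantKey(neverIssued, supplierTag, SUPPLIER_KEY),
    },
    asymmetric: {
      genuineAccepted: checkWithPublicKey(genuine, authoritySig, authority.publicKey),
      modifiedRejected: !checkWithPublicKey(neverIssued, authoritySig, authority.publicKey),
      // false: only the holder of the authority's private key can issue
      nonIssuerAccepted: checkWithPublicKey(neverIssued, otherSig, authority.publicKey),
    },
  };
}
```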
In addition, these techniques are not resistant against the copy attack and other attacks presented by different DCT and CUI specialists at the US SPIE conference in January 2000, January 2001, and at the Workshop on Information Hiding, April 2001. The copy attack analyses an image with a digital watermark and identifies the watermark. It then effectively copies this watermark into another image.

A Security Architecture for Smart Documents

Our IST proposal is based on the concept of smart documents. A smart document is an analogue or digital document that, with adequate security features or procedures aligned with adequate security management, allows the following questions to be answered:

- Who has issued the document?
- When was the document issued?
- Where was the document issued?
- Who is the owner of the document?
- Is the document modified?
- Where was the document modified?
- Is it an original document?

The principal direction of the research is to develop and implement in software and hardware new security algorithms and techniques that generate random masks encoding some secret data and to embed these data as hidden, partly visible, or fully visible information on the document, applying different techniques of digital imaging processing or crystal allocation procedures. The key issues of this new and fundamental research and development are the following:

- Robust against media conversion (digital to analogue, analogue to digital)
- Asymmetric verification for a European wide distribution
- Kerckhoffs' principle (no proprietary methods)
- Cheap printing of smart documents
- Machine verification and control
- Easy to use security management
- Applicable to different domains such as authentication documents, brand protection documents, multimedia documents.

Applying the technology of smart documents in the near future will mean that a police officer in Athens can check the driver license of a Belarus tourist without knowing the particular security features of the Belarus authorities. A bank in Germany may reliably check a paper certificate generated in Italy on the basis of an on-line transaction on the Internet, and a press agency in Hamburg can check whether a press photo from Switzerland offered for sale is faked or not. Security attributes generated in the process of an on-line transaction will then also be robust against printing and may be verified later if the corresponding business certificate is stored as a printed document.

Exploitation and Scale

The market statistics indicate an alarming level of forgery in the different domains. In the US 18% of all forgery cases for currency notes have been based on ink jet printing in 1996. In 1998, 88% of all forgery cases have been based on ink jet printing. In Switzerland, the number of different currency forgeries increased in 1998 from 4576 to 6472 cases. 84'763 currency notes have been faked and the most popular are the 100 and 1000 CHF note. The BAP has realized that a massive fraud increase was based on the fact that computers and ink-jet printing are used for the forgery. In addition, the forged notes are so close to the original notes that the BAP recommends verifying 7 different security features before any trading action. This recommendation is, however, close to impractical in daily life. The union against the counterfeiting of brands in Germany has estimated a worldwide damage of 261.2 Billion EUR.
30 Billion EUR have been lost in Germany in 1999. Experts have estimated that the damage for the different manufacturers covers 5 to 10% of their overall revenue. These experts have testified that today there is no barrier for a counterfeiter to copy, for example, a textile product from Lacoste. The Levis company is another example. Due to the massive forgery in the jeans production, the company lost important market shares and is today confronted with severe economic difficulties. Since many analogue security features are needed today to constitute an acceptable level of protection against the huge damage, there is also an operational problem for the responsible police, since it was not possible for them to apply the recommendations in practice. 90% of all cases have, therefore, not been investigated in Germany. Experts have estimated in Germany that about 50'000 work places are lost every year because of missing secure and effective brand protection solutions. The value of forged goods identified by the German customs has increased fifteen thousand times in the last 10 years.

These statistics show the broad application range of the anticipated project and the real commercial need on the market. It seems that many security printing companies today are not able to provide adequate techniques, given the damages mentioned above. The exchange of people within Europe will increase and it is in the national interest of the different countries to minimize the forgery of passports to prevent the movement of criminal groups.

Successful execution of this research project needs a collection of expertise coming from the following areas: cryptography, printing, physics (crystals), communication theory, digital image, video and audio processing, parallel processing (peer-to-peer), networking (detection of digital smart documents during a transaction), and hardware design of chips and opto-electronic systems. It also needs commercial partners that are able to distribute and maintain the resulting products to different customer groups in different countries. First estimations have shown that a work force of at least 60 people is needed to run the project. Along with its different partners DCT has already identified 35 people who are willing to contribute to and to support this project.

References

1. S. Voloshynovskiy, A. Herrigel and Thierry Pun, Blur/deblur attack against document protection systems based on digital watermarking, In 4th International Workshop on Information Hiding, USA, 2001.
2. S. Voloshynovskiy, S. Pereira, A. Herrigel, N. Baumgärtner and T. Pun, Generalized watermark attack based on watermark estimation and perceptual remodulation, In Ping Wah Wong and Edward J. Delp eds., IS&T/SPIE's 12th Annual Symposium, Electronic Imaging 2000: Security and Watermarking of Multimedia Content II, Vol. 3971 of SPIE Proceedings, San Jose, California USA, 23-28 January 2000. (Paper EI 3971-34).
3. A. Herrigel, S. Voloshynovskiy, and Y. Rytsar, Template removal attack, Electronic Imaging 2001: Security and Watermarking of Multimedia Content III, San Jose, California USA, 20-24 January 2001.
4. Martin Kutter, Sviatoslav Voloshynovskiy and Alexander Herrigel, Watermark copy attack, In Ping Wah Wong and Edward J. Delp eds., IS&T/SPIE's 12th Annual Symposium, Electronic Imaging 2000: Security and Watermarking of Multimedia Content II, Vol. 3971 of SPIE Proceedings, San Jose, California USA, 23-28 January 2000. (Paper EI 3971-35).
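The contrast this contribution draws between constant-key embedding and asymmetric verification, as an added example that is not part of the original contribution: a record answering the smart-document questions is signed once by the issuer and checked with public data only, next to a constant-key tag for comparison. The field names, the issuer and the sample licence are constructed, and textbook RSA over a demo modulus of publicly known primes stands in for a vetted signature scheme; embedding the record in the print is not modelled.

```python
import hashlib
import hmac
import json

# DEMO KEY ONLY (assumption): the modulus is the product of two publicly known
# Mersenne primes, so no key generation is needed and anyone can factor it.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, held by the issuer only

# Hypothetical field names covering the smart-document questions.
FIELDS = ("issuer", "issued_on", "issued_at", "owner", "content_sha256")


def canonical(record):
    """Deterministic byte encoding of the protected fields (KeyError if one is missing)."""
    protected = {name: record[name] for name in FIELDS}
    return json.dumps(protected, sort_keys=True, separators=(",", ":")).encode("utf-8")


def _digest_int(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def issue(issuer, issued_on, issued_at, owner, content, exponent=D, modulus=N):
    """Issuer side, run once: the returned record is what gets printed."""
    record = {
        "issuer": issuer, "issued_on": issued_on, "issued_at": issued_at,
        "owner": owner, "content_sha256": hashlib.sha256(content).hexdigest(),
    }
    record["signature"] = format(pow(_digest_int(canonical(record)), exponent, modulus), "x")
    return record


def verify(record, content, public_keys):
    """Verifier side, run many times, using public keys only."""
    result = {"issuer_authentic": False, "content_unmodified": False, "original": None}
    try:
        modulus, exponent = public_keys[record["issuer"]]
        signature = int(record["signature"], 16)
        expected = _digest_int(canonical(record))
    except (KeyError, TypeError, ValueError):
        return result  # unknown issuer, missing field or malformed signature
    if 0 < signature < modulus and pow(signature, exponent, modulus) == expected:
        result["issuer_authentic"] = True
        result["content_unmodified"] = (
            hashlib.sha256(content).hexdigest() == record["content_sha256"])
    # "original" stays None: a faithful copy carries the same valid record, so
    # this check alone cannot tell an original from a reproduction.
    return result


def constant_key_tag(record, shared_key):
    """Constant-key scheme for contrast: the key that verifies also issues."""
    return hmac.new(shared_key, canonical(record), hashlib.sha256).hexdigest()


def constant_key_check(record, tag, shared_key):
    return hmac.compare_digest(constant_key_tag(record, shared_key), tag)


def demo():
    authority = "Transport Authority (constructed)"
    public_keys = {authority: (N, E)}          # all a verifier ever receives
    licence = b"constructed licence body: category B"
    record = issue(authority, "2002-05-30", "Brussels", "A. Sample", licence)

    altered = dict(record, owner="Someone Else")
    # Attempt to issue with public data only (the public exponent in place of D).
    unauthorised = issue(authority, "2002-05-30", "Brussels", "Someone Else",
                         licence, exponent=E)
    # Under a constant key, whoever holds the verification key can tag any record.
    vendor_key = b"constructed constant key"
    vendor_made = dict(altered)
    vendor_tag = constant_key_tag(vendor_made, vendor_key)

    return {
        "genuine": verify(record, licence, public_keys),
        "altered_owner": verify(altered, licence, public_keys),
        "altered_content": verify(record, licence + b" and C", public_keys),
        "public_key_only_issuer": verify(unauthorised, licence, public_keys),
        "constant_key_accepts_vendor_record": constant_key_check(
            vendor_made, vendor_tag, vendor_key),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, outcome)
```

The `original` field is never set: a signed record answers who, when, where, owner and modification, but not whether the paper in hand is the original, which is the question the proposal assigns to the print-level features.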

21) Hurtado Mora Mayte

tb-solutions

NORMALISED COMMUNICATIONS PLATFORM OF ELECTRONIC PUBLIC ADMINISTRATIVE DOCUMENTS IN THE EUROPEAN UNION

Current Situation

At present, public documents are sent to their addressees on paper, either through intermediaries, such as Solicitors or agencies which obtain official documents on clients’ behalf, or directly to the addressee via post or fax. Some initiatives, such as the European AEQUITAS Project, have been taken to computerize these document transmissions, guaranteeing aspects such as identity of document signatory, integrity of document contents and confidentiality of document transmission.

Description

The Project aims to build a system that shall allow secure, reliable transmissions of public administrative electronic documents, using so-called asymmetric key cryptography and electronic certification, with either a hierarchical or a cross certification system. Furthermore, this proposal intends to contribute, as an innovation, the creation of a European state-of-the-art framework in the transmission of these documents, normalizing their transmission through common standards in the European Union. This system would entail the establishment, at a national level in each of the participant States, of a one and only platform able to recognize the certificates to be used in these interstate communications. All the platforms shall be integrated into a single European Union platform, so that these communications using certificates issued by the different PKIs shall not entail any problem. The aim is to make the different informatic systems and elements currently existing compatible with each other.

Users

On the one hand, the European public administrative electronic document issuing entity (judicial and extrajudicial): public administrations (Legal Administration, General State Administration, local and regional Administration, etc…), Notaries, Registrars and similar European entities (Greffiers), etc…

On the other hand, anyone liable to receive these documents. We list, as examples, the following: financial entities, agencies which obtain official documents on clients’ behalf, Public Administrations (Tax Office, Courts,…) and professionals (Solicitors, Lawyers, Proctors,…).

Elements of the System

Public Key Infrastructures (PKIs) from each of the participant organisms that shall issue their members’ certificates and shall administer them (publishing and revoking them). It shall be taken into consideration that all the certificates issued by the PKIs must be accepted between them, which requires interoperability between the different security systems. For this, research on cross-certification shall be performed, with the different European system developers and integrators working as a team to extend know-how and thus determine the optimum solution to implement in each and every state.

Platform to be used.
A study of the existing platforms shall be performed so as to choose the most adequate for the Project. For example, for the server part JAVA could be used, reusing all the cryptographic modules developed in C/C++ for efficiency reasons. Given the ample variety of documents to be exchanged, the file format to be exchanged should not, at least at an early stage, be too strict. The use of XML headings in these documents would make their usage by different applications, both client and server, easier. The latest TCP/IP version (version 6.0) shall be investigated and analysed. This version adds information on the ciphering and authentication mechanisms used in the information packet transmission for its subsequent usage in the platform system.

Informatic Tools shall be developed to allow for document selection and transmission as well as their electronic ciphering and signature, and then to proceed to their signature check. Time-stamping of documents sent could be included.

Cooperation between Project Participants

Legal

As a starting point, a study on each participant State’s existing legislation regarding the Project’s theme shall be undertaken, especially that which refers to public electronic documents, certification and electronic signature, as well as that pertaining to Certification Authorities, focussing mainly on the formal and technical requirements needed to issue certificates, as required by the different European legislations approved in transposition of the 1999/93 European Directive on electronic signature. TB·Solutions Advanced Technologies (hereinafter, TB·Solutions) shall coordinate and manage this cooperation.

Technical

In each of the participant countries, there shall be one or more software developers, researchers or integrators that shall manage the implementation of a common structure for the compatibility of the existing informatic systems and elements in each of these countries. TB·Solutions, as Project coordinator and director, shall have knowledge of all the technical decisions with regard to the Project adopted by these developers and integrators. In Spain, the developer and integrator tasks shall be carried out by TB·Solutions, keeping in mind the following participants: Spanish Registrars, Proctors, Notaries, financial entities, public administrations, and other European partners (Greffiers, Solicitadores,…). Each participant country RTD shall study the feasibility of certifying its security transmission products, one more step towards a European Standard Integration. Once the technical solution in each country has been developed, TB·Solutions should integrate all these technical solutions, proceeding to develop a common software system.

We go on to list, as examples, the in-house tools to be used by TB·Solutions, which shall be the reference point for the other technical developers:

- STFIC: a client/server application for secure transmission of electronically signed documents. This application is currently being used in banking environments and by professional associations, such as Spanish Proctors and Registrars.
- EasyCert: PKI based on Windows 2000 certification service.
- eCourier: A document management system that allows remote introduction of digital documents into an application and the practical usage of each document through a predefined internal workflow. The workflow and its norms shall be definable by the system administrator and adaptable to new social-cultural situations.
Advantages

The creation of a system such as the one defined herein shall allow one step forward in the usage of the new technologies in the European Union, utilizing systems that are totally compatible with each other, by using standard tools and certified products. Moreover, this shall facilitate a European integration of those administered, citizens and others, through the use of a one and only platform. All this shall lead to quicker communications, thus reducing costs and time, and shall provide more expeditious communications on behalf of the Administrations with regard to the services they render.

22) Reinhard Hutter

IABG

Critical Infrastructure Protection

1- Need and Relevance

Modern societies are becoming increasingly vulnerable through the so-called “Critical Infrastructures” (CIS) they depend on. All essential Infrastructures such as

- Telecommunications
- Traffic (air, rail, street, water)
- Energy Supply
- Public Safety Organisations
- Banking & Finance Systems
- Health Care & Emergency Services

and many others operate to an extremely high degree on an international basis. Their functions and performance rely to more than 90% on Information Technology (IT) – networks, computers, digital components – and on IT based services. Threats to these infrastructures through the IT environment may originate from inside the systems as well as from almost any place in the world. The spectrum of attack options reaches from benign hacking to cyber crime operations, to cyber terrorism, up to full scale information warfare. Consequently, the protection of critical infrastructures has become a security issue of strategic political, societal and economical rank.

During the cold war, on national as well as on international level – NATO, WEU – potential threats, scenarios and military engagements were excessively modelled, simulated, and analysed with the help of computer based Operations Research and other modelling and simulation tools. Critical Infrastructure Protection (CIP) is lacking comparable attention and adequate analytical methods and approaches. Interdependencies between these Infrastructures and – in case of attacks or disturbances – consequential damages and cascading effects add additional uncertainty about the behaviour of these highly complex systems, and thus pose new challenges for the required R&D.

Description of Research Activities

Proposed research activities will include (Fig. 1)

- Threat Analyses (actors and means)
- Review and evaluation of existing, and development of advanced models and tools
- Generation of scenarios
- Demonstration, experimentation and validation of tools and models
- Analysis and Identification of vulnerabilities and of critical areas of individual infrastructures
- Analysis of interdependencies between CIS
- Assessment of the criticality of Infrastructures under threat scenario impact
- Development of preventive and protective measures

Fig. 2 describes the baseline architecture of models and tools required for the analysis and in-depth understanding of the netted world of infrastructures, and for the evaluation of systems, subsystems and critical components of Infrastructures. They will cover

- Scenario Tools
- Models of system components
- Structural Models of Information and Communications on Systems
- Structural Models of other Infrastructure Networks (e.g. Energy, Traffic)
- High level interaction and socio-political models

Scale and Ambition

The activity area of CIP as specified has not been approached on a scale adequate to its increasing importance, neither nationally nor on international level. The effort is estimated to be in an order of magnitude which will not be provided and performed to the extent necessary by any single nation. This is not only a question of funds but also a question of limited scientific resources working in this domain in individual countries. Infrastructure industries alone, although investing into security on their own, do not view security as a management issue of primary strategic investment priority (with few exceptions). Therefore, the IST appears to be the (maybe the only) organisation with adequate power and independence to establish a program for CIP analysis with particular focus on trans-border effects, and on the required international co-operation. The capability of Europe to anticipate new types of threats, to analyse their possible impacts on its major infrastructures, and to develop the consequences for Europe’s safety and security through preventive and reactive measures will become an important pillar in support of the security policy and program of the EU.

Integration

The proposed program will build on partially existing components and capabilities on infrastructure protection methods and public-private-partnership programs, respectively. It will probably consist of a concerted set of Integrated Projects and a Network of Excellence for the CIP domain. EU-wide co-operation and interchange structures are already being built in FP5 projects like DDSI, ACIP, and AMSD. Work of these preparatory projects is being co-ordinated in order to avoid duplication, and to generate synergies among the research institutions and companies involved.
The proposed program will bring together the research community, industrial partners from infrastructure providers and users, and national organisations responsible for national security and public safety. The program will integrate locally existing tools, and will jointly develop the described architecture and models. The program will require strong interdisciplinary co-operation among experts on information technology and information science, Infrastructure specialists, and experts in management, organisation and administration, human behaviour, crisis management and decision making.

The products – scenarios, models, gaming techniques, evaluation tools – will be highly innovative with respect to the subject investigated as well as concerning the technologies (e.g. software technologies) to be applied. They will be demonstrated with and – if so desired – also actually applied to Critical Infrastructure scenarios of national and EU dimension. The results will form a baseline for the specification and implementation of technical, organisational and perhaps legal measures for CIP in Europe, and for the harmonisation and fusion of measures throughout member states. Tools will also be suited to support actual CIP operations in terms of decision support during actual crises and for the training of crisis management and operations staff.

23) Jan Jacobson

Swedish Nat. Testing & Res. Inst.

Trust and Security in Embedded Systems

Jan Jacobson
SP Swedish National Testing and Research Institute
Dept. of Electronics
P.O. Box 857
SE 501 15 Boras
Sweden
Telephone +46 33 16 56 97
Telefax +46 33 12 50 38
Email [email protected]
http://www.sp.se/electronics/eng/

SP Swedish National Testing and Research Institute works with different dependability issues for IT systems. Most of our work is related to embedded systems. Trust and security are certainly important in many applications. The four areas below are examples.

Embedded systems

Distributed control via the internet – Remote control, reading of data and downloading of software enable new functionality. What new risks arise when control is performed via the internet? Response time, data integrity, availability and requirements for secrecy have to be known. Applications include machine control and medical devices.

Measuring instruments – Measuring instruments are very often software-controlled. Taximeters, flow meters, meters for electrical energy and weighing instruments are examples. The services provided by the instruments have to be trusted and secure. The threats vary depending on the application. A European directive for measuring instruments is being drafted and will imply requirements for trust and security.

Automotive electronics – The automotive industry employs many dependability-related systems in modern vehicles. Telematics provides new services for the driver, but has not yet found the "killer application" which all buyers are prepared to pay for. Safety systems increase the safety of the driver and the passengers, and it must be possible to trust them.

Gaming machines – Gaming machines are software controlled. National regulations exist for functionality and gaming aspects. Trust and security are self-evident in this kind of equipment.

Research combining experiences from safety and security

Much research has been carried out both on information security and on embedded systems. The questions on trust and security we face today are new and require further research. A closer cooperation between the fields of information security and embedded systems is needed. The two research communities need deeper cooperation and exchange of experiences. Experiences from "safety", "security" and "reliability" have not yet been combined well enough. Issues on conformity assessment have to be developed further. It is of great importance to be able to demonstrate when the requirements for trust and security are met.

24) Sabah Jassim

University of Buckingham

Multi-resolution Facial Profiling Scheme
A tool for Biometrics-based Authentication Infrastructures

Introduction.

The recent slowdown in e-commerce growth, and the demise of many dot-com start-ups, may be attributed to a variety of factors, but the lack of trust and public confidence in the security and privacy of electronic transactions seems to be among the most serious concerns. It is a serious obstacle to the utilisation of information technology in various areas of e-commerce, e-government, as well as e-services. Credit card fraud is becoming a major cause of concern for online trading; its volume is growing annually and costing billions. Fraud by hackers doesn’t seem to be the serious problem that it was made out to be. In any case, the SSL and the SET protocols were designed to prevent such attacks. The lack of adherence to the strict rules of these protocols undermines their aims.

By far the more serious concern about online credit card transactions is that of repudiation. If a small, but significant, percentage of a business’s online credit card transactions are challenged, then its operation costs mount and it may even have its card acquisition service withdrawn. The task of detecting and preventing fraudulent repudiation of web transactions is particularly challenging. Secure and strong Identification/Authentication schemes are essential for tackling the problem of repudiation. The action plan of the eEurope Smart Card Charter stresses the role of smart cards as an essential trust element in a security infrastructure, providing strong identification/authentication as well as proof of transactions.

Conventional identification/authentication methods such as passwords and PINs are proving to be inadequate for current requirements of information technology, and the security of these methods is being compromised because of human error. Knowledge of a secret and/or the possession of some token such as a card do not protect against impersonation.
Tools are available to those who have the knowledge to forge identities (in the physical as well as digital world) to access unauthorised information and to avoid being detected by law enforcement authorities. In itself, the possession of a card does not prevent theft or fraud. Superimposing a photograph of the cardholder on the surface of (smart)cards, as used in some ID cards, is of limited use in e-commerce applications. The recently proposed/issued ID smartcard for asylum seekers in the UK uses a fingerprint for transaction authentication, but with a photo of the cardholder, and is expected to be carried all the time.

The tragic events of September 11th have highlighted the inadequacy of traditional identification to control access to sensitive locations. Rigidly applied passport control checks did not seem to stop the hijackers, the identity of many of whom may remain a mystery for a long time. Recent incidences of theft from within strict security zones at airports reinforce the urgent need for reliable, efficient, and non-intrusive automatic identification systems. Secure identification/authentication must bind the card to the cardholder’s physical appearance in a way that is less dependent on human intervention. It is not only desirable, but also essential for a technologically advanced, networked and increasingly mobile society.

Biometric-based identification.

Biometrics are unique human characteristics that can be used to identify individuals. These include fingerprints, hand geometry, face, iris patterns, retinal pattern, DNA, ear features, facial thermography, and voice recognition. We are mainly concerned with facial features. Biologists believe that a significant part of human cognitive function evolved to provide efficient ways of recognising other people’s facial features and expressions. But the ability to recognise friends’ faces doesn’t extend well to identifying strangers by photo identity. Hence the need to automate the process of face recognition.

Biometrics systems work in two stages: the enrolment stage and the identification stage. In the first stage biometric characteristics are extracted from a digital image of the person, from which a compact template is created and stored for future reference either on a database or a token (e.g. a smartcard). In the identification stage the biometrics scanner creates a digital representation together with the corresponding template to be compared with the stored version. The rapid growth in Internet and mobile telephony usage in e-commerce led to a surge of interest in using biometric signal processing for identification and authentication. Biometrics-based access control schemes have been an active area of research for some time, but there are numerous technical challenges ahead. A long-term solution to the trust and confidence problem requires building Biometrics-based Authentication Infrastructures (BAI) to complement Public Key Infrastructures.

Biometrics for Smartcards

Despite the fact that biometrics and smartcard technologies have been around for some time, and even before the emergence of e-commerce, there has been very little effort in integrating the two technologies. It is now recognised that biometrics can play an important role in making smartcards more secure, and smartcards can make biometrics pervasive and useful. There have been attempts to implement a number of biometric-based identification schemes on a smartcard platform. Smartcards with fingerprint-based identification are available on the market. Such a system is seen as too intrusive to be accepted by many users.
Most existing biometrics-based identification systems are designed for specific purposes, and may not be particularly suitable for mass use on a smartcard platform. Smartcard applications pose serious challenges due to the cards’ constrained memory, limited computational power, and slow transmission rate (only 9600 bits/sec). Hence the need for invariant facial-feature-dependent parameters that are efficient to compute.

At Buckingham University, a multiresolution facial profiling system is being researched for identification/authentication in smartcard applications. Elements of the intended facial profiling system arose from an ongoing medical-related research project on measuring facial muscle movement during speech. Although computational efficiency is not a serious concern in that research, working with raw image/video data (i.e. in the spatial domain) is made much more cumbersome as a result of data size. Instead, a multiresolution image-decomposition provides the potential to represent patterns as well as anomalies in the decomposed images. Our research revealed a very interesting property that is satisfied by facial features at all resolutions, which provides the necessary elements for fast and efficient facial profiling systems. Associated with each facial feature (eyes, nose, mouth, chin, etc.) in a face image, and at each resolution, there is a small number of parameters that can be computed efficiently. Preliminary results indicate that these parameters are sufficient for face recognition and identification. Interestingly, the same source of information can be used to automatically detect the boundaries and location of the main facial features, thereby providing a powerful and efficient tool to validate the profile data for each feature. This result may also be used to support any other known biometric-based facial identification system. The efficiency of computing the profiling data, together with its small size, makes it suitable for smartcard applications and in particular for identification/authentication purposes. We have also initiated research into a multiresolution version of the widely used Eigenface concept for authentication, as a complementing approach.

Future research aims to design a system that provides several authentication functions, including:

Authenticating a smartcard holder – Carrying a valid smartcard doesn’t prevent fraud or non-repudiation. A facial profile based authentication can remedy this situation, and add to the trust and confidence in smartcard transactions. The card checks against its securely stored profile information, and passes a decision to continue or abort the transaction.

Authenticating a smartcard and its holder to the issuer – A small size facial profile can be used to authenticate the holder against an existing database of facial profiles. This is particularly useful for applications like smartcard-based passports/visas.

There is good potential for using parameters derived from elements of the holder’s facial profile in a special transaction signing protocol. This would further strengthen the non-repudiation functionality of SmartCards. This work, and similar projects, can contribute to the building of BAIs, an essential trust and confidence measure.

Summary

The scale of the work in developing and structuring a Biometrics-based Authentication Infrastructure (BAI) is to progressively and ultimately produce a new, global standard as the basis for integrating current and future biometric research, and commercial systems, from a common base platform. Furthermore, specific applications can then set, say, sub-standards and protocols that will negate the effect of "reinventing the wheel".
A simplified biometic with smart card identification/ authentication could become one of a number of multiple, interoperable, applications on that smart card - for example, medical records, prescription data, insurance entitlement, credit card, driving licence - would quickly achieve a critical mass in excess of 70%; equally such a smart card need not contain similar, or the same range of, applications.

25) Narayana Jayaram

University of North London

Trust and Security: Challenges - Some Old and Some New

In this decade, we are inexorably moving fast into the age of the semantic web, web services and virtual organisations. In the past decade, we have witnessed the growing dependence of the delivery of essential public services in health, education and transport as well as critical private services in communication, finance and utilities underpinned by the trust in network systems and security of their infrastructures. In the post-September 11, 2001 era, given the dependency scenario, organisations large and small are forced to reassess, in an unprecedented way, the potential vulnerabilities of and threats to their network infrastructures. This reassessment exercise involves revisiting old challenges and re-examining the appropriateness of trust and security models and adequacy of the solutions that followed as well as generating new thinking
to identify new challenges as the networking technology surges forward into newer domains. The following list gives a few old challenges that need revisiting with a view to updating their relevance, and a few new challenges that need new analyses and new solutions.

Old challenges:
- Protocol assessment: for example critical assessment of SNMP vulnerabilities in a knowledge management exercise
- Role-based trust management framework and its hybrids
- Asymmetric threats and information gathering
- Levels of system security and their processes in an organisation context

New challenges:
- Development of new adaptive trust and security models and ontologies to validate the 3Ts: trust in technology, trust in deployment and trust in services
- Trust and security issues in ubiquitous computing and peer-to-peer networking environments
- Secure boundaries for virtual organisations
- New directions in intrusion detection with dynamic, adaptive and learning characteristics.

26) Uwe Jendricke

Universitaet Freiburg

Uwe Jendricke, Prof. Dr. Günter Müller
Institute of Computer Science and Social Studies, Dept. of Telematics, University of Freiburg
Friedrichstrasse 50, D-79098 Freiburg
Tel.: +49-(0)761-2034932
E-Mail: [email protected]
Web: http://www.iig.uni-freiburg.de/telematik/

Research needs in the area “Trust and Security”

There are two main problems in the area of “Trust and Security” which require a huge amount of research work:
- Usability and Security: Usability tests have shown that most security related software of today is not usable. This means that users either open new security leaks unwittingly by using such software, or the acceptance is so low that they do not use it at all.
- Mobility and Privacy: With the development of very small computers, hard- and software is becoming increasingly mobile and ubiquitous, which leads to new applications and services causing many new security and privacy problems.

Usability and Security

Most security applications of today have poor usability. This is a severe problem because users may open security leaks unwittingly if they use security software (e.g. exporting the private key instead of the public
key), or they do not use the software at all because they cannot handle it. With the increased usage of the Internet and new communication technologies there is a growing need for secure software, e.g. for e-commerce transactions. If the applications are not secure and usable, users will not accept and use these new technologies. To prevent the rejection of these technologies by the user, several research areas have to be emphasized:

- Usability and Security: This research area is almost non-existent. There is a lot of research into usability and into security, but the problems of the two items combined are not well investigated. Some usability design guidelines have to be changed for security software to prevent security problems caused by incorrect operation. Many security applications use security mechanisms that are hard to understand for a lot of computer users. Here, adequate abstractions of these mechanisms have to be found to prevent the user from working directly with the mechanisms. An example is the usage of public key cryptography. Most users are not used to the concept of private and public keys. This results in usability problems when they are confronted with private and public keys [WhTy1999]. One solution may be provided by the concept of identity management. This is an abstraction of security mechanisms which presents an understandable object (the identity) to the user [JeGe2000].
- User Centered Security Engineering: Software engineering for usable security software. The most effective way to build secure and usable software is to regard security and usability aspects during the whole development process. Therefore, the needs and skills of the user have to be considered during the software development process to obtain a usable and secure software product [Ge2002]. Usability testing methods have to be improved to get results that fit directly into the software development process.

Mobility and Privacy

With the development of very small computers, hard- and software is becoming increasingly ubiquitous. Today, we use the standard PC for e-shopping, and our mobile devices are very limited in functionality. In the future, we will carry small and smart devices for many different purposes (ubiquitous computing). This development leads to severe privacy problems: With mobile devices, we publish not only our personal data like name or credit card number, but also add our location information and a unique identifier: the medium access control (MAC)-address. The MAC-address in combination with the changing location of the user is like a footprint: the user leaves his unique trail in every wireless network. Nearly all network protocols of today require the usage of a unique MAC-address. Similar to the problem of usability, the acceptance of the users is important for the mobile technologies. For this, privacy needs to be guaranteed. We propose the following research areas:

- Integration of privacy aspects in wireless network protocols: Existing and new protocols should respect the privacy needs of the users. Users should have the possibility to change their wireless appearance, e.g. by using temporary MAC addresses. New ways of addressing need to be developed. We propose location addressing [ZuKrMu2001] as an option to addressing types like IP-addresses.
- Privacy Enhancing Technologies (PET) for mobile and ubiquitous devices. Privacy aspects are mostly ignored in the design of today’s mobile devices. In the future, this may lead to a decreased acceptance of new technologies. Research must find new ways of how to retain the
privacy of mobile users, e.g. by extending the P3P standard or using PETs like identity management for mobile and ubiquitous devices.
- Development of new, secure software architectures to permit a secure and usable interoperability between heterogeneous systems by spontaneous networking.

Conclusions

“Usability and Security” is interdisciplinary and consists of very different approaches and research aspects. Experts from the areas of usability, IT security, and software engineering are involved. Furthermore, the research requires the co-operation of academic and industrial partners because of its closeness to the practical development of gadgets, firmware, and applications. Thus, we propose a Network of Excellence “Usability and security, especially of mobile systems”.

References

[JeGe2000] Uwe Jendricke and Daniela Gerd tom Markotten. Usability meets Security - The Identity-Manager as your Personal Security Assistant for the Internet. In Proceedings of the 16th Annual Computer Security Applications Conference, December 2000. ISBN 0-7695-0859-6. http://www.acsac.org/2000/papers/90.pdf

[Ge2002] Daniela Gerd tom Markotten. User-Centered Security Engineering. In Proceedings of the fourth EurOpen/USENIX Conference - NordU2002, February 2002.

[WhTy1999] Alma Whitten and J.D. Tygar. Why Johnny Can't Encrypt: A Usability Evaluation of PGP 5.0. In Proceedings of the 8th USENIX Security Symposium, August 1999. http://www.cs.cmu.edu/~alma/johnny.pdf

[ZuKrMu2001] Alf Zugenmaier, Michael Kreutzer, and Günter Müller. Location Addressing: Technical Paradigm for Privacy and Security in a Ubiquitous World. Technical report, Hitachi, August 2001.

27) Christian Jensen

TCD

Secure Collaboration in Global Computing Systems

SECURE is a newly started IST project, which addresses secure collaboration among computational entities in emerging global computing systems. The properties of these systems introduce new security challenges that are not adequately addressed by existing security models and mechanisms. The scale and uncertainty of this global computing environment invalidate existing security models. Instead, new security models have to be developed along with new security mechanisms that control access to protected resources.

The past decade has seen the globalisation of the information and communication infrastructure. At the same time, distributed systems have grown from company-wide networks to include global federations of independent and separately managed systems, e.g., the Internet. Computing and communication capabilities are increasingly embedded into everyday objects; this means that we will soon be able to interact with billions of “intelligent” devices whose owners we do not know and which we should not necessarily trust. The scale of such global computing systems means that security policy must encompass billions of potential collaborators. Mobile computational entities are likely to become
disconnected from their home network, which requires the ability to make fully autonomous security decisions; they cannot rely on a specific security infrastructure such as certificate authorities and authorisation servers. Although a public key infrastructure may be used to reliably establish the identity of other collaborators, this identity conveys no a priori information about the likely behaviour of the principal. Identity alone therefore cannot be used for access control decisions, i.e., all participants are virtually anonymous. This fact excludes the use of most access control mechanisms currently in use on the Internet.

The dynamism of global computing systems means that computational entities which offer services will be confronted with requests from entities that they have never met before; mobile entities will need to obtain services within environments that are unfamiliar and possibly hostile. A party faced with such a complex world stands to benefit, but only if it can respond to new entities and assign meaningful privileges to them. The challenges faced by mobile entities in a global computing system are not unlike those faced by human beings confronted with unexpected or unknown interactions with each other. Human society has developed the mechanism of trust to overcome initial suspicion and gradually evolve privileges. Trust has enabled collaboration amongst humans for thousands of years, so modelling trust offers an obvious approach to addressing the security requirements faced by the global computing infrastructure.

Trinity College Dublin leads the SECURE project, which aims to develop a new trust-based security model for global computing systems; other partners in the SECURE project are: the universities of Aarhus, Cambridge, Geneva and Strathclyde.

The aim of the SECURE project is to develop a formal model in which trust relationships may be established on the basis of interaction between entities, together with a security mechanism expressed in terms of the trust model. Trust is an elusive concept that defies stringent definition. However, we conjecture that a notion of trust can be realised in sufficient detail to be operational for a specific purpose, namely as the underlying principle for a security mechanism applicable in a global context.

Trust has been proposed as a mechanism for reducing risk in unknown situations. The explicit use of trust as a defining principle for security models and policy specification makes trust relationships among entities explicit. Trust thus becomes the commodity that allows an entity facing an interaction in an unfamiliar environment to weigh the risks associated with particular actions. Conventional security mechanisms express policy in terms of the privileges allocated to individuals; role-based access control introduces a level of indirection, in which privileges derive from roles, and policy determines which individuals may enter each role. In either case the mapping from the trust model to the risks inherent in the allocation of privileges is implicit. SECURE proposes to establish a trust-based security model in which computational entities interact on a basis of (mutual) trust.

Interaction between entities may take many different forms. It is worth looking at one form of interaction in more detail. Suppose that a mobile entity needs to obtain a service from another entity within an unfamiliar environment. The entity that offers the service can identify the potential client, but its attributes and probable behaviour are unknown. We assume here that the functions of the service are categorised and their
integrity protected by role-based access control. The service allows the potential client to enter role(s) on the basis of their mutual trust. The client can then make use of one or more of the functions of the service. This may place the client under an obligation, for example to make a micropayment. When the interaction is complete each party records their experience of it, which will include information about the behaviour of the other.

The experience recorded by the service can be used in at least three ways. First, the service performed some function for the mobile entity on the basis of trust alone; the service can learn from the interaction to evolve the mapping between trust and role. Second, the record can be transferred to the mobile client, which can use it as a recommendation when approaching other entities. Finally, the record is available as evidence to modify the reputation of the mobile entity. The accumulation of such experience is what allows trust to evolve. Trust is individually formed through an entity’s observations of the behaviour of other entities; this allows interaction with unknown entities without prior configuration, a fundamental requirement for security in the global computing environment.

In the scenario above we pictured a mobile client interacting with some service, but the essential feature is that the properties of each entity are unfamiliar to the other. The mobile entity will write its own account of the interaction, and may as a satisfied user offer it to the service. That record provides an alternative account of the interaction, and the combination of the two gives a lot of potential information. Implicitly this scenario presents a rosy picture of a successful interaction, but a lot of things may go wrong. For example, the service may be performed imperfectly, or the client may default on the payment in some way. Worse, the two entities may in fact be in collusion, and present fictitious but consistent accounts of the interaction in order to boost their joint reputation in the world at large.

The research presented above is defined in the context of collaboration among mobile users and intelligent devices in a global computing infrastructure. However, it is equally applicable to all areas with great risk and uncertainty and where it is difficult to establish a meaningful identity of other entities, e.g., Internet collaboration, peer-to-peer networks, smart environments and e-commerce.

SECURE is a Future and Emerging Technologies project supported by the European Commission under contract IST-2001-32486.

Please contact:
Dr Christian Jensen
Department of Computer Science, TCD
+353 1 608 24 59
E-mail: [email protected]
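The interaction scenario in the contribution above, worked through as an added example; it is not code from the SECURE project, whose trust model is not given on this page. The Beta-mean trust score, the role thresholds and the rule that discounts a recommendation by the receiver's own trust in its issuer are assumptions chosen for illustration, and all names are hypothetical.

```python
from dataclasses import dataclass, field

# Assumed policy (hypothetical values): minimum trust needed to enter each
# role, checked from the most to the least privileged role.
ROLE_THRESHOLDS = [("premium", 0.85), ("standard", 0.65), ("guest", 0.0)]


@dataclass
class Experience:
    """Outcomes one party has recorded about another."""
    good: float = 0.0
    bad: float = 0.0

    def trust(self) -> float:
        # Assumed scoring rule: mean of a Beta(good + 1, bad + 1) distribution.
        # A stranger scores 0.5; evidence moves the score towards 1.0 or 0.0.
        return (self.good + 1) / (self.good + self.bad + 2)


@dataclass(frozen=True)
class Recommendation:
    """Experience record issued by a service and carried by the client.
    Authenticity of the record (e.g. a signature) is not modelled here."""
    issuer: str
    subject: str
    good: int
    bad: int


@dataclass
class Service:
    name: str
    clients: dict = field(default_factory=dict)  # client id -> Experience
    issuers: dict = field(default_factory=dict)  # issuer id -> Experience

    def record(self, client: str, fulfilled: bool) -> None:
        """Record whether the client met its obligation (e.g. the micropayment)."""
        exp = self.clients.setdefault(client, Experience())
        if fulfilled:
            exp.good += 1
        else:
            exp.bad += 1

    def recommend(self, client: str) -> Recommendation:
        """Hand the accumulated record to the client as a recommendation."""
        exp = self.clients.get(client, Experience())
        return Recommendation(self.name, client, int(exp.good), int(exp.bad))

    def issuer_weight(self, issuer: str) -> float:
        # Assumed discount: an issuer this service knows nothing about
        # (trust 0.5) gets weight 0, so colluding strangers cannot raise
        # each other's standing with fictitious but consistent records.
        t = self.issuers.get(issuer, Experience()).trust()
        return max(0.0, 2 * t - 1)

    def trust_in(self, client: str, recommendations=()) -> float:
        """Combine own observations with discounted recommendations."""
        own = self.clients.get(client, Experience())
        merged = Experience(own.good, own.bad)
        for rec in recommendations:
            if rec.subject != client:
                continue  # a record about somebody else proves nothing
            w = self.issuer_weight(rec.issuer)
            merged.good += w * rec.good
            merged.bad += w * rec.bad
        return merged.trust()

    def role_for(self, client: str, recommendations=()) -> str:
        """Map trust to the most privileged role whose threshold is met."""
        t = self.trust_in(client, recommendations)
        return next(role for role, minimum in ROLE_THRESHOLDS if t >= minimum)


if __name__ == "__main__":
    shop = Service("print-shop")
    print("stranger:", shop.role_for("alice"))
    shop.record("alice", True)
    shop.record("alice", True)
    print("after two fulfilled obligations:", shop.role_for("alice"))
    shop.record("alice", False)
    print("after one default:", shop.role_for("alice"))
```
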

28) Simon Jones

Loughborough University

INTEGRATED ARCHITECTURES FOR TRUST AND SECURITY

ARM/Royal Academy of Engineering Research Professor in Embedded Microelectronic Systems
Loughborough University, United Kingdom
[email protected]
Tel: +44 1509 227066
Fax: +44 1509 227107
May 2002

The design and implementation of hardware structures to support trust and security appears a neglected area. This appears to be an omission given that the provision of effective and efficient circuit and processor level constructs provides atomic and highly tamper-resistant mechanisms for key trust and security operations. Currently, designs such as ARM’s Securecore provide useful functionality, but represent a valid, useful, but constrained approach to security based on incremental improvements on existing designs. While this is an important approach, the demands of complex, highly fluid networks argue that the design of secure processor cores and smartcards would be better served by a ground-up approach which identifies the systemic and architectural requirements for future cores from a trust and security perspective and hence results in a core design developed from fundamental requirements.

As part of a 15-strong research group in this area, we are currently involved in 2 relevant areas of research:
- The study, analysis, design and implementation of innovative hardware architectures based on existing processor cores to support secure and trustable systems
- The proposal, design and analysis of new processor architectures whose fundamental design requirements are driven by the support of security in highly-agile networks rather than an add-on to existing designs.

We have a large thriving research group, well connected with leading CPU design teams in this area, and have clear and recognised competencies in advanced hardware architecture design and implementation.

29) Sokratis Katsikas

University of Aegean

Information & Communication Systems Security Education

Prof. Sokratis K. Katsikas
Director, Information & Communication Systems Security Lab.
Dept. of Information & Communication Systems Engineering
University of the Aegean
Karlovassi GR-83200, Greece
[email protected]

In the past few years we have been witnessing an exponential growth and proliferation of Information and Communication Technologies, in every aspect of our everyday life. This phenomenon leads us to what has been very successfully termed the “Information Society”. The fact that in Europe this term is used, in contrast to the term “the net” used in the US, is not accidental, but reflects the increased sensitivity of Europeans to the social aspects of the phenomenon, in comparison to the more technocratic perception of the same phenomenon that holds true in the US. The Information Society changes dramatically the way we live, we work, we learn, we entertain ourselves. This fact has been widely accepted and social scientists have already started focusing their efforts on identifying and fulfilling (or facing) the new needs that the new form of society will create. However, beyond the new social needs, the new form of society – because it is based on a new technological background – is expected to also create increased needs for information security and data protection. Experts in these fields have also identified this need and have been focusing their efforts towards developing the appropriate technological, legal and regulatory frameworks.

A significant problem appearing in this process is the fact that all frameworks (regardless of their kind) that attempt to regulate information security are very much dependent on the cultural identity of the individuals comprising the team that is the subject (or the originator) of the framework. This also explains the (significant) deviations of the relevant legislation and regulations that have been adopted within the EU, despite the abundance of relevant directives, recommendations and guidelines. It is, therefore, evident that as we move closer to the realisation of the Information Society, attempts towards minimising (and eventually eliminating) these deviations must intensify, so that future European citizens will have a unified concept of information security, regardless of their – possibly – different cultural characteristics.

It is well known that education is a most significant means for smoothing cultural differences. This is the main raison d'être of this proposal for organising and co-ordinating educational and research activities in the field of Information and Communication Systems Security at a European level – and beyond. This activity is only part of and fits naturally into a more generic framework of activities of the core of the participating institutions. These activities were initiated eight years ago; they comprise development and carrying out of joint intensive education programmes, joint research projects, joint development of teaching material, joint development and implementation of curricula, etc. and have been supported financially by several EU programmes.

This proposal formally establishes, in the form of a Network of Excellence, existing co-operation between most of the participating institutions. It must be stated here that even though a number of international industrial associations are active in the field, only one international working group (IFIP WG 11.8) deals with issues related to security education. Many of the members of IFIP WG 11.8 are also participating in this proposal. Moreover, even though the number of formal education programmes in the field of Information and Communication Systems is rising, it still remains unacceptably low compared to the stated needs of the industry. Indeed, there is very high demand in industry for professionals trained in Information and Communication Systems Security and a very limited number of formal education opportunities in the field, in the form of postgraduate programmes. Moreover, it is clear today that all Computer Science, Informatics and related subjects students should at least be exposed to one or two courses in the field of Information and Communication Systems security; however, there is a clear lack of expertise on the part of European Universities for meeting these minimum requirements. This is partly due to the fact that Information and Communication Systems Security is an interdisciplinary field, comprising aspects of cryptology, networking, operating systems, databases, hardware, human factors, law, management etc.

To summarise, there is still significant need for co-operation and collaboration of Universities and industry in the field of Information and Communication Systems Security, with a view towards increasing European cohesion in the respective studies; establishing links and fostering co-operation with industry; monitoring the needs of society and industry in information and communication systems security education; developing, maintaining and disseminating European-wide curricula and intensive programmes in the field.

It should be noted that European Universities were active in the field of security education long before their American counterparts were. However, the “Security Education Centres of Excellence” initiative of the US, which already comprises 14 top American Universities and is being generously funded by the federal government, indicates both the significance of such activities and strategic partnerships and the need for maintaining these at European level, if Europe is to remain at the forefront of developments in the specific field.

In view of the needs identified above, the proposed NoE aims at:
- Maintaining and expanding an existing network of co-operating Universities in the interdisciplinary field of information and communication systems security;
- Expanding this network to include industrial participation, as well as other parts of society (e.g. citizens associations), thus stimulating the development and establishment of co-operative and collaborative bonds among them;
- Formulating a mechanism for the continuous monitoring of change (social, technical, financial) that occurs, mainly in Europe, with a view towards identifying the directions towards which higher education programmes in the field of information and communication systems security should move;
- Maintaining and disseminating the results of the activities that have already been successfully concluded by the participating institutions within EU programmes.

Towards achieving the objectives above, the following indicative activities will be undertaken:
- Establishment of an international scientific association in the field of Information and Communication Systems Security
- Enhancement and extension of staff exchanges between participating institutions
- Development of new (or modification of existing) intensive programmes in the field of Information and Communication Systems Security, that will address the needs of the society and of industry in training experts in Information and Communication Systems Security
- Establishment of the European Observatory for Information and Communication Systems Security Education
- Maintenance and dissemination of the results of previous activities of the participating institutions, that have been developed under EU and/or national funding. Indicative examples of such results are:
  - a complete MSc curriculum on Information and Communication Systems Security, of one year’s duration, formulation of multimedia teaching material and formulation of teaching material suitable for off-line, web-based delivery of the courses, and
  - an intensive programme on Information and Communication Systems Security, of two weeks’ duration, formulation of multimedia teaching material and formulation of teaching material suitable for off-line, web-based delivery of the lectures.

30) Paul Kearney

Btexact Technologies

Position Statement to be presented at the Consultation workshop related to Trust and Security, 30th May 2002, Brussels

Paul Kearney
Security Research Group Leader, BTexact Technologies
B61-MH pp2/4, BT Adastral Park
Martlesham Heath, Ipswich IP5 3RE, UK
[email protected]

Disclaimer: This position statement presents personal views and should not be taken as the official position of BTexact Technologies or BT Group.

Introduction

Development of a coherent framework for security and trust for the future global information and communication system is a significant challenge requiring a large-scale coordinated activity across technical, service provider and end-user communities. Effective security requires many interlocking elements to mesh together, so an integrated approach is vital. The new Integrated Project instrument presents an excellent opportunity to build a programme on the required scale and breadth of vision.

Motivation

Traditionally, information systems are seen as networks of computers linked by communication channels. The conventional approach to information security has been to establish protective barriers around trusted domains within the larger information system, to apply control measures limiting access to these domains and also restricting communication flows crossing the domain boundaries, and to provide secure communication channels linking trusted domains. Current trends and developments are placing this model under strain. Even within a single company of modest size, it is difficult to manage the internal network as a unitary trusted domain. In the future it will be increasingly difficult even to draw a clear boundary around the company's resources and user base. The following are highlighted as significant factors behind this prediction:

- Increasing use of hosted services, including application services, web servers and data storage/management
- The growing weight of support behind emerging XML-based standards for web services (SOAP, UDDI, WSDL, etc.) and collaborative e-business (ebXML, RosettaNet, etc.). These will allow business processes and the systems that support and implement them to be connected across company boundaries in a very direct way.
- Grid computing technology and associated 'utility computing' models. These are loosening the connection between software and the hardware it executes on. Essentially, Grid technology enables computing and storage resources to be federated in a dynamic way to form flexible ad hoc virtual super computers. Utility computing evokes the image of processing capability being available on tap in much the same way as electricity or water.

In particular, the emerging XML-based standards are likely to unleash an avalanche of disruptive changes. There is a considerable backlog of R&D results that have been maturing for some time, but depend upon inter-operability for their effective exploitation. The consensus around the new generation of standards looks like providing the required level of interoperability.

General approach

[Figure: layers of the global information system. Labels: Collaborative applications; Web services; Internet + Grid; Devices and comms]

It is useful to look at the global information system as a series of layers. Each layer is a network, with higher level networks being composed of more abstract entities. One plausible set of layers is (from the bottom up):

1. The network consists of computers and other electronic devices connected by communication channels.
2. The network consists of virtual computational and data resources. The way these map onto layer 1 is complex and dynamic, e.g. making use of GRID and network storage technology.
3. This is a dynamic network of functional components providing and using services and interacting using XML-based web service standards (SOAP, etc.).
4. Here the network concerns people and organisations engaged in collaborative activity (communities of interest, supply chain partnerships, etc.).

The primary security issues of confidentiality, integrity and availability manifest themselves differently in each layer, and different solutions are required. However, these solutions also need to mesh seamlessly across layers as well. Layer 1 research would include consideration of new network technologies (e.g. ad hoc networks) and integration of different types of network (e.g. fixed / mobile / WLAN / LAN integration).

Shape of the project

It is envisaged that the integrated project would include a number of sub-projects focusing on:
- Security solutions within a layer
- Integration across layers
- 'Vertical' end-user driven application oriented sub-projects

In some cases, specialised topics may merit becoming projects in their own right, in which case the Integrated Project could play an 'umbrella' role. The project would benefit from a wide mix of participants including: end-user organisations, security specialists, network operators, computer/electronic device manufacturers, content providers, hosted service providers. Because of the scale of the project and the somewhat open-ended objectives, a rolling programme (proposed as one of the possible models for IPs) might well be appropriate.

31) Helmut Kurth

@sec Contribution to the Workshop on Trust and Security Helmut Kurth atsec information security GmbH

This statement presents my personal view on one aspect of Trust and Security and why this is important for the provision of information services. There are several other aspects that also need to be addressed. But at this time I want to focus on the aspect of “Information Security Management”.

We all know that our dependency on information services will grow. We also know that those services will get more and more complex, which makes it very hard to get the required level of confidence that the service is provided with the required level of security. Technical security features are just one aspect of the picture, the control and management of the security of a service is another one. I will not talk about specific technical security features today, but concentrate on the control and management aspects.

Questions that any service provider should ask himself every day are:

1. Are the systems that are involved in providing the service configured such that the security is not compromised?
2. Have any problems been recently identified that can have an impact on the security of the service?
3. Are all the procedures in place that are necessary to support the technical security features to provide the service with a defined level of security?
4. Are all the security measures monitored in an appropriate way such that problems can be identified at an early stage?
5. Would it be noticed if the service is under attack?
6. Have all the necessary incident management and escalation procedures been defined and are they used in the case of an incident?

These are just some of the questions that should be addressed by a Security Management System. With the increasing dependency on information services the answers to those (and similar) questions become more and more important. Information Security Management is viewed as important but integrated Information Security Management systems are not yet something that is widely established and used in the industry.
One of the problems here that I want to address is the lack of good supporting tools for Information Security Management. In most cases service providers rely heavily on manual procedures that are known to be not very reliable. My strong suggestion therefore is to develop more sophisticated tools that support the management of the security of information services. Just two examples:

Example 1: Today there are a lot of sources on the Internet that publish new vulnerabilities of products. They all do this in their own, unstructured way. Some effort has been undertaken in the US to establish a database with a description of those vulnerabilities (CVE operated by Mitre) but the entries in this database still lack some important information and are hard to process in an automated way. As a result a large number of “CERT” teams have been established that analyse those vulnerability reports and send out warnings. The problem is: They usually don’t know who needs to be informed because he is operating the product where the vulnerability has been reported. As a consequence many system administrators are flooded with messages about vulnerabilities of products they are not interested in. In my view this is an area where research should help to define commonly accepted criteria for the description of vulnerabilities as well as a format for the description that can be more easily used by automated tools. On the basis of this, automated tools for the information of system administrators should be developed.

Example 2: Another problem area is the detection of attacks and intrusions. Today a lot of IDS tools exist, which nevertheless are not very useful. The basic problem of those tools is their lack of “knowledge” if specific systems are vulnerable to specific attacks. As a result those tools generate a lot of irrelevant alarms. What is required here is the enhancement of those tools with the knowledge about the configuration and vulnerabilities of the system components that contribute to the provision of a service.
One has to keep in mind that it is not always possible to remove all known vulnerabilities but one has to accept them since otherwise the service cannot be provided or needs to be restricted. These are just two examples where additional tools are required for an efficient management of security within the provision of information services. Those tools will be essential for the efficient management and are in my opinion as important as the technical security measures most research and development efforts in the area of security have been spent on in the past. My suggestion is therefore to set up projects for the definition and development of tools that assist in the efficient management of security for service providers.
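The two tool ideas in this statement, advisories in a machine-processable format that are routed only to administrators who operate the affected product, and IDS alarms ranked against known configuration and vulnerabilities, can be sketched together. This is an added example, not part of the contribution; the record fields, product names, advisory identifiers, addresses and signature names are all constructed assumptions.

```python
"""Route structured vulnerability advisories to the right administrators and
rank IDS alerts by whether the targeted host is actually vulnerable.
All records below are constructed sample data, not real advisories."""
from dataclasses import dataclass, field


def parse_version(text):
    """'2.4.10' -> (2, 4, 10), so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


@dataclass(frozen=True)
class Advisory:
    adv_id: str      # placeholder identifier (constructed)
    product: str     # normalised product name shared with the inventory
    fixed_in: str    # first version that is no longer affected
    signature: str   # IDS signature name for attacks on this flaw


@dataclass
class Host:
    name: str
    admin: str
    software: dict                               # product -> installed version
    accepted: set = field(default_factory=set)   # advisories left unpatched on purpose


def is_affected(host, adv):
    installed = host.software.get(adv.product)
    return installed is not None and parse_version(installed) < parse_version(adv.fixed_in)


def route_advisory(adv, hosts):
    """Return {admin: [host names]} for administrators running an affected version."""
    recipients = {}
    for host in hosts:
        if is_affected(host, adv):
            recipients.setdefault(host.admin, []).append(host.name)
    return recipients


def triage_alert(alert, hosts, advisories):
    """Classify one IDS alert using inventory and vulnerability knowledge."""
    host = next((h for h in hosts if h.name == alert["target"]), None)
    if host is None:
        return "unknown-host"            # inventory gap: keep for a human, do not drop
    matching = [a for a in advisories if a.signature == alert["signature"]]
    if not matching:
        return "unknown-signature"       # no vulnerability mapping: cannot be ranked
    hit = [a for a in matching if is_affected(host, a)]
    if not hit:
        return "not-vulnerable"          # product absent or already at a fixed version
    if any(a.adv_id in host.accepted for a in hit):
        return "vulnerable-accepted-risk"  # known, unremovable weakness under attack
    return "vulnerable"


# Constructed inventory and advisory feed.
HOSTS = [
    Host("web01", "alice@example.org", {"examplehttpd": "2.4.9"}),
    Host("web02", "alice@example.org", {"examplehttpd": "2.4.12"}),
    Host("legacy01", "bob@example.org", {"examplehttpd": "2.2.3"}, accepted={"ADV-0001"}),
    Host("mail01", "carol@example.org", {"examplemail": "1.0.0"}),
]
ADVISORIES = [Advisory("ADV-0001", "examplehttpd", "2.4.10", "HTTPD-CHUNK-OVERFLOW")]

if __name__ == "__main__":
    print(route_advisory(ADVISORIES[0], HOSTS))
    for target in ("web01", "web02", "legacy01", "mail01", "db09"):
        alert = {"signature": "HTTPD-CHUNK-OVERFLOW", "target": target}
        print(target, triage_alert(alert, HOSTS, ADVISORIES))
```

Alerts classified as unknown are kept apart from the not-vulnerable ones, because they point at a gap in the inventory or in the advisory data rather than at a false alarm.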

32) Legand Patrick

PROPOSED OBJECTIVES TO SECURITY ACTIVITIES IN FP6

Keywords: e-Business, cross-certification, digital signature

The development of e-Business, e-Government and e-Work brings new constraints on world-wide information systems infrastructures, especially in the ability to handle online business transactions on cross-organisation / cross-border relationships (financing, banking, contracting, virtual arbitration, mediation, conflict resolution…), with a high level of trust. The necessary provision of electronic authentication of transmitted documents, proof of origin, time stamping, non-repudiation, integrity services, needs frameworks for the legal recognition and usage of electronic signatures, in a multi-jurisdictional environment.

As one can see on the market and, to a certain extent, on some already proposed European pilots willing to demonstrate such cross-border interoperable e-Work solutions, hierarchical certification architectures have mostly been adopted to date by vendors and service providers all around the world. The management of digital certificates for public keys is performed from a hierarchy of subordinate Certificate Authorities (CAs) which depends on a root-CA, generally owned by a Certification Service Provider (CSP), a company which provides the service (Verisign, Thawte, PwC…). Within a hierarchical model, a trust path between two users involves all CAs from one user up to the first CA which has both users within its sub-tree, and all CAs down another branch of this sub-tree to the other user.

If such a trust model has fully demonstrated its efficiency and its ability to respond to a growing demand, it is not really satisfactory with respect to the governments or business industry interests: a government will never accept that the credentials could be handled by a foreign nation, or a business entity cannot accept that its credentials are handled by an external organisation (which may act as a competitor or may have links to competitors), just because it provides the service, and not because it is a “trusted” organisation.
In addition, considering that enterprise-to-enterprise relationships also need confidentiality (establishment of secure communication channels between parties, document / mail encryption…), the development of e-Business is limited to the level of trust an organisation grants to the one which manages its certificates. It is likely that considerable e-Market opportunities will be missed while companies, organisations, nations in general are not totally free to independently manage their own keys when a peer-to-peer business link is initiated.

To respond to this requirement, security standards and protocols have defined – and research activities and vendors have already developed – cross-certification methods that enable, typically by cross-certification between the root-CAs of each autonomous administrative domain, verification of the trustworthiness of a user’s certificate issued and signed in another separate domain. Typically, a CSP accredited in one domain (country, business organisation, association…) is able to cross-recognise a CSP of another domain, without any administrative link.

Unfortunately, despite the availability of the technology and several national and international initiatives from vendors and standard bodies (PKI Forum Technical Work Group…), cross-certification trust models have not been fully deployed yet. This is due to several reasons: still existing open issues might be taken into consideration (end to end encryption…), existing non-interoperable solutions between PKI vendors, a large availability of hierarchical CAs infrastructures, etc.

Considering the diversity of the European states and the high level of collaboration needed among the European organisations and institutions, Europe is certainly a right place to develop a network of “trusted” CSPs that would provide cross-certification services, at least at the country level or at the enterprise level.
As such, Europe – FP6 could be an efficient framework to achieve this objective – should encourage the deployment of open cross-certification trust models, by putting in place e-Business pilots that would make use of such certificate infrastructures, providing a high degree of reliability in managing the community of trust. The objective is not to look at interoperability between products supplied by different vendors (several domains could use the same technology), but to set up and experiment with a new method of work, demonstrate and validate the feasibility and the efficiency of such multi-security domains for future e-Markets developments.
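The trust path described in this contribution for the hierarchical model, and the way a cross-certificate between root-CAs joins two otherwise separate hierarchies, worked through as an added example that is not part of the contribution. The CA and user names are constructed, and only the chain of issuers is computed; no signatures are checked.

```python
"""Trust-path construction in hierarchical and cross-certified PKIs.
Names are constructed sample data. The result is the list of entities whose
certificates a relying party would have to validate, in order."""


def chain_to_root(entity, issuer_of):
    """Return [entity, its CA, ..., root CA] by following issuer links."""
    chain = [entity]
    while chain[-1] in issuer_of:
        nxt = issuer_of[chain[-1]]
        if nxt in chain:
            raise ValueError("issuer loop at " + nxt)
        chain.append(nxt)
    return chain


def trust_path(user_a, user_b, issuer_of, cross_certs=frozenset()):
    """Path user_a has to validate in order to trust user_b's certificate.

    cross_certs holds (issuing_root, certified_root) pairs: the first root has
    signed a cross-certificate for the second. Returns None if no path exists.
    """
    up = chain_to_root(user_a, issuer_of)
    down = chain_to_root(user_b, issuer_of)
    # Hierarchical case: climb from A to the first CA that also has B in its
    # sub-tree, then descend the other branch to B.
    for i, ca in enumerate(up[1:], start=1):
        if ca in down[1:]:
            j = down.index(ca)
            return up[:i + 1] + down[:j][::-1]
    # Separate hierarchies: A's root must have cross-certified B's root.
    root_a, root_b = up[-1], down[-1]
    if (root_a, root_b) in cross_certs:
        return up + down[::-1]
    return None


# Constructed example: two autonomous domains, each with its own root-CA.
ISSUER_OF = {
    "alice": "CA-Sales", "carol": "CA-Sales", "bob": "CA-Eng",
    "CA-Sales": "Root-X", "CA-Eng": "Root-X",
    "dave": "CA-Y1", "CA-Y1": "Root-Y",
}
# Root-X has cross-certified Root-Y, but not the other way round.
CROSS = frozenset({("Root-X", "Root-Y")})

if __name__ == "__main__":
    print(trust_path("alice", "carol", ISSUER_OF))        # same issuing CA
    print(trust_path("alice", "bob", ISSUER_OF))          # via the shared root
    print(trust_path("alice", "dave", ISSUER_OF))         # no link between domains
    print(trust_path("alice", "dave", ISSUER_OF, CROSS))  # via the cross-certificate
    print(trust_path("dave", "alice", ISSUER_OF, CROSS))  # one-way only
```

The last call returns no path: a cross-certificate is directional, so each domain decides for itself whether to recognise the other.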

33) Daniel Le Métayer

Trusted Logic IST FP6 Trust and security workshop Trusted Logic contribution Daniel Le Métayer [email protected]

Because of the pervasive penetration of IT technologies in our society and their impact on everyday life, it is of prime importance to be able to deliver appropriate solutions to ensure they don’t put the security (confidentiality, integrity, privacy, etc.) of user assets at risk. It is our view that the two most important challenges to be met to reach this goal are “compositionality (w.r.t. security)” and “security evaluation”:

1. Compositionality is required because modern systems are extremely complex and this complexity can only be mastered through well defined architectures and reusable components. Compositionality has already received a lot of interest in the software engineering community in the past but considering it in the context of security introduces a considerable change of focus, with new problems and new opportunities.
2. Security evaluation is a necessary step for increasing trust in IT systems. Evaluation criteria (Common Criteria for security) have been defined and they are now used for critical components (typically credit cards or identity cards). Much progress has still to be made however to decrease the cost of evaluations (and thus generalise their practice) and provide better estimations of the level of guarantee that they provide (added value).

The common feature of the above topics is that they both represent technical challenges requiring new research investments and significant business opportunities. We mainly focus on technical issues in this document.

1. Compositional development of secure systems

Among the new challenges introduced by security in terms of compositionality, let us mention the following:

• Global security architecture: security is by essence a global notion, it is thus necessary to get a global understanding of the role and responsibilities of each actor and component of an IT system as well as their possible interactions.
This step is a prerequisite for designing secure architectures; it is also the necessary basis to address legal issues such as non repudiation. Last but not least, it provides the arguments needed to justify the security guarantees required for each component and the separation of the valuable pieces of information (e.g. user assets) among the components of the architecture.

• Security specification of the components: components of the architecture should be characterised, not only in terms of their functionalities but also with respect to their security requirements and commitments (“security contract”). Such specifications can be used to prepare the selection and assembling of components on a given platform when specific security requirements have to be achieved (e.g. secure provisioning of open platforms). Ideally, each component should be developed together with its security evaluation documents to prepare the evaluation of the integrated system (see Section 2).

• New security components have to be proposed, specified, developed and interfaces have to be standardised (interoperability issues). Such key security components should include validation tools for secure application downloading, integrity, confidentiality, privacy APIs, etc. In other words, security should go beyond cryptography.

• Security administration of large systems is a complex problem, where new solutions are badly needed. Among the issues involved, let us mention: remote management of security, configuration, user-control security (need to define security policies and ensure that they are properly understood by the users), balance between security and ease of use, user privacy in a global electronic environment, etc.

Further R&D investment on these topics will make it possible to provide the new methods and new tools that are required to develop secure systems at acceptable costs.

2. Security evaluation

Applying good software engineering practices is a good starting point for the development of secure systems. It is not quite sufficient for security critical components though: security also needs to be evaluated (with the evaluation ultimately leading to the delivery of a security certificate). The Common Criteria for security are a widely used standard for security evaluations (ISO/IEC IS 15408). They represent the outcome of long term efforts to define criteria for security evaluations. They should thus be taken as a basis for any further work on security evaluation.
But the Common Criteria are far from answering all the needs for the evaluation of modern IT systems. Among the most important R&D issues for the next decade, we stress the following:

• Compositional evaluation: as mentioned in Section 1, large systems will be based on components which have been developed and possibly evaluated independently. But the question of the compositional evaluation of large systems is left open in the Common Criteria. New methodologies have to be proposed and instrumented for compositional evaluations.

• Heterogeneous systems: large systems introduce another source of complexity, which is tied to the fact that the components of the architecture may be evaluated at different assurance levels. A related question is thus the evaluation of heterogeneous systems.

• Modelisation and justification of the assurance levels: the seven assurance levels of the Common Criteria are based on increasing levels of rigour and details in the required documents (the upper levels involving the use of formal methods and formal proofs). But no underlying security and assurance model is available to justify these levels and ensure that they provide uniform sets of requirements. In addition to justifying assurance levels, such models would make it possible to characterise the guarantees provided by an evaluation at a given level (thus helping decision makers to opt for the appropriate level considering their product environment, estimated risks and business impact). They could also be used to justify the need for a given technique (at a given level) and to argue about the complementarity of the different techniques (functional testing, semi-formal and formal verification, vulnerability analysis, etc.).

• Instrumentation: last but not least, it is of prime importance to provide innovative tools to implement methodologies because it is the only way to decrease evaluation costs, and thus the overall cost of secure products. Such tools should cover risk analysis, security analysis and development, validation (testing, verification, etc.).

Contact: Daniel Le Métayer, Trusted Logic, 5 rue du Bailliage, 78000 Versailles, France
Email: [email protected] Tel: +33 1 30 97 25 14 Fax: +33 1 30 97 25 19 http://www.trusted-logic.fr

34) Carlo Marchetti

University of Rome

Roberto Baldoni, Carlo Marchetti, Sara Tucci Piergiovanni
Dipartimento di Informatica e Sistemistica, Università di Roma “La Sapienza”
Via Salaria 113, 00198 Roma, Italy
Email: {baldoni,[email protected]} Ph. +39-06-4991-8481 – Fax. + 39-06-8530-0849

Applying FP6 Instruments to Build Next-generation Middleware for Survivable Systems

The Information Society Technologies research programme in FP6 will concentrate on forward-looking high-risk research that is vital for developing the future generation of technologies, applications and services. Research will focus on technologies in which computers, interfaces and networks will be integrated into the everyday environment and will render accessible, through easy and "natural" interactions, a multitude of services and applications. This vision of "ambient intelligence" seeks to place the user, the human being, at the centre of the future development of the knowledge-based society [1].

A ubiquitous computing environment will be required to realise the vision of ambient intelligence; in such an environment processors will be everywhere and will be interconnected by a diverse array of networks, from ad-hoc to the global Internet. Constructing the software infrastructure - the next generation middleware - for ubiquitous computing environment poses a number of scientific and technical challenges. A recent Programme Consultation Meeting (PCM) report on Software Technologies, Services and Distributed Systems [3] stated that “there are many difficult problems to solve in systems and software infrastructures. Adaptability, reconfigurability, composability, reliability and security are some examples that pose hard problems”. Meeting such class of QoS requirements is made harder in a large scale, ubiquitous computing environment where new services and customised services are expected to be added into (existing) applications at an alarming rate.

In this complex framework, survivability plays a major role. Survivability is the last frontier of computer security; it means that, in addition to preventing an enemy from reaching your secret data, we make sure that you can reach it even in presence of malicious attacks. Current technologies from both industry and academia bear little vision for the scale and the widespreading that applications require, and often with no foresight of the need to survive failures caused by malicious penetrators. In fact, the usual view of the matter is that security and fault tolerance are added last, as an afterthought, and this never works well.

Another recent PCM report on Trust and Confidence in the Mobile Information Society [4] noted that “From a security infrastructure perspective, we will have a large number of networks forming and dissolving rapidly. Furthermore the terminals themselves while hopping frequently from network to network will remain permanently on-line exposing them to a wide range of attacks”. The PCM report went on to identify several hard problems, including “scalable security policies which enable appropriate and acceptable levels of security for a diverse environment with minimal user involvement”. The design of the next generation middleware meeting these challenges requires proper system structures and models. The ISTAG report on ‘Scenarios for Ambient Intelligence in 2010’ describes many application scenarios that strongly indicate the need for such middleware support [2]. In this framework the new “instruments” provided by FP6 (IP and NoE) can play a major role.

Current middleware technologies, such as CORBA, Java, EJB, Jini and Web Services, etc., are becoming increasingly popular for building both embedded and enterprise applications. Unfortunately, many of the middleware mechanisms and techniques are mostly in the practitioners' domain, and there has been very little research into the fundamental theoretical and design principles underlying the development of middleware. As middleware gains widespread adoption, it becomes essential to investigate, and to capture, the basics and the methodologies of middleware technologies.
It is also essential to extend these platforms to support survivable application development in large scale, open distributed systems. A Network of Excellence could help resolve the dichotomy among the research communities of system designers and developers, distributed systems, and system security. Tight interactions and exchanges among researchers of these large communities could lead to a common vision on next generation middleware services for large-scale systems. To be effective, such vision should capture many aspects of next generation middleware e.g. scalability, quality of service, manageability and programmability. Vision effectiveness and scale would turn into effective solutions.

Also, a devised Integrated Project could allow the actual integration of current middleware platforms technologies towards a deep understanding and knowledge of the fundamental building blocks for building survivable, composable, adaptable middleware services. There still exist several open issues in middleware that need to be addressed, while the diversity and the growth of middleware technologies increase the difficulty of this task. The scale of an IP project on next generation middleware would bring several positive effects and advantages ranging from the development of a standardized set of fine grained, well-defined services up to the discovery of new marketplaces and potential users, besides introducing new and flexible ways to design survivable applications.

References

[1] EU Document, Proposal for a Decision of the European Parliament and of the Council concerning the multiannual framework programme 2002-2006 of the European Community for research, technological development and demonstration activities aimed at contributing towards the creation of the European Research Area. Brussels, 21.2.2001 COM (2001).
[2] Final Report, Scenarios for Ambient Intelligence in 2010, The IST Advisory Group (ISTAG), February, 2001.
[3] Programme Consultation Meeting Report - Software Technologies, Services and Distributed Systems, June 2001.
[4] Programme Consultation Meeting Report - Trust and Confidence in the Mobile Information Society, May 2001.

35) Marin Lopez

Future wireless communications (4G) will enable powerful networks in ubiquitous environments, offering new services, and forcing the mixture of available wireless infrastructure elements to be used in a more transparent way. Body and personal area networks (BANs and PANs) are envisaged to be of great impact on our everyday activities, and to integrate in a seamless manner with traditional networks. To achieve a seamless integration of services, the protocols and applications should share a common view on discovery/advertisement, proxying/caching, invocation, authorization, authentication and trust model. 4G mobile services should be designed for the limited capabilities of pervasive devices like PDAs, handheld PCs, embedded computers and mobile phones. This fact leads us to the following propositions:

• cost/efficiency trade off with respect to partly limited bandwidth in the use of networks has to be addressed at the same level as the service management, via smart caching;
• personalisation is paramount for services, data and devices. User profiling and personal assistants are invaluable for the user and for ’value added’ companies; they should also be addressed at the same level as service management;
• adaption of user interfaces has to be considered for each individual device in order to efficiently communicate with services/people and to control/monitor other devices. Due to lack of standards and the completely different hardware and software properties like display size, loud speaker, voice recognition etc., content and control have to be individually adapted for each device, user and application.
• tamper-proof hardware crypto tokens (i.e. as smartcards) should be the base of the security and authentication demands including biometrical user identification (e.g., fingerprint and facial information) and authorization as well as profile management – multifunctional smartcards provide a basis for security in private networks as well as business networks in order to manage data with intellectual property rights.


• security requirements in this environment include among others the following: Single Sign-On (SSO), support for multidomain trust policies and authorization, cryptographic processing, secure application-based transaction management, and uniform credentials/certification infrastructure.

As mentioned, in ubiquitous networks, a mechanism is necessary to let users have seamless, transparent and trusted access to the network resources. The SSO mechanism lets a user perform only an initial authentication and authorisation in order to permit him access to resources, without the need to authenticate or authorise subsequent times. Deploying mechanisms such as SSO in this environment implies great complexity, and traditional authorisation solutions based on PKI authentication plus Access Control Lists (ACLs) have important scalability problems. To overcome this problem, a new generation of infrastructures is necessary, the Authentication and Authorisation Infrastructures (AAIs), to manage Attribute Certificates (ACs) and provide mechanisms for privilege delegation and revocation.

On the other hand, the discovery/advertisement phase is very important when nodes in a network can change their placing. An incoming node must find out where to connect to the net and should notify its position to the other members in the network. In the same way, an existing node should advertise to the world whether it is an access point to the net or not. These mechanisms become more involved when nodes are continuously in motion; then handovers and roaming aspects appear. In such scenarios where the involved parties are limited-capability devices, the minimization of bandwidth usage and computation is critical. Current works in other scenarios such as multicast security rekeying allow a node to join or leave a group with a minimum number of protocol messages.
These messages are intended to update the network state and to deliver a shared secret in order to achieve group privacy. We are interested in the development of multicast-like architectures and protocols for ubiquitous networks which enable secure discovery and advertisement messages using minimum bandwidth and computation resources.

Among the computation models, autonomous and collaborative agents are the best suited for such a heterogeneous environment. Despite its benefits, working with agents raises some serious security issues, especially if they are mobile agents. Protection of hosts from hostile code coming in a mobile agent can be achieved by suitable access control and protection on execution environment. Protection of agents while traversing untrusted networks can be performed by well-known cryptographic protocols. But there is no effective solution to protect the agent against a hostile site, i.e. the problem of malicious hosts, as it is known. Mechanisms to assure the integrity and privacy of agents have to be performed in ubiquitous environments in order to solve the problem of malicious hosts without losing the benefits of a mobile agent system.

In general, we are interested in the development of architectures and protocols for ubiquitous environments which enable user-centered services, especially in the aforementioned security requirements. There are a number of emerging networks beyond 3G that could benefit from an approach like ours, for example: mixed ad hoc/infrastructure networks, smart environments and sensor networks, networks providing location-dependent wireless services, home networks, infrastructure networks, spontaneous networks of people engaging in a common activity for work and leisure, smart spaces equipped with lots of cheap sensors and actuators, or networks of vehicles on the highway keeping track of each other and influencing each other for safety reasons.

There are plenty of potential application areas for this project including tourism, financial applications, ticketing/subscription, pricing, account charging, communities and entertainment, gaming, education, health care, collaborative work in virtual organisations, mobile support, remote monitoring and maintenance, private home networks, private data storage, knowledge management, advanced process control support, and enterprise applications.

36) Per Mellstrand

Blekinge Institute of Technol. Research Proposal Per Mellstrand

[email protected]

1.0 Introduction

Security is one of the most important aspects of all modern software systems. A perfectly functioning system that lacks proper security mechanisms is useless in many contexts. A problem today is the view of software system security in terms of bugs, vulnerabilities and fixes. I propose research on attributes of software security and methods that can be used to assess security attributes and improve software security.

2.0 Background

Some software systems have a reputation of being secure, others don’t have any particular reputation regarding security, and still others have a reputation of having bad, or no, security. The reputation a system has in regard to security is typically based on known vulnerabilities, version maturity and different people’s opinions. When we describe non-functional requirements of software we typically use terms such as performance, scalability and robustness. These are well-defined attributes, each of which describes a particular set of properties of the software system. As software security has mostly been a matter of vulnerabilities and bugs we don’t have a similar terminology of security attributes to that of common software attributes.

3.0 Aims and Objectives

The aim of this project is to identify generic attributes in software systems that relate to system security, and to identify tools and methods used when secure systems have been engineered that relate to these generic security attributes.

Objectives:

• A study of the different types of requirements on software systems in terms of security.
• A study of design and implementation used in systems which have had few security-related defects.
• A study of the methods and tools used when engineering systems which have had few defects.

37) Chris Mitchell

University of London

Advances in Mobile Privacy and Security - AMPS

Scope

The AMPS Expression of Interest identifies a programme of work to be conducted as an Integrated Project, or as a sub-project within some larger Integrated Project, in an area which is judged to be of critical importance to the success of future mobile communications developments and innovations. It concerns the provision of supporting security and privacy measures in mobile and wireless communications: privacy, confidentiality and trust for personal users (private and business); trust and confidence in e-business and e-work; security, privacy and integrity for the networks, their operation and the services they support.

Objective of Expression of Interest

The goal of the EoI is to establish recognition and support for the need for extensive work leading to the provision of relevant and economic security measures needed for the maturity of 3G and the evolution to post-3G technologies, the application and exploitation of 3G and post-3G technologies, and their interaction and evolution with existing technologies. To achieve this we propose an Integrated Project of sufficient scope to address the whole spectrum of needs and wishes of the broad constituency of interests: end-users; service providers; network operators; applications and service providers; administrations and regulators; legal bodies and law-enforcement agencies.

Need

AMPS responds directly to the continuing transformation of the economy and society through the creation of new ways of working and new types of business. These then lead to contributions towards solutions to major societal challenges such as healthcare, environment, safety, mobility and employment that will have far reaching implications on our everyday life. Without the accompanying effort to provide pervasive security, technological innovation in other areas of communications will be of little value.
Since the security and privacy challenges in the mobile/wireless sector are particularly severe (user mobility, heterogeneity of access methods, dynamically reconfigurable systems and networks, etc.), results from the mobile sector should be capable of providing solutions in other fields of IST. Regular scare-stories predicting the melt-down of global communications are not uncommon; they tend to be exaggerations of real problems, but they do underline the need for solutions to keep ahead of the attacker – or of non-malicious mis-operation or malfunction.

The anticipated extent of the work is such as to require the concerted effort of a large segment of the mobile telecommunications industry and its clients. Previous work towards 3G security was accomplished by relatively small teams leading other efforts towards the establishment of standards, notably in 3GPP. Later work towards selected aspects of post-3G is being conducted in the same sort of way. Here, the scope outlined above is much wider and more comprehensive; it calls for concerted effort by a larger team with coherent strategic, technical and management direction.

Relevance

The mobile terminal in its different forms will increasingly be the de facto personal communication and computing device. Consequently, new technologies, facilities and application areas will generate new requirements for security of user and service information, protection of services and other digital assets, safety and integrity of management, and control of underlying systems and infrastructure. New trends include general ubiquity (moving towards the pervasive and ambient communication environment), new context-aware applications and services, new network and terminal technologies, and flexible spectrum management and dynamic reconfiguration of terminals and networks in response to user mobility, user behaviour and capacity optimisation.

Need for concerted European effort

Following on from the success of GSM, European collaboration has played a central role in ensuring a single set of standards in 3G systems to the benefit of users and of suppliers of equipment and services worldwide. The EoI identifies an expanding need to give special attention to security and privacy measures to accompany the development and use of mobile/wireless communications technologies and services. Also the interaction with existing and evolving fixed network standards and technologies needs to be assured to avoid fragmentation of communications technology. The risk from not working towards future unity of approach and standards is that users will adopt fragmented, proprietary solutions, possibly divergent, incompatible and of limited lifetime. The area of work covered by the EoI builds on results from FP5 and earlier framework programmes, in which the partners have had considerable successful involvement, influence and experience.

IST priorities and challenges

As the deployment of 3G develops, further challenges will be identified. Some of the more readily identifiable ones are already being addressed in the IST project SHAMAN, to which many members of this EoI belong. Key questions to be addressed include:

- what will be the new modalities for mobile access to e-work/business and to services for users and organisations, and what are the resulting challenges to security and privacy that these raise for all concerned?
- what new technologies, mechanisms, procedures, services and agencies are required to provide a security and privacy framework that can provide for this broad spectrum of needs?
- what are the likely parameters and bounds set by legal, regulatory, economic and usability requirements?
- how should medium and long term research in this field be planned, established, managed and executed?

Goals and objectives

The goal of the associated IP would be to conduct an extensive programme of work leading to the provision of relevant and economic security measures needed for the maturity of 3G and for the evolution to post-3G mobile and wireless technologies and their exploitation and their fields of application.

Response to new developments

Given the anticipated size and duration of the IP, it would be necessary to allow for dynamic adjustment of priorities and reallocation of resources to accommodate the latest developments and technologies in the project. In addition to the challenges that we can identify now, new issues will arise during the lifetime of the project: through the breakdown or obsolescence of current solutions; through the development of new security techniques; through new protection requirements from new communications technologies and services or developing social needs.

The aim of the IP is to represent a consensus across a constituency comprising all sectors with interests and concerns in this field. This means that no significant contributions or opinions are overlooked, and that IP members will sponsor interests from outside the project, and ensure that their voices are heard.

Tasks for the IP

In the past, mobile networks have basically been monolithic systems, based upon a single set of standards to ensure vendor interoperability, and serving mainly a single application, voice telephony. Recently, the range of applications has grown broader with messaging, email and corporate network access becoming widespread. However, the potential of upcoming 3G mobile systems and beyond is very much larger, and we are yet to witness the mobile Internet “revolution”. Mobile information services, mobile healthcare, mobile payment, ticketing, voting and shopping will have a significant impact on the way we live.

While 2.5G/3G network infrastructure and end user devices are starting to become available throughout Europe, there is still a large complex of issues around privacy and security for these types of mobile applications that has not yet been addressed and solved in a consistent manner. New types of attacks and threats become conceivable that cannot be tackled by simply copying solutions from the Internet/IT world. Location-dependent and context-aware services become technically feasible in which a multitude of players collect and control different fragments of information about the users’ identities, profiles, preferences, etc. Monolithic networks are being replaced by multi-access, multi-layer environments, ranging from Body Area Networks (BANs), Personal Area Networks (PANs, W-LANs), to cellular, broadcast, and Fixed Wireless Access (FWA). Novel network topologies, such as multi-hop ad-hoc networks, also impose new security challenges.

We are seeing the increasing end-user awareness of privacy and security issues. Drivers for this development seem to be the recent discussions around location-aware applications with location information obviously being of a highly privacy-sensitive nature, as well as the explosion of spam e-mailing and spam wireless messaging. Only if these issues can be addressed in such a way that the user trusts the systems, devices and applications they are employing, and feels that they are aware of and in control of the security and privacy risks, will they start to broadly adopt new mobile services. This is obviously particularly true for services like high-value commercial transactions.

It should be noted that user trust and confidence will never be achieved solely by technological means. In addition to security- and privacy-enhancing technologies, internationally compatible legislation and regulation needs to be in place, along with effective means of enforcing them. On the technological side, standardisation will be required in order to ensure interoperability and vendor-independence.

Examples of new challenges and requirements

- new access modalities for personal and business uses
- novel application scenarios and their implications
- personal security via third parties and security tokens
- trusted platforms
- privacy in context-aware mobile/wireless applications
- new risks and threats to networks and information

Resourcing

The participants in this EoI are leading contributors to the current developments and past successes in this field. They envisage playing a significant part in the work of related IP as core members.

- Network operators: T-Mobil (DE); Vodafone (UK); etc.
- Equipment suppliers: Ericsson (DE); Nokia (FI), Siemens (DE); etc.
- Smartcard suppliers: G&D (DE); etc.
- Research Institutions: K.U. Leuven (BE); Royal Holloway (UK); Telematica (NL); etc.

Related work

The work covered by this EofI relates to other current or anticipated parallel activities that will require strong co-ordination, including the following:

- ENCRYPT: EofI arising from STORK project (q.v.)
- ?: EofI to cover the whole field of IST security
- WWRF: EofI to cover the whole of mobile/wireless communications
- PAMPAS: FP5 project working on strategic roadmap for the area covered by this EofI
- STORK: FP5 project working on strategic roadmap for future cryptographic needs
- ?: FP5 project working on strategic roadmap for secure mobile transactions and applications

Chris Mitchell, Keith Howker, Silke Holtmanns

38) Andreas Mitrakas

GlobalSign

Introduction

Early day observers of electronic transactions had suggested that the regulation of electronic signatures is likely to boost the usage of electronic transactions. In an effort to promote trust and confidence in the transactions the EU Directive on electronic signatures and national implementations have largely responded to this call. At the transactions level the EU has come up with the electronic commerce Directive to address matters commonly associated with the aspects of the transaction. An array of directives addresses aspects such as Intellectual Property Rights, consumer protection and data protection. In certain areas, reaching further than anticipated the EU Commission has opted for a process dubbed co-regulation to ensure the involvement of the industry and member states in the promulgation of electronic signature regulation and standards.

Present day criticism suggests that despite law electronic transactions may still fail to attract users. There are a few reasons related to that reluctance that include:

- The lengthy standardisation process for electronic signatures.
- The pace of the implementation of the directives associated with electronic transactions.
- The end of the hype for electronic services.
- Conceptual shortcomings in the implementation of the desired solutions.
- The legal element being left only partially addressed.

To address this criticism additional effort is required to meet the requirements of the transacting community with regard to authentication, non-repudiation and legal safety.

Action areas

Three sample action areas for additional research can be addressed along the following lines:

Electronic signatures to sign only?

Coining the immediate business need for non-repudiation, legislation has propelled the standardisation of electronic signatures. Other business needs, essential for electronic transactions, such as authentication have been left neglected.

Recommendation: Encourage further work in the area of authentication by means of electronic signatures. This work area can be complementary to qualified signatures and associated work accomplished pursuant to the electronic signatures directive.

The electronic commerce rush of the mid 90's has resulted in a number of fallacies propelled by the apparently easy access to on line resources. In spite of the euphoria, which was typical of the zeitgeist, the fact has remained that transactions stay under the control of whoever initiates them. There are just a few examples of transactions that make use of the early day open concept. If trust is a local phenomenon it should be treated as such, also by allowing electronic transactions to feature standardized trust bearing elements.

Recommendation: Consider transactions as areas of interest that require the development of elements of eTrust. While transactions require to be seen within an integrated framework that addresses all aspects of the problem, to date transactions are viewed at the level of principles as they emanate from the electronic commerce directive. Elements of trust must be built in features of the transactions to complement electronic signatures in its non-repudiation function. Signature Policies can be seen as example areas where signatures and transactions come close together.

Legal safety

Users of electronic transactions have difficulty to come to terms with the reality of the battle of forms exacerbated by electronic transactions. In spite of electronic commerce legislation prompting transparency, there is a considerable deficit in the area of on line tools for the comparison and the generation of legal terms pertaining in a transaction.

Recommendation: The ICC ETERMS Repository of the International Chamber of Commerce has provided an early day example of a conceptual model for the storing and usage of legal terms on line. To enhance the legal safety of electronic transactions it is necessary to address the area of legal terms that can be viewed, audited and used by reference. In the absence of legal safety, there can be no Trust.

Scale of the proposed work

It is essential to address current shortcomings in the notion of Trust through an activity that includes stakeholders in an array of transactions including B2B, B2C, A2B and A2C. Participants are required to originate from member states with varying penetration rates of electronic transactions. An additional requirement is to feed any associated results into the standardisation process for further formalisation and processing.

Conclusion

It is essential to take into account aspects of the transaction when it comes to regulating electronic commerce. To date this regulation has been effected at a systematic or principles level. A more proactive stance at the level of standardization and structures will enhance the level of the services offered by electronic means and will boost the confidence of end users, including consumers, in the electronic transactions at hand.

39) Christian Monyk

Seibersdorf Research

Development of an industrial prototype for quantum-cryptographic data encryption

A Project of ARC Seibersdorf research GmbH in co-operation with the Institute for Experimental Physics (University of Vienna)

In the last years numerous research projects have been carried out with the goal to enable the use of quantum-mechanical effects for encoding sensitive data. These research activities were promoted also in the 5th frame programme, in which under the FET action line of IST a number of projects dedicated to this theme have been submitted and financed by the Commission. After the initial work in this area, the basic physical research in quantum cryptography has reached the point, after which the concrete conversion of knowledge to practical implementation can be planned.

ARC Seibersdorf research took up the task of developing an industrially applicable prototype for quantum-cryptographic key-generation and exchange. This work will be done in close collaboration with the Institute for Experimental Physics of the University of Vienna (Professor Anton Zeilinger, one of the pioneers in the ascending quantum computer science).

The secure exchange of data becomes a vital issue for particular groups of users; large enterprises with subsidiaries in different countries, banks and other companies offering financial services, public administration and health service organisations require a high standard of secure communication. On the other hand breaking the widely used encoding methods becomes increasingly feasible due to the constantly growing performance of computers, which are also available for potential “spies”, the development of new cryptoanalytic techniques, etc. Quantum cryptography offers a solution, which makes secure key generation and transfer and therefore secure communicating possible.

The practical application of quantum cryptography can however not be ensured by developing the encoding device alone. Likewise it is necessary to provide the integration of the device into existing security infrastructures, to develop the protocols necessary for communication between the parties as well as to create a unique method for authentication of the parties. Quantum-cryptographic procedures are subject to constraints due to physical laws, whereby the exchange of the code is only possible between two fixed parties and over distances of no more than 100 kilometers due to absorption and depolarization in optical fibres. An economically meaningful applicability requires however world-wide communication between any parties. Therefore an appropriate infrastructure, which meets the needs of the future users, must be also developed for a reasonable application of quantum cryptography.

Beside the tasks within the areas of infrastructure and system integration there are still some fundamental problems to be solved in the area of device development: The opto-electronic components, necessary for producing, manipulating and registering the single photons, that are indispensable for a practical application of all methods presently developed in quantum computer science, are not currently available in the necessary quality. Additionally the electronic components, which are needed for real time data processing, particularly taking into account the necessary system security, have still to be developed. Effective algorithms that allow to register data, to analyse the results of measurements, to correct the occurring errors as well as to calculate the code must be found and/or further developed.

To achieve that goal – the development of a quantum cryptographic industrial prototype – co-operations with a set of partners are necessary. These partners will advance on the one hand the technological development of components relevant for the project and on the other hand will develop software packages, which permit the integration of the quantum-cryptographic system into existing infrastructures.
Additional partners will focus on the development of network infrastructures necessary for global operation and thus ensure that the quantum-cryptographic equipment can be actually used at the point in time, at which the hardware is available. All these partners will form a consortium, which executes all development activities necessary for practical use under leadership of the ARC Seibersdorf research. The close contact to basic scientific research groups is ensured by the participation of Professor Zeilinger and his team, who participate in a scientific network on quantum computer science. In this way the current know-how transfer from the basic university research to close-to-applications developers is guaranteed.

Quantum cryptography represents a first application in the much broader field of quantum computer science. Quantum computer science promises a complete re-orientation of the entire computer technology. All quantum-information applications however require components and know how in a field, which in contrast to currently proliferated technologies, allows handling of single photons. The developments of all project partners on this target will prepare European economy, pave the way for future technologies in this area and provide a substantial advantage in the global competition.

40) Pekka Nikander

Helsinki Inst. For Inform. Tech.

Understanding Trust and Trustworthiness in the Digital Domain (tentative)

Pekka Nikander and Martti Mäntylä
Helsinki Institute for Information Technology
Tammasaarenkatu 3, FIN-00180 HELSINKI, FINLAND
[email protected]

Rationale and relevance

Trust is an intrinsic human phenomenon that even after years of focused research is still relatively poorly understood. At the same time, though, it is a very essential part of our economics and social life. The gradual shift from the economy of tangible goods into the so called information economy or digital economy seems to recreate a number of problems that within the industrial economy were mostly solved between the 16th and 19th centuries in Europe, including the problem of how to create and represent trust relationships and how to convey information about experiences of trustworthy or untrustworthy behaviour. One way of characterising the current situation is to claim that many nations are today spending their previously built up social capital; that is, the incentives for trustworthy behaviour, and therefore trusting other people, are diminishing, leading to general erosion in many aspects of the societies. That in turn, will gradually lead to more friction, higher transaction costs, and slower growth within the economy.

Formation of trust both in real life and in virtual organisations has been extensively studied, but the results are still inconclusive. There have been a number of studies on trustworthy user interface design, leading to a number of initial results that still ask for much research. Similarly, there has been active research on the so called Trust Management Systems within the computer and communications security community, bringing forth theoretical results but with relatively little real life impact, at least so far. Furthermore, a number of economists have recently started to pay more attention to the role of trust in economic growth and activity, leading to new understanding about the value of social capital. However, there has been relatively little interaction between these threads of research.
Consequently, the purpose of this proposed Network of Excellence is to bring together active researchers of trust and trustworthiness from the research communities within social sciences, jurisprudence, computer science, computer and communications security research, and economics research. This will lead to deepened and extended understanding of trust, trustworthiness, the value of trustworthy behaviour, and related phenomena, basically creating new, interdisciplinary research results. As a more practical goal, it is anticipated that this understanding will eventually lead to a way of representing human trust relationships and past experiences on trustworthy or untrustworthy behaviour in a digital and fully secured form, thereby leading to new incentives, both economic and normative (understood in a very broad sense), that would bring back the society to the track of collecting social capital instead of spending it.

In the IST part of FP6, technologies for trust and security are recognised as a key area within the more general framework of applied IST research addressing major societal and economic challenges (research priority 1.1.2.i). As such, trust and trustworthiness cut across many other themes in the IST programme. Trust can be seen as an essential infrastructure component for the future networked digital environment, and understanding trust is necessary for creating new methods for work and electronic commerce. In particular, trust management can be seen as a necessary piece of technology for widely deploying mobile and personal communication systems, including cellular and personal or local area networks. At the same time, it is an essential component for eEurope, facilitating network security and potentially accelerating e-commerce. Without proper trust infrastructures large scale peer-to-peer systems will remain fallacy and never become reality. At the same time, better tools for digital trust management allow citizens to create new kinds of informal and social networks.

In the long term, we see a possibility where trust and trustworthiness becomes an asset-like instrument, creating new value structures and new markets that support and augment the traditional economy, which is based on tangible goods and a single type of value measuring instrument.

Main objectives and working approach

The main objective of this Network of Excellence is to bring together established researchers that have years of experience on understanding trust in their respective research areas and that are interested in the nature of trust and trustworthy behaviour, and especially their impact on economics in the increasingly digital world. The aim is to accelerate information exchange between previously distinct fields of research.

The main method to achieve this will be exchange of researchers. In our opinion, only long term personal contacts lead to effective information exchange between such distinct fields. The individual researchers can acquire deep enough understanding beyond their own primary field of expertise only by spending considerable amount of time together.
Researcher exchange will be facilitated and augmented with an array of other forms of networking, such as arranging regular open or semi-open workshops, providing post-graduate level intensive seminars and special courses, and establishing and maintaining shared information repositories. Naturally, these activities also facilitate the dissemination of the results of the work.

Research areas

The actual work of the NoE will be organised in a number of research areas that integrate and structure the research efforts of the consortium members. In particular, we intend to continue existing activities or start new activities in the following or similar areas:

- Understanding the role of trust networks and trustworthy behaviour as a partial explanation for the economic success in Silicon Valley, Singapore/China, and Finland during the last few years.
- Representing past experiences about trustworthy or untrustworthy behaviour in a distributed but reliable manner.
- Matching Credentials Based Access Control with human aspects so that the resulting systems become usable for end-users without posing usability or security risks.
- Better understanding of the formation and practical effects of social capital, including trust, and the economic effects of explicitly representing trust relationships in a reliable digital form.
- Need for and effects of new legislation and other regulative actions that could create trust, on one hand, and how other planned and executed actions have affected trust.
- Mapping Trust to Risk Management models.
- Effects of User Interface Design on Trust.
- Architectures to support the negotiation, establishment and maintenance of trust between parties.
- Relationship between trust and security policy.

Links to other NoEs and IPs

To be filled in

Participants

To reach its objectives, the core consortium of the network should consist of the leading experts in the various disciplines relevant for understanding trust and trustworthiness. The following researchers and research institutions have tentatively indicated their interest in joining the core part of the network.

- Dr. Pekka Nikander (computer security), Prof Jukka Kemppinen (law), Dr Pekka Himanen (philosophy), Mr Matti Kalliokoski (political science), Ms Kristiina Karvonen (human factors), Helsinki Institute for Information Technology, Finland
- Dr Raphael Yahalom (security, formal methods), MIT Sloan School of Management, and Onaro Research, Israel
- Dr Simon N. Foley (security, formal methods), University College Cork, Ireland
- Dr M. Angela Sasse (human factors), University College London, UK
- Prof Joachim Biskup (computer security), Universität Dortmund, Germany
- Prof Kai Rannenberg (computer security), Microsoft Research Cambridge, UK and Frankfurt University, Germany

The core part of the network will be expanded with multidisciplinary teams, preferably with strong background on economics, human factors, and computer security, so that the network reaches a critical mass size of at least 10-12 research institutions.

41) Nikos Nikolaidis

Artificial Intelligence and Inform. Anal. Lab.

Nikos Nikolaidis and Ioannis Pitas
Artificial Intelligence and Information Analysis Laboratory
Department of Informatics
Aristotle University of Thessaloniki

Contribution to the Trust and Security Workshop

Despite the fact that watermarking is among the hottest research topics of the last years, attracting scientists from diverse fields like signal & image processing, communications, information theory and cryptography, the problem of watermarking-based IPR protection and management is far from being solved. Thus efforts of a pan-European scale are needed to provide viable technical solutions that, combined with appropriate business models for multimedia content delivery, will lead to a secure and trustworthy distribution environment. Within FP6, watermarking can find its place either in Integrated Projects and Networks of Excellence focusing mainly on IPR management or as a subtopic in Integrated Projects and Networks of Excellence dealing with applications that involve DRM (digital libraries, preservation of cultural heritage in digital repositories, music & video technology etc.).

The focus of most research efforts and commercial products on watermarking is currently on copyright protection of video and still images. There are, however, other media that deserve the attention of scientists due to the significant commercial value they represent. Such media are:

- Digital objects: the term digital objects is used here in a scope broad enough to include video objects in MPEG4, 3-D CAD models, 3-D graphics & animated graphics models, voxel-based 3-D images etc. Digital objects are involved in many applications and are usually of high commercial value since their construction is time- and resource-consuming. Furthermore, in certain applications, challenging requirements and restrictions might apply (examples: watermarked medical 3-D images should be of extremely high quality, tolerable changes in CAD models are limited by the allowable deviation from the nominal object dimensions).
- Graphics images and binary images (including text in image format). Such images require special watermarking techniques due to their distinct characteristics (large homogeneous areas, limited number of colours).
- Text documents.

Another very interesting and promising area that has emerged only recently is that of fingerprinting (or passive watermarking) of digital media. Fingerprinting deals with finding suitable media descriptors (fingerprints) that are robust to media manipulations and allow fast verification or identification of digital objects. Unlike watermarking, fingerprinting techniques do not alter the media where they are applied. Fingerprinting can find applications like distribution monitoring, people metering, digital rights management etc. This new research area can benefit a lot from previous work in the area of multimedia indexing and retrieval. Infusing this knowledge in fingerprinting might yield very interesting results.

Both fingerprinting and watermarking of “new” media should be considered within IST in FP6.
The Artificial intelligence and Information Analysis (AIIA) Laboratory at the Department of Informatics of the University of Thessaloniki (http://poseidon.csd.auth.gr/) is extremely interested in joining Integrated Projects or Networks of Excellence dealing with these topics. The group has been working for eight years in copyright protection of multimedia data. Its broader area of expertise (accumulated in the twenty years of its existence) covers digital signal, image and video processing & analysis, computer vision as well as other related areas. It has undertaken 25 R & D projects (mostly European). The following projects are related to IPR and DRM: CERTIMARK, Certification for Watermarking Techniques, RTD, IST, EU. INSPECT, Innovative Signal Processing Exploiting Chaotic Dynamics, LTR, EU OKAPI, Open Kernel for Access to Protected Interoperable Interactive Services, ACTS, EU ACCOPI , Access Control and Copyright Protection of Images, RACE, EU Development of Digital Signatures for Multimedia Applications, Greek Secretariat for Research & Technology Contact persons: 100


Professor Ioannis Pitas
Department of Informatics
Aristotle University of Thessaloniki, Greece
Email [email protected]
Tel/Fax +30310996304 (office) +30310996361 (lab)

Dr Nikos Nikolaidis
Department of Informatics
Aristotle University of Thessaloniki, Greece
Email [email protected]
Tel +30310998566
Fax +30310996304

42) Christos Nikolaou

University of Crete

Expression of Interest by the iTrust Working Group on Trust Management in Dynamic Open Systems (IST-2001-34910, 1 July 2002 – 31 June 2005) for the formation of a Network of Excellence on Trust Management

Prepared by Christos Nikolaou, Professor, Computer Science Department, University of Crete, and iTrust coordinator

Statement of Purpose

The iTrust working group on Trust management (a new working group starting its activities on 1 July 2002) is interested in preparing a proposal for an FP6 Network of Excellence on Trust Management. A network on trust management could be built easily using and expanding on the community being created by iTrust that already includes leading academic and research institutions in Europe doing research on trust management for dynamic open systems. It is worth noting that this community is already highly interdisciplinary (computer scientists, sociologists, philosophers, lawyers, etc.) and is looking forward to becoming more so. iTrust also has significant links with the international community such as member cooperation with the IBM Institute for Advanced Commerce, DSTC in Australia, etc. We intend to strengthen the industrial component of the network and we are actively soliciting industrial partners interested in joining the consortium. We are preparing an EoI for the NoE on trust where we shall briefly describe several activities in terms of projects, training courses, scientific exchanges, postdoc mobility, etc. To better present ourselves we include in this document an extract from the Technical Annex of iTrust.


Extracts from the Technical Annex of the IST iTrust Working Group:

1 Project summary

The iTrust Working Group (WG) is to organize a series of workshops to give its partners the opportunity to present to each other their ongoing research efforts in the area of trust management, and to allow them to benefit from each other's experience and expertise. These workshops constitute the project's major milestones. Moreover, the iTrust WG will support brief exchanges (up to two weeks) between its members, so as to foster a collaborative environment and set the basis for further larger-scale activities in the target research area.

The iTrust WG’s timeline is divided into 6-month slots, with a workshop scheduled to take place within each slot. Three internal and three public workshops are scheduled, each with a duration of 3 days. The internal workshops will be restricted to participants from the iTrust WG, with an average of 20-25 attendees. The public workshops are expected to have 30-40 attendees, and will include internationally renowned invited speakers. For the public workshops, the iTrust WG will solicit submissions from the research community through open calls. All workshops will include discussions and briefings on current technology and standardization developments, so as to keep the iTrust WG consortium up-to-date.

Each workshop, whether internal or public, is to combine discipline-specific sessions and plenary sessions, with particular emphasis on trust modelling, trust-based decision making, relationship management, and trust management frameworks. The topics are to be discussed and subjected to multidisciplinary questioning and criticism. The ongoing activities of the iTrust partners cover all these aspects, and we expect to attract invited speakers who can provide valuable input and alternative perspectives.


Milestones and expected results (maximum 500 characters)

Organization of 3 public workshops, with distinguished invited speakers from multiple disciplines, and 3 internal workshops (for consortium members only).

2 Project Objectives

Project Rationale

Recent years have seen an unprecedented acceleration in the evolution of the Internet as the technological vehicle underpinning the expansion of service provision in virtually all sectors. The scale of commercial investment in pursuit of early market share in these nascent markets witnessed a widespread belief in the future importance of this modality of service provision. The evolution of e-marketplaces and e-communities in “internet-time” sets new targets for the maturation of technology from the research arena into industrial practice.

On the other hand, it is also recognised that lack of consumer confidence is limiting the growth of e-business and has contributed to the current volatility in the dot-com market. Consumers are often skeptical of environments where a bewildering variety of software entities enter at any time, without centralized control, and, what is more, without prior certification by a reliable authority. These entities compete for attention and resulting revenue, offering at the same time both a tremendous potential for the development of new services and applications, and for undesirable, even catastrophic, failures and deviations from expected norms. E-commerce transactions and e-community interactions suffer from loss of face-to-face human contact and trust-building codes, gestures and word-of-mouth references, all of which were and still are the traditional catalysts of transactions and interactions in conventional marketplaces and communities. The sheer scale of the emerging global infrastructure, combined with the need for fully autonomous operation, surpasses the usefulness of existing security infrastructures such as authorization services and certificate issuance and validation services.
Merely having a certified identity in a dynamic and open environment does not a priori guarantee acceptable behavior and performance. In particular, it is not enough for informed decisions on access restrictions and controls or for selection among potential candidates for interaction, and it is even less adequate for reasoning about the expected behavior and dependability of entities for which no prior knowledge is available. Entities need to be distinguished not only based on their static (certified) identities but also based on their (un)expected, dynamically varying qualities that are relevant to the specific interaction context. Furthermore, such judgments, by necessity subjective due to the requirement for fully autonomous operation, need to be reviewed and possibly revised on a regular basis. Therefore, there is a need for practical, scalable and adaptable technology to capture, measure and manage the trusting relationships that underlie the interaction of entities in dynamic open systems. For e-services to achieve the same levels of acceptance as their conventional counterparts, trust management has to become an intrinsic part of e-service provision.

The Internet, by its very nature, encompasses a heterogeneous variety of systems and technologies, but its utility requires extensive and transparent communication and co-operation on a global scale. Furthermore, the strongly competitive nature of the internet-based
marketplace, coupled with the need for consensus, necessitates proactive mechanisms for the transfer of knowledge between all parties. In view of the widespread commercial investment in this area, such flows need to be not only from academia to industry, but also between different research disciplines and from industry to academia. This combination of a need for targeted long term strategic research, coupled with mechanisms for rapid deployment and realisation of research outputs, makes the area of Trust Management in Dynamic Open Systems most appropriate for a thematic network.

Main Objectives

The aim of iTrust is to provide a forum for cross-disciplinary investigation of the application of trust as a means of establishing security and confidence in the global computing infrastructure, recognizing trust as a crucial enabler for meaningful and mutually beneficial interactions. The proposed forum will bring together researchers with a keen interest in complementary aspects of trust, from both technology-oriented disciplines and the fields of law, social sciences and philosophy, hence providing the consortium participants (and the research communities associated with them) with the common background necessary for advancing toward an in-depth understanding of the fundamental issues and challenges in the area of trust management in open systems. We expect iTrust to lead to the definition of a number of closely interacting research projects focusing on different aspects of trust management or introducing trust management into existing and emerging technologies, regulatory and legislative frameworks.

Primary Scientific and Technological Goals

In summary the main objectives of the iTrust proposal are the following:

- To facilitate the cross-disciplinary investigation of fundamental issues underpinning computational trust models by bringing together expertise from technology oriented sciences, law, philosophy and social sciences.
- To facilitate the emergence of a widely acceptable trust management process for dynamic open systems.
- To facilitate the development of new paradigms in the area of dynamic open systems which effectively utilise computational trust models.
- To facilitate the harmonisation of regulatory and legislative frameworks and facilitate their evolution so as to support the fast take-up of the emerging technologies in the area of dynamic open systems.
- To incorporate trust management elements in existing standards and prepare the ground for the standardisation of emerging technologies by submitting recommendations to the appropriate standardisation bodies.

Operational Objectives

iTrust will provide the consortium partners and the wider research community with the common background necessary for advancing toward an in-depth understanding of the fundamental issues and challenges in the area of trust management in open systems. This will lead to the definition of a number of closely interacting research projects focusing on different aspects of trust management or introducing trust management into existing and emerging technologies, regulatory and legislative frameworks. In particular, iTrust is intended to prepare the ground for in-depth research activities through a series of preparatory actions, which include:


- the establishment of an information portal with up-to-date information about the latest research developments in the area of trust management,
- regular working group meetings in conjunction with targeted workshops, and
- the organisation of international workshops where experts from EU and non-EU countries will also be invited to lecture and participate.

Links to the community

The iTrust thematic network entails the establishment of a forum for facilitating collaboration between researchers that have a keen interest in trust management issues, and complementary viewpoints:

- distributed software systems
- formal methods and mathematical modelling
- security engineering
- human-computer interaction (HCI)
- sociology
- law (privacy, guarantees, compensation)
- philosophy (epistemology, semantics, ethics of trust)

Figure 1: iTrust as a forum for exchanges between ongoing projects.

The iTrust consortium will actively seek to form synergies between ongoing projects (as shown in the figure above) that exhibit overlap of activity, from complementary viewpoints, on trust issues:

- risk assessment and management (SECURE, IST-2001-32486)
- security assurance through the application of model-based risk analysis (CORAS, IST-2000-25031)
- formal treatment of trust models (ALFEBiiTE, IST-1999-10298)
- dynamics of cluster formation (iCities, IST-1999-11337).


Emphasis is also placed on supporting exchanges and collaboration in training and research activities among the iTrust partners.

3 Participant List

| Partic. Role* | Partic. no. | Participant name | Participant short name | Country |
|---|---|---|---|---|
| C | 1 | University of Crete | UOC | Greece |
| P | 2 | Council for the Central Laboratory of the Research Councils | CCLRC | United Kingdom |
| P | 3 | Imperial College of Science Technology and Medicine | ICSTM | United Kingdom |
| P | 4 | University of Strathclyde | STRATHCLYDE University | United Kingdom |
| P | 5 | Queen Mary College | QMW | United Kingdom |
| P | 6 | Trinity College Dublin | TCD | Ireland |
| P | 7 | University of Dortmund | Uni Do | Germany |
| P | 8 | Institut National de Recherche en informatique et automatique | INRIA | France |
| P | 9 | King’s College | KCL | United Kingdom |
| P | 10 | INTRACOM S.A | ICOM | Greece |
| P | 11 | Institute of Cognitive Sciences and Technologies of CNR | CNR - ISTC | Italy |
| P | 12 | Nine By Nine Co. | NINE BY NINE | United Kingdom |
| P | 13 | Hewlett-Packard Ltd | HP | United Kingdom |
| P | 14 | Universitat Autonoma de Barcelona | UAB | Spain |
| P | 15 | Plefsis Information Systems S.A | Plefsis S.A | Greece |
| P | 16 | Virtual Trip Ltd. | Virtual trip | Greece |
| P | 17 | University of Oslo Norwegian Research Center for Computers and Law | UIO | Norway |
| P | 18 | SINTEF Telecom and Informatics | SINTEF | Norway |

* C = Coordinator, P = Principal contractor, A = Assistant contractor

4 Contribution to programme/key action objectives


The Information Society Technologies (IST) programme [2] has as its general objective the realisation of a user-friendly Information Society. Central to this objective must be an expectation that the information technology infrastructure supporting the Information Society can be trusted in the face of the myriad of threats to which it is increasingly exposed, and that meaningful and mutually beneficial interactions can be realised. For a truly pervasive computing and communications infrastructure, it is absolutely essential to provide a reasoning framework for informed decisions on trust issues. This framework is to be applied by both human and software entities, in settings that cannot be fully anticipated a priori, and that fall outside the scope of most current-generation technologies for security. By proposing to explore the limits and possible extensions of such technologies, the iTrust working group proposal is directly addressing the objective of creating a user-friendly Information Society.

The Internet is a large-scale open distributed system that is not owned and controlled by any single authority. An open system is fundamentally heterogeneous, consisting of components that were designed independently and are operated by autonomous authorities acting independently. Moreover, the run-time environment is dynamic, with services being introduced, altered, or withdrawn at any time without central coordination. A natural consequence is an increase in uncertainty and risk arising from the intentional hostility or carelessness of on-line entities. In such an environment, the general concept of "trustworthiness" becomes a fundamental requirement.

In relation to the Key Action Objectives of the IST programme, the iTrust proposal addresses the objectives of key actions II (New Methods for Work and Electronic Commerce) [3] and IV (Essential Technologies and Infrastructures) [4].
Key action II has as its objective the creation of the next generation of interoperable systems to meet user demands for flexible access, for everybody, from anywhere, at any time with special attention being given, amongst other issues, to the security and privacy of information. Key action IV addresses the convergence of information processing, communications and networking technologies and infrastructures with a focus on technologies and infrastructures common to several applications. These objectives are central to the iTrust proposal as it addresses an application-independent approach to security in large-scale pervasive information systems.

The iTrust proposal addresses exactly the class of systems identified in the scientific goals of the Global Computing initiative [5] - those 1) composed of autonomous computational entities where activity is not centrally controlled, 2) where entities are mobile, 3) where the configuration of entities varies dynamically and 4) where entities operate with incomplete information about the environment. To achieve security in such systems requires an approach such as that being proposed by iTrust since each entity must be able to decide autonomously what information it can trust on the network and what communication partners to believe.

[3] Key Action I - Systems and Services for the Citizen http://www.cordis.lu/ist/bwp_en2.htm#3.1
[4] Key Action IV - Essential Technologies and Infrastructures http://www.cordis.lu/ist/bwp_en5.htm#iv
[5] Global Computing Proactive Initiative: Scientific Goals http://www.cordis.lu/ist/fetgc.htm#goals


The iTrust proposal also fits well within the scope of the Future and Emerging Technologies programme [6] since it is both visionary and exploratory. The project considers a radical departure from current-generation technologies for security and proposes a unifying framework for relationship management in dynamic and open environments. Elements from multiple disciplines need to be considered, including not only computing and communications technologies, but also the social sciences, philosophy and law. This departure constitutes a risk, albeit a highly attractive one, since the nature of the resulting security models is difficult to predict in advance.

5 Membership

The iTrust project addresses the new and difficult security and privacy issues that arise from the deployment of a global computing infrastructure through a trust-based security and privacy model. Global computing allows entities to reason about the trustworthiness of other entities and to make autonomous security decisions on the basis of trust. This requires the development of a computational trust model that enables entities to reason about trust and to verify the security properties of a particular interaction. The global computing infrastructure is highly dynamic with continuously appearing or disappearing entities and services. It is vital that the associated computational trust model is able to incorporate this dynamism and that equally flexible legislative and regulatory frameworks emerge.

The iTrust Working Group aims to establish a forum for collaboration among partners that have already exhibited a keen interest in trust issues. Our common goal is to interact with each other, as well as with experts from multiple disciplines outside of the consortium, to gain a deeper understanding of the key issues and to prepare for further in-depth investigation. The partners of iTrust cover a wide interdisciplinary area of expertise that is necessary for addressing issues related to Trust Management.
Following is a list of these issues and the partners who have expertise on them:

The ethics, sociology and psychology of trust (S. Tsinorema, M. Samatas, University of Crete, M. Wilson, M. Prime, CLRC, invited speakers):

Information society and human values. Philosophical investigation of cognitive and social values, taxonomy of values and theories of normative judgment, nature of trust as a value-concept. Different ethical approaches to trust and their impact on trust management: ethical individualism and collectivism, ethical atomism and holism, Cyber-libertarianism, -liberalism and -communitarianism. Conditions of trust, achieving security and confidence. Can and should there be agreement on common rules and regulations internationally, or does the existence of different cultural values among countries make them impossible? Cultural relativism and ethical universalism, and their impact on trust management. Cyberspace freedom vs. safeguarding consumer confidence and trusting relations. Establishing a reasoning framework for informed decisions in such contexts. Moral psychology of trust.

[6] Introduction to Future and Emerging Technologies http://www.cordis.lu/ist/fetintro.htm#what


A computational model of trust presupposes a naturalistic approach to normative and value-concepts. Naturalistic versions of values, ethics and choices should be explored, analyzed, defended and applied in specific case studies, for the computational model to acquire its necessary epistemological grounding and practical credibility. Sociological models of the interaction between human and electronic agents in the emerging e-communities. Trust policies in public and private organizations. Dynamic assessment of the levels of trust associated with a service.

Legal issues underpinning the management of Trust (Nikos Alivizatos, University of Athens and Jon Bing et al., NRCCL, H. Weaver et al., CLRC, invited speakers):

Analysis of existing legislative frameworks within and outside the European Union, recommendations on possible harmonization of these frameworks. Legal issues of electronic agents as participants in contracts. Embodiment of trust elements in contract negotiation, execution monitoring, re-negotiation and arbitration.

Models and semantics of trust (S. Tsinorema, University of Crete, Morris Sloman et al, Imperial College, Heiko Krumm et al, University of Dortmund, Andrew J.I. Jones et al, King’s College, C. Castelfranchi et al, ICST – CNR, K. Stolen et al, SINTEF, P. Nixon et al, University of Strathclyde, J. Bicarregui, T. Dimitrakos, CLRC and invited speakers):

Trust notations usable by all stakeholders and amenable to automated analysis and reasoning. Computational trust models. Reasoning in the presence of inconsistency, tracking the causes or sources of inconsistencies, making incremental revisions to the so far established facts and valuations. Epistemology and semantics of trust. Clarification of meaning and domains of application, fundamental definitional questions. Informal and formal accounts of trust. Limits, scope and explanatory force of formal accounts, and their relation to informal ones. Logic of Norms [as trust is a normative notion].
Modal-logical specifications of conditions of trusted and trusting agents, classification of normative modalities for formal analyses of trust, agents’ intentions, interests, etc. Epistemology of reasons for trusting: The epistemic nature of reasoning processes, the epistemology and psychology of reason-giving in trust situations. Epistemology of intentional notions involved in trusting (belief, attitude, awareness, etc.). It delivers analyses and clarifies questions such as, “in what sense can electronic agents be trusted agents?”

Design of trust based architectures and decision-making mechanisms for e-community and e-service interactions (C. Nikolaou, University of Crete, D. Tsigos, Virtual Trip, E. Samaras and M. Marazakis et al, Plefsis, Joan Borrell et al, UAB, S. Shiu et al, HP Labs, Graham Klyne, Nine by Nine, D. Raptis, Intracom, V. Issarny et al, INRIA, C. Jensen, Trinity College, S. Poslad, Queen Mary College, K. Jeffery, T. Dimitrakos, B.M. Matthews et al, CLRC and invited speakers):


- Architectures that facilitate locating services and selecting among the potential candidate services.
- Mechanisms for publishing quality of service and access control policies.
- Certification mechanisms, recommendation and reputation systems underpinning the service selection process.
- Incorporation of trust requirements in service goals.
- Including trust and risk metrics in contract and service level agreement negotiation.
- Monitoring services to determine violations of agreements and automatically taking corrective action.

…

Dissemination

iTrust will use the proceedings from the internal and public workshops as the primary vehicle for the dissemination of research results related to Trust Management. Other dissemination channels include:

- Liaisons with industry, through established contacts of partners with research laboratories of major companies
- Liaison with standardization bodies, such as W3C, OMG and FIPA
- Journal publications of selected partner or invited speaker contributions to the workshop proceedings
- Brochures and other material suitable for media distribution according to available resources and Steering Committee decisions.

Exploitation

The close contacts already established between the academic partners of iTrust and industry will allow a continuous flow of ideas on trust management from universities and research centers to industry. Technology take-up by industry is thus facilitated by iTrust. The interaction of iTrust with standardization bodies will also be beneficial for the standardization and specifications efforts currently under way in trust management.

6 Workplan:

The iTrust Working Group (WG) is to organize a series of workshops to give its partners the opportunity to present to each other their ongoing research efforts in the area of trust management, and to allow them to benefit from each other’s experience and expertise. These workshops constitute the project’s milestones.
The iTrust WG’s timeline is divided into 6-month slots, with a workshop scheduled to take place within each slot. Three internal and three public workshops are scheduled, each with a duration of 3 days. The internal workshops will be restricted to participants from the iTrust WG, with an average of 20-25 attendees. The public workshops are expected to have 30-40 attendees, and will include internationally renowned invited speakers. For the public workshops, the iTrust WG will solicit submissions from the research community through open calls. All workshops will include discussions and briefings on current technology
and standardization developments, so as to keep the iTrust WG consortium up-to-date.

9.1 General description

Each workshop, whether internal or public, is to combine the following tracks, which are considered to be tightly intertwined:

- Initial kick-off session where all participate
- Separation into smaller groups (internal workshops) or sessions (public workshops) that focus on uni-disciplinary aspects - e.g. definitions of trust, ethical issues, legal issues, socio-economic issues, psychological issues, software architecture and mechanisms issues, etc.
- Plenary sessions where specific topics are discussed and subjected to multidisciplinary questioning and criticism such as:
  - Trust modelling (through formal logic approaches, operational computing oriented approaches etc.)
  - Trust-based decision making & relationship management (extent to which this can be automated, human-computer interaction issues, legal issues, etc.)
  - Trust management frameworks (architecture considerations, formal models, how ethics, law is embedded, etc.)

The three cycles of workshops (each comprising an internal and a public workshop) will however proceed from a relatively deep examination of the meaning of trust and the various ways of modelling it (the first two workshops) to an examination of how trust can be used to select services and build relationships over the Internet (the next two workshops) to an in-depth discussion of trust management frameworks, consistent with the various trust models and where trust relationships can be embedded (the final two workshops). The ongoing activities of the iTrust consortium partners cover all these topics, and we expect to attract invited speakers who can provide valuable input and alternative perspectives.
A non-exhaustive list of workshop topics, to be included in the open calls for paper submissions, is as follows:

- Formation, evolution, and propagation of trust
- Formal logic formulations for trust
- Formal methods for specifying system properties
- Frameworks for reasoning about trust
- Dynamic and collaborative aspects of trust
- Trust from a Human Computer Interaction perspective
- Distributed systems aspects of trust management
- Relationship management
- Guarantees and accountability in open systems
- Service selection based on recommendations
- Security assurance methodologies and their relation to trust
- Clusters and communities on the Internet
- Access control policies on the basis of trust
- Legal aspects of computer security, in particular privacy and trust management
- Social and ethics foundations for trust-based reasoning
- Applications of trust management to e-business
- Algorithms and mechanisms for trust enforcement


We consider these topics to be of increasing importance as the Internet develops into a pervasive utility, hosting a vast array of services from autonomous entities, with increasing interdependencies. Potential “invited speakers” have already been identified, and every effort will be made to ensure that the public workshops will benefit from the participation of active researchers in the area of trust management as well as social scientists, experts on matters of law and policy, and representatives of standardization bodies.

…

An outline of the proposed event schedule is shown in the following table. The minutes of internal workshops, and the proceedings of the public workshops, will be the deliverables of the iTrust WG. These documents will be accessible through the consortium’s Web pages.

43) Olle Olsson

SICS

Position Paper - Trust and Security
SICS, April 3, 2002, version 1.0
Olle Olsson, Kia Höök, Gunnar Sjödin, Babak Sadighi, {olleo | kia | sjodin | babak } @sics.se

Vision & Challenges

The envisioned eEurope is based on the concepts of ambient intelligence, with ubiquitous infrastructure (computing and communication) and invisible as well as natural interfaces. The individual citizen, as well as commercial organisations and public institutions, will be able to access and use rich knowledge spaces, and new forms of cooperation and services will emerge. This increased dependence on a pervasive infrastructure introduces critical new challenges in the areas of security, privacy and trust. To realise the full potential of new technological infrastructures, there is a need to provide solutions not only to existing problems, but also to the problems that emerge when new ways of work and life evolve, triggered by societal needs and enabled by new technological possibilities. The major challenge is how to restore confidence in the critical IT-infrastructure of society as a whole, as well as in specific services.

Problems & Drivers

The commercial sector will be driven by market needs, both in terms of what they can offer, and in terms of what they need to ensure the integrity of their own information and processes. Emerging needs can be identified in areas like virtual organisations, where new forms of cooperation must be seamlessly supported. Citizens of society will store, manage, and provide sensitive information to service providers as well as to different classes of communities. They will also be in continuous interaction with the surrounding digital space, exchanging all sorts of information with this environment. Such information can be explicit as well as implicit, and as the amount of personal information is rapidly growing, easy-to-use methods for safeguarding sensitive information become a critical precondition for new technology to be accepted.

Key approaches


Proposed research and activities are grouped under three main headings: models, technologies & methods, and evaluation. These three dimensions complement each other, with technologies & methods as the major one, from an effort point of view.

Models - conceptual frameworks:

Privacy from cognitive, cultural, legal, and technical perspectives. Security and privacy must be understood in several dimensions of society. One obvious dimension is the legal perspective, and the possible domains of formal regulations, self-regulated sectors, and technology must be matched to each other, determining how they offer trade-offs and how they complement each other.

Authority, policies, and contracts. Requirements on security and privacy must be expressed in operational ways. When the infrastructure is being populated by autonomous entities, desired protection must be enforced partly by mechanical means. This requires a better understanding of concepts like policies and contracts, how they should be understood, and how they can be enforced.

Technologies & methods - mechanisms and tools:

Cryptographic techniques for secure co-operation and communication. Applied cryptographic techniques can be used to achieve secure communication while still enabling distributed computations. A typical need is for a group of actors to achieve a common result that depends on sensitive information, without disclosing that information. This description applies to peer-to-peer computations, where entities belonging to multiple authority domains co-operatively provide certain services. A specific example is the application of multiparty computations to decentralised applications, like voting or group decision-making.

Secured personal information environments. Protecting sensitive personal information in managed spaces. Policies state rules about how information may be used and by whom, and how information may be distributed. The owner of information, e.g. an ordinary citizen of society, must be able to state constraining policies, as well as understand the consequences of stated policies.

Communities of trust. Globally decentralised user communities can be related by trust relationships. Trust exists between parties in a community and between members of a community and external parties. The community can be empowered through sharing of trust, based on experiences. Trust is created through explicitly stated policies, and adapted through evaluation of behaviour w.r.t. expectations and policies. Operational models of trust can serve as decision aids to users, and may guide autonomous entities in the digital community.

Authorisation management. Authorisations state rights to access entities or services. Authority can be delegated, according to stated policies, and enable new rights to emerge. Decentralised management enables flexibility and adaptation to characteristics of situations. Rights may be associated with obligations. Failure to live up to authorisations and obligations may be detected and/or prevented. Authority delegations and revocations implicitly create and modify a management structure of an organisation, real or virtual.

Methods and paradigms.

To be able to build systems, components and services that enhance the protection of both the infrastructure and the users of the infrastructure, systematic methods need to be developed, methods that are based on understandable paradigms in the area of security and trust.

Field studies and evaluation - knowledge building

Exploring critical concepts in situated contexts and evaluating usability of proposed approaches. Especially in the area of privacy, the rapid change in technology as well as globalisation of cultural attitudes makes it necessary to provide a sound empirical basis for proposed solutions to security risks. Usability evaluations (the end-user perspective) must take into account the different attitudes prevalent in diverse regions, as well as the expected market-driven requirements, and expressed societal needs, with special reference to the long-term evolution of society.

A common denominator of most of the technical work described above is the concept of "policy". We argue that this concept is critical for understanding what security and trust actually mean, and how the ubiquitous computational environment can be controlled so that it fulfils desired requirements.

Integration - towards a plan of actions

Security of information and communication must be investigated from a multidisciplinary point of view. Clarifying the domains of application of different types of instruments will be a precondition for achieving the level of confidence required by the eEurope of the future. Security-related issues permeate system structures (security is not an add-on feature), and in this sense are intrinsically intertwined with other technology. This brings integration issues to the surface, issues that are too complex to solve in isolation. Such issues need to be explored, though, but in the context of broad co-operative work.

We propose that R&D in the technological areas described above will act as critical enablers for improved security and enhanced trust in society and business.

44) Ahmed Patel

University College Dublin

Building Technological Support for Cybercrime Investigation
Contribution to FP6 Consultation Workshop on Trust and Security, Brussels, 30 May 2002
Dr. Ahmed Patel, University College Dublin, Ireland

Need and Relevance

The importance of IT security is well known and security technology has been the subject of extensive research. However, security in the conventional sense is no longer enough to maintain trust in the infrastructure connecting users (private, commercial and governmental) through intermediate systems and networks, or to maintain the safety of that infrastructure. There is a wide range of undesirable and unacceptable activities possible in the electronic environment which can be neither prevented nor controlled by existing or foreseeable security technologies; for example, unauthorised access, fraud or the distribution of illegal/harmful material. Furthermore, the complex issue of abuse by trusted users (who by definition can bypass security mechanisms) is in many ways beyond the scope of conventional IT security.

As the information society becomes established, technological support for investigative and audit activities will be an important component of security technology which increases confidence in the information infrastructure. It can provide additional tools of importance to security by giving investigators the ability to pursue and successfully prosecute wrongdoers. It can also give auditors effective tools for detecting fraud and other abuses. It is particularly important in dealing with abuses by trusted users, and with abuses which cannot be detected/prevented by conventional security. There is also a need for investigation of security violations, whether detected by automatic security systems or by human observers. Audit will be increasingly important to maintain trust and confidence in the electronic infrastructure, and supporting technology for audit activities is essential.

Investigative technology and methodologies must be extended and developed to deal successfully with the current environment, and most importantly with the rapidly emerging environment based on next-generation mobile systems, Internet 2, etc. It will be necessary to address management aspects, particularly the relationship between investigations and general security management.

Related Work

Law enforcement cooperation is being addressed to some extent in other EU programmes (e.g. OISIN, FALCONE). However, there is a distinct need for research and development to support investigative and audit work because the existing work is chiefly focused on organisational issues rather than on technology issues. This work has identified a need for training and awareness activities, preferably coordinated at European level.
There is ongoing work by police organisations (Interpol, Europol) on developing best practices for law enforcement investigators. A number of commercial products and services to support investigations exist. These are very limited in scope, dealing mainly with evidence recovery from isolated systems in a single jurisdiction. Moreover, they are very ad hoc in nature, are labour intensive, and rely on the investigator's expertise rather than assisting an investigator.

There has been some recent work on developing standards in this area. The IETF has published RFC documents in relation to collection of evidence and on technological support for network tracing. In the USA, the NIST has undertaken work on standardised disk imaging tools and a database supporting disk analysis. ETSI is developing technology standards for lawful interception of telecommunications, and similar work is taking place in the USA.

The legal environment is developing rapidly. In particular, the Council of Europe Convention on Cybercrime is creating a common framework for investigations by law enforcement agencies throughout Europe and further afield. There are also important developments in copyright protection and in relation to the complex issues surrounding the balance between privacy and the public interest. There has been some international work on the handling of electronic evidence, e.g. the principles set out by the G8. However, most of this work is as yet at a very high level and substantial effort is needed to translate it into technologies and methodologies which are useful in practice.

Description of Proposed Research and Activities

Some Key RTD Issues in Forensic Computing

- Detection/investigation/audit techniques for new technologies
- Investigative tools:
  - advanced methods for investigation and analysis of evidence
  - development methodologies to ensure quality standardisation and certification of tools
- Forensic information modelling; formats for storage, exchange, etc.
- Assurance of correctness and reliability of forensic examination of IT systems
- Codes of practice e.g. evidence handling, search and seizure, routine collection of information
- Protection of rights (e.g. privacy, data protection) in investigations and audits
- Identifying needs for new or amended legislation to cope with technology change
- Design of systems incorporating strict legal and investigative requirements
- Inter-organisation issues: sharing of potential evidence
- Technology support for cooperation of investigative agencies
- Management of security to support investigative activities

Possible Approaches

- Investigative platforms: their requirements; design and implementation methodologies
- Formal approaches to requirements, design, reliability and reproducibility
- Advanced algorithms, techniques and tools for investigators: detection, capture and presentation of evidence
- Development of codes of practice and standards, e.g. for evidence gathering, evidence handling, information exchange and disclosure, management
- Pilot deployments to validate research results
- Training and awareness activities to achieve rapid deployment of results

Scale of Proposed Work

All issues and approaches must be considered in the international context. This greatly increases the complexity of the subject and makes it particularly suitable for coordinated international research, since national or industry-led work is unlikely to be able to deal adequately with this aspect. Furthermore, research must be multidisciplinary: technology expertise must be matched by expertise from law enforcement and legal perspectives if useful results are to be achieved.

In the context of FP6, it appears that Integrated Projects provide a suitable instrument for addressing the needs. Each IP should have representation from most (ideally all) Member States to ensure adequate coverage of the varied legal and procedural environments in the EU. The desired research results are usually beyond the resources available to the participants individually and so large-scale cooperation is the only means to make acceptable progress. Targeted research projects can provide a suitable way to stimulate and support research on topics within the area, e.g. the development of investigative technology or a standard to address a particular need identified by practitioners.

In order to achieve maximum benefit from the proposed research, the creation of one or more networks of excellence in the area is highly desirable. This could be done simultaneously with the integrated projects to ensure maximum benefit from interactions between projects.

Impacts

The impact of the proposed research would be to:
- increase awareness of the needs in this area throughout Europe
- create standardised technology with a strong legal and procedural basis to allow effective investigations of cybercrime
- create opportunities for the sharing of results which individual participants require but cannot usually develop alone
- create a research infrastructure which allows new investigative technologies to be identified and developed

Dr. Ahmed Patel Computer Networks & Distributed Systems Research Group Dept. of Computer Science University College Dublin Belfield, Dublin 4, Ireland

Phone: +353171624 76 Fax: +35312697262 Email: [email protected]

Research Interests: Technological Support for Cybercrime Investigation
FP6 Consultation Workshop on Trust and Security, Brussels, 30 May 2002
Dr. Ahmed Patel, University College Dublin, Ireland

Investigative platforms
- requirements for investigative tools
- design and implementation methodologies
- how to achieve legal conformance
- use of formal approaches to requirements, design, and implementation

Advanced algorithms, techniques and tools for investigators
- detection and alerting of incidents
- capture of evidence, especially in heterogeneous networked environments
- presentation of evidence

Development of codes of practice and standards
- evidence gathering
- evidence handling
- information exchange and disclosure
- management issues, especially security management

Training and awareness
- development of professional training courses and training syllabuses
- incorporating security/investigative topics in undergraduate and postgraduate courses

45) Giuseppe Persiano

University of Salerno

The need for openness of the software in Security
A position paper submitted to the Consultation Workshop on Trust and Security
Giuseppe Persiano, Dipartimento di Informatica ed Appl., Università di Salerno, 84081 Baronissi SA, Italy, [email protected]

The debate over open-source software vs. closed-source software is one of the main topics of discussion and, besides technical considerations, it also touches upon the economic and social aspects of the software industry. However, when it comes to security and cryptographic software it is obvious that open-source software is a requisite. Security software whose source code cannot be inspected could itself be a security threat. By their nature, software systems are very complex objects and it is easy to hide backdoors in any software. A backdoor is a simple mechanism by which, whenever a specified event occurs, the system starts behaving in a malicious way. For example, a web server could hide a trapdoor that is activated whenever a special HTTP command (say GET /start_malicious) is received. The action of the trapdoor is to execute undocumented malicious code that, for example, sends to a specified address sensitive files from the system on which it is running. Notice that in this case, as with all network applications, the trapdoor can be remotely activated. If the source code of the web server is not available it is very difficult to spot such a behaviour. On the other hand, it is also very difficult to hide such a behaviour in an open-source web server like Apache [1].

Fortunately, several open source projects offer a reliable and well documented development toolkit for security, among which we point to the OpenSSL project [2].
The OpenSSL project has been the starting point of several open source projects. It provides the basic API for handling, among other things, complex objects like certificates, and implements most of the cryptographic primitives (from multiple precision integer arithmetic to operations in finite fields) and algorithms (like RSA, TripleDES, AES).

User Privacy in Electronic Government
A position paper submitted to the Consultation Workshop on Trust and Security
Giuseppe Persiano, Dipartimento di Informatica ed Appl., Università di Salerno, 84081 Baronissi SA, Italy, [email protected]

The ongoing revolution in the field of telecommunication and information technology makes it necessary to rethink the role of the government in modern society. Several functions of the government (understood in the widest sense) are affected by the new technology: issuing credentials, printing money, running elections, just to name a few. We concentrate here on the issues regarding credentials and how the privacy of the individual is affected, and on the problem of sharing the power of the government in the information society. We also discuss in a non-technical manner the cryptographic protocols that could be the base of practical and secure solutions to the issues presented.

Credentials

Individuals and organizations often have a legitimate need to verify the identity or other personal information of the individuals they transact with. This need has been recognized by society, and mechanisms and infrastructures have been deployed to this aim. Traditionally, the infrastructure for issuing and managing credentials has been paper-based (for lack of a better technology) and it has been under the control of the government. Paper-based credentials (like passports, id-cards et cetera) have no place in the age of information technology as they do not interface in a satisfactory way with the modern communication systems that handle most of the commercial transactions.

This state of things has motivated the design of a new infrastructure for handling electronic credentials. Currently, the most accepted paradigm is centred around the concept of a Certification Authority and uses digital signatures. A Certification Authority issues what is called a digital certificate that consists of a bearer's name (or, more generally, an identifier), a list of attributes (like date and place of birth, marital status, academic achievements and others) and the bearer's public key. The whole is digitally signed by the Certification Authority, which vouches for the validity of the attributes and the linking of the public key to the bearer.
Digital certificates are just a sequence of bits that can be verified with perfect accuracy by computers and can be used in electronic transactions without human intervention. Their special mathematical structure guarantees that it would take millions of years to forge a digital certificate. Roughly speaking, a digital certificate is like a passport, only much more so, in the sense that any kind of data can be specified.

Unfortunately, the century-old practice of paper-based credentials with its inherent inefficiency provided a formidable shield to privacy that is dissolved by the new electronic version of certificates. Digital certificates can be instantaneously and effortlessly followed around and traced to the bearer as he/she moves and performs transactions over the network. Personal dossiers including financial situation, medical history, habits and preferences can be updated in real time and cannot be repudiated, as each move has been digitally signed by the bearer of the certificate.

Recent research trends in cryptography have started to focus on the design of cryptographic primitives and protocols that could protect the individual's right to privacy in a world of electronic transactions. This seems at first an impossible task, as the need to accurately identify the parties in a transaction and the right to privacy of the individual seem to contradict each other. Currently, the most promising proposals of cryptographic protocols for the protection of privacy lie along one of two lines of thought.

The first line of research relies on the simple observation that for several transactions, it is not necessary to identify the individual that is conducting the transaction but only that he/she belongs to a qualified group of individuals. This is best explained by the following example.

Consider a web-based newspaper-browsing service that for a monthly fee gives access to the daily edition of a number of newspapers. It would be natural to ask each subscriber to register to the service by presenting a digital certificate from which billing information can be derived. Each subscriber is required to present his/her certificate in order to gain access to the database, and thus the manager can discriminate between users that have paid the monthly fee and users that have not. Since access to the service is granted only if a certificate is presented, the service manager can build an accurate reading profile from which, for example, the political orientation of the subscriber can be derived.

Observe though that the information contained in the digital certificate is not essential to the role of the service manager, which consists in making sure that only qualified users access the database. What the service manager really needs is a proof that the requester of the service belongs to the qualified set of users that have paid the fee for the current period. The problem is thus reduced to the design of a practical anonymous group identification protocol that allows one party (in our example, the subscriber) to prove membership of a qualified group (in our example, the set of subscribers for the current period) without revealing his/her identity. Recently, such a protocol has been proposed [1] and the viability of this approach has been shown for web-based subscription services. The proposal can be made to work using regular X.509v3 certificates with RSA keys.

A second, complementary approach rests on the observation that exhibiting a digital certificate shows, obviously, the values of all the attributes, even though for the specific transaction being performed only a subset of the attributes is relevant. In some situations people with a chronic disease benefit from an exemption for some specific prescriptions related to their condition.
So it is conceivable to have an attribute on the certificate carrying this information. However, although convenient, having too much information on the certificate is dangerous for the individual. A person with diabetes uses his certificate to buy drugs on the web (in which case the extension specifying his condition is relevant) and to access the company web server (in which case the extension is not only irrelevant but potentially dangerous for his career). The concept of private credentials put forth by S. Brands [2] is very powerful as it allows individuals to selectively disclose attributes while hiding any other information. A concrete implementation of private credentials is based on the mathematical properties of logarithms in cyclic groups. The concept of crypto-certificate introduced in [1] offers the same features and can be implemented using well-known cryptographic algorithms like RSA and hash algorithms (like SHA and MD5).

Sharing the power of government

An even more subtle issue comes from the consideration that electronic practice tends to concentrate enormous power in one hand. Just think of the power that comes from being the manager of a Certification Authority (a corrupted CA can issue "valid" certificates for any person in the world and use them to impersonate anyone). A well-learned lesson from the past is that it is better to distribute power among several entities. The aim of threshold cryptography is to establish primitives and to design protocols that split the work of a logical entity (for example a CA) among several parties so that the output (for example, the certificate) is valid only if at least a certain number (called the threshold) of the parties have actively taken part. For the specific case of the CA, one would like to delegate two or more parties in such a way that a certificate is valid only if all the delegates have taken part in issuing it. Thus if one of the parties is corrupted then he cannot just issue a certificate for, say, the CEO of a big company and use it to sign contracts without the help of the other parties. An added value of sharing the work among several parties is that (by a careful choice of the threshold) the whole system is fault-tolerant. Project COCA [3] at Cornell University is a first example of a CA based on threshold cryptography.

References (User Privacy in Electronic Government)

[1] Pino Persiano and Ivan Visconti, "A Secure and Private System for Subscription-Based Remote Services", unpublished manuscript. A preliminary version appeared as "User Privacy Issues Regarding Certificates and the TLS Protocol (The Design and Implementation of the SPSL Protocol)", in Proceedings of the 7th ACM Conference on Computer and Communications Security, 2000, pp. 53-63. The home page of the SPSL project is found at http://www.security.unisa.it/spsl
[2] Stefan A. Brands, "Rethinking Public Key Infrastructures and Digital Certificates", MIT Press, Cambridge, MA, August 2000.
[3] Lidong Zhou, Fred B. Schneider, and Robbert van Renesse, "COCA: A Secure Distributed On-line Certification Authority". A preliminary version is available as Technical Report 2000-1828, Department of Computer Science, Cornell University, Ithaca, NY USA, December 2000. The home page of the COCA project is found at http://www.cs.cornell.edu/home/ldzhou/coca.htm

References (The need for openness of the software in Security)

[1] http://www.apache.org
[2] http://www.OpenSSL.org
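The selective disclosure of attributes described under the second approach, as an added example: this is not the crypto-certificate construction of [1] nor Brands' private credentials [2], but a generic salted-hash commitment per attribute with a textbook RSA signature over the commitments. The toy issuer key, the function names, and the attribute names and values are constructed for illustration.

```python
import hashlib
import secrets

# Constructed toy issuer (CA) key: textbook RSA over two Mersenne primes,
# chosen only because they are easy to state. Not a production key or scheme.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))


def h_parts(*parts: bytes) -> bytes:
    """SHA-256 over length-prefixed parts, so field boundaries are unambiguous."""
    h = hashlib.sha256()
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return h.digest()


def commit(salt: bytes, name: str, value: str) -> bytes:
    """Salted commitment to one attribute; the random salt stops value guessing."""
    return h_parts(salt, name.encode(), value.encode())


def to_be_signed(bearer_key: bytes, commitments: list) -> int:
    """Integer the CA signs: bearer key plus all attribute commitments."""
    return int.from_bytes(h_parts(bearer_key, *commitments), "big")


def issue(bearer_key: bytes, attributes: dict):
    """CA side: commit to every attribute and sign only the commitments."""
    openings = {name: (secrets.token_bytes(16), value)
                for name, value in attributes.items()}
    # Sorting hides the order in which the attributes were supplied.
    commitments = sorted(commit(salt, name, value)
                         for name, (salt, value) in openings.items())
    signature = pow(to_be_signed(bearer_key, commitments), D, N)
    certificate = {"bearer_key": bearer_key,
                   "commitments": commitments,
                   "signature": signature}
    return certificate, openings  # the openings stay with the bearer


def present(certificate: dict, openings: dict, disclose: set) -> dict:
    """Bearer side: certificate plus the openings of the chosen attributes only."""
    return {"certificate": certificate,
            "disclosed": {name: openings[name] for name in disclose}}


def verify_presentation(presentation: dict):
    """Relying party: return the verified attributes, or None if a check fails."""
    cert = presentation["certificate"]
    expected = to_be_signed(cert["bearer_key"], cert["commitments"])
    if pow(cert["signature"], E, N) != expected:
        return None  # commitments were not signed by the CA
    verified = {}
    for name, (salt, value) in presentation["disclosed"].items():
        if commit(salt, name, value) not in cert["commitments"]:
            return None  # claimed attribute does not open any commitment
        verified[name] = value
    return verified


def demo():
    """The page's scenario: one certificate, two relying parties."""
    cert, openings = issue(b"constructed-bearer-public-key",
                           {"name": "A. Bearer",
                            "employee_id": "E-1042",
                            "exemption": "diabetes"})
    pharmacy = verify_presentation(present(cert, openings, {"exemption"}))
    employer = verify_presentation(
        present(cert, openings, {"name", "employee_id"}))
    return pharmacy, employer


if __name__ == "__main__":
    print(demo())
```

Every presentation repeats the same signature and commitment list, so relying parties that compare notes can still link the bearer's transactions; this sketch hides attribute values only.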
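The all-delegates case from the section on sharing the power of government, as an added example (not code from the paper or from the COCA project): a trusted dealer splits the CA's RSA private exponent additively, and the certificate signature verifies only when every delegate's partial signature is multiplied in. The toy key, the dealer, the certificate body and the function names are assumptions; a threshold below the number of delegates needs a different sharing scheme and is not covered.

```python
import hashlib
import secrets

# Constructed toy CA key: textbook RSA over two Mersenne primes, chosen only
# because they are easy to state. A real CA uses random primes and a padded
# signature scheme.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)  # full private exponent; exists only at the dealer


def digest(cert_body: bytes) -> int:
    """Hash of the to-be-signed certificate body, as an integer below N."""
    return int.from_bytes(hashlib.sha256(cert_body).digest(), "big")


def split_exponent(d: int, delegates: int) -> list:
    """Additive sharing: random shares whose sum is d modulo phi(N).

    Any subset smaller than the full set holds values that are jointly
    uniform, so it learns nothing about d.
    """
    if delegates < 2:
        raise ValueError("need at least two delegates")
    shares = [secrets.randbelow(PHI) for _ in range(delegates - 1)]
    shares.append((d - sum(shares)) % PHI)
    return shares


def partial_signature(cert_body: bytes, share: int) -> int:
    """What one delegate computes locally with its own share."""
    return pow(digest(cert_body), share, N)


def combine(partials: list) -> int:
    """Multiply partial signatures: m^d1 * m^d2 * ... = m^(d1+d2+...) mod N."""
    signature = 1
    for partial in partials:
        signature = signature * partial % N
    return signature


def verify_certificate(cert_body: bytes, signature: int) -> bool:
    """Ordinary RSA verification; verifiers need not know the key was shared."""
    return pow(signature, E, N) == digest(cert_body)


def demo():
    """Three delegates: all of them, two of them, and one acting alone."""
    body = b"CN=Constructed Subject,O=Example Corp"  # constructed sample
    shares = split_exponent(D, 3)
    partials = [partial_signature(body, share) for share in shares]
    return (verify_certificate(body, combine(partials)),
            verify_certificate(body, combine(partials[:2])),
            verify_certificate(body, partials[0]))


if __name__ == "__main__":
    print(demo())
```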

46) Costas Phenekos M.D.

Red Cross Hospital

Research on Trust and Security within the context of the 6th Framework Programme
Costas Phenekos M.D., Director, Department of Endocrinology and Metabolism, Red Cross Hospital, Athens, Greece. Tel 3010-6414737, Fax: 3010-6414800. email: [email protected]

The proposals, ideas and comments of this document will be focused on the aspect of medical records security issues due to my involvement in the FP4 and FP5 funded telematics project "Diabcard", related to the development of a smart card for facilitating the storage and dissemination of patients' medical information amongst health professionals.

1. Description, need and relevance of the proposed research and activities.

The technological development in the field of security of electronically stored records has progressed considerably and, although adequate in technical terms, has met with difficulties related to its implementation due to:

a. Failure of standardisation of relative hardware, software and coding of medical information within the E.U.
b. Opposition and/or lack of cooperation of individual subjects, private organisations protecting personal data, or failure of proposed security features to comply with National Constitutional provisions related to the subject.
c. Failure of communication and agreement between informatics specialists and health professionals on issues related to security characteristics, the extent of the inherent security features required and the grading of access to the stored information.
d. Lack of adequate back-up features in case of loss of data or forgetting the relative P.I.N. and codes for accessing the data.

All these issues make coordinated research mandatory, not so much in developing new technological features as in inventing methods of standardising the systems required and, mainly, in implementing on a large scale the methods, mutually agreed at EU level, for storing and securing medical information. The number of patients, especially those suffering from non-infectious chronic degenerative diseases such as diabetes, arthritis and osteoporosis, has increased greatly over the last 2-3 decades, imposing a major load on the national health care systems, where electronically stored individual patient data or demographic parameters of individual diseases need to be accessed promptly and only by authorised personnel.

2. Scale, ambition, critical mass.

The proposed research priority should be considered major in terms of joint effort, pooling of knowledge, skills and funding. A successful implementation of methods to secure patient and epidemiological data will contribute enormously to the social need for better health care, prevention of the disease and reduction and enhanced cost-effectiveness of funds spent on health system services. It will also help in augmenting scientific research on health issues by providing uniformly coded patient data ready for evaluation by physicians, researchers and statisticians-epidemiologists. The critical mass to be achieved should consist of technological institutions, medical research centers, hospitals, governmental bodies, patient organizations and industry.
The minimum number of partners that should be considered, either in the context of centers of excellence or integrated projects, cannot be less than 15, with an optimum of 20-25.

3. Extent of integration or structuring impact.

The pooling of technical and human resources towards a common goal, that of developing unique software programmes and the relative infrastructure required to implement a standardised and universally applied security system for keeping coded medical information, will certainly have a major integrating and structural effect on this particular research field at a European level. The successful outcome of the joint effort will provide new knowledge, help in technology transfer, educate and train the personnel involved and eventually satisfy society's needs for better health, and at the same time guarantee the respect deserved by individuals' personal data. The main prerequisite for the proper application of the research tools (Centres of excellence or integrated projects) towards achieving a successful outcome is that the technological development serves well defined consumer and society needs and is not just technological development per se.

47) Frank Piessens

KUL

Building a well-structured source for quality-controlled information about security in the information technology society

Description, Need and Relevance

Security is a complex issue. Not only are the technologies used to secure information systems increasingly complex, but technology alone is insufficient to secure a real-world system. Laws must support the technological solutions, and some legal knowledge is often necessary even to pick an appropriate technology. Moreover, the deployment and maintenance of a security solution needs to be managed in an appropriate way. In addition, security is a fast-evolving field, so yesterday's state-of-the-art may be insufficient today.

Therefore, it is extremely important in this information society to have access to high-quality information about IT security issues, on a technological, legal and management level. While there is a wealth of information available on the Internet, the quality of much of this information is doubtful. And for a non-expert in security, it is very hard to assess the quality of this information. So we believe there is a strong need for a quality-controlled information source about all aspects of IT security. To ensure the quality of the information, we feel that a consortium of academia, industry and government people must maintain such an information source.

The goal of the proposed project is to set up such an information repository, accessible via an easy to navigate website. The repository will be edited by a team of editors coming from security research groups in universities, and security experts from industry and government. The repository should carry educational material, technology assessments and announcements, product assessments and announcements, research results and so on. We believe such a repository will be useful for a very broad audience, and will help increase awareness and knowledge about security issues as well as help devise better solutions to security problems.

Scale and ambition

The proposed project for building a quality-controlled information repository has already started on a very limited scale. But to be able to cover a significant area of the IT security field, we believe the involvement of ten to twenty editors coming from different European countries and having different backgrounds is necessary. We believe the Leuven area is the perfect place to start this initiative, because of its high concentration of security expertise (see for instance the website of the Leuven Security Excellence Consortium, www.l-sec.be), but of course involvement of participants from all over Europe is important.

Extent of the integration and/or structuring impact

We believe the potential impact to be significant: the fact that information for the repository is produced by, and obtained from, people with widely varying backgrounds, and the fact that this varied information is then structured in an appropriate way for easy dissemination, ensures the value of the information.

123

IRG Workshop on Trust and Security - CONTRIBUTIONS

Brussels May 30 2002 124

Moreover, the information repository can serve as a dissemination tool for results from other projects: as such, it can help ensure that results of security-related research and development projects will reach a wide audience. Many universities and companies already spend quite some time on technology-watch, and trying to stay up-to-date on security technologies. In this project, these islands of knowledge would be integrated and structured into one integrated and structured knowledge repository. Prof. Dr. Frank Piessens Dept. of Computer Science Katholieke Universiteit Leuven Celestijnenlaan 200A B-3001 Heverlee, Belgium E-mail: [email protected]

Prof. Dr. Bart Preneel
Dept. of Electrical Engineering
Katholieke Universiteit Leuven
Kasteelpark Arenberg 10
B-3001 Heverlee, Belgium
[email protected]

48) Giannis Pikrammenos

University of Athens

Smart Media as the Secure Transactions Mediator of the future

Most industry observers agree that the much-hyped Information Highways will spread more quickly in the professional world than they will in the consumer world. Nevertheless, the experts also agree that in both cases an essential ingredient of their overall success will be more security: not centralised security, but widely available security services, required to encourage businesses, big or small, and even individuals to conduct transactions in all confidence and actually trust the "information at their fingertips".

Modern requirements for better cryptography, biometry, easier and faster customisation, and higher-bandwidth data handling push the industry towards Smart Card technology with secure processors and advanced Operating System architectures. Enhanced architectures that embed both numerical processors and high storage capacity on a Smart Card IC chip allow the hosting of secure applications that satisfy such requirements. Diverse forms of IC coating give rise to Smart Tags, Smart Labels or Smart Stickers, that is, an attached version of Smart Cards, allowing for the portability and the decentralisation of the information in the most effective manner. Additionally, Barcodes could be combined into the same Smart Media, allowing for better utilisation of both technologies.

The numerous encryption and security methodologies developed for such transactional applications blur the insight into the procedural progress. The lack of awareness of the methodology followed and of the functionality of the instruments used to realise transactions gives rise to mistrust and discomfort, discouraging participation in such transactions.

The need to separate transactions into distinct steps arises from the highly diversified requirements of the set of feasible applications as well as the variety of the available methodologies. Each application has its particular characteristics with regard to the transaction to be realised or to other applications. A variety of available methodologies could be applicable in each case, allowing for the unintended common coverage of required functionalities. Partitioning the transactions into steps will allow the classification of applications and methods, making it feasible to grade and group them into case-driven applications.

In order to further enhance security and to raise the trust relationship between the authenticated and the authenticator, a combination of existing procedures should be realised along with the conscious interaction of the participating parties. Combining two or more authentication procedures in the same step raises the level of security without necessarily implying a tremendous additional cost (in time, effort and investment). Having the participating parties take active roles in the stepwise transaction process raises their awareness of the procedural progress and assures their comprehension and approval.
Smart Cards have a wide range of applications, covering many of the day-to-day activities of people's lives, such as (from GEMPLUS):

- Content provision (Pay TV, telephone cards, Uni campus lab cards)
- Loyalty (club cards)
- Electronic payments (e-purse, smart-VISA)
- Asset tracking (corporate assets on the move, like refrigerators and crates, or products in store)
- Logistics (supermarket products on shelves, stock inventory)
- Authentication and security (CDs, airline tickets, books, clothes)
- Access control (corporate employee IDs)
- E-government (document tracking)
- Health care (medical record cards)
- Automotive (car insurance, car service, toll-road)
- Consumables and consumer products
- Ticketing

By increasing the involvement of customisable, portable media in daily transactions that have distinct requirements on authentication and trust, and by reshaping the security methodologies so that they incorporate the active participation of the transaction parties, it will become feasible to formulate a new environment for the transactions of tomorrow. The application-oriented shaping of such procedures shall thrust research based on market and implementation experience, allowing the high involvement of SMEs focusing on the satisfaction of target segments, while the industry shall further enhance the available products towards a classified transactional environment.

Since 1986 the Telecommunications Laboratory has been extensively involved in the RACE I & II, ESPRIT, BRITE EURAM, CTS, Telematics and ACTS programs. The laboratory personnel consists of a number of graduate and PhD students as well as faculty members, amounting to more than 100 persons. NTUA has participated in the HARP project (IST-1999-10923, KA I).

Giannis A. PIKRAMMENOS, PhD., MBA, Senior Research Associate of National Technical University of Athens (NTUA), Electrical Engineering & Computer Science Dept., Telecommunications Laboratory, Eroon Politechniou 9, 15773 Zografou, Athens, GREECE
Tel: (+30 10) 772 2583
Mobile: (+30) 977 341764
Fax: (+30 10) 772 2534
E-mail: [email protected]

49) Bart Preneel

KUL

ECRYPT European Network for Cryptologic Research

The goal of this Network of Excellence is to bring together key European researchers in the area of cryptology. Cryptology is an interdisciplinary research area with a high strategic impact for European industry and for the society as a whole, as it is a fundamental enabler for security and privacy in the Information Society. The research goals of the network are the design and evaluation of advanced cryptographic algorithms and protocols and the development of tools supporting the design and evaluation process. This work is motivated by the changing threat environment and the new requirements for cryptographic algorithms and protocols, such as cryptology resistant to quantum computers, cryptology resistant to side-channel analysis and lightweight/low-cost cryptology. The network will have a strong industrial component; a substantial effort will be spent on training and on dissemination of its research towards industry and standardisation bodies.

Prof. Dr. Bart Preneel
Dept. of Electrical Engineering
Katholieke Universiteit Leuven
Kasteelpark Arenberg 10
B-3001 Heverlee, Belgium
[email protected]


50) Jean-François Raskin


ULB

A Game Approach to the Formal Verification of Optimistic Exchange Protocols

Steve Kremer and Jean-François Raskin
Université Libre de Bruxelles, Département d'Informatique
skremer,[email protected]
http://www.ulb.ac.be/di/ssd/groupverif.html

Abstract: We present recent work on the automated formal verification of optimistic exchange protocols. These protocols, whose correctness is difficult to ensure, will become more and more necessary for the development of electronic commerce. Our group proposes new ways to formalize and automatically verify the robustness of those complicated protocols. The methods that we are currently developing can be a valuable technology to ensure the trust that we need in the security protocols on which electronic commerce is based.

KEYWORDS: Security protocols, optimistic exchange protocols, verification, model checking, games.

Context of the research

During the last decade, open networks, above all the INTERNET, have shown an impressive growth. The INTERNET is already used to do electronic commerce, but security is a real issue. As a consequence, the need for secure protocols, and the difficulty of avoiding errors when designing these protocols, increase dramatically. Optimistic exchange protocols are particularly important. Applications of this class of protocols include (i) electronic purchase of digital goods: exchange of an electronic item against an electronic payment; (ii) digital contract signing: exchange of digital signatures on a given electronic document; (iii) non-repudiation protocol: exchange of an electronic item and a non-repudiation of origin evidence against a non-repudiation of receipt evidence; (iv) certified e-mail: exchange of an electronic message against a proof of receipt; (v) barter: an electronic item of value is exchanged against another electronic item of (similar) value; ...

These situations have in common that they want to achieve an exchange between two potentially dishonest entities, without giving one of the entities the possibility of receiving the expected item without the other one also getting the item he expects. In 1980, Even and Yacobi showed that no deterministic contract-signing-like protocol exists without the participation of a trusted third party (TTP). A rather simple solution consists in using a trusted third party as an intermediary. Both Alice and Bob send their respective signature to the TTP, who collects the signatures and forwards them to the other entity. However, due to the communication and computation bottleneck created at the TTP, this solution has been considered inefficient. More recently, Micali [8] and Asokan et al. [2] introduced the optimistic approach. The idea is that a trusted third party only intervenes when a problem arises, e.g. an entity is trying to cheat or a network failure occurs at a crucial moment during the protocol. Such protocols generally consist of a main protocol and one or several subprotocols.

In addition to being quite complicated, those protocols must ensure sophisticated properties. Consider the following examples. A first property is fairness. A protocol between Alice and Bob is fair if at the end of the protocol either both Alice and Bob got their expected item or neither of them got any valuable information. Intuitively, this property prevents an entity from cheating the other one. A second property is timeliness. A protocol respects timeliness if, at any moment in the protocol, each entity can reach a point where it can stop the protocol while achieving fairness. This is needed to prevent a situation where one entity does not know whether he can stop the protocol without losing fairness, or whether he still has to wait for a message to arrive. Recently, Garay et al. [4] introduced a new property that is specific to contract signing: abuse-freeness. A protocol is abuse-free if neither Alice nor Bob has the power to prove to an external party, Charlie, that he can either successfully finish or stop an engaged contract signing protocol. Suppose that a contract signing protocol is not abuse-free, and that Alice has the power to decide the outcome of the protocol. If, for instance, Alice wants to sell a house to Charlie, she could engage in a contract with Bob with the mere goal of forcing Charlie to increase his offer. It is clear that a protocol that is not abuse-free gives an undesirable advantage to Alice.

It is now widely recognized that formal methods are useful to ensure the correctness of those complicated protocols. Unfortunately, the methods proposed to verify other security protocols, like authentication, are not well suited to this class of protocols. In this context we propose a new approach to their verification.

A Game-based Method for their Verification

There are some fundamental differences between authentication protocols and exchange protocols. Generally one of the most difficult problems in authentication protocols is to deal with the presence of an intruder. In exchange protocols we do not need to model an intruder, but we have to consider that either Alice or Bob, the two entities taking part in the protocol, may cheat (cf. also [9] and [3]).
Probably the most important difference is that exchange protocols, above all optimistic ones, are not linear. Generally authentication protocols are ping-pong protocols and only allow very few different traces. Exchange protocols, on the other hand, are divided into several subprotocols (e.g. a main and a recovery protocol), making branching possible, although they are intended to be executed in a given order by an honest entity. Changing the order of execution could result in subtle errors.

This is the reason why we propose a new method for the specification and the verification of exchange protocols. First, we want to model the actions that are possible in the course of the protocol and not stick to a given predefined order of execution. In that way, we give a malicious entity the potential not to follow the protocol, but to construct an attack against the honest entity. Second, we consider the execution of the protocol as a game: each entity and each communication channel is a player. We can think of designing a protocol as finding a strategy: the strategy proposed by the protocol has to defend an honest entity against all possible strategies of malicious parties that are trying to cheat. This point of view also allows us to express the required properties formally as strategies. For instance, a property such as fairness for Alice can be expressed as follows: ``a coalition of Bob and all the communication channels does not have a strategy to obtain a non-repudiation of origin evidence without Alice having a strategy to obtain a non-repudiation of receipt evidence''. Here, we have rephrased the property as the existence of a strategy.

The main advantage of modeling such protocols as games is that we directly and formally take into account the possibility of adversarial or cooperative behaviors. As the communication channels are also modeled as players, they can cooperate with dishonest protocol entities, to model the fact that either the channels are not well-functioning or that they are controlled by a given player. By using the alternating transition systems and alternating-time temporal logic of Alur et al. [1], we are able to formalize the non-repudiation protocols and their requirements in a direct way. Using the model checker MOCHA, we can automate their verification.

Perspectives

In the future, as electronic commerce advances, more and more European companies will face the difficulty of constructing dedicated versions of those protocols. Formal methods and computer-aided verification can be a valuable technology to ensure the trust that we will need in the electronic commerce of the future. Our research group is willing to cooperate with other research groups and companies interested in the correct design of fair exchange protocols and their use in electronic commerce.

Publications

Here is a list of recent publications where you will find more details about our work: [5,6,7].

Bibliography

[1] R. Alur, T. Henzinger, and O. Kupferman. Alternating-time temporal logic. In Proceedings of the 38th Annual Symposium on Foundations of Computer Science, pages 100-109. IEEE Computer Society Press, 1997.
[2] N. Asokan, M. Schunter, and M. Waidner. Optimistic protocols for fair exchange. In T. Matsumoto, editor, 4th ACM Conference on Computer and Communications Security, pages 6, 8-17, Zurich, Switzerland, Apr. 1997. ACM Press.
[3] C. Boyd and P. Kearney. Exploring fair exchange protocols using specification animation. In The Third International Workshop on Information Security, Lecture Notes in Computer Science, pages 209-223, Australia, Dec. 2000. Springer-Verlag.
[4] J. A. Garay, M. Jakobsson, and P. MacKenzie. Abuse-free optimistic contract signing. In Advances in Cryptology: Proceedings of Crypto'99, volume 1666 of Lecture Notes in Computer Science, pages 449-466. Springer-Verlag, 1999.
[5] S. Kremer and J.-F. Raskin. A game-based verification of non-repudiation and fair exchange protocols. In K. Larsen and M. Nielsen, editors, Concurrency Theory - Concur 2001, volume 2154 of Lecture Notes in Computer Science, pages 551-565, Aalborg, Denmark, Aug. 2001. Springer-Verlag.
[6] S. Kremer and J.-F. Raskin. A game-based verification of non-repudiation and fair exchange protocols. Technical Report 451, ULB, 2001.
[7] S. Kremer and J.-F. Raskin. Game analysis of abuse-free contract signing. In S. Schneider, editor, 15th IEEE Computer Security Foundations Workshop, Cape Breton, Nova Scotia, Canada, June 2002. IEEE Press.
[8] S. Micali. Certified E-mail with invisible post offices. Available from author; an invited presentation at the RSA '97 conference, 1997.
[9] S. Schneider. Formal analysis of a non-repudiation protocol. In 11th IEEE Computer Security Foundations Workshop, pages 54-65, Washington - Brussels - Tokyo, June 1998. IEEE.
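The game reading of fairness for Alice in the contribution above can be tried on a small model. The following is an added example, not the authors' code and not MOCHA input: the three protocol variants, the state names and the hand-written attractor computation are all constructed for illustration, and honest Alice is restricted to the moves her protocol prescribes.

```python
# Added illustration: a toy exchange modelled as a turn-based game.
# Owners: "A" honest Alice, "B" Bob, "C" a channel Bob may control, "T" the TTP.
# NRO = Bob holds evidence of origin, NRR = Alice holds evidence of receipt.

VARIANTS = ("naive", "optimistic", "optimistic_lossy_ttp_channel")


def build_game(variant):
    """Return {state: (owner, successors, evidence)} for a constructed toy protocol."""
    if variant not in VARIANTS:
        raise ValueError(f"unknown variant: {variant}")
    game = {
        # Honest Alice follows the protocol, so her only move is to send.
        "start":       ("A", ["sent"], set()),
        # The channel delivers Alice's message or loses it (Alice then aborts).
        "sent":        ("C", ["bob_has_nro", "aborted"], set()),
        "aborted":     ("A", ["aborted"], set()),
        # Bob may answer with the receipt or simply stop.
        "bob_has_nro": ("B", ["reply_sent", "alice_waits"], {"NRO"}),
        "reply_sent":  ("C", ["done", "alice_waits"], {"NRO"}),
        "done":        ("A", ["done"], {"NRO", "NRR"}),
        # Without a TTP, Alice can only keep waiting.
        "alice_waits": ("A", ["alice_waits"], {"NRO"}),
    }
    if variant != "naive":
        # Recovery subprotocol: the TTP issues Alice a replacement receipt.
        game["ttp_recover"] = ("T", ["recovered"], {"NRO"})
        game["recovered"] = ("A", ["recovered"], {"NRO", "NRR"})
        if variant == "optimistic":
            # Resilient channel to the TTP: the request always arrives.
            game["alice_waits"] = ("A", ["ttp_recover"], {"NRO"})
        else:
            # The channel to the TTP is a coalition player and may drop forever.
            game["alice_waits"] = ("A", ["recover_req"], {"NRO"})
            game["recover_req"] = ("C", ["ttp_recover", "alice_waits"], {"NRO"})
    return game


def attractor(game, coalition, target):
    """States from which `coalition` has a strategy to eventually reach `target`."""
    win = set(target)
    changed = True
    while changed:
        changed = False
        for state, (owner, successors, _) in game.items():
            if state in win:
                continue
            assert successors, "every state needs a successor (use a self-loop)"
            hits = [nxt in win for nxt in successors]
            # Coalition states need one good move; all other states must be forced.
            forced = any(hits) if owner in coalition else all(hits)
            if forced:
                win.add(state)
                changed = True
    return win


def check_fairness_for_alice(game, init="start"):
    """Return (fair, unfair_states) for the property quoted in the text."""
    has_nrr = {s for s, (_, _, ev) in game.items() if "NRR" in ev}
    # Where Alice alone can still force her receipt (the TTP is deterministic).
    alice_can_finish = attractor(game, {"A"}, has_nrr)
    # Bob holds NRO while Alice has no strategy left to obtain NRR.
    unfair = {s for s, (_, _, ev) in game.items()
              if "NRO" in ev and s not in alice_can_finish}
    # Fair iff Bob together with the channels cannot force such a state.
    coalition_wins = attractor(game, {"B", "C"}, unfair)
    return init not in coalition_wins, unfair


if __name__ == "__main__":
    for name in VARIANTS:
        fair, unfair = check_fairness_for_alice(build_game(name))
        print(f"{name}: fair={fair} unfair_states={sorted(unfair)}")
```

The third variant shows why the channels are players: the same recovery subprotocol stops protecting Alice once the channel to the TTP may side with Bob.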

51) Carlo Regazzoni

University of Genova

From 3G surveillance systems to personalized global security environments

Carlo Regazzoni, Lucio Marcenaro
Dept. of Biophysical and Electronic Engineering, University of Genova, Genova, Italy
Contribution to Trust and Security consultation workshop
Genova, May 14, 2002.

Need

Trust by humans in automatic mechanisms increases with use and with familiarity. This statement is especially true when the underlying technology, the depositary of human trust, satisfies a set of minimal requirements that are related to different factors. In this sense, security is one of the main factors that can influence trust in a given technology.

Trust in the use of a technology by a single person is by itself a complex problem. An additional element of complexity arises when either the use of a technological tool or service is shared, completely or in part, with others, or the communications needed to control the technological tool are public to a certain extent. For example, let us consider the case where one needs to obtain a certificate from an office. Bidirectional information exchange is needed to allow the task to be performed. The information passed can be characterized by different degrees of criticality: for example, the information about the type of certificate and the credit card number on which to charge office expenses are samples of exchanged information characterized by different criticality. A trade-off must be foreseen between the time necessary to secure the information and the level of security.

Risk-based sharing of information is part of life. The correct selection of different degrees of criticality in information sharing is part of each task of a natural living strategy. Nevertheless, the increased information exchange rate required, associated with the higher available bandwidth and information processing capability of current technology, imposes some constraints that are related to the perceived feeling of security: the higher the communication rate, the larger the amount of data transmitted or the shorter the time within which critical decisions can be taken. Due to the limitations of technology users, like humans, as information processing machines, the necessity arises to overcome the limitations of current technology in providing the required adaptive security levels for different types of tasks and contexts.


Relevance

Ensuring security in all actions that concern the processing of signals and information within mobile and fixed computer and communication networks is more and more important, as generic high-rate data transmission has made it possible to transmit every type of information everywhere in a few seconds. The problem of keeping a high level of confidence in such information can concern everyone in most actions of his life.

Description

The problem of security when producing new information by signal processing tasks is often solved by establishing written procedures or, sometimes, simply generally agreed procedures. Security procedures are often used not only as a means to increase security but also as a means to increase trust in a given tool or service. Security procedures can be invasive in the sense that, for example, they can violate privacy. However, in many contexts privacy violation is eliminated by an agreement between the parties on the levels of availability of the different types of information exchanged. For example, after September 11 security procedures at airports have required a re-balance of privacy vs security by a re-definition of procedures; in that case the procedures must be accepted by users if they want to get access to the airport service.

Moreover, security procedures can change depending on the way a technological tool is used when producing new information by processing available signals; in particular, the change can depend on the value of the information produced by the service. The added informative value of the service can be objective, i.e. recognized by a very large community (e.g. exchange of money, goods, etc.), or subjective, i.e. recognized by the people exchanging information by means of the service and by a restricted additional number of people not sharing the tool at that moment (e.g. an exchange of verbal information can often be relevant for the people talking and for a few others, as can the signals associated with such an exchange).

The problem of assessing a level of security sufficient to allow people to trust the service or the technological tool they are using for exchanging digital signals is a difficult one, especially because of its subjective aspects. Trust and confidence in a technology can be influenced by several aspects, not the least being ignorance of the physical and technological principles on which the technological tool is based. In a wide open market, we cannot expect that all people using the technology have either a clear technological knowledge that allows them to establish the objective security level of a service, or the time to check whether high-level security procedures for a signal communication are followed. Therefore, it is necessary to provide the user with a security feeling.

One way in which such a security feeling can be communicated is to allow users to have access to information about the context in which such signals have been produced (if they feel it is necessary). In other words, the goal can be to assure the user that commonly accepted and coded behaviors have been followed by most actors of the context in which the signal has been produced. Such a feeling should be perceivable by all actors respecting the context rules which require such additional security information.

A possible way to allow actors to perceive the context in which signals have been generated is to charge a trusted system with controlling transactions between actors in the secure domain. However, attention must be paid not to make such “authentication” systems too invasive with respect to privacy.

As an authentication tool should first aim at keeping track of situations occurring in a given context and making them accessible to remote users, one must be aware when he enters that context. In fact, on entering the new environment, signals can be recorded that concern information generated by himself (so potentially violating his privacy at different levels) in order to globally increase the feeling of security.

Scale and ambition / Extent of integration

When dealing with such problems within a research program the necessity arises:

- to identify technological tools or services for which an increase of the security feeling is required;
- in case such tools or services are composed of simpler ones, to define how simple secure technological tools can be combined to build up a complex secure technological tool (or service).

The spatial extent of a technological tool or service can be used to index research sub-programs within a FP6 EU program: local area, wide area, etc. secure systems can be addressed as separate research domains at different spatial scales in which either simple or complex secure technological services are used.

A key aspect of the research will be to increase the security feeling; from the above considerations, we can say that authentication ambient intelligence (AmI) systems can play an important role because of their capability of making available, to users that require it, information about the context under which received signals have been generated. This side information can contribute to increasing the level of confidence associated with received signals.

Due to the extent of the problem, which implies the necessity to develop different types of authentication ambient intelligence systems (e.g. for communications, for local site and wide area monitoring, etc.), the research must have a European dimension and must be interdisciplinary in its nature. However, some disciplines will have a larger importance, and research in those areas can be expected to have a larger impact on the development of this kind of system. Digital signal processing and data fusion are examples of such disciplines, as it can be expected that on-line analysis and distributed recording of events occurring within AmI systems will be based on signals acquired by multiple sensors and processed within computer and communication networks. In this sense, there exist in Europe many experiences and excellence centers whose resources and skills can be directed towards the development of the basic tools necessary for developing a diffuse structure of authentication AmI systems. Clearly, the European community can greatly benefit from the development of such tools, both in terms of society organization / security feeling and in terms of gained competitiveness.

As an example of an EoI for a network of excellence that is going to be presented we can mention the EoI called “Methods for Image and Video Processing in Ambient Intelligence applications” (MIVAI), coordinated by Univ. of Trieste and including a number of research centers and industries around Europe. Other examples can be a project under negotiation that can constitute the core of similar activities in a mobile authentication AmI system perspective, like project INMOVE coordinated by VTT, Finland, as well as new excellence networks in the video surveillance field, for which high-level competencies exist throughout Europe.

52) Silvia Renteria Bilbao

Fundacion Robotiker

EXPRESSIONS OF INTEREST TO IDENTIFY RESEARCH ACTIONS READY FOR SPECIFIC PROGRAMME TOPICS AS A BASIS FOR THE PREPARATION OF WORK PROGRAMMES FOR THE 6TH FRAMEWORK PROGRAMME FOR RESEARCH

GURU
Global secUrity ceRtification Universal system

INTEGRATED PROJECTS

Sub-Thematic Priority :

SUMMARY OF THE PROPOSED RESEARCH ACTION (Approx. 1/2 to 2/3 of a page)

Rationale for Research Action → why necessary (see footnote 7)

At the moment all kinds of private information are distributed among different sites, and access to it is conditioned by the user's location and granted on a per-service basis. Thus we have several credit cards for payment, various identification documents (passport, ID card, driving license, etc.), other cards for accessing our public or private healthcare system, another one for entering our company premises, etc.

This kind of information is too sensitive to be stored in global systems. It is difficult to grant access to specific pieces of information to specific people or systems. Each organisation uses different systems for storing information and giving access privileges to it. Users don't share it because they are not confident that the law on data privacy is fulfilled. Moreover, they don't know who will be able to use the information and with which intention.

This mistrust in sharing information leads to poor expansion of information technologies and affects all the development fields of the European Union: administration, healthcare, industry, security, services, society, etc. As stated in the results of the IPTS Futures Project, “Trust, security and personal privacy could be barriers to growth”.

→ leading to key ambitions

Therefore it is essential to strengthen the use of information systems, avoiding the fear of private information theft and fraudulent use of it. Public trust must be built, and it is necessary to offer a better way to share sensitive information among users and organisations without the threat of losing either control or information ownership.

Footnote 7: Providing the justification and rationale of the proposed research involves answering the question of why the research should be done. Why should subjects have to pay the price of being involved in your research? For example, a proposed research would presumably be justified if it seemed likely that it would help to resolve a significant societal/global problem or has a direct impact on European industrial competitiveness. It would not be justified by reason of the fact that you were simply interested in the question being researched.

The privacy, confidentiality, security and integrity of sensitive information must be preserved, along with the capability of sharing it with whom you want and in the way you want. The use of private information by third parties should be traced to verify that all conditions are met. Improving the security of distributed data will also encourage the mobility of people and companies among the countries using the system.

Objectives → in support of ambitions

The objective of this Integrated Project is the development of a Global Security Certification Universal System that allows controlled access to private information in a universal way. The system must be generic enough to be adapted to all the different peculiarities that exist in present and future organisations. All the security standards, certificates, legislation, etc. existing in each participating country must be taken into account and be controlled by the system. Anonymity must be preserved when needed. All the uses made of the private information must be logged in a secure way so that fraudulent use can be traced and prosecuted. The system must be applicable to all the different fields of the European Union: industry, commerce, services, administration, finances, law, society, healthcare, education, research, security, safety, leisure, etc.

General Approach → to achieve objectives

The development of this project must undertake several stages:
- Survey of all the organisations involved in the use, storage, access and management of sensitive information.
- Study of their needs regarding kind of information, processes involved, security requirements, protection types, identification, authentication, encryption, etc.
- Participation in and promotion of the establishment of standards and regulations at international level.
- Development of systems, tools, environments, techniques and methodologies.
- Development of a migration methodology for existing systems.
- Start-up of a pilot project introducing the new system in several representative organisations.
- Results dissemination and support tasks for the formal adoption of the system by other organisations.

The system will be based on a standardised registry containing all kinds of sensitive information categories. It must be able to atomise the type of information to be protected, ranging from general common data (identification, economic data, etc.) to information particular to companies, associations, individuals, etc. This registry will be something similar to the ones used by some computer operating systems for collecting all the information needed for the execution of applications.

Once all the information levels are organised following this philosophy, access to the information will be granted using a profile crossing between the profile of the information’s owner and the profile of the person or organisation that wants to access the information. Using this approach, the owner of any sensitive information can define who (which profile) can access each atomised piece of information. On the other hand, the one wanting to access sensitive information must identify himself as a valid profile for that information.

A very simple illustrative example:


Person A defines in his/her sensitive information registry that his/her medical data can be read only by doctors. Another person B (identified as a doctor in his own registry) could access that information if necessary. The system should be able to collect the referee number of the doctor accessing the information and trace the use he makes of it.
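The profile crossing and the traced access described above, as an added Python example that is not part of the original contribution. The names `Holder`, `AuditLog` and `request_access`, the SHA-256 hash chain used to make the access log tamper-evident, and the registration number `REG-0001` are assumptions made for this example; requester profiles are assumed to have been certified beforehand.

```python
import hashlib
import json
from dataclasses import dataclass, field

GENESIS = "0" * 64  # "previous hash" of the first log entry


@dataclass
class Holder:
    """One registry: the holder's certified profiles and the data they own."""
    name: str
    # profile -> professional registration number (the text's "referee number")
    profiles: dict = field(default_factory=dict)
    # atomised category -> (value, profiles the owner allows to read it)
    items: dict = field(default_factory=dict)

    def protect(self, category, value, allowed_profiles):
        self.items[category] = (value, frozenset(allowed_profiles))


class AuditLog:
    """Append-only log in which every entry commits to the one before it."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(record, prev):
        payload = json.dumps(record, sort_keys=True) + prev
        return hashlib.sha256(payload.encode()).hexdigest()

    def append(self, record):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        self.entries.append({"record": record, "prev": prev,
                             "hash": self._digest(record, prev)})

    def verify(self):
        """Return the index of the first inconsistent entry, or -1 if none."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            expected = self._digest(entry["record"], prev)
            if entry["prev"] != prev or entry["hash"] != expected:
                return i
            prev = entry["hash"]
        return -1


def request_access(owner, requester, category, purpose, log):
    """Grant access only if the requester holds a profile the owner allowed.

    Categories the owner never registered are denied by default, and every
    attempt (granted or denied) is written to the log.
    """
    value, allowed = owner.items.get(category, (None, frozenset()))
    matching = sorted(allowed.intersection(requester.profiles))
    granted = bool(matching)
    log.append({
        "owner": owner.name,
        "requester": requester.name,
        "category": category,
        "purpose": purpose,
        "profile": matching[0] if granted else None,
        "registration": requester.profiles[matching[0]] if granted else None,
        "granted": granted,
    })
    return value if granted else None


def demo():
    # Constructed sample data for persons A and B from the text.
    a = Holder("A")
    a.protect("medical", "blood group 0+", {"doctor"})
    a.protect("financial", "account ending 1234", {"tax_inspector"})
    b = Holder("B", profiles={"doctor": "REG-0001"})

    log = AuditLog()
    medical = request_access(a, b, "medical", "consultation", log)
    financial = request_access(a, b, "financial", "unspecified", log)
    academic = request_access(a, b, "academic", "unspecified", log)
    before = log.verify()

    # Simulated tampering: rewrite a denied attempt as if it had been granted.
    log.entries[1]["record"]["granted"] = True
    after = log.verify()
    return medical, financial, academic, before, after


if __name__ == "__main__":
    print(demo())
```

The chain exposes in-place edits only while the most recent hash is also held somewhere the log keeper cannot rewrite; otherwise the whole chain can be recomputed after a change.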

[Figure: labels Financial Data, Economic Data, Academic Data, Medical Data; INTERNET; Doctor, Tax Inspector, Commerce, Teacher, Vendor, Data Owner]

Justification → of approach methodology

NEED AND RELEVANCE (Approx. 1 & 1/2 to 2 pages)

Background to Research Area → brief state of the art to support objectives
- Existing standards
- Tools: encryption, digital signature, digital certificates, smart cards, biometric recognition
- Legislation
- Projects related to distributed security (EU-wide healthcare card by 2005, others)

Economic and social position → problems and benefits → to support objectives

Need → for multidisciplinary European mobilisation → in support of objectives

Justification → resultant benefits of IP through achieving ambitions and objectives → benefits are scientific, social, economic, political, environmental, etc. → also coherence, training, reduced dependence, etc.

Relevance → to thematic areas of call

(NEED & RELEVANCE: How the proposed research activities contribute to realising the objectives of a priority thematic area and why it requires a European mobilisation of activities and resources through the means of an Integrated Project.)


SCALE OF AMBITION, CRITICAL MASS AND INTEGRATION (Approx. 2 & 1/2 to 3 pages)

Objectives → in support of ambitions
Workprogramme → overview of planned structure and why → essential task elements, R&D, demonstration, training, dissemination, management, etc. (note 8)
Structure → multidisciplinary shape of the IP
Innovation → what’s new & why necessary
Justification of approach → including timeframes
Justification of critical mass → minimum and maximum with respect to workprogramme → with respect to European excellence
Feasibility of critical mass → including documentation of key partners (note 9)
Additional partner requirements → including list of names in Annex
Roles of key partners → description, justification and benefits of key roles

The different roles needed for this project are the following ones:
- Certification and standardisation organisations
- Software developers specialised in security systems over open environments
- Hardware developers specialised in smart cards and biometric identification systems
- Security experts and consultants
- Jurists specialised in information systems and related law
- Final users from different fields: industry, services, commerce, education, healthcare (public and/or private), government (administration, law, security)

(SCALE OF AMBITION & CRITICAL MASS: Suitably ambitious objectives, particularly in terms of their strategic impact on reinforcing competitiveness or on solving societal problems. Description of the strategic importance to Europe of the research activities proposed, including a justification of the timeliness of the research activities for the implementation of the Integrated Project and the critical mass in Europe needed to achieve it; demonstration of how the Integrated Project would enhance European excellence in terms of major scientific and technological advances and new knowledge.

INTEGRATION: An adequate description of the necessary integration activities (research and, as appropriate, technological development, demonstration, and training) as well as of resources needed to achieve the objectives. Description of all activities needed to achieve the objectives (research and technological development, innovation related activities, including demonstration, training and any other actions needed) plus readiness and availability of the scientific and technological excellence, multidisciplinary skills; a list of the leading industrial and academic European research centres and other major envisaged participants, together with a very short description of their potential role.)

ANNEX: ADDITIONAL PARTNER INFORMATION
Remaining partners already acquired → Names and details.
Potential partners required → List of names
Next tasks

Note 8: A detailed workprogramme is not required. Rather a summary of the workprogramme areas and typical tasks. (i.e. further detailed research into the role of “widgets” in modifying “transmogrification” in parallel with task group two who will develop the ethical issues of such application.)

Note 9: Each partner description should include one sentence describing them and maximum two sentences giving a short description of their potential role. No more is necessary at this stage. If you already have more than 10 partners lined up, detail the primary management core in the text (say 5 or 6) and detail the rest in an annex.

53) Michael Rigby

Keele University

Centre for Health Planning and Management, Keele University, United Kingdom

Observations on Trust and Security

There are two aspects to Trust and Security –
1. Trust in the integrity and security of the technology of communication and processing.
2. Trust in the accuracy and integrity of the data, and of the remote party.

Most research, understandably, has focused on the technology. Without this the data cannot travel, and information-based services cannot be enabled. But it is inappropriate to ignore the data, and the changed behaviour (beneficial and malicious) of those who adopt it. The technology itself is unintelligent and neutral – it can convey fraudulent information as effectively as any more positive kind. Whilst the creators of new technologies cannot be held responsible for society in general, it is important to ensure that appropriate checks and balances are developed alongside new technologies in order to minimise misuse – particularly where that cannot easily be detected by the citizen.

Rightly, current EU policy priorities include Protection of the Citizen and Consumer, as well as promotion of the Information Society. It is important to develop the content and use trust and integrity of information technologies alongside the technological aspects, for two reasons – one, the moral duty of social responsibility in science, and the other the commercial advantage for Europe in having effective advanced trust measures.

A European Commission Fourth Framework project in the health sector – TEAC-Health (Towards European Accreditation of Health Informatics Services) – produced strategic findings that are generic [1-4]. It identified three types of informatics service, all currently open to abuse which could seriously undermine the otherwise major benefits:
- Software and related services: There is currently no guarantee that the design of software is appropriate for purpose, nor that products perform as promised. Redress is limited and complex, as product liability laws are difficult to apply.
- Telemedicine and similar Tele-Services: Though bringing many potential advantages, these services can be abused by impersonation, false claims of competence, fraud, and misuse of personal data, whether web-based or using point-to-point technology.
- Internet Sites: There is no guarantee of the authenticity of Internet-based information, nor of the identity or integrity of site owners. Numerous attempts at voluntary codes of conduct indicate the size of the problem, but also the futility of a purely voluntary approach. The problem continues to be identified internationally [5].

The TEAC study identified potential solutions, largely based on approaches and concepts already well-developed in Europe. These include:
- Labelling: following development of definitions of standard information, and making its provision and accuracy a legal requirement.
- CE Marking: could readily be extended to many of these fields.
- Third Party Seals: would confirm compliance with defined Codes of Conduct; the proposal is for an internationally recognised EuroSeal system using CE Marking principles.
- Codes of Conduct: would define trade association and consumer special interest group expectations, enabling special interests and vulnerable groups to define voluntary standards in a way that would protect their integrity through the EuroSeal proposal by guarding against false claims.

The TEAC project was a feasibility study – it showed a need, and suggested outlines of solutions which would benefit the European consumer and commerce. It would form a strong framework to build upon in Framework 6.

NEED AND RELEVANCE: Trust in informatics applications continues to be a growing anxiety, increasing as the Information Society increases. It is an unmet need in Europe, but one where Europe also has the chance to set a global lead.

EXCELLENCE: The TEAC team was small, but the work widely acclaimed and published. There is thus a nucleus to build on in applied projects in Framework 6, either to develop the proposals, or to contribute to other suitable projects.

INTEGRATION AND STRUCTURING EFFECT: The need, and the possible solutions, are pan-European. By virtue of the fact that ICT services cross national boundaries, so European solutions are needed.

Summary

However trusted the ICT technologies, the citizen is only protected, and feels safe, if there are means of supporting trust and security regarding the information accuracy and integrity, and the authenticity and integrity of the service providers. Experience from a strategic analysis project gives a set of findings ideally placed to make an impact in a future integrated project, and drawing upon the experience gained by key participants.

Michael Rigby, Senior Lecturer ([email protected])

References
1. Project site: www.multimedica.com/TEAC.
2. Forsström J, Rigby M, Roberts R, Nilssen S-I, Wyatt J, Beier B, Delfosse I. Towards Evaluation and Certification of Telematics Services for Health (TEAC-Health) - Key Recommendations (Final Report of the EU Health Telematics Application Programme project HC 4101, Towards European Accreditation and Certification in Health (TEAC-Health)); University of Turku, Turku, 1999.
3. Forsström J, Rigby M. TEAC-Health – Research-based Recommendations for European Certification of Health Telematics Services; in Hasman A, et al: Medical Infobahn for Europe: Proceedings of MIE2000 and GMDS2000, IOS Press, Amsterdam, 2000.
4. Rigby M, Forsström J, Roberts R, Wyatt J. Verifying Quality and Safety in Health Informatics Services; British Medical Journal, 323, 7312, 552-556, 2001.
5. Eysenbach G, Powell J, Kuss O, Eunryoung S. Empirical studies assessing the quality of health information for consumers on the World Wide Web: A systematic review, Journal of the American Medical Association, 2002; 287: 2691-2700.

54) Peter Ryan

University of Newcastle

The Dynamics of Trust

Position statement for the Trust and Security Consultation Meeting, 30 May 2002, Brussels.
P Y A Ryan, CSR, University of Newcastle.
Draft 10 May 2002

Whilst it is clear that information plays an increasingly ubiquitous and critical role in our lives, we should note that raw information is of little value. We need to trust the mechanisms and processes that create, store and process information. Trust is itself a valuable commodity, an essential part of the very fabric of society. However, the concept of trust, how it is created, transformed and how it evolves remains poorly understood.

We must distinguish between trustworthy and trusted. A system may be trusted yet not trustworthy or vice versa. Ideally our systems should be both trustworthy and trusted. In principle we understand how to construct and evaluate trustworthy systems. The challenge that remains is how to instil and maintain trust in complex, critical systems.

Trust is multi-faceted: you might, for example, trust a principal to be honest or to be competent but not necessarily both. It involves human psychology and cannot be defined or established by purely technical means, though these contribute. It necessarily involves social and legal processes.

Trust is not a binary or static notion. The decision whether or not to buy a book through Amazon depends on an evaluation of the relative risks of having one’s credit card number stolen balanced against the benefits of cost and convenience. How humans evaluate such risks and balance them against benefits is typically highly informal and often faulty. The most persuasive argument is probably the fact that the customer won’t be held liable for losses. Thus insurance and shifting liability often act as a surrogate for trust.

Levels of trust typically evolve. One might start with a very hesitant trust in internet shopping but increase levels of confidence as one’s history of successful “shopping experiences” builds up. Of course one bad experience and trust plummets. Thus people act roughly as Bayesian processes with an initial, hesitant level of confidence which is updated in the light of experience. Behaviour may evolve accordingly. You might make more extravagant purchases as your confidence increases and even be prepared to lighten your security mechanisms as your estimate of threats decreases. This suggests that systems should be designed to allow reconfiguration of defensive postures.

A further complication is that most systems of interest will be open and dynamic. The set of users and environment will not be definable a priori. Technologies and requirements will evolve in unpredictable ways. New threats will emerge. Trust and behaviour patterns will evolve in a coupled dynamics.

Generalising further we observe that we are in the realms of nonzero-sum, partial knowledge game theory. Typically we are faced with adversaries who are seeking to undermine a system’s security, erode or exploit trust. A really sophisticated adversary might allow trust to increase, defences and alertness to decrease and then spring at an optimal moment.

In summary, we are a long way from understanding the dynamics of trust. Given the ingredients of human psychology and game theory it is unlikely that we will ever identify the “equations of motion” for trust. However we can perhaps hope to gain a better understanding of the factors that influence the evolution of trust. We can for example design systems to contain the impact of security failures so ensuring that trust is less volatile.

We should also recognise that most failures of “secure” systems are actually due to non-technical aspects: “social engineering”, poorly chosen passwords, failure to install patches etc. Often technical solutions are sought to such problems but these are typically ineffective or simply introduce new problems. It is essential therefore to understand which aspects of security are best addressed using technical mechanisms and which are better addressed using socio-technical. Some security requirements appear to involve semantic considerations that are not reducible to the purely syntactic constraints on access to information and resources. Typically such threats are associated with “insider” activities, though we should note that the notion of insider is often very fuzzy.

Another departure from the traditional approaches is the move away from the notion of absolute security. Absolute security is now widely recognised as not feasible. Security must be cost-effective, countermeasures should balance credible threats. Furthermore, security must not be imposed at the cost of system usability. If the security controls render the system unusable it will either not be used or considerable effort and ingenuity will be invested by the users in by-passing the controls. Security mechanisms should therefore be, as far as possible, transparent to the users. Of course this too involves compromises, for example, single sign-on can introduce vulnerabilities, as can the need to balance entropy with memorability of passwords. In short, security must work for and with the users, not against them.

Trust ultimately depends on evidence. Such evidence can take many forms: experience, recommendation or various styles of argument. In the context of security we have the ITSEC, the Common Criteria etc but by and large these have had little impact. Evaluations conducted under them are regarded as expensive, protracted and to have little credibility. This suggests that we need to understand better what forms of evidence would be regarded as convincing to various stakeholders and how trust evolves in the light of experience. Perhaps we should be striving to construct security arguments, analogous to safety arguments. Indeed there is much to be learnt from the safety/dependability community.

In the DIRC programme, http://www.dirc.org.uk/, we are specifically aiming to address both the socio-technical and technical aspects of dependable systems. In particular, a newly started work package within DIRC is addressing trust and security from an interdisciplinary point of view.

55) Matteo Mario Savino

Unisannio

NEW TRACEABILITY TECHNIQUES BY AUTOMATION AND PROCESS SUPERVISORY IN WINEMAKING AND OLIVE OIL PRODUCTION AND LOGISTICS PROCESSES

Agroindustrial organisations, also with respect to Vision 2000 certification, are interested in guaranteeing the traceability of their products along the entire production and logistic chain. A traceability system in the agroindustrial area is intrinsically complex due to the complexity of the production process itself and to the wide distribution and correlations of the different production phases. In fact, each production phase has related features and data on the semi-finished product that can be of relevant importance for the next phase, and are strictly dependent on the production data of the previous phases.

The research has three main objectives:
- The realisation of an automated system aimed at the supervision and control of the production process in winemaking and olive oil production;
- Realising transfer technology methodologies able to define and correlate information related to each production phase, with devices useful for determining the parameters of relevance on the production line;
- Obtaining a traceability system with the following objectives:

To relate the production data to the process traceability. For this feature, in the winemaking area the research will be focused on the analytic process sensor for those molecules of relevance for the process, while in olive oil the biosensor technology will be applied to the biocatalytic techniques.

The second objective addresses the task of realising a data structure and network distributed software able to trace the logistic chain of each product after it leaves the production plant.

The proposed research work will involve two universities and, at the beginning, five wine firms and three olive oil firms. The test of the prototype realised will involve nine wine firms and four olive oil firms.


We think that, in spite of the common European quality regulations (Vision 2000), the result of this research will be used by most of the European Community. In our forecasts we think that it could be a standard to guarantee traceability in wine and olive oil production that can be proposed to most EU and non-EU firms.

Matteo Mario Savino

56) Peter Schoo

Docomolab-euro

Security Related Research Issues in Systems Beyond 3G

Peter Schoo [email protected]
DoCoMo Euro-Labs, Munich

Project: Workshop on Trust & Security, Brussels, 020530
Version: V1.0
Status of document version: final

The focal point of interest for DoCoMo Euro-Labs is research on systems beyond 3G (B3G), especially adequate security technology on the network level as well as application layer security (ALS) suitable for the new generation of mobile communication system.

The ITU-R WP8F has started to discuss the technical requirements of 4th Generation mobile communication services and systems B3G. Based on this impulse the World Radio Conference (WRC) will decide on starting the standardisation of the new air interface in 2003 - 2006, aiming with 4G for 50–100 Mbps deployable ~2010. This ITU-R vision encompasses the idea of "Optimally Connected Anywhere, Anytime" that shall result in seamless networks including a variety of interworking access systems, which are available already today. Such integration and interworking of heterogeneous network technologies not only motivate the development of appropriate security mechanisms for the 4G air interface, but also set requirements for security mechanisms that shall establish the necessary trust and confidence demanded by users, service providers and network operators despite the heterogeneous network technologies.

Further trends for systems B3G arise from
- Software Defined Radio (SDR) and secure download systems
- Migration from IPv4 to IPv6
- Increased collaboration among network operators, and, last but not least,
- An increasing openness to 3rd party service providers

Inherent Research Issues

The heterogeneity in systems B3G on the network side, the trends in terminal development and the increased openness for 3rd party service providers will impact the future research activities. The major issues for such activities are outlined in the following.

The Network Side

Mix of Layer 2 and Layer 3 security mechanisms: Security mechanisms are technology specific. Some wireless access network technologies have defined their own mechanisms, like WiFi or Bluetooth. Others are yet open as in the case of the new 4G air interface.


The consequence of the heterogeneity, however, can only be to resolve the required security assertions on an appropriate level, i.e. L3. This may, in turn, mean that the L2 mechanisms influence the performance too strongly. A well-balanced mix is required, suitable also for the authentication and the integrity mechanisms in the air link in fast handovers.

Initial access: Traditionally there’s no access given to a mobile terminal that finds a new access network, as the usage of communication resources shall of course be charged appropriately. However, it cannot be excluded that this schema might change. Based on requirements for handovers between heterogeneous access network technologies that shall be considerably fast, it might well be considered to grant free access for a short period. In this short period it should be achievable to check the authentication or authorisation of the user.

Mapping authentication and authorisation in legacy systems: When systems B3G shall enable the integration of existing network technologies, then it is necessary to find an appropriate mapping of the authentication and authorisation mechanisms that are already in place. Example: GSM authorises the user against the network, whereas UMTS AKA suggests a mutual authentication. In case of handovers from GSM to UMTS is the same level of trust maintained?

Trust amongst network operators in handovers: When considering handover mechanisms this can go beyond the scope of inter-technology handovers. The selection of links according to the ABC (always best connected) concept can also involve the handover from one network operator domain to another network operator domain. The design goals of security mechanisms supporting such inter-domain handovers factor by the square the complexity. This is however a mid term research topic.

Preventive measures to secure network component: From a functional point of view the future networks will be enhanced by mobility management, QoS support and session control. There's no doubt that internally the network operators have to be prepared to protect their software processes appropriately, since they commit to their customers the reliability and availability of their network and application services. However, at the current point in time, there's no clear line telling how for example routers, routing information or QoS data can be protected in an effective and efficient manner.

The Terminal Side

Future mobile terminals will especially be influenced by the current trends in SDR technology, which shall enable updates and reconfigurations of the terminal residential software. It supports not only application-specific software (browser plug-ins) or the runtime environment (like MExE), but also the software for the base band signalling processing. Main requirements relate to
- secure local wireless communications and into the network
- secure application environments on the terminal and application integrity
- secure access to programs, information and services, and
- secure downloads for updates of base band signalling processing and applications.

IP on the terminal: The future networks will be all-IP based. Some proposals even suggest developing terminals with a full IP stack. This has consequences not only for the authorisation to use specific services, but also opens the door for all the vulnerabilities that are well known from the Internet.


Application Layer Security

In the future more applications with serious security requirements will come up, e.g. the classes of m-business or m-Commerce applications. Main questions of interest are
- what is the ALS support network operators should provide for such applications to service providers?
- is the technical suitability, the practical usability and market uptake of new standards in the UMTS Integrated Circuit Card (UICC) domain given, what is needed to complete it?
- the deployability in a network environment increasingly built on IPv6 and supporting to a higher extent mobility in access networks. How can service providers take benefit from this fact?

Required Research Activities

Required research activities have to result in sound practical guidelines for how to employ existing security mechanisms and new standards, if for interoperability reasons an international harmonisation is required or, in case of the new 4G air interface, a standard solution is missing. For these reasons test bed experiences in almost realistic environments should be exploited to drive the integration of security mechanisms within heterogeneous network technologies. This shall help to identify shortcomings of existing products and stimulate further developments.

Network technologies are evolving, terminal capabilities are yet a research field on their own, and the manifold ALS solutions depend highly on application specific requirements. Each of these fields has its dynamics and specifics not related to security issues. Therefore, the expertise of partners that carry out such research will have an important influence.

57) Luca Simoncini

University of Pisa

Trust & Security FP6 Consultation Workshop – Brussels, May 30, 2002

Contribution for discussion

Luca Simoncini, CNUCE-CNR and University of Pisa, Italy
Andrea Bondavalli, University of Florence, Italy

This document presents the results (adapted to the present situation) of the workshop on “Dependability in Information Society: future scenarios and R&D challenges”, held in Toulouse (F) on 13th–14th December 2001.

1. Main socio-economic drivers

The main drivers identified were:
- The competitiveness of the EU:
  - Several vital industries rely on dependability technologies for their competitiveness (e.g. automotive).
  - EU has some strong sectors in the ICT industries, sectors where dependability can be a key factor.
  - Advanced research and technology development can help in preventing the brain drain.
- The pervasive deployment of ICT, shaped by:


  - The diminishing costs of hardware, but with economic implications (e.g. total cost of ownership of systems).
  - The technology push in the hardware and software sectors.
  - The evolution of a global, trans-national, networked information infrastructure.
  - The complexity of applications, and the poor understanding of their interdependencies (and of the interdependencies with other systems and infrastructures or our society).
  - The exposure to new threats (e.g. cyber-crime) and the relevance of some consequences (e.g. privacy).
- The reaction of society and lay people to ICT:
  - Legal issues (e.g. data ownership) that affect the design and operation of systems and the treatment of failures.
  - Attitudes to dependability and risk perception.

2. Main technological challenges and problems

The following themes were identified as the main technological challenges:

Enlargement of the field of dependability
- Dependability of new applications and computing paradigms would require the use of dependability concepts and methods: the GRID, networked embedded systems, critical infrastructures, nomadic systems, peer-to-peer wireless, etc.
- Emergent issues for dependability, including:
  - Privacy and legal issues. Privacy needs to be related to dependability considering its implications in different legal contexts (within and outside the EU). Its scope is wider than dependability, and needs to be supported for the proper technical support. IPR and liability are issues relevant to risks and failures, and there is a need to bridge legal and technical matters.
  - Allocation of responsibility in complex engineering systems.
  - Consideration of the perception of risk, related to the acceptance of critical ICT.
  - Computer security incident handling and fault treatment in large-scale systems.
  - Quality-of-Service, and its interpretation in terms of dependability attributes.
  - Risk management for operators and users of ICT systems.

Interdisciplinarity
- It is fundamental for the whole life-cycle of systems, but it is not easy to foster. It could be difficult even among the different disciplines related to dependability (e.g. security vs. critical infrastructures, vs. fault tolerance), for reasons of commonality of and language.
- Systems have to be considered in their deployment context, and therefore there should be a close consideration of human, social, business aspects.
- There is an increasing demand for cost characterization and analysis and business justification of dependability engineering tasks.
- Standards related to dependability are relevant in different topics: open SW, dependable interfaces, etc. This has to consider all legal and business implications, including the enforcement of any regulation.

Reasoning about systems

The validation and evaluation of systems is a challenge for the diversity and novelty of applications (mobile, heterogeneous and embedded networked systems). Some topics are:

- Evaluation before deployment, validation as support to diverse engineering tasks, approaches to certification.
- Composability of dependability properties.
- Scalable verification of large-scale systems.
- Metrology (e.g. modeling and measurement of dependability attributes).
- Benchmarking for dependability characterization.
- Issues related to temporal behavior.

The understanding of complex systems:

- Failure and the problem of systems as nodes in networks.
- Cognitive complexity, and its implications for e.g. design diversity.
- Emergent critical properties.

Several applications present unavoidable uncertainties:

- The actual system is indeterminate, components and connections change.
- The interactions of systems with users and their context cannot be predicted: e.g. the usage patterns.

Critical infrastructures:

- The hardware and software systems parts of the information infrastructure interconnect other critical applications. Interdependencies are a key issue.
- Understanding the dependability of these systems in the context of the risks for other applications is fundamental.
- Effects in infrastructure can cascade and scale up.
- Local modeling is certainly insufficient. Failures and disturbances have to be comprehended in a wider context.

The engineering of dependability

- Rigorous design and validation of systems (one representative case being that of networked embedded systems).
- Human and organization aspects of systems, the allocation of responsibility.
- Quality-of-Service, and its relation with dependability attributes.
- Cost modeling, considering all dependability attributes and the whole system life-cycle.
- The management of dependability requirements.
- Design and development support: architectures, formal methods, dealing with intentional and accidental faults, etc.

Education, competency and culture

- There is a need to share resources between industry and academia for supporting a better education of dependability matters in universities.
- There is also a need to raise the awareness and general preparation of the general public with respect to dependability. People depend on ICT-based systems and they should understand the implications of this dependence and the associated risks.

3. How to proceed?

There was an agreement on the opportunities presented by the 6th R&D Framework Programme of the European Commission for the constitution of an integrated initiative on dependability. Although dependability has already been considered as a priority theme by the IST Advisory Group and in the plans for FP6, and there is a general perception of its importance in society and by policy makers, an initiative on
dependability will need to be well organized and defended to be successful. This initiative should be comprehensive, including all parties with an interest in the development of dependability technologies. Based on dependability as an overarching concept, the industrial and academic communities more traditionally concerned with dependability issues should try to develop a common initiative with other communities with related interests, namely critical infrastructures and trust and confidence.

Therefore, it is urgent to lead and manage the plans for constituting this initiative on dependability - mainly if several communities will be convoked, with representatives from industries and academia.

The initiative should be based on a clearly conceived R&D roadmap, including long-term research, applied research, and relevant actions in education and standardization. Industry should participate with an active role. RTD projects should be led by industrial concerns. There is a need to balance basic research and applied projects, conceptual and experimental research, training with dissemination of results. Existing projects and programmes, including the national ones, should be considered.

In the light of the 6th Framework Programme, there was no final standpoint on which mechanisms would be more adapted for the implementation of the initiative on dependability. Although several points were presented and discussed on the organizational structure that the initiative could take (both during its preparation and during its implementation), there was no common position. The first impression is that the initiative could take the form of an Integrated Project (which will be the initiative “programme”), correlated with several Networks of Excellence for specific themes.

4. Present status.

An accompanying measure called AMSD (Accompanying Measure on System Dependability – IST 2001-37553) has been approved by EEC and its starting date is June 1st, 2002.
The objectives of AMSD are:

- Achieve a high level synthesis of the results of the many on-going road-mapping activities related to various aspects of system dependability, identifying any gaps and overlaps, and hence produce an overall road-map for the subject of system dependability as a whole.
- Develop a detailed road-map, covering the various aspects of dependability for one particular class of system, namely dependable embedded systems, as a contribution both to the planning of research on embedded systems and, alongside road-maps being produced by other projects, to the development of the overall dependability road-map.
- Identify the appropriate constituents, and balance, of a possible wide-ranging Information Society Dependability Initiative (ISDI) within FP6, that will gain the widespread support of industry, governments and academia.
- Undertake constituency and consensus-building activities that will help to mobilise this support, and to maximise the likelihood of a successful outcome from such an Initiative.


[Figure: Interaction of problems. Recoverable labels: Ubiquit.; Massively deployed embedded; Transnat.; Infrastruct.; Privacy and individual issues; Classes of application; Requirements and policies; Meta data; Design and development support; Dealing with uncertainties; Cost modelling; Reasoning about systems; Standards; Evaluation, validation, certification; Understand. systems; Evidence about systems; Culture of Dependabil.; Classes of failures; Interdiscipl.; Legal issues; Dealing with failures; Education and competency]

[Figure: Proposed use of instruments. Recoverable labels: Roadmapping activities V FP; AMSD; RM2; ….; RMn; Joint Liaison Comm.; VI FP; Scientific Committee; Board of Trustees; Administration; P1; P2; Pn; Evaluation; Integrated Project; Basic research; Training; Education; Evaluation; Network(s) of Excellence]

58) David Sinclair

Dublin City University

“Trust and Security” in FP6

In order to build an electronic society in Europe we must build an electronic culture in Europe where the majority of citizens are comfortable taking part in electronic commerce (e-commerce). For this to happen each citizen must have confidence in the mechanisms used in e-commerce. This lack of confidence is a key factor in the relatively low up-take of e-commerce, particularly in the B2C (business to customer) arena. Participation in e-commerce in the B2B (business to business) arena is relatively higher than the B2C arena.

A major reason for the higher participation in e-commerce in the B2B arena compared to the B2C arena is that B2B applications are generally built upon existing business relationships. The electronic B2B application generally replaces an existing business relationship. In B2C applications there generally is no pre-existing business relationship. This leads to a lack of confidence on the part of the supplier and, particularly, the customer. Add to this a “horror story” where a customer’s experience of an e-commerce transaction is unsuccessful and not only do you have someone who is unwilling to engage in further e-commerce transactions but you also have someone who is likely to disseminate this bad experience to others. Confidence and trust are increased in small increments but lost in vast tracts.

In order to build an electronic society, I believe that within FP6 we should concentrate on the following three areas.

Techniques and tools for the design and development of mathematically proven systems.

In order to prevent “horror stories” we need to design systems that can be proven to have required properties. This will require the formal mathematical verification of the complete e-commerce system not just the cryptographic protocols used to establish secure communications channels and to authenticate users.
While significant work has been done in this area, none of the techniques and tools proposed to date can be used by the average software developer to design and verify industrial-sized systems. These tools either require expert knowledge of the tool and its underlying techniques (theorem provers and assistants), or are limited in the size of system that can be verified (model checkers). These tools need to be improved and merged in order to verify industrial-sized systems. In addition, these verification tools need to be integrated into a complete tool-supported design methodology.

Techniques and tools to enable correct implementation of verified systems.

Even if we can design verifiably correct systems, these will be of little practical use if these systems cannot be implemented correctly. In fact an incorrectly implemented verified design does immense damage to the public reputation of verified systems. If the design has been the product of a complete design methodology (including verification) then there is a greater probability that the system will be correctly implemented, but as long as humans are involved in the implementation there is a chance that the system will be incorrectly implemented. This leaves us with several possibilities:

Automatic generation of code from the verified design.
A very difficult task, but one which is achievable in restricted environments such as the generation of code to implement a verified cryptographic protocol using a small set of operations.

An implementation that is a proven refinement of the verified design.
Given a verified design, this involves the successive refinement of the design from the “design language” to an “implementation language”. While this alternative is academically attractive (having a substantial body of theory) and allows a design to move from a language suitable for design to a language suitable for implementation in a safe and provably correct manner, this technique requires the user to discharge several proof obligations at each refinement. Without proper, user-centred, tool support this approach will not experience significant up-take by practicing software developers.

An automatically generated monitor that throws an exception when an implementation violates a verified design.
A formally verified design provides a definition of the correct observable behaviour of the system. A monitor process automatically generated from this verified design will monitor the implementation produced by the developer and notify the developer if the implementation performed an action that is not consistent with the verified design. This does not guarantee that an implementation will correctly implement a design but it will prevent an implementation from invalidating the properties of a verified design.

Lots of successful demonstrator projects throughout the European Community.

The best way to build trust and confidence in the general public is to have many successful, and hopefully high profile, demonstrator projects. The more the general public successfully uses e-commerce applications the more confidence and trust they will have in e-commerce in general. In many ways the life cycle of e-commerce mirrors that of credit cards.
In the early days there was much skepticism of credit cards by both the supplier and the customer. Many of the same concerns and fears were voiced. The more a credit card holder used their credit card the more confidence they had in them and their concerns over the security issues relating to credit cards lessened. The more people that used credit cards the more confidence this instilled in the rest of the public. The more people that used them the greater became the market for a supplier to exploit. I believe the same life cycle will occur for e-commerce. Therefore we need many successful demonstrator projects throughout the European Community. One of the greatest tools for introducing the general public to e-commerce is successful online bookstores such as Amazon.com.

In summary, in order to promote an e-culture throughout Europe we must build confidence in the use of e-commerce by the general public. This means that we must have many provably correct and correctly implemented demonstrator projects. This requires us to focus on methodologies, techniques and tools for designing provably correct systems that are correctly implemented. Each successful e-commerce transaction is a small but valuable step in building confidence in e-commerce. Each unsuccessful e-commerce transaction is a large step in undermining confidence in e-commerce. “Two steps forward and one step back” will not advance the cause of e-commerce and an e-society. We must have provably correct designs that are faithfully implemented.

Dr. David Sinclair, Centre for Secure Distributed Systems, School of Computer Applications, Dublin City University, Glasnevin, Dublin 9, Ireland.
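
The third possibility in David Sinclair's contribution above, a monitor generated from a verified design, shown as an added Python example that is not part of the original contribution. The order-handling design, its state and action names, and the `OrderService` class are constructed for illustration, and the design is simply assumed to have been verified.

```python
import functools


class DesignViolation(Exception):
    """The implementation attempted an action the design forbids."""


# Constructed design for one B2C order, as a labelled transition system:
# state -> {action: next_state}. Assumed to be the verified artefact, with
# the property "goods are never shipped before payment is authorised".
ORDER_DESIGN = {
    "initial": "cart",
    "transitions": {
        "cart": {"add_item": "cart", "authorize_payment": "paid"},
        "paid": {"ship": "shipped", "refund": "refunded"},
        "shipped": {"refund": "refunded"},
        "refunded": {},
    },
}


def generate_monitor(design):
    """Build a class decorator that enforces `design` on each action."""
    transitions = design["transitions"]
    actions = {name for moves in transitions.values() for name in moves}

    def guard(name, method):
        @functools.wraps(method)
        def checked(self, *args, **kwargs):
            allowed = transitions[self._monitor_state]
            if name not in allowed:
                # Raise before the body runs so the action never takes effect.
                raise DesignViolation(
                    f"{name!r} not permitted in state {self._monitor_state!r}; "
                    f"design allows {sorted(allowed)}")
            result = method(self, *args, **kwargs)
            self._monitor_state = allowed[name]  # advance on success only
            return result
        return checked

    def decorate(cls):
        missing = actions - set(vars(cls))
        if missing:
            raise TypeError(f"implementation lacks {sorted(missing)}")
        for name in actions:
            setattr(cls, name, guard(name, vars(cls)[name]))
        cls._monitor_state = design["initial"]  # per-instance once advanced
        return cls
    return decorate


@generate_monitor(ORDER_DESIGN)
class OrderService:
    """Hypothetical hand-written implementation with an ordering defect."""

    def __init__(self):
        self.items, self.events = [], []

    def add_item(self, sku="book-1"): self.items.append(sku)
    def authorize_payment(self): self.events.append("payment authorised")
    def ship(self): self.events.append("goods dispatched")
    def refund(self): self.events.append("payment refunded")

    def express_checkout(self, sku="book-1"):
        # Defect: goods are dispatched before payment is authorised.
        self.add_item(sku)
        self.ship()
        self.authorize_payment()


def run_trace(*calls):
    """Run the named methods on a fresh order; return (state, events, error)."""
    order, error = OrderService(), None
    try:
        for call in calls:
            getattr(order, call)()
    except DesignViolation as exc:
        error = str(exc)
    return order._monitor_state, order.events, error
```

Running `run_trace("express_checkout")` stops at the premature `ship` call with the order still in state `cart` and no dispatch recorded, which is the sense in which the monitor protects the design's properties without proving the implementation correct.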

59) Sandra Steinbrecher

Dresden University of Technology

Contribution to the 'Workshop on Trust and Security Preparing the first Calls in FP6'
Sandra Steinbrecher, Dresden University of Technology, Germany; 14th May, 2002.

Human beings and institutions founded by them usually interact with each other in different contexts. E.g., a customer consults an insurance company to enter into a health insurance contract. Every interactor has a certain time- and context-specific expectation of the other interactors' behavior that might fit the other's behavior or not. This interaction needs ex- or implicit trust in each other that own expectations and the other's behavior are equivalent. In the real world this trust is a result of several factors (previous experience, recommendation, reputation, ...). E.g., the assurance company may only accept the customer's contract after a physician has examined her, and the customer might only consult this insurance company because of its reputation.

In the electronic world also an adequate level of trust between interactors has to be reached to realize interactions in which every interactor's behavior fits the other's expectation. Normally before an interaction both have to agree on the desired outcome. As confidence-building measures there must be mechanisms that allow to estimate an interactor's behavior beforehand as well as some that expose and punish willful misconduct of interactors afterwards. An interactor must be able to prove that he behaved correctly while he is not able to prove that if he did not. On the other hand an interactor must be able to prove that the other did not follow the agreement if he did not, but not if he did.

Also every interactor usually wants to protect a certain grade of his privacy. In the real world he can control the information he directly gives to persons/institutions about himself although there might be several indirect information flows.
In the electronic world by using common internet service providers, web browsers and e-mail clients, everyone leaves digital traces that form profiles of his personality if they are collected. And this collection of users' traces already is in full swing while many users are not aware of this. E.g., the customer looking for a health insurance usually does not tell everyone in the real world all the illnesses he ever had, but by filling in his profile in insurance calculators in the electronic world he enables at least the provider of the calculator to collect it.

Our vision of a privacy-enhancing identity and security management system in a trusted sphere, which is linked into a secure but privacy-friendly infrastructure for accessing on-line services, is as follows:

Users manage, through their identity management tool located in their trusted sphere, their multiple identities, the disclosure of their personal data, and the relationship and linkability between disclosed data. They are kept informed of their rights, of privacy policies and reputation of service providers, and on the implications of privacy choices. The interface of the tool is intuitive for users regardless of their level of experience or their knowledge of underlying technologies. Users can view and interact with their identity management tool through different fixed and portable devices that share privacy-relevant aspects of the user's 'digital life'.

The identity and security management infrastructure is widely adopted by Internet services. This allows them to offer acceptable levels of
privacy, while enforcing strong authentication and access control, and verifying certified attributes of users, also when they act under a pseudonym. Service providers state privacy policies that allow users a choice between different privacy levels and mechanisms, but also enable them to understand the advantages and disadvantages of disclosing or linking personal data.

Trust in the infrastructure is motivated by the seal of independent organizations that conducted public review of the technologies involved, by the ability of users to choose their trusted entities, and by the knowledge that no single entity or service can link all the data that represent a user's digital life.

Only the development of such a privacy-enhancing identity and security management system will enable the necessary trust and privacy in any e-business, e-work, and e-government scenario. One major challenge comprises both legal and technological elaboration to bridge the gap between privacy and authenticity or even law enforcement. Because privacy-enhancing technologies are just emerging, and business models are sought, the market perspectives in this area are still to be elaborated.

This development of a privacy-enhancing identity and security management system supports the priorities of the IST Programme in FP6 (1.1.2.i) by concentrating on users' interest in reaching the same level of privacy and trust/security in the electronic world he would have had in an equivalent situation in the real world. It is absolutely necessary to integrate projects making this attempt in the first call for the IST Programme in FP6 because the stakes are high, as the provision of privacy-enhancing identity and security management represents a major enabler in achieving users' acceptance of the Information Society and on the development of the notion of privacy and users' rights in general.

What we urgently need is a reference architecture considering and being applicable to computers as well as on mobile devices. Even lowbrow users should benefit from the technology without the need to understand its complexity. In realizing a privacy-enhancing identity and security management system we want to respond to the efforts made by the European Commission to foster initiatives that can urgently address privacy and identity management issues.

A privacy-enhancing identity and security management system must run on trusted hardware and operating systems to disable possible attacks on a user's privacy and trust on a lower architecture level. The network used for communication has to provide anonymous communication. So the system must be integrated in a secure environment. We need close collaboration with related initiatives building these secure environments. Some efforts have already been made, but it would be suggestive if in FP6 also projects concentrating on a secure infrastructure could be realized. An identity and security management system based on a secure environment and using anonymous networks will contribute substantial and appropriate resolution of these issues for the benefits of European citizens, organizations, and the society in general.

For designing the system the possible actors of an identity and security management system and their options for functional, security, and legal requirements depending on the specific applications have to be identified. Further the trust model for a certain requirement will identify under which conditions this requirement will be satisfied. In particular this will identify the parties that an individual or organization has to trust for their security and privacy. Our approach on building an architecture would recursively refine the system into subsystems and components, and their
interactions. Prototypes of selected components should be implemented to demonstrate central functions such as the use of pseudonyms, of anonymous credentials, of anonymous communication channels, and the negotiation of privacy policies. When possible, the implemented components should be released as open source code in order to make basic building blocks available and trigger the implementation of future privacy-enhancing commercial products and services in line with our architecture. The use of open source components will facilitate an independent international review and evaluation process of privacy and security.

60) Franz-Josef Stewing

Materna

How to Configure Security Applications?

Employees of the personnel department have to be able to access the personnel index.

? configure

Firewall

#default policy REJECT on all chains
ipchains -P input REJECT
ipchains -P forward REJECT
ipchains -P output REJECT
#inbound path
ipchains -A input -i eth0 -p tcp -s 192.168
ipchains -A forward -i eth1 -p tcp -s 192.168
ipchains -A output -i eth1 -p tcp -s 192.168
#flush all chain
ipchains -F
#outbound path
ipchains -A input -i eth1 -p tcp -s 192.168
ipchains -A forward