Cyber-Trust

Trust pervades the economic and societal interactions on which the Information Society is built. This paper applies economic analysis to issues of trust and identifies trust considerations affecting market structure, conduct and performance. The analysis highlights the impact of ISTs and the impact on a range of stakeholders

Formal analysis of privacy in Direct Anonymous Attestation schemes

This article introduces a definition of privacy for Direct Anonymous Attestation schemes. The definition is expressed as an equivalence property which is suited to automated reasoning using Blanchet's ProVerif. The practicality of the definition is demonstrated by analysing the RSA-based Direct Anonymous Attestation protocol by Brickell, Camenisch & Chen. The analysis discovers a vulnerability in the RSA-based scheme which can be exploited by a passive adversary and, under weaker assumptions, corrupt issuers and verifiers. A security fix is identified and the revised protocol is shown to satisfy our definition of privacy

Tisa: Toward Trustworthy Services in a Service-Oriented Architecture

Verifying whether a service implementation is conforming to its service-level agreements is important to inspire confidence in services in a service-oriented architecture (SoA). Functional agreements can be checked by observing the published interface of the service, but other agreements that are more non-functional in nature, are often verified by deploying a monitor that observes the execution of the service implementation. A problem is that such a monitor must execute in an untrusted environment. Thus, integrity of the results reported by such a monitor crucially depends on its integrity. We contribute an extension of the traditional SoA, based on hardware-based root of trust, that allows clients, brokers and providers to negotiate and validate the integrity of a requirements monitor executing in an untrusted environment. We make two basic claims: first, that it is feasible to realize our approach using existing hardware and software solutions, and second, that integrity verification can be done at a relatively small overhead. To evaluate feasibility, we have realized our approach using current software and hardware solutions. To measure overhead, we have conducted a case study using a collection of Web service implementations available with Apache Axis implementation

Legal Environments for Digital Trust:Trustmarks, Trusted Computing and the Issue of Legal Liability

Trusted Computing and Trustmarks are two approaches developed to enhance internet security and trust and we claim that they are structurally similar and an exercise in mutual learning would be of great benefit for both. We argue that TC philosophy could possibly supplement TMOs so that TMs become to TMOs more than just a mere link while we address critical questions regarding reliance liability. With our present study we propose that the model for adequate TMO liability could possibly be an example of how to deal with the issue of TC’s reliance liability

Bootstrapping trust in service oriented architecture

Services in a service-oriented architecture are designed to meet desired functional and non-functional requirements. Conformance of a service implementation to its functional requirements can be tested by observing the interface of the service but it is hard to enforce non-functional requirements such as data privacy and safety properties by monitoring the interface alone. Instead the implementation of the service need to be monitored for its conformance to the non-functional properties. A requirement\u27s monitor can be deployed to check this conformance. A key problem is that such monitor must execute in an untrustworthy environment (at the service provider\u27s location).;We argue that the integrity of the reported results of such a monitor crucially depends on the integrity of the monitor itself. Previous research results on trustworthy computing has shown that static properties, such as the checksum, of a remote program can be verified using a hardware-based mechanism called trusted platform module.;This thesis makes two contributions. First, we extend the traditional notion of a service-oriented architecture to accommodate the requirements for trust. Second, we propose a dynamic attestation mechanism that serves to support our extensions. To evaluate our approach, we have conducted a case study using a commercial requirements monitor and a collection of web service implementations available with Apache Axis implementation. Our case study demonstrates the feasibility of verifying the conformance of a web service executing in an untrusted environment with respect to a class of non-functional requirements using our approach. Lack of data privacy during online transactions is a major cause of concern among e-commerce users. By providing a technique to monitor such properties in a decoupled environment our work promises to address the issue of guaranteeing the privacy of confidential client data on the provider\u27s side in a Service Oriented Architecture

Forme di controllo delle informazioni digitali: il Digital Rights Management

Non è la prima volta che le strutture giuridiche sulle quali poggia il controllo delle informazioni – in primo luogo: la proprietà intellettuale – traballano sotto i colpi del progresso tecnologico (si pensi alla fotografia, al grammofono, al cinema, alla radio ed alla televisione). Ma la carica rivoluzionaria delle tecnologie digitali sembra paragonabile solo (ed è con tutta probabilità superiore) agli sconvolgimenti innescati dalla stampa a caratteri mobili. Tra le tante ricadute della crittografia digitale vi sono anche i sistemi di Digital Rights Management (DRM) ovvero i sistemi per la gestione delle regole di accesso ed utilizzo delle informazioni digitali. Il saggio è dedicato ad effettuare una breve esplorazione della storia della tutela delle opere dell’ingegno (paragrafo 2), ad accennare alla struttura economica del diritto d’autore (paragrafo 3), a ripercorrere alcuni tratti del rapporto tra tecnologie digitali e controllo delle informazioni (paragrafo 4), ad inquadrare il DRM nell’ambito delle diverse possibili forme di controllo delle informazioni digitali (paragrafo 5), a descrivere gli abusi a cui si presta il potere di controllo generato dal DRM (paragrafo 6), a delineare la logica ed i difetti dell’attuale disciplina legislativa di tutela delle misure tecnologiche di protezione (paragrafo 7), nonché a mettere in luce alcuni profili salienti degli scenari attuali (paragrafo 8)