PhD ThesisA Trust Management Framework is a collection of technical components and governing
rules and contracts to establish secure, confidential, and Trustworthy transactions
among the Trust Stakeholders whether they are Users, Service Providers, or Legal
Authorities. Despite the presence of many Trust Frameworks projects, they still fail
at presenting a mature Framework that can be Trusted by all its Stakeholders. Particularly
speaking, most of the current research focus on the Security aspects that may
satisfy some Stakeholders but ignore other vital Trust Properties like Privacy, Legal
Authority Enforcement, Practicality, and Customizability. This thesis is all about
understanding and utilising the state of the art technologies of Trust Management to
come up with a Trust Management Framework that could be Trusted by all its Stakeholders
by providing a Continuous Data Control where the exchanged data would be
handled in a Trustworthy manner before and after the data release from one party to
another. For that we call it: Continuous Trust Management Framework.
In this thesis, we present a literature survey where we illustrate the general picture
of the current research main categorise as well as the main Trust Stakeholders, Trust
Challenges, and Trust Requirements. We picked few samples representing each of
the main categorise in the literature of Trust Management Frameworks for detailed
comparison to understand the strengths and weaknesses of those categorise. Showing
that the current Trust Management Frameworks are focusing on fulfilling most of the
Trust Attributes needed by the Trust Stakeholders except for the Continuous Data
Control Attribute, we argued for the vitality of our proposed generic design of the
Continuous Trust Management Framework.
To demonstrate our Design practicality, we present a prototype implementing its
basic Stakeholders like the Users, Service Providers, Identity Provider, and Auditor
on top of the OpenID Connect protocol. The sample use-case of our prototype is to
protect the Users’ email addresses. That is, Users would ask for their emails not to be
iii
shared with third parties but some Providers would act maliciously and share these
emails with third parties who would, in turn, send spam emails to the victim Users.
While the prototype Auditor would be able to protect and track data before their
release to the Service Providers, it would not be able to enforce the data access policy
after release. We later generalise our sample use-case to cover various Mass Active
Attacks on Users’ Credentials like, for example, using stolen credit cards or illegally
impersonating third-party identity.
To protect the Users’ Credentials after release, we introduce a set of theories and
building blocks to aid our Continuous Trust Framework’s Auditor that would act as
the Trust Enforcement point. These theories rely primarily on analysing the data
logs recorded by our prototype prior to releasing the data. To test our theories, we
present a Simulation Model of the Auditor to optimise its parameters. During some
of our Simulation Stages, we assumed the availability of a Data Governance Unit,
DGU, that would provide hardware roots of Trust. This DGU is to be installed in the
Service Providers’ server-side to govern how they handle the Users’ data. The final
simulation results include a set of different Defensive Strategies’ Flavours that could
be utilized by the Auditor depending on the environment where it operates.
This thesis concludes with the fact that utilising Hard Trust Measures such as DGU
without effective Defensive Strategies may not provide the ultimate Trust solution.
That is especially true at the bootstrapping phase where Service Providers would be
reluctant to adopt a restrictive technology like our proposed DGU. Nevertheless, even
in the absence of the DGU technology now, deploying the developed Defensive Strategies’
Flavours that do not rely on DGU would still provide significant improvements
in terms of enforcing Trust even after data release compared to the currently widely
deployed Strategy: doing nothing!Public Authority for Applied Education and Training in Kuwait, PAAET