Lecture Notes in Computer Science 5185 Commenced Publication in 1973 Founding and Former Series Editors: Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen Editorial Board David Hutchison Lancaster University, UK Takeo Kanade Carnegie Mellon University, Pittsburgh, PA, USA Josef Kittler University of Surrey, Guildford, UK Jon M. Kleinberg Cornell University, Ithaca, NY, USA Alfred Kobsa University of California, Irvine, CA, USA Friedemann Mattern ETH Zurich, Switzerland John C. Mitchell Stanford University, CA, USA Moni Naor Weizmann Institute of Science, Rehovot, Israel Oscar Nierstrasz University of Bern, Switzerland C. Pandu Rangan Indian Institute of Technology, Madras, India Bernhard Steffen University of Dortmund, Germany Madhu Sudan Massachusetts Institute of Technology, MA, USA Demetri Terzopoulos University of California, Los Angeles, CA, USA Doug Tygar University of California, Berkeley, CA, USA Gerhard Weikum Max-Planck Institute of Computer Science, Saarbruecken, Germany Steven Furnell Sokratis K. Katsikas Antonio Lioy (Eds.) Trust, Privacy and Security in Digital Business 5th International Conference, TrustBus 2008 Turin, Italy, September 4-5, 2008 Proceedings 13 Volume Editors Steven Furnell University of Plymouth School of Computing, Communications and Electronics A310, Portland Square, Drake Circus, Plymouth, Devon PL4 8AA, UK E-mail: sfurnell@jack.see.plymouth.ac.uk Sokratis K. Katsikas University of Piraeus Department of Technology Education and Digital Systems 150 Androutsou St., 18534 Piraeus, Greece E-mail: ska@unipi.gr Antonio Lioy Politecnico di Torino Dipartimento di Automatica e Informatica Corso Duca degli Abruzzi 24, 10129 Torino, Italy E-mail: lioy@polito.it Library of Congress Control Number: 2008933371 CR Subject Classification (1998): K.4.4, K.4, K.6, E.3, C.2, D.4.6, J.1 LNCS Sublibrary: SL 4 – Security and Cryptology ISSN 0302-9743 ISBN-10 3-540-85734-6 Springer Berlin Heidelberg New York ISBN-13 978-3-540-85734-1 Springer Berlin Heidelberg New York This work is subject to copyright. All rights are reserved, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, re-use of illustrations, recitation, broadcasting, reproduction on microfilms or in any other way, and storage in data banks. Duplication of this publication or parts thereof is permitted only under the provisions of the German Copyright Law of September 9, 1965, in its current version, and permission for use must always be obtained from Springer. Violations are liable to prosecution under the German Copyright Law. Springer is a part of Springer Science+Business Media springer.com © Springer-Verlag Berlin Heidelberg 2008 Printed in Germany Typesetting: Camera-ready by author, data conversion by Scientific Publishing Services, Chennai, India Printed on acid-free paper SPIN: 12511266 06/3180 543210 Preface This book contains the proceedings of the 5th International Conference on Trust, Privacy and Security in Digital Business (TrustBus 2008), held in Turin, Italy on 4–5 September 2008. Previous events in the TrustBus series were held in Zaragoza, Spain (2004), Copenhagen, Denmark (2005), Krakow, Poland (2006), and Regensburg, Germany (2007). TrustBus 2008 brought together academic researchers and industrial developers to discuss the state of the art in technology for establishing trust, privacy and security in digital business. We thank the attendees for coming to Turin to partici- pate and debate upon the latest advances in this area. The conference program included one keynote presentation and six technical paper sessions. The keynote speech was delivered by Andreas Pfitzmann from the Technical University of Dresden, Germany, on the topic of “Biometrics – How to Put to Use and How Not at All”. The reviewed paper sessions covered a broad range of topics, in- cluding trust and reputation systems, security policies and identity management, pri- vacy, intrusion detection and authentication, authorization and access control. Each of the submitted papers was assigned to five referees for review. The program committee ultimately accepted 18 papers for inclusion in the proceedings. We would like to express our thanks to the various people who assisted us in orga- nizing the event and formulating the program. We are very grateful to the program committee members and the external reviewers for their timely and thorough reviews of the papers. Thanks are also due to the DEXA organizing committee for supporting our event, and in particular to Gabriela Wagner for her assistance and support with the administrative aspects. Finally we would like to thank all the authors that submitted papers for the event, and contributed to an interesting set of conference proceedings. September 2008 Steven Furnell Sokratis Katsikas Antonio Lioy Organization Program Committee General Chairperson Antonio Lioy Politecnico di Torino, Italy Conference Program Chairpersons Steven Furnell, University of Plymouth, UK Sokratis Katsikas University of Piraeus, Greece Program Committee Members Vijay Atluri Rutgers University, USA Marco Casassa Mont HP Labs Bristol, UK David Chadwick University of Kent, UK Nathan Clarke University of Plymouth, UK Richard Clayton University of Cambridge, UK Frederic Cuppens ENST Bretagne, France Ernesto Damiani Università degli Studi di Milano, Italy Ed Dawson Queensland University of Technology, Australia Sabrina De Capitani di Vimercati University of Milan, Italy Hermann De Meer University of Passau, Germany Jan Eloff University of Pretoria, South Africa Eduardo B. Fernandez Florida Atlantic University, USA Carmen Fernandez-Gago University of Malaga, Spain Elena Ferrari University of Insubria, Italy Simone Fischer-Huebner University of Karlstad, Sweden Carlos Flavian University of Zaragoza, Spain Juan M. Gonzalez-Nieto Queensland University of Technology, Australia Rüdiger Grimm University of Koblenz, Germany Dimitris Gritzalis Athens University of Economics and Business, Greece Stefanos Gritzalis University of the Aegean, Greece Ehud Gudes Ben-Gurion University, Israel Sigrid Gürgens Fraunhofer Institute for Secure Information Technology, Germany Carlos Gutierrez University of Castilla-La Mancha, Spain Organization VIII Marit Hansen Independent Center for Privacy Protection, Germany Audun Jøsang Queensland University of Technology, Australia Tom Karygiannis NIST, USA Dogan Kesdogan NTNU Trondheim, Norway Hiroaki Kikuchi Tokai University, Japan Spyros Kokolakis University of the Aegean, Greece Costas Lambrinoudakis University of the Aegean, Greece Leszek Lilien Western Michigan University, USA Javier Lopez University of Malaga, Spain Antonio Mana Gomez University of Malaga, Spain Olivier Markowitch Université Libre de Bruxelles, Belgium Fabio Martinelli CNR, Italy Chris Mitchell Royal Holloway College, University of London, UK Guenter Mueller University of Freiburg, Germany Eiji Okamoto University of Tsukuba, Japan Martin S. Olivier University of Pretoria, South Africa Rolf Oppliger eSecurity Technologies, Switzerland Maria Papadaki University of Plymouth, UK Ahmed Patel Kingston University, UK Guenther Pernul University of Regensburg, Germany Andreas Pfitzmann Dresden University of Technology, Germany Hartmut Pohl FH Bonn-Rhein-Sieg, Germany Karl Posch University of Technology Graz, Austria Torsten Priebe Capgemini, Austria Gerald Quirchmayr University of Vienna, Austria Christoph Ruland University of Siegen, Germany Pierangela Samarati University of Milan, Italy Matthias Schunter IBM Zurich Research Lab., Switzerland Mikko T. Siponen University of Oulu, Finland Adrian Spalka CompuGROUP Holding AG, Germany A Min Tjoa Technical University of Vienna, Austria Allan Tomlinson Royal Holloway College, University of London, UK Christos Xenakis University of Piraeus, Greece Jianying Zhou I2R, Singapore External Reviewers Carlos A. Gutierrez Garcia University of Castilla-La Mancha, Spain Andrea Perego University of Insubria, Italy Table of Contents Invited Lecture Biometrics–HowtoPuttoUseandHowNotatAll? 1 Andreas Pfitzmann Trust A Map of Trust between Trading Partners 8 John Debenham and Carles Sierra Implementation of a TCG-Based Trusted Computing in Mobile Device 18 SuGil Choi, JinHee Han, JeongWoo Lee, JongPil Kim, and SungIk Jun A Model for Trust Metrics Analysis 28 Isaac Agudo, Carmen Fernandez-Gago, and Javier Lopez Authentication, Authorization and Access Control Patterns and Pattern Diagrams for Access Control 38 Eduardo B. Fernandez, G¨unther Pernul, and Maria M. Larrondo-Petrie A Spatio-temporal Access Control Model Supporting Delegation for Pervasive Computing Applications 48 Indrakshi Ray and Manachai Toahchoodee A Mechanism for Ensuring the Validity and Accuracy of the Billing Services in IP Telephony 59 Dimitris Geneiatakis, Georgios Kambourakis, and Costas Lambrinoudakis Reputation Systems Multilateral Secure Cross-Community Reputation Systems for Internet Communities 69 Franziska Pingel and Sandra Steinbrecher Fairness Emergence through Simple Reputation 79 Adam Wierzbicki and Radoslaw Nielek X Table of Contents Combining Trust and Reputation Management for Web-Based Services 90 Audun Jøsang, Touhid Bhuiyan, Yue Xu, and Clive Cox Security Policies and Identity Management Controlling Usage in Business Process Workflows through Fine-Grained Security Policies 100 Benjamin Aziz, Alvaro Arenas, Fabio Martinelli, Ilaria Matteucci, and Paolo Mori Spatiotemporal Connectives for Security Policy in the Presence of Location Hierarchy 118 Subhendu Aich, Shamik Sural, and Arun K. Majumdar BusiROLE: A Model for Integrating Business Roles into Identity Management 128 Ludwig Fuchs and Anton Preis Intrusion Detection and Applications of Game Theory to IT Security Problems The Problem of False Alarms: Evaluation with Snort and DARPA 1999 Dataset 139 Gina C. Tjhai, Maria Papadaki, Steven M. Furnell, and Nathan L. Clarke A Generic Intrusion Detection Game Model in IT Security 151 Ioanna Kantzavelou and Sokratis Katsikas On the Design Dilemma in Dining Cryptographer Networks 163 Jens O. Oberender and Hermann de Meer Privacy Obligations: Building a Bridge between Personal and Enterprise Privacy in Pervasive Computing 173 Susana Alcalde Bag¨u´es, Jelena Mitic, Andreas Zeidler, Marta Tejada, Ignacio R. Matias, and Carlos Fernandez Valdivielso A User-Centric Protocol for Conditional Anonymity Revocation 185 Suriadi Suriadi, Ernest Foo, and Jason Smith Preservation of Privacy in Thwarting the Ballot Stuffing Scheme 195 Wesley Brandi, Martin S. Olivier, and Alf Zugenmaier Author Index 205 Biometrics – How to Put to Use and How Not at All? Andreas Pfitzmann TU Dresden, Faculty of Computer Science, 01062 Dresden, Germany Andreas.Pfitzmann@tu-dresden.de Abstract. After a short introduction to biometrics w.r.t. IT security, we derive conclusions on how biometrics should be put to use and how not at all. In particular, we show how to handle security problems of biometrics and how to handle security and privacy problems caused by biometrics in an appropriate w ay. The main conclusion is that biometrics should be used between human being and his/her personal devices only. 1 Introduction Biometrics is advocated as the solution to admission control nowadays. But what can biometrics achieve, what not, which side effects do biometrics cause and which challenges in system design do emerge? 1.1 What Is Biometrics? Measuring physiological or behavioral characteristics of persons is called biomet- rics. Measures include the physiological characteristics – (shape of) face, – facial thermograms, – fingerprint, – hand geometry, – vein patterns of the retina, – patterns of the iris, and – DNA and the be havioral characteristics – dynamics of handwriting (e.g., handwritten signatures), – voice print, and – gait. One might make a distinction whether the person whose physiological or behav- ioral characteristics are measured has to participate explicitly (active biomet- rics), so (s)he gets to know that a measurement takes place, or whether his/her explicit participation is not necessary (passive biometrics), so (s)he might not notice that a measurement takes place. S.M. Furnell, S.K. Katsikas, and A. Lioy (Eds.): TrustBus 2008, LNCS 5185, pp. 1–7, 2008. c  Springer-Verlag Berlin Heidelberg 2008 2A.Pfitzmann 1.2 Biometrics for What Purpose? Physiological or behavioral characteristics are measured and compared with ref- erence values to Authenticate (Is this the person (s)he claims to be?), or even to Identify (Who is this person?). Both decision problems are the more difficult the larger the set of persons of which individual persons have to be authenticated or even identified. Particularly in the case of identification, the precision of the decision degrades with the number of possible persons drastically. 2 Security Problems of Biometrics As with all decision problems, biometric authentication/identification may pro- duce two kinds of errors [1]: False nonmatch rate: Persons are wrongly not authenticated or wrongly not identified. False match rate: Persons are wrongly authenticated or wrongly identified. False nonmatch rate and false match rate can be traded off by adjusting the decision threshold. Practical experience has shown that only one error rate can be kept reasonably small – at the price of a unreasonably high error rate for the other type. A biometric technique is more secure for a certain application area than an- other biometric technique if both error types occur more rarely. It is possible to adapt the threshold of similarity tests used in biometrics to various application areas. But if only one of the two error rates should be minimized to a level that can be provided by well managed authentication and identification systems that are based on people’s knowledge (e.g., passphrase) or possession (e.g., chip card), today’s biometric techniques can only provide an unacceptably high error rate for the other error rate. Since more than two decades we hear announcements that biometric research will change this within two years or within four years at the latest. In the mean- time, I doubt whether such a biometric technique exists, if the additional features promised by advocates of biometrics shall be provided as well: – user-friendliness, which limits the quality of data available to pattern recog- nition, and – acceptable cost despite possible attackers who profit from technical progress as well (see below). In addition to this decision problem being an inherent security problem of bio- metrics, the implementation of biometric authentication/identification has to en- sure that the biometric data come from the person at the time of verification and are neither replayed in time nor relayed in space [2]. This may be more difficult than it sounds, but it is a common problem of all authentication/identification mechanisms. [...]... in a few decades, will possibly undermine the security of biometrics which are predictable from these data – Genome databases and ubiquitous computing (= pervasive computing = networked computers in all physical things) will undermine privacy primarily in the physical world – we will leave biological or digital traces wherever we are – Privacy spaces in the digital world are possible (and needed) and. .. instead of trying to gather and store traffic data for a longer period of time at high costs and for (very) limited use (in the sense of balancing across applications) Acknowledgements Many thanks to my colleagues in general and Rainer B¨hme, Katrin Borceao Pfitzmann, Dr.-Ing Sebastian Clauß, Marit Hansen, Matthias Kirchner, and Sandra Steinbrecher in particular for suggestions to improve this paper and. .. in a world where several countries with different legal systems and security interests (and usually with no regard of foreigners’ privacy) accept entry of foreigners into their country only if the foreigner’s country issued a passport with machine readable and testable digital biometric data or the foreigner holds a stand-alone visa document containing such data? 6 A Pfitzmann 5.3 Stand-Alone Visas Including... between Bayesian and Maximum Entropy Inference In: Bayesian Inference and Maximum Entropy Methods in Science and Engineering, pp 445–461 American Institute of Physics, Melville (2004) 15 Paris, J.: Common sense and maximum entropy Synthese 117, 75–93 (1999) 16 Sierra, C., Debenham, J.: The LOGIC Negotiation Model In: Proceedings Sixth International Conference on Autonomous Agents and Multi Agent Systems... platform and transferred to another platform The TPM provides a range of cryptographic primitives including SHA-1 hash, and signing and verification using RSA There are also protected registers called PCR MPWG defines a new specification on MTM which adds new commands and structures to existing TPM specification in order to enable trusted computing in a mobile device context Integrity Measurement and Verification... structure authorizing a measurement value that is extended into a Platform Configuration Register (PCR) defined in the RIM Cert RIM Cert is a new feature introduced in MPWG [2][3] We wrote a program called RIMCertTool for generating a RIM Cert which is inserted into a section in Executable and Linkable Format (ELF) file As, nowadays, ELF is the standard format for Linux executables and libraries, we use... distributions x and y Finally merging Eqn 3 and Eqn 1 we obtain the method for updating a distribution Xi on receipt of a message µ: Pt+1 (Xi ) = Γi (D(Xi ), Pt (Xi(µ) )) (4) This procedure deals with integrity decay, and with two probabilities: first, the probability z in the percept µ, and second the belief Rt (α, β, µ) that α attached to µ The interaction between agents α and β will involve β making contractual... model (as described in Section 3.1) then the (Shannon) information in u with respect to the distributions in M t is: I(u) = H(M t ) − H(M t+1 ) Let N t ⊆ M t be α’s model of agent β If β sends the utterance u to α then the information about β within u is: H(N t ) − H(N t+1 ) We note that by defining information in terms of the change in uncertainty in M t our measure is based on the way in which that update... give a succinct view of trust References 1 Reece, S., Rogers, A., Roberts, S., Jennings, N.R.: Rumours and reputation: Evaluating multi-dimensional trust within a decentralised reputation system In: 6th International Joint Conference on Autonomous Agents and Multi-agent Systems AAMAS 2007 (2007) 2 Ramchurn, S., Huynh, T., Jennings, N.: Trust in multi-agent systems The Knowledge Engineering Review 19,... according to the German constitution, nobody can be forced to co-operate in producing evidence against himself or against close relatives As infrastructures, e.g., for border control, cannot be upgraded as fast as single machines (in the hands of the attackers) to fabricate replicas of fingers, a loss of security is to be expected overall 3.2 Stealing Body Parts (Safety Problem of Biometrics) In the . researchers and industrial developers to discuss the state of the art in technology for establishing trust, privacy and security in digital business. We. Conference on Trust, Privacy and Security in Digital Business (TrustBus 2008), held in Turin, Italy on 4–5 September 2008. Previous events in the TrustBus