Harvesting credentials in trust negotiation as an honest-but-curious adversary

Proceedings of the ACM Workshop on Privacy in the Electronic Society. ACM Workshop on Privacy in the Electronic Society Pub Date : 2007-10-29 DOI:10.1145/1314333.1314345

L.E. Olson, Mike Rosulek, M. Winslett

引用次数: 11

Abstract

Need-to-know is a fundamental security concept: a party should not learn information that is irrelevant to its mission. In this paper we show that during a trust negotiation in which parties show their credentials to one another, an adversary can systematically harvest information about all of a victim's credentials that the attacker is entitled to see, regardless of their relevance to the negotiation. We present examples of need-to-know attacks with the trust negotiation approaches proposed Yu, Winslett, and Seamons; by Bonatti and Samarati; and by Winsborough and Li. Finally, we propose possible countermeasures against need-to-know attacks, and discuss their advantages and disadvantages.

查看原文

微信好友朋友圈 QQ好友复制链接

本刊更多论文

作为一个诚实但好奇的对手，在信任谈判中获得信任

“需要知道”是一个基本的安全概念:一方不应该了解与其任务无关的信息。在本文中，我们展示了在各方相互展示其凭证的信任谈判中，攻击者可以系统地获取攻击者有权看到的所有受害者凭证的信息，而不管它们与谈判的相关性如何。我们用Yu、Winslett和Seamons提出的信任协商方法展示了需要知道攻击的例子;博纳蒂和萨马拉蒂;温斯伯勒和李。最后，我们提出了针对需要知道攻击的可能对策，并讨论了它们的优缺点。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文去求助

来源期刊

Proceedings of the ACM Workshop on Privacy in the Electronic Society. ACM Workshop on Privacy in the Electronic Society

自引率

0.00%

发文量

期刊最新文献

A Study of Users' Privacy Preferences for Data Sharing on Symptoms-Tracking/Health App. Preserving Genomic Privacy via Selective Sharing. For human eyes only: security and usability evaluation Secure communication over diverse transports: [short paper] A machine learning solution to assess privacy policy completeness: (short paper)