University of Cambridge Computer Laboratory, 15 JJ Thompson Avenue, Cambridge, CB3 0FD, United Kingdom firstname.lastname@example.org
Abstract. Emerging peer to peer (P2P) applications have a requirement for decentralised access control. Computational trust systems address this, achieving security through collaboration. This paper surveys current work on overlay networks, trust and identity certification. Our focus is on the particular problem of distributing evidence for use in trust-based security decisions. We present a system we have implemented that solves this in a highly scalable way, and resists attacks such as false recommendations and collusion.
A Metaphor for Trust-Based Security
In the physical world, there are three main approaches to access control. If we wish to secure a building, we could lock the door and issue keys only to those who work in the building. This makes access less convenient though, so it could be better to leave the door unlocked and save time for our legitimate users. Alternatively, we might choose to leave the door unlocked but employ a security guard who sits in the lobby keeping an eye on those who pass by. The guard won’t often have to stop anyone because he will recognise those who work in the building; he can also assess whether strangers are a threat, based on factors such as whether they are accompanied by someone he does know. In the online world, typically we can only choose the first two alternatives – either to secure the resource and issue (digital) keys to those who are permitted access, or to allow anyone access. Computational trust modelling is a way of implementing the third option (a decision-making security guard) in an internet environment. For many applications this enables a new and more acceptable combination of security and convenience.
1.2 Our Approach
We form models for trust and risk in online entities, and use this information to make access control decisions. This is useful in many application domains, such as Internet auctions, spam filtering, P2P storage services and so on. A key feature of our model is its use of recommendations to exchange trust information between principals. This creates a requirement for an effective and scalable mechanism to distribute such information across the network. A typical scenario involves millions of principals, most of whom do not know each other. Patterns of interaction may be random and not exhibit much locality of reference. Furthermore, any information sent via the network can be falsified, including recommendations and routing information, yet the system must be secure. Overlay networks can be used to provide deterministic, scalable data access for P2P applications. Using such techniques we can look up any piece of evidence with a logarithmic number of messages and collate all that is known about each principal in behaviour profiles. We combine this with a set of Certification Agencies to limit attacks by making it expensive to obtain extra identities. Our prototype is named ENTRAPPED (Efficient Network Trust & Recommendation Access by Peer-Peer Evidence Distribution).
P. Herrmann et al. (Eds.): iTrust 2005, LNCS 3477, pp. 273–288, 2005. © Springer-Verlag Berlin Heidelberg 2005
1.3 Example: Internet Auctions
Internet auction sites such as E-bay are a familiar example of e-commerce based on trust between mutually unknown participants. E-bay works by allowing buyers to provide feedback on sellers (recommendations). In the case of serious complaints the management can act to bar participants from the site. Consider what would happen if there were no central authority to police the system, no human being in the decision loop for making purchases, and attackers colluding to recommend each other. If we would like our machine to...