The present invention relates to a method for supporting a reputation mechanism in a network, wherein said network includes one or more domains with one or more users being connected to said domains, one or more Identity Providers that manage identity information on behalf of said users, and at least one entity that functions as Web Service Consumer for said users.
Furthermore, the invention relates to a network including a reputation mechanism, said network comprises one or more domains with one or more users being connected to said domains, one or more Identity Providers that manage identity information on behalf of said users, and at least one entity that functions as Web Service Consumer for said users.
In the field of the internet and the World Wide Web, electronic transactions are becoming everyday more and more important. Many daily tasks like going shopping, watching the news or calling friends can be performed by means of electronic transactions. But even more tedious ones like booking a flight or a hotel room, or enrolling at the university, among many others, have been simplified by using the internet.
However, as many more applications appear and become popular, also many security risks threaten its safe working. Due to their impersonal nature, electronic transactions suffer from several security deficiencies that have not been accurately solved yet and are, therefore, slowing down the extensive use of these very useful technologies by the society.
Service Providers from the same domain and even from different domains have to deal with these problems everyday. It is an enormous problem that an entity, in the following mentioned as Web Service Consumer (WSC) has when, in order to provide a requested service to a certain user, the Web Service Consumer needs to previously exchange some information with another entity, in the following mentioned as Web Service Provider (WSP). Currently, many domains carry out such a transaction in a secure way by means of a Service Level Agreement (SLA), as well as by the use of Authentication, Authorization and Accounting (AAA) frameworks. However, the problem is that a Service Level Agreement is not always available between every pair of domains. Moreover, the Service Level Agreement is not always easy to achieve and frequently has associated costs. Thus, many times no such agreement is in place to ensure the validity of the information provided by the other domain.
It is therefore an object of the present invention to improve and further develop a method and a network of the initially described type in such a way that, by employing mechanisms that are readily to implement, a Web Service Consumer of a domain is enabled to determine in an efficient way whether information provided by a Web Service Provider of another domain can be taken as reliable or not.
In accordance with the invention, the aforementioned object is accomplished by a method comprising the features of claim 1. According to this claim such a method is characterized in that, in case a user requests a Web Service Consumer of one of said domains for a web service provided by a Web Service Provider, in particular of another of said domains, said requested Web Service Consumer requests its known Identity Providers regarding a recommendation of said Web Service Provider, wherein said Identity Providers function as recommendation aggregators by collecting reputation assessments of said Web Service Provider from entities being registered on said Identity Providers, in particular users and/or Web Service Consumers, wherein said Identity Providers return an aggregated recommendation to said requested Web Service Consumer that, on the basis of said aggregated recommendation, determines a trust assessment about said Web Service Provider, and wherein a privacy homomorphism is employed for providing an encrypted exchange of recommendation related information between said Identity Providers and said requested Web Service Consumer.
Furthermore, the aforementioned object is accomplished by a network comprising the features of claim 21. According to this claim such a network is characterized in that, in case a user requests a Web Service Consumer of one of said domains for a web service provided by a Web Service Provider, in particular of another of said domains, said requested Web Service Consumer requests its known Identity Providers regarding a recommendation of said Web Service Provider, wherein said Identity Providers function as recommendation aggregators by collecting reputation assessments of said Web Service Provider from entities being registered on said Identity Providers, in particular users and/or Web Service Consumers, wherein said Identity Providers return an aggregated recommendation to said requested Web Service Consumer that, on the basis of said aggregated recommendation, determines a trust assessment about said Web Service Provider, and wherein a privacy homomorphism is employed for providing an encrypted exchange of recommendation related information between said Identity Providers and said requested Web Service Consumer.
According to the invention it has first been recognized that the need of a service level agreement between a pair of domains for enabling entities of one domain to securely access data or systems of another domain seamlessly can be overcome by employing a reputation mechanism. Specifically, it has been recognized that a reputation mechanism can be employed in such an advantageous way that the trustworthiness of a service provider can be determined. According to the invention in case a user requests a Web Service Consumer of one of the domains for a web service provided by a Web Service Provider, in particular of another of the domains, the requested Web Service Consumer requests all its known Identity Providers regarding a recommendation of the Web Service Provider. A web service provided by a Web Service Provider in this context can already mean that the Web Service Consumer needs to retrieve and exchange some information with the Web Service Provider in order to provide or deliver the corresponding web service to the requesting user. Further, each of the Identity Providers functions as recommendation aggregator by collecting reputation assessments of the Web Service Provider from entities being registered on the Identity Provider, in particular users and/or Web Service Consumers. This means that the Identity Providers collect the opinions of the entities being registered on them. Moreover, each of the Identity Providers returns an aggregated recommendation to the requested Web Service Consumer that, on the basis of the aggregated recommendation, determines a trust assessment about the Web Service Provider.
Consequently, the Web Service Consumer can decide by means of the trust assessment whether the information received in the context of the web service from the Web Service Provider is reliable or not. With respect to safety and security, a privacy homomorphism is employed for providing an encrypted exchange of recommendation related information between the Identity Providers and the requested Web Service Consumer. The use of the privacy homomorphism allows the aggregation of some sensitive information within the reputation mechanism in a privacy preserving way without revealing the information.
Thus, the method or the network according to the invention can advise a domain when it has to decide whether to exchange some necessary information with another domain or not, depending on the trustworthiness and reputation of the other domain.
According to a preferred embodiment the aggregated recommendation returned by the Identity Providers to the requested Web Service Consumer may be a single aggregated value for recommendations of the users being registered on the Identity Providers. Equally, the aggregated recommendation may be a single aggregated value for recommendations of the Web Service Consumers being registered on the Identity Providers. Furthermore, the aggregated recommendation may be a single aggregated value for recommendations of the users and the Web Service Consumers that are registered on the Identity Providers.
According to a preferred embodiment the ElGamal encryption scheme may be applied as privacy homomorphism. The encryption scheme according to ElGamal as described in Taher ElGamal, “A public key cryptosystem and a signature scheme based on discrete logarithms”, Springer-Verlag, 1998, is a multiplicative privacy homomorphism. This encryption scheme may be adapted to elliptic curve (EC) mapping the homomorphism in an additive group. As in most elliptic curve based schemes, the security of the scheme will depend on the choice of the elliptic curve E, prime p and the choice of generator G. The elliptic curve E should be chosen in such a way that the Elliptic Curve Discrete Log Problem (ECDLP) is verified.
EC-EG offers the properties that are required, e.g. a low bandwidth cost, flexibility and efficient operations. For example, in case it is chosen p to be a 163-bit number, then the ciphered text will take up 2*(163+1) bits. The scheme is versatile and flexible. Moreover, the cost of addition and multiplication with a scalar are a point addition and two point multiplications with small numbers that is respectable. A point addition is considered a cheap operation in EC and the complexity of the point multiplication depends on the size of the operands. These reasons make the following scheme the perfect candidate to apply for the method according to the invention:
Since EC-EG functions in terms of points in the EC, a function map(x) and its reverse function rmap(x) may be required. These functions should map an integer number to a point in the curve, and vice versa, such that the privacy homomorphism properties are maintained throughout all operations on encrypted text. Although there are standard mechanisms to translate an integer into a point in the curve, due to the restriction explained above, it may be opted for a mechanism introduced in Mykletun, Girao and Westhoff, “Public key based cryptoschemes for data concealment in wireless sensor networks”, in IEEE International Conference on Communications, Istanbul, Turkey, June 2006, which defines map(x)=xG and rmap(x) as the brute force of the ECDLP. Since in the context of the invention it is intended to work with relatively small numbers, in particular less than 32 bits, this restriction is acceptable. Thus, by using this cryptographic tool, a purely private system can be achieved, wherein storage points and intermediaries, in particular Identity Providers, do not have direct access to sensitive data.
With regard to the encryption of sensitive information, it may be provided that in a very first step, the requested Web Service Consumer sends its public key to the Identity Providers, together with a default initial weight for all the entities being registered on the Identity Providers, and wherein the initial weight is encrypted with the public key of the requested Web Service Consumer.
Advantageously, it may be provided that each of the Identity Providers stores a weight given by the requested Web Service Consumer to each of the entities being registered on the Identity Providers, and wherein the weight is encrypted with a public key of the requested Web Service Consumer. Thus, the Identity Providers cannot discover the actual weight of an entity.
In a further step, the requested Web Service Consumer may decrypt the aggregated recommendation returned by the Identity Providers with its private key to obtain a weighted recommendation of the entities being registered on the Identity Providers.
According to a preferred embodiment each of the Identity Providers may perform the aggregated recommendation of users being registered on the Identity Providers according to
wherein RecU
Furthermore, the Identity Providers may perform the aggregated recommendation of Web Service Consumers being registered on the Identity Providers according to
wherein RecWSC
Once, in case the recommendations of the Web Service Provider has been collected from the entities being registered on the Identity Providers, a trust assessment in the form of a global trust value may be given to the Web Service Provider, by aggregating the collected recommendations. The trust of the users regarding the Web Service Provider, for example TU ∈ [0,1], may be computed by a weighted sum of the recommendations of each user Ui and for example RecU
wherein ωU
Equally, the trust of the Web Service Consumers regarding the Web Service Provider, may be computed according to
With regard to the assessment of the Web Service Provider, the trust assessment may be determined according to
GT=(ωD·TD)+(ωU·TU)+(ωWSC·TWSC) (3)
wherein GT is the trust assessment in the form of a global trust value assigned to the Web Service Provider, wherein TD is a direct trust, i.e. direct experiences, placed on the Web Service Provider, wherein TU is the aggregated trust received from other users, wherein TWSC is the aggregated trust received from other Web Service Consumers, and wherein ωD, ωU and ωWSC are the corresponding weights with e.g. ωD,ωU,ωWSC ∈ [0,1]. If the requested Web Service Consumer has no past experiences with the Web Service Provider, then TD may take an initial value of 0.5, otherwise TD may take the last computed trust assessment, i.e. TD=GT.
Advantageously, it may be provided that the first time a transaction is to be carried out between the requested Web Service Consumer and the Web Service Provider formula (3) is applied. However, for the nth transaction it may be provided that the trust assessment GT of the Web Service Provider may be computed according to
that is equal to
In doing so, it is noted that it should be applied
Therefore if, for instance, ωD=1 then GT(n)=TD, i.e. only the direct trust is taken into consideration, and if ωD=0 then GT(n)=ωU·TU+ωWSC·TWSC, which means that only the trust of users and Web Service Consumers is accepted.
The requested Web Service Consumer may define trust levels, wherein the requested Web Service Consumer fits the trust assessment of the Web Service Provider in one of the trust levels. Advantageously, it may be provided that fuzzy sets are employed in order to represent the trust levels.
According to a preferred embodiment the requested Web Service Consumer may request the web service to the Web Service Provider, wherein the requested Web Service Provider provides more or less parameters depending on which trust level the Web Service Provider is placed. Thus, after computing the trust assessment, the requested Web Service Consumer may have to decide whether to carry out the whole transaction with the Web Service Provider, to carry it out partially or even not to have any interaction with the Web Service Provider. This decision may depend on which trust level the Web Service Provider is placed. In doing so, the requested Web Service Consumer may define its own trust levels.
According to a preferred embodiment rewards and/or punishments may be performed on the users and/or on the Web Service Consumers being registered on the Identity Providers according to accuracy and reliability of their recommendations.
Advantageously, it may be provided that the requesting user gives a feedback to the requested Web Service Consumer, wherein the feedback includes the satisfaction of the requesting user with the provided web service.
According to a preferred embodiment the requested Web Service Consumer may send the satisfaction together with a threshold δ to the Identity Providers, wherein the threshold δ is employed to determine whether to punish or reward the users and/or the Web Service Providers being registered on the Identity Providers. Both the satisfaction and the threshold need not be ciphered.
Advantageously, the divergence between the satisfaction Sat of the requesting user and a previously given recommendation RecU
Furthermore, in case a reward is to be performed on user Ui, the weight of user Ui may be increased according to
φ(ωU
wherein in case a punishment is to be performed on user Ui, the weight ωU
In case a reward is to be performed on Web Service Consumer WSCi, the weight ωWSC
φ(ωWSC
wherein in case a punishment is to be performed on user Ui, the weight of user Ui may be decreased according to
According to a preferred embodiment, each of the Identity Providers may calculate an average deviation of the satisfaction of the requesting user with the recommendations of the users and/or the Web Service Consumers being registered on the Identity Providers, wherein the Identity Providers sends the average deviation to the requested Web Service Consumer.
Advantageously, the requested Web Service Consumer may perform a corresponding reward or punishment on the weights ωU and ωWSC on the basis of the average deviation received from the Identity Providers.
There are several ways how to design and further develop the teaching of the present invention in an advantageous way. To this end it is to be referred to the patent claims subordinate to patent claim 1 on the one hand and to the following explanation of preferred embodiments of the invention by way of example, illustrated by the drawing on the other hand. In connection with the explanation of the preferred embodiments of the invention by the aid of the drawing, generally preferred embodiments and further developments of the teaching will we explained. In the drawing
This information exchange between two domains is usually done under a well known and accepted Service Level Agreement (SLA). By means of a SLA, every domain can be sure that the information provided by the other domain is trustworthy.
However, it is not always possible to find a SLA between every pair of domains. Therefore, there is need of a mechanism to allow a domain to somehow determine if the information provided by another, maybe unknown, domain can be taken as reliable or not. The mechanism that is applied is a reputation and trust model. The Identity Providers (IdPs) manage identity information on behalf of users and provide assertions of users' authentication to other Providers. The Identity Providers act as recommendation aggregators, i.e. the Identity Providers collect the opinions of the users belonging to each Identity Provider IdP and return a single aggregated value.
According to the application scenario of
Once this revision has been done, WSC1 asks other users, regardless the domain they are connected to, that have had past experiences with WSP about its behaviour. And finally, WSC1 also asks other WSCs who have had past interactions with WSP, as well, about their satisfaction with the performed interaction. In doing so, every user and every WSC has to record its satisfaction with every transaction (or at least the last n ones) carried out with every WSP belonging to another domain.
As soon as WSC1 has collected all that information, WSC1 assesses how trustworthy or reputable WSP is, according to some self-defined trust levels. That means that every domain can determine its own trust levels depending on its needs and on how confident or unconfident it is. Thus, according to the trust level where WSC1 placed WSP, the information exchange will be totally or partially done, or even not carried out.
Supposing that WSC1 trusts in WSP enough to let the information exchange to happen, the service is then provided to the user who requested it. This user also informs WSC1 about its satisfaction with that specific received service. This feedback information can help WSC1 to increase or decrease its trust in the Web Service Provider, according to its self-defined trust levels, and also to punish or reward the recommendations given in the previous step. Nevertheless, even more important than if WSC1 trusts in exchanged information of the Web Service Provider may be that if the Web Service Provider trusts in WSC1 as the legitimate receiver of that information, because if the latter does not occur, the information is not be given to WSC1, and the service is not be delivered.
But if WSC1 does not trust in WSP's information, the information exchange can be performed anyway, if the user authorizes it. Equally, if WSCi trusts in WSP, but the user does not trust at all in WSP, the service will not be delivered. So the user's opinion about WSP will be decisive when computing the trust level from the point of view of WSC1.
The first step of
In the second step of
In the third step of
After receiving the service, the user sends back his/her satisfaction with that certain service to the domain that provided it, namely to the Web Service Consumer. In the last step of
a shows the first approach, wherein WSC1 asks all the users through their corresponding Identity Provider IdP if they have had any transaction with the Web Service Provider every time it needs to compute its trust in that specific Web Service Provider. In case they had, then WSC1 requests them their recommendation about the Web Service Provider. In doing so, WSC1 can weight each user's recommendation individually.
b shows a second approach that consists of WSC1 asking only to those users who have actually had a transaction with the Web Service Provider. WSC1 can weight each user's recommendation individually, but using less messages than the approach of
c shows a third approach of gathering recommendations from the users about the Web Service Provider, wherein only Identity Providers are asked that WSC1 knows. Each Identity Provider IdP will give back an aggregated recommendation of all of its users who have had a transaction with Web Service Provider in the past. Thus, WSC1 does not need to know who has had an interaction with the Web Service Provider. This is the approach that uses less of messages than the approaches of
The same three approaches of
According to
Thus, WSC1 can weight each user's recommendation individually, using few messages and the actual recommendation value of each user is only known by its corresponding IdP.
According to
Each trust level has associated an amount and/or type of information that can be exchanged if the communicating party is placed in that level. For instance, in the example shown in
In order to find out the trust level of a Web Service Provider from its global trust value GT there is a need to know the values returned by the membership functions of every fuzzy set containing GT as an element. In the example shown in
In a generic way, the probability of the Web Service Provider of being placed in trust level TLj being εi, i=1 . . . ,n the values returned by every membership function (and n the number of trust levels), could be obtained through the next formula:
If εj=0,∀j, the fuzzy set TLk with εk ≠ 0 for the closest value ν<GT is selected.
Both punishment and reward are proportional to the distance between the recommendation given by the user and the satisfaction perceived by the customer. That is, the closer those values are, the greater is the reward, and the farther those values are, the greater is the punishment.
Since |Sat−Reci|, ωi ∈ [0,1], the private homomorphism φ is needed to carry out the following operations: If |Sat−Reci|<δ, i.e., if a reward is to be performed on user ui, increasing its weight ωi,
φ(ωi)|Sat−Rec
and if |Sat−Reci|≧δ, i.e., if user ui must be punished, decreasing its weight ωi,
Once all the users' weights stored in an IdP have been appropriately modified, the weights have to be normalized in order to preserve the condition shown in equation (4) according to
It is important to notice that a value δ→1 means a low reward and low punishment, while δ→0 means high reward and high punishment. It is also important to note the relevance of δ parameter since it controls the punish and reward mechanism. A low value of δ implies that too few users will be rewarded and too many punished, but those of them who are rewarded, will be highly rewarded. On the other hand, a high value of δ means that too many users will be rewarded and the few ones who will be punished, will be slightly punished.
Thus, the following implications can be concluded:
δ→0ρ→−1ω→0
δ→1ρ→1ω→1
That is, the lower δ is, the more strict and severe is the punishment. And the greater δ is the higher is the reward scheme. Thus, a good initial value is δ=0.5. However, it can also be updated dynamically along the time in order to avoid oscillating the behaviours of the Web Service Provider, and each Web Service Consumer would be responsible for managing its own δ parameter value individually.
ωD=0.5
ωU=ωWSC=0.25
Moreover, the evolution of these weights along the time depend on the accuracy and reliability of each source. Thus, if users (equally Web Service Consumers) are always being punished, the influence of their opinions in the assessment of the trust assessment in the form of the global trust GT should be decreased. On the other hand, if the entities of an information source are always being rewarded, a greater weight should be given to that precise source when computing the global trust value.
So let ρU be the average between the amount of rewards and punishments received by all the queried users, computed as follows:
ρWSC would be obtained in a similar way. It is important to notice that both ρU, ρWSC ∈ [−1,1]. A value ρU=−1 means that absolutely all the users have received the maximum punishment (i.e. |Sat−Reci|=1≧δ, ∀i), so their weight should be decreased to 0.
Alternatively, if ρU=1 implies that all the users have received the maximum reward possible (that is, |Sat−Reci|=0≦δ, ∀i), so their weight should take the maximum value.
Finally, if ρU=0, on average term half the users have given a bad recommendation (and therefore have been punished) and the other half have received a good reward due to their accurate recommendations. In this case, the weight ωU given to users in formula (3) should remain invariable.
In order to achieve these conditions, both weights ωU and ωWSC might be redefined after the last step of punishing and rewarding has been completed, according to the following formulae, as it can be observed in
Finally, in order to preserve the relation shown in equation (4), weights need to be normalized, that is
Another normalization is also needed when a new user joins or registers to the Identity Provider. In that case, the new user is initially given the default weight φ(ω0), but since this incorporation breaks the condition shown in equation (4), the following operation has to be performed, again:
The steps illustrated in
Many modifications and other embodiments of the invention set forth herein will come to mind the one skilled in the art to which the invention pertains having the benefit of the teachings presented in the foregoing description and the associated drawings. Therefore, it is to be understood that the invention is not to be limited to the specific embodiments disclosed and that modifications and other embodiments are intended to be included within the scope of the appended claims. Although specific terms are employed herein, they are used in a generic and descriptive sense only and not for purposes of limitation.
Number | Date | Country | Kind |
---|---|---|---|
09013609.4 | Oct 2009 | EP | regional |
Filing Document | Filing Date | Country | Kind | 371c Date |
---|---|---|---|---|
PCT/EP10/06612 | 10/29/2010 | WO | 00 | 6/7/2012 |