EPAK will be presented at the 23rd Annual Computer Security Applications Conference (ACSAC).

Abstract

People today are concerned with how information about them is collected, stored and used. This thesis proposes a protocol that allows users to negotiate privacy policies with Internet sites that want to collect data about them. The Or Best Offer Negotiation protocol improves on existing protocols in that it is guaranteed to reach an end state within a fixed number of negotiation rounds. It uses a graph-based model to allow the specification of fine-grained but flexible privacy preferences for users. Also, the protocol is fair to both participants in the negotiation.

All are invited to attend!

Title: Browser Based Trust Negotiation

Abstract:
Trust negotiation allows two parties on the Internet to establish trust in each other according to the digital credentials that each other possesses. Traditionally, trust negotiation uses certificates as digital credentials. However, certificates make trust negotiation difficult to use since people rarely have certificates available to them, and they must physically possess and secure all needed certificates in order to negotiate.

To avoid these problems, this thesis proposes that credential authorities negotiate on behalf of the user. This thesis defines Browser- Based Trust Negotiation (BBTN) as a method for negotiating with credential authorities using the Secure Assertion Markup Language (SAML).

Title: Trust Negotiation for Open Database Access Control

Paul’s research will integrate concepts from trust negotiation into database authentication and access control. This will result in a database system that can be accessed by qualified outsiders. He will focus on Hippocratic databases that support strong privacy guarantees for protecting sensitive personal information. The database subjects are able to set the access control requirements regarding who can access their data.

See talk slides

Abstract:

Java and .NET have a sophisticated, configurable way of minimizing the risks of executing certain application code by restricting this code to a limited set of operations. This allows cautious users to be as safe as possible while still allowing potentially valuable applications to run. This improved model allows one to authenticate the author of the code and set policies restricting what resources the foreign code can access based on that authentication. My presentation will cover the basics of this model and will contrast the differences between the Java and the .NET approach.

At the same time, the old Yoda machine that used to serve as both our public web server as well as an internal file/cvs server has gone into hiding (although not quite so far as Dagobah). It is now no-longer accessible directly from outside the lab. The younger and hopefully more diplomatic Padme has taken it’s place as the public face of the ISRL. At the moment, the DNS situation is a little murky (yoda.cs.byu.edu points to padme), but as soon as the CS department system administrators come back from vacation, the entries for yoda.cs.byu.edu and padme.cs.byu.edu will be fixed.

Title: TrustBroker: A Defense Against Identiy Theft from Online Transactions

Abstract:

The proliferation of online services over the years has encouraged more and more people to participate in Internet activities. Many web sites request personal and sensitive information needed to deliver the desired service. Unfortunately, with such growth, it has become difficult to distinguish the sites that can be trusted to protect such information from those that cannot. Many attempts to make the Internet easier to use introduce new security and privacy problems. On the other hand, most attempts at creating a safe online environment produce systems that are cryptic and hard to use. The TrustBroker system is based on a specialized online repository that safelystores user information and helps the user determine which sites can be trusted with
their sensitive information. Also, the repository facilitates the transfer of the user’s information. The overall effect of the system is to inspire greater confidence in online participation among users who desire to protect their personal information.