Trust for Security and Security for Trust

A topic paper proposed by Nikolaos Alexopoulos, Technische Universität Darmstadt and SFB CROSSING

Security needs trust

Many cryptographic and security-critical systems implicitly or explicitly depend on a notion of trust towards entities and devices. Some of the applications of these systems are:

Probabilistic trust values (belief theory - subjective logic) can be calculated and propagated through the network.
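A sketch of how such trust values can be calculated and propagated, added here as an example and not taken from the topic paper: it assumes Jøsang's subjective-logic trust-discounting and cumulative-fusion operators with equal base rates, and the parties (Alice, Bob, Carol) and all opinion values are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Opinion:
    """Binomial opinion: belief, disbelief, uncertainty, base rate."""
    b: float
    d: float
    u: float
    a: float = 0.5

    def __post_init__(self):
        if min(self.b, self.d, self.u) < 0 or abs(self.b + self.d + self.u - 1) > 1e-9:
            raise ValueError("need b, d, u >= 0 and b + d + u = 1")

    def expected(self):
        # Probability estimate: belief plus the base-rate share of uncertainty.
        return self.b + self.a * self.u

def discount(trust, advice):
    """Propagate advice through a referral edge (trust = my opinion of the advisor)."""
    # Only the believed part of the advisor carries the advice; distrust and
    # uncertainty about the advisor both become uncertainty about the target.
    return Opinion(trust.b * advice.b, trust.b * advice.d,
                   trust.d + trust.u + trust.b * advice.u, advice.a)

def fuse(x, y):
    """Cumulative fusion of two independent opinions (equal base rates assumed)."""
    k = x.u + y.u - x.u * y.u
    if k == 0:  # both opinions dogmatic (u = 0): fall back to the average
        return Opinion((x.b + y.b) / 2, (x.d + y.d) / 2, 0.0, x.a)
    return Opinion((x.b * y.u + y.b * x.u) / k,
                   (x.d * y.u + y.d * x.u) / k,
                   x.u * y.u / k, x.a)

def demo():
    # Constructed values: Alice's trust in two introducers, and each
    # introducer's opinion that a key binding is authentic.
    alice_bob, bob_key = Opinion(0.8, 0.1, 0.1), Opinion(0.9, 0.0, 0.1)
    alice_carol, carol_key = Opinion(0.5, 0.0, 0.5), Opinion(0.6, 0.2, 0.2)
    via_bob = discount(alice_bob, bob_key)        # (0.72, 0.00, 0.28)
    via_carol = discount(alice_carol, carol_key)  # (0.30, 0.10, 0.60)
    return via_bob, via_carol, fuse(via_bob, via_carol)

if __name__ == "__main__":
    for name, op in zip(("via Bob", "via Carol", "fused"), demo()):
        print(f"{name}: {op} E={op.expected():.3f}")
```

Discounting can only add uncertainty along a referral path, while fusing independent paths reduces it, which is why a single weakly trusted introducer yields a weaker result than two combined.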

Blockchain technology (or Open Distributed Ledgers in general - ODLs as we like to call them) cannot alleviate the need for trust in entities altogether, but can help secure these trust infrastructures.

Trust needs security (and Privacy)

Trust infrastructures need to be secure against threats and single points of failure. Transparency and global synchronization can help with a variety of problems. For example, in a PKI, registering an identity as a global identifier is not enough. As suggested in the DPKI paper of the first design workshop, ODLs can offer increased security in this domain. However, a web of trust is still needed to authenticate the identity and the attributes associated with an entity, e.g. for use in a distributed attribute-based access control schema. Smart contracts could also be used to encode access-control rules.

Privacy is also a major challenge, and solutions need to be identified. Privacy-preserving cryptocurrencies like Zerocash (and the related Zerocoin and Pinocchio Coin) and Monero can offer insight into the techniques that can contribute to this goal (ZK proofs, ring signatures, etc.).

Challenges such as the choice of blockchain, thin clients, etc. are also present, as in most similar designs. Formalization is also generally missing.

Towards a multipurpose trust infrastructure for security