QTM: Trust Management with Quantified Stochastic Attributes

NYU Computer Science Technical Report TR2003-848

Eric Freudenthal and Vijay Karamcheti
Courant Institute of Mathematical Sciences
New York University
{freudent,vijayk}@cs.nyu.edu

Abstract

Trust management systems enable the construction of access-control infrastructures suitable for protecting sensitive resources from access by unauthorized agents. State-of-the-art systems of this kind (i) are fail-safe in that access will be denied when authorizing credentials are revoked, (ii) can mitigate the risk of insider attacks using mechanisms for threshold authorization in which several independent partially trusted agents are required to co-sponsor sensitive activities, and (iii) are capable of enforcing intra- and inter-organizational access control policies.

Despite these advantages, trust management systems are limited in their ability to express partial trust. Additionally, they are cumbersome to administer when there are a large number of related access rights with differing trust (and thereby access) levels, due to the need for explicit enumeration of the exponential number of agent combinations. More importantly, these systems have no provision for fault tolerance in cases where a primary authorization is lost (perhaps due to revocation) but others are available. Such situations may result in a cascading loss of access and possible interruption of service.

In this paper, we propose extending traditional trust management systems through a framework of reliability and confidence metrics. This framework naturally captures partial trust relationships, thereby reducing the administrative complexity of access control systems with multiple related trust levels and increasing system availability in the presence of authorization faults while still maintaining equivalent safety properties.
1 Introduction

Trust management (TM) [1, 6, 4, 5, 3, 2, 8] systems are application-independent infrastructures that can be used to enforce access control policies both within and between organizations.¹

¹ We classify role-based access control systems as examples of trust management systems.

Throughout this paper, we will describe TM and our stochastically-quantified trust management alternative in the context of access-control enforcement for a fictional bank named “Lou’s Loans,” a sole proprietorship owned by a gentleman named “Lou Learner.” Lou’s security policies express the authorization of tellers, managers, and other employees to perform sensitive operations such as endorsing transactions.

TM systems map access rights into abstract classes whose permissions can be delegated. Through delegation, these abstract classes can be organized into a hierarchy that mirrors the structure of an organization, including support for appropriate local autonomy in policy administration, thereby providing substantial advantages over access control lists (ACLs). For example, the rights available to the employees of a particular corporate unit can be administered directly by members of the organizational entity with appropriate jurisdiction. The same