Lecture Notes in Computer Science 6264
Commenced Publication in 1973
Founding and Former Series Editors: Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen

Editorial Board
David Hutchison, Lancaster University, UK
Takeo Kanade, Carnegie Mellon University, Pittsburgh, PA, USA
Josef Kittler, University of Surrey, Guildford, UK
Jon M. Kleinberg, Cornell University, Ithaca, NY, USA
Alfred Kobsa, University of California, Irvine, CA, USA
Friedemann Mattern, ETH Zurich, Switzerland
John C. Mitchell, Stanford University, CA, USA
Moni Naor, Weizmann Institute of Science, Rehovot, Israel
Oscar Nierstrasz, University of Bern, Switzerland
C. Pandu Rangan, Indian Institute of Technology, Madras, India
Bernhard Steffen, TU Dortmund University, Germany
Madhu Sudan, Microsoft Research, Cambridge, MA, USA
Demetri Terzopoulos, University of California, Los Angeles, CA, USA
Doug Tygar, University of California, Berkeley, CA, USA
Gerhard Weikum, Max-Planck Institute of Computer Science, Saarbruecken, Germany

Sokratis Katsikas, Javier Lopez, Miguel Soriano (Eds.)

Trust, Privacy and Security in Digital Business
7th International Conference, TrustBus 2010
Bilbao, Spain, August 30-31, 2010
Proceedings

Volume Editors
Sokratis Katsikas, University of Piraeus, Digital Systems, Piraeus 18534, Greece, E-mail: [email protected]
Javier Lopez, University of Malaga, Computer Science Department, 29071 Malaga, Spain, E-mail: [email protected]
Miguel Soriano, Technical University of Catalonia, Department of Telematics Engineering, 08034 Barcelona, Spain, E-mail: [email protected]

Library of Congress Control Number: 2010932039
CR Subject Classification (1998): C.2, K.6.5, D.4.6, E.3, H.4, J.1
LNCS Sublibrary: SL 4 – Security and Cryptology
ISSN 0302-9743
ISBN-10 3-642-15151-5 Springer Berlin Heidelberg New York
ISBN-13 978-3-642-15151-4 Springer Berlin Heidelberg New York

This work is subject to copyright. All rights are reserved, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, re-use of illustrations, recitation, broadcasting, reproduction on microfilms or in any other way, and storage in data banks. Duplication of this publication or parts thereof is permitted only under the provisions of the German Copyright Law of September 9, 1965, in its current version, and permission for use must always be obtained from Springer. Violations are liable to prosecution under the German Copyright Law.

springer.com
© Springer-Verlag Berlin Heidelberg 2010
Printed in Germany
Typesetting: Camera-ready by author, data conversion by Scientific Publishing Services, Chennai, India
Printed on acid-free paper

Preface

This book presents the proceedings of the 7th International Conference on Trust, Privacy and Security in Digital Business (TrustBus 2010), held in Bilbao, Spain during August 30–31, 2010. The conference continued from previous events held in Zaragoza (2004), Copenhagen (2005), Krakow (2006), Regensburg (2007), Turin (2008) and Linz (2009).

The recent advances in information and communication technologies (ICT) have raised new opportunities for the implementation of novel applications and the provision of high-quality services over global networks. The aim is to utilize this ‘information society era’ for improving the quality of life for all citizens, disseminating knowledge, strengthening social cohesion, generating earnings and finally ensuring that organizations and public bodies remain competitive in the global electronic marketplace. Unfortunately, such a rapid technological evolution cannot be problem-free. Concerns are raised regarding the ‘lack of trust’ in electronic procedures and the extent to which ‘information security’ and ‘user privacy’ can be ensured.

TrustBus 2010 brought together academic researchers and industry developers, who discussed the state of the art in technology for establishing trust, privacy and security in digital business. We thank the attendees for coming to Bilbao to participate and debate the new emerging advances in this area.

The conference program included one keynote presentation and six technical paper sessions. The keynote talk, “Trust, Risk and Usage Control,” was delivered by Fabio Martinelli from CNR (Italy). The reviewed paper sessions covered a broad range of topics, from access control models to security and prevention systems, and from privacy to trust and security measurements. The conference attracted many high-quality submissions, each of which was assigned to at least three referees for review, and the final acceptance rate was 37%.

We would like to express our thanks to the various people who assisted us in organizing the event and formulating the program. We are very grateful to the Program Committee members and the external reviewers, for their timely and rigorous reviews of the papers. We would also like to thank our Publication Chair, Carmen Fernandez-Gago, and Publicity Chair, Isaac Agudo. Thanks are also due to the DEXA Organizing Committee for supporting our event, and in particular to Gabriela Wagner for her help with the administrative aspects. Finally, we would like to thank all of the authors who submitted papers for the event, and contributed to an interesting set of conference proceedings.
August 2010
Sokratis Katsikas
Javier Lopez
Miguel Soriano

Organization

Program Committee Co-chairs
Sokratis Katsikas, University of Piraeus (Greece)
Javier Lopez, University of Malaga (Spain)

General Chair
Miguel Soriano, UPC (Spain)

Publication Chair
Carmen Fernandez Gago, University of Malaga (Spain)

Publicity Chair
Isaac Agudo, University of Malaga (Spain)

Program Committee Members
Alessandro Acquisti, Carnegie Mellon University (USA)
Cristina Alcaraz, University of Malaga (Spain)
Vijay Atluri, Rutgers University (US)
Marco Casassa Mont, HP Labs Bristol (UK)
David Chadwick, University of Kent (UK)
Nathan Clarke, University of Plymouth (UK)
Frederic Cuppens, ENST Bretagne (France)
Ernesto Damiani, Università degli Studi di Milano (Italy)
Sabrina De Capitani di Vimercati, University of Milan (Italy)
Josep Domingo-Ferrer, University Rovira i Virgili (Spain)
Eduardo Fernandez, University of Castilla la Mancha (Spain)
Eduardo B. Fernandez, Florida Atlantic University (USA)
Josep L. Ferrer, University Islas Baleares (Spain)
Simone Fischer-Huebner, Karlstad University (Sweden)
Sara Foresti, University of Milan (Italy)
Jordi Forne, UPC (Spain)
Steven Furnell, University of Plymouth (UK)
Juergen Fuss, University of Applied Science in Hagenberg (Austria)
Juan M. Gonzalez-Nieto, Queensland University of Technology (Australia)
Dimitris Gritzalis, Athens University of Economics and Business (Greece)
Stefanos Gritzalis, University of the Aegean (Greece)
Marit Hansen, Independent Center for Privacy Protection (Germany)
Jordi Herrera, UAB (Spain)
Audun Josang, Oslo University (Norway)
Yuecel Karabulut, SAP Labs (USA)
Dogan Kesdogan, University of Siegen (Germany)
Spyros Kokolakis, University of the Aegean (Greece)
Kostas Lambrinoudakis, University of the Aegean (Greece)
Antonio Lioy, Politecnico di Torino (Italy)
Olivier Markowitch, Université Libre de Bruxelles (Belgium)
Stephen Marsh, Communications Research Centre (Canada)
Fabio Martinelli, CNR (Italy)
Vashek Matyas, Masaryk University (Czech Republic)
Chris Mitchell, Royal Holloway, University of London (UK)
Haris Mouratidis, University of East London (UK)
Yuko Murayama, Iwate Prefectural University (Japan)
Pablo Najera, University of Malaga (Spain)
Eiji Okamoto, University of Tsukuba (Japan)
Martin S. Olivier, University of Pretoria (South Africa)
Rolf Oppliger, eSecurity Technologies (Switzerland)
Maria Papadaki, University of Plymouth (UK)
Ahmed Patel, Kingston University (UK) / Kebangsaan University (Malaysia)
Günther Pernul, University of Regensburg (Germany)
Andreas Pfitzmann, Dresden University of Technology (Germany)
Mario Piattini, University Castilla la Mancha (Spain)
Hartmut Pohl, FH Bonn-Rhein-Sieg (Germany)
Joachim Posegga, University of Passau (Germany)
Kai Rannenberg, Goethe University Frankfurt (Germany)
Arturo Ribagorda, University Carlos III Madrid (Spain)
Carsten Rudolph, Fraunhofer Institute for Secure Information Technology (Germany)
Christoph Ruland, University of Siegen (Germany)
Pierangela Samarati, University of Milan (Italy)
Ingrid Schaumueller-Bichl, University of Applied Science in Hagenberg (Austria)
Matthias Schunter, IBM Zurich Research Lab (Switzerland)
Antonio F. Skarmeta, University of Murcia (Spain)
Stephanie Teufel, University of Fribourg (Switzerland)
A Min Tjoa, Technical University of Vienna (Austria)
Allan Tomlinson, Royal Holloway, University of London (UK)
Edgar Weipl, SBA (Austria)
Christos Xenakis, University of Piraeus (Greece)
Jianying Zhou, I2R (Singapore)

External Reviewers
Jorge Bernal Bernabé
Katrin Borcea-Pfitzmann
Katja Böttcher
Mohamed Bourimi
Bastian Braun
Christian Broser
Sebastian Clauß
Rafael Deitos
Jaromir Dobias
Stelios Dritsas
Ludwig Fuchs
Manuel Gil Pérez
Andre Groll
Stephan Heim
Jan Holle
Benjamin Kellermann
Stefan Köpsell
Tracy Ann Kosa
Ioannis Krontiris
Juan Manuel Marín Pérez
Michael Netter
Christoforos Ntantogian
Vinh Pham
Henrich C. Pöhls
Denis Royer
Rainer Schick
Agusti Solanas
Boyeon Song
Yannis Soupionis
Mark Stegelmann
Andriy Stetsko
Petr Svenda
Dionysia Triantafyllopoulou
Rolando Trujillo
Bill Tsoumas
Pavel Tucek
Alexandre Viejo
Benedikt Westermann
Lei Zhang

Table of Contents

Invited Talk
Usage Control, Risk and Trust (p. 1)
  Leanid Krautsevich, Aliaksandr Lazouski, Fabio Martinelli, Paolo Mori, and Artsiom Yautsiukhin

Prevention Systems
Attacking Image Recognition Captchas: A Naive but Effective Approach (p. 13)
  Christoph Fritsch, Michael Netter, Andreas Reisser, and Günther Pernul
An Insider Threat Prediction Model (p. 26)
  Miltiadis Kandias, Alexios Mylonas, Nikos Virvilis, Marianthi Theoharidou, and Dimitris Gritzalis
A Call Conference Room Interception Attack and its Detection (p. 38)
  Nikos Vrakas, Dimitris Geneiatakis, and Costas Lambrinoudakis
Safe and Efficient Strategies for Updating Firewall Policies (p. 45)
  Ahmed Zeeshan, Abdessamad Imine, and Michaël Rusinowitch

Privacy I
A Privacy-Preserving Architecture for the Semantic Web Based on Tag Suppression (p. 58)
  Javier Parra-Arnau, David Rebollo-Monedero, and Jordi Forné
Context-Aware Privacy Design Pattern Selection (p. 69)
  Siani Pearson and Yun Shen
Real-Time Remote Attestation with Privacy Protection (p. 81)
  Aimin Yu and Dengguo Feng
Private Searching on MapReduce (p. 93)
  Huafei Zhu and Feng Bao

Privacy II
In Search of Search Privacy (p. 102)
  Martin S. Olivier and Wesley Brandi
Untraceability and Profiling Are Not Mutually Exclusive (p. 117)
  Sébastien Canard and Amandine Jambert
Privacy Policy Referencing (p. 129)
  Audun Jøsang, Lothar Fritsch, and Tobias Mahler

Access Control
Formal Proof of Cooperativeness in a Multi-Party P2P Content Authentication Protocol (p. 141)
  Almudena Alcaide, Esther Palomar, Ana I. González-Tablas, and Arturo Ribagorda
Extending XACML Access Control Architecture for Allowing Preference-Based Authorisation (p. 153)
  Gina Kounga, Marco Casassa Mont, and Pete Bramhall
An Agent Based Back-End RFID Tag Management System (p. 165)
  Evangelos Rekleitis, Panagiotis Rizomiliotis, and Stefanos Gritzalis

Security and Trust Concepts
Assessing the Usability of End-User Security Software (p. 177)
  Tarik Ibrahim, Steven M. Furnell, Maria Papadaki, and Nathan L. Clarke
Building ISMS through the Reuse of Knowledge (p. 190)
  Luis Enrique Sánchez, Antonio Santos-Olmo, Eduardo Fernández-Medina, and Mario Piattini
Mechanizing Social Trust-Aware Recommenders with T-Index Augmented Trustworthiness (p. 202)
  Soude Fazeli, Alireza Zarghami, Nima Dokoohaki, and Mihhail Matskin

Security for Dynamic Collaborations
Security for Dynamic Service-Oriented eCollaboration: Architectural Alternatives and Proposed Solution (p. 214)
  Christoph Fritsch and Günther Pernul
Analyzing Information Security Awareness through Networks of Association (p. 227)
  Aggeliki Tsohou, Maria Karyda, Spyros Kokolakis, and Evangelos Kiountouzis
Efficiency Improvement of Homomorphic E-Auction (p. 238)
  Kun Peng and Feng Bao

Author Index (p. 251)

Usage Control, Risk and Trust *

Leanid Krautsevich (1,2), Aliaksandr Lazouski (1,2), Fabio Martinelli (2), Paolo Mori (2), and Artsiom Yautsiukhin (2)
1 Department of Computer Science, University of Pisa
2 Istituto di Informatica e Telematica, Consiglio Nazionale delle Ricerche

Abstract. In this paper we describe our general framework for usage control (UCON) enforcement on GRID systems. It allows both GRID-service-level enforcement of UCON and fine-grained enforcement at the level of local GRID node resources. In addition, next to the classical checks for usage control (checks of conditions, authorizations, and obligations), the framework also includes trust and risk management functionalities. Indeed, we show how trust and risk issues naturally arise when considering usage control in GRID systems and services, and how our architecture is flexible enough to accommodate both notions in a fairly uniform way.

1 Introduction

Usage control (UCON) is a conceptual model, developed by Park and Sandhu (e.g. see [25]), which is able to embody and encompass most existing access control models. Its main features are attribute mutability, which allows a flexible management of policies, and continuity of the usage decision process, i.e. the resource access has a duration and the specific authorization factors must continuously hold. This enhanced flexibility w.r.t. the usual access control frameworks, where, for instance, authorizations are checked once before the access, induces several opportunities as well as new challenges.

Usage control seems a particularly suitable model for managing resources in GRID systems. Those systems often consist of federations of resource providers and users, with many long-lived executions and several conditions and factors to be considered during the usage decision process. For instance, it is common to have GRID computations lasting for hours or days. During the access it is possible that conditions that were satisfied when the access to the computational resources was requested change, demanding a revocation of access to the resource itself.

GRID systems allow for remote execution of code, where the user that submitted the code is often a priori unknown. This feature demands both coarse-grained usage control, managing the access to the GRID services (also taking

* This work has been partially supported by the EU FP7 project Context-aware Data-centric Information Sharing (CONSEQUENCE).

S. Katsikas, J. Lopez, and M. Soriano (Eds.): TrustBus 2010, LNCS 6264, pp. 1–12, 2010.
© Springer-Verlag Berlin Heidelberg 2010
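The two UCON features the introduction names, attribute mutability and continuity of the usage decision, are easiest to see in a small monitor that keeps re-evaluating a policy while a long-lived job runs. The following is an added example, not code from the paper or from the authors' GRID framework: the policy rules, the attribute names (`vo`, `cpu_quota`, `load`, `maintenance`) and the simulated events are all constructed for illustration. It separates the pre-decision (checked once, as in classical access control) from ongoing authorizations and conditions (re-checked on every tick), and it mutates a subject attribute, the CPU quota, as a side effect of usage, so that a decision that was correct at request time can later turn into a revocation.

```python
"""Continuous usage-control (UCON) monitor for a long-lived job.

Added example, not the paper's code: a minimal model of attribute
mutability and continuity of decision for a hypothetical GRID job.
Every rule, attribute name and event below is constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Attrs = Dict[str, object]   # subject / object / environment attributes, mutable


@dataclass
class Session:
    """State of one usage session (one running job on one GRID node)."""
    subject: Attrs
    obj: Attrs
    env: Attrs
    active: bool = False
    log: List[str] = field(default_factory=list)


Rule = Callable[[Session], bool]   # a predicate over the current session state


@dataclass
class Policy:
    pre_authorizations: Dict[str, Rule]            # checked once, before access
    ongoing_authorizations: Dict[str, Rule]        # subject/object attrs, must hold continuously
    ongoing_conditions: Dict[str, Rule]            # environment, re-checked continuously
    update_on_use: Callable[[Session, int], None]  # attribute mutability: usage changes attrs


def _failed(rules: Dict[str, Rule], s: Session) -> Optional[str]:
    """Label of the first violated rule, or None if all hold."""
    for label, rule in rules.items():
        if not rule(s):
            return label
    return None


def try_access(policy: Policy, s: Session) -> Optional[str]:
    """Pre-decision: open the session if every pre-authorization holds."""
    reason = _failed(policy.pre_authorizations, s)
    if reason is None:
        s.active = True
        s.log.append("access granted")
    else:
        s.log.append(f"access denied: {reason}")
    return reason


def tick(policy: Policy, s: Session, cpu_seconds_used: int) -> Optional[str]:
    """Ongoing decision: apply the usage update, re-check, revoke on failure."""
    if not s.active:
        return "not active"
    policy.update_on_use(s, cpu_seconds_used)
    reason = _failed(policy.ongoing_authorizations, s) or _failed(policy.ongoing_conditions, s)
    if reason is not None:
        s.active = False           # continuity: access ends as soon as a factor stops holding
        s.log.append(f"access revoked: {reason}")
    return reason


def demo_policy() -> Policy:
    """Constructed rules for a compute job: VO membership, CPU quota, node health."""
    def consume(s: Session, used: int) -> None:
        s.subject["cpu_quota"] = int(s.subject["cpu_quota"]) - used   # mutable attribute

    auth = {
        "vo_member": lambda s: s.subject["vo"] == s.obj["owner_vo"],
        "quota_positive": lambda s: int(s.subject["cpu_quota"]) > 0,
    }
    cond = {
        "node_load_ok": lambda s: float(s.env["load"]) < 0.9,
        "not_maintenance": lambda s: not s.env["maintenance"],
    }
    return Policy(dict(auth), dict(auth), cond, consume)


def _new_session(vo: str = "vo-alpha") -> Session:
    return Session(subject={"vo": vo, "cpu_quota": 100},
                   obj={"owner_vo": "vo-alpha"},
                   env={"load": 0.3, "maintenance": False})


def run_quota_scenario() -> List[str]:
    """Attribute mutability: the job is revoked once its quota is used up."""
    p, s = demo_policy(), _new_session()
    try_access(p, s)
    for _ in range(3):             # 3 x 40 CPU-seconds against a quota of 100
        tick(p, s, 40)
    return s.log


def run_condition_scenario() -> List[str]:
    """Continuity: an environment change mid-run revokes a granted access."""
    p, s = demo_policy(), _new_session()
    try_access(p, s)
    tick(p, s, 10)
    s.env["load"] = 0.95           # constructed event: the node becomes overloaded
    tick(p, s, 10)
    return s.log


if __name__ == "__main__":
    print(run_quota_scenario())
    print(run_condition_scenario())
```

In both scenarios the pre-decision is identical and succeeds; only the ongoing checks differ, which is exactly the part a one-shot access-control check would never see. A real monitor would drive `tick` from attribute-update and environment events rather than from a loop, and would pair each revocation with the enforcement action the paper's framework delegates to the node (stopping the job).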