Need-to-know is a fundamental security concept: a party should not learn information that is irrelevant to its mission. In this paper we show that during a trust negotiation in which parties show their credentials to one another, an adversary can systematically harvest information about all of a victim's credentials that the attacker is entitled to see, regardless of their relevance to the negotiation. We present examples of need-to-know attacks with the trust negotiation approaches proposed Yu, Winslett, and Seamons; by Bonatti and Samarati; and by Winsborough and Li. Finally, we propose possible countermeasures against need-to-know attacks, and discuss their advantages and disadvantages.

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	Cassandra: Distributed Access Control Policies with Tunable Expressiveness, Proceedings of the Fifth IEEE International Workshop on Policies for Distributed Systems and Networks, p.159, June 07-09, 2004
	2	Trust-X: A Peer-to-Peer Framework for Trust Establishment, IEEE Transactions on Knowledge and Data Engineering, v.16 n.7, p.827-842, July 2004  [doi>10.1109/TKDE.2004.1318565]
	3	Piero Bonatti , Pierangela Samarati, Regulating service access and information release on the Web, Proceedings of the 7th ACM conference on Computer and communications security, p.134-143, November 01-04, 2000, Athens, Greece  [doi>10.1145/352600.352620]
	4	Jan Camenisch , Els Van Herreweghen, Design and implementation of the idemix anonymous credential system, Proceedings of the 9th ACM conference on Computer and communications security, November 18-22, 2002, Washington, DC, USA  [doi>10.1145/586110.586114]
	5	Jason E. Holt , Robert W. Bradshaw , Kent E. Seamons , Hilarie Orman, Hidden Credentials, Proceedings of the 2003 ACM workshop on Privacy in the electronic society, October 30, 2003, Washington, DC  [doi>10.1145/1005140.1005142]
	6	J. Li and N. Li, "OACerts: Oblivious Attribute Certificates," Conference on Applied Cryptography and Network Security, New York, NY, Jun. 2005.
	7	J. Li, N. Li, and W. H. Winsborough, "Automated Trust Negotiation Using Cryptographic Credentials," to appear in Transactions on Information and System Security, 2007.
	8	Ninghui Li , Wenliang Du , Dan Boneh, Oblivious signature-based envelope, Proceedings of the twenty-second annual symposium on Principles of distributed computing, p.182-189, July 13-16, 2003, Boston, Massachusetts  [doi>10.1145/872035.872061]
	9	L. E. Olson, M. J. Rosulek, and M. Winslett, "A Generalized Honest-But-Curious Strategy for Automatically Harvesting Credentials," Technical Report UIUCDCS-R-2007-2892, Department of Computer Science, University of Illinois, Aug. 2007.
	10	Tatyana Ryutov , Li Zhou , Clifford Neuman , Travis Leithead , Kent E. Seamons, Adaptive trust negotiation and access control, Proceedings of the tenth ACM symposium on Access control models and technologies, June 01-03, 2005, Stockholm, Sweden  [doi>10.1145/1063979.1064004]
	11	N. Li , W. Winsborough, Towards Practical Automated Trust Negotiation, Proceedings of the 3rd International Workshop on Policies for Distributed Systems and Networks (POLICY'02), p.92, June 05-07, 2002
	12	Ting Yu , Marianne Winslett , Kent E. Seamons, Supporting structured credentials and sensitive policies through interoperable strategies for automated trust negotiation, ACM Transactions on Information and System Security (TISSEC), v.6 n.1, p.1-42, February 2003  [doi>10.1145/605434.605435]