B-Con
What Real Trust Is
• Posted by Brad Conte on August 13, 2005
• Post Categories: Security
In the world of security, we, from security analysts to system users, frequently have to place trust in certain people or objects. Trust is the most critical element of security systems, and to utilize trust the right way, it is essential to understand exactly what it is.

In the context of security design, “trust” is used to describe the act of assuming a person or thing will perform a reliable task to a certain standard, and no checks or balances are taken to ensure that task is done properly.

Let us assume that there are two people participating in a game of trust, Alice and Bob. By the above definition, if Bob trusts Alice with something, then, as far as that specific situation is concerned, Bob is at the complete mercy of Alice. Alice has full control over the situation in which she is trusted. If Alice, whether on purpose or by accident, does something in that situation that is harmful to Bob, he has no way of preventing it, and will have to suffer the consequences. This means that the very existence of trust is a vulnerable spot — anywhere that there is trust, there is the potential for exploitation.

Let’s say that Alice is the head of a charity that claims to spend all the money it receives on furthering some worthwhile cause. Bob, who is sympathetic to this cause, donates $50 out of his own paycheck to Alice’s charity, expecting them to use the money wisely. That is an act of trust on Bob’s part because the charity could potentially spend Bob’s donated money on a steak dinner for Alice, and Bob would have no way of knowing or preventing it.

However, not all situations that may appear to involve trust actually do. Trust requires risk, which is made up of two elements: value and (a lack of) control. If Bob either has nothing of value at stake or has complete control over Alice in the situation, then he is not really trusting her after all.

First, examine how value is critical to trust. For example, if Alice betrays Bob’s trust and performs malicious actions, but these actions do not hurt Bob in any way, this means that Bob was not actually trusting Alice with anything, because Bob really couldn’t care less what Alice does, as it will not hurt him directly or indirectly. If nothing stands to be lost, there is no real trust involved.

Assume that, once again, Bob donates to a charity, but this time he only donates 47 cents in change that was cluttering up his pockets. Here, Bob is not really trusting the charity, because he stands to lose nothing if the money is squandered. Bob didn’t really invest anything of real value in the transaction, and thus he stands to lose nothing.

Second, observe how a lack of control is critical to trust. If Bob has a way of overseeing and controlling Alice’s actions, this also means that there is no trust involved. Even if Bob has something of value at stake, if Bob can counter Alice’s malicious actions and fully neutralize them before they hurt him, there is technically no risk on Bob’s part because Bob still has control over the situation. This is not trust, this is control.

Say Bob again donates $50 to charity, but this time, after being screwed out of a steak dinner last time, he does so electronically by setting up an account from which Alice can directly transfer the money to the intended recipient. Bob then informs the bank to await his permission for transfers from that account. (I wish my bank were this cooperative.) Thus, when Alice attempts to transfer that money out of Bob’s account to the Grand Steak House’s account (rather than spending it on something related to her charity), Bob is immediately asked by the bank to confirm this action. When he reviews the details of the pending transaction, he immediately denies it. This situation involves no trust on Bob’s part (at least as far as Alice is concerned) because Bob has complete control over the situation; the charity cannot hurt Bob in any way because Bob will know about it beforehand and counter their actions.

It’s clear that trust requires that there be risk of loss or damage to something of value, but the amount of risk that appears to be entrusted at first glance is not necessarily the real amount of risk involved. The degree of trust involved is not always what it appears to be; it comes in shades of gray. “Gray” trust means that Bob does not necessarily stand to lose everything he entrusts to Alice, but he does stand to lose something. There are two ways gray trust surfaces.

One type of “gray” trust is a forced kind, where what Bob stands to lose is only indirectly related to the situation, and usually it is something unavoidable. Assume, once again, that Bob donates money (in cash) to Alice’s charity. However, this time he demands that the charity provide him with the original receipt of the transaction in which they spent the money. When the receipt from the Grand Steak House comes to Bob, he sues Alice for his money back. This is partial, aka “gray”, trust. Here, if Alice misuses Bob’s money, Bob can still get it back, but he loses something potentially even more valuable: his time. It takes time to take Alice to court and sue her. Thus, even if Bob recovers all of his money, he is still out the time it took to get it back, and so he has still been damaged by Alice. In this situation, it could be said that Bob was trusting Alice not to waste his time, although he was doing so indirectly because he didn’t have much of a choice about it. (In the electronic funds transfer example above, the time Bob would have lost simply denying the transfer would be negligible.) Here, what Bob stands to lose (his time) is not lost by choice, because Bob is doing everything he can to have as much control over the situation as possible. Bob can recover his money, but in order to do that, he is obligated to lose time.

The other type of gray trust is where Bob knows what he stands to lose, but he ensures, on purpose, that it is not as much as what Alice has in her trust. Assume that Bob regularly donates large sums of money to Alice’s charity. Bob delegates the task of delivering the money to the charity to his employee, whom we’ll call Carol. One day, when Bob is making a particularly large donation to Alice’s charity, Carol grabs the money and flees the country. Bob has insurance, however, to cover employee theft, and he receives most, but not all, of the money back from the insurance company. This is gray trust because Bob was hurt by Carol (he not only lost money but now has to find a new employee), but the hurt was not as big as the amount of trust he appeared to have in Carol. It appeared that Bob was entrusting a certain sum of money to Carol, but in reality he had the ability to get most of it back, and so he was not really trusting that portion of the money to Carol.

Technically, there is no such thing as “gray” trust. Gray trust is just a situation where it appears that there is X amount of trust at first glance, but in reality there are circumstances that lower that amount of trust. For example, if Bob gave Carol $50 to donate to charity and the insurance company refunded $40 of it, then Bob was really only trusting Carol with $10 (never mind the time it took to file the claim, the fact that Bob now needs a new employee, and the fact that Bob’s insurance premiums will probably go up). Because it appears that Bob is entrusting Carol with $50, but in reality he only stands to lose $10, it might be said that it is a “gray” or “partial” trust situation.

Thus, it is easy to see that trust is a vulnerable point in any situation, but the risk involved can be minimized by precautionary steps. These steps, however, require time, effort, and probably some degree of trust in and of themselves, so using them is a secondary resort. Instead, the areas in which there is trust should be minimized and eliminated as much as possible, and the remaining areas where trust is needful should have as many precautionary measures stacked on them as realistically practical.