Funded by a $1.5 million U.S. Department of Defense grant, members of Brigham Young University's Internet Security Research Lab are working on ways to defend unsuspecting victims from identity theft, prevent unwelcome pornography from polluting E-mail accounts and hinder hackers from breaking into computer systems.

Specializing in trust negotiation -- the process of verifying strangers' trustworthiness before giving them access to sensitive information -- the ISRL's mission is to uncover online security techniques that help improve privacy and security in online transactions.

"Almost all existing digital credential systems, like Internet passwords, work like real-world credential systems such as drivers' licenses or social security cards," says Kent Seamons, a computer science professor who leads the research efforts. "This is problematic if you reveal personal information online to someone who is going to sell it to spammers or store it on an insecure server."

To help in the fight for privacy and security, the ISRL developed its own software to test and demonstrate its security research. Called TrustBuilder, the software manages the credentials of people seeking access to confidential resources over the Internet.

Instead of requiring traditional, identity-based credentials, such as a social security number, that can be used to build detailed files of personal information, TrustBuilder works by asking for attribute-based credentials such as security clearance, political party or training before granting access to a database or top-secret file. And because little or no sensitive personal information is exchanged during the verification process, TrustBuilder guards against identity theft.

"Students have been playing a vital role in developing this new research area," says Seamons, who has mentored more than 20 undergraduate and graduate students in his lab. "It's exciting to observe high-quality undergraduates contribute substantively to research efforts. The ISRL gives students the opportunity to participate in leading-edge security research."

Security solutions developed by the BYU researchers will be released as free software, which may first make its way into the U.S. government's intelligence community and large businesses and may later appear in consumer software.

Jason Holt, a BYU graduate student who began working in the ISRL as an undergraduate, says, "There is technology out there that can be used to increase our privacy and that can actually improve the security of society as a whole. It's great to be on the front lines of this kind of research."

Recently Holt and fellow undergraduate researcher Robert Bradshaw presented a scholarly paper at a conference in Washington, D.C., that focused on privacy protection systems and identity theft. Their research explored the idea of hidden credentials, the electronic "decoder rings" used to supply attribute-based information during trust negotiation.

"If a secret agent wants to send a message to the CIA, but they aren't sure the recipient is really part of the CIA, they can send an encrypted message that says, 'I am interested in doing business with you, if you can understand this message,'" says Holt. "The message can only be decoded by a special CIA 'decoder ring,' to which the CIA can respond with an encrypted message of 'Yes, we would like to do business with you, but only if you are a secret agent.'"

In addition to the ISRL's Department of Defense grant, the National Science Foundation is providing two grants involving BYU worth a combined $14.25 million. The first, worth $1.75 million, will be used by BYU, George Mason, University of Illinois, Purdue, Stanford and the University of Southern California to uncover more state-of-the-art trust negotiation technology that protects personal information contained in digital credentials.

The second, worth $12.5 million, will help researchers from BYU, UC-Irvine, UC-San Diego, University of Colorado, University of Illinois at Urbana-Champaign, University of Maryland and ImageCat, Inc., explore information technology's potential to improve response actions taken during crisis situations and natural disasters.

Writer: Hilary Smoot