1
XML Security
Elisa Bertino
CERIAS and CS & ECE Departments, Purdue University

2
Outline
  • Security requirements for web data
  • Basic concepts of XML
  • Security policies for XML data protection and
    release
  • Access control mechanisms for XML data
  • XML-based specification of security information
  • XML security future trends

3
Web Data Protection Requirements
  • The web is becoming the main information
    dissemination means for many organizations
  • Strong need for models and mechanisms enabling
    the specification and enforcement of security
    policies for web data protection and release

4
Web Data
  • In the web environment, information distribution
    often takes the form of documents that are made
    available at Web servers, or that are actively
    broadcast by Web servers to interested clients
  • Documents may also be exchanged among the various
    servers

5
Web Docs Protection Requirements
  • Web documents may have a nested or hierarchical,
    inter-linked structure
  • Different portions of the same document may have
    different protection requirements
  • We need a wide spectrum of protection
    granularity levels

6
Web Docs Protection Requirements
  • Web documents may have an associated intensional
    description of their structure
  • DTDs and XML Schemas for XML documents
  • Data models for describing the logical
    organization of data into web pages
  • Policies specified both at the schema and at the
    instance level

7
Web Docs Protection Requirements
  • Documents with the same type and structure may
    have contents of different sensitivity degree
  • Policies that take the document content into
    account (content-based policies)

8
Web Docs Protection Requirements
  • Supporting fine-grained policies could lead to
    the specification of a, possibly high, number of
    access control policies
  • Need of mechanisms for exception management
    and authorization propagation

9
Web Docs Protection Requirements
  • Heterogeneity of subjects
  • Subjects accessing a web source may be
    characterized by different skills and needs and
    may dynamically change
  • Conventional identity-based access control
    schemes are not enough
  • Credentials based on subject characteristics
    and qualifications

10
Web Docs Protection Requirements
  • In a web environment the traditional
    on-demand (user-driven) mode of performing access
    control is not enough
  • Security policies must be enforced in both the pull
    and the push dissemination modes

11
Dissemination Policies
[Figure: a Web data source serving clients in PULL mode (the client requests, the source answers) and in PUSH mode (the source broadcasts to interested clients)]

12
Outline
  • Security requirements for web data
  • Basic concepts of XML
  • Security policies for XML data protection and
    release
  • Access control mechanisms for XML data
  • XML-based specification of security information
  • XML security future trends

13
Why XML?
  • Because XML is becoming a standard for data
    representation over the web
  • XML compatibility is thus an important
    requirement for security policies, models and
    mechanisms for Web data sources

14
XML
  • Building blocks of XML are tagged elements that
    can be nested at any depth in the document
    structure
  • Each tagged element has zero or more subelements
    and zero or more attributes
  • Elements can be linked by means of IDREF(S)
    attributes
  • Optional presence of a DTD/XML Schema for
    describing the structure of documents
    (well-formed vs valid documents)

15
An XML Document

  <WorldLawBulletin Date="8/8/1999">
    <Law Country="USA" RelatedLaws="LK75">
      <Topic>Taxation</Topic> <Summary>...</Summary>
    </Law>
    <Law Id="LK75" Country="Italy">
      <Topic>Import-Export</Topic> <Summary>...</Summary>
    </Law>
    <BluePageReport>
      <Section GeoArea="Europe">
        <Law Country="Germany">
          <Topic>Guns</Topic> <Summary>...</Summary>
        </Law>
        ...
      </Section>
      <Section GeoArea="NorthAmerica">
        <Law Country="USA">
          <Topic>Transportation</Topic> <Summary>...</Summary>
        </Law>
        ...
      </Section>
    </BluePageReport>
  </WorldLawBulletin>

16
Graph Representation
[Figure: graph of the WorldLawBulletin document above, nodes numbered 1 to 15. Node 1 is WorldLawBulletin (Date, 08/08/1999); its children are the Law element with (Country, USA), the Law element with (Country, Italy) and BluePageReport. The RelatedLaws attribute of the USA law is an IDREF edge to the Italian law, LK75. Each Law has Topic and Summary children (Taxation, Import-Export); BluePageReport has two Section children, (GeoArea, Europe) and (GeoArea, NorthAmerica), each containing Law nodes, (Country, Germany) with Topic Guns and (Country, USA) with Topic Transportation, with their own Topic and Summary children.]
17
An XML DTD

  <!DOCTYPE WorldLawBulletin [
  <!ELEMENT WorldLawBulletin (Law+, BluePageReport?)>
  <!ELEMENT Law (Topic, Summary)>
  <!ELEMENT Topic (#PCDATA)>
  <!ELEMENT Summary ANY>
  <!ELEMENT BluePageReport (Section+)>
  <!ELEMENT Section (Law+)>
  <!ATTLIST WorldLawBulletin Date CDATA #REQUIRED>
  <!ATTLIST Law Id ID #REQUIRED
                Country CDATA #REQUIRED
                RelatedLaws IDREFS #IMPLIED>
  <!ATTLIST Section GeoArea CDATA #REQUIRED>
  ]>

18
XML Security
  • Two main issues
  • Development of access control models, techniques,
    mechanisms, and systems for protecting XML
    documents
  • Use of XML to specify security-relevant
    information (organizational policies, subject
    credentials, authentication information,
    encrypted contents)

19
The Author-X Project
Joint work with Elisa Bertino, Silvana Castano,
and Marco Mesiti
20
Author-X
  • Java-based system for XML data sources protection
  • Security policy design and administration
  • Credential-based access control to XML document
    sources
  • Secure document dissemination and update

21
Author-X ACPs (Access Control Policies)
  • Set-oriented and document-oriented policies
  • Positive and negative policies at different
    granularity levels, to enforce differentiated
    protection of XML documents and DTDs
  • Controlled propagation of access rights
  • ACPs reflect user profiles through
    credential-based qualifications

22
Enforcing access control
  • Subject specification
  • Protection object specification
  • Privilege
  • Propagation option

23
Subject Specification
  • User identifiers
  • OR
  • Subject credentials: credential expression
  • Ex.: X.age > 21
         Programmer(X) and X.country = Italy

24
Protection Object Specification
  • Identify the portions of a document(s) to which
    the authorization applies.
  • We want to allow users to specify authorizations
    ranging from sets of documents to single
    elements/attributes within documents
  • Specification on DTDs or on documents
  • doc|DTD.pathOfElem[ElemIds].Attrs[links]

25
Privileges
  • Browsing privileges: read, navigate
  • Authoring privileges: write, append, delete

26
Propagation option
NO PROPAGATION
27
Propagation option
FIRST LEVEL
28
Propagation option
CASCADE
29
Examples of authorization rules
  • P1 = ((LLoC Employee or European Division
    Employee), WorldLawBulletin.Law, browse_all, )
  • This authorization rule authorizes the LLoC and
    European Division employees to view all laws (those
    not contained in the BluePageReport element) in all
    instances of WorldLawBulletin; relations among laws,
    that is, RelatedLaws attributes, are also displayed

30
Examples of authorization rules
  • P4 = (European Division Employee,
    (WorldLawBulletin.BluePageReport.Section,
    GeoArea = Europe), browse_all, )
  • This authorization rule authorizes the European
    Division employees to view the section pertaining
    to Europe of the BluePageReport in all instances
    of WorldLawBulletin

31
[Figure: Author-X architecture. A user sends an access request to the X-Access component and receives a view; the SA (security administrator) performs administrative operations through the X-Admin component. Both components reach the XML source through DOM/XQL and the X-Bases: the encrypted document base, the credential base and the policy base.]
32
X-Access
  • The access control component of Author-X,
    enabling the enforcement of access control
    policies on top of an XML source
  • Pull and push dissemination modes
  • Client-server architecture
  • eXcelon XML server

33
Information Pull - Architecture
[Figure: on the CLIENT side an Internet browser issues a query (guided by the DTD) and receives an XML view; on the SERVER side, reached over the Internet, a Web server with the eXcelon server and the X-Access server extension.]
34
Access Control
[Figure: access control flow between a user, the XML source and the requested XML document]
35
Access request
[Figure]
36
Query result
[Figure]
Push Dissemination Mode
  • Since
  • different subjects -> different views
  • wide range of protection granularities
  • high number of subjects

  the number of views can be too large
  Solution -> encryption techniques
38
Push Dissemination Mode
  • The approach is based on encrypting different
    portions of the same document with different keys
  • The same (encrypted) copy is then broadcast to
    all subjects
  • Each subject only receives the key(s) for the
    portions he/she is enabled to see

39
Information Push - Main Issues
  • How to encrypt the documents in a source
  • Which and how many keys should be distributed to
    which subjects
  • How to securely and efficiently distribute keys
    to subjects in such a way that keys are received
    only by the entitled subjects

40
How to Encrypt Documents
  • Document encryption is driven by the specified
    access control policies: all the document
    portions to which the same set of access control
    policies applies are encrypted with the same key
  • Thus, to determine which keys should be sent to a
    particular subject it is only necessary to
    determine which access control policies apply
    to that subject and then send the keys
    associated with those policies

41
Well-Formed Encryption
42-46
Well-Formed Encryption
[Figure, built up over slides 42 to 46: the document tree of the graph representation (nodes 1 to 16), each node labelled with the policies that apply to it. The root (node 1) is labelled P2, one group of nodes is labelled P1,P3, a smaller group is labelled P3, and the remaining nodes carry no policy. Node 1 is encrypted with key K1; the nodes labelled P1,P3 are encrypted with key K2; the nodes labelled P3 are encrypted with key K3; the unlabelled nodes are encrypted with the default key Kd. Resulting key distribution: subjects satisfying P1 receive K2, subjects satisfying P2 receive K1, subjects satisfying P3 receive K2 and K3.]
47
Key Management
  • Key assignment scheme such that
  • from the key associated with a policy P1 it is
    possible to derive the keys associated with all
    the policy configurations containing P1
  • Benefits
  • The system manages, in the worst case, a number
    of keys equal to the size of the policy base
  • Each subject receives one key for each policy
    he/she satisfies
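The two slides above (policy-driven encryption and per-policy key assignment) together form one mechanism; the following is an added example, not code from Author-X, showing both ends of it. The document is a constructed map of node id to (content, policy configuration) patterned after the labelled tree on the slides; the cipher is an HMAC-SHA256 counter-mode stream with an encrypt-then-MAC tag, used as a standard-library stand-in for AES-GCM; and the derivation "from K_P1 obtain the key of every configuration containing P1" is realised, as an assumption of this example, by publishing each configuration key wrapped under the key of every policy in that configuration:

```python
import hashlib
import hmac
import os
from typing import Dict, FrozenSet, List, Tuple

Config = FrozenSet[str]          # the set of policies that apply to one node
NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, a stand-in stream cipher (use AES-GCM in practice)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    enc_key, mac_key = hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Check the tag before touching the ciphertext; raises on tampering or a wrong key."""
    enc_key, mac_key = hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


# Constructed sample: node id -> (content, policies applying to it), after the
# labelled tree on the slides (P2 on the root, P1/P3 on laws, none on BluePageReport).
DOCUMENT: Dict[int, Tuple[bytes, Config]] = {
    1: (b"<WorldLawBulletin Date='08/08/1999'>", frozenset({"P2"})),
    2: (b"<Law Country='USA'>", frozenset({"P1", "P3"})),
    3: (b"<Topic>Taxation</Topic>", frozenset({"P1", "P3"})),
    7: (b"<Law Country='Italy'>", frozenset({"P3"})),
    8: (b"<BluePageReport>", frozenset()),
}


class XMLSource:
    """Owner side: one key per policy, one key per policy configuration, and public
    tokens wrapping each configuration key under the key of every member policy."""

    def __init__(self, document: Dict[int, Tuple[bytes, Config]]):
        self.document = document
        self.policy_keys: Dict[str, bytes] = {}
        self.config_keys: Dict[Config, bytes] = {}
        self.tokens: Dict[Tuple[str, Config], bytes] = {}
        for _, config in document.values():
            if config in self.config_keys:
                continue
            k_config = os.urandom(32)
            self.config_keys[config] = k_config
            for policy in config:   # an empty configuration (Kd) gets no token: nobody derives it
                k_policy = self.policy_keys.setdefault(policy, os.urandom(32))
                self.tokens[(policy, config)] = encrypt(k_policy, k_config)

    def encrypted_document(self) -> Dict[int, Tuple[Config, bytes]]:
        """The single broadcast copy: each node encrypted under its configuration's key."""
        return {n: (cfg, encrypt(self.config_keys[cfg], content))
                for n, (content, cfg) in self.document.items()}

    def keys_for_subject(self, satisfied_policies: List[str]) -> Dict[str, bytes]:
        """Online or offline delivery both hand out just one key per satisfied policy."""
        return {p: self.policy_keys[p] for p in satisfied_policies if p in self.policy_keys}


def derive_config_keys(policy_keys: Dict[str, bytes],
                       tokens: Dict[Tuple[str, Config], bytes]) -> Dict[Config, bytes]:
    """Subject side: from K_P unwrap the key of every configuration that contains P."""
    derived: Dict[Config, bytes] = {}
    for (policy, config), token in tokens.items():
        if policy in policy_keys and config not in derived:
            derived[config] = decrypt(policy_keys[policy], token)
    return derived


def subject_view(policy_keys: Dict[str, bytes], tokens, enc_doc) -> Dict[int, bytes]:
    """Decrypt exactly the nodes whose configuration key the subject can derive."""
    config_keys = derive_config_keys(policy_keys, tokens)
    return {n: decrypt(config_keys[cfg], blob)
            for n, (cfg, blob) in enc_doc.items() if cfg in config_keys}


if __name__ == "__main__":
    src = XMLSource(DOCUMENT)
    broadcast = src.encrypted_document()
    for who in (["P1"], ["P2"], ["P3"], []):
        print(who, sorted(subject_view(src.keys_for_subject(who), src.tokens, broadcast)))
```

With this layout the source holds three policy keys for four configurations, a subject satisfying only P1 receives one key and still opens every node in the {P1,P3} configuration, and a subject satisfying P3 opens the {P1,P3} and {P3} nodes but never the root. The tokens are public, so their security rests entirely on the policy keys; if a policy key is ever revoked, every configuration containing that policy must be re-keyed and re-wrapped.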

48
Key Distribution
  • Two modes
  • Online: the XML source delivers both the keys
    and the encrypted document to subjects
  • Offline: subjects retrieve the keys through
    further interactions with the XML source (e.g., an
    LDAP directory)

49
Outline
  • Security requirements for web data
  • Basic concepts of XML
  • Security policies for XML data protection and
    release
  • Access control mechanisms for XML data
  • XML-based specification of security information
  • XML security future trends

50
Why?
  • It allows a uniform protection of XML documents
    and their security-related information
  • It facilitates the export and exchange of
    security information

51
Goals
  • Definition of an XML-based language for
    specifying security-related information for web
    documents
  • Subject credentials
  • Access control policies for web documents
    satisfying the previously stated requirements
  • An example: X-Sec, the XML-based language
    developed in the framework of Author-X

52
X-Sec Credentials
  • Credentials with similar structure are grouped
    into credential types
  • A credential is a set of simple and composite
    properties
  • Credential types: DTDs
  • Credentials: XML documents

53
X-Sec credential type

  <!DOCTYPE carrier_employee [
  <!ELEMENT carrier_employee (name, address, phone_number,
                              email?, company)>
  <!ELEMENT name (fname, lname)>
  <!ELEMENT fname (#PCDATA)>
  <!ELEMENT lname (#PCDATA)>
  <!ELEMENT address (#PCDATA)>
  <!ELEMENT phone_number (#PCDATA)>
  <!ELEMENT email (#PCDATA)>
  <!ELEMENT company (#PCDATA)>
  <!ATTLIST carrier_employee credID ID #REQUIRED
                             cIssuer CDATA #REQUIRED>
  ]>

54
X-Sec credential

  <carrier_employee credID="154" cIssuer="CA16">
    <name>
      <fname>Bob</fname>
      <lname>Watson</lname>
    </name>
    <address>24 Baker Street</address>
    <phone_number>8005769840</phone_number>
    <email>bwatson@ups.com</email>
    <company>UPS</company>
  </carrier_employee>

55
X-Profiles
  • To simplify credential evaluation all the
    credentials a subject possesses are collected
    into an X-profile

56
X-profile

  <X-profile sbjID="bw585" PIssuer="CA16">
    <carrier_employee credID="154" cIssuer="CA16">
      <name>
        <fname>Bob</fname>
        <lname>Watson</lname>
      </name>
      <address>24 Baker Street</address>
      <phone_number>8005769840</phone_number>
      <email>bwatson@ups.com</email>
      <company>UPS</company>
    </carrier_employee>
    <stockholder credID="254" cIssuer="CA16">
      <name></name>
      <company>
        <name>Paragon</name>
        <stocknumber>400</stocknumber>
        <stockvalue>1000</stockvalue>
      </company>
    </stockholder>
  </X-profile>

57
X-Sec Policy Specification
  • XML template for specifying credential-based
    access control policies
  • The template is as general as possible to be able
    to model access control policies for a variety of
    web documents (e.g., HTML, XML)

58
X-Sec Policy Base Template

  <!DOCTYPE policyBase [
  <!ELEMENT policyBase (policySpec+)>
  <!ELEMENT policySpec (subject, object, priv, type, prop)>
  <!ELEMENT subject (userID | credential)>
  <!ELEMENT object EMPTY>
  <!ELEMENT priv EMPTY>
  <!ELEMENT type EMPTY>
  <!ELEMENT prop EMPTY>
  <!ELEMENT userID EMPTY>
  <!ELEMENT credential EMPTY>
  <!ATTLIST userID id CDATA #REQUIRED>
  <!ATTLIST credential targetCredType CDATA #REQUIRED
                       credExpr CDATA #IMPLIED>
  <!ATTLIST object target CDATA #REQUIRED
                   path CDATA #REQUIRED>
  <!ATTLIST priv value CDATA #REQUIRED>
  <!ATTLIST type value CDATA #REQUIRED>
  <!ATTLIST prop value CDATA #REQUIRED>
  ]>
59
Instantiation for XML Sources

  <policyBase>
    <policySpec>
      <subject><credential targetCredType="ACMmember"/></subject>
      <object target="SigmodRecord.xml" path="/issues"/>
      <priv value="READ"/> <type value="grant"/> <prop value="cascade"/>
    </policySpec>
    <policySpec>
      <subject><credential targetCredType="noACMmember"/></subject>
      <object target="SigmodRecord.xml" path="/issues"/>
      <priv value="READ"/> <type value="grant"/> <prop value="cascade"/>
    </policySpec>
    <policySpec>
      <subject><credential targetCredType="noACMmember"/></subject>
      <object target="SigmodRecord.xml"
              path="/issues/issuesTuple/articles/articlesTuple/abstract"/>
      <priv value="READ"/> <type value="deny"/> <prop value="no_prop"/>
    </policySpec>
  </policyBase>
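The policy base above, the credential expressions of slide 23 and the propagation options of slides 26 to 28 can be exercised together with a small evaluator. The code below is an added example, not part of Author-X or X-Sec: the X-profiles, the SigmodRecord.xml fragment and the conflict-resolution rule (most specific path wins, deny wins on a tie, no applicable policy means no access; an unauthorized node is removed with its whole subtree) are assumptions of this example, and credExpr is restricted to conjunctions of "property op literal" clauses over a credential's simple properties:

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# The policy base from the slide (attribute quoting restored).
POLICY_BASE = """<policyBase>
  <policySpec><subject><credential targetCredType="ACMmember"/></subject>
    <object target="SigmodRecord.xml" path="/issues"/>
    <priv value="READ"/><type value="grant"/><prop value="cascade"/></policySpec>
  <policySpec><subject><credential targetCredType="noACMmember"/></subject>
    <object target="SigmodRecord.xml" path="/issues"/>
    <priv value="READ"/><type value="grant"/><prop value="cascade"/></policySpec>
  <policySpec><subject><credential targetCredType="noACMmember"/></subject>
    <object target="SigmodRecord.xml" path="/issues/issuesTuple/articles/articlesTuple/abstract"/>
    <priv value="READ"/><type value="deny"/><prop value="no_prop"/></policySpec>
</policyBase>"""

# Constructed X-profiles and a constructed SigmodRecord.xml fragment (assumptions).
ACM_PROFILE = """<X-profile sbjID="u1" PIssuer="CA16"><ACMmember credID="c1" cIssuer="CA16">
  <memberNo>1234</memberNo></ACMmember></X-profile>"""
NON_ACM_PROFILE = """<X-profile sbjID="u2" PIssuer="CA16"><noACMmember credID="c2" cIssuer="CA16">
  <email>x@example.org</email></noACMmember></X-profile>"""
NO_CRED_PROFILE = """<X-profile sbjID="u3" PIssuer="CA16"/>"""
SIGMOD_RECORD = """<issues><issuesTuple><volume>30</volume><articles>
  <articlesTuple><title>Securing XML</title><abstract>How to protect...</abstract></articlesTuple>
  <articlesTuple><title>Merkle trees</title><abstract>Hash paths...</abstract></articlesTuple>
</articles></issuesTuple></issues>"""

_CLAUSE = re.compile(r"^\s*(\w+)\s*(>=|<=|=|>|<)\s*(.+?)\s*$")


def cred_expr_holds(cred: ET.Element, expr: str) -> bool:
    """Evaluate 'prop op literal [and ...]' (e.g. 'age > 21 and country = Italy') against
    the simple properties (child elements) of one credential."""
    for clause in expr.split(" and "):
        m = _CLAUSE.match(clause)
        if m is None:
            raise ValueError(f"unsupported credential expression: {clause!r}")
        prop, op, literal = m.groups()
        child = cred.find(prop)
        if child is None:
            return False
        actual, literal = (child.text or "").strip(), literal.strip("'\"")
        try:
            lhs, rhs = float(actual), float(literal)   # numeric when both sides parse
        except ValueError:
            lhs, rhs = actual, literal                 # otherwise plain string comparison
        if not {"=": lhs == rhs, ">": lhs > rhs, "<": lhs < rhs,
                ">=": lhs >= rhs, "<=": lhs <= rhs}[op]:
            return False
    return True


def subject_matches(subject: ET.Element, profile: ET.Element) -> bool:
    """A subject spec is a user id or a credential type plus optional credExpr."""
    if any(uid.get("id") == profile.get("sbjID") for uid in subject.findall("userID")):
        return True
    for spec in subject.findall("credential"):
        expr = spec.get("credExpr")
        for cred in profile.findall(spec.get("targetCredType")):
            if expr is None or cred_expr_holds(cred, expr):
                return True
    return False


def profile_satisfies(profile_xml: str, cred_type: str, expr: Optional[str] = None) -> bool:
    """Does the profile hold a cred_type credential satisfying expr?"""
    subject = ET.Element("subject")
    ET.SubElement(subject, "credential", targetCredType=cred_type, **({"credExpr": expr} if expr else {}))
    return subject_matches(subject, ET.fromstring(profile_xml))


def applicable_policies(policy_xml: str, profile_xml: str, target: str, priv: str) -> List[Dict[str, str]]:
    profile, out = ET.fromstring(profile_xml), []
    for spec in ET.fromstring(policy_xml).findall("policySpec"):
        obj = spec.find("object")
        if obj.get("target") != target or spec.find("priv").get("value") != priv:
            continue
        if subject_matches(spec.find("subject"), profile):
            out.append({"path": obj.get("path"), "type": spec.find("type").get("value"),
                        "prop": spec.find("prop").get("value")})
    return out


def _applies(policy: Dict[str, str], node_path: str) -> bool:
    """no_prop: the object only; first_level: plus its children; cascade: whole subtree."""
    base = policy["path"]
    if node_path == base:
        return True
    if not node_path.startswith(base.rstrip("/") + "/"):
        return False
    depth_below = node_path[len(base):].count("/")
    return policy["prop"] == "cascade" or (policy["prop"] == "first_level" and depth_below == 1)


def decide(policies: List[Dict[str, str]], node_path: str) -> bool:
    """Assumed conflict resolution: most specific path wins, deny wins on a tie, default deny."""
    best, best_depth = None, -1
    for pol in policies:
        if not _applies(pol, node_path):
            continue
        depth = pol["path"].count("/")
        if depth > best_depth:
            best, best_depth = pol["type"], depth
        elif depth == best_depth and pol["type"] == "deny":
            best = "deny"
    return best == "grant"


def view_for(profile_xml: str, doc_xml: str, target: str = "SigmodRecord.xml",
             policy_xml: str = POLICY_BASE, priv: str = "READ") -> Optional[ET.Element]:
    """The part of the document this subject may READ; None if even the root is denied."""
    policies = applicable_policies(policy_xml, profile_xml, target, priv)
    root = ET.fromstring(doc_xml)
    root_path = "/" + root.tag
    if not decide(policies, root_path):
        return None

    def prune(node: ET.Element, path: str) -> None:
        for child in list(node):
            child_path = f"{path}/{child.tag}"
            if decide(policies, child_path):
                prune(child, child_path)
            else:
                node.remove(child)      # an unauthorized node disappears with its subtree

    prune(root, root_path)
    return root
```

Run against the slide's policy base, an ACM member sees the whole record, a non-member sees every issue and article but no abstract (the no_prop deny on the abstract path is more specific than the cascading grant on /issues), and a profile with neither credential gets no view at all. Paths are matched by tag sequence, so the abstract rule hides all abstracts rather than a particular one; per-instance policies need the element ids of the object specification.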
60
Outline
  • Security requirements for web data
  • Basic concepts of XML
  • Security policies for XML data protection and
    release
  • Access control mechanisms for XML data
  • XML-based specification of security information
  • XML security future trends

61
Research Trends
  • Secure publishing of XML documents
  • A new class of information-centered applications
    based on Data dissemination
  • Possible scenarios
  • Information commerce digital libraries,
    electronic news
  • Intra-company information systems
  • Security requirements
  • Confidentiality
  • Integrity
  • Authenticity
  • Completeness

62
Secure Publishing
  • The Owner is the producer of the information
  • It specifies the access control policies
  • It answers subject queries

63
Third-Party Architecture
  • The Publisher is responsible for managing (a
    portion of) the Owner's information and for
    answering subject queries
  • Benefits
  • Scalability
  • No bottleneck

64
Third-Party Architecture
[Figure: the Owner (XML source, credential base, policy base) hands SE-XML documents and policy configuration information to an untrusted Publisher; the Subject presents credentials and a query and receives a reply document from the Publisher.]
65
Security Enhanced XML document (SE-XML)
  • Merkle Signature
  • Policy information
  • The identifiers of the policies that apply to the
    document
  • Information about the set of policies that
    applies to a specific element/attribute

66
Merkle Signature
[Figure: Newspaper document tree. Newspaper has children title, date, Frontpage, Politic_page, Literary_page and Sport_page; Frontpage contains a Leading Article (title, Author) and Paragraphs made of paragraph elements, each with topic, title and Author; the other pages contain news elements with topic, title and Author.]

  MhX(Author) = h(h(Author) || h(Author.value))
  MhX(title) = h(h(title) || h(title.value))
  MhX(paragraph) = h(h(paragraph) || h(paragraph.content) || MhX(Author) || MhX(title))
67
Merkle Signature
  MhX(paragraph) = h(h(paragraph) || h(paragraph.content) || MhX(Author) || MhX(title))
  MhX(paragraphs) = h(h(paragraphs) || h(paragraphs.content) || MhX(paragraph) || MhX(paragraph))
68
Merkle Signature
  MhX(Newspaper) = h(h(Newspaper) || h(Newspaper.content) || MhX(...) || MhX(...) || MhX(...))
  Merkle signature of the Newspaper XML file: the Owner's signature over MhX(Newspaper)
69
Reply document
[Figure: the reply document sent to the subject consists of the view, the Merkle signature and the Merkle hash path.]
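The following is an added example, not code from the project, showing the Merkle hash of slides 66 to 68 and the reply-document check of slide 69 end to end: the Owner computes MhX over the whole Newspaper, the untrusted Publisher builds a view by pruning subtrees and leaves the MhX of each pruned subtree behind as the hash path, and the Subject recomputes the root from the view plus the hash path. The Newspaper document is constructed here to match the tree on the slides; the `Pruned` placeholder element carrying the pruned subtree's hash is this example's own representation of the hash path; and signing the root hash with the Owner's key is left out, the Subject simply compares against the authentic root value:

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET
from typing import Set

PRUNED = "Pruned"   # placeholder left in the view for each removed subtree (this example's convention)

# Constructed Newspaper document shaped like the tree on the slides.
NEWSPAPER = """<Newspaper>
  <title>The Daily Example</title><date>2001-05-20</date>
  <Frontpage><Leading_Article><title>Budget passes</title><Author>A. Reporter</Author>
    <Paragraphs>
      <paragraph>The budget passed at midnight.<topic>finance</topic><title>Overview</title><Author>A. Reporter</Author></paragraph>
      <paragraph>Markets reacted calmly.<topic>reaction</topic><title>Markets</title><Author>B. Analyst</Author></paragraph>
    </Paragraphs></Leading_Article></Frontpage>
  <Politic_page><news><topic>elections</topic><title>Polls open</title><Author>C. Desk</Author></news></Politic_page>
  <Literary_page><news><topic>books</topic><title>New novel</title><Author>D. Critic</Author></news></Literary_page>
  <Sport_page><news><topic>football</topic><title>Derby draw</title><Author>E. Stand</Author></news></Sport_page>
</Newspaper>"""


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def own_text(el: ET.Element) -> bytes:
    """The text nodes owned by el itself; ElementTree splits them into .text and the children's .tail."""
    return "".join([el.text or ""] + [child.tail or "" for child in el]).strip().encode()


def mhx(el: ET.Element) -> bytes:
    """MhX(e) = h( h(tag) || h(content) || MhX(child_1) || ... || MhX(child_n) ), as on the slides."""
    if el.tag == PRUNED:                          # hash-path entry supplied by the publisher
        return bytes.fromhex(el.get("mhx", ""))
    acc = h(el.tag.encode()) + h(own_text(el))
    for child in el:
        acc += mhx(child)
    return h(acc)


def owner_root(doc_xml: str) -> str:
    """Owner side: the value that gets signed (the signature itself is outside this example)."""
    return mhx(ET.fromstring(doc_xml)).hex()


def publisher_view(doc_xml: str, drop_tags: Set[str]) -> str:
    """Publisher side: prune every subtree whose tag is in drop_tags and leave a placeholder
    carrying that subtree's MhX; the placeholders are the Merkle hash path of the view."""
    root = ET.fromstring(doc_xml)

    def prune(node: ET.Element) -> None:
        for i, child in enumerate(list(node)):
            if child.tag in drop_tags:
                placeholder = ET.Element(PRUNED, mhx=mhx(child).hex())
                placeholder.tail = child.tail     # the parent's own text must survive pruning
                node[i] = placeholder
            else:
                prune(child)

    prune(root)
    return ET.tostring(root, encoding="unicode")


def verify(view_xml: str, trusted_root_hex: str) -> bool:
    """Subject side: recompute MhX over the view, substituting the hash path for pruned parts."""
    try:
        recomputed = mhx(ET.fromstring(view_xml)).hex()
    except (ET.ParseError, ValueError):
        return False
    return hmac.compare_digest(recomputed, trusted_root_hex)


if __name__ == "__main__":
    root_hash = owner_root(NEWSPAPER)
    view = publisher_view(NEWSPAPER, {"Politic_page", "Literary_page"})
    print(verify(view, root_hash), verify(view.replace("Budget passes", "Budget fails"), root_hash))
```

Any view obtained by pruning verifies against the same root, so the Owner signs once regardless of how many subjects or views there are, and any change the Publisher makes to content that is present in the view breaks the check. What the hash path cannot show is completeness: a Publisher that prunes a subtree the Subject was entitled to still produces a valid view, which is why the SE-XML document also carries the identifiers of the policies that apply to its elements. The slide formula hashes only element names and content; a deployment should fold attribute names and values into the per-node hash as well.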
70
Main References
  • B. Dournaee, XML Security, RSA Press, 2002.
  • E. Bertino, B. Carminati, E. Ferrari, and B.
    Thuraisingham, XML Security, Addison-Wesley, in
    preparation.

71
Main References
  • E. Bertino and E. Ferrari. Secure and Selective
    Dissemination of XML Documents, ACM Transactions on
    Information and System Security, to appear
  • E. Bertino, S. Castano, and E. Ferrari. Author-X:
    a Comprehensive System for Securing XML
    Documents, IEEE Internet Computing, May 2001
  • E. Bertino, S. Castano, and E. Ferrari. Securing
    XML Documents: the Author-X Project
    Demonstration, Proc. of the ACM SIGMOD
    Conference 2001
  • E. Bertino, S. Castano, E. Ferrari, and M. Mesiti.
    Specifying and Enforcing Access Control Policies
    for XML Document Sources. World Wide Web Journal,
    3(3), 2000

72
Main References
  • Web sites
  • The XML Security Page: http://www.nue.et-inf.uni-siegen.de/geuer-pollmann/xml/security.html
  • OASIS Consortium: http://www.oasis-open.org
  • World Wide Web Consortium: http://www.w3.org