pag. 1 xml security. pag. 2 outline security requirements for web data. basic concepts of xml...
TRANSCRIPT
![Page 1: Pag. 1 XML Security. Pag. 2 Outline Security requirements for web data. Basic concepts of XML Security policies for XML data protection and release Access](https://reader031.vdocuments.us/reader031/viewer/2022032307/56649c785503460f9492d8d4/html5/thumbnails/1.jpg)
Pag. 1
XML Security
![Page 2: Pag. 1 XML Security. Pag. 2 Outline Security requirements for web data. Basic concepts of XML Security policies for XML data protection and release Access](https://reader031.vdocuments.us/reader031/viewer/2022032307/56649c785503460f9492d8d4/html5/thumbnails/2.jpg)
Pag. 2
Outline
• Security requirements for web data. • Basic concepts of XML• Security policies for XML data protection
and release • Access control mechanisms for XML data• XML-based specification of security
informaiton• XML security: future trends
![Page 3: Pag. 1 XML Security. Pag. 2 Outline Security requirements for web data. Basic concepts of XML Security policies for XML data protection and release Access](https://reader031.vdocuments.us/reader031/viewer/2022032307/56649c785503460f9492d8d4/html5/thumbnails/3.jpg)
Pag. 3
Web Data: Protection Requirements
• The web is becoming the main information dissemination means for many organizations
• Strong need for models and mechanisms enabling the specification and enforcement of security policies for web data protection and release
![Page 4: Pag. 1 XML Security. Pag. 2 Outline Security requirements for web data. Basic concepts of XML Security policies for XML data protection and release Access](https://reader031.vdocuments.us/reader031/viewer/2022032307/56649c785503460f9492d8d4/html5/thumbnails/4.jpg)
Pag. 5
Web Docs: Protection Requirements
• Web documents may have a nested or hierarchical, inter-linked structure
• Different portions of the same document may have different protection requirements
We need a wide spectrum of protection
granularity levels
![Page 5: Pag. 1 XML Security. Pag. 2 Outline Security requirements for web data. Basic concepts of XML Security policies for XML data protection and release Access](https://reader031.vdocuments.us/reader031/viewer/2022032307/56649c785503460f9492d8d4/html5/thumbnails/5.jpg)
Pag. 6
Web Docs: Protection Requirements
• Web documents may have an associated description of their structure:– DTDs and XML Schemas for XML documents– Data models for describing the logical
organization of data into web pages
Policies specified both at the schema and at
the instance level
![Page 6: Pag. 1 XML Security. Pag. 2 Outline Security requirements for web data. Basic concepts of XML Security policies for XML data protection and release Access](https://reader031.vdocuments.us/reader031/viewer/2022032307/56649c785503460f9492d8d4/html5/thumbnails/6.jpg)
Pag. 7
Web Docs: Protection Requirements
• Documents with the same type and structure may have contents of different sensitivity degree:
Policies that take the document content into
account (content-based policies)
![Page 7: Pag. 1 XML Security. Pag. 2 Outline Security requirements for web data. Basic concepts of XML Security policies for XML data protection and release Access](https://reader031.vdocuments.us/reader031/viewer/2022032307/56649c785503460f9492d8d4/html5/thumbnails/7.jpg)
Pag. 8
Web Docs: Protection Requirements
• Supporting fine-grained policies could lead to the specification of a, possibly high, number of access control policies:
Need of mechanisms for exception management and authorization propagation
![Page 8: Pag. 1 XML Security. Pag. 2 Outline Security requirements for web data. Basic concepts of XML Security policies for XML data protection and release Access](https://reader031.vdocuments.us/reader031/viewer/2022032307/56649c785503460f9492d8d4/html5/thumbnails/8.jpg)
Pag. 9
Web Docs: Protection Requirements
• Heterogeneity of subjects:– Subjects accessing a web source may be
characterized by different skills and needs and may dynamically change
– Conventional identity-based access control schemes are not enough
Credentials based on subject characteristics
and qualifications
![Page 9: Pag. 1 XML Security. Pag. 2 Outline Security requirements for web data. Basic concepts of XML Security policies for XML data protection and release Access](https://reader031.vdocuments.us/reader031/viewer/2022032307/56649c785503460f9492d8d4/html5/thumbnails/9.jpg)
Pag. 10
Web Docs: Protection Requirements
• In a web environment the traditional on user-demand mode of performing access control is not enough:
Security policies enforcing both the pull and push dissemination modes
![Page 10: Pag. 1 XML Security. Pag. 2 Outline Security requirements for web data. Basic concepts of XML Security policies for XML data protection and release Access](https://reader031.vdocuments.us/reader031/viewer/2022032307/56649c785503460f9492d8d4/html5/thumbnails/10.jpg)
Pag. 11
Web DataSource
• PULL
• PUSH
Request
Web DataSource
View
Dissemination Policies
![Page 11: Pag. 1 XML Security. Pag. 2 Outline Security requirements for web data. Basic concepts of XML Security policies for XML data protection and release Access](https://reader031.vdocuments.us/reader031/viewer/2022032307/56649c785503460f9492d8d4/html5/thumbnails/11.jpg)
Pag. 12
Outline
• Security requirements for web data• Basic concepts of XML• Security policies for XML data protection
and release• Access control mechanisms for XML data• XML-based specification of security
information• XML security: future trends
![Page 12: Pag. 1 XML Security. Pag. 2 Outline Security requirements for web data. Basic concepts of XML Security policies for XML data protection and release Access](https://reader031.vdocuments.us/reader031/viewer/2022032307/56649c785503460f9492d8d4/html5/thumbnails/12.jpg)
Pag. 13
Why XML?
• Because XML is becoming a standard for data representation over the web
• XML compatibility is thus an important requirement for security policies, models and mechanisms for Web data sources
![Page 13: Pag. 1 XML Security. Pag. 2 Outline Security requirements for web data. Basic concepts of XML Security policies for XML data protection and release Access](https://reader031.vdocuments.us/reader031/viewer/2022032307/56649c785503460f9492d8d4/html5/thumbnails/13.jpg)
Pag. 14
XML
• Building blocks of XML are tagged elements that can be nested at any depth in the document structure
• Each tagged element has zero or more subelements and zero or more attributes
• Elements can be linked by means of IDREF(S) attributes
• Optional presence of a DTD/XMLSchema for describing the structure of documents (well-formed vs valid documents)
![Page 14: Pag. 1 XML Security. Pag. 2 Outline Security requirements for web data. Basic concepts of XML Security policies for XML data protection and release Access](https://reader031.vdocuments.us/reader031/viewer/2022032307/56649c785503460f9492d8d4/html5/thumbnails/14.jpg)
<WorldLawBulletin Date=“8/8/1999”><Law Country=“USA” RelatedLaws = “LK75”/> <Topic>Taxation</Topic> <Summary>...</Summary>
</Law><Law Id=“LK75” Country=“Italy”/> <Topic>Import-Export</Topic> <Summary>...</Summary>
</Law><BluePageReport>
<Section GeoArea=“Europe”> <Law Country=“Germany”/>
<Topic>Guns</Topic> <Summary>...</Summary> </Law>
...</Section><Section GeoArea=“NorthAmerica”>
<Law Country=“USA”/> <Topic>Transportation</Topic> <Summary>...</Summary>
</Law>...
</Section></BluePageReport>
</WorldLawBulletin>
An XML Document
![Page 15: Pag. 1 XML Security. Pag. 2 Outline Security requirements for web data. Basic concepts of XML Security policies for XML data protection and release Access](https://reader031.vdocuments.us/reader031/viewer/2022032307/56649c785503460f9492d8d4/html5/thumbnails/15.jpg)
Pag. 16
Graph Representation
&1
&9&8&6&5&4&3
&2 &7LK75
&10
&12&11
&13
&14 &15
WordLawBulletin
Law
Law
Summary SectionTopic
BluePageReport
Law
Law
Topic
Topic Topic
Summary
SummarySummary
Section
{(Country,”USA”)}
...{(Country,”Germany”)} {(Country,”USA”)}
{(GeoArea,”NorthA.”)}{(GeoArea,E.)}
{(Country,”Italy”)}
Taxation
Guns Transportation
Import-Export
{(Date,”08/08/1999”)}
RelatedLaws
![Page 16: Pag. 1 XML Security. Pag. 2 Outline Security requirements for web data. Basic concepts of XML Security policies for XML data protection and release Access](https://reader031.vdocuments.us/reader031/viewer/2022032307/56649c785503460f9492d8d4/html5/thumbnails/16.jpg)
An XML DTD
<!DOCTYPE WorldLawBulletin[
<!ELEMENT WorldLawBulletin (Law*,BluePageReport?)>
<!ELEMENT Law (Topic,Summary)>
<!ELEMENT Topic (#PCDATA)>
<!ELEMENT Summary ANY>
<!ELEMENT BluePageReport (Section+)>
<!ELEMENT Section (Law+)>
<!ATTLIST WorldLawBulletin Date CDATA #REQUIRED>
<!ATTLIST Law Id ID #REQUIRED
Country CDATA #REQUIRED
RelatedLaws IDREFS #IMPLIED>
<!ATTLIST Section GeoArea CDATA #REQUIRED>
]>
![Page 17: Pag. 1 XML Security. Pag. 2 Outline Security requirements for web data. Basic concepts of XML Security policies for XML data protection and release Access](https://reader031.vdocuments.us/reader031/viewer/2022032307/56649c785503460f9492d8d4/html5/thumbnails/17.jpg)
Pag. 18
XML & Security
Two main issues:
1. Development of access control models, techniques, mechanisms, and systems for protecting XML documents
2. Use of XML to specify security relevant information, (organizational policies, subject credentials, authentication information, encrypted contents)
![Page 18: Pag. 1 XML Security. Pag. 2 Outline Security requirements for web data. Basic concepts of XML Security policies for XML data protection and release Access](https://reader031.vdocuments.us/reader031/viewer/2022032307/56649c785503460f9492d8d4/html5/thumbnails/18.jpg)
Pag. 19
The Author-The Author-XX Project Project
![Page 19: Pag. 1 XML Security. Pag. 2 Outline Security requirements for web data. Basic concepts of XML Security policies for XML data protection and release Access](https://reader031.vdocuments.us/reader031/viewer/2022032307/56649c785503460f9492d8d4/html5/thumbnails/19.jpg)
Pag. 20
Author-X
• Java-based system for XML data sources protection
• Security policy design and administration
• Credential-based access control to XML document sources
• Secure document dissemination and update
![Page 20: Pag. 1 XML Security. Pag. 2 Outline Security requirements for web data. Basic concepts of XML Security policies for XML data protection and release Access](https://reader031.vdocuments.us/reader031/viewer/2022032307/56649c785503460f9492d8d4/html5/thumbnails/20.jpg)
Pag. 21
Author-X ACPs
• Set-oriented and document-oriented policies
• Positive and negative policies at different granularity levels, to enforce differentiated protection of XML documents and DTDs
• Controlled propagation of access rights
• ACPs reflect user profiles through credential-based qualifications
![Page 21: Pag. 1 XML Security. Pag. 2 Outline Security requirements for web data. Basic concepts of XML Security policies for XML data protection and release Access](https://reader031.vdocuments.us/reader031/viewer/2022032307/56649c785503460f9492d8d4/html5/thumbnails/21.jpg)
Pag. 22
Enforcing access control
• Subject specification
• Protection object specification
• Privilege
• Propagation option
![Page 22: Pag. 1 XML Security. Pag. 2 Outline Security requirements for web data. Basic concepts of XML Security policies for XML data protection and release Access](https://reader031.vdocuments.us/reader031/viewer/2022032307/56649c785503460f9492d8d4/html5/thumbnails/22.jpg)
Pag. 23
Subject Specification
• User Identifiers
OR
• Subject credential: credential expression
Ex: X.age > 21
Programmer(X) and X.country=“Italy”
![Page 23: Pag. 1 XML Security. Pag. 2 Outline Security requirements for web data. Basic concepts of XML Security policies for XML data protection and release Access](https://reader031.vdocuments.us/reader031/viewer/2022032307/56649c785503460f9492d8d4/html5/thumbnails/23.jpg)
Pag. 24
Protection Object Specification
• Identify the portions of a document(s) to which the authorization applies.We want to allow users to specify authorizations
ranging from – sets of documents– to single elements/attributes within documents
specification on DTD or documents
[{doc|*}|{DTD|#}].[pathOfElem|ElemIds].[Attrs|links]
![Page 24: Pag. 1 XML Security. Pag. 2 Outline Security requirements for web data. Basic concepts of XML Security policies for XML data protection and release Access](https://reader031.vdocuments.us/reader031/viewer/2022032307/56649c785503460f9492d8d4/html5/thumbnails/24.jpg)
Pag. 25
Privileges
read• browsing navigate
write
• authoring append
delete
![Page 25: Pag. 1 XML Security. Pag. 2 Outline Security requirements for web data. Basic concepts of XML Security policies for XML data protection and release Access](https://reader031.vdocuments.us/reader031/viewer/2022032307/56649c785503460f9492d8d4/html5/thumbnails/25.jpg)
Pag. 26
Propagation option
NO PROPAGATION
![Page 26: Pag. 1 XML Security. Pag. 2 Outline Security requirements for web data. Basic concepts of XML Security policies for XML data protection and release Access](https://reader031.vdocuments.us/reader031/viewer/2022032307/56649c785503460f9492d8d4/html5/thumbnails/26.jpg)
Pag. 27
Propagation option
FIRST LEVEL
![Page 27: Pag. 1 XML Security. Pag. 2 Outline Security requirements for web data. Basic concepts of XML Security policies for XML data protection and release Access](https://reader031.vdocuments.us/reader031/viewer/2022032307/56649c785503460f9492d8d4/html5/thumbnails/27.jpg)
Pag. 28
Propagation option
CASCADE
![Page 28: Pag. 1 XML Security. Pag. 2 Outline Security requirements for web data. Basic concepts of XML Security policies for XML data protection and release Access](https://reader031.vdocuments.us/reader031/viewer/2022032307/56649c785503460f9492d8d4/html5/thumbnails/28.jpg)
Pag. 29
Examples of authorization rules
P1 = ((LLoC Employee or European Division Employee), WorldLawBulletin.Law, browse_all, *)
this authorization rule authorizes the LLoC and European
Division Employees to view all laws (not contained in the
BluePageReport element) in all instances of WorldLawBulletin
relations among laws, that is, RelatedLaws attributes,
are also displayed
![Page 29: Pag. 1 XML Security. Pag. 2 Outline Security requirements for web data. Basic concepts of XML Security policies for XML data protection and release Access](https://reader031.vdocuments.us/reader031/viewer/2022032307/56649c785503460f9492d8d4/html5/thumbnails/29.jpg)
Pag. 30
Examples of authorization rules
P4 = (European Division Employee,
(WorldLawBulletin.BluePageReport.Section,
GeoArea = Europe), browse_all, *)
this authorization rule authorizes the European
Division Employees to view the section pertaining to Europe of the BluePageReport in all instances of WorldLawBulletin
![Page 30: Pag. 1 XML Security. Pag. 2 Outline Security requirements for web data. Basic concepts of XML Security policies for XML data protection and release Access](https://reader031.vdocuments.us/reader031/viewer/2022032307/56649c785503460f9492d8d4/html5/thumbnails/30.jpg)
Pag. 31
access request view administrative operations
user SA
Author-X
DOM/XQL
X-Bases
XML Source
Credentialbase
Policybase
Encrypteddoc.base
X-Access X-Admin
![Page 31: Pag. 1 XML Security. Pag. 2 Outline Security requirements for web data. Basic concepts of XML Security policies for XML data protection and release Access](https://reader031.vdocuments.us/reader031/viewer/2022032307/56649c785503460f9492d8d4/html5/thumbnails/31.jpg)
Pag. 33
Excelon File System
XMLXML source source
Information Pull - Architecture
XML Parser XQL X-Path
Server Extension (Server Extension (XX-Access)-Access)Excelon Server
Web Server
XMLVIEW
DTD
Internet Browser CLIENTCLIENT
SERVERSERVER
• queryqueryInternetInternet
![Page 32: Pag. 1 XML Security. Pag. 2 Outline Security requirements for web data. Basic concepts of XML Security policies for XML data protection and release Access](https://reader031.vdocuments.us/reader031/viewer/2022032307/56649c785503460f9492d8d4/html5/thumbnails/32.jpg)
Pag. 35
Access request
UserUser
PasswordPassword
Target Target DocumentDocument
queryquery
![Page 33: Pag. 1 XML Security. Pag. 2 Outline Security requirements for web data. Basic concepts of XML Security policies for XML data protection and release Access](https://reader031.vdocuments.us/reader031/viewer/2022032307/56649c785503460f9492d8d4/html5/thumbnails/33.jpg)
Pag. 36
Query result
Query Query resultresult
![Page 34: Pag. 1 XML Security. Pag. 2 Outline Security requirements for web data. Basic concepts of XML Security policies for XML data protection and release Access](https://reader031.vdocuments.us/reader031/viewer/2022032307/56649c785503460f9492d8d4/html5/thumbnails/34.jpg)
Pag. 37
Push Dissemination Mode
• Since:– Different subjects -> different views– Wide range of protection granularities– High number of subjects
Number of views can be too large
Solution-> Encryption Techniques
![Page 35: Pag. 1 XML Security. Pag. 2 Outline Security requirements for web data. Basic concepts of XML Security policies for XML data protection and release Access](https://reader031.vdocuments.us/reader031/viewer/2022032307/56649c785503460f9492d8d4/html5/thumbnails/35.jpg)
Pag. 38
Push Dissemination Mode
• The approach is based on encrypting different portions of the same document with different keys
• The same (encrypted) copy is then broadcasted to all subjects
• Each subject only receives the key(s) for the portions he/she is enabled to see
![Page 36: Pag. 1 XML Security. Pag. 2 Outline Security requirements for web data. Basic concepts of XML Security policies for XML data protection and release Access](https://reader031.vdocuments.us/reader031/viewer/2022032307/56649c785503460f9492d8d4/html5/thumbnails/36.jpg)
Pag. 39
Information Push - Main Issues
• How to encrypt the documents in a source
• Which and how many keys should be distributed to which subjects
• How to securely and efficiently distribute keys to subjects in such a way that keys are received only by the entitled subjects
![Page 37: Pag. 1 XML Security. Pag. 2 Outline Security requirements for web data. Basic concepts of XML Security policies for XML data protection and release Access](https://reader031.vdocuments.us/reader031/viewer/2022032307/56649c785503460f9492d8d4/html5/thumbnails/37.jpg)
Pag. 40
How to Encrypt Documents
• Document encryption is driven by the specified access control policies: all the document portions to which the same access control policies apply are encrypted with the same key
• Thus, to determine which keys should be sent to a particular subject it is only necessary to verify which are the access control policies that apply to that subject and then sending the keys associated with these policies
![Page 38: Pag. 1 XML Security. Pag. 2 Outline Security requirements for web data. Basic concepts of XML Security policies for XML data protection and release Access](https://reader031.vdocuments.us/reader031/viewer/2022032307/56649c785503460f9492d8d4/html5/thumbnails/38.jpg)
Pag. 41
&1
&13&9&7&6&4&3
&2 &8&5
&10
&12&11
&14
&15 &16
P1,P3
P1,P3
P2
P1,P3 P1,P3
P3
P3
P1,P3
P1,P3
Well-Formed Encryption
![Page 39: Pag. 1 XML Security. Pag. 2 Outline Security requirements for web data. Basic concepts of XML Security policies for XML data protection and release Access](https://reader031.vdocuments.us/reader031/viewer/2022032307/56649c785503460f9492d8d4/html5/thumbnails/39.jpg)
Pag. 42
Node encrypted with key K1
&1
&13&9&7&6&4&3
&2 &8&5
&10
&12&11
&14
&15 &16
P1,P3
P1,P3
P2
P1,P3 P1,P3
P3
P3
P1,P3
P1,P3
Well-Formed Encryption
![Page 40: Pag. 1 XML Security. Pag. 2 Outline Security requirements for web data. Basic concepts of XML Security policies for XML data protection and release Access](https://reader031.vdocuments.us/reader031/viewer/2022032307/56649c785503460f9492d8d4/html5/thumbnails/40.jpg)
Pag. 43
Nodes encrypted with key K2
&1
&13&9&7&6&4&3
&2 &8&5
&10
&12&11
&14
&15 &16
P1,P3
P1,P3
P2
P1,P3 P1,P3
P3
P3
P1,P3
P1,P3
Well-Formed Encryption
![Page 41: Pag. 1 XML Security. Pag. 2 Outline Security requirements for web data. Basic concepts of XML Security policies for XML data protection and release Access](https://reader031.vdocuments.us/reader031/viewer/2022032307/56649c785503460f9492d8d4/html5/thumbnails/41.jpg)
Pag. 44
Nodes encrypted with key K3
&13&7&6&4&3
&2 &8&5
&12&11
&14
&15 &16
P1,P3
P1,P3
P2
P1,P3 P1,P3
P3
P3
P1,P3
P1,P3
&1
&9
&10
Well-Formed Encryption
![Page 42: Pag. 1 XML Security. Pag. 2 Outline Security requirements for web data. Basic concepts of XML Security policies for XML data protection and release Access](https://reader031.vdocuments.us/reader031/viewer/2022032307/56649c785503460f9492d8d4/html5/thumbnails/42.jpg)
Pag. 45
Nodes encrypted with key Kd
&13
&8
&12&11
&14
&15 &16
P1,P3
P1,P3
P2
P1,P3 P1,P3
P3
P3
P1,P3
P1,P3
&9&7&6&4&3
&2 &5
&10
&1
Well-Formed Encryption
![Page 43: Pag. 1 XML Security. Pag. 2 Outline Security requirements for web data. Basic concepts of XML Security policies for XML data protection and release Access](https://reader031.vdocuments.us/reader031/viewer/2022032307/56649c785503460f9492d8d4/html5/thumbnails/43.jpg)
Pag. 46
&13
&8
&12&11
&14
&15 &16
P1,P3
P1,P3
P2
P1,P3 P1,P3
P3
P3
P1,P3
P1,P3
P1 K2
P2 K1
P3 K2, K3
&9&7&6&4&3
&2 &5
&10
&1
Well-Formed Encryption
![Page 44: Pag. 1 XML Security. Pag. 2 Outline Security requirements for web data. Basic concepts of XML Security policies for XML data protection and release Access](https://reader031.vdocuments.us/reader031/viewer/2022032307/56649c785503460f9492d8d4/html5/thumbnails/44.jpg)
Pag. 47
Key Management
• Key assignment scheme such that:– From the key associated with a policy P1 it is
possible to derive the keys associated with all the policy configurations containing P1
• Benefits:– The system should manage in the worst case a
number of keys equal to the size of the Policy Base
– Each subject receives a key for each policy he/she satisfies
![Page 45: Pag. 1 XML Security. Pag. 2 Outline Security requirements for web data. Basic concepts of XML Security policies for XML data protection and release Access](https://reader031.vdocuments.us/reader031/viewer/2022032307/56649c785503460f9492d8d4/html5/thumbnails/45.jpg)
Pag. 49
Outline
• Security requirements for web data• Basic concepts of XML• Security policies for XML data protection
and release• Access control mechanisms for XML data• XML-based specification of security
information• XML security: future trends
![Page 46: Pag. 1 XML Security. Pag. 2 Outline Security requirements for web data. Basic concepts of XML Security policies for XML data protection and release Access](https://reader031.vdocuments.us/reader031/viewer/2022032307/56649c785503460f9492d8d4/html5/thumbnails/46.jpg)
Pag. 50
Why?
• It allows a uniform protection of XML documents and their security-related information
• It facilitates the export and exchange of security information
![Page 47: Pag. 1 XML Security. Pag. 2 Outline Security requirements for web data. Basic concepts of XML Security policies for XML data protection and release Access](https://reader031.vdocuments.us/reader031/viewer/2022032307/56649c785503460f9492d8d4/html5/thumbnails/47.jpg)
Pag. 51
Goals
• Definition of an XML-based language for specifying security-related information for web documents:– Subject credentials– Access control policies for web documents
satisfying the previously stated requirements
An example: X-Sec the XML-based language developed in the framework of Author-X
![Page 48: Pag. 1 XML Security. Pag. 2 Outline Security requirements for web data. Basic concepts of XML Security policies for XML data protection and release Access](https://reader031.vdocuments.us/reader031/viewer/2022032307/56649c785503460f9492d8d4/html5/thumbnails/48.jpg)
Pag. 52
X-Sec Credentials
• Credentials with similar structure are grouped into credential types
• A credential is a set of simple and composite properties
• Credential types DTDs
• Credentials XML documents
![Page 49: Pag. 1 XML Security. Pag. 2 Outline Security requirements for web data. Basic concepts of XML Security policies for XML data protection and release Access](https://reader031.vdocuments.us/reader031/viewer/2022032307/56649c785503460f9492d8d4/html5/thumbnails/49.jpg)
X-Sec credential type
<!DOCTYPE carrier_employee[
<!ELEMENT carrier_employee (name,address,phone_number*,
email?, company)>
<!ELEMENT name (fname,lname)>
<!ELEMENT address (#PCDATA)>
<!ELEMENT phone_number (#PCDATA)>
<!ELEMENT email (#PCDATA)>
<!ELEMENT company (#PCDATA)>
<!ATTLIST carrier_employee credID ID #REQUIRED
cIssuer CDATA #REQUIRED>
]>
![Page 50: Pag. 1 XML Security. Pag. 2 Outline Security requirements for web data. Basic concepts of XML Security policies for XML data protection and release Access](https://reader031.vdocuments.us/reader031/viewer/2022032307/56649c785503460f9492d8d4/html5/thumbnails/50.jpg)
<carrier_employee credID=“154”,CIssuer=“CA16”>
<name>
<fname> Bob </fname>
<lname> Watson </lname>
</name>
<address> 24 Baker Street </address>
<phone_number> 8005769840 </phone_number>
<email> [email protected] </email>
<company> UPS </company>
</carrier_employee>
X-Sec credential
![Page 51: Pag. 1 XML Security. Pag. 2 Outline Security requirements for web data. Basic concepts of XML Security policies for XML data protection and release Access](https://reader031.vdocuments.us/reader031/viewer/2022032307/56649c785503460f9492d8d4/html5/thumbnails/51.jpg)
Pag. 57
X-Sec Policy Specification
• XML template for specifying credential-based access control policies
• The template is as general as possible to be able to model access control policies for a variety of web documents (e.g., HTML, XML)
![Page 52: Pag. 1 XML Security. Pag. 2 Outline Security requirements for web data. Basic concepts of XML Security policies for XML data protection and release Access](https://reader031.vdocuments.us/reader031/viewer/2022032307/56649c785503460f9492d8d4/html5/thumbnails/52.jpg)
Pag. 58
<!DOCTYPE policyBase[<!ELEMENT policyBase (policySpec)*><!ELEMENT policySpec (subject, object, priv, type, prop)><!ELEMENT subject (userID*|credential)><!ELEMENT object EMPTY><!ELEMENT priv EMPTY><!ELEMENT type EMPTY><!ELEMENT prop EMPTY><!ELEMENT userID EMPTY><!ELEMENT credential EMPTY><!ATTLIST userID id CDATA #REQUIRED><!ATTLIST credential targetCredType CDATA #REQUIRED credExpr CDATA IMPLIED><!ATTLIST object target CDATA #REQUIRED path CDATA #REQUIRED><!ATTLIST userID id CDATA #REQUIRED><!ATTLIST priv value CDATA #REQUIRED><!ATTLIST type value CDATA #REQUIRED><!ATTLIST prop value CDATA #REQUIRED>]>
X-Sec Policy Base Template
![Page 53: Pag. 1 XML Security. Pag. 2 Outline Security requirements for web data. Basic concepts of XML Security policies for XML data protection and release Access](https://reader031.vdocuments.us/reader031/viewer/2022032307/56649c785503460f9492d8d4/html5/thumbnails/53.jpg)
Pag. 59
Instantiation for XML Sources<policyBase> <policySpec> <subject><credential targetCredType="ACMmember"/></subject> <object>< target="SigmodRecord.xml" path="/issues"/></object> <priv value="READ"/> <type value="grant"/> <prop value="cascade"/> </policySpec>
<policySpec> <subject><credential targetCredType="noACMmember"/></subject> <object>< target="SigmodRecord.xml" path="/issues"/></object> <priv value="READ"/> <type value="grant"/> <prop value="cascade"/> </policySpec>
<policySpec> <subject><credential targetCredType="noACMmember"/></subject> <object>< target="SigmodRecord.xml" path ="/issues/issuesTuple/articles/ articlesTuple/abstract"/></object> <priv value="READ"/> <type value="deny"/> <prop value="no_prop"/> </policySpec> </policyBase>
![Page 54: Pag. 1 XML Security. Pag. 2 Outline Security requirements for web data. Basic concepts of XML Security policies for XML data protection and release Access](https://reader031.vdocuments.us/reader031/viewer/2022032307/56649c785503460f9492d8d4/html5/thumbnails/54.jpg)
Pag. 60
Outline
• Security requirements for web data• Basic concepts of XML• Security policies for XML data protection
and release• Access control mechanisms for XML data• XML-based specification of security
information• XML security: future trends
![Page 55: Pag. 1 XML Security. Pag. 2 Outline Security requirements for web data. Basic concepts of XML Security policies for XML data protection and release Access](https://reader031.vdocuments.us/reader031/viewer/2022032307/56649c785503460f9492d8d4/html5/thumbnails/55.jpg)
Pag. 61
Research Trends
• Secure publishing of XML documents:– A new class of information-centered applications
based on Data dissemination– Possible scenarios:
• Information commerce: digital libraries, electronic news• Intra-company information systems
• Security requirements:– Confidentiality– Integrity– Authenticity– Completeness
![Page 56: Pag. 1 XML Security. Pag. 2 Outline Security requirements for web data. Basic concepts of XML Security policies for XML data protection and release Access](https://reader031.vdocuments.us/reader031/viewer/2022032307/56649c785503460f9492d8d4/html5/thumbnails/56.jpg)
Pag. 62
Secure Publishing
Subject
Information Owner
Traditional Architecture
•The Owner is the producer of information• It specifies access control policies • It answers to subject queries
![Page 57: Pag. 1 XML Security. Pag. 2 Outline Security requirements for web data. Basic concepts of XML Security policies for XML data protection and release Access](https://reader031.vdocuments.us/reader031/viewer/2022032307/56649c785503460f9492d8d4/html5/thumbnails/57.jpg)
Pag. 63
Third-Party Architecture
•The Publisher is responsible for managing (a portion of) the Owner information and for answering subject queries
•Benefits:•Scalability•No Bottleneck
Publisher
Docs
Query
View
Subject
Owner
Subscription
![Page 58: Pag. 1 XML Security. Pag. 2 Outline Security requirements for web data. Basic concepts of XML Security policies for XML data protection and release Access](https://reader031.vdocuments.us/reader031/viewer/2022032307/56649c785503460f9492d8d4/html5/thumbnails/58.jpg)
Pag. 64
Main References
• B. Dournee, XML Security, RSA Press, 2002.
• E. Bertino, B. Carminati, E. Ferrari, and B. Thuraisingham, XML Security, Addison-Wesley, in preparation.
![Page 59: Pag. 1 XML Security. Pag. 2 Outline Security requirements for web data. Basic concepts of XML Security policies for XML data protection and release Access](https://reader031.vdocuments.us/reader031/viewer/2022032307/56649c785503460f9492d8d4/html5/thumbnails/59.jpg)
Pag. 65
Main References
• E. Bertino and E. Ferrari. Secure and Selective Dissemination of XML Documents, ACM Trans. on Information System and Security, to appear
• E. Bertino, S. Castano, e E. Ferrari. Author- X: a Comprehensive System for Securing XML Documents, IEEE Internet Computing, May 2001
• E. Bertino, S. Castano, e E. Ferrari. Securing XML Documents: the Author-X Project Demonstration, Proc. of the ACM SIGMOD Conference 2001
• E. Bertino, S. Castano, E. Ferrari, M. Mesiti. Specifying and Enforcing Access Control Policies for XML Document Sources. World Wide Web Journal, 3(3), 2000
![Page 60: Pag. 1 XML Security. Pag. 2 Outline Security requirements for web data. Basic concepts of XML Security policies for XML data protection and release Access](https://reader031.vdocuments.us/reader031/viewer/2022032307/56649c785503460f9492d8d4/html5/thumbnails/60.jpg)
Pag. 66
Main References
• Web sites:– The XML Security Page: http://www.nue.et-inf.uni-
siegen.de/~geuer-pollmann/ xml/security.html
– OASIS Consortium: http://www.oasis-open.org
– World Wide Web Consortium: http://www.w3.org