Selective and Authentic Third-Party distribution of XML Documents - Yashaswini Harsha Kumar - Netaji Mandava (Oct 16 th 2006)

Contents  Terminology  Security Properties  XML Overview  Merkle Hash function  Access Control Model  Architecture  Actor Interactions  References

Terminology  Owner : Producer of information  Publisher : Manages the owner information and answers subject queries.  Subject : A person who produces queries for documents.  Merkle Hash Trees : A Merkle hash tree is a tree of hashes in which the leaves are hashes of data blocks in, for instance, a file or set of files. Nodes further up in the tree are the hashes of their respective children. For example, in the picture to the right hash 0 is the result of hashing hash 0-0 and then hash 0-1. That is, hash 0 = hash( hash 0-0 | hash 0-1 ).

Security properties  Document Source Authenticity :  Document Source Authenticity : The subject receiving a document is assured that the contents of the document originated at the claimed source.  Document Contents Authenticity:  Document Contents Authenticity: The integrity of the document received by a subject with respect to the original document is respected.   Completeness of Response : A subject must be able to verify that he or she has received all the document(s) (or portion(s) of document(s)) that is entitled to access, according to the stated access control policies.

XML revisited…(1)  Nested and tagged XML elements.  Attributes.  Label : Set of element tags and attribute names.  Value : A set of attribute/element values.

XML revisited…(2)  Is an XML document a tuple?

XML revisited…(3)

XML revisited…(4) Edges: element – attribute, element – sub element Link Edges: Links between elements (IDREF).

Merkle Hash function  Ensures Authenticity of the document as well as the schema.  Associate a hash value with each node in the graph representation of the XML document.  The hash value of a node is obtained by applying a hash function over the concatenation of its children.  The hash values are computed using the Merkle Hash Function.

Merkle Hash Function (Mh)

MhXd…  Collision Resistant Hash function (CRHF): hash() is a CRHF if it is hard to find two different messages m1 and m2 such that hash(m1) = hash(m2).  Codomain of MhXd: the codomain of a function f : X → Y is the set Y. Hash is a mapping from a domain (usually called keys) into a codomain (usually called values)

Keypoints   If a subject knows the correct Merkle hash value of a node, the Publisher cannot forge the value of the descendant children.   The Publisher returns the Merkle Hash value of the of the root of an XML document d, along with the query result. The Publisher receives the hash value of the root from the Owner.   The Merkle hash value of the root of the document is critical; therefore, it is signed by the Owner (known as as Merkle Signature) and is verified by the subject. (Please refer to the paper for details on generating the Merkle Signature.)

Access Control Model for XML Documents(1)  Subjects are qualified by means of credentials.   A credential is a set of properties concerning a subject that are relevant for security purposes (for example, age, position within an organization).   Credentials are encoded using an XML-based language, called X-Sec.   Access control policies specify conditions on the credentials and properties of the credentials, using an XPath-compliant language.

Access Control Model(2) The access control model provides varying access granularity levels and can express policies that apply to: 1) 1) all the instances of a DTD/XML Schema 2) 2) collections of documents not necessarily instances of the same DTD/XMLSchema 3) 3) selected portions within a document(s), or a link (or a set of links).

Access Control Model(3)  Access control policies are encoded using X-Sec.  Policy Base: The  Policy Base: The XML file encoding the access control policies of the Owner.

System Architecture (1)

Architecture (2)  Relies on the distinction between the Owner and the Publisher.  The Owner - specifies the access control policies. - sends the Publisher the documents he is entitled to manage along with - sends the Publisher the documents he is entitled to manage along with information on which subjects can access which portions of the document according to the access control policies it has specified. - sends the Publisher, the Merkle Signature of the document. (optional) - The above - The above additional information is encoded in XML and attached to the original document, forming the so-called security enhanced XML document. The structure of the original XML document is also supplied by the Owner in the form of an XML document called secure structure. - The structure of the original XML document is also supplied by the Owner in the form of an XML document called secure structure.

Architecture (3)  The Subject - Registers with the Owner during the mandatory subscription phase. - Receives the subject policy configuration from the Owner in a secure manner. - Submits queries to the Publisher (along with its policy configuration). - Receives a view of the requested document(s). - Verifies authenticity of the answer (for authenticity and completeness).

Architecture (4)  The Publisher - Receives documents, access control policies, secure structure and optional Merkle Signature from the Owner. - On receiving a query from a Subject, the Publisher computes a view of the requested document(s) - On receiving a query from a Subject, the Publisher computes a view of the requested document(s) which contains all and only those portions of the requested document(s) for which the subject has an authorization according to the access control policies in place at the Owner site. - Responds to the Subjects’ query with a Reply Document (view + hash values computed over parts of the document not contained in the view)

Subject – Owner Interaction(1)

Subject – Owner Interactions(2) Policies P1 and P2 apply to Alice Brown. Only policy P6 applies to Tom Moore. Thus, the policy configuration of Alice Brown and Tom Moore are, respectively, the signatures of the identifiers 1, 2, and 6 with the Owner’s private key.

Owner – Publisher Interaction (1)  Security Enhanced XML Document: Which access control policies apply to the corresponding document? - Policy information is specified at the element level. - Policy Configuration (PC) is an additional attribute of the corresponding element whose value is the ‘set’ of policies that apply to the element. It is represented as a string of hexadecimal values. PC should not be confused with Subject Policy Configuration. Each policy in the set is identified by a policy identifier unique to the Policy base. - The element ‘Policy’ in the security enhanced XML document contains the identifiers of all policies. (Refer to the paper for the formal definition of the Security Enhanced XML Document.)

Owner – Publisher Interaction(2)  Secure Structure: The secure structure of the XML document is generated by hashing with a standard hash function, each tag and attribute name.

Subject – Publisher Interaction(1)  Subject ‘s’ submits a query + his/her policy specification to a Publisher.  Publisher determines the set of nodes that need to be returned to ‘s’.  The Publisher also computes the additional information required by ‘s’ for authentication and completeness verification.  The set of nodes and additional information are organized into a an XML document called Reply Document.

Subject – Publisher Interaction(2)  Reply Document s : Subject s : Subject q : query from Subject ‘s’ PC(s) : Policy Configuration for Subject ‘s’ View() : is a function Input : q and PC(s) Output : well formed XML document with answer nodes for which ‘s’ has necessary authorization. (Refer to the paper for the formal definition of the Reply Document)

Subject – Publisher Interaction(3)  Relative Merkle Hash Path:

Reply Document Generation(3)  Evaluate() :  Evaluate() : takes as input a query ‘q’ submitted on document ‘d’, and returns a well-formed XML document ‘r’ containing all and only the nodes satisfying ‘q’.  ReBuild() :  ReBuild() : takes as input the obtained set of nodes and transforms them into a well- formed XML document. (Please refer to the paper for the algorithm.)

Reply Document Generation(2)  Function Evaluate() returns a well formed XML document ‘r’ containing all nodes satisfying ‘q’.  Determine the access control policies that apply to each node in ‘r’.  Remove nodes that ‘s’ is not authorized to access.  Replace all attributes in ‘r’ with an AttributeElement element.  An additional attribute called MPath is inserted in each node to be returned.  Insert the Merkle signature of document ‘d’.  Rebuild ‘r’.

Subject Verification   Upon receiving a reply document and a secure structure, the Subject can verify the authenticity and the completeness of the corresponding query answer.

Authenticable Element

Authentic Element

Completeness Verification  Difficult,  Difficult, greatly depends on the kinds of queries that are submitted to a Publisher.   Types of Queries: - structure queries - content-dependent queries

Attack Analysis  Subject attacks  Publisher attacks

Performance Issues  Update management  Storage complexity of security related information

One attribute for the Merkle signature, and atmost 2Ne attributes representing the PC, and PCAttr attributes, respectively. let Np be the number of access control policies that apply to document d. The size of the policy configuration of an element e in d is Np/4 characters. let Na be the number of attributes associated with an element e, the size of the policy configuration of attributes of e is Na*(Np/4) characters. Thus in the worst case, the size of the original document is increased of Ne*(Np/4 + NAttr*Np/4) SE-XML version

HashSize *Nce +sum fEpath(e) HashSize*(2 + lsib(f)l ) Reply document

Related Work

Conclusions

References   

Backup Slides

Credential base policy base XML Source User/Subject Owner Publisher Query Reply document SE-XML credentials