Applying Hierarchical and Role-Based Access Control to XML Documents (PowerPoint presentation)



SLIDE 1

Applying Hierarchical and Role-Based Access Control to XML Documents

Jason Crampton

Information Security Group Royal Holloway, University of London

ACM Workshop on Secure Web Services 2004

George Mason University, 29 October 2004

SLIDE 2

Applying Hierarchical and Role-Based Access Control to XML Documents Jason Crampton

Outline of talk

  • Introduction and statement of problem
  • Worked example
  • Technical summary
  • Concluding remarks

ACM Workshop on Secure Web Services George Mason University, Fairfax, VA, 29 October 2004

SLIDE 3

Introduction – XML

XML is fast becoming the de facto standard for document-based information sharing. An XML schema is a “blueprint” for XML documents.

  • Well-formed XML documents define content and have an internal tree-like structure; the schema defines which structures are valid

It becomes possible to specify very fine-grained access control policies.

  • Only certain users may have access to a particular node in the document tree


SLIDE 4

Introduction – Access control

Traditional access control is based on a “pull” model

  • Client (user) requests access to a resource controlled by a server (operating system, DBMS, etc.)
  • Server processes the request, makes a decision and provides access to the resource if appropriate

There is increased interest in enforcing an access control policy for published data

  • Information is “pushed” to subscribers
  • How do we enforce an access control policy defined for such information?


SLIDE 5

Introduction – Existing approaches

Existing approaches to protecting published XML typically employ cryptographic techniques

  • The XML document is encrypted with a number of different keys
  • Keys are distributed (via a secure channel), enabling an authorized user to decrypt the appropriate elements of the document
  • Encryption denies access to any user who does not hold the corresponding key

These approaches suffer from at least one of two problems

  • Users have to manage several different keys
  • The cryptographic keys themselves are complex (large)


SLIDE 6

Introduction – The problem

How do we implement access control policies for published XML data and

  (1) give each user a single key
  (2) limit the size of that key?


SLIDE 7

An example

<acm-catalog date=" " issue=" ">
  <journal>
    <name>...</name>
    <date>...</date>
    <volume>...</volume>
    <number>...</number>
    <table-of-contents>
      <item>...</item>
      ...
    </table-of-contents>
    <paper>...</paper>
    ...
  </journal>
  ...
  <proceedings>
    ...
  </proceedings>
  ...
</acm-catalog>

<item>
  <title>...</title>
  <author>...</author>
  <start-page>...</start-page>
</item>

<paper>
  <title>...</title>
  <pages>...</pages>
  <author>...</author>
  <abstract>...</abstract>
  <body>...</body>
  <references>...</references>
  <bibtex-entry>...</bibtex-entry>
</paper>


SLIDE 8

A schematic view of the ACM catalog

  A  ACM catalog
  B  Journals
  C  Journal papers
  D  Tables of contents
  E  Conference proceedings
  F  Conference papers

(Figure: the six regions drawn as nested boxes of the catalog: A contains B and E; B contains C and D; E contains F)

SLIDE 9

An access control policy

  Subscriber     Access permitted       Access forbidden
  full           A, B, C, D, E, F       –
  restricted     A, B, D, E             C, F
  journal        A, B, C, D             E, F
  proceedings    A, E, F                B, C, D


SLIDE 10

Specifying protected objects

A protected object is specified using an XPath Filter expression

  • Identifies a set of nodes in the document tree
  • Combines (the sets of nodes returned by) XPath expressions using set union, intersection and difference

  <dsig-xpath:XPath Filter="intersect">
    //journal
  </dsig-xpath:XPath>
  <dsig-xpath:XPath Filter="subtract">
    //journal//body
  </dsig-xpath:XPath>

This expression selects every journal element together with its descendants, and then removes the bodies of the journal papers.
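The following is an added example, not code from the paper: it evaluates Filter steps like the ones above as set operations on the node set of a small constructed catalog, using only the Python standard library. The catalog text is made up to follow the schema of slide 7; ElementTree accepts only relative paths, so the absolute `//journal` of the slide is rewritten as `.//journal`. The semantics are simplified (steps applied strictly left to right; the XPath Filter 2.0 specification groups consecutive union steps first).

```python
"""Evaluate XPath Filter style steps as node-set operations (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample catalog following the schema sketched on slide 7.
CATALOG = """<acm-catalog>
  <journal>
    <name>TISSEC</name>
    <table-of-contents><item><title>t1</title></item></table-of-contents>
    <paper><title>p1</title><abstract>a1</abstract><body>b1</body></paper>
  </journal>
  <proceedings>
    <paper><title>p2</title><body>b2</body></paper>
  </proceedings>
</acm-catalog>"""

# The protected object of slide 10, as (Filter, XPath) steps.
JOURNALS_WITHOUT_BODIES = [("intersect", "//journal"),
                           ("subtract", "//journal//body")]


def subtree(elem):
    """An element together with all of its descendants."""
    return set(elem.iter())


def select(root, xpath):
    """Evaluate an absolute '//tag' XPath against the root element.

    ElementTree only accepts relative paths, so '//x' becomes './/x'.
    Each hit is expanded to its whole subtree, as XPath Filter does.
    (A path naming the root element itself would not match with this
    rewrite; the slide's paths all select descendants.)
    """
    rel = "." + xpath if xpath.startswith("/") else xpath
    nodes = set()
    for hit in root.findall(rel):
        nodes |= subtree(hit)
    return nodes


def evaluate(root, steps):
    """Apply Filter steps left to right to the running node set, which
    starts out as the whole document. Simplification: XPath Filter 2.0
    groups consecutive 'union' steps before applying them."""
    current = subtree(root)
    for flt, xpath in steps:
        selected = select(root, xpath)
        if flt == "intersect":
            current &= selected
        elif flt == "subtract":
            current -= selected
        elif flt == "union":
            current |= selected
        else:
            raise ValueError(f"unknown filter {flt!r}")
    return current


def region_tags(xml_text, steps):
    """Sorted, de-duplicated tag names of the protected object."""
    root = ET.fromstring(xml_text)
    return sorted({e.tag for e in evaluate(root, steps)})


if __name__ == "__main__":
    print(region_tags(CATALOG, JOURNALS_WITHOUT_BODIES))
```

The check worth keeping from this is the last one: after the subtract step no `body` element survives, and nothing from `proceedings` was ever selected, which is exactly the node set the policy author intended to protect.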


SLIDE 11

Specifying simple XACPs

  • Subtrees have different protection requirements
  • Want to distinguish between access for full subscribers and other types of subscribers
  • Integers denote the depth of encryption required to protect each region

(Figure: the catalog diagram annotated with depths: 1 for A, 2 for B and E, 3 for C, D and F)

SLIDE 12

Policy enforcement

Encrypt regions A, …, F with keys k(A), …, k(F) respectively, encrypting the most deeply nested regions first

  • Region C is first encrypted with k(C)
  • Region B (including the already encrypted region C) is encrypted with k(B)
  • Finally the whole document A is encrypted with k(A)

Decryption is performed in the reverse order

  • A user u with k(A) can decrypt the whole encrypted document and read everything except regions B, …, F
  • If u also has k(B) then he can decrypt region B
  • Finally, if u has k(C) then he can decrypt region C


SLIDE 13

Key generation

A trivial solution is to provide

  • full subscribers with all six keys
  • journal subscribers with keys k(A), k(B), k(C), k(D)
  • etc.

How do we generate the keys k(A), …, k(F) so that each subscriber only requires a single key?


SLIDE 14

The Akl-Taylor scheme

Given a partially ordered set X of security labels, for all x ∈ X we define

  • a symmetric encryption key k(x)
  • a public parameter e(x)

If u has security label x and y ≤ x, he can use k(x) and e(y) to derive k(y)

  • Used to enforce a “no read up” policy cryptographically


SLIDE 15

The Akl-Taylor scheme

  (1) Choose large primes p and q and publish n = pq
  (2) Choose κ ∈ [2, n − 1] such that gcd(κ, n) = 1
  (3) For each x ∈ X, choose a distinct prime p(x)
  (4) For each x ∈ X, define and publish $e(x) = \prod_{y \not\leq x} p(y)$ (the product of the primes of all labels that are not below x)
  (5) For each x ∈ X, compute the secret key $k(x) = \kappa^{e(x)} \bmod n$

(The prime of step 3 is written p(x) here to keep it distinct from the published product e(x) of step 4.)


SLIDE 16

The Akl-Taylor scheme

Example: six labels in a Hasse diagram, drawn with the greatest label at the bottom (the label with prime 2 is the maximum; 7, 11 and 13 are the minimal labels). Left: the distinct prime p(x) chosen for each label. Right: the published value $e(x) = \prod_{y \not\leq x} p(y)$ of the same label.

  p(x)                        e(x)
  7       11       13         2·3·5·11·13   2·3·5·7·13   2·3·5·7·11
      3        5                      2·5·13        2·3·7
          2                                   1

  Order (labels named by their primes): 7 ≤ 3, 11 ≤ 3, 11 ≤ 5, 13 ≤ 5, 3 ≤ 2, 5 ≤ 2.
  For instance, the labels below 3 are 7, 11 and 3 itself, so e(3) = 2·5·13; nothing is outside the maximum, so e(2) = 1.


SLIDE 17

The Akl-Taylor scheme – Key derivation

Let y ≤ x and suppose the holder of k(x) wishes to compute k(y). Then he computes

  $k(x)^{e(y)/e(x)} \bmod n = \kappa^{e(x)\, e(y)/e(x)} \bmod n = \kappa^{e(y)} \bmod n = k(y)$

Note that y ≤ x iff e(x) | e(y), by construction

  • The holder of k(x) can always compute k(y) if y ≤ x
  • The holder of k(x) cannot feasibly compute k(y) if y ≰ x (under the RSA assumption)


SLIDE 18

Policy hierarchies

A policy statement is a pair (o, d), where o is a subtree and d is the depth of encryption. The partial order on the set of policy statements forms a policy hierarchy

  • (o, d) ≥ (o′, d′) iff d ≥ d′ and o is contained in o′ (the more deeply nested statement is the greater one, so (C, 3) ≥ (B, 2) ≥ (A, 1))

(Figure: Hasse diagram of the policy hierarchy for the example, greatest elements at the bottom: (A, 1) at the top; (B, 2) and (E, 2) below it; (C, 3) and (D, 3) below (B, 2); (F, 3) below (E, 2))


SLIDE 19

Key hierarchies

Associate keys with roles (subscriber classifications)

  • k′ for full subscribers
  • k for journal subscribers
  • · · ·

Apply Akl-Taylor to the key hierarchy

  • k′ can be used to derive all other keys

(Figure: the policy hierarchy relabelled with keys, k(A) at the top, k(B) and k(E) below it, k(C) and k(D) below k(B), k(F) below k(E); extended with the journal key k below k(C) and k(D), and the full-subscriber key k′ at the bottom below k and k(F))


SLIDE 20

Applying Akl-Taylor

(Figure: the key hierarchy of the previous slide, annotated with the prime p(x) chosen for each node and the resulting key $k(x) = \kappa^{e(x)} \bmod n$)

  Node     p(x)    k(x)
  k(A)     19      κ^(2·3·5·7·11·13·17)
  k(B)     13      κ^(2·3·5·7·11·17)
  k(E)     17      κ^(2·3·5·7·11·13)
  k(C)      5      κ^(2·3·7·11·17)
  k(D)      7      κ^(2·3·5·11·17)
  k(F)     11      κ^(2·3·5·7·13)
  k         3      κ^(2·11·17)
  k′        2      κ

  (all exponentiations mod n)
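As an added worked example (Python, not code from the paper), the Akl-Taylor construction of slide 15 run over the eight-node key hierarchy of the last two slides, producing the exponents tabulated above and then exercising key derivation in both the permitted and the refused direction. The covering relation and the mapping of primes to nodes are reconstructed from the exponents on this slide; the modulus n = 1009·1013 and the base κ are toy values chosen for illustration only and are far too small for real use.

```python
"""Akl-Taylor key assignment over the slide's key hierarchy (added example)."""
from functools import reduce
from math import gcd
from operator import mul

# Hasse diagram of the key hierarchy: (lower, upper) means lower <= upper,
# so the holder of the upper key may derive the lower key.
COVERS = [("A", "B"), ("A", "E"), ("B", "C"), ("B", "D"), ("E", "F"),
          ("C", "journal"), ("D", "journal"), ("journal", "full"), ("F", "full")]

# Distinct prime p(x) per node; mapping reconstructed from the slide.
PRIMES = {"A": 19, "B": 13, "E": 17, "C": 5, "D": 7, "F": 11,
          "journal": 3, "full": 2}

# Toy RSA modulus and base, for illustration only. A real deployment needs
# primes of RSA size so that factoring n (and hence inverting the
# exponentiation) is infeasible.
P, Q = 1009, 1013
N = P * Q
KAPPA = 12345


def below(covers):
    """Reflexive-transitive closure: below[x] = {y : y <= x}."""
    nodes = {n for edge in covers for n in edge}
    lower = {x: {x} for x in nodes}
    changed = True
    while changed:                       # propagate until a fixpoint
        changed = False
        for lo, hi in covers:
            if not lower[lo] <= lower[hi]:
                lower[hi] |= lower[lo]
                changed = True
    return lower


def public_exponents(covers, primes):
    """Step 4: e(x) = product of p(y) over every y that is NOT below x."""
    lower = below(covers)
    return {x: reduce(mul, (primes[y] for y in primes if y not in lower[x]), 1)
            for x in lower}


def secret_keys(exps, kappa, n):
    """Step 5: k(x) = kappa^e(x) mod n."""
    return {x: pow(kappa, e, n) for x, e in exps.items()}


def derive(k_x, e_x, e_y, n):
    """Holder of k(x) computes k(y) = k(x)^(e(y)/e(x)) mod n.

    Possible exactly when e(x) divides e(y), i.e. when y <= x; the
    divisibility test is the access check, not a convenience.
    """
    if e_y % e_x:
        raise PermissionError("e(x) does not divide e(y): y is not below x")
    return pow(k_x, e_y // e_x, n)


def demo():
    """Journal subscriber derives k(C); the holder of k(C) cannot reach k(E)."""
    assert gcd(KAPPA, N) == 1
    e = public_exponents(COVERS, PRIMES)
    k = secret_keys(e, KAPPA, N)
    derived_ok = derive(k["journal"], e["journal"], e["C"], N) == k["C"]
    try:
        derive(k["C"], e["C"], e["E"], N)
        blocked = False
    except PermissionError:
        blocked = True
    return derived_ok, blocked


if __name__ == "__main__":
    print(public_exponents(COVERS, PRIMES))
    print(demo())
```

Two things to take from running it: e(full) is 1, so the full subscriber's key is κ itself and derives everything, and e(journal) = 2·11·17 divides e(C) = 2·3·7·11·17 but e(C) does not divide e(E), which is why the second derivation is refused. The exponent sizes also make the cost visible: e(A) carries one prime for every other node, which is the growth slide 27 returns to.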


SLIDE 21

Summary of formal aspects

Protected objects are specified using XPath Filter expressions. Policy statements are pairs (o, d_e)

  • o is determined by an XPath Filter expression
  • d_e is the depth of encryption
  • d_e ≤ d, where d is the depth of o in the XML document tree

Policy statements are partially ordered

  • (o, d) ≥ (o′, d′) iff o ⊆ o′ and d ≥ d′

The policy hierarchy is embedded into the role hierarchy

  • Keys are associated with roles
  • Keys are generated using the Akl-Taylor scheme


SLIDE 22

Advantages

Users have a single key

  • Miklau and Suciu distribute several keys to users
  • The example in the paper includes 8 keys

Complexity of keys much reduced (compared to the scheme of Bertino et al)

  • Largest key in the example in our scheme is κ^(2·3·5·7·11)
  • Largest key in the scheme of Bertino et al contains 16 large primes in the exponent

Makes use of RBAC

  • Most schemes for protection of XML documents are based on an access control matrix


SLIDE 23

Limitations

Only applies to nested sub-trees of the document. How do we implement a policy that includes a sigsac subscriber?

  • Has full access to TISSEC and the proceedings of SACMAT and CCS
  • These regions of the catalog have a non-empty intersection with the restricted and journal subscriber categories

How do we implement a policy that has conflicting requirements?

  • Ensure that the policy doesn’t have conflicting requirements!
  • This may not be an issue with published data


SLIDE 24

User views using Akl-Taylor and XSLT

Transform the document so that every element t in the schema includes a priority attribute

  • The value of this attribute is e(x), where x is the XPath filter (protected object) that contains t

For each class of subscriber, generate a view using a transformation that

  • takes the subscriber's value e(x) as a parameter
  • only outputs an element if e(x) divides the priority attribute of the element


SLIDE 25

A prioritized catalog

<acm-catalog prty="2.3.5.7.11.13.17">
  <journal prty="2.3.5.7.11.17">
    <name>...</name>
    <date>...</date>
    <volume>...</volume>
    <number>...</number>
    <table-of-contents prty="2.3.5.11.17">
      <item>...</item>
      ...
    </table-of-contents>
    <paper prty="2.3.7.11.17">...</paper>
    ...
  </journal>
  ...
  <proceedings prty="2.3.5.7.11.13">
    ...
  </proceedings>
  ...
</acm-catalog>


SLIDE 26

A view of the prioritized catalog

The view for journal subscribers: “priority” equal to 2·11·17

<acm-catalog>
  <journal>
    <name>...</name>
    <date>...</date>
    <volume>...</volume>
    <number>...</number>
    <table-of-contents>
      <item>...</item>
      ...
    </table-of-contents>
    <paper>...</paper>
    ...
  </journal>
  ...
</acm-catalog>
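The following is an added example, not code from the paper, showing the view generation of slides 24 to 26 in Python with `xml.etree` instead of XSLT. The input is a constructed catalog carrying the priority attributes of slide 25 (the dotted value is read as a product of primes), and the subscriber values are e(k′) = 1 for full subscribers and e(k) = 2·11·17 for journal subscribers, taken from slide 20; the other subscriber classes do not appear in that hierarchy and are not given values here. Elements without a priority of their own inherit the nearest ancestor's; an element with no priority anywhere is dropped, which is an assumption made here so that the transform fails closed.

```python
"""Per-role user views of a prioritized catalog (added example)."""
import xml.etree.ElementTree as ET
from math import prod

# Constructed sample input with the priority attributes of slide 25.
PRIORITIZED = """<acm-catalog prty="2.3.5.7.11.13.17">
  <journal prty="2.3.5.7.11.17">
    <name>TISSEC</name><date>2004</date>
    <table-of-contents prty="2.3.5.11.17"><item><title>t1</title></item></table-of-contents>
    <paper prty="2.3.7.11.17"><title>p1</title><body>b1</body></paper>
  </journal>
  <proceedings prty="2.3.5.7.11.13">
    <paper prty="2.3.5.7.13"><title>p2</title></paper>
  </proceedings>
</acm-catalog>"""

# Subscriber values e(x) from slide 20: k' (full) and k (journal).
ROLE_E = {"full": 1, "journal": 2 * 11 * 17}


def priority(attr):
    """Parse the dotted product of primes: '2.3.5' -> 30."""
    return prod(int(t) for t in attr.split("."))


def view(elem, role_e, inherited=None):
    """Return a copy of elem if role_e divides its effective priority (its
    own prty attribute, else the nearest ancestor's), recursing into the
    children; return None to drop the whole subtree. An element with no
    priority anywhere is dropped (fail closed)."""
    pr = priority(elem.get("prty")) if "prty" in elem.attrib else inherited
    if pr is None or pr % role_e != 0:
        return None
    # The view carries no prty attributes, as on the slide.
    out = ET.Element(elem.tag, {k: v for k, v in elem.attrib.items() if k != "prty"})
    out.text = elem.text
    for child in elem:
        kept = view(child, role_e, pr)
        if kept is not None:
            out.append(kept)
    return out


def view_tags(xml_text, role):
    """Tag names present in the view for `role`, in document order."""
    v = view(ET.fromstring(xml_text), ROLE_E[role])
    return [] if v is None else [e.tag for e in v.iter()]


def view_xml(xml_text, role):
    """Serialised view for `role`."""
    v = view(ET.fromstring(xml_text), ROLE_E[role])
    return "" if v is None else ET.tostring(v, encoding="unicode")


if __name__ == "__main__":
    print(view_xml(PRIORITIZED, "journal"))
```

One caveat the slides leave implicit: this transformation is an access control decision and only protects anything when the publisher runs it before the document leaves its control. A subscriber who receives the prioritized document can ignore the attribute, so in a push setting it is the generated view, never the prioritized source, that should be distributed.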


SLIDE 27

Advantages of user views

Can be used for the push or the pull access control paradigm. Doesn’t require super-encryption on the publisher side

  • This may be important because of the expansion required by XML encryption
  • Doesn’t require multiple decryptions on the receiver side
  • End user acceptance is likely to be higher

Doesn’t require Akl-Taylor keys

  • The number of primes in the exponent of an Akl-Taylor key is proportional to the number of nodes in the hierarchy
  • This may be a limiting factor in complex applications with many roles and protected objects


SLIDE 28

Further details

Paper covers

  • Details of policy specification, including XPath Filter expressions
  • Related work and examples due to Bertino et al and to Miklau and Suciu
  • Alternative use of the Akl-Taylor scheme to create user views
  • Preliminary investigation into more complex XACPs


SLIDE 29

Future work – Immediate priorities

  • Develop a richer notion of policy

    – Possibly use the policy framework of Miklau and Suciu

  • Develop strategies for implementing complex XACPs
  • Implementation

    – XPath Filter (XML Digital Signature), XML Encryption
    – Any offers?


SLIDE 30

Future work – Longer term

  • Use of identifier-based encryption techniques to personalize access control

    – Encrypt certain information with a key derived from the subscriber’s identity

  • Complex policies may result in very large keys

    – Is it possible to specify a threshold t such that no user is given more than t keys?
    – In other words, simplify the role hierarchy but give users a small number of keys (≤ t) rather than one, in order to limit the number of primes used in key exponents


SLIDE 31

References

[1] S.G. Akl and P.D. Taylor. Cryptographic solution to a problem of access control in a hierarchy. ACM Transactions on Computer Systems, 1(3):239–248, 1983.

[2] E. Bertino, B. Carminati, and E. Ferrari. A temporal key management scheme for secure broadcasting of XML documents. In Proceedings of the 9th ACM Conference on Computer and Communications Security (CCS 2002), pages 31–40, 2002.

[3] G. Miklau and D. Suciu. Controlling access to published data using cryptography. In Proceedings of the 29th International Conference on Very Large Data Bases (VLDB 2003), pages 898–909, 2003.
