Applying Hierarchical and Role-Based Access Control to XML Documents Jason Crampton Information Security Group Royal Holloway, University of London ACM Workshop on Secure Web Services 2004 George Mason University, 29 October 2004
Applying Hierarchical and Role-Based Access Control to XML Documents Jason Crampton Outline of talk • Introduction and statement of problem • Worked example • Technical summary • Concluding remarks ACM Workshop on Secure Web Services George Mason University, Fairfax, VA, 29 October 2004
Applying Hierarchical and Role-Based Access Control to XML Documents Jason Crampton Introduction – XML XML is fast becoming the de facto standard for document-based information sharing An XML schema is a “blueprint” for XML documents • Well-formed XML documents define content and have internal tree-like structure defined by schema Becomes possible to specify very fine-grained access control policies • Only certain users may have access to a particular node in the document tree ACM Workshop on Secure Web Services George Mason University, Fairfax, VA, 29 October 2004
Applying Hierarchical and Role-Based Access Control to XML Documents Jason Crampton Introduction – Access control Traditional access control is based on a “pull” model • Client (user) requests access to resource controlled by server (operating system, DBMS, etc.) • Server processes request, makes decision and provides access to resource if appropriate Increased interest in enforcing an access control policy for published data • Information is “pushed” to subscribers • How do we enforce an access control policy defined for such information ACM Workshop on Secure Web Services George Mason University, Fairfax, VA, 29 October 2004
Applying Hierarchical and Role-Based Access Control to XML Documents Jason Crampton Introduction – Existing approaches Existing approaches to protecting published XML typically employ cryptographic techniques • XML document is encrypted with a number of different keys • Keys are distributed (via secure channel) enabling authorized user to decrypt appropriate elements of document • Encryption explicitly denies access if user does not have key These approaches suffer from at least one of two problems • Users have to manage several different keys • Complexity of cryptographic keys ACM Workshop on Secure Web Services George Mason University, Fairfax, VA, 29 October 2004
Applying Hierarchical and Role-Based Access Control to XML Documents Jason Crampton Introduction – The problem How do we implement access control policies for published XML data and (1) give each user a single key (2) limit the size of that key ACM Workshop on Secure Web Services George Mason University, Fairfax, VA, 29 October 2004
Applying Hierarchical and Role-Based Access Control to XML Documents Jason Crampton An example <acm-catalog date=" " issue=" "> <journal> <item> <name>...</name> <title>...</title> <date>...</date> <author>...</author> <volume>...</volume> <start-page>...</start-page> <number>...</number> </item> <table-of-contents> <item>...</item> ... <paper> </table-of-contents> <title>...</title> <paper>...</paper> <pages>...</pages> ... <author>...</author> </journal> <abstract>...</abstract> ... <body>...</body> <proceedings> <references>...</references> ... <bibtex-entry>...</bibtex-entry> </proceedings> </paper> ... </acm-catalog> ACM Workshop on Secure Web Services George Mason University, Fairfax, VA, 29 October 2004
Applying Hierarchical and Role-Based Access Control to XML Documents Jason Crampton A schematic view of the ACM catalog A ACM catalog B Journals A C Journal papers D Tables of contents B E E Conference proceedings C D F F Conference papers ACM Workshop on Secure Web Services George Mason University, Fairfax, VA, 29 October 2004
Applying Hierarchical and Role-Based Access Control to XML Documents Jason Crampton An access control policy Subscriber Access permitted Access forbidden A, B, C, D, E, F full A, B, D, E C, F restricted A, B, C, D E, F journal A, E, F B, C, D proceedings ACM Workshop on Secure Web Services George Mason University, Fairfax, VA, 29 October 2004
Applying Hierarchical and Role-Based Access Control to XML Documents Jason Crampton Specifying protected objects A protected object is specified using an XPath Filter expression • Identifies set of nodes in document tree • Combines (set of nodes returned by) XPath expressions using set union, intersection and difference <dsig-xpath:XPath Filter="intersect"> //journal </dsig-xpath:XPath> <dsig-xpath:XPath Filter="subtract"> //journal//body </dsig-xpath:XPath> ACM Workshop on Secure Web Services George Mason University, Fairfax, VA, 29 October 2004
Applying Hierarchical and Role-Based Access Control to XML Documents Jason Crampton Specifying simple XACPs • Subtrees have different pro- tection requirements • Want to distinguish be- 1 tween access for full sub- scribers and other types of 2 subscribers 2 • Integers denote depth of en- 3 3 3 cryption required to protect each region ACM Workshop on Secure Web Services George Mason University, Fairfax, VA, 29 October 2004
Applying Hierarchical and Role-Based Access Control to XML Documents Jason Crampton Policy enforcement Encrypt regions A, . . . , F with keys k ( A ) , . . . , k ( F ), respectively, encrypting most nested regions first • Region C is first encrypted with k ( C ) • Region B (including region C ) is encrypted with k ( B ) • Finally the whole document A is encrypted with k ( A ) Decryption is performed in reverse order • A user u with k ( A ) will decrypt the whole encrypted document and will be able to read everything except regions B, . . . , F • If u also has k ( B ) then he can decrypt region B • Finally, if u has k ( C ) then he can decrypt region C ACM Workshop on Secure Web Services George Mason University, Fairfax, VA, 29 October 2004
Applying Hierarchical and Role-Based Access Control to XML Documents Jason Crampton Key generation A trivial solution is to provide • full subscribers with all six keys • journal subscribers with keys k ( A ) , k ( B ) , k ( C ) , k ( D ) • etc. . . How do we generate the keys k ( A ) , . . . , k ( F ) so that each subscriber only requires a single key? ACM Workshop on Secure Web Services George Mason University, Fairfax, VA, 29 October 2004
Applying Hierarchical and Role-Based Access Control to XML Documents Jason Crampton The Akl-Taylor scheme Given a partially ordered set X of security labels, for all x ∈ X we define • symmetric encryption key k ( x ) • public parameter e ( x ) If u has security label x and y � x he can use k ( x ) and e ( y ) to derive k ( y ) • Used to enforce a “no read up” policy cryptographically ACM Workshop on Secure Web Services George Mason University, Fairfax, VA, 29 October 2004
Applying Hierarchical and Role-Based Access Control to XML Documents Jason Crampton The Akl-Taylor scheme (1) Choose large primes p and q and publish n = pq (2) Choose κ ∈ [2 , n − 1] such that ( κ, n ) = 1 (3) For each x ∈ X , choose a distinct prime e ( x ) (4) For each x ∈ X , define and publish e ( x ) = � y � � x e ( y ) (5) For each x ∈ X , compute secret key k ( x ) = κ e ( x ) mod n ACM Workshop on Secure Web Services George Mason University, Fairfax, VA, 29 October 2004
Applying Hierarchical and Role-Based Access Control to XML Documents Jason Crampton The Akl-Taylor scheme 2 1 s s � ❅ � ❅ � ❅ � ❅ � ❅ � ❅ 3 � ❅ 2 . 5 . 13 � ❅ s 5 s 2 . 3 . 7 s s � ❅ � ❅ � ❅ � ❅ � ❅ � ❅ � ❅ � ❅ � ❅ � ❅ � ❅ � ❅ � ❅ � ❅ � ❅ � ❅ s s s s s s 7 11 13 2 . 3 . 5 . 11 . 13 2 . 3 . 5 . 7 . 13 2 . 3 . 5 . 7 . 11 e ( x ) e ( x ) ACM Workshop on Secure Web Services George Mason University, Fairfax, VA, 29 October 2004
Applying Hierarchical and Role-Based Access Control to XML Documents Jason Crampton The Akl-Taylor scheme – Key derivation Let y � x and suppose the holder of k ( x ) wishes to compute k ( y ) Then he computes κ e ( x ) � e ( y ) / e ( x ) � ( k ( x )) e ( y ) / e ( x ) mod n = mod n = κ e ( y ) mod n = k ( y ) Note that y � x iff e ( x ) | e ( y ) by construction • The holder of k ( x ) can always compute k ( y ) if y � x • The holder of k ( x ) cannot feasibly compute k ( y ) if y � � x (under the RSA assumption) ACM Workshop on Secure Web Services George Mason University, Fairfax, VA, 29 October 2004
Applying Hierarchical and Role-Based Access Control to XML Documents Jason Crampton Policy hierarchies Policy statement is a pair ( o, d ), s ( F, 3) where o is a subtree and d is the ( C, 3) s ( D, 3) s ❆ ✁✁✁✁ depth of encryption ❆ s ( E, 2) ❆ ✡ ( B, 2) ❆ ✡ s ❅ Partial order on set of policy state- ✡ ❅ ✡ ❅ ments forms a policy hierarchy ❅ ✡ • ( o, d ) � ( o ′ , d ′ ) iff d � d ′ and o s ( A, 1) is contained in o ′ ACM Workshop on Secure Web Services George Mason University, Fairfax, VA, 29 October 2004
Recommend
More recommend
