Securing XML Documents with AuthorX

1
Securing XML Documents with Author-X

• Elisa Bertino University of Milan
• Silvana Castano University of Milan
• Elena Ferrari University of Como
• Presented by
  
• Michael Alexandrou

2
OUTLINE

• Introduction of the problem, introduction
• of the java based Author- X system.
• Credential-Based Security policies
• System Architecture
• X-Access Dissemination modes
• X-Admin Facilities
• Conclusion

3
Introduction

• XML provides for fine granularity of information
  retrieval because the elements of an XML document
  can be retrieved by XML Queries directly and
  independently
• Fine granularity requires mechanisms to control
  the access at the varying levels of the document
• The setting is a typical three tier architecture

4
(No Transcript)
5
Introduction (continued)

• Author-X is a java based system developed at the
  University of Milans Department of Information
  Science
• Author-X addresses the security issues of access
  control and policy design of XML documents

6
Author-X

• Support for the specification of security
  policies at varying granularity levels
• Support for the specification of user credentials
• Support for content based access control
• Support for controlled release of XML documents
  according to the Push Dissemination and Pull
  Dissemination Modes
• Document updates are distributed through hash
  functions and digital signature techniques

7
Author-X (continued)

• In general security policies state who can access
  what under what conditions
• In Author-X security policies
• Can be set-oriented or instance-
• oriented
• Can be positive or negative
• Include options for controlled
• propagation of access rights
• Include Credential based qualifications
• for users

8
Credential based Security Policies

• Six components implement the security policies of
  Author-X. These are
• User Credentials
• Protection Objects
• Access Modes
• Signs
• Propagation Options
• Policy Base

9
User credentials

• Credentials are a set of properties relevant to
  security policies
• Credential Type is a group of credentials with
  similar structures
• Credentials and Credential Types are encoded by
  an XML language
• XPath expressions that set conditions on
  credentials and credential properties can be used
  to qualify a user

10
User credentials (continued)

• The XPath
• //carrier_employeecompany CCX
• selects all carrier employees that work for
• the company CCX. These employees are
• assigned credentials when subscribe to
• the system as the Figure 2 shows
• XPath is a language for finding information in an
  XML document. XPath is used to navigate through
  elements and attributes in an XML document

11
User credentials (continued)

• XPath treats XML documents as trees of nodes
• XPath uses path expressions to select nodes or
  node-sets in an XML document
• Path expressions look very much like the
  expressions you see when you work with a
  traditional computer file system

12
(No Transcript)
13
User credentials (continued)

• For the rest of the presentation we follow the
  example of the paper. This setting refers to a
  purchase order XML document
• The root element is purchase_order
• Children of root
• Item, Customer, Carrier
• Attributes of root
• Date, OrderId

14
(No Transcript)
15
Protection Objects

• All instances of a given DTD
• Collections of XML documents (well formed or
  valid)
• Selected portions within one or more documents
  (such as elements, attributes, or links or a set
  of any of these)
• Author-X allows the security administrator to
  overwrite the security policy applied on a
  protection object

16
Access Modes

• Browsing
• Allows a user to read information on a
• protection object or navigate through its
• links
• Authoring
• Allows a user to modify (append, write,
• delete, insert) protection objects
  
  
  
  

17
Signs

• Permission or Denial
• This feature allows the security administrator to
  overwrite a policy on a protection object
• Author-X uses strongest-policy principle to solve
  conflicts
• Policies on specific documents prevail
• those in DTD
• Policies on lower level prevail those on
• higher level

18
Propagation Options

• Implicit (automatically)
• DTD-level policies propagate to
• instances
• Policies on specific document or DTD
• element propagate to all associate
• attributes and links

19
Propagation Options (continued)

• Explicit (are stated explicitly)
• NO_PROP
• FIRST_LEVEL
• CASCADE
• The security administrator can overwrite
• the implicit options of propagation

20
Policy Base

• All security policies for an XML source are
  encoded in an XML file called policy base
• In Figure 4 there are five security policies in
  the policy base file
• policy_base is the root of the document
• policy_spec is an element
• cred_expr, path (attrs of policy_spec)
• have values XPath expressions

21
Policy Base (continued)

• target, priv, type, prop are all attributes of
  policy_spec with values that reflect the security
  policies
• Example, the first element on Figure 4 encodes
  the policy that allows the secretaries of the
  sales department to modify and browse all
  purchase orders
• documents

22
(No Transcript)
23
System Architecture

• XML source
• X-bases repositories
• X-Access
• X-Admin

24
(No Transcript)
25
X-bases repositories

• Policy base
• Contains the security policies for the
• documents and DTDs
• Credential base
• Contains the user credentials and
• credential types
• Encrypted document base
• Contains encrypted copy of portions
• of the documents in XML source

26
X-bases repositories (continued)

• Credentials, credential types, and security types
  are encoded in XML
• XML makes them interoperable with one another
• XML facilitates secure submission and
  distribution of them
• XML simplifies information exportation from one
  source to another

27
Java Components

• X-Access implements the access control
• X-Access uses security policies and credentials
  to implement access control
• There are two modes in X-Access
• Pull-Mode and Push-Mode Operations
• X-Admin Facilities
• Provides tools to assist the security
• administrator in managing policies and
• credentials

28
Pull-Modes Operations

• Release of view upon request
• User submits
• r
• Subject is the user requesting, target is the
  requested XML doc, path is the XPath expr that
  selects the portions of the requested doc and
  acc_modality is the type of access requested
  (browsing or authoring)

29
Pull-Modes Operations (continued)

• Pruning phase. X-Access queries the policy base
  for all browsing or authoring (depending on the
  request) policies on the target XML doc
• If query returns empty access denied otherwise
  the algorithm iteratively considers each policy
  and marks the elements and attributes with or
  -.

30
Pull-Modes Operations (continued)

• The minus signs and the unmarked are pruned from
  the target view and the path expression is
  evaluated against the doc
• Example
• rderID2030/item, browsing
• The target doc is Purchase_order.xml

31
Pull-Modes Operations (continued)

• XPath is //Purchase_order_at_orderID2030/item
• Mode is browsing
• Querying the policy base file in Figure 4 we
  select only the browsing (view) mode and then
  reject the minus signs (deny). We are left with 3
  policies and applying these policies on the
  Purchase_order.xml we end up with a pruned doc.
  We evaluate the XPath against the pruned doc and
  select all item elements and date

32
(No Transcript)
33
Push-Modes Operations

• System Periodically broadcasts to viewers
• Different viewers have different viewing rights
• Instead of generating different views of
  different users Author-X generates the same view
  to all subjects with encrypting different
  portions of it with different keys for different
  security policies.
• Push-Modes Operations for both browsing and
  authoring access

34
Browsing access for Push mode

• From the policy base in Figure 4
• All secretaries will receive all keys K1,K2,K3,K4
  because they have browsing access to all portions
• All carrier employees will receive K1 - browsing
  rights to date and customer
• All publicity agents will receive K3,K4
  browsing rights to purchase order, description

35
(No Transcript)
36
Browsing access for Push mode (continued)

• Two different key distribution methods
• Online (Documents and keys together)
• Offline (keys are retrieved through further
  interactions with the system
• Two different ways of online key distribution
• One way is to place all keys with the doc in one
  package

37
Browsing access for Push mode (continued)

• Every user gets the same package, then with
  his/her private unlocks his keys to decrypt the
  corresponding portions
• A great number of users means great number of
  keys
• All keys in one place. One could delete keys and
  launch a denial of service attack

38
Browsing access for Push mode (continued)

• The second way of online key distribution is to
  send the keys to subjects with secure email
  technique
• In the offline mode only the encrypted doc is
  sent to the users
• Keys are stored at the server using the
  Lightweight Directory Access Protocol

39
Authoring access for Push mode

• In the case where XML documents flow from one
  subject to another along a predefined
  distributed and cooperative update path the
  following authoring access is achieved Encrypted
  document with respective keys are sent to all
  users. Users use the key to decrypt received
  document and can modify only the authorized
  portions

40
Authoring access for Push mode (continued)

• Example monthly report might first be modified
  by a secretary, for example, then signed by a
  manager, and passed along up the chain of
  command.

41
(No Transcript)
42
X-Admin Facilities

• There are two tools to assist the security
  administrator
• Credential manager. Supports the sec. admn. in
  specifying and maintaining credential types and
  associated credentials
• Policy Manager. Supports the sec. admn. in
  specifying the security policies, with
  specification forms

43
X-Admin Facilities (continued)

• Credential Manager and Policy Manager are build
  on top of five facilities
• The Document/DTD viewer. Displays target XML
  documents or DTD. Similar to conventional XML
  editing and parsing tools
• The Policy viewer. Displays the users and the XML
  documents related to a given policy

44
X-Admin Facilities (continued)

• The propagation viewer. Displays all policies on
  a given target document by using all explicit and
  implicit propagation principles
• The Conflict viewer. Shows all policy conflicts
  for the target document or DTD and also shows the
  default conflict resolution based on the
  strongest-policy principle

45
X-Admin Facilities (continued)

• The Credential viewer. Displays the structure of
  credential types and user credentials, provides
  an editing environment for specifying credential
  expressions

46
(No Transcript)
47
X-Admin Facilities (continued)

• Because documents and security-related
  information are specified in XML syntax, viewer
  facilities work internally on document object
  model (DOM) representations
• Document Object Model. A platform- and
  language-neutral interface that allows programs
  and scripts to dynamically access and update the
  content, structure and style of documents

48
Conclusion

• The authors believe that XML is the most standard
  for information exchange and interoperability
• XML access control will constitute the core
  security mechanism of web based enterprise
  archtectures