Literature Review on XML Security and Access Control to XML Documents

Page 1

www.as‐se.org/sss Studies in System Science (SSS) Volume 2, 2014

Literature Review on XML Security and Access Control to XML Documents A. A. Abd El‐Aziz Ahmend1, A. Kannan2 1

Dept. of Computer & Information Sciences, ISSR, Cairo University, Egypt

2

Dept. of Information Science & Technology, Anna University, India

1

a.ahmed@cu.edu.eg; 2Kannan@annauniv.edu

Abstract In this paper, we present a literature review on XML security and access control to XML documents. It will support the future research and development work and raise the awareness for the presented approaches. In this literature review, we present different articles that describe the XML security standards specifically XML encryption and signature, and we introduce the different approaches for access control to XML documents. Keywords: XML Security; XML Encryption; XML Signature; Access Control

Introduction Nowadays, the main requirement of Internet‐wide security standards, is applying the security to the content created, using XML. XML has been adopted widely for a great variety of applications and types of content. XML is used to apply access control on the structure and content of a document. Moreover, XML is the basis of web services protocols that rely on different XML‐based languages, such as SOAP, Web Service Definition Language (WSDL), and Universal Description Discovery and Integration (UDDI). Therefore, it is important to enforce the security of XML documents, to realize the exchange of XML documents in anonymous and untrustworthy environments, and to ensure confidentiality, integrity, authenticity, and non‐repudiation of XML documents. Xml Security Nordbotten (2009) presented about the XML security standards and web services. The XML security standards include XML signature, XML encryption, XACML, SAML, and XKMS. The web services include WS‐Security, WS‐ Trust, WS‐SecureConversation, Web Services Policy, and WS‐SecurityPolicy. Jensen et al (2009) presented about XML namespaces in the domain of XML signatures since it had critical deficiencies, which can lead to vulnerabilities through XML signature wrapping attacks. Moreover, they described the problem of namespace injection and showed an attack scenario based on this technique. Moreover, they discussed several new approaches to overcome this threat. Doroodchi et al (2009) presented about the service security based on XML and the various forms of XML‐based attacks. Moreover, they provided recommendations and countermeasures for the attacks. Ping & Laihong (2009) presented a new approach that how to use the XML encryption and signature for effective logistics data exchange. Elgedawy et al (2009) proposed a new query‐aware approach for compressing and encrypting large XML documents, while maintaining queriability over the intermediate document. Approach they proposed separated the document structure from its contents using the Ctree+ XML indexing approach. In addition to the separation, it applied context‐ free lossless encryption and compression techniques over the Ctree+ intermediate representations. Rahaman et al (2009) proposed an ontology‐based XML content distribution system to protect the document content from unauthorized users and to protect the document structure form other organizations. Almarimi & Alsahdi (2010) proposed a cryptosystem for the encryption as well as the decryption of XML documents using a hybrid of RSA and Shift cipher algorithms. This system improved the security by enhancing confidentiality, authentication, integrity, and non‐repudiation. Haron et al (2010) proposed a Document Management System (DMS) for a web environment based on C/C++. Their DMS system generated secure documents using the XML encryption. The XML signature was used in their work for signing the documents before sending them to the intended recipients. Somorovsky et al (2010) proposed a streaming‐based Web Services Security Gateway (WeSSeGa) in SOAP messages. They provided a comparison between WeSSeGa and Java XML Digital Signature API. Their experimented works showed that, the streaming‐based approach provided more performance improvements with respect to memory

96


Studies in System Science (SSS) Volume 2, 2014 www.as‐se.org/sss

consumption and the evaluation time. Liu & Chen (2011) described a prototype of XML security for a certificate management and presented the design and implementation of the XML signature and encryption. Jensen & Meyer (2011) described the techniques of attackers to intrude to web services communication even in the presence of the XML signatures and described the interrelation between the XML signatures and encryption. Ammari et al (2011) proposed a new model to act as an Intelligent XML tag classification model for the XML encryption. Their model proposed mainly improved the security and efficiency of an XML messaging system. Their model used on‐the‐fly mechanism for classifying XML messages, creating three layers, and applying fuzzy logic approach to determine which parts of the XML message needed to be secured depending on importance level attribute. Fu & Wei (2011) proposed a sequential multi‐signature scheme through a middleware technology to implement it in the electronic document system to sign and verify the HTML documents. Song & Cui (2011) proposed an electronic voting scheme of signature based on the ElGamal blind‐signature algorithm. Their program had the ability to solve voters' fraud in thee‐voting and to prevent multiple votes from the same voter. Pin‐ai & Xiang (2011) analyzed XML security and described an approach on how to apply the XML security technology to the practical integrated circuit card system, to provide confidentiality, integrity, authenticity, and non‐repudiation of the campus smart card system. Somorovsky & Schwenk (2012) analyzed the countermeasures against the new chosen‐ciphertext attack on the XML encryption proposed by Jager & Somorovsky (2011), and they showed the reasons on why the countermeasures cannot handle this attack. Moreover, they proposed two practical countermeasures against it. Wu et al (2012) proposed a technique for the analysis of the OpenXML based on Office series encryption mechanism. Quevedo‐torrero & Erickson (2012) presented a querying implementation of XML. Their framework exploited the Prolog based on data structures leading to the handling of deductive and recursive queries. Nithin & Bongale (2012) proposed a new public key cryptographic algorithm, named XML Batch Multi‐Prime RSA (XBMRSA) to encrypt the XML documents. Their algorithm was based on Multi‐Prime RSA technique. The main idea was using multiple of prime numbers to compute the modulus for both the public and private keys (N), instead of two prime numbers as in the standard RSA. Their techniques needed less computation time for the encryption of the XML documents, and it was more efficient public key cryptographic algorithm than the Standard RSA algorithm. Algarin et al (2012) presented a new UML class diagram, called an XML Schema Class Diagram (XSCD) to transition an XML schema into an UML schema. Moreover, they defined a new UML XML Role Slice Diagram (XRSD) that allowed permissions to be defined against XML schema elements in the XSCD. Finally, they transited these XSCDs into a corresponding security policy to automatically generate an XACML policy for enforcement of the XML schema at the instance level. Li‐yan & Huan (2012) proposed a design and realization of electronic commerce platform based on the XML signature. Cao et al (2013) proposed an efficient evaluation of tree pattern queries on the encrypted XML documents. They embedded each XML document in a hierarchy and created a vector, which encoded the information about each XML document. Moreover, they created a vector for tree pattern queries and matched between the two encrypted vectors. Access Control to XML Documents Lischka et al (2009) proposed the concept of deductive policies in XACML that permitted to specify policies on the Software as a Service (SaaS) service. Their deductive policies helped to deduce the decision. Mondal & Sural (2009) proposed an XML based on policy specification framework, namely, Enhanced Spatio‐Temporal Role Based Access Control (ESTARBAC) for spatio‐temporal RBAC model. Their framework described the spatio‐temporal extent. This extent provided a variety of spatio‐temporal access control policies, such as role hierarchy, separation of duty, and cardinality. Ferrini & Bertino (2009) proposed a new framework by integrating XACML and Web Ontology Language (OWL) frameworks. Therefore, it provided the features of both OWL ontologies and XACML policies, for supporting RBAC. OWL handled the role hierarchy and constraints and XACML handled the authorization policies. Dai et al (2010) proposed the architecture of Usage Control (UCON) model in web services and explained access control models and XACML. Rota et al (2010) proposed an approach to combine the advantages of the XACML policy language and OWL. Moreover, they proposed a practical privacy filtering application to filter out the required information from the XML documents with respect to a set of XACML semantic privacy policies. Bekara et al (2010) proposed a privacy aware XPACML policy language model to combine the advantages of XACML and Platform for Privacy Preferences Project (P3P). Their model allowed users and service providers to define their privacy and policies in XACML format. Chou & Huang (2010) proposed an extended XACML model, namely, EXACML to provide more secure information access to web services. Their model was an extension of XACML and based on the concepts of

97


www.as‐se.org/sss Studies in System Science (SSS) Volume 2, 2014

information flow control to avoid the leakage of information. Helil & Rahman (2010a) tried to solve the XACML complexity by proposing an extended XACML profile for RBAC by using an OWL base approach. Helil & Rahman (2010b) proposed an extension to the XACML profile for RBAC to provide constraints, such as static and dynamic separation of duty and role cardinality. Moreover, they presented an analysis for XACML profile for RBAC model. Ardagna et al (2010) proposed an extension to the XACML rules with two child elements <CredentialRequirements> and <ProvisionalActions>. The former described the credentials that the requester needed to own and the conditions that must be satisfied. The latter described the actions that the requester has to perform. Patel & Atay (2011) proposed an access control model, namely, XML to Relational Authorization Rule (X2RAC) for relational storage of the XML documents. Their model permitted the security administrators to specify all the authorization information in XML, and stored them into relations. Mourad et al (2011) proposed an approach to create XACML policies from XACML profiles. Their approaches were based on the preparation of an abstract language on top of an XACML profile specification, which was translated into an XACML policy, using their compiler. Xu et al (2011) proposed an XACML‐ARBAC profile to specify Administrative Role Based Access Control (ARBAC) polices. Moreover, they extended the Sun's XACML architecture by developing an Administrative Policy Enforcement Point (APEP) and a Lock Manger to provide the security features of a policy management. Stepien et al (2011) proposed the non‐technical XACML presentation notation, to ease the complexity of policy rules. Farooqi & North (2011) used the trust‐based access to XML databases. In trust‐based access control, threats were detected, user privileges were calculated dynamically depending on the users trust value, and the access decision is depended on matching the node trust value and the user trust value. Ma et al (2011) proposed an architecture for sharing information cross social networks, based on XACML securely and effectively. An & Park (2011) proposed an efficient access control labeling scheme. Their schema was used for processing XML queries under dynamic XML data streams securely. Their schema was based on the dynamic roles generated using prime number and group‐based prime number labeling schemas where labels were encoded with ancestor‐descendant and sibling relationships between nodes. Luo et al (2011) proposed an efficient technique, named QFilter, based on Non‐Deterministic Finite Automata (NFA). Their technique translated the user's insecure queries into secure ones, without violating the access control rules. Li & Fan (2012) proposed a combination of the RBAC model and a specific credit management system, to instantiate the model. Moreover, they used UML to explain the model, and XACML to explain the access permission between the users and objects. Chae et al (2012) proposed role attributes for access control in XML databases in which attributes were used to specify the characteristics of a role. Their method extended the XACML RBAC profile to support role attributes by proposing new entities, namely, Role Attribute Point (RAP) and Extended‐PIP (E‐PIP). RAP is used to manage the proposed role attributes. Extended‐PIP (E‐PIP) is an extension of the Policy Information Point (PIP) of XACML. It is connected to RAP to deal with role attributes. Farooqi & North (2012) used the Xlog file as a dynamic and temporary log file for XML databases. They used the Xlog files to evaluate user' behaviors by recording user' transactions and errors. Stepien et al (2012) proposed an algorithm that used a recursive process of subsumption carried out on the original set of policies for reducing the size of access control policies in XACML. The reduced policy sets decrease the risk of conflicts and improve PDP performance. Thi & Dang (2012) proposed an access control model, namely, eXtended XACML for Spatial Temporal Role based access control model with OWL (X‐STROWL). They combined XACML and OWL ontology for providing the NIST standard RBAC model with new data types and functions. Bravo et al (2012) presented techniques to solve inconsistent full and partial policies. They proposed approximate algorithms and showed that, they got reasonable results in practice. Moreover, they evaluated the algorithms and showed that, the consistency and insert–update‐delete repair algorithms run fast and effectively. Ulltveit‐moe & Oleshchuk (2012) proposed a decision cache for fine‐grained XACML authorization and anonymization of elements and attributes in the XML documents. Their model permitted for management of authorization and anonymization policies for the XML documents. Thimma et al (2013) proposed a hybrid XML access control mechanism, called, HyXAC. The proposed technique used QFilter approach to process queries. It defined a sub‐view for each access control rule. Moreover, it allocated dynamically the available resources to materialize and cache sub‐views to improve query performance. Bertolino et al (2013) proposed a set of mutation operators to check the faults of the XACML 2.0 policies. Moreover, they proposed a tool, called XACMUT (XACmlMUTation), for creating mutants. Lin et al (2013) proposed a policy similarity measure approach, to determine similar policies.

98


Studies in System Science (SSS) Volume 2, 2014 www.as‐se.org/sss

Conclusion We present a literature review of XML security (signature and encryption) and access control to the XML documents. It explains that, the temporal attributes are not considered as special attributes, the security features of XML databases are violated or tampered with by malicious users, and there is no proposal about how to overcome the complex structure of XACML, which is useful to express and interchange access control policies and requests/responses effectively. REFERENCES

[1]

Algarin, ADLR, Demurjian, SA, Berhe, S & Pavlich‐mariscal, J 2012, ‘A Security Framework for XML Schemas and Documents for Healthcare’, Proceedings of the 2012 IEEE International Conference on Bioinformatics and Biomedicine Workshops (BIBMW) pp. 782–789.

[2]

Almarimi, A & Alsahdi, U 2010, ‘Developing a Cryptosystem for XML Documents’, Proceedings of the 2nd International Conference on Computer Technology and Development (ICCTD), pp. 240–244.

[3]

Ammari, FT, Lu, J & Abur‐rous, M 2011, ‘Intelligent XML Tag Classification Techniques for XML Encryption Improvement’, Proceedings of the 2011 International Conference on Privacy, Security, Risk, and Trust, and the IEEE International Conference on Social Computing, pp. 795–798.

[4]

An, D & Park, S 2011, ‘Efficient access control labeling scheme for secure XML query processing’, Computer Standards & Interfaces, vol. 33, no. 5, pp. 439–447.

[5]

Ardagna, CA, Vimercati, SD, Neven, G, Paraboschi, S, Preiss, FS, Samarati, P & Verdicchio, M 2010, ‘Enabling Privacy Preserving Credential‐Based Access Control with XACML and SAML’, Proceedings of IEEE 10th International Conference on Computer and Information Technology (CIT 2010), pp. 1090–1095.

[6]

Bekara, K, Mustapha, YB & Laurent, M 2010, ‘XPACML eXtensible Privacy Access Control Markup Language’, Proceedings of 2nd International Conference on Communications and Networking (ComNet), pp. 1–5.

[7]

Bertolino, A, Daoudagh, S, Lonetti, F, & Marchetti, E 2013, ‘XACMUT: XACML 2.0 Mutants Generator’, Proceedings of the 2013 IEEE 6th International Conference on Software Testing, Verification and Validation, pp. 28–33.

[8]

Bravo, L, Cheney, J, Fundulaki, I & Segovia, R 2012, ‘Consistency and repair for XML write‐access control policies’, VLDB Journal, vol. 21, no. 6, pp. 843–867.

[9]

Cao, J, Rao, FY, Kuzu, M, Bertino, E, & Kantarcioglu, M 2013, ‘Efficient Tree Pattern Queries On Encrypted XML Documents’, Proceedings of the Joint EDBT/ICDT 2013 Workshops, pp. 111–120.

[10] Chae, H, Jung, J, Lee, JH & Lee, KH 2012, ‘An Efficient Access Control Based On Role Attributes in Service Oriented Environments’, Proceedings of the 6th ACM International Conference on Ubiquitous Information Management and Communication, pp. 1–7. [11] Chou, SC & Huang, CH 2010, ‘An extended XACML model to ensure secure information access for web services’, The Journal of Systems and Software, vol. 83, no. 1, pp. 77‐ 84. [12] Dai, C, Gong, W & Liu, J 2010, ‘The Research of Access Process in Web Services Based on XACML’, Proceedings of the 2nd International Workshop on Database Technology and Applications (DBTA), pp. 1–4. [13] Doroodchi, M, Iranmehr, A & Pouriyeh, SA 2009, ‘An investigation on integrating XML‐based security into Web services’, Proceedings of 5th IEEE GCC Conference & Exhibition, pp. 1–5. [14] Elgedawy, I, Srivastava, B & Mittal, S 2009, ‘Exploring Queriability of Encrypted and Compressed XML Data’, Proceedings of the 24th International Symposium on Computer and Information Sciences (ISCIS), pp. 141–146. [15] Farooqi, N & North, S 2011, ‘Trust‐Based Access Control for XML Databases’, Proceedings of the 6th International Conference on Internet Technology and Secured Transactions, pp. 764–765. [16] Farooqi, N & North, S 2012, ‘Logging in XML Databases: Xlog File for Trust Based Access Control’, Proceedings of World Congress on Internet Security (WorldCIS), pp. 174–175.

99


www.as‐se.org/sss Studies in System Science (SSS) Volume 2, 2014

[17] Ferrini, R & Bertino, E 2009, ‘Supporting RBAC with XACML+OWL’, Proceedings of the 14th ACM Symposium on Access Control Models and Technologies, pp. 145–154. [18] Fu, D & Wei, Z 2011, ‘Research and implementation of a digital signature scheme based on middleware’, Proceedings of the International Conference on Electrical and Control Engineering (ICECE), pp. 72468–2471. [19] Haron, GR, Maniam, D & Ngiap, ST 2010, ‘Revisiting Secure Documents with XML Security: A Component‐Based Approach’, Proceedings of the 2010 Developments in E‐systems Engineering (DESE), pp. 257–262. [20] Helil, N & Rahman, K 2010a, ‘Extending XACML Profile for RBAC with Semantic Concepts’, Proceedings of the International Conference on Computer Application and System Modeling (ICCASM), pp. V10–69–V10–74. [21] Helil, N & Rahman, K 2010b, ‘RBAC Constraints Specification and Enforcement in Extended XACML’, Proceedings of the International Conference on Multimedia Information Networking and Security (MINES), pp. 546–550. [22] Jager, T & Somorovsky, J 2011, ‘How to Break XML Encryption’, Proceedings of the 18th ACM Conference on Computer and Communications Security, pp. 413–422. [23] Jensen, M & Meyer, C 2011, ‘Expressiveness Considerations of XML Signatures’, Proceedings of the IEEE 35th Annual Computer Software and Applications Conference Workshops (COMPSACW), pp. 1– 6. [24] Jensen, M, Liao, L & Schwenk, J 2009, ‘The curse of namespaces in the Domain of XML Signature’, Proceedings of the 2009 ACM Workshop on Secure Web Services, pp. 29–36. [25] Li, M & Fan, B 2012, ‘The Modeling of RBAC Model Based on UML and XACML’, Proceedings of the International Conference on Systems and Informatics (ICSAI), pp. 1533–1537. [26] Li‐yan, Z, & Huan, W 2012, ‘The application of XML digital signature in an e‐business platform about furniture city’, Proceedings of 2012 4th Electronic System‐Integration Technology Conference, pp. 770–772. [27] Lin, D, Rao, P, Ferrini, R, Bertino, E & Lobo, J 2013, ‘A Similarity Measure for Comparing XACML Policies’, IEEE Transactions on Knowledge and Data Engineering vol. 25, no. 9, pp. 1946–1959. [28] Lischka, M, Endo, Y & Cuenca, MS 2009, ‘Deductive Policies with XACML’, Proceedings of the 2009 ACM Workshop on Secure Web Services, pp. 37– 44. [29] Liu, B & Chen, H 2011, ‘Implementation a Prototype of XML Security for Certificate Management’, Proceedings of the International Conference on Control, Automation and Systems Engineering (CASE), pp. 1–6. [30] Luo, B, Lee, D, Lee, WC & Liu, P 2011, ‘QFilter: rewriting insecure XML queries to secure ones using non‐deterministic finite automata’, The VLDB Journal, vol. 20, no. 3, pp. 397–415. [31] Ma, CM, Zhuang, Y & Fong, S 2011, ‘Information Sharing over Collaborative Social Networks using XACML’, Proceedings of the 8th IEEE International Conference on e‐Business Engineering (ICEBE), pp. 161–167. [32] Mondal, S & Sural, S 2009, ‘XML‐Based Policy Specification Framework for Spatiotemporal Access Control’, Proceedings of the 2nd ACM International Conference on Security of Information and Networks, pp. 98–103. [33] Mourad, A, Otrok, H, Yahyaoui, H & Baajour, L 2011, ‘Toward an Abstract Language on Top of XACML for Web Services Security’, Proceedings of the 6th International Conference on Internet Technology and Secured Transactions, pp. 254–259. [34] Nithin, N & Bongale, AM 2012, ‘XBMRSA: A New XML Encryption Algorithm’, Proceedings of the World Congress on Information and Communication Technologies, pp. 567–571. [35] Nordbotten, NA 2009, ‘XML and Web Services Security Standards’, IEEE Communications Surveys & Tutorials, vol. 11, no .3, pp. 4–21. [36] Patel, J & Atay, M 2011, ‘An Efficient Access Control Model for Schema Based Relational Storage of XML Documents’, Proceedings of the 49th Annual ACM Southeast Regional Conference, pp. 97–102. [37] Pin‐ai, H & Xiang, C 2011, ‘Study On XML Data Safety Transmission Scheme Of Campus IC Card System’, Proceedings of the 3rd International Conference Computer Research and Development (ICCRD), pp. 156–160. [38] Ping, K & Laihong, D 2009, ‘The Research on Control Algorithm of Logistics Data Exchange Based on XML’, Proceedings of

100


Studies in System Science (SSS) Volume 2, 2014 www.as‐se.org/sss

the International Conference on E‐Learning, E‐Business, Enterprise Information Systems, and E‐Government, pp. 137–140. [39] Quevedo‐torrero, JU & Erickson, G 2012, ‘XML Querying using Data Logic Structures and Primitives’, Proceedings of the 9th International Conference on Information Technology‐ New Generations, pp. 548–553. [40] Rahaman, MA, Roudier, Y, Miseldine, P & Schaad, A 2009, ‘Ontology‐Based Secure XML Content Distribution’, Proceedings of the IFIP Advances in Information and Communication Technology, Emerging Challenges for Security, Privacy and Trust, pp. 294–306. [41] Rota, A, Stuart, S & Ashiqur, RM 2010, ‘XML secure views using semantic access control’, Proceedings of the 13th ACM International Conference on Extending Database Technology/International Conference on Database Theory (EDBT/ICDT), pp. 1–10. [42] Somorovsky, J & Schwenk, J 2012, ‘Technical Analysis of Countermeasures against Attack on XML Encryption‐ or‐ Just Another Motivation for Authenticated Encryption’, Proceedings of 2012 IEEE 8th World Congress on Services (Services), pp. 171–178. [43] Somorovsky, J, Jensen, M & Schwenk, J 2010, ‘Streaming‐based Verification of XML Signatures in SOAP Messages’, Proceedings of the 6th World Congress on Services (Services‐1), pp. 637–644. [44] Song, F & Cui, Z 2011, ‘Electronic Voting Scheme About ElGamal Blind‐signatures Based on XML’, Proceedings of the International Workshop on Information and Electronics Engineering (IWIEE), Elsevier, pp. 2721‐2725. [45] Stepien, B, Matwin, S & Felty, A 2011, ‘Advantages of a Non‐Technical XACML Notation in Role‐Based Models’, Proceedings of 9th Annual International Conference on Privacy, Security and Trust, pp. 193–200. [46] Stepien, B, Matwin, S & Felty, A 2012, ‘An Algorithm for Compression of XACML Access Control Policy Sets by Recursive Subsumption’, Proceedings of the 7th International Conference on Availability, Reliability and Security, pp.161–167. [47] Thi, QNT & Dang, TK 2012, ‘XSTROWL: A Generalized Extension of XACML for Context‐aware Spatio‐Temporal RBAC Model with OWL’, Proceedings of the 7th International Conference on Digital Information Management (ICDIM), pp. 253– 258. [48] Thimma, M, Tsui, TK, & Luo, B 2013, ‘HyXAC: a Hybrid Approach for XML Access Control’, Proceedings of the 18th ACM Symposium on Access Control Models and Technologies, pp. 113–124. [49] Ulltveit‐moe, N & Oleshchuk, V 2012, ‘Decision‐cache based XACML authorisation and anonymisation for XML documents’, Computer Standards & Interfaces, vol. 34, no. 6, pp. 527–534. [50] Wu, X, Hong, J & Zhang, Y 2012, ‘Analysis of OpenXML‐based Office Encryption Mechanism’, Proceedings of the 7th International Conference on Computer Science & Education (ICCSE), pp. 521–524. [51] Xu, M, Wijesekera, D & Zhang, X 2011, ‘Runtime Administration of an RBAC Profile for XACML’, IEEE Transactions on Services Computing, vol. 4, no .4, pp. 286–299.

101


Turn static files into dynamic content formats.

Create a flipbook
Issuu converts static files into: digital portfolios, online yearbooks, online catalogs, digital photo albums and more. Sign up and create your flipbook.