Secure outsourcing of XML data
Barbara Carminati, University of Insubria at Varese
barbara.carminati@uninsubria.it
http://www.dicom.uninsubria.it/barbara.carminati

Software as a Service
- Get what you need, when you need it
- Pay for what you use
- Don't worry about deployment, installation, maintenance and upgrades, or about hiring, training and retaining people

Emerging trend: data outsourcing (Database as a Service, DBaaS): why
- Most organizations need efficient data management
- DBMSs are extremely complex to deploy, set up and maintain, and require skilled DBAs at very high cost
- Driven by faster, cheaper and more accessible networks

Traditional architecture: client <-> DBMS server
Third-party architecture: the data owner hands its data to a data provider; the provider stores the outsourced DB and answers the clients' queries over the Internet (queries in, results out)

Research issues
- Distributed query management
- Consistency
- Security and privacy; main requirements: confidentiality, integrity, authenticity, completeness, etc.

Security and privacy: naive solution
- Data providers are trusted: they always operate according to the owner's security and privacy policies

Security and privacy: what is actually required
- Must be satisfied even in the presence of an untrusted provider that
  - can modify or delete the data
  - can access sensitive or private information
  - can send data to non-authorized users
  - can withhold from a user part of the information he or she is authorized to access
  - can be attacked from outside
- Must be satisfied while incurring minimal computation and bandwidth overhead

Main requirements: confidentiality; authenticity and integrity; completeness

Confidentiality
- Data are disclosed only to authorized users
- Confidentiality requirements are usually expressed through a set of access control policies
- Access control: security administrators (SAs) specify access control policies (authorizations); users submit access requests to a reference monitor, which either grants access (totally or partially) or denies it
- When data are outsourced, confidentiality has a twofold meaning:
  - confidentiality w.r.t. users: protect data against unauthorized users' read accesses
  - confidentiality w.r.t. providers: protect the owner's data from read
accesses by untrusted providers

Integrity
- Refers to protecting information from modifications; it involves several goals:
  - assuring the integrity of the information with respect to the original information (often referred to as authenticity)
  - protecting the information from unauthorized modifications
- Integrity and authenticity are usually enforced through signature techniques
- When data are outsourced, traditional signature techniques are not enough: a user may be returned only selected portions of the data signed by the owner, and a signature computed over the whole document cannot be verified against a portion of it

Completeness
- Ensuring that users receive all the information they are entitled to access according to the owner's policies

Secure outsourcing of XML data: our proposal

Scenario
- We focus on XML data
- The Owner is the producer of the information; it holds the XML source, the credential base and the policy base, and it specifies the access control policies
- The Provider is responsible for managing a portion of the Owner's information (XML docs) and for answering user queries according to the access control policies specified by the Owner
- The Owner specifies access control policies according to an access control model supporting fine-grained and credential-based access control, with an XML-based language (X-Sec) to express both access control policies and credentials

X-Sec example: Alice's credential

<x-profile>
  <secretary level="7">
    <name>Alice Rossi</name>
    <department>marketing</department>
    <type>administrative</type>
    <email>arossi@myorganization.com</email>
  </secretary>
</x-profile>

Access control policies encoded in the X-Sec language (the comparison operators were lost in extraction and are reconstructed from the worked example below)

Cred. expression     | Target           | Path                                               | M | P
secretary[level > 4] | organization.xml | department[@dept="Marketing"]/employee[level < 10] | R | F
secretary[level > 9] | organization.xml | department[@dept="Internet"]/employee              | R | F

Example: Alice submits the XPath query /organization/department/employee[level > 4] over organization.xml:

<?xml version="1.0" encoding="UTF-8"?>
<Organization>
  <department dept="Marketing">
    <employee>
      <name>Alice Rossi</name>
      <salary>80K</salary>
      <level>7</level>
    </employee>
    <employee>
      <name>Bob Red</name>
      <salary>50K</salary>
      <level>5</level>
    </employee>
    <employee>
      <name>Tom Black</name>
      <salary>170K</salary>
      <level>12</level>
    </employee>                 (denied)
  </department>
  <department dept="HR">
    <employee>
      <name>Kim</name>
      <salary>150K</salary>
      <level>11</level>
    </employee>                 (denied)
    <employee>
      <name>Ann</name>
      <salary>80K</salary>
      <level>7</level>
    </employee>                 (denied)
  </department>
</Organization>

The access control policy authorizes Alice to see only department[@dept="Marketing"]/employee[level < 10]: Alice (level 7) and Bob (level 5) match her query and are returned; Tom (level 12) and the whole HR department are denied.

Problem
- The Owner keeps the XML source, the credential base and the policy base, but its XML docs are distributed over several providers (Provider 1, Provider 2, Provider 3, Provider 4)
- We need strategies for ensuring authenticity, completeness and confidentiality of the XML docs even if a provider is not trusted

Proposed solution: overall idea
- The Owner outsources to the providers a Security-Enhanced Encryption (SE-ENC) of the original XML docs, where
  - authenticity and integrity are enforced by an alternative digital signature devised for XML docs, the Merkle signature
  - confidentiality is ensured by the properties of well-formed encryption
  - security information is included that makes the providers able to evaluate queries
- Moreover, the Owner provides users with auxiliary data structures, the query templates, that make them able to submit queries directly to the providers and to verify the query results they obtain

Owner-side processing
- From the XML document: Merkle signature (authenticity information) and partitioning information
- Security information, then well-formed encryption with keys K1 ... Kj ... Km ... Kp
- Output: the SE-ENC document; removing the encrypted content from it yields the query template

System architecture
- Owner -> client: decryption keys and query template
- Owner -> provider: SE-ENC document
- Client (user credentials) -> provider: XML query; provider -> client: reply document (the query answer)

Confidentiality enforcement
- Secure data outsourcing implies two different confidentiality issues: confidentiality with respect to users and confidentiality with respect to providers
- Problem: providers must be able to evaluate queries and enforce the access control policies on the XML documents while respecting, at the same time, the confidentiality requirements
- Solution:
based on encryption techniques: well-formed encryption
- The idea is that before sending a document to a provider, the Owner encrypts it
- Well-formed encryption: all the document portions to which the same set of access control policies applies are encrypted with the same key

[Figure: well-formed encryption. A document tree with nodes numbered 1 to 16, each labelled with the set of access control policies that applies to it ({P1, P3}, {P2}, {P3}, ...); all the nodes sharing a policy set, e.g. the {P1, P3} nodes, are encrypted with the same key (K1 in the figure).]
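The well-formed encryption rule above, worked through on the deck's organization document, as an added example that is not the slides' own code. Policies P1 and P2 are the two from the X-Sec table (comparison operators reconstructed as > and <); P3 is a hypothetical third policy added here only so that some portions fall under two policies and others under one. Each employee portion is replaced by an <enc> element labelled with the policy set that applies to it (this example's stand-in for the "security information" the provider reads to evaluate queries), the key per policy set is derived from an owner master secret, and the cipher is a SHA-256 counter-mode keystream with an HMAC tag in place of a real authenticated cipher such as AES-GCM. The key distribution rule (a user gets the key of every policy set that contains a policy her credential satisfies) is the reading of the slide that makes Alice's view come out as in the worked example.

```python
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET

# Constructed sample: the deck's organization document, one employee per line.
ORGANIZATION_XML = """<Organization>
<department dept="Marketing">
<employee><name>Alice Rossi</name><salary>80K</salary><level>7</level></employee>
<employee><name>Bob Red</name><salary>50K</salary><level>5</level></employee>
<employee><name>Tom Black</name><salary>170K</salary><level>12</level></employee>
</department>
<department dept="HR">
<employee><name>Kim</name><salary>150K</salary><level>11</level></employee>
<employee><name>Ann</name><salary>80K</salary><level>7</level></employee>
</department>
</Organization>"""

# (name, secretary level the subject must exceed, target department, employee level bound or None)
POLICIES = [
    ("P1", 4, "Marketing", 10),    # deck: secretary[level>4] -> Marketing employees with level<10
    ("P2", 9, "Internet", None),   # deck: secretary[level>9] -> every Internet employee
    ("P3", 9, "Marketing", None),  # hypothetical, added so that some portions carry two policies
]

def policies_for(dept, employee):
    """Set of policies whose object part selects this employee element."""
    lvl = int(employee.findtext("level"))
    return frozenset(n for n, _, d, b in POLICIES if d == dept and (b is None or lvl < b))

def satisfied_by(cred):
    """Set of policies whose credential expression a (type, level) credential satisfies."""
    kind, level = cred
    return frozenset(n for n, mn, _, _ in POLICIES if kind == "secretary" and level > mn)

MASTER = os.urandom(32)  # owner's master secret; never leaves the owner

def key_for(pset):
    # One key per distinct policy set: the well-formed encryption invariant (derivation is ours).
    return hashlib.sha256(MASTER + ",".join(sorted(pset)).encode()).digest()

def xor_stream(key, nonce, data):
    # SHA-256 counter-mode keystream: a stand-in for a real cipher, not for production use.
    ks = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def encrypt(key, plaintext):
    nonce = os.urandom(12)
    ct = xor_stream(key, nonce, plaintext)
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC

def decrypt(key, blob):
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("portion altered or wrong key")
    return xor_stream(key, nonce, ct)

def pset_of(enc):
    return frozenset(filter(None, enc.get("policies").split(",")))

def owner_encrypt(doc_xml):
    """Replace every employee portion by <enc policies="..."> holding its ciphertext; the label
    lets the provider decide which portions answer a query without reading them."""
    root = ET.fromstring(doc_xml)
    for dept in root.findall("department"):
        for i, emp in enumerate(list(dept)):
            pset = policies_for(dept.get("dept"), emp)
            enc = ET.Element("enc", {"policies": ",".join(sorted(pset))})
            enc.text = encrypt(key_for(pset), ET.tostring(emp)).hex()
            dept[i] = enc
    return ET.tostring(root, encoding="unicode")

def keys_for_user(enc_xml, cred):
    """Owner-side key distribution: the key of every policy set that contains at least one
    policy the user's credential satisfies."""
    sat = satisfied_by(cred)
    psets = {pset_of(e) for e in ET.fromstring(enc_xml).iter("enc")}
    return {p: key_for(p) for p in psets if p & sat}

def user_view(enc_xml, keys):
    root = ET.fromstring(enc_xml)
    for dept in root.findall("department"):
        for i, enc in enumerate(list(dept)):
            key = keys.get(pset_of(enc))
            if key is not None:  # otherwise the portion stays opaque to this user
                dept[i] = ET.fromstring(decrypt(key, bytes.fromhex(enc.text)))
    return root

def visible_names(enc_xml, cred):
    view = user_view(enc_xml, keys_for_user(enc_xml, cred))
    return [e.findtext("name") for e in view.iter("employee")]

def tamper_detected(enc_xml, cred):
    """Flip one nibble of the first ciphertext and check that the MAC rejects it."""
    root = ET.fromstring(enc_xml)
    enc = next(root.iter("enc"))
    enc.text = ("1" if enc.text[0] == "0" else "0") + enc.text[1:]
    try:
        user_view(ET.tostring(root, encoding="unicode"), keys_for_user(enc_xml, cred))
    except ValueError:
        return True
    return False

ENCRYPTED_DOC = owner_encrypt(ORGANIZATION_XML)  # what the owner outsources to the provider
```

With these policies the document has three distinct policy sets, hence three keys: {P1, P3} for Alice and Bob, {P3} for Tom, and the empty set for the HR department, whose key is handed to nobody. Alice (secretary, level 7) satisfies P1 only and therefore receives the {P1, P3} key, so visible_names(ENCRYPTED_DOC, ("secretary", 7)) yields Alice and Bob, as in the worked example; a level-10 secretary also gets the {P3} key and sees Tom; anyone without a matching credential sees nothing. The provider can still route queries by the policies label, and the MAC makes any modification of an outsourced portion detectable by the user who holds its key.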
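The Merkle signature from the proposed-solution slides (authenticity and integrity of a reply that contains only the portions a user may see), as an added example that is not the slides' own code. The owner hashes the document tree bottom-up and signs only the root digest; the signature itself is any standard signature over that digest and is not shown. The provider answers with a pruned copy in which every subtree the user may not read is replaced by a placeholder carrying that subtree's Merkle hash, so the user can recompute the root without seeing the denied content and compare it with the signed root. The per-node hash layout (tag, attributes, text, then the children's hashes) and the <pruned mh="..."> placeholder are this example's conventions; alice_allowed encodes the deck's worked authorization.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample: the deck's organization document, one employee per line.
ORGANIZATION_XML = """<Organization>
<department dept="Marketing">
<employee><name>Alice Rossi</name><salary>80K</salary><level>7</level></employee>
<employee><name>Bob Red</name><salary>50K</salary><level>5</level></employee>
<employee><name>Tom Black</name><salary>170K</salary><level>12</level></employee>
</department>
<department dept="HR">
<employee><name>Kim</name><salary>150K</salary><level>11</level></employee>
<employee><name>Ann</name><salary>80K</salary><level>7</level></employee>
</department>
</Organization>"""

PRUNED = "pruned"  # placeholder element carrying a removed subtree's Merkle hash (example convention)

def H(data):
    return hashlib.sha256(data).digest()

def merkle_hash(node):
    """Bottom-up hash of a subtree: H( H(tag) || H(attrs) || H(text) || MH(child_1) || ... || MH(child_n) ).
    A placeholder contributes the hash stored in it, so pruning does not change the root."""
    if node.tag == PRUNED:
        return bytes.fromhex(node.get("mh"))
    attrs = ";".join(f"{k}={v}" for k, v in sorted(node.attrib.items()))
    acc = H(node.tag.encode()) + H(attrs.encode()) + H((node.text or "").strip().encode())
    for child in node:
        acc += merkle_hash(child)
    return H(acc)

def owner_root_hash(doc_xml):
    """Computed once by the owner, who then signs it with an ordinary signature (not shown)."""
    return merkle_hash(ET.fromstring(doc_xml)).hex()

def prune(node, allowed):
    """Copy of node in which every child subtree the user may not read is replaced by a
    placeholder; the provider needs no key material to do this."""
    clone = ET.Element(node.tag, dict(node.attrib))
    clone.text = node.text
    for child in node:
        if allowed(child):
            clone.append(prune(child, allowed))
        else:
            clone.append(ET.Element(PRUNED, {"mh": merkle_hash(child).hex()}))
    return clone

def provider_answer(doc_xml, allowed):
    return ET.tostring(prune(ET.fromstring(doc_xml), allowed), encoding="unicode")

def verify(answer_xml, signed_root_hex):
    """User side: recompute the root from the reply and compare it with the signed root."""
    return merkle_hash(ET.fromstring(answer_xml)).hex() == signed_root_hex

def alice_allowed(node):
    # The deck's worked authorization: Marketing employees with level below 10.
    if node.tag == "department":
        return node.get("dept") == "Marketing"
    if node.tag == "employee":
        return int(node.findtext("level")) < 10
    return True

def demo():
    root_hex = owner_root_hash(ORGANIZATION_XML)
    answer = provider_answer(ORGANIZATION_XML, alice_allowed)
    tree = ET.fromstring(answer)
    dept = tree.find("department")
    dept.remove(dept.find("employee"))  # provider silently drops a record Alice is entitled to
    incomplete = ET.tostring(tree, encoding="unicode")
    return {
        "genuine": verify(answer, root_hex),                          # True
        "modified": verify(answer.replace("50K", "500K"), root_hex),  # False: Bob's salary altered
        "incomplete": verify(incomplete, root_hex),                   # False: a record is missing
        "placeholders": answer.count("<" + PRUNED),                   # 2: Tom's record, the HR department
        "hidden": "Tom Black" not in answer and "Kim" not in answer,  # True
    }
```

Alice's reply contains two placeholders (Tom's record and the whole HR department) and no denied content, yet it hashes to the signed root; changing a returned value or dropping one of her records breaks verification. Note what this check does and does not give: a placeholder tells Alice that a subtree was withheld, but not whether the provider was entitled to withhold it. That is the completeness question the deck assigns to the query templates, which are not modelled here.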