Building Trustworthy Semantic Webs Lecture 5 XML and XML Security Dr Bhavani Thuraisingham September 2006 01 14 19 10 25 5 2 Objective of the Unit 0 This unit will provide an overview of XML and then discuss some security issues 01 14 19 10 25 5 3 Outline of the Unit 0 XML Elements 0 XML Attributes 0 XML DTD 0 XML Schema 0 XML Namespaces 0 Federations 0 Policy Credential 0 Access Control 0 Third Party Publication 0 XML Databases 0 Inference Control 01 14 19 10 25 5 4 What is XML all about 0 XML is needed due to the limitations of HTML and 0 0 0 0 complexities of SGML It is an extensible markup language specified by the W3C World Wide Web Consortium Designed to make the interchange of structured documents over the Internet easier Key to XML used to be Document Type Definitions DTDs Defines the role of each element of text in a formal model XML schemas have now become critical to specify the structure XML schemas are also XML documents 01 14 19 10 25 5 5 XML Elements XML Statement John Smith is a Professor in Texas This can be expressed as follows Professor name John Smith name state Texas state Professor 01 14 19 10 25 5 6 XML Elements Now suppose this data can be read by anyone then we can augment the XML statement by an additional element called access as follows Professor name John Smith name state Texas state access All Read access Professor 01 14 19 10 25 5 7 XML Elements If only HR can update this XML statement then we have the following Professor name John Smith name state Texas state access HR department Write access Professor 01 14 19 10 25 5 8 XML Elements We may not wish for everyone to know that John Smith is a professor but we can give out the information that this professor is in Texas This can be expressed as Professor name John Smith Govt official Read name state Texas All Read state access HR department Write access Professor 01 14 19 10 25 5 9 XML Attributes Suppose we want to specify to access based on attribute values One way to specify such access is given below Professor Name John Smith Access All Read Salary 60K Access Administrator Read Write Department Security Access All Read Professor Here we assume that everyone can read the name John Smith and Department Security But only the administrator can read and write the salary attribute 01 14 19 10 25 5 10 XML DTD DTDs essentially specify the structure of XML documents Consider the following DTD for Professor with elements Name and State This will be specified as ELEMENT Professor Officer Name State ELEMENT name PCDATA ELEMENR state PCDATA ELEMENT access PCDATA 01 14 19 10 25 5 11 XML Schema While DTDs were the early attempts to specify structure for XML documents XML schemas are far more elegant to specify structures Unlike DTDs XML schemas essentially use the XML syntax for specification Consider the following example ComplexType name ProfessorType Sequence element name name type string element name state type string element name access type strong Sequence ComplexType 01 14 19 10 25 5 12 XML Namespaces Namespaces are used for DISAMBIGUATION CountryX Academic Institution DTD Xmlns CountryX http www CountryX edu Instution Xmlns USA http www USA edu Instution DTD Xmlns UK http www UK edu Instution DTD USA Title College USA Name University of Texas at Dallas USA State Texas UK Title University UK Name Cambridge University UK State Cambs CountryX Acedmic Instiution 01 14 19 10 25 5 13 XML Namespaces Country Academic Institution Access Government official Read Access DTD Xmlns CountryX http www CountryX edu Instution Xmlns USA http www USA edu Instution DTD Xmlns UK http www UK edu Instution DTD USA Title College USA Name University of Texas at Dallas USA State Texas UK Title University UK Name Cambridge University UK State Cambs CountryX Academic Institution 01 14 19 10 25 5 14 Federations Distribution Site 1 document Professor name ID 111 ID Name John Smith name State Texas state Professor name Site 2 document Professor salary ID 111 ID salary 60K salary Professor salary 01 14 19 10 25 5 15 XML Query 0 XML QL XQuery etc are query languages for XML 0 XPath is used for query specification 01 14 19 10 25 5 16 Presentations of XML Documents 0 XSLT 01 14 19 10 25 5 17 Credentials in XML Professor credID 9 subID 16 CIssuer 2 name Alice Brown name university University of X university department CS department research group Security research group Professor Secretary credID 12 subID 4 CIssuer 2 name John James name university University of X university department CS department level Senior level Secretary 01 14 19 10 25 5 18 Policies in XML Xml VERSION 1 0 ENCODING utf 8 Policy base policy spec cred expr Professor department CS target annual report xml path Patent Dept CS Node priv VIEW policy spec cred expr Professor department CS target annual report xml path Patent Dept EE Short descr Node and Patent Dept EE authors priv VIEW policy spec cred expr policy spec cred expr Policy base Explantaion CS professors are entitled to access all the patents of their department They are entitled to see only the short descriptions and authors of patents of the EE department 01 14 19 10 25 5 19 Access Control Strategy 0 Subjects request access to XML documents under two modes Browsing and authoring With browsing access subject can read navigate documents Authoring access is needed to modify delete append documents 0 Access control module checks the policy based and applies policy specs 0 Views of the document are created based on credentials and policy specs 0 In case of conflict least access privilege rule is enforced 0 Works for Push Pull modes 01 14 19 10 25 5 20 System Architecture for Access Control Pull Query User X Access Push result X Admin Admin Tools Policy base Credential base XML Documents 01 14 19 10 25 5 21 Third Party Architecture 0 The Owner is the producer of information It specifies access control policies 0 The Publisher is responsible for managing a portion of the Owner information and answering subject queries 0 Goal Untrusted Publisher with respect to Authenticity and Completeness checking XML Source Credential policy base base SE XML Own er Publishe Reply documenr credential t s Query User Subject 01 14 19 10 25 5 22 XML Databases 0 Data is presented as XML documents 0 Query language XML QL 0 Query optimization 0 Managing transactions on XML documents 0 Metadata management XML schemas DTDs 0 Access methods and index strategies 0 XML security and integrity management 01 14 19 10 25 5 23 Inference Privacy