Selective and Authentic Third-Party Distribution of XML Documents
Author
E. Bertino, B. Carminati, E. Ferrari, B. Thuraisingham, A. Gupta
Tech report number
CERIAS TR 2004-69
Abstract
Third-party architectures for data publishing over the Internet today are receiving growing attention, due to their scalability
properties and to their ability to efficiently manage a large number of subjects and a great amount of data. In a third-party architecture,
there is a distinction between the Owner and the Publisher of information. The Owner is the producer of information, whereas
Publishers are responsible for managing (a portion of) the Owner information and for answering subject queries. A relevant issue in this
architecture is how the Owner can ensure a secure and selective publishing of its data, even if the data are managed by a third party,
which can prune some of the nodes of the original document on the basis of subject queries and access control policies. One approach
is to require the Publisher to be trusted with regard to the considered security properties. However, the serious drawback of
this solution is that large Web-based systems cannot be easily verified to be secure and can be easily penetrated. For these reasons,
in this paper, we propose an alternative approach, based on the use of digital signature techniques, which does not require the
Publisher to be trusted. The security properties we consider are authenticity and completeness of a query response, where
completeness is intended with regard to the access control policies stated by the information Owner. In particular, we show that, by
embedding in the query response one digital signature generated by the Owner and some hash values, a subject is able to locally
verify the authenticity of a query response. Moreover, we present an approach that, for a wide range of queries, allows a subject to
verify the completeness of query results.
Journal
IEEE Transactions on Knowledge and Data Engineering
Key alpha
Secure publishing, third-party publication, XML, authentication, completeness
Publication Date
2004-08-01
Contents
1 INTRODUCTION
2 BASIC CONCEPTS
3 OVERALL ARCHITECTURE
4 SUBJECT-OWNER INTERACTION
5 OWNER-PUBLISHER INTERACTION
6 SUBJECT-PUBLISHER INTERACTION
7 SUBJECT VERIFICATION
8 ATTACK ANALYSIS
9 PERFORMANCE ISSUES
10 RELATED WORK
11 CONCLUSIONS
Location
A hard-copy of this is in the CERIAS Library
Subject
Third-Party Distribution