Conference
Workshop On XML Security
About: Workshop On XML Security is an academic conference. The conference publishes mainly in the area(s): XML Encryption & XML Signature. Over its lifetime, 24 publications have been published by the conference, receiving 1047 citations.
Papers
22 Nov 2002
TL;DR: This work proposes a security abstraction, inspired by earlier work on secure RPC, in which the methods exported by a web service are annotated with one of three security levels: none, authenticated, or both authenticated and encrypted.
Abstract: An XML web service is, to a first approximation, an RPC service in which requests and responses are encoded in XML as SOAP envelopes, and transported over HTTP. We consider the problem of authenticating requests and responses at the SOAP-level, rather than relying on transport-level security. We propose a security abstraction, inspired by earlier work on secure RPC, in which the methods exported by a web service are annotated with one of three security levels: none, authenticated, or both authenticated and encrypted. We model our abstraction as an object calculus with primitives for defining and calling web services. We describe the semantics of our object calculus by translating to a lower-level language with primitives for message passing and cryptography. To validate our semantics, we embed correspondence assertions that specify the correct authentication of requests and responses. By appeal to the type theory for cryptographic protocols of Gordon and Jeffrey's Cryptyc, we verify the correspondence assertions simply by typing. Finally, we describe an implementation of our semantics via custom SOAP headers.
57 citations
31 Oct 2003
TL;DR: An XML access control model is discussed, and a technique that supports not only read operations but also update operations is proposed; it shows better performance compared to existing access control models.
Abstract: As a large quantity of information is presented in XML format on the Web, there are increasing demands for XML security. Until now, research on XML security has been focused on the security of data communication using digital signatures or encryption technologies. As XML is also used as a data representation for data storage, XML security comes to involve not only communication security but also managerial security. Managerial security is guaranteed through access control, but existing XML access control models consider only read queries. These models may cause problems when unauthorized users try to change XML documents or their structure. Therefore the access control of update queries must be executed correctly and efficiently, as well as that of read queries. In this paper, we discuss an XML access control model and propose a technique that supports not only read operations but also update operations. We define new action types to systematically manage complex access right information and to process various update queries in an efficient manner. Using these action types, the system can save memory and other system resources that are used in the DOM-based DTD verification process, and shorten the overall steps of access control by filtering unnecessary queries out at an early stage. Although for read queries the proposed access control model introduces a minor overhead in determining action types, for update queries it shows better performance compared to existing access control models.
57 citations
22 Nov 2002
TL;DR: This paper looks into these approaches for supporting integrity, confidentiality, and access control for XML Web services and gives some hints for future research.
Abstract: Security is currently one of the main concerns about XML Web services. Several initiatives are currently ongoing aimed at achieving a standardized way for supporting integrity, confidentiality, and access control for XML Web services. This paper looks into these approaches and gives some hints for future research.
48 citations
IBM1
TL;DR: An abstract general model for Web services components is introduced, along with formal definitions and notation that can be used as a basis to design an access control processor independent of a particular Web service implementation.
Abstract: The service oriented architecture (SOA) is gaining more momentum with the advent of network services on the Web. A programmable and machine accessible Web is the vision of many, and might represent a step towards the semantic Web. However, security is a crucial requirement for the serious usage and adoption of the Web services technology. This paper enumerates design goals for an access control model for Web services. It then introduces an abstract general model for Web services components, along with formal definitions and notation that can be used as a basis to design an access control processor independent of a particular Web service implementation. This is followed by the design of a distributed access control processor built upon this general model for Web services, along with implementation guidelines and examples. Main goals for a general authorization framework are identified, and design spaces enumerated.
43 citations
[...]
TL;DR: An encryption system is described which allows these 'deep children' to remain in plaintext while their ancestors are encrypted, i.e. bringing this property from XML Access Control to XML Encryption.
Abstract: This paper describes an alternative encryption method for XML [1] which is capable of encrypting single XML Information Set [2] items. It is able to hide the size and the existence of encrypted contents. As a result, it prevents 'traffic analysis', i.e. its analogous counterpart for documents. In 2001, the W3C launched the XML Encryption working group which, among other things, defined how to encrypt portions of XML documents [3]. The portion must always be a subtree or a consecutive sequence of subtrees. On the other hand, XML Access Control allows more granular restrictions on what portions of an XML document a client is allowed to see: XML Access Control can remove an ancestor node from a document while leaving a descendant node in the document. This paper describes an encryption system which allows these 'deep children' to remain in plaintext while their ancestors are encrypted, i.e. bringing this property from XML Access Control to XML Encryption.
42 citations
Performance Metrics
| Year | Papers |
|---|---|
| 2003 | 13 |
| 2002 | 11 |