This Article 
 Bibliographic References 
 Add to: 
Selective and Authentic Third-Party Distribution of XML Documents
October 2004 (vol. 16 no. 10)
pp. 1263-1278
Third-party architectures for data publishing over the Internet today are receiving growing attention, due to their scalability properties and to the ability of efficiently managing large number of subjects and great amount of data. In a third-party architecture, there is a distinction between the Owner and the Publisher of information. The Owner is the producer of information, whereas Publishers are responsible for managing (a portion of) the Owner information and for answering subject queries. A relevant issue in this architecture is how the Owner can ensure a secure and selective publishing of its data, even if the data are managed by a third-party, which can prune some of the nodes of the original document on the basis of subject queries and access control policies. An approach can be that of requiring the Publisher to be trusted with regard to the considered security properties. However, the serious drawback of this solution is that large Web-based systems cannot be easily verified to be secure and can be easily penetrated. For these reasons, in this paper, we propose an alternative approach, based on the use of digital signature techniques, which does not require the Publisher to be trusted. The security properties we consider are authenticity and completeness of a query response, where completeness is intended with regard to the access control policies stated by the information Owner. In particular, we show that, by embedding in the query response one digital signature generated by the Owner and some hash values, a subject is able to locally verify the authenticity of a query response. Moreover, we present an approach that, for a wide range of queries, allows a subject to verify the completeness of query results.

[1] World Wide Web Consortium, Xml,http://www.w3.orgXML, 2004.
[2] E. Bertino, B. Carminati, and E. Ferrari, A Temporal Key Management Scheme for Secure Broadcasting of XML Documents Proc. Ninth ACM Conf. Computer and Comm. Security, pp. 31-40, 2002.
[3] E. Bertino, S. Castano, and E. Ferrari, On Specifying Security Policies for Web Documents with an XML-Based Language Proc. Sixth ACM Symp. Access Control Models and Technologies, pp. 57-65, 2001.
[4] E. Bertino, S. Castano, and E. Ferrari, "Securing XML Documents with Author-X," IEEE Internet Computing, vol. 5, no. 3, May/June 2001, pp. 21-31.
[5] S. Charanjit and M. Yung, Paytree: Amortized Signature for Flexible Micropayments Proc. Second Usenix Workshop Electronic Commerce, 1996.
[6] L. Cranor and J. Reagle, The Platform for Privacy Preferences Comm. ACM, vol. 42, no. 2, pp. 48-55, 1999.
[7] L. Cranor and P. Resnick, Protocols for Automated Negotiations with Buyer Anonymity and Seller Reputations Proc. Telecomm. Policy Research Conf., Sept. 1997.
[8] P. Devanbu, M. Gertz, C. Martel, and S. Stubblebine, Authentic Third-Party Data Publication Proc. 14th Ann. IFIP WG 11.3 Working Conf. Database Security, Aug. 2000.
[9] P. Devanbu, M. Gertz, A. Kwong, C. Martel, G. Nuckolls, and S. Stubblebine, Flexible Authentication of XML Documents Proc. Eighth ACM Conf. Computer and Comm. Security, 2001.
[10] H. Hacigumus, B. Iyer, C. Li, and S. Mehrotra, Executing SQL over Encrypted Data in the Database Service Provider Model Proc. SIGMOD Conf., 2002.
[11] H. Hacigumus, B. Iyer, and S. Mehrotra, Providing Database as a Service Proc. Int'l Conf. Data Eng., 2002.
[12] H. Maruyama, K. Tamura, and N. Uramoto, Digest Values for Dom (Domhash) Network Working Group,, 2004.
[13] R. Merkle, A Certified Digital Signature Proc. Conf. Advances in Cryptology (Crypto '89), 1989.
[14] M. Naor and K. Nissim, Certificate Revocation and Certificate Update Proc. Seventh USENIX Security Symp., 1998.
[15] W. Stallings, Network Security Essentials: Applications and Standars. 2000.
[16] B. Thuraisingham, The Use of Conceptual Structures for Handling the Inference Problem, and Cover Stories for Database Security Proc. Fifth IFIP WG 11.3 Working Conf. Database Security, 1991.
[17] B. Thuraisingham, Security Checking in Relational Database Management Systems Augmented with Inference Engines Computers and Security, vol. 6, pp. 479-492, 1987.

Index Terms:
Secure publishing, third-party publication, XML, authentication, completeness.
Elisa Bertino, Barbara Carminati, Elena Ferrari, Bhavani Thuraisingham, Amar Gupta, "Selective and Authentic Third-Party Distribution of XML Documents," IEEE Transactions on Knowledge and Data Engineering, vol. 16, no. 10, pp. 1263-1278, Oct. 2004, doi:10.1109/TKDE.2004.63
Usage of this product signifies your acceptance of the Terms of Use.