Chip-Secured XML Access
Luc Bouganim **
François Dang Ngoc*
* University of Versailles
78000 Versailles - France
&
** INRIA Rocquencourt
78035 Le Chesnay - France
<Firstname.Lastname>@prism.uvsq.fr
Abstract: Chip-Secured XML Access (C-SXA) is a
versatile XML-based Access Right Controller
embedded in a smart card. C-SXA can be used
either to protect the privacy of on-board personal
data or to control the flow of data extracted from
an external source. C-SXA addresses a broad
range of applications, like secure portable folders,
Digital Right Management, parental control or
exchange of confidential information among a
community of users. We illustrate the effectiveness
of this technology in an example of application, a
collaborative agenda application embedded in a
cellular phone SIM card.
Key words: smart card XML access control, smart
card XML data store.
1
Introduction
Chip-Secured XML Access (C-SXA) is a versatile XMLbased Access Right Controller embedded in a smart card.
C-SXA evaluates the user’s privileges on on-board or
external XML data and delivers the authorized subset of
these data. The use of XML (the de-facto standard to
describe and exchange data) makes C-SXA agnostic
about the kind of data to be protected and then
participates to its versatility. Indeed, an increasing part of
the information accessible through the web (textual
documents, datasets, images, video, sounds, services) is
now represented or annotated in XML.
The first issue addressed by C-SXA is protecting
the privacy of personal data embedded in the smart card.
Existing approaches store row data sequentially and
propose at best rudimentary mechanisms to regulate the
access to these data (e.g., password). C-SXA
implements database features to store effectively XML
data and to share them among multiple users or certified
applications at a much finer granularity (e.g., browser,
agenda or address book applications can share parts of a
user’s profile with different privileges).
The second issue is controlling the access to
external resources. Existing approaches, like secure
storage services, secure data sharing or Digital Right
Management (DRM), implement access control by
means of encryption. In these approaches, the sharing
scenarios among users are crude and pre-compiled at
encryption time. Conversely, C-SXA clearly separates
the concern between data encryption and access control.
C-SXA processes the card holder’s access control rules
on an encrypted XML input document and delivers the
Philippe Pucheral*,**
<Firstname.Lastname>@inria.fr
authorized subset of this document. Several and
personalized access control policies can therefore be
defined on the same document, reflecting different
privileges for different users. These policies can easily
evolve by updating the access control rules without
impacting the document encryption.
Thanks to these two features, C-SXA addresses
important applications emerging in the telecom and
banking domains (e.g., portable folders, DRM, secure
data sharing among family members, friends or business
partners) that cannot be tackled by existing technologies.
While powerful, C-SXA accommodates well the strong
hardware smart card constraints. This equation has been
solved thanks to a long expertise in developing advanced
database components embedded in smart cards [ABB01,
PBV01, BoP02, BoP04, BDP03, BDP04].
The sequel of this paper is organized as follows.
Section 2 presents the main application domains
targeted by C-SXA and discusses the current state of the
technology in these domains (marketing and research
alternatives). Section 3 introduces the principles of CSXA and illustrates its use on a motivating example,
namely a collaborative agenda managed through cellular
phones. Section 4 gives a technical description of the
main C-SXA components. Section 5 discusses the ease
of use and cost-effectiveness of the proposed
technology. Finally, Section 6 concludes.
2
Target applications and alternatives
Storage and protection of on-board data
The rapid growth of smart card stable storage capacity
(from kilobytes to megabytes soon) makes the
management of on-board data realistic and more and
more attractive for a wide range of applications. The
concept of secure portable folder has emerged with the
idea of carrying a patient’s medical history in a smart
card [SCA03]. Since then, the value of smart cards to
secure and share in a controlled way personal
information has been recognized in several domains like
education (scholastic folders), commerce (loyalties),
telecommunication (address book) or mobile computing
(user’s profiles containing licenses, passwords,
bookmarks, etc). MasterCard published recently the
MasterCard Open Data Storage (MODS) Application
Programming Interface “to meet the desire expressed by
customers to better control how much information they
are willing to share with whom” [Mas02]. The IBMHarris report on consumer privacy survey strongly
1
highlights this same requirement [IBM]. According to
MasterCard, MODS gives issuers the market
differentiation they want, merchants the marketing tools
they need, and consumers the convenience and control
they have been asking for.
While the need for on-board data management and
sharing facilities is clearly established, few technical
solutions have been proposed yet. Existing solutions are
generally application specific, store data sequentially,
allow basic searches and protect data thanks to
passwords. The Structured Card Query Language
(SCQL) standard [ISO99] is a first attempt to define
database-style storage techniques and privileges.
PicoDBMS [PBV01, ABB01], designed by our team, was
the first full-fledged relational database system embedded
in a smart card, supporting a robust subset of the SQL
standard (and then encompassing SCQL). PicoDBMS is
however a complex technology primarily designed to
manage efficiently huge and well structured embedded
folders. The versatility and wide acceptance of XML
[W3C] makes this standard the best candidate today to
describe, organize, store and share the variety of data that
appear in the above applications. To the best of our
knowledge, C-SXA is the first technology providing a
smart card XML data store and access controller.
Protection of external data
Different requirements motivate a secured access to
external data from a smart card: (1) the management of
personal folders (as above) whose size exceeds the smart
card storage capacity; (2) the sharing of personal or
professional data (e.g., agenda, address book, bookmarks,
etc) among a community of users (family, friends,
colleagues, partners); (3) the consumption of information
disseminated through a license-based distribution channel
or (4) accessed freely through the Internet.
While the internal data are protected by the
tamper-resistance of the chip, external data need be
protected by encryption. The role of encryption differs
depending on the source of threatening. In cases (1) and
(2), encryption is required to preserve the confidentiality
of the data hosted in untrusted servers, considering the
increasing suspicion towards Database Service Provider
(DSP)1 [HIL02] and the vulnerability of database
servers facing external and internal attacks [FBI03]. In
case (3), the role of encryption is protecting digital
assets from illegal access and copying [Sma]. Finally,
case (4) refers to the ever-increasing concern of parents
and teachers to protect children by controlling and
filtering out what they access on the Internet [PIC]. To
meet this last requirement, encryption can take place in
the Web server, in the ISP or in the client device
communication card while the access control and
decryption remains confined in the smart card.
Usually, the data are kept encrypted at the server
and a client is granted access to subparts of them
according to the decryption keys in its possession.
1 Database Service Providers are database hosting ISP (e.g.,
eCriteria, http://amuletc.evsholdingco.com/).
Variations of this basic model have been designed in
different context, such as encrypted backups for
personal data [Sky], encrypted data hosted by untrusted
DSP [HIL02], encrypted relational databases [Ora04,
HeW01], lucrative as well as non-profit publishing
[MiS03, BCF01, Sma]. Despite their respective merit,
these models have in common a static way of sharing
data. Indeed, access control policies are all precompiled
by the encryption, so that changing these policies may
incur a partial re-encryption of the dataset and/or a
potential redistribution of keys [BDP04]. A touch of
dynamicity can be introduced by decomposing each
data in disjoint encrypted parts and leave clients access
subparts of the data according to a license [Sos].
However, decomposing each data and administering the
corresponding licenses is a rather tricky and
cumbersome task.
Unfortunately, they are many situations where
access rules are user specific, dynamic and then difficult
to predict. In medical folders, the rules protecting the
patient’s privacy may suffer exceptions in several
situations (e.g., in case of emergency) [ABM03]. In a
data-sharing scenario, the sharing policies change as the
initial situation evolves (new relationship between users,
new partners or friends, new projects with diverging
interest, etc.). Access control languages like XrML
[XrM] or ODRL [ODR] demonstrates the need for more
expressiveness and flexibility in DRM applications (e.g.,
Alice may listen freely to a piece of music provided she
has listened a given amount of commercial before).
Finally, neither Web site nor Internet Service Provider
can predict the diversity of access control rules that
parents/teachers with different sensibility are willing to
enforce (e.g., rules may depends on religious beliefs,
political opinions, lecture topics, etc.). Again, to the best
of our knowledge, C-SXA is the first technology capable
of supporting the access control flexibility required by
these applications. This flexibility is guaranteed by a
clear separation between encryption and access control
and by a smart and versatile XML access controller
embedded in a secured chip. The resulting benefit is
threefold. First, C-SXA provides a very user friendly and
powerful way to define access control rules (e.g.,
Salary[amount>10000] expresses in a single formula the
protection of all salaries greater than $10.000 in a
complete – group of – document). Second, access control
rules are fully dynamic since they are downloaded by the
smart card on demand. Third, C-SXA applies to any kind
of data described or annotated in XML, a standard
flooding every activity sectors.
Market perspectives
To predict the market impact of emerging applications
is a rather difficult task, especially for non-marketers.
However, elements for this analysis can be delivered.
The target applications mentioned above impact
primarily the SIM card market and the banking card
market. Indeed, digital asset consumption through
cellular phones is yet a reality and data sharing among a
community of user is well in the spirit of the SMS
2
phenomenon. At the same time, the customer’s interest
for secure portable folders has been clearly identified by
MasterCard. According to Eurosmart, the telecom
market alone worth 60% of the smart card market's
global sales, estimated at 1.7 billion euros in 2002. ST
Microelectronics indicates that 500M of SIM smart
cards and 200M of banking smart cards have been sold
in 2002 representing roughly 85% of the total market.
As Eurosmart confesses, the development of new SIM
card services is, however, more difficult to quantify.
Anyway, services in relation with DRM will
undoubtedly receive a particular attention considering
the dramatic impact of worldwide digital piracy for the
music industry (loses estimated to $5 billion every year
by the RIAA) and the movie industry (loses estimated to
$3 billion every year by the MPAA). Also, data privacy
(and then secure folders) is becoming a major concern
for most citizen and consumers, as stated in the IBMHarris Multinational Consumer Privacy Survey [IBM].
Parental and teacher control could also generate a
new mass market for smart cards. To illustrate this, the
French government launched an important educational
program to give students and teachers a controlled
access to a wide range of digital assets (book extracts,
encyclopedia elements, geographical maps, works of
art, etc) [Jou04]. As an indication, the number of French
students was estimated by INSEE to 14,4M in 2001.
3
<Agenda>
<Year value="2004">
<Month value="03">
<Day value="19">
<Appointment>
<Category> Work </Category>
<General>
<Start> 10:00 </Start>
<End> 12:00 </End>
<Avail.> Busy </Avail.>
</General>
etc…
Figure 1: XML agenda fragment
Queries can be expressed over an XML document
using the XPath language. Roughly speaking, an XPath
expression allows to navigate in the document through
the parent axis (denoted by /) and the descendant axis
(denoted by //) and to apply predicates on elements and
attributes. The result of an XPath expression is an
element (or a group of elements) along with its subtree.
To illustrate the power and simplicity of XPath, let us
consider
the
two
following
expressions:
/Agenda/Year/Month/Day selects all days in an agenda
while /Agenda//Appointment[Category=“Work”]/Content
selects each content that is a direct child of any
appointment of category “work” reachable from the
Agenda root.
C-SXA baseline
Access control model
We introduce below a simplified access control model
for XML, inspired by the well-accepted Samarati’s
model [BCF01]. In this model, access control rules take
the form of a 3-uple <subject, sign, object>. Subject
corresponds to an authenticated user or user group. Sign
denotes either a permission (positive rule denoted by )
or a prohibition (negative rule denoted by ). Object
corresponds to an XML element (along with its subtree)
identified by an XPath expression. Figure 3 shows an
access control policy defined for regulating the access to
the agenda presented above. This policy states that: by
default, nobody is granted access to any appointment
(rule R1); users belonging to the group Secretary can
access all appointments of category “work” (rule R2),
except the notes that appear in the content (rule R3); a
XML background
XML, the Extensible Markup Language promoted
by the W3C, is become a de-facto standard for the
presentation, exchange and management of information.
Figure 1 and 2 picture an XML agenda sample, both in
its textual form and in its usual hierarchical
representation. This XML agenda will serve as
motivating example in the rest of the paper. Roughly
speaking, an XML document can be seen as a tree of
elements (e.g., Category), each one demarcated by an
opening and closing tag (e.g., <Category> and
</Category>). Attributes (e.g., value) may be
attached to elements. Terminal elements (at the leaves
of the tree) are represented by text (e.g., Work).
Agenda
Year: 2004
Month: 03
etc....
Day: 19
Appointment
Category General
Appointment
Content
Category General
Work
Content
Friend
Start
End
Avail. Contact Contact Title
10:00
12:00
Busy François
Luc
Notes
E-Gate Check paper
Start
End
Avail.
22:00
24:00
Out
Type
Title
Place
Cinema The Mother UGC-Nice
Figure 2: Hirerarchical representation of an XML agenda
3
Rule R1:
Rule R2:
Rule R3:
Rule R4:
Rule R5:
<PUBLIC,
<Secretary,
<Secretary,
<Colleague,
<Cathy,
,
,
,
,
,
// Appointment >
// Appointment [ Category = “Work” ] >
// Appointment [ Category = “Work” ] /Content/Notes >
// Appointment [ // Contact = CURRENT_USER ] / Content >
// Appointment [ Category = “Friend” ] >
Figure 3: Access control policy rules
colleague can see the appointments of category “work”
in which he/she participates (rule R4); finally, Cathy
can access all appointments of category “friend” (rule
R5). Figure 2 pictures in grey the agenda parts that
remains hidden to the secretaries.
To fully understand the semantics of the access
control model, conflicts between rules have to be
discussed. Indeed, several rules may apply to the same
user and each rule propagates from an element to its
subtree, a source of potential conflicts. Conflicts are
resolved using two principles: Denial-Takes-Precedence
and Most-Specific-Object-Takes-Precedence. DenialTakes-Precedence states that if two rules of opposite
sign are defined on the same object, the negative rule is
favored (e.g., a rule R6 of the form <PUBLIC, ,
//Appointment> will be inhibited by rule R1). MostSpecific-Object-Takes-Precedence favors the rule that
applies directly to an object against the inherited one
(e.g., R3 is more specific than R2).
sensitive appointments. Models compiling access
control policies in the data encryption cannot tackle
these situations. In this application, the agenda is
actually stored in an encrypted form on a remote server
to allow the sharing among partners while protecting the
data confidentiality. Part of the agenda (e.g., the current
week) of a user can also be stored in his own smart card
to give him the ability to consult his agenda thanks to
his cellular phone in a stand-alone mode (e.g., while
being disconnected). Figure 4 pictures the target
architecture.
Let assume now that Alice agrees to share part of
her agenda with Bob and that both Alice and Bob use a
C-SXA enabled SIM card in their cellular phone. Alice
will fix Bob’s access control policy thanks to a user
friendly rights management GUI (default rules are
proposed to manage the usual cases, as pictured in the
figure). These rules are translated in XPath expressions
by the application and are stored in an encrypted form in
the remote server. Later on, Bob connects to the server
and asks for Alice’s agenda. At that time, C-SXA
downloads Bob’s access control policy through a
secured channel in Bob’s SIM card. Bob can then issue
a query on Alice’s agenda, again thanks to a user
friendly GUI (e.g., by clicking on a particular day). The
Scenario
The collaborative agenda application exemplifies the
need for dynamicity. Indeed, access control rules are
likely to evolve while new partners join or leave the
community and ad-hoc rules may be defined for some
Agenda
Address book
Access Rights
Access Rights
C-SXA engine
GUI
Alice agenda
Week 12
XML Documents
Access Rules
Security
Modules
Xpath
Evaluation
GUI
GUI
C-SXA
ML
Engine
Proxy TXH
A
XM
L
XP
TH
A
XP
GUI
Database
Server
Alice
Agenda
Encrypted
XML Documents
C
JDB
C-SXA Proxy
U
APD
Encrypted
Access Rules
Device hosting the e-gate token
Rule conflict
resolution
Figure 4: Target architecture
4
application translates this query in an XPath expression,
then C-SXA interprets it, downloads the relevant day of
Alice’s agenda in a streaming fashion, decrypts it,
checks its integrity and evaluates Bob’s access control
rules to deliver the authorized final result. Bob can issue
an update on an authorized part of Alice's agenda (e.g.,
to notify her from a change in an appointment) exactly
in the same way as a query. If Alice is willing to change
Bob’s access control policy, she uses again the access
access right management GUI, the new policy is sent to
the server and will become active the next time Bob
connects to Alice’s agenda.
As the next section will make clear, the C-SXA
mechanisms are generic and can be applied to any kinds
of XML document. Only the GUI and the application
logic are specific.
4
Technical description
This section gives an outline of the most interesting
technical aspects of C-SXA. The reader interested in a
deeper description of the C-SDA architecture is referred
to [BDP04]. This section is however not mandatory to
understand the rest of the paper. The most important
point in this section is to demonstrate that the
powerfulness of C-SXA regarding access control
management and querying both on embedded and
external XML documents relies on two smart but rather
simple algorithms.
Access control management
For each element of the input document, the access
rule evaluator must be capable of determining the set of
rules that applies to it to determine the outcome for that
element. The access rule evaluator is fed by an eventbased parser [SAX] raising open, value and close events
respectively for each opening, text and closing tag
encountered in the input document.
Each access rule (i.e., XPath expression) is
represented by a non-deterministic finite automaton
[HoU79], named Access Rule Automaton (ARA for
short). An ARA is made of states connected by
transitions (see Figure 5). Tokens traverse the ARA
while transitions are triggered, at document parsing
time. An ARA has one target final state (representing
the element targeted by the access rule) and may have
zero, one or more predicate final states (one for each
predicate involved in the access rule). When all final
states of an ARA have been reached by a token, the
corresponding access rule becomes active, meaning that
it applies to the forthcoming elements. Figure 5 shows
the token positions in the ARA corresponding to rule R3
at the time the parser analyses the leftmost element of
the agenda (i.e., category=work, see Figure 2). The
following data structures are maintained in the smart
card to manage the set of ARA representing a given
access control policy:
 Token Stack: The Token Stack memorizes the
progress of tokens in all ARA and allows
backtracking in the ARA.
State
Target final state
Token
Transition
*
Appointment
Predicate final state
Content
Notes
Appointment
*
Category
="Work"
R3:  //Appointment[Category=“Work”]/Content/Notes
Figure 5: Access control rule automaton
 Authorization Stack: The Authorization Stack
registers the rules having reached their target final
state and is used to solve conflicts between rules.
The status of a rule present in the stack can be:
positive-active ( : forthcoming elements will be
delivered), positive-pending (? : the delivery of the
forthcoming elements is conditioned by a predicate
not yet evaluated), negative-active ( : forthcoming
elements can be skipped), negative-pending (? : the
skip of the forthcoming elements is conditioned by a
predicate not yet evaluated).
 Predicate Set: this set memorizes the predicates
already evaluated.
The outcome of the current element can be easily
determined from the information kept in these data
structures, thanks to the conflict resolution algorithm
presented in Figure 6. In the algorithm, AS denotes the
Authorization Stack and AS[i].RuleStatus denotes the
set of status of all rules registered at level i in this stack.
In the first call of this recursive algorithm, depth
corresponds to the top of AS.
DecideElement(depth)  Decision  {, ,?}
1: If depth = 0 then return ‘’
2: elseif ‘’ AS[depth].RuleStatus then return ‘’
3: elseif ‘’  AS[depth].RuleStatus and
4:
‘?’  AS[depth].RuleStatus then return ‘’
5: elseif DecideNode(depth -1) = ‘’ and
6:
‘?’  AS[depth].RuleStatus then return ‘’
7: elseif DecideNode(depth -1) = ‘’ and
8:
‘?’  AS[depth] RuleStatus then return ‘’
9: else return ‘?’
Figure 6: Conflict resolution algorithm
Query management
Queries are XPath expressions and then are
managed exactly as access rules are, except that they do
not take part in the conflict resolution algorithm. Thus, a
query is represented by a non-deterministic finite
automaton. When the final state(s) of this automaton has
been reached, forthcoming elements are candidate to
participate in the result (their final outcome depends on
the conflict resolution algorithm).
5
1 2[2004] 3[03] 4[19] 5 6[Work] 7 8[10:00] 9[12:00] 10[Busy] 11 12[François] 12[Luc] 13[E-Gate]
14[Check paper]
5 6[Perso] 7 8[22:00] 9[24:00] 10[Out] 11 15[Cinema]
13[The Mother] 16[UGC-Nice]
Figure 7: Compressed Agenda Fragment
As a conclusion, the algorithm managing the nondeterministic finite automata and the conflict resolution
algorithm form the core of C-SXA. These two
algorithms support alone the access control and the
querying facilities, contributing to the global simplicity
of the C-SXA technology.
Internal storage
The size of the embedded documents being a
concern, we compress the document structure thanks to
a dictionary of element names, also called tags
[ABC04]. As pictured in Figure 7, this compression
technique replaces each tag (of type string) in the
document by a reference to the corresponding tag
dictionary entry. In practice, the structure of an XML
document represents between 50% and 90% of the
document [MBV03]. Thus, this rather simple
compression scheme achieves a compression ratio
between 40% and 80%. In many cases, the tag
dictionary is not confidential (e.g., when the application
domain is based on an XML namespace) and can be
stored outside from the smart card, increasing further
the storage benefit.
RULES
DOCUMENTS
External Storage
This simple compression scheme is used both for
documents stored inside and outside the smart card (i.e.,
on the server). The reason for this is to use the same
XPath evaluator to process access control rules and
queries both on internal and external documents. This
drastically reduces the complexity of the smart card
code. More complex data structures could be devised to
store XML documents. However, the simple scheme
proposed is well adapted to streaming (a requirement for
external documents) and matches well the future smart
card stable storage Flash technology (a requirement for
internal documents) where data are stored by chunks.
The external documents and the access control
rules can be stored on any kind of data repository. In our
prototype we selected a relational database server
(MySQL) in order to benefit from all the database
functionality. The main tables are represented in Figure
8. Columns pictured in grey are encrypted thanks to the
Owner
Type
XPath
Philippe Agenda
2[2004] 3[03] 4[18]
Philippe Agenda
2[2004] 3[03] 4[19]
Philippe Agenda
2[2004] 3[03] 4[20]
Owner
Type
Grantee RuleId
owner secret key. To allow downloading a subpart of a
document when a client issues a query, we split a
document into encrypted fragments. The scope and size
of fragments is determined by the application. In the
Agenda application, each fragment corresponds to a
particular day. The XPath column is a (compressed)
XPath expression identifying each fragment of a
document, itself identified by (owner, type). Type and
XPath can be stored in plaintext since they do not
divulgate information. Note that the XPath (for
documents) and RuleId (for rules) are stored both in
plaintext and encrypted form in order to allow the smart
card checking the correspondence between client
request and server answer. Finally, note that documents
can optionally be indexed by n-grams to allow keywords searches in the encrypted data [HiL02].
4.1
Security features
Confidentiality and Integrity
Encryption and hashing are required to guarantee
respectively the confidentiality and the integrity of
external documents and access rules. Standard integrity
checking methods must be adapted to tackle the
memory limitation of the smart card. This imposes to
implement integrity checking in a streaming fashion.
In our context, the attacker is the user himself. For
instance, a user being granted access to an appointment
X may try to extract unauthorized information from an
appointment Y. Let assume that the document is
encrypted with a classic block cipher algorithm (e.g.,
DES or triple-DES) and that blocks are encrypted
independently (e.g., following the ECB mode [Sch96]),
identical plaintext blocks will generate identical
ciphered values. In that case, the attacker can conduct
different attacks: substituting some blocks of
appointments X and Y to mislead the access control
manager and decrypt part of Y; building a dictionary of
known plaintext/ciphertext pairs from authorized
information (e.g., X) and using it to derive unauthorized
information from ciphertext (e.g., Y); making statistical
inference on ciphertext. Additionally, if no integrity
checking occurs, the attacker can randomly modify
some blocks, inducing a dysfunction of the rule
N-gram
Encrypted data
1100111000100 1 2[2004] 3[03] 4[18] 5 6[Work] 7 8[08:00] 9[12:00] 10[Busy] 11 12[Luc] 13[ACI …
5 6[Work] 7 8[14:00] 9[17:00] 10[Busy] 11 12[François] …..
1 2[2004] 3[03] 4[19] 5 6[Work] 7 8[08:00] 9[12:00] 10[Busy] 11 12[Luc] 13[ACI …
0100011101110
5 6[Perso] 7 8[22:00] 9[24:00] 10[Out] 11 15[Cinema] …
1 2[2004] 3[03] 4[20] 5 6[Perso] 7 8[10:00] 9[12:00] 10[Out] 11 15[Sport] 13[…
1100111000111
5 6[Perso] 7 8[13:00] 9[16:00] 10[Out] 11 15[Museum] …
Encrypted rule
Philippe Agenda
Luc
7
7  : //Appointment[//Contact = "Luc"]/Content
Philippe Agenda
Luc
8
8  : //Appointment/General
Figure 8: Data stored on the server
6
processor (e.g., Bob is authorized to access
appointments starting after 6 PM and he randomly alters
the ciphertext storing the starting time).
To face these attacks, we exploit two techniques.
Regarding encryption, the objective is to generate
different ciphertexts for different instances of a same
value. This property is obtained by using a Cipher Bloc
Chaining (CBC) mode in place of ECB, meaning that
the encryption of a block depends on the preceding
block [Sch96]. Regarding integrity checking, the
document is split into chunks whose size is determined
by the memory capacity of the smart card. Each chunk
contains an encrypted ChunkDigest (computed using a
collision resistant hash function (e.g., SHA-1). To avoid
chunk substitution or removal, a chunk digest is
computed over the union between the chunk content
itself and the digest of the preceding chunk (see figure
9-a). The document is thus protected against tampering
and confidentiality attacks while remaining agnostic
regarding the encryption algorithm used to cipher the
elementary data.
Key distribution
Separating data encryption from access control allows
using potentially a single encryption key for all
documents and access rules present in the system.
However, to increase security and robustness, several
keys can be used, e.g., one per user. In this case, when
Alice wants to share (part of) her document with Bob,
Alice’s secret key must be transmitted to Bob’s smart
card. A secure key distribution can be implemented by
means of a classical Public Key Infrastructure (PKI).
Our prototype is open to this alternative. However, to
simplify the demonstrator, we do not make use of a PKI
and we statically store inside each card the secret keys
of the card holder’s partners.
Secured communications
Documents and rules transmission messages have to be
protected against tampering (e.g., Bob may try to drop
all negative rules transmitted by the server). To avoid
checking integrity twice (at the communication level
and at the rule/document chunk level), the message
digest is computed on the message header and on the
rule/document digest, as pictured in Figure 9.b and c.
Finally, an increasing counter is added to each message
to prevent replay attacks (e.g., Bob may try to substitute
a rule update message with an old one containing no
negative rules).
5
C-SXA ease of use and cost-effectiveness
The ease of use is a primary concern for the end-user.
To this respect, the benefits provided by C-SXA are the
following. First, any kind of data can be represented in
XML and then can be stored inside the smart card for
personal use or outside from the smart card for a
collaborative use, as easily as saving a file on a PC.
Second, the declarative expression of access control
policies and the dynamicity of these policies strongly
SHA-1
SHA-1
XML chunk 1
XML chunk 2
(a) Integrity of encrypted XML
SHA-1
HEADER
SHA-1
XML chunk 1
SHA-1
XML chunk 2
SHA-1
(b) Integrity of transmitted XML
SHA-1
HEADER
RULE 1
SHA-1
RULE 2
SHA-1
RULE 3
Sha-1
(c) Integrity of transmitted rules
Figure 9: Integrity
simplify their administration. To simplify further this
administration, each application can provide a dedicated
GUI allowing the end-user to click on a list of
predefined policies, in a way similar to Internet
Explorer content advisor or MSN parental controls. The
Agenda rights management GUI presented in Figure 4
illustrates this principle. Queries will also be
automatically generated by clicking on the main
application’s GUI (e.g., click on a particular day of the
Agenda is translated by the application in an XPath
expression). At demonstration time, we will show the
use of the GUI developed for two application samples,
namely a collaborative Agenda and a collaborative
address book and will show the effectiveness of the
approach in terms of local storage and access control
management.
Ease of use is also a strong argument for the
application developer. C-SXA tackles this requirement
in two ways. First, all the complexity of the storage,
access control, query and security management is
confined in the smart card and smart card proxy codes,
so that the application developer can concentrate on the
application logic. Second, C-SXA complies with the
standards. Documents are described in XML and both
access control rules and queries are expressed in XPath,
two very popular W3C standards.
Finally, the cost-effectiveness for the smart card
manufacturer or the C-SXA distributor (if different)
comes from the simplicity and the versatility of the CSXA engine. The same engine will be shared by all
applications concerned either with local data storage,
access control or query management. Its development
and deployment cost can then be amortized on very
large-scale markets. In the long term, and depending on
the market demand, C-SXA could even be integrated in
the smart card OS as a native functionality.
6
Conclusion
In this paper, we proposed a smart card-based versatile
XML Access Right Controller tackling the requirements
expressed by several promising applications in the
telecom and banking domains. While more powerful
and flexible than existing alternatives, our technology
accommodates well the strong smart card hardware
constraints. Indeed, the theoretical foundation of C-SXA
7
helped us to isolate the fundamental concepts of an
embedded XML access right controller and to translate
them into a simple, robust and generic software
component. Our current implementation exhibits
acceptable performance on the e-gate smartcard (a few
seconds to get a small document). Clearly, the limiting
factor of our technology remains the smart card
communication bandwidth. Higher communication
bandwidths expected soon for USB smart cards will
undoubtedly give a new dimension to the C-SXA
proposal.
7
[HoU79]
[ISO99]
[IBM]
References
[ABB01] N. Anciaux, C. Bobineau, L. Bouganim, P.
Pucheral, P. Valduriez, "PicoDBMS:
Validation and Experience", 27th Int. Conf.
on Very Large Data Bases (VLDB), demo
session, 2001.
[ABC04] A. Arion, A. Bonifati, G. Costa, S.
D'Aguanno, I. Manolescu, A. Puglies,
"Efficient
Query
Evaluation
over
Compressed Data", EDBT, 2004.
[ABM03] A. El Kalam, S. Benferhat, A. Miege, R.
Baida, F. Cuppens, C. Saurel, P. Balbiani, Y.
Deswarte, G. Trouessin, "Organization based
access control", IEEE 4th Int. Workshop on
Policies for Distributed Systems and
Networks, 2003.
[BCF01] E. Bertino, S. Castano, E. Ferrari, "Securing
XML documents with Author-X", IEEE
Internet Computing, 2001.
[BDP03] L. Bouganim, F. Dang Ngoc, P. Pucheral, L.
Wu,
"Chip-Secured
Data
Access:
Reconciling Access Right with Data
Encryption", 29th Int. Conf. on Very Large
Data Bases (VLDB), demo session, 2003.
[BDP04] L. Bouganim, F. Dang Ngoc, P. Pucheral,
"Client-Based Access Control Management
for XML Documents", INRIA internal report,
february 2004. http://www-smis.inria.fr/
~bouganim/Publis/BDP04.pdf
[BoP02] L. Bouganim, P. Pucheral, "Chip-Secured
Data Access: Confidential Data on Untrusted
Servers", 28th Int. Conf. on Very Large Data
Bases (VLDB), 2002.
[BoP04] L. Bouganim, P. Pucheral, "Procédé de
sécurisation de bases de données", Europeean
patent
n° 02779619.2-2212-FR0202824,
march 2004. Extension requested to US, JP
and CA.
[FBI03] Computer Security Institute, "CSI/FBI
Computer Crime and Security Survey"
http://www.gocsi.com/forms /fbi/pdf.html.
[HeW01] J. He, M. Wang, "Cryptography and
Relational Database Management Systems",
IDEAS, 2001.
[HIL02] H. Hacigumus, B. Iyer, C. Li, S. Mehrotra,
"Executing SQL over encrypted data in the
[Jou04]
[Mas02]
[MBV03]
[MiS03]
[ODR]
[Ora04]
[PIC]
[PBV01]
[SAX]
[SCA03]
[Sch96]
[Sma]
[Sky]
[Sos]
[W3C]
[XrM]
database-service-provider model", ACM
SIGMOD, 2002.
J. Hopcroft, J. Ullman, "Introduction to
Automata
Theory,
Languages
and
Computation", Addison-Wesley, 1979.
International Standardization Organization
(ISO). Integrated Circuit(s) Cards with
Contacts – Part 7: Interindustry Commands
for Structured Card Query Language
(SCQL). ISO/IEC 7816-7, 1999.
IBM-Harris Multinational Consumer Privacy
Survey:
http://www.pco.org.hk/english/
infocentre/files/westin.doc
JournalduNet, ‘L’espace numérique des
savoirs’, http://www.journaldunet.com/0302/
030207espacessavoirs.shtml
MasterCard, ‘MasterCard Open Data Storage
(MODS)’, 2002. https://hsm2stl101.mastercar
d.net/public/login/ebusiness/smart_cards/one
_smart_card/biz_opportunity/mods
L. Mignet, D. Barbosa, P. Veltri, "The XML
Web: a First Study", WWW 2003.
G. Micklau, D. Suciu, "Controlling Access to
Published Data Using Cryptography", 29th
Int. Conf. on Very Large Data Bases
(VLDB), 2003.
The Open Digital Rights Language Initiative,
http://odrl.net/.
Oracle Advanced Security Administrator's
Guide 10g Release 1 (10.1). http://otn.oracle.
com/pls/db10g/db10g.to_pdf?pathname=netw
ork.101%2Fb10772.pdf&remark=portal+%2
8Administration%29
W3C consortium, “PICS: Platform for
Internet Content Selection”, http://www.w3.
org/PICS.
P.Pucheral, L. Bouganim, P. Valduriez, C.
Bobineau,
"PicoDBMS: Scaling down
Database Techniques for the Smart card",
Very Large Data Bases Journal (VLDBJ),
Vol.10, n°2-3, 2001.
Simple API for XML,
http://www.saxproject.org/.
Smart Card Alliance, HIPAA Compliance
and Smart Cards: Solutions to Privacy and
Security Requirements, 2003.
B. Schneier, “Applied Cryptography”, 2nd
Edition, John Wiley & Sons, 1996.
‘The Smartright content protection system’.
http://www.smartright.org/
SkyDesk : @Backup (Storage Service
Provider). http://www.backup.com/index.htm
Sospita Secure Web. http://www.sospita.com/
files/support/ssw_white_paper.pdf
www.w3.org/XML
XrML eXtendible rights Markup Language,
http://www.xrml.org/.
8