Abstract: The method most commonly used on the Internet to protect privacy is access control, a security mechanism that manages permissions so that different users, once logged in to a system, hold different access rights. Traditional access control takes a whole document or file as the object of control and cannot authorize individual parts of the content or individual functions within a document or file. To overcome this limitation, XML access control systems were developed, and the concept is now widely used in today's business models, including publishing, collaborative authoring and control of access to e-services. As the information content and the number of users in a system grow explosively, how to authorize efficiently becomes a research issue worth studying. In addition, the network is an open but insecure environment: attackers often intend to break into a system and then arbitrarily alter its original authorization settings, so that illegitimate users can read content beyond what their own permissions allow. Looking at the current literature on watermarking of XML documents and on XML access control, no researcher has yet protected the authorization policy itself, so the legitimacy of the current authorization policy cannot be guaranteed. Once someone controls the reading and modification of a system's authorization policy, the privacy of users or authorized parties can easily be leaked, causing serious damage to personal reputation or finances. How to give a system the ability to verify the legitimacy of its authorization policy and to protect the privacy of authorized parties is therefore a research topic worth studying today. This two-year project takes a secure and efficient XML access control mechanism as its starting point and proceeds in two years with different aims. The yearly research topics are: in the first year, evaluating the authorization performance of traditional XML access control systems, identifying from this the key factors for improving performance, and then analyzing how to satisfy those factors to achieve a high-performance authorization model; the feasibility and optimality of this system will be verified by implementation and by mathematical optimization proofs. The second year builds on the first year's results but extends to a verification mechanism for authorization policies: we replace the traditional description of an authorization policy with the result of combining an authentication code and the authorization content via the Chinese Remainder Theorem, so that tampering with the authorization policy can be detected effectively and the privacy of authorized parties over the authorization content is protected.
Extensible Markup Language (XML) provides the flexibility to support various types of documents in most applications. Previous work on XML has mainly focused on schema revalidation, e-learning, fast query processing, secure dissemination, XML-based authorization, and XML document search in P2P (peer-to-peer) networks. XML-based authorization, called XML access control, can be leveraged in various applications, such as the publishing business model, to serve different users who subscribe to different parts of the content. Specifically, in XML access control a DOM (Document Object Model) tree is generated for each user of a document, where each leaf vertex in the tree corresponds to a part of the document and the path from the root to each leaf vertex is specified as an XPath, which carries the authorization rule, GRANT or DENY, for the user to access the corresponding part of the document. However, the current XML standard lacks an efficient mechanism to summarize a DOM tree so as to reduce the number of authorization rules. Therefore, as the document becomes complex, or as the number of users with various types of subscription increases, current XML access control incurs a large amount of overhead. To address this issue, we will formulate a new optimization problem that minimizes the number of summarized authorization rules in each DOM tree. To solve the problem, we will design an algorithm that obtains the optimal solution. Servers can use our algorithm to increase scalability and to support complex documents with more users. Afterward, we address the security concerns, namely the protection of the privacy and integrity of authorization rules. To prevent the rules from being modified by attackers, the current approach attaches an XML Signature, the standard that defines the XML syntax for digital signatures, to each authorization rule. However, XML signatures cannot protect the privacy of authorization rules.
In addition, XML signatures require a large amount of computation and storage space. Therefore, this project proposes to incorporate the protection of privacy and integrity directly into each authorization rule. Specifically, we leverage the Chinese Remainder Theorem (CRT) and devise an algorithm to generate the authentication codes and authorization contents. Our approach requires no additional space to store XML signatures. In addition, the authorization rules are protected not only by the pre-shared secret parameters but also by the authentication codes.
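As an added worked example (not code from the project or the page), the following Python sketch makes the rule-summarization problem described above concrete: it builds one user's leaf-level GRANT/DENY view of a small constructed XML document, then finds the smallest XPath rule set that reproduces that view by dynamic programming over the tree. The sample document, the user's subscription, the positional XPath form and the "most specific rule wins" semantics are all assumptions of the example; the project's own optimization formulation and algorithm are not on the page.

```python
"""Minimal XPath GRANT/DENY rule set for one user's view of an XML document.

Added illustration, not the project's algorithm. Assumed semantics: a rule on
a node applies to every leaf below it unless a rule on a deeper node overrides
it; leaves covered by no rule fall back to the root default (DENY here).
"""
import xml.etree.ElementTree as ET
from functools import lru_cache

GRANT, DENY = "GRANT", "DENY"

# Constructed sample document (not taken from the page).
SAMPLE_XML = """<journal>
  <issue id="1">
    <article id="a1"><abstract/><body/></article>
    <article id="a2"><abstract/><body/></article>
  </issue>
  <issue id="2">
    <article id="a3"><abstract/><body/></article>
    <article id="a4"><abstract/><body/></article>
  </issue>
</journal>"""


def build_tree(xml_text):
    """Return ({xpath: [child xpaths]}, [leaf xpaths]).
    Positional predicates (issue[2]) distinguish same-tag siblings."""
    children, leaves = {}, []

    def walk(elem, path):
        children[path] = []
        counts = {}
        for child in list(elem):
            counts[child.tag] = counts.get(child.tag, 0) + 1
            cpath = f"{path}/{child.tag}[{counts[child.tag]}]"
            children[path].append(cpath)
            walk(child, cpath)
        if not list(elem):
            leaves.append(path)

    root = ET.fromstring(xml_text)
    walk(root, "/" + root.tag)
    return children, leaves


def minimal_rules(children, leaf_decision, root, default=DENY):
    """Exact minimum-size rule set via dynamic programming over the tree.
    cost(node, inherited) = fewest rules needed in node's subtree when the
    decision arriving from above is `inherited`."""

    @lru_cache(maxsize=None)
    def cost(node, inherited):
        if not children[node]:                       # leaf vertex
            want = leaf_decision[node]
            return (0, ()) if want == inherited else (1, ((node, want),))
        best = None
        # Try keeping the inherited decision first, then overriding it;
        # '<' keeps the first option on ties, so overrides are not added idly.
        for choice in (inherited, GRANT if inherited == DENY else DENY):
            n, rules = (0, ()) if choice == inherited else (1, ((node, choice),))
            for child in children[node]:
                cn, cr = cost(child, choice)
                n, rules = n + cn, rules + cr
            if best is None or n < best[0]:
                best = (n, rules)
        return best

    return list(cost(root, default)[1])


def decide(rules, leaf, default=DENY):
    """Evaluate a rule set for one leaf: the longest matching prefix wins."""
    best_len, decision = -1, default
    for path, d in rules:
        if (leaf == path or leaf.startswith(path + "/")) and len(path) > best_len:
            best_len, decision = len(path), d
    return decision


def example_user():
    """Subscriber with full text of issue 1 and abstracts only of issue 2.
    Returns (summarized rules, number of leaves they replace)."""
    children, leaves = build_tree(SAMPLE_XML)
    decision = {}
    for leaf in leaves:
        full = leaf.startswith("/journal/issue[1]/")
        decision[leaf] = GRANT if full or leaf.endswith("/abstract[1]") else DENY
    rules = minimal_rules(children, decision, "/journal")
    # Sanity check: the summarized rules reproduce every per-leaf decision.
    assert all(decide(rules, leaf) == decision[leaf] for leaf in leaves)
    return rules, len(leaves)


if __name__ == "__main__":
    for rule in example_user()[0]:
        print(rule)
```

For this subscriber the eight per-leaf decisions collapse to three rules: one GRANT on `/journal/issue[1]` and one GRANT per abstract in issue 2, with everything else denied by the root default. The memoized DP is linear in the number of vertices, so it scales to the large documents the abstract is concerned with; what it does not do is share work across users, which is where the project's per-user DOM trees would still multiply cost.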
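As a second added example, here is a hypothetical instantiation of the CRT idea in the last paragraph, written for this page and not the project's construction, which the abstract does not spell out. Each rule is serialized, an HMAC-derived authentication code is computed over it, and the two integers are combined into a single value by the Chinese Remainder Theorem under two pre-shared secret prime moduli. The verifier recovers both residues and checks the code in constant time; a reader who lacks the moduli and key sees only the combined integer. The moduli, the key, the rule serialization and the bit-flip tamper check are all assumptions of the example.

```python
"""CRT packing of an authorization rule together with its authentication code.

Added, hypothetical instantiation of the abstract's idea. Assumptions: the
policy author and the verifier pre-share two distinct primes (so the moduli
are coprime) and an HMAC key; a rule is serialized as "<xpath>:<GRANT|DENY>".
"""
import hashlib
import hmac

# Constructed pre-shared parameters (demo values only; generate your own).
M_CONTENT = 2**255 - 19   # prime; must exceed every serialized rule as an integer
M_AUTH = 2**127 - 1       # prime, hence coprime with M_CONTENT
KEY = b"pre-shared-secret-for-demo-only"


def crt(residues, moduli):
    """Solve x = r_i (mod m_i) for pairwise-coprime moduli; x in [0, prod(m_i))."""
    total = 1
    for m in moduli:
        total *= m
    x = 0
    for r, m in zip(residues, moduli):
        partial = total // m
        x += r * partial * pow(partial, -1, m)   # pow(.., -1, m) is the modular inverse
    return x % total


def auth_code(content: bytes) -> int:
    """Keyed authentication code over the rule content, reduced into Z_M_AUTH."""
    tag = hmac.new(KEY, content, hashlib.sha256).digest()
    return int.from_bytes(tag, "big") % M_AUTH


def encode_rule(xpath: str, decision: str) -> int:
    """Return one integer carrying both the rule and its authentication code."""
    content = f"{xpath}:{decision}".encode()
    c = int.from_bytes(content, "big")
    if c >= M_CONTENT:
        raise ValueError("rule too long for M_CONTENT")
    return crt([c, auth_code(content)], [M_CONTENT, M_AUTH])


def decode_rule(x: int):
    """Recover (xpath, decision) from x, or None if the code does not verify."""
    c, a = x % M_CONTENT, x % M_AUTH
    content = c.to_bytes((c.bit_length() + 7) // 8, "big")
    expected = auth_code(content).to_bytes(16, "big")   # both values < 2**127
    if not hmac.compare_digest(expected, a.to_bytes(16, "big")):
        return None
    xpath, _, decision = content.decode(errors="replace").rpartition(":")
    return xpath, decision


def tamper_detected(x: int, bit: int = 5) -> bool:
    """Flip one bit of a stored value and report whether verification rejects it.
    Any change to x alters the content residue, the code residue, or both, so a
    forgery must also hit a matching HMAC residue (probability about 2**-127)."""
    return decode_rule(x ^ (1 << bit)) is None


if __name__ == "__main__":
    x = encode_rule("/journal/issue[1]", "GRANT")
    print(x.bit_length(), decode_rule(x), tamper_detected(x))
```

Two practitioner caveats follow directly from the construction. Integrity rests on the HMAC key, and privacy rests entirely on the secrecy of `M_CONTENT`: anyone who learns that modulus recovers every rule with one reduction, so this is not a substitute for encryption in settings where the parameters may leak. Also note the storage trade-off the abstract alludes to: the packed value here is about 382 bits per rule, in place of a separate XML Signature element, and the rule string itself must remain shorter than the content modulus.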