UOML (Unstructured Operation Markup Language) Part 2: Layout-based document security Version 1.0, WD2 – Rev.0 OASIS UOML-X TC March 10, 2014


Table of Contents

1. Introduction
  1.1. Terminology
  1.2. Summary
  1.3. Normative References
  1.4. Non-Normative References
2. Document Structure Related Security
3. Identity Authentication
  3.1 UOML Objects About Identity Authentication
    3.1.1 Role List
    3.1.2 Role
  3.2 Process Of Identity Authentication
  3.3 UOML Instruction About Identity Authentication
    3.3.1 Insert Role Object
    3.3.2 Get Challenge Value
    3.3.3 Login Docbase
    3.3.4 Logout Docbase
4. Access Control
  4.1 UOML Objects
    4.1.1 Access Control List
    4.1.2 Access Control Table Entry
    4.1.3 Access Control Item
  4.2 UOML Instructions
5 Digital Signature
  5.1 UOML Objects
    5.1.1 Digital Signature List
    5.1.2 Digital Signature Table Entry
    5.1.3 Digital Signature Item
  5.2 Digital Signature Process
    5.2.1 Signature Process
    5.2.2 Verifying Signing Process
  5.3 UOML Instructions
    5.3.1 Sub-tree Signature
    5.3.2 Verify The Signature Object
6 Communication Channel (Optional)
Attachment A


1. Introduction

1.1. Terminology

Access Control Entry: The access authority of one target role over one target object in the Docbase.

Access Control List: The list of access authorities of multiple roles over multiple objects in the Docbase.

Access Control Table Entry: The access authorities of multiple roles over one object in the Docbase.

Digital Signature List: The list of digital signatures over multiple sub-trees in the Docbase.

Identity Authentication: The process of identifying a role in the Docbase.

Role: A role in the Docbase.

Role List: The list of all roles in the Docbase.

Signature Verification: Verifying the digital signature of a sub-tree and returning the result.

1.2. Summary

This standard is the second part of UOML, covering the security control of layout-based documents. It mainly describes identity authentication, access control and digital signature, the contents related to security.

This standard is closely connected with the first part of UOML, the operation standard for layout-based documents: through the introduction of this part, the security-related contents are added to the Docbase by UOML instructions.

1.3. Normative References


The clauses of the following documents are referenced in this standard and form part of it. For dated references, later revisions do not apply to this standard; however, parties to agreements based on this standard are encouraged to decide whether the latest revision may be used. For undated references, the latest revision applies.

GB/T 18793-2002 Information Technology - Extensible Markup Language (XML) 1.0 (neq W3C REC-xml-19980210:1998)

W3C XML Namespaces (xml-names)

XML Schema Definition Language (XSDL) 1.1 Part 1: Structures

XML Schema Definition Language (XSDL) 1.1 Part 2: Datatypes

X.509

1.4. Non-Normative References

2. Document Structure Related Security

3. Identity Authentication

Identity authentication defines the roles that have the authority to access the Docbase. Only these permitted roles can log in to the Docbase and then perform access control and digital signature according to their authority.

3.1 UOML Objects About Identity Authentication

Role List

Role

3.1.1 Role List

The Docbase has multiple roles, and each role can control objects in the Docbase.

Role List
  Semantic: List of all roles in the Docbase.
  Property: N/A.
  Sub-element: N/A.
  Parent-object: Docbase.
  Sub-object: Role.

3.1.2 Role

Role
  Semantic: The role in the Docbase.
  Property:
    id: The unique identification of the role in the Docbase; optional. There is no id property when the object is created; the Docbase builds the id property from the role certificate (e.g. the hash value of the role certificate).
    cert_type: Type of certificate; the default value is X.509.
    certificate: Digital certificate of the role (base64); optional. The login password is generated when the role creates a password for login.
  Sub-element: meta list.
  Parent-object: role list.
  Sub-object: meta list. Relevant information about the role, for example creation time, creator and so on. All the information is used by the application program.

About roles in the Docbase:

1. A default role exists when a new Docbase is generated, and the default role has full authority. If there is no other role in the Docbase, the default role can log in without program intervention. Using the default role, the application can add any kind of new role to the Docbase, such as an administrator role or a read-only role, and can also set the new role's authority to access the Docbase.

2. It is up to the application to decide how to use a new role. The default role can be deleted by the administrator role, which has full authority over the Docbase.

3. A role that has the authority to add roles can create a new role in the Docbase.

4. When the Docbase administrator deletes itself, the other roles cannot delete any role in the Docbase, except a role that has the role-deletion or document-decryption authority.

5. Only a role with document-decryption authority can convert documents from the secure state to the non-secure state.

6. The process of creating, modifying and deleting a role: the application opens the Docbase and gets the role list handle, creates the role and calls the UOML instruction to insert it; the DCMS assigns an id to the role. If the application did not assign a certificate to the role, the DCMS creates a certificate of the assigned type for it; if it did, that certificate is used and inserted into the role list. The DCMS returns the login credential (base64-encoded) and the role handle corresponding to the role; the role is now created. After logging in with this role, the application can modify roles in the Docbase according to the authority it has. A role can grant to other roles only the authority it holds itself. Roles can be added or deleted if the operator has the authority. When a role is deleted, its items in the access control table should be deleted at the same time.

7. Currently, the Docbase supports two login styles: password and X.509 certificate. Password login uses the DES encryption algorithm, and X.509 certificate login uses the universal RSA algorithm.

3.2 Process Of Identity Authentication

The process of identity authentication through UOML is shown below:

[Figure: process of identity authentication through UOML]

It includes the following steps:

1. First the application opens the Docbase and gets the Docbase handle. Then the application gets a challenge value from the DCMS by sending the UOML instruction "login_get_challenge". Next, the application uses its private key to encrypt the challenge value into a cipher text. Finally, the application logs in to the Docbase by sending the UOML instruction "login", passing it a specified role and the cipher text.

2. The DCMS first decrypts the cipher text passed in by the application into a plain text, using the role's password or public key. Then the DCMS compares the plain text with the challenge value; if they are equal, the login succeeds, otherwise it fails.

3. When the application has finished accessing the Docbase via the specified role, it can send the "logout" instruction to the DCMS, which then performs the logout process.

4. Finally, the application closes the Docbase.

3.3 UOML Instruction About Identity Authentication

Include:

Insert Role Object

Get Challenge Value

Login Docbase

Logout Docbase

3.3.1 Insert Role Object

Call Instruction:


Return Instruction:


The properties of the insert role object instruction are as follows:

Insert a role object
  Function: Insert a role object into the role list.
  Property: handle: The handle of the RoleList.
  Ret: stringVal: The role handle returned by the DCMS.
       binaryVal: Login certificate data (base64).

For example, the instruction sent from the application to the DCMS is:

<uoml:INSERT xmlns:uoml="urn:oasis:names:tc:uoml:xmlns:uoml:1.0" handle="hRoleList" pos="-1">
  <xobj>
    <role id="UOML admin" cert_type="PASSWORD" certificate="admin_password">
      <metainfo>
        <meta key="cert_type" val="PASSWORD"/>
      </metainfo>
    </role>
  </xobj>
</uoml:INSERT>

The instruction returned from the DCMS to the application is:

<uoml:RET xmlns:uoml="urn:oasis:names:tc:uoml:xmlns:uoml:1.0">
  <stringVal name="handle" val="role"/>
</uoml:RET>

3.3.2 Get Challenge Value

Call Instruction:

Return Instruction:

The properties of the get challenge value instruction are as follows:

Get Challenge Value
  Function: Get the challenge value generated by the Docbase.
  Properties: handle: The handle of the Docbase.
  Ret: binaryVal: Challenge value (base64) returned by the DCMS.

For example, the instruction sent from the application to the DCMS is:

<uoml:SYSTEM xmlns:uoml="urn:oasis:names:tc:uoml:xmlns:uoml:1.0">
  <login_get_challenge handle="docbase"/>
</uoml:SYSTEM>

The instruction returned from the DCMS to the application is:

<uoml:RET xmlns:uoml="urn:oasis:names:tc:uoml:xmlns:uoml:1.0">
  <binaryVal name="Challenge" val="password"/>
</uoml:RET>

3.3.3 Login Docbase

The challenge value is encrypted for the created role, and this value is used as the password to log in to the Docbase.

Call instruction:

Returned instruction:


The following table lists its complete definition:

Login Docbase
  Function: Log in to the Docbase as a specified role.
  Properties:
    handle: A handle to the Docbase.
    role_id: The unique identity of a role in the Docbase.
    encryptval: The challenge value encrypted using the role certificate.
  Ret: boolVal: true: login successful; false: login failed.

For example, the instruction sent from the application to the DCMS is:

<uoml:SYSTEM xmlns:uoml="urn:oasis:names:tc:uoml:xmlns:uoml:1.0">
  <login handle="docbase" role_id="admin" encryptval="password"/>
</uoml:SYSTEM>

The instruction returned from the DCMS to the application is:

<uoml:RET xmlns:uoml="urn:oasis:names:tc:uoml:xmlns:uoml:1.0">
  <boolVal name="SUCCESS" val="true"/>
</uoml:RET>

3.3.4 Logout Docbase

Call instruction:


Returned instruction:

The following table lists its complete definition:

Logout Docbase
  Function: Log out of the Docbase as a specified role.
  Properties:
    handle: The handle of the Docbase.
    role_id: The unique identity of a role in the Docbase.
  Ret: boolVal: true: logout successful; false: logout failed.

For example, the instruction sent from the application to the DCMS is:

<uoml:SYSTEM xmlns:uoml="urn:oasis:names:tc:uoml:xmlns:uoml:1.0">
  <logout handle="docbase" role_id="admin"/>
</uoml:SYSTEM>

The instruction returned from the DCMS to the application is:

<uoml:RET xmlns:uoml="urn:oasis:names:tc:uoml:xmlns:uoml:1.0">
  <boolVal name="SUCCESS" val="true"/>
</uoml:RET>
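As an added example (not part of this draft and not the code of any UOML implementation), the following Python script carries the identity authentication process of 3.2 over the login_get_challenge, login and logout instructions of 3.3, with a constructed DCMS on one side and application helpers on the other. The draft's password mode uses DES, which the Python standard library does not include, so the step "encrypt the challenge with the role credential" is stood in for by HMAC-SHA256 keyed with the role password; the ToyDCMS class, its role table, the handle names and the session bookkeeping are assumptions made for this demonstration. The DCMS consumes each challenge on first use and compares the proof in constant time, so a resent login message fails; demo() returns the outcome of a correct login, of resending the same login message, and of a wrong password.

```python
"""Challenge-response login (sections 3.2 and 3.3) carried over the UOML
SYSTEM / RET messages, with both the application and the DCMS side.

Added example, not part of the OASIS draft. Labelled assumptions: the draft's
password mode uses DES, which the Python standard library does not provide,
so the "encrypt the challenge with the role credential" step is stood in for
by HMAC-SHA256 keyed with the role password; the DCMS class, the role table,
the handle names and the session bookkeeping are constructed for this demo.
"""
import base64
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET

UOML_NS = "urn:oasis:names:tc:uoml:xmlns:uoml:1.0"
ET.register_namespace("uoml", UOML_NS)


def build_system(op: str, **attrs) -> str:
    """Application side: wrap one operation in <uoml:SYSTEM>."""
    root = ET.Element(f"{{{UOML_NS}}}SYSTEM")
    ET.SubElement(root, op, attrs)
    return ET.tostring(root, encoding="unicode")


def ret(tag: str, name: str, val: str) -> str:
    """DCMS side: one typed value inside <uoml:RET>."""
    root = ET.Element(f"{{{UOML_NS}}}RET")
    ET.SubElement(root, tag, name=name, val=val)
    return ET.tostring(root, encoding="unicode")


def prove_challenge(password: str, challenge: bytes) -> bytes:
    """Bind the challenge to the role credential (stand-in for the DES step)."""
    return hmac.new(password.encode(), challenge, hashlib.sha256).digest()


class ToyDCMS:
    """Constructed DCMS: role table, outstanding challenges, login sessions."""

    def __init__(self, roles: dict):
        self.roles = roles          # role_id -> password (constructed table)
        self.pending = {}           # docbase handle -> not-yet-used challenge
        self.sessions = set()       # (docbase handle, role_id) logged in

    def handle_system(self, xml_text: str) -> str:
        op = ET.fromstring(xml_text)[0]
        handle, role_id = op.get("handle"), op.get("role_id")
        if op.tag == "login_get_challenge":
            challenge = secrets.token_bytes(16)      # fresh and single-use
            self.pending[handle] = challenge
            return ret("binaryVal", "Challenge", base64.b64encode(challenge).decode())
        if op.tag == "login":
            # Consume the challenge first: a resent login message finds none.
            challenge = self.pending.pop(handle, None)
            password = self.roles.get(role_id)
            ok = False
            if challenge is not None and password is not None:
                expected = prove_challenge(password, challenge)
                got = base64.b64decode(op.get("encryptval", ""))
                ok = hmac.compare_digest(expected, got)   # constant-time compare
            if ok:
                self.sessions.add((handle, role_id))
            return ret("boolVal", "SUCCESS", "true" if ok else "false")
        if op.tag == "logout":
            was_in = (handle, role_id) in self.sessions
            self.sessions.discard((handle, role_id))
            return ret("boolVal", "SUCCESS", "true" if was_in else "false")
        raise ValueError(f"unsupported instruction {op.tag}")


def app_get_challenge(dcms: ToyDCMS, handle: str) -> bytes:
    """Step 1 of 3.2: ask for the challenge and decode the base64 binaryVal."""
    req = build_system("login_get_challenge", handle=handle)
    resp = ET.fromstring(dcms.handle_system(req))
    return base64.b64decode(resp.find("binaryVal").get("val"))


def app_build_login(handle: str, role_id: str, password: str, challenge: bytes) -> str:
    """Step 1 of 3.2, second half: encrypt the challenge, build the login."""
    proof = base64.b64encode(prove_challenge(password, challenge)).decode()
    return build_system("login", handle=handle, role_id=role_id, encryptval=proof)


def parse_bool(ret_xml: str) -> bool:
    return ET.fromstring(ret_xml).find("boolVal").get("val") == "true"


def demo() -> tuple:
    """(correct login ok, same message resent ok, wrong password ok)."""
    dcms = ToyDCMS({"admin": "admin_password"})     # constructed role table
    login = app_build_login("docbase", "admin", "admin_password",
                            app_get_challenge(dcms, "docbase"))
    first = parse_bool(dcms.handle_system(login))
    again = parse_bool(dcms.handle_system(login))    # challenge already consumed
    wrong = parse_bool(dcms.handle_system(app_build_login(
        "docbase", "admin", "wrong", app_get_challenge(dcms, "docbase"))))
    dcms.handle_system(build_system("logout", handle="docbase", role_id="admin"))
    return first, again, wrong


if __name__ == "__main__":
    print(demo())   # (True, False, False)
```

The messages exchanged are exactly the SYSTEM and RET documents shown in 3.3.2 to 3.3.4; only the content of encryptval differs, because the HMAC stand-in replaces the draft's DES or RSA step.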


4. Access Control

4.1 UOML Objects

UOML objects about the Access Control List:

Access Control List

Access Control Table Entry

Access Control Item

4.1.1 Access Control List

This object defines the access control information of the Docbase and stores it under the Docbase object.

The following table lists its complete definition:

Access Control List
  Semantics: The rights of multiple roles to access multiple objects in the Docbase.
  Property: N/A.
  Sub-element: N/A.
  Parent-object: Docbase.
  Sub-object: Access control table entry.

4.1.2 Access Control Table Entry

Each access control table entry holds the access rights that every role owns for a specific object. Currently, the specific objects are Docbase, doc, page and layer; this means the authority over the contents below a layer cannot be controlled.

The following table lists its complete definition:

Access Control Table Entry
  Semantics: The rights of multiple roles to access a specific object (Docbase, doc, page, layer) in the Docbase.
  Properties: object_id: The unique identification of the accessed object in the Docbase.
  Sub-element: N/A.
  Parent-object: Access Control List.
  Sub-object: Access Control Item.

4.1.3 Access Control Item

An access control item is located under the access control table entry and defines the access authority that a role owns for the object.

The following table lists its complete definition:

Access Control Item
  Semantics: The right of a specific role to access a specific object in the Docbase.
  Properties:
    role_id: The unique identification of the role in the Docbase.
    allow: Allowed rights (multiple strings separated by commas).
    forbid: Forbidden rights (multiple strings separated by commas).
  Sub-element: N/A.
  Parent-object: Access Control Table Entry.
  Sub-object: METALIST.

The METALIST can be used to extend the properties of the access control item, for example with start, end, repeat, dev type and so on. The DCMS is only responsible for saving and loading these; it does not interpret the authority.

The access authority for a sub-object in a document can be inherited from its parent object.

The right strings used by allow and forbid are as follows:

Category: Grant and revoke rights
  PRIV_GRANT: A role can grant its rights to other roles.
  PRIV_REVOKE: Revoke the rights of others that were granted by the owner.

Category: Universal rights
  OBJ_TITLE: View the object title (only the Doc object and its parent objects have a title).
  OBJ_ADD: Add an object.
  OBJ_DEL: Delete an object.
  OBJ_GET: Get the object's content.
  OBJ_SET: Set the object's content.

Category: Doc rights
  DOC_READ: Read the document (that is, get the bitmap of the page).
  DOC_ABSTRACT: Extract the document content.
  DOC_RPM: Decrypt the managed document.

Category: Role rights
  ROLE_ADD: Add a role.
  ROLE_DEL: Delete a role.
  ROLE_UPD_KEY: Update the role certificate.

In addition to the default rights defined above, users can add rights according to their requirements. The keyword of such a right must start with USR_, followed by five user-defined characters that identify a corporation or any other entity. The Docbase saves the definitions of user-defined rights, and the application interprets their specific meaning.

4.2 UOML Instructions

UOML achieves access control without adding new instructions; the basic instructions of UOML-I completely satisfy the access control needs.

For example, the instructions sent from the application to the DCMS are:

<uoml:INSERT xmlns:uoml="urn:oasis:names:tc:uoml:xmlns:uoml:1.0" handle="hACLList" pos="-1">
  <xobj>
    <acl object_id="Page0"></acl>
  </xobj>
</uoml:INSERT>

The instruction returned from the DCMS to the application is:

<uoml:RET xmlns:uoml="urn:oasis:names:tc:uoml:xmlns:uoml:1.0">
  <stringVal name="handle" val="acl"/>
</uoml:RET>

<uoml:INSERT xmlns:uoml="urn:oasis:names:tc:uoml:xmlns:uoml:1.0" handle="hACL" pos="-1">
  <xobj>
    <aclentry role_id="role1" allow="OBJ_SET_PROP,OBJ_GET_SUB,OBJ_GET_PROP"></aclentry>
  </xobj>
</uoml:INSERT>

The instruction returned from the DCMS to the application is:

<uoml:RET xmlns:uoml="urn:oasis:names:tc:uoml:xmlns:uoml:1.0">
  <stringVal name="handle" val="aclentry"/>
</uoml:RET>
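As an added example (not the draft's code and not that of any UOML implementation), the following Python script turns the ACL objects that the INSERT instructions above build into access decisions. It parses acl and aclentry objects (4.1.1 to 4.1.3), walks a constructed object hierarchy (layer under page under doc under Docbase) so that rights are inherited from the parent object, validates user-defined USR_ right names, and removes a deleted role's items from every entry as note 6 of 3.1.2 requires. The draft only says that rights can be inherited, so the decision rule used here (the nearest object with an explicit entry for the role decides, forbid beats allow at the same level, default deny), the acllist wrapper element, the sample entries and the character class accepted after USR_ are all assumptions of this example.

```python
"""Access decisions from Access Control List objects (sections 4.1 and 4.2).

Added example, not part of the OASIS draft. Labelled assumptions: the
<acllist> wrapper, the object hierarchy and the sample entries are
constructed; the decision rule (nearest object with an explicit entry
decides, forbid beats allow at the same level, default deny) and the
character class accepted after USR_ are this example's own choices.
"""
import re
import xml.etree.ElementTree as ET

# Constructed hierarchy: Layer0 under Page0 under Doc1 under Docbase, the four
# object kinds that 4.1.2 names as carrying access control.
PARENT = {"Doc1": "Docbase", "Page0": "Doc1", "Layer0": "Page0"}

# Constructed ACL in the object form that the 4.2 INSERT instructions build.
ACL_XML = """<acllist>
  <acl object_id="Docbase">
    <aclentry role_id="admin" allow="OBJ_GET,OBJ_SET,OBJ_ADD,OBJ_DEL,ROLE_ADD,ROLE_DEL" forbid=""/>
    <aclentry role_id="reader" allow="OBJ_GET,DOC_READ" forbid="OBJ_SET,OBJ_DEL"/>
  </acl>
  <acl object_id="Doc1">
    <aclentry role_id="reader" allow="DOC_ABSTRACT" forbid=""/>
  </acl>
  <acl object_id="Page0">
    <aclentry role_id="reader" allow="" forbid="DOC_READ"/>
  </acl>
</acllist>"""

USER_RIGHT = re.compile(r"USR_[A-Za-z0-9]{5}")   # assumed character class


def split_rights(value: str) -> set:
    """allow / forbid hold comma-separated right strings."""
    return {r.strip() for r in value.split(",") if r.strip()}


def parse_acl_list(xml_text: str) -> dict:
    """object_id -> {role_id: (allowed set, forbidden set)}."""
    acl = {}
    for table_entry in ET.fromstring(xml_text).findall("acl"):
        items = {}
        for item in table_entry.findall("aclentry"):
            items[item.get("role_id")] = (split_rights(item.get("allow", "")),
                                          split_rights(item.get("forbid", "")))
        acl[table_entry.get("object_id")] = items
    return acl


def is_allowed(acl: dict, parent: dict, role_id: str, object_id: str, right: str) -> bool:
    """Walk from the object up to the Docbase; the first explicit answer wins."""
    node = object_id
    while node is not None:
        entry = acl.get(node, {}).get(role_id)
        if entry is not None:
            allow, forbid = entry
            if right in forbid:
                return False
            if right in allow:
                return True
        node = parent.get(node)        # inherit from the parent object
    return False                       # nothing granted anywhere: deny


def is_user_defined_right(name: str) -> bool:
    """USR_ followed by five user-defined characters (4.1.3)."""
    return USER_RIGHT.fullmatch(name) is not None


def delete_role(acl: dict, role_id: str) -> int:
    """Note 6 of 3.1.2: deleting a role removes its access control items too.
    Returns how many items were removed."""
    removed = 0
    for items in acl.values():
        if items.pop(role_id, None) is not None:
            removed += 1
    return removed


if __name__ == "__main__":
    acl = parse_acl_list(ACL_XML)
    print(is_allowed(acl, PARENT, "reader", "Layer0", "DOC_ABSTRACT"))   # True
    print(is_allowed(acl, PARENT, "reader", "Page0", "DOC_READ"))        # False
```

The walk stops at the first object that names the role and the right, so a forbid on Page0 overrides a DOC_READ allow on the Docbase for the same role, while a right mentioned nowhere on the path is denied.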

5 Digital Signature

5.1 UOML Objects

UOML objects about digital signature:

Digital Signature List

Digital Signature Table Entry

Digital Signature Item

5.1.1 Digital Signature List

This object defines the digital signatures of all roles in the Docbase and stores the information under the Docbase object.

The following table lists its complete definition:

Digital Signature List
  Semantics: Digital signatures of multiple sub-trees in the Docbase.
  Properties: N/A.
  Sub-elements: N/A.
  Parent-object: Docbase.
  Sub-object: Digital signature table entry.

5.1.2 Digital Signature Table Entry

Each digital signature table entry holds the digital signature of a specific object by every role. Currently the specific objects include only four kinds, Docbase, doc, page and layer; this means the content below a layer cannot be digitally signed.

The following table lists its complete definition:

Digital Signature Table Entry
  Semantics: Digital signature of a specific sub-tree in the Docbase.
  Properties: object_id: The identifications of the sub-trees in the Docbase, separated by commas (that is, the unique identifications of the sub-tree root nodes in the Docbase).
  Sub-element: N/A.
  Parent-object: Digital Signature List.
  Sub-object: Digital signature item.

5.1.3 Digital Signature Item

The digital signature item is located below the digital signature table entry and defines a digital signature of the sub-tree object by a role.

The following table lists its complete definition:

Digital Signature Item
  Semantics: Digital signature of a specific sub-tree in the Docbase.
  Properties:
    cert_type: The type of signature certificate (X.509, ECC); the default value is X.509.
    key_type: The type of key (RSA, ECC).
    keytypepara: The parameter of the key, e.g. 1024, 2048, 160, etc.
    hashtype: The digest algorithm (SM3, SHA1, MD5); the default value is SHA1.
    pubcertificate: Public certificate (base64).
    pricertificate: Private certificate (base64).
    signature: Signature data (base64).
  Sub-element: Meta List.
  Parent-element: Digital signature list.
  Sub-object: Meta list (METALIST), including the name of the graphic object, creator, creation time, etc.

5.2 Digital Signature Process

Digital signature has two processes, signing and verifying. To sign, the logged-in role must have the authority to modify the current document. The verifying operation can be used regardless of which role is logged in.

19

5.2.1 Signature Process

At present, digital signatures can only be applied to four kinds of objects: Docbase, documents, pages and layers. The basic process of signing these specific sub-trees through UOML is as follows:

(1) Signature by an external application

1. The application gets the handle of the root node object of the sub-tree.

2. The DCMS creates the signature table entry from the handle that the application obtained for the root node object of the sub-tree (if a signature table entry already exists, its handle is returned). Then it creates a signature item and returns the handle of the signature item.

3. Set the public key, digest algorithm, etc. of the signature item.

4. The DCMS computes the sub-tree's digest from the handle that the application obtained for the root node object of the sub-tree.

5. The application receives the digest of the sub-tree, performs the external signature, and generates the signature data.

6. Set the signature data through the handle of the signature item (the result of step 2).

(2) Signature in UOML

1. The application gets the handle of the root node object of the sub-tree.

2. The DCMS creates the signature table entry from the handle that the application obtained for the root node object of the sub-tree (if a signature table entry already exists, its handle is returned). Then it creates a signature item and returns the handle of the signature item.

3. Set the parameters of the signature item (certificate, key, etc.).

4. Apply the signature by calling the signature interface.

5.2.2 Verifying Signing Process

The process of verifying a sub-tree by UOML:

1. From the identifications of the sub-trees that the application is preparing to verify in the Docbase (that is, the identifications of the root nodes of the sub-trees in the Docbase), form a string in which the sub-trees are separated by commas, take this string as the parameter and send "verify the specific sub-tree" to the DCMS.

2. The DCMS looks up the digital signature table entry in the list by this unique string in the Docbase, finds the digital signature object under that table entry, and gets the parameters of the signature object.

3. The DCMS calculates the digest value of the sub-trees, applies the public key of the digital signature object to obtain the signature result, and compares that result with the signature data of the signature object.

4. Return the verification result.

5.3 UOML Instructions

UOML instructions about digital signature:

Sub-tree Signature

Verify the signature object

5.3.1 Sub-tree Signature

Call instruction:


Returned instruction:

The following table lists its complete definition:

Sub-tree Signature
  Function: Sign the specific sub-tree, insert the signature object into the list, and return the handle of the newly signed object to the user.
  Parameters:
    object_id: The identifications of the sub-trees in the Docbase, separated by commas (that is, the identifications of the sub-tree root nodes in the Docbase).
    handle_ref: The object handle of the associated graph object (optional).
  Ret: stringVal: The handle of the signature object.

For example, the instruction sent from the application to the DCMS is:

<uoml:SYSTEM xmlns:uoml="urn:oasis:names:tc:uoml:xmlns:uoml:1.0">
  <sign handle="page, page1, page2"/>
</uoml:SYSTEM>

The instruction returned from the DCMS to the application is:

<uoml:RET xmlns:uoml="urn:oasis:names:tc:uoml:xmlns:uoml:1.0">
  <stringVal name="sign" val="hSign"/>
</uoml:RET>

5.3.2 Verify The Signature Object

Call instruction:

Returned instruction:

The following table lists its complete definition:

Verify the object signature
  Function: Verify the signature of the specific sub-tree and return the verification result.
  Parameters: object_id: The identifications of the sub-trees to verify in the Docbase, separated by commas (that is, the identifications of the sub-tree root nodes in the Docbase).
  Ret: boolVal: The result of verifying the signature, successful or failed.

For example, the instruction sent from the application to the DCMS is:

<uoml:SYSTEM xmlns:uoml="urn:oasis:names:tc:uoml:xmlns:uoml:1.0">
  <verify handle="page, page1, page2"/>
</uoml:SYSTEM>

The instruction returned from the DCMS to the application is:

<uoml:RET xmlns:uoml="urn:oasis:names:tc:uoml:xmlns:uoml:1.0">
  <boolVal name="SUCCESS" val="true"/>
</uoml:RET>
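As an added example (not the draft's code and not that of any UOML implementation), the following Python script runs the signing process of 5.2.1 and the verification process of 5.2.2 behind the sign and verify instructions of 5.3: it computes the digest of the sub-trees named by a comma-separated object id list, stores a signature item in a signature list keyed by that list, and on verify recomputes the digest and checks it against the stored signature with the stored public key, so that a changed sub-tree or an unknown id list fails. The Docbase tree, the key pair, the handle names and the item layout are constructed; the signature is textbook RSA over the raw digest with a modulus from two Mersenne primes, which shows the shape of the protocol but is no substitute for a padded, standards-based signature scheme; of the draft's hashtype values only SHA1 and MD5 are available through hashlib, and SM3 is not handled. As a design choice, the signature item keeps only the public key and the signature; the private exponent is never written into the list, unlike the pricertificate property of 5.1.3.

```python
"""Sub-tree signing and verification (sections 5.2 and 5.3) carried over the
UOML <sign> / <verify> instructions.

Added example, not part of the OASIS draft. Labelled assumptions: the Docbase
tree, the key pair, the handle names and the signature-list layout are
constructed; the signature is textbook RSA over the raw digest with a modulus
from two Mersenne primes (no padding, not for production); only the SHA1 and
MD5 hashtype values are handled, through hashlib.
"""
import base64
import copy
import hashlib
import xml.etree.ElementTree as ET

UOML_NS = "urn:oasis:names:tc:uoml:xmlns:uoml:1.0"
ET.register_namespace("uoml", UOML_NS)

# Constructed toy RSA key: a 234-bit modulus, above any 160-bit SHA1 digest.
P, Q = 2 ** 107 - 1, 2 ** 127 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))           # private exponent, used only in sign()

HASHTYPES = {"SHA1": "sha1", "MD5": "md5"}   # hashtype values of 5.1.3

DOCBASE_XML = """<docbase id="docbase">
  <doc id="doc1">
    <page id="page1"><layer id="layer1">first page</layer></page>
    <page id="page2"><layer id="layer2">second page</layer></page>
  </doc>
</docbase>"""


def normalize_ids(handle: str) -> str:
    """'page1, page2' and 'page1,page2' name the same signature table entry."""
    return ",".join(s.strip() for s in handle.split(","))


def subtree_digest(root, object_ids: str, hashtype: str = "SHA1") -> bytes:
    """Signing step 4 / verifying step 3: digest of the named sub-trees, each
    serialised in canonical XML so attribute order cannot change the hash."""
    h = hashlib.new(HASHTYPES[hashtype])
    for oid in normalize_ids(object_ids).split(","):
        node = next((n for n in root.iter() if n.get("id") == oid), None)
        if node is None:
            raise KeyError(f"no object with id {oid!r}")
        clone = copy.copy(node)             # drop tail text outside the sub-tree
        clone.tail = None
        h.update(ET.canonicalize(ET.tostring(clone, encoding="unicode")).encode())
    return h.digest()


def rsa_sign(digest: bytes, d: int, n: int) -> bytes:
    m = int.from_bytes(digest, "big")
    if m >= n:
        raise ValueError("digest must be smaller than the modulus")
    return pow(m, d, n).to_bytes((n.bit_length() + 7) // 8, "big")


def rsa_verify(digest: bytes, signature: bytes, e: int, n: int) -> bool:
    return pow(int.from_bytes(signature, "big"), e, n) == int.from_bytes(digest, "big")


def build_system(op: str, **attrs) -> str:
    root = ET.Element(f"{{{UOML_NS}}}SYSTEM")
    ET.SubElement(root, op, attrs)
    return ET.tostring(root, encoding="unicode")


def ret(tag: str, name: str, val: str) -> str:
    root = ET.Element(f"{{{UOML_NS}}}RET")
    ET.SubElement(root, tag, name=name, val=val)
    return ET.tostring(root, encoding="unicode")


class ToySigningDCMS:
    """Constructed DCMS holding one Docbase and its digital signature list."""

    def __init__(self, docbase_xml: str):
        self.root = ET.fromstring(docbase_xml)
        self.siglist = {}      # object_ids -> signature item (public data only)

    def handle_system(self, xml_text: str) -> str:
        op = ET.fromstring(xml_text)[0]
        ids = normalize_ids(op.get("handle"))
        if op.tag == "sign":
            return ret("stringVal", "sign", self.sign(ids, "SHA1"))
        if op.tag == "verify":
            return ret("boolVal", "SUCCESS", "true" if self.verify(ids) else "false")
        raise ValueError(f"unsupported instruction {op.tag}")

    def sign(self, ids: str, hashtype: str) -> str:
        """Signing steps 2-6: the item keeps only the public key and the
        signature; the private exponent is not written into the list."""
        sig = rsa_sign(subtree_digest(self.root, ids, hashtype), D, N)
        self.siglist[ids] = {"key_type": "RSA", "hashtype": hashtype, "pub": (E, N),
                             "signature": base64.b64encode(sig).decode()}
        return f"hSign{len(self.siglist)}"

    def verify(self, ids: str) -> bool:
        """Verifying steps 2-4: look up the entry, recompute, compare."""
        item = self.siglist.get(ids)
        if item is None:
            return False                    # no table entry for this id string
        digest = subtree_digest(self.root, ids, item["hashtype"])
        e, n = item["pub"]
        return rsa_verify(digest, base64.b64decode(item["signature"]), e, n)


def string_result(ret_xml: str) -> str:
    return ET.fromstring(ret_xml).find("stringVal").get("val")


def bool_result(ret_xml: str) -> bool:
    return ET.fromstring(ret_xml).find("boolVal").get("val") == "true"
```

The key of the signature list is the normalised id string, which is why the verify instruction must name exactly the set of sub-trees that was signed: verifying "page1" alone after signing "page1, page2" finds no table entry and fails, as step 2 of 5.2.2 describes.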


6 Communication Channel (Optional)

Communication between the Docbase and the application requires a secure transmission channel. All data exchanged during communication should be transmitted as ciphertext in order to guarantee its security; the SSL protocol is recommended for authentication and encrypted data transmission between the application and the Docbase.


Attachment A

<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
           xmlns:uoml="urn:oasis:names:tc:uoml:xmlns:uoml:1.0"
           targetNamespace="urn:oasis:names:tc:uoml:xmlns:uoml:1.0">
  <!-- The xs:schema root is assumed; the attachment itself lists only the
       declarations below. The types uoml:METALIST, uoml:COMPOUND, uoml:QUERY,
       uoml:BOOLEAN, uoml:INT, uoml:DOUBLE, uoml:DATE, uoml:TIME, uoml:DATETIME,
       uoml:DURATION, uoml:STRING and uoml:BINARY are defined outside this
       attachment. -->
  <xs:complexType name="ROLE">
    <xs:sequence minOccurs="0">
      <xs:element name="metainfo" type="uoml:METALIST"/>
    </xs:sequence>
    <xs:attribute name="id" type="xs:string" use="optional"/>
    <xs:attribute name="cert_type" type="xs:string" use="required"/>
    <xs:attribute name="certificate" type="xs:base64Binary" use="required"/>
  </xs:complexType>
  <xs:complexType name="ROLELIST"/>
  <xs:complexType name="ACL">
    <xs:attribute name="object_id" type="xs:string" use="required"/>
  </xs:complexType>
  <xs:complexType name="ACLENTRY">
    <xs:attribute name="role_id" type="xs:string" use="required"/>
    <xs:attribute name="allow" type="xs:string" use="required"/>
    <xs:attribute name="forbid" type="xs:string" use="required"/>
    <xs:attribute name="start" type="xs:dateTime" use="optional"/>
    <xs:attribute name="end" type="xs:dateTime" use="optional"/>
    <xs:attribute name="repeat" type="xs:unsignedInt" use="optional"/>
    <xs:attribute name="dev_type" type="xs:string" use="optional"/>
    <xs:attribute name="device" type="xs:string" use="optional"/>
  </xs:complexType>
  <xs:complexType name="ACLLIST"/>
  <xs:complexType name="SIGN">
    <xs:attribute name="object_id" type="xs:string" use="required"/>
  </xs:complexType>
  <xs:complexType name="SIGNENTRY">
    <xs:sequence minOccurs="0">
      <xs:element name="metainfo" type="uoml:METALIST"/>
    </xs:sequence>
    <xs:attribute name="filter" type="xs:string" use="required"/>
    <xs:attribute name="cert_type" type="xs:string" use="required"/>
    <xs:attribute name="certificate" type="xs:base64Binary" use="required"/>
    <xs:attribute name="signature" type="xs:base64Binary" use="optional"/>
    <xs:attribute name="object_id_ref" type="xs:string" use="optional"/>
  </xs:complexType>
  <xs:complexType name="SIGNLIST"/>
  <xs:element name="INSERT">
    <xs:complexType>
      <xs:sequence>
        <xs:element name="xobj" type="uoml:COMPOUND"/>
      </xs:sequence>
      <xs:attribute name="handle" type="xs:string" use="optional"/>
      <xs:attribute name="pos" type="xs:int" use="optional"/>
    </xs:complexType>
  </xs:element>
  <xs:element name="SYSTEM">
    <xs:complexType>
      <xs:choice>
        <xs:element name="flush">
          <xs:complexType>
            <xs:attribute name="handle" type="xs:string" use="optional"/>
            <xs:attribute name="path" type="xs:string" use="optional"/>
          </xs:complexType>
        </xs:element>
        <xs:element name="login_get_challenge">
          <xs:complexType>
            <xs:attribute name="handle" type="xs:string" use="optional"/>
          </xs:complexType>
        </xs:element>
        <xs:element name="login">
          <xs:complexType>
            <xs:attribute name="handle" type="xs:string" use="optional"/>
            <xs:attribute name="role_id" type="xs:string" use="required"/>
            <xs:attribute name="encryptval" type="xs:base64Binary" use="required"/>
          </xs:complexType>
        </xs:element>
        <xs:element name="logout">
          <xs:complexType>
            <xs:attribute name="handle" type="xs:string" use="optional"/>
            <xs:attribute name="role_id" type="xs:string" use="required"/>
          </xs:complexType>
        </xs:element>
        <xs:element name="sign">
          <xs:complexType>
            <xs:attribute name="handle" type="xs:string" use="optional"/>
            <xs:attribute name="filter" type="xs:string" use="required"/>
            <xs:attribute name="handle_ref" type="xs:string" use="optional"/>
          </xs:complexType>
        </xs:element>
        <xs:element name="verify">
          <xs:complexType>
            <xs:attribute name="handle" type="xs:string"/>
          </xs:complexType>
        </xs:element>
        <xs:element name="use_plugins">
          <xs:complexType>
            <xs:attribute name="handle" type="xs:string" use="optional"/>
            <xs:attribute name="plugins" type="xs:string" use="required"/>
          </xs:complexType>
        </xs:element>
        <xs:element name="query" type="uoml:QUERY"/>
      </xs:choice>
    </xs:complexType>
  </xs:element>
  <xs:element name="RET">
    <xs:complexType>
      <xs:choice maxOccurs="unbounded">
        <xs:element name="boolVal" type="uoml:BOOLEAN"/>
        <xs:element name="intVal" type="uoml:INT"/>
        <xs:element name="floatVal" type="uoml:DOUBLE"/>
        <xs:element name="dateVal" type="uoml:DATE"/>
        <xs:element name="timeVal" type="uoml:TIME"/>
        <xs:element name="dateTimeVal" type="uoml:DATETIME"/>
        <xs:element name="durationVal" type="uoml:DURATION"/>
        <xs:element name="stringVal" type="uoml:STRING"/>
        <xs:element name="binaryVal" type="uoml:BINARY"/>
        <xs:element name="compoundVal" type="uoml:COMPOUND"/>
      </xs:choice>
    </xs:complexType>
  </xs:element>
</xs:schema>