Inproceedings,
Partial Encryption of RDF Graphs
M. Giereth.The Semantic Web — ISWC2005, Heidelberg, Springer-Verlag, (2005)
Abstract
In this paper a method for Partial RDF Encryption (PRE) is
proposed in which sensitive data in an RDF-graph is encrypted for a set
of recipients while all non-sensitive data remain publicly readable. The
result is an RDF-compliant self-describing graph containing encrypted
data, encryption metadata, and plaintext data. For the representation
of encrypted data and encryption metadata, the XML-Encryption and
XML-Signature recommendations are used. The proposed method allows
for fine-grained encryption of arbitrary subjects, predicates, objects and
subgraphs of an RDF-graph. An XML vocabulary for specifying encryption
policies is introduced.
- BibTeX key
- giereth_partial_2005
- entry type
- inproceedings
- address
- Heidelberg
- booktitle
- The Semantic Web — ISWC2005
- year
- 2005
- publisher
- Springer-Verlag
- comment
- A different approach from Jeremy's. Whereas Jeremy tries to define a canonical serialization of a Graph (and take it from there with the usual encryption techniques), this one concentrates on a moreRDF-like and granular approach. Let us suppose we know how to encode a URI value or a literal. We can then exchange any URI value or a literal by an XML Literal (using theXML-enc structures). Doing that, we can take an RDF graph, a specific subject, say, encode it and transform the graph so that the original subject is replaced by a blank node with an extra property pointing at the XML Literal containing the encoding of the original subject. The same type of tricks can be done with objects or predicates (using reification for the latter). The nice thing is that you get an RDF graph as a result, nothing different, with parts of the information encoded. Giereth adds some extra predicates in a separate namespace to make this possible and off it goes! The blank node problem is solved by UUID to give a unique URI (via a URN) to a blank node, encode that one and put that back in the graph (it is slightly more complex than that, but that is the idea). The problem is that this will not work for signature: the same graphs’ blank nodes will be UUID encoded differently in time and machine (the UUID algo uses time, machine’s mach address, things like that...). However… maybe combining Jeremy’s algo with this might work. After all, what Jeremy’s algo does is to give a unique and reproducible naming of all blank nodes for a specific RDF graph. If that is combined with the naming of a graph (again Jeremy’s point) than you get a naming scheme for the blank nodes that are (I think) o.k. even via merging. Then this could be used signing a specific node, or all the nodes. (Hm… this may not be very efficient. What would one sign anyway? A set of nodes or predicates? Not sure…) 2007-07-06: the encoding relies on XML. What it does is to serialize, say, a set of triples in some format, and encrypts that. I wonder whether this could be avoided by somehow encrypting the literals and uri-s directly... Also, the data structures are stored as bit XML pieces (and then as XML Literals). I wonder why not store that in RDF, too?
Tags
Users
Comments and Reviewsshow / hide
Cite this publication
More citation styles
- please select -%0 Conference Paper
%1 giereth_partial_2005
%A Giereth, Mark
%B The Semantic Web — ISWC2005
%C Heidelberg
%D 2005
%I Springer-Verlag
%K RDF security semantic_web
%T Partial Encryption of RDF Graphs
%X In this paper a method for Partial RDF Encryption (PRE) is
proposed in which sensitive data in an RDF-graph is encrypted for a set
of recipients while all non-sensitive data remain publicly readable. The
result is an RDF-compliant self-describing graph containing encrypted
data, encryption metadata, and plaintext data. For the representation
of encrypted data and encryption metadata, the XML-Encryption and
XML-Signature recommendations are used. The proposed method allows
for fine-grained encryption of arbitrary subjects, predicates, objects and
subgraphs of an RDF-graph. An XML vocabulary for specifying encryption
policies is introduced.
@inproceedings{giereth_partial_2005,
abstract = {In this paper a method for Partial {RDF} Encryption {(PRE)} is
proposed in which sensitive data in an {RDF-graph} is encrypted for a set
of recipients while all non-sensitive data remain publicly readable. The
result is an {RDF-compliant} self-describing graph containing encrypted
data, encryption metadata, and plaintext data. For the representation
of encrypted data and encryption metadata, the {XML-Encryption} and
{XML-Signature} recommendations are used. The proposed method allows
for fine-grained encryption of arbitrary subjects, predicates, objects and
subgraphs of an {RDF-graph.} An {XML} vocabulary for specifying encryption
policies is introduced.},
added-at = {2009-02-19T16:36:30.000+0100},
address = {Heidelberg},
author = {Giereth, Mark},
biburl = {https://www.bibsonomy.org/bibtex/2148b382cd0b5e2419caa9ca496a42288/ivan},
booktitle = {The Semantic Web — {ISWC2005}},
comment = {A different approach from Jeremy's. Whereas Jeremy tries to define a canonical serialization of a Graph (and take it from there with the usual encryption techniques), this one concentrates on a {moreRDF-like} and granular approach. Let us suppose we know how to encode a {URI} value or a literal. We can then exchange any {URI} value or a literal by an {XML} Literal (using {theXML-enc} structures). Doing that, we can take an {RDF} graph, a specific subject, say, encode it and transform the graph so that the original subject is replaced by a blank node with an extra property pointing at the {XML} Literal containing the encoding of the original subject. The same type of tricks can be done with objects or predicates (using reification for the latter). The nice thing is that you get an {RDF} graph as a result, nothing different, with parts of the information encoded. Giereth adds some extra predicates in a separate namespace to make this possible and off it goes!
The blank node problem is solved by {UUID} to give a unique {URI} (via a {URN)} to a blank node, encode that one and put that back in the graph (it is slightly more complex than that, but that is the idea).
The problem is that this will not work for signature: the same graphs’ blank nodes will be {UUID} encoded differently in time and machine (the {UUID} algo uses time, machine’s mach address, things like that...).
However… maybe combining Jeremy’s algo with this might work. After all, what Jeremy’s algo does is to give a unique and reproducible naming of all blank nodes for a specific {RDF} graph. If that is combined with the naming of a graph (again Jeremy’s point) than you get a naming scheme for the blank nodes that are {(I} think) o.k. even via merging. Then this could be used signing a specific node, or all the nodes. {(Hm…} this may not be very efficient. What would one sign anyway? A set of nodes or predicates? Not sure…)
2007-07-06: the encoding relies on {XML.} What it does is to serialize, say, a set of triples in some format, and encrypts that. I wonder whether this could be avoided by somehow encrypting the literals and uri-s directly... Also, the data structures are stored as bit {XML} pieces (and then as {XML} Literals). I wonder why not store that in {RDF,} too?},
interhash = {26786c2702bb09a473494d9258714e68},
intrahash = {148b382cd0b5e2419caa9ca496a42288},
keywords = {RDF security semantic_web},
publisher = {{Springer-Verlag}},
timestamp = {2009-02-19T16:36:30.000+0100},
title = {Partial Encryption of {RDF} Graphs},
year = 2005
}