UOML (Unstructured Operation Markup Language) Part 2 Version 1.0
UOML (Unstructured Operation Markup Language) Part 2 Version 1.0
Part 2: Layout-based document security specification
Table of Contents
1. Instruction 1
1.1. Terminology 1
1.2. Normative References 1
1.3. Non-Normative References 2
2. Documents Structure Related Security 2
3. Identity Authentication 2
3.1UOML Objects About Identity Authentication 2
3.1.1 Role List 2
3.1.2 Role 3
3.2 Process Of Identity Authentication 4
3.3 UOML Instruction About Identity Authentication 5
3.3.1 Insert Role Object 6
3.3.2 Get Challenge Value 8
3.3.3 Login Docbase 9
3.3.4 Logout Docbase 10
4 Access Control 11
4.1 UOML Objects 11
4.1.1 Access Control List 11
4.1.2 Access Control Table Entry 12
4.1.3 Access Control Item 12
4.2 UOML Instructions 14
5 Digital Signature 15
5.1 UOML Objects 15
5.1.1 Digital Signature List 15
5.1.2 Digital Signature Table Entry 16
5.1.3 Digital Signature Item 16
5.2 Digital Signature Process 18
5.2.1 Signature Process 18
5.2.2 Verifying Signing Process 19
5.3 UOML Instructions 20
5.3.1 Sub-tree Signature 20
5.3.2 Verify The Signature Object 21
Attachment A 24
1. Instruction
This is the 2nd part of UOML, the security control of layout-based document, described identity authentication, access control and digital signature, such contents related to security.
This standard has a closely connection with the 1st part of UOML—the operation standard of layout-based document, and through the instruction of this part, the related contents of security has been added into Docbase.
1.1. Terminology
Access Control Entry: The authority of target role access to target object in Docbase
Access Control List: The access authority list of multi-roles to objects in Docbase.
Access Control Table Entry: The authority of multi-roles access target object in Docbase.
Digital Signature List: The digital signature list of multi-sub-tree in Docbase.
Identity Authentication: A process to identify the role in Docbase.
Role List: A list of all roles in Docbase.
Role: Roles in Docbase.
Signature Verification: Verify the digital signature of sub-tree and back with result.
1.2. Normative References
We quote the clause from following documents as the clause of our standard. The revision of all dated referenced standard are not fitted with this standard. However, we encourage the parties which reach an agreement decide whether use the latest revision. The latest revision are fitted this standard as long as the documents were not dated.
GB/T 18793-2002 / Information Technology Extensible Markup Language (XML)1.0(neq W3C RFC-xml-19980210:1998)W3C / XML namespace(xml-names)
XML Schema Definition Language(XSDL)1.1 Part1: Structure
XML Schema Definition Language (XSDL)1.1 Part2:Data type
X.509
1.3. Non-Normative References
2. Documents Structure Related Security
3. Identity Authentication
Identity authentication defines the roles that have authority to access Docbase. Only these permitted roles can log-in Docbase, then performs access control and digital signature according to their authority.
3.1UOML Objects About Identity Authentication
n Role List
n Role
3.1.1 Role List
The Docbase has multi-roles, and each role can control the object in the Docbase.
Role ListSemantic / List of all roles in Docbase.
Property / N/A.
Sub-element / N/A.
Parent-object / Docbase.
Sub-object / Role.
3.1.2 Role
The role in Docbase:
RoleSemantic / The role in Docbase
Property / id / The only identification of role in Docbase, it is optional. The Docbase builds the id property based on the role certificate(HASH value of role certificate).
cert_type / Type of certificate, default value is X.509.
certificate / Digital certificate of role(base64), it is optional. The login password is generated when the role creates password for login.
Sub-element / meta list.
Parent-object / role list.
Sub-object / meta list / Relevant information of the role, for example, create time, creator and so on. All the information are used by the application program.
About role in Docbase:
1. There is a default role when a new Docbase was generated, and the default role has full authority. If there isn’t any other role in the Docbase, the default role can login without program intervention. Using the default role, The application can add any kind of new roles in Docbase such as administrator role, reading-only role. The application can also set the new role’s authority for access the Docbase.
2. It is the application itself to decide how to use the new role. The default role can be deleted by administrator role, which has full authority to Docbase.
3. If a role has the authority to add new role, this kind of role can create a new role in Docbase.
4. When the Docbase administrator is deleted, the other roles can not delete any role in Docbase, except the role has the authority of role-deleted or document-decryption.
5. Only the role with document-decryption authority can convert documents from secure state to non-secure state. All the roles will be deleted and the default role will be created when the Docbase was decrypted.
6. The process of creating, modifying and deleting the role: the application opens the Docbase and get the role list handle, create role, call UOML instruction to insert role, DCMS assigns an id for the role. if the application didn’t assign a certificate to the role, create an assigned-type certificate for the role, if the application did, use the certificate and insert it to role list, back to the login credential and role handle that corresponded with the role that coded by base64, than you can create a role. Login with this role, you can modify the role in Docbase according to the authority you have. You can authorized to role only by your own authority. Roles can be added or delete if the operator has the authority. when a role is deleted, the item of itself in access control table should be delete at the same time.
7. Currently, Docbase supports two styles to log-in, one is password and the other is X.509 certificate. The algorithm of password log-in is DES encryption algorithm and X.509 certificate is universal RSA algorithm.
3.2 Process Of Identity Authentication
The process of identity authentication through UOML shows below:
.
Including:
1. When the application opens Docbase successfully and gets the Docbase handle, sends an instruction called ”get the challenge value”, and then DCMS returns the challenge value to application.
2. Challenge value is a random string created by DCMS, the application encrypts the challenge value by using role certificate maintained by application itself, and takes this value as parameter to send “login Docbase” instruction to DCMS. DCMS decrypts the challenge value to plaintext by using the role's password or public key, and verifies the plaintext with challenge value. if the two data are consistent, login process is successful, if not, failed.
3. The application completes the access to the Docbase via a specified role, can send “logout” instruction to DCMS, then DCMS performs logout process.
4. The application closes Docbase.
3.3 UOML Instruction About Identity Authentication
Include:
n Insert Role Object
n Get Challenge Value
n Login Docbase
n Logout Docbase
3.3.1 Insert Role Object
Call Instruction:
Return Instruction:
Properties about insert role object as follows:
Insert a role objectFunction / Insert a role object into the role list.
Property / handle / The handle of the RoleList.
Ret / stringVal / The role handle returned by DCMD.
binaryVal / Login certificate data(base64).
For example:
Instructions sent from application to DCMS as follows:<uoml:INSERT xmlns:uoml="urn:oasis:names:tc:uoml:xmlns:uoml:1.0" handle="hRoleList" pos=”-1”
<xobj>
<role id="UOML admin" cert_type=”PASSWORD” certificate=”admin_password”>
<metainfo>
<meta key="cert_type" val="PASSWORD"/>
</metainfo>
</role
</xobj>
</uoml:INSERT>
Instructions returned from DCMS to application as follows:
<uoml:RET xmlns:uoml="urn:oasis:names:tc:uoml:xmlns:uoml:1.0">
<stringVal name="handle" val="role"/>
</uoml:RET>
3.3.2 Get Challenge Value
Call Instruction:
Return Instruction:
Properties about get challenge value as follows:
Get Challenge ValueFunction / Get the challenge value is generated by the Docbase.
Properties / handle / The handle of the Docbase.
Ret / binaryVal / Challenge value(base 64) is returned by DCMS.
For example:
Instructions sent from application to DCMS as follows:<uoml:SYSTEM xmlns:uoml="urn:oasis:names:tc:uoml:xmlns:uoml:1.0">
<login_get_challenge handle="docbase"/>
</uoml:SYSTEM>
Instructions returned from DCMS to application as follows:
<uoml:RET xmlns:uoml="urn:oasis:names:tc:uoml:xmlns:uoml:1.0">
< binaryVal name="Challenge" val="password"/>
</uoml:RET>
3.3.3 Login Docbase
The system encrypts the challenge value for created role, and takes this value as password to login Docbase.
Call instruction:
Returned instruction:
The following table lists its complete definition:
Login DocbaseFunction / Login the Docbase in a specified role.
Properties / handle / A handle to Docbase.
role_id / The only identity of a role in Docbase.
encryptval / A challenge value that is encrypted by using a role certificate.
Ret / boolVal / true: login successful;false: login failed.
For example:
Instructions sent from application to DCMS as follows:<uoml:SYSTEM xmlns:uoml="urn:oasis:names:tc:uoml:xmlns:uoml:1.0">
<login handle="docbase" role_id=”admin” encryptval=”password” />
</uoml:SYSTEM>
Instructions returned from DCMS to application as follows:
<uoml:RET xmlns:uoml="urn:oasis:names:tc:uoml:xmlns:uoml:1.0">
<boolVal name="SUCCESS" val="true"/>
</uoml:RET>
3.3.4 Logout Docbase
Call instruction:
Returned instruction:
The following table lists its complete definition:
Logout DocbaseFunction / Logout the Docbase as a specified role.
Properties / handle / The handle of the Docbase.
role_id / The only identity of a role in the Docbase.
Ret / boolVal / true: Logout successful;false: Logout failed.
For example:
Instructions sent from application to DCMS as follows:<uoml:SYSTEM xmlns:uoml="urn:oasis:names:tc:uoml:xmlns:uoml:1.0">
<logout handle="docbase" role_id=”admin”/>
</uoml:SYSTEM>
Instructions returned from DCMS to application as follows:
<uoml:RET xmlns:uoml="urn:oasis:names:tc:uoml:xmlns:uoml:1.0">
<boolVal name="SUCCESS" val="true"/>
</uoml:RET>
4 Access Control
4.1 UOML Objects
UOML objects about the Access Control List:
n Access Control List
n Access Control Table Entry
n Access Control Item
4.1.1 Access Control List
This object defines access control information to Docbase, and stores the information under Docbase object.
The following table lists its complete definition:
Access Control ListSemantics / the right of multi-roles access to multi-objects in the Docbase.
Property / N/A.
Sub-element / N/A.
Parent-object / Docbase.
Sub-object / Access control table entry.
4.1.2 Access Control Table Entry
Each access control table entry includes the access right that every role owns for a specific object. Currently, the specific object includes Docbase, doc, page and layer. That means the authority of the contents under layer can not be controlled.
The following table lists its complete definition:
Access Control Table EntrySemantics / The right of multi-roles access to specific objects(Docbase, doc, page, layer)in the Docbase.
Properties / object_id / The only identification of the accessed objects in Docbase.
Sub-element / N/A.
Parent-object / Access Control List.
Sub-object / Access Control Item.
4.1.3 Access Control Item
Access control item is under the access control table entry, it defines an access authority that a role owns for the object.
The following table lists its complete definition:
Access Control ItemSemantics / The right of the specific role access to the specific object in the Docbase.
Properties / role_id / The only identification of the role in the Docbase.
allow / Allow right (Multiple character strings separated by commas).
forbid / Forbidden right (Multiple character strings separated by commas).
start / The start time for the access right. If this property is not existent, it means that there is no start time limit. The right will not work before this time.
end / The end time for the access right. If this property is not existent, it means that there is no end time limit. The right will not work after this time.
repeat / The repeat times for the access right from the start time to the end time. If this property is not existent, it means that there is no time limit.
dev_type / The type of device which bonded to the right.
device / The identification of device which bond to the right. If this property is nt existent, it means that the right is not bonded to any devices.
Sub-element / N/A.
Parent-object / Access Control Table Entry.
Sub-object / N/A.
The properties of access control item, such as start, end, repeat, dev type, devices are the extended attribute of the manufacturer. DCMS only takes charge for saving and loading, not to explain the authority.
The access authority to sub-object in document can be inherited from the parent-object.
Among them, right strings that used by allow and forbid are as follows:
Category / Right Strings / RightsGrant and revoke rights / PRIV_GRANT / A role can grant its rights to other roles.
PRIV_REVOKE / Revoke others’ rights granted by owner.
Universal rights / OBJ_TITLE / View the object title(Only Doc object and its parent-object that have the title).
OBJ_ADD / Add object.
OBJ_DEL / Delete object.
OBJ_GET / Get the object’s content.
OBJ_SET / Set the object’s content.
Doc
rights / DOC_READ / Read the document(that is, get the bitmap of the age).
DOC_ABSTRACT / Extract the document content.
DOC_RPM / To decrypt the managed document.
Role
rights / ROLE_ADD / Add role.
ROLE_DEL / Delete role.
ROLE_UPD_KEY / Update role certificate.
In addition to the default right that has defined above, users can increase the rights according to the requirement, the key word of the rights should be started by USR_. The Docbase saves the definitions of rights that defined by users, and the application explains the specific meaning.
4.2 UOML Instructions
UOML can achieve the access control without adding new instructions, UOML-I can completely satisfy the access control needs by the basic instructions.
For example:
Instructions sent from application to DCMS as follows:<uoml:INSERT xmlns:uoml="urn:oasis:names:tc:uoml:xmlns:uoml:1.0" handle="hACLList" pos=”-1”
<xobj>
<acl object_id="Page0"
</acl
</xobj>
</uoml:INSERT>
Instructions returned from DCMS to application as follows:
<uoml:RET xmlns:uoml="urn:oasis:names:tc:uoml:xmlns:uoml:1.0">
<stringVal name="handle" val="acl"/>
</uoml:RET>
<uoml:INSERT xmlns:uoml="urn:oasis:names:tc:uoml:xmlns:uoml:1.0" handle="hACL" pos=”-1”
<xobj>
<acl entry rold_id="role1" allow=” OBJ_SET_PROP,OBJ_GET_SUB,OBJ_GET_PROP”>
</acl>
</xobj>
</uoml:INSERT>
Instructions returned from DCMS to application as follows:
<uoml:RET xmlns:uoml="urn:oasis:names:tc:uoml:xmlns:uoml:1.0">
<stringVal name="handle" val="aclentry"/>
</uoml:RET>
5 Digital Signature
5.1 UOML Objects
UOML objects about digital signature: