Secure and Selective Dissemination of XML Documents ELISA BERTINO University of Milano and ELENA FERRARI University of Insubria XML (eXtensible Markup Language) has emerged as a prevalent standard for document represen- tation and exchange on the Web. It is often the case that XML documents contain information of different sensitivity degrees that must be selectively shared by (possibly large) user communities. There is thus the need for models and mechanisms enabling the specification and enforcement of access control policies for XML documents. Mechanisms are also required enabling a secure and se- lective dissemination of documents to users, according to the authorizations that these users have. In this article, we make several contributions to the problem of secure and selective dissemination of XML documents. First, we define a formal model of access control policies for XML documents. Policies that can be defined in our model take into account both user profiles, and document contents and structures. We also propose an approach, based on an extension of the Cryptolope TM approach [Gladney and Lotspiech 1997], which essentially allows one to send the same document to all users, and yet to enforce the stated access control policies. Our approach consists of encrypting different portions of the same document according to different encryption keys, and selectively distributing these keys to the various users according to the access control policies. We show that the number of encryption keys that have to be generated under our approach is minimal and we present an architecture to support document distribution. Categories and Subject Descriptors: D.4.6 [Operating Systems]: Security and Protection— access controls; H.2.7 [Database Management]: Database Administration—security, integrity, and protection General Terms: Security Additional Key Words and Phrases: Access control, secure distribution, XML This work was partially supported by a grant from Microsoft Research. Authors’ addresses: E. Bertino, Dipartimento di Scienze dell’Informazione, University of Milano, Via Comelico 39/41, 20135 Milano, Italy, email: bertino@dsi.unimi.it; E. Ferrari, Dipartimento di Scienze Chimiche, Fisiche e Matematiche, University of Insubria, Como, Via Valleggio, 11, 22100 Como, Italy; email: elena.ferrari@uninsubria.it. Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or direct commercial advantage and that copies show this notice on the first page or initial screen of a dispaly along with the full citation. Copyrights for components of this worked owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, to republish, to post on servers, to redistribute to lists, or to use any component of this work in other works requires prior specific permission and/or a fee. Permissions may be requested from Publications Dept., ACM, Inc., 1515 Broadway, New York, NY 10036 USA, fax +1 (212) 869-0481, or permissions@acm.org. C  2002 ACM 1094-9224/02/0800–0290 $5.00 ACM Transactions on Information and System Security, Vol. 5, No. 3, August 2002, Pages 290–331.