Existing algorithms for signing graph data typically do not cover the whole signing process. In addition, they lack distinctive features such as signing graph data at different levels of granularity, iterative signing of graph data, and signing multiple graphs. In this paper, we introduce a novel framework for signing arbitrary graph data provided, e g., as RDF(S), Named Graphs, or OWL. We conduct an extensive theoretical and empirical analysis of the runtime and space complexity of different framework configurations. The experiments are performed on synthetic and real-world graph data of different size and different number of blank nodes. We investigate security issues, present a trust model, and discuss practical considerations for using our signing framework. We released a Java-based open source implementation of our software framework for iterative signing of arbitrary graph data provided, e. g., as RDF(S), Named Graphs, or OWL. The software framework is based on a formalization of different graph signing functions and supports different configurations. It is available in source code as well as pre-compiled as .jar-file. The graph signing framework exhibits the following unique features: - Signing graphs on different levels of granularity - Signing multiple graphs at once - Iterative signing of graph data for provenance tracking - Independence of the used language for encoding the graph (i. e., the signature does not break when changing the graph representation) The documentation of the software framework and its source code is available from: http://icp.it-risk.iwvi.uni-koblenz.de/wiki/Software_Framework_for_Signing_Graph_Data

1. A Framework for Iterative Signing of
Graph Data on the Web
May 27, 2014
Andreas Kasten, andreas.kasten@uni-koblenz.de1
Ansgar Scherp, asc@informatik.uni-kiel.de2
Peter Schauß, schauss@uni-koblenz.de1
1 University of Koblenz-Landau, Koblenz, Germany
2 Kiel University and Leibniz Information Centre for Economics, Kiel, Germany

2. ◦ ◦ ◦ ◦ ◦
Outline
Motivation
Signing and Verification Process
Signing Framework
Configurations
Conclusion
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 2 / 21

3. • ◦ ◦ ◦ ◦
Outline
Motivation
Signing and Verification Process
Signing Framework
Configurations
Conclusion
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 3 / 21

4. • ◦ ◦ ◦ ◦
Use Case: Signing Medical Data
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 4 / 21

5. • ◦ ◦ ◦ ◦
Use Case: Signing Medical Data
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 4 / 21

6. • ◦ ◦ ◦ ◦
Use Case: Signing Medical Data
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 4 / 21

7. • ◦ ◦ ◦ ◦
Use Case: Signing Medical Data
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 4 / 21

8. • ◦ ◦ ◦ ◦
Use Case: Signing Medical Data
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 4 / 21

9. • ◦ ◦ ◦ ◦
Use Case: Signing Medical Data
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 4 / 21

10. • ◦ ◦ ◦ ◦
Use Case: Signing Medical Data
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 4 / 21

11. • ◦ ◦ ◦ ◦
Use Case: Signing Medical Data
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 4 / 21

12. • ◦ ◦ ◦ ◦
Use Case: Signing Medical Data
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 4 / 21

13. • ◦ ◦ ◦ ◦
Use Case: Signing Medical Data
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 4 / 21

14. • ◦ ◦ ◦ ◦
Use Case: Signing Medical Data
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 4 / 21

15. • ◦ ◦ ◦ ◦
Use Case: Signing Medical Data
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 4 / 21

16. • ◦ ◦ ◦ ◦
Use Case: Signing Medical Data
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 4 / 21

17. • ◦ ◦ ◦ ◦
Use Case: Signing Medical Data
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 4 / 21

18. • ◦ ◦ ◦ ◦
Use Case: Signing Medical Data
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 4 / 21

19. • ◦ ◦ ◦ ◦
Use Case: Signing Medical Data
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 4 / 21

20. • ◦ ◦ ◦ ◦
Use Case: Signing Medical Data
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 4 / 21

21. • ◦ ◦ ◦ ◦
Use Case: Signing Medical Data
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 4 / 21

22. • ◦ ◦ ◦ ◦
Use Case: Signing Medical Data
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 4 / 21

23. • ◦ ◦ ◦ ◦
Use Case: Signing Medical Data
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 4 / 21

24. • ◦ ◦ ◦ ◦
Use Case: Signing Medical Data
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 4 / 21

25. • ◦ ◦ ◦ ◦
Use Case: Signing Medical Data
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 4 / 21

26. • ◦ ◦ ◦ ◦
Use Case: Signing Medical Data
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 4 / 21

27. • ◦ ◦ ◦ ◦
Use Case: Signing Medical Data
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 4 / 21

28. • ◦ ◦ ◦ ◦
Use Case: Signing Medical Data
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 4 / 21

29. • ◦ ◦ ◦ ◦
Use Case: Signing Medical Data
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 4 / 21

30. • ◦ ◦ ◦ ◦
Use Case: Signing Medical Data
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 4 / 21

31. • ◦ ◦ ◦ ◦
Use Case: Signing Medical Data
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 4 / 21

32. • ◦ ◦ ◦ ◦
Use Case: Signing Medical Data
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 4 / 21

33. • ◦ ◦ ◦ ◦
Use Case: Signing Medical Data
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 4 / 21

34. • ◦ ◦ ◦ ◦
Use Case: Signing Medical Data
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 4 / 21

35. • ◦ ◦ ◦ ◦
Use Case: Signing Medical Data
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 4 / 21

36. • ◦ ◦ ◦ ◦
Use Case: Signing Medical Data
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 4 / 21

37. • ◦ ◦ ◦ ◦
Use Case: Signing Medical Data
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 4 / 21

38. • ◦ ◦ ◦ ◦
Use Case: Signing Medical Data
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 4 / 21

39. • ◦ ◦ ◦ ◦
Use Case: Signing Medical Data
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 4 / 21

40. • ◦ ◦ ◦ ◦
Use Case: Signing Medical Data
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 4 / 21

41. • ◦ ◦ ◦ ◦
Use Case: Signing Medical Data
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 4 / 21

42. • ◦ ◦ ◦ ◦
Use Case: Signing Medical Data
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 4 / 21

43. • ◦ ◦ ◦ ◦
Use Case: Signing Medical Data
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 4 / 21

44. • ◦ ◦ ◦ ◦
Use Case: Signing Medical Data
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 4 / 21

45. • ◦ ◦ ◦ ◦
Use Case: Signing Medical Data
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 4 / 21

46. ◦ • ◦ ◦ ◦
Outline
Motivation
Signing and Verification Process
Signing Framework
Configurations
Conclusion
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 5 / 21

47. ◦ • ◦ ◦ ◦
Signing a Graph: Security Requirements
• authenticity
• integrity
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 6 / 21

48. ◦ • ◦ ◦ ◦
Signing a Graph: Security Requirements
• authenticity
• integrity
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 6 / 21

49. ◦ • ◦ ◦ ◦
Signing a Graph: Security Requirements
• authenticity
• integrity
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 6 / 21

50. ◦ • ◦ ◦ ◦
Signing a Graph: Data
input graph + private key
output graph signature
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 7 / 21

51. ◦ • ◦ ◦ ◦
Signing a Graph: Process
AssemblyStep 5
CanonicalizationStep 1
SerializationStep 2
HashStep 3
SignatureStep 4
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 8 / 21

52. ◦ • ◦ ◦ ◦
Signing a Graph: Process
AssemblyStep 5
CanonicalizationStep 1
SerializationStep 2
HashStep 3
SignatureStep 4
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 8 / 21

53. ◦ • ◦ ◦ ◦
Signing a Graph: Process
Graph signing
AssemblyStep 5
CanonicalizationStep 1
SerializationStep 2
HashStep 3
SignatureStep 4
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 8 / 21

54. ◦ • ◦ ◦ ◦
Signing a Graph: Process
AssemblyStep 5
CanonicalizationStep 1
SerializationStep 2
HashStep 3
SignatureStep 4
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 9 / 21

55. ◦ • ◦ ◦ ◦
Signing a Graph: Process
AssemblyStep 5
SerializationStep 2
HashStep 3
SignatureStep 4
CanonicalizationStep 1
• normalize the graph
• rename blank nodes
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 9 / 21

56. ◦ • ◦ ◦ ◦
Signing a Graph: Process
AssemblyStep 5
SerializationStep 2
HashStep 3
SignatureStep 4
CanonicalizationStep 1
_:a ex:hasName "Jay" .
_:a ex:hasChild _:b .
_:b ex:hasName "Bob" .
_:g1 ex:hasChild _:g2 .
_:g2 ex:hasName "Bob" .
_:g1 ex:hasName "Jay" .
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 9 / 21

57. ◦ • ◦ ◦ ◦
Signing a Graph: Process
AssemblyStep 5
CanonicalizationStep 1
HashStep 3
SignatureStep 4
SerializationStep 2
• transform graph into serial form
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 9 / 21

58. ◦ • ◦ ◦ ◦
Signing a Graph: Process
AssemblyStep 5
CanonicalizationStep 1
SerializationStep 2
SignatureStep 4
HashStep 3
• compute hash value of serial form
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 9 / 21

59. ◦ • ◦ ◦ ◦
Signing a Graph: Process
AssemblyStep 5
CanonicalizationStep 1
SerializationStep 2
HashStep 3
SignatureStep 4
• sign hash value
• use private key
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 9 / 21

60. ◦ • ◦ ◦ ◦
Signing a Graph: Process
CanonicalizationStep 1
SerializationStep 2
HashStep 3
SignatureStep 4
AssemblyStep 5
• add signature to graph
• add metadata to graph
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 9 / 21

61. ◦ • ◦ ◦ ◦
Verifying a Signature: Data
input signed graph + public key
output yes or no
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 10 / 21

62. ◦ • ◦ ◦ ◦
Verifying a Signature: Process
ExtractionStep 1
CanonicalizationStep 2
SerializationStep 3
HashStep 4
VerificationStep 5
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 11 / 21

63. ◦ • ◦ ◦ ◦
Verifying a Signature: Process
VerificationStep 5
ExtractionStep 1
identical to
signing process
CanonicalizationStep 2
SerializationStep 3
HashStep 4
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 11 / 21

64. ◦ ◦ • ◦ ◦
Outline
Motivation
Signing and Verification Process
Signing Framework
Configurations
Conclusion
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 12 / 21

65. ◦ ◦ • ◦ ◦
Signing Framework: Characteristics
• formally specifies signing process
• supports different configurations
• implementation-independent
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 13 / 21

66. ◦ ◦ • ◦ ◦
Signing Framework: Features
• signing of named graphs
• signing of distributed graphs
• iterative signing
• signature is encoding-independent
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 14 / 21

67. ◦ ◦ • ◦ ◦
Signing Framework: Formalization
• defines input & output of each step
• guideline for new algorithms
canonicalize κ : G → ˆG, κ(G) := ˆG
serialize ν : G → 2{0,1}∗
, ν(G) := G
hash λ : {0, 1}∗
→ {0, 1}d
, λ(b) := h
: 2{0,1}d
→ {0, 1}d
, ({h1, . . . , ho}) := h
λG : 2{0,1}∗
→ {0, 1}d
, λ(G) := ({λ(b1), . . . , λ(bo)})
sign : K× {0, 1}d
→ {0, 1}d
, (k, b) := s
assemble ς : K× 2G → G,
ς(k, {G1, . . . , Gm}) := (aS , S, {G1, . . . , Gm})
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 15 / 21

68. ◦ ◦ ◦ • ◦
Outline
Motivation
Signing and Verification Process
Signing Framework
Configurations
Conclusion
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 16 / 21

69. ◦ ◦ ◦ • ◦
Configurations: Overview
Configuration Approach
Carroll [Car03]
Tummarello et al. [TMPP05]
Fisteus et al. [FGFK10]
Sayers & Karp [SK04]
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 17 / 21

70. ◦ ◦ ◦ • ◦
Configurations: Overview
Configuration Approach
Carroll [Car03] sort all statements
rename blank nodes
add statements for difficult blank nodes
Tummarello et al. [TMPP05]
Fisteus et al. [FGFK10]
Sayers & Karp [SK04]
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 17 / 21

71. ◦ ◦ ◦ • ◦
Configurations: Overview
Configuration Approach
Carroll [Car03] sort all statements
rename blank nodes
add statements for difficult blank nodes
Tummarello et al. [TMPP05] sign sub-graphs separately
Fisteus et al. [FGFK10]
Sayers & Karp [SK04]
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 17 / 21

72. ◦ ◦ ◦ • ◦
Configurations: Overview
Configuration Approach
Carroll [Car03] sort all statements
rename blank nodes
add statements for difficult blank nodes
Tummarello et al. [TMPP05] sign sub-graphs separately
Fisteus et al. [FGFK10] sort all statements based on hash value
rename blank nodes
Sayers & Karp [SK04]
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 17 / 21

73. ◦ ◦ ◦ • ◦
Configurations: Overview
Configuration Approach
Carroll [Car03] sort all statements
rename blank nodes
add statements for difficult blank nodes
Tummarello et al. [TMPP05] sign sub-graphs separately
Fisteus et al. [FGFK10] sort all statements based on hash value
rename blank nodes
Sayers & Karp [SK04] add statements for all blank nodes
compute hash incrementally
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 17 / 21

74. ◦ ◦ ◦ • ◦
Configurations: Theoretical Analysis
Configuration Runtime Space Signature Overhead
Carroll [Car03] O(n log n) O(n) bh + metadata
Tummarello et al. [TMPP05] O(n log n) O(n) bh + r metadata
Fisteus et al. [FGFK10] O(n log n) O(n) metadata
Sayers & Karp [SK04] O(n) O(n) b + metadata
n number of triples
b number of blank nodes
bh ≤ b number of difficult blank nodes
r ≤ n number of sub-graphs
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 18 / 21

75. ◦ ◦ ◦ ◦ •
Outline
Motivation
Signing and Verification Process
Signing Framework
Configurations
Conclusion
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 19 / 21

76. ◦ ◦ ◦ ◦ •
Best-Practice Guidelines
• use Sayers & Karp for graphs with few blank nodes
• use Carroll for graphs with many blank nodes
• only use Tummarello et al. with fast signing functions
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 20 / 21

77. Get the Java R
API from
https://github.com/akasten/signingframework

78. ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦
Appendix Outline I
Iteratively Signing Graph Data
Reasoning on Signed Data
XML Signature Syntax
Java R
Implementation
Signature Verification
Complete Formalization
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 1 / 80

79. ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦
Appendix Outline II
Blank Nodes & Canonicalization Functions
Tummarello et al.
Security
Semantic Web Layer Stack
Provenance Tracking
Evaluation
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 2 / 80

80. ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦
Appendix Outline III
References
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 3 / 80

81. • ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦
Iteratively Signing Graph Data
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 4 / 80

82. • ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦
Iteratively Signing Graph Data
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 5 / 80

83. • ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦
Iteratively Signing Graph Data
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 5 / 80

84. • ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦
Iteratively Signing Graph Data
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 5 / 80

85. • ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦
Iteratively Signing Graph Data
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 5 / 80

86. • ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦
Iteratively Signing Graph Data
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 5 / 80

87. ◦ • ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦
Reasoning on Signed Data
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 6 / 80

88. ◦ • ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦
Signed Data
• signature covers original data
• any modification will invalidate the signature
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 7 / 80

89. ◦ • ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦
Inferred Data
• inferred data is additional data
• inferred data modifies original data
• inferred data invalidates signature
. . . if stored in the same graph
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 8 / 80

90. ◦ • ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦
Solution
• store signed data separately from inferred data
• sign inferred data again if desired
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 9 / 80

91. ◦ ◦ • ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦
XML Signature Syntax
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 10 / 80

92. ◦ ◦ • ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦
XML Signature Syntax: Goals [BBF+
08]
• support signatures for any digital content
• define signing process
• define verification process
• specify signature format
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 11 / 80

93. ◦ ◦ • ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦
XML Signature Syntax: Syntax [BBF+
08]
<Signature ID?>
<SignedInfo>
<CanonicalizationMethod/>
<SignatureMethod/>
(<Reference URI? >
(<Transforms>)?
<DigestMethod>
<DigestValue>
</Reference>)+
</SignedInfo>
<SignatureValue>
(<KeyInfo>)?
(<Object ID?>)*
</Signature>
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 12 / 80

94. ◦ ◦ • ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦
XML Signature Syntax: Signing RDF?
• signing RDF is possible
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 13 / 80

95. ◦ ◦ • ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦
XML Signature Syntax: Signing RDF?
• signing RDF is possible
• signature will only cover specific serialization
• signature can only be verified having this serialization
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 13 / 80

96. ◦ ◦ • ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦
XML Signature Syntax: Signing RDF?
• signing RDF is possible
• signature will only cover specific serialization
• signature can only be verified having this serialization
• signature becomes fragile
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 13 / 80

97. ◦ ◦ • ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦
XML Signature Syntax: Example
<rdf:RDF ...>
<ex:Person rdf:about="http://www.example.com#Shakespeare">
<ex:diedIn>1616</ex:diedIn>
<ex:wrote rdf:resource="http://www.example.com#Hamlet" />
<ex:hasFriend rdf:nodeID="a" />
</ex:Person>
<rdf:Description rdf:nodeID="a">
<ex:hasAge>42</ex:hasAge>
</rdf:Description>
</rdf:RDF>
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 14 / 80

98. ◦ ◦ • ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦
XML Signature Syntax: Example
<rdf:RDF ...>
<rdf:Description rdf:nodeID="a">
<ex:hasAge>42</ex:hasAge>
</rdf:Description>
<ex:Person rdf:about="http://www.example.com#Shakespeare">
<ex:diedIn>1616</ex:diedIn>
<ex:wrote rdf:resource="http://www.example.com#Hamlet" />
<ex:hasFriend rdf:nodeID="a" />
</ex:Person>
</rdf:RDF>
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 14 / 80

99. ◦ ◦ • ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦
XML Signature Syntax: Example
<rdf:RDF ...>
<rdf:Description rdf:nodeID="a">
<ex:hasAge>42</ex:hasAge>
</rdf:Description>
<ex:Person rdf:about="http://www.example.com#Shakespeare">
<ex:hasFriend rdf:nodeID="a" />
<ex:wrote rdf:resource="http://www.example.com#Hamlet" />
<ex:diedIn>1616</ex:diedIn>
</ex:Person>
</rdf:RDF>
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 14 / 80

100. ◦ ◦ ◦ • ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦
Java R
Implementation
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 15 / 80

101. ◦ ◦ ◦ • ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦
Java R
Implementation
• proof-of-concept
• contains 4 configurations
• foundation for evaluation
• usable as API or stand-alone application
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 16 / 80

102. ◦ ◦ ◦ ◦ • ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦
Signature Verification
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 17 / 80

103. ◦ ◦ ◦ ◦ • ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦
Verifying a Signature: Data
input signed graph + public key
output yes or no
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 18 / 80

104. ◦ ◦ ◦ ◦ • ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦
Verifying a Signature: Process
1. extract
2. canonicalize
3. serialize
4. hash
5. verify
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 19 / 80

105. ◦ ◦ ◦ ◦ • ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦
Verifying a Signature: Process
1. extract
2. canonicalize
3. serialize
4. hash
5. verify
• extract signature value
• extract metadata
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 19 / 80

106. ◦ ◦ ◦ ◦ • ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦
Verifying a Signature: Process
1. extract
2. canonicalize
3. serialize
4. hash
5. verify
• re-create signature value
• compare with hash value
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 19 / 80

107. ◦ ◦ ◦ ◦ ◦ • ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦
Complete Formalization
Graphs and Named Graphs
Graph Signing Function
Canonicalization Function
Serialization Function
Hash Function for Graphs
Signature Function
Assembly Function
Signature Verification Function
Verification Function
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 20 / 80

108. ◦ ◦ ◦ ◦ ◦ • ◦ ◦ ◦ ◦ ◦ ◦ ◦ • ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦
Graphs and Named Graphs
set of triples T = (R∪ B) × P× (R∪ B∪ L)
graph G
set of graphs G = 2T
named graph NG = (a, A, {C1, C2, . . . , Cl })
set of named graphs GN = ((R∪ B) × G× 2GN ) ∪ {(ε, ∅, G)}
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 21 / 80

109. ◦ ◦ ◦ ◦ ◦ • ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ • ◦ ◦ ◦ ◦ ◦ ◦ ◦
Graph Signing Function
σN : Ks × 2GN
→ {0, 1}d
σN(ks, {NG1, . . . , NGm}) := s
σN(ks, {NG1, . . . , NGm}) := (ks, λ(νN(κN(NG1))·. . .·νN(κN(NGm))))
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 22 / 80

110. ◦ ◦ ◦ ◦ ◦ • ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ • ◦ ◦ ◦ ◦ ◦ ◦
Canonicalization Function
κ : G → ˆG
κ(G) := ˆG
κN : GN → ˆGN
κN(NG) := ˆNG
κN(NG) :=
(ε, (∅, ∅), ˆG) if NG = (ε, (∅, ∅), G), G ∈ G
(a, ˆA, { ˆC1, . . . , ˆCl }) if NG = (a, A, {C1, . . . , Cl })
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 23 / 80

111. ◦ ◦ ◦ ◦ ◦ • ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ • ◦ ◦ ◦ ◦ ◦
Serialization Function
ν : G → 2{0,1}∗
, ν(G) := G
νN : GN → 2{0,1}∗
νN(NG) := NG
νN(NG) :=
G if NG = (ε, (∅, ∅), G), G ∈ G
{a} ∪ A ∪ C1 ∪ . . . ∪ Cl if NG = (a, A, {C1, . . . , Cl })
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 24 / 80

112. ◦ ◦ ◦ ◦ ◦ • ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ • ◦ ◦ ◦ ◦
Hash Function for Graphs
λ : {0, 1}∗
→ {0, 1}d
λ(b) := h
: 2{0,1}d
→ {0, 1}d
({h1, h2, . . . , ho}) := hN
λN : 2{0,1}∗
→ {0, 1}d
λN(NG) := hN = ({λ(b1), λ(b2), . . . , λ(bo)})
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 25 / 80

113. ◦ ◦ ◦ ◦ ◦ • ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ • ◦ ◦ ◦
Signature Function
: Ks × {0, 1}d
→ {0, 1}d
(ks, b) := s
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 26 / 80

114. ◦ ◦ ◦ ◦ ◦ • ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ • ◦ ◦
Assembly Function
ςN : Ks × 2GN
→ GN
ςN(ks, {NG1, . . . , NGm}) := (aS , S, {NG1, . . . , NGm})
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 27 / 80

115. ◦ ◦ ◦ ◦ ◦ • ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ • ◦
Signature Verification Function
δ : Kp × {0, 1}d
→ {0, 1}d
δ(kp, s) := b
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 28 / 80

116. ◦ ◦ ◦ ◦ ◦ • ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ •
Verification Function
h := λN(νN(κN(NG1)) ∪ . . . ∪ νN(κN(NGm)))
γN : Kp × 2GN
× {0, 1}∗
→ {TRUE, FALSE}
γN(kp, {NG1, . . . , NGm}, s) :=
TRUE if δ(kp, s) = h
FALSE otherwise
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 29 / 80

117. ◦ ◦ ◦ ◦ ◦ ◦ • ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦
Blank Nodes & Canonicalization Functions
Blank Nodes
Canonicalization Functions
Example Canonicalization
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 30 / 80

118. ◦ ◦ ◦ ◦ ◦ ◦ • ◦ ◦ ◦ ◦ ◦ ◦ • ◦ ◦
Blank Nodes: Problem
• local IDs may change
• local IDs influence graph’s hash value
• local IDs influence graph’s signature
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 31 / 80

119. ◦ ◦ ◦ ◦ ◦ ◦ • ◦ ◦ ◦ ◦ ◦ ◦ • ◦ ◦
Blank Nodes: Example
_:a foaf:name "A" .
_:a foaf:knows _:b .
_:b foaf:name "B" .
_:d foaf:name "A" .
_:d foaf:knows _:c .
_:c foaf:name "B" .
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 32 / 80

120. ◦ ◦ ◦ ◦ ◦ ◦ • ◦ ◦ ◦ ◦ ◦ ◦ • ◦ ◦
Blank Nodes: Solution
• deterministically rename blank nodes
• apply canonicalization function
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 33 / 80

121. ◦ ◦ ◦ ◦ ◦ ◦ • ◦ ◦ ◦ ◦ ◦ ◦ ◦ • ◦
Stability of Canonicalization Functions
• canonicalization normalizes graphs by renaming blank nodes
• canonicalization functions operate deterministically
• sorting statements not necessary for canonicalization
may be part of serialization function or hash functions
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 34 / 80

122. ◦ ◦ ◦ ◦ ◦ ◦ • ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ •
Example Scenario: Using a Triple Store
1. sign RDF/XML document
2. load RDF/XML document into triple store
3. rename blank nodes in triple store
4. change order of statements in triple store
5. write data in triple store to RDF/XML document
6. verify signature?
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 35 / 80

123. ◦ ◦ ◦ ◦ ◦ ◦ • ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ •
Example Scenario: Signing Process
• signing requires canonicalization
• canonicalization renames blank node IDs
may use sorting the statements
• statement ordering irrelevant for canonicalization
if relevant for hash value, hash function will cover it
• canonicalization is deterministical
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 36 / 80

124. ◦ ◦ ◦ ◦ ◦ ◦ • ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ •
Example Scenario: Verification Process
• verification performs canonicalization
• result is identical to first canonicalization
• following hash value is also identical
• signature can be verified
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 37 / 80

125. ◦ ◦ ◦ ◦ ◦ ◦ ◦ • ◦ ◦ ◦ ◦ ◦
Tummarello et al.
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 38 / 80

126. ◦ ◦ ◦ ◦ ◦ ◦ ◦ • ◦ ◦ ◦ ◦ ◦
Disadvantages
• high signature overhead
• high runtime
• iterative signing (natively) not supported
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 39 / 80

127. ◦ ◦ ◦ ◦ ◦ ◦ ◦ • ◦ ◦ ◦ ◦ ◦
Signing a Graph: Original Graph
ex:Fred foaf:knows _:a .
_:a foaf:age "42" .
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 40 / 80

128. ◦ ◦ ◦ ◦ ◦ ◦ ◦ • ◦ ◦ ◦ ◦ ◦
Signing a Graph: 1. Signature Graph
_:b rdf:type rdf:Statement .
_:b rdf:subject ex:Fred .
_:b rdf:predicate foaf:knows .
_:b rdf:predicate _:a .
_:b dbin:PGPCertificate http://public.dbin.org/cont/238785872.asc .
_:b dbin:Base64SigValue "McwOPX...A7xcB5w==" .
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 41 / 80

129. ◦ ◦ ◦ ◦ ◦ ◦ ◦ • ◦ ◦ ◦ ◦ ◦
Signing a Graph: Attaching the 1. Signature
ex:Fred foaf:knows _:a .
_:a foaf:age "42" .
_:b rdf:type rdf:Statement .
_:b rdf:subject ex:Fred .
_:b rdf:predicate foaf:knows .
_:b rdf:predicate _:a .
_:b dbin:PGPCertificate http://public.dbin.org/cont/238785872.asc .
_:b dbin:Base64SigValue "McwOPX...A7xcB5w==" .
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 42 / 80

130. ◦ ◦ ◦ ◦ ◦ ◦ ◦ • ◦ ◦ ◦ ◦ ◦
Signing a Graph: 2. Signature Graph
_:c rdf:type rdf:Statement .
_:c rdf:subject ex:Fred .
_:c rdf:predicate foaf:knows .
_:c rdf:predicate _:a .
_:c dbin:PGPCertificate http://public.dbin.org/cont/4565543215.asc .
_:c dbin:Base64SigValue "MAhiuad...HUAash==" .
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 43 / 80

131. ◦ ◦ ◦ ◦ ◦ ◦ ◦ • ◦ ◦ ◦ ◦ ◦
Signing a Graph: Attaching the 2. Signature
ex:Fred foaf:knows _:a .
_:a foaf:age "42" .
_:b rdf:type rdf:Statement .
_:b rdf:subject ex:Fred .
_:b rdf:predicate foaf:knows .
_:b rdf:predicate _:a .
_:b dbin:PGPCertificate http://public.dbin.org/cont/238785872.asc .
_:b dbin:Base64SigValue "McwOPX...A7xcB5w==" .
_:c rdf:type rdf:Statement .
_:c rdf:subject ex:Fred .
_:c rdf:predicate foaf:knows .
_:c rdf:predicate _:a .
_:c dbin:PGPCertificate http://public.dbin.org/cont/4565543215.asc .
_:c dbin:Base64SigValue "MAhiuad...HUAash==" .
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 44 / 80

132. ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ • ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦
Security
Security Requirements
Security Analysis
Key Management
Trust Model
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 45 / 80

133. ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ • ◦ ◦ ◦ ◦ • ◦ ◦ ◦
Security Requirements
• authenticity
• integrity
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 46 / 80

134. ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ • ◦ ◦ ◦ ◦ • ◦ ◦ ◦
Security Requirements
• authenticity
• integrity
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 46 / 80

135. ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ • ◦ ◦ ◦ ◦ • ◦ ◦ ◦
Security Requirements
• authenticity
• integrity
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 46 / 80

136. ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ • ◦ ◦ ◦ ◦ ◦ • ◦ ◦
Security Analysis: Attacker Model
• remove existing statements
• insert additional statements
• replace existing statements with different statements
• modify statements in the graph
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 47 / 80

137. ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ • ◦ ◦ ◦ ◦ ◦ • ◦ ◦
Security Analysis: Basic Idea
• analyze all cryptographic operations
basic hash function λ
combining function
signature function
• analyze all configurations
break down all steps into atomic operations
distinguish between cryptographic and non-cryptographic
operations
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 48 / 80

138. ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ • ◦ ◦ ◦ ◦ ◦ ◦ • ◦
Key Management: Goal
• protects a key pair. . .
. . . from being compromised
. . . from being misused by unauthorized parties
• ensures that. . .
. . . a signature key is only known to its owner
. . . a verification key can be related to the owner of the key pair
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 49 / 80

139. ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ • ◦ ◦ ◦ ◦ ◦ ◦ • ◦
Key Management: Tasks
• secure creation of keys
• secure storing of keys
• secure destroying of old keys
• revoking compromised keys
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 50 / 80

140. ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ • ◦ ◦ ◦ ◦ ◦ ◦ ◦ •
Trust Model: Goal
• defines trustworthy management of public keys
• certificate authorities (CAs) sign public key certificates
• trustworthiness of public keys depend on trustworthiness of CAs
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 51 / 80

141. ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ • ◦ ◦ ◦ ◦ ◦ ◦ ◦ •
Trust Model: Models
• X.509 [CSF+08]
hierarchical model
few trusted & pre-configured root CAs
• PGP [Zim95]
decentrally organized (web of trust)
all participants are both end users and CAs
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 52 / 80

142. ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ • ◦ ◦ ◦
Semantic Web Layer Stack
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 53 / 80

143. ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ • ◦ ◦ ◦
Semantic Web Layer Stack
User Interface & Applications
Trust
Proof
Crypto
Unifying Logic
Ontology: OWL
RDF-S
RDF
XML
URI/IRI
Rule:
RIF
SPARQL
[Bra07]
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 54 / 80

144. ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ • ◦ ◦ ◦
Semantic Web Layer Stack
User Interface & Applications
Trust
Proof
Crypto
Unifying Logic
Ontology: OWL
RDF-S
RDF
XML
URI/IRI
Rule:
RIF
SPARQL
[Bra07]
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 54 / 80

145. ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ • ◦ ◦ ◦
Semantic Web Layer Stack
User Interface & Applications
Trust
Proof
Crypto
Unifying Logic
Ontology: OWL
RDF-S
RDF
XML
URI/IRI
Rule:
RIF
SPARQL
[Bra07]
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 54 / 80

146. ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ • ◦ ◦
Provenance Tracking
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 55 / 80

147. ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ • ◦ ◦
Goals of Provenance Tracking
• document creation of (digital) objects
• document modification of (digital) objects
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 56 / 80

148. ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ • ◦ ◦
W3C PROV: Goal [GM13]
define a format for provenance tracking covering
• involved agents
• involved documents (entities)
• involved activities
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 57 / 80

149. ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ • ◦ ◦
W3C PROV: Types of Provenance [GM13]
agent-centered parties creating and/or modifying the data
object-centered origins of data and its parts
process-centered actions and/or steps producing the data
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 58 / 80

150. ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ • ◦ ◦
W3C PROV: Signatures?
PROV − Signatures
• assertions can be forged
• assertions can be
manipulated
PROV + Signatures
• assertions are authentic
• assertions are integer
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 59 / 80

151. ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ • ◦
Evaluation
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 60 / 80

152. ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ • ◦
Input and Output
Variables
• different configurations
• 10K–250K statements
• 0%–50% blank nodes
Measured Values
• runtime
• memory usage
• signature overhead
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 61 / 80

153. ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ • ◦
Setup
RAM 100 GB
CPU 2.00 GHz Intel R
Xeon R
OS Debian 7
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 62 / 80

154. Runtime of Canonicalization Function
105 106 2.5 · 106
100
101
102
103
no. of statements
runtime(ms)
Carroll Tummarello et al. Fisteus et al. Sayers & Karp

155. Memory Usage of Canonicalization Function
105 106 2.5 · 106
10−3
10−1
101
103
no. of statements
memory(mb)
Carroll Tummarello et al. Fisteus et al. Sayers & Karp

156. Runtime of Hash Function
105 106 2.5 · 106
102
103
no. of statements
runtime(ms)
Carroll Tummarello et al. Fisteus et al. Sayers & Karp

157. Memory Usage of Hash Function
105 106 2.5 · 106
102
103
no. of statements
memory(mb)
Carroll Tummarello et al. Fisteus et al. Sayers & Karp

158. Runtime of Carroll
105 106 2.5 · 106
101
102
103
104
107
no. of statements
runtime(ms)
Canonicalization Hash Sign Assembly

159. Runtime of Tummarello et al.
105 106 2.5 · 106
101
102
103
104
107
no. of statements
runtime(ms)
Canonicalization Split Hash Sign Assembly

160. Runtime of Fisteus et al.
105 106 2.5 · 106
102
103
104
107
no. of statements
runtime(ms)
Canonicalization Hash Sign Assembly

161. Runtime of Sayers & Karp
105 106 2.5 · 106
101
102
103
104
107
no. of statements
runtime(ms)
Canonicalization Hash Sign Assembly

162. Overall Runtime (Fixed Blank Node Percentage)
105 106 2.5 · 106
102
103
104
105
106
no. of statements
runtime(ms)
Carroll Tummarello et al. Fisteus et al. Sayers & Karp

163. Overall Memory Usage (Fixed Blank Node Percentage)
105 106 2.5 · 106
102
103
104
no. of statements
memory(mb)
Carroll Tummarello et al. Fisteus et al. Sayers & Karp

164. Overall Runtime (Varying Blank Node Percentage)
105 106 2.5 · 106
104
105
106
no. of statements
runtime(ms)
Carroll Tummarello et al. Fisteus et al. Sayers & Karp

165. Overall Memory Usage (Varying Blank Node Percentage)
105 106 2.5 · 106
103
104
105
no. of statements
memory(mb)
Carroll Tummarello et al. Fisteus et al. Sayers & Karp

166. Overall Signature Overhead (Varying Blank Node
Percentage)
105 106 2.5 · 106
101
103
105
107
% of blank nodes in graph
overhead(triples)
Carroll Tummarello et al. Fisteus et al. Sayers & Karp

167. ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ •
References
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 76 / 80

168. ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ •
References I
Mark Bartel, John Boyer, Barb Fox, Brian LaMacchia, and
Ed Simon.
XML signature syntax and processing.
W3C recommendation, W3C, 2008.
http://www.w3.org/TR/xmldsig-core/.
Steve Bratt.
Semantic web, and other technologies to watch, 2007.
www.w3.org/2007/Talks/0130-sb-W3CTechSemWeb/.
Jeremy J. Carroll.
Signing RDF graphs.
In ISWC 2003, pages 369–384. Springer, 2003.
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 77 / 80

169. ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ •
References II
David Cooper, Stefan Santesson, Stephen Farrell, Sharon Boeyen,
Russell Housley, and Tim Polk.
Internet X.509 public key infrastructure.
RFC 5280, IETF, 05 2008.
Jesus Arias Fisteus, Norberto Fern´andez Garc´ıa, Luis S´anchez
Fern´andez, and Carlos Delgado Kloos.
Hashing and canonicalizing Notation 3 graphs.
JCSS, 76(7):663–685, 2010.
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 78 / 80

170. ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ •
References III
Yolanda Gil and Simon Miles.
Prov model primer.
Working group note, W3C, 04 2013.
http:
//www.w3.org/TR/2013/NOTE-prov-primer-20130430/.
Craig Sayers and Alan H. Karp.
Computing the digest of an RDF graph.
Technical report, HP Laboratories, 2004.
Giovanni Tummarello, Christian Morbidoni, Paolo Puliti, and
Francesco Piazza.
Signing individual fragments of an RDF graph.
In WWW, pages 1020–1021. ACM, 2005.
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 79 / 80

171. ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ •
References IV
Philip R Zimmermann.
The official PGP user’s guide.
MIT press, 1995.
A. Kasten et al. – A Framework for Iterative Signing of Graph Data on the Web 80 / 80