Title: Security in a Provenance System by Victor Tan (vhkt_at_ecs.soton.ac.uk)
1 Security in a Provenance System by Victor Tan
(vhkt_at_ecs.soton.ac.uk)
2 Overview of Today's Talks
- Provenance Data Structures
- Recording and Querying Provenance
- Break (30 minutes)
- Distribution and Scalability
- Security
- Methodology
3 Security: where does it fit in?
- All data-processing activities in industrial environments will incorporate security concerns
- Recording and querying are the two main activities in the provenance system for which a security architecture needs to be developed
- Scalability and distribution require further extensions to a basic security architecture
4 Primary security issues
- Integrity and non-repudiation of p-assertions
- Federated security
- Access control to provenance store
- Delegation of identity / access control
5 Integrity and non-repudiation of p-assertions
- A p-assertion is the subjective view of an actor
- Need to establish accountability for the creation of an assertion (non-repudiation)
- Ensure that p-assertions are not altered after being created (integrity)
- Both properties are directly implemented by signing p-assertions
6 Signed actor state p-assertion
7 Signed relationship p-assertion
8 Signed interaction p-assertion
9 Federated security
- Provenance stores can be distributed for scalability reasons
- Stores may be located in different security domains
- Federation of identity may be required for actors in a given domain to interact securely with stores in separate domains
10 Provenance Store Distribution (diagram: three provenance stores, labelled PS)
11 Federated security / Single sign-on: approach 1 (diagram: provenance store in security domain 1, provenance store in security domain 2)
12 Federated security / Single sign-on: approach 2 (diagram: provenance store in security domain 1, provenance store in security domain 2)
13 Access control to provenance store
- Mutual authentication between actors and the provenance store
- Secured communication link (encryption, signatures)
- Appropriate authorisation scheme expressed in a suitable authorisation policy language
22 Remote security domain
23 Security architecture of application
24 Delegation of identity / access control
- Various components interact with each other in the logical architecture during a workflow run
- A component may need to be authenticated or authorised to perform an action or access a resource on behalf of another component
- This requires delegation of identity / access control
26 Hospital Actors (diagram: User Interface, Donor Data Collector, Brain Death Manager)
27 Delegation of identity / access control (diagram: provenance store)
28 Secondary security issues
- Checking asserter identity
- Documentation style: signing, anonymous, encryption and referenced digest
- Integrity of referenced data
- Setting authorisation statements for p-assertions
29 Checking asserter identity
- Context
  - Different types of roles: asserting actor, recording actor, querying actor
  - The asserting actor creates a p-assertion; the recording actor submits the p-assertion to the store
  - The asserting actor signs p-assertions
  - The asserting actor may or may not have the same identity as the recording actor
30 Checking asserter identity
- The asserter identity is given in the view of a p-structure
- This should match the identity on the verified signature of the associated p-assertions
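The signing of slide 5 and the asserter identity check of slide 30, as an added example that is not part of the talk or of the PASOA software. Lamport one-time signatures over SHA-256 are swapped in for the certificate-based signing the slides assume (so it runs on the Python standard library alone), the `registry` dict stands in for certificate verification, and the actor names and p-assertion content are constructed.

```python
import hashlib, json, os

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

# Lamport one-time signatures built from SHA-256 only, so the example runs on the
# standard library; they stand in for the certificate-based signing the slides
# assume, and each key pair may sign exactly one p-assertion.
def keygen():
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    return sk, [(sha256(a), sha256(b)) for a, b in sk]

def _bits(msg: bytes):
    h = sha256(msg)
    return [(h[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, msg: bytes):
    return [sk[i][bit] for i, bit in enumerate(_bits(msg))]

def verify(pk, msg: bytes, sig) -> bool:
    return len(sig) == 256 and all(
        sha256(sig[i]) == pk[i][bit] for i, bit in enumerate(_bits(msg)))

def canonical(content: dict) -> bytes:
    # Stable serialisation so signer and verifier hash identical bytes
    return json.dumps(content, sort_keys=True, separators=(",", ":")).encode()

def signed_passertion(asserter: str, content: dict, sk) -> dict:
    # The asserting actor names itself and signs the content (slide 5)
    return {"asserter": asserter, "content": content, "sig": sign(sk, canonical(content))}

def check_asserter(pa: dict, view_asserter: str, registry: dict) -> bool:
    # registry: asserter identity -> public key (stand-in for a verified certificate).
    # Accept only if the signature verifies under the claimed asserter's key AND that
    # identity equals the asserter named in the p-structure view (slide 30).
    pk = registry.get(pa["asserter"])
    if pk is None or not verify(pk, canonical(pa["content"]), pa["sig"]):
        return False
    return pa["asserter"] == view_asserter

def demo():
    # Constructed scenario; returns (genuine, content tampered, view names another actor)
    sk, pk = keygen()
    registry = {"DonorDataCollector": pk}
    content = {"interaction": "requestRecord", "patient": "PID1"}
    pa = signed_passertion("DonorDataCollector", content, sk)
    tampered = dict(pa, content=dict(content, patient="PID2"))
    return (check_asserter(pa, "DonorDataCollector", registry),
            check_asserter(tampered, "DonorDataCollector", registry),
            check_asserter(pa, "RecordingActor", registry))
```

The recording actor's identity never enters the check: a store that authenticated the submitter alone would have no evidence of who actually made the assertion.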
31 P-structure view
32 Signed actor state p-assertion
33 Documentation style
- In the simplest case, creating a p-assertion from the original message exchanged involves copying the message content verbatim
- Creating a p-assertion from the original message can also involve transforming the contents of the original message for various reasons
34 Documentation style: security-relevant transformations
- Encryption
  - Uses a key (secret/public) to encrypt the parts of the message that become the content of the created p-assertion
  - Querying actors with access to the secret / private key can retrieve the p-assertion and decrypt the encrypted portion
- Anonymous
  - Some parts of the message are replaced by anonymous identifiers
  - Particularly relevant in environments where privacy is critical (e.g. patientID in hospital records)
35 Interaction in the Organ Transplant Process (diagram: the Donor Data Collector requests the healthcare record for patient PID1 from the Electronic Healthcare Management System)
36 Request Message Contents
  <soap:envelope>
    <soap:header></soap:header>
    <soap:body>
      <echrs:request>
        <echrs:patient>PID1</echrs:patient>
      </echrs:request>
    </soap:body>
  </soap:envelope>
37 Documentation style: Anonymous
  <ps:interactionPAssertion>
    <ps:localPAssertionId>1</ps:localPAssertionId>
    <ps:documentationStyle>
      http://www.pasoa.org/.../stylesAnonymisedPatient
    </ps:documentationStyle>
    <ps:content>
      <soap:envelope>
        <soap:header></soap:header>
        <soap:body>
          <echrs:request>
            <echrs:anonymisedPatient>x78df2</echrs:anonymisedPatient>
          </echrs:request>
        </soap:body>
      </soap:envelope>
    </ps:content>
  </ps:interactionPAssertion>
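The anonymous documentation style of slides 34 to 37 as an added example, not code from the talk or from PASOA. The namespace URIs, the request message and the key are constructed (the slides give only the prefixes soap, echrs and ps), and the pseudonym is a keyed HMAC so that the same patient maps to the same identifier across p-assertions without the patientID being recoverable from the store.

```python
import hashlib, hmac
import xml.etree.ElementTree as ET

# Namespace URIs are assumptions: the slides show only the prefixes soap, echrs and ps
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
ECHRS = "urn:example:echrs"
PS = "urn:example:ps"
STYLE = "http://www.pasoa.org/.../stylesAnonymisedPatient"  # elided in the slides
for prefix, uri in (("soap", SOAP), ("echrs", ECHRS), ("ps", PS)):
    ET.register_namespace(prefix, uri)

# Constructed request message, mirroring the slide "Request Message Contents"
REQUEST = f"""<soap:envelope xmlns:soap="{SOAP}" xmlns:echrs="{ECHRS}">
  <soap:header></soap:header>
  <soap:body><echrs:request><echrs:patient>PID1</echrs:patient></echrs:request></soap:body>
</soap:envelope>"""

def pseudonym(patient_id: str, key: bytes) -> str:
    # Keyed pseudonym: the same patient always maps to the same identifier, so
    # queries can still correlate a patient's interactions, but the real ID cannot
    # be recovered, or confirmed by hashing candidate IDs, without the key
    return hmac.new(key, patient_id.encode(), hashlib.sha256).hexdigest()[:12]

def anonymised_passertion(message: str, local_id: str, key: bytes) -> str:
    # Apply the AnonymisedPatient documentation style: replace each echrs:patient
    # element by echrs:anonymisedPatient and wrap the result in a p-assertion
    env = ET.fromstring(message)
    for patient in env.iter(f"{{{ECHRS}}}patient"):
        patient.tag = f"{{{ECHRS}}}anonymisedPatient"
        patient.text = pseudonym(patient.text.strip(), key)
    pa = ET.Element(f"{{{PS}}}interactionPAssertion")
    ET.SubElement(pa, f"{{{PS}}}localPAssertionId").text = local_id
    ET.SubElement(pa, f"{{{PS}}}documentationStyle").text = STYLE
    ET.SubElement(pa, f"{{{PS}}}content").append(env)
    return ET.tostring(pa, encoding="unicode")

def raw_patient_ids(doc: str) -> list:
    # Check before recording: no un-anonymised echrs:patient element may remain
    return [e.text for e in ET.fromstring(doc).iter(f"{{{ECHRS}}}patient")]
```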
38 Documentation style: security-relevant transformations
- Signing
  - An asserting actor may receive proxy certificates from other actors
  - The keys in these proxy certificates can be used by the asserting actor to sign parts of the contents of a p-assertion
  - These signatures can be used to indicate that the signed parts were associated with a delegated operation
39 Delegation of identity / access control (diagram: provenance store)
40 Signing with proxy certs (diagram: Presentation UI 1, p-assertion contents, Presentation UI 2, Provenance store, Presentation UI 3)
41 Documentation style: security-relevant transformations
- Referenced digest
  - P-assertions may contain references to data rather than the actual data
  - To ensure that the data the reference is eventually resolved to is the original data, a digest of the original data is included along with the reference in the p-assertion
42 External References cont.
  <soap:envelope>
    <soap:header></soap:header>
    <soap:body>
      <echrs:store>
        <echrs:patientRecord>
          <pid>1</pid>
          <xray>j8ladfhaufjalkdjkfaslalkfdjaljfafjaljajfdlja adfhaldfjhaslfjdasldfjaslfj.</xray>
        </echrs:patientRecord>
      </echrs:store>
    </soap:body>
  </soap:envelope>
43 Styled Reference P-Assertion
  <ps:interactionPAssertion>
    <ps:localPAssertionId>1</ps:localPAssertionId>
    <ps:documentationStyle>
      http://www.pasoa.org/.../stylesReference
    </ps:documentationStyle>
    <ps:content>
      <soap:envelope>
        <soap:header></soap:header>
        <soap:body>
          <echrs:store>
            <echrs:ref>http://DataRepository/LPR1</echrs:ref>
          </echrs:store>
        </soap:body>
      </soap:envelope>
    </ps:content>
  </ps:interactionPAssertion>
44 Styled Reference P-Assertion with digest
  <ps:interactionPAssertion>
    <ps:localPAssertionId>1</ps:localPAssertionId>
    <ps:documentationStyle>
      http://www.pasoa.org/.../stylesReference
    </ps:documentationStyle>
    <ps:content>
      <soap:envelope>
        <soap:header></soap:header>
        <soap:body>
          <echrs:store>
            <echrs:ref>http://DataRepository/LPR1</echrs:ref>
            <echrs:digestValue>df4e5ee88tg345</echrs:digestValue>
          </echrs:store>
        </soap:body>
      </soap:envelope>
    </ps:content>
  </ps:interactionPAssertion>
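The referenced-digest style of slides 41 to 44, recording side and querying side, as an added example that is not code from the talk or from PASOA. The echrs namespace URI, the choice of SHA-256 and the in-memory `REPOSITORY` standing in for the data repository behind the echrs:ref are all constructed assumptions.

```python
import hashlib, hmac
import xml.etree.ElementTree as ET

ECHRS = "urn:example:echrs"  # assumed namespace URI; the slides show only the prefix
ET.register_namespace("echrs", ECHRS)

# Constructed stand-in for the data repository that echrs:ref resolves to
REPOSITORY = {"http://DataRepository/LPR1":
              b"<patientRecord><pid>1</pid><xray>j8ladfhaufjalkdjkfas</xray></patientRecord>"}

def digest_value(data: bytes) -> str:
    # SHA-256 is an assumption: the slides do not name the digest algorithm
    return hashlib.sha256(data).hexdigest()

def reference_with_digest(ref: str, data: bytes) -> str:
    # Recording side: the echrs:store body of a reference-styled p-assertion carries
    # the reference plus the digest of the data as it was when the assertion was made
    store = ET.Element(f"{{{ECHRS}}}store")
    ET.SubElement(store, f"{{{ECHRS}}}ref").text = ref
    ET.SubElement(store, f"{{{ECHRS}}}digestValue").text = digest_value(data)
    return ET.tostring(store, encoding="unicode")

def resolve_and_verify(store_xml: str, repository: dict):
    # Querying side: dereference, then accept the bytes only if they still match the
    # recorded digest. A reference without echrs:digestValue (the plain reference
    # style) cannot be verified and is rejected the same way as a mismatch.
    store = ET.fromstring(store_xml)
    ref = store.findtext(f"{{{ECHRS}}}ref", "").strip()
    recorded = store.findtext(f"{{{ECHRS}}}digestValue", "").strip()
    data = repository.get(ref)
    if data is None or not hmac.compare_digest(digest_value(data).encode(), recorded.encode()):
        return None, False
    return data, True
```

The digest only binds the bytes, not who produced them: it travels inside the p-assertion, so its own integrity rests on the p-assertion signature of slide 5.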
45 Setting authorisation statements
- Newly created p-assertions must have authorisation statements associated with them
- These can be
  - set statically by the provenance store system administrator
  - provided by the recording actor submitting the p-assertion
- The appropriate choice depends on application-dependent requirements
46 Summary
- Primary security issues
  - Integrity and non-repudiation of p-assertions
  - Delegation of identity / access control
  - Access control to provenance store
  - Federated security
- Secondary security issues
  - Checking asserter identity
  - Documentation style
  - Integrity of referenced data
  - Setting authorisation statements for p-assertions
47 Questions?
- Victor Tan
- vhkt_at_ecs.soton.ac.uk