Security in a Provenance System by Victor Tan vhktecs'soton'ac'uk - PowerPoint PPT Presentation

1 / 47

About This Presentation

Title:

Security in a Provenance System by Victor Tan vhktecs'soton'ac'uk

Description:

Documentation style: signing, anonymous, encryption and ... Documentation style ... Styled Reference P-Assertion with digest ps:interactionPAssertion ... – PowerPoint PPT presentation

Number of Views:63

Avg rating:3.0/5.0

Slides: 48

Provided by: pg30

Category:

more less

Transcript and Presenter's Notes

Title: Security in a Provenance System by Victor Tan vhktecs'soton'ac'uk

1
Security in a Provenance System by Victor Tan
(vhkt_at_ecs.soton.ac.uk)
2
Overview of Todays Talks

Provenance Data Structures
Recording and Querying Provenance
Break (30 minutes)
Distribution and Scalability
Security
Methodology

3
Security Where does it fit in ?

All data processing related activities in
industrial environments will incorporate security
concerns
Recording and querying are two main activities in
the provenance system for which a security
architecture needs to be developed
Scalability and distribution requires further
extensions to a basic security architecture

4
Primary security issues

Integrity and non-repudiation of p-assertions
Federated security
Access control to provenance store
Delegation of identity / access control

5
Integrity and non-repudiation of p-assertions

P-assertion is a subjective view of actor
Need to establish accountability for the creation
of an assertion (non-repudiation)
Ensure that p-assertions are not altered after
being created (integrity)
Directly implemented by signing p-assertions

6
Signed actor state p-assertion
7
Signed relationship p-assertion
8
Signed interaction p-assertion
9
Federated security

Provenance stores can be distributed for
scalability reasons
Stores may be located in different security
domains
Federation of identity may be required for actors
in a given domain to interact securely with
stores in separate domains.

10
Provenance Store Distribution
PS
PS
PS
11
Federated security / Single sign on Approach 1
Provenance store Security domain 1
Provenance store Security domain 2
12
Federated security / Single sign on approach 2
Provenance store Security domain 1
Provenance store Security domain 2
13
Access control to provenance store

Mutual authentication between actors and
provenance store
Secured communication link (encryption,
signatures)
Appropriate authorisation scheme expressed in
suitable authorisation policy language

14
(No Transcript)
15
PS
16
(No Transcript)
17
(No Transcript)
18
(No Transcript)
19
(No Transcript)
20
Federated security / Single sign on approach 2
Provenance store Security domain 1
Provenance store Security domain 2
21
(No Transcript)
22
Remote security domain
23
Security architecture of application
24
Delegation of identity / access control

Various components interact with each other in
the logical architecture during a workflow run
Need to be authenticated or authorised to perform
an action or access a resource on behalf of
another component
Requires delegation of identity / access control

25
(No Transcript)
26
Hospital Actors
User Interface
Donor Data Collector
Brain Death Manager
27
Delegation of identity / access control
Provenance store
28
Secondary security issues

Checking asserter identity
Documentation style signing, anonymous,
encryption and reference digest
Integrity of referenced data
Setting authorisation statements for p-assertions

29
Checking asserter identity

Context
Different types of roles asserting actor,
recording actor, querying actor
Asserting actor creates p-assertion, recording
actor submits p-assertion to store
Asserting actor signs p-assertions
Asserting actor may or may not have the same
identity as recording actor

30
Checking asserter identity

Asserter identity is given in view of a
p-structure
This should match with identity on verified
signature on associated p-assertions

31
P-structure view
32
Signed actor state p-assertion
33
Documentation style

In the simplest case, creation of a p-assertion
from original message exchanged involves copying
the message content verbatim
Creation of a p-assertion from original message
can also involve transformation of contents of
original message for various reasons

34
Documentation style Security relevant
transformations

Encryption
Uses a key (secret/public) to encrypt parts of
message that becomes the content of the created
p-assertion
Querying actors with access to the secret /
private key can retrieve the p-assertion and
decrypt the encrypted portion
Anonymous
Some parts of the message are replaced by
anonymous identifiers
Particularly relevant in environments where
privacy is critical (e.g. patientID in hospital
records)

35
Interaction in the Organ Transplant Process
Request healthcare record for patient PID1
Donor Data Collector
Electronic Healthcare Management System
36
Request Message Contents

ltsoapenvelopegt
ltsoapheadergtlt/soapheadergt
ltsoapbodygt
ltechrsrequestgt
ltechrspatientgt PID1 lt/echrspatientgt
lt/echrsrequestgt
lt/soapbodygt
lt/soapenvelopegt

37
Documentation style Anonymous

ltpsinteractionPAssertiongt
ltpslocalPAssertionIdgt1lt/pslocalPAssertionIdgt
ltpsdocumentationStylegt
http//www.pasoa.org/.../stylesAnonymisedPa
tient
lt/psdocumentationStylegt
ltpscontentgt
ltsoapenvelopegt
ltsoapheadergtlt/soapheadergt
ltsoapbodygt
ltechrsrequestgt
ltechrsanoymisedPatientgtx78df2 lt/
echrsanoymisedPatientgt
lt/echrsrequestgt
lt/soapbodygt
lt/soapenvelopegt
lt/pscontentgt
lt/psinteractionPAssertiongt

38
Documentation style Security relevant
transformations

Signing
An asserting actor may receive proxy certificates
from other actors
The keys in these proxy certificates can be used
to sign parts of the contents of a p-assertion by
the asserting actor
These signatures can be used to indicate the
signed parts were associated with a delegated
operation

39
Delegation of identity / access control
Provenance store
40
Signing with proxy certs
Presentation UI 1
p-assertion contents
Presentation UI 2
Provenance store
Presentation UI 3
41
Documentation style Security relevant
transformations

Referenced-digest
P-assertions may contain references to data
rather than the actual data
To ensure that the data that the reference is
eventually resolved to was the original data, a
digest of the original data is included along
with the reference in p-assertion

42
External References cont.

ltsoapenvelopegt
ltsoapheadergtlt/soapheadergt
ltsoapbodygt
ltechrsstoregt
ltechrspatientRecordgt
ltpidgt1lt/pidgt
ltxraygtj8ladfhaufjalkdjkfaslalkfd
jaljfafjaljajfdlja
adfhaldfjhaslfjdasldfja
slfj.
lt/xraygt
lt/echrspatientRecordgt
lt/echrsstoregt
lt/soapbodygt
lt/soapenvelopegt

43
Styled Reference P-Assertion

ltpsinteractionPAssertiongt
ltpslocalPAssertionIdgt1lt/pslocalPAssertionIdgt
ltpsdocumentationStylegt
http//www.pasoa.org/.../stylesReference
lt/psdocumentationStylegt
ltpscontentgt
ltsoapenvelopegt
ltsoapheadergtlt/soapheadergt
ltsoapbodygt
ltechrsstoregt
ltechrsrefgt http//DataRepository/LPR
1 lt/ echrsrefgt
lt/echrsstoregt
lt/soapbodygt
lt/soapenvelopegt
lt/pscontentgt
lt/psinteractionPAssertiongt

44
Styled Reference P-Assertion with digest

ltpsinteractionPAssertiongt
ltpslocalPAssertionIdgt1lt/pslocalPAssertionIdgt
ltpsdocumentationStylegt
http//www.pasoa.org/.../stylesReference
lt/psdocumentationStylegt
ltpscontentgt
ltsoapenvelopegt
ltsoapheadergtlt/soapheadergt
ltsoapbodygt
ltechrsstoregt
ltechrsrefgt http//DataRepository/LPR
1 lt/ echrsrefgt
ltechrsdigestValuegt
df4e5ee88tg345 lt/ echrsdigestValuegt
lt/echrsstoregt
lt/soapbodygt
lt/soapenvelopegt
lt/pscontentgt
lt/psinteractionPAssertiongt

45
Setting authorisation statements

Newly created p-assertions must have
authorisation statements associated with them
These can be
set statically by provenance store system
administrator
provided by the recording actor submitting the
p-assertion
The appropriate use depends on application
dependent requirements

46
Summary