Secure RESTful Interface Profile Phase 1 Briefing

Slides:

Advertisements

Similar presentations

How Will it Help Me Do My Job?

Advertisements

OMV Ontology Metadata Vocabulary April 10, 2008 Peter Haase.

1 SensorWebs and Security Experiences Dan Mandl Presented at WGISS Meeting in Toulouse, France May 11, 2009.

Presented to: By: Date: Federal Aviation Administration Registry/Repository in a SOA Environment SOA Brown Bag #5 SWIM Team March 9, 2011.

Yammer Technical Solutions Overview

Meeting Etiquette Please announce your name each time prior to making comments or suggestions during the call Remember: If you are not speaking keep your.

Mobile Devices in the DoD

1 The phone in the cloud Utilizing resources hosted anywhere Claes Nilsson.

Akshat Sharma Samarth Shah

External User Security Model (EUSM) for SNMPv3 draft-kaushik-snmp-external-usm-00.txt November, 2004.

Supportive Services for Veteran Families (SSVF) HMIS and the Impact of Outcomes in Prevention Services Sponsored by: National Center on Homelessness Among.

HIT Policy Committee Federal Health IT Strategic Plan April 13, 2011 Jodi Daniel, ONC Seth Pazinski, ONC.

FRED Interlinked Registries DRAFT roadmap for consideration.

ELTSS Alignment to Nationwide Interoperability Roadmap DRAFT: For Stakeholder Consideration in response to public comment.

FIPS 201 Personal Identity Verification For Federal Employees and Contractors National Institute of Standards and Technology Information Technology Laboratory.

Meeting Etiquette Please announce your name each time prior to making comments or suggestions during the call Remember: If you are not speaking keep your.

© 2014 The MITRE Corporation. All rights reserved. Mark Russell OAuth and OpenID Connect Risks and Vulnerabilities 12/3/2014 Approved for Public Release;

IETF OAuth Proof-of-Possession

1 IETF OAuth Proof-of-Possession Hannes Tschofenig.

Hannes Tschofenig, Blaine Cook (IETF#79, Beijing).

Hannes Tschofenig (IETF#79, SAAG, Beijing). Acknowledgements I would like to thank to Pasi Eronen. I am re- using some of his slides in this presentation.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

NHIN Specifications Richard Kernan, NHIN Specification Lead (Contractor), Office of the National Coordinator for Health IT Karen Witting, Contractor to.

© 2015 The MITRE Corporation. All rights reserved. Secure RESTful Interface Profile Pilot Overview Briefing The MITRE Corporation January 6, 2015 Approved.

OpenID Connect Update and Discussion Mountain View Summit – September 12, 2011 Mike Jones – Microsoft John Bradley – Independent Nat Sakimura – Nomura.

Finalize RESTful Application Programming Interface (API) Security Recommendations Transport & Security Standards Workgroup January 28, 2014.

User Authentication Recommendations Transport & Security Standards Workgroup December 10, 2014.

Clients using wide variety of devices/languages/platforms Server applications using wide variety of platforms/languages Browser Native app Server.

EsMD Background Phase I of esMD was implemented in September of It enabled Providers to send Medical Documentation electronically Review Contractor.

TATRC and MITRE to NwHIN Power Team 12 June 2013 RESTful Health Exchange (RHEx)

Health IT RESTful Application Programming Interface (API) Security Considerations Transport & Security Standards Workgroup March 18, 2015.

OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control Maarten

UMA Could I Manage My Own Data. Please?. Agenda Business Trends & Technical Solutions Distributed Business (Decentralisation) Mobility & Automation Delegation.

UICC UICC is a smart card used in mobile terminals in GSM and UMTS networks It provides the authentication with the networks secure storage crypto algorithms.

HIT Standards Committee HIT Standards Committee Privacy and Security Workgroup Discussion of NwHIN Power Team Recommendations August 6,

Lecture 23 Internet Authentication Applications modified from slides of Lawrie Brown.

The Internet Identity Layer OpenID Connect Update for HIT Standards Committee’s Privacy and Security Workgroup Wednesday, March 12th from 10:00-2:45 PM.

Workgroup Discussion on RESTful Application Programming Interface (API) Security Transport & Security Standards Workgroup January 12, 2014.

OpenPASS Open Privacy, Access and Security Services “Quis custodiet ipsos custodes?”

E-Commerce Security Professor: Morteza Anvari Student: Xiaoli Li Student ID: March 10, 2001.

Enforcement mechanisms for distributed authorization across domains in UMA – aka “UMA trust” Eve Maler | 22 Aug 2012 draft.

W3C Web Services Architecture Security Discussion Kick-Off Abbie Barbir, Ph.D. Nortel Networks.

SSO Case Study Suchin Rengan Principal Technical Architect Salesforce.com.

THE DEVIL IS IN THE (IMPLEMENTATION) DETAILS: AN EMPIRICAL ANALYSIS OF OAUTH SSO SYSTEMS SAN-TSAI SUN & KONSTANTIN BEZNOSOV PRESENTED BY: NAZISH KHAN COMPSCI.

Meeting Etiquette Please announce your name each time prior to making comments or suggestions during the call Remember: If you are not speaking keep your.

Access Management 2.0: UMA for the #UMAam20 for questions 20 March 2014 tinyurl.com/umawg for slides, recording, and more 1.

Justin Richer The MITRE Corporation October 8, 2014 Overview of OAuth 2.0 and Blue Button + REST.

Electronic Submission of Medical Documentation (esMD)

Discussion - HITSC / HITPC Joint Meeting Transport & Security Standards Workgroup October 22, 2014.

Security Hannes Tschofenig. Goal for this Meeting Use the next 2 hours to determine what the security consideration section of the OAuth draft(s) should.

Secure Mobile Development with NetIQ Access Manager

Redmond Protocols Plugfest 2016 Ron Starr, Paul Bartos, Hagit Galatzer, Stephen Guty New and Modified Windows Protocol Documents.

Dr. Michael B. Jones Identity Standards Architect at Microsoft

4/18/2018 1:15 PM © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN.

Consuming OAuth Services in Alfresco Share

OAuth WG Conference Call, 11th Jan. 2013

Migrating SharePoint Add-ins from Azure ACS to Azure AD

What is REST API ? A REST (Representational State Transfer) Server simply provides access to resources and the REST client accesses and presents the.

OpenID Connect Working Group

SharePoint Online Authentication Patterns

Office 365 Development.

SMART on FHIR for managed authorised access to medical records

Mary Montoya, CIO Bogi Malecki, Project Manager

Token-based Authentication

SMART on FHIR Scot Post van der Burg FHIR Developer Days November 25,

Computer Network Information Center, Chinese Academy of Sciences

D Guidance 26-Jun: Would like to see a refresh of this title slide

Veterans Health Administration

Presentation transcript:

Secure RESTful Interface Profile Phase 1 Briefing Mark Russell – Phase 1 Task Lead July 30, 2014

Background Task Summary: Sponsor: Dr. Paul Tibbits, VA Office of Information & Technology (OIT) Architecture, Strategy, & Design (ASD) Outcome: Integration with Mission Partners: The VA interoperates seamlessly with mission partners enabled by architectural alignment Task Area: Modern Open Architecture Technical contributions to accelerate VA use of open standards and open architectures to successfully serve our nation and facilitate mission partner interoperability Outcome Lead: Mary Pulvermacher VA Task POC: Joe Paiva / Tim McGrail, ASD Office of Technology Strategies Task Summary: Phase 1 - Develop a profile for distributed information sharing using the RESTful architecture style Use open standards Must be secure and compliant with VA requirements Must support lightweight web clients and mobile devices Phase 2 - Demonstrate the viability of this approach through a pilot deployment

Secure RESTful Interface Profile Scope How to provide: Secure Transport Authentication Authorization Across a diverse population of: Users .gov/.mil partners Commercial organizations Veterans Citizens Client software Web services Native apps Browser apps …For external RESTful Interfaces, using open standards

API Design & Content Authorization Authentication Transport Security Scope, continued Transport Security Authentication Authorization API Design & Content Not In Scope In Scope API content and messaging are not in scope REST APIs such as HL7 FHIR* do not (and should not) dictate particular security mechanisms Security elements can be layered over many different APIs serving different kinds of use cases * Health Level 7 Fast Healthcare Interoperability Resources: http://www.hl7.org/implement/standards/fhir/

Open Security Standards for RESTful Interfaces A stack of interrelated protocols in wide use on the web can help meet security requirements for RESTful interfaces UMA (User-Managed Access) OpenID Connect (Identity Federation) OAuth (Authorization) JWT (Secure Tokens) JOSE (Signed & Encrypted Data) TLS (Secure Transport) JWK JWS JWE JWA Acronyms: TLS: Transport Layer Security JSON: JavaScript Object Notation JWK: JSON Web Key JWS: JSON Web Signature JWE: JSON Web Encryption JWA: JSON Web Algorithms JOSE: JSON Object Signatures & Encryption JWT: JSON Web Tokens

RESTful Security Patterns The Use Cases document outlines three patterns for REST security: Client Delegation, using OAuth 2.0 Identity Federation, using OpenID Connect 1.0 VA as Relying Party (RP) VA as OpenID Provider (OP) Profiles and security guidance for OAuth and OpenID Connect will be developed to support VA use of these patterns

Client Delegation Pattern Examples: A veteran delegates access to his/her Electronic Health Record (EHR) to a web application for tracking blood pressure A veteran delegates access to his/her EHR to a mobile application, limiting the scope of access to information pertaining to a particular medical condition A veteran uses a personal health monitoring device which uploads measurement data to an external web application; the veteran delegates access to the web service to upload this Patient- Generated Data (PGD) to a VA system

Client Delegation with OAuth 2.0: Authorization Code Flow User interacts with client & initiates request for protected resource at VA Client redirects user agent to AS with authorization request User authenticates & authorizes client access OK! Authorization Server redirects user to Client with an Authorization Code (AC) Authorization Code Access Token Refresh Token Client submits AC & client credentials to AS’s Token Endpoint AS validates AC. If valid, AS issues Access Token (AT) and optional Refresh Token (RT) Access Token Client accesses Protected REST API, passing AT as proof of authorization Client can use optional Refresh Token to obtain a new Access Token when AT expires

Federation (VA as Relying Party) Pattern Examples: A VSO employee authenticates to a VA system through an OP operated by the VSO organization A specialist authenticates to a VA system through an OP operated by the external health care provider organization in order to view the EHR of a referred patient A pharmacy employee authenticates to a VA system through an OP operated by the pharmacy to upload veteran immunization records Veterans authenticate through the OP of their choice as an alternative to DS Logon

Federation (VA as Relying Party) Pattern: OpenID Connect 1.0 Authorization Code Flow Unauthenticated user attempts to access protected resource at VA VA Relying Party (RP) redirects user to OpenID Provider’s (OP) Authorization Server (AS) with an Authentication Request OK! Authorization Code Access Token User authenticates to AS & authorizes the RP to access identity information ID Token AS redirects user to RP with an Authorization Code (AC) RP authenticates to the OP and submits the Authorization Code OP validates Authorization Code and issues ID Token and Access Token RP extracts user identity and other claims from ID Token If additional claims are needed, RP requests them from OP using the Access Token for authorization

OAuth Attack Categories and Countermeasures Attack Category Countermeasures Extracting credentials or tokens in captured traffic TLS encryption Impersonating authorization server or resource server TLS server authentication Manufacturing or modifying tokens Issue tokens as signed JWTs Redirect manipulation Require clients to declare redirect URIs during registration Guessing or interception of client credentials Used signed JWTs for client authentication Client session hijacking or fixation Use the State parameter to ensure continuity of client session throughout the OAuth flow

Profiling Security Standards – Examples from the OAuth 2.0 Profile The authorization server SHOULD require all clients to register their redirection endpoint prior to utilizing the authorization endpoint. The authorization server SHOULD require the client to provide the complete redirection URI An access token is a string representing an authorization issued to the client. The string is usually opaque to the client. … Access tokens can have different formats, structures, and methods of utilization (e.g., cryptographic properties) based on the resource server security requirements. Clients using the authorization code or implicit grant types MUST register their full redirect URIs. The Authorization Server MUST validate the redirect URI given by the client at the authorization endpoint using strict string comparison. The server MUST issue tokens as JWTs with, at minimum, the following claims… The access tokens MUST be signed with JSON Web Signature (JWS). The authorization server MUST support the RS256 signature method for tokens and MAY use other asymmetric signing methods. RFC6749 – The OAuth 2.0 Authorization Framework Secure RESTful Interface Profiles for OAuth 2.0

Next Steps Phase 2 of the Secure RESTful Interface Profile Project Collaborating with VHA & ONC on potential pilot integration Next steps towards VA adoption of the profiles and security guidance: Host additional discussions with VA stakeholders Sponsor discussions with external parties Perform technical integration analysis Plan for client developer support Define client standards and registration process, and make them transparent Incorporate REST standards profiles and other guidance into EA Questions Identified: Need for common agreement on how to pass authentication context between VA and its partners Need consensus on assurance requirements for common health use cases Federal policy regarding system interconnections needs more clarity

Potential Future Work Advanced OAuth security options identified in the OAuth profile Client authentication to protected resources, proof of possession tokens User-Managed Access (UMA) Promising protocol for patient consent management – technology not quite ready for production use, but actively being pursued by ONC Feasibility of including this in Phase 2 pilot activities is in question

Backup Slides

Approach Inputs Task Work Products Ongoing Collaboration & Feedback Use Cases and Distributed Security Requirements Approach Briefing Standards Profiles Pilot Implementation Secure RESTful Interfaces Profile VA Security Policies PHASE 1 Identify use cases Analyze requirements Define standards profiles Document security guidance Standards Documents PHASE 2 Identify pilot use case(s) Coordinate implementation with VA Implement pilot Update documents based on lessons learned Ongoing Collaboration & Feedback Existing Profiles BlueButton+

Secure RESTful Interface Profile Work Products Secure RESTful Interfaces: Business-oriented Use Cases & Associated Distributed Security Requirements (5/16/14) Describes three RESTful Security patterns with relevant use case examples Describes a potential future pattern based on User-Managed Access (UMA) Secure RESTful Exchange Approach Briefing (6/12/14) Draft Open Standards Profiles (6/30/14) Profiles of OAuth and OpenID Connect applicable to a wide range of VA use cases Includes advanced security options for high-assurance use cases Secure RESTful Interface Profile Security Analysis and Guidance (7/28/14) Security analysis of OAuth 2.0 and OpenID Connect 1.0 Rationale for profiling decisions Analysis of applicable VA and Federal policies and potential impacts Next steps and identified issues