8/17/2019 sli-phd
1/55
On authentication and authorisation issues in e-Health systems
Ph.D. thesis defense, Università degli Studi di Firenze
DSI, INF/01
Massimiliano Masi
http://www.tiani-spirit.com
May 14, 2012
Introduction
The life expectancy of human beings has dramatically increased
The population of developed countries is aging
In the EU the number of over-65s will be around 123 million in 2030 (source: HIMSS 2011)
Huge impact on social, economic, and health aspects
Massimiliano Masi 2
Introduction/2
Access to healthcare treatment is not always granted in developing countries
Healthcare and communications infrastructures are missing
Hospitals and clinics are reachable only by hundreds of kilometers of sand tracks
No coordination on migrants
Introduction/3
Electronic health (e-Health) can help to overcome these problems. The wishes are (but not limited to):
to make it possible for patients to maintain a mobile and independent lifestyle
to bring electronic healthcare treatments to citizens and regions which otherwise would not have access to them (e.g. telemedicine and teleconsulting)
to improve the quality of life by having the same quality of care in different organizations
What is the status as of today?
Governmental initiatives
Health Insurance Portability and Accountability Act (HIPAA, 1996, Kennedy/Kassebaum/Clinton)
Title I: health insurance coverage for workers and their families when they change or lose their jobs
Title II: the establishment of national standards for EHR transactions and national identifiers for providers, health insurance plans and employers
Governmental initiatives/2
The Mandate 403 aims at giving to CEN, CENELEC, and ETSI the responsibility to determine the process for the definition of a set of standards to achieve effective interoperability for specific use cases in e-Health
Each member state must adopt an e-Health agenda in its governmental procedures
Motivations
In order to give an answer to such governmental requests, many standardization initiatives were born, e.g.:
Health Level 7, which aims at standardizing health documents (Clinical Document Architectures, such as patient summaries, discharge summaries, dispensation, prescriptions, continuity of care)
DICOM, which aims at providing a common definition of radiological images and laboratory reports
IHE
Among these initiatives, the Integrating the Healthcare Enterprise (IHE) international body is acting as a “glue” among other initiatives, to computerize specific clinical use cases. IHE provides the basic building blocks for international e-Health approaches. IHE defines a Service Oriented Architecture.
Motivations/2
Many projects have been funded with the aim to provide electronic health care. Among the many:
the U.S. project NwHIN: around three hundred million patients and $22.250 billion [GRAMS10]
the E.U. project epSOS: potentially around five hundred million patients and €36.5 million for the first 5 years
Warning
Design errors in such scenarios can impact the safety of patients
Bottom-up approach: applied research on information security for e-Health is lacking
Only established libraries and standards are accepted as foundation
Only slight modifications are accepted by projects in production
Contributions
We provided a methodology based on formal methods which aims at:
guaranteeing interoperability and integration among different implementations
proving the absence of security flaws under a specific threat model
expressing security requirements in e-Health projects
We focused on two major industry standards for authentication and authorisation:
we model checked SAML-based authentication protocols
we provided a formal semantics of XACML-based access control
Authentication
A XUA-based protocol [ICISS09, JOMS12]
The crucial aspect of authentication of healthcare professionals is covered by IHE in the cross-enterprise user assertion (XUA) profile:
it defines the use of SAML authentication assertions (i.e., an XML-encoded authentication token) for single sign on (by using, e.g., Kerberos)
it defines a transport method for the assertion
Warning
Unfortunately XUA does not define a method for obtaining the authentication assertion
A security flaw
We discovered a security flaw in the protocol “naively” resulting from the XUA specification (due to a bad assertion layout, missing channel authentication)
We proposed an amendment to the protocol (i.e. a more restrictive use of the XUA specifications) for a secure token issuance
A XUA-based protocol/2
Message sequence chart (actors: Creator (C), Intruder, STS, Registry (REG); the intruder column sits between C and the other actors, so every message is drawn on both sides of it):
(1) RST: C → STS
(2) Challenge: STS → C
(3) Challenge (response): C → STS
(4) SAML Token: STS → C
(5) XDS Query w/SAML: C → REG, answered by XDS Query Response: REG → C
A XUA-based protocol/3
How to prove that our protocol solves the security flaw that we discovered? We applied our proposed verification method:
we specified the protocol using the process calculus COWS
we specified the desired security properties using the temporal logic SocL
we model checked the SocL formulæ w.r.t. the terms using the tool CMC (reachability analysis)
A XUA-based protocol/4
We have instantiated a well known methodology:
our intruder is based on the well known Dolev-Yao model
each actor is rendered as a process calculus term
desired security properties are defined as temporal logic formulæ
the verification of the formulæ over the terms is software assisted
Our favour towards COWS
COWS is designed to cope with the specific characteristics of SOA
COWS provides verification tools
The approach
Figure: XUA Protocol → (formulation) → COWS Spec → (analysis) → Analysis
The approach/2
COWS specification of the STS (excerpt):
* [C] [MsgId1] [User] [Salt] [Iteration] [Timestamp1] [URI] [RST]
  sts.rst?.
  ( -- Retrieve the User's password
    sts.getPwd!
  | [Pwd] sts.getPwdResp?.
    ( -- Calculate the derived key
      sts.hashReq!
    | [DKey] sts.hashResp?.
      ( -- Create the challenge
        sts.encReq!
      | [Challenge] sts.encResp?.
        ( -- Send the challenge to the consumer
          C.rstr!
        | -- Receive the challenge response
The approach/3
SocL formula checked with CMC:
AG [request(samlToken,requestedBy,c)] not EF (systemUnderAttack(i) and deliveringResource(to,i))
Globally (AG), if ([·]) a token is requested by c, then it does not hold that eventually (EF) the system will be under attack by i while delivering the resource to i
e-Health for developing countries
Rural areas of (least) developing countries may not have Internet connection
Problem when sharing EHRs of migrant populations
Examples are: Malawi, Limpopo, Mpumalanga
We extended our XUA-based protocol to provide an authenticated EHR exchange in (least) developing countries
The VAN protocol
Again, we used COWS to provide a formal specification of this protocol
We have defined a threat model, driven by a local risk assessment
We identified a trusted controller named security officer, prosecutor
We analysed the protocol w.r.t. the threat model, with SocL and CMC
We implemented the protocol
The threat model
We have identified four types of relevant attacks:
the intruder suppresses a message
the intruder impersonates a clinic by reusing a previously issued SAML token
the intruder obtains a message by listening on the channel represented by the VAN, suppresses it, and sends a new message by reusing the SAML token
the intruder replays the message
The Sebokeng experience [AFRICOMM11]
In 2008, the Gauteng department of Health (GDoH) established the E-HR.GP:
a Proof-of-Concept running in 3 clinics (around 700 beds)
three phases: definition of the PoC, full implementation, extension to the whole region
it will run in Gauteng, the smallest province in South Africa, but the most densely populated (nine million people, 90% urbanized)
The Sebokeng experience/2
Warning
Although the PoC ran without known security issues, the extension of the PoC to the whole Gauteng introduces severe security flaws, due to the fact that IHE profiles are made for high speed Internet communications
We have shown that our VAN protocol can solve the underestimated security flaw without affecting the software already in production
Brokered Trust: European use case [EHEALTH10]
By means of the EU mandate 403, each government started to have an electronic healthcare agenda
Many national initiatives were born, in France, Italy, Austria, UK, exploiting IHE profiles
We contributed on tailoring our XUA based protocol to fulfill the requirements of an Austrian project, around 1.5 million patients, covering a direct brokered trust scenario
Cross Community Fetch [XCFStandard]
In 2008, the EU commission funded the epSOS project with the aim to connect all the governmental initiatives. We actively participated in the development of the security infrastructure.
Each country is uniquely identified by a national contact point (NCP), a gateway which facilitates various aspects of cross border data sharing
The NCP denotes the boundary between the epSOS infrastructure and a country's existing national e-health infrastructure
We contributed in the development of the base protocol for exchanging patient summaries and e-Prescriptions, being a new IHE profile
Implementation
We provided a full implementation of:
the XUA-based protocol, with a new SAML Identity Provider, now integrated in a commercial product
the VAN protocol for disconnected clinics, by exploiting the IHE XDM implementation of Tiani “Spirit” GmbH
the IHE XCF (reference implementation, being used in the new upcoming IHE connectathon)
the Brokered Trust scenario (now in production in an Austrian Region)
Authorization
XACML [ESSOS12]
XACML:
is a widely used implementation of PBAC
defines an XML-based language for writing policies
defines an XML-based language for representing requests
defines how to make authorization decisions (by the PDP)
is currently used in many large scale projects (e.g., epSOS, NHIN, involving both industries and academia)
is a recommendation from ITU, US VA Office
The XACML workflow
Figure: the XACML data-flow diagram, with actors Access requester, PEP, Context Handler, PDP, PIP, PAP, Obligations Service, Subjects, Resource and Environment. The numbered flows are:
1. policy (PAP → PDP)
2. access request (Access requester → PEP)
3. request (PEP → Context Handler)
4. request notification (Context Handler → PDP)
5. attribute queries (PDP → Context Handler)
6. attribute query (Context Handler → PIP)
7a. subject attributes, 7b. environment attributes, 7c. resource attributes (Subjects, Environment, Resource → PIP)
8. attribute (PIP → Context Handler)
9. resource content (Resource → Context Handler)
10. attributes (Context Handler → PDP)
11. response context (PDP → Context Handler)
12. response (Context Handler → PEP)
13. obligations (PEP → Obligations Service)
Motivations
Designing XACML policies is a difficult and error-prone task
The language has an XML syntax
it makes writing XACML policies awkward by using common editors (XML is neither readable nor writable by humans)
there exist ad-hoc policy editors, but they are cumbersome and ineffective when dealing with real-world policies
Example: patient privacy consent policy from epSOS (the four slide fragments joined; the enclosing Target and Rule elements and the Apply structure of the condition are completed from the BNF-like form of the same policy given later, and the RuleId attributes are not shown on the slides)
<Policy PolicyId="policyId1"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
  <Target>
    <Subjects><Subject>
      <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">medical doctor</AttributeValue>
        <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
                                    DataType="http://www.w3.org/2001/XMLSchema#string"/>
      </SubjectMatch>
      <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">TREATMENT</AttributeValue>
        <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:subject:purposeofuse"
                                    DataType="http://www.w3.org/2001/XMLSchema#string"/>
      </SubjectMatch>
    </Subject></Subjects>
    <Resources><Resource>
      <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">34133-9</AttributeValue>
        <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                                     DataType="http://www.w3.org/2001/XMLSchema#string"/>
      </ResourceMatch>
    </Resource></Resources>
  </Target>
  <Rule Effect="Permit">
    <Description>Matches all the READ operations to requests containing the correct permissions</Description>
    <Target>
      <Actions><Action>
        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Read</AttributeValue>
          <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                                     DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </ActionMatch>
      </Action></Actions>
    </Target>
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-subset">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:oasis:names:tc:xspa:1.0:subject:hl7:permission:PRD-003</AttributeValue>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:oasis:names:tc:xspa:1.0:subject:hl7:permission:PRD-005</AttributeValue>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:oasis:names:tc:xspa:1.0:subject:hl7:permission:PRD-010</AttributeValue>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:oasis:names:tc:xspa:1.0:subject:hl7:permission:PRD-016</AttributeValue>
        </Apply>
        <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:subject:hl7:permission"
                                    DataType="http://www.w3.org/2001/XMLSchema#string"/>
      </Apply>
    </Condition>
  </Rule>
  <Rule Effect="Deny"/>
</Policy>
XACML comes without a formal semantics
the standard is written in natural language (English)
it contains loose points that may give rise to different interpretations (this could lead to different implementation choices)
the portability of XACML policies could be undermined
no formal reasoning on policies can be carried out
Contributions of this work
Designing XACML policies is a difficult and error-prone task: the language has an XML syntax and XACML comes without a formal semantics
Our proposal
An alternative syntax
A formal semantics
An implementation driven by the formal semantics
A BNF-like syntax
Syntax
PDPpolicies ::= { Palg ; Policies }                                            (Retrieved policies)
Palg        ::= only-one-applicable | Ralg                                      (Policy-combining alg.)
Ralg        ::= deny-overrides | permit-overrides | first-applicable            (Rule-combining alg.)
              | ordered-deny-overrides | ordered-permit-overrides
Policies    ::= { Palg ; target :{ [ Targets ] } ; Policies }                  (policy set)
              | Ralg ; target :{ [ Targets ] } ; rules :{ Rules }               (policy)
              | Policies Policies
Targets     ::= MatchId(value, name)                                            (Targets)
              | Targets ∨ Targets | Targets ∧ Targets | Targets Targets
MatchId     ::= string-equal | integer-equal | integer-greater-than | ...       (Match functions)
Rules       ::= ( Effect [ ; target :{ Targets } ] [ ; condition :{ expression } ] )   (Rules)
              | Rules Rules
Effect      ::= permit | deny                                                   (Effects)
A BNF-like syntax: an example
Example: patient privacy consent policy from epSOS
permit-overrides ; target :{ string-equal(“medical doctor”, subject.role)
                             ∧ string-equal(“TREATMENT”, subject.purposeofuse)
                             string-equal(“34133-9”, resource.resource-id) } ;
rules :{ (permit ; target :{ string-equal(“Read”, action.action-id) } ;
                   condition :{ string-subset(string-bag(“PRD-003”,“PRD-005”,“PRD-010”,“PRD-016”), subject.permission) })
         (deny) }
The policy specifies in its target:
a subject: a medical doctor with a healthcare TREATMENT purpose
a resource: a patient summary (identified by the code 34133-9)
The policy contains two rules:
the first has effect permit if the requestor aims at performing a Read action and has at least the permissions PRD-003 ... PRD-016
the second has always effect deny
Formal semantics
General idea
The semantics is given in a denotational style
It is defined by a function [[·]]_R given a policy/policy set and given a set R of requests (e.g. all possible requests, requests with given structure, a single request)
[[·]]_R returns a decision tuple of the form
( permit : R_p ; deny : R_d ; not-applicable : R_n ; indeterminate : R_i )
where R_p, R_d, R_n and R_i are a partition of R
Example
Taking into account the previous policy (the epSOS patient privacy consent policy written in the BNF-like syntax above):
Doctor's request (∈ R_p):
request :{ (subject.role,“medical doctor”) (subject.purposeofuse,“TREATMENT”) (subject.organization,“NewYorkGH”)
           (subject.permission,“PRD-003”) (subject.permission,“PRD-005”) (subject.permission,“PRD-010”) (subject.permission,“PRD-016”)
           (resource.resource-id,“34133-9”) (action.action-id,“Read”) } ;
response :{ id :{“34133-9”} ; permit }
Nurse's request (∈ R_d):
request :{ (subject.role,“nurse”) (subject.purposeofuse,“EMERGENCY”) (subject.organization,“NewYorkGH”)
           (subject.permission,“PPD-003”) (subject.permission,“POE-007”) (resource.resource-id,“34133-9”) (action.action-id,“Read”) } ;
response :{ id :{“34133-9”} ; not-applicable }
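To make the decision-tuple semantics concrete, here is an added Python evaluator for the BNF-like syntax (not the thesis' Java PDP; the tuple encoding of policies and requests, the simplified treatment of indeterminate, and the third request of a doctor lacking PRD-016 are my own constructions) that partitions a set of requests under the epSOS policy:

```python
"""Decision-tuple semantics [[.]]_R for the slides' BNF-like XACML syntax.
Constructed illustration, not the thesis' Java PDP; the tuple encoding is my own."""

def attr_values(request, name):
    """All values bound to `name` in a request :{ (name, value) ... } (bags allowed)."""
    return [v for n, v in request if n == name]

def eval_target(target, request):
    """Targets ::= MatchId(value, name) | Targets ∧ Targets | Targets ∨ Targets;
    juxtaposed targets (subject match next to resource match) are encoded as 'and'."""
    kind = target[0]
    if kind == "string-equal":
        return target[1] in attr_values(request, target[2])
    if kind in ("and", "or"):
        return (all if kind == "and" else any)(eval_target(t, request) for t in target[1:])
    raise ValueError(f"unsupported MatchId {kind}")

def eval_condition(cond, request):
    """Only string-subset(string-bag(...), name) is needed for the epSOS policy."""
    if cond[0] == "string-subset":
        return set(cond[1]) <= set(attr_values(request, cond[2]))
    raise ValueError(f"unsupported function {cond[0]}")

def eval_rule(rule, request):
    """Rules ::= (Effect [; target] [; condition]); an evaluation error is indeterminate."""
    effect, target, cond = rule
    try:
        if target is not None and not eval_target(target, request):
            return "not-applicable"
        if cond is not None and not eval_condition(cond, request):
            return "not-applicable"
    except ValueError:
        return "indeterminate"
    return effect

def combine(alg, decisions):
    """Rule-combining algorithms of the grammar (indeterminate precedence simplified)."""
    if alg in ("permit-overrides", "deny-overrides"):
        wins, loses = ("permit", "deny") if alg == "permit-overrides" else ("deny", "permit")
        order = (wins, "indeterminate", loses)
        return next((d for d in order if d in decisions), "not-applicable")
    if alg == "first-applicable":
        return next((d for d in decisions if d != "not-applicable"), "not-applicable")
    raise ValueError(f"unsupported algorithm {alg}")

def eval_policy(policy, request):
    """policy = (Ralg, target, rules); a non-matching target makes it not-applicable."""
    alg, target, rules = policy
    if target is not None and not eval_target(target, request):
        return "not-applicable"
    return combine(alg, [eval_rule(r, request) for r in rules])

def semantics(policy, requests):
    """[[policy]]_R: the partition (R_p; R_d; R_n; R_i) of R, keyed by decision."""
    parts = {d: [] for d in ("permit", "deny", "not-applicable", "indeterminate")}
    for req in requests:
        parts[eval_policy(policy, req)].append(req)
    return parts

# The epSOS patient privacy consent policy, transcribed from the slides' syntax.
EPSOS_POLICY = ("permit-overrides",
    ("and", ("string-equal", "medical doctor", "subject.role"),
            ("string-equal", "TREATMENT", "subject.purposeofuse"),
            ("string-equal", "34133-9", "resource.resource-id")),
    [("permit", ("string-equal", "Read", "action.action-id"),
      ("string-subset", ["PRD-003", "PRD-005", "PRD-010", "PRD-016"], "subject.permission")),
     ("deny", None, None)])

# The slides' two requests plus a constructed third one: a doctor lacking PRD-016.
PERMS = [("subject.permission", p) for p in ("PRD-003", "PRD-005", "PRD-010", "PRD-016")]
COMMON = [("subject.organization", "NewYorkGH"), ("resource.resource-id", "34133-9"),
          ("action.action-id", "Read")]
DOCTOR = [("subject.role", "medical doctor"), ("subject.purposeofuse", "TREATMENT")] + PERMS + COMMON
NURSE = [("subject.role", "nurse"), ("subject.purposeofuse", "EMERGENCY"),
         ("subject.permission", "PPD-003"), ("subject.permission", "POE-007")] + COMMON
TRAINEE = [("subject.role", "medical doctor"), ("subject.purposeofuse", "TREATMENT")] + PERMS[:3] + COMMON

if __name__ == "__main__":
    parts = semantics(EPSOS_POLICY, [DOCTOR, NURSE, TRAINEE])
    print({d: len(r) for d, r in parts.items()})  # permit 1, deny 1, not-applicable 1, indeterminate 0
```

The nurse lands in R_n because the policy target itself does not match, whereas the under-privileged doctor matches the target, fails the permit rule's condition, and so falls to the unconditional deny rule.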
PDP engine implementation
We have a prototype tool that implements a XACML PDP. The implementation is driven by the formal semantics
Figure: tool chain. A .xacml file goes through the Policy compiler to a .java policy, and a .req file through the Request compiler to a .java request; the Java compiler turns them into a .class policy and a .class request, which together produce the Decision. XACML XML Policies / Requests are translated into the .xacml / .req inputs.
We have a GWT frontend that implements epSOS policies
We have a tool that translates from XACML policies to our syntax
Conclusions
We have:
introduced a methodology based on formal methods for the specification of standard based protocols for e-Health scenarios
proposed a protocol based on IHE XUA for a secure healthcare professional authentication
proposed a protocol for secure EHR exchange in (least) developing countries
proposed a formal semantics for the XACML standard
Ongoing work
We plan to enhance our XUA-based protocol by:
including the LoA and trust elevation methods in the model
studying the applicability of XML rewriting attacks, e.g., analysing already existing results with our approach
considering also social security aspects that can occur in (least) developing countries, and the applicability of the VAN protocol with low bandwidth network connections
In particular, we are currently working on:
applying our formal semantics to XACML 3.0 (draft)
studying the behavior of XACML with highly dynamical and context-sensitive policies
improving the implementation by adding CASE tools (i.e., an Eclipse plugin for our syntax)
Thank You
Relevant Publications I
M. Masi, R. Pugliese, F. Tiezzi. On Secure Implementation of an IHE XUA-Based Protocol for Authenticating Healthcare Professionals. ICISS09, Volume 5905 of LNCS, 55-70
M. Masi, R. Pugliese, F. Tiezzi. A standard-driven communication protocol for disconnected clinics in rural areas. IEEE HEALTHCOM11, 304-311
M. Masi, R. Pugliese, F. Tiezzi. e-Health for Rural Areas in Developing Countries: Lessons from the Sebokeng Experience. AFRICOMM11, Volume 92 of LNICST
Relevant Publications II
M. Masi, R. Maurer. On the usage of SAML delegate assertions in a healthcare scenario with federated communities. eHealth 2010, Volume 69 of LNICST, 212-220
S. Bittins, M. Masi. Cross Community Fetch. IHE IT Infrastructure Technical Framework, supplement for trial implementation
M. Masi, R. Pugliese, F. Tiezzi. Security Analysis of Standards-Driven Communication Protocols for Healthcare Scenarios. Journal of Medical Systems, 2012
M. Masi, R. Pugliese, F. Tiezzi. Formalisation and Implementation of the XACML Access Control Mechanism. ESSoS 2012, Volume 7159 of LNCS, 60-74
For further readings I
R. Grams. The Obama EHR Experiment. Journal of Medical Systems, Volume 36, Number 2 (2012), 951-956