20160113 - Meeting minutes, Wednesday January 13th 2016 - OpenNCP Specifications and Implementations Deviations

Estimated - 11:00 to 12:00 CET.

Performed - 11:00 to 12:20 CET.

Agenda

  1. Housekeeping:
  2. Deviations and relaxations discussion:
  3. AOB:
  4. Next meeting:

Location

Room Passcode:  (Ask if necessary)


Participants

Today's Meeting Participants:

Joao Cunha

Kostas Karkaletsis

Massimiliano Masi

S

Meeting Notes

  1. Housekeeping:
    On this page we will identify the deviations and relaxations between the epSOS specifications and the OpenNCP implementation. The following list is meant for discussion within the task force (the numbers at the end of each finding are references to the documentation list below).

  2. Deviations and relaxations implemented:
    1. Relaxations can be applied to PPT but not OP (not a relaxation, just a statement) 1
      Massimiliano Masi Just a statement to PPT.

    2. SHA-1 can be used instead of SHA-2 in certificates 2:
      Massimiliano Masi Today SHA-2 is the one used; the signature must be SHA-2 because of the deprecation of SHA-1.
      Kostas Karkaletsis Ask whether it's a relaxation or a recommendation.
      Massimiliano Masi One missing component for certificate signature validation.
    3. Some PN were also unable to obtain a compliant set of certificates from a Trusted Third Party provider due to organisational constraints (CAs are not required to be authorized by the national authorities listed on the European TSL list.) 2, 7, 8
      Massimiliano Masi Same as point 2 about the signature. PNs get their certificates from their own certificate authorities. The epSOS trust list has been built from a legal agreement.
      S Ask about the PKI model but this is linked to the use of Building blocks (CEF).

    4. The previous relaxation has caused NCP operators / TSLSync to import certificates from the central services without validity/revocation checks. 7, 8
      Massimiliano Masi and Kostas Karkaletsis Related to section 2. The same class that checks the certificate profiles also checks the validity of the certificates to be imported.

    5. Lack of VPN connection between central services and NCPs: planned but never implemented 9
      Massimiliano Masi Behind SMP task force.
      Joao Cunha VPN connection between CS is not mandatory, not sure if it should be applied to the current TSL.

    6. OpenNCPs are not ATNA Secure Nodes 9

      1. No SyncApp, therefore no way to synchronize, e.g., search masks: manual configuration needed:
        Massimiliano Masi NCP ATNA-compliant component: definition of secure node and application, available only through an ATNA secure transaction. The NCP as a gateway, not available to users, is not using ATNA Secure Node.
        The SyncApp is not present anymore.
        Kostas Karkaletsis Does the VPN need root access?
        Massimiliano Masi We need to think about root access for the VPN configuration and bootstrap.
        @João Cunha How does a new country join an existing OpenNCP network?
        Massimiliano Masi Not sure, but Italy is using a script to configure it (script executed by root).
        Kostas Karkaletsis Ask whether the use of a web interface is possible.
        Massimiliano Masi The SyncApp is fetching data and sending audits. Creating a webapp could be the best way to do the configuration etc.
        SMP/SML will replace the public area and not the private.
      2. TSL-Sync WAR has a scheduler. The JAR version doesn't (has to be run with, e.g., cron):
        Massimiliano Masi Same discussion as the syncapp.
        Kostas Karkaletsis A control panel to manage all these configurations.
    7. TSL-file is being signed by a non-TL certificate (NCP signature certificate) 9
      Massimiliano Masi Signing with the NCP signature certificate is not correct; not a software problem but an organisational problem; the signature must be checked as explained in point 2.
      Kostas Karkaletsis 3.4 or 3.A certificate process (check).

    8. Certain certificates can be merged/combined. Instead of 5 certificates an NCP can use only 3. 7, 8 (to be confirmed):
      Massimiliano Masi Same as 7. Waiting for info from Stéphane Spahni.

    9. Some certificate attribute deviations by some countries (e.g. France) 7, 8 (to be confirmed)
      Massimiliano Masi Same as 7. Waiting for info from Stéphane Spahni.

    10. No proper signature verification of NSL lists (TSL-Sync doesn't verify the TSL file) 7, 8
      Massimiliano Masi Same as 7. Not a software topic. Waiting for info from Stéphane Spahni.

    11. NCP 2 NCP messages are not signed (signatures are only applied to the assertions) 7, 8, 3 - section 5.5.2
      Massimiliano Masi How the epSOS message is protected (VPN network layer, TLS identification of the endpoint): the assertion supports the evaluation of the message. What is missing is the protection token of the message. Now, in 2016, something must be done; ask the TC for per-message signature or secure conversation? (important) The suggestion is to learn from TB and use per-message signing. It may create performance issues.

    12. Current architecture doesn't respect differentiation between Trust Zones

      Massimiliano Masi OpenNCP implements a security relaxation.
      Kostas Karkaletsis Different trust zones between the Portal and NCP-B. The NCP client connector provides web services in the same TZ.
      1. Portal and NCP-A/B are in the same TZ
        Massimiliano Masi There must be a decoupling between the NCP and the Portal. User session: the NCP must have its own trust broker. The session must be handled by the workflow manager: the client's own session and the NCP epSOS session. SAML assertions.
        Kostas Karkaletsis NCP-B provides the client connector and waits for the XCPD request; epSOS issue: how is it created?
        Massimiliano Masi Not an issue; cannot inject the identity assertion created by the portal. The relaxation was to use the portal because there is no spec that defines a portal (NI).
        Massimiliano Masi will write and Joao Cunha will review schema or sample about this.
      2. Portal (which should be in TZ3) issues the IdA (a TZ2 artifact) instead of a dedicated NCP-B STS in TZ2. TRC-STS (which should be in TZ3) issues the TRCA (a TZ3 artifact) and stores it in the Portal.
      3. NCP-A STS (that validates the IdA and the TRC) should be part of NCP-A in TZ2. TRC Validator should be in TZ3 (is this correct?? It's not specified by epSOS). Clarify which standards to use in each operation (WS-Trust, SAMLv2 HTTP-POST Web Browser SSO). (It is not clear what this means. The TRC is validated by the NCP-A and then forwarded to the NI-A. The portal is not specified by epSOS, thus the SAMLv2 HTTP-POST is coming from the Tiani implementation.) Section 5.
        Massimiliano Masi Behind the eID TF; the standards discussion should be postponed and discussed in relation to SMP. Which standard to use to get the SAML assertion (keep in mind).
        Joao Cunha e-SENS BB back-end integration could be used for this task.
    13. ATNA log files format: epSOS log files were based on RFC 3881, which was deprecated by IHE and IETF. Audit log is now based on DICOM audit schema, which OpenNCP doesn't support. 5 (not sure if this fits in this list)
      This is not a security relaxation. Related to the audit trail, not to the secure node.

    14. No separate secure storage for audit trails 6 - section 6.8.1 (to be confirmed)
      D3.A.7 epSOS EED AuditTrail states in Appendix A: "One should not constrain where audit data is stored as long as the defined security requirements are followed.", with the subsequent change made: "Requirement for storing audit data outside the NCP was dropped."
      Massimiliano Masi Audit trails and non-repudiation: a long story. The definition of storage has never been worked out. I would ask either someone from SANTE or e-SENS for a study about the storage of the evidence. Next bi-weekly.

    15. Non-repudiation: No signed Acknowledge for every received message 6 - section 7.8.1 (to be confirmed) (Is this somehow related to #11?)
      This is ETSI REM.

    16. No WorkflowManager: Liferay Portal implements business logic.
      Massimiliano Masi Same as point m).

    17. IdA: XSPA role "medical doctor" is not among the list of possible values in D3.A.7 epSOS EED SAML Binding v1.1 - 2.3, but it's used in the sample assertion (not sure if this is a relaxation, it's just something I noticed)
      Joao Cunha Is it an issue? Next bi-weekly: Markus.

    18. TSL-Editor creates TSL files with fields marked in the specification as "MUST NOT be used for epSOS".
      Massimiliano Masi It's a bug. Try to find out the list.

    19. Somehow related to #16. Liferay bus implements the business logic which has never been specified by epSOS. The portal MUST NOT be required to run the OpenNCP gateway. The IdA MUST NOT be used by the portal, but the Workflow manager MUST inject the credentials from the NI (e.g., the portal, or the hospital) to respect the framework agreement. The trust model is based on brokered trust which is implemented by the NCP-B STS (which is not implemented). Portals and hospitals MUST use the workflow manager to connect (not just APIs, but a living component).
      Massimiliano Masi If NCP-A accepts assertions generated by the client and not by NCP-B, it doesn't respect the framework agreement.

    20. EPSOS_PROP is an environment variable which should not be used (https://www.securecoding.cert.org/confluence/display/java/ENV02-J.+Do+not+trust+the+values+of+environment+variables). Actually it was done to interoperate amongst the common components. Attackers can easily poison environment variables. In general, how is secure coding done?
      Massimiliano Masi A shortcut to use and configure all components; discuss in the TC and STF how to replace or change it.

    21. No Application server environment:
      As an infrastructure portal, Liferay Portal can support over 3,300 concurrent users on a single server with mean login times under half a second and a maximum throughput of 79+ logins per second. The OpenNCP portal has significant degradations after 40 concurrent logins (true?). Since the same components are used by the gateway (high coupling), OpenNCP is not designed for huge data transfers. This will result in DoS attacks.
      Massimiliano Masi Load test results.

    22. Missing Access Control context:
      Kostas Karkaletsis Inspect the code of Policy Manager component.

  3. AOB:
    In general, I would appreciate starting with decoupling the NCP from the portal and creating the workflow manager and the STS. This will be a significant improvement on the above-mentioned relaxations and the security issues highlighted by the Security TF.

    Documentation:

    1. D3.A.7 – epSOS EED X.509 Certificate Profiles
    2. D3.A.7 – epSOS EED Cryptographic Algorithms
    3. D3.A.7 - epSOS EED Messaging Binding v1.0
    4. D3.A.7 - epSOS EED SAML Binding v1.1
    5. IHE ITI - Add RESTful Query to ATNA
    6. D3.7.2 - Section II - epSOS Security Services
    7. D3.10.1 - App.7 - epSOS Security Deviations Fact Sheet
    8. OpenNCP and central services PKI
    9. eHealth cross border central services status quo and outlook v0.4
    10. D3.A.7 - epSOS EED AuditTrail
  4. Next meeting:
    Adhoc meeting if necessary.
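Items 2, 4 and 10 of the deviations list above concern certificates being imported from the central services (by TSLSync) without checks on their signature algorithm, validity period or revocation status. The following Java class is an added example written for these minutes; it is not OpenNCP or TSL-Sync code. The class and method names, and the policy it enforces (reject SHA-1/MD5-signed certificates, require a currently valid certificate that chains to a configured trust anchor with a successful revocation check), are assumptions made here for illustration.

```java
import java.security.GeneralSecurityException;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Date;
import java.util.Locale;
import java.util.Set;

/**
 * Pre-import gate for certificates fetched from the central services.
 * Hypothetical example: the class and method names are not OpenNCP's.
 */
public final class CertificateImportGate {

    private CertificateImportGate() {}

    /** True when the certificate signature uses a hash from the SHA-1 or MD family. */
    public static boolean usesWeakSignatureHash(X509Certificate cert) {
        // getSigAlgName() returns names such as "SHA256withRSA" or "SHA1withRSA".
        String alg = cert.getSigAlgName().toUpperCase(Locale.ROOT);
        return alg.startsWith("SHA1") || alg.startsWith("MD5") || alg.startsWith("MD2");
    }

    /**
     * Rejects the certificate unless it is signed with a SHA-2 family algorithm,
     * is valid today, and chains to one of the given trust anchors with a
     * successful revocation check. Every failure is an exception, so a caller
     * cannot fall through and import the certificate by accident.
     */
    public static X509Certificate check(X509Certificate cert, Set<TrustAnchor> anchors)
            throws GeneralSecurityException {
        if (usesWeakSignatureHash(cert)) {
            throw new SecurityException("weak signature algorithm: " + cert.getSigAlgName());
        }
        // Throws CertificateExpiredException or CertificateNotYetValidException.
        cert.checkValidity(new Date());

        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath path = cf.generateCertPath(Collections.singletonList(cert));

        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        PKIXParameters params = new PKIXParameters(anchors);
        // Revocation checking through the JDK's PKIXRevocationChecker, which by
        // default tries OCSP and falls back to CRLs, instead of importing blindly.
        PKIXRevocationChecker revocation = (PKIXRevocationChecker) validator.getRevocationChecker();
        params.addCertPathChecker(revocation);

        // Throws CertPathValidatorException when the chain or the revocation check fails.
        validator.validate(path, params);
        return cert;
    }
}
```

The trust anchors passed in would be the PKI roots the NCP operator has agreed to (the legal agreement behind the epSOS trust list mentioned under point 3), not whatever the downloaded list itself carries. For certificates issued through intermediate CAs, the whole chain has to be given to `generateCertPath`, and the revocation checker needs network access to the OCSP responder or CRL distribution point named in the certificate; if that access is unavailable, the import should fail closed rather than be skipped.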
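Item 20 of the deviations list notes that the configuration location is taken from the EPSOS_PROP environment variable, which whoever controls the process environment can poison (the CERT rule ENV02-J linked there). The following Java class is an added example, not OpenNCP code; the system property name `epsos.config.dir`, the allow-listed base directories and the class name are assumptions. It shows the usual mitigations: prefer an explicit JVM option over the environment, treat any environment value as untrusted input, canonicalise the path, require it to lie under an allow-listed directory, and reject a directory that other local users could write to.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.util.Arrays;
import java.util.List;
import java.util.Set;

/**
 * Resolves the configuration directory without trusting EPSOS_PROP blindly.
 * Hypothetical example: the property name, paths and class name are not OpenNCP's.
 */
public final class ConfigDirResolver {

    /** Explicit JVM option (-Depsos.config.dir=...) takes precedence over the environment. */
    static final String SYSTEM_PROPERTY = "epsos.config.dir";
    static final String ENV_VARIABLE = "EPSOS_PROP";

    /** Only directories below these bases are accepted (constructed allow-list). */
    static final List<Path> ALLOWED_BASES = Arrays.asList(
            Paths.get("/opt/openncp-configuration"),
            Paths.get("/etc/openncp"));

    private ConfigDirResolver() {}

    public static Path resolve() throws IOException {
        String raw = System.getProperty(SYSTEM_PROPERTY);
        if (raw == null || raw.isEmpty()) {
            // Legacy fallback: the environment belongs to whoever started the JVM,
            // so the value is validated like any other untrusted input.
            raw = System.getenv(ENV_VARIABLE);
        }
        if (raw == null || raw.isEmpty()) {
            throw new IllegalStateException("no configuration directory configured");
        }
        return validate(Paths.get(raw));
    }

    /** Canonicalises the candidate and enforces the location and permission rules. */
    static Path validate(Path candidate) throws IOException {
        // toRealPath() resolves symlinks and ".." and fails if the path does not exist.
        Path real = candidate.toRealPath();

        boolean allowed = false;
        for (Path base : ALLOWED_BASES) {
            if (real.startsWith(base)) {
                allowed = true;
                break;
            }
        }
        if (!allowed) {
            throw new SecurityException("configuration directory outside allowed locations: " + real);
        }
        if (!Files.isDirectory(real, LinkOption.NOFOLLOW_LINKS)) {
            throw new SecurityException("not a directory: " + real);
        }
        // A directory writable by group or others lets any local user replace the
        // files (keystore paths, endpoint URLs) that the NCP later loads from it.
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(real);
        if (perms.contains(PosixFilePermission.GROUP_WRITE)
                || perms.contains(PosixFilePermission.OTHERS_WRITE)) {
            throw new SecurityException("configuration directory is group/world writable: " + real);
        }
        return real;
    }
}
```

The permission check relies on `Files.getPosixFilePermissions`, which throws `UnsupportedOperationException` on file systems without POSIX attributes, so a Windows deployment would need an ACL-based equivalent. The allow-list entries should themselves be canonical paths, since the comparison is done against the resolved real path.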