Alejandro M. Medrano Gil edited this page May 4, 2017 · 2 revisions

Introduction

The universAAL platform offers a variety of security functionalities as part of the various layers of the platform, partly relying on existing security features provided by the underlying systems. This section provides a brief overview of some of these functionalities.

Platform layers and security

Security for the universAAL platform is realized at a number of different layers:

  • universAAL security platform services:
    Platform services for security provide the basic security for the universAAL platform such as user authentication, authorization, secure communication, and functional manifests.
  • universAAL security application services:
    Application services for security provide value added security to the universAAL platform such as document encryption and consent management.
  • Container security:
    Container-specific security features, e.g. provided by OSGi or Android. OSGi security contributes to the security of the universAAL infrastructure such as OSGi service bundle signing, bundle permission management, and sandboxing. OSGi security also supports some of the security platform services such as secure communication.
  • Java security:
    Java security provides the Java security model such as the Java sandbox and basic security primitives. The latter is further enhanced with third party cryptographic libraries.
  • Device and operating system security (out of scope):
    Device and operating system security provides a secure environment for computing and data storage by ensuring a trustworthy execution environment, separation of applications and user accounts, etc.
Devices and operating systems are not part of the universAAL platform and are outside the scope of this document. Deploying parties are expected to apply prudent practices when deploying universAAL software on devices such as PCs, smartphones, servers, etc. universAAL as a project contributes to the above layers in different ways, consistent with the position in the software development lifecycle associated with each layer: for platform and application services universAAL provides the software implementation; for OSGi and Java security it makes use of and packages the provided functionality. For all layers, security also depends on configuration. The platform provides defaults and examples for these configurations to support deploying parties when they take over these responsibilities in their deployments.

Security functionality

This section outlines how universAAL addresses security requirements and thereby protects the security and privacy interests of its stakeholders, in particular the assisted persons it wants to service. The focus hereby is on the first two elements of the CIA security principle: confidentiality and integrity.

User authentication and authorization

Authentication of users protects the interests of those users as it ensures that only users themselves can access their data and engage in transactions with services. It is also an essential aspect for services to have a sustainable business model.

The universAAL platform supports authentication of end-users (assisted persons and their family) on their devices in order to use application services. For this purpose universAAL includes a number of components. The most visible part is the UI (user interaction) component(s) which allow users to enter their login credentials: a username/password form for PCs or a PIN entry form for smartphones. The authentication service validates the entered credentials against the user credentials held in the user's security subprofile, which is stored in the local profile service named Context History Entrepot (CHE). All these functions run in the user's local uSpace, and the result is an authenticated user session. universAAL supports two types of authenticated user sessions. In a (classic) device-bound session, the session is valid for a certain set of devices. In a location-bound session, the session is valid for the location where the user is, and therefore for the devices at that location.

The authenticated user session is made available across the service bus, which means that all services that together realize a certain application know who the authenticated user is. The local profile service also stores credentials for external services such as uStore in order to provide seamless integration. For initialization, maintenance, and support by e.g. technicians, the platform provides a profile editor. To protect the user's password during exchange (e.g. over the service bus) and in storage, a cryptographic digest of the password is used rather than the password itself.

The authenticated user session enables application services to make authorization decisions. For this purpose, a service checks the authenticated user against its own service access policy or against the access policy of an affected user as represented in that user's profile. This makes it possible, for example, to give family members controlled access to the calendar of an assisted person.

For specific (healthcare) cases the platform offers an additional application service for consent management, which enables the capture and evaluation of consent policies from assisted persons. Services may invoke this service as part of their authorization decision process.
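The authentication and authorization flow described above, as an added illustration that is not universAAL code: a salted password digest is checked against a constructed in-memory stand-in for the CHE profile store, the result is either a device-bound or a location-bound session, and a service then authorizes a request against the affected user's access policy. All names here (PROFILES, DEVICE_LOCATION, authenticate, authorized) are assumptions of this example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import FrozenSet, Optional

def _digest(password: str, salt: bytes) -> bytes:
    """Slow salted digest; only this, never the password, is stored or exchanged."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_credential(password: str):
    salt = os.urandom(16)
    return (salt, _digest(password, salt))

# Constructed stand-in for the CHE: per user, the security subprofile (credential)
# and an access policy mapping a resource to the users allowed to reach it.
PROFILES = {
    "alice": {"credential": make_credential("correct horse"),
              "access_policy": {"calendar": {"bob"}}},      # bob: family member
    "bob":   {"credential": make_credential("1234"),          # PIN on a smartphone
              "access_policy": {}},
}
DEVICE_LOCATION = {"tv-livingroom": "livingroom", "tablet": "bedroom"}  # constructed

@dataclass(frozen=True)
class Session:
    user: str
    devices: FrozenSet[str] = frozenset()   # device-bound: valid on these devices
    location: Optional[str] = None          # location-bound: valid at this location

def authenticate(user, password, *, devices=(), location=None) -> Optional[Session]:
    """Validate credentials against the profile store; None on failure."""
    profile = PROFILES.get(user)
    if profile is None:
        return None
    salt, stored = profile["credential"]
    if not hmac.compare_digest(_digest(password, salt), stored):
        return None
    return Session(user, frozenset(devices), location)

def session_valid_on(session: Session, device: str) -> bool:
    """A location-bound session covers every device at that location."""
    if session.location is not None:
        return DEVICE_LOCATION.get(device) == session.location
    return device in session.devices

def authorized(session: Session, device: str, owner: str, resource: str) -> bool:
    """Owner always allowed; others only per the owner's access policy."""
    if not session_valid_on(session, device):
        return False
    if session.user == owner:
        return True
    return session.user in PROFILES[owner]["access_policy"].get(resource, set())
```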

Communication security

Communication security is an important aspect for the universAAL platform, as applications are composed of multiple collaborating distributed services with sensitive data being exchanged over a service bus. The universAAL platform offers encryption for secure service-to-service communication and node authentication. To make this work, services are grouped in uSpaces, with each service provisioned with keys that allow secure communication with the other services in the group.

universAAL platform services may also communicate with other (non-universAAL) entities such as online services. The universAAL remote interoperability functionality covers authentication and encryption for these cases. Where it is not used, secure communication should preferably rely on the TLS protocol with certificate-based server authentication.

Data protection

universAAL application services deal with privacy-sensitive data about the assisted persons. The platform protects this data in a number of ways against outsiders and other end-users. Concentrating the storage of this information in the profile service (i.e. CHE) is one of the (architectural) measures contributing to security. The storage security of this profile service depends on the device and operating system it runs on (see the security considerations for deploying parties below). Because the profile service will only communicate securely and exchange data with other trusted services, the data remains protected. Services apply user authentication and access (authorization) control before using data or sharing it with other parties. Together these measures realize the required level of data protection.

For specific cases the platform additionally provides the document encryption service, which allows the encryption and decryption of data. This functionality may be used for internal platform purposes, but especially to interoperate securely with external services; this is possible because it is based on an international standard (IHE DEN), which in turn builds on proven security and cryptographic techniques.

Software authentication and integrity

universAAL platform software and services must be trusted. This is primarily realized through the trusted source principle. The platform software is installed by a trusted technician on the user devices, where the technician obtains the software from a trusted source such as a protected website, DVD, etc. For universAAL services the same principle applies: application services may only be downloaded from a preconfigured uStore, in combination with authenticated and secure communication between the destination device and uStore. Integrity of and trust in uStore application services is based on a certification scheme for uStore apps enforced by the uStore service. At a technical level, security may be enforced as part of the OSGi-based service life-cycle. The combination of these measures prevents malicious, unauthorized or untrusted software from running on the user's devices.

Host security and service isolation

Host security and service isolation aim to protect the host device, application services and their data from malicious (downloaded) code and services. A combination of measures in the universAAL platform protects against this. The universAAL platform allows OSGi services to be isolated from each other and from the host platform through manifest files controlling the service permissions. At space level, the functional manifests extend the underlying OSGi-based service life-cycle mechanism. Similarly, the Java VM sandbox may be controlled by defining a security policy for it. Besides these explicit functions, the software authentication and integrity measures described above also address this requirement. Although outside the scope of the universAAL platform, device and operating system configuration also contributes strongly to this.
