Digital Signatures


 * **Running History of This Issue** Please click on this link to see a living document showing the history of the thinking on this topic. This page will be updated with core research findings until this overall task (updating XML-DSig recommendations, if needed) is complete.

**Open Issues/Questions:**
 * **Digital Signatures: Open Issues and Questions** Click the link to the left for a list of open issues/questions, related research, and resolutions for these issues.

**Specification Updates:**
|| **Specification** || **Status** || **Draft Versions** || **Discussion** ||
|| Authorization Framework || In Progress || [|NHIN Authorization Framework Production Specification v2_0_0.1.doc] (6/4/2010) || ||
|| Messaging Platform || In Progress || || ||

**References:** Sources of early requirements for the Nationwide Health Information Network:
 * [|NCVHS Recommendations Regarding Privacy and Confidentiality in the Nationwide Health Information Network (June 22, 2006)]
 * [|NCVHS Functional Requirements Needed for the Initial Definition of a Nationwide Health Information Network (October 30, 2006)]
 * [|Summary of the Nationwide Health Information Network Prototype Architecture (May 2007 Gartner Report)]

**Summary of Proposed Changes Related to Digital Signatures (Work in Progress)**

**Authors:** Tom Davidson, Eric Heflin

**Status:** Research phase. The text below is expected to change before the Security and Privacy Team issues a final recommendation to the Nationwide Health Information Network Exchange Specification Factory.

**Purpose:** The purpose of this Wiki page is to document the analysis conducted by the Nationwide Health Information Network Specification Factory's Security and Privacy Subteam regarding the appropriateness (adequacy, necessity, and correctness) of the current Nationwide Health Information Network specifications with respect to their use of XML Digital Signature (XML-DSig) on SOAP messages sent over 2-way SSL as part of the Nationwide Health Information Network Exchange. It is not intended to be a comprehensive review of the Nationwide Health Information Network security model.

The Nationwide Health Information Network Security and Privacy Subteam has proposed an update to version 2.0 of the Messaging Platform Specification and version 2.0 of the Authorization Framework to address the problem described below.

**Problem Description:** The Nationwide Health Information Network has received an increasing number of comments from implementers reacting to the complexity of various components of the NHIN specifications. One such area of complexity is the use of digital signatures specified in the Messaging Platform and Authorization Framework specifications. In light of the other security measures included in the Messaging Platform, there is some question as to whether these digital signatures offer sufficient benefit to justify the difficulty of implementing them.

**Current State and Specification Overview:** The Messaging Platform specifies a core set of messaging standards and web service protocols which must be implemented by each Nationwide Health Information Network gateway and which apply to all transactions. All Nationwide Health Information Network inter-gateway messages are XML SOAP messages sent over HTTP as web service calls, protected by 2-way SSL (mutually authenticated TLS).

The Authorization Framework defines the exchange of metadata used to characterize each Nationwide Health Information Network request. The purpose of that exchange is to provide the responder with the information needed to make an authorization decision for the requested function. Each initiating message must convey information regarding end user attributes and authentication using SAML 2.0 assertions.

Nationwide Health Information Network messages, as specified in the Jan 2010 Nationwide Health Information Network Limited Production Specifications set, currently specify the use of two XML-Digital Signatures (XML-DSig) within the SOAP Header:
 * Of the Timestamp element
 * Of the SAML Assertion element

The SOAP body itself is neither digitally signed nor encrypted, but the entire SOAP message is secured in transport via 2-way SSL, which requires that each party in the transaction (the initiating and the responding Nationwide Health Information Network Gateways) mutually validate the authenticity of the other party using Public Key Infrastructure (PKI) methods. Thus the secure channel, not any signature on the message, is what provides assurance of message authenticity, integrity, and confidentiality, and it does so only between the two gateways and only while the message is in transit.

**Analysis and Recommendation**

//Why is the time stamp element being signed with XML-DSig?// Time stamping is one of the widely accepted methods of detecting a message replay attack. Signing the Timestamp element with XML-DSig gives the receiver a high degree of confidence that the Created and Expires values are the ones the asserting party produced and have not been altered since; a timestamp that can be rewritten (for example, by extending Expires) gives no replay protection at all.

//Why is the SAML Assertion element being signed with XML-DSig?// XML-DSig is used to ensure the authenticity and integrity of this element, which receiving systems are expected to use to make important access control decisions. The SAML 2.0 core specification itself makes signing an assertion optional; whether a signature is required depends on the profile under which the assertion is carried, such as the WS-Security SAML Token Profile.

Update: The text below is likely to change. Some of the latest research indicates that other specifications may require SAML Assertions to be signed.

The use of XML-DSig is not required by SAML for the sender-vouches and holder-of-key subject confirmation methods in this deployment, since the channel is encrypted and mutually authenticated (but see the update above). Replay protection is currently provided twice, by the signed Timestamp and by the 2-way SSL channel. The existing digital signatures therefore do not significantly increase message security given the following assumptions:


 * 1) Nationwide Health Information Network Exchange messages are transmitted over the public (insecure) Internet inside a secure 2-way SSL channel. The authenticity of the end points is assured to a high degree of confidence by the PKI involved: a Nationwide Health Information Network controlled Certification Authority issues the X.509 certificates, public keys and service end points are obtained from the Nationwide Health Information Network controlled UDDI registry, and certificate revocation is checked frequently via OCSP or CRL.
 * 2) The scope of Nationwide Health Information Network Exchange messaging is limited to gateway-to-gateway transactions.
 * 3) The Nationwide Health Information Network intends non-repudiation for the provider signature of the clinical content (as per HITSP C26). Since XML-DSig of the Timestamp or SAML Assertion elements does not provide non-repudiation of the clinical content, it is not relevant for this purpose.
 * 4) Nationwide Health Information Network Exchange Gateways are recommended to implement well-known security best practices such as keeping systems updated and properly configured.

Since the SOAP body is unsigned, from a purely SOAP-messaging perspective the authenticity, integrity, and confidentiality of the SOAP Body cannot be guaranteed by the message itself. That is, in theory, an attacker or errant process with access to the message outside the SSL channel (at either gateway, before the channel is applied or after it is stripped) could modify the SOAP body, which contains clinical and patient data, and such a modification would not be detectable by examining the SOAP message alone.
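The following Python script is an added illustration of the two points above (the Timestamp and Assertion signatures, and the unsigned Body); it is not code from the original page or from any NHIN implementation. It builds a constructed SOAP envelope, adds a detached ds:Signature in the wsse:Security header whose References cover only the Timestamp and the Assertion, and then shows that rewriting the Body leaves the signature valid while rewriting the Timestamp's Expires breaks it; a freshness check on the Timestamp shows why that element needs integrity protection if it is to detect replays. Everything beyond the structure described on this page is an assumption made for the demo: HMAC-SHA256 as the XML-DSig SignatureMethod with a shared key (NHIN gateways sign with RSA keys bound to NHIN-CA-issued X.509 certificates), C14N 2.0 from the Python standard library in place of Exclusive C14N 1.0, the Assertion referenced directly by its ID rather than through a SecurityTokenReference, and the element names and identifiers (Query, TS-1, A-1) and the Issuer value, which are made up.

```python
"""Added example: what a WS-Security XML-DSig over Timestamp and SAML Assertion covers.
All names, IDs, the key and the HMAC signature method are constructed for the demo."""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

SOAP = "http://www.w3.org/2003/05/soap-envelope"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
for prefix, uri in [("soap", SOAP), ("wsse", WSSE), ("wsu", WSU), ("saml", SAML), ("ds", DS)]:
    ET.register_namespace(prefix, uri)

KEY = b"constructed-demo-key"  # assumption: shared HMAC key standing in for the gateway's RSA key


def c14n(elem):
    """Canonical bytes of one element (C14N 2.0; WS-Security uses Exclusive C14N 1.0)."""
    return ET.canonicalize(ET.tostring(elem, encoding="unicode"), rewrite_prefixes=True).encode()


def digest(elem):
    return base64.b64encode(hashlib.sha256(c14n(elem)).digest()).decode()


def find_by_id(root, ident):
    """Resolve a Reference URI fragment to the element carrying that wsu:Id or ID."""
    for el in root.iter():
        if el.get(f"{{{WSU}}}Id") == ident or el.get("ID") == ident:
            return el
    raise KeyError(ident)


def build_envelope(created, expires, query_text):
    """Constructed envelope: Security header with Timestamp and Assertion, unsigned Body."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    sec = ET.SubElement(ET.SubElement(env, f"{{{SOAP}}}Header"), f"{{{WSSE}}}Security")
    ts = ET.SubElement(sec, f"{{{WSU}}}Timestamp", {f"{{{WSU}}}Id": "TS-1"})
    ET.SubElement(ts, f"{{{WSU}}}Created").text = created
    ET.SubElement(ts, f"{{{WSU}}}Expires").text = expires
    assertion = ET.SubElement(sec, f"{{{SAML}}}Assertion", {"ID": "A-1", "Version": "2.0"})
    ET.SubElement(assertion, f"{{{SAML}}}Issuer").text = "urn:example:initiating-gateway"
    ET.SubElement(ET.SubElement(env, f"{{{SOAP}}}Body"), "Query").text = query_text
    return env


def sign(env, ids):
    """Add a detached ds:Signature whose References cover exactly the elements in `ids`."""
    sec = env.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security")
    sig = ET.SubElement(sec, f"{{{DS}}}Signature")
    si = ET.SubElement(sig, f"{{{DS}}}SignedInfo")
    ET.SubElement(si, f"{{{DS}}}CanonicalizationMethod", Algorithm="http://www.w3.org/2006/12/xml-c14n2")
    ET.SubElement(si, f"{{{DS}}}SignatureMethod", Algorithm="http://www.w3.org/2001/04/xmldsig-more#hmac-sha256")
    for ident in ids:
        ref = ET.SubElement(si, f"{{{DS}}}Reference", URI="#" + ident)
        ET.SubElement(ref, f"{{{DS}}}DigestMethod", Algorithm="http://www.w3.org/2001/04/xmlenc#sha256")
        ET.SubElement(ref, f"{{{DS}}}DigestValue").text = digest(find_by_id(env, ident))
    mac = hmac.new(KEY, c14n(si), hashlib.sha256).digest()
    ET.SubElement(sig, f"{{{DS}}}SignatureValue").text = base64.b64encode(mac).decode()
    return ET.tostring(env, encoding="unicode")


def verify(xml_text):
    """Return (valid, covered_ids). Anything not in covered_ids is outside the signature."""
    env = ET.fromstring(xml_text)
    sig = env.find(f".//{{{DS}}}Signature")
    si = sig.find(f"{{{DS}}}SignedInfo")
    covered = []
    for ref in si.findall(f"{{{DS}}}Reference"):
        ident = ref.get("URI")[1:]
        if digest(find_by_id(env, ident)) != ref.findtext(f"{{{DS}}}DigestValue"):
            return False, covered
        covered.append(ident)
    expected = hmac.new(KEY, c14n(si), hashlib.sha256).digest()
    actual = base64.b64decode(sig.findtext(f"{{{DS}}}SignatureValue"))
    return hmac.compare_digest(expected, actual), covered


def tamper(xml_text, tag, new_text):
    """Simulate an attacker or errant process rewriting one element's text."""
    env = ET.fromstring(xml_text)
    env.find(f".//{tag}").text = new_text
    return ET.tostring(env, encoding="unicode")


def parse_utc(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def is_fresh(xml_text, now, skew=timedelta(minutes=5)):
    """Replay check on the Timestamp; only meaningful if the Timestamp is integrity-protected."""
    ts = ET.fromstring(xml_text).find(f".//{{{WSU}}}Timestamp")
    created = parse_utc(ts.findtext(f"{{{WSU}}}Created"))
    expires = parse_utc(ts.findtext(f"{{{WSU}}}Expires"))
    return created - skew <= now <= expires + skew


if __name__ == "__main__":
    env = build_envelope("2010-06-04T12:00:00Z", "2010-06-04T12:05:00Z", "patient lookup")
    signed = sign(env, ["TS-1", "A-1"])
    print("intact:         ", verify(signed))
    print("body changed:   ", verify(tamper(signed, "Query", "different patient")))
    print("expires changed:", verify(tamper(signed, f"{{{WSU}}}Expires", "2030-01-01T00:00:00Z")))
```

The verifier deliberately reports which IDs the signature covered rather than a bare true/false: a receiving gateway that only checks the boolean would accept a message whose Body has been rewritten, which is exactly the gap the paragraph above describes. Swapping the HMAC for an RSA signature over the same SignedInfo changes nothing about that coverage.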

Nationwide Health Information Network nodes must only be allowed to exchange with other Nationwide Health Information Network nodes, and must be configured and maintained using IT best practices (patching, perimeter replay-attack response, TLS re-negotiation handling, etc.).

**For a more detailed analysis of related threats, please see the Digital Signature Threat Analysis page.**

Update: The text below is likely to change.

**Proposed Changes**
 * 1) Update version 2.0 of the Nationwide Health Information Network Messaging Platform Specification to remove the use of XML-DSig on the Timestamp element of the SOAP message.
 * 2) Make the use of XML-DSig on the SAML header optional for the initiating gateway.
 * 3) Possibly make the use of XML-DSig on the SAML header optional for the responding gateway.
 * 4) Phase in the new approach by recommending it for all new implementation work and deprecating the current XML-DSig approach within an NTC-specified sunset period.
 * 5) Ask that the ONC/Nationwide Health Information Network policy issues identified by the Nationwide Health Information Network Spec Factory Security team on a separate Digital Signature ONC Policy Issues page be clarified by the appropriate body.
 * 6) Document the assumptions (the sending gateway would be the entity potentially signing the SAML header, 2-way SSL, holder-of-key and sender-vouches methods, logging, etc.).

**Implications of Proposed Changes**
 * 1) Easier implementation and testing of the Nationwide Health Information Network 2010 specifications.
 * 2) Removal of redundant security mechanisms for Nationwide Health Information Network exchange transactions.
 * 3) Confidentiality and integrity of a message are achieved only via 2-way SSL, and attribution of origin rests on 2-way SSL peer authentication, Nationwide Health Information Network policy, and ATNA audit logs. Note that 2-way SSL authenticates the peer for the life of a connection but does not yield a durable, third-party-verifiable proof of origin the way a signature over the message would. Any future Nationwide Health Information Network messaging variations may require different mechanisms, such as XML-Encryption plus XML-DSig of the entire SOAP message, to achieve these goals.
 * 4) Security of the message is only Nationwide Health Information Network Gateway to Nationwide Health Information Network Gateway. End-to-end security is not provided.

This issue is being tracked as issue #40 in the Google Documents issue tracker spreadsheet.