GPII Security. Washington DC, November 2015

Transcription

1 GPII Security Washington DC, November 2015

2 Outline User data User's device GPII Configuration use cases Preferences access and privacy filtering Work still to do Demo

3 GPII User Data Preferences Device information Environmental information Log in and log out activity User account GPII-enabled websites visited

4 User data: Preferences User preferences expressed both in cross-application terms and application-specific terms Context-specific preferences and definitions of contexts Metadata such as solution priorities (product A with priority X) and required settings Stored: remote Preferences Server, keyed by GPII token Used: in the Match Making process and context selection to build solution settings

5 User data: Preferences "preferences": { " true, " "white-black", " 0.5, " 5, " true, " 300, " { "fontsize": "medium", "highcontrastenabled": true }, " "RuleBased" }

6 User data: Preference contexts contexts : { gpii-default : { preferences : { } }, turn-down-light : { preferences : { } "conditions": [{ "type": " "min": 400, "inputpath": " }] } }

7 User data: Device information Operating System being used Set of available solutions on the device Likely to be extended in the future Used: in the Match Making process

8 User data: Environmental information Such as time of day, luminance level, sound level Used: in context selection

9 User data: log in and log out activity Used: to apply and revert settings by GPII

10 User data: User account Username, password Associated GPII token Set of solutions that have been authorized and selection of preferences the user has shared Stored: remote Authorization Manager within Cloud Based Flow Manager Used: to provide access control to preferences filter preferences access to the Privacy Setting page

11 User accounts Provide stronger authentication than using tokens directly and (in the future) will be capable of managing multiple tokens Associating a token with an account enables sharing of preferences via OAuth 2 and fine grained control of preference sharing A user may edit their privacy settings at any time, including making updates to the preferences that are shared and revoking access

12 User account authentication All account credential entry and verification is done by the Authorization Manager We currently use username and password credentials but in the future other forms of authentication could be supported Authentication of user accounts is independent of keying in with a token and is used to manage privacy settings

13 Information not required in GPII Medical or disability information Address, phone numbers, or other directly personally identifying information

14 User device endpoints We have HTTP based communication between components on the user's device and therefore ports that will accept requests User Listener to Flow Manager Log in Log out Device Reporter Gather information about Operating System and available solutions

15 GPII Configuration use cases Public access workstation Personal devices Anonymous/non-cloud use case

16 User Listeners Device Reporter Preferences Server Token, device info Environment Reporter Untrusted Flow Manager Lifecycle Manager Context Evaluator Lifecycle actions Local machine Match maker output with filtered settings Cloud Based Flow Manager Auth Manager Context Evaluator Solutions Registry Cloud Matchmaker

17 Local machine Cloud User Listeners Device Reporter Environment Reporter Flow Manager Preferences Server Lifecycle Manager Context Evaluator Solutions Registry Lifecycle actions Matchmaker

18 User Listeners Device Reporter Environment Reporter Flow Manager Lifecycle Manager Context Evaluator Lifecycle actions Matchmaker Local machine Cloud Solutions Registry

19 User Listeners Device Reporter Environment Reporter Flow Manager Lifecycle Manager Context Evaluator Lifecycle actions Matchmaker Local machine Solutions Registry Cloud

20 Preference access points with privacy filtering Untrusted Flow Manager Chrome extension Provides filtered settings to web content and cloudbased ATs OAuth 2 authorization code grant protocol Applies privacy filtering of preferences reaching the user's machine Most suited to web content and cloud-based ATs OAuth 2 client credentials grant protocol for adding new preferences

21 Privacy Principles Autonomy: user has full control over who can access their preferences sets, and which parts Prevent privacy leakage: only share the needs & preferences that a solution is capable of accommodating, filter everything else out at the Flow Manager layer

22 Privacy Filtering Users will typically want to control access to their NP set using familiar categories, e.g. Increase Size, Volume, Visual Styling These categories form an ontology defined by the Privacy settings We transform the user s preference set into this ontology on the fly (i.e. categorize the user s preferences sets into containers) Remove all items that the user doesn t want to share. Default policy removes everything (pessimistic or whitelist) Then transform back to flat preferences and continue the normal personalization workflow

23

24 Preferences { } " true, " 200, " true, " 1.5 Privacy Policy { } "visual-alternatives.speak-text.rate": true Filtered Preferences in Privacy ontology { } "visual-alternatives": { "speak-text": { "rate": 200 } } Filtered Settings { } " 200

25 Untrusted Flow Manager Splits the Flow Manager into 2 parts: a local part and a cloud part Matchmaking happens in the cloud and the settings are filtered before being returned to the local Flow Manager

26 User Listeners Device Reporter Preferences Server Token, device info Environment Reporter Untrusted Flow Manager Lifecycle Manager Context Evaluator Lifecycle actions Local machine Match maker output with filtered settings Cloud Based Flow Manager Auth Manager Context Evaluator Solutions Registry Cloud Matchmaker

27 Untrusted Flow Manager user data Preferences: complete preferences on remote server, filtered settings returned to the user's device Device information: sent to Cloud Based Flow Manager Environmental information: on user's device Log in and log out activity: log in initiates communication with server, log out not sent User account: authentication on remote server for Privacy Settings

28

29

30

31 Untrusted Flow Manager Log in 1) Gather device information and send to the Cloud Based Flow Manager 2) Retrieve user preferences and respond with instructions for applying the user's preferences 3) Use the Lifecycle Manager to apply the received instructions

32 Step 1: User logs in Gather local device information Send GPII token and device information to the Cloud Based Flow Manager GET /<GPII token>/untrusted-settings/<device info>

33 Device Information { "OS": { "id": "win32", "version": " " }, solutions: [ { "id": "com.microsoft.windows.highcontrast" }, { "id": "com.microsoft.windows.magnifier" }, { "id": "org.nvda-project" } ] }

34 Step 2: Cloud Based Flow Manager Retrieve user preferences Retrieve privacy policy for GPII token Perform match making Filter the settings according to the privacy policy Select context Build instructions to configure solutions

35 Untrusted Flow Manager response { "solutionsregistryentries": "usertoken": "li", "matchmakeroutput": "activecontextname": "gpii-default", "activeconfiguration": { "applications": { "org.nvda-project": { "active": true, "settings": { " 200 } } } }, "lifecycleinstructions": }

36 matchmakeroutput "gpii-default": { "applications": { "org.nvda-project": { "active": true, "settings" { " 200 } } } }, "turn-down-light": { "applications":... "conditions": [{ "type": " "min": 400, "inputpath": " }] }

37 lifecycleinstructions { "org.nvda-project": { "settingshanders": "start": "stop": "active": true } }

38 Chrome Extension Web sites and applications receive user settings through a browser extension Implemented as a GPII Settings Handler Uses Web Sockets The settings seen by each site will be subject to the user s privacy policy

39 OAuth 2 Authorization Code

40 OAuth 2 Authorization Code user data Preferences: complete preferences on remote server, filtered client settings returned via HTTP Device information: not involved Environmental information: not involved Log in and log out activity: local machine GPII not directly involved User account: authentication on remote server

41

42 Step 1: Redirect the user to request preferences access GET /authorize response_type: code client_id: <solution id> redirect_uri: <URL to send users after authorization> state: <unguessable string>

43

44

45 Step 2: GPII redirects back to site code: <authorization code> state: <string sent in Step 1>

46 Step 3: Exchange the authorization code for an access token POST /access_token grant_type: authorization_code code: <the authorization code> redirect_uri: <must match that specified in Step 1> client_id: <the solution id> client_secret: <the solution client secret> JSON response access_token: <access token> token_type: Bearer

47 Step 4: Use the access token to retrieve the user's preferences GET /settings Authorization: Bearer <access token> Preferences are filtered according to user's privacy policy for the solution

48 OAuth 2 Client Credentials for adding preferences Currently working to integration the First Discovery Tool for adding new user preferences

49

50

51

52

53

54 OAuth 2 Client Credentials user data Preferences: sent from the First Discovery Tool to GPII Device information: not involved Environmental information: not involved Log in and log out activity: not involved User account: not involved

55 Step 1: Request an access token POST /access_token grant_type: client_credentials scope: add_preferences client_id: <solution id> client_secret: <the solution client secret> JSON response access_token: <access token> token_type: Bearer

56 Step 2: Add new preferences POST /add-preferences Authorization: Bearer <access token> Post body containing preferences JSON Response Generated GPII token

57 Server Deployment HTTPS for all HTTP traffic Only public APIs exposed to the internet Whitelist filtering of API endpoints Logging and monitoring to check health and diagnose issues

58 Work to do Bug fixing User account infrastructure Local machine security Work through all GPII use cases and determine suitable approaches to realize each use case with appropriate security Bearer tokens Secured endpoints for all user data access Audit all HTTP endpoints

59 Work to do Tighter integration with other parts of GPII Solutions Registry Match making Authenication mechanisms such as two-factor authenciation, face-recognition, and devices such as YubiKey Server mechanisms to protect user accounts such as detecting and blacklisting IP addresses performing brute-force attacks

60 Questions What else are we missing? Best practices for local machine traffic using HTTP Provide authentication on devices that is both secure and convenient

61 Demo