This document is rendered with semi-automatic scripts from a MediaWiki system operated by the FI-WARE consortium.
For technical reasons, not all pages that are part of this document can be linked locally within the final document. For example, if an open specification references and "links" an API specification within the page text, you will find this link pointing first to the wiki, although the same content is usually integrated within the same submission as well.
Only if the wiki page uses this format is the related caption applied in the printed document. As this format is currently not used consistently within the wiki, please understand that the rendered pages have different caption layouts and different caption formats in general. For technical reasons the captions cannot be numbered automatically.
Sample API calls may be inserted like the following one.
1.1 Executive Summary 2
1.2 About This Document 3
1.3 Intended Audience 3
1.4 Chapter Context 3
1.5 Structure of this Document 5
1.6 Typographical Conventions 6
1.6.1 Links within this document 6
1.6.2 Figures 6
1.6.3 Sample software code 7
1.7 Acknowledgements 7
1.8 Keyword list 7
1.9 Changes History 7
1.10 Table of Content 7
2 FIWARE OpenSpecification Security SecurityMonitoring 8
2.1 Preface 8
2.2 Copyright 8
2.3 Legal Notice 8
2.4 Overview 8
2.5 Basic Concepts 9
MulVAL Attack Paths Engine 9
Scored Attack Paths 11
Service Level SIEM 12
Botnet Tracking System 13
IoT Fuzzer 14
Android Vulnerability Assessment Tool 15
Remediation 15
Visualisation framework 16
Botnet Trap Design 17
2.6 Security Monitoring Architecture 18
2.7 Basic Design Principles 21
MulVAL Attack Paths Engine 21
Scored Attack Paths 21
Service Level SIEM 22
IoT Fuzzer 24
Android Vulnerability Assessment Tool 24
Remediation 25
Visualisation framework 25
Botnet trap mitigation 25
2.8 Re-utilised Technologies/Specifications 27
MulVAL Attack Paths Engine 27
Scored Attack Paths 33
Service Level SIEM 34
Botnet Tracking System 35
IoT Fuzzer 36
Android Vulnerability Assessment Tool 37
Remediation 38
Visualisation framework 39
2.9 Detailed Specifications 42
Open API Specifications 42
2.10 Terms and definitions 42
2.11 Security Glossary 43
3 Security_Open_Specs_APIs 48
4 Security-Monitoring: Mulval Attack Path Engine Open API Specification 49
4.1 Introduction to the Mulval Attack Path Engine API 49
4.1.1 Mulval Attack Path Engine API Core 49
4.1.2 Intended Audience 49
4.1.3 API Change History 49
4.1.4 How to Read This Document 50
4.1.5 Additional Resources 50
4.2 General Mulval Attack Path API Information 51
4.2.1 Adapters 52
4.2.2 Core Attack Graph Computation 54
4.2.3 Attack Path Visualization 54
4.2.4 Metrics Analysis 56
5 Security-Monitoring: Mulval Attack Path Engine Web Application Open API Specification 57
5.1 Introduction to the Mulval Attack Path Engine Web Application API 57
5.1.1 Mulval Attack Path Engine Web Application API Core 57
5.1.2 Intended Audience 58
5.1.3 API Change History 58
5.1.4 How to Read This Document 59
5.1.5 Additional Resources 59
5.2 General Mulval Attack Path Web Application API Information 59
5.2.1 Connector 61
5.2.2 Web Application 61
5.2.3 Visualization of Attack Graph on the Web browser 61
5.2.4 Analysis 61
6 Security-Monitoring: Scored Attack Paths Open API Specification 62
6.1 Introduction to the Scored Attack Paths API 62
6.1.1 Scored Attack Paths API Core 62
6.1.2 Intended Audience 62
6.1.3 API Change History 63
6.1.4 How to Read This Document 63
6.1.5 Additional Resources 63
6.2 General Scored Attack Paths API Information 63
6.2.1 Loading of business impact metric data from an XML file 63
6.2.2 Loading of the attack graph 63
6.2.3 List all attack paths 64
6.2.4 Provide the score of the attack graph 64
7 Security-Monitoring:_Remediation_Open_API_Specification 65
7.1 Introduction to the Remediation API 65
7.1.1 Remediation API Core 65
7.1.2 Intended Audience 65
7.1.3 API Change History 65
7.1.4 How to Read This Document 65
7.1.5 Additional Resources 66
7.2 General Remediation API Information 66
7.2.1 Loading of topological data from the CMDB and generate the attack graph 66
7.2.2 Get the attack graph 66
7.2.3 List all attack paths 66
7.2.4 Get the attack path {id} 66
7.2.5 Get the remediations for attack path {id} 66
8 Security-Monitoring: Service Level SIEM Open API Specification 67
8.1 Introduction to the Service Level SIEM Open Specifications 67
8.1.1 Service Level SIEM API Core 67
8.1.2 Intended Audience 68
8.1.3 API Change History 68
8.1.4 How to Read This Document 69
8.1.5 Additional Resources 69
8.2 General Service Level SIEM Specification Information 69
8.2.1 Event Collection 69
Agents 70
Plugins 70
8.3 Collection Methods 71
8.4 SIEM Event Description 72
8.4.1 High-performance Event Processing 74
Storm cluster 74
Service Level SIEM Topology 75
Service Level Correlation Rules 77
9 Security-Monitoring: IoT Fuzzer Open API Specification 80
9.1 Introduction to the IoT Fuzzer API Specification 80
9.1.1 IoT Fuzzer Open Specification Core 80
9.1.2 Intended Audience 80
9.1.3 API Change History 80
9.1.4 Additional Resources 80
9.2 General IoT Fuzzer Open Specification Information 80
9.2.1 Data Types 80
The "scenario" Tag 80
The "send" Tag 81
The "recv" Tag 81
The "field" Tag 82
The "test" Tag 82
The "calc" Tag 83
9.3 Scenario Definition 83
10 Security-Monitoring: Android Vulnerability Assessment Open API Specification 86
10.1 Introduction to the Android Vulnerability Assessment API 86
10.1.1 Android Vulnerability Assessment API Core 86
10.1.2 Intended Audience 86
10.1.3 API Change History 86
10.1.4 Additional Resources 86
10.2 General Android Vulnerability Assessment API Information 87
10.2.1 Resources Summary 87
10.2.2 Representation Format 87
10.2.3 Resource Identification 87
10.2.4 Faults 87
Synchronous Faults 87
Provider Web Service 87
Reporter Web Service 88
10.3 Data Types 88
10.3.1 Provider Web Service 88
OVAL_ProviderWS_Answer Element 88
OVAL_ProviderWS_AnswerHeader Element 88
Definitions Element 89
Definition Element 89
10.3.2 Reporter Web Service 90
OVAL_UploaderWS_Answer Element 90
OVAL_UploaderWS_AnswerHeader Element 90
10.4 API Operations 90
10.4.1 Provider Web Service 90
/rest/hello 90
/rest/summary 90
/rest/fetch_defs/get_all 91
/rest/fetch_defs/by_id/{id} 91
/rest/fetch_defs/by_date/{date} 91
/rest/download/{id_download} 91
/rest/search_defs/list_all 91
/rest/search_defs/by_cve/{cve} 91
/rest/search_defs/by_tags/{tags} 92
/rest/raw_defs/get_all 92
/rest/raw_defs/list_all 92
/rest/raw_defs/by_id/{id} 92
/rest/raw_defs/by_date/{date} 92
10.4.2 Reporter Web Service 92
/rest/hello 92
/rest/summary 93
/rest/upload 93
/rest/list_results 93
11 FIWARE OpenSpecification Security IdentityManagement 94
11.1.1 Preface 94
11.1.2 Copyright 94
11.1.3 Legal Notice 94
11.1.4 Overview 94
Target usage 95
11.1.5 Basic Concepts 95
Relevant Concepts and Ideas 95
User Life-Cycle Management 95
Flexible Authentication for End Users 96
3rd Party Login to Services 96
Web Single Sign-On 96
Hosted User Profile Management 96
Multi-Tenancy 96
Example Scenarios 97
General roles and responsibilities 97
Integration scenarios: Simple scenario with a single storefront 97
11.1.6 Main Interactions 101
Architecture 101
Modules and Interfaces 102
Interface Descriptions 103
Overview on provided standardised interfaces 103
SAML 105
OAuth 109
OpenID 112
Username / Password 113
eID – card 113
Access information API 114
11.1.7 Basic Design Principles 117
Main Functionality 117
Resolution of Technical Issues 118
11.1.8 Detailed Specifications 118
Open Specification 118
Open API Specification 119
References 119
11.2 Re-utilised Technologies/Specifications 119
11.3 Terms and definitions 120
12 Identity Management Generic Enabler API Specification 124
12.1 Introduction to the Identity Management GE (IdM GE) API 124
12.1.1 IdM GE API Core 124
12.1.2 Intended Audience 124
12.1.3 API Change History 124
12.1.4 How to Read this Document 125
12.1.5 Additional Resources 125
12.2 General Identity Management Generic Enabler API Information 126
12.2.1 Resources Summary 126
12.2.2 Authentication 126
12.2.3 Representation Format 127
12.2.4 Representation Transport 127
12.2.5 Resource Identification 127
12.2.6 Limits 127
12.2.7 Extensions 127
12.2.8 Faults 127
Synchronous Faults 127
12.3 Example Identity Management GE implementations 128
13 FIWARE OpenSpecification Security Privacy_Generic_Enabler 130
13.1 Preface 130
13.2 Copyright 130
13.3 Legal Notice 130
13.4 Overview 130
13.5 Basic Concepts 131
13.5.1 Pseudonyms 132
13.5.2 Credentials and Key Binding 133
13.5.3 Presentation 133
13.5.4 Issuance 134
13.6 Main Interactions 134
13.6.1 Credential Issuance 135
13.6.2 Token Presentation 136
13.7 Basic Design Principles 138
13.8 References 138
13.9 Detailed Open Specifications 138
13.9.1 Open API Specifications 138
13.9.2 Other Open Specifications 139
13.10 Terms and definitions 139
13.11 Security Glossary 139
14 Privacy_Open_RESTful_API_Specification 144
14.1 Introduction to the Privacy API 144
14.1.1 Privacy-preserving Authentication API Core 144
14.1.2 Intended Audience 144
14.1.3 API Change History 144
14.1.4 How to Read This Document 144
14.1.5 Additional Resources 145
14.2 General Privacy API Information 145
14.2.1 Resources Summary 145
14.2.2 Representation Format 147
14.2.3 Resource Identification 147
14.2.4 Limits 147
14.2.5 Versions 147
14.2.6 Extensions 147
14.2.7 Faults 147
14.3 Protocol Specification 147
14.3.1 Terminology and Notation 148
Notational Conventions 148
Namespaces 149
14.3.2 Setup 149
Credential Specification 149
Issuer Parameters 160
Inspector Public Key 162
14.3.3 Revocation 164
Revocation Authority Parameters 164
Revocation Information 165
Non-Revocation Evidence 167
14.3.4 Presentation 168
Presentation Policy 168
Presentation Token 176
Functions for Use in Predicates 183
14.3.5 Issuance 185
Issuance Policy 187
Issuance Token 189
Issuance Messages 190
Issuance Log Entries 191
Revocation History 192
Credential Description 194
14.3.6 Identity Selection and Credential Management 197
Presentation 197
Arguments sent to the UI for Presentation 197
Return Value sent by the UI for Presentation 210
Issuance 212
Arguments sent to the UI for Issuance 212
Return Value sent by the UI for Issuance 212
14.3.7 Formats Used By the Webservice API 214
CredentialSpecificationAndSystemParameters 214
IssuancePolicyAndAttributes 214
IssuanceMessageAndBoolean 215
RevocationReferences 215
PresentationPolicyAlternativesAndPresentationToken 216
AttributeList 217
ABCEBoolean 217
URISet 217
IssuerParametersInput 217
IssuanceReturn 218
14.4 API Operations 219
14.4.1 ABCE methods for Issuers 219
14.4.2 ABCE methods for Users 222
14.4.3 ABCE methods for Verifiers 227
14.4.4 ABCE methods for Revocation Authorities 228
14.4.5 ABCE methods for Inspectors 232
15 FIWARE OpenSpecification Security Data_Handling_Generic_Enabler 234
15.1 Preface 234
15.1.1 Copyright 234
15.2 Legal Notice 234
15.3 Overview 234
15.3.1 Target usage 235
15.4 Basic Concepts 235
15.4.1 Relevant Concepts and Ideas 235
15.4.2 PII and PPL 236
15.4.3 PPL Architecture 237
15.4.4 Example Scenarios 238
Use Case: Privacy Aware Online File Store 238
Store Data with Sticky Policies 238
Retrieve Data from the file store 239
15.5 Main Interactions 241
15.5.1 Architecture 241
Block Diagram 241
Sequence Diagram 242
15.6 Basic Design Principles 242
15.6.1 Detailed Specifications 243
Open API Specifications 243
15.7 Appendix 243
15.7.1 References 243
15.8 Architecture Description of the Accountability Feature 243
15.8.1 Copyright 243
15.8.2 Legal Notice 243
15.8.3 Overview 243
Target usage 244
15.8.4 Basic Concepts 244
Relevant Concepts and Ideas 244
Compliance Check of a PPL Log 245
15.8.5 Main Interactions 245
15.8.6 Basic Design Principles 246
15.8.7 Appendix 246
References 246
15.9 Re-utilised Technologies/Specifications 246
15.10 Terms and definitions 246
15.11 Security Glossary 247
16 FIWARE OpenSpecification Security DataHandlingGE Open RESTful API Specification 251
16.1 Introduction to the Data Handling GE API 251
16.1.1 Data Handling GE API Core 251
16.1.2 Data Handling GE API Identity Based Encryption feature 252
16.1.3 Intended Audience 252
16.1.4 API Change History 252
16.1.5 How to Read This Document 253
16.1.6 Additional Resources 253
16.2 General Data Handling GE API Information 253
16.2.1 Resources Summary 253
16.2.2 Representation Format 255
16.2.3 Representation Transport 255
16.3 API Operations 256
Retrieve the file of the Pii identified by the given uniqueId and Owner 256
Store a Pii (file) with its StickyPolicy 256
Store a Pii with its StickyPolicy 256
Update a Pii (File) and its StickyPolicy identified by the given UniqueId and Owner 257
Update a Pii and its StickyPolicy identified by the given UniqueId and Owner 257
Delete a Pii identified by the given UniqueId and Owner 258
Request files (Pii) identified by its name (resource) for the user (subject) 258
Request Piis identified by its name (resource) for the user (subject) 258
Identity Based Encryption Feature API 259
Request certificate by the given information (commonName, Alias(email), organization, organizationalUnitName) 259
Decrypt or encrypt the inputStream / File for the given alias, mode ∈ { encrypt, decrypt } 259
Keypair create a key depending on the keyType ∈ {publickey, privatekey, keypair} 259
Parameters returned can be used to regenerate the cipher from another application 260
17 FIWARE OpenSpecification Security Access_Control_Generic_Enabler 261
17.1 Preface 261
17.2 Copyright 261
17.3 Legal Notice 261
17.4 Overview 261
17.5 Basic Concepts 262
17.5.1 Example Scenario 262
17.5.2 (OAuth) Resource Owner 263
17.5.3 (OAuth) Client Application 263
17.5.4 (OAuth) Resource Server 263
17.5.5 OAuth Authorization Endpoint 263
17.5.6 OAuth Token Endpoint 264
17.5.7 Policy Decision Point (PDP) 264
17.5.8 Policy Administration Point (PAP) 264
17.5.9 Policy Repository (PRP) 264
17.5.10 Policy Enforcement Point (PEP) 264
17.6 Main interactions 264
17.7 Basic Design Principles 265
17.8 References 266
17.9 Detailed Open Specifications 266
17.9.1 Open API Specifications 266
17.9.2 Other Open Specifications 266
17.10 Re-utilised Technologies/Specifications 266
17.11 Terms and definitions 267
17.12 Security Glossary 267
18 FIWARE OpenSpecification Security AccessControlGE Authorization Open RESTful API Specification 271
18.1.1 Introduction to the Access Control GE's Authorization API 271
Authorization API Core 271
Intended Audience 271
API Change History 271
How to Read This Document 272
18.1.2 Introduction to the Access Control GE's Authorization API 272
Authorization API Core 272
Intended Audience 272
API Change History 272
How to Read This Document 273
Additional Resources 273
18.1.3 General API Information 274
Resources Summary 274
Authentication 274
Representation Format 274
Representation Transport 274
Resource Identification 274
Links and references 275
Limits 275
Versions 275
Faults 275
18.1.4 API Operations 276
18.1.5 General API Information 277
Resources Summary 277
Authentication 277
Representation Format 277
Representation Transport 277
Resource Identification 277
Links and references 278
Limits 278
Versions 278
Faults 278
18.1.6 API Operations 279
19 FIWARE OpenSpecification Security Optional_Security_Enablers DBAnonymizer 280
19.1 Preface 280
19.2 Copyright 280
19.3 Legal Notice 280
19.4 Overview 280
19.5 Basic Concepts 282
19.5.1 Relevant Concepts and Ideas 282
19.5.2 Input Format 282
19.5.3 Use Case 284
19.6 Main Interactions 286
19.6.1 DB Anonymizer Architecture 286
19.7 Basic Design Principles 288
19.8 Detailed Specifications 288
19.9 References 289
19.10 Re-utilised Technologies/Specifications 289
19.11 Terms and definitions 289
19.12 Security Glossary 289
20 FIWARE OpenSpecification Security DBAnonymizer Open RESTful API Specification 294
20.1 Introduction to the DB Anonymizer API 294
20.1.1 DB Anonymizer API Core 294
20.1.2 Intended Audience 295
20.1.3 API Change History 295
20.1.4 How to Read This Document 296
20.1.5 Additional Resources 296
20.2 General DB Anonymizer API Information 296
20.2.1 Resources Summary 296
20.2.2 Representation Format 298
20.2.3 Representation Transport 298
20.2.4 Resource Identification 298
20.2.5 Links and References 298
20.2.6 Versions 298
20.2.7 Extensions 298
20.2.8 Faults 298
Synchronous Faults 298
Asynchronous Faults 299
20.3 API Operations 299
20.3.1 Operations 299
21 FIWARE OpenSpecification Security Optional_Security_Enablers SecureStorageService 304
21.1 Preface 304
21.2 Copyright 304
21.3 Legal Notice 304
21.4 Overview 304
21.5 Basic Concepts 305
21.6 Main Interactions 305
21.7 Basic Design Principles 306
21.8 Re-utilised Technologies/Specifications 307
21.9 Terms and definitions 307
21.10 Security Glossary 307
22 Secure Storage Service Optional GE Open API Specification 312
22.1 Copyright 312
22.2 Legal notice 312
22.3 Introduction to the Secure Service Storage Optional GE API 312
22.3.1 Overview 312
Basic Concepts 313
22.3.2 Intended Audience 313
22.3.3 API Change History 313
22.3.4 Additional Resources 314
22.4 General SSS API Information 314
22.4.1 SSS Optional GE API Core 314
22.4.2 Representation Format 315
22.4.3 Representation Transport 315
22.5 API Operations 315
Glossary 315
22.5.1 Operations 315
Create a User identified by his Credentials 316
Delete a User identified by his Credentials 316
Store a file (XML) associated to its user 317
Update a File identified by its UniqueId and UserID 317
Delete a File identified by its UniqueId and UserId 318
23 FIWARE OpenSpecification Security Optional_Security_Enablers ContentBasedSecurity 319
23.1 Preface 319
23.2 Copyright 319
23.3 Legal Notice 319
23.4 Overview 319
23.4.1 Description 319
23.4.2 Support for Multi Domain Deployments 320
23.4.3 Target Usage 321
23.5 Basic Concepts 322
23.5.1 Example Scenario 323
23.6 Main Interactions 324
23.6.1 Protecting Data 324
23.6.2 Removing Protection from Data 325
23.7 Basic Design Principles 326
23.8 References 327
23.9 Detailed Open Specifications 327
23.9.1 Open API Specifications 327
23.9.2 Other Open Specifications 327
23.10 Re-utilised Technologies/Specifications 327
23.11 Terms and definitions 328
23.12 Security Glossary 328
23.13 Content Based Security Glossary 332
23.13.1 Acronyms 332
24 FIWARE OpenSpecification Security Optional Security Enablers ContentBasedSecurity Open RESTful API Specification 333
24.1.1 Introduction to the Content Based Security GE API 333
Content Based Security API Core 333
Intended Audience 333
API Change History 333
How to Read This Document 334
Additional Resources 334
24.1.2 General CBS API Information 334
Resources Summary 334
Authentication 334
Representation Format 334
Representation Transport 334
Limits 335
Versions 335
Extensions 335
Faults 335
24.1.3 Data Types 336
Type: UnprotectedContainer 336
Type: ProtectedContainer 337
Type: KeyValue 337
24.1.4 API Operations 337
CBS Producer 337
Request 337
Request Parameters 337
Request Body 337
Response 338
Example Request 338
Example Response (Success) 339
Example Response (Failure) 339
CBS Consumer 340
Request 340
Request Parameters 340
Request Body 340
Response 340
Example Request 340
Example Response (Success) 341
Example Response (Failure) 342
25 FIWARE OpenSpecification Security Optional_Security_Enablers MalwareDetectionService 343
25.1 Preface 343
25.2 Copyright 343
25.3 Legal Notice 343
25.4 Overview 343
25.4.1 Target Usage 344
25.4.2 Use Case 344
25.5 Basic Concepts 344
25.5.1 Example Scenario 345
25.6 Main Interactions 345
Description 345
Operations 345
Scan a binary file 345
Distance of a binary file 346
List malware database 348
25.6.1 Architecture 349
25.7 Basic Design Principles 350
25.7.1 Design Principles 350
25.8 Detailed Specifications 350
25.8.1 Open API Specifications 350
25.9 References 350
25.10 Terms and definitions 351
25.11 Security Glossary 351
25.12 Malware Detection Service Glossary 354
26 Malware Detection Service Open API Specification 359
26.1 Introduction to Malware Detection Service 359
26.1.1 Malware Detection Service Core 359
26.1.2 Intended Audience 359
26.1.3 Service Change History 359
26.1.4 How to Read This Document 359
26.1.5 Additional Resources 360
26.2 General Malware Detection Service Information 360
26.2.1 Resources Summary 360
26.2.2 Authentication 360
26.2.3 Representation Format 360
26.2.4 Representation Transport 360
26.2.5 Resource Identification 360
26.2.6 Links and References 360
26.2.7 Limits 361
Malware Detection Engine Limits 361
Absolute Limits 361
26.2.8 Versions 361
26.2.9 Extensions 361
26.2.10 Faults 361
26.3 Malware Detection Service Operations 361
Scan a binary file 361
Distance vector of a binary file 363
List malware database 365
27 FIWARE OpenSpecification Security Optional_Security_Enablers AndroidFlowMonitoring 367
27.1 Preface 367
27.2 Copyright 367
27.3 Legal Notice 367
27.4 Overview 367
27.4.1 Description 367
27.4.2 Note on NetFlow Architecture 368
27.4.3 Architecture 368
27.4.4 Use Case 369
27.5 Basic Concepts 369
27.6 Main Interactions 370
27.6.1 Flow Export 370
27.7 Basic Design Principles 370
27.8 Detailed Specifications 371
27.8.1 Open Specifications 371
27.9 Re-utilised Technologies/Specifications 371
27.10 Terms and definitions 371
27.11 Security Glossary 371
28 Android Flow Monitoring Open Specification 376
28.1 Introduction to the Android Flow Monitoring Open Specification 376
28.1.1 Android Flow Monitoring Open Specification Core 376
28.1.2 Intended Audience 376
28.1.3 Specification Change History 376
28.1.4 Additional Resources 376
28.2 General Android Flow Monitoring Open Specification Information 377
28.2.1 Geolocation Field Type Definitions 377
28.2.2 Android Field Type Definitions 377
28.3 Templates Specifications 378
28.3.1 IPv4, TCP 378
28.3.2 IPv4, UDP 379
28.3.3 IPv4, ICMP 379
28.3.4 IPv6 380
29 FI-WARE Open Specifications Legal Notice 382
Use Of Specification - Terms, Conditions & Notices 382
License 382
Patents 382
General Use Restrictions 382
Disclaimer Of Warranty 382
Trademarks 383
Issue Reporting 383
30 Open Specifications Interim Legal Notice 384
General Information 384
Use Of Specification - Terms, Conditions & Notices 384
Copyright License 384
Patent License 384
General Use Restrictions 385
Disclaimer Of Warranty 385
Trademarks 385
Issue Reporting 385