Query string obfuscation
Standard for Trial Use
Within an HTTP request, the query string can contain personally identifiable data. If the query string is available to an unauthorised user (e.g. within log files, on proxy servers, in browser history) they may be able to identify the patient and hence triangulate further information about the individual. For example, consider:

```
https://sider.nhs.uk/fhir/Patient?family=Smith&birthdate=1971-01-01&hiv-positive=true
```

As the query string is visible within a browser, a malicious actor could change the query string to view other details. By obfuscating the query string, the requestor can reduce the risk of a malicious actor bypassing the system by altering parameters. For example:

```
https://sider.nhs.uk/fhir/Patient?enc=akeyid|LKJHADF8HGL2398ADFJDFKDF456
```
The requestor must provide a query string parameter in the format `enc=<keyname>|<encryptedstring>`, where:

- `keyname` is the unique name of the encryption key. The requestor is responsible for choosing a key understood by the endpoint.
- `encryptedstring` is a query string that has been encrypted using the encryption key.

Only one `enc` parameter is permitted.
The endpoint must only respond over HTTPS, with encryption meeting or exceeding NHS cryptographic standards (TLS 1.1, TLS 1.2, 256-bit keys).
The endpoint should handle the request using a query with the `enc` key replaced with the decrypted key/value pairs. For the example above, a request to `https://sider.nhs.uk/fhir/Patient?enc=akeyid|LKJHADF8HGL2398ADFJDFKDF456` should be handled as if it were a request to `https://sider.nhs.uk/fhir/Patient?family=Smith&birthdate=1971-01-01`.

The endpoint should retain all other key/value pairs within the query. For example, `https://sider.nhs.uk/fhir/Patient?enc=akeyid|LKJHADF8HGL2398ADFJDFKDF456&_count=5` should be handled as `https://sider.nhs.uk/fhir/Patient?family=Smith&birthdate=1971-01-01&_count=5`.
Encryption algorithm: AES256.
Keys will be distributed privately amongst project partners.
If the service cannot expand the `enc` key within the query string, it will return `400 Bad Request`.

If the app cannot expand the `enc` key within the query string, it will display an error message to the user.
A reference implementation is provided. This includes a set of test cases with plaintext/ciphertext query strings that can be used to ensure consistency between implementations.