7.4 Sensitive Data Storage
7.4.1 <sensitiveDataObject> resource
Secure Environments shall provide a service to store and protect sensitive data. Sensitive data objects are represented as SE-resources and are created and managed within the Secure Environment. Requests to SE-resources use absolute addressing. A <sensitiveDataObject> resource shall represent sensitive data and related information owned by a creator.
Attributes in <sensitiveDataObject> are shown in table 7.4.1-1.
Table 7.4.1-1: Attributes of <sensitiveDataObject> resource
Attributes of <sensitiveDataObject> | Multiplicity | RW/RO/WO | Description |
---|---|---|---|
resourceType | 1 | RO | Defines the resource type. |
resourceID | 1 | RO | Defines an identifier for the resource. This attribute shall be provided by the creator. The creator shall assign a resourceID which is unique within its context. |
creationTime | 1 | RO | Time/date of creation of the resource. The creationTime is set by the CSE hosting the SE when the resource is created. |
lastModifiedTime | 1 | RO | Last modification time/date of the resource. This attribute is mandatory. The lastModifiedTime value is set by the Hosting CSE when the resource is created, and the lastModifiedTime value is updated when the resource is updated. |
creator | 1 | RO | The AE-ID or CSE-ID of the AE or CSE creating the resource. |
currentByteSize | 1 | RO | Current size in bytes of sensitive data. |
sensitiveData | 1 | RW | Contains sensitive data and required information to access and manage sensitive data owned by a dedicated creator. |
accessControlPolicyID | 0..1 (L) | RW | Is used to control access to the resource. If no accessControlPolicyIDs value is configured, the accessControlPolicyIDs of the parent resource shall be applied for privilege checking. |
Table 7.4.1-2: Data types of <sensitiveDataObject> resource specific attributes
Name | Request Optionality: Create | Request Optionality: Update | Data type |
---|---|---|---|
currentByteSize | M | NP | xs:nonNegativeInteger |
sensitiveData | O | O | xs:byte |
creator | M | NP | m2m:ID |
7.4.2 <sensitiveDataObject> Resource Procedures
7.4.2.1 CREATE <sensitiveDataObject>
This procedure shall be used for creating a <sensitiveDataObject> resource.
Table 7.4.2.1-1: <sensitiveDataObject> CREATE
<sensitiveDataObject> CREATE request message parameters | |
---|---|
Associated Reference Point | Mcs |
Information in Request message | The following parameters shall exist within the Create request: Operation; To: contains M2M-SE-ID; From: Registree AE or CSE; Request Identifier; Content: <sensitiveData>; Name: name of resource |
Processing at Originator before sending Request | Establish security association between creator and SE; requests from an AE or CSE include their AE-ID or CSE-ID |
Processing at Receiver | Check seAccessPrivileges and validate request |
Information in Response message | Response status codes: ack; successful operation = CREATE; Unsuccessful Operation = C; Request Identifier |
Processing at Originator after receiving Response | n/a |
Exceptions | According to oneM2M TS-0001 [2] |
7.4.2.2 RETRIEVE <sensitiveDataObject>
This procedure shall be used for retrieving a <sensitiveDataObject> resource.
Table 7.4.2.2-1: <sensitiveDataObject> RETRIEVE
<sensitiveDataObject> RETRIEVE request message parameters | |
---|---|
Associated Reference Point | Mcs |
Information in Request message | The following parameters shall exist within the RETRIEVE request: Operation; To: contains M2M-SE-ID; From: Registree AE or CSE; Request Identifier |
Processing at Originator before sending Request | Establish security association between creator and SE; requests from an AE or CSE include their AE-ID or CSE-ID |
Processing at Receiver | Check seAccessPrivileges and validate request |
Information in Response message | Response status codes: ack; successful operation = RETRIEVE; Unsuccessful Operation = R; Request Identifier; Content = Sensitive Data |
Processing at Originator after receiving Response | As defined in oneM2M TS-0001 [2] |
Exceptions | As defined in oneM2M TS-0001 [2] |
7.4.2.3 UPDATE <sensitiveDataObject>
This procedure shall be used for updating the attributes and actual data of a <sensitiveDataObject> resource.
Table 7.4.2.3-1: <sensitiveDataObject> UPDATE
<sensitiveDataObject> UPDATE request message parameters | |
---|---|
Associated Reference Point | Mcs |
Information in Request message | The following parameters shall exist within the UPDATE request: Operation; To: contains M2M-SE-ID; From: Registree AE or CSE; Request Identifier; Name; Content: sensitive data and/or attributes |
Processing at Originator before sending Request | Establish security association between creator and SE; requests from an AE or CSE include their AE-ID or CSE-ID |
Processing at Receiver | Check seAccessPrivileges and validate request |
Information in Response message | Response status codes: ack; successful operation = UPDATE; Unsuccessful Operation = R; Request Identifier |
Processing at Originator after receiving Response | As defined in oneM2M TS-0001 [2] |
Exceptions | As defined in oneM2M TS-0001 [2] |
7.4.2.4 DELETE <sensitiveDataObject>
This procedure shall be used for deleting a <sensitiveDataObject> resource.
Table 7.4.2.4-1: <sensitiveDataObject> DELETE
<sensitiveDataObject> DELETE request message parameters | |
---|---|
Associated Reference Point | Mcs |
Information in Request message | The following parameters shall exist within the DELETE request: Operation; To: contains M2M-SE-ID; From: Registree AE or CSE; Request Identifier; Name |
Processing at Originator before sending Request | Establish security association between creator and SE; requests from an AE or CSE include their AE-ID or CSE-ID |
Processing at Receiver | Check seAccessPrivileges and validate request |
Information in Response message | Response status codes: ack; successful operation = DELETE; Unsuccessful Operation = D; Request Identifier |
Processing at Originator after receiving Response | As defined in oneM2M TS-0001 [2] |
Exceptions | As defined in oneM2M TS-0001 [2] |
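The following added example, which is not part of the specification, models the receiver-side step "Check seAccessPrivileges and validate request" for CREATE and UPDATE, using the request optionality of Table 7.4.1-2 and the host-set RO attributes of Table 7.4.1-1. The names `SecureEnvironment` and `validate_content`, the representation of seAccessPrivileges as a map from AE-ID/CSE-ID to allowed operations, the checks that `creator` equals the originator and that `currentByteSize` equals the data length, and the restriction of updates to the creator's own objects are assumptions of this sketch.

```python
from datetime import datetime, timezone

# Request optionality from Table 7.4.1-2: M mandatory, O optional, NP not present.
OPTIONALITY = {
    "currentByteSize": {"create": "M", "update": "NP"},
    "sensitiveData": {"create": "O", "update": "O"},
    "creator": {"create": "M", "update": "NP"},
}

def validate_content(operation, content):
    """Reject Content that omits an M attribute or carries an NP attribute."""
    for name, rule in OPTIONALITY.items():
        flag = rule[operation]
        if (flag == "M" and name not in content) or (flag == "NP" and name in content):
            raise ValueError(f"{name}: optionality {flag} violated on {operation}")

class SecureEnvironment:
    """Hypothetical in-memory SE; objects are keyed by (creator, resourceID)."""
    def __init__(self, privileges):
        self.privileges, self.objects = privileges, {}

    def _check(self, originator, operation, content):
        # Privilege check first, then structural validation of the request.
        if operation not in self.privileges.get(originator, ()):
            raise PermissionError(f"{originator} has no {operation} privilege")
        validate_content(operation, content)

    def create(self, originator, resource_id, content):
        self._check(originator, "create", content)
        data = content.get("sensitiveData", b"")
        if content["creator"] != originator or content["currentByteSize"] != len(data):
            raise ValueError("creator or currentByteSize inconsistent")  # assumed check
        if (originator, resource_id) in self.objects:
            raise ValueError("resourceID not unique for this creator")
        now = datetime.now(timezone.utc)  # RO timestamps come from the host, not the caller
        obj = {"creator": originator, "sensitiveData": data, "currentByteSize": len(data),
               "creationTime": now, "lastModifiedTime": now}
        self.objects[(originator, resource_id)] = obj
        return obj

    def update(self, originator, resource_id, content):
        self._check(originator, "update", content)
        obj = self.objects.get((originator, resource_id))
        if obj is None:
            raise ValueError("no such resource for this originator")
        if "sensitiveData" in content:
            obj["sensitiveData"] = content["sensitiveData"]
            obj["currentByteSize"] = len(obj["sensitiveData"])  # recomputed by the SE
        obj["lastModifiedTime"] = datetime.now(timezone.utc)
        return obj
```
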