Implement XForms' "digest" function

freedim · February 24, 2020, 2:23pm

Hi there,

I have used a couple of ODK-based survey apps and made an extensive use of hashings to secure preloaded sensitive data and password-protect some parts of the forms in case the tablet is grabbed from an enumerator during an interview.

Hashings are most probably relying on the ‘digest()’ function of XForms. It would be great to have an implementation of this function in KoboToolbox since humanitarian data very often involve sensitive bits.

Cheers

stephanealoo · February 24, 2020, 3:35pm

Hi,
Welcome to the community forum. Could you please update your suggestion to conform to other detailed suggestions. Kindly have a look at other suggestions to get a feel of what is expected when posting on suggestion box.

Stephane

freedim · February 24, 2020, 4:57pm

Hi Stephane,

There it is. Sorry i overlooked the usage while in a rush…

Thanks for the heads up

wroos · February 24, 2020, 7:26pm

Dear freedim,
as this is an important issue, could you share here, please, a best practice example for your “extensive use of hashing …” for sensitive data.
Thanks in advance.

freedim · February 24, 2020, 8:55pm

Hi Wroos,

In the humanitarian context, there are often attached csv files with all the names, ID numbers, phone numbers, household composition, medical conditions etc. of families that are to be interviewed. Those files are feeding dropdown lists and / or verification fields.

In order to scramble the link between names, ID numbers, addresses and whatever other personal data, i use a strategy in two points:

to prevent a hostile person who grabs the tablet from an enumerator while they were conducting an interview to reach the sensitive data visible in some parts of the form, i put an extra password to be entered in a text field at the beginning of the group of sensitive fields. Obviously, the password tentatives must be tried against the hashed password stored in the form.
to prevent anyone to see the link between a given name, a given ID number, a given sensitive data etc. in the attached data, i split it in many CSV files, each with a few columns (ideally a couple of columns), including one that is the hashes of the original IDs (to which I add some salt or pepper, different for each CSV file). Hence even if someone can access those CSVs at any point of the workflow, they won’t be able to make sense of them.

stephanealoo · February 25, 2020, 5:56pm

Hi @freedim
Could you confirm whether you have ever done this with XLSForm, or if you always constructed the XForm manually. Theoretically, if it works in XLSForm, you should be able to upload the XLS to KoBo, avoid opening it in the form builder , deploy, and collect data

Regards,
Stephane

freedim · February 25, 2020, 6:34pm

Yes i have done it with XLSForms. But concerning KoBo, I have not tried to upload an XLSForm with a digest function. I have just tried to enter the digest function in a calculated field in the online graphical form builder and got an error message like “{}digest function does not exist”

Xiphware · February 28, 2020, 7:06pm

digest() is a supported XPath function in ODK, so it should work in KoboCollect (its been in javaRosa for a while…). See digest() and make sure you are specifying the required arguments.

freedim · February 28, 2020, 8:39pm

I have tried extensively and never succeeded (through the online form builder).

Grateful if you can share with me a form where it works. My user is “camealeon_admin” on kc.humanitarianresponse.info

Cheers!

Xiphware · February 28, 2020, 11:35pm

This appears to be a bug in javaRosa: digest() presently only works if you give it an actually string to hash, but will cause a (false positive) validation error if you give it a ref like ${foo}. We’ve opened a new defect against javaRosa here: https://github.com/opendatakit/javarosa/issues/547

Good catch, thanks! Please track the above defect for progress. Once fixed in the javaRosa master branch it should get picked up in the next Kobo update.

freedim · February 29, 2020, 5:20pm

Thanks for taking this forward

However, even when i provide an actual hard-coded string, whether in the online builder or by uploading an XLS form, i get the same error message saying {}digest does not exist.

For the record, i already encountered this problem more than one year ago. At the time i was in a rush and quickly needed a solution so i just ruled out KoboToolbox and did not take the time to file a bug report…

Beat!

Xiphware · March 2, 2020, 8:59pm

So digest() isnt currently supported in Enketo [but it will be according to @martijnr]. Enketo is the web-renderer that KoboToolbox uses for previewing forms or filling them in online.

Sorry.

FYI You can track progress of Enketo support here: Replace XPath evaluator · Issue #163 · enketo/enketo · GitHub

freedim · March 3, 2020, 9:38pm

Great, thanks

Also, I could indeed reproduce having a correct hash in the Android app when the first argument is hardcoded and an error when it is a variable.

Hopefully the two bugs will be quickly solved and then I will be able to design and recommend very secure workflows for various partners…

Cheers!

almaayn · June 25, 2020, 1:51am

Hi everyone,

stephanealoo · July 3, 2020, 6:04pm

Hi @almaayn
Welcome to the community forum. Do you have a specific support request so that we look at it?
Stephane

almaayn · July 3, 2020, 7:53pm

Hi @stephanealoo,

This issue has been fixed in javarosa, please check this link

So please, when we can use expressions in digest arguments in KoboToolbox?

stephanealoo · July 3, 2020, 8:40pm

Hi @almaayn
Just notified our developers and they will be responding to this.

Stephane

martijnr · July 3, 2020, 8:50pm

Just want to update that digest() will probably quite soon also be available in Enketo. No ETA though. Keep your eye on the issue @Xiphware mentioned above and the Enketo Express change log (search for “digest”)

almaayn · July 3, 2020, 8:51pm

Thank you dear @stephanealoo

atorrado · January 4, 2021, 8:43pm

Hi @martijnr digest() is not already available, right?