Marc de Graauw marc@marcdegraauw.com
Authentication & Digital Signature: an overview

Authentication

Authentication
  • Smartcard (UZI pass) with:
      • private key (RSA)
      • X.509 certificate (includes public key)
  • PKI-Government
  • Personal pass
      • guard safely
      • no sharing
  • PIN protected

[Diagram: sender and receiver]
  • Sender: “Hello world”; SHA-1 hash: 5llABaWYz xCrKIdjS...; private key: shhhh.....; RSA sig value: c9fVK7vYAdv s2DRZVtS...
  • Receiver: “Hello world”; RSA sig value: c9fVK7vYAdv s2DRZVtS...; public key: MIICHzCCAY ygAwIBAgI.....; OK

Security Services (X.800)
  • Authentication
  • Authorization
  • Data Confidentiality
  • Data Integrity
  • Non-repudiation

Secure connection

Secure data

Security services

Authentication with SSL

Security with SSL
  • Works well only in simple scenarios
  • There is no HL7v3 XML at the client
  • The client is (relatively) insecure
  • SSL lays an impenetrable tunnel across the institution’s secure zone
  • SSL from server to server is fine, but: provides no care provider authentication

Context: clients
  • all hospitals, GPs, pharmacists, other healthcare pros
  • clients: any kind of client
      • latest .NET / Java
      • older dev environments (Delphi, BV, etc.)
      • thin client/browser
      • XSLT heavy
      • XML / no XML
      • WS-* / no WS-*
      • HL7v3 / no HL7v3

Context: HL7v3
  • no HL7v3 at client (HL7v2, OZIS, other)
  • not all data at client
      • Act.id
      • medication codes
      • patient id (BSN): not yet, is reasonable demand
  • destination not always known at client
  • either: require all data available at client
  • or: sign subset of data

‘Lightweight’ authentication token
  • X.509 style
  • message id
      • nonce
      • provides unique identification of message (if duplicate removal has already taken place)
  • time to live
      • security semantics can expire
      • time to store & check nonce
  • addressedParty
      • replay against other receivers

SSL security
  • premises:
      • healthcare pro keeps smartcard + PIN safe
      • software to establish SSL tunnel not corrupted
      • PKI, RSA etc. not broken
  • assertion: healthcare pro sets up SSL tunnel
  • assumption: messages going over SSL tunnel come from healthcare pro
  • weakness: insertion of fake messages in SSL tunnel
  • measures: abort SSL tunnel after period of inactivity, refresh regularly

Lightweight token security
  • premises:
      • healthcare pro keeps smartcard + PIN safe
      • software to sign token not corrupted
      • PKI, RSA etc. not broken
  • assertion: healthcare pro signed auth token
  • assumption: message and auth token belong together
  • weakness: fake message attached to valid token

Lightweight token security
  • signedData:
      • message id
      • notBefore / notAfter
      • addressedParty
  • coSignedData:
      • patient id (BSN)
      • message type (HL7 trigger event id)
  • only possible to retrieve same kind of data for same patient at same time from same destination
  • weakness: tampering with other message parameters
      • for queries: acceptable (privacy not much more broken)
      • for prescription: use full digital signature
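
The receiver-side checks implied by the token slides above (message id as nonce, notBefore / notAfter, addressedParty, coSignedData), as an added example that is not part of the original slides. HMAC-SHA256 stands in for the smartcard's RSA signature so that it runs with the Python standard library alone; the JSON layout, the field names `patientId`, `triggerEvent` and `dateRange`, the 300-second lifetime and all sample values are assumptions constructed for illustration.

```python
import hashlib
import hmac
import json

# Assumption: HMAC-SHA256 with a constructed key stands in for the RSA
# signature made with the smartcard's private key.
DEMO_KEY = b"constructed-demo-key"
CO_SIGNED_FIELDS = ("patientId", "triggerEvent")  # hypothetical field names


def _mac(signed_data, co_signed_data, key):
    # Deterministic serialization so sender and receiver sign the same bytes.
    blob = json.dumps({"signedData": signed_data, "coSignedData": co_signed_data},
                      sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, blob, hashlib.sha256).hexdigest()


def sign_token(signed_data, message, key=DEMO_KEY):
    """Sender: sign signedData plus the co-signed values taken from the message."""
    co = {f: message[f] for f in CO_SIGNED_FIELDS}
    return {"signedData": signed_data, "signature": _mac(signed_data, co, key)}


class TokenVerifier:
    """Receiver-side checks for one addressed party."""

    def __init__(self, own_id, key=DEMO_KEY):
        self.own_id = own_id
        self.key = key
        self.seen = {}  # message id -> notAfter

    def verify(self, token, message, now):
        sd = token["signedData"]
        # coSignedData is rebuilt from the message itself, so a token moved to
        # a message for another patient or trigger event fails the signature.
        co = {f: message[f] for f in CO_SIGNED_FIELDS}
        if not hmac.compare_digest(_mac(sd, co, self.key), token["signature"]):
            return "bad-signature"
        if not sd["notBefore"] <= now <= sd["notAfter"]:
            return "outside-validity"
        if sd["addressedParty"] != self.own_id:
            return "wrong-addressee"
        if sd["messageId"] != message["messageId"]:
            return "message-id-mismatch"
        # A nonce only has to be remembered until its token expires.
        self.seen = {m: exp for m, exp in self.seen.items() if exp >= now}
        if sd["messageId"] in self.seen:
            return "replay"
        self.seen[sd["messageId"]] = sd["notAfter"]
        return "ok"


def demo():
    now = 1_000_000  # constructed clock value, in seconds
    query = {"messageId": "msg-0001", "patientId": "BSN-PLACEHOLDER-1",
             "triggerEvent": "TRIGGER-PLACEHOLDER", "dateRange": "last-30-days"}
    signed = {"messageId": "msg-0001", "notBefore": now, "notAfter": now + 300,
              "addressedParty": "receiver-A"}
    token = sign_token(signed, query)
    a = TokenVerifier("receiver-A")

    def fresh():
        return TokenVerifier("receiver-A")

    return {
        "first use": a.verify(token, query, now + 10),
        "same token again": a.verify(token, query, now + 20),
        "other receiver": TokenVerifier("receiver-B").verify(token, query, now + 10),
        "other patient": fresh().verify(
            token, dict(query, patientId="BSN-PLACEHOLDER-2"), now + 10),
        "after notAfter": fresh().verify(token, query, now + 301),
        # The weakness the slides name: parameters outside signedData and
        # coSignedData are not covered, so this altered query still verifies.
        "other parameter changed": fresh().verify(
            token, dict(query, dateRange="all"), now + 10),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The last case is the reason the slides accept the token for queries but call for a full digital signature on prescriptions.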

Hospital workflow
  • doctor makes round
  • 360 seconds per patient
  • nurse has file ready
  • retrieval times are not acceptable
  • pre-signing tokens and pre-fetching data just in time
  • possible with auth tokens, not (so much) with SSL

Authentication alternatives
[Diagram: SOAP Envelope containing a SOAP Header (Auth Token) and a SOAP Body (HL7 payload)]

Authentication alternatives
[Diagram: SOAP Envelope containing a SOAP Header (Auth Token, Auth Token, Auth Token) and a SOAP Body (HL7 payload, HL7 payload, HL7 payload)]

[Diagram: layers and what each exchanges]
  • HL7 Medical Application: HL7v3 Medical Content
  • HL7 Control Query Processing Application: HL7v3 Acts
  • HL7 Transmission Wrapper Adapter: HL7v3 Messages
  • HL7 Web Services Messaging Adapter: SOAP Messages
  • HTTP Client / Server

Authentication alternatives
  • Authentication tokens in SOAP Headers separate them from the content
  • HL7 sometimes allows multiple payloads, making this problem worse
  • The token has to travel across layers with the payload
  • This violates layering principles

WS-*
  • WS-* is confused about whether it is a document format or a message format
      • document: relevant to the end user
      • message: relevant to the mailman
  • keep metadata with the document
  • putting document metadata in SOAP headers violates layering design principles

Digital Signatures

Some philosophy
  • “The President of the United States is John McCain”
  • “Karen believes ‘the President of the United States is John McCain’ ”
  • “John says that ‘the President of the United States is John McCain’ ”
  • “Dr. Jones says: ‘Mr. Smith has the flu’ ”

Signed Data

<code code="27" codeSystem="2.16.840.1.113883.2.4.4.5" /> → "Dissolve in water"

XML fragment

Digitally signed token

What You See Is What You Sign

Token & XML Signature
[Diagram with panels “XML Signature components”, “With WSS”, “In SOAP headers”. Labels: SOAP envelope, headers, body; <ws:SecToken>; Certificate; <ds:Signature> with <ds:SignedInfo>, <ds:KeyInfo>, Reference, Digest and Sig value; signed data; HL7v3 message; Prescription 1]

Multiple signatures, 1 certificate
[Diagram: message + signature. Labels: Certificate A; <Signature1> with <SignedInfo>, Sig value 1, Digest 1; <Signature2> with <ds:SignedInfo>, Sig value 2, Digest 2; persist signature; signed data 1, signed data 2; HL7v3 message; Prescription 1, Prescription 2]
