Successfully reported this slideshow.
Your SlideShare is downloading. ×

Securing eHealth, eGovernment and eBanking with Java - IT-Tage 2020 Conference

Ad

Securing eHealth, eGovernment and eBanking
with Java
Werner Keil
CATMedia
Thodoris Bais
ABN Amro & Utrecht JUG

Ad

Werner Keil Thodoris Bais
Jakarta EE Specification Committee Member Jakarta EE Ambassador, EG Member JSR-385
Let’s meet
@t...

Ad

@thodorisbais@wernerkeil
ABN Amro Bank
Financial sector
Amsterdam
Agile organization
20,000
3000+
400+
Total number of emp...

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Check these out next

1 of 40 Ad
1 of 40 Ad
Advertisement

More Related Content

Similar to Securing eHealth, eGovernment and eBanking with Java - IT-Tage 2020 Conference (15)

Advertisement

More from Thodoris Bais (20)

Advertisement

Securing eHealth, eGovernment and eBanking with Java - IT-Tage 2020 Conference

  1. 1. Securing eHealth, eGovernment and eBanking with Java Werner Keil CATMedia Thodoris Bais ABN Amro & Utrecht JUG
  2. 2. Werner Keil Thodoris Bais Jakarta EE Specification Committee Member Jakarta EE Ambassador, EG Member JSR-385 Let’s meet @thodorisbais@wernerkeil
  3. 3. @thodorisbais@wernerkeil ABN Amro Bank Financial sector Amsterdam Agile organization 20,000 3000+ 400+ Total number of employeesEnterprise bank Headquarters Development Teams DevOps / Hybrid cloud Applications
  4. 4. Agenda 1. eHealth and eGovernment 2. Signatures and Certificates 3. eBanking and eBusiness 4. DSS Framework 5. Demo 6. Links / Q&A
  5. 5. eHealth refers to the use of information and communications technologies in healthcare. https://www.who.int/ehealth/en/
  6. 6. eGovernment is the opening up and adaptation of the public sector through information and communication technologies.
  7. 7. eGovernment in DE ExternalInternal
  8. 8. eHealth in DE Long distance communication Health Data Patient Monitoring
  9. 9. eGovernment in NL
  10. 10. eHealth in NL 80% Access to medical records 75% Health monitoring
  11. 11. eHealth in NL – How to achieve these goals
  12. 12. Benefits of eHealth Insight into own health Time saving
  13. 13. Requirements for Secure Transmission Integrity Identity Authenticity
  14. 14. Authenticity of Author and Data • Assignment of data to the signer • Protection against denial by signatory • Protection of data against manipulation • On the transmission path • Through the receiver
  15. 15. Risks & Solutions
  16. 16. Electronic Signatures
  17. 17. Functionality The electronic signature is a cryptographic method that uses two asymmetric keys • Private key • Public key
  18. 18. Signature Process
  19. 19. Signature Types The signature law distinguishes three (or four) types of signatures: • Simple Electronic Signature (SES) • Advanced Electronic Signature (AdES) • Qualified Electronic Signature (QES) • Qualified Electronic Signature with Provider Accreditation
  20. 20. Signature Types
  21. 21. Advanced Electronic Signature Electronic signatures, where: • The owner can be uniquely identified and assigned to the signature • The signature is generated by means which owner can keep under their sole control • It is capable of identifying if accompanying data has changed after the message was signed • The signature can be invalidated in the event of such change
  22. 22. Scope of Application An advanced electronic signature holder can also be a company, service, app, etc. The advanced electronic signature can therefore be used to sign documents if there are no legal formalities (personal certificates) With the advanced electronic signature, mass signatures are possible, for example to ensure the integrity of documents in the area of electronic invoicing or archiving (functional certificates)
  23. 23. Qualified Electronic Signature An advanced electronic signature based on a secure signature creation device and a qualified certificate valid at the time of creation. Qualified Certificates • Serial Number • Reference to Qualified Certificate • Name of the owner (natural person) • Signature verification • Period of validity • Certification Service • Usage restrictions
  24. 24. Qualified Electronic Signature with Accreditation Provision of the PKI by a trust center that has undergone the voluntary accreditation process. Accreditation as a quality label provides proof of comprehensively tested safety. An accredited Qualified Trust Service Provider (QTSP) manages the signature creation.
  25. 25. Certificates
  26. 26. Certificates The assignment of the electronic signature to the owner is carried out by means of certificates A certificate is an electronic document linking the public signature verification key to the name of the holder (natural or legal person) The most common format for public key certificates is X.509.
  27. 27. Signature Formats There are four main types of signatures: • XAdES (XML Document) • CAdES (Common binaries of different kinds) • PAdES (PDF Document) • Associated Signature Containers (ASiC)
  28. 28. Signature Packaging Depending on the signature format, different packaging of the signature and the document are possible: • Enveloped • Enveloping • Detached • Internally Detached
  29. 29. Signature Creation and Validation
  30. 30. eSENS Document Flow
  31. 31. eBanking with PSD2
  32. 32. eIDAS Certificate for PSD2
  33. 33. eBusiness Fraud https://www.pdf-insecurity.org/index.html
  34. 34. PDF Insecurity https://www.pdf-insecurity.org/index.html
  35. 35. DSS Framework
  36. 36. DSS Framework DSS (Digital Signature Services) is an open-source software library for electronic signature creation and validation. DSS supports the creation and verification of interoperable and secure electronic signatures in line with European legislation. Three main features can be distinguished within the framework: • Creation of a Digital Signature • Extension of a Digital Signature • Validation of a Digital Signature
  37. 37. DSS Framework – Features • Formats of the signed documents: XML, PDF, DOC, TXT, ZIP,…​ • Packaging structures: enveloping, enveloped, detached and internally-detached • Forms signatures: XAdES, CAdES, PAdES and ASiC-S/ASiC-E • Profiles associated to each form of the digital signature • Trust management • Revocation data handling (OCSP and CRL sources) • Certificate chain building • Signature validation and validation policy • Validation of the signing certificate
  38. 38. Demo Time @thodorisbais@wernerkeil
  39. 39. Links CEF Digital Home: https://ec.europa.eu/cefdigital/wiki/display/CEFDIGITAL/eSignature eGov EU Twitter Account: @eGov_EU CEF DSS: https://ec.europa.eu/cefdigital/wiki/display/CEFDIGITAL/DSS DSS Framework on GitHub: https://github.com/esig/dss Bouncy Castle for Java: https://www.bouncycastle.org/java.html Apache Sanctuario: https://santuario.apache.org/ Apache PDFBox: https://pdfbox.apache.org/
  40. 40. Thank You !

Editor's Notes

  • E-government is the opening up and adaptation of the public sector through information and communication technologies.
    One distinguishes between:

    Internal E-Government - Use of IT within the public sector without any contact with the citizen, such as electronic medical records, exchange between public authorities, healthcare providers, pharmacies, etc.

    External E-Government - Web site and services for citizens, patients, customers, companies, ...
  • Currently, Germany is still at an early stage of the application of e-health or M-Health. There are, however, already some advantages and possibilities to see how both are used or can be used soon. For example for:

    Communication over long distances, regardless of location. Especially in rural areas, or where there is a shortage of doctors

    Computer-based procedures for the collection, transmission and evaluation of health data.

    The monitoring of patients, for example, the chronically ill, or voluntary self-monitoring (Quantified Self)
  • eIDAS: accessing Dutch government services online
    The introduction of the Electronic Identification and Trust Services Regulation (eIDAS) means EU citizens from other member states can access Dutch government services online.
    What government services can I access in the Netherlands?
    You can use your login details for any approved European electronic identification scheme to access all the same services as Dutch people can using their DigiD. If, for example, you are a German national working in the Netherlands, you can log in using your ‘Neuer Personalausweis’ to:
    see how much pension you have built up through the Social Insurance Bank (SVB);
    submit your tax return to the Tax and Customs Administration;
    check your pension payments to your pension provider;
    object to the assessment of the value of your property under the Valuation of Immovable Property Act (WOZ);


    BSN ?
  • The government is encouraging the healthcare sector to expand telehealth (eHealth) services. Below the goals set by the Dutch government:
    Access to medical records At least 80% of chronically ill people should have access to their own medical records by 2019, and at least 40% of other members of the population.
    Health monitoring
    By 2019 75% of chronically ill people and vulnerable elderly people should be able to monitor certain aspects of their own health and share the data with their health provider. This would include things like blood pressure and cholesterol levels.
    Online contact with care provider
    People receiving care and support at home should be able to communicate with their care provider 24 hours a day via a screen, if they wish.
  • Support for innovators via online platform
    Healthcare innovators wishing to make a new digital application can go to zorgvoorinnoveren.nl (in Dutch), where they will find support to help them develop their idea swiftly and effectively into a working application. The site also has tips on getting funding.
    Making digital data sharing easier
    The government is consulting with healthcare administrators on standards that should facilitate digital data sharing. They are also talking to suppliers of IT systems.
    Sharing eHealth knowhow
    The government is bringing healthcare innovators and other parties together. It has established a startup network, for example, which includes healthcare providers, patients and lawyers. The network allows them to share knowledge and help startups and innovations advance to the next stage. Another project uses telehealth to help elderly people live independently for longer.
    Personal digital healthcare environment
    Some healthcare providers and IT suppliers already offer patients the opportunity to draw up and manage a personal health record (PHR). But safely combining and sharing personal health information is a complex matter, and is currently possible to only a limited extent. Various parties in the healthcare sector are therefore collaborating on a programme to give people more control over their own health.
  • Time saving
    Patients can schedule their own appointment with their care provider online. No need to leave their home if they can arrange an online consultation (e.g. video link)

    Insight into own health
    A personal digital healthcare environment gives people more insight into their health. If they wish, they can share all or part of their data with a healthcare provider, so that they do not have to repeatedly relate their entire medical history. This allows the healthcare provider to work more effectively, determine the right treatment more quickly, and avoid mistakes. Patients gain more control over their own health thanks to a greater understanding of their health situation.

    Lower administrative burden
    Doctors have less paperwork and can share information securely and easily with colleagues.


    Not all healthcare providers currently offer telehealth. But healthcare providers and patients are becoming more aware of the benefits. Many doctors now offer patients the opportunity to schedule appointments online. Around 46% of patients would like to have online access to their medical records (source: eHealth Monitor 2015), but this can only be done if there are good safeguards for privacy.
  • Integrity Messages should not be able to be falsified unnoticed

    Identity
    A message should be clearly assigned to the sender

    Authenticity The identity of the sender should be verifiable

    Confidentiality Messages should not be read by unauthorized persons
  • E-communication entails risks
    Who is my counterpart?
    Who is reading?
    Has anyone changed something?


    Solutions: E-Signature & Encryption
    Unauthorised third parties cannot read an encrypted message
    Electronically signed documents can not be changed unnoticed, neither during transmission nor through the receiver
    -Sender can not deny text (e.g., binding offer)
  • The private key to be kept secret is used to encrypt the hash value of the document (= "Compressed text consisting of a sequence of binary values)
    The public key can only be used for decryption and matches only one private key. It can be publicly retrieved and is often sent with the message

  • The private key to be kept secret is used to encrypt the hash value of the document (= "Compressed text consisting of a sequence of binary values)
    The public key can only be used for decryption and matches only one private key. It can be publicly retrieved and is often sent with the message


  • e-SENS (Electronic Simple European Networked Services)
  • PSU = Payment Service User
    TPP = Third Party Provider
    PISP = Payment Initiation Service Provider
    AISP = Account Information Service Provider
    PIISP = Payment Instrument Issuer Service Provider

    ASPSP = Account Servicing Payment Service Providers
    XS2A = Access 2 Accounts

  • NCA = National Competent Authority
    CSR = Certificate Signing Request
    QTSP = Qualified Trust Service Provider
  • Add the 4 versions of signature validation

×