The document discusses authentication and digital signatures for healthcare messaging. It describes using smartcards with private/public key pairs for authentication. Lightweight authentication tokens containing a digital signature are proposed as an alternative to using SSL for every message. These tokens would include a message ID, time limits, and signed elements like patient ID and message type. Full digital signatures are still recommended for prescriptions while tokens may suffice for queries. Signing multiple parts of a message with the same certificate is also discussed.

1. Marc de Graauwmarc@marcdegraauw.comAuthentication&Digital Signatureanoverview

2. Marc de Graauwmarc@marcdegraauw.comAuthentication

3. Marc de Graauwmarc@marcdegraauw.comAuthenticationSmartcard (UZI pass) with:private key (RSA)X.509 certificate (includes public key)PKI-GovernmentPersonal passguard safelyno sharingPIN protected

4. Marc de Graauwmarc@marcdegraauw.comSenderReceiver“Hello world”“Hello world”SHA-1 hash:5llABaWYzxCrKIdjS...Public key:MIICHzCCAYygAwIBAgI.....OKPrivate key:shhhh.....RSA sig value:c9fVK7vYAdvs2DRZVtS...RSA sig value:c9fVK7vYAdvs2DRZVtS...

5. Marc de Graauwmarc@marcdegraauw.com

6. Marc de Graauwmarc@marcdegraauw.comSecurity Services (X.800)AuthenticationAuthorizationData ConfidentialityData IntegrityNon-repudiation

7. Marc de Graauwmarc@marcdegraauw.comSecure connection

8. Marc de Graauwmarc@marcdegraauw.comSecure data

9. Marc de Graauwmarc@marcdegraauw.comSecurity services

10. Marc de Graauwmarc@marcdegraauw.comAuthentication with SSL

11. Marc de Graauwmarc@marcdegraauw.com

12. Marc de Graauwmarc@marcdegraauw.com

13. Marc de Graauwmarc@marcdegraauw.com

14. Marc de Graauwmarc@marcdegraauw.comSecurity with SSLWorks well only in simple scenario’sThere is no HL7v3 XML at the clientThe client is (relatively) unsecureSSL lays an impenatrable tunnel across the instution’s secure zoneSSL from server to server is fine, but:provides no care provider authentication

15. Marc de Graauwmarc@marcdegraauw.comContext: clientsall hospitals, GP’s, pharmacists, other healthcare prosclients: any kind of clientlatest .NET / Javaolder dev environments (Delphi, BV, etc.)thin client/browserXSLT heavyXML / no XMLWS-* / no WS-*HL7v3 / no HL7v3

16. Marc de Graauwmarc@marcdegraauw.comContext: HL7v3no HL7v3 at client (HL7v2, OZIS, other)not all data at clientAct.idmedication codespatient id (BSN) not yet, is reasonable demanddestination not always known at clienteither: require all data available at clientor: sign subset of data

17. Marc de Graauwmarc@marcdegraauw.com‘Lightweight’ authentication tokenX.509 stylemessage idnonceprovides unique identification of message(if duplicate removal has already taken place)time to livesecurity semantics can expiretime to store & check nonceaddressedPartyreplay against other receivers

18. Marc de Graauwmarc@marcdegraauw.comSSL securitypremises:healthcare pro keeps smartcard + pin safesoftware to establish SSL tunnel not corruptedPKI, RSA etc. not brokenassertion:healthcare pro sets up SSL tunnelassumption:messages going over SSL tunnel come from healthcare proweakness:insertion of fake messages in SSL tunnelmeasures:abort SSL tunnel after period of inactivity, refresh regularly

19. Marc de Graauwmarc@marcdegraauw.comLightweight token securitypremises:healthcare pro keeps smartcard + pin safesoftware to sign token not corruptedPKI, RSA etc. not brokenassertion:healthcare pro signed auth tokenassumption:message and auth token belong togetherweakness:fake message attached to valid token

20. Marc de Graauwmarc@marcdegraauw.comLightweight token securitysignedData:message idnotBefore / notAfteraddressedPartycoSignedDatapatient id (BSN)message type (HL7 trigger event id)only possible to retrieve same kind of data for same patient at same time from same destinationweakness: tampering with other message parametersfor queries: acceptable (privacy not much more broken)for prescription: use full digital signature

21. Marc de Graauwmarc@marcdegraauw.comHospital workflowdoctor makes round360 seconds per patientnurse has file readyretrieval times are not acceptablepre-signing tokens and pre-fetching data just in timepossible with auth tokens, not (so much) with SSL

22. Marc de Graauwmarc@marcdegraauw.comSOAP EnvelopeSOAP BodyAuthentication alternativesSOAP HeaderAuth TokenHL7 payload

23. Marc de Graauwmarc@marcdegraauw.comSOAP EnvelopeAuthentication alternativesSOAP HeaderAuth TokenAuth TokenAuth TokenSOAP BodyHL7 payloadHL7 payloadHL7 payload

24. Marc de Graauwmarc@marcdegraauw.comHL7 Medical ApplicationHL7v3 MedicalContentHL7 Control Query Processing ApplicationHL7v3 ActsHL7 Transmission Wrapper AdapterHL7v3 MessagesHL7 Web Services Messaging AdapterSOAPMessagesHTTP Client / Server

25. Marc de Graauwmarc@marcdegraauw.comAuthentication alternativesAuthentication tokens in SOAP Headers separate them from the contentHL7 sometimes allows multiple payloads, making this problem worseThe token has to travel across layers with the paylaodThis violates layering principles

26. Marc de Graauwmarc@marcdegraauw.comWS-*WS-* is confused about whether it is a document format or a message formatdocument: relevant to the end usermessage: relevant to the mailmankeep metadata with the documentputting document metadata in SOAP headers violates layering design principles

27. Marc de Graauwmarc@marcdegraauw.comDigital Signatures

28. Marc de Graauwmarc@marcdegraauw.comSome philosophy“The President of the United States is John McCain”“Karen believes ‘the President of the United States is John McCain’ ”“John says that ‘the President of the United States is John McCain’ ”“Dr. Jones says: ‘Mr. Smith has the flu’ ”

29. Marc de Graauwmarc@marcdegraauw.comSigned Data

30. Marc de Graauwmarc@marcdegraauw.com<code code=”27” codeSystem=”2.16.840.1.113883.2.4.4.5” /> "Dissolve in water"

31. Marc de Graauwmarc@marcdegraauw.comXML fragment

32. Marc de Graauwmarc@marcdegraauw.comDigitally signed token

33. Marc de Graauwmarc@marcdegraauw.comWhat You See Is What You Sign

34. Marc de Graauwmarc@marcdegraauw.comToken & XML SignatureXML SignatureComponentenMet WSSIn SOAP HeadersSOAP envelope<ws:SecToken>headersCertificate<ws:SecToken>Certificate<ds:Signature><ds:SignedInfo> <ds:KeyInfo><ds:Signature><ds:SignedInfo> <ds:KeyInfo><ds:Signature><ds:SignedInfo> <ds:KeyInfo>Sig valueSig valueSig valueSig valueDigestDigestDigestDigestCertificateReferenceReferenceCertificateGetekendegegevensGetekendegegevensbodyGetekendegegevensHL7v3 berichtGetekendegegevensHL7v3 berichtHL7v3 berichtHL7v3 berichtPrescription1 Prescription 1 Prescription 1 Prescription 1

35. Marc de Graauwmarc@marcdegraauw.comMeerdere Signatures, 1 certificaatBericht + handtekeningCertificate A<Signature1><SignedInfo>CertificateSig value 1Digest 1<Signature2><ds:SignedInfo>SignatureSig value 2persisterenDigest 2GetekendegegevensGetekendegegevens 1Getekendegegevens 2HL7v3 berichtHL7v3PrescriptionPrescription 1 Prescription 2