SlideShare a Scribd company logo

Authentication and signatures overview

Download as PPTX, PDF
Marc de Graauw
Marc de Graauw
TechnologyEntertainment & Humor
1 of 35
Marc de Graauw marc@marcdegraauw.com Authentication&Digital Signature anoverview
Marc de Graauw marc@marcdegraauw.com Authentication
Marc de Graauw marc@marcdegraauw.com Authentication Smartcard (UZI pass) with: private key (RSA) X.509 certificate (includes public key) PKI-Government Personal pass guard safely no sharing PIN protected
Marc de Graauw marc@marcdegraauw.com Sender Receiver “Hello world” “Hello world” SHA-1 hash: 5llABaWYz xCrKIdjS... Public key: MIICHzCCAY ygAwIBAgI..... OK Private key: shhhh..... RSA sig value: c9fVK7vYAdv s2DRZVtS... RSA sig value: c9fVK7vYAdv s2DRZVtS...
Marc de Graauw marc@marcdegraauw.com
Marc de Graauw marc@marcdegraauw.com Security Services (X.800) Authentication Authorization Data Confidentiality Data Integrity Non-repudiation
Marc de Graauw marc@marcdegraauw.com Secure connection
Marc de Graauw marc@marcdegraauw.com Secure data
Marc de Graauw marc@marcdegraauw.com Security services
Marc de Graauw marc@marcdegraauw.com Authentication with SSL
Marc de Graauw marc@marcdegraauw.com
Marc de Graauw marc@marcdegraauw.com
Marc de Graauw marc@marcdegraauw.com
Marc de Graauw marc@marcdegraauw.com Security with SSL Works well only in simple scenario’s There is no HL7v3 XML at the client The client is (relatively) unsecure SSL lays an impenatrable tunnel across the instution’s secure zone SSL from server to server is fine, but: provides no care provider authentication
Marc de Graauw marc@marcdegraauw.com Context: clients all hospitals, GP’s, pharmacists, other healthcare pros clients: any kind of client latest .NET / Java older dev environments (Delphi, BV, etc.) thin client/browser XSLT heavy XML / no XML WS-* / no WS-* HL7v3 / no HL7v3
Marc de Graauw marc@marcdegraauw.com Context: HL7v3 no HL7v3 at client (HL7v2, OZIS, other) not all data at client Act.id medication codes patient id (BSN) not yet, is reasonable demand destination not always known at client either: require all data available at client or: sign subset of data
Marc de Graauw marc@marcdegraauw.com ‘Lightweight’ authentication token X.509 style message id nonce provides unique identification of message (if duplicate removal has already taken place) time to live security semantics can expire time to store & check nonce addressedParty replay against other receivers
Marc de Graauw marc@marcdegraauw.com SSL security premises: healthcare pro keeps smartcard + pin safe software to establish SSL tunnel not corrupted PKI, RSA etc. not broken assertion: healthcare pro sets up SSL tunnel assumption: messages going over SSL tunnel come from healthcare pro weakness: insertion of fake messages in SSL tunnel measures: abort SSL tunnel after period of inactivity, refresh regularly
Marc de Graauw marc@marcdegraauw.com Lightweight token security premises: healthcare pro keeps smartcard + pin safe software to sign token not corrupted PKI, RSA etc. not broken assertion: healthcare pro signed auth token assumption: message and auth token belong together weakness: fake message attached to valid token
Marc de Graauw marc@marcdegraauw.com Lightweight token security signedData: message id notBefore / notAfter addressedParty coSignedData patient id (BSN) message type (HL7 trigger event id) only possible to retrieve same kind of data for same patient at same time from same destination weakness: tampering with other message parameters for queries: acceptable (privacy not much more broken) for prescription: use full digital signature
Marc de Graauw marc@marcdegraauw.com Hospital workflow doctor makes round 360 seconds per patient nurse has file ready retrieval times are not acceptable pre-signing tokens and pre-fetching data just in time possible with auth tokens, not (so much) with SSL
Marc de Graauw marc@marcdegraauw.com SOAP Envelope SOAP Body Authentication alternatives SOAP Header Auth Token HL7 payload
Marc de Graauw marc@marcdegraauw.com SOAP Envelope Authentication alternatives SOAP Header Auth Token Auth Token Auth Token SOAP Body HL7 payload HL7 payload HL7 payload
Marc de Graauw marc@marcdegraauw.com HL7 Medical Application HL7v3 Medical Content HL7 Control Query Processing Application HL7v3 Acts HL7 Transmission Wrapper Adapter HL7v3 Messages HL7 Web Services Messaging Adapter SOAP Messages HTTP Client / Server
Marc de Graauw marc@marcdegraauw.com Authentication alternatives Authentication tokens in SOAP Headers separate them from the content HL7 sometimes allows multiple payloads, making this problem worse The token has to travel across layers with the paylaod This violates layering principles
Marc de Graauw marc@marcdegraauw.com WS-* WS-* is confused about whether it is a document format or a message format document: relevant to the end user message: relevant to the mailman keep metadata with the document putting document metadata in SOAP headers violates layering design principles
Marc de Graauw marc@marcdegraauw.com Digital Signatures
Marc de Graauw marc@marcdegraauw.com Some philosophy “The President of the United States is John McCain” “Karen believes ‘the President of the United States is John McCain’ ” “John says that ‘the President of the United States is John McCain’ ” “Dr. Jones says: ‘Mr. Smith has the flu’ ”
Marc de Graauw marc@marcdegraauw.com Signed Data
Marc de Graauw marc@marcdegraauw.com <code code=”27” codeSystem=”2.16.840.1.113883.2.4.4.5” /> "Dissolve in water"
Marc de Graauw marc@marcdegraauw.com XML fragment
Marc de Graauw marc@marcdegraauw.com Digitally signed token
Marc de Graauw marc@marcdegraauw.com What You See Is What You Sign
Marc de Graauw marc@marcdegraauw.com Token & XML Signature XML Signature Componenten Met WSS In SOAP Headers SOAP envelope <ws:SecToken> headers Certificate <ws:SecToken> Certificate <ds:Signature> <ds:SignedInfo> <ds:KeyInfo> <ds:Signature> <ds:SignedInfo> <ds:KeyInfo> <ds:Signature> <ds:SignedInfo> <ds:KeyInfo> Sig value Sig value Sig value Sig value Digest Digest Digest Digest Certificate Reference Reference Certificate Getekendegegevens Getekendegegevens body Getekendegegevens HL7v3 bericht Getekendegegevens HL7v3 bericht HL7v3 bericht HL7v3 bericht Prescription1 Prescription 1 Prescription 1 Prescription 1
Marc de Graauw marc@marcdegraauw.com Meerdere Signatures, 1 certificaat Bericht + handtekening Certificate A <Signature1> <SignedInfo> Certificate Sig value 1 Digest 1 <Signature2> <ds:SignedInfo> Signature Sig value 2 persisteren Digest 2 Getekende gegevens Getekendegegevens 1 Getekendegegevens 2 HL7v3 bericht HL7v3 Prescription Prescription 1 Prescription 2

Recommended

Network Security: Standards and Cryptography
Network Security: Standards and CryptographyNetwork Security: Standards and Cryptography
Network Security: Standards and Cryptography
Jack Davis
 
Grid security seminar mohit modi
Grid security seminar mohit modiGrid security seminar mohit modi
Grid security seminar mohit modi
Mohit Modi
 
POST-QUANTUM CRYPTOGRAPHY
POST-QUANTUM CRYPTOGRAPHYPOST-QUANTUM CRYPTOGRAPHY
POST-QUANTUM CRYPTOGRAPHY
Pavithra Muthu
 
Blockchain for CyberSecurity | Blockchain and CyberSecurity
Blockchain for CyberSecurity | Blockchain and CyberSecurityBlockchain for CyberSecurity | Blockchain and CyberSecurity
Blockchain for CyberSecurity | Blockchain and CyberSecurity
feriuyolasyolas
 
Demonstration of secure socket layer(synopsis)
Demonstration of secure socket layer(synopsis)Demonstration of secure socket layer(synopsis)
Demonstration of secure socket layer(synopsis)
Mumbai Academisc
 
AS2 vs. SFTP
AS2 vs. SFTPAS2 vs. SFTP
AS2 vs. SFTP
MFT Gateway
 
QOMPLX Cyber Identity Access Management
QOMPLX Cyber Identity Access Management QOMPLX Cyber Identity Access Management
QOMPLX Cyber Identity Access Management
Chad Leschefsky
 
Jehyuk jang and heung no lee ieee
Jehyuk jang and heung no lee ieeeJehyuk jang and heung no lee ieee
Jehyuk jang and heung no lee ieee
IT Strategy Group
 

Recommended

Network Security: Standards and Cryptography
Network Security: Standards and CryptographyNetwork Security: Standards and Cryptography
Network Security: Standards and Cryptography
Jack Davis
 
Grid security seminar mohit modi
Grid security seminar mohit modiGrid security seminar mohit modi
Grid security seminar mohit modi
Mohit Modi
 
POST-QUANTUM CRYPTOGRAPHY
POST-QUANTUM CRYPTOGRAPHYPOST-QUANTUM CRYPTOGRAPHY
POST-QUANTUM CRYPTOGRAPHY
Pavithra Muthu
 
Blockchain for CyberSecurity | Blockchain and CyberSecurity
Blockchain for CyberSecurity | Blockchain and CyberSecurityBlockchain for CyberSecurity | Blockchain and CyberSecurity
Blockchain for CyberSecurity | Blockchain and CyberSecurity
feriuyolasyolas
 
Demonstration of secure socket layer(synopsis)
Demonstration of secure socket layer(synopsis)Demonstration of secure socket layer(synopsis)
Demonstration of secure socket layer(synopsis)
Mumbai Academisc
 
AS2 vs. SFTP
AS2 vs. SFTPAS2 vs. SFTP
AS2 vs. SFTP
MFT Gateway
 
QOMPLX Cyber Identity Access Management
QOMPLX Cyber Identity Access Management QOMPLX Cyber Identity Access Management
QOMPLX Cyber Identity Access Management
Chad Leschefsky
 
Jehyuk jang and heung no lee ieee
Jehyuk jang and heung no lee ieeeJehyuk jang and heung no lee ieee
Jehyuk jang and heung no lee ieee
IT Strategy Group
 
PKI and Applications
PKI and ApplicationsPKI and Applications
PKI and Applications
Svetlin Nakov
 
How encryption works
How encryption worksHow encryption works
How encryption works
RaxTonProduction
 
Web Security and SSL - Secure Socket Layer
Web Security and SSL - Secure Socket LayerWeb Security and SSL - Secure Socket Layer
Web Security and SSL - Secure Socket Layer
Akhil Nadh PC
 
Digital certificates in e commerce
Digital certificates in e commerceDigital certificates in e commerce
Digital certificates in e commerce
mahesh tawade
 
Hl7v3 schema issues
Hl7v3 schema issuesHl7v3 schema issues
Hl7v3 schema issues
Marc de Graauw
 
Introduction to Digital signatures
Introduction to Digital signaturesIntroduction to Digital signatures
Introduction to Digital signatures
Rohit Bhat
 
Details about the SSL Certificate
Details about the SSL CertificateDetails about the SSL Certificate
Details about the SSL Certificate
CheapSSLUSA
 
Blockchain - The Future of Digital Signatures - DrySign by Exela
Blockchain - The Future of Digital Signatures - DrySign by ExelaBlockchain - The Future of Digital Signatures - DrySign by Exela
Blockchain - The Future of Digital Signatures - DrySign by Exela
Drysign By Exela
 
Lecture17
Lecture17Lecture17
Lecture17
Châu Thanh Chương
 
VeriDoc Global Solution: Document Security
VeriDoc Global Solution: Document SecurityVeriDoc Global Solution: Document Security
VeriDoc Global Solution: Document Security
Elissa Renton
 
Ch17
Ch17Ch17
Ch17
Joe Christensen
 
Let's Encrypt! Wait. Why? How?
Let's Encrypt! Wait. Why? How?Let's Encrypt! Wait. Why? How?
Let's Encrypt! Wait. Why? How?
Nancy Thanki
 
Ssl certificate in internet world
Ssl certificate in internet worldSsl certificate in internet world
Ssl certificate in internet world
jamesbarns729
 
Django SEM
Django SEMDjango SEM
Django SEM
Gandi24
 
BCS_PKI_part1.ppt
BCS_PKI_part1.pptBCS_PKI_part1.ppt
BCS_PKI_part1.ppt
UskuMusku1
 
Current standard implementations for security/authorization in distributed c...
Current standard implementations for security/authorization in distributed c...Current standard implementations for security/authorization in distributed c...
Current standard implementations for security/authorization in distributed c...
Michele Orru'
 
Internet Security Basics
Internet Security BasicsInternet Security Basics
Internet Security Basics
Bipin Jethwani
 
Tips for safe purchasing on the web
Tips for safe purchasing on the webTips for safe purchasing on the web
Tips for safe purchasing on the web
Keynectis
 
App Authentication
App AuthenticationApp Authentication
App Authentication
Trevayne Van Niekerk
 
Secure payment systems
Secure payment systemsSecure payment systems
Secure payment systems
Abdulaziz Mohd
 
Elektronische handtekening in de zorg
Elektronische handtekening in de zorgElektronische handtekening in de zorg
Elektronische handtekening in de zorg
Marc de Graauw
 
Identiteit in de ict
Identiteit in de ictIdentiteit in de ict
Identiteit in de ict
Marc de Graauw
 

More Related Content

Similar to Authentication and signatures overview

PKI and Applications
PKI and ApplicationsPKI and Applications
PKI and Applications
Svetlin Nakov
 
Introduction to Digital signatures
Introduction to Digital signaturesIntroduction to Digital signatures
Introduction to Digital signatures
Rohit Bhat
 
VeriDoc Global Solution: Document Security
VeriDoc Global Solution: Document SecurityVeriDoc Global Solution: Document Security
VeriDoc Global Solution: Document Security
Elissa Renton
 
Let's Encrypt! Wait. Why? How?
Let's Encrypt! Wait. Why? How?Let's Encrypt! Wait. Why? How?
Let's Encrypt! Wait. Why? How?
Nancy Thanki
 
Django SEM
Django SEMDjango SEM
Django SEM
Gandi24
 
Internet Security Basics
Internet Security BasicsInternet Security Basics
Internet Security Basics
Bipin Jethwani
 
Tips for safe purchasing on the web
Tips for safe purchasing on the webTips for safe purchasing on the web
Tips for safe purchasing on the web
Keynectis
 
Secure payment systems
Secure payment systemsSecure payment systems
Secure payment systems
Abdulaziz Mohd
 

Similar to Authentication and signatures overview (20)

PKI and Applications
PKI and ApplicationsPKI and Applications
PKI and Applications
 
How encryption works
How encryption worksHow encryption works
How encryption works
 
Web Security and SSL - Secure Socket Layer
Web Security and SSL - Secure Socket LayerWeb Security and SSL - Secure Socket Layer
Web Security and SSL - Secure Socket Layer
 
Digital certificates in e commerce
Digital certificates in e commerceDigital certificates in e commerce
Digital certificates in e commerce
 
Hl7v3 schema issues
Hl7v3 schema issuesHl7v3 schema issues
Hl7v3 schema issues
 
Introduction to Digital signatures
Introduction to Digital signaturesIntroduction to Digital signatures
Introduction to Digital signatures
 
Details about the SSL Certificate
Details about the SSL CertificateDetails about the SSL Certificate
Details about the SSL Certificate
 
Blockchain - The Future of Digital Signatures - DrySign by Exela
Blockchain - The Future of Digital Signatures - DrySign by ExelaBlockchain - The Future of Digital Signatures - DrySign by Exela
Blockchain - The Future of Digital Signatures - DrySign by Exela
 
Lecture17
Lecture17Lecture17
Lecture17
 
VeriDoc Global Solution: Document Security
VeriDoc Global Solution: Document SecurityVeriDoc Global Solution: Document Security
VeriDoc Global Solution: Document Security
 
Ch17
Ch17Ch17
Ch17
 
Let's Encrypt! Wait. Why? How?
Let's Encrypt! Wait. Why? How?Let's Encrypt! Wait. Why? How?
Let's Encrypt! Wait. Why? How?
 
Ssl certificate in internet world
Ssl certificate in internet worldSsl certificate in internet world
Ssl certificate in internet world
 
Django SEM
Django SEMDjango SEM
Django SEM
 
BCS_PKI_part1.ppt
BCS_PKI_part1.pptBCS_PKI_part1.ppt
BCS_PKI_part1.ppt
 
Current standard implementations for security/authorization in distributed c...
Current standard implementations for security/authorization in distributed c...Current standard implementations for security/authorization in distributed c...
Current standard implementations for security/authorization in distributed c...
 
Internet Security Basics
Internet Security BasicsInternet Security Basics
Internet Security Basics
 
Tips for safe purchasing on the web
Tips for safe purchasing on the webTips for safe purchasing on the web
Tips for safe purchasing on the web
 
App Authentication
App AuthenticationApp Authentication
App Authentication
 
Secure payment systems
Secure payment systemsSecure payment systems
Secure payment systems
 

More from Marc de Graauw

Elektronische handtekening in de zorg
Elektronische handtekening in de zorgElektronische handtekening in de zorg
Elektronische handtekening in de zorg
Marc de Graauw
 
Tokenauthenticatie en xml signature in detail
Tokenauthenticatie en xml signature in detailTokenauthenticatie en xml signature in detail
Tokenauthenticatie en xml signature in detail
Marc de Graauw
 
Hl7v3 and web services
Hl7v3 and web servicesHl7v3 and web services
Hl7v3 and web services
Marc de Graauw
 
XML tekortkomingen en pluspunten
XML tekortkomingen en pluspuntenXML tekortkomingen en pluspunten
XML tekortkomingen en pluspunten
Marc de Graauw
 
Versiecontrole in de keten
Versiecontrole in de ketenVersiecontrole in de keten
Versiecontrole in de keten
Marc de Graauw
 
Luister niet naar de gebruiker
Luister niet naar de gebruikerLuister niet naar de gebruiker
Luister niet naar de gebruiker
Marc de Graauw
 

More from Marc de Graauw (12)

Elektronische handtekening in de zorg
Elektronische handtekening in de zorgElektronische handtekening in de zorg
Elektronische handtekening in de zorg
 
Identiteit in de ict
Identiteit in de ictIdentiteit in de ict
Identiteit in de ict
 
Tokenauthenticatie en xml signature in detail
Tokenauthenticatie en xml signature in detailTokenauthenticatie en xml signature in detail
Tokenauthenticatie en xml signature in detail
 
Reliable messaging
Reliable messagingReliable messaging
Reliable messaging
 
Overzicht aorta
Overzicht aortaOverzicht aorta
Overzicht aorta
 
Hl7v3 and web services
Hl7v3 and web servicesHl7v3 and web services
Hl7v3 and web services
 
XML tekortkomingen en pluspunten
XML tekortkomingen en pluspuntenXML tekortkomingen en pluspunten
XML tekortkomingen en pluspunten
 
Versioning theory
Versioning theoryVersioning theory
Versioning theory
 
Versiecontrole in de keten
Versiecontrole in de ketenVersiecontrole in de keten
Versiecontrole in de keten
 
Unicode
UnicodeUnicode
Unicode
 
Luister niet naar de gebruiker
Luister niet naar de gebruikerLuister niet naar de gebruiker
Luister niet naar de gebruiker
 
Overzicht hl7v3
Overzicht hl7v3Overzicht hl7v3
Overzicht hl7v3
 

Recently uploaded

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
UK Journal
 

Recently uploaded (20)

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 

Authentication and signatures overview

  • 1. Marc de Graauw marc@marcdegraauw.com Authentication&Digital Signature anoverview
  • 2. Marc de Graauw marc@marcdegraauw.com Authentication
  • 3. Marc de Graauw marc@marcdegraauw.com Authentication Smartcard (UZI pass) with: private key (RSA) X.509 certificate (includes public key) PKI-Government Personal pass guard safely no sharing PIN protected
  • 4. Marc de Graauw marc@marcdegraauw.com Sender Receiver “Hello world” “Hello world” SHA-1 hash: 5llABaWYz xCrKIdjS... Public key: MIICHzCCAY ygAwIBAgI..... OK Private key: shhhh..... RSA sig value: c9fVK7vYAdv s2DRZVtS... RSA sig value: c9fVK7vYAdv s2DRZVtS...
  • 5. Marc de Graauw marc@marcdegraauw.com
  • 6. Marc de Graauw marc@marcdegraauw.com Security Services (X.800) Authentication Authorization Data Confidentiality Data Integrity Non-repudiation
  • 7. Marc de Graauw marc@marcdegraauw.com Secure connection
  • 8. Marc de Graauw marc@marcdegraauw.com Secure data
  • 9. Marc de Graauw marc@marcdegraauw.com Security services
  • 10. Marc de Graauw marc@marcdegraauw.com Authentication with SSL
  • 11. Marc de Graauw marc@marcdegraauw.com
  • 12. Marc de Graauw marc@marcdegraauw.com
  • 13. Marc de Graauw marc@marcdegraauw.com
  • 14. Marc de Graauw marc@marcdegraauw.com Security with SSL Works well only in simple scenario’s There is no HL7v3 XML at the client The client is (relatively) unsecure SSL lays an impenatrable tunnel across the instution’s secure zone SSL from server to server is fine, but: provides no care provider authentication
  • 15. Marc de Graauw marc@marcdegraauw.com Context: clients all hospitals, GP’s, pharmacists, other healthcare pros clients: any kind of client latest .NET / Java older dev environments (Delphi, BV, etc.) thin client/browser XSLT heavy XML / no XML WS-* / no WS-* HL7v3 / no HL7v3
  • 16. Marc de Graauw marc@marcdegraauw.com Context: HL7v3 no HL7v3 at client (HL7v2, OZIS, other) not all data at client Act.id medication codes patient id (BSN) not yet, is reasonable demand destination not always known at client either: require all data available at client or: sign subset of data
  • 17. Marc de Graauw marc@marcdegraauw.com ‘Lightweight’ authentication token X.509 style message id nonce provides unique identification of message (if duplicate removal has already taken place) time to live security semantics can expire time to store & check nonce addressedParty replay against other receivers
  • 18. Marc de Graauw marc@marcdegraauw.com SSL security premises: healthcare pro keeps smartcard + pin safe software to establish SSL tunnel not corrupted PKI, RSA etc. not broken assertion: healthcare pro sets up SSL tunnel assumption: messages going over SSL tunnel come from healthcare pro weakness: insertion of fake messages in SSL tunnel measures: abort SSL tunnel after period of inactivity, refresh regularly
  • 19. Marc de Graauw marc@marcdegraauw.com Lightweight token security premises: healthcare pro keeps smartcard + pin safe software to sign token not corrupted PKI, RSA etc. not broken assertion: healthcare pro signed auth token assumption: message and auth token belong together weakness: fake message attached to valid token
  • 20. Marc de Graauw marc@marcdegraauw.com Lightweight token security signedData: message id notBefore / notAfter addressedParty coSignedData patient id (BSN) message type (HL7 trigger event id) only possible to retrieve same kind of data for same patient at same time from same destination weakness: tampering with other message parameters for queries: acceptable (privacy not much more broken) for prescription: use full digital signature
  • 21. Marc de Graauw marc@marcdegraauw.com Hospital workflow doctor makes round 360 seconds per patient nurse has file ready retrieval times are not acceptable pre-signing tokens and pre-fetching data just in time possible with auth tokens, not (so much) with SSL
  • 22. Marc de Graauw marc@marcdegraauw.com SOAP Envelope SOAP Body Authentication alternatives SOAP Header Auth Token HL7 payload
  • 23. Marc de Graauw marc@marcdegraauw.com SOAP Envelope Authentication alternatives SOAP Header Auth Token Auth Token Auth Token SOAP Body HL7 payload HL7 payload HL7 payload
  • 24. Marc de Graauw marc@marcdegraauw.com HL7 Medical Application HL7v3 Medical Content HL7 Control Query Processing Application HL7v3 Acts HL7 Transmission Wrapper Adapter HL7v3 Messages HL7 Web Services Messaging Adapter SOAP Messages HTTP Client / Server
  • 25. Marc de Graauw marc@marcdegraauw.com Authentication alternatives Authentication tokens in SOAP Headers separate them from the content HL7 sometimes allows multiple payloads, making this problem worse The token has to travel across layers with the paylaod This violates layering principles
  • 26. Marc de Graauw marc@marcdegraauw.com WS-* WS-* is confused about whether it is a document format or a message format document: relevant to the end user message: relevant to the mailman keep metadata with the document putting document metadata in SOAP headers violates layering design principles
  • 27. Marc de Graauw marc@marcdegraauw.com Digital Signatures
  • 28. Marc de Graauw marc@marcdegraauw.com Some philosophy “The President of the United States is John McCain” “Karen believes ‘the President of the United States is John McCain’ ” “John says that ‘the President of the United States is John McCain’ ” “Dr. Jones says: ‘Mr. Smith has the flu’ ”
  • 29. Marc de Graauw marc@marcdegraauw.com Signed Data
  • 30. Marc de Graauw marc@marcdegraauw.com <code code=”27” codeSystem=”2.16.840.1.113883.2.4.4.5” /> "Dissolve in water"
  • 31. Marc de Graauw marc@marcdegraauw.com XML fragment
  • 32. Marc de Graauw marc@marcdegraauw.com Digitally signed token
  • 33. Marc de Graauw marc@marcdegraauw.com What You See Is What You Sign
  • 34. Marc de Graauw marc@marcdegraauw.com Token & XML Signature XML Signature Componenten Met WSS In SOAP Headers SOAP envelope <ws:SecToken> headers Certificate <ws:SecToken> Certificate <ds:Signature> <ds:SignedInfo> <ds:KeyInfo> <ds:Signature> <ds:SignedInfo> <ds:KeyInfo> <ds:Signature> <ds:SignedInfo> <ds:KeyInfo> Sig value Sig value Sig value Sig value Digest Digest Digest Digest Certificate Reference Reference Certificate Getekendegegevens Getekendegegevens body Getekendegegevens HL7v3 bericht Getekendegegevens HL7v3 bericht HL7v3 bericht HL7v3 bericht Prescription1 Prescription 1 Prescription 1 Prescription 1
  • 35. Marc de Graauw marc@marcdegraauw.com Meerdere Signatures, 1 certificaat Bericht + handtekening Certificate A <Signature1> <SignedInfo> Certificate Sig value 1 Digest 1 <Signature2> <ds:SignedInfo> Signature Sig value 2 persisteren Digest 2 Getekende gegevens Getekendegegevens 1 Getekendegegevens 2 HL7v3 bericht HL7v3 Prescription Prescription 1 Prescription 2