Security and Interoperability. Danny De Cock, January 16th, 2012, Moldova. Slides: godot.be/slides

Presentation transcript:


Secrets of Successful eID Environments
3 high-level actors: Citizen/Customer, Business, Government
Different sectors
- eGovernment: collect and store data once, reuse where possible
- eHealth: make patient records available to health care service providers
- eCommerce & eBusiness: provide ability to correctly identify involved parties
  - Avoiding online fraud, preparing effective anti-spam measures

Secrets of Successful eID Environments
Success depends on joined forces of public and private sector
- Private sector requires return on investment (ROI)
  - The number of contacts between a citizen and their eGovernment alone does not justify huge investments
- Public sector prefers eID enablers for use in public and private sector
Avoid reinventing the wheel
- Need to exchange experience with successes and *failures*
- Risk of lacking focus to create interoperable solutions
Caveat: Systems focusing on any single sector are inherently incompatible with *similar* systems

Design Decisions – Basic Concepts
Federated architecture
- Each sector operates autonomously
- Interfaces with other sectors through bus system
Built around authoritative sources
- Master copy of data is available at exactly one repository
- Master copy = authoritative source
Maximal reuse of information
- No data replication
- Administrations cannot re-request data already available
Integrated system for user and access management
- eID for all: citizens & organizations
- Autonomous management of access & use policies

Design Decisions – Benefits
Guaranteed interoperability enhances security!
- Modularity respects each organization’s sovereignty
Prevents vendor lock-in
- Exchanging information using standard and open protocols and data formats
Guaranteed flexibility
- Modularity allows updating and following
  - Security standards
  - Good/best practices

Identification & Authentication
Unique identification of
- Citizens
- Professionals
- Companies and other Service Providers (public and private sector)
eID for all: Authentication & Identification tokens
- Federal token
- eID card: Belgian citizens & foreigners
- Other tokens: companies, organizations, individuals

eID Card Types
- Citizens: eID card
- Kids: Kids-ID
- Aliens: Foreigners’ card

eID Card Content
[Diagram: Citizen Identity Data (ID, ADDRESS, 140x200 pixels 8 BPP image), each carrying an RRN SIGNATURE; PKI (Authentication, Signature, Root CA, CA). RRN = National Register]

eID Card = 4 Functions
Non-electronic
1. Visible identification of a person
Electronic
2. Digital identification: data capture
3. Prove your identity: authentication signature
4. Digitally sign information: non-repudiation signature
eFunctionality: enabler of eServices

Levels of Assurance (LoA) of Authentication
Federated identity management model
- E.g., Shibboleth, Liberty Alliance, CardSpace…
Levels and example uses
- LoA 4+ (qualified plus biometric): Setting access policies
- LoA 4 (qualified cert with smart card EAL4+): Sensitive medical records (e.g. HIV), Consultant notes containing opinions. Ability to Break the Glass. Bank to bank transfers
- LoA 3 (2-factor authentication, non-qualified cert, EAL4 smart card): Patient confidential records (non-sensitive)
- LoA 2 (one time password): Some Internet banking applications. System administration
- LoA 1 (uid/password, Verisign Class 1 cert): Retrieve degree certificate. Completing public service employment application
- LoA 0 (no authentication): Public data

eID – Level 3 + 4

Citizen’s Federal Token – Level 2

How to Choose a Security Level?
Responsibility of the service provider under supervision of the Privacy Commission
Based on risk assessment and depending on
- Type of processing: communication, consultation, alteration,…
- Scope of the service: does the processing only concern the user or also concern other persons?
- Degree of sensitivity of the data processed
- Possible impact of the processing
In addition to the right security level
- Use of an electronic & time-stamped signature might be needed

Interoperable & Secure by Design
Mandates & authorization credentials based on open standards, e.g.,
- XACML
- SAML
Revocation services set up by mandate manager and certification authority
- OCSP
- CRL
Certificates, signatures and timestamps, e.g.,
- X.509
- XAdES-*
Communication protocols
- SSL/TLS

XACML – Allow/Deny Service Requests…

Generic Policy Enforcement Model (XACML-based)
[Diagram: the User sends an action on an application to Policy Enforcement (PEP). The PEP exchanges Decision Request / Decision Reply with Policy Decision (PDP); the action on the application is then PERMITTED and passed to the Application, or DENIED. The PDP performs Policy Retrieval from Policy Administration (PAP), where a Manager does Policy Management on the Policy Repository, and exchanges Information Request/Reply with two Policy Information (PIP) components, each backed by an Authentic Source.]
Slide inspired by Frank Robben
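Added example (not part of the original slides, and not FedICT's or any XACML engine's code): a compact Python stand-in for the PEP / PDP / PIP / PAP flow above, using XACML's Permit / Deny / NotApplicable decisions with deny-overrides combining and a minimum LoA per rule. The rule set, role names, subjects and function names are all constructed for illustration.

```python
from dataclasses import dataclass

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"

@dataclass(frozen=True)
class Rule:
    effect: str        # PERMIT or DENY
    resource: str
    action: str
    role: str
    min_loa: int = 0   # lowest authentication level a permit rule accepts

# Policy repository as a PAP would publish it (constructed sample policies;
# LoA thresholds follow the levels listed on the LoA slide).
POLICIES = [
    Rule(PERMIT, "patient-record", "read", "physician", min_loa=3),
    Rule(PERMIT, "sensitive-record", "read", "physician", min_loa=4),
    Rule(DENY, "patient-record", "read", "suspended"),
    Rule(PERMIT, "public-data", "read", "anyone", min_loa=0),
]

# PIP: attribute provider backed by an authentic source (constructed data).
ROLE_DB = {"alice": {"physician"}, "bob": {"physician", "suspended"}}

def pip_roles(subject):
    """Resolve the subject's roles; every subject also holds 'anyone'."""
    return ROLE_DB.get(subject, set()) | {"anyone"}

def pdp_decide(subject, loa, resource, action):
    """PDP: deny-overrides combining over all rules matching the request."""
    roles = pip_roles(subject)
    decision = NOT_APPLICABLE
    for rule in POLICIES:
        if (rule.resource, rule.action) != (resource, action):
            continue
        if rule.role not in roles:
            continue
        if rule.effect == DENY:
            return DENY            # an explicit deny always wins
        if loa >= rule.min_loa:
            decision = PERMIT      # permit only at sufficient LoA
    return decision

def pep_enforce(subject, loa, resource, action):
    """PEP fails closed: anything other than Permit blocks the action."""
    return pdp_decide(subject, loa, resource, action) == PERMIT
```

The PEP treating NotApplicable as a refusal is what keeps an unmatched request, or a session authenticated at too low a level, from reaching the application.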

Re-using Architecture
[Diagram: the same building blocks (USER, APPLICATIONS such as WebApp XYZ, Authentication, Authorization, PEP with Role Mapper and Role Mapper DB, PDP with Role Provider and Role Provider DB, PAP ‘’Kephas’’, PIP Attribute Providers with their databases) repeated for three sectors: Be-Health, Social sector (CBSS) and Non social FPS (FedICT). Attribute provider databases shown: UMAF, DB XYZ, DB Bailiffs, DB Mandates, Management VAS.]
Slide inspired by Frank Robben

Conclusion
eGovernment Services are accessible
- Via open standards
- With strong authentication & access management
Federated system permits use of common basic services securely
- Without losing any autonomy!
System allows permanent evolution
- Continuously changing user & organization requirements

Food for Thought Trust is Good – Control is Better!

Thank you! Danny De Cock, Researcher Applied Cryptography. Slides: © fedict All rights reserved

eID Card Issuing Procedure
[Diagram: numbered flows (0) to (13), including (10a’), (10a”) and (10b), between Citizen, Municipality (face to face identification), National Register (RRN), Card Personalizer (CP), Card Initializer (CI) and Certification Authority (CA); the citizen receives PIN & PUK.]

eID Card Issuing Procedure
0: Citizen receives a convocation letter or takes the initiative
1: Visit municipality with photo
2: Formal eID request is signed
3,4: CP receives eID request via RRN
5: CP prints new eID card, CI starts on-card key pairs generation
6: RRN receives part of the eID card activation code PUK1
7: CA receives certificate requests
8: CA issues two new certificates and issues new CRLs
9: CI stores these certificates on the eID card
10a: CI writes citizen data (ID, address,…) to the card, deactivates the card
10b: CI sends invitation letter with citizen’s PIN and activation code PUK2
11: Citizen receives invitation letter
12: Civil servant starts eID card activation procedure
13: eID card computes a signature with each private key, CA removes certificates from CRL

eID Certificates Hierarchy
[Diagram: Belgium Root CA (with ARL) above Citizen CA, Foreigners’ CA, Gov CA and Card Admin CA, each with its own CRL. Certificates shown: Auth Cert, Non-rep Cert, Server Cert, RRN Cert, Code sign Cert, Card Admin Cert, Admin Auth Cert. Key sizes shown: 1024-bit RSA, 2048-bit RSA.]
- Certificates for Government web servers, signing citizen files, public information,…
- Card Administration: update address, key pair generation, store certificates,…

Abstract eGovernment Ecosystem
[Diagram: entities A to H grouped into Context 1, Context 2 and Context 3.]