Securing eHealth, eGovernment and eBanking with Java - DWX '21
Download as PPTX, PDF0 likes148 views
The document discusses the integration of information and communication technologies in eHealth, eGovernment, and eBanking, emphasizing secure electronic signatures and their legal classifications. It details various types of electronic signatures, including advanced and qualified signatures, as well as the Digital Signature Services (DSS) framework aimed at ensuring interoperability and compliance with European legislation. Additionally, it provides resources such as links to the DSS framework, related projects, and ongoing work on a book about Jakarta EE security.
Securing eHealth, eGovernment and eBanking with Java - DWX '21
- 1. Werner Keil CATMedia Thodoris Bais ABN Amro & Utrecht JUG June 30, 2021 Securing eHealth, eGovernment and eBanking with Java
- 2. Werner Keil Thodoris Bais Jakarta EE Specification Committee Member Jakarta EE Ambassador, EG Member JSR-385 Let’s meet @thodorisbais @wernerkeil
- 3. Agenda 1. eHealth and eGovernment 2. Signatures and Certificates 3. eBanking and eBusiness 4. DSS Framework 5. Demo 6. Links / Q&A
- 4. eHealth refers to the use of information and communications technologies in healthcare. https://www.who.int/ehealth/en/
- 5. eGovernment is the opening up and adaptation of the public sector through information and communication technologies.
- 7. eHealth in DE Long distance communication Health Data Patient Monitoring
- 9. eHealth in NL 80% Access to medical records 75% Health monitoring
- 10. eHealth in NL – How to achieve these goals
- 11. Benefits of eHealth Insight into own health Time saving
- 12. Requirements for Secure Transmission Integrity Identity Authenticity
- 13. Authenticity of Author and Data • Assignment of data to the signer • Protection against denial by signatory • Protection of data against manipulation • On the transmission path • Through the receiver
- 16. Functionality The electronic signature is a cryptographic method that uses two asymmetric keys • Private key • Public key
- 18. Signature Types The signature law distinguishes three (or four) types of signatures: • Simple Electronic Signature (SES) • Advanced Electronic Signature (AdES) • Qualified Electronic Signature (QES) • Qualified Electronic Signature with Provider Accreditation
- 19. Signature Types
- 20. Advanced Electronic Signature Electronic signatures, where: • The owner can be uniquely identified and assigned to the signature • The signature is generated by means which owner can keep under their sole control • It is capable of identifying if accompanying data has changed after the message was signed • The signature can be invalidated in the event of such change
- 21. Scope of Application An advanced electronic signature holder can also be a company, service, app, etc. The advanced electronic signature can therefore be used to sign documents if there are no legal formalities (personal certificates) With the advanced electronic signature, mass signatures are possible, for example to ensure the integrity of documents in the area of electronic invoicing or archiving (functional certificates)
- 22. Qualified Electronic Signature An advanced electronic signature based on a secure signature creation device and a qualified certificate valid at the time of creation. Qualified Certificates • Serial Number • Reference to Qualified Certificate • Name of the owner (natural person) • Signature verification • Period of validity • Certification Service • Usage restrictions
- 23. Qualified Electronic Signature with Accreditation Provision of the PKI by a trust center that has undergone the voluntary accreditation process. Accreditation as a quality label provides proof of comprehensively tested safety. An accredited Qualified Trust Service Provider (QTSP) manages the signature creation.
- 24. Certificates
- 25. Certificates The assignment of the electronic signature to the owner is carried out by means of certificates A certificate is an electronic document linking the public signature verification key to the name of the holder (natural or legal person) The most common format for public key certificates is X.509.
- 26. Signature Formats There are four main types of signatures: • XAdES (XML Document) • CAdES (Common binaries of different kinds) • PAdES (PDF Document) • JAdES (JSON Document) Associated Signature Containers (ASiC) specifies containers to bind signed objects with advanced electronic signatures or timestamp tokens
- 27. Signature Packaging Depending on the signature format, different packaging of the signature and the document are possible: • Enveloped • Enveloping • Detached • Internally Detached
- 28. Signature Creation and Validation
- 31. eIDAS Certificate for PSD2
- 34. DSS Framework
- 35. DSS Framework DSS (Digital Signature Services) is an open-source software library for electronic signature creation and validation. DSS supports the creation and verification of interoperable and secure electronic signatures in line with European legislation. Three main features can be distinguished within the framework: • Creation of a Digital Signature • Extension of a Digital Signature • Validation of a Digital Signature
- 36. DSS Framework – Features • Formats of the signed documents: XML, PDF, DOC, TXT, JSON, ZIP,… • Packaging structures: enveloping, enveloped, detached and internally-detached • Forms signatures: XAdES, CAdES, PAdES, JAdES and ASiC- S/ASiC-E • Profiles associated to each form of the digital signature • Trust management • Revocation data handling (OCSP and CRL sources) • Certificate chain building • Signature validation and validation policy
- 38. Links CEF Digital Home: https://ec.europa.eu/cefdigital/wiki/display/CEFDIGITAL/eSignature eGov EU Twitter Account: @eGov_EU CEF DSS: https://ec.europa.eu/cefdigital/wiki/display/CEFDIGITAL/DSS DSS Framework on GitHub: https://github.com/esig/dss Bouncy Castle for Java: https://www.bouncycastle.org/java.html Apache Sanctuario: https://santuario.apache.org/ Apache PDFBox: https://pdfbox.apache.org/
- 39. Jakarta Security Book We (Arjan, Thodoris and Werner) are working on a book “The Definitive Guide to Jakarta EE Security” (Apress, 2021) Examples on GitHub: github.com/Apress/definitive-guide-jakarta-ee-security Twitter Account: @jakartasecbook
Editor's Notes
- #8: E-government is the opening up and adaptation of the public sector through information and communication technologies. One distinguishes between: Internal E-Government - Use of IT within the public sector without any contact with the citizen, such as electronic medical records, exchange between public authorities, healthcare providers, pharmacies, etc. External E-Government - Web site and services for citizens, patients, customers, companies, ...
- #9: Currently, Germany is still at an early stage of the application of e-health or M-Health. There are, however, already some advantages and possibilities to see how both are used or can be used soon. For example for: Communication over long distances, regardless of location. Especially in rural areas, or where there is a shortage of doctors Computer-based procedures for the collection, transmission and evaluation of health data. The monitoring of patients, for example, the chronically ill, or voluntary self-monitoring (Quantified Self)
- #10: eIDAS: accessing Dutch government services online The introduction of the Electronic Identification and Trust Services Regulation (eIDAS) means EU citizens from other member states can access Dutch government services online. What government services can I access in the Netherlands? You can use your login details for any approved European electronic identification scheme to access all the same services as Dutch people can using their DigiD. If, for example, you are a German national working in the Netherlands, you can log in using your ‘Neuer Personalausweis’ to: see how much pension you have built up through the Social Insurance Bank (SVB); submit your tax return to the Tax and Customs Administration; check your pension payments to your pension provider; object to the assessment of the value of your property under the Valuation of Immovable Property Act (WOZ); BSN ?
- #11: The government is encouraging the healthcare sector to expand telehealth (eHealth) services. Below the goals set by the Dutch government: Access to medical records At least 80% of chronically ill people should have access to their own medical records by 2019, and at least 40% of other members of the population. Health monitoring By 2019 75% of chronically ill people and vulnerable elderly people should be able to monitor certain aspects of their own health and share the data with their health provider. This would include things like blood pressure and cholesterol levels. Online contact with care provider People receiving care and support at home should be able to communicate with their care provider 24 hours a day via a screen, if they wish.
- #12: Support for innovators via online platform Healthcare innovators wishing to make a new digital application can go to zorgvoorinnoveren.nl (in Dutch), where they will find support to help them develop their idea swiftly and effectively into a working application. The site also has tips on getting funding. Making digital data sharing easier The government is consulting with healthcare administrators on standards that should facilitate digital data sharing. They are also talking to suppliers of IT systems. Sharing eHealth knowhow The government is bringing healthcare innovators and other parties together. It has established a startup network, for example, which includes healthcare providers, patients and lawyers. The network allows them to share knowledge and help startups and innovations advance to the next stage. Another project uses telehealth to help elderly people live independently for longer. Personal digital healthcare environment Some healthcare providers and IT suppliers already offer patients the opportunity to draw up and manage a personal health record (PHR). But safely combining and sharing personal health information is a complex matter, and is currently possible to only a limited extent. Various parties in the healthcare sector are therefore collaborating on a programme to give people more control over their own health.
- #13: Time saving Patients can schedule their own appointment with their care provider online. No need to leave their home if they can arrange an online consultation (e.g. video link) Insight into own health A personal digital healthcare environment gives people more insight into their health. If they wish, they can share all or part of their data with a healthcare provider, so that they do not have to repeatedly relate their entire medical history. This allows the healthcare provider to work more effectively, determine the right treatment more quickly, and avoid mistakes. Patients gain more control over their own health thanks to a greater understanding of their health situation. Lower administrative burden Doctors have less paperwork and can share information securely and easily with colleagues. Not all healthcare providers currently offer telehealth. But healthcare providers and patients are becoming more aware of the benefits. Many doctors now offer patients the opportunity to schedule appointments online. Around 46% of patients would like to have online access to their medical records (source: eHealth Monitor 2015), but this can only be done if there are good safeguards for privacy.
- #14: Integrity Messages should not be able to be falsified unnoticed Identity A message should be clearly assigned to the sender Authenticity The identity of the sender should be verifiable Confidentiality Messages should not be read by unauthorized persons
- #16: E-communication entails risks Who is my counterpart? Who is reading? Has anyone changed something? Solutions: E-Signature & Encryption Unauthorised third parties cannot read an encrypted message Electronically signed documents can not be changed unnoticed, neither during transmission nor through the receiver -Sender can not deny text (e.g., binding offer)
- #18: The private key to be kept secret is used to encrypt the hash value of the document (= "Compressed text consisting of a sequence of binary values) The public key can only be used for decryption and matches only one private key. It can be publicly retrieved and is often sent with the message
- #19: The private key to be kept secret is used to encrypt the hash value of the document (= "Compressed text consisting of a sequence of binary values) The public key can only be used for decryption and matches only one private key. It can be publicly retrieved and is often sent with the message
- #31: e-SENS (Electronic Simple European Networked Services)
- #32: PSU = Payment Service User TPP = Third Party Provider PISP = Payment Initiation Service Provider AISP = Account Information Service Provider PIISP = Payment Instrument Issuer Service Provider ASPSP = Account Servicing Payment Service Providers XS2A = Access 2 Accounts
- #33: NCA = National Competent Authority CSR = Certificate Signing Request QTSP = Qualified Trust Service Provider
- #39: Add the 4 versions of signature validation