X-Road as a Platform to Exchange MyData

Slides:



Advertisements
Similar presentations
Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi
Advertisements

Windows 2000 Security --Kerberos COSC513 Project Sihua Xu June 13, 2014.
Chapter 14 – Authentication Applications
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
PIS: Unit III Digital Signature & Authentication Sanjay Rawat PIS Unit 3 Digital Sign Auth Sanjay Rawat1 Based on the slides of Lawrie.
Inter-Institutional Registration UNC Cause December 4, 2007.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Cross Platform Single Sign On using client certificates Emmanuel Ormancey, Alberto Pace Internet Services group CERN, Information Technology department.
Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.
Http Web Authentication Web authentication is used to verify a users identity before allowing access to certain web pages On web browsers you get a login.
DICOM INTERNATIONAL DICOM INTERNATIONAL CONFERENCE & SEMINAR April 8-10, 2008 Chengdu, China DICOM Security Eric Pan Agfa HealthCare.
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
A Third Party Service for Providing Trust on the Internet Work done in 2001 at HP Labs by Michael VanHilst and Ski Ilnicki.
WAP Public Key Infrastructure CSCI – Independent Study Fall 2002 Jaleel Syed Presentation No 5.
 Authorization via symmetric crypto  Key exchange o Using asymmetric crypto o Using symmetric crypto with KDC  KDC shares a key with every participant.
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
CPR Overview 28-April Agenda Introduction Requirements Data Model Services Model Service Providers Implementation Contact Information.
Encryption An Overview. Fundamental problems Internet traffic goes through many networks and routers Many of those networks are broadcast media Sniffing.
SACMAT02-1 Security Prototype Defining a Signature Constraint.
Digital Signature Xiaoyan Guo/ Xiaohang Luo/
Virtual techdays INDIA │ august 2010 Secure Collaboration: All You Need to Know about Extending Active Directory Rights Management Services (AD RMS)
CRYPTOGRAPHY PROGRAMMING ON ANDROID Jinsheng Xu Associate Professor North Carolina A&T State University.
X-Road (X-tee) A platform-independent secure standard interface between databases and information systems to connect databases and information systems.
Digital Cash By Gaurav Shetty. Agenda Introduction. Introduction. Working. Working. Desired Properties. Desired Properties. Protocols for Digital Cash.
OPeNDAP Hyrax Back-End Server (BES) Authentication and Authorization Patrick West
SYSTEM ADMINISTRATION Chapter 13 Security Protocols.
Secure Electronic Transaction (SET)
Introduction to Secure Messaging The Open Group Messaging Forum April 30, 2003.
Troubleshooting Federation, AD FS 2.0, and More…
ArcGIS Server and Portal for ArcGIS An Introduction to Security
E-Commerce Security Professor: Morteza Anvari Student: Xiaoli Li Student ID: March 10, 2001.
Chapter 23 Internet Authentication Applications Kerberos Overview Initially developed at MIT Software utility available in both the public domain and.
SECURITY MANAGEMENT Key Management in the case of public-key cryptosystems, we assumed that a sender of a message had the public key of the receiver at.
Digital Envelopes, Secure Socket Layer and Digital Certificates By: Anthony and James.
1 SSL - Secure Sockets Layer The Internet Engineering Task Force (IETF) standard called Transport Layer Security (TLS) is based on SSL.
Extending ISA/IAG beyond the limit. AGAT Security suite - introduction AGAT Security suite is a set of unique components that allow extending ISA / IAG.
1 Needham-Schroeder A --> S: A,B, N A S --> A: {N A,B,K AB,{K AB,A} KBS } KAS A --> B:{K AB,A} KBS B --> A:{N B } KAB A --> B:{N B -1} KAB.
Cryptography and Network Security Chapter 14 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
Belgian EID Card 15/12/2004 Derette Willy eID program manager.
Need for Security Control access to servicesControl access to services Ensure confidentialityEnsure confidentiality Guard against attacksGuard against.
© Copyright 2009 SSLPost 01. © Copyright 2009 SSLPost 02 a recipient is sent an encrypted that contains data specific to that recipient the data.
Authentication Presenter Meteor Advisory Team Member Version 1.1.
SSH. 2 SSH – Secure Shell SSH is a cryptographic protocol – Implemented in software originally for remote login applications – One most popular software.
Cryptography and Network Security Chapter 14 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.
Training for developers of X-Road interfaces
SFS-HTTP: Securing the Web with Self-Certifying URLs
Cryptography and Network Security
Secure Sockets Layer (SSL)
Information Security message M one-way hash fingerprint f = H(M)
Authentication.
CSCE 715: Network Systems Security
Authentication Applications
CRC exercises Not happy with the way the document for testbed architecture is progressing More a collection of contributions from the mware groups rather.
THE STEPS TO MANAGE THE GRID
Public Key Infrastructure (PKI)
Kerberos Kerberos is a network authentication protocol and it is designed to provide strong authentication for client server applications. It uses secret.
Session Initiation Protocol (SIP)
CSCE 715: Network Systems Security
Information Security message M one-way hash fingerprint f = H(M)
Information Security message M one-way hash fingerprint f = H(M)
Google 2 Step Verification Backup Codes Google 2 Steps Verification Backup Codes is very important to get access Gmail account. Backup codes is usually.
Security in ebXML Messaging
Digital Signatures and Forms
Information Security message M one-way hash fingerprint f = H(M)
Digital Certificates and X.509
The Secure Sockets Layer (SSL) Protocol
SharePoint Online Authentication Patterns
(Authentication / Authorization)
The new EDAMIS and its security
National Trust Platform
Presentation transcript:

X-Road as a Platform to Exchange MyData Petteri Kivimäki, CTO 29th August 2018

Table of Contents MyData Roles How Does X-Road Work? X-Road as a Technical Platform for MyData MyData via X-Road What X-Road Does and Does Not Provide

MyData Roles MyData Operator Digital Identity Individual Consent Access Logs Consent Consent Individual – a person who authorizes data flows with consent. MyData Operator – provides a MyData accounts that enable digital consent management. Data Source – provides data about individuals. Data Using Service – uses the data provided by data sources. Data Data Source Data Using Service

How Does X-Road Work? X-Road Core Central Services Registry of trusted parties (organizations, servers) Trust Services Service Consumer Service Provider Security Server Security Server Signature and time-stamping of messages, logging Verify incoming messages, time-spamping, logging, access rights Trust Services Time-stamping of messages Validity of certificates (auth, sign)

X-Road as a Technical Platform for MyData MyData Operator Digital Identity Individual Consent Access Logs Consent Both consent and data are transferred via X-Road. X-Road logs all the requests and the logs are used for providing a centralized view to access logs where the individual can see who has accessed his or her data. X-Road provides Organization level authentication Machine to machine authentication Standardized messaging model Non-repudiation of messages Access rights management Address management and message routing Transportation level encryption. Access Logs Data Data Source Data Using Service X-Road Security Server

MyData via X-Road MyData Operator All the registered data using services have access to all the registered data sources. Consents are used for managing authorizations to access the data of individuals. 1. Check consent (*) 3.1 Check consent (*) (optional) Access logs (*) Access logs (*) Data Using Service Data Source 2. Send request 4. Return response Security Server Security Server 3. Check access rights (global group) * Checking consents and transfering access logs is done via X-Road.

MyData via X-Road Consents are managed by the MyData Operator. Every data source and data using service must implement the required MyData APIs and enable their services to be connected with MyData accounts. X-Road client/service identifier must be stored by the MyData Operator. Access rights to data sources are managed using X-Road global groups that are centrally managed by the X-Road operator. Registered data using services are added as members of the global group by the X-Road operator. Data sources grant the MyData global group access to their MyData services – all the members of the group then have access to the services.

MyData via X-Road All the registered data using services have access to all the registered data sources. Consents are used for managing authorizations to access the data of individuals. Data using service is responsible for checking the consent before sending a request. No consent is found => no request is sent. Consent is found => request is sent and the ID of the consent is included in the request (with other required parameters, e.g. user ID). Data source trusts the data using service and does not re-check the validity of the consent. Alternatively, data source may re-check the validity of the consent. Increases trust – and overhead.

MyData via X-Road All the requests and responses are logged by X-Road. Information related to MyData requests/responses (consent ID, data using service, data source, user ID identifying the individual, date/time etc.) is made accessible to the MyData Operator. Individuals can view who has accessed their information through their MyData account. Unauthorized use of individuals’ data can be automatically detected by analyzing the logs and is subject to penalties, e.g. exclusion from the service etc.

Certification Authority (CA) MyData via X-Road MyData Operator Central Server MyData Clients (global group): FI.COM.12345-6.Client FI.GOV.XXXX.XXX FI.COM.XXXX.XXX . Register data using service: FI.COM.12345-6.Client Register data source: FI.COM.65432-1.Service.getData.v1 Register data using service (subsystem): FI.COM.12345-6.Client Add subsystem to MyData Clients global group Publish data source: FI.COM.65432-1.Service.getData.v1 Grant MyData Clients access to: FI.COM.65432-1.Service.getData.v1 Data Using Service Data Source Security Server Get auth and sign certificates. Check validity. Security Server FI.COM.12345-6.Client FI.COM.65432-1.Service.getData.v1 Certification Authority (CA)

MyData Account and Consents ID Individual Data Using Service Data Source User ID Validity Label Consent ID – random string Social security number X-Road client identifier of the data using service X-Road service identifier of the data source The ID identifying the individual in the data source, e.g. social security number, Facebook ID, Google ID etc. The period when the consent is valid. Example 619KOZDLS2 121275-123A FI.COM.12345-6.Client FI.COM.65432-1.Service.getData.v1 1.3.2018-31.12.2018 Individuals manage consents through a MyData account. X-Road identifiers are used for identifyind the data using service and data source (not visible to the user). If social media user ID is used, the social media account must be confirmed and linked to the MyData account. In addition, the data source must define the ID that’s used for identifying the user. By default social security number is used.

X-Road Provides Organization level authentication Machine to machine authentication Standardized messaging model Non-repudiation of messages Logging of messages Access rights management Address management and message routing Transportation level encryption.

X-Road Does Not Provide Semantic interoperability Common business data models Standardized business APIs Implementation of the MyData Operator Consent verification.

Questions?

WWW.NIIS.ORG petteri.kivimaki@niis.org +372 7130 802

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.