
This is the consultation version of the Twiin Afsprakenstelsel Release 1.2.0

10.2.10 | Network level security: mTLS 1.3

In a secure network, certificates play a crucial role by enabling the establishment of secure connections using TLS. They also ensure the authenticity and integrity of published data.

Both the Sending System and Receiving System expose endpoints that must be protected from unauthorized and malicious interactions. More specifically, access control measures must be applied to the following endpoints:

  • Receiving System: Notification endpoint (FHIR Task endpoint)

  • Sending System: Resource endpoint

Mutual TLS shall be used to protect these endpoints in the following ways:

  • Authentication: the sending and receiving systems mutually verify each other's identity before a secure connection is established. In this way only trusted systems (systems that are a GtK) are allowed to set up connections.

  • Encryption: an mTLS connection is encrypted. This means that only the sending and receiving systems can read the exchanged data and no third, unauthorized party can ‘listen in’.

  • Integrity: mTLS ensures that the data has not been modified by an unauthorized party during transmission. Any tampering with a record is detected by the recipient, which rejects the record and aborts the connection.

  • Protection against replay attacks: within a connection, TLS rejects replayed records. Each side keeps a record sequence number that starts at zero, is incremented for every record sent or received, and is never transmitted; it is mixed into the nonce with which every record is encrypted and authenticated. A captured record that is injected again arrives out of sequence, fails authentication, and causes the recipient to abort the connection. Two caveats matter for these endpoints: TLS 1.3 0-RTT early data has no replay protection and should stay disabled, and TLS does not prevent a party holding a valid client certificate from sending the same request again over a new connection, so replay of a notification or resource request remains an application-level concern.

Terminology

  • Certificate Authority (CA): A trusted entity responsible for issuing and managing certificates used in secure network connections.

  • Certificate Revocation List (CRL): A list maintained by a Certificate Authority, containing revoked certificates to prevent the use of compromised or invalid certificates.

  • Public Key Infrastructure overheid (PKIo): A PKI structure controlled by the Dutch government, governing the issuance and management of PKIo certificates in the Netherlands.

  • Trust Service Provider (TSP): A party authorized to issue PKIo certificates within the PKIo infrastructure, responsible for the integrity and security of the certificates it issues.

Network level security: mTLS 1.3

On network level mutual TLS (mTLS) must be applied. The TLS-implementation must comply with the security level “Good” as specified by the National Cyber Security Centre (NCSC). At the time of writing, the IT Security Guidelines for Transport Layer Security (TLS) require version 1.3 of the TLS standard for the security level “Good”.

The exchange of a client certificate during the mTLS handshake does not only enable the server to authenticate the client on network level, but it also enables the server to issue certificate bound access tokens as specified in RFC 8705: OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens as an additional security measure on application level. See section Resource server authorization: OAuth 2.0 for requirements on application level security using OAuth 2.0.

CRL / OCSP / CPS

Revocation status must be checked at least once every hour.

PKIoverheid

Both the client and server certificates must be PKIo certificates issued under the CA “Staat der Nederlanden Private Services CA – G1” (this includes UZI server certificates issued by the UZI register (CIBG)). See https://cert.pkioverheid.nl/

Note: the requirements specified in this paragraph apply to the Notification, FHIR, and token endpoints.

Requirements (PvE):

Columns: #, Description, Domain (not filled in for any requirement below), Remark.

5.010
Description: To be able to authenticate themselves, all systems involved in transactions within the context of Twiin can present a valid PKI certificate.
Remark: A valid PKI certificate is a UZI server certificate or a PKIoverheid certificate.

5.020
Description: All transactions within the context of Twiin are secured with Mutual Transport Layer Security (mTLS).

5.030
Description: Only TLS versions and algorithms classified as "good" or "sufficient" in the NCSC's ICT security guidelines for Transport Layer Security (TLS), version 2.1, are used.
Remark: A system only offers TLS 1.3 if it also offers TLS 1.2. It is not mandatory to offer all algorithms classified as "good" in those guidelines.

5.040
Description: Transactions within the context of Twiin are encrypted according to TLS, as referred to in requirement 5.020.

5.050
Description: Before transport actually takes place, the Nodes verify the validity of each other's certificates by means of CRL or OCSP.

5.060
Description: Systems that must verify the validity of the UZI server certificate of other Systems comply with the obligations of the Certification Practice Statement (CPS) of the UZI register.
Remark: See https://www.zorgcsp.nl/certification-practice-statement-cps, article 4.5.2

5.070
Description: Systems that must verify the validity of the PKIo server certificate of other Systems do so by means of the most recently published Certificate Revocation List (CRL) or via the Online Certificate Status Protocol (OCSP).
Remark: See https://cps.pkioverheid.nl/CPS_PA_PKIoverheid_G2_G3_Root_v4.3.pdf, section 2.2.

Table adopted from Babyconnect, with adjustments in the context of Twiin. @Wouter Tesink @Marc agree?
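The following Go program is an added worked example for this section; it is not code from the Twiin Afsprakenstelsel or from any Twiin node, and it uses only Go's standard library. It shows the server side of an endpoint enforcing what requirements 5.020 to 5.050 ask for (TLS 1.3 only, a client certificate that chains to the trusted CA, the handshake refused otherwise), derives the x5t#S256 thumbprint that RFC 8705 binds an access token to, and checks a certificate against a CRL that must be signed by the issuer, still within its validity window, and refreshed at least hourly (requirements 5.050 to 5.070 and the hourly check above). The throwaway in-memory CA, the host names sending.example and receiving.example, the Ed25519 keys and the 24-hour lifetimes are assumptions standing in for PKIoverheid certificates; OCSP is not shown.

```go
// Added example, not code from the Twiin Afsprakenstelsel: the in-memory CA, host names and lifetimes are assumptions.
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"net"
	"time"
)

// mkCert issues an Ed25519 certificate: ca == nil makes a self-signed CA (may sign certificates and CRLs), else a leaf signed by ca.
func mkCert(name string, serial int64, ca *tls.Certificate) tls.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), BasicConstraintsValid: true}
	if ca == nil {
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign|x509.KeyUsageCRLSign
		ca = &tls.Certificate{Leaf: tmpl, PrivateKey: key} // parent == template: self-signed
	} else { // leaf usable on either side of an mTLS connection
		tmpl.DNSNames, tmpl.KeyUsage = []string{name}, x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Leaf, pub, ca.PrivateKey)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// mtlsHandshake runs a mutually authenticated TLS 1.3 handshake over an in-memory pipe, trusting only trust, and returns the client certificate the server verified.
func mtlsHandshake(trust *x509.CertPool, server, client tls.Certificate) (*x509.Certificate, error) {
	srvCfg := &tls.Config{MinVersion: tls.VersionTLS13, ClientCAs: trust, // NCSC level "Good": TLS 1.3 only
		ClientAuth: tls.RequireAndVerifyClientCert, Certificates: []tls.Certificate{server},
		SessionTicketsDisabled: true} // net.Pipe is unbuffered: keep the handshake flights strictly alternating
	cliCfg := &tls.Config{MinVersion: tls.VersionTLS13, RootCAs: trust,
		ServerName: server.Leaf.DNSNames[0], Certificates: []tls.Certificate{client}}
	p1, p2 := net.Pipe()
	srv, cli := tls.Server(p1, srvCfg), tls.Client(p2, cliCfg)
	defer srv.Close()
	go func() { // client side: handshake, then drain so server alerts and close_notify are consumed
		defer cli.Close()
		for buf := make([]byte, 64); cli.Handshake() == nil; {
			if _, err := cli.Read(buf); err != nil {
				return
			}
		}
	}()
	if err := srv.Handshake(); err != nil {
		return nil, err
	}
	return srv.ConnectionState().PeerCertificates[0], nil
}

// x5tS256 is the RFC 8705 "cnf" {"x5t#S256"} value a token endpoint binds an access token to: unpadded base64url(SHA-256(DER)).
func x5tS256(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.Raw)
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// issueCRL (the CA's side) returns a DER-encoded CRL signed by ca that revokes one serial number.
func issueCRL(ca tls.Certificate, revoked *big.Int, thisUpdate time.Time) []byte {
	der, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1),
		ThisUpdate: thisUpdate, NextUpdate: thisUpdate.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: revoked, RevocationTime: thisUpdate}},
	}, ca.Leaf, ca.PrivateKey.(ed25519.PrivateKey))
	if err != nil {
		panic(err)
	}
	return der
}

// crlStatus (relying party's side): leaf is revoked per a CRL that must be signed by issuer, not past NextUpdate, and fetched at most maxAge ago.
func crlStatus(crlDER []byte, issuer, leaf *x509.Certificate, fetchedAt, now time.Time, maxAge time.Duration) (bool, error) {
	rl, err := x509.ParseRevocationList(crlDER)
	if err == nil {
		err = rl.CheckSignatureFrom(issuer)
	}
	if err != nil {
		return false, err
	}
	if now.After(rl.NextUpdate) || now.Sub(fetchedAt) > maxAge {
		return false, fmt.Errorf("stale CRL (fetched %s ago): refresh it before deciding", now.Sub(fetchedAt))
	}
	for _, rc := range rl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}
```

Handing mtlsHandshake a client certificate from a CA outside the trust pool makes the server return an error instead of a peer certificate, which is the "only trusted systems" property of the Authentication bullet above. crlStatus returns an error rather than a verdict when the cached CRL is older than maxAge or is not signed by the expected issuer, so a caller cannot mistake a stale or forged list for "not revoked". Session tickets are disabled only because the example runs over an unbuffered in-memory pipe; that is not a requirement of this section.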

The Twiin Afsprakenstelsel is published under the Creative Commons licence
CC BY-SA Attribution-ShareAlike https://creativecommons.org/licenses/by-sa/4.0/legalcode.nl