GDPR (General Data Protection Regulation) and the FIDO Standards

  TOKYO Seminar 2018. Alain Martin, FIDO Alliance Secretary / Co-Chair of the FIDO Europe WG, Vice President of Strategic Partnerships, Gemalto
Transcript
  • 1. FIDO SUPPORT FOR THE GDPR
      ALAIN MARTIN, CO-CHAIR FIDO EUROPE WG, VP STRATEGIC PARTNERSHIPS - GEMALTO
      All Rights Reserved | FIDO Alliance | Copyright 2018
  • 2. AGENDA
      • Review of relevant GDPR requirements
      • How FIDO helps to meet these requirements
  • 3. GDPR – GENERAL DATA PROTECTION REGULATION
      • Applies since 25 May 2018
      • Very large fines for infringement: up to €20,000,000 or 4% total worldwide turnover
      • Data protection
      • Consent of data subject
      • Data subject rights
      • Adequacy, relevance, etc. of data collection
      • …
      Slide callout: The subject of today
  • 4. SECURITY OF PROCESSING
      • Personal data shall be protected against unauthorised processing, unauthorised disclosure or access (articles 5, 32.2)
      • Level of security to be appropriate to the risk (article 32.1)
  • 5. PROTECTION AGAINST UNAUTHORIZED ACCESS
      Are passwords still OK?
      ➔ Strong authentication may be required
  • 6. RECENT HEALTHCARE DATA BREACHES
      • July 2018 – Singapore: “Hackers stole data of PM Lee and 1.5 million patients in 'major cyberattack' on SingHealth”
      • October 2018 – USA: “US Center for Medicare & Medicaid Services says 75,000 individuals' files accessed in data breach”
      • July 2018 – USA: “1.4M records breached in UnityPoint Health phishing attack”
      • July 2018 – USA: “Patient data exposed for months after phishing attack on Sunspire”
  • 7. SPECIAL CATEGORIES OF DATA
      • Processing of this data prohibited, unless allowed in specific cases (article 9.1)
      • If allowed, requires
          • Explicit consent (article 9.2)
          • Suitable safeguards to protect personal data
          • Data protection impact assessment (article 35)
              • Assessment of the measures, safeguards and mechanisms envisaged for mitigating risk and ensuring the protection of personal data
      Special categories of data (slide graphic): Political opinions; Racial or ethnic origin; Healthcare; Sexual life; Religious beliefs; Biometric data
  • 8. USER CONSENT
      • Data subject must give consent to processing of his/her personal data (article 6.1)
      • The controller should be able to demonstrate this consent (article 7.1)
      • For special categories: explicit consent (article 9.2)
  • 9. EXPLICIT CONSENT
      Is ticking a box the best practice?
      ➔ Strong authentication could be a good practice
      ➔ Creating a non-forgeable digital proof could be a good practice
  • 10. EXEMPTION
      • GDPR does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity (article 2.2)
      • Biometrics on smartphone can be exempted
          • e.g. French Data Protection Authority (CNIL) exemption IF ON DEVICE STORAGE AND MATCHING
          • If remote storage and matching, there must be an impact assessment
  • 11. CNIL BIOMETRIC DIRECTIVE
      Criteria for exemption from CNIL review and authorization
      1. The user uses this device privately, using his own biometric data, to unlock his phone or to access applications he has downloaded on his own
      2. The user only decides to use the biometric authentication integrated in his device
      3. The biometric template is stored in the device in a closed environment and is not accessible or transmitted to the outside
      4. The biometric template is stored in the apparatus in an encrypted manner using a cryptographic algorithm and a key management according to the state of the art
      5. During the access control, only a token or data indicating the success or failure of the recognition of the biometry presented is transmitted
  • 12. DATA SUBJECT RIGHTS
      • Data subjects have a number of rights on their personal data:
          • Right of access (Article 15)
          • Right to rectification (Article 16)
          • Right to erasure (Article 17)
          • Right to data portability (Article 20)
      • Delivering these capabilities requires user authentication
      For sensitive data (special categories), are passwords still OK?
      ➔ Strong authentication may be required
  • 13. DATA PROTECTION BY DESIGN PRINCIPLE
      • Controllers should implement measures which meet the principles of data protection by design (article 25)
          • Proactive
          • Embedded from the start in design
      • For authentication solutions, this would mean, by design:
          ➔ Protection of user authentication credentials and biometric data
          ➔ Protection against phishing or MITM attacks
          ➔ Protection against third parties inferring the identities of authenticating parties
  • 14. FIDO HELPS MEET GDPR REQUIREMENTS
  • 15. HUMAN-READABLE “SHARED SECRET” (slide graphic label: Password or OTP)
      • Inconvenient
      • Phishable
      • Hackable
      This is true of One Time Passwords as well
  • 16. SMS OTP HACKS
      • August 2018 – USA: “Reddit Breach Highlights Limits of SMS OTP-Based Authentication”
      • May 2017 – Germany (Süddeutsche Zeitung): “Vulnerability in the mobile network: Criminal hackers empty accounts” (slide graphic label: German Banks)
  • 17. FIDO AUTHENTICATION (diagram)
      • User Environment: User, Authenticator (holds the Private key)
      • Relying Party (holds the Public key)
      • Local user verification step: user gesture before private key can be used (Touch, PIN entry, Biometric entry)
      • On-line authentication step: Challenge, Signed Response
  • 18. FIDO EMBRACES PROTECTION/PRIVACY-BY-DESIGN
      • Based on public key cryptography
      • No server-side shared secrets
      • Keys generated and stored on device
      • No 3rd party in the protocol
      • Biometrics, if used, never leave device
      • No link-ability between services or accounts
  • 19. FIDO PROTECTION FROM HACKERS
      • Non-human-readable cryptographic response
          • Protects from (simple) phishing attacks
      • Verification of web origin/channel id
          • Prevents man-in-the-middle attacks and (complex) phishing attacks
      Slide graphic label: Relying Party
  • 20. FIDO’S USE OF BIOMETRICS
      • With FIDO, biometrics can only be stored and matched on a consumer’s device
      • FIDO prohibits biometrics from being stored or matched in servers
      ➔ No Data Protection Impact Assessment for the use of biometric data
  • 21. EXPLICIT CONSENT WITH FIDO
      • FIDO authenticators are capable of signing transaction data
      • Server message can include consent information
      • Signed response is a non-forgeable proof
      • Can be used in case of dispute
      On-screen prompt shown on the slide: “Do you agree to providing your health data to ABCHealth ? Authenticate to confirm”
  • 22. BROADER REACH: A BENEFIT OF STANDARDISATION
      • A FIDO universal server supports any FIDO compliant authenticator
      ➔ FIDO Standards reduce the cost of deploying multiple devices
      Slide graphic labels: FIDO server; App
  • 23. TAKE AWAY
      • In light of the heavy fines
      • In light of the ever increasing attacks from hackers
      ➔ A service provider should consider replacing passwords with stronger means of authentication
      • FIDO proposes a standardized solution
          • That combines convenience and security
          • That meets the privacy-by-design requirement
      Slide graphic labels: Password; Data protection measures
  • 24. https://fidoalliance.org/
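
The challenge / signed-response flow of slides 17 to 19, with the signed consent text of slide 21, as an added example that is not part of the original slides. It is a simplified model, not the UAF, U2F or WebAuthn wire format; the function names, the `clientData` layout and the origin `https://rp.example` are assumptions, and the user gesture is modelled as a boolean.

```javascript
// Added example: simplified model of a FIDO signed response.
// Not the UAF/U2F/WebAuthn wire format; all names and origins are assumptions.
const crypto = require("node:crypto");

const sha256hex = (s) => crypto.createHash("sha256").update(s).digest("hex");

// Registration: key pair generated on the device; the server stores only the public key.
function register() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  return { authenticator: { privateKey }, serverRecord: { publicKey } };
}

// Relying party: fresh random challenge plus the consent text shown to the user.
function newRequest(consentText) {
  return { challenge: crypto.randomBytes(32).toString("hex"), consentText };
}

// Client + authenticator: after the local user gesture, sign what the client
// actually saw: the challenge, the origin it is talking to, and the text hash.
function signResponse(authenticator, request, originSeenByClient, userGesture) {
  if (!userGesture) throw new Error("user verification failed; private key not used");
  const clientData = JSON.stringify({
    challenge: request.challenge,
    origin: originSeenByClient,
    consentHash: sha256hex(request.consentText),
  });
  const signature = crypto.sign("sha256", Buffer.from(clientData), authenticator.privateKey);
  return { clientData, signature };
}

// Relying party: verify the signature first, then every signed field.
// The returned string says which check rejected the response.
function verifyResponse(serverRecord, request, expectedOrigin, response) {
  const ok = crypto.verify("sha256", Buffer.from(response.clientData),
                           serverRecord.publicKey, response.signature);
  if (!ok) return "bad-signature";
  const data = JSON.parse(response.clientData);
  if (data.challenge !== request.challenge) return "stale-or-replayed-challenge";
  if (data.origin !== expectedOrigin) return "origin-mismatch";
  if (data.consentHash !== sha256hex(request.consentText)) return "consent-text-mismatch";
  return "ok";
}
```

A response relayed from a look-alike origin verifies cryptographically but fails the origin check, and the stored `clientData` plus signature is the record a controller can later present as proof of the consent text the user confirmed.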