Description of personal data exchange protocol: X

V. Belsky, I. Gerasimov, K. Tsaregorodtsev, I. Chizhov


Personal data exchange and disclosure prevention are widespread problems in our digital world. A number of information technologies are embedded in commercial and government processes. People need to exchange their personal information while using these technologies, and services need to process it. It is therefore essential to make this exchange secure. Despite many legal regulations, there are many cases of personal data breaches that lead to undesirable consequences. The reasons for personal data leakage may be an adversary attack, a data administration error or service corruption. At the same time, complex service interaction and multilayer information security may cause many inconveniences for the user. A personal data exchange protocol has the following tasks: transferring participants' data, ensuring information security, providing participants with trust in each other and ensuring service availability. In this paper, we present a personal data exchange protocol called X. The main idea is to encrypt personal data on the user side and thus to prevent personal data disclosure and publication. This approach allows us to transfer personal data from user to service only in the form of an encrypted data packet, called a blob. Each blob can be validated and certified by a personal data inspector who approved the user's information. The inspector can be any government department or commercial organization, for example a passport issuing authority, a bank, etc. This gives us several key features for personal data exchange. A requesting service cannot publish the user's personal data. It can still perform a validation protocol with an inspector to validate user data. We do not depend on the service's data administration infrastructure and do not complicate the inspector's processes by adding additional information about the personal data request. The personal data package has a link between the personal data owner and a service request.
Each blob is generated for a single request and has a time limit for the encrypted personal data it provides. After this limit, the service cannot use the received package. The user cannot provide invalid personal data or use the personal data of another person. We do not restrict the choice of cryptographic algorithms: the X protocol can be implemented with any encryption, digital signature and key generation algorithms that are secure in our adversary model. For the protocol description, Russian standardized cryptographic protocols are used. The paper also contains several useful examples of how the X protocol can be implemented in real information systems.

Full Text:

PDF (Russian)





ISSN: 2307-8162