E-SERVICES IN MISSION-CRITICAL ORGANIZATIONS: IDENTIFICATION ENFORCEMENT

Carlos Costa, José Luís Oliveira, Augusto Silva

2004

Abstract

The increasing dependency of enterprises on IT has raised major concerns about security technology and procedures. Access control mechanisms, which are the core of most security policies, are mostly based on PINs and, sometimes, on Public Key Cryptography (PKC). Although these techniques are already broadly disseminated, the storage and retrieval of security secrets is still a sensitive and open issue for organizations and users. One possible solution is the use of smart cards to store digital certificates and private keys. However, there are special organizations where even this solution does not solve the security problems. When users deal with sensitive data and it is mandatory to prevent the delegation of access privileges to third parties, new solutions must be provided. In this case, access to the secrets can be enforced by a three-factor scheme: possession of the token, knowledge of a PIN code, and fingerprint validation. This paper presents a Professional Information Card system that dynamically combines biometrics with PKC technology to provide stronger authentication that can be used equally in Internet and Intranet scenarios. The system was designed to fulfil the access control requirements of current mission-critical enterprises and was deployed, as a proof of concept, in the Healthcare Information System of a major Portuguese hospital.
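The three-factor scheme in the abstract (token possession, PIN, fingerprint match) gating a PKC challenge-response, as an added Python model that is not the paper's own code: the card's private key is never exported and only signs once the PIN has been verified and the fingerprint matched on the card. It assumes the `cryptography` package for Ed25519; the bit-similarity matcher, the PIN retry budget and the threshold are constructed stand-ins, not the paper's matcher or parameters.

```python
import hmac
import os
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric import ed25519

PIN_TRIES = 3            # constructed: wrong-PIN budget before the card locks itself
MATCH_THRESHOLD = 0.90   # constructed: fraction of template bits that must agree

def bit_similarity(a: bytes, b: bytes) -> float:
    """Constructed stand-in for a fingerprint matcher: share of equal bits."""
    if len(a) != len(b):
        return 0.0
    differing = sum(bin(x ^ y).count("1") for x, y in zip(a, b))
    return 1.0 - differing / (8 * len(a))

class PICard:
    """Token (factor 1) whose private key never leaves the card and is usable
    only after PIN (factor 2) and on-card fingerprint match (factor 3)."""
    def __init__(self, pin: str, template: bytes):
        self._pin, self._template = pin.encode(), template
        self._key = ed25519.Ed25519PrivateKey.generate()
        self.public_key = self._key.public_key()   # exported once, at enrolment
        self.tries_left, self.pin_ok, self.unlocked = PIN_TRIES, False, False

    def verify_pin(self, pin: str) -> bool:
        if self.tries_left == 0:                   # locked: no further attempts
            return False
        if not hmac.compare_digest(pin.encode(), self._pin):
            self.tries_left -= 1
            self.pin_ok = self.unlocked = False    # any failure re-locks the key
            return False
        self.tries_left, self.pin_ok = PIN_TRIES, True
        return True

    def match_fingerprint(self, sample: bytes) -> bool:
        # PIN gate first, so the matcher cannot be probed without the PIN;
        # the template is compared on the card and is never returned
        if self.pin_ok and bit_similarity(sample, self._template) >= MATCH_THRESHOLD:
            self.unlocked = True
        return self.unlocked

    def sign_challenge(self, challenge: bytes) -> bytes:
        if not self.unlocked:
            raise PermissionError("card not unlocked")
        return self._key.sign(challenge)

def server_authenticates(card: PICard, public_key) -> bool:
    """Relying party: fresh nonce, signature checked against the enrolled key."""
    challenge = os.urandom(32)
    try:
        public_key.verify(card.sign_challenge(challenge), challenge)
        return True
    except (PermissionError, InvalidSignature):
        return False
```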



Paper Citation


in Harvard Style

Costa C., Luís Oliveira J. and Silva A. (2004). E-SERVICES IN MISSION-CRITICAL ORGANIZATIONS: IDENTIFICATION ENFORCEMENT. In Proceedings of the Sixth International Conference on Enterprise Information Systems - Volume 4: ICEIS, ISBN 972-8865-00-7, pages 389-396. DOI: 10.5220/0002649103890396


in Bibtex Style

@conference{iceis04,
author={Carlos Costa and José Luís Oliveira and Augusto Silva},
title={E-SERVICES IN MISSION-CRITICAL ORGANIZATIONS: IDENTIFICATION ENFORCEMENT},
booktitle={Proceedings of the Sixth International Conference on Enterprise Information Systems - Volume 4: ICEIS},
year={2004},
pages={389-396},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0002649103890396},
isbn={972-8865-00-7},
}


in EndNote Style

TY - CONF
JO - Proceedings of the Sixth International Conference on Enterprise Information Systems - Volume 4: ICEIS
TI - E-SERVICES IN MISSION-CRITICAL ORGANIZATIONS: IDENTIFICATION ENFORCEMENT
SN - 972-8865-00-7
AU - Costa C.
AU - Luís Oliveira J.
AU - Silva A.
PY - 2004
SP - 389
EP - 396
DO - 10.5220/0002649103890396