[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to main content
Springer Nature Link
Log in

On Secure Implementation of an IHE XUA-Based Protocol for Authenticating Healthcare Professionals

  • Conference paper
Information Systems Security (ICISS 2009)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 5905))

Included in the following conference series:

Abstract

The importance of the Electronic Health Record (EHR) has been addressed in recent years by governments and institutions.Many large scale projects have been funded with the aim to allow healthcare professionals to consult patients data. Properties such as confidentiality, authentication and authorization are the key for the success for these projects. The Integrating the Healthcare Enterprise (IHE) initiative promotes the coordinated use of established standards for authenticated and secure EHR exchanges among clinics and hospitals. In particular, the IHE integration profile named XUA permits to attest user identities by relying on SAML assertions, i.e. XML documents containing authentication statements. In this paper, we provide a formal model for the secure issuance of such an assertion. We first specify the scenario using the process calculus COWS and then analyse it using the model checker CMC. Our analysis reveals a potential flaw in the XUA profile when using a SAML assertion in an unprotected network. We then suggest a solution for this flaw, and model check and implement this solution to show that it is secure and feasible.

This work has been supported by the EU project Sensoria, IST-2005-016004.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Subscribe and save

Springer+ Basic
£29.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
GBP 19.95
Price includes VAT (United Kingdom)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
GBP 35.99
Price includes VAT (United Kingdom)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
GBP 44.99
Price includes VAT (United Kingdom)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

Similar content being viewed by others

References

  1. The IHE Initiative: IT Infrastructure Technical Framework (2009), http://www.ihe.net

  2. OASIS Security Services TC: Assertions and protocols for the OASIS security assertion markup language (SAML) v2.02 (2005)

    Google Scholar 

  3. OASIS/ebXML Registry Technical Committee: ebXML business process specification schema technical specification v2.0.4 (2006), http://www.ebxml.org

  4. OASIS Web Services Security TC: WS-Trust 1.3 specification (2007)

    Google Scholar 

  5. GIP DMP: Dossier Médical Personnel A French Project, http://www.d-m-p.org

  6. ARGE-ELGA: Die Arbeitsgemeinschaft Elektronische Gesundheitsakte, http://www.arge-elga.at

  7. Dierks, T., Rescorla, E.: The Transport Layer Security (TLS) Protocol Version 1.2. Technical Report RFC 5246, IETF (August 2008)

    Google Scholar 

  8. OASIS Web Services Security TC: Web service security: SOAP message security (2006)

    Google Scholar 

  9. Bhargavan, K., Fournet, C., Gordon, A.D., Pucella, R.: TulaFale: A Security Tool for Web Services. CoRR abs/cs/0412044 (2004)

    Google Scholar 

  10. Bhargavan, K., Corin, R., Fournet, C., Gordon, A.D.: Secure sessions for web services. In: SWS, pp. 56–66. ACM, New York (2004)

    Chapter  Google Scholar 

  11. Kleiner, E., Roscoe, A.W.: On the relationship between web services security and traditional protocols. In: Mathematical Foundations of Programming Semantics, MFPS XXI (2005)

    Google Scholar 

  12. Armando, A., et al.: Formal Analysis of SAML 2.0 Web Browser Single Sign-On: Breaking the SAML-based Single Sign-On for Google Apps. In: FMSE. ACM, New York (2008)

    Google Scholar 

  13. Lowe, G.: A hierarchy of authentication specifications, pp. 31–43. IEEE, Los Alamitos (1997)

    Google Scholar 

  14. ACR-NEMA: Digital imaging and communications in medicine, dicom (1995)

    Google Scholar 

  15. Health Level Seven organization: Hl7 standards (2009), http://www.hl7.org

  16. Lapadula, A., Pugliese, R., Tiezzi, F.: A calculus for orchestration of web services. In: De Nicola, R. (ed.) ESOP 2007. LNCS, vol. 4421, pp. 33–47. Springer, Heidelberg (2007)

    Chapter  Google Scholar 

  17. Masi, M., Pugliese, R., Tiezzi, F.: On secure implementation of an IHE XUA-based protocol for authenticating healthcare professionals (full version), http://rap.dsi.unifi.it/cows/

  18. OASIS Security Services TC: SAML v2.0 Holder-of-Key Assertion Profile (March 2009)

    Google Scholar 

  19. Gudgin, M., Hadley, M., Rogers, T.: Web Services Addressing 1.0 - Core. Technical report, W3C, W3C Recommendation (May 2006)

    Google Scholar 

  20. OASIS Web Services Security TC: Username token profile v1.1 (2006)

    Google Scholar 

  21. Lapadula, A., Pugliese, R., Tiezzi, F.: A Calculus for Orchestration of Web Services (full version). Technical report, Dipartimento di Sistemi e Informatica, Univ. Firenze (2008), http://rap.dsi.unifi.it/cows

  22. OASIS WSBPEL TC: Web Services Business Process Execution Language v2.0 (2007)

    Google Scholar 

  23. ter Beek, M.H., Gnesi, S., Mazzanti, F.: CMC-UMC: A framework for the verification of abstract service-oriented properties. In: Shin, S.Y., Ossowski, S. (eds.) 2009 ACM Symposium on Applied Computing (SAC), pp. 2111–2117. ACM, New York (2009)

    Chapter  Google Scholar 

  24. Abadi, M., Fournet, C.: Mobile values, new names, and secure communication. In: POPL, pp. 104–115 (2001)

    Google Scholar 

  25. Broadfoot, P., Lowe, G.: On distributed security transactions that use secure transport protocols. In: 16th Computer Security Foundations Workshop, pp. 63–73. IEEE, Los Alamitos (2003)

    Google Scholar 

  26. Dolev, D., Yao, A.: On the security of public key protocols. IEEE Transactions on Information Theory 29(2), 198–208 (1983)

    Article  MATH  MathSciNet  Google Scholar 

  27. Fantechi, A., Gnesi, S., Lapadula, A., Mazzanti, F., Pugliese, R., Tiezzi, F.: A model checking approach for verifying COWS specifications. In: Fiadeiro, J.L., Inverardi, P. (eds.) FASE 2008. LNCS, vol. 4961, pp. 230–245. Springer, Heidelberg (2008)

    Chapter  Google Scholar 

  28. Blanchet, B.: CryptoVerif: Computationally sound mechanized prover for cryptographic protocols. In: Dagstuhl seminar Formal Protocol Verification Applied (October 2007)

    Google Scholar 

  29. Groß, T.: Security analysis of the saml single sign-on browser/artifact profile. In: ACSAC, pp. 298–307. IEEE, Los Alamitos (2003)

    Google Scholar 

  30. Hansen, S., Skriver, J., Nielson, H.: Using static analysis to validate the saml single sign-on protocol. In: WITS, pp. 27–40. ACM, New York (2005)

    Chapter  Google Scholar 

  31. OASIS Security Services TC: Profiles for the OASIS Security Assertion Markup Language (SAML) v2.0 (2005)

    Google Scholar 

  32. Armando, A., et al.: The AVISPA Tool for the Automated Validation of Internet Security Protocols and Applications. In: Etessami, K., Rajamani, S.K. (eds.) CAV 2005. LNCS, vol. 3576, pp. 281–285. Springer, Heidelberg (2005)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Università degli Studi di Firenze, Viale Morgagni, 65, 50134, Firenze, Italy

    Massimiliano Masi, Rosario Pugliese & Francesco Tiezzi

Authors
  1. Massimiliano Masi
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Rosario Pugliese
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Francesco Tiezzi
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Electrical Engineering and Computer Science Department, University of Michigan, 48109, Ann Arbor, MI, USA

    Atul Prakash

  2. Department of Computer Science and Engineering, Indian Institute of Technology Kharagpur, Kharagpur, India

    Indranil Sen Gupta

Rights and permissions

Reprints and permissions

Copyright information

© 2009 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Masi, M., Pugliese, R., Tiezzi, F. (2009). On Secure Implementation of an IHE XUA-Based Protocol for Authenticating Healthcare Professionals. In: Prakash, A., Sen Gupta, I. (eds) Information Systems Security. ICISS 2009. Lecture Notes in Computer Science, vol 5905. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-10772-6_6

Download citation

  • DOI: https://doi.org/10.1007/978-3-642-10772-6_6

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-10771-9

  • Online ISBN: 978-3-642-10772-6

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation