eprintid: 406
rev_number: 11
eprint_status: archive
userid: 31
dir: disk0/00/00/04/06
datestamp: 2011-06-15 12:52:15
lastmod: 2011-07-11 14:35:30
status_changed: 2011-06-15 12:52:15
type: book_section
metadata_visibility: show
item_issues_count: 0
creators_name: Masi, Massimiliano
creators_name: Pugliese, Rosario
creators_name: Tiezzi, Francesco
creators_id: 
creators_id: 
creators_id: francesco.tiezzi@imtlucca.it
title: On Secure Implementation of an IHE XUA-Based Protocol for Authenticating Healthcare Professionals
ispublished: pub
subjects: QA75
divisions: CSA
full_text_status: public
note: ©Springer-Verlag Berlin Heidelberg 2009. The original publication is available at www.springerlink.com
abstract: The importance of the Electronic Health Record (EHR) has been addressed in recent years by governments and institutions.Many large scale projects have been funded with the aim to allow healthcare professionals to consult patients data. Properties such as confidentiality, authentication and authorization are the key for the success for these projects. The Integrating the Healthcare Enterprise (IHE) initiative promotes the coordinated use of established standards for authenticated and secure EHR exchanges among clinics and hospitals. In particular, the IHE integration profile named XUA permits to attest user identities by relying on SAML assertions, i.e. XML documents containing authentication statements. In this paper, we provide a formal model for the secure issuance of such an assertion. We first specify the scenario using the process calculus COWS and then analyse it using the model checker CMC. Our analysis reveals a potential flaw in the XUA profile when using a SAML assertion in an unprotected network. We then suggest a solution for this flaw, and model check and implement this solution to show that it is secure and feasible. 
date: 2009
date_type: published
series: Lecture Notes in Computer Science
volume: 5905
publisher: Springer
pagerange: 55-70
id_number: 10.1007/978-3-642-10772-6_6
refereed: TRUE
isbn: 978-3-642-10771-9
book_title: Information Systems Security (ICISS 2009)
editors_name: Prakash, Atul
editors_name: Gupta, Indranil
official_url: http://dx.doi.org/10.1007/978-3-642-10772-6_6
funders: This work has been supported by the EU project Sensoria, IST-2005-016004.
citation:   Masi, Massimiliano and Pugliese, Rosario and Tiezzi, Francesco  On Secure Implementation of an IHE XUA-Based Protocol for Authenticating Healthcare Professionals.   In:  Information Systems Security (ICISS 2009).   Lecture Notes in Computer Science, 5905 .  Springer, pp. 55-70.  ISBN 978-3-642-10771-9      (2009)  
document_url: http://eprints.imtlucca.it/406/1/cows_iciss_2009a.pdf