Secure Delivery of Web-based Teaching Resources Using Smartcards and Public Key Cryptography
Graham Phillips
Clinical and Biomedical Computing Unit,
University of Cambridge Clinical School
Abstract:
Publication of teaching materials on the web does not generally need to be restricted, but there are some resources, such as online examination questions and clinical images, where controlled, authenticated access is desirable. We have been investigating the security implications of distributing resources over the web, and asking specifically whether smartcards offer a convenient and useful way to limit access to confidential information. We have developed a generic system for use on individual web sites that enables us to do this.
Our system is based on public key cryptography for secure communication between web server and browser. By issuing users with smartcards, we enable them to carry their private keys and digital certificates with them with minimal risk of copying or impersonation. They can then access their authorised resources from any PC with an Internet connection and a smartcard reader.
We use a relational database to hold the access control rules. The web server queries the database before delivering any sensitive document to an identified user. The database can also be accessed by other programs (such as Active Server Pages or Common Gateway Interface scripts), for example to offer a user a menu of only those resources for which she has the necessary permissions.
The system is based on published standards. Its architecture is modular and flexible, with components for user registration, card personalisation and certificate creation, graphic design and printing, web access control, and online validity testing and revocation.
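The database check and per-user menu described above, with the revocation test folded in, could look like the following sketch. It is an added example, not code from the Cambridge system. The table and column names, the sample rows, and the use of the certificate serial number (assumed to be taken by the web server from an already verified client certificate) as the user key are all assumptions.

```python
import sqlite3

# Hypothetical schema: the abstract does not publish its tables or column names.
SCHEMA = """
CREATE TABLE users     (cert_serial TEXT PRIMARY KEY, name TEXT NOT NULL,
                        revoked INTEGER NOT NULL DEFAULT 0);
CREATE TABLE resources (path TEXT PRIMARY KEY, title TEXT NOT NULL);
CREATE TABLE grants    (cert_serial TEXT NOT NULL REFERENCES users,
                        path TEXT NOT NULL REFERENCES resources,
                        PRIMARY KEY (cert_serial, path));
"""

def open_db():
    """In-memory database loaded with constructed sample data."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO users VALUES (?,?,?)", [
        ("01A4", "student-a", 0), ("01A5", "student-b", 1)])  # 01A5 is revoked
    db.executemany("INSERT INTO resources VALUES (?,?)", [
        ("/exam/paper1.html", "Examination paper 1"),
        ("/images/case07.jpg", "Clinical image, case 7")])
    db.executemany("INSERT INTO grants VALUES (?,?)", [
        ("01A4", "/exam/paper1.html"), ("01A5", "/exam/paper1.html")])
    return db

def may_access(db, cert_serial, path):
    """Default deny: allow only a known, non-revoked certificate with a grant row."""
    if not cert_serial:            # no verified client certificate was presented
        return False
    row = db.execute(
        "SELECT 1 FROM grants g JOIN users u ON u.cert_serial = g.cert_serial "
        "WHERE g.cert_serial = ? AND g.path = ? AND u.revoked = 0",
        (cert_serial, path)).fetchone()  # bound parameters, never string-built SQL
    return row is not None

def menu_for(db, cert_serial):
    """(path, title) pairs this user may see, for building a per-user menu."""
    return db.execute(
        "SELECT r.path, r.title FROM resources r "
        "JOIN grants g ON g.path = r.path "
        "JOIN users u ON u.cert_serial = g.cert_serial "
        "WHERE u.cert_serial = ? AND u.revoked = 0 ORDER BY r.path",
        (cert_serial,)).fetchall()

if __name__ == "__main__":
    db = open_db()
    for serial in ("01A4", "01A5", "FFFF", None):
        print(serial, may_access(db, serial, "/exam/paper1.html"), menu_for(db, serial))
```

Because the menu query applies the same join and revocation test as the delivery check, a revoked card sees neither the link nor the document.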
At Slice of Life 2000 we will introduce the smartcard system, discuss its uses and (rubber chickens permitting) demonstrate it working.
Benefit in Attending Session:
Web browsers are rapidly becoming the method of choice for access to teaching resources, but the underlying technologies are inherently insecure. In the medical arena we are often concerned with confidential information. While each institution remains responsible for its own security practices, we can all learn from each other's policies and experiences. The smartcard techniques that we have developed at Cambridge will be made available to other organisations: we hope that they will prove useful.
PRIMARY AUTHOR'S INFORMATION
Graham Phillips
Clinical and Biomedical Computing Unit
University of Cambridge Clinical School
Box 111, Addenbrooke's Hospital
Hills Road, Cambridge CB2 2SP, UK
Telephone Number: (+44) 1223 216631
Fax Number: (+44) 1223 400060
E-mail Address: graham@cbcu.cam.ac.uk
Web Site: http://www.cbcu.cam.ac.uk/
CO-AUTHORS' INFORMATION
Kim Whittlestone
Jem Rashbass
Address(es):
Clinical and Biomedical Computing Unit
University of Cambridge Clinical School
Box 111, Addenbrooke's Hospital
Hills Road, Cambridge CB2 2SP, UK
Telephone Number(s):
(+44) 1223 400066
(+44) 1223 762035
Fax Number(s):
(+44) 1223 400060
E-mail Address(es):
Web Site(s): http://www.cbcu.cam.ac.uk/