
Publication


Featured research published by Richard Au.


Hawaii International Conference on System Sciences | 2008

Consumer-Centric and Privacy-Preserving Identity Management for Distributed E-Health Systems

Richard Au; Peter R. Croll

A new framework of privacy-preserving identity management for distributed e-health systems is proposed. Utilizing a consumer-centric approach, the healthcare consumer maintains a pool of pseudonymous identifiers for use in different healthcare services. Without revealing the identity of consumers, health record data from different medical databases distributed in various clinic/hospitals can be collected and linked together on demand. While pseudo-anonymity preserves user privacy, the architectural design allows the anonymity to be revoked by a trusted authority under well-defined policies with legal-compliance. This framework inherits the advantages in centralized management for distributed medical databases. Security of the interactions among different entities in the architecture is guaranteed by certification and cryptographic technologies.


Computer and Communications Security | 2000

Cross-domain one-shot authorization using smart cards

Richard Au; Mark Looi; Paul Ashley

As the use of information technology is increasing rapidly in organizations around the world, an important task is to design global networks with high security, efficiency and functionality. While centralized systems have the advantages of simplified management, they face the problems of bottleneck and single point of failure. In this paper, we propose a new authorization scheme that operates over existing centralized authentication mechanisms. The goal is to enhance the performance and scalability in a centrally administered security architecture. A new technique of using one-shot authorization tokens is introduced. It facilitates a mechanism for updating or revocation of the access rights of users in online or off-line authorization models. A smart card is used as an authorization device in addition to its traditional function of user authentication. This scheme provides the mobility for users and the flexibility in coping with different access control policies in a cross domain multi-application environment.


International Conference on Information Security and Cryptology | 2001

Secure Authorisation Agent for Cross-Domain Access Control in a Mobile Computing Environment

Richard Au; Mark Looi; Paul Anthony Ashley; Loo Tang Seet

New portable computers and wireless communication technologies have significantly enhanced mobile computing. The emergence of network technology that supports user mobility and universal network access has prompted new requirements and concerns, especially in the aspects of access control and security. In this paper, we propose a new approach using authorisation agents for cross-domain access control in a mobile computing environment. Our framework consists of three main components, namely centralised authorisation servers, authorisation tokens and authorisation agents. An infrastructure of centralised authorisation servers and application servers from different domains is proposed for supporting trust propagation to mobile hosts instantaneously. While the authorisation token is a form of static capability, the authorisation agent on the client side can be regarded as a dynamic capability to provide the functionality in client-server interactions. It works collaboratively with remote servers to provide authorisation service with finer access granularity and higher flexibility.


Australasian Conference on Information Security and Privacy | 2000

Towards a New Authorisation Paradigm for Extranets

Richard Au; Mark Looi; Paul Ashley

The development of extranets is transforming enterprise networking. Rather than using proprietary networks to exchange private information, organisations can now set up corporate extranets to exchange data and share applications with strategic partners, suppliers, and customers in a global scale. Because extranets allow third-party users into corporate networks, they need to be extremely secure and external access needs to be highly controllable. Authorisation governs what an entity can do, thus it is a core element in network security. In this paper, we propose a new authorisation framework that can cope with the dynamic and outreaching characteristics of extranets. We apply the technique of one-shot authorisation token in providing extranet users with flexible direct access to applications without authenticating their identities every time. It also solves the problem of revocation and update of user privileges in off-line models. This authorisation scheme has various advantages in terms of higher efficiency and greater adaptability to the diverse application environment of extranets.


International Conference on Web Engineering | 2003

Agent-based privilege negotiation for E-commerce on world wide web

Richard Au; Ming Yao; Mark Looi

In this paper, we have proposed a new credential-based authorisation framework using Privilege Negotiation Agents to enhance the authorisation service in the Web environment. For further research, we can put efforts to develop a universal set of languages with formal semantics for expressing policies and credentials for interactions between various agents and servers.


IEEE WIC ACM International Conference on Intelligent Agent Technology | 2003

Privilege negotiation agents for distributed authorisation on World Wide Web

Richard Au; Ming Yao; Mark Looi

Privilege negotiation agents migrate from the security servers of different administrative domains on the Internet to the user's secure client agent environment. They work cooperatively for trust establishment and authorisation in an automated way. Agent communication protocols are expressed through the Knowledge Query and Manipulation Language (KQML). Security issues for interaction between agents are discussed. The user-centred approach enables a user to enforce his own privacy policies during the privilege negotiation process.


Smart Card Research and Advanced Application Conference | 1998

Enhancing SESAMEV4 with Smart Cards

Mark Looi; Paul Ashley; Loo Tang Seet; Richard Au; Gary Gaskell; Mark Vandenwauver

SESAMEV4 is a security architecture that supports role based access control with single sign-on facilities for heterogeneous distributed network environments. Several vulnerabilities are identified in SESAMEV4’s user authentication process. This paper proposes four options for enhancing this user authentication process by integrating smart cards into SESAMEV4. The proposals are shown to successfully increase the level of security of SESAMEV4 and will be shown to correctly operate with existing SESAMEV4 applications and servers, with no modifications required to the applications or servers.


Lecture Notes in Computer Science | 2000

Enhancing SESAMEV4 with smart cards

Mark Looi; Paul Ashley; Loo Tang Seet; Richard Au; Gary Gaskell; Mark Vandenwauver


Electronic Commerce and Web Technologies | 2002

Secure Client Agent Environment (SCAE) for World Wide Web

Richard Au; Ming Yao; Mark Looi; Paul Ashley


AICPS | 2004

A user-centric anonymous authorisation framework in e-commerce environment

Richard Au; Harikrishna Vasanta; Kim-Kwang Raymond Choo; Mark Looi

Collaboration


Top Co-Authors

Mark Looi
Queensland University of Technology

Paul Ashley
Queensland University of Technology

Loo Tang Seet
Queensland University of Technology

Ming Yao
Queensland University of Technology

Gary Gaskell
Queensland University of Technology

Harikrishna Vasanta
Queensland University of Technology

Peter R. Croll
Queensland University of Technology

Kim-Kwang Raymond Choo
University of Texas at San Antonio