Applications:SecureConfirm - Secure Data Confirmation

From Yubico

Jump to: navigation, search


SecureConfirm - Secure Data Confirmation by "Thomas Weitzel"

Introduction

Today, it’s easy to securely confirm the identity of a user with the YubiKey. This allows for secure identification and audit logging within an Application for the purposes of determining who interacted with a specific piece of data.

However, this type of auditing does not provide any security regarding the data which is the subject of that user interaction. It is still possible for accidental data corruption or intentional manipulation by an adversary to occur within the Application or Application Database. For this reason, an audit log could falsely indicate that a user made a specific data modification or confirmed incorrect information. This universally opens the door for repudiation of any data the user interacted with.

In many situations, a single data element can be critical (such as a medication dose in an electronic medical record system.) It is simply not enough to determine who interacted with a piece of data when there is a possibility of error or falsification. In these critical cases, it is necessary to authenticate both the user and the data subject to the interaction.

That’s where SecureConfirm comes in!


SecureConfirm (Secure Data Confirmation)

SecureConfirm is the first and only fully integrated method to securely authenticate both the user and the data subject to user interaction. This protects the user by assuring any accidental data corruption or intentional manipulation can be identified.

In order to accomplish this, the Application passes data to a cryptographic hash function that creates a fixed length message Digest. This Digest is passed as a variable to the YubiKey. The Application prompts the user to positively and securely confirm the displayed application data by pressing the integrated YubiKey button. The Digest is added to the time-variant code which is encrypted into the Authentication/Confirmation Code. This Authentication/Confirmation code is sent to the Validation and Confirmation Service for authentication and the Digest is retained by the Validation and Confirmation Server. The Application can then use the Confirmation Receipt to securely verify data integrity in the future.


YubiKing Contest Submission - © 2009 by Thomas Weitzel - All rights reserved. Thomas Weitzel, HealthcareSystemics.com thomas_weitzel @ yahoo.com

» ["http://www.healthcaresystemics.com/Home/secureconfirm---secure-data-confirmation"]

Retrieved from "http://wiki.yubico.com/wiki/index.php/Applications:SecureConfirm_-_Secure_Data_Confirmation"
Personal tools
Authors/Administrators