[Gnumed-devel] Security (was Re: privacy assessment)

[J Busser]

On Nov 16, 2007, at 6:30 PM, Dan Brow wrote:
> just use a
> IPSec VPN. Don't give access to patient records if the person does not
> need it, ie admin staff.

Oscar's "two" passwords had good intentions but I think provides only  
one "bit" more security than a single password of length equal to the  
sum of two parts. I bet people's "remote" password is not very long.

Access from outside the network on any computer that may permit  
credentials to be spied, or keystroke-logged, represents a worrisome  
added vulnerability. This is unprotected by a VPN which ---  
helpfully, but only ---creates a secure tunnel through which to  
communicate plus minus limit the location(s) from which people can  
access.

An elegant solution would combine:

        1. userid
                (something that the user knows, but which others can know or 
guess)
        2. a stable passphrase
                (something *hopefully* only the user knows)
        3. one-time-password (OTPW) generator solution
                (something only the user has)
                (only needed by people needing remote access)

In some organizations, people are made to periodically alter their  
single password, however I think on a local network it is only needed  
if people's passwords are permitted to be trivial or easily guessed,  
provided there is a repeated-attempt lockout or time-out to shut out  
hackers who could otherwise attempt unlimited, computer-aided  
password "cracking".

I think that for remote access, #3 is very important. Until now, the  
only manageable implementations were commercial ($$) like those RSA  
SecurID tokens, whose regularly-changing LCD displays had been  
synchronized to a remote server's clock.

However, there is now a slick implementation "Perfect Paper  
Passwords" --- worked out by Steve Gibson at GRC --- which is  
relatively nicely laid out here, with links to open source  
implementations that seem to be really taking off:

        https://www.grc.com/ppp.htm

In this solution, a server can run software that generates keys, and  
each user who needs to be able to access remotely can be provided  
with a credit-card-sized, tri-fold paper wallet card, holding a  
series of 210 passcodes each of which can be used only once, and in  
the correct order.

Each time one is used, it is crossed out. The next time, the next  
passcode is used. Remotely logging in once a day, a passcard would  
last the user 7 months. The existing passcard can be easily revoked  
in circumstances of loss or uncertain compromise, and the next  
trifold passcard is always cheaply and easily generated any time the  
user is next back on the premises.

The degree of strength that is provided by this solution is described  
if you skip down along an associated page to the section 'Attck  
Analysis: The Online Attack":
	https://www.grc.com/ppp/algorithm.htm