J.M. Cueva Lovelle et al. (Eds.): ICWE 2003, LNCS 2722, pp. 543–544, 2003. © Springer-Verlag Berlin Heidelberg 2003 Critical Information Systems Authentication Based on PKC and Biometrics Carlos Costa, José Luís Oliveira, and Augusto Silva DET/IEETA, Aveiro University, 3810-193 Aveiro, Portugal ccosta@ieeta.pt, {jlo, asilva}@det.ua.pt Abstract. This paper presents an access control model that dynamically com- bines biometrics with PKC technology to assure a stronger authentication mechanism to healthcare professional that can be used indistinctly in Internet and Intranets access scenario. 1 Introduction Access control mechanisms are mostly related with the username and password asso- ciation or with Public Key Cryptography (PKC). Despite these techniques are broadly used, the storage and handling of secrets, like PKC private keys, is yet a hard-worked problem. One solution can be provided by the usage of smart cards to store digital certificates and respective private keys with access provided by means of PIN code verification. However, when we are dealing with very sensible data it is mandatory to guarantee that the user is in fact who he claims to be, preventing the delegation of access to third persons. Our model proposes a new vision to integrate smart cards, digital credential, biometric fingerprint and user password, contemplating the in- door/outdoor access provenience. The main goal was the achievement of a flexible and robust security access system to verify and ensure that the users are in fact who they claim. The deployment scenario to this implementation was a mission-critical Healthcare Information Systems (HIS). 2 Developed Model The first outcome of this system was the development of a web-based interface mod- ule to the HIS [1]. The XML/XSL technology was used to assure dynamic content creation and formatting, according to the user terminal and to the access privileges of different user profiles. Aspects of interface usability have also been matter of study in the implementation phase, aiming to create a flexible interface to distinct client termi- nals. The developed multi-platform interface integrates, in run time, the patient infor- mation retrieved from the HIS system with its images from the PACS [2], making these alphanumeric and multimedia data available in a unique Internet browser. Because we are dealing with very sensitive information, the confidentiality, the us- ers authentication and the log of events are crucial requisites. The data communication privacy is ensured with the adoption of protocols, like the HTTPS, to encrypt the data transferred between server and client. However, concerning access control the prob-