Big Chemical Encyclopedia

Chemical substances, components, reactions, process design ...


User authentication

User Authentication. User authentication is a vital required function, particularly for fully electronic systems, but one whose implementation varies widely from one company to another. Different companies may use different authentication mechanisms and technologies to validate their users, for example, Windows username, Oracle usernames, smartcards (such as SAFE-compliant cards provided by a trust authority), and biometrics. Typical enterprise ELN systems will delegate this authentication process to an external module that is customized to match the corporate IT infrastructure. [Pg.223]

A simple example of the first method is to screen requests to ensure that they come from an acceptable (i.e., previously identified) domain name and Internet protocol address. Firewalls may also use more complex rules that analyze the application data to determine if the traffic should be allowed through. For example, the firewall may require user authentication (i.e., use of a password) to access the system. How a firewall determines what traffic to let through depends on which network layer it operates at and how it is configured. Some of the pros and cons of various methods to control traffic flowing in and out of the network are provided in table 9.12. [Pg.209]

Proxy service: Information from the Internet is retrieved by the firewall and then sent to the requesting system and vice versa. In this way, the firewall can limit the information made known to the requesting system, making vulnerabilities less apparent. Only allows temporary open holes in the network perimeter. Can be used for all types of internal protocol services. Allows direct connections to internal hosts by external clients; offers no user authentication... [Pg.210]

The standard attempts to encourage a security culture and shares many of the expectations of 21 CFR Part 11. For instance, to improve personnel security, ISO 17799 recommends definition of security in job responsibilities, personnel screening, training and awareness, and incident reporting. Access controls recommended by ISO 17799 also match Part 11, e.g., user registration, user-ID and password management, definition of user responsibilities, user authentication, and monitoring system access for unauthorized access attempts. [Pg.371]

One could also consider normal confidentiality requirements in the interest of all participants in a transaction, e.g., that attackers do not learn anything about the messages that honest users authenticate for each other. In general, one would use combinations of normal signature schemes and secrecy schemes inside the system, but, as mentioned under Directedness of Authentication in Section 5.2.8, this will not always be trivial. [Pg.103]

EvKW74 Arthur Evans, William Kantrowitz, Edwin Weiss: A User Authentication Scheme Not Requiring Secrecy in the Computer. Communications of the ACM 17/8 (1974) 437-442. [Pg.376]

Besides vulnerabilities of the standards and NAC architectures, practical NAC exceptions should be handled. The most common NAC authentication and enforcement exceptions are client side devices which do not support NAC agent software such as printers and IP phones and multi-host devices (phones, hubs, VMware) that complicate user authentication. (Network Access Control Interoperability Lab 2007)... [Pg.1808]

Virus control. Additional User ID/password protection. Encryption. User authentication. [Pg.2127]

Require verification of user authenticity by security verifiers. [Pg.2129]

Security services are intended to protect a system from security attacks, to prevent attacks, or both by utilizing different security mechanisms. User authentication is the process of verifying the identity of a user. In the case of a user-to-user communication, both users have to be checked. Traditionally, in the client-server domain, the authentication is focused on the client side, since the system should be protected from users and not vice versa. However, for some applications such as e-commerce, server authentication is equally important to ensure that it is the correct server a customer is communicating with. Data authentication describes the verification of a particular data or message origin. [Pg.51]

There is no simple way of identifying invalid documents, as the reasons that they are invalid will vary. By printing authentic documents on colored paper or providing paper with a special header one can inject a degree of control. Placing the approval signatures on the front sheet will immediately identify an unapproved document. However, the onus must rest with the user who, if properly trained and motivated, will refrain from using invalid documents. [Pg.296]

In addition to the increased precision in the communication between the researcher and the programmer, there will be an increase in the accuracy of the data involved in the research. As Mason [23] pointed out early on in the history of computer use, authenticity and correctness are necessary for accuracy. One current controversy in the pharmaceutical industry, in fact, depends on accuracy, which in turn affects liability. People in and out of the industry are discussing how best to make research visible to potential users of drugs. [Pg.721]

Security This category includes mechanisms for authentication of users and authorization for performing various tasks. [Pg.419]

Security: Does the system at runtime prevent unauthorized access or (mis)use? Security concerns typically include at least authentication—ensuring that the apparent source of a request is, in fact, who it claims to be—and authorization ensuring that the authenticated user is permitted to access the needed set of resources. Security should be modeled as any other behavioral requirement is modeled. If an existing security mechanism or product is being used (for example, Kerberos), use a model of that mechanism as a part of your design models. [Pg.513]

All the qualities that relate to runtime behavior should be captured as part of the behavioral specification of the system, including requirements about security, availability, and performance, because they contribute to the definition of acceptable behavior. For example, the need to authenticate users before permitting them to access certain operations should be... [Pg.513]

Stateful pattern recognition: This method examines and compares the contents of certain key parts of an information packet against a database of acceptable information. Information traveling from inside the firewall to the outside is monitored for specific defining characteristics, then incoming information is compared to these characteristics. If the comparison yields a reasonable match, the information is allowed through. If not, the information is discarded. Provides a limited time window to allow pockets of information to be sent; does not allow any direct connections between internal and external hosts; supports user-level authentication. Slower than packet filtering; does not support all types of connections. [Pg.210]

Canned research projects We recognize that not all users of this textbook will have a sufficiently robust research project to write about. To date, we have developed four canned research projects to address this need. These projects, all based on authentic research, provide sufficient data and background information for a mock journal article or poster. [Pg.708]

In this chapter we have heard different accounts of the ways psychotropic drugs affect users' senses of themselves. In some cases medication allowed people to realize their authentic selves or to function at a higher level. In this sense their narratives are success stories, even miracles. In other cases, by contrast, people described psychiatric drugs as masking or even devastating their authentic selves. As a result they were typically resistant to or ambivalent about medication. [Pg.125]

Chapter 15 discusses security, the backbone of Part 11. This chapter introduces the key security services, user or data authentication, and access control. [Pg.3]

Another area of concern for the FDA relates to records sent over public networks, dial-up connections, or public phone lines, accessed through external/internal web servers or by database servers. A number of security issues need to be considered in order to keep these records trustworthy. Intranets may face similar security issues if remote users connect to the central network resources through a local link to an Internet, even when password-protected access for the users is provided to just a small portion of a private network. These systems are considered by the agency as Open Systems (Part 11.30). For example, the Internet provides a convenient medium to connect to other networks, but it does not provide reliable security features, such as entity authentication, or protection from hostile users or software. [Pg.105]

Challenge-response schemes—These look like one-time password generators and use a similar synchronization mechanism; however, additional user actions are required for authentication. It involves a challenge/response exchange with a new key being used at each login. [Pg.112]

A similar mechanism to certificate-based authentication is the authentication of email transport. The authentication of email transport can be checked against the identity of the recipient. The authentication of email users ensures that there is no fraudulent user access to the system. [Pg.113]

The authenticity of electronic records refers to the degree of confidence that users can have that the records are the same as those expected, based on a prior reference or understanding of what they purport to be. [Pg.150]

Passwords are one of many methods used to authenticate authorized users. As security of computer systems performing regulated operations is so very critical, expectations for activities (such as assignment, security, and maintenance of passwords) are clearly established by the FDA. Before Part 11, the FDA expected that passwords would be ... [Pg.191]

Entity Authentication: The following implementation features must be present: automatic logoff; unique user identification. In addition, at least one of the other listed implementation features must be present to verify that an entity is who it claims to be. Automatic logoff, Biometrics, Password, PIN, Telephone callback, Token, Unique user identification... [Pg.238]

The second section reviews documentation in relation to CSV and the procedural controls required for regulated operations. Change management and control, training, and security (introducing key technology-driven services such as user/data authentication and access control), are followed by guidance on source code issues, and suppliers qualifications. [Pg.283]

E-banking is often presented as a field where electronic signature is used most. E-banking applications use many means of authenticating transactions. Electronic signature based on PKI is just one of them, and probably not the most convenient and user friendly one. [Pg.318]

The JADE-S (i.e., Secure-JADE) add-on to JADE is a third party enhancement to the framework that implements numbers of security services, including user/agent authentication, authorization and secure intra-platform communication. It makes the platform a multi-user environment where all components (i.e., agents and containers) are owned by users who are responsible for their actions. Additionally, a security policy can be enforced in order to allow or deny actions only on chosen subset of agents or users. [Pg.334]

In this paper, we have described the design and implementation of a distributed event gathering application. The application relies on standard software tools such as databases and web servers for ensuring identification and authentication of users and storing data in a secure and reliable fashion. It also uses well-known transport layer security tools, such as SSH or virtual... [Pg.363]

Identification and quantification: Two spectral user-libraries (MS and MS/MS) were developed using injections of TMS-derivatized authentic reference compounds. The MS library recorded the retention times and normal EI mass spectra of trimethylsilyl (TMS) derivatives of authentic standards under the chosen chromatographic conditions, while the MS/MS library recorded retention times and product ion spectra derived from the specifically chosen precursor ions (Table 7.3) of TMS... [Pg.172]



© 2024 chempedia.info