Difference between revisions of "VistA Security"

From VistApedia
Jump to: navigation, search
Line 1: Line 1:
 
Each person who uses the VistA system has an entry in the NEW PERSON File #200.
 
Each person who uses the VistA system has an entry in the NEW PERSON File #200.
 
The VistA login security subsystem (XU namespace) requires two passwords ([[access code]] and [[verify code]]) to authorize someone to use the system, and one password ([[electronic signature]]) to allow someone to authorize a different person to proceed with an action.
 
The VistA login security subsystem (XU namespace) requires two passwords ([[access code]] and [[verify code]]) to authorize someone to use the system, and one password ([[electronic signature]]) to allow someone to authorize a different person to proceed with an action.
In English there is a subtle difference
+
 
"authenticate" - prove identity
+
In English there is a subtle difference
"authorize" - permit an action
+
"authenticate" - prove identity
 +
"authorize" - permit an action
  
 
Since the VA uses a "home grown" way of taking human readable text used for each of these and turning it into a non-human undestandable text to be stored in the system, I think it unwise to claim that the VA uses an encryption system.  What the VA does use is a obfuscation system, which makes it very difficult for someone to come up with a human readable text to be used for authorization.  In my opinion, authentication is a very difficult thing to do with any static system.  Dynamic query and response authentication is far more likely to be able to prove identity.
 
Since the VA uses a "home grown" way of taking human readable text used for each of these and turning it into a non-human undestandable text to be stored in the system, I think it unwise to claim that the VA uses an encryption system.  What the VA does use is a obfuscation system, which makes it very difficult for someone to come up with a human readable text to be used for authorization.  In my opinion, authentication is a very difficult thing to do with any static system.  Dynamic query and response authentication is far more likely to be able to prove identity.

Revision as of 17:43, 20 August 2009

Each person who uses the VistA system has an entry in the NEW PERSON File #200. The VistA login security subsystem (XU namespace) requires two passwords (access code and verify code) to authorize someone to use the system, and one password (electronic signature) to allow someone to authorize a different person to proceed with an action.

In English there is a subtle difference
"authenticate" - prove identity
"authorize" - permit an action

Since the VA uses a "home grown" way of taking human readable text used for each of these and turning it into a non-human undestandable text to be stored in the system, I think it unwise to claim that the VA uses an encryption system. What the VA does use is a obfuscation system, which makes it very difficult for someone to come up with a human readable text to be used for authorization. In my opinion, authentication is a very difficult thing to do with any static system. Dynamic query and response authentication is far more likely to be able to prove identity.

It would be appropriate for someone who has a VistA system that is actually on the Internet to investigate things like ssl and ssh tunnelling, as they are sub-systems which can support VistA, and which are developed, tested, and investigated by full time security professionals.