cating with the key distribution center (KDC). The Kerberos system takes such an approach and has to manage a number of keys that is directly proportional to the number of users in the organization. It distributes time-limited secret session keys without the need for passwords to pass in cleartext over any part of the computer network. Although the KDC represents a focal point of vulnerability in the system, Kerberos is a major step forward in organization management of secure communications and is the basis of strong authentication in the Distributed Computing Environment being promoted by the Open Software Foundation (OSF). Kerberos is being used actively in some health care and other facilities that the committee did not visit, in which secure authentication of more than 30,000 entities is required.
Smart Card Tokens. Internet commerce interests are pushing forward aggressively on standards for developing and deploying token-based cryptographic authentication and authorization systems (e.g., the Mastercard-Visa consortium and CyberCash Inc.). These technologies should be adapted to health care organization and interorganization applications, including the establishment of certification authorities with adequate trust levels to be effective in health care settings. Commercial deployment of these technologies will drive the prices of tokens and related software down to the point at which they can be used cost-effectively for protecting access to personal health care information, and user acceptance will be high because use of the technologies will be familiar in other settings. In support of this direction, health care organizations, elements of the health care information services industry, professional organizations, and government agencies should strongly support the development of Internet and commercial efforts in this arena.
One example of a smart card token is a card about the size of a credit card but somewhat thicker that has a liquid crystal display in which a number appears that changes every minute or so (the length of the number and frequency of change depend on the card model). Each user card generates a unique sequence of numbers over time, and, through a shared secret algorithm, servers for which the user has been assigned access privileges can generate the corresponding sequence of numbers. Since only the bona fide user (nominally) possesses the card and the number sequence is unique, the number at any given time is used as a session password. Any snooper who detects the number being sent over the network must replay it within the cycle time of the card; otherwise a new random number, known only to the holder of the card, is required for login. Other devices suitably packaged as buttons, smart cards, or similar tokens are becoming available at economically affordable prices. These have write-controlled internal memory (devices with 8 kilobytes of stor-