Page 181 - ITU KALEIDOSCOPE, ATLANTA 2019

ICT for Health: Networks, standards and innovation




type and sample, and the user-enrolled biometric reference template identifier at the BSP. This feature would provide user portability of their biometric credential across multiple devices with only a single user enrollment.

Recommendation ITU-T X.1080.0 provides an informal CMS specification for data protection based on IETF RFC 5652. SG17 should revise Recommendation ITU-T X.1080.0 to reference ITU-T X.894 CMS, whose syntax complies with the current ASN.1 standards. This change will allow ITU-T X.1080.0 adopters to eliminate the use of RFC 5652 syntax that is "based on X.208, the deprecated 1988 version of ASN.1 that was withdrawn as a standard in 2002" [15]. Adoption of ITU-T X.894 will allow any of the ASN.1 encoding rules to be used, removing the IETF one-rule restriction. ITU-T X.894-based ITU-T X.1080.0 implementations will also gain new options for telebiometric data protection, including field level tokenization and a SigncryptedData type that can be used to replace SignedData and EnvelopedData.

The TLS protocol is widely used and well suited for server to server mutual authentication, since both communicating parties are likely to possess digital certificates. However, when individuals must authenticate to a server using TLS, they must often rely on a password. The lack of users with certificates makes mutual authentication with TLS rare and successful phishing attacks on users likely.

ITU should standardize a profile of the TLS handshake protocol that ensures secure access for mobile device users. This profile should support mutual authentication based on user passwords protected by PAKE. An ITU standard for TLS should enable the use of PAKE extensions that provide multifactor user authentication with samples collected from the biometric sensors readily available on smart mobile devices. This new TLS standard would allow mobile users to enjoy the benefits of strong, two-factor user authentication and mutual authentication without the cost of digital certificates and the risk of being phished.

A revision of Recommendation ITU-T X.1081 should include consideration of non-biometric telemedicine devices. This revision could be achieved through a new normative annex or as a separate standard. ITU-T X.1081 security aspects could incorporate work being proposed in ITU-T X.tas, since, as this paper has shown, it is possible for a biometric sensor to also collect user knowledge for use as an authentication factor. The X.tas: Telebiometric authentication using speaker recognition standardization should especially consider the BAKE protocol extension to PAKE.

The X.tas work should be broadened to include other types of biometrics for which "knowledge extraction can mine something-you-know information from biometric sensor data" [10]. These biometric types could be used to support the operation of PAKE and its extensions. These types of biometrics include collected "user gestures as binary video images" that can "represent movements completely unrelated to any language" [10].

As described by Fong, Zhuang and Fister, these types include footsteps, "finger positions and hand posture" [19]. Some biometric technology types are considered to be 'weak' for general use. For a constrained population living in an in-home healthcare environment, who may have been authenticated on entry, these types may offer value for user identification and authentication, especially when telemedicine and telemonitoring services are assisted by robotics.

REFERENCES

[1] Astbrink, G., Shabbir, M., Giannoumis, G.A. (2018) 1.3 Billion Reasons for Making Technology Accessible. Internet Governance Forum Workshop Session (WS) #45.

[2] Calvaresi, D., Cesarini, D., Sernani, P., Marinoni, M., et al. (2017). Exploring the ambient assisted living domain: a systematic review. Journal of Ambient Intelligence and Humanized Computing, 8(2), 239-257.

[3] ITU-D. (2019). mHealth for NCD - BeHe@lthy BeMobile. ICT Applications.

[4] ICT Consultation. (2013). The ICT opportunity for a disability-inclusive development framework.

[5] Griffin, P. H. (2015). Security for ambient assisted living: Multi-factor authentication in the internet of things. In 2015 IEEE Globecom Workshops (GC Wkshps) (pp. 1-5). IEEE.

[6] Hamdi, O., Chalouf, M. A., Ouattara, D., & Krief, F. (2014). eHealth: Survey on research projects, comparative study of telemonitoring architectures and main issues. Journal of Network and Computer Applications, 46, 100-112.

[7] Recommendation ITU-T X.1035 Password-authenticated key (PAK) exchange protocol, 2007.

[8] ISO/IEC 11770-4 Key Management – Mechanisms Based on Weak Secrets, 2017.

[9] Engler, J., Karlof, C., Shi, E., Song, D. (2009). Is it too late for PAKE? In Web 2.0 Security and Privacy (W2SP) 2009.

[10] Griffin, P. H. (2015). Biometric knowledge extraction for multi-factor authentication and key exchange. Proceedings of the 2015 Complex Adaptive Systems Conference, Missouri Institute of Science and Technology, in San Jose, California.
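
Added illustration (not code from this paper or from any ITU specification) of the property the TLS recommendation above relies on: a password-authenticated key exchange gives mutual authentication without certificates, and a server that does not hold the user's password fails key confirmation. It is a simplified SPAKE2-style exchange over a toy group, not the ITU-T X.1035 PAK or BAKE protocol. All function names and sample passwords are assumptions; under BAKE the password would be the knowledge extracted from the biometric sample.

```python
import hashlib, hmac, secrets

# Toy group (assumption): integers modulo the prime 2**255 - 19, chosen only to
# keep the arithmetic readable. Real deployments use a vetted prime-order group.
P = 2**255 - 19
G = 2

def _h(*parts: bytes) -> bytes:
    """Hash length-prefixed parts so field boundaries are unambiguous."""
    h = hashlib.sha256()
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return h.digest()

def _elem(label: bytes) -> int:
    """Derive a public masking element whose discrete log nobody knows."""
    return int.from_bytes(_h(b"blind", label), "big") % P

M, N = _elem(b"client"), _elem(b"server")

def pw_scalar(password: str) -> int:
    return int.from_bytes(_h(b"pw", password.encode()), "big") % (P - 1)

def start(password: str, mask: int):
    """Pick an ephemeral secret x and send g^x hidden under mask^w."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P) * pow(mask, pw_scalar(password), P) % P

def finish(password: str, x: int, peer_msg: int, peer_mask: int, t: int, s: int) -> bytes:
    """Strip the peer's mask with our own password, then derive the key."""
    inv = pow(pow(peer_mask, pw_scalar(password), P), P - 2, P)  # Fermat inverse
    shared = pow(peer_msg * inv % P, x, P)
    return _h(b"key", *(v.to_bytes(32, "big") for v in (t, s, shared)))

def tag(key: bytes, role: bytes) -> bytes:
    return hmac.new(key, role, hashlib.sha256).digest()

def run_exchange(client_pw: str, server_pw: str):
    """Return (client accepts server, server accepts client)."""
    x, t = start(client_pw, M)   # client -> server: masked g^x
    y, s = start(server_pw, N)   # server -> client: masked g^y
    k_c = finish(client_pw, x, s, N, t, s)
    k_s = finish(server_pw, y, t, M, t, s)
    # Key confirmation: each side checks the tag the other side computed.
    client_accepts = hmac.compare_digest(tag(k_s, b"server"), tag(k_c, b"server"))
    server_accepts = hmac.compare_digest(tag(k_c, b"client"), tag(k_s, b"client"))
    return client_accepts, server_accepts
```

With matching passwords both sides accept; a server that only guesses the password derives a different key, so the client rejects it, and the messages it saw carry only masked group elements rather than the password.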






