1. Field of the Invention
The present invention relates generally to authentication and authorization in network communications and more particularly to a host based security system in which credentials may be transmitted from a credential host, which stores such credentials, to a destination site on a network server for the authentication of a local computer, which may otherwise be unsecured or compromised, upon request of the local computer to connect to the destination site.
2. Description of the Related Art
Since the release of the web browser client, network communication between computers has become a common daily occurrence for computer users worldwide. Evolving from the nascent days of email and simple web browsing, the Internet has become a public network platform to which millions of recreational, consumer, business and commercial users daily entrust the bidirectional communication of, for example, their banking and financial data as well as its storage on a remote site. Moreover, this data is most often confidential, proprietary or personal, and its unauthorized disclosure or misappropriation has been known to result in financial loss to both individuals and enterprises.
Also from these nascent days of the Internet to the present there have existed numerous and varied threats to the security of transmission of this data. These threats manifest themselves as attacks on either the communications carrying such data or the hardware devices themselves that effect such communications. To address these threats, protocols have been developed to secure network communications, and an entire network and Internet security industry has evolved to provide both hardware and software security solutions.
In a most basic example of network computing, a user at a local computer initiates, typically through a web browser interface executing on the local computer, a communication session with a destination site in which data is communicated bidirectionally between the local computer and the destination site. During this communication session, user data stored at the destination site may be viewed in the web browser interface, and information may be entered into the web browser interface to be communicated to the destination site to modify, add to or delete from the data stored thereat.
As is well known, this communication session is maintained over a connection established between the local computer and the server on which the destination site is stored. This connection is routed along a communication path that encompasses a network of nodes interconnected by a web of links using well known protocols. It is therefore seen that to secure the transmission of data along this communication path and prevent any unauthorized disclosure or misappropriation thereof, protection must be provided at each of the local computer, the server on which the destination site is stored, and each node and link along the communication path.
Typically, each of the servers on which destination sites are stored and the links and nodes along the communication path are operated by enterprises for which providing robust security of the servers, links and nodes is a basic necessity. Accordingly, attacks to compromise the security of the communication path to effect the unauthorized disclosure or misappropriation of the data being communicated thereon are most often targeted at the local computer, whereat such attacks are relatively easier to effect. These attacks are usually effected through the installation on the local computer of malware, which is malicious computer software that interferes with the normal functions of the local computer or that sends personal user data stored on the local computer or entered into the web browser interface to unauthorized parties over the network.
The local computer becomes the frequent target of attacks because many of the local computers connected to the Internet are owned or operated by users, many of whom, whether through negligence, recklessness, inattentiveness or lack of appreciation of Internet threats, forgo the installation of widely available security software, thereby leaving their own local computer vulnerable to such attacks. Other users of the local computers may install such security software but may be mistaken in their belief that their own local computer is properly secured by such software. For example, many users who do install security software may, through negligence or lack of technical expertise, fail to properly configure such software upon its initial installation or fail to obtain updates as they become available to protect against the latest discovered threats.
Even a user of high technical expertise may be unaware of the presence of malware despite the presence of properly configured and updated security software. Sophisticated malware has been known to be specifically written to avoid detection by most common consumer security software. The local computer may thus be compromised although the user believes otherwise, owing to an apparent lack of warning or other indication from the installed security software that is relied upon to monitor and assess security risks.
Malware can be surreptitiously installed on the local computer, typically by downloading and opening content from compromised or malicious destination sites or inadvertently by opening an attachment in an email. Malware can also be installed on the local computer from the network should a scan from a remote site reveal an open port on the local computer through which a direct connection thereto can be made.
Other local computers may also be those provided for use to the general public, such as those provided by public libraries or hotels. Not only may these public local computers have their security compromised as set forth above, but they may also be compromised, more insidiously, by a malicious user who can readily install malware directly on any such public local computer, as the use of these computers is generally unsupervised.
Of primary concern herein is malware that sends personal and confidential data about the user from the user's local computer to unauthorized parties over the network. One example of this type of malware captures user credentials, such as through keystroke loggers, as they are being entered into the web browser interface when such credentials need to be transmitted to a destination site for authentication thereat prior to access of the user data stored at such site. Once a user's credentials have been obtained through malware, the destination site can be accessed by such unauthorized parties from any other computer, wherever located, to obtain and misappropriate such confidential and private user data.
Similarly, such malware can also capture other sensitive data of the user entered at the local computer subsequent to the credentials being authenticated. For example, financial information, such as credit card numbers or account numbers for banks and other financial institutions, may also be logged as it is entered in the web browser interface. As stated above, misappropriation of any of this data can result in financial loss to the user whose credentials have been misappropriated.
Accordingly, a need exists to provide a system or method which enables user credentials to be sent to a destination site to authenticate a local computer while minimizing the possibility of such credentials being surreptitiously captured at the local computer and transmitted to unauthorized users. Yet another need exists to provide a system or method which enables user private information to be sent to a destination site to effect commerce thereat while also minimizing the possibility of such user private information being surreptitiously captured at the local computer and transmitted to unauthorized users. These needs are met by the inventions disclosed and claimed below.