This invention relates generally to distributed data processing systems. More specifically, it relates to linking two or more sites of a computer network by providing automatic user login identification without requiring the linked sites to use the same usernames and without requiring the sites to share user password information.
A distributed network system typically includes various computer nodes interconnected by a communications medium. The computer nodes may include nodes that are directly accessed by users, e.g., workstations or user computers, and nodes running specialized applications, e.g., servers or sites. These nodes, the applications running on these nodes, and the users of the distributed system may be referred to as “principals.” The methodology employed to reliably verify the identity of a user of a distributed network system prior to allowing the user access to system resources and applications is referred to as authentication. Authentication is generally performed on behalf of the principals.
In a typical distributed network system, the user sends a password to each application running on a remote node in order to access its resources. Each of these entities typically includes a component referred to as an authentication agent that maintains the user's identity and secret (e.g., password). Although the user has been generally authenticated on the network, these agents may not be aware of that authentication, and thus query the user for a password. This can be quite intrusive to the user, particularly in systems requiring users to be authenticated whenever a resource is accessed. Moreover, if the password for each application is different, remembering the password and its associated application can be rather difficult and inconvenient. The user could simply set each password for each application to the same value, but this presents the problem that if the user changes one password and forgets to change the others, the passwords will differ.
On the other hand, if the user has the same password for all applications, the local application with which the user “logs-in” typically saves the entered password and automatically sends it to remote applications as needed. This type of remote authentication is susceptible to a password-based system threat known as eavesdropping, i.e., interception of the password by wiretapping the network. To counter such a threat, cryptography is often used to preserve the confidentiality of the transmitted password when authenticating the user to remote applications.
A known mechanism for solving this problem is a single sign-on mechanism. Single signon is a term used to describe a system where a user is required to remember only one user name and password and authentication is provided for multiple services. Here, a main application stores the secrets of the multiple applications or services and, in response to an inquiry from an application or service, provides the appropriate secret on behalf of the user. The user thus does not have to retype the secrets, as it is assumed that if the user has successfully logged into the main application, the workstation can access the secrets of the other applications and provide them to the applications on behalf of the user.
One example of a single signon system is the Kerberos network authentication system, which is designed to allow entities communicating over physically insecure networks to exchange private information. Kerberos works by issuing a unique key, called a ticket, to each user that logs on to the network system. This ticket is issued when the user provides a password. The ticket is then embedded in messages to identify the sender of the message. The Kerberos single signon is possible because all of the network services are under the same administrative control. A centralized database stores keys that are shared with each service, and tickets can be issued, encrypted under the keys of the target services.
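To make the Kerberos-style arrangement described in the preceding paragraph concrete, the following Python sketch is an added illustration; it is not code from the patent, nor from Kerberos itself. It models the three parties the paragraph names: a centralized database (here a `KDC` class) that holds a key shared with each service, a user who proves a password once to obtain a ticket, and a `Service` that accepts the ticket without ever seeing the password. One simplification, stated plainly: the ticket is sealed with an HMAC under the target service's shared key rather than encrypted, which is enough to show the property that matters here, namely that a ticket minted for one service is useless at another service and cannot be altered in transit. All class and function names, the sample user and service names, and the fixed timestamp are constructed for the example.

```python
import hashlib
import hmac
import json
import secrets


class KDC:
    """Toy key distribution centre: knows every user's secret and shares
    one key with every registered service (constructed for illustration)."""

    def __init__(self):
        self.users = {}     # username -> password-derived key
        self.services = {}  # service name -> key shared with that service

    def register_user(self, user, password):
        self.users[user] = hashlib.sha256(password.encode()).digest()

    def register_service(self, name):
        # The service receives this key out of band; the KDC keeps a copy.
        key = secrets.token_bytes(32)
        self.services[name] = key
        return key

    def issue_ticket(self, user, password, service, now, lifetime=300):
        """Verify the password once and mint a ticket bound to one service."""
        presented = hashlib.sha256(password.encode()).digest()
        stored = self.users.get(user, b"")
        if not hmac.compare_digest(presented, stored):
            raise PermissionError("bad credentials")
        if service not in self.services:
            raise KeyError("unknown service")
        body = json.dumps(
            {"user": user, "service": service, "exp": now + lifetime},
            sort_keys=True,
        ).encode()
        # Sealed under the *service's* key, so only that service can validate it.
        tag = hmac.new(self.services[service], body, hashlib.sha256).hexdigest()
        return body + b"." + tag.encode()


class Service:
    """A resource that trusts tickets sealed under its shared key."""

    def __init__(self, name, key):
        self.name = name
        self.key = key

    def accept(self, ticket, now):
        """Return the authenticated username, or None if the ticket is invalid."""
        body, sep, tag = ticket.rpartition(b".")
        if not sep:
            return None
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(tag, expected):
            return None  # wrong service key or tampered body
        claims = json.loads(body)
        if claims["service"] != self.name or claims["exp"] < now:
            return None  # ticket for another service, or expired
        return claims["user"]


def demo():
    """Exercise the happy path and the failure modes; returns a result dict."""
    kdc = KDC()
    kdc.register_user("alice", "correct horse")
    mail = Service("mail", kdc.register_service("mail"))
    files = Service("files", kdc.register_service("files"))
    now = 1_000_000  # constructed fixed clock for reproducibility

    ticket = kdc.issue_ticket("alice", "correct horse", "mail", now)
    results = {
        "mail_accepts": mail.accept(ticket, now),          # "alice"
        "files_rejects": files.accept(ticket, now),        # None: other key
        "expired": mail.accept(ticket, now + 600),         # None: past exp
        "tampered": mail.accept(ticket.replace(b'"alice"', b'"mallory"'), now),
    }
    try:
        kdc.issue_ticket("alice", "wrong password", "mail", now)
        results["bad_password"] = "issued"
    except PermissionError:
        results["bad_password"] = "refused"
    return results


if __name__ == "__main__":
    print(demo())
```

The point to take from the demo is the one the paragraph makes: single sign-on works here only because one authority holds a key for every service, and a ticket carries value only to the service whose key sealed it. The paragraphs that follow explain why that precondition fails once the services are under different administrative control.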
Single signon is more difficult, however, when the resources to be accessed are under different administrative control. Perhaps the best example of this is the Internet, where the resources of different websites are under different administrative control. Linking one Internet website to other websites is a common practice. For example, corporate websites can use strategic links to bolster the content of the linked website and promote the use of the website. When these links are to private, access controlled portions of subscription-based websites, however, users have to log in on each different site when the sites are linked. Alternatively, the linked sites have to share user password lists with each other. In the first case, user convenience suffers, and the user does not get the impression of two sites being closely linked or related—the user sees the two sites as simply two separate web environments. In the second case, password sharing creates problems with keeping the password lists up to date across all sites, and poses security issues, with potential for inadvertent disclosure of the password database.
One prior attempt to provide a single signon service for the Internet that utilizes existing Web technology is Microsoft Corporation's Passport service. Like the Kerberos system, the Passport service relies on a centralized Passport server for storing authentication information, as well as consumer profile information for all registered users of the service. Although storage of this information in a central location is convenient, it suffers from the drawbacks discussed above. For example, it makes the server an attractive target for attacks, such as unauthorized access attacks and denial of service attacks, which can compromise user information accessed by the server. The Passport service and some of its drawbacks are discussed in more detail in D. Kormann and A. Rubin, “Risks of the Single Signon Protocol”, Computer Networks, volume 33, pages 51-58 (Elsevier Science Press 2000), which is incorporated herein by reference.
From the foregoing, it can be seen that there exists a need for a method and system for linking access-controlled sites by providing automatic user login identification without requiring the linked sites of a computer network to use the same usernames and without requiring the sites to share user password information. Accordingly, it is an object of the present invention to provide such a method and system.
Another object of the invention is to provide such a linking method and system that can utilize existing Internet technologies that are present in most browsers and servers.
Another object of the invention is to provide such a linking method and system with improved user convenience, by not requiring users to logon to each individual website, while maintaining a high degree of security and ease of internal operations.
Another object of the invention is to provide such a method and system that avoids potential privacy issues that may result from sharing user password information between linked sites.
Additional objects and advantages of the invention will be set forth in the description that follows, and in part will be apparent from the description, or may be learned by practice of the invention. The objects and advantages of the invention may be realized and obtained by means of the instrumentalities and combinations pointed out in the appended claims.