The use of the Internet to carry out commercial transactions is rapidly growing. Unfortunately, the Internet is not a secure communication channel and this fact has raised concerns over the ability to securely perform these transactions. To address these concerns cryptographic techniques have been developed.
One such technique may be referred to herein as “challenge-response” authentication. Challenge-response authentication provides one computer with the ability to authenticate another computer over an unsecured network such as the Internet.
For example, consider the case wherein a vendor (computer A) wishes to transmit data to a customer's computer over an unsecured communication channel (e.g., the Internet). Before transmitting this data, the vendor wishes to verify that the receiving computer (computer B) is indeed an authorized computer (i.e., the customer's computer) and not a computer masquerading as the customer's computer. In order to accomplish this task a challenge-response authentication technique may be used.
In order to facilitate challenge-response authentication, it is assumed in this example that the vendor and customer have previously agreed on a public key cryptographic (crypto) algorithm, a public key and that the customer has been issued a private key. It is also agreed that a special purpose security protocol will be used as described below.
In order for computer A to verify that computer B is an authorized computer, computer A first generates a challenge block (i.e., a string of encrypted code). This is accomplished using the public key crypto algorithm. After the challenge block is generated, it is then transmitted to computer B over the communication channel by using the special purpose security protocol.
Computer B, in order to properly respond to receiving the challenge block, converts the challenge block into a “response block” (i.e., a second string of encrypted code). This is accomplished using the same public key crypto algorithm and the private key which was assigned to the customer. The response block is then transmitted back to computer A by again using the special purpose protocol.
Upon receiving the response block, computer A processes it in order to determine (within a degree of certainty) that computer B is indeed in possession of the appropriate private key. This is accomplished by again using the public key crypto algorithm and the public key mentioned above.
As indicated above, prior art challenge-response authentication typically involves the use of a special purpose protocol that is used to transmit the challenge block and the response block from one computer to the other. Unfortunately, providing a computer with the ability to communicate using an additional protocol can add significant overhead and therefore costs to the computer. This is especially true for a computer having limited resources. For example, in some situations it is desirable to authenticate a printer over a network. Adding the software to enable the printer to communicate using a challenge-response protocol can result in occupying a significant portion of the printer's memory. As a result, the available memory that can be used for other purposes is reduced. This can result in reducing printer performance or having to purchase and then add additional memory to accommodate the additional software or both.
Accordingly, there is a need to authenticate a computer without having to implement an additional protocol to support the authentication.
Many networked computers include the ability to communicate by using a network management protocol. Such a protocol enables one computer to diagnose problems and gather certain statistics from another computer over a network for administration and fine tuning.
In an embodiment of the invention, a first computer is provided that is able to transmit a challenge request to a second computer by using a network management protocol. The second computer is able to respond to the request by also using the network management protocol. As a result, authentication is achieved by using a protocol that is likely to be already implemented on both computers for the primary purpose of achieving network management.
Thus, the present invention can be used to eliminate the need of having to implement a prior art challenge-response protocol in order to support challenge-response authentication. This can result in reducing system overhead and costs associated with providing a computer the ability to participate in challenge-response authentication.
The present invention may be implemented as a computerized method of transmitting a challenge block to a computer. The method includes the step of transmitting the challenge block, using a network management protocol message, to the computer. Preferably, the network management protocol is the simple network management protocol (SNMP). The message may be an SNMP SetRequest message that includes the challenge block and an associated pre-determined object identifier. The method can also include the steps of receiving a second SNMP message that includes the response block; verifying the response block; and, if the response block is verified, verifying the identity of the computer. The second SNMP message preferably is an SNMP GetResponse message that includes the response block and the pre-determined object identifier associated therewith.
The present invention may also be implemented as a first computer including means for receiving, from a second computer, a network management protocol message that includes a challenge block; and means for responding to the message by using the challenge block to generate a response block. Preferably, the network management protocol is the simple network management protocol (SNMP) and the message is an SNMP SetRequest message that includes a pre-determined object identifier and the challenge block associated therewith. The computer may also include means for transmitting the response block, using the SNMP protocol, to the second computer. Preferably, the transmitting means includes means for transmitting a GetResponse message that includes the response block and the object identifier associated therewith to the second computer. Importantly, the first computer may be a network printer.
The present invention may also be implemented as a program storage medium readable by a first computer, tangibly embodying a program of instructions executable by the first computer to perform method steps for issuing a challenge to a second computer, the method steps including transmitting a network management protocol message that includes a challenge block to the second computer. Preferably, the network management protocol message is an SNMP SetRequest message that includes a pre-determined object identifier and the challenge block associated therewith. In addition, the method steps may also include the step of verifying the response block upon receiving a GetResponse message that includes the object identifier and a response block from the second computer.
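The following is an added illustration, not code from the patent, of the exchange described above: computer A places a fresh challenge block in an SNMP SetRequest against a pre-determined object identifier, computer B (e.g., a printer) answers with a response block in a GetResponse carrying the same identifier, and A verifies the response with the agreed public key. The OID, the message structure and the RSA key pair (built from two publicly known Mersenne primes, so it is a demonstration key with no secrecy) are constructed for this example; a real device would use a vetted cryptographic library and a proper padding scheme.

```python
import hashlib
import os
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed demo RSA key pair: the primes are public Mersenne primes, so this key is NOT secret.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))          # customer's private exponent

# Hypothetical enterprise OID agreed in advance for the challenge/response object.
CHALLENGE_OID = "1.3.6.1.4.1.99999.1.1"


@dataclass
class SnmpMessage:
    pdu_type: str   # "SetRequest" (A -> B) or "GetResponse" (B -> A)
    oid: str
    value: bytes


def _hash_to_int(data: bytes) -> int:
    # SHA-256 digest as an integer; it is far smaller than N, so no reduction is needed.
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def make_challenge(nonce: Optional[bytes] = None) -> Tuple[bytes, SnmpMessage]:
    """Computer A: generate a fresh challenge block and carry it in a SetRequest on the agreed OID."""
    challenge = nonce if nonce is not None else os.urandom(32)
    return challenge, SnmpMessage("SetRequest", CHALLENGE_OID, challenge)


def respond(msg: SnmpMessage, private_d: int = D) -> SnmpMessage:
    """Computer B: turn the challenge block into a response block with the private key (RSA signature)."""
    if msg.pdu_type != "SetRequest" or msg.oid != CHALLENGE_OID:
        raise ValueError("not a challenge SetRequest on the agreed object identifier")
    sig = pow(_hash_to_int(msg.value), private_d, N)
    return SnmpMessage("GetResponse", CHALLENGE_OID, sig.to_bytes((N.bit_length() + 7) // 8, "big"))


def verify(challenge: bytes, msg: SnmpMessage, public_e: int = E) -> bool:
    """Computer A: accept only a GetResponse on the agreed OID whose block verifies against *this* challenge."""
    if msg.pdu_type != "GetResponse" or msg.oid != CHALLENGE_OID:
        return False
    sig = int.from_bytes(msg.value, "big")
    if not 0 < sig < N:
        return False
    return pow(sig, public_e, N) == _hash_to_int(challenge)
```

Because each challenge is fresh, a response block captured from an earlier exchange does not verify against a later challenge, which is what gives computer A its degree of certainty that B holds the private key now.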
Other aspects and advantages of the present invention will become apparent from the following detailed description, taken in conjunction with the accompanying drawings, illustrating by way of example the principles of the invention.