The present invention relates to systems and methods for controlling access to software applications and associated data. More particularly the present invention relates to systems and methods for providing secure end user authentication for enterprise and other software applications.
An internet directory service is a software application, or a set of applications, that stores and organizes information about a computer network's users and network resources, and that allows network administrators to manage users' access to the resources. A directory service can be deployed as the central identity store in a multitude of enterprise deployments and can be used to perform end user authentication.
A popular mechanism for such end user authentication is based on determining if the end user knows the correct password associated with that user's account. One of the challenges with password based authentication is preventing a malicious user from guessing the password and attempts to do so are usually classified as “brute force” or “dictionary” attacks where a malicious entity will perform a series of authentication attempts providing different password values until success is achieved.
Some directory services support advanced mechanisms to mitigate such attacks by detecting consecutive failed login attempts and locking the account for a pre-determined time interval thereby reducing the likelihood of success by such an attack. For example, if a particular password can have 266 or 308,915,776 possibilities (which is a 6 character password constructed using case-insensitive letters) and you locked out an account for a day after 3 consecutive failed logins that would require (266)/3 or 102,971,925 days to cover all possibilities. But if you didn't have such lock out mechanisms in place thus allowing unrestricted consecutive authentication attempts and each attempt took 1/100 of a second it would take just under 36 days to try all possibilities.
A directory service is able to safeguard accounts contained within the directory from these attacks only if it is aware of the result of an authentication attempt. LDAP (lightweight directory access protocol) is a well known application protocol for querying and modifying directory services running over TCP/IP. In at least one known LDAP directory service, authentication attempts have been performed via LDAP bind operations where the client provides a cleartext password value to the directory service and the directory service evaluates its correctness internally and maintains the required state regarding successful or failed authentication attempts. Thus, in an LDAP bind operation the entire authentication process is performed within the directory service with appropriate internal events being generated to update various account states as necessary.
However, to address concerns regarding the propagation of a cleartext password over the Internet (even within a secure channel such as SSL) a new class of authentication mechanisms known as digest authentication has been proposed and has grown in popularity. The new class of authentication mechanisms can and often use LDAP search operation based authentication. In an LDAP search based authentication, authentication is performed against other authentication tokens (e.g., verifiers) maintained as part of a user entry where the token maybe retrieved by the application and the authentication process occurs within the application and outside the scope of the directory service. Therefore in LDAP search based authentications, the directory does not implicitly know the result of the authentication attempt. Based on the HTTP digest authentication mechanism, slightly varied versions are being adopted by other protocols.
Consider a simplified scenario on how a variant of an LDAP search based authentication is used by one known security product:                1. An end user provides his password to a client when attempting to access a database.        2. This password is converted into an irreversible format (a verifier) and transmitted to the database.        3. The database queries the directory service for the known verifier corresponding to the end user via an LDAP search operation.        4. The database compares the two (user provided and known) verifier values and determines whether authentication was a success or not.        5. Based on the result in 4, the end user is either granted or denied access to the database.        
The comparison that occurs in step 4 occurs outside the directory service and therefore the directory service has no means to know the result of the comparison. What this means is that a malicious entity can launch an attack on a particular account via the client and the database while circumventing the protections afforded by the directory service against such attacks. Essentially, any mid-tier application performing end user authentication via verifiers by referring to a central identity store in the form of a directory service is susceptible to be exploited in this manner.
One mechanism that can be implemented to avoid this problem is for all mid-tier client applications to build logic that maintains their own state regarding authentication events and performs the necessary account lockouts. Such an approach is not desirable in some instances. Accordingly, additional techniques of providing a secure mechanism for a client to inform a directory service of the authentication results when authentication is performed within the client are desirable.