1. Field of the Invention
The invention concerns a method to provide a secured remote access to private resources.
More specifically, the method allows remote Internet users to access securely to private resources protected by a firewall.
The invention also concerns an architecture implementing said method.
Within the framework of the invention, "resources" are related to all kinds of "objects": hardware or logical units, such as a particular computer, microcomputer or server in a data processing system, a disk unit, a database, or a software application, etc.
2. Description of the Prior Art
When a user or a client device attempts to access to a particular protected resource located in a data processing system, generally it is necessary to check whether it may or not access to said resource. For example, if the user sends a request so as to read some protected data, its requests must be filtered, before granting such an access. On the one hand, the authentication of the user must be performed. On the second hand, after this authentication stage is performed, the request is allowed or discarded according to his rights or privileges.
If the problem is to be handled on a local area or on a LAN (Local Area Network), the solution is generally quiet simple. The number of users and their rights and other identification data are well known and mastered. The information is usually stored in a secured data base. These data and associated security mechanisms are under control of a security officer or a system administrator.
When a session is started at a user's station or the like, the usual process is the following :
The user enters some identification data, for example a log-in and a password, which are sent to a server.
Upon reception, the server or a security device filters the request, i.e. it compares the received data with filtering rules stored in a secured data base. If the user is authorized to access the resource, the operation is allowed. Otherwise, the operation is denied. The control may be more sophisticated: for example a given user may read data stored on a particular disk unit, but not write data nor erase them.
Another problem relates to a multiple access request, i.e. when a user's device requests to access successively to more than one resource, for example to three separate servers. The usual way to proceed is to enter as many different passwords (and eventually log-in words) as there are servers to be accessed, or more generally speaking number of resources to be accessed. Thus, the user has to remember a lot of authentication data.
Furthermore, the system has to cope with the necessity to change, at least at regular intervals, the set of passwords, identification data and authorization levels attributed to users and resources. Such modifications are also made when at least one of the following circumstances arises: addition, modification or deletion of one or more resources.
To overcome the above-recalled problems, as far as local access requests are concerned, some methods have been proposed in the prior art.
One method is based on the implementation of a special piece of security software in the user's station. When a user wants to access one or more servers or resources, he enters a log-in and a password, or any other authentication data sets, as usual. However, this stage is performed once for a whole session. Said piece of security software sends a request to a security manager unit or the like which looks at a secured data base. Said request consists in a message transmitted through any suitable channel that does not need to be secured per se. However, the data themselves are usually coded or more exactly enciphered. According to the result of the comparison between received data and stored data, the security unit makes a decision whether or not the user is permitted to use one or more resources. It send back an enciphered response message to the requesting user's station. Said message contains data indicating whether the connection to one or more resources is allowed or denied, and eventually which resources are allowed if all are not permitted, taking into account the entered password. The corresponding data is stored in the user's station under control of the special piece of security software.
Such a feature is often called "SSO" ("Single Sign-On").
It is easy to understand that to manage the access of remote users, according to a given security policy, in a consistent way, is more difficult than locally.
As above-recalled, thought the invention is not limited to this sole application, the preferred application concerns remote accesses to private resources through Internet.
Such a network exhibits specific features. Some are recalled here-after.
The number of users connected to Internet is not limited. Solutions, such as the ones recalled, which are convenient for a LAN or the like are useless. As a matter of fact, it is not realistic or even possible that the security officer or the security manager unit can control hundred or thousand users, distributed on a worldwide basis, in particular when security data associated with various resources are to be changed very often. In other words, it is not possible to simply implement the above-recalled piece of security software in each user's workstation, remote personal computer or terminal to solve the above-recalled problem.
Transmissions use standardized protocols such as "FTP" ("File Transfer Protocol"), "Telnet" (terminal emulation), "HTTP" ("Hyper Text Transfer Protocol") , etc. So, any solution implemented so as to secure data exchanges must cope with standardization requirements.
Internet constitutes a highly insecure network. Messages routing is never foreseeable. In particular, it depends on an eventual congestion along backbones or any transmission channels. Messages may be stored in "ISP" stations ("Internet Service Providers") before to being delivered or downloaded, and can be copied. Thus security can not be guaranteed.
Usually, a security device, called a "firewall", is provided in order to isolate the "outside world", i.e. Internet, from the "inside world", LAN or other computer facilities. But prior art devices only filter "IP" ("Internet Protocol") addresses, i.e. one of the lowest layers of the architecture. Internet layers comprise the following ones "Physical", "Data Link" ("PPP", "Slip", etc.), "Network" ("IP"), "Transport" ("TCP", "UDP") and "Application" ("HTTP", "FTP", "e-mail", etc.).
The problem of securely filtering remote access requests to a protected server (i.e. a physical machine), an application, for example a "FTP" type application (i.e. a higher level layer), or any other resource remains unsolved.
In the prior art some attempts have been made to solve this problem.
The first solution is known as a "VPN" ("Virtual Private Network"). It consists in providing secured "data pipes" constituting so-called "Extranets" which are extensions of Intranets or LANs. As communication channels are not located inside a well delimited area (private building, manufacturing plant, etc.), it is necessary to use a cryptology method in order to secure transmitted data. Furthermore, as they are publicly transmitted and thus can be intercepted, enciphered data must be very difficult to be decrypted. It implies that high-level algorithms must be used, for example algorithms exhibiting a long-sized encoding key. However, such algorithms are not allowed in some country, for example in France (except if a special authorization is given: defense-related applications, etc.), at least when they the purpose is to encipher the whole message. They are only allowed for encoding authentication data, such as electronic signatures (sealing function). On networks of the "VPN" type, it is impossible to differentiate authentification data from application data. Thus, a "VPN" type solution commonly uses low-level algorithms or weak keys, which is not sufficient to protect very sensitive data, as passwords for example. Furthermore, problems in connection with the necessity to remember a lot of passwords and other authentication data remain unsolved.
An other known solution consists in securing the initial authentication stage with "One-Time Passwords" ("OTP"). Stealing such passwords is without importance as they can not be "re-played". However, as above, the problem relating to the necessity to remember a lot of authentication data remains unsolved. At the beginning of a session, a final user must retrieve the connection data for each server or resource to be accessed. Furthermore, the solution is very expensive to implement as each protected accessed resource must be modified in order to install an authentication client which is able to handle one-time passwords.
Other solutions are based on standards authentication protocols as "TACACS" .RTM. or "RADIUS" .RTM. which permit to route authentication requests outside filter network hardware. These solutions allow the implementation of one-time passwords generation means, as above recalled. However, problems in connection to the necessity of remembering a lot of passwords and other authentication data remain again unsolved.
The invention is directed to alleviate the drawbacks of the prior art methods, some of which have just been referred to, and to meeting the stated requirements.