A typical credential manager is a program module on a computer, such as a personal computer (PC). More particularly, a credential manager is typically part of the trusted core of the computer's operating system (OS). As the name implies, a credential manager handles the storage of, and access to (e.g., reads and writes of), credentials, which are used to gain access to networks (e.g., domains) and network resources.
No conventional credential manager provides a mechanism to retrofit legacy systems, which have provisions only for the traditional username/password authorization model, so that they can use a non-password authorization model (e.g., X.509 certificates).
Some conventional credential managers provide a mechanism that binds a minimum set of credentials to the resources requiring authentication. The goal of these conventional managers is to provide a “single sign-on” that gives access to a variety of resources across one or more networks, and access to the networks themselves. However, none of these conventional credential managers employs a single sign-on mechanism that, once the user is authenticated to a domain, automatically and transparently supplies the appropriate credentials to each of the multiple resources within that authorized domain.
Credentials
A “credential” is a generic term for data used to verify the identity of an entity. An entity may be a server, a client, a service, etc. Typically, it is a user. Common forms of credentials include the username/password pair, X.509 certificates, and biometric identification. There are two general types of credentials: domain credentials and generic credentials.
Domain Credentials. Typically, these are used by operating system (OS) components and are authenticated by a local security authority (LSA). The LSA is typically a low-level program module (e.g., part of the trusted core of the OS) that ensures that an entity attempting to access the system actually has permission to do so.
Typically, domain credentials are established for a user when a registered security support provider (SSP), such as Kerberos, authenticates the logon data provided by the user. The logon credentials are cached by the OS so that a single sign-on gives the user access to a variety of resources. For example, network logons can occur transparently, and access to protected system objects can be granted on the basis of the user's cached domain credentials.
Domain credentials are protected by the operating system: only components running in-process with the LSA can read and write domain credentials. Applications are typically limited to writing domain credentials; they cannot read them back.
Generic Credentials. These are defined and authenticated by applications that manage authorization and security directly, instead of delegating these tasks to the operating system. For example, an application can require users to enter a user name and password provided by the application or to produce a certificate in order to access a Web site.
Applications may prompt users for application-defined (generic) credential information such as username, certificate, smart card, or password. The information entered by the user is returned to the application. Authenticating this information is the responsibility of the application—not the OS.
Unlike domain credentials, generic credentials may be read and written by user processes (e.g., applications).
One way of implementing generic credentials is via “cookies.” A cookie is a message given to a Web browser by a Web server. The browser typically stores the message in a text file. The message is then sent back to the server each time the browser requests a page from the server.
One of the main purposes of cookies is to identify and authenticate users. When a user first enters a Web site, the user may be asked to fill out a form providing identification information. This information is packaged into a cookie and sent to the Web browser, which stores it for later use. The next time the user goes to the same Web site, the browser sends the cookie to the Web server, and the server can use this information to identify and authenticate the user. Because the stored cookie is readable and writable on the client, the server can rely on its contents only to the extent that it can detect that the cookie was altered after it was issued.
In this example, the application program controls the credentials—the application program can both read and write the credentials. Thus, these credentials are generic.
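The passage above makes the application, not the OS, responsible for authenticating whatever comes back in the cookie. The following added example (not code from the original text) shows why that responsibility cannot be met by storing identification information in the cookie as-is: anyone who can edit the browser's text file can rewrite the identity. It contrasts that naive scheme with the same payload protected by an HMAC-SHA256 tag under a key only the server holds. The key, the identity record and the `tamper` helper are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed server-side secret for this example; a real application would
# load it from protected storage rather than generate it at import time.
SERVER_KEY = secrets.token_bytes(32)


def _encode(identity: dict) -> str:
    return base64.urlsafe_b64encode(
        json.dumps(identity, sort_keys=True).encode()).decode()


def _decode(payload: str) -> dict:
    return json.loads(base64.urlsafe_b64decode(payload.encode()))


def make_unsigned_cookie(identity: dict) -> str:
    """The scheme as described above: identification info packaged as-is."""
    return _encode(identity)


def read_unsigned_cookie(cookie: str) -> dict:
    """The server takes the cookie contents at face value."""
    return _decode(cookie)


def make_signed_cookie(identity: dict, key: bytes = SERVER_KEY) -> str:
    """Same payload plus an HMAC-SHA256 tag keyed with a secret only the
    server holds, so the server can tell whether the cookie came back unchanged."""
    payload = _encode(identity)
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def read_signed_cookie(cookie: str, key: bytes = SERVER_KEY) -> Optional[dict]:
    """Return the identity if the tag verifies, None otherwise. The tag is
    checked before the payload is parsed, so untrusted bytes are never decoded."""
    payload, sep, tag = cookie.rpartition(".")
    if not sep or not payload:
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return _decode(payload)


def tamper(cookie: str, **changes) -> str:
    """What the user (or malware on the client) can do with the stored text
    file: decode the identification info, change it, and re-encode it.
    Only the payload part is rewritten; any trailing tag is left as it was."""
    payload, sep, tag = cookie.rpartition(".")
    if not sep:
        payload, tag = cookie, ""
    identity = _decode(payload)
    identity.update(changes)
    forged = _encode(identity)
    return f"{forged}.{tag}" if sep else forged


def demo():
    """Returns (role the unsigned server accepts, result of the signed check)."""
    identity = {"user": "alice", "role": "member"}

    # Unsigned: the forged cookie is accepted as if alice were an admin.
    forged = tamper(make_unsigned_cookie(identity), role="admin")
    accepted_unsigned = read_unsigned_cookie(forged)["role"]

    # Signed: the same edit invalidates the tag and the cookie is rejected.
    forged = tamper(make_signed_cookie(identity), role="admin")
    accepted_signed = read_signed_cookie(forged)

    return accepted_unsigned, accepted_signed
```

The tag only proves integrity: the identity is still visible to the client, and a captured cookie replays until it expires or the key rotates. An application that wants to keep the generic credential entirely on the server side issues an opaque random session identifier instead and looks the identity up from server state.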
Identification and Authentication Models
Existing software authentication systems are typically based on a username and password pair model (the “password model”). In this model, the username identifies a user and the password verifies that identity. The model is used extensively, and a substantial body of software has been written to use this form of credential.
However, there are non-password based user credentials, such as X.509 certificates or biometric identification/authentication models. Upgrading software systems to use non-password based user credentials requires major rewrites if conventional techniques are used.
Single Sign-On
Traditional methods of providing single sign-on usually require that a distinct credential be used for each unique application or resource that requires authentication. This can result in large numbers of user credentials that must be stored, securely maintained and managed on the user's behalf.
Conventional Credential Managers
No conventional credential manager is domain-authentication aware. In other words, no conventional manager provides a mechanism whereby authentication to one resource in a trust network enables automatic (without manual user input) authenticated access to all resources in that trust network.
No conventional credential manager provides a mechanism for concurrent authentications with multiple independent networks (e.g., domains).
No conventional credential manager has an encrypted database structure for a user's credentials in which the entire structure is encrypted (as opposed to encrypting each credential separately).
No conventional credential manager provides a credential model retrofit for legacy applications that only understand the password model. No conventional manager marshals high-level credentials (such as a certificate) so that the high-level credential appears to be a low-level credential (such as a user/password) to legacy applications.
No conventional credential manager provides a mechanism where the application is only a “blind courier” of credentials between the trusted part of the OS and the network and/or network resource. No conventional manager fully insulates the application from “read” access to the credentials.
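The point about encrypting the whole credential database rather than each credential separately has a concrete consequence that the section leaves implicit: with per-credential encryption, the store's index (which targets the user holds credentials for, under which usernames, and how many there are) is readable by anyone who can copy the file, even though the secrets themselves are not. The following is an added example, not code from the original text, comparing the two layouts. The HMAC-SHA256 keystream with an encrypt-then-MAC tag stands in for a real authenticated cipher or the OS's protected storage so that the example runs with only the Python standard library; the store contents and the key are constructed.

```python
import base64
import hashlib
import hmac
import json
import secrets


def _derive(key: bytes, label: bytes) -> bytes:
    # Separate keystream and tag keys derived from one master key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 driven in counter mode as a PRF keystream. This is an
    # assumption made so the example is standard-library only; a production
    # store would use an AEAD such as AES-GCM or the OS's protected storage.
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(4, "big"),
                               hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(_derive(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_derive(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before touching the ciphertext; reject any modification."""
    if len(blob) < 48:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_derive(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("credential store tag mismatch")
    ks = _keystream(_derive(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


# Layout 1: each secret sealed separately; the index stays in the clear.
def serialize_per_entry(store: dict, key: bytes) -> bytes:
    entries = [
        {"target": target, "username": cred["username"],
         "secret": base64.b64encode(seal(key, cred["password"].encode())).decode()}
        for target, cred in store.items()
    ]
    return json.dumps(entries).encode()


def deserialize_per_entry(data: bytes, key: bytes) -> dict:
    return {
        e["target"]: {"username": e["username"],
                      "password": unseal(key, base64.b64decode(e["secret"])).decode()}
        for e in json.loads(data)
    }


# Layout 2: the entire structure sealed as one unit; without the key nothing
# is visible, not even how many entries exist.
def serialize_whole(store: dict, key: bytes) -> bytes:
    return seal(key, json.dumps(store, sort_keys=True).encode())


def deserialize_whole(data: bytes, key: bytes) -> dict:
    return json.loads(unseal(key, data))


def exposed_targets(per_entry_blob: bytes) -> list:
    """What someone who copies the per-entry store file learns without the key."""
    return [e["target"] for e in json.loads(per_entry_blob)]


def rejects_modification(key: bytes, blob: bytes, position: int = 20) -> bool:
    """Flip one ciphertext bit and confirm unseal refuses the result."""
    modified = bytearray(blob)
    modified[position] ^= 0x01
    try:
        unseal(key, bytes(modified))
    except ValueError:
        return True
    return False


# Constructed sample store and key for the example.
SAMPLE_STORE = {
    "corp.example": {"username": "alice", "password": "hunter2"},
    "mail.example": {"username": "alice", "password": "s3cret!"},
}
SAMPLE_KEY = bytes(range(32))
```

Reading the per-entry file reveals the target list and usernames; reading the whole-structure file reveals only its length. Both layouts reject a modified file because the tag covers the ciphertext, which is the check a store should do before decrypting anything.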