The present invention relates generally to computer network security systems. More particularly, the invention relates to a security system that allows secure access by a remote authenticated user via a remote client that utilizes a portable storage device containing user-generated one-time passwords.
With the proliferation of computer network-propagated viruses and worms, and with the increasing frequency at which computer networks are being broken into, there is considerable interest today in computer security. Sophisticated network administrators construct secure firewalls to prevent such attacks. Less sophisticated system administrators, including most home network computer users, employ security measures that are far less robust. At present, many home computer networks are simply unprotected. Computer network security is a complex issue, and many home network users simply do not have the skill or training to ensure that their networks are free from attack.
The present invention provides a network security solution that is both highly secure and easy to use. The invention is thus ideal for home network security applications, where the network “administrator” may not necessarily have a great deal of training or experience in security issues.
The invention employs a portable storage device that maintains a set of one-time passwords. Using system software from a secure vantage point within the home network, the user generates a set of one-time passwords that are stored on the portable storage device. The portable storage device may then be installed in or connected to any remote client computer, giving that remote client computer the ability to establish and authenticate a secure connection with the home network. Each password is used only once, and session management software within the home network has the ability to limit a session to a predetermined length of time (e.g., 30 minutes). Although communication between the home network and the remote client is preferably over a secure channel, communication of the one-time password over this channel is further protected by using an encrypted version of the user's PIN. The PIN is encrypted at the remote client using a plug-in module that accesses a protected area within the portable storage device to retrieve the key used for this encryption.
The preferred embodiment takes the form of a home gateway that includes a firewall which functions as a screening router. The screening router screens out all requests to access content on the home network. All URLs associated with the home network are unreachable directly from the outside, and are thus maintained as protected URLs. The remote client, even after authentication, cannot issue URLs for the home network directly. Rather, upon authentication, a web proxy system is employed to communicate with the home network on behalf of the authenticated remote client. The proxy system works in conjunction with URL modification and URL verification processes. The URL verification process verifies the authenticity of the client, while the URL modification process gives the web proxy system the correct reference for the trusted domain resource. The URL modification process is unique for each authenticated client and for each authenticated session. Thus URLs that have been modified for a given authenticated client and for a given session cannot be re-used by other clients, or even for the same client during a later session.
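The per-client, per-session URL modification and verification described above, modelled as an added Python illustration that is not the patent's own code: a key derived from the gateway secret, client and session binds an HMAC tag to each modified URL, so a reference issued to one client in one session verifies for nobody else. The gateway secret, the `PROXY_BASE` endpoint and the sample protected URLs are constructed assumptions.

```python
import hmac
import hashlib
from urllib.parse import quote, urlparse, parse_qs

# Constructed sample: resources on the trusted domain. The screening router
# never exposes these directly; the web proxy fetches them on behalf of an
# authenticated client that presents a valid modified URL.
PROTECTED_URLS = {"http://home.lan/cam1", "http://home.lan/files/tax.pdf"}
PROXY_BASE = "https://gateway.example/proxy"  # hypothetical bastion-host endpoint


def session_key(gateway_secret: bytes, client_id: str, session_id: str) -> bytes:
    """Derive a key bound to one authenticated client and one session.

    Because the key changes with either value, a URL modified under it
    cannot be re-used by another client or in a later session."""
    label = f"{client_id}|{session_id}".encode()
    return hmac.new(gateway_secret, label, hashlib.sha256).digest()


def modify_url(key: bytes, protected_url: str) -> str:
    """Rewrite a protected URL into a proxy reference carrying an HMAC tag."""
    if protected_url not in PROTECTED_URLS:
        raise ValueError("not a trusted-domain resource")
    tag = hmac.new(key, protected_url.encode(), hashlib.sha256).hexdigest()
    return f"{PROXY_BASE}?u={quote(protected_url, safe='')}&t={tag}"


def verify_url(key: bytes, modified_url: str):
    """Return the trusted-domain URL the proxy may fetch, or None if the
    reference was not issued to this client/session or was altered."""
    parsed = urlparse(modified_url)
    if f"{parsed.scheme}://{parsed.netloc}{parsed.path}" != PROXY_BASE:
        return None
    params = parse_qs(parsed.query)
    if len(params.get("u", [])) != 1 or len(params.get("t", [])) != 1:
        return None
    protected_url = params["u"][0]  # parse_qs already percent-decodes
    expected = hmac.new(key, protected_url.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so a forged tag is not revealed by timing.
    if not hmac.compare_digest(expected, params["t"][0]):
        return None
    if protected_url not in PROTECTED_URLS:
        return None
    return protected_url
```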
In the preferred embodiment the authentication function is performed by a bastion host system forming part of the home gateway. The bastion host has software to perform the remote key authentication process by which the remote client authenticates itself using the one-time password obtained from the portable storage device. The bastion host also performs the URL verification and modification functions mentioned above.
The invention thus affords a high level of security in an easy-to-administer package. Everything a user needs to gain access to the home network from a remote client computer (except for knowledge of the user's personal identification number) is stored on the portable storage device. In a presently preferred embodiment the storage device also includes suitable browser plug-in software that supplies a remote client computer's browser with the capability of performing the authentication process, including the process of accessing and using the appropriate one-time password.
Unlike other security systems that rely on a trusted third party source for key distribution, the invention allows the user to create his or her own keys by operating configuration software at the trusted home network site. The user thus configures the portable storage device, supplying it with a set of one-time passwords using the configuration software.
The configuration software also installs a corresponding set of authentication codes in a secure database associated with the gateway. In this way, both the gateway and the portable storage device are provided with the corresponding keys needed to perform authentication. This solves the problem of how to securely distribute keys to a remote client, so that the remote client can then gain access to the home network.
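The configuration and remote-key authentication steps described here and in the portable-storage-device paragraph above, as an added Python example that is not part of the patent text: configuration at the trusted site writes the password set to the device and only the corresponding hashed authentication codes to the gateway database, each password authenticates exactly once, and a session expires after the predetermined 30-minute limit. The gateway database is a plain dict and the password-set size is a constructed value.

```python
import hashlib
import secrets

OTP_COUNT = 5              # size of the one-time password set (constructed)
SESSION_SECONDS = 30 * 60  # predetermined session length from the description


def configure_device(gateway_db: dict, user: str, count: int = OTP_COUNT) -> list:
    """Run from the trusted home-network site. Returns the one-time password
    set to be written to the portable storage device and installs only the
    matching authentication codes (hashes) in the gateway's secure database."""
    passwords = [secrets.token_hex(16) for _ in range(count)]
    gateway_db[user] = {
        "codes": {hashlib.sha256(p.encode()).hexdigest() for p in passwords},
        "sessions": {},
    }
    return passwords  # carried by the portable device, never kept by the gateway


def authenticate(gateway_db: dict, user: str, otp: str, now: float):
    """Remote-key authentication: accept a password only if its code is still
    unused, then remove the code so the same password cannot be replayed.
    Returns a session identifier, or None on failure."""
    record = gateway_db.get(user)
    if record is None:
        return None
    code = hashlib.sha256(otp.encode()).hexdigest()
    if code not in record["codes"]:
        return None
    record["codes"].discard(code)  # each password is used exactly once
    session_id = secrets.token_hex(8)
    record["sessions"][session_id] = now + SESSION_SECONDS
    return session_id


def session_valid(gateway_db: dict, user: str, session_id: str, now: float) -> bool:
    """Session management: a session is valid only until its expiry time."""
    expires = gateway_db.get(user, {}).get("sessions", {}).get(session_id)
    if expires is None:
        return False
    if now >= expires:
        del gateway_db[user]["sessions"][session_id]
        return False
    return True
```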
For a more complete understanding of the invention, its objects and advantages, refer to the following specification and to the accompanying drawings.