The ever-rising dependence on computer systems has brought an attendant rise in concern about computer security. One well-known method of restricting access to computers and computer resources (for example, one program or application accessing another) is the use of passwords. Hard-coded application passwords are the de facto method by which one application (the requester) authenticates to another application or service (the target) in order to gain access to the resources and/or data the target offers.
However, hard-coding passwords creates significant vulnerabilities to data, since a hard-coded password persists as clear text in source code, compiled binaries or configuration files, where anyone who can read the artifact can recover it. Such passwords must also be distributed to developers, and because they are rarely changed they remain valid for long periods. Both factors increase the exposure to security breaches.
For organizations with password-change policies, hard-coded passwords impose a recurring software-maintenance burden: every rotation requires a code change and a redeployment of each requester. This carries significant costs in human redevelopment effort, and it creates the potential for application outages when the target's password is changed before every requester that uses it has been updated (synchronization and timing errors).
Despite these drawbacks, hard-coded passwords remain in use in approximately 90% of all corporate applications. New applications continue to be developed and deployed with hard-coded passwords, and third-party (vendor) applications force corporations to accept and deploy systems containing them. Since 70% of datacenter applications are database driven, the credential at stake is most often a database password.
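The clear-text exposure described above, as an added example (not code from the original page): a connector with a hard-coded database password beside one that reads the credential at run time, a small scanner for credential literals in source, and a check that the literal survives compilation to bytecode exactly as `strings` would find it in a shipped artifact. The connector sources, the password value, the variable names and the environment-variable convention are all constructed for illustration.

```python
"""Why a hard-coded application password is recoverable from the artifact that
ships it, and a simple static check for such literals.

Added example; not code from the original page. The connector sources, the
variable names and the password value are constructed for illustration."""
import os
import re
import marshal
from unittest import mock

# Constructed sample: a legacy connector with a hard-coded database password.
LEGACY_SOURCE = '''
def connect():
    host = "db01.corp.example"
    user = "app_svc"
    password = "Sup3rS3cret!"  # hard-coded application password
    return (host, user, password)
'''

# Constructed sample: the same connector, credential supplied at run time
# by the deployment (an environment variable stands in for a secret store).
RUNTIME_SOURCE = '''
import os
def connect():
    host = "db01.corp.example"
    user = "app_svc"
    password = os.environ["APP_DB_PASSWORD"]
    return (host, user, password)
'''

# A string literal assigned to a credential-like name. Deliberately narrow;
# a production scanner would also cover dict keys, keyword arguments, etc.
CRED_ASSIGNMENT = re.compile(
    r'''\b(pass(?:word|wd)?|secret|token|api_key)\s*=\s*(["'])([^"']{4,})\2''',
    re.IGNORECASE,
)


def find_hardcoded_credentials(source: str):
    """Return (line_no, name, value) for each credential literal in source."""
    hits = []
    for n, line in enumerate(source.splitlines(), 1):
        m = CRED_ASSIGNMENT.search(line)
        if m:
            hits.append((n, m.group(1), m.group(3)))
    return hits


def strings_in_compiled(source: str, min_len: int = 4):
    """Compile source to bytecode and pull printable runs out of the
    serialized code object, as `strings` would on a shipped .pyc."""
    code = compile(source, "<connector>", "exec")
    blob = marshal.dumps(code)
    return [s.decode("ascii") for s in re.findall(b"[ -~]{%d,}" % min_len, blob)]


def leaks_secret(source: str, secret: str) -> bool:
    """True if the secret survives compilation as a readable string."""
    return any(secret in s for s in strings_in_compiled(source))


def run_connector(source: str, env: dict):
    """Execute a connector and call its connect(); env simulates the
    deployment injecting the credential at run time (constructed, not a
    real secret store)."""
    namespace = {}
    with mock.patch.dict(os.environ, env):
        exec(compile(source, "<connector>", "exec"), namespace)
        return namespace["connect"]()


if __name__ == "__main__":
    print(find_hardcoded_credentials(LEGACY_SOURCE))
    print(leaks_secret(LEGACY_SOURCE, "Sup3rS3cret!"))
    print(find_hardcoded_credentials(RUNTIME_SOURCE))
    print(run_connector(RUNTIME_SOURCE, {"APP_DB_PASSWORD": "from-vault"}))
```

The point of the bytecode check is that removing the literal from the readable source is not enough: the password is a constant in the compiled code object and is recovered by a plain printable-string scan. The run-time variant keeps only the name of the credential in the artifact; rotating the secret then changes nothing in the code, which is the maintenance problem the preceding paragraph describes.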
While User Identity Management systems offer authentication and authorization of individuals to systems, there are significant difficulties in using these solutions for unattended applications:
they rely upon user manual interaction for authentication;
they rely upon user manual interaction for recovery of authentication credentials;
they do not include credential access and management capabilities for automatic use by unattended scripts and applications;
they offer no tamper resistance;
they offer no defense against static or dynamic analysis; and
they assume that employees are generally to be trusted, an assumption which is demonstrably untenable due to the prevalence of insider attacks.
Another possibility is a provisioning system. Provisioning systems offer the ability to push operating-system and software configuration updates to servers. However, there are significant difficulties in using these solutions for unattended applications:
they do not include run-time retrieval of credentials for use by unattended scripts and applications;
they do not include credential access and management capabilities for automatic use by unattended scripts and applications;
they offer no tamper resistance; and
they offer no defense against static or dynamic analysis.
Another option would be a Public Key Infrastructure. Public Key Infrastructures offer the components needed to create a comprehensive and elegant authentication and authorization solution. However, there are significant difficulties in using these solutions for unattended applications:
they do not protect keying materials while in memory;
they rely upon user interaction for access to authentication credentials;
they do not include credential access and management capabilities for automatic use by unattended scripts and applications;
they offer no tamper resistance;
they offer no defense against static or dynamic analysis or tampering of the application code;
they dramatically shift the authentication paradigm for corporations and incur larger integration and deployment efforts; and
both the authenticator and the authenticatee must be modified to make use of PKI for authentication purposes.
Another possibility would be the Kerberos authentication protocol. Kerberos offers the components needed to create a comprehensive and elegant authentication and authorization solution. However, there are significant difficulties in using it for unattended applications:
it does not protect keying materials while in memory;
it relies upon user interaction for access to authentication credentials;
it relies on a stored long-term secret (a keytab or a hard-coded password) for authentication by unattended applications;
it does not include credential access and management capabilities for automatic use by unattended scripts and applications;
it offers no tamper resistance;
it offers no defense against static or dynamic analysis or tampering of the application code;
it dramatically shifts the authentication paradigm for corporations and incurs larger integration and deployment efforts; and
it requires that both the authenticator and the authenticatee be modified to make use of Kerberos for authentication purposes.
There is therefore a need for systems and methods that allow unattended authentication of applications so that those applications can access resources. Ideally, such systems and methods avoid the shortcomings of hard-coded passwords while providing a similar, if not higher, level of security.