It is becoming increasingly common for individuals to operate many devices that have the ability to connect to communication networks. In particular, it is common for individuals to carry many pervasive devices, or electronic devices such as personal digital assistants (PDAs), laptop computers, wireless telephones, sensors, digital watches, etc. that can all be used to communicate or access information over wireless or wireline communication networks. In many cases, communication with these pervasive devices needs to be done in a secure manner to ensure the confidentiality and integrity of data, as well as protecting the communication networks from unauthorized use.
This need for security places a great burden on users because they must provide authentication and authorization “credentials” for each device that they use for secure communications, where credentials are the means for declaring the security attributes of the users. The problem is compounded by the fact that many devices, such as digital watches, do not have convenient user interfaces for entering credentials.
There are systems, such as wireless phone networks, that address this problem by providing long-term storage of user credentials to access the phone network in the wireless phone, and by providing automatic authentication on behalf of the user to the phone network. This special case for existing wireless phone networks suffers from several disadvantages if applied to portable devices that connect with many different secure services. First, if a device is lost, the credentials stored on the device for each service can be compromised. In this case, the user must coordinate with each of the services to deactivate the credentials as opposed to coordinating with one service in existing wireless phone networks. Second, if devices need many different user credentials to access many different services, there is significant overhead (e.g., extensive time and effort to be expended) in entering these credentials for each device.
To simplify the task of authentication and authorization for users and to provide better protection for credentials, it has been recognized as being highly desirable if a user could enter credentials on one convenient authentication device such that the authentication device could automatically and securely share the user's credentials with several or all of his or her pervasive devices. Furthermore, it is desirable for such a system to protect user credentials that have been shared with pervasive devices in the event that the devices are lost or stolen.
There are existing solutions that offer some of these desirable qualities. For example, user credentials can be protected if a device is lost or stolen as long as the user credential has limited time validity, or is not cached by the device. However, this implies that the user would need to frequently provide credentials to the device.
Conceivably, there are many solutions for exchanging data from one device to another that could be used to share credentials between pervasive devices. Such solutions include TCP/IP over wireless or PDA infrared hot-syncing protocols, among others. These solutions, however, do not securely authenticate the devices. In PDA “hot-synching”, for example, the only authentication used is the name of the device, which can easily be determined and forged.
There are also systems like Dynamic Host Configuration Protocol (DHCP) in which one device provides information that another device needs to gain access to a network. In DHCP, a DHCP server provides an Internet Protocol address, an address for a network gateway, and addresses for Domain Name Service machines to a DHCP client computer. The DHCP client computer uses these addresses to gain access to the network such that the needed information does not need to be manually configured on the DHCP client. However, the DHCP system does not address distribution of user credentials and cannot protect against disclosure of the information it provides to the client.
In view of the foregoing, a need has been recognized in connection with providing more efficient and effective solutions than those previously attempted.