The working environment of companies that handle large amounts of data is nowadays dominated by computers and, in particular, by networked computers. Such corporate networks provide an efficient communication platform for the staff of a company or of other institutions, such as universities. They also make it possible to offer IT services to a well-defined group of persons, for example the employees of a company. Corporate networks further provide the basis for an Intranet that serves company-specific data only to those computers that are physically connected to the corporate network. In this way, a corporate network is intended to prevent external access to confidential company-specific data or company-specific IT services, such as company-specific software. Consequently, an employee can only access company-specific data and IT services from a computer that is physically part of the corporate network.
With the rapid expansion of the Internet, data and IT services have in principle become accessible worldwide. Moreover, as staff become increasingly mobile, it is highly desirable to provide access to corporate networks also from computers at remote locations that reach the corporate network via the Internet. An employee could then access the corporate network or Intranet from home or from a hotel while on business travel. Worldwide access to corporate networks via the Internet is in principle realisable. However, plain Internet-based communication is insecure and typically does not meet the stringent security requirements of a corporate network.
Here, the concept of the virtual private network (VPN) provides a general solution. A VPN is a private communications network that is typically used within a company, or by several different companies or organisations, that communicates over a public network. VPN traffic is typically carried over public networking infrastructure, such as the Internet, using standard and hence possibly insecure communication protocols, such as IPv4. Virtual private networks use cryptographic tunnelling protocols to provide the confidentiality, sender authentication and message integrity needed to achieve the intended privacy. When properly chosen, implemented and used, such techniques can indeed provide secure communication over insecure networks.
Nowadays, a plurality of different implementation schemes exist for establishing VPNs, based on a plurality of different VPN protocols. These include, for example, IP security (IPsec), which was originally specified as a mandatory component of IPv6, the Point-to-Point Tunnelling Protocol (PPTP), Layer 2 Forwarding (L2F) and the Layer 2 Tunnelling Protocol (L2TP).
For almost any VPN, secure authentication is required. For example, when an employee of a company wants to access the corporate network from home or during business travel, the employee typically uses a portable computer together with a dedicated authentication device, such as a Token. The mobile computer is typically equipped with dedicated authentication software, such as a VPN client. In order to authenticate the mobile computer to the VPN gateway of the corporate network, the user has to enter a one-time password into the mobile computer. Such a one-time or temporary password is generated by the Token, which is implemented as a hardware device and carried along by the user. When the Token is handed over to the employee, it has typically been synchronised with the VPN gateway of the corporate network, i.e. gateway and Token share the secret and the clock reference from which the one-time passwords are derived.
The temporary or one-time password changes after a predefined time interval has elapsed. For example, the password generated by the Token changes once a minute and is determined by a cryptographic function of the shared secret and the current time. Typically, the one-time password is shown on a display of the Token. The employee then enters the one-time password together with his username in order to authenticate to the corporate network. Since the combination of username and one-time password is valid for at most one minute, and since each password can only be produced by a Token holding the shared secret, this authentication scheme provides a high level of security. Note, however, that a password observed by an attacker remains usable for the rest of its validity interval unless the gateway refuses to accept the same password twice.
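The following is an added example, not code from the original document and not the proprietary algorithm used in RSA SecurID tokens. It demonstrates the scheme described above with the open HOTP/TOTP construction (RFC 4226 / RFC 6238): a Token-side function that derives a six-digit code from a shared seed and the current minute, and a gateway-side verifier that tolerates one minute of clock drift between Token and gateway and refuses to accept a code twice within its validity window. The names `hotp`, `totp` and `Gateway`, the 60-second step and the seed value are assumptions chosen for illustration; the seed is the RFC 4226 test key.

```python
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 60   # the Token in the text changes its code once a minute (assumption: TOTP step)
DIGITS = 6          # assumed display width of the Token


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, at: float, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: the Token side. The counter is the number of whole steps since the epoch."""
    return hotp(seed, int(at // step))


class Gateway:
    """Gateway side: holds each user's seed (the 'synchronisation' handed over with the Token),
    verifies a submitted code within a small drift window and refuses replays."""

    def __init__(self, seeds, window: int = 1, step: int = STEP_SECONDS):
        self.seeds = dict(seeds)      # username -> shared seed bytes
        self.window = window          # accept +/- this many steps of clock drift
        self.step = step
        self.last_counter = {}        # username -> highest counter already accepted

    def verify(self, username: str, code: str, now: float = None) -> bool:
        seed = self.seeds.get(username)
        if seed is None:
            return False
        now = time.time() if now is None else now
        base = int(now // self.step)
        for counter in range(base - self.window, base + self.window + 1):
            expected = hotp(seed, counter).encode()
            if hmac.compare_digest(expected, str(code).encode()):
                # Replay protection: a counter value (i.e. a particular minute's code)
                # may be redeemed once, and never after a later code was accepted.
                if counter <= self.last_counter.get(username, -1):
                    return False
                self.last_counter[username] = counter
                return True
        return False


if __name__ == "__main__":
    seed = b"12345678901234567890"   # constructed sample seed (RFC 4226 test key)
    gw = Gateway({"alice": seed})
    now = time.time()
    code = totp(seed, now)           # what the Token would display this minute
    print("token shows", code)
    print("first login", gw.verify("alice", code, now))    # True
    print("replayed   ", gw.verify("alice", code, now))    # False
```

The drift window and the replay record are the two gateway-side decisions the text glosses over: without the window, a Token whose clock has slipped by a few seconds across a minute boundary fails to authenticate; without the replay record, a code captured by a shoulder-surfer or keylogger is accepted for up to a minute after the legitimate login.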
Tokens implemented as hardware devices for secure authentication to corporate networks are commercially available, for example as RSA SecurID, which is distributed by Secur Integration GmbH, 51107 Cologne, Germany; see also www.securintegration.de.
Even though the authentication scheme described above, using temporary one-time passwords generated by hardware Tokens, provides a high level of security for establishing IP-based VPN connections, it is rather inconvenient for the employee or user to carry such a hardware Token along. In particular, when an employee or a private person requires remote access to a plurality of different corporate networks, a dedicated hardware Token is required for each of these networks. Likewise, when several employees share the same mobile computer for business travel, the access scheme described above is rather inconvenient, because the VPN client software installed on the mobile computer has to be configured manually for each user of that computer.
This disadvantage becomes even more pronounced where a user makes use of several mobile computing devices, such as a laptop computer and a Personal Digital Assistant (PDA), each with its own VPN client for accessing the corporate network. A device-specific hardware Token might then be required for each mobile computing device. Also, when a software update of the VPN client becomes available, the update procedure has to be applied to each computing device on which a VPN client is installed. Such an update procedure for a plurality of mobile computing devices is typically cumbersome and time-consuming.
Taken together, these aspects clearly limit the flexibility and general applicability of the VPN-based secure authentication scheme described above.
The present invention therefore aims to provide and realise a secure authentication scheme that does not require the user to carry along a network-specific piece of hardware, such as a Token.