Protecting electronic information is a growing worldwide concern. Whether the information consists of intellectual property, vital operational data or personal information the costs of unintentional exposure are increasing due to global competition, public awareness of data privacy issues and new legislation. These problems are compounded by pervasive network technologies, which enable access to data from virtually any location and a multitude of access devices. For example, regulatory requirements affecting some industries, such as the health care industry in the U.S. (where rules are being adopted to ensure that health care facilities take all reasonable measures to ensure the security and privacy of individually identifiable health information), create an increasing need to be able to authenticate each prospective user of a computer network before such person is permitted access to the network or to data therein which may be considered sensitive or confidential.
Each component of a network, and each pathway between such components, can become the subject of an attack (i.e. to permit data access by an unauthorized entity). Moreover, the ability to access confidential data over a network does not necessarily require that a person log into the network because an unauthorized observer within viewing distance of a network computer screen may be able to access confidential data simply by viewing the screen when it displays such data. Thus, the usual approaches to achieving data access protection which target user authentication to provide such protection are able to address only the problem of unauthorized network users and not that of unauthorized observers who never attempt to access the network through use.
Cryptography is frequently employed within networked systems as a security measure and uses private and public keys. The terms “private key” and “public key” are well known in the art and are used for asymmetric cryptography in which one key is used for encryption and the other for decryption and one of these keys, namely the private key, is kept by the user and never revealed or transferred. Asymmetric cryptography is considered to provide a higher level of security than symmetric cryptography for which a shared key is used for both encryption and decryption (the sharing aspect introducing an element of insecurity). Using asymmetric cryptography to send a message to another party, the public key of that party is located using a public key infrastructure (PKI) and used to encrypt the message and then only the person with the corresponding private key (i.e. being the other party for whom the message is created) is able to decrypt the message.
The term digital signature is also well known in the art and refers to a message digest encrypted using a private key, a message digest being a condensed form of a document or transaction to be signed which cannot be used to recreate the document or transaction itself, and which is extremely sensitive to small changes in the document. The digital signature is verified by decrypting it with the corresponding public key to recover the message digest and then comparing this message digest with one computed by a verifier from the document which was purported to be signed. This technique can be used as part of an authentication process in which a party proves they have a specific private key by their ability to encrypt and return a message digest. In this case, the specific contents of the message are not crucial and the message digest may be discarded after authentication is complete. More commonly, the encrypted message digest will be used to prove that the holder of a specific key was involved in a transaction involving the message, usually to indicate that they gave their assent to the message, just as a physical signature is used to indicate the participation of its owner in a document. In this case, the encrypted form of the digest must be retained at a secure site. Both forms of digital signature are used as part of the present invention.
User identification systems frequently use passwords, smart cards, biometrics, and/or PKI (Public Key Infrastructure) security measures and while they may focus on securing portions of the authentication process the known systems leave open other avenues of attack. For example, software only systems rely on something the user knows such as a user name and password which can be fairly readily stolen, seen or otherwise acquired and then used by unauthorized persons. Security means based on tokens (i.e. something the user has), such as smart cards, are similarly vulnerable since the token can be lost or stolen and, therefore, does not guarantee that the authorized user is actually present.
Security means based on biometric identifiers (i.e. something the user is) can be equally vulnerable to unauthorized intervention. For example, any use of a central server to validate a presented biometric introduces a security weakness because of the need to transport the critical biometric data over either (or both) of the communications channels to be engaged for such remote validation (i.e. between the biometric transducer which captures the presented biometric and the local computer, and between the local computer and the validating central server containing the verification data with which the presented biometric is compared). Therefore, the manner in which a biometric identifier is handled and processed is critical if it is to function effectively as a security measure.
There is a need not only to identify the potential points of failure by which a computer network might become subject to unauthorized infiltration but also to develop means for addressing and reducing such areas of vulnerability in a comprehensive manner. Security breaches may occur in various forms, including the following: replay (referring to a situation where a former response element is captured and used to interject a false response), snooping (referring to unauthorized observation), spoofing (referring to the situation where an imposter inserts itself and manager both reception and transmission such that it appears to be a genuine element of the network) and/or tailgating (referring to a situation of unauthorized access acquired by joining with an authorized access sequence when it is abandoned by the authorized user).
It is important to avoid vulnerability caused by time gaps and/or one-way verification checks during the identification/validation processes. The applicants herein recognize a need for verification check processes to take place in real time, and for reciprocal verification checks between the central verification authority and the local entity being verified, in order to protect against some types of security breaches.
There is also a need for means to automatically and effectively monitor and control, and to generate an audit trail for, persons having authority for differing levels of access to the network (e.g. full access and limited access).