Communications in a computerised network are intercepted for various reasons. Interception can be used to generate data, e.g. for defensive, analytical and audit purposes, and/or to prevent loss of data. For example, organizations such as businesses, governmental or municipal organizations or non-profit organizations may wish to audit and/or otherwise monitor use of and access to their internal computer systems. A network system and the communications therein can be constantly monitored to protect the system from attacks by external users, data leaks and other unauthorised data communications, and/or to prevent data loss. One way to provide this is to capture and analyse the data communicated between two parties at an appropriate intermediate node. For example, an arrangement known as a man in the middle (MITM) can be provided for capturing data.
A problematic situation may occur where the communicating parties need to be authenticated. Authentication is a security measure commonly used for verifying the identity of the other party. For example, public key authentication requires two mathematically linked asymmetric keys: one is a secret or private key and the other a public key, wherein the private key is used to create a digital signature and the public key is used to verify the digital signature. Public key authentication cannot be transparently relayed by a data capturing node, because the challenge signed with the private key of the sender contains information on the initial key exchange session, and more particularly the identifier of that session (Session ID). The Session ID can be unique for each key exchange session and therefore cannot be reproduced, even if the private key of the target entity of the connection, for example a server host, is known. When the Session ID is created, information from both endpoints of the key exchange negotiation is mixed in. More particularly, the Session ID is based on a random nonce. The key exchange can be based on e.g. a Diffie-Hellman exchange. In systems where key managers are used, the key manager provides each host device with its own set of asymmetric keys.
A problem may therefore occur when the communications are routed through an intermediate node, such as a node for capturing audit data or the like: in the authentication between the intermediate node and the receiver device, a different Session ID will appear in the challenge.
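As an added illustration, not part of the patent text, the following toy Python model shows the Session ID binding described above: both endpoints' fresh randomness is mixed into the Session ID, the client signs a challenge that includes it, and a signature produced for the client-to-intermediate session fails verification in the intermediate-to-server session. The Diffie-Hellman group, the RSA key and the challenge layout are constructed toy values chosen for brevity, not the parameters of any real protocol.

```python
"""Toy model: a public-key auth signature bound to the Session ID cannot be
relayed by an intermediate node, because its own key exchange with the
server yields a different Session ID."""
import hashlib
import secrets

# Constructed toy parameters (far too small for real use).
DH_P = 2**127 - 1                       # Mersenne prime as DH modulus
DH_G = 2
RSA_P, RSA_Q = 1000003, 1000033         # client's toy RSA key
RSA_N = RSA_P * RSA_Q
RSA_E = 65537
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))

def key_exchange():
    """One key exchange between two endpoints; returns the Session ID.
    Each side contributes a fresh nonce and a fresh DH exponent, so the
    exchange hash (and thus the Session ID) differs for every session."""
    nonce_a, nonce_b = secrets.token_bytes(16), secrets.token_bytes(16)
    x, y = secrets.randbelow(DH_P - 2) + 1, secrets.randbelow(DH_P - 2) + 1
    gx, gy = pow(DH_G, x, DH_P), pow(DH_G, y, DH_P)
    shared = pow(gy, x, DH_P)           # equals pow(gx, y, DH_P)
    transcript = (nonce_a + nonce_b + gx.to_bytes(16, "big")
                  + gy.to_bytes(16, "big") + shared.to_bytes(16, "big"))
    return hashlib.sha256(transcript).digest()

def auth_challenge(session_id, user=b"alice", service=b"ssh-connection"):
    """The data the client signs: the Session ID is the first field."""
    return hashlib.sha256(session_id + user + service + b"publickey").digest()

def sign(data):
    """Textbook RSA signature over the challenge hash (toy only)."""
    return pow(int.from_bytes(data, "big") % RSA_N, RSA_D, RSA_N)

def verify(data, sig):
    return pow(sig, RSA_E, RSA_N) == int.from_bytes(data, "big") % RSA_N

def direct_auth():
    """Client and server share one session: the signature verifies."""
    sid = key_exchange()
    return verify(auth_challenge(sid), sign(auth_challenge(sid)))

def relayed_auth():
    """Client<->intermediate and intermediate<->server are two separate
    key exchanges. The intermediate forwards the client's signature
    unchanged; the server checks it against its own Session ID."""
    sid_client_side, sid_server_side = key_exchange(), key_exchange()
    relayed_sig = sign(auth_challenge(sid_client_side))
    return verify(auth_challenge(sid_server_side), relayed_sig)
```

Running `direct_auth()` returns True while `relayed_auth()` returns False, regardless of how many times the intermediate node forwards the signature.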
It is noted that the above discussed issues are not limited to any particular communication protocol or data processing apparatus, but may occur in any system where authenticators are used and where an intermediate node can interfere with the authentication procedure between the sender and the receiver of data.
Embodiments of the invention aim to address one or several of the above issues.