1. Field of the Invention
This invention relates to a method for providing strong authentication of users within a Public Key Infrastructure (PKI).
In one preferred embodiment, the invention involves using a virtual private key. The invention also relates to a program product bearing software which enables user authentication with a virtual private key to be practiced on a computer system. The invention further relates to a computer system which operates so that user authentication is performed using a virtual private key.
In a second preferred embodiment, the invention involves a method for providing strong authentication of users within a PKI using a device such as a magnetic swipe card or a biometric device. The invention also relates to a program product bearing software which enables user authentication with a magnetic swipe card or the like to be practiced on a computer system. The invention further relates to a computer system which operates so that user authentication is performed using a magnetic swipe card or the like.
In a third preferred embodiment, the invention involves a method for providing strong authentication of users within a PKI using a pass phrase. The invention also relates to a program product bearing software which enables user authentication with a pass phrase to be practiced on a computer system. The invention further relates to a computer system which operates so that user authentication is performed using a pass phrase.
2. Related Art
In PKI systems today, authentication of a user may be based on that user's possession of a private key, demonstrated by using it (for example, to sign a challenge). Private keys, however, are not something that a user can be expected to remember and enter himself. It is often the case, therefore, that a user's private key is stored in encrypted form on the user's personal computer and is unlocked with a password. This is a problem, because now it is the password which becomes the weakest link in the security chain. Passwords that users can remember are notorious for being easy for a clever intruder to determine, and an encrypted key file that has been copied can be attacked offline by trying candidate passwords, with no server present to limit the number of attempts. If the password can be recovered by an intruder, then the otherwise strong security offered by the PKI is reduced to simple password-based security.
Thus, today's PKI systems may be said to have a weak link problem because of the private key being only password protected.
Another problem is that PKI cannot readily be used in certain environments where storage is limited.
To explain, it should be noted that PKI systems use digital signatures to ensure the authenticity of the sender of a message. A 1024-bit RSA signature by itself is 128 bytes, but a signature as actually transmitted is normally packaged with the signer's certificate (and signed attributes), so that up to 2,000 bytes are required for digital signatures based on 1024-bit keys. However, in some situations, it is not practical or possible to directly use PKI technology, especially digital signatures, due to limitations in the environment.
One example of such an environment involves cards with magnetic stripes. Devices such as credit cards and other magnetic swipe cards do not have the capacity to store 2,000 bytes: under ISO/IEC 7811, track 1 holds at most 79 alphanumeric characters and track 2 at most 40 numeric characters, which is not even enough for the bare 128-byte signature. Thus, such devices cannot use digital signatures.
Another example of a limiting environment exists in remote access systems. Here, the client station does not communicate directly with a security server. Instead, the client station communicates with a communications server, which, in turn, communicates with a remote access security server. The protocol used for communication between the client station and the communications server is typically designed to obtain a userid and password from the user. A typical example of such a protocol is the Point to Point Protocol (PPP), whose authentication phase (e.g., PAP) carries just a peer identifier and a password. Such userid/password oriented protocols can pass about 60 bytes in their userid/password fields, which is insufficient to support the direct use of public key technology for user authentication, encryption, or digital signatures. Thus, PKI authentication cannot effectively be used in this type of remote access system.
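To make both problems above concrete, here is an added Python example; it is not part of the patent and does not describe the patent's own mechanism. It builds a toy 1024-bit RSA keypair, measures a textbook signature against the constrained fields named above (the ISO/IEC 7811 track sizes and the 60-byte PPP figure from the text are taken as assumed constants), and then wraps the private key under a password with PBKDF2 and recovers it with an offline dictionary attack, which is the weak link described earlier. The RSA signing is unpadded and the key wrap is a PBKDF2 keystream XOR with an HMAC check value; both are toy constructions chosen to keep the example dependency-free, and the password, salt and wordlist in `demo()` are constructed sample values.

```python
# Added example, not the patent's mechanism: toy RSA (unpadded), a size check
# against the constrained fields named in the text, and an offline dictionary
# attack on a password-wrapped private key. Toy crypto only; not for real use.
import hashlib
import hmac
import random

def _is_probable_prime(n, rng, rounds=16):
    """Miller-Rabin after a trial-division filter."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # exact length, odd
        if _is_probable_prime(cand, rng):
            return cand

def generate_keypair(bits=1024, seed=None):
    """Returns ((n, e), (n, d)); `seed` only makes the example reproducible."""
    rng, e = random.Random(seed), 65537
    while True:
        p, q = _random_prime(bits // 2, rng), _random_prime(bits // 2, rng)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and n.bit_length() == bits and phi % e:
            return (n, e), (n, pow(e, -1, phi))

def sign(priv, message):
    """Textbook (unpadded) RSA over SHA-256; the signature is as long as the modulus."""
    n, d = priv
    h = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(h, d, n).to_bytes((n.bit_length() + 7) // 8, "big")

# Assumed capacities: ISO/IEC 7811 track maxima, and the PPP figure given in the text.
FIELD_LIMITS = {
    "magstripe track 2 (40 numeric chars)": 40,
    "PPP userid/password fields (~60 bytes, per the text)": 60,
    "magstripe track 1 (79 alphanumeric chars)": 79,
}

def signature_fits(sig):
    """Which constrained fields could carry even the bare signature, with no certificate."""
    return {name: len(sig) <= limit for name, limit in FIELD_LIMITS.items()}

def _keystream(password, salt, k, iterations):
    km = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=k + 32)
    return km[:k], km[k:]  # XOR stream for the key bytes, HMAC key for the check value

def wrap_private_key(priv, password, salt, iterations=1000):
    """Toy password wrap: PBKDF2-derived XOR stream over d plus an HMAC check value.
    The check value is exactly what lets a thief test guesses offline."""
    n, d = priv
    k = (n.bit_length() + 7) // 8
    stream, mac_key = _keystream(password, salt, k, iterations)
    ct = bytes(a ^ b for a, b in zip(d.to_bytes(k, "big"), stream))
    return ct, hmac.new(mac_key, salt + ct, "sha256").digest()

def unwrap_private_key(n, blob, password, salt, iterations=1000):
    """Returns (n, d) for the right password, None otherwise."""
    ct, tag = blob
    stream, mac_key = _keystream(password, salt, len(ct), iterations)
    if not hmac.compare_digest(tag, hmac.new(mac_key, salt + ct, "sha256").digest()):
        return None
    return n, int.from_bytes(bytes(a ^ b for a, b in zip(ct, stream)), "big")

def dictionary_attack(n, blob, salt, wordlist, iterations=1000):
    """Offline guessing: once the encrypted key file is copied, nothing rate-limits this."""
    for guess in wordlist:
        priv = unwrap_private_key(n, blob, guess, salt, iterations)
        if priv is not None:
            return guess, priv
    return None

def demo():
    """Constructed sample run; the password, salt and wordlist are made up here."""
    pub, priv = generate_keypair(1024, seed=7)
    sig = sign(priv, b"constructed message")
    salt = b"constructed-salt"
    blob = wrap_private_key(priv, "Summer2001!", salt)
    hit = dictionary_attack(pub[0], blob, salt, ["password", "letmein", "Summer2001!"])
    return {"sig_bytes": len(sig), "fits": signature_fits(sig),
            "recovered_password": hit[0] if hit else None, "key_recovered": bool(hit) and hit[1] == priv}
```

Running `demo()` reports a 128-byte signature that fits none of the three fields, and a third guess that recovers both the password and the full private key; raising the PBKDF2 iteration count slows each guess but does not change the outcome, which is the point of the weak-link argument.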
To combat the weak link problem, so-called "two-factor" techniques have been developed for improving the strength of the user authentication procedure. Here, authentication of the user is based on two factors: something the user knows (e.g., a password), and something the user has or is (e.g., a smart card or a fingerprint). In a system operating according to a two-factor technique, even if an intruder knows the password of a user, the intruder will not be authenticated unless he also satisfies the other factor (i.e., possesses the necessary smart card or presents the matching fingerprint).
Two-factor techniques provide very strong protection and overcome the weak link problem of password protection, but they carry a significant disadvantage: the requirement for additional devices to perform user authentication. For example, a system using the two-factor technique might employ a smart card as one of the two factors. This necessitates the presence of a card reader adapted to read the smart card. Likewise, relying on a user's fingerprint as a factor requires a fingerprint scanner.
Such additional devices are not commonly included with computer systems today, and this is problematic for the user who needs to use a workstation that has no such additional device. Moreover, such additional devices may be costly.
Two-factor techniques thus provide improved user authentication and overcome the weak link problem of password protection, but because of the devices they require they are nevertheless an undesirable solution.
What is needed is an improved approach to user authentication which overcomes the weak link problem of password protected private keys, but which also avoids the above-identified disadvantages of the two factor techniques.
Also, what is needed is a way to use PKI technology in environments where storage is limited.