The present invention generally relates to management of computer networks, and relates more specifically to network access control mechanisms that authenticate and authorize users of passwords generated by the Fortezza cryptographic protocol.
By remote network access, individuals or large groups may work with computers and networks from any location and at any time. Remote access is the ability to connect to, or "log-on" to a computer network from a distant location. Using remote access, mobile computer users, or computer users at remote sites, may access a network by dialing in to a network access server ("NAS") using a computer, modem and remote access software. The NAS selectively permits or denies network traffic and thereby controls remote access to an Internet Service Provider, private corporate network or virtual private network.
However, the convenience of remote access comes at the expense of security. A malicious user can use remote access to penetrate and attack a network. For example, an unauthorized user can gain remote access to a machine with the intention of destroying, compromising, or stealing resources or information. Thus, one important security issue for remote access is user identification and authentication, which is verifying that the person who dials in is authorized to access the network and is who he says he is.
Another important security issue is user authorization. Generally, after authentication of a user, an authorization phase begins. Authorization is the process of defining what an authenticated user can do when the user accesses the network. For example, a network administrator may restrict remote users to specific servers and services, rather than letting them access any part of the network. In general, the more authorization a user receives, the more stringent the authorization procedure would be.
Remote access security systems vary in complexity depending on the level of security needed. Some networks rely on simple user identifier ("ID") and password systems. In such a system, the NAS maintains user IDs and encrypted passwords as part of a system configuration file. However, there are at least two major drawbacks to this approach. The first drawback is that remote users need the flexibility of dialing in to the NAS that is closest to their location, while still being able to use the same user ID and password. The second drawback of the user ID and password system is that its security derives only from controlled knowledge of the password. Any Identification and Authentication (I&A) mechanism based solely on "something you know" is considered weak authentication.
Strong authentication, on the other hand, is achieved through an I&A mechanism based on "something you know" as well as "something you have." An example of "something you have" that may be used to improve authentication is ownership of a Smart card, Token card or Crypto card.
A Fortezza security system is an example of strong authentication. Fortezza security systems require each authorized user to possess an electronic card that can generate or is encoded with a password generated using the Fortezza cryptographic algorithm (a "Fortezza Crypto card"). The United States National Security Agency developed the Fortezza security system for the United States Department of Defense, to provide originator authentication as well as data integrity and data privacy.
Generally, a Fortezza security system includes a Fortezza Crypto card that stores unique encrypted information, and which executes encryption algorithms to produce a scrambled one-time password ("OTP"). The card is a self-contained hardware system, having its own CPU and memory, and which stores and authenticates Fortezza OTPs. Each OTP is unique and is valid only for a particular interval of time. Because each password created by this process is different every time, users cannot share their passwords, and intruders cannot reuse a stolen password. Further information about Fortezza security systems is disclosed in the Fortezza Application Developer's Guide, available on the Internet at: http://armadillo.huntsville.al.us/FADG/welcome.htm
While the Fortezza security system provides a high level of security, in the past it has been difficult to deploy. Deployment of Fortezza depends on setting up a sophisticated infrastructure to support Fortezza's specialized hardware and interface specifications.
In one approach, users access a network by dialing in to special NASs that are dedicated to support Fortezza technology exclusively. These special NASs are not configured to support any other authentication and authorization mechanism other than Fortezza. A different set of NASs are maintained to support the other authentication and authorization mechanisms that are not only less specialized than Fortezza but typically involve lower user access privileges corresponding to weaker authentication and authorization. Thus, an Internet Service Provider, corporate network, or virtual private network would need to maintain several security systems in order to support users with different password types.
FIG. 1 is a block diagram of a system 100 in which the Fortezza security system can be used. Generally, system 100 includes a client 102, a user 106 associated with client 102, a network access server 104, and a network 108. Client 102 is used by and associated with a user 106. Client 102 and network access server 104 are respectively located in logically distinct regions 101, 103, which may be geographically separate.
Client 102 is a device, such as a workstation or personal computer, that is capable of dialing in to the network access server 104 to establish a connection 116. Client 102 may be a Sun workstation running Solaris. A card reader 107b is coupled to client 102 to communicate data and commands between the client and a Fortezza card 107a. In an embodiment, card reader 107b is a PCMCIA card reader such as Litronic ARGUS/2100, and Fortezza card 107a is a compatible PCMCIA card. Card reader 107b may communicate with client 102 over a SCSI port.
The network 108 is a network that includes any number of network devices 118, 120, 122 interconnected by one or more communication channels 109. Ethernet, Token Ring, or other protocols can characterize the communication channels 109. Communication channels 109 may form part of a local area network or wide area network.
The network access server 104 is a computer, or one or more hardware or software components or processes that cooperate or execute in one or more computer systems. The network access server 104 is coupled to the network 108 and controls remote access to the network 108 and the network devices 118, 120, 122. An example of a product that is suitable for use as network access server 104 is model AS5300, commercially available from Cisco Systems, Inc.
The network access server 104 may execute an application program 110 that is compiled and linked with a cryptologic library 112. The application program 110 invokes the functions in the cryptologic library 112. The cryptologic library communicates with a Fortezza security server 114. Thus, cryptologic library 112 provides an interface that enables network access server 104 to communicate with Fortezza security server 114.
Fortezza security server 114 is a computer, or one or more hardware and software components or processes that cooperate or execute in one or more computer systems. While Fortezza is a hardware-based authentication method, the electronic hardware that carries out Fortezza authentication may be controlled by software elements that command the hardware what to do, provide input data, and receive output data. Fortezza products that are suitable for use as cryptologic library 112 and Fortezza security server 114 are commercially available from Secure Computing Inc., Litronic Inc., and Rainbow Technologies Inc.
The user 106 associated with client 102 causes the client to establish a connection 116. For example, user 106 may enter user access information such as a valid username and password at a login window displayed by client 102, and may insert a Fortezza Crypto card 107a into a Fortezza card reader 107b. One or more application programs executed by Client 102 receive the user access information. When inserted in the Fortezza card reader 107b, the Fortezza Crypto card 107a may perform a mathematical hash algorithm on the user access information, to produce a one-time password that is unique for every login. The one-time password may be stored in the form of a hash value. Client 102 sends the user access information and the hash value to network access server 104 over connection 116.
Upon receiving the hash value through connection 116, network access server 104 forwards the hash value to application program 110. The application program 110 may invoke appropriate functions in the cryptologic library 112, which in turn communicates the hash value and user access information to Fortezza server 114. Based on the hash value, the Fortezza server 114 determines if the user 106 is authorized to access the network 108 and what set of access privileges the user 106 is allowed to obtain.
The drawback is that the network access server 104 can only support Fortezza passwords. Separate network access servers are maintained to support other types of passwords. Thus, in a computer network that supports users of different password types, many different NASs need to be maintained to implement different security systems, thereby complicating the task of network administration. When a user deploys a system secured by Fortezza, the user must also procure another product or system to carry out authorization of services.
This arrangement is also inconvenient because a particular user may have multiple passwords and may require multiple password technologies to access different resources of the network.
Further, currently available Fortezza systems do not enable an administrator to manage user name and password information in a database such as a relational database management system (RDBMS).
Based on the foregoing, there is a clear need for a mechanism allowing users of Fortezza passwords to use computer networks in conjunction with other authentication and authorization mechanisms, thereby facilitating ease of network administration.
In particular, there is a need for a mechanism that can receive and authenticate Fortezza passwords within a system that also receives and authenticates other types of passwords for users who do not use Fortezza passwords or crypto cards.
The foregoing needs, and other needs and objects that will become apparent from the following description, are achieved in the present invention, which comprises, in one aspect, a method of receiving and authenticating a Fortezza password within a computer system that also receives and authenticates passwords of other types and to thereby selectively permit a client associated with the Fortezza password to access a network that is protected by the computer system, comprising the steps of receiving, from the client, user access information associated with a particular user of the client; determining, based on the user access information and a database that contains profile information associated with the user, a type of a password associated with the user; when the password type is FORTEZZA, requesting authentication of the password from a Fortezza server; granting the client access to the network when the Fortezza server approves the password; and when the password type is any type other than FORTEZZA, requesting authentication of the password from an authentication process that is associated with that password type.
According to one feature of this aspect, receiving the user access information comprises the step of receiving from the client, user access information associated with a particular user of the client at an access control server that is logically interposed between the client and the network. In another feature, the method further involves the step of receiving, from the client, user access information associated with a particular user of the client at a network access server that is coupled to the access control server and logically interposed between the client and the network.
According to still another feature, the step of determining the password type further involves the step of accessing a user profile that is stored in the database and that stores profile information of a plurality of users, in which the profile information identifies users of FORTEZZA type passwords and passwords of other types.
In another feature, the step of requesting authentication and authorization from the Fortezza server further involves the step of communicating with the Fortezza server through a cryptologic library.
According to another aspect, a password authentication apparatus is configured to receive and authenticate a Fortezza password and to receive and authenticate passwords of other types, to thereby selectively permit a client associated with the Fortezza password to access a protected network. An access control server is logically interposed between the client and the protected network. A Fortezza authentication server is coupled to the access control server for communication therewith. A database is coupled to the access control server and contains profile information associated with the user. Means for generating the Fortezza password are coupled to the client. There are means in the access control server for receiving, from the client, user access information associated with a particular user of the client; determining, based on the user access information and the database, a type of a password associated with the user; when the password type is FORTEZZA, requesting authentication of the password from a Fortezza server; granting the client access to the network when the Fortezza server approves the password; and when the password type is any type other than FORTEZZA, requesting authentication of the password from an authentication process that is associated with that password type.
One feature of this aspect involves a means in the access control server for receiving, from the client, user access information associated with a particular user of the client at a network access server that is coupled to the access control server and logically interposed between the client and the network. Another feature of this aspect involves a means in the access control server for determining the password type by accessing a user profile that is stored in the database and that stores profile information of a plurality of users, in which the profile information identifies users of FORTEZZA type passwords and passwords of other types.
Yet another feature is a means in the access control server for requesting authentication and authorization from the Fortezza server which further comprises a cryptologic library in the access control server that is logically coupled to the Fortezza server for communication therewith.
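The dispatch that the method and apparatus above describe, as an added example that is not part of the patent text or of any Fortezza product: an access control server reads the user's password type from a profile table and routes the request to the matching authenticator, denying by default for unknown users or unrecognised types. The Fortezza card and server are stand-ins (a time-windowed HMAC over the user access information, an assumption that models only the stated one-time, per-interval property, not the real Fortezza algorithm); the table schema, CARD_SECRETS and the STATIC password type are constructed for the demonstration.

```python
import hashlib
import hmac
import sqlite3

# Hypothetical stand-in for the Fortezza card/server: the page states only that
# the card hashes the user access information into a one-time password that is
# valid for one time interval, so that is all this models (an assumption).
INTERVAL_SECONDS = 60
CARD_SECRETS = {"alice": b"constructed-card-secret-alice"}  # constructed per-card secrets


def card_otp(username, card_secret, now):
    """Card side: one-time password bound to the user and the current interval."""
    window = int(now // INTERVAL_SECONDS)
    return hmac.new(card_secret, f"{username}:{window}".encode(), hashlib.sha256).hexdigest()


def fortezza_verify(username, otp, now):
    """Hypothetical Fortezza server: accept only the OTP for the current interval."""
    secret = CARD_SECRETS.get(username)
    if secret is None:
        return False
    return hmac.compare_digest(card_otp(username, secret, now), otp)


def static_verify(username, password, db):
    """Conventional user-ID/password check against the profile database."""
    row = db.execute("SELECT pw_hash FROM profiles WHERE username=?", (username,)).fetchone()
    # Unsalted SHA-256 keeps the demo short; a deployment would use a salted, slow hash.
    return row is not None and hmac.compare_digest(row[0], hashlib.sha256(password.encode()).hexdigest())


def build_profile_db():
    """Constructed RDBMS profile table mapping each user to a password type."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE profiles (username TEXT PRIMARY KEY, pw_type TEXT, pw_hash TEXT)")
    db.execute("INSERT INTO profiles VALUES ('alice', 'FORTEZZA', NULL)")
    db.execute("INSERT INTO profiles VALUES ('bob', 'STATIC', ?)",
               (hashlib.sha256(b"bob-password").hexdigest(),))
    return db


def access_control(db, username, password, now):
    """Access control server: choose the authenticator from the stored password type."""
    row = db.execute("SELECT pw_type FROM profiles WHERE username=?", (username,)).fetchone()
    if row is None:
        return False  # unknown user: deny without revealing which step failed
    if row[0] == "FORTEZZA":
        return fortezza_verify(username, password, now)
    if row[0] == "STATIC":
        return static_verify(username, password, db)
    return False  # unrecognised password type: fail closed
```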
Other features and aspects will become apparent from the following description and the appended claims.