An inherent function of many applications is sending requests to, and receiving responses from, other applications. These requests include access to network resources, requests for specific information, access to various APIs (Application Programming Interfaces) and many other needs. This architecture is generally known as client-server, where a first (requesting) application acting as a client sends a request to a second (receiving) application acting as a server. The receiving application (known as the server) needs to authenticate the requesting application in order to decide whether the request should be granted. Specifically, the receiving application needs to validate that the request is legitimate, i.e. that it originated in the permitted application and was not sent by an impersonator (a human or application user purporting to be the legitimate application).
Application authentication is a known topic of interest in the computing field. Application authentication is required both when the application acts on behalf of a user (for example, a browser application accessing a web server) and when the application acts independently (for example, when an application accesses a database to perform a scheduled task or a batch process). There are also cases where the application acts on behalf of a user while also authenticating to a network resource with dedicated credentials, separate from those used by the user (for example, a user connects through an application, which in turn accesses a database to retrieve some information). Conventionally, the problem of authentication is addressed by a combination of the following techniques:
1. In a first technique, credentials are presented by the application—such as passwords, PKI (Public Key Infrastructure) certificates, or other credentials.
2. In a second technique, a provider provides the application with the needed credentials, which are then used to access the network resources.
3. In a third technique, NAC (Network Access Control) controls access to the network and the network resources by identifying the machine (the physical hardware and operating system, also referred to as “the environment”) on which the application is running. NAC is primarily designed for end-user access and not for application-to-application controls.
These conventional techniques are lacking in several aspects. In the first technique, credentials are stored within the application or in the application's environment and are used when needed. However, this exposes the stored credentials to other parties (human or programmatic) who have permission to operate in the same environment. Those parties can potentially read and use the credentials to be falsely authenticated as the intended application.
The second technique addresses the above-mentioned problem by performing checks on the application before providing it with the necessary credentials. However, these checks are performed on the request before it reaches the network resource or server, so the server has no effective way of validating that the checks were indeed performed. The server receives the request together with the credentials, and has no further way to validate that the application was indeed the source of the request.
The third technique (NAC) mainly identifies the environment in which the application is running and is usually employed to validate that only specific environments have access to the organizational network. This technique is not designed to identify, and does not identify, the specific application requesting access to network resources.
A related field of authentication is that of human user authentication, which deals with authenticating a user of a specific application. Several solutions in this field employ “out-of-band” authentication (OOBA), basing their decision on something the user has (for example, possession of a mobile phone), something the user knows (additional information, such as a mother's maiden name) or something the user is (for example, biometrics).
Examples of conventional OOBA techniques include U.S. application 2012/0159603 to Tobias Queck for Mobile Out-Of-Band Authentication Service. Queck teaches enabling authentication of an application session at a client machine by using authentication values and user-identification values that are received from a mobile communication device. The mobile communication device provides an out-of-band channel for validating the session and enables secure authentication for a variety of applications. Queck solves the problem of stronger user authentication by adding authentication of the user's platform (in this case the user's mobile communication device). This additional/second authentication is done by sending a token to the purported originating device and checking whether it is received and responded to accordingly. While Queck adds another layer of conventional authentication, this teaching does not suggest a solution for application authentication, as the technique only verifies the device (that is, the environment) of the application and not the application itself.
Another conventional authentication technique is taught in U.S. application 2012/0030742 to Laurence Lundblade for Methods and apparatus for providing application credentials. Lundblade teaches providing an application credential for an application running on a device, wherein the application credential is used by the application to authenticate to a data server. The method includes receiving a request to generate the application credential, wherein the request includes an application identifier. The method also includes generating the application credential using the application identifier and a master credential associated with the device. While Lundblade does discuss application authentication, this technique is conventional in-band authentication and hence suffers from the same problems as other in-band techniques. Specifically, another party on the same device can impersonate the original application: it sends the request to generate the application credential carrying the original application's identifier, receives the same credential, and falsely completes the authentication process.
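The following is an added illustration of the weakness just described, not code from the Lundblade application or from this disclosure. It assumes the device derives the application credential as an HMAC of the application identifier under the device master credential (the cited application does not specify the derivation function), that the data server was provisioned with each application's expected credential at enrollment, and uses a fixed, constructed master credential and application identifiers so that it runs offline. The point it shows is that the in-band credential request carries only an identifier, so any process that can issue the request with that identifier obtains a credential the server accepts.

```python
import hmac
import hashlib

# Constructed sample master credential bound to the device. In the scheme
# described above this would be held by the platform; a fixed value is used
# here so the example is deterministic. (Assumption: the derivation is an HMAC
# over the application identifier.)
DEVICE_MASTER_CREDENTIAL = b"constructed-device-master-credential-0001"


def generate_application_credential(application_id: str,
                                    master_credential: bytes = DEVICE_MASTER_CREDENTIAL) -> bytes:
    """Derive an application credential from the device master credential and
    the application identifier supplied in the request."""
    return hmac.new(master_credential, application_id.encode("utf-8"), hashlib.sha256).digest()


def request_application_credential(claimed_application_id: str) -> bytes:
    """The in-band credential request. The device-side service only sees the
    identifier carried in the request and has no way to check which process
    actually sent it, so whoever asks with a given identifier receives that
    identifier's credential."""
    return generate_application_credential(claimed_application_id)


class DataServer:
    """Server provisioned, at enrollment, with the expected credential for each
    application identifier (assumed provisioning model)."""

    def __init__(self, master_credential: bytes = DEVICE_MASTER_CREDENTIAL):
        self._master = master_credential
        self._expected = {}

    def enroll(self, application_id: str) -> None:
        self._expected[application_id] = generate_application_credential(application_id, self._master)

    def authenticate(self, application_id: str, presented: bytes) -> bool:
        expected = self._expected.get(application_id)
        if expected is None:
            return False
        return hmac.compare_digest(expected, presented)


def demonstrate_impersonation(application_id: str = "com.example.payroll") -> dict:
    """Run the legitimate application and an impostor through the same flow."""
    server = DataServer()
    server.enroll(application_id)

    # The legitimate application requests its credential and authenticates.
    legit_credential = request_application_credential(application_id)
    legit_ok = server.authenticate(application_id, legit_credential)

    # Another process on the same device learns the identifier (it is not a
    # secret) and issues an identical request; the server cannot tell them apart.
    impostor_credential = request_application_credential(application_id)
    impostor_ok = server.authenticate(application_id, impostor_credential)

    # A credential derived for a different identifier is rejected, so the scheme
    # does bind the credential to the identifier; it just does not bind it to the
    # process that asked.
    other_credential = request_application_credential("com.example.other")
    other_ok = server.authenticate(application_id, other_credential)

    return {
        "legitimate_accepted": legit_ok,
        "impostor_accepted": impostor_ok,
        "credentials_identical": hmac.compare_digest(legit_credential, impostor_credential),
        "wrong_identifier_accepted": other_ok,
    }


if __name__ == "__main__":
    print(demonstrate_impersonation())
```

Running the script reports the legitimate application and the impostor both accepted with byte-identical credentials, and only the request for a different identifier rejected. Nothing in the exchange lets the server distinguish the two callers, which is the in-band limitation the text attributes to this approach.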
Another known technique is described in U.S. application 2008/0196101 to Yair Sade (assigned to Cyber-Ark Software, Ltd.) for Methods and Systems for Solving Problems with Hard-Coded Credentials. Sade teaches methods for handling hard-coded credentials, and provides methods for intercepting credential usage, mapping to other credentials, and replacing the credentials with valid application credentials. This is an example of the provider technique mentioned above: the request is intercepted, valid credentials are placed into it, and it is then sent to the server. However, the server has no independent way of validating the source of the request and must rely on the validity of the served credentials.
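The following is an added illustration of the provider technique and its limitation, written for this page and not taken from the Sade application or from Cyber-Ark's product. It assumes a provider that keys its replacement on the hard-coded credential string carried in the request, a server that accepts only the current (rotated) credential, and constructed sample credentials and process names. It shows the benefit (the stale hard-coded credential works again after interception) alongside the problem the text raises: any party in the environment that copies the same hard-coded string gets the same substitution, and the server sees identical requests from both.

```python
from dataclasses import dataclass
import hmac


@dataclass(frozen=True)
class Request:
    """A request as it travels from the application toward the server.
    source_process is known only on the client side; it is carried here so the
    reader can see who built the request, a real server receives no such field."""
    source_process: str
    target: str
    username: str
    password: str


# Credential the legacy application carries in its code (constructed sample).
HARD_CODED_USERNAME = "svc_reports"
HARD_CODED_PASSWORD = "Summer2012!"

# Credential provider (assumed vault): maps the stale hard-coded pair, per
# target, to the account's current valid credential. Constructed sample data.
PROVIDER_MAP = {
    ("reports-db", HARD_CODED_USERNAME, HARD_CODED_PASSWORD): ("svc_reports", "vault-rotated-9f3c"),
}

# What the server actually accepts: the rotated credential only.
SERVER_ACCOUNTS = {
    "reports-db": {"svc_reports": "vault-rotated-9f3c"},
}


def intercept_and_replace(request: Request) -> Request:
    """Provider step: if the request carries a known hard-coded credential, swap
    in the valid one. The decision is based on the credential string alone; the
    provider does not verify which process built the request."""
    key = (request.target, request.username, request.password)
    if key in PROVIDER_MAP:
        username, password = PROVIDER_MAP[key]
        return Request(request.source_process, request.target, username, password)
    return request


def server_authenticate(request: Request) -> bool:
    """Server side: validates the presented credential and nothing else."""
    accounts = SERVER_ACCOUNTS.get(request.target, {})
    expected = accounts.get(request.username)
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode("utf-8"), request.password.encode("utf-8"))


def run_scenarios() -> dict:
    """Legacy application versus a rogue process that copied the same string."""
    legacy = Request("reporting_app.exe", "reports-db", HARD_CODED_USERNAME, HARD_CODED_PASSWORD)
    # Same credential string, read out of the binary or config by another party
    # with access to the environment.
    rogue = Request("rogue_script.py", "reports-db", HARD_CODED_USERNAME, HARD_CODED_PASSWORD)

    legacy_served = intercept_and_replace(legacy)
    rogue_served = intercept_and_replace(rogue)
    return {
        # Without the provider the rotated server rejects the stale credential.
        "legacy_without_provider": server_authenticate(legacy),
        # With the provider the legacy application works again...
        "legacy_with_provider": server_authenticate(legacy_served),
        # ...and so does anyone else presenting the same hard-coded string.
        "rogue_with_provider": server_authenticate(rogue_served),
        # The server receives the same username/password from both sources.
        "server_sees_same_credential": (legacy_served.username, legacy_served.password)
                                       == (rogue_served.username, rogue_served.password),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The server-side check is deliberately the only check: it is the position described above, where the server must trust that whatever performed the interception also vetted the caller, because the request it receives carries no evidence of that.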
There is therefore a need for a system and method of application authentication that is out-of-band and provides increased security compared to current techniques, specifically, authenticating both the application credentials and the fact that the credentials are indeed presented by the authenticated application.