1. Field of the Invention
This invention relates generally to authentication of data communications, and more particularly, to intrusion detection in authentication of data communications with servers over data communications networks.
2. Description of the Related Art
When a user wishes to communicate over a data communications network with a remote server, some form of authentication procedure is often required. FIG. 1 of the accompanying drawings illustrates an exemplary scenario which will be used to demonstrate various problems associated with authentication systems. This scenario is commonly encountered in open networks such as the Internet. A user at a computer A wishes to communicate via a set of network nodes I(1), I(2) . . . I(n) with a remote server B, where “server” is used here in the most general sense and includes any computer or system providing some service or functionality to connecting users. The parties A and B wish to communicate confidentially with each other, i.e., in a way that ensures that information transferred between them is both inaccessible to third parties and has not been altered by third parties. All information, however, is flowing over the network nodes I(1) . . . I(n) that are deemed essentially insecure. These nodes can possibly be compromised by attackers interested both in the content of the information exchanged between A and B as well as in changing this information in a way indiscernible to either party. This situation is commonly found in high-value secure commerce transactions over the Internet, e.g., when performing home-banking or online purchasing.
To ensure the desired properties of data confidentiality and integrity in the above scenario, the use of encryption and authentication protocols is common practice. Under the assumption that it is possible to exchange a secret key between A and B, all information sent over the network nodes can in principle be protected both against snooping (reading) and against interference (alteration). Protocols such as TLS/SSL (Transport Layer Security/Secure Sockets Layer) and PKI (Public Key Infrastructure) are being deployed to facilitate this. However, setting up such common secret keys is not straightforward in view of two complications: (a) the user computer A cannot be guaranteed secure from malign interference, such as viruses or worms for example; and (b) while correctly establishing the identity of B at A, e.g., via an SSL server certificate, is technically possible, this is not straightforward for the user when the potential compromise of A is taken into consideration.
The most secure configuration possible addressing consideration (a) is illustrated on a conceptual level in FIG. 2 of the accompanying drawings. Here, three devices enclosed by the dashed lines in the figure take the place of user computer A in the FIG. 1 system. Specifically, the core security data, such as a secret key for encrypting/decrypting communications, is contained in a secure device C which is supplied to the user by the provider of back-end system B. Device C typically includes a secure chip which is physically protected against tampering, e.g., using self-destructing data containers or at least intrusion detection sensors. A standard form factor for device C is a smart card. In any case, as C has no user-interface device, a reader device R is required to interface between C and the user and the possibly modified user computer represented here by A′.
Currently the highest level of security is achieved by deploying a PKI-enabled smart card as component C in FIG. 2. Users have to insert this into a device R in the form of a certified/provably-secure smart card reader which is connected to the user computer. See Hiltgen et al., “Secure Internet Banking Authentication”, IEEE Security & Privacy magazine, Vol. 4, No. 2, March 2006. In this setting, a complete, electronic, two-way authentication and establishment of secure keys between C and B can take place during establishment of a connection, practically without user intervention. It is advisable, though, that the user also provides an element of secret information, known only to him and C, so as to avoid operation of C in his absence, e.g., if C has been stolen. This secret information is normally a PIN that the user enters into reader R to “open” C for communication with B.
An alternative is the presentation of some biometric data, such as a fingerprint, to “open” C. This system provides for reliable authentication of the communications to be conducted between the user computer A′ and server B by ensuring that C and B can each verify the identity of the other and are operating with the user's consent. A fundamental problem with this system, however, is that reader device R is typically very expensive as a result of the need for a “provably-secure platform”. This presents a significant barrier to commercial deployment of the system.
Various alternatives for establishing trust between C and B exist which differ basically in the level of connectivity over the connections cr and ra in FIG. 2, and in the reliance placed on the devices R and A′. For example, systems are known which integrate R into A′ by providing a smart card reader in the user computer. Aside from the issue of reader cost, this requires hardware installation at A′ which is non-trivial for technically inexperienced users. Moreover, such systems suffer from the basic unreliability of the user computer A′ as illustrated in FIG. 3. A subverted, i.e., “hacked”, user computer A′ can easily capture all information on the link cr, including the exchange of the user PIN. With this information, and control over the next hop node, a subverted computer A′ can enable a hacker H to assume the identity of the real user and perform transactions with B “on his behalf”. In general, the only way to avoid such attacks is to provide a system for authenticating communications between the user computer A′ and server B whereby each party can be sure of the identity of the other. To achieve this, communication endpoints C and B need to be able to verify that they are indeed talking to each other, ideally with some input from the user to confirm the user's consent.
As a trade-off between the above systems, it is known to use disconnected and very inexpensive readers R to interface with device C. The disconnection of the user computer and reader R inhibits a hacker from gaining access to security information, such as the user's PIN, on the link cr as in the FIG. 3 scenario. In such a low-cost setting, the communication link to B is established by the user transferring information across the link ra in FIG. 2 as part of a challenge/response authentication protocol.
In particular, some information X sent by B is displayed to the user at computer A′, and the user has to type this into the reader R which communicates the information to C. C uses the security data stored in its secure memory to generate a response X′ which is returned to R for display to the user, and the user types X′ back into A′. The response X′ is then sent back to B for verification. While this scheme remedies the cost issue, it creates several problems. First, the extent of the required user interaction is inconvenient, reducing general acceptability of the system. Second, no real end-to-end authenticity, as guaranteed by a PKI protocol, is established as the full PKI security channel cannot be set up this way. The amount of data for such end-to-end authentication is rather large, several hundred bytes, and it is not feasible for a user to transfer this amount of data back-and-forth between R and A′ by typing. As a consequence, C cannot be sure that it is creating responses/data for an authentic B and can thus be primed to compute responses to challenges.
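The following Python model is an added illustration and is not part of the patent text. It simulates the typed challenge/response exchange just described (B sends X, C computes X′, B verifies X′) and makes the stated weakness concrete: C's answer is a pure function of X and the stored key, so C cannot tell whether X came from the authentic B or was relayed by a subverted A′. For contrast it also models a variant in which B attaches a short authenticator to the challenge that C checks before answering, and counts how many characters the user must transfer across ra in each case. The shared key, the six-digit code lengths and the function names are all constructed for the example; the authenticated-challenge variant uses a symmetric MAC as a simplified stand-in for the PKI-based end-to-end authentication the text says would need several hundred bytes.

```python
import hashlib
import hmac
import secrets

# Constructed per-card secret assumed to be provisioned into secure device C by the
# provider of server B. A real deployment would generate this inside the secure chip.
SHARED_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")

CODE_DIGITS = 6  # length of a value a user can reasonably type into R or A'


def _short_tag(key: bytes, label: bytes, data: bytes, digits: int = CODE_DIGITS) -> str:
    """Human-typable authenticator: HMAC-SHA256 over label|data, truncated to decimal digits."""
    mac = hmac.new(key, label + b"|" + data, hashlib.sha256).digest()
    value = int.from_bytes(mac[:8], "big") % (10 ** digits)
    return f"{value:0{digits}d}"


# --- Scheme as described in the text: one-way challenge/response across link ra ---

def server_challenge() -> str:
    """B picks a fresh challenge X and sends it to A' for display to the user."""
    return f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"


def device_response(x: str) -> str:
    """C computes X' from whatever X the user typed into R.

    Nothing in X carries B's identity, so C produces the same X' whether X came
    from the authentic B or was relayed through a subverted A' (FIG. 3).
    """
    return _short_tag(SHARED_KEY, b"resp", x.encode())


def server_verify(x: str, x_prime: str) -> bool:
    """B recomputes the expected X' with the same card key and compares in constant time."""
    return hmac.compare_digest(_short_tag(SHARED_KEY, b"resp", x.encode()), x_prime)


# --- Variant with an authenticated challenge: C only answers challenges B vouched for ---

def server_challenge_authenticated() -> tuple[str, str]:
    """B sends X together with a tag binding X to the key only B and C hold."""
    x = server_challenge()
    return x, _short_tag(SHARED_KEY, b"chal", x.encode())


def device_response_checked(x: str, tag: str):
    """C verifies the challenge tag first; a challenge B did not authenticate gets no answer."""
    expected = _short_tag(SHARED_KEY, b"chal", x.encode())
    if not hmac.compare_digest(expected, tag):
        return None
    return device_response(x)


def typed_characters(*fields: str) -> int:
    """Characters the user must carry across link ra by hand in one exchange."""
    return sum(len(f) for f in fields)


if __name__ == "__main__":
    x = server_challenge()
    x_prime = device_response(x)
    print("one-way scheme:", x, "->", x_prime, "verified:", server_verify(x, x_prime),
          "typed:", typed_characters(x, x_prime))

    x2, tag = server_challenge_authenticated()
    print("authenticated challenge:", x2, tag, "->", device_response_checked(x2, tag),
          "typed:", typed_characters(x2, tag, device_response_checked(x2, tag)))
    print("unauthenticated challenge refused:", device_response_checked(x2, "000000") is None
          or tag == "000000")
```

The count returned by `typed_characters` is the usability cost the text refers to: even this minimal form of server authentication adds a third value for the user to type, and a genuine PKI exchange would add far more than a six-digit tag.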
Considering the arrangement of FIG. 3, a hacker H can send challenges he received from B to C. While the cooperation of the user is required in this, it is known that users oblige if they believe they are communicating with the authentic B and, as already indicated, this is not straightforward to ascertain, particularly if one assumes that A′ has been subverted. Under these circumstances and due to the low bandwidth of communications across ra, attackers can be successful with neither C nor B noticing subversive operations.
A modified version of the system just described uses a reader R with a sensor for sensing the fluctuations in a flickering image which is displayed at A′ and encodes the authentication message from server B. The reader is held close to the screen to allow the sensor to detect the fluctuations, and the resulting message X is then communicated to C. The remainder of the authentication process is the same as before, whereby the user types back C's authentication response X′ into user computer A′ to bridge connection ra. While this represents an improvement to the previous system, fundamental problems still remain. Inconvenient user interaction is still required for the return path across ra, and the limitations inherent in the user involvement mean that full bidirectional end-to-end authentication is still inhibited, whereby the possibility of malign interference still remains.
Some aspects of the problems discussed above are addressed by intrusion detection (ID) technology. This technology involves observation of the behavior of networks and computers, e.g., communications and program execution patterns, with a view to detecting intrusions and in particular any malicious or unauthorized intervention which can compromise system security. Through use of such measures, ID systems try to protect all parties in a network from “misrepresentations” as to who-is-who.
However, current ID systems are of limited usefulness in the context of the authentication scenarios discussed above. An ID system typically sits just inside a network router and checks for intrusions in a specific network node I. In FIG. 2, for example, such an ID system cannot check the integrity of all components depicted; the components belong to different entities and are subject to different intrusion detection policies. While ID systems are increasingly federated, cooperating across areas of local concern, a limitation with existing ID systems is that they cannot observe all components involved in a secure transaction operation across a diverse network such as the Internet.