1. Technical Field
The present invention relates generally to the field of providing security for a location in a network and more particularly to an extensible positive client identification system and method.
2. Background
The Worldwide Web (web), web browser, and email technologies have transformed the Internet public telecommunications network into a tool for everyday use. While businesses have used a variety of computer and private network technologies for several decades, often creating valuable databases and internal files in the process, web technologies have now made it possible for businesses to use such corporate data on the Internet for competitive advantage. Commercial transactions that used to be done through face-to-face meetings and negotiations, for example, can now be done electronically via the Internet—at least in theory. In practice, the more significant the transactions are, and the more sensitive the data involved, the more likely it is that security on the Internet (or any network) becomes a problem.
Ideally, electronic security addresses three requirements:
1. Confidentiality—the prevention of the unauthorized disclosure of information;
2. Integrity—the prevention of the unauthorized modification of information; and
3. Availability—the prevention of the unauthorized withholding of information.
In practice, current methods tend to fall short of the degree of certainty or comfort needed in one or more of these areas for many commercial or higher risk transactions.
Confidentiality, for example, begins by identifying the requestor of confidential information. This, in turn, means not only identifying a valid requestor, but also detecting when an imposter or thief is impersonating a valid requestor to gain access to confidential information. In many cases it is also true that a valid requestor may only be authorized to have access to a particular level of information. An employee database, for example, which contains salary information may have several different levels of access. An individual employee may only be authorized to access his or her own salary information, while the head of the personnel department may have access to all salary data. Non-employees may be denied access to any employee data—hence the importance of identification.
Data integrity is required to safeguard the data being requested. Computer hackers (those who seek to break through security safeguards either for amusement or theft) may try to corrupt data at the host computer by seeding computer viruses (programs that destroy files and data at the host site), corrupting data, replacing data with false information, or depositing "trojans"—software that appears to be useful but in fact does harm. Hackers can also try to intercept and corrupt data as it is being transmitted to a remote site. After transmission, a hacker may try to corrupt the data stored at the remote site.
Availability means simply that information should not be withheld improperly when it is requested. Many factors can affect availability over a network, such as hardware malfunction, software malfunction, data corruption, or the failure or slowing down of communications links.
While there are some existing measures and tools designed to address computer and network security, many of these have significant weaknesses. For example, one of the most popular methods of user identification for computers and networks is the use of a logon name and password. As seen in FIG. 2 (Prior Art), a computer user at a personal computer terminal 00 may want to connect over private network lines 10 to communicate with another user at terminal 02 within the private network. Computer software allows the user at terminal 00 to log onto the computer by using a dialogue screen that requests his or her user name and password. For a hacker to "crack" or break this kind of system thus requires knowledge of a valid user name and password combination.
The logon name and password approach has a number of weaknesses. First, logon names are usually very easy to discover. Many organizations select a standard format for them based on the user's real identity. Fred Smith, for example, may be given a logon name of "fsmith" or "freds". A hacker familiar with a user's real name may find it easy to deduce this kind of logon name. Many computer systems that require logon names also have default settings that are used when the system is first configured. Many users simply keep these default account names. Thus, a hacker familiar with the NT(trademark) operating system provided by Microsoft, Inc. of Redmond, Washington, might try the 'Administrator' account. Default account names and passwords greatly reduce the amount of work required for the hacker to gain illicit entry to a system. Hackers may also use software attacks to obtain passwords by copying password files.
Users often reveal their passwords accidentally by writing them down or by being observed during password entry. Some may deliberately disclose their passwords to a colleague so he or she can carry out a task on the user's behalf. Others will use the names of pets, family members, birthdays, etc., in order to make them memorable.
Unfortunately, this also makes them easier for others to guess. Most computer systems allow an administrator to define the type of passwords to be used. However, the more complex the requirements are, the more likely the user is to write the password down and display it conspicuously near the terminal, simply because the user cannot remember it.
Many organizations have relied on the logon name and password approach for their internal networks, because for most of these organizations, most potential hackers are internal employees who are not likely to do significant damage to the corporation. However, as these organizations allow access from outside the company, using the Internet 25 of FIG. 2 (Prior Art)—or other networks—sole reliance on logon names and passwords can ultimately lead to a total breach of security and all its consequences.
Some corporations have also used hardware keys (also known as "dongles") connected to each computer terminal to identify users and prevent unauthorized access. While this is an improvement over the simple logon name and password approach, these can usually be circumvented fairly easily by a hacker who examines what the hardware key does and emulates it in software.
Digital Identifiers (Digital IDs), Digital Certificates and Trusted Third Party Certificate Authorities (TTPCA) are more sophisticated methods used in the industry to enhance identification and security over the Internet. There are various industry standards associated with this technology, the most notable at this time being ANSI standard X.509 version 3. For the purposes of this discussion, the terms Digital ID and Digital Certificate are used interchangeably. A Digital Certificate is a series of characters containing an identifier and usually other verification information. The certificate or ID may be stored in a computer file—as seen in FIG. 2 (Prior Art), on disk 03 connected with a computer terminal 02—or on some other memory device such as a smart card. When the ID is read by the appropriate software, it is possible to use that ID for identification purposes. Usually these IDs are constructed in such a way that if they are tampered with and any of the characters are changed, the reading software will detect this and inform the requesting software. The techniques currently in use are thus sophisticated enough to ensure that a certificate is complete and unaltered, and they also provide an excellent basis for encryption of information.
However, digital certificates can be copied from a computer terminal 02 such as the one shown in FIG. 2 (Prior Art), and used to impersonate the user. They can also be stolen remotely while the user is using the Internet. For example, a hacker at terminal 13 can use the Internet 25 and communications networks 30 and 10 to find and copy a certificate stored on a disk at personal computer terminal 02.
Trusted Third Party Certificate Authorities (TTPCA) can be used to create and issue digital certificates for a company. To obtain a certificate from a certificate authority usually requires proof of identity. The certifying authority then uses its own digital certificate to generate one for the requestor. The degree of stringency and cost varies from authority to authority. At the highest levels of security, it can take several months to obtain one, and require high levels of proof of identity as well as expense. Certificates for large corporations, for example, can cost as much as $10,000 USD. At the other extreme, some companies will issue them for as little as $10 and require no proof of identity.
If a user holds a certificate and believes it may have been stolen or compromised, the user informs the certificate authority, which will usually revoke the user's current certificate and issue another one. Certificates thus offer a higher degree of protection, but are still fairly vulnerable, either through copying or interception of transmissions. In theory, a check should be made with the appropriate Certificate Authority before the customer relies on the certification, since the Certificate Authority might have already revoked the certificate. In practice this is a step that many application programs fail to take when certificates are used. Detection of the theft or interception may then not take place until after some significant damage has occurred.
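The revocation check described above, as an added example that is not part of the patent: it builds a constructed in-memory CA, client certificate and CRL with Go's standard library (the names "Example Corp CA" and "fsmith" and serial 4242 are made up) and shows that the chain verification most applications stop at passes, while the separate CRL lookup reports the certificate revoked.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

func must(err error) { if err != nil { panic(err) } }
// buildPKI constructs an in-memory PKI for this example: a CA, a client
// certificate (serial 4242, CN "fsmith") and a CRL from that CA revoking it,
// as the CA would after the holder reports a theft. Names and serials are made up.
func buildPKI(now time.Time) (ca, client *x509.Certificate, crlDER []byte) {
	caPub, caKey, err := ed25519.GenerateKey(rand.Reader)
	must(err)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Corp CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		SubjectKeyId: []byte{1, 2, 3, 4}, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caPub, caKey)
	must(err)
	ca, err = x509.ParseCertificate(caDER)
	must(err)
	clPub, _, err := ed25519.GenerateKey(rand.Reader)
	must(err)
	clTmpl := &x509.Certificate{SerialNumber: big.NewInt(4242), Subject: pkix.Name{CommonName: "fsmith"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	clDER, err := x509.CreateCertificate(rand.Reader, clTmpl, ca, clPub, caKey)
	must(err)
	client, err = x509.ParseCertificate(clDER)
	must(err)
	// The CA revokes serial 4242; the CRL is valid for twelve hours.
	crlTmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(12 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(4242), RevocationTime: now}}}
	crlDER, err = x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey)
	must(err)
	return ca, client, crlDER
}

// verifyChain is the check most applications stop at: signature, validity
// period and chain to a trusted root. It says nothing about revocation.
func verifyChain(cert, ca *x509.Certificate, now time.Time) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, CurrentTime: now})
	return err
}

// isRevoked is the step the text says is often skipped: parse the CRL, confirm
// the CA signed it and that it is still current, then look for the serial.
func isRevoked(cert, ca *x509.Certificate, crlDER []byte, now time.Time) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, err
	}
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return false, err
	}
	if now.After(crl.NextUpdate) {
		return false, errors.New("CRL is stale: do not rely on the certificate")
	}
	for _, e := range crl.RevokedCertificates {
		if e.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}
```

A stale CRL or one not signed by the issuer is treated as an error rather than as "not revoked", so the caller cannot mistake a failed lookup for a clean result.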
As mentioned above, smart cards can also be used to enhance identification. Some of these are similar to magnetic stripe credit cards which can be read by insertion or swiping in a card reader. Smart cards are usually used in conjunction with some other type of user input, such as a name, password, or Personal Identification Number (PIN). The simplest cards are low cost but may be easily duplicated. More complex smart cards have built-in data storage facilities and even data processing facilities in the form of embedded computer chips, allowing additional user information to be stored and thus providing a higher level of user verification. These tend to cost more and be more difficult to duplicate. The most secure cards have very sophisticated verification techniques but carry a higher cost per individual user.
Another method of identification uses simple fixed system component serial numbers. In the example of FIG. 2 (Prior Art), the manufacturer (such as Intel) of a personal computer processor chip, such as the one in terminal 05, may have embedded a serial number in the processor. This number can then be read to identify that particular personal computer terminal 05. While this tends to be much more specific at identifying a terminal, it also raises privacy questions, since the terminal 05 can be identified by anyone using appropriate methods over the Internet. This has led to the creation of a software program that switches off the serial number facility. This approach to identification thus creates some concerns about privacy and also about the ability for the feature to be switched on and off without the user's knowledge.
Along similar lines, Internet Protocol (IP) addresses can be used for identification with systems using the Transmission Control Protocol/Internet Protocol (TCP/IP) communication protocol of the Internet. To be part of such a TCP/IP network requires that each computer have a unique IP address, using a specified format. Each IP computer, in turn, is a member of a domain. Domains can be part of another network, as a subnet, or can even contain subnets. These IP properties are exposed during every network access. Basic firewall systems 15, as seen in FIG. 2 (Prior Art), use these properties to allow or refuse access to a computer system. Computer users of the AMERICA ONLINE(trademark) (AOL(trademark)) internet service, from America Online, Inc. of Dulles, Va., for example, are all members of the AOL(trademark) domain.
Many companies and Internet Service Providers (ISPs) such as AOL(trademark) only allow Internet access through a proxy server. The IP address that appears when proxies are used will be that of the proxy server machine. For users of AOL, for example, AOL(trademark)'s proxy server IP address will be the only IP form of identification for its many millions of users. This is not conducive to discrete identification.
Proxy servers may also be used by hackers to reach a user's computer. Hackers, for example, can impersonate an IP address, until they find an IP address of the user's that works for their purposes.
Biometric identification techniques are now becoming available, such as fingerprints, voiceprints, DNA patterns, retinal scans, face recognition, etc. While the technology exists in many cases to use this type of information, it is usually not presently available in a practical form or is too expensive for many applications. Many hackers will simply view it as a challenge to find ways to copy, intercept, or fake these forms of identification.
In addition to the identification problems outlined above, companies seeking to use the Internet and the web for commercial purposes also need to control the creation, modification and deletion of data that is requested or used on a website or network location. In the example shown in FIG. 2 (Prior Art), a corporate website 35 (usually composed of a computer system, operating system software, webserver software and web application software) may have valuable confidential information stored on local memory such as disk 40.
Computers hold programs and data in objects usually called files or data sets. As seen in FIG. 3 (Prior Art), files 72 and 74 are usually organized logically in folders 70 that are, in turn, referenced by directories 65—all of which is stored physically on local memory such as disk 40. In most file structures provided by present day operating systems, folders can also be placed inside other folders or directories, allowing files to be logically grouped together on a disk 40, just as they might be stored in cardboard folders in file cabinets if they were physically kept on paper. The authority to use a computer's files is based on identification of the user and the permissions and rights that have been given to that user, usually by a system administrator. For example, as seen in FIG. 3 (Prior Art), an operating system might have the scope of permissions and rights outlined in table T1. For these files a user might be denied any access, which would be indicated at line 80 of table T1.
If this same security profile typing is applied to web pages, as it is by many websites today, a requester without the proper permissions receives messages such as those shown in FIG. 3 (Prior Art) at 100 and 105. In some instances, messages such as these may alert a hacker to the kinds of information that require more rights, and provoke him or her into spending more time attempting to gain illicit access.
One approach to data integrity is provided by Virtual Private Networks (VPNs), which were conceived as a method of providing more secure remote access to users. VPN permission levels closely resemble the functionality and permission levels that local users of the computer or network would have. VPNs create secure links between two (or more) computers, which identify each other and then create encrypted pathways between them using sophisticated encoding techniques. Once the links have been created, they may be regarded as nearly hacker-proof for all practical purposes. However, while VPNs can create secure links between computers and/or terminals on a network, the link may be based on client identification methods that are vulnerable to attack, such as the logon name and password approach mentioned above. Thus VPNs can be subverted by false identifications into creating confidential sessions with a hacker.
Firewalls are another form of network security that have been developed to address data integrity. Firewalls are usually essential requirements for any computer or computer network which can be accessed remotely. A firewall is typically a computer system placed between two networks and connected to both. One of the networks is usually an internal corporate network which is reasonably secure. The other network is usually a public network, such as the Internet, which may be fraught with peril—at least from a security viewpoint. The software in the firewall computer usually provides protection from certain kinds of intrusions into the internal network by:
denying service,
closing off access to internal ports or computers,
denying access to certain protocols, or
filtering messages (examining the content of a message to determine whether or not to accept it).
In FIG. 2 (Prior Art), computer 15 might be a firewall computer which is placed between terminals 00 and 02 on private network 10 and the Internet 25 and public communication links 30. The internal, private network is considered the "clean" network, and the external, public one the potentially "dirty" one.
While firewalls fend off many attacks, some forms of attack can be difficult to detect, such as file deposition attacks, in which an internal computer or system is gradually filled with unwanted data that will eventually affect performance or even stop the computer or network from working. Since most current firewall technologies will detect and prevent large files being uploaded onto an internal computer or network, a knowledgeable hacker will instead upload a large number of very small files, each within the size acceptable to the firewall, eventually causing the computer's disk storage space to become insufficient and the system to degrade or fail.
A trojan is an extreme example of a file deposition attack—the file being deposited is a program that appears useful but will in fact damage or compromise data integrity and system security when it is used.
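One defensive answer to the small-file variant described above is to judge uploads per source over a sliding time window rather than one file at a time, so that many individually acceptable files still trip an alarm. The following Go program is an added example, not part of the patent; the log format, the addresses 10.0.0.7 and 10.0.0.9, and the thresholds are constructed for illustration.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
	"time"
)

// Upload is one file-upload event as a web server or firewall log might
// record it: timestamp, client address, action, file name and size in bytes.
type Upload struct{ At time.Time; Src, Name string; Bytes int64 }

// constructedLog is a made-up excerpt. Every file is under the 1 MiB per-file
// limit a firewall might enforce, yet 10.0.0.7 deposits a steady stream of them.
const constructedLog = `2024-03-01T10:00:00Z 10.0.0.9 upload q1-report.pdf 820000
2024-03-01T10:00:02Z 10.0.0.7 upload a01.bin 900000
2024-03-01T10:00:31Z 10.0.0.7 upload a02.bin 900000
2024-03-01T10:01:05Z 10.0.0.7 upload a03.bin 900000
2024-03-01T10:01:40Z 10.0.0.9 upload q1-appendix.pdf 640000
2024-03-01T10:02:12Z 10.0.0.7 upload a04.bin 900000
2024-03-01T10:02:50Z 10.0.0.7 upload a05.bin 900000
2024-03-01T10:03:20Z 10.0.0.7 upload a06.bin 900000`

// parseLog turns the whitespace-separated lines above into Upload events,
// rejecting malformed lines rather than silently skipping them.
func parseLog(text string) ([]Upload, error) {
	var out []Upload
	for n, line := range strings.Split(strings.TrimSpace(text), "\n") {
		f := strings.Fields(line)
		if len(f) != 5 {
			return nil, fmt.Errorf("line %d: expected 5 fields, got %d", n+1, len(f))
		}
		at, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, fmt.Errorf("line %d: %w", n+1, err)
		}
		size, err := strconv.ParseInt(f[4], 10, 64)
		if err != nil || size < 0 {
			return nil, fmt.Errorf("line %d: bad size %q", n+1, f[4])
		}
		out = append(out, Upload{At: at, Src: f[1], Name: f[3], Bytes: size})
	}
	return out, nil
}

// Policy caps what one source may deposit inside a sliding window, however
// small each individual file is.
type Policy struct{ Window time.Duration; MaxFiles int; MaxBytes int64 }

// detect replays events in time order, keeping a per-source window of recent
// uploads, and returns the first event at which each source crossed a limit.
func detect(events []Upload, p Policy) map[string]Upload {
	sort.SliceStable(events, func(i, j int) bool { return events[i].At.Before(events[j].At) })
	recent, total, flagged := map[string][]Upload{}, map[string]int64{}, map[string]Upload{}
	for _, ev := range events {
		q := recent[ev.Src]
		for len(q) > 0 && ev.At.Sub(q[0].At) > p.Window {
			total[ev.Src] -= q[0].Bytes // age out uploads older than the window
			q = q[1:]
		}
		q = append(q, ev)
		total[ev.Src] += ev.Bytes
		recent[ev.Src] = q
		if _, seen := flagged[ev.Src]; !seen && (len(q) > p.MaxFiles || total[ev.Src] > p.MaxBytes) {
			flagged[ev.Src] = ev
		}
	}
	return flagged
}
```

With a ten-minute window, five files or 4 MiB as the limits, the legitimate user at 10.0.0.9 is never flagged, while 10.0.0.7 is flagged on its fifth file even though no single upload exceeds the per-file limit.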
No matter how effective a firewall or VPN connection is, it is likely that a determined intruder can find a way to access a website for nefarious purposes. In a sense, the protocol of the Internet itself abets this, particularly its HTTP (Hypertext Transfer Protocol) and related protocols. This is the method used by websites on the worldwide web to publish pages to a web browser at a user's personal computer terminal. Uniform Resource Locators (URLs) are used to implement this. As seen in FIGS. 4A and 4B (Prior Art), block 110, the URL describes where to find and how to use a resource on the Internet. In the example of FIGS. 4A and 4B (Prior Art), the "http://" indicates that the resource must be accessed using the HTTP protocol. "www.w3.org" is the Internet name of the computer on which the page is to be found, along with its web root directory. "Addressing" is a directory found in the web root directory, and "URL" is a directory found in the directory called "Addressing". The page being published is found in the directory "URL" and the page name is "Overview.html". This general structure applies to all URLs and enables anyone with a web browser to reach information on the Internet. Thus, any website must at least have a web root directory if it is to be accessed over the Internet. This means that hackers can find any website on the Internet and access its web root directory. Once a web root directory is found, hackers can usually use port scanners or other techniques to locate the vulnerable areas of a website and deploy attacks against them or copy them for illicit purposes.
As mentioned above, file deposition attacks can be used to slow down or subvert an application, or to completely disable a website or system. A hacker, for example, can take an initial, legitimate web page and replace it with a page of the same name that asks for improper actions or allows access to confidential data. This affects the third function of security, namely availability. While a number of technologies such as redundant computer and disk systems have been developed to maintain high availability of systems and networks, sabotage by hackers or others can bring whole systems down.
Most current security systems and methods also embody some assumptions about would-be intruders. For example, many systems will deny access to an intruder once he or she has been detected. While the system designers know that this often does not deter an intruder, and may actually provoke one, an assumption of this approach is that the intruder who has been detected knows he or she will have to work harder and might give up and search for other prey. In present-day cryptography, for example, it is assumed that most ciphers or encryption techniques can be decoded or decrypted, given a sufficient amount of time, money, and computer "horsepower." In other words, it is extremely difficult to make a security system unbreakable, but it can be made more difficult and costly to break. Implicit in these approaches is a defensive posture that tries to build computer systems and networks that are impregnable fortresses. They often fail to take into account the fact that telling an intruder it has been caught and denying access, in many cases, provides valuable information to the intruder about which of its tools and attack plans are ineffective. The intruder who breaks in for amusement may actually regard these measures as a challenge. The criminal can use them for information.
It is an object of the present invention to provide a security system that positively identifies an authorized client.
It is another object of the present invention to provide a system for detecting interlopers.
These and other objects are achieved by a system for providing electronic security over a network through an extensible positive client identifier (EPCI), working with a positive information profiling system (PIPS), pseudo uniform resource locators (PURLs) to assist in providing data integrity, a virtual page publication system (VPPS), and an active security responder (ASR). The extensible positive client identifier (EPCI) system creates a unique client identification key and continually self-evaluates the key based on unique system signature data. The positive information profiling system implements account profiles for all content and clients so that pages of information can be generated and matched to the data requested as well as to the requestor. The virtual page publication system (VPPS) of the invention does not store pages permanently in the root directory of the site but instead creates temporary web pages dynamically, containing the level of information resulting from the client identification, PIPS, and PURL evaluations. The virtual page is sent (in encrypted form if this option has been selected or if it is required by the PIPS profile) to the requestor and exists only for the time necessary to send it. The active security responder (ASR) controls the overall operation of the present invention.