Authentication is the process of verifying the identity of a person or application. Authentication in computer systems can be done in various ways and involves acquiring user or application characteristics or credentials and verifying them against a known value. In popular conventional authentication implementations, a user, which can be a person or an application, requesting a connection to a target interacts with a client (machine), which then provides the client credentials to the target. Typically, the target is a server machine or server process providing a service to the client, and the client connects directly to the target using the target's native protocol. The target (or server) can be implemented either in hardware or in software. Upon receiving the client credentials, the target authenticates them by comparing them with known values in order to verify the client and accordingly authorizes (grants or denies) the request for connection. In this conventional authentication process, security breaches can occur at the client, at the target and in the transfer of client credentials between the client and the target (during communications).
Various systems involving proxies attempt to address security issues in the aforementioned authentication process: US2006/0101510 to Kadyk describes a method for negotiating a secure end-to-end connection between a client and a server where a proxy facilitates establishment of the end-to-end connection. In this method, a client initially establishes a secure connection to the proxy via which the client authenticates to the proxy. Once the client is authenticated to the proxy, the connection between the client and proxy is downgraded to an insecure connection. The proxy then facilitates establishment of a secure (encrypted) end-to-end connection between the client and the server by forwarding a client system request to the server. The secure end-to-end connection is encapsulated within the insecure client-proxy connection. This method prevents client credentials from being exposed in the client-proxy communications link and allows the client to communicate with the target without the proxy being aware of the communications (the end-to-end connection is secured). Kadyk thereby teaches an end-to-end connection between the client and the server wherein a conventional proxy forwards communications between client and server.
EP1157344 to Hudson describes a proxy server including a database. The proxy uses the database to augment a client request by adding user profile information from the database to the received client request. The proxy then sends the augmented client request, including the client credentials, to the server for authentication. Hudson thereby teaches transfer of client requests including client credentials by a proxy, wherein the original client request, including the original client credentials, is augmented by the proxy. Other native-protocol systems also exist for filtering connections or adding information at a proxy. However, such systems do not address the security issues described in this document.
US2006/0225132 to Swift describes a method of controlling access to network services where an authorized proxy can access a service on behalf of a user. In this method, only authorized proxies can access services. Swift thereby teaches access limitation to a server whereby only authorized conventional proxies can access network services.
US2011/0231651 to Bollay describes establishment of an encrypted session between a client and a proxy facilitating access to a target. The address of the target server is only provided to the client once an encrypted client-proxy session is established. Bollay thereby teaches restricting communication of a target server address wherein communication of the target server address is only through encrypted client-proxy sessions.
Conventional use of proxies for authentication of a client to a target means that the client connects to the proxy via a protocol specific to the proxy application that provides the connection. This means that the client needs to change, for example, scripts, procedures, applications, etc. on the client in order to use the protocol of the proxy application.
Generally, in conventional authentication techniques, the authentication credentials are held by the client and are sent to the target for authentication. Requiring the client to have credentials that will allow the client to authenticate directly with the target means that if the client is compromised (hacked, breached), the client credentials can be hijacked and abused, providing access to the target. This risk is manifested by the existence of a variety of attack tools that directly focus on credentials, including keyloggers that can capture typed passwords, memory grabbers that can retrieve passwords from machine memory and many others.
Another security concern is due to the limitations of human users. Human users choose relatively simple, easy-to-remember passwords and often use the same password for different needs. Thus, conventional authentication systems and methods using password-based credentials can be vulnerable to security threats due to low password complexity and password reuse.
Furthermore, in the context of shared or privileged accounts, for example, when the same account is used by a group of administrators, conventional authentication systems are unable to link actions on a target to an individual user. In other words, when a common access credential (such as a user/password pair) is used by a group of users, the target cannot attribute the use of the credentials, or the actions performed on the target machine, to any particular user.
Some systems attempt to address security issues by only allowing authorized clients (e.g. US2011/0231651 to Bollay) or authorized proxies (e.g. US2006/0225132 to Swift) access to a target. Other solutions attempt to improve security by using a proxy to establish a secure end-to-end connection between a client and a server. However, these solutions do not address the security issue of the client possessing credentials that provide direct access to the target.
Other systems attempt to address issues of security, shared accounts, credential replacement and monitoring by installing a central system, such as a proxy, which can be a ‘jump server’, through which a client establishes sessions with a target. The client connects to the proxy either through a terminal or through a browser-based interface. The proxy then establishes a native session with the target, using the client credentials. Such proxy systems are typically more complex to implement than conventional systems and bring additional challenges, such as the use of non-native protocols for client-proxy communications.
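The attribution problem described above for shared accounts, and the jump-server arrangement that addresses it, can be seen in a small constructed model. The following is an added illustration and is not code from any of the cited patents or from the applicant: a target that knows only one shared privileged account, and a proxy that authenticates individual users itself (PBKDF2-hashed per-user passwords, an assumption of this example), holds the shared target credential in a vault the client never sees, opens the native session on the user's behalf and records which individual used which target session. The account name "admin", the user names and the secret values are all constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field


@dataclass
class Target:
    """Constructed stand-in for a target server that knows only shared accounts.

    It authenticates an account/password pair and records nothing but the
    account name, which is exactly why it cannot attribute actions to a person.
    """
    accounts: dict                                  # account -> password (assumed plaintext store)
    sessions: list = field(default_factory=list)    # what the target sees: account per session

    def open_session(self, account: str, password: str) -> str:
        expected = self.accounts.get(account)
        if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
            raise PermissionError("target: authentication failed")
        sid = secrets.token_hex(8)
        self.sessions.append({"session": sid, "account": account})
        return sid


def _hash_password(password: str, salt: bytes) -> bytes:
    # Per-user credential at the proxy; iteration count is an assumption of this example.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class Proxy:
    """Jump server: authenticates individuals, holds the target credential, audits sessions."""

    def __init__(self, target: Target, shared_account: str, shared_password: str):
        self.target = target
        self._vault = {shared_account: shared_password}   # never returned to a client
        self._users = {}                                  # user -> (salt, pbkdf2 hash)
        self.audit = []                                   # individual user <-> target session

    def enrol(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[user] = (salt, _hash_password(password, salt))

    def connect(self, user: str, password: str, account: str) -> str:
        """Authenticate the individual first; only then open the target session for them."""
        record = self._users.get(user)
        if record is None:
            raise PermissionError("proxy: unknown user")
        salt, stored = record
        if not hmac.compare_digest(stored, _hash_password(password, salt)):
            raise PermissionError("proxy: bad password")
        secret = self._vault.get(account)
        if secret is None:
            raise PermissionError("proxy: no credential held for account")
        sid = self.target.open_session(account, secret)
        self.audit.append({"user": user, "account": account, "session": sid})
        return sid   # the client receives only a session handle, not the target credential

    def attribute(self, sid: str):
        """Answer the question the target cannot: which person used this session?"""
        for entry in self.audit:
            if entry["session"] == sid:
                return entry["user"]
        return None


def demo():
    target = Target(accounts={"admin": "constructed-shared-secret"})
    proxy = Proxy(target, "admin", "constructed-shared-secret")
    proxy.enrol("alice", "alice-pw")
    proxy.enrol("bob", "bob-pw")
    sid_a = proxy.connect("alice", "alice-pw", "admin")
    sid_b = proxy.connect("bob", "bob-pw", "admin")
    try:
        proxy.connect("bob", "wrong", "admin")   # rejected at the proxy, never reaches the target
        rejected = False
    except PermissionError:
        rejected = True
    return {
        "target_view": [s["account"] for s in target.sessions],   # ["admin", "admin"]: no attribution
        "proxy_view": {sid_a: proxy.attribute(sid_a), sid_b: proxy.attribute(sid_b)},
        "bad_password_rejected": rejected,
        "handles_are_not_secrets": "constructed-shared-secret" not in (sid_a, sid_b),
    }


if __name__ == "__main__":
    print(demo())
```

The target's own record shows two sessions for "admin" and nothing more; only the proxy's audit trail links each session to alice or bob, and a failed login at the proxy never consumes the shared credential against the target. The model deliberately leaves out what the text identifies as the hard part of such systems, namely the client-proxy protocol: here the client simply calls `connect`, whereas a real jump server must either speak the target's native protocol to the client or require the client to change its access method.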
There is, therefore, a need for a system and method for securely authenticating a client to a target without the target access credentials being exposed and available on the client machine. Furthermore, there is a need for secure authentication of a client to a target while retaining the client's existing access method.