Traditional secure registration protocols rely on clients (or devices) authenticating with a server (or network). For instance, a user (of the client or device) may log on to a server, or a mobile device might register with a network. The registration protocol often includes authentication of client/device to the server/network or a mutual authentication protocol. More recently, with a view towards securing the entire session (not just access), these authentication protocols have been augmented to include a key agreement procedure which allows the client/device and the server/network to agree on a set of keys to secure the entire session.
Examples of one way authentication protocols include: CHAP described in W. Simpson, “PPP Challenge Handshake Authentication Protocol (CHAP),” RFC 1994; PAP described in B. Lloyd, “PPP Authentication Protocols,” RFC 1334; GSM triplet based authentication protocols described in European Telecommunications Standards Institute, GSM Technical Specification GSM 03.20 (ETS 300 534): Digital Cellular Telecommunication System (Phase 2); Security Related Network Functions, August 1997, the disclosures of which are incorporated by reference herein in their entireties.
Examples of mutual authentication protocols include: 3rd Generation Partnership Project's (3GPP) Authentication and Key Agreement (AKA) protocol described in 3GPP TS 33.102, Technical Specification Group Services and System Aspects; 3G Security; Security Architecture (Release 9), and various Extensible Authentication Protocol (EAP) based mutual authentication protocols such as EAP-TLS (EAP Transport Layer Security) described in B. Aboba and D. Simon, “PPP EAP TLS Authentication Protocol,” RFC 2716, the disclosures of which are incorporated by reference herein in their entireties.
These secure registration protocols have been extended to include a client registering with multiple servers, using what is commonly referred to as “single sign-on” protocols. With single sign-on, a user logs in once but gains access to all systems without being prompted to log in again with each system. These protocols are very useful in enterprise environments where a user has authorized access to multiple servers, and would like access to more than one at the same time. An example of a single sign-on protocol is Factotum described in R. Cox, E. Grosse and R. Pike, “Security in Plan 9,” USENIX, 2002, the disclosure of which is incorporated by reference herein in its entirety.
However, none of the existing registration approaches provide a mechanism for allowing a “reverse single sign-on,” where multiple clients gain access to one system in a secure and efficient manner. It would be desirable to provide techniques for addressing the problem of allowing multiple clients to gain access to one system in a secure and efficient manner and thus a solution to the “reverse single sign-on” problem.