Widespread use of networks to interconnect heterogeneous computer services is common today. Typically, in a distributed processing environment, a user will access an unsecured workstation and, using the workstation itself, access a variety of other computer services on the network. As the use of networks has increased, however, so have the problems relating to securing and controlling the legitimate access of users to the computer systems.
Traditionally, access to computer services was controlled through the use of passwords. For each service, a user was associated with a user id and a password. Both the computer system and the user who wished to access a service had to know the password. The user provided the user id and the computer systems challenged the user to then provide the password. This initiated access to the system.
In a distributed processing environment, a user often needs to access resources located at multiple servers from multiple workstations interconnected via a communications network. Authentication to each host accessed is crucial, but presenting separate user id/password pairs can be both unwieldy and unsecure. What is needed is a mechanism which requires users to identify and authenticate themselves once to a trusted agent which then performs the necessary user identification and authentication to each accessed resource transparently. This is known as unitary login.
Previous work in developing secure unitary login protocols for distributed systems include those intended for open environments (e.g., the Massachusetts Institute of Technology Kerberos protocol, the Digital Equipment Corporation SPX protocol, the Carnegie Mellon University Strongbox protocol, and the ISO OSI Directory Services protocols) and those intended for closed environments (e.g., the World Wide Military Command and Control System (WWMCCS) Information System Network Authentication Service (WISNAS) protocol, the Department of Defense Intelligence Information System Network Security for Information Exchange (DNSIX) protocol, and the Strategic Air Command Intelligence Network (SACINTNET) protocol). Each of there protocols provides different authentication services, but a common property of all is the required workstation configuration, which may not always be possible or feasible. Organizations could greatly ease the problems associated with user authentication with a method for authenticating users without workstation configuration.
There is a need in the field of network security and management for improved methods of transparently authenticating users and identifying enterprise machines that could otherwise not be identified.