1. Field of the Invention
This invention relates generally to computer networks, and more particularly to a system and method for securing access to services in a computer network.
2. Description of the Background Art
In its infancy, the Internet provided a research-oriented environment where users and hosts were interested in a free and open exchange of information, and where users and hosts mutually trusted one another. However, the Internet has grown dramatically, currently interconnecting about 100,000 computer networks and several million users. Because of its size and openness, the Internet has become a target of data theft, data alteration and other mischief.
Virtually everyone on the Internet is vulnerable. Before connecting to the Internet, companies balance the rewards of an Internet connection against risks of a security breach. Current security techniques help provide client and server authentication, data confidentiality, system integrity and system access control.
The most popular of the current security techniques is a firewall, which includes an intermediate system positioned between a trusted network and the Internet. The firewall represents an outer perimeter of security for preventing unauthorized communication between the trusted network and the Internet. A firewall may include screening routers, proxy servers and application-layer gateways.
For users on the Internet to access protected services on the trusted network, they may be required to prove their identity to the firewall by some means, such as entering a password or computing a response to a challenge using a hardware token. With proper authentication, the user is allowed to pass through the firewall into the local network, but is typically limited to a predetermined set of services such as e-mail, FTP, etc.
Some local network managers place just outside the firewall a server, often referred to as a “sacrificial lamb,” for storing non-confidential data; such a server is easily accessible to the remote user but is given little protection itself.
A De-Militarized Zone, or DMZ, sits between two firewalls protecting a trusted network. The external firewall protects servers in the DMZ from external threats while allowing HyperText Transfer Protocol (HTTP) requests. The internal firewall protects the trusted network in the event that one of the servers in the DMZ is compromised. Many companies use DMZs to maintain their web servers.
Another security technique for protecting computer networks is the issuance and use of public key certificates. Public key certificates are issued to a party by a certificate authority, which via some method validates the party's identity and issues a certificate stating the party's name and public key. As evidence of authenticity, the certificate authority digitally signs the party's certificate using the certificate authority's private key.
Thus, when a user via a client computer connects to a server, the client computer and server exchange public key certificates. Each party verifies the authenticity of the received certificate by using the certificate authority's public key to verify the signature of the certificate. Then, by encrypting messages with the server's public key the user can send secure communications to the server, and by encrypting messages with the user's public key the server can send secure communications to the user. Although any party might present a public key certificate, only the real user and the real host have the corresponding private key needed to decrypt the message. Examples of authentication and key distribution computer security systems include the Kerberos(trademark) security system developed by the Massachusetts Institute of Technology and the NetSP(trademark) security system developed by the IBM Corporation.
These security techniques cause problems for the roaming (traveling) user. The roaming user must maintain identification and authentication information such as passwords, certificates, keys, etc. and carry hardware tokens for responding to system challenges. Therefore, a system and method are needed for authenticating a roaming user easily and securely.
The present invention provides a system and method for authenticating the identity of a user in a computer network. The network system includes a server coupled via a computer network to a client. Upon receiving a request for access, the server sends an authentication applet to the client. The authentication applet includes a user identification (ID) module for obtaining a user ID and a password module for obtaining a client password. The authentication applet also includes a response generator coupled to the password module for using the client password as a variable in an algorithm to compute a client response. The authentication applet further includes a communications module coupled to the response generator and to the user ID module for sending the client response and the user ID back to the server for user authentication. The client uses an applet engine to execute the applet. The server uses the received user ID, the response and possibly user information to verify the identity of the user.
The method includes the steps of receiving a service request from a client, delivering to the client an authentication applet which when executed by the client uses client input as a variable in an algorithm to compute a response, receiving the response and a user ID from the client, and verifying the response. Verifying the response includes using the user ID and the challenge and possibly user information to verify the user.
It will be appreciated that the system and method of the present invention never send the password itself across the computer network and thus never compromise the password by transmission across unsecured channels. Further, the user need not maintain a hardware token configured to generate a proper response to a challenge. The user need only maintain the global server Uniform Resource Locator (URL), a user ID and a password needed to effect a proper response to a challenge by the applet. Thus, to access a service, the roaming user can use any computer terminal that is connected to the computer network and capable of executing the applet.
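The exchange described in the summary above, worked through as an added example (this is not code from the patent). The patent only says the applet uses the password "as a variable in an algorithm"; the assumptions here are that the server's challenge is a random single-use nonce delivered with the applet, that the response algorithm is HMAC-SHA256 keyed with a SHA-256 digest of the password, and that the server's "user information" is that stored digest rather than the clear password. The `login` function records every message that crosses the network so the property claimed above (the password itself is never transmitted) can be checked directly.

```python
"""Challenge-response login modelled on the applet flow in the summary.

Added example, not the patent's own code.  Assumptions (not stated by the
patent): random single-use challenge, HMAC-SHA256 response keyed with a
digest of the password, server stores only that digest.
"""
import hashlib
import hmac
import secrets

# --- server side --------------------------------------------------------------

# Constructed user store: a per-user verifier, never the clear password.
# Note the verifier is password-equivalent for this protocol, so the store
# itself must be protected as carefully as a password database.
USER_DB = {
    "alice": hashlib.sha256(b"correct horse battery").digest(),
}

# Challenges outstanding for pending logins.  Each is removed on first use so
# a response captured on the network cannot be replayed later.
_PENDING = {}


def derive_key(password: bytes) -> bytes:
    """Derivation shared by applet and server; only its output is stored."""
    return hashlib.sha256(password).digest()


def server_issue_challenge(session_id: str) -> bytes:
    """Step 1: on a service request the server creates a fresh challenge
    and delivers it to the client together with the applet."""
    challenge = secrets.token_bytes(16)
    _PENDING[session_id] = challenge
    return challenge


def server_verify(session_id: str, user_id: str, response: bytes) -> bool:
    """Step 3: recompute the expected response from the stored verifier and
    the challenge issued for this session; compare in constant time."""
    challenge = _PENDING.pop(session_id, None)  # single use
    verifier = USER_DB.get(user_id)
    if challenge is None or verifier is None:
        # Perform a comparison anyway so an unknown user ID or a consumed
        # challenge is not distinguishable from a bad password by timing.
        hmac.compare_digest(response, b"\x00" * 32)
        return False
    expected = hmac.new(verifier, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(response, expected)


# --- client side (what the authentication applet does) ------------------------

def applet_compute_response(password: bytes, challenge: bytes) -> bytes:
    """Step 2: the password is used only as a variable in the algorithm;
    only the computed response leaves the client."""
    return hmac.new(derive_key(password), challenge, hashlib.sha256).digest()


def login(session_id: str, user_id: str, password: bytes, wire: list) -> bool:
    """Run one authentication exchange.  Every message placed on the network
    is appended to `wire` so the caller can inspect what was transmitted."""
    challenge = server_issue_challenge(session_id)
    wire.append(("server->client", challenge))
    response = applet_compute_response(password, challenge)
    wire.append(("client->server", user_id.encode() + b"|" + response))
    return server_verify(session_id, user_id, response)


if __name__ == "__main__":
    transcript = []
    ok = login("s1", "alice", b"correct horse battery", transcript)
    leaked = any(b"correct horse battery" in msg for _, msg in transcript)
    print("authenticated:", ok, "| password seen on wire:", leaked)
```

Two design points worth noting for anyone implementing the scheme: the challenge must be unpredictable and consumed on first use, otherwise a captured response is as good as the password for that server; and because the server's stored verifier can stand in for the password, the gain over sending the password is protection of the channel, not of the server's store.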