Access control to private computer networks and the protection of sensitive company information are of great importance to most companies.
In conventional access restricted networks, a user profile is created for each user that is allowed to access the network and this profile is stored and maintained by a database administrator within the network. One of the most common examples of such access restricted environments is found in a Microsoft® Windows environment and is controlled by so-called “Active Directory”. Active Directory (AD) is a directory service created by Microsoft for Windows domain networks. It is included in most Windows Server operating systems and provides a central location for network administration and security. Server computers that run AD are called domain controllers. An AD domain controller authenticates and authorizes all users and computers in a Windows domain type network—assigning and enforcing security policies for all computers and installing or updating software. For example, when a user logs into a computer that is part of a Windows domain, AD checks the submitted password and determines whether the user is a system administrator or normal user and assigns privacy and usage rights to the user while he remains logged (signed) on to the network.
For many organisations the authentication and authorisation functionality provided by directory services such as AD is insufficient, as any person who is in possession of a valid username and password can generally access and interact with the network as if he were an authorised user.
To ensure the security and integrity of computer networks, Internet communications and e-commerce, organisations are often required to implement more advanced security measures than those provided for by standard usernames and passwords. For this reason additional security services such as Public Key Infrastructures (PKI) are used. PKI enables users of an otherwise insecure public network, such as the Internet, or even of access restricted private networks, to communicate and interact with the network securely through the use of private and public cryptographic key pairs. These key pairs are issued by trusted authorities and enable organisations to ensure that network resources are accessed and used only by authorised users, that confidential information is accessed and disseminated only by authorised users, and that the identities of users carrying out specified functions and activities on the network can be verified.
Microsoft PKI for Windows is an example of such a PKI and enables organisations to secure and exchange information with strong security across the Internet, extranets, intranets and applications.
One way of implementing PKI in an access controlled network is to issue users with smartcards or other hardware-based dongles or “tokens” that are configured with digital certificates including cryptographic key pairs, or that are configured to generate these cryptographic keys themselves. To use them, workstations that are allowed to log onto the network are fitted with authentication drivers and hardware readers configured to physically connect the tokens to the workstations. For a user to sign onto a network, the user has to insert the token into the reader in the workstation, after which the authentication driver negotiates the sign-on with the network server by means of certificate exchanges and mutual encryption. The digital certificates may also be used for encryption during the working session, which typically terminates as soon as the token is removed. Cryptographic smartcards are therefore often used for single sign-on operations.
Whilst a very effective form of user authentication and network sign-on, smartcard (or other token) based digital identification has the disadvantage that users have to have the smartcards (or tokens) with them in order to sign on to the network.
In the remainder of this specification the term “workstation” should be broadly construed to include any computer or other data processing device by means of which a user may conduct a sign-on to an access restricted network. It should also be appreciated that sign-on may occur from a workstation that is directly connected to the network being accessed, or remotely over a suitable distributed network such as the Internet.