Today, many businesses use computer applications to interact with customers, vendors, partners and employees. Traditional access to these business computer applications requires a simple username and password to gain access to the application. However, as the level of sophistication of thieves trying to intercept and steal data has increased, so has the need for increased security measures. Furthermore, as the proliferation of smart phones and tablets that need and establish access to company data and applications from remote locations has increased, so has the vulnerability of corporate networks.
Many methods of establishing a secure connection between a client and a server exist. Those methods may be categorized into symmetric cryptography and asymmetric cryptography. In symmetric cryptography, the client and server encrypt and decrypt data using the same “private” key. As long as this key remains private, the data being transmitted is secure. One vulnerability with symmetric cryptography is the exchange of the private key. In many systems, the private key (often based on a username and password) may be initially exchanged in an unencrypted format. If the private key is exchanged in an unsecure manner prior to setting up the secure connection, the connection may be compromised. Retransmission of the private key every time a connection is desired further increases the likelihood that the key will be compromised.
One security implementation that completely avoids the transmission of the private key is asymmetric cryptography. Asymmetric cryptography or Public-key cryptography refers to a cryptographic system requiring two separate keys, one to lock or encrypt the data stream, and one to unlock or decrypt the encrypted data stream. Neither key will do both functions. One of these keys is published or public and the other is kept private. If the lock/encryption key is the one published then the system enables private communication from the public to the unlocking key's owner. If the unlock/decryption key is the one published then the system serves as a signature verifier of documents locked by the owner of the private key.
In asymmetric cryptography, a system simultaneously produces a mathematically linked key pair (i.e., a public and a private key) using an asymmetric key algorithm. The public key may be disseminated and used to transform a message into an unreadable form, decryptable only by using the different but matching private key. By publishing the public key, the key producer empowers anyone who gets a copy of the public key to produce messages only the producer can read—because only the key producer has a copy of the private key required for decryption. When someone wants to send a secure message to the creator of those keys, the sender encrypts the message using the intended recipient's public key; to decrypt the message, the recipient uses the private key. The public key can not be used to decrypt the message and accordingly, no one other than the holder of the private key, including the sender, can decrypt the message. One advantage of public-key cryptography is that private keys are never exchanged, thus eliminating a common security flaw found in symmetric key cryptography systems.
In addition to providing a secure connection, authentication, proving with increased certainty that the user trying to access the secure system is who they say they are, has become imperative to maintaining a secure system. While methods such as public-key cryptography and others have reduced or eliminated the unsecure transmission of secure login information, passwords and other secure login information may still be compromised through espionage or other methods. Accordingly, many networking communication systems employ a tiered or multifactor authentication approach using some type of security token.
Security tokens may be a physical device or software device that an authorized user of computer services is given to add another layer of authentication, two-factor authentication. Security tokens include smart cards, one-time password (OTP) tokens such as those from RSA Security, USB drives, and key fobs to name a few. Many security tokens provide a number that changes at set intervals and is synced with an authentication server. As long as the server and the token are in sync, the server can verify that the number entered by the user is valid within a certain time period and thus authenticate that the person logging in is in possession of the security token. In combination with a password or PIN, this provides multilevel authentication in that a potential intruder would need to compromise both the password and the security token to gain access. Other forms of security tokens may include biometric data such as fingerprint minutiae or digital signatures using a private key to further authenticate a client. Sometimes these additional authentication factors expire fairly quickly, for example within a minute, and much faster than a typical password to further increase security risks.
These additional authentication factors may be input to the client device in various ways. For disconnected tokens, a number may simply appear on the screen of the token and may then be input by hand into the client. Other tokens such as smart cards and USB tokens are physically connected to the client device. For security tokens that are physically connected, the client device must have supporting hardware such as a smart card reader or a USB port. This limits the ability of most mobile phones or tablets to use connected security tokens because most cell phones and tablets do not include the necessary hardware for reading smart cards or connecting USB devices.
In many security implementations verification of authentication information is handled by an authentication server. Authentication servers are servers that provide authentication services to users or other systems via a network. Remotely placed users and other servers provide passwords or security token information to be authenticated by such a server. Once the information is authenticated, the user or other system may receive cryptographic tickets which may then be exchanged to verify identity.
The use of an authentication server as a security measure limits access to only those user devices that are logged into a network that has direct access to the authentication servers. Although some authentication servers may be designed to authenticate clients outside the LAN, some authentication servers may be restricted to LAN access only in order to provide added security. A problem arises for corporations that would like to allow remote devices access to the services of these local authentication servers and the services they authenticate because the servers are not accessible outside the LAN. Accordingly, users may need to be directly connected to a dedicated network or use a virtual private network (VPN) technology like IPsec VPN or SSL VPN to get direct access to a the desired services.
The concept of using a VPN to enable remote users to access a dedicated network is well understood. However, in implementing VPNs as a security solution, it is assumed that the user device is owned and managed by the organization. The purpose of this ownership and management is to ensure the device does not have any rogue applications that can enter the dedicated network through a remote VPN established by the user. A rogue application may relay information to another source, install a virus or perform some other malicious activity.
With the new trend of using personally owned devices, enterprises no longer have full control over such devices. This creates a significant security hole for enterprises because a traditional existing VPN will give access to all applications on a device. Since the device is not owned or managed by the organization, there could be rogue applications on the device that exploit the VPN access established by the device.
One solution to some of the above problems and risks being employed by organizations is to disable VPN access to mobile devices and push end-users to web or web-service only front-end applications. While this strategy works well for simple authentication schemes like username/password, this model does not allow more complicated authentication schemes because the user device does not have access to authentication servers that reside on the organization's private dedicated network.