The present invention relates generally to data communication networks, and more particularly to a system for managing access by users and host computers to at least certain destinations, which may be other users or hosts, within a packet switching network.
In packet switching networks, packets in the form of units of data are transmitted from a source--such as a user terminal, computer, application program within a computer, or other data handling or data communication device--to a destination, which may be simply another data handling or data communication device of the same character. The devices themselves typically are referred to as users, in the context of the network. Blocks or frames of data are transmitted over a link along a path between nodes of the network. Each block consists of a packet together with control information in the form of a header and a trailer which are added to the packet as it exits the respective node. The header typically contains, in addition to the destination address field, a number of subfields such as operation code, source address, sequence number, and length code. The trailer typically carries a redundancy check, such as a cyclic redundancy code, for detecting errors. At the other end of the link, the receiving node strips off the control information, performs the required synchronization and error detection, and reinserts the control information onto the departing packet.
Packet switching arose, in part, to fulfill the need for low cost data communications in networks developed to allow access to host computers. Special purpose computers designated as communication processors have been developed to offload the communication handling tasks which were formerly required of the host. The communication processor is adapted to interface with the host and to route packets along the network; consequently, such a processor is often simply called a packet switch. Data concentrators have also been developed to interface with hosts and to route packets along the network. In essence, data concentrators serve to switch a number of lightly used links onto a smaller number of more heavily used links. They are often used in conjunction with, and ahead of, the packet switch.
In virtual circuit (VC) or connection-oriented transmission, packet-switched data transmission is accomplished via predetermined end-to-end paths through the network, in which user packets associated with a great number of users share link and switch facilities as the packets travel over the network. The packets may require storage at nodes between transmission links of the network until they may be forwarded along the respective outgoing link for the overall path. In connectionless transmission, another mode of packet-switched data transmission, no initial connection is required for a data path through the network. In this mode, individual datagrams carrying a destination address are routed through the network from source to destination via intermediate nodes, and do not necessarily arrive in the order in which they were transmitted.
The widely-used Telenet public packet switching network routes data using a two-level hierarchy. The hierarchy comprises a long distance-spanning backbone network with a multiplicity of nodes or hubs, each of which utilizes a cluster of backbone switches; and smaller geographic area networks with backbone trunks, access lines and clustered lower level switches connected to each hub. Packet-switched data is transmitted through the network via VCs, using CCITT (International Telegraph and Telephone Consultative Committee of the International Telecommunications Union) X.75 protocol, which is a compatible enhancement of X.25 protocol.
For a communication session to proceed between the parties to a connection, it is essential that data be presented in a form that can be recognized and manipulated. The sequence of required tasks at each end, such as the format of the data delivered to a party, the rate of delivery of the data, and resequencing of packets received out of order, is generally handled in an organized manner using layered communication architectures. Such architectures address the two portions of the communications problem, one being that the delivery of data by an end user to the communication network should be such that the data arriving at the destination is correct and timely, and the other being that the delivered data must be recognizable and in proper form for use. These two portions are handled by protocols, or standard conventions for communicating intelligently, the first by network protocols and the second by higher level protocols. Each of these protocols has a series of layers. Examples of layered architectures include the Systems Network Architecture (SNA) developed by IBM, and the subsequently developed Open Systems Interconnection (OSI) reference model. The latter has seven layers, three of which are network services oriented, namely the physical, data link, and network layers, and the other four providing services to the end user by means of the transport, session, presentation, and application layers, from lowest to highest layer.
X.25 is an interface organized as a three-layered architecture for connecting data terminals, computers, and other user systems or devices, generally referred to as data terminal equipment (DTE), to a packet-switched network through data circuit terminating equipment (DCE) utilized to control the DTE's access to the network. The three layers of the X.25 interface architecture are the physical level, the frame level and the packet level. Although data communication between DCEs of the network is routinely handled by the network operator typically using techniques other than X.25, communication between the individual user system and the respective DCE with which it interfaces to the network is governed by the X.25 or similar protocol. In essence, X.25 establishes procedures for congestion control among users, as well as call setup (or connect) and call clearing (or disconnect) for individual users, handling of errors, and various other packet transmission services within the DTE-DCE interface.
X.25 is employed for virtual circuit (VC) connections, including the call setup, data transfer, and call clearing phases. Call setup between DTEs connected to the network is established by one DTE issuing an X.25 call-request packet to the related DCE, the packet containing the channel number for the logical connection, the calling and called DTE addresses, parameters specifying the call characteristics, and the data. The destination DCE issues an incoming call packet, which is of the same general format as the call-request packet, to the destination DTE, the latter replying with a call-accepted packet. In response, the calling DCE issues a call-connected packet to its related DTE. At that point the call is established and the data transfer phase may begin by delivery of data packets. When the call is completed, i.e., the session is to end, a call-clearing procedure is initiated.
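The call setup, data transfer and clearing phases just described, as an added simulation that is not part of the patent text: both DTE/DCE interfaces exchange the packets in order, and the called DTE (the host) decides whether to accept the call, which is the host-based access control the background section later describes. The addresses, the `host_policy` allow list and the refusal path using X.25's clear indication are assumptions of the example, not statements of the patent.

```python
from dataclasses import dataclass, field

# Packet kinds for the X.25 call setup, data transfer and clearing phases.
CALL_REQUEST, INCOMING_CALL, CALL_ACCEPTED, CALL_CONNECTED = (
    "call-request", "incoming-call", "call-accepted", "call-connected")
DATA, CLEAR_REQUEST, CLEAR_INDICATION, CLEAR_CONFIRMATION = (
    "data", "clear-request", "clear-indication", "clear-confirmation")

@dataclass
class Packet:
    kind: str
    channel: int                 # logical channel number of the virtual circuit
    calling: str                 # calling DTE address
    called: str                  # called DTE address
    facilities: dict = field(default_factory=dict)   # call characteristics
    data: bytes = b""            # call user data, or the data-phase payload

def run_call(calling, called, payload, host_accepts, channel=1):
    """Simulate one call across the DTE-A/DCE-A | network | DCE-B/DTE-B interfaces.
    Returns the ordered (sender, receiver, kind) trace and the bytes that reached DTE-B."""
    trace, delivered = [], b""
    def send(src, dst, pkt):
        trace.append((src, dst, pkt.kind))
        return pkt
    req = send("DTE-A", "DCE-A", Packet(CALL_REQUEST, channel, calling, called,
                                         {"packet-size": 128}, b"login"))
    # The network carries the request to the destination DCE, which presents the
    # same fields to the called DTE as an incoming-call packet.
    inc = send("DCE-B", "DTE-B", Packet(INCOMING_CALL, channel, req.calling,
                                         req.called, req.facilities, req.data))
    if not host_accepts(inc):
        # The called host refuses: it clears the call and the calling side is told.
        send("DTE-B", "DCE-B", Packet(CLEAR_REQUEST, channel, calling, called))
        send("DCE-A", "DTE-A", Packet(CLEAR_INDICATION, channel, calling, called))
        return trace, delivered
    send("DTE-B", "DCE-B", Packet(CALL_ACCEPTED, channel, calling, called))
    send("DCE-A", "DTE-A", Packet(CALL_CONNECTED, channel, calling, called))
    # Data transfer phase: the VC is established, so data packets flow end to end.
    d = send("DTE-A", "DCE-A", Packet(DATA, channel, calling, called, data=payload))
    delivered += send("DCE-B", "DTE-B", d).data
    # Call clearing: the session ends and the logical channel is released.
    send("DTE-A", "DCE-A", Packet(CLEAR_REQUEST, channel, calling, called))
    send("DCE-A", "DTE-A", Packet(CLEAR_CONFIRMATION, channel, calling, called))
    return trace, delivered

def host_policy(pkt):
    # Constructed host-side check: the host, not the network, decides who may
    # connect, here by an allow list of calling DTE addresses (constructed values).
    return pkt.calling in {"311000100001"}
```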
Prospective routing paths in the network are initially determined by a network control center, which then transmits these predetermined paths to the backbone switches as routing tables consisting of primary and secondary choices of available links from each hub. The secondary choices are viable only in the event of primary link failures, and the specific secondary link selection is a local decision at the respective hub based principally on current or recent traffic congestion patterns. The unavailability of an outgoing link from a hub at the time of the call setup effects a clearing back of the VC for the sought call to the preceding hub. An alternative link is then selected by that hub, or, if none is available there, the VC circuit is again cleared back to the next preceding hub, and so forth, until an available path is uncovered from the routing tables. Messages concerning link and/or hub failures are communicated immediately to the network control center, and that information is dispatched to the rest of the network by the center.
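The routing-table walk with clearing back, as an added illustration that is not taken from the patent: each hub holds an ordered list of primary and secondary links, a hub whose usable links are exhausted clears the VC back to the preceding hub, and that hub then tries its next choice. The hub names, link names and the routing tables are constructed for the example.

```python
# Constructed routing tables: for each hub, its ordered (link, next hub) choices,
# the primary choice first, followed by the secondary choices.
ROUTING_TABLES = {
    "A": [("A-B", "B"), ("A-C", "C")],
    "B": [("B-D", "D"), ("B-C", "C")],
    "C": [("C-D", "D")],
    "D": [],
}

def setup_vc(origin, destination, failed_links, tables=ROUTING_TABLES):
    """Attempt to set up a VC from origin to destination using the routing tables.
    Returns (path, clear_backs): the hub path of the VC (None if no path exists)
    and the hubs the VC was cleared back to when no outgoing link was available."""
    path = [origin]
    next_choice = {origin: 0}     # index of the next untried choice at each hub
    clear_backs = []
    while path:
        hub = path[-1]
        if hub == destination:
            return path, clear_backs
        choices = tables.get(hub, [])
        i = next_choice[hub]
        # Skip links reported failed and links that would loop back onto the path.
        while i < len(choices) and (choices[i][0] in failed_links
                                    or choices[i][1] in path):
            i += 1
        if i == len(choices):
            # No available outgoing link: clear the VC back to the preceding hub,
            # which then makes its own local selection of an alternative link.
            path.pop()
            next_choice.pop(hub)
            if path:
                clear_backs.append(path[-1])
            continue
        next_choice[hub] = i + 1
        nxt = choices[i][1]
        next_choice[nxt] = 0
        path.append(nxt)
    return None, clear_backs
```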
In typical present-day concentrators and packet switches, the data processing devices reside in a plurality of cards or boards containing printed circuits or integrated circuits for performing the various functions of the respective device in combination with the system software. Typically, the cards are inserted into designated slots in cages within a console, with backplane access to a data bus for communication with one another or with other devices in the network. The VME bus is presently the most popular 16/32-bit backplane bus. References from time to time herein to cards or boards will be understood to mean the various devices embodied in such cards or boards.
Many public data networks (PDNs) offer little or no security for communications between users and hosts or other data processing devices within the network, in keeping with the "public purpose" of the network and the desire for accessibility by a large number of actual and prospective users. Where restrictions on access are necessary or desirable, it is customary to assign each authorized user an identification (ID) number or a password, or both, which must be used to gain access to the host. More elaborate security measures are necessary where access may be had to highly confidential data.
Some data communication networks involve a variety of different customers, each of whom makes available a host and one or more databases to its users, and may place a level of security on its database which differs from the level placed by other customers on their respective hosts and databases. In those instances, it is customary to make the host responsible for security and access to itself and its associated database. Thus, a user might have access to certain destinations in the network without restriction, but no access to other destinations.
It may happen that an intruder, i.e., an unauthorized user, is able to enter the network by dialing up a desired host, and then attempts to make calls to (i.e., to access) a desired destination through an iterative process using large numbers of IDs or passwords. Hackers have been known to run long routines of potential passwords for days on end while leaving a terminal unattended, with the expectation that upon return to the terminal, entry to the host and the database may have been successful. These techniques not only violate network security, but also tie up lines otherwise available to authorized users. If toll lines are involved, the intruder may cost the network or its customers many hundreds or thousands of dollars of network time, whether or not the intruder is ultimately able to gain access to the host and its database.
In the past, various techniques and systems have been employed to provide secure data communications. U.S. Pat. No. 4,317,957 to Sendrow describes a security system for an electronic funds transfer network in which proposed transactions entered at remote terminals are multiply-enciphered in a predetermined manner with user identification and other secret information. Data is re-enciphered into another key and, together with this secret information, is appended to a transaction request message and transmitted to a central computer for validation. Such a technique does not readily alleviate the problem of dealing with many different levels of users within a data network, or of precluding an intruder from obtaining initial access and running a routine to penetrate further into the network's confidential archives. The Sendrow system is of the type in which any user may obtain access to the network, and the host has the responsibility for validation of the user's authorization to go further.
U.S. Pat. No. 4,423,287 to Zeidler describes a so-called "end-to-end" encryption system for protecting certain critical elements of messages used to obtain cash in automated financial transactions, such as transactions involving ATMs or other cash dispensing systems. In the Zeidler system, one-time session keys are implemented to assure that all encrypted data and message authentication codes are different notwithstanding identical transactions. The system requires multiple sequential encryptions and decryptions of session keys in master keys. Critical elements of the data message, such as a PIN, are encrypted using a session key which itself is decrypted using a master key, and then a message authentication code is computed using the same session key for other data elements of the message. An acquirer station with which a plurality of user terminals are associated attaches another master key-encrypted session key to the already encrypted data from an associated terminal. The multiply-encrypted data is then transmitted to a host via a network switch which inserts yet another master key for encryption. An issuer receives the last encrypted message and decrypts it with a final master key. Such a security system is generally unsuitable for a public data communications network, simply because it is overly complex and does not allow for different levels of security or different levels of users.
U.S. Pat. No. 4,430,728 to Beitel discloses a system for secure communications using a security key for automatic operation of a modem hookup for communication between the calling and called modems. If a security key contains the proper code, a switch is activated by the called modem to connect the caller to the host. Here again, although the technique employed is relatively less complex than those described above, the prior art system does not readily distinguish between different levels of security or different levels of users within the same network.
U.S. Pat. No. 4,349,695 to Morgan describes an authentication system in which the receiver interrogates the transmitter in code. Multiple back and forth transmissions are required to authenticate the remote user. Such systems likewise do not take into account the various levels of users and security within a single network. While the interrogation of certain users may be appropriate, for others it is a waste of valuable network time.
It will be observed, therefore, that a need exists for a relatively simple security and access management system that may be implemented in an existing data communication network in which certain users may be authorized for unlimited access to hosts and databases, while others have more restricted access, and still others are to be denied access to specified portions of the network but free access to other portions. It is a principal object of the present invention to provide such an access management system.
It is another object of the present invention to provide an access management system for a data communications network which precludes intruders from gaining initial access to the network itself and thus improves the level of overall security, but without imposing harsh or cumbersome measures of accessibility or interrogation on authorized users of every level.
Still another object of the invention is to provide an access management system which precludes iterative techniques for stumbling on valid passwords or other entry-authorizing codes to the data communications network, without establishing unnecessarily strict barriers to entry by the various levels of authorized users of the network.