The invention relates generally to network security, and more specifically to secure message and file transfers across public or private networks using an application-level virtual private network. It provides a means for specifying and validating the application being used to access a remote resource over a dynamic dedicated secure conduit or tunnel that is established over existing network pathways.
The need for providing and accessing information throughout small and large enterprise organizations spawned rapid a growth in intranets and extranets to satisfy these organizational communications requirements. With the rapid growth of the Internet as a public network communication medium, organizations found substantial cost savings by using the Internet as an worldwide vehicle for providing and accessing organizational information. The result was a shift from closed and protected to open and less secure, open information infrastructure. Gateways were provided to connect existing private networks to the Internet to replace many private dedicated networks providing access to disparate parts of the world. It is not unusual in today""s business environment to have multiple computer workstations and servers interconnected by complex and widely dispersed communications networks. These communications networks are critical to many businesses that rely on these information networks to provide services for the day-today operation of their enterprises.
With the growth of these communications networks came an increase in incidences of unauthorized access to these networks by individuals and software programs for accessing confidential information and causing disruptions or irreparable harm to these informational networks. These intrusions, oftentimes resulting in economic losses, have created a demand for means for detecting and preventing malicious and unauthorized access to these networks by users and organizations that seek to find and exploit the smallest security hole. In addition to enterprises instituting safeguards to prevent harm caused to business enterprises and individuals, the government has instituted regulations to protect the privacy of information on individuals that may be available on these information networks.
The Gramm-Leach-Bliley Act requires financial institutions and financial services companies to comply with stringent privacy and security standards. The health care market has similar legislation called the Health Insurance Portability and Accountability Act (HIPAA). While the details of HIPAA are still being completed, it will clearly establish uniform information security standards for health care organizations. Since the late 1980s, the government agencies have been under legislative pressure to secure networked systems. Emerging homeland defense initiatives will add additional and enforceable network security requirements to the government agencies.
In response to unauthorized intrusions into informational networks, various protective measures have been implemented to eliminate or reduce intrusion incidences. Some of these measures include Public Key Infrastructure (PKI) encryption, S/MIME Email security, Secure Sockets Layer (SSL) 128 bit encryption, Virtual Private Network (VPN), firewalls, and vulnerability scanners. Some of these network protection schemes may work at cross-purposes to one another by inhibiting other protection schemes from operating effectively. For example, a firewall may inhibit a vulnerability scanner form assessing the intrusion vulnerability of a system protected by the firewall.
Traditional VPN solutions have typically provided network-to-network secure communications, and machine-to-machine secure communications. In the former case, one network gateway can establish a secure channel to another network""s gateway by employing encryption technologies and using the public Internet as a medium. This approach has the benefit of using public resources in a secure manner, but has several notable disadvantages as well. The disadvantages include: (1) all resources on one side of the connection can access all resources on the other side of the connection, unless additional (often overlooked or too restrictive) measures are taken; and (2) if one side of the connection has multiple VPN channels to other locations, all locations can potentially access each other.
Although machine-to-machine VPN solutions seem to address these problems, they still have issues of their own that are often ignored due to the inability of current technologies to address them. The issues include: (1) if an intruder gains access to the one machine in the connection, she can use whatever application is available on the compromised machine to attack resources on the other side of the connection; and if the user of one machine contracts a virus or worm that corrupts his applications, that virus can spread across the VPN to attack resources on the other side of the connection.
The present invention provides a solution that overcomes many of the disadvantages and issues encountered in the use of network-to-network VPN secure communications and machine-to-machine VPN secure communications. It enables users to securely share application information and resources by granting resource owners access to user-application combinations, and ensuring that only approved and unaltered applications can access the resources being made available. A process of negotiation is a necessary preamble to any secure connection attempt from an application to a resource. This negotiation allows both ends of a communication channel to agree upon an application and version of an application to be used to access a target resource. Upon agreement by both ends of the communication channel, channel encryption may be established using an encryption key and a signature verified using the hash of the negotiated application.
Each application that runs on a client workstation is subject to a check upon all attempts to use an established application-level VPN channel. This check involves a query to the host operating system to determine which application has requested access and then a calculation of that application""s hash. As traffic passes into the VPN channel, the discovered hash and encryption process with a provided session key is used to establish secure communication. As packets emerge on the other side of the channel, the hash of the pre-coordinated application is used as a signature to validate the connection. Therefore, if a rogue or tainted application attempts to use the channel once it has been established, the hash-encryption step will not match the hash-signature step, and communications will not be successful. An embodiment of a network that satisfies these requirements is disclosed in U.S. patent application Ser. No. 10/249,668 filed on Apr. 29, 2003, and incorporated herein by reference.
An embodiment of the present invention is a method for application-level virtual private networking, comprising the steps of requesting access for sending requester messages to an external resource by a requester application within a user workstation, identifying the requestor application and calculating a hash value of the requestor application by a connection manager within the user workstation, forwarding the requestor messages and the calculated application hash value by the connection manager over a network to a channel gateway, receiving the requestor messages and the calculated application hash value by a channel receiver within the channel gateway, authenticating the received requester messages using the calculated application hash value and forwarding the requester messages to the external resource, and receiving the requestor messages by the external resource. The step of requesting access for sending requestor messages to an external resource by a requestor application within a user workstation may comprise the step of requesting access for sending requestor messages to an external server application program within the channel gateway by a requester application within a user workstation, the step of forwarding the requestor messages to the external resource may comprise the step of forwarding the requester messages to an external server application program within the channel gateway, and the step of receiving the requester messages by the external resource may comprise receiving the requester messages by the external server application program within the channel gateway. The step of identifying the requestor application and calculating a hash value of the requestor application by a connection manager within the user workstation may further comprise calculating a hash value of only one specific version of one specific requestor application by a connection manager within the user workstation, and the step of authenticating the received requester messages using the calculated application hash value may comprise authenticating the received requestor messages using the calculated hash value of only the one specific version of the one specific requestor application. The step of identifying the user application may comprise querying a workstation operating system for identifying the user application. The method may further comprise preparing and forwarding response messages by the external resource to the channel receiver within the channel gateway, receiving the response messages by the channel receiver and forwarding the response messages and the calculated application hash value over the network to the connection manager within the user workstation, receiving the response messages by the connection manager, authenticating the received messages using the received calculated application hash value, and forwarding the response messages to the requestor application within the user workstation, and receiving the response messages by the requestor application within the user workstation. The step of authenticating the received response messages using the received calculated application hash value may comprise authenticating the received response messages by comparing the received calculated application hash value with an application hash value calculated by the connection manager. The step of forwarding the requestor messages and the calculated application hash value may comprise the steps of obtaining public and private keys from a PKI authority, encrypting the requestor messages using the external resource public PKI key, encrypting the application hash value and a digital signature, a user ID and a password using the requestor application PKI private key, forwarding the encrypted requestor messages, the application hash value, the digital signature, the user ID and the password by the connection manager over the network to the channel gateway, the step of receiving the requestor messages and the calculated application hash value may comprise receiving the encrypted requestor messages, application hash value, digital signature, user ID and password by the channel receiver of the channel gateway, and the step of authenticating the received requestor messages using the calculated application hash value and forwarding the requester messages to the external resource may comprise decrypting the application hash value, digital signature, user ID and password using the application requestor PKI public key, decrypting the encrypted requestor messages using the external resource PKI private key, authenticating the received requestor messages using the decrypted calculated application hash value, digital signature, user ID and password, and forwarding the decrypted requestor messages to the external resource. The step of receiving the response messages by the channel receiver and forwarding the response messages may comprise receiving the response messages by the channel receiver, encrypting the response messages using the requestor application PKI public key, encrypting the hash and remote source digital signature using the remote source PKI private key, and forwarding the encrypted response messages, the encrypted calculated application hash value and remote resource digital signature, and the requestor application user ID and password over the network to the connection manager within the user workstation, and the step of receiving the response messages by the connection manager may comprise receiving the response messages by the connection manager, decrypting the response messages using the requestor application PKI private key, decrypting the hash and remote source digital signature using the remote source PKI public key, authenticating the decrypted received response messages using the decrypted received calculated application hash value and digital signature, and forwarding the response messages to the requestor application within the user workstation. The method may further comprise the step of forwarding the calculated application hash value, a digital signature, a user ID and a password by the connection manager over the network to an access authority for connection negotiation to obtain a session key, the step of encrypting the requestor messages by the connection manager using the session key, and the step of decrypting the requester messages by the channel receiver using the session key. The method may further comprise the step of negotiating a connection and obtaining a session key from an access authority, the step of encrypting the response messages by the channel receiver using a session key, and the step of decrypting the response messages by the connection manager using the session key. A computer-readable medium may contain instructions for controlling a computer system to implement the method above.
Another embodiment of the present invention is a system for application-level virtual private networking, comprising means for requesting access for sending requestor messages to an external resource by a requestor application within a user workstation, means for identifying the requestor application and calculating a hash value of the requestor application by a connection manager within the user workstation, means for forwarding the requestor messages and the calculated application hash value by the connection manager over a network to a channel gateway, means for receiving the requester messages and the calculated application hash value by a channel receiver within the channel gateway, means for authenticating the received requestor messages using the calculated application hash value and forwarding the requestor messages to the external resource, and means for receiving the requestor messages by the external resource. The external resource may be a server application program. The requester application may be one specific version of one specific application. The system may further comprise means for preparing and forwarding response messages by the external resource to the channel receiver within the channel gateway, means for receiving the response messages by the channel receiver and forwarding the response messages and the calculated application hash value over the network to the connection manager within the user workstation, means for receiving the response messages by the connection manager, authenticating the received messages using the received calculated application hash value, and forwarding the response messages to the requestor application within the user workstation, and means for receiving the response messages by the requester application within the user workstation. The means for forwarding the requestor messages and the calculated application hash value may comprise the steps of obtaining public and private keys from a PKI authority, encrypting the requestor messages using the external resource public PKI key, encrypting the application hash value and a digital signature, a user ID and a password using the requestor application PKI private key, forwarding the encrypted requestor messages, the application hash value, the digital signature, the user ID and the password by the connection manager over the network to the channel gateway, the means for receiving the requestor messages and the calculated application hash value may comprise receiving the encrypted requestor messages, application hash value, digital signature, user ID and password by the channel receiver of the channel gateway, and the means for authenticating the received requestor messages using the calculated application hash value and forwarding the requestor messages to the external resource may comprise decrypting the application hash value, digital signature, user ID and password using the application requester PKI public key, decrypting the encrypted requestor messages using the external resource PKI private key, authenticating the received requestor messages using the decrypted calculated application hash value, digital signature, user ID and password, and forwarding the decrypted requestor messages to the external resource. The means for receiving the response messages by the channel receiver and forwarding the response messages may comprise receiving the response messages by the channel receiver, encrypting the response messages using the requestor application PKI public key, encrypting the hash and remote source digital signature using the remote source PKI private key, and forwarding the encrypted response messages, the encrypted calculated application hash value and remote resource digital signature, and the requestor application user ID and password over the network to the connection manager within the user workstation, and the means for receiving the response messages by the connection manager comprises receiving the response messages by the connection manager, decrypting the response messages using the requestor application PKI private key, decrypting the hash and remote source digital signature using the remote source PKI public key, authenticating the decrypted received response messages using the decrypted received calculated application hash value and digital signature, and forwarding the response messages to the requestor application within the user workstation. The system may further comprise means for forwarding the calculated application hash value, a digital signature, a user ID and a password by the connection manager over the network to an access authority for connection negotiation to obtain a session key, means for encrypting the requestor messages by the connection manager using the session key, and means for decrypting the requestor messages by the channel receiver using the session key. The method may further comprising means for negotiating a connection and obtaining a session key from an access authority, means for encrypting the response messages by the channel receiver using a session key, and means for decrypting the response messages by the connection manager using the session key.
Yet another embodiment of the present invention is a user interface method for application-level virtual private networking, comprising defining a remote resource to be accessed without connection negotiation, including selecting a remote resource to be accessed, designating a local port for accessing a virtual private network, providing an IP address of the remote resource, assigning a port number where the remote resource is available, defining a connection for the requestor application, including using an executable application program for connecting to the remote resource, selecting a remote resource designation, supplying a user ID, entering a password, and clicking an enable button for accessing the remote resource. The user interface method may further comprise defining a remote resource to be accessed with connection negotiation, including checking a box for designating negotiation required, and assigning an access authority to be used and for determining an IP address and remote resource port.