The present invention relates to systems and techniques for authenticating and authorizing users of computers and other computerized devices connected to a network.
Computers and other computerized devices are frequently used in networked configurations. Computer networks advantageously allow multiple users operating respective computers to share information, access services provided by other devices connected to the network, and/or share hardware resources such as mass storage systems, printers, and facsimile machines.
For example, computers may be connected to a local area network (LAN), which generally allows a relatively small number of computers in a limited area to share information and access services/resources. Computers that are connected to a common LAN typically belong to the same group.
Further, computers may be connected to respective LANs, thereby defining multiple groups of computers. These LANs may also be linked together by way of, e.g., a wide area network (WAN) and/or the Internet, thereby allowing some or all of the relatively small number of computers in each group to share information and access services/resources.
Computers and other computerized devices, whether they are connected to a LAN and/or part of a larger WAN, also frequently have access to external networks, e.g., the Internet. For example, in a so-called “open” network configuration, all computers connected to an internal network typically have direct access to the external network. Alternatively, a specialized computer, sometimes called a “gateway” computer, may be interposed between the internal network and the external network, thereby requiring the computers connected to the internal network to access the external network indirectly by way of the gateway computer.
Although computer networks provide numerous advantages in facilitating the sharing of information and the accessing of services/resources between multiple users, computer networks have drawbacks in that they are subject to security breaches. For example, computers assigned to respective groups often share common access privileges relative to, e.g., specific files, directories, databases, web pages, and other services/resources. It is therefore desirable to authenticate users to ensure that, e.g., the users belong to particular groups and therefore have the requisite privileges for accessing the desired service/resource. In this way, unauthorized users can be prevented from accessing restricted information, services, and/or resources on the computer network; and, the security of the restricted information, services, and/or resources can be maintained.
Not only is it desirable to authenticate users to ensure that the users have the requisite access privileges, but it is also desirable to perform user authentication to ensure that any message and/or data transmitted by a user in fact originated with that user (message origin authentication), and was not intentionally or inadvertently modified during the transmission through the network to its destination (message integrity). In this way, the integrity of any message/data transmissions on the computer network can be maintained.
User authentication is conventionally performed on a computer network as follows. First, a user operating a client computer initiates a connection with a server computer via the network, e.g., for accessing a service/resource provided by the server computer.
Next, if access to the service provided by the server computer is restricted, then, instead of immediately accepting the connection, the server computer transmits a message to the client computer that includes information about what the client computer must do to authenticate the user.
For example, a secure channel for transmitting messages/data between the client and server computers over the network may be set up using the well-known Secure Sockets Layer (SSL) protocol (since standardized, with the same handshake structure, as Transport Layer Security, TLS). Specifically, the client and server computers execute SSL routines, which set up the secure channel through the network using, e.g., public-key cryptography to authenticate the parties and agree on session keys, symmetric encryption of the transmitted messages/data under those session keys, and X.509 certificates together with digital signatures for user authentication.
More specifically, using the SSL protocol, the server computer typically transmits a message to the client computer that includes a request for the client's certification path (i.e., a “certpath”): the chain of certificates leading from a certificate authority that the server computer trusts to the client computer's own certificate. For example, the message transmitted by the server computer may include a certificate request message, which typically includes a list of acceptable certificate types (i.e., the public-key algorithms the server computer will accept) and a list of the distinguished names of acceptable certificate authorities.
Accordingly, in order to authenticate the user, the client computer transmits a message to the server computer that includes a certpath conforming to the lists of acceptable certificate types and authorities, i.e., a chain rooted at one of the listed authorities and terminating at the client computer's certificate, together with a digital signature over the handshake made with the private key corresponding to that certificate (proving that the client computer actually holds the key). That certpath, leading from an authority the server computer trusts to the client computer, is regarded as the client computer's “credentials” (i.e., “certpath” credentials) to the server computer.
Finally, the server computer evaluates the credentials transmitted by the client computer: it checks that the certpath chains to one of its acceptable certificate authorities, that each certificate in the chain is valid (e.g., within its validity period and permitted for client authentication), and that the client computer's signature verifies under the public key in the client certificate. If the credentials satisfy the certificate request message, then the user is authenticated; the server computer then authorizes the user on the basis of that authenticated identity and provides the requested service/resource to the client computer.
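By way of an added worked example (not part of the original specification), the exchange described above can be observed end to end with Go's standard crypto/tls library. A server configured to require and verify client certificates sends a certificate request that carries the distinguished names of its acceptable certificate authorities; the client receives those names in its GetClientCertificate callback, can check whether its own certificate chains to a listed authority, and sends its certpath credentials; the server then evaluates the chain and either accepts the user or rejects the handshake. The example goes slightly beyond the text in that it also runs the rejection case. The names “Corp Root CA”, “alice”, “mallory” and “localhost”, the throwaway in-memory PKI, and the use of a loopback TCP connection are assumptions made for the example and are not drawn from the specification.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"net"
	"time"
)

// newCert issues a certificate for cn with key usage ku (CertSign makes it a CA); self-signed when parent is nil.
// The PKI built here is a constructed throwaway: serials and lifetimes are not production policy.
func newCert(cn string, ku x509.KeyUsage, parent *tls.Certificate) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: ku, IsCA: ku&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
		DNSNames:    []string{"localhost"},
	}
	signer, signerKey := tmpl, any(key)
	if parent != nil {
		signer, signerKey = parent.Leaf, parent.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// BuildPKI constructs "Corp Root CA" with a server and a client ("alice") certificate beneath it,
// plus a self-signed client certificate ("mallory") that chains to no authority the server accepts.
func BuildPKI() (ca, server, alice, mallory tls.Certificate) {
	ca = newCert("Corp Root CA", x509.KeyUsageCertSign, nil)
	leaf := x509.KeyUsageDigitalSignature
	return ca, newCert("localhost", leaf, &ca), newCert("alice", leaf, &ca), newCert("mallory", leaf, nil)
}

type HandshakeResult struct {
	AcceptableCAs []string            // CA names carried in the server's CertificateRequest, as seen by the client
	IssuerListed  bool                // whether the client's issuer was on that list (the client can check before sending)
	ClientChain   []*x509.Certificate // the certpath the server built from the client certificate up to its trust anchor
	ServerErr     error               // the server's verdict when the credentials do not satisfy its request
}

// RunMutualTLS runs one handshake over loopback: the server requires a client certificate chaining
// to ca; the client offers client whether or not it conforms, so the server's evaluation decides.
func RunMutualTLS(server, ca, client tls.Certificate) HandshakeResult {
	var res HandshakeResult
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	srvCfg := &tls.Config{
		Certificates: []tls.Certificate{server},
		ClientAuth:   tls.RequireAndVerifyClientCert, // send CertificateRequest, then evaluate the chain
		ClientCAs:    pool,                            // the acceptable certificate authorities
	}
	cliCfg := &tls.Config{
		RootCAs: pool, ServerName: "localhost",
		GetClientCertificate: func(cri *tls.CertificateRequestInfo) (*tls.Certificate, error) {
			for _, rawDN := range cri.AcceptableCAs { // DER distinguished names from the CertificateRequest
				var seq pkix.RDNSequence
				if _, err := asn1.Unmarshal(rawDN, &seq); err == nil {
					res.AcceptableCAs = append(res.AcceptableCAs, seq.String())
				}
				res.IssuerListed = res.IssuerListed || bytes.Equal(client.Leaf.RawIssuer, rawDN)
			}
			return &client, nil
		},
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		panic(err)
	}
	defer ln.Close()
	done := make(chan struct{})
	go func() {
		defer close(done)
		conn, err := ln.Accept()
		if err != nil {
			panic(err)
		}
		srv := tls.Server(conn, srvCfg)
		defer srv.Close() // close_notify on success; plain close after a rejected handshake
		if res.ServerErr = srv.Handshake(); res.ServerErr == nil {
			res.ClientChain = srv.ConnectionState().VerifiedChains[0]
		}
	}()
	if cli, err := tls.Dial("tcp", ln.Addr().String(), cliCfg); err == nil {
		cli.Read(make([]byte, 1)) // wait for the server's verdict: close_notify (accepted) or a bad_certificate alert
		cli.Close()
	}
	<-done
	return res
}
```

RunMutualTLS(server, ca, alice) yields the listed authority "CN=Corp Root CA", IssuerListed true and a two-certificate chain (alice, then Corp Root CA); RunMutualTLS(server, ca, mallory) yields the same list but IssuerListed false and a non-nil ServerErr, since the self-signed certificate chains to no acceptable authority. Note that the client learns the acceptable authorities only after the request arrives, which is the ordering the conventional technique imposes on credential building.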
However, such conventional techniques for providing user authentication in computer networks have drawbacks. For example, the SSL protocol generally requires the client computer to build certpath credentials, i.e., a certpath leading from an authority the server computer trusts to the client computer, for authenticating the user. But, in some applications, the client computer may be incapable of building the required certpath credentials, even though it might be capable of building other types of credentials. Similarly, the server computer may be incapable of evaluating such certpath credentials, even though it might be capable of evaluating other types of credentials. Further, because the SSL protocol generally deals only with certpath credentials, in some applications it may be incapable of conveying a full set of credentials (e.g., group memberships or other attributes of the user) from the client computer to the server computer, and therefore incapable of providing a definitive indication of the access privileges of the user.
In addition, even though client computers normally request access to services/resources from server computers via a network, and the server computers normally provide the requested information and/or services to the client computers, in some applications the server computers may at least temporarily take on the role of clients and/or the client computers may at least temporarily take on the role of servers. However, computers relying on conventional techniques such as the SSL protocol may be incapable of building and/or evaluating all of the different types of credentials required for authenticating users in their dual roles as clients and servers.
It would therefore be desirable to have improved systems and techniques for authenticating and authorizing users of computers and other computerized devices connected to a network that are extensible to permit incorporation of new and/or different types of credentials, credential builders, and/or credential evaluators. It would also be desirable to have improved systems and techniques for authenticating and authorizing users that provide for secure communications between any computers connected to a network, thereby allowing any computer on the network to request credentials from any other computer accessible via the network for user authentication/authorization.