1. Statement of the Technical Field
The present invention relates to network communication security and more particularly to a method and system for obscuring authentication data sent from a client to a server as part of an authentication request.
2. Description of the Related Art
With the proliferation of public access communication networks such as the Internet, the security and integrity of data is a concern that permeates society. Related to this concern is the need to keep server resources available, and to provide access to potentially sensitive data, in the face of malicious unauthorized access attempts by hackers as well as attempts to destroy data and computing resources by viruses and worms. Hackers, viruses and worms constantly probe and analyze networks, servers and other computing resources for vulnerabilities that can be exploited.
Many schemes exist for protecting data and preventing unauthorized access to computing resources, ranging from simple password protection to more sophisticated firewall arrangements. As typically occurs in Internet communications, when a client computer seeks to access a web server, the request, in the form of Internet Protocol (“IP”) packets, is routed through a series of networks. Transport-layer protocols such as the Transmission Control Protocol (“TCP”) carry a logical port number in each segment so that the recipient device can determine which service is being requested or provided. These logical ports are therefore reference numbers used to identify a service. A port number is a 16-bit unsigned integer, ranging from 0 to 65535. Some port numbers are assigned to well-known services, some are reserved or registered, and many are unassigned and may be used by application programs. For instance, the hypertext transfer protocol (“HTTP”) uses port 80 by default to provide web browsing services.
In order to allow services such as web browsing to be used, the supporting logical ports, such as port 80, are typically left open in firewalls so that the corresponding data, for example a request for information, can reach the web server. Once the data has passed through the firewall, the web server typically accepts the data blindly, processes it and sends the result back to the originating client computer. This can even be the case where the web server responds to a request by asking for a password and/or user ID. Further, the response carrying the password is received as a single message, making it possible for that message to be recorded by an eavesdropper and re-sent to the server in order to mount a replay attack.
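The replay weakness described above, shown as an added example rather than anything from the patent: a password carried in a single message authenticates the attacker just as well the second time it is sent, whereas a server-issued, single-use nonce combined with an HMAC over it (a standard challenge-response pattern, assumed here for contrast and not the invention's own method) rejects the recorded bytes. The shared password and nonce size are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

# Constructed demo secret shared between the legitimate client and the server.
PASSWORD = b"correct horse battery staple"


# --- Scheme 1: the password travels as a single message (the weakness in the text) ---
class StaticPasswordServer:
    def __init__(self, password):
        self.password = password

    def authenticate(self, message):
        # Nothing ties this message to a particular session, so any copy of it is valid.
        return hmac.compare_digest(message, self.password)


def static_client_message(password):
    return password  # exactly what an eavesdropper records on the wire


# --- Scheme 2: server nonce + HMAC response (assumed contrast, not the patent's method) ---
class ChallengeResponseServer:
    def __init__(self, password):
        self.password = password
        self.outstanding = set()  # nonces issued but not yet consumed

    def challenge(self):
        nonce = secrets.token_bytes(16)
        self.outstanding.add(nonce)
        return nonce

    def authenticate(self, nonce, response):
        if nonce not in self.outstanding:
            return False  # unknown or already-used nonce: replayed bytes are refused
        self.outstanding.discard(nonce)  # each nonce is accepted at most once
        expected = hmac.new(self.password, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def challenge_response(password, nonce):
    # Client proves knowledge of the password without sending it; the proof is bound to the nonce.
    return hmac.new(password, nonce, hashlib.sha256).digest()


def replay_static():
    """Record the single-message password once, then resend it."""
    server = StaticPasswordServer(PASSWORD)
    captured = static_client_message(PASSWORD)
    first = server.authenticate(captured)      # legitimate client
    replayed = server.authenticate(captured)   # attacker resends the same bytes
    return first, replayed


def replay_challenge_response():
    """Record a full challenge/response exchange, then replay it two ways."""
    server = ChallengeResponseServer(PASSWORD)
    nonce = server.challenge()
    resp = challenge_response(PASSWORD, nonce)
    first = server.authenticate(nonce, resp)     # legitimate client
    replayed = server.authenticate(nonce, resp)  # same bytes again: nonce already consumed
    fresh = server.challenge()
    cross = server.authenticate(fresh, resp)     # old proof against a new challenge
    return first, replayed, cross


if __name__ == "__main__":
    print("static password  (first, replayed):", replay_static())
    print("challenge/response (first, replayed, cross):", replay_challenge_response())
```

The static scheme returns `(True, True)`: the replayed password is accepted. The challenge-response scheme returns `(True, False, False)`: the replayed message fails because the nonce was consumed, and the old response fails against a fresh nonce because the HMAC no longer matches. In a deployed system the outstanding-nonce set would also need an expiry, and the HMAC key would be derived from the password rather than used directly.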
These arrangements leave servers vulnerable to the above-described attacks and, further, require significant effort by administrators in order to constantly update firewall rule sets after attacks have occurred. It is therefore desirable to have a system and method which allows client computers to communicate with servers via a firewall without the firewall having to leave certain ports open by default, i.e., a firewall that appears to block all incoming traffic regardless of port number. It is further desirable to have a system and method which provides greater protection against a replay attack, in which a message comprising, for example, a password is recorded and re-sent to a server.