Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Particular communication authentication technique
Reexamination Certificate
1998-12-22
2002-08-13
Peeso, Thomas R. (Department: 2132)
Electrical computers and digital processing systems: support
Multiple computer communication using cryptography
Particular communication authentication technique
C713S168000, C713S170000, C713S176000, C713S182000
Reexamination Certificate
active
06434700
ABSTRACT:
FIELD OF THE INVENTION
The present invention generally relates to management of computer networks, and relates more specifically to network access control mechanisms that authenticate and authorize users of passwords generated by the Fortezza cryptographic protocol.
BACKGROUND OF THE INVENTION
By remote network access, individuals or large groups may work with computers and networks from any location and at any time. Remote access is the ability to connect to, or “log-on” to a computer network from a distant location. Using remote access, mobile computer users, or computer users at remote sites, may access a network by dialing in to a network access server (“NAS”) using a computer, modem and remote access software. The NAS selectively permits or denies network traffic and thereby controls remote access to an Internet Service Provider, private corporate network or virtual private network.
However, the convenience of remote access comes at the expense of security. A malicious user can use remote access to penetrate and attack a network. For example, an unauthorized user can gain remote access to a machine with the intention of destroying, compromising, or stealing resources or information. Thus, one important security issue for remote access is user identification and authentication, which is verifying that the person who dials in is authorized to access the network and is who he says he is.
Another important security issue is user authorization. Generally, after authentication of a user, an authorization phase begins. Authorization is the process of defining what an authenticated user can do when the user accesses the network. For example, a network administrator may restrict remote users to specific servers and services, rather than letting them access any part of the network. In general, the more authorization a user receives, the more stringent the authorization procedure would be.
Remote access security systems vary in complexity depending on the level of security needed. Some networks rely on simple user identifier (“ID”) and password systems. In such a system, the NAS maintains user IDs and encrypted passwords as part of a system configuration file. However, there are at least two major drawbacks to this approach. The first drawback is that remote users need the flexibility of dialing in to the NAS that is closest to their location, while still being able to use the same user ID and password. The second drawback of the user ID and password system is that its security derives only from controlled knowledge of the password. Any Identification and Authentication (I&A) mechanism based solely on “something you know” is considered weak authentication.
Strong authentication, on the other hand, is achieved through an I&A mechanism based on “something you know” as well as “something you have.” An example of “something you have” that may be used to improve authentication is ownership of a Smart card, Token card or Crypto card.
A Fortezza security system is an example of strong authentication. Fortezza security systems require each authorized user to possess an electronic card that can generate or is encoded with a password generated using the Fortezza cryptographic algorithm (a “Fortezza Crypto card”). The United States National Security Agency developed the Fortezza security system for the United States Department of Defense, to provide originator authentication as well as data integrity and data privacy.
Generally, a Fortezza security system includes a Fortezza Crypto card that stores unique encrypted information, and which executes encryption algorithms to produce a scrambled one-time password (“OTP”). The card is a self-contained hardware system, having its own CPU and memory, and which stores and authenticates Fortezza OTPs. Each OTP is unique and is valid only for a particular interval of time. Because each password created by this process is different every time, users cannot share their passwords, and intruders cannot reuse a stolen password. Further information about Fortezza security systems is disclosed in Fortezza Application Developer's Guide, available on the Internet at: http://armadillo.huntsville.al.us/FADG/welcome.htm
While the Fortezza security system provides a high level of security, in the past it has been difficult to deploy. Deployment of Fortezza depends on setting up a sophisticated infrastructure to support Fortezza's specialized hardware and interface specifications.
In one approach, users access a network by dialing in to special NASs that are dedicated to support Fortezza technology exclusively. These special NASs are not configured to support any other authentication and authorization mechanism other than Fortezza. A different set of NASs are maintained to support the other authentication and authorization mechanisms that are not only less specialized than Fortezza but typically involve lower user access privileges corresponding to weaker authentication and authorization. Thus, an Internet Service Provider, corporate network, or virtual private network would need to maintain several security systems in order to support users with different password types.
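The weak/strong distinction above (password only versus password plus card-generated one-time password, with privileges tied to the strength of the completed authentication) can be modelled on a single access server. The following is an added illustration, not code from the patent or any Fortezza product; because the page does not describe the card's algorithm, a keyed HMAC over a time slot stands in for it, and the 60-second validity interval, user names and secrets are constructed values.

```python
import hashlib
import hmac

OTP_INTERVAL = 60  # seconds one OTP stays valid (assumed value, not from the page)

def card_otp(card_secret: bytes, t: float) -> str:
    """Stand-in for the card's OTP (HMAC over the time slot); not the Fortezza algorithm."""
    slot = int(t // OTP_INTERVAL).to_bytes(8, "big")
    return hmac.new(card_secret, slot, hashlib.sha256).hexdigest()[:12]

def _pw_hash(user: str, password: str) -> bytes:
    # Demo salt derived from the user name; use a random per-user salt in practice.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), user.encode(), 100_000)

class NAS:
    """One access server that accepts password-only and password-plus-card logins
    and grants privileges according to how strong the completed authentication was."""

    def __init__(self) -> None:
        self.passwords = {}     # user -> password hash ("something you know")
        self.cards = {}         # user -> card secret ("something you have")
        self.used_otps = set()  # replay cache of (user, otp) pairs already accepted

    def enroll(self, user: str, password: str, card_secret=None) -> None:
        self.passwords[user] = _pw_hash(user, password)
        if card_secret is not None:
            self.cards[user] = card_secret

    def _check_otp(self, user: str, otp: str, now: float) -> bool:
        secret = self.cards.get(user)
        if secret is None or not otp.isascii():
            return False
        expected = card_otp(secret, now)       # valid only within the current interval
        if not hmac.compare_digest(otp, expected):
            return False
        if (user, otp) in self.used_otps:      # a captured OTP cannot be presented twice
            return False
        self.used_otps.add((user, otp))
        return True

    def login(self, user: str, password: str, now: float, otp=None):
        """Return "full", "restricted", or None when access is denied."""
        stored = self.passwords.get(user)
        if stored is None or not hmac.compare_digest(stored, _pw_hash(user, password)):
            return None
        if otp is None:
            return "restricted"  # knowledge-only (weak) authentication: lower privileges
        return "full" if self._check_otp(user, otp, now) else None  # fail closed on a bad OTP
```

A presented but invalid OTP denies the login outright rather than silently downgrading to the restricted tier, so a caller cannot use a card-holder's identity at a lower privilege by guessing.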
FIG. 1 is a block diagram of a system 100 in which the Fortezza security system can be used. Generally, system 100 includes a client 102, a user 106 associated with client 102, a network access server 104, and a network 108. Client 102 is used by and associated with a user 106. Client 102 and network access server 104 are respectively located in logically distinct regions 101, 103, which may be geographically separate.
Client 102 is a device, such as a workstation or personal computer, that is capable of dialing in to the network access server 104 to establish a connection 116. Client 102 may be a Sun workstation running Solaris. A card reader 107b is coupled to client 102 to communicate data and commands between the client and a Fortezza card 107a. In an embodiment, card reader 107b is a PCMCIA card reader such as Litronic ARGUS/2100, and Fortezza card 107a is a compatible PCMCIA card. Card reader 107b may communicate with client 102 over a SCSI port.
The network 108 is a network that includes any number of network devices 118, 120, 122 interconnected by one or more communication channels 109. Ethernet, Token Ring, or other protocols can characterize the communication channels 109. Communication channels 109 may form part of a local area network or wide area network.
The network access server 104 is a computer, or one or more hardware or software components or processes that cooperate or execute in one or more computer systems. The network access server 104 is coupled to the network 108 and controls remote access to the network 108 and the network devices 118, 120, 122. An example of a product that is suitable for use as network access server 104 is model AS5300, commercially available from Cisco Systems, Inc.
The network access server 104 may execute an application program 110 that is compiled and linked with a cryptologic library 112. The application program 110 invokes the functions in the cryptologic library 112. The cryptologic library communicates with a Fortezza security server 114. Thus, cryptologic library 112 provides an interface that enables network access server 104 to communicate with Fortezza security server 114.
Fortezza security server 114 is a computer, or one or more hardware and software components or processes that cooperate or execute in one or more computer systems. While Fortezza is a hardware-based authentication method, the electronic hardware that carries out Fortezza authentication may be controlled by software elements that command the hardware what to do, provide input data, and receive output data. Fortezza products that are suitable for use as cryptologic library 112 and Fortezza security server 114 are commercially available from Secure Computing Inc., Litronic Inc., and Rainbow Technologies Inc.
The user 106 associated with client 102 causes the
Alonso Oscar S.
Calabrese John S.
Morris Herbert C.
Victa Rodelito L.
Hickman Palermo Truong & Becker LLP
Peeso Thomas R.