Electrical computers and digital processing systems: multicomput – Computer network managing – Computer network access regulating
Reexamination Certificate
2000-02-01
2003-12-09
Etienne, Ario (Department: 2757)
C709S229000, C709S227000, C713S152000
active
06662228
ABSTRACT:
The invention pertains to the field of authenticating and authorizing users accessing a computer system or network of computer systems. In particular, the invention pertains to authenticating and authorizing users by an authentication server referenced by the computer system or network of computer systems with encrypted communications over an insecure channel.
BACKGROUND OF THE INVENTION
The Internet offers tremendous convenience to those who wish to connect computers at widely distributed locations. Full-time and dialup Internet connections are available from service providers in almost all cities of the world for reasonable prices. It is known that a computer or network of computers that is connected to the Internet in a first city can readily communicate with a computer or network of computers in a second city. Maintaining a connection from a computer or network of computers in one city, through the Internet, to a computer or network of computers in a second city is often cheaper than connecting them with leased data lines, and is often less expensive than connecting them through modems over dialup telephone lines.
Unencrypted communications over the Internet are not regarded as secure. Internet packets may be routed through facilities including servers, routers, and lines belonging to many different entities. Some entities operating Internet facilities do not have strong security policies. Other entities may be hostile to a given company. Packets transmitted over the Internet are usually routed according to the availability of facilities at the time they are transmitted, making it difficult to ensure that they travel only on secure facilities. It is known that data may be transmitted onto the Internet with fake identification, so connection of a computer to the Internet makes “spoofing” possible if a user identification and password are known or intercepted. The Internet therefore is usually regarded as an insecure channel.
Other insecure communications channels also exist. Virtually any unencrypted or weakly encrypted radio transmission, including transmissions by wireless modems, analog and digital cellular phones, and satellites, is subject to interception and thus forms an insecure communications channel. Data superimposed on power distribution wiring within a home or business forms an insecure channel because these signals can often be intercepted outside the home or business. Even infrared communications are insecure if they are subject to interception through windows. Dialup and leased telecommunications lines may be subject to wiretapping without due process in some countries, and may therefore be an insecure channel. In some areas, fence wire, including barbed wire, has been used for telecommunications; this wire is readily accessible and forms an insecure channel. Because these insecure channels offer mobility, ready and cheap access, and convenience, there is much temptation to incorporate them into computer networks.
If it is intended that data, including authentication and authorization data, be transmitted between machines securely, without possibility of interception or spoofing, any channel of which any portion is even possibly insecure should be treated as an insecure channel. An insecure channel may therefore be built from one or a combination of almost any data communications technologies, including Wireless, 10-BaseT, 100-BaseT, CI, Ethernet, Fiberchannel, Token-Ring, T-1, T-3, Microwave, Satellite, DSL, ISDN, Infrared, modems over analog or digital telephone lines whether leased or switched, and others.
Encryption has long been used to provide some security to communications over insecure channels. Encryption machines are known to have been widely used for military communications since the 1930's. It is also known that cryptanalysis of machine-encrypted communications had interesting effects on the Second World War and the early development of computing equipment.
Many computer systems offer a hierarchy of access rights. For example, in the Unix operating system there is a “superuser” or “root” account that has unlimited access—including the rights to create accounts and to set account privileges; this is also true of related operating systems including the Solaris (a trademark or registered trademark of Sun Microsystems, Inc. in the U.S. and other countries) and the Linux operating system. In the Unix operating system there may also be user accounts that can access most system resources, and there may be public accounts restricted to only a few limited resources, like FTP or HTML accounts restricted to reading only files in particular directories.
Authentication is verifying that a person or machine attempting to access a computer system or network is the person or machine it purports to be. Authorization is looking up the access rights owned by an authenticated person or machine and applying those access rights to permit that person or machine to access the appropriate system resources. Areas or routines of a server or network that require access rights beyond those granted to all users, including account creation, modification, and deletion routines, may be referred to as privileged areas of the system.
While many computer systems maintain a database of user identification, access rights, and passwords on each system for authentication and authorization, this is inconvenient on networked computer systems, especially on large networks. Many local area computer networks based on the Unix operating system use a network-accessible authentication server to maintain a network-wide database of user identification, access rights, and passwords. The “yellow pages” service common on the Unix operating system, and the Novell NetWare software used with many personal computer networks, both use authentication servers to authenticate users and authorize access to resources on a network. These systems, however, often transmit some user identification and authorization information over the network in unencrypted form, thereby inviting attack if this information is transmitted over an insecure channel.
Passwords transmitted over an insecure channel are subject to interception. A prior-art method of authenticating users needing access to a network, especially superusers, is the use of a challenge-response device. With these devices, such as the Safeword product of Secure Computing Co., a challenge code is transmitted to the user by an authentication server when authentication is desired. The challenge code is processed by the challenge-response device to generate a response according to an algorithm and key known to both the challenge-response device and the authentication server. Authentication fails if the response received by the system does not match the expected response generated by the authentication server using the same algorithm and key.
Typical challenge-response devices resemble a small calculator, having a keyboard for entry of the challenge, and a display for providing a response for entry to a computer or workstation by their possessor.
Dongles are common hardware devices that attach to computer systems, often being attached to a printer or other I/O port, including a PCMCIA port, of the system. Dongles usually operate by generating a desired response to the computer system when stimulated with a challenge provided from the computer system. They are most often used as a license enforcement device for software, and are typically small and portable such that they may be readily transported by a user or administrator.
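As an added illustration (not part of the patent text or any product it names), the challenge-response exchange of the preceding paragraphs in Python: HMAC-SHA256 stands in for the unspecified device algorithm, the shared key is a constructed value, and the demo also shows why a response captured from an insecure channel cannot be replayed against a later challenge.

```python
import hmac
import hashlib
import secrets


def compute_response(key, challenge):
    """Device (token or dongle) side: derive the response from the challenge
    using the secret shared with the authentication server. HMAC-SHA256 is an
    assumed stand-in for the device's own algorithm."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


class AuthServer:
    """Server side: holds each user's shared key and one outstanding
    challenge per user. Neither the key nor a password ever crosses the
    channel; only the challenge and the response do."""

    def __init__(self, keys):
        self._keys = dict(keys)      # user -> shared secret (bytes)
        self._pending = {}           # user -> challenge awaiting a response

    def issue_challenge(self, user):
        # A fresh random challenge; any earlier one for this user is replaced.
        challenge = secrets.token_bytes(16)
        self._pending[user] = challenge
        return challenge

    def verify(self, user, response):
        # The challenge is consumed whether or not the response matches,
        # so a given response is only ever useful once.
        challenge = self._pending.pop(user, None)
        key = self._keys.get(user)
        if challenge is None or key is None:
            return False
        expected = compute_response(key, challenge)
        return hmac.compare_digest(expected, response)   # constant-time compare


def demo():
    key = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed key
    server = AuthServer({"admin": key})
    c1 = server.issue_challenge("admin")
    r1 = compute_response(key, c1)
    fresh_ok = server.verify("admin", r1)                 # legitimate login
    server.issue_challenge("admin")
    replay_ok = server.verify("admin", r1)                # eavesdropper replays r1
    c3 = server.issue_challenge("admin")
    wrong_key_ok = server.verify("admin", compute_response(b"guess", c3))
    return fresh_ok, replay_ok, wrong_key_ok
```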
There is need for many computer networks to be remotely administered—especially those in smaller companies and branch offices, where it is uneconomical to hire scarce, expensive, trained network administrators full-time. It is known that administration of these networks may be performed by administrators at a main office or by a network administration contractor. Network and system administration typically requires superuser or system administrator privileges on the remotely administered networ
Etienne Ario
Hogan & Hartson LLP
Kubida William J.
Meza Peter J.
Salad Abdullahi E.
Patent title: Internet server authentication client