Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Protection at a particular protocol layer
Reexamination Certificate
1999-10-05
2002-08-27
Hayes, Gail (Department: 2131)
Electrical computers and digital processing systems: support
Multiple computer communication using cryptography
Protection at a particular protocol layer
C713S176000
Reexamination Certificate
active
06442696
ABSTRACT:
BACKGROUND OF THE INVENTION
1. Technical Field
The present invention relates generally to the field of providing security for a location in a network and more particularly to an extensible positive client identification system and method.
2. Background
The Worldwide Web (web), web browser, and email technologies have transformed the Internet public telecommunications network into a tool for everyday use. While businesses have used a variety of computer and private network technologies for several decades, often creating valuable databases and internal files in the process, web technologies have now made it possible for businesses to use such corporate data on the Internet for competitive advantage. Commercial transactions that used to be done through face to face meetings and negotiations, for example, can now be done electronically via the Internet—at least in theory. In practice, the more significant the transactions are, and the more sensitive the data involved, the more likely it is that security on the Internet (or any network) becomes a problem.
Ideally, electronic security addresses three requirements:
1. Confidentiality—the prevention of the unauthorized disclosure of information;
2. Integrity—the prevention of the unauthorized modification of information; and
3. Availability—the prevention of the unauthorized withholding of information.
In practice, current methods tend to fall short of the degree of certainty or comfort needed in one or more of these areas for many commercial or higher risk transactions.
Confidentiality, for example, begins by identifying the requestor of confidential information. This, in turn, means not only identifying a valid requester, but also detecting when an imposter or thief is impersonating a valid requestor to gain access to confidential information. In many cases it is also true that a valid requestor may only be authorized to have access to a particular level of information. An employee database, for example, which contains salary information may have several different levels of access. An individual employee may only be authorized to access his or her salary information, while the head of the personnel department may have access to all salary data. Non-employees may be denied access to any employee data—hence the importance of identification.
Data integrity is required to safeguard the data being requested. Computer hackers (those who seek to break through security safeguards either for amusement or theft), may try to corrupt data at the host computer by seeding computer viruses (programs that destroy files and data at the host site), corrupting data, replacing data with false information or by depositing “trojans”—software that appears to be useful but in fact does harm. Hackers can also try to intercept and corrupt data as it is being transmitted to a remote site. After transmission, a hacker may try to corrupt the data stored at the remote site.
Availability means simply that information should not be withheld improperly when it is requested. Many factors can affect availability over a network, such as hardware malfunction, software malfunction, data corruption, or the failure or slowing down of communications links.
While there are some existing measures and tools designed to address computer and network security, many of these have significant weaknesses. For example, one of the most popular methods of user identification for computers and networks is the use of a logon name and password. As seen in
FIG. 2
(Prior Art), a computer user at a personal computer terminal
00
may want to connect over private network lines
10
, to communicate with another user at terminal
02
within the private network. Computer software allows the user at terminal
00
to log onto the computer by using a dialogue screen that requests his or her user name and password. For a hacker to “crack” or break this kind of system thus requires knowledge of a valid user name and password combination.
The logon name and password approach has a number of weaknesses. First, logon names are usually very easy to discover. Many organizations select a standard format for them based on the user's real identity. Fred Smith, for example, may be given a logon name of“fsmith” or“freds”. A hacker familiar with a user's real name may find it easy to deduce this kind of logon name. Many computer systems that require logon names also have default settings that are used when the system is first configured. Many users simply keep these default account names. Thus, a hacker familiar with the NT™ operating system provided by Microsoft, Inc. of Redmund Washington, might try the ‘Administrator’ account. Default account names and passwords greatly reduce the amount of work required for the hacker to gain illicit entry to a system. Hackers may use software attacks to obtain passwords by copying password files.
Users often reveal their passwords accidentally by writing them down or by being observed during password entry. Some may deliberately disclose their passwords to a colleague so he or she can carry out a task on the user's behalf. Others will use the names of pets, family members, birthdays, etc., in order to make them memorable.
Unfortunately, this also makes them easier for others to guess. Most computer systems allow an administrator to define the type of passwords to be used. However, the more complex the requirements are, the more likely the user is to write it down and display it conspicuously near the terminal, simply because the user cannot remember it.
Many organizations have relied on the logon name and password approach for their internal networks, because for most of these organizations, most potential hackers are internal employees who are not likely to do significant damage to the corporation. However, as these organizations allow access from outside the company, using the Internet
25
of
FIG. 2
(Prior Art)—or other networks—sole reliance on logon names and passwords can ultimately lead to a total breach of security and all its consequences.
Some corporations have also used hardware keys (also known as“dongles”) connected to each computer terminal to identify users and prevent unauthorized access. While this is an improvement over the simple logon name and password approach, these can usually be circumvented fairly easily by a hacker who examines what the hardware key does and emulates it in software.
Digital Identifiers (Digital IDs), Digital Certificates and Trusted Third Party Certificate Authorities (TTPCA) are more sophisticated methods used in the industry to enhance identification and security over the Internet. There are various industry standards associated with this technology, the most notable at this time being ANSI standard X.509 version 3. For the purposes of this discussion, the terms Digital IDs and Digital Certificate are used interchangeably. A Digital Certificate is a series of characters containing an identifier and usually other verification information. The certificate or id may be stored in a computer file—as seen in
FIG. 2
(Prior Art), at disk
03
connected with a computer terminal
02
, or on some other memory device such as a smart card. When the id is read by the appropriate software it is possible to use that id for identification purposes. Usually these ids are constructed in such a way that if they are tampered with and any of the characters are changed the reading software will confirm this and inform the requesting software. Thus, the techniques currently in use are sophisticated enough to insure that a certificate is complete and unaltered. Thus, they also provide an excellent basis for encryption of information.
However, digital certificates can be copied from a computer terminal
02
such as the one shown in
FIG. 2
(Prior Art), and used to impersonate the user. They can also be stolen remotely while the user is using the Internet. For example, a hacker at terminal
13
can use the Internet
25
and communications networks
30
and
10
to find and copy a certificate stored on a disk at personal computer t
Blanchfield David John
Wray David Robert
Authoriszor, Inc.
Hayes Gail
Reyak Christopher A.
LandOfFree
System and method for extensible positive client identification does not yet have a rating. At this time, there are no reviews or comments for this patent.
If you have personal experience with System and method for extensible positive client identification, we encourage you to share that experience with our LandOfFree.com community. Your opinion is very important and System and method for extensible positive client identification will most certainly appreciate the feedback.
Profile ID: LFUS-PAI-O-2924901