US005944824A

United States Patent                      (11) Patent Number: 5,944,824
He                                        (45) Date of Patent: Aug. 31, 1999

(54) SYSTEM AND METHOD FOR SINGLE SIGN-ON TO A PLURALITY OF NETWORK ELEMENTS

(75) Inventor: Jingsha He, San Jose, Calif.
(73) Assignee: MCI Communications Corporation, Washington, D.C.

(21) Appl. No.: 08/848,327
(22) Filed: Apr. 30, 1997
(51) Int. Cl. G06F 13/00
(52) U.S. Cl. 713/201
(58) Field of Search: 395/188.01, 187.01, 395/186, 200.59, 726; 364/222.5, 286.4, 286.5; 380/4, 23, 30; 711/163, 164; 713/200, 201, 202

(56) References Cited

U.S. PATENT DOCUMENTS

5,305,456   4/1994   Boitana ............................ 395/700
5,586,260  12/1996   Hu ................................. 395/2002
5,606,668   2/1997   Shwed .............................. 395/200.11
5,684,950  11/1997   Dare et al. ........................ 395/187.01
5,721,780   2/1998   Ensor et al. ....................... 380/25
5,768,503   6/1998   Olkin .............................. 395/187.01
5,768,504   6/1998   Kells et al. ....................... 395/187.01
5,815,665   9/1998   Teper et al. ....................... 395/200.59
5,862,323   1/1999   Blakley, III et al. ................ 395/188.01

OTHER PUBLICATIONS

Bryant, "Designing an Authentication System: a Dialog in Four Scenes", pp. 1-18, http://web.mit.edu/kerberos/www/dialogue.html, Dec. 1988.
Neuman et al., "Kerberos: An Authentication Service for Computer Networks", pp. 1-11, USC/ISI Tech. Report #ISI/RS-94-399, http://nii.isi.edu/publications/kerberos-neuman-tso.html, and/or IEEE Communications Magazine, Vol. 32, No. 9, pp. 33-38, Sep. 1994.
Orfali et al., "Essential Client/Server Survival Guide", pp. 105-128 and 147-160, Van Nostrand Reinhold Publishing Company, Dec. 1994.

Primary Examiner: Robert W. Beausoliel, Jr.
Assistant Examiner: Stephen C. Elmore

(57) ABSTRACT

A secured network permits a single sign-on ("SSO") of users to a plurality of network elements. Data structures, procedures and system components that support the SSO functionality in a distributed networked environment are included in the secured network. The SSO functionality can be implemented and integrated into an existing network platform or used as the backbone protocol for new network installations. DCE-based features as well as ERA and EAC can be utilized as the foundation for the implementation. The SSO functionality may be implemented and integrated without requiring significant low-level development or major modifications in a network.

9 Claims, 12 Drawing Sheets

[Cover-page drawing (FIG. 5, single sign-on process flow). Labelled steps: User Authenticates; User Identifiers and Passwords Stored; Transmit Along With Ticket; User Receives and Processes Ticket; STS Verifies User Request; Return Control to STS; Update Password; Protect Ticket; Simulate User Log-on; Perform Special Log-on; STS Retrieves User ID and Password; SSO Requested?; Special Log-on Not Performed.]

Panasonic-1016
Page 1 of 22

U.S. Patent    Aug. 31, 1999    Sheet 1 of 12    5,944,824

[FIG. 1: high-level block diagram of the secured network. Labelled elements: NSA 17; security mechanisms 32; security database 13; Security Server (SS) 15; Secure Terminal Server (STS) 24; NE interface 22 (RS232); Network Element (NE) 20; network 10; LAN User 12 at node 14; LAN/WAN 26; Dial-up User; Dial-up Gateway 28.]

[Sheet 2 of 12, FIG. 2: security mechanisms of the Security Server (SS): Authentication; Authorization; Data Encryption; Data Integrity; User Privilege Control; User Access Auditing; Administration and Management.]

[Sheet 3 of 12, FIG. 3: interconnections between nodes: LAN; user 12; Security Server (SS) 15; NE connections marked "Logical or Physical".]

[Sheet 4 of 12, FIG. 4: specific requirements for the SSO solution: SSO Capability Control 70 (Scenario 1 72, Scenario 2 74, Scenario 3 76); NE Password Protection 78; NE Password Control; NE Password Initialization; NE Password Generation (Random); NE Password Modification; NE Password Recovery (Manual 98, Automatic 96); NE Super User Classification 100; Security Server (SS) 15; NEs 20.]

[Sheet 5 of 12, FIG. 5: single sign-on process flow, steps 104-128: User Authenticates; User Identifiers and Passwords Stored; Transmit Along With Ticket; User Receives and Processes Ticket; STS Verifies User Request; Return Control to STS; Update Password; Simulate User Log-on; Perform Special Log-on; STS Retrieves User ID and Password; SSO Requested? (Yes/No); Special Log-on Not Performed.]

[Sheet 6 of 12, FIG. 9: NE Password Protection 200 at the Security Server (SS): Password Encryption 202; Password Randomization 204.]

[Sheet 7 of 12, FIG. 7: security database requirements: Security Server (SS) 15; security database 13; STS 24; NE 20; user 12; Ticket 144; Password Generator 146; Super User Identifier Database 148; Database Account Indication Digit.]

[Sheet 8 of 12, FIG. 8: enabling the SSO capability, steps 149-168: SSO Enable Option; Option Selected? (Yes/No); SSO Digit Set; Post Result; Log-on Identifier Generated; Invoke Password Initialization; Present Password Generated; Check Password; Check Password Generated.]

[Sheet 9 of 12, FIG. 10: NE password initialization, steps 250-270: Create User Log-on Identifier; Present Password Generated; New Password Generated; NE Record Fetched; Retrieve NE Super-User Log-on Identifier; Post Result; NE User Log-in Data Written; Data Saved; Super-User Present Password; Send Message; STS Invokes Local Procedure.]

[Sheet 10 of 12, FIG. 11: NE password modification, steps 280-294: User Authenticates; User Follows Specific NE Procedures; Error Message; SS Blocks Modification Attempt; User Account Record Retrieved; Invoke NE Password Recovery Procedure; Regenerate Passwords.]

[Sheet 11 of 12, FIG. 12: gaining access to an authorized NE, steps 310-338: Create User Accounts and NE Passwords; Secure? (Yes: Skip Distribution; No: NE Passwords Distributed); List of NEs Returned; Log-on Verified; Ticket Verified; STS Deencrypts Ticket; User Selects from List; Ticket Forwarded; User Sends; Ticket Returned.]

[Sheet 12 of 12, FIG. 13: access by a user without the SSO capability, steps 340-366: User w/o SSO Attempts Access; User Authenticated; List of NEs Returned; User Selects; User Sends Access Request; Ticket Forwarded; Ticket Verified; STS Deencrypts Ticket; Ticket Returned; NSA Performs; Password Recovery; Perform Present Routine; Manual Log-on.]

SYSTEM AND METHOD FOR SINGLE SIGN-ON TO A PLURALITY OF NETWORK ELEMENTS

TECHNICAL FIELD

The present invention relates to an improved data networking system and, more specifically, to an architecture and method that allows network users to achieve a single sign-on to a plurality of network elements.

BACKGROUND OF THE INVENTION

Data integrity and security are important aspects of computerized networks. This is especially true in computing environments where users and resources are distributed over two or more physical locations. In such distributed networked environments, a premium is placed on the security mechanisms which dictate how users access attached network resources.

Various network security mechanisms have been developed which greatly enhance the overall security of Network Elements ("NEs") for users at all levels across the network. The NEs can be switches, signal transfer points ("STPs"), mainframes, databases, or other similar resources and may be situated at great distances from the users. Typically, a user accesses the NEs through either a local area or wide area network. In some configurations, dial-up connections are also employed. In either case, the user must go through a series of authentication and authorization steps in order to gain access to a requested NE.

Local authentication mechanisms in the NEs may become unnecessary because of the availability of more sophisticated network authentication protocols for access control. In addition, NE local authentication mechanisms may prove to be a burden for ordinary users as the number of NEs that are connected increases and the management of the different passwords on the different NEs becomes more difficult.

To overcome this difficulty, a user may use the same password for all NEs. When this is not possible due to different password management policies in the NEs, other methods may be employed. One common practice is to write down the passwords for easy access by the user and equally easy access by others. Ultimately, however, such methods may seriously compromise the security of the entire network.

Authentication mechanisms that are implemented in individual NEs, i.e., local authentication, have proven to be ineffective in networked environments. This is because the terminal used by a user to interact with the NEs may not be directly attached to the NEs locally. Consequently, all data communication between a user and an NE is subject to attacks on the connection between the user and the NE. Thus, user passwords for authentication purposes can be easily obtained, which breaks the security mechanisms in the NEs.

Furthermore, the local authentication mechanisms may prove to be a burden for ordinary users due to the requirement that multiple sets of user identifiers and passwords be remembered and used on different NEs respectively. This is partly because of the lack of uniform implementation of local authentication and differences in administration policies that are established in different types of NEs. Although these may be considered desirable features for security, users tend to find various ways to overcome the inconvenience. Typically, a user will use the same password for all NEs. When security policies make it difficult to do so, the management of the multiple passwords will become a nightmare for users. Posting or storing the passwords for easy access and retrieval seems to be the next natural move users normally take. The consequence is the compromise of security in the NEs.

To simply disable the local authentication mechanisms does not serve the purpose best. First, other local security mechanisms such as authorization may depend on them. Authorization mechanisms at the network server level can only perform to a limited degree at the NE level. Further access control to individual resources and information in an NE generally requires and depends on local security mechanisms in the NE. Second, the diversity of NEs in a network makes it very difficult, if not impossible, to effectively and efficiently enforce access control directly from the network server. Third, for compatibility reasons and for smooth integration of the network security in the network server with local security mechanisms, it is desirable to make use of the local security mechanisms whenever possible.

Thus, what is needed is a network-wide security system that can cope with security problems that local security mechanisms cannot effectively deal with.

SUMMARY OF THE INVENTION

The present invention is an architecture and method for a Single Sign-On ("SSO") that addresses system security and user password management concerns on a network-wide basis. The SSO of the present invention allows a user to log on only once at a user station, and a Security Server ("SS"), in turn, will automatically log the user on to all the NEs that the user is authorized to access. The invention takes advantage of the various network security provisions and integrates the local user authentication processes currently found on Network Elements ("NEs") into the global network platform.

A primary advantage of the present invention is the total integration of a plurality of network security mechanisms including NE password protection, SSO capability control, password control, initiation, modification and recovery. In one embodiment the SSO uses the Distributed Computing Environment ("DCE") standard, ensuring that the evolution of DCE-based technologies will keep the SSO at the front of the security platform.

Another advantage of the present invention is the integration of network-wide authentication with local authentication in the NEs. This allows a user to authenticate only once to the network authentication service. Local authentication into an NE is performed automatically and is transparent to the user. This is based on the notion that the network authentication is visible to the local NEs so that the local security mechanisms would trust the network authentication result and make use of it to achieve local authentication for the user. As such, a strong network authentication service is disclosed which not only provides better security both for the network and for the NEs but also makes available the necessary information and procedures to the NEs in order to simulate local authentication functions on behalf of the user.

Yet another advantage of the present invention is that user identifiers and passwords for network authentication and those for the NE local authentication do not have to be the same.

Disclosed in one embodiment is a network architecture and method that integrates an SSO-based solution into existing network log-on and access functionality. Security mechanisms provide network authentication, credentials
control and access control to NEs. The SSO provides the Network Security Administrator ("NSA") with the option to grant an individual user the SSO capability of being automatically logged on to the NEs that the user is authorized to access once network security checks are passed. A user who is not granted the SSO capability will still have to go through the two layers of authentication, namely, network authentication and NE local authentication, before the user finally gains access to the resources and information in an NE. When necessary, support for the Distributed Computing Environment ("DCE") is provided.

For a more complete understanding of the present invention, including its features and advantages, reference is now made to the following detailed description, taken in conjunction with the accompanying drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

In the drawings:

FIG. 1 is a high-level block diagram of a secured network according to one aspect of the invention;
FIG. 2 is a high-level block diagram of a network architecture illustrating the security mechanisms according to one aspect of the present invention;
FIG. 3 is a high-level block diagram illustrating the interconnections between various nodes of a secured network according to one embodiment of the invention;
FIG. 4 illustrates specific requirements for a single sign-on solution according to one embodiment of the invention;
FIG. 5 is a process flow diagram for the single sign-on method according to the preferred embodiment of the invention;
FIG. 6 illustrates the interactions between various nodes of a secured network according to one embodiment of the invention;
FIG. 7 illustrates various requirements of the security database employed by the security server according to one aspect of the invention;
FIG. 8 is a process flow diagram for enabling a single sign-on capability according to one aspect of the invention;
FIG. 9 is a process flow diagram for an NE password protection method according to one embodiment of the invention;
FIG. 10 is a process flow diagram for the NE password initialization method according to the embodiment of the invention;
FIG. 11 is a process flow diagram for the NE password modification method according to the embodiment of the invention;
FIG. 12 is a process flow diagram for gaining access to an authorized network element; and
FIG. 13 is a process flow diagram showing access by a user without the single sign-on capability.

Corresponding numerals refer to corresponding parts in the figures unless otherwise indicated.

DETAILED DESCRIPTION OF THE INVENTION

In the following detailed description a user shall mean and encompass a single user, a plurality of users or any one of a plurality of users. Likewise, a network element can be any single resource among a plurality of network elements or a group of network elements taken as a whole. Also, a node shall be understood to mean an entry point into a network and any other designated point of access, including a network device, switch or addressable network unit. Other similar connotations shall be apparent to those skilled in the art upon reference to this disclosure.

In FIG. 1, the high-level architectural scheme for a secured network according to the invention is shown and denoted generally as 5. Secured network 5 is a network security architecture that protects accesses to a plurality of Network Elements ("NEs") 20. A user 12 obtains access by sending a request to one or more of the NEs 20, which goes through the network Security Server ("SS") 15.

The Network Security Administrator ("NSA") 17 controls who is allowed to access what NEs 20 by creating a user account record and defining the access privileges for the account in a centralized security database 13. All access decisions for user requests are made based on information retrieved from the database 13.

The security server 15 performs all the network security functions for the network 10 and maintains the various security mechanisms 32 as herein described. The security server 15 provides a security platform where all user data for security are stored, updated, retrieved, processed and distributed to other nodes across the network 10. In the preferred embodiment, the security server 15 verifies the authenticity of a user 12, establishes mutual trust between a user 12 and an NE 20, and determines the set of NEs 20 that a user 12 is authorized to access. The security server 15 also acts as the key distribution center for performing encryption and decryption functions.

The NE 20 includes any types of equipment that are essential to network operations such as a switch, an STP, a mainframe computer, a database, and other similar network devices. In one embodiment, the interface 22 that connects the NEs 20 to the network 10 platform is comprised of RS232 asynchronous serial ports, although other types of interfaces may be employed.

Also shown is a secure terminal server 24 which acts as the interface between the NEs 20 and the Internet Protocol ("IP") network 10. In the preferred embodiment, each secure terminal server 24 is co-located with the NEs 20 it serves and may serve more than one NE 20 at the same location. The secure terminal server 24 can be considered a gateway or bridging device to connect the NEs 20 to the IP network 10.

The user nodes 14 are where user access requests to NEs 20 originate. A node 14 typically consists of a personal computer, a mini-computer, a mainframe, or other similar apparatus. The user 12 may be connected locally via a LAN 26 to a secure terminal server 24 or remotely via the LAN/WAN or dial-up 28 configuration. However, it should be understood that the way in which a user 12 is connected to the network 10 makes no difference as far as network security is concerned. This ensures that all access paths are subject to the same level of security checks and, therefore, are equally protected.

The dial-up gateway 28 provides the connection to a user 12 who accesses the network 10 through dialing into a Public Switched Telephone Network (PSTN) 30. This broadens the ways in which users 12 can gain access to an NE 20. To the network security platform, however, it makes no difference whether a user 12 is connected via the dial-up mechanism 28 or a LAN/WAN connection 26 once the connection is established.

Turning to FIG. 2, the security mechanisms 32 that run on the security server 15 are illustrated in more detail. As shown, a plurality of security mechanisms 32 for the network 10 are provided and include application modules for
authentication 50, authorization 52, data encryption 54, data integrity 56, user privilege control 58, user access auditing 60 and central system administration and user management 62. Various applications can be developed based on the core network security functions of the security mechanisms 32.

For the network authentication module 50, a request is sent to the user 12 station requesting a user identifier and a password. The user information will be checked against the information in the user profile of the central security database 13 at the security server 15. The network 10 establishes mutual trust between an authenticated user 12 and a specific NE 20 the user 12 requests to access. Therefore, network authentication 50 also assures the user 12 that the correct NE 20 is accessed.

For the authorization module 52, the network 10 determines the set of NEs 20 an authenticated user 12 can access. The access list is established based on the privilege of the user 12 and is provided to the user 12 once the authentication check is passed. The user 12 can simply choose from the list the desired NE 20 and is not even aware of the existence of the NEs 20 that the user 12 is not authorized to access. Thus, the level of access authorization in the network 10 applies to an NE 20 at the local NE 20 level. Further access control to individual resources and information in an NE 20 is enforced by the local access mechanisms available in the NE 20.

For the data encryption module 54, the network 10 not only ensures that user passwords are properly protected, but also provides the mechanism for encrypting regular traffic data between a user 12 and an NE 20 after a connection is successfully established. Thus, network 10 can be used to transmit sensitive information and as the foundation for the implementation of virtual networks.

In one embodiment, the network also supports a data integrity module 56 that is used to guard against accidental or malicious modification or destruction of data. The integrity module 56 of the security mechanisms 32 ensures that all data received from an NE 20 is accurate and those applied into an NE 20 are correct.

For the user privilege control module 58, a user privilege determines the set of NEs 20 a user 12 can access. Therefore, user privilege control 58 must reflect the policy of "need-to-know" that can be established based on the responsibility of the position of the user 12 inside a company. Changes of user privilege can be easily made to reflect the present responsibility of the user 12, which in turn determines the access rights of the user 12 to the NEs 20.

For the user access auditing module 60, the network 10 logs all user access attempts, be they successful or not, to create an audit trail. In one embodiment, the information in the audit trail includes the user identifier, point of access, time of attempt and the success or failure of the attempt. The audit trail can be used by a network security administrator 17 for further investigation or for prosecution purposes. In addition, upon consecutive failed authentication attempts by a user 12, the user account can be disabled and the network security administrator 17 notified automatically.

For the central system administration and user management module 62, the network 10 allows system administration and user management to be performed in a centralized manner, meaning that a network security administrator 17 can perform all the security administration functions from the same terminal. This capability not only reduces the cost of system administration, but also ensures the consistency, correctness and effectiveness of appropriate security policies across the entire network platform.

In one embodiment, the authentication mechanism 50 in the IP network 10 uses the Distributed Computing Environment ("DCE") key distribution service based on the KERBEROS(TM) authentication algorithm distributed by the Massachusetts Institute of Technology in Cambridge, Mass. All user authentication 50 is handled by the security server 15, which also establishes mutual authentication between a user 12 and a requested NE 20. Another property of the KERBEROS(TM) authentication algorithm is that user passwords are never transmitted in the network 10, whether clear or encrypted, which eliminates the threat of the open network to user passwords.

In still another embodiment, the authorization mechanism 52 in network 10 uses the DCE Cell Directory Service ("CDS") and the Access Control List ("ACL") mechanism applied to the CDS entries. This is accomplished by attaching an ACL to every NE list entry to control which of the users 12 or which groups of users are allowed to access a particular NE 20. By employing a structured naming scheme for NEs 20 and by using the group as the primary entity for access control, ACLs are sparsely populated in the CDS tree and can be mostly attached to a common root of a subtree.

In yet another embodiment, the encryption algorithm module 54 in network 10 uses the Data Encryption Standard ("DES") algorithm offered in DCE that takes a 56-bit secret key for the encryption and decryption of desired data. The use of temporary or session keys, which are DES keys, can limit the effective period of time of the keys and make brute-force attacks more difficult and less attractive to carry out.

Turning now to FIG. 3, the interconnections between the various types of nodes in the network 10 are illustrated. The role of the user node 14 is to interface users 12 to the network 10 and to the NEs 20 that each particular user 12 needs and is allowed to access. The role of the security server 15 is to provide a secure network environment for a user 12 to connect to and access the NEs 20. The role of the secure terminal server 24 is to interface a number of NEs 20 to the network 10 for remote user access. The NE 20 is the ultimate destination that users 12 try to connect to and access information and other resources.

The connections between a secure terminal server 24 and the NEs 20 can be logical or physical depending on the capability of the NEs 20 to interface to the network 10 directly and to support the security policies implemented and enforced by the security server 15. In this regard, an RS232 connection 34 may be used to bring an NE 20 to the network 10 for user access. As the NE 20 connection 34 interface improves and the necessary security capabilities are supported, the hardware box that performs the functions of the secure terminal server 24 is no longer needed. Then, the connection between a secure terminal server 24 and an NE 20 can be considered a logical connection. Thus, in one embodiment the secure terminal server 24 and the NE 20 are merged into a single piece of hardware. All the interface requirements and security support will still have to be present.

It should be understood that due to various limitations of networking and security technologies, the network security that is imposed by the security server 15 will only cover the interconnections that involve the user nodes 14, the security server 15 and the secure terminal server 24. No data flow between the secure terminal server 24 and the NEs 20 is protected, including user identifiers and passwords that are required by the NEs 20 to authenticate a user 12 before access to its information and resources can be granted. It should be understood that the SSO solution of the present invention simulates this local log-on process.

In short, the fundamental requirement for any SSO solution is that it be consistent with the overall security policies that are used for the development of the network security in the security server 15. When it is not possible to implement the same security mechanisms 32, an alternate method should be identified and shown to meet the requirement. Such a security mechanism 32 may be implemented in a plurality of ways, including by software or hardwired means maintained on the security server 15. Other means will be apparent to those skilled in the art.

In FIG. 4, the specific requirements for the security mechanisms 32 are illustrated according to one embodiment of the invention. As shown, with the SSO capability control 70, the SSO solution gives the control 70 to the network security administrator 17. The control 70 can be requested by the administrative authority 17 for the network 10 and allows the network security administrator 17 to enable or to disable the SSO capability for individual users 12.

The control 70 can be applied to the NEs 20 that a user 12 is authorized by the network security administrator 17 to access. In other embodiments, the control 70 can also be applied to a selected list of such NEs 20. This control 70 gives the network security administrator 17 the capability to discriminate between user groups, so that the more trusted groups, e.g., internal security groups and network support groups, can be granted the SSO feature. Casual users, e.g., vendors and other special users, are still required to exercise local log-on to some NEs 20 even though network authentication and access control in the network have cleared them for access to those NEs 20.

According to another embodiment of the invention, the control mechanisms 70 are written to allow three distinct scenarios. In a first scenario 72, a specific user 12 is granted the SSO capability to all the NEs 20 that are authorized by the network 10 for the user 12 to access. In a second scenario 74, a user 12 is denied the SSO capability to all the NEs 20 that are authorized by the network 10 for the user 12 to access. In a third scenario 76, a user 12 is granted the SSO capability only to a subset of the NEs 20 that are authorized by the network 10 for the user 12 to access.
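The ACL-on-naming-tree authorization described for module 52 and the three SSO capability control scenarios 72, 74 and 76 above can be modelled together: the ACL found by walking up the structured naming tree yields the user's access list, and the scenario then decides, per listed NE, whether the STS simulates the local log-on or the user must log on locally. The following Python program is an added example, not code from the patent; the path naming, group names, class and function names and the 'sso'/'local' labels are assumptions for illustration.

```python
"""Added illustration of NE authorization via sparsely attached ACLs on a
structured naming tree (authorization module 52) combined with the SSO
capability control scenarios 72/74/76. Not the patent's own code; all names
and sample values are constructed for this example."""
from dataclasses import dataclass
from enum import Enum


class SsoScenario(Enum):
    GRANT_ALL = 72   # SSO to every NE the user is authorized to access
    DENY_ALL = 74    # no SSO; local log-on required on every authorized NE
    SUBSET = 76      # SSO only to a selected subset of the authorized NEs


@dataclass(frozen=True)
class UserAccount:
    user_id: str
    groups: frozenset          # group is the primary entity for access control
    scenario: SsoScenario
    sso_subset: frozenset = frozenset()   # only consulted for SUBSET


class NeDirectory:
    """Structured naming tree of NE entries, e.g. '/ne/switches/east/sw01'.
    ACLs are attached sparsely: an entry without its own ACL inherits the
    ACL of the nearest ancestor that has one (commonly a subtree root)."""

    def __init__(self):
        self.entries = set()
        self.acls = {}     # path -> frozenset of groups allowed access

    def add_ne(self, path):
        self.entries.add(path)

    def attach_acl(self, path, groups):
        self.acls[path] = frozenset(groups)

    def effective_acl(self, path):
        node = path
        while True:
            if node in self.acls:
                return self.acls[node]
            if node == "/":
                return frozenset()        # no ACL on the whole branch: deny
            node = node.rsplit("/", 1)[0] or "/"

    def authorized_nes(self, user):
        """The access list handed to the user after authentication; NEs the
        user may not access are not listed at all."""
        return sorted(p for p in self.entries
                      if self.effective_acl(p) & user.groups)


def access_plan(directory, user):
    """Map each authorized NE to 'sso' (STS simulates the local log-on) or
    'local' (user must perform the NE's own log-on), per SSO control 70."""
    plan = {}
    for ne in directory.authorized_nes(user):
        if user.scenario is SsoScenario.GRANT_ALL:
            plan[ne] = "sso"
        elif user.scenario is SsoScenario.DENY_ALL:
            plan[ne] = "local"
        else:  # SUBSET: only NEs on the administrator's selected list
            plan[ne] = "sso" if ne in user.sso_subset else "local"
    return plan


def build_sample_directory():
    """Constructed sample CDS-like tree with three sparsely attached ACLs."""
    d = NeDirectory()
    for path in ("/ne/switches/east/sw01", "/ne/switches/east/sw02",
                 "/ne/stp/stp01", "/ne/mainframes/mf01"):
        d.add_ne(path)
    d.attach_acl("/ne/switches", {"netops", "security"})   # subtree root
    d.attach_acl("/ne/stp", {"security"})
    d.attach_acl("/ne/mainframes/mf01", {"vendor-x", "security"})
    return d


if __name__ == "__main__":
    d = build_sample_directory()
    ops = UserAccount("alice", frozenset({"netops"}), SsoScenario.GRANT_ALL)
    vendor = UserAccount("bob", frozenset({"vendor-x"}), SsoScenario.DENY_ALL)
    sec = UserAccount("carol", frozenset({"security"}), SsoScenario.SUBSET,
                      frozenset({"/ne/stp/stp01"}))
    for u in (ops, vendor, sec):
        print(u.user_id, access_plan(d, u))
```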
NE password protection 78 is able to counter eavesdropping threats over the RS232 connection between a secure terminal server 24 and an NE 20. Since all data flow over the RS232 connection is in a clear format, the connection becomes a weak point for attacking the entire system security. This is because the capture of the user identifier and password over the connection would allow the attacker to bypass the network security 32 and directly log on to the NE 20 with the user identifier and password, which would render the entire network security useless. As such, the present invention includes security mechanisms 32 in the form of NE password protection 78 that guard against such attacks so as not to pose a threat to the overall network security.

Also shown is NE password control 80, wherein passwords can be set and reset by the network security administrator 17. The selection of a user password may be randomly determined and must meet the composition requirement set up by the administrator 17. This capability allows the network securi