Generally, the present invention relates to computing environments involving authentication frameworks. Particularly, although not exclusively, it relates to authentication frameworks in a wireless environment, especially those contemplative of the extensible authentication protocol (EAP) authentication framework. Features of the invention include tunneling a proprietary authentication framework over a more widely accepted framework, e.g., EAP, to wirelessly enable pluralities of strong authentication protocols that are not otherwise wirelessly enabled absent an EAP tunnel. Other features contemplate computer program products, computing network systems, authentication protocols, and retrofit technology, to name a few.
Many authentication systems, such as Novell, Inc.'s Modular Authentication Service (NMAS), provide varying levels of strong authentication. NMAS, for instance, can authenticate users using biometrics (e.g., fingerprint, retina scan, etc.), tokens (one-time passwords, smart cards), and passwords. Security sensitive applications or resources, such as corporate financial information, personal and personnel information, military secrets, nuclear technology, banking activity, securities trading, health/patient records, etc., use these authentication services to prevent unauthorized users from gaining access. During use, third parties “plug” NMAS into their computing environment and write a Login Client Method (LCM), for a client workstation, and a Login Server Method (LSM), for a server. The LCM is methodology largely responsible for collecting authentication credentials from users at their workstation, e.g., receiving one-time passwords, receiving fingerprint data from a scanner, etc., while the LSM is methodology largely responsible for authenticating or verifying the credentials.
The LCM and LSM communicate using proprietary NMAS API calls. These API calls take data provided by the caller, package it into MAF API packets, and send it over a network between the client workstation and server. The format of the data is not specified by NMAS, but is left to the discretion of the LCM/LSM developer. Login secrets (e.g., how one-time passwords are calculated, scanned fingerprint data for users, etc.) are stored for the server with the assistance of a computing product, such as Novell's eDirectory or Microsoft's Active Directory, and may be accessed from the LSM using NMAS API calls for storing and retrieving secrets.
However, it presently exists that NMAS and various other frameworks do not contemplate wireless computing scenarios, especially those involving the Extensible Authentication Protocol (EAP) that is regularly found in wireless networks and point-to-point connections. Defined by RFC 3748, EAP defines message formats and common functions for authenticators (e.g., authenticating server, including or not an EAP server) and peers (also known as supplicants in IEEE 802.1x) to negotiate a desired authentication method.
In that NMAS has existed longer than EAP, and there are several Novell partners who have developed login/authentication methods for NMAS (using proprietary NMAS API calls), the methods cannot be made to run directly in another framework, such as EAP, without modification or reimplementing NMAS protocol over EAP. Appreciating these types of updates are costly for NMAS partners, many are slow or altogether resistant to update their methods.
Accordingly, there exists a need in the art of strong authentication to allow users to login or be authenticated in a wireless computing environment without requiring costly updates to existing authentication methods within the framework. To the extent such can be made to occur, multiple authentication methods will then be made wirelessly-enabled whereas they are not otherwise wirelessly enabled. In that many computing configurations already have strong authentication services, it is further desirable to leverage existing configurations, thereby avoiding the costs of providing wholly new products. Taking advantage of existing frameworks, such as NMAS, LDAP/SASL, OpenLDAP/SLAPD, IPSEC, etc. or any authentication framework is another feature that optimizes existing resources.
Also, EAP has long prevented conversation between the authenticator and peer about multiple authentication methods due to their vulnerability from man-in-the-middle attacks. To combat this, LAP has supported tunneling, but only for a single EAP authentication method inside the tunnel. Never has there been executions of LDAP/SASL, for instance, inside the tunnel. While many tunneling methods exist, each has its shortcomings. Common ones include, but are not limited to, EAP-TLS, EAP-TTLS, and PEAP. Essentially, EAP-TLS is an X.509 mutual authentication requiring certificates of the client, and is seldom deployed for this reason. While EAP-TTLS does not require client authentication, it is primarily used to provide a secure channel for password based authentication methods, not strong authentication. PEAP provides a secure channel for password based authentication methods, not strong authentication, similar to EAP-TTLS, but with security and performance improvements. Regardless of form, each of the tunneling EAP methods (with the exception of EAP-TLS) commonly provide an encrypted channel in which to execute another individual EAP method or legacy PPP (point-to-point protocol) method. Also, the tunneling EAP methods cannot be forced to execute a non-EAP/non-PPP authentication scheme, such as SASL or NMAS, inside of the tunnel.
Accordingly, there is a further need in the art of authentication frameworks to provide authentication in other than the EAP or PPP authentication schema, including wirelessly enabling a multi-factor, pluggable authentication framework like SASL or NMAS. Any improvements along such lines should further contemplate good engineering practices, such as relative inexpensiveness, stability, ease of implementation, high security, low complexity, flexibility, etc.
The foregoing and other problems become solved by applying the principles and teachings associated with the hereinafter-described proprietary protocol tunneling over EAP. At a high level, methods and apparatus teach tunneling a proprietary authentication framework over a more widely accepted framework, e.g., EAP, to wirelessly enable pluralities of strong authentication protocols that are not otherwise wirelessly enabled absent the EAP tunnel. In a representative embodiment, the invention(s) herein describe how an NMAS method for EAP can be created to allow all existing NMAS methods to work within the EAP framework without modification. As is known, NMAS provides fifty-plus existing authentication methods and the invention(s) provide advantage over the prior art since all can be wirelessly enabled without modification to the methods. It is not limited to NMAS, however, and other strong, multi-factor authentication frameworks, such as LDAP/SASL, OpenLDAP/SLAPD, IPSEC, etc., can derive advantage based on the techniques and computing arrangements herein.
During use, packets are wirelessly transmitted and received between a supplicant and authenticating server according to EAP's prescribed message format, including an intervening access point communicating with the server and wirelessly communicating with the supplicant. In a tunnel, various authentication protocols form the payload component of the EAP message format, thereby yielding execution capability of more than one protocol, instead of the typical single protocol authentication.
In a computing system embodiment, the invention may be practiced with: a client workstation; and an authenticating server arranged as part of pluralities of physical or virtual computing devices, including executable instructions for undertaking the foregoing tunneling methodology. Computer program products are also disclosed and are available as a download or on a computer readable medium. The computer program products are also available for installation on a network appliance, such as an authenticating server, on a supplicant, such as a client workstation or as retrofit technology with a strong authentication service, such as Novell, Inc.'s NMAS, or with other strong, multi-factor authentication frameworks, such as LDAP/SASL with/without PAM, OpenLDAP/SLAPD, or elsewhere. In still other embodiments, computing networks and party interaction are discussed, as are possible strong authentication schemes, e.g., smart card, one-time passwords, fingerprint, DNA, retina scan, etc.
These and other embodiments of the present invention will be set forth in the description which follows, and in part will become apparent to those of ordinary skill in the art by reference to the following description of the invention and referenced drawings or by practice of the invention. The claims, however, indicate the particularities of the invention.
The accompanying drawings incorporated in and forming a part of the specification, illustrate several aspects of the present invention, and together with the description serve to explain the principles of the invention. In the drawings:
In the following detailed description of the illustrated embodiments, reference is made to the accompanying drawings that form a part hereof, and in which is shown by way of illustration, specific embodiments in which the invention may be practiced. These embodiments are described in sufficient detail to enable those skilled in the art to practice the invention and like numerals represent like details in the various figures. Also, it is to be understood that other embodiments may be utilized and that process, mechanical, electrical, arrangement, software and/or other changes may be made without departing from the scope of the present invention. In accordance with the present invention, methods and apparatus for tunneling proprietary or other protocols over another protocol or framework (e.g., EAP) are hereinafter described.
With reference to
In either, storage devices are contemplated and maybe remote or local. While the line is not well defined, local storage generally has a relatively quick access time and is used to store frequently accessed data, while remote storage has a much longer access time and is used to store data that is accessed less frequently. The capacity of remote storage is also typically an order of magnitude larger than the capacity of local storage. Regardless, storage is representatively provided for aspects of the invention contemplative of computer executable instructions, e.g., software, as part of computer program products on readable media, e.g., disk 14 for insertion in a drive of computer 17. Computer executable instructions may also be available for installation as a download or reside in hardware, firmware or combinations in any or all of the depicted devices 15 or 15′.
When described in the context of computer program products, it is denoted that items thereof, such as modules, routines, programs, objects, components, data structures, etc., perform particular tasks or implement particular abstract data types within various structures of the computing system which cause a certain function or group of functions. In form, the computer product can be a download of executable instructions resident with a downstream computing device, or readable media, received from an upstream computing device or readable media, a download of executable instructions resident on an upstream computing device or readable media, awaiting transfer to a downstream computing device or readable media, or any available media, such as RAM, ROM, EEPROM, CD-ROM, DVD, or other optical disk storage devices, magnetic disk storage devices, floppy disks, or any other physical medium which can be used to store the items thereof and which can be assessed in the environment.
In network, the computing devices communicate with one another via wired, wireless or combined connections 12 that are either direct 12a or indirect 12b. If direct, they typify connections within physical or network proximity (e.g., intranet). If indirect, they typify connections such as those found with the internet, satellites, radio transmissions, or the like, and are given nebulously as element 13. In this regard, other contemplated items include servers, routers, peer devices, modems, T# lines, satellites, microwave relays or the like. The connections may also be local area networks (LAN), metro area networks (MAN), and/or wide area networks (WAN) that are presented by way of example and not limitation. The topology is also any of a variety, such as ring, star, bridged, cascaded, meshed, or other known or hereinafter invented arrangement.
With the foregoing representative computing environment as backdrop,
With NMAS, third parties “plug” the computing program product into their computing environment 10 and write/provide a Login Client Method (LCM) 50 for a client workstation 52 and a Login Server Method (LSM) 54 for a server 56, as is known. In general, the LCM is methodology largely responsible for collecting authentication credentials (user input information 60) from users at their workstation, e.g., receiving one-time passwords, receiving fingerprint data from a scanner, receiving an employee bar code, etc., while the LSM is methodology largely responsible for authenticating or verifying the credentials per a user, a workgroup, or other arrangement.
Also, NMAS may be outfitted with various schemes providing varying levels of strong authentication. In one instance, the authentication schemes relate to user-fixed characteristics such as biometrics in the form of fingerprints, retina scans, DNA, etc. In another, they relate to electronic structures, such as smart cards, microchips, magnetic stripes, etc. In still another, they are user-created, such as passwords, secrets, usernames, PINs, or other credentials. Regardless of form, they are referred to generically herein as protocols, methods, schemes, etc. and users log-in from their workstation, including navigation with apparatus such as card readers, retina or fingerprint scanners, password forms, keypads, etc., as is typical. (In certain embodiments, the workstation may be simply a computing device in the form of a card reader, retina or fingerprint scanner, password form, keypad, etc., such as 15′ in
When the client workstation and server are in communication, the LCM and LSM communicate using proprietary NMAS API calls 62. These API calls take data provided by the caller, package it into MAF (Multi-mode Authentication Framework) API packets, and send it over a network between the client workstation 52 and server 56, especially between the NMAS client 64 and NMAS server 66. In turn, the NMAS client and server communicate with the LCM and LSM, respectively. The format of the data is not specified by NMAS, but is left to the discretion of the LCM/LSM developer. Actual login secrets (e.g., how one-time passwords are calculated, scanned fingerprint data per specific users, employee card values for users, workgroups, etc.) are stored for the server with the assistance of a computing product, such as Novell's eDirectory 70. As will be seen, this arrangement extends to a wireless computing environment in which the framework itself will be tunneled intact over another framework, such as EAP, to wirelessly enable the pluralities of strong authentication schemes that are not otherwise wirelessly enabled absent the EAP tunnel. In this manner, NMAS's fifty-plus existing authentication schemes are enabled in a wireless environment without modification. It is also true of other strong, multi-factor authentication frameworks, such as LDAP/SASL, OpenLDAP/SLAPD, IPSEC, etc., earlier mentioned.
With reference to
In
The foregoing also includes a generic NMAS-EAP method 121, 123 (server or supplicant) which acts as a shim between the EAP protocol stack or layer and the NMAS methods. During use, the shim provides an implementation of the proprietary NMAS API that is required by the partner methods (e.g., one-time password, fingerprint, smart card, etc.). The shim allows the MAF protocol packets to be wrapped in EAP packets. When the EAP-NMAS method is invoked, it reads data from the server to determine which sequence of NMAS login methods should be invoked. These methods are invoked in order, just as when performing an ordinary NMAS login, such as with the wired environment of
With reference to the EXAMPLE below, a more detailed explanation is given. It exists also in the context of NMAS and a strong authentication protocol in the form of a one-time password for Vasco corporation's Digipass product.
1) The user initiates Client32 NCP login on the client workstation 52′ using the Vasco Digipass login method.
2) The NMAS Client invokes the Vasco Digipass LCM 50, which prompts the user for the token code. The user enters the token code and the token code is sent to the LSM 54 by way of the access point 110, as part of the EAP message format (via EAP 117 of the supplicant to EAP 115 to EAP 117 of the server).
3) The LSM 54 receives the token code from EAP 117 of the server. To verify the token code, the LSM looks up the token that is assigned to the user. For the Vasco method, the token is a separate object that is linked to the user using an attribute called vascoAssignedTokenDN. The Digipass LSM calls NMAS API 123 to read the vascoAssignedTokenDN attribute of the user. NMAS reads the attribute from the user and returns the results to Vasco LSM 54.
4) The LSM 54 calls NMAS_GetLoginSecret to read the token seed from the token object.
5) The LSM validates the token code provided by the user.
6) The LSM informs the LCM 50 of authentication via the access point as a payload of the EAP message format. Login is successful. Otherwise, if the token code is invalid, login is unsuccessful and certain or all functionality of the client workstation (supplicant) is prevented.
Similarly, other authentication schemes are practiced as encapsulated payloads of EAP. Other round trips between the supplicant and server may also exist, but are not discussed for clarity.
In any embodiment, certain advantages and benefits over the prior art should be readily apparent. For example, methods and apparatus teach an arrangement of computing devices whereby a first authentication framework is provided over another authentication framework in order to wirelessly enable multiple authentication schemes that are not otherwise wirelessly enabled without modification. Other advantages include, but are not limited to: 1) tunneling one pluggable authentication protocol (MAF) over another pluggable authentication protocol (EAP); 2) wirelessly enabling NMAS, LDAP/SASL, Open LDAP/SLAPD, and IPSEC, to name a few, which are otherwise unavailable for wireless authentication; 3) allowing strong authentication in geographic locations (reachable in a wireless context) not earlier able to provide strong authentication; and 4) leveraging existing configurations thereby avoiding the costs associated with providing wholly new products.
Still other advantages exist in the form of authentication schemes and party interaction as well as computer program products, computing networks and computing devices, to name a few. Also, features of the invention make it possible to use existing login methods, without modification, for wireless login. Naturally, skilled artisans will be able to contemplate others.
One of ordinary skill in the art will also recognize that additional embodiments are possible without departing from the teachings of the present invention. This detailed description, and particularly the specific details of the exemplary embodiments disclosed herein, is given primarily for clarity of understanding, and no unnecessary limitations are to be implied, for modifications will become evident to those skilled in the art upon reading this disclosure and may be made without departing from the spirit or scope of the invention. Relatively apparent modifications, of course, include combining the various features of one or more figures with the features of one or more of other figures.