WO2012098265A1 - Method and system for controlling access to networks and/or services - Google Patents
Method and system for controlling access to networks and/or services Download PDFInfo
- Publication number
- WO2012098265A1 WO2012098265A1 PCT/EP2012/050991 EP2012050991W WO2012098265A1 WO 2012098265 A1 WO2012098265 A1 WO 2012098265A1 EP 2012050991 W EP2012050991 W EP 2012050991W WO 2012098265 A1 WO2012098265 A1 WO 2012098265A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- token
- application
- network
- access
- identifier
- Prior art date
Links
- 238000000034 method Methods 0.000 title claims abstract description 109
- 230000008569 process Effects 0.000 claims abstract description 56
- 238000005516 engineering process Methods 0.000 claims abstract description 30
- 238000001994 activation Methods 0.000 claims description 102
- 230000004913 activation Effects 0.000 claims description 84
- 238000004590 computer program Methods 0.000 claims description 51
- 238000004891 communication Methods 0.000 claims description 41
- 238000010200 validation analysis Methods 0.000 claims description 13
- 238000012795 verification Methods 0.000 claims description 11
- 230000007246 mechanism Effects 0.000 claims description 9
- 230000001419 dependent effect Effects 0.000 claims description 6
- 230000002441 reversible effect Effects 0.000 claims description 3
- 238000013475 authorization Methods 0.000 claims 1
- 230000004044 response Effects 0.000 description 21
- 230000006870 function Effects 0.000 description 20
- 238000010586 diagram Methods 0.000 description 15
- 239000008186 active pharmaceutical agent Substances 0.000 description 4
- 238000007726 management method Methods 0.000 description 4
- 238000013507 mapping Methods 0.000 description 4
- 241000700605 Viruses Species 0.000 description 3
- 230000003213 activating effect Effects 0.000 description 3
- 230000008901 benefit Effects 0.000 description 3
- 230000004048 modification Effects 0.000 description 3
- 238000012986 modification Methods 0.000 description 3
- 238000003860 storage Methods 0.000 description 3
- 230000002155 anti-virotic effect Effects 0.000 description 2
- 238000012790 confirmation Methods 0.000 description 2
- 230000006855 networking Effects 0.000 description 2
- 244000035744 Hura crepitans Species 0.000 description 1
- 241000721662 Juniperus Species 0.000 description 1
- 206010000210 abortion Diseases 0.000 description 1
- 230000005540 biological transmission Effects 0.000 description 1
- 230000001010 compromised effect Effects 0.000 description 1
- 235000014510 cooky Nutrition 0.000 description 1
- 238000009826 distribution Methods 0.000 description 1
- 230000000694 effects Effects 0.000 description 1
- 238000001914 filtration Methods 0.000 description 1
- ZXQYGBMAQZUVMI-GCMPRSNUSA-N gamma-cyhalothrin Chemical compound CC1(C)[C@@H](\C=C(/Cl)C(F)(F)F)[C@H]1C(=O)O[C@H](C#N)C1=CC=CC(OC=2C=CC=CC=2)=C1 ZXQYGBMAQZUVMI-GCMPRSNUSA-N 0.000 description 1
- 238000009434 installation Methods 0.000 description 1
- 238000011900 installation process Methods 0.000 description 1
- 230000003993 interaction Effects 0.000 description 1
- 238000004519 manufacturing process Methods 0.000 description 1
- 238000012545 processing Methods 0.000 description 1
- 230000001960 triggered effect Effects 0.000 description 1
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/08—Access security
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0807—Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0815—Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
Definitions
- the present invention relates to a network access control system for controlling access to a network and/or services, and is particularly, but not exclusively, suited to ensuring secure access to single sign-on services.
- Apple Inc. created a new tablet computing device category with the introduction of the iPad in April 2010 that has seen an unprecedented rate of adoption and other manufacturers are now responding with their own tablet devices, mostly based on the Android operating system from Google Inc.
- the 2011 market forecast for tablet devices is forecast by various analysts to exceed 24 million devices.
- 802. l lx can be used for network access control to the local network over Wi-Fi or Ethernet and VPNs can be used for remote network access, both of these requiring users to authenticate to the network before access is granted.
- services on the network are configured to require user authentication for users who are authorised to access these services.
- SSO single sign-on
- Kerberos Kerberos
- Integrated Windows Authentication To avoid the inconvenience of users having to provide their authentication credentials to each service every time they require access to these services, single sign-on (SSO) methods are commonly deployed, for example Kerberos or Integrated Windows Authentication.
- SSO single sign-on
- anti -virus technology is commonly deployed to attempt to secure the computer from these attacks as well as applying regular security patches to the operating system and applications that fix security vulnerabilities that are discovered.
- hard disk encryption or application data encryption can be used in addition to requiring users to enter a password (login) to access the computer and automatically locking the computer after a period of inactivity or when it is switched off.
- the device operating systems do not yet support sophisticated secure device management and with the wide range of devices and operating system variants from different device manufacturers, remotely managing these devices except for the most rudimentary tasks is not feasible.
- File system encryption is commonly supported but it is well known that the method employed is ineffective in securing data as there are known methods for attackers to extract unencrypted data from the devices without having to tamper or modify the device software at all.
- methods, commonly called jailbreaking or rooting that allow users (or attackers) to gain unlimited (root) access to both iOS and Android devices that enables modification or removal of security measures and unlimited access to user and system data and settings.
- VPNs Virtual Private Networks
- SSL Secure Sockets Layer
- Wi-Fi access can also be protected with WPA2 enterprise.
- Both these technologies provide network data encryption and user authentication to the network, but they both suffer from the same security flaw in that once the user has been authenticated then any application or service on the device is able to gain access to the enterprise private network, including any malware.
- any SSO method would be unprotected and would allow malware to gain access to services on the enterprise private network once the user had been initially authenticated.
- FIG. 1 An example of a typical unsecure client server arrangement is shown in Figure 1.
- VPN client 150 is a service on the client device 100 that enables IP communication between any application or service on device 100 and services on the intranet 305 via Internet 200 and VPN server 350 once the user has authenticated with the VPN service.
- Kerberos 110 is a conventional service on the client device 100 that enables, in conjunction with the Kerberos Key Distribution Center (KDC) 315, any application to authenticate with services on the intranet 305 that support Kerberos authentication. Kerberos 110 communicates with KDC 315 via a VPN tunnel over the Internet 200.
- KDC Kerberos Key Distribution Center
- the client device 100 has three applications 120, 130, 140 installed thereon; the first two are enterprise applications (which is to say that they have been provisioned by the network), while the third has been installed independently of the enterprise.
- the first two are enterprise applications (which is to say that they have been provisioned by the network), while the third has been installed independently of the enterprise.
- a conventional client- server arrangement makes no distinction between the three applications, and grants full access to the enterprise network 305 to each application.
- the first applicationl 120 wishes to access Service 1 320 in the intranet and makes a request to the Kerberos service 110 for a service ticket using the Kerberos API 5.
- the Kerberos service 110 does not have a valid Ticket Granting Ticket (TGT) in the keystore 105.
- TGT Ticket Granting Ticket
- the user is prompted for their credentials and then the Kerberos service 110 obtains a TGT from KDC 315 and saves this in keystore 105.
- the Kerberos service 110 then obtains a service ticket for Servicel 320 from KDC 315, saves this in keystore 105, and returns the service ticket to applicationl 120.
- the applicationl 120 then presents this service ticket to Service 320, which then grants access to the application 120.
- the second application 2 130 makes a request to the Kerberos service 110 for a service ticket using the Kerberos API.
- Kerberos 110 has a valid TGT in the keystore 105 so the user does not have to be prompted for their credentials.
- Kerberos 110 obtains a service ticket for Service2 330 from the KDC 315, saves this in keystore 105, and returns the service ticket to the application2 130.
- the application 130 then presents this service ticket to Service2 330, which then grants access to Application2 130.
- Malware 140 then makes a request to the Kerberos service 110 for a service ticket using the Kerberos API 6. As Kerberos 110 has no access control in place, Malware 140 has full access to the Kerberos service 110. Kerberos 110 has a valid service ticket for Service 1 320 in the keystore 105 and returns this to Malware 140, which presents this service ticket to Service 1 330. As VPN client 150 has no access control in place beyond initial user authentication, Malware 140 is able to connect to Service 1 330 and indeed any destination on the intranet 305.
- a first embodiment provides a device for use in controlling access by an application executing on the device to a network, the application having an identity and the device comprising a network access portion arranged to:
- a second embodiment provides a network entity system for use in controlling access by an application executing on a device to a network, the application having an identity and the network entity system comprising a network access portion arranged to:
- a third embodiment provides a computer program, or a suite of computer programs, comprising a set of instructions, which, when executed by a device (100a), causes the device to perform a method for use in controlling access by an application (120) executing on the device to a network (305a), the method comprising:
- a fourth embodiment provides a computer program, or a suite of computer programs, comprising a set of instructions, which, when executed by a network entity system, causes the network entity system to perform a method for use in controlling access by an application (120) executing on a device (100a) to a network (305a) with which the network entity system is associated, the application having an identity (310a) and the method comprising the steps of: receiving data indicative of a cryptographic credential (Ck) corresponding to the application and an identifier (400a) corresponding to the application identity from the device; validating said received cryptographic credential using a cryptographic function on the basis of the identifier corresponding to the application; and
- Ck cryptographic credential
- 400a identifier
- the network access control system which controls access by an application running on a client device to a network.
- the network access control system comprises:
- the first network access portion is that configured on the device of the first embodiment and the second network access portion is that configured on the network entity system of the second embodiment.
- the identifier further corresponds to a user of the application and said client device. This enables the second network access portion to make use of single sign on technology, in which access to a given service is authenticated using user credentials, when granting access to the network.
- the first network access portion comprises an activation component that is responsive to an activation request received from the application to prompt a user of the client device for credential data associated with the application such as a key, and credential data associated with the user, and to send an application activation request message to the second network access portion.
- credential data associated with the application
- credential data such as a key
- credential data associated with the user such as a key
- credential data associated with the user such as a key
- credential data associated with the application such as a key
- credential data associated with the application such as a key
- credential data associated with the user such as a key
- credential data associated with the user such as a key
- credential data associated with the user such as a key
- credential data associated with the user such as a key
- credential data associated with the user such as a key
- credential data associated with the user such as a key
- credential data associated with the user such as a key
- credential data associated with the user such as
- the activation component selectively combines the user credential data with data identifying the application and data identifying the client device so as to generate the identifier corresponding to the application, and the activation component encapsulates the identifier within the application activation request message. Further, the activation component generates a token granting token authenticator from the user credential data and can encrypt the token granting token authenticator using the application credential data; this is then combined with the identifier corresponding to the application within the application activation request message.
- the token granting token authenticator is decrypted by the second network access portion using a provisioning key corresponding to the one entered by the user, i.e. the key issued at the time of application provisioning. If successfully decrypted, the token granting token authenticator is then used by the second network access portion to request a token granting token from a token issuer.
- the token granting token that is issued by the token issuer is stored in a keystore accessible by the second network access portion.
- the second network access portion can generate a cryptographic key, which is for use in authenticating network access requests and also for securely passing tokens associated with a given token generating token to the first network portion. Accordingly the cryptographic key is stored in the aforementioned keystore in the network and, using the provisioning key, is securely forwarded to the activation component of the first network access portion on the client device.
- network access request messages can be authenticated by the second network access component: a network access request comprises the identifier corresponding to at least the application requesting network access, and, when received by the second network access portion, is used to identify a token granting token corresponding thereto. If the application has been successfully activated, in the manner described above, such a token granting token will be available to the second network access portion. In certain circumstances the token granting token may have expired, in which case the second network access portion performs a token generating process; however, if the token granting token is still valid, the first network access portion is granted access to the network via e.g. a suitable network access granting instruction that is sent to the first network portion.
- the token generating process involves the second network portion sending a challenge request message to the first network portion, this causing the first network portion to request credentials from the user. These credentials are then used to generate a token generating token authenticator, as described above in relation to the activation process.
- the token generating token authenticator is securely sent to the second network access portion, this time using the cryptographic key generated during the activation process and, if successfully decrypted, is used to request a token granting token from the token issuer.
- the first network access portion is then granted access to the network.
- the first network access portion further comprises a data communications client capable of controlling a communications interface on the client device so as to configure a connection with the second network access portion.
- a data communications client capable of controlling a communications interface on the client device so as to configure a connection with the second network access portion.
- the data communications client and indeed the activation component are integrated with the application, but the data communications client can alternatively be configured as a service on the client device.
- the first and second network access portions may implement virtual private network technology to enable communication therebetween.
- the first and second network access portions may be a VPN client and a VPN server respectively, and the VPN server may implement a Remote Authentication Dial In User Service (RADIUS) client to cooperate with the AAA server incorporating a RADIUS server so as to authenticate incoming access requests.
- the first and second network access portions may implement any of Wi-Fi and Ethernet technologies.
- the first network access portion comprises a plurality of data communications clients, each of which is configured to communicate with different second network access portions.
- client devices can be configured with multiple data communications clients, each implementing, for example, a different VPN technology and thereby enabling applications to connect to different networks using a variety of data communication technologies.
- the different second network access portions may be located in different networks, enabling applications to access different networks.
- the plurality of data communications clients may be provided as a plug-ins to, or communicate with, the applications via Application Programming Interface (API) libraries, which are private to the application.
- API Application Programming Interface
- the data communications client comprises a VPN client
- a fifth embodiment provides a device for use in enabling single sign on access to services for an application running thereon and a service provided by a computer system, the computer system being located on a network, the device comprising an access control portion arranged to cooperate with a corresponding access control portion configured within the network such that single sign on access to said service is controlled on the basis of at least an identifier corresponding to said application.
- a sixth embodiment provides a network entity system for use in enabling single sign on access to services for an application running on a device and a service provided by a computer system, the computer system being located on a network, the network entity system comprising an access control portion arranged to:
- a seventh embodiment provides a computer program, or a suite of computer programs, comprising a set of instructions, which, when executed by a device, causes the device to perform a method for enabling single sign on access to services for an application running on the device and a service provided by a computer system, the computer system being located on a network, the method comprising causing a access control portion configured on the device to cooperate with a corresponding access control portion configured within the network such that single sign on access to said service is controlled on the basis of at least an identifier corresponding to said application.
- An eighth embodiment provides a computer program, or a suite of computer programs, comprising a set of instructions, which, when executed by a network entity system, causes the network entity system to perform a method for use in enabling single sign on access to services for an application (120) running on a device and a service (320) provided by a computer system, the computer system being located on a network (305a), the method comprising the steps of: receiving data indicative of an application identifier (400a);
- the fifth to eighth embodiments collectively make up a system hereinafter referred as an application access control system for use in enabling single sign on access to a service for at least one application running on a client device and a service provided by a computer, the computer being located on a network.
- the application access control system comprises:
- the first access control portion is that configured on a device according to the fifth embodiment
- the second access control portion is that configured on the network entity system of the sixth embodiment.
- the identifier further corresponds to a user of the application and said client device. This enables access to services to be provided using single sign on technology, in which access to a given service is authenticated using user credentials.
- the first access control portion comprises a token based client and the second access control portion comprises a token issuer and a token repository.
- the token repository stores tokens in association with identifiers corresponding to services for which a token has been issued, these having been generated in response to either an initial token request message from the first access control portion or on demand, e.g. if a previously generated token has expired; the token is thereafter accessible for subsequent requests from the application to access the service.
- a client device is configured with an application access control system and a network access control system, in which case the second access control portion has access to the cryptographic key generated during the activation process.
- the token based client has access to the activation component, which holds the cryptographic key.
- This cryptographic key is preferably used to securely transmit a token to the token based client, and, because the token based client has access to the cryptographic key via the activation component, it is able to decrypt the token and provide it to the application.
- the application subsequently sends the token to the service in the network.
- the second access control portion performs a token generating process, which involves identifying a token granting token in the token repository and sending the token granting token to the token issuer.
- the token issuer issues a token that is subsequently stored in a token repository and which is securely transmitted to the first access control portion in the manner described above.
- the token based client can be integrated with the application, or configured as a service on the client device. Most conveniently the token based client is integrated with the application, and, when the application access control system is used in combination with the network access control system, any unknown application such as malware cannot access services within the network because they are unable to be authenticated by the AAA Server as part of the network access granting process. Further, since the token repository provides a token to an authenticated token based client, this being encrypted with its respective unique cryptographic key, only that token based client associated with the specific application can decrypt and use the token.
- SSO single sign on
- TM Kerberos
- SSO enterprise single sign-on
- Figure 1 is a schematic block diagram of a conventional client server arrangement
- Figure 2 is a schematic block diagram showing an application provisioning system utilised by embodiments of the invention.
- FIG. 3 is a schematic block diagram showing an access control system according to an embodiment of the invention.
- Figure 4 is a timing diagram showing steps performed by the components shown in Figure 3 for activating an application according to an embodiment of the invention
- Figure 5 is a schematic block diagram illustrating the storage of cryptographic keys, application, user and device identifiers according to an embodiment of the invention
- Figure 6 is a timing diagram showing steps performed by the components shown in Figure 3 for granting network access to an application according to an embodiment of the invention
- Figure 7 is a timing diagram showing steps performed by the components shown in Figure 3 for access to a network according to an alternative embodiment of the invention.
- Figure 8 is a schematic block diagram showing a configuration of a plurality of data communications clients according to an embodiment of the invention.
- FIG. 9 is a schematic block diagram showing an application access control system according to an embodiment of the invention.
- Figure 10 is a timing diagram showing steps performed by the components of Figure 9 for granting single sign on access to a service according to an embodiment of the invention
- Figure 11 is a timing diagram showing steps performed by the components of Figure 9 for granting single sign on access to a service according to an alternative embodiment of the invention
- Figure 12 is a schematic block diagram illustrating the storage of token granting tokens, tokens, applications, user and device identifiers according to an embodiment of the invention
- Figure 13a is a schematic block diagram showing an alternative configuration of the first network access portion and the first application access control portion according to an embodiment of the invention
- Figure 13b is a timing diagram showing steps performed by the components of Figure 13a according to an embodiment of the invention.
- Figure 14 is a schematic block diagram showing an access control system according to an embodiment of the invention when a client device connects to the network via Wi-Fi.
- indices "a, b, c" etc. are used to distinguish between instances of a given component, step or element.
- Embodiments of the invention are concerned with an access control system.
- the access control system is directed towards controlling network access by an application running on the client device.
- the access control system is directed towards controlling access to services within a network, using known single sign on technology such as Kerberos (TM)
- TM Kerberos
- a unifying feature of both access control systems is that access is controlled on the basis of an identifier corresponding to the application running on the client device. This identifier is known to the client device and to (a) device(s) configured within the network by means of an application provisioning process.
- embodiments of the invention enable access control of individual applications on the basis of their identifiers. Any application unknown to the access control system is not permitted to access the network and/or services within the network, thereby restricting network access to applications that can be authenticated by the access control system.
- the applications that may be authenticated to connect to the network and/or access services therein are, in one embodiment, hosted by a repository of applications (commonly referred to as "an App Store") that may be internal or external to the network.
- an App Store a repository of applications that may be internal or external to the network.
- the App Store 500 is accessible by connected and trusted client devices connected to the intranet 305 and may conveniently be accessed using web technology such as a browser 550a, 550b in a manner well known to one skilled in the art.
- the access rights of the users 600a and 600b, as regards the app store 500, may be limited to downloading applications, whereas the administrator 610 has access to management functions for maintaining applications provided via the app store 500.
- the management functions include adding a new application, updating or removing an existing application
- Every application that can be provisioned by the App Store is associated with a unique application identifier 310a (hereinafter ID), which is typically defined when the application is added to the App Store 500.
- ID an application identifier 310a
- the mapping between applications and their IDs is maintained in a database 510 that may be internal or external to the App Store 500.
- users can initiate application provisioning via the (trusted) browser 550a, 550b by downloading a file that triggers download of a selected application and installation on the client device 100a.
- the user 600a interacts with the App Store user interface so as to navigate the list of identified applications, and upon identifying a desired application 310a, an application 120 is selected, triggering the download and installation process described above.
- the App Store 500 generates a unique instance 400a (hereinafter UID) that is at least in part indicative of the application ID 310a, and which preferably corresponds to the user ID 600a and/or device UDID 300a.
- UID 400a is stored in the network 305, e.g. at least in repository 510, and utilised by the access control system for selectively granting access to the network 305 and/or a service within the network as will be described in detail later in the description.
- the UID 400a may correspond to the User ID 600a, thereby establishing a link between the User ID 600a and the application 310a. In this way, the UID 400a would be different for different users downloading the same application 120 to the same client device. This is particularly useful in controlling network access by applications on multi-user devices, such as open access computers, and multi-user applications, such as a web browser.
- the App Store 500 may generate the UID 400a by hashing one or more of the ID 310a, the User ID 600a and the UDID 300a.
- the access control system can uniquely identify a given application on a given client device operated by a given user from the UID 400a alone, thus creating a three way relationship between users, client devices and applications.
- This is particularly useful with the advent of ultra portable computing devices, for which there is increasingly a demand to accommodate users with multiple devices and indeed multiple users of devices.
- the usage of devices further complicates the already difficult task faced by network operators, namely to monitor each and individual user device for the presence of suspicious applications. Granting network access on the basis of an identifier that represents an instance of an application (namely the UID 400a) alleviates the risk of unknown applications accessing the network, as access to unknown applications would not be granted.
- the App Store 500 also generates an application credential 502a for use in application activation.
- This application credential 502a is stored in the database 510 in the record corresponding to the associated UID 400a and transmitted to the user, e.g. via email or other separate communication means.
- This application credential may comprise an activation encryption key 502a (hereinafter activation key), which may be utilised for securely activating the application.
- the App Store 500 may further provide the application credential 502a to the AAA server 520 so as to enable the AAA server 520 to validate network access requests by the application.
- the AAA server stores these credentials and indeed identifiers in a keystore, to be described below, also located within the network.
- client device 100a is configured with an activation component 200a and a data communications client 180a.
- These components make up the first network access portion of embodiments of the invention, and may be integrated with the downloaded application 120, e.g. via a plug -in or via a library of APIs which can be provisioned by the App Store 500. Alternatively the components can be embodied as a service on the client device and centrally accessible by individual applications.
- Figure 3 depicts the first embodiment, while Figure 13a depicts the second embodiment and is described later in the description.
- the activation component 200a is responsible for handling activation of the application 120: it will be appreciated from the foregoing that until an application has been activated, an application that has been provisioned from the App Store 500 is effectively inoperable. After activation, the application can subsequently be invoked (and its access requests scrutinized according to embodiments of the invention) without requiring activation every time it executes.
- the application activation component 200a in response to receiving an activation request received from the application 120, prompts the user for credential data associated therewith, which may include the user ID 600a and/or a user password (step 4.1).
- the activation component 200a further acquires the credential data associated with the application from the user, which as discussed above may include the activation encryption key 502a provided to the user as part of application provisioning.
- the activation component 200a generates the UID 400a, i.e. the application instance ID, comprising at least the application ID 310a and optionally the UDID 300a and the user ID 600a. Using a cryptographic function, the activation component 200a may then generate an application authentication credential Ck, which may include the tamper-detect checksum of the application 120. The application authentication credential Ck may be further combined with the application credential 502a, which, in an arrangement where the application credential is the activation encryption key 502a, may involve encrypting the application authentication credential Ck using the activation encryption key 502a.
- the cryptographic function may comprise a non-reversible cryptographic function or any other non-forgeable function, which makes it extremely difficult, if not impossible, for the application authentication credential Ck to be created for anything other than the intended application.
- the activation component 200a creates a token granting token authenticator on the basis of user credentials using the user ID 600a and password, and encrypts the token granting token authenticator with the activation encryption key 502a (step 4.2).
- the application authentication credential Ck may be also combined with further data, such as a timestamp corresponding to the generation of the application authentication credential Ck at the client device 100a. Usage of the timestamp imparts temporality to the application authentication credential Ck, thereby preventing replay attacks. In effect, the usage of the timestamp makes the application authentication credential Ck a time limited password.
- the activation component 200a then provides the UID 400a, the encrypted token granting token authenticator and the application authentication credential Ck to the VPN client 180a (step 4.3), which transmits an application activation request message to the VPN server 350 comprising these data therein (step 4.4).
- the AAA server 520 performs an application activation process.
- this is triggered by the VPN server 350 transmitting an access request message comprising the received UID 400a, the encrypted token granting token authenticator and the application authentication credential Ck to AAA Server 520 via the RADIUS client 540 (step 4.5).
- the AAA server 520 receives the request from its RADIUS Server 530 and uses the UID 400a to retrieve the corresponding application credential 502a from database 510, which is used to decrypt the encrypted token granting token authenticator (step 4.6).
- the AAA Server 520 retrieves application executable code corresponding to UID 400a (this having been stored in database 510 as described above) in order to verify the application authentication credential Ck (part of step 4.6).
- the AAA server 520 generates its own version of the application authentication credential: the activation component 200a and the AAA server 520 follow the same process for generating the application authentication credential. For example, this may involve checksum processing of the application executable code, involving performing a cryptographic function in respect thereof.
- the cryptographic function may comprise a non-reversible cryptographic function or any other non-forgeable function.
- the AAA server 520 verifies that the application authentication credential Ck it received at step 4.4 matches the generated application authentication credential. In the event that the verification of the application or of the token granting token authenticator is unsuccessful, the AAA server 520 aborts the activation process. The AAA server 520 may transmit an error message to the VPN client 180a via the VPN server 350 comprising data indicative of the unsuccessful verification.
- the AAA Server 520 uses the decrypted token granting token authenticator to request a token granting token TGT (hereinafter TGT) from the KDC 315 (step 4.7), whereupon the KDC 315 validates the user's credentials using standard Kerberos techniques. In the event that the credentials are validated, the KDC 315 generates a TGT 420a (step 4.8) and returns it to the AAA Server 520 (step 4.9); otherwise the AAA Server 520 returns a RADIUS-Access-Reject error response to VPN Server 350 and the activation process ends.
- TGT token granting token TGT
- the AAA server 520 stores the token granting token TGT 420a in the keystore 370 in association with the user ID 600a, thereby configuring single sign on access to the network 305, specifically services therein.
- the AAA server 520 then generates and stores a cryptographic key 410a in the keystore 370 in association with the UID 400a.
- the key 410a is preferably encrypted using activation encryption key 502a and returned to the VPN server 350 for delivery to the application 120 (steps 4.10 and 4.11).
- the VPN server 350 then generates an activation instruction message comprising the encrypted cryptographic key 410a and transmits it to the activation component 200a via the VPN client 180a (steps 4.12 and 4.13).
- this key 410a is available, and specific, to the application 120 and is held by the network 305. Since the key 410a is shared between the application 120 and the network 305, it can be used to secure application data particular to the user to whom the application 120 was provisioned, and this application data can be recovered from the client device 100a under control of the network 305. In addition, and when the key 410a is linked to a user ID 600a (which it is when the UID 400a corresponds to a user of the application), it can be used to encrypt, and thereby sandbox, individual user's data on a device that is shared by multiple users.
- Delivery of the cryptographic key 410a to the application 120 concludes activation; in the event that the received cryptographic key 410a has been encrypted using the application credential 502a, the activation component 200a decrypts the encrypted cryptographic key using the locally held application credential 502a, and stores the unencrypted cryptographic key 410a in a local store in association with the UID 400a corresponding to the application (step 4.14).
- the network access granting process comprises identifying a TGT 420a corresponding to the UID 400a stored at the keystore 370 (as a result of step 4.10).
- the TGT 420a at least in part corresponds to the user credentials 600a and may be utilised by applications for when requesting access to services to enable the application 120 to access network services without having to provide the user credentials each time a service is requested.
- the keystore 370 maintains a three way mapping uniquely identifying every application that is installed on every client device accessible by users. For example, a user A has access to applications corresponding to IDs 310a, 310b and 310c on the client device 100a, whereas a user B has access to applications corresponding to IDs 310a and 310c on the same client device 100a and user C has access to applications corresponding to ID 310b, again, the same client device 100a.
- the fine grained mapping architecture not only uniquely associates a given application to a given client device, but also associates it with a given user.
- the keystore 370 additionally stores the cryptographic key 410a provided by the AAA server 520 during activation.
- embodiments of the invention are tailored to the needs of multi-user and multi-device applications by way of the three-way mapping between the application, the client device and the user.
- each user can be independently authenticated for an application and each application instance can be independently authenticated for each authenticated user.
- the first and second network access portions may implement virtual private network technology to enable communication therebetween.
- the first and second network access portions may be a VPN client 180a and a VPN server 350 respectively, and the VPN server 350 may implement a Remote Authentication Dial In User Service (hereinafter RADIUS) client 540 to cooperate with the AAA server 520 incorporating a RADIUS server 530 so as to authenticate incoming access requests.
- RADIUS Remote Authentication Dial In User Service
- the first and second network access portions may implement any of Wi-Fi and Ethernet technologies.
- the network 305 comprises a Local Area Network (hereinafter LAN) and the client device is directly connected to the LAN
- the first network access portion implements an access control mechanism particular to the type of connection to the LAN.
- the first and second network access portions are suitable for implementing any access control mechanisms for both local and remote connections in both the first and the second arrangements.
- the application 120 transmits an access request to the activation component 200a (step 6.1), which may generate the authentication credential Ck associated with the application (step 6.2). As described above, this may include a tamper detect checksum of the application executable code, encrypted using the key 410a and optionally incorporating a timestamp corresponding to the generation of the application authentication data at the client device 100a.
- the activation component 200a then sends the access request comprising the UID 400a and, if it has been generated, the application authentication credential Ck to the VPN client 180a for delivery to the VPN server 350 (steps 6.3 and 6.4).
- the VPN server 350 sends the UID 400a and the application authentication credential Ck to the AAA server 520 for verification (step 6.5).
- the AAA server 520 utilises the UID 400a to retrieve the corresponding record, in particular the key 410a, which as described above, may be held at the keystore 370 (step 6.6). If included in the network access request message, the AAA server 520 decrypts the received application authentication credential Ck using the retrieved key 410a and generates a checksum of the application executable code that it retrieves from database 510. AAA server 520 uses UID 400a to retrieve the TGT 420a from database 370 and checks that it is still valid (also part of step 6.6).
- the AAA server 520 transmits an error message to the VPN client 180a.
- the AAA server 520 sends an access granting message to the VPN client 180a, via the VPN Server 350 to access the network 305 (steps 6.7, 6.8).
- the VPN client 180a sends confirmation that access to the network has been granted to the activation component 200a at step 6.9, which forwards same to the application 120 (step 6.10).
- the AAA server 520 transmits an access challenge request message to the VPN server 350, which forwards the challenge request message to the activation component 200a via the VPN client 180a (steps 7.7 - 7.9).
- the activation component 200a creates a token granting token authenticator on the basis of user credentials, which are acquired from the user in the manner described above in relation to step 4.2 (step 7.10).
- the token granting token authenticator may be encrypted using the key 410a, thereby preparing a secure token granting token authenticator; this serves to prove the authenticity of the request to the AAA server 520.
- the content of a subsequently generated and transmitted challenge response message (steps 7.11- 7.13) may additionally include a computed application authentication credential Ck (cf step 4.2) and it includes the UID 400a.
- the AAA server 520 In response to receiving the challenge response message, the AAA server 520 verifies the application authentication credential Ck if it was included in the challenge response message (step 7.14), and the AAA server 520 decrypts the secure token granting token authenticator using key 410a retrieved from the keystore 370.
- the AAA server 520 sends the now-decrypted token granting token authenticator to the KDC 315, along with a request for a TGT (step 7.15).
- the KDC 315 validates the user's credentials and generates a TGT 420a (step 7.16).
- the KDC 315 transmits the TGT 420a to the AAA server 520 for storage in the record corresponding to the UID 400a maintained at the keystore 370 (steps 7.17 and 7.18).
- the AAA server 520 then transmits an access confirmation message to the activation component 200a via the VPN server 350 and the VPN client 180a (steps 7.19-7.21).
- the activation component 200a may then notify the application 120 that it has been granted access to the network 305.
- Figure 8 illustrates an example where the first network access portion comprises a plurality of data communications clients 180a and 185a, each of which is configured to communicate with different second network access portions 540 and 550.
- client devices can be configured with multiple data communications clients, each implementing, for example, a different VPN technology and thereby enabling applications 120 and 130 to connect to different networks using a variety of data communication technologies.
- the different second network access portions may be located in different networks 305a and 305b, thereby enabling applications 120 and 130 to access different networks 305a and 305b.
- the data communications clients 180a, 185a, 180b or 185b are integrated with the application 120 or 130, in which case the plurality of data communications clients may be provided as a plug-ins to, or communicate with, the applications via API libraries.
- this arrangement enables the following configurations: User A is granted access to use Application 1 120 that connects to Service 1 320a on intranet 305a via VPN clientl 180a and VPN serverl 350.
- User A is granted access to use Application2 130 that connects to Service2 330b on intranet 305b via VPN client2 185b and VPN server2 355.
- User C is granted access to use Application2 130 that connects to Service2 330a on intranet 305a via VPN clientl 180b and VPN serverl 350.
- Malware 140 is unable to connect to intranet 305a as it cannot connect to VPN serverl 350 and is unable to connect to intranet 305b as it cannot connect to VPN server2 355.
- the access control system is capable of granting single sign on access, to an application running on the client device, in relation to a service within the network 305a.
- the first and second access control portions cooperate such that single sign on access to requested services is granted on the basis of at least an identifier correspond to the application, i.e. the UID 400a.
- the first access control portion may comprise a token based client, which, in the event that the single sign on is implemented using Kerberos technology, may be a Kerberos client.
- the second access control portion may comprise a token-issuer and a token repository, which in the event that the single sign on is implemented using Kerberos technology, may be the KDC 315 and a token server 360, 370 respectively (hereinafter referred to as a ticket server 360 and keystore 370; tokens are alternatively referred to as tokens or tickets herein).
- the keystore 370 is arranged to store tokens in association with the UID 400a corresponding to the service for which a given token has been granted.
- a token based client may be integrated with the application 120 requiring single sign on access to a service within the network 305, or may be a service embodied on the client device 100a that is available to all applications on the client device.
- Application 120 initiates a request to access service 320 by transmitting a token request to the Kerberos client 190a, which encapsulates the UID 400a corresponding to the application 120 in the token request and transmits it to the ticket server 360 (steps 10.1 and 10.2).
- the ticket server 360 In response to receiving the token request comprising the UID 400a, the ticket server 360 triggers a token retrieval process or a token generation process. The decision as to which of the processes is invoked is dependent upon the ticket server identifying a token corresponding to the received UID 400a in the keystore 370. For example, in the event that a token corresponding to the received UID 400a is identified, the ticket server 360 triggers the token retrieval process, and in the event that it is not identified, the ticket server 360 triggers the token generation process (step 10.3). As will be appreciated, the presence of a valid token by the ticket server 360 indicates that the user has been authenticated for the requested service.
- the ticket server 360 checks for the presence of a TGT 420a in the keystore 370 corresponding to the UID 400a. In response to identification of the TGT 420a, the ticket server 360 checks the validity of the identified TGT 420a and, if it is determined to be valid, encrypts it using the afore-mentioned key 410a. The ticket server 360 then encrypts, whereby to securely transmit, the identified TGT 420a to the Kerberos client 190a, whereby to perform a first part of the token generation process (step 10.4).
- the Kerberos client 190a decrypts the encrypted TGT using the key 410a associated with the application 120 (step 10.5, this key being stored locally as a result of step 4.14).
- the Kerberos client 190a then transmits the TGT to the KDC 315 to trigger generation of a token for the requested service 320 (step 10.6).
- the KDC 315 verifies the received TGT, and in response to successfully verifying the received TGT, the KDC 315 generates a token and transmits the token to the Kerberos client 190a (steps 10.7 and 10.8).
- the Kerberos client 190a encrypts the received token using the cryptographic key 410a corresponding to the application (step 10.9).
- the Kerberos client 190a then transmits the encrypted token in conjunction with the UID 400a to the ticket server 360 (step 10.10).
- the ticket server 360 retrieves the key 410a corresponding to the UID 400a and uses this to decrypt the token (step 10.11), thereby authenticating the application 120.
- the ticket server 360 stores the token in a record corresponding to the UID 400a maintained at the keystore 370 (step 10.11).
- the Kerberos client 190a additionally passes the token to the application 120 for use in accessing the service 320 (step 10.12).
- steps 10.13 and 10.14 enable the application 120 to access the service 320 by presenting the token to the service 320, whereby to gain access to the service 320 without having to provide user credentials (steps 10.13 and 10.14).
- the second access portion (here ticket server 360) initiates a token retrieval process.
- this process involves the ticket server 360 retrieving, from the keystore 370, the token, and securely transmitting the token to the Kerberos client 190b (step 11.4).
- secure transmission may involve the ticket server 360 encrypting the token using the key 410a and transmitting the encrypted token to the application 120.
- the Kerberos client 190b decrypts the token using the key 410a, and passes the unencrypted token to the application 120 for use in accessing the service 320 (step 11.6).
- the application 120 then accesses the service 320 by presenting the token to the service (steps 11.7 and 11.8).
- the keystore 370 forming part of the second access portion may be embodied by a keystore 370a or 370b, each of which maintains tokens in relation to every user of a given client device 100a.
- the keystore 370a maintains a list of token granting tokens 420a...420d as a function of associated users and devices: there is one TGT for each user and each device associated with the user, and there are as many tokens 430a...430n as there are authenticated requests to access services from the user and from a given device.
- token granting tokens 420a...420d and the corresponding tokens 430a...430n may be associated with the corresponding client device UDID 300a, 300b and user ID 600a, 600b.
- tokens 430 can be shared between devices for a given user, only one token granting ticket (TGT) 420 is required for each user, while there are as many tokens 430 as there are authenticated requests to access services for a given user.
- TGT token granting ticket
- Figure 13a illustrates an example in which, rather than integrating the token based client and data communications client with respect to a given application 120, the first application access control portion comprises a token based client 115 as a service on the client device 100a, and the first network access control portion comprises a data communications client 155 configured as a service on the client device 100a.
- the second access control portion may comprise the KDC 315 and the ticket server 360.
- the ticket server 360 maintains the cryptographic key 410a in association with the UID 400a. This prevents malware application 140 - which has an identity other than those UID 400a that are known to the second network access portion - from gaining access to network services by sniffing data corresponding to authenticated applications 120 and 130.
- the steps involved in granting access to a network service 320 to the application 120, where the token based client 115 is provided as a service on the client device 100a, will now be described with reference to Figure 13b.
- the application 120 requests access to the service 320 by transmitting a request to the Kerberos client 115 using a standard Kerberos API, which then attempts to identify a token corresponding to the UID 400a in a locally maintained associated keystore 105 whereby to selectively trigger a token retrieval process or a token granting process (steps 13.1 and 13.2)
- the Kerberos client 115 retrieves a ticket granting ticket corresponding to the UID 400a associated with the application 120 from the local keystore 105 (step 13.2). The Kerberos client 115 then transmits a token request to the KDC 315, the request comprising the retrieved ticket granting ticket (step 13.3).
- the KDC 315 In response to receiving the token request, the KDC 315 verifies the ticket granting ticket, and if valid, the KDC 315 generates a token (step 13.4) and transmits the generated token to the Kerberos client 115 (step 13.5).
- the Kerberos client 115 then sends a request to the ticket server 360 for the key 410a associated with the UID 400a (step 13.6), which responds by retrieving the requested key 410a from the keystore 370 and sending the key 410a to the Kerberos client 115 (step 13.7).
- the Kerberos client 115 In response to receiving the token, the Kerberos client 115 saves the token in the local keystore 105, encrypts the token with the key 410a received at step 13.7, and passes the encrypted token to the application 120.
- the application 120 having access itself to the key 410a, decrypts the token and presents the token to the service 320, thereby invoking single sign on access to the service (steps 13.8 - 13.12).
- the Kerberos client 115 requests a key 410a from the ticket server 360, and in response to receipt of the key 410a, encrypts the retrieved token with the key 410a, and passes the encrypted token to the application 120. This part of the process is as described above with reference to steps 13.8-13.12.
- the first network access control portion comprises a data communications client 155 configured as a service on the client device 100a (shown as VPN client 155).
- the public APIs associated with the VPN client 155 include a means to enforce network access control such that the malware application 140 is unable to use a connection to the network 305 that has already been established by an authenticated application.
- One such means which may be implemented using the known Network Access Protection (NAP) client-server technology developed by Microsoft (TM) , as described in e.g. "Introduction to Network Access Protection" in a white paper published June 2004.
- NAP Network Access Protection
- TM Microsoft
- the client device 100a could be provisioned with a NAP client (not shown), which, via the associated APIs, is configured with firewall outbound connection filtering/operating system access control/network APIs so as to limit access to a network 305 to a preconfigured list of applications on the device.
- a NAP client not shown
- firewall outbound connection filtering/operating system access control/network APIs so as to limit access to a network 305 to a preconfigured list of applications on the device.
- FIG 14 shows an arrangement in which the client device 100a accesses the network 305 locally via Wi-Fi.
- the data communications client 155 is provided as a service on the client device 100a, and in this arrangement includes a Wi-Fi client that cooperates with a Wi-Fi access point 650 embodying at least part of the second network access portion.
- Wi-Fi access presents particular problems to secure access since, if a device is within range of a Wi-Fi access point, if the client device 100a is able to connect to the Wi-Fi access point, the device is then effectively given unfettered access to all services on the network 305, meaning that Malware 140 can access services on the intranet 305.
- the Wi-Fi client 155 and Wi-Fi Access Point 650 are configured to support 802. l lx, which enables the RADIUS client 540 to interoperate with AAA Server 520 to implement the access control method described for the arrangement shown in Figure 13a.
- the Wi-Fi Access Point 650 may support guest account access which allows Wi-Fi clients to be connected to the external Internet only and have no access whatsoever to the network 305.
- the data communications client 155 additionally includes a VPN client and the second network access portion includes a VPN server, which cooperate to grant access using the mechanism described above with reference to Figures 6 and 7.
- FIG. 13a and 14 subsequent single sign on access by application 120 to service 320 within the network 305 is controlled by a token based client as described above with reference to Figures 9 and 10.
- the token based client can either be provisioned as a service 115 on the client device ( Figures 13a, 14), or implemented as individual token based clients, as shown in Figure 9.
- the application 120 is a web browser, and services to which the application 120 connects are web services, these can be web sites and/or servers implemented behind an enterprise's firewall.
- the browser is preferably configured with a built-in VPN and Wi-Fi client as shown in e.g. Figures 3 and 14 and which implements the network access functionality described with reference to Figures 4, 6 and 7. Further, the browser can support multiple built-in VPN clients that use different vendor VPN technologies, as described with reference to Figure 8. This enables a user of the device to securely browse web sites and services that are behind enterprise's firewall, both locally on intranet (using wired or wireless local area network e.g. Ethernet or Wi-Fi) and remotely using a VPN (via Wi-Fi, Ethernet or Wireless Wide-Area Network).
- wired or wireless local area network e.g. Ethernet or Wi-Fi
- a VPN via Wi-Fi, Ethernet or Wireless Wide-Area Network
- All browser data relating to a given user's browsing session can be encrypted locally using key 410a thereby safe-guarding all sensitive enterprise data that the user may have accessed. Further, all browser data is sandboxed and is inaccessible to other applications or other user sessions within the browser.
- browser data can be securely wiped (deleted) either remotely by user or administrator for the case where a device is lost or stolen, after defined number of failed unlock attempts or locally by user.
- Access to the browser can be locked by means of a password-protection mechanism; preferably this password is distinct from the credentials described above with respect to step 4.1 that are required to authenticate user to the enterprise network, since these may only be required once per day for example.
- the browser makes use of built in secure single sign-on authentication (Kerberos, WebSSO and Integrated Windows Authentication) that enables the user to automatically authenticate to any web-site or service on the protected network without having to re-enter their credentials.
- the application access control system incorporated in the browser supports multiple users and multiple authentication realms, enabling multiple users to use the same browser to authenticate to services on one or more different enterprise networks.
- the browser has support for multiple users, each with their own password lock and separate and private browser data. Further, individual users can create multiple user accounts and switch between them.
- Each user has one or more user accounts:
- Each user account has completely separate and isolated (sandboxed) data that is encrypted and password protected as described above;
- Each user account has its own tabs, favourites, settings and secured browser data as described above;
- Each user account can be separately authenticated with choice of enterprise network (domain);
- Each account may use the same or different VPN client technology, compatible with the VPN server deployed for their enterprise network, as described above.
- Each account is locked when user switches to another account, exits their account or automatically after a defined inactivity period.
- the user may also manually lock their account. This allows the same device to be securely shared with colleagues to access their data. As a result, a single user can securely access different systems by having separate accounts, thereby ensuring secure access to each network and ensuring that data from each network is isolated.
- the browser can be configured to allow users to access the Internet in addition to enterprise networks while keeping the user's data associated with each network separate and secure.
- the data communications client 180a can be configured to automatically switch between the Internet and an enterprise network based on the URL or IP address of the data or service being accessed.
- the data communications client 180a, 155 and the token based client 190a, 115 are embodied as application libraries which enable these applications to benefit from secure network access, VPN, Kerberos, password and encryption key management in the manner described above .
- Figures 4, 6, 7, 10, 11, 13b illustrate messages transmitted between, and functions performed by, a device and various network entities according to example embodiments of the invention.
- each functional step may be implemented by various means, such as hardware, firmware, processor, circuitry, and/or other devices associated with execution of software including one or more computer program instructions.
- one or more of the procedures described above may be embodied by computer program instructions.
- the computer program instructions which embody the procedures described above may be stored by a memory device of an apparatus employing an embodiment of the present invention and executed by a processor of the apparatus.
- any such computer program instructions may be loaded onto a computer or other programmable apparatus (e.g., hardware) to produce a machine, such that the resulting computer or other programmable apparatus implements the functions specified in the figures.
- These computer program instructions may also be stored in a computer-readable memory that may direct a computer or other programmable apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture the execution of which implements the function specified in the figures.
- the computer program instructions may also be loaded onto a computer or other programmable apparatus to cause a series of operations to be performed on the computer or other programmable apparatus to produce a computer-implemented process such that the instructions which execute on the computer or other programmable apparatus provide operations for implementing the functions specified in the figures
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Selective Calling Equipment (AREA)
- Computer And Data Communications (AREA)
- Storage Device Security (AREA)
Abstract
Description
Claims
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
GB1314269.0A GB2501653A (en) | 2011-01-21 | 2012-01-23 | Method and system for controlling access to networks and/or services |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
GB1101073.3 | 2011-01-21 | ||
GB1101073.3A GB2487533A (en) | 2011-01-21 | 2011-01-21 | Access control with application specific rules and access requests including application identifiers |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2012098265A1 true WO2012098265A1 (en) | 2012-07-26 |
Family
ID=43769420
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/EP2012/050991 WO2012098265A1 (en) | 2011-01-21 | 2012-01-23 | Method and system for controlling access to networks and/or services |
Country Status (2)
Country | Link |
---|---|
GB (2) | GB2487533A (en) |
WO (1) | WO2012098265A1 (en) |
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106506498A (en) * | 2016-11-07 | 2017-03-15 | 安徽四创电子股份有限公司 | A kind of inter-system data calls authorization and authentication method |
GB2545894A (en) * | 2015-12-21 | 2017-07-05 | F Secure Corp | Network service abuse prevention |
US10454917B2 (en) | 2015-11-05 | 2019-10-22 | Red Hat, Inc. | Enabling single sign-on authentication for accessing protected network services |
CN111109657A (en) * | 2020-02-06 | 2020-05-08 | 广芯微电子(广州)股份有限公司 | Electronic cigarette and encryption and decryption authentication method thereof |
CN114051714A (en) * | 2019-06-06 | 2022-02-15 | 思科技术公司 | System and method for generating context tags |
CN114595465A (en) * | 2020-12-04 | 2022-06-07 | 成都鼎桥通信技术有限公司 | Data encryption processing method and device and electronic equipment |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2005043334A2 (en) * | 2003-10-29 | 2005-05-12 | Qualcomm Incorporated | Methods and apparatus for providing application credentials |
US20090241170A1 (en) * | 2008-03-19 | 2009-09-24 | Applied Identity | Access, priority and bandwidth management based on application identity |
WO2010045426A1 (en) * | 2008-10-16 | 2010-04-22 | Verisign, Inc. | Transparent client authentication |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7069330B1 (en) * | 2001-07-05 | 2006-06-27 | Mcafee, Inc. | Control of interaction between client computer applications and network resources |
US20060248578A1 (en) * | 2005-04-28 | 2006-11-02 | International Business Machines Corporation | Method, system, and program product for connecting a client to a network |
US8495181B2 (en) * | 2006-08-03 | 2013-07-23 | Citrix Systems, Inc | Systems and methods for application based interception SSI/VPN traffic |
-
2011
- 2011-01-21 GB GB1101073.3A patent/GB2487533A/en not_active Withdrawn
-
2012
- 2012-01-23 WO PCT/EP2012/050991 patent/WO2012098265A1/en active Application Filing
- 2012-01-23 GB GB1314269.0A patent/GB2501653A/en not_active Withdrawn
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2005043334A2 (en) * | 2003-10-29 | 2005-05-12 | Qualcomm Incorporated | Methods and apparatus for providing application credentials |
US20090241170A1 (en) * | 2008-03-19 | 2009-09-24 | Applied Identity | Access, priority and bandwidth management based on application identity |
WO2010045426A1 (en) * | 2008-10-16 | 2010-04-22 | Verisign, Inc. | Transparent client authentication |
Cited By (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10454917B2 (en) | 2015-11-05 | 2019-10-22 | Red Hat, Inc. | Enabling single sign-on authentication for accessing protected network services |
US11102191B2 (en) | 2015-11-05 | 2021-08-24 | Red Hat, Inc. | Enabling single sign-on authentication for accessing protected network services |
GB2545894A (en) * | 2015-12-21 | 2017-07-05 | F Secure Corp | Network service abuse prevention |
CN106506498A (en) * | 2016-11-07 | 2017-03-15 | 安徽四创电子股份有限公司 | A kind of inter-system data calls authorization and authentication method |
CN114051714A (en) * | 2019-06-06 | 2022-02-15 | 思科技术公司 | System and method for generating context tags |
CN114051714B (en) * | 2019-06-06 | 2023-06-09 | 思科技术公司 | System and method for generating context labels |
CN111109657A (en) * | 2020-02-06 | 2020-05-08 | 广芯微电子(广州)股份有限公司 | Electronic cigarette and encryption and decryption authentication method thereof |
CN111109657B (en) * | 2020-02-06 | 2020-12-08 | 广芯微电子(广州)股份有限公司 | Electronic cigarette and encryption and decryption authentication method thereof |
CN114595465A (en) * | 2020-12-04 | 2022-06-07 | 成都鼎桥通信技术有限公司 | Data encryption processing method and device and electronic equipment |
Also Published As
Publication number | Publication date |
---|---|
GB201314269D0 (en) | 2013-09-25 |
GB201101073D0 (en) | 2011-03-09 |
GB2487533A (en) | 2012-08-01 |
GB2501653A (en) | 2013-10-30 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
EP3453136B1 (en) | Methods and apparatus for device authentication and secure data exchange between a server application and a device | |
CN113810369B (en) | Device authentication based on tunnel client network request | |
US8359464B2 (en) | Quarantine method and system | |
US8365266B2 (en) | Trusted local single sign-on | |
KR101471379B1 (en) | Domain-authenticated control of platform resources | |
JP6335280B2 (en) | User and device authentication in enterprise systems | |
JP4746266B2 (en) | Method and system for authenticating a user for a sub-location in a network location | |
JP6170158B2 (en) | Mobile multi single sign-on authentication | |
US8595810B1 (en) | Method for automatically updating application access security | |
US20170250974A1 (en) | System and method for service assisted mobile pairing of password-less computer login | |
US20080148046A1 (en) | Real-Time Checking of Online Digital Certificates | |
US20070266421A1 (en) | System, method and computer program product for centrally managing policies assignable to a plurality of portable end-point security devices over a network | |
US7987357B2 (en) | Disabling remote logins without passwords | |
US20170055146A1 (en) | User authentication and/or online payment using near wireless communication with a host computer | |
EP3283964B1 (en) | Method of operating a computing device, computing device and computer program | |
US20150121498A1 (en) | Remote keychain for mobile devices | |
JP2015535984A5 (en) | ||
US9600656B1 (en) | System and method for domain password reset in a secured distributed network environment | |
WO2012098265A1 (en) | Method and system for controlling access to networks and/or services | |
US20130073844A1 (en) | Quarantine method and system | |
US8171530B2 (en) | Computer access security | |
JP6464544B1 (en) | Information processing apparatus, information processing method, information processing program, and information processing system | |
KR20150074128A (en) | Method for downloading at least one software component onto a computing device, and associated computer program product, computing device and computer system | |
WO2015078500A1 (en) | Method and system for secure execution of web applications for mobile devices | |
US11477185B2 (en) | Method and system for single sign-on authentication |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 12703724 Country of ref document: EP Kind code of ref document: A1 |
|
NENP | Non-entry into the national phase |
Ref country code: DE |
|
ENP | Entry into the national phase |
Ref document number: 1314269 Country of ref document: GB Kind code of ref document: A Free format text: PCT FILING DATE = 20120123 |
|
WWE | Wipo information: entry into national phase |
Ref document number: 1314269.0 Country of ref document: GB |
|
122 | Ep: pct application non-entry in european phase |
Ref document number: 12703724 Country of ref document: EP Kind code of ref document: A1 |