CA2276235A1 - Authentication process for protected accesses in a networked data processing system - Google Patents


Info

Publication number: CA2276235A1
Authority: CA (Canada)
Prior art keywords: station, authentication, security, server, module
Legal status: Abandoned (as listed by Google Patents; the status is an assumption, not a legal conclusion, and Google has performed no legal analysis)
Application number: CA 2276235
Other languages: French (fr)
Inventors: Pierre Caubit, Philippe Sarcher
Original assignee: Bull SA
Current assignee: Bull SA (as listed by Google Patents; listed assignees may be inaccurate)
Events: application filed by Bull SA; publication of CA2276235A1; legal status abandoned

Classifications (CPC)

All under G PHYSICS; G06 COMPUTING, CALCULATING OR COUNTING; G06F ELECTRIC DIGITAL DATA PROCESSING:

    • G06F21/41: User authentication where a single sign-on provides access to a plurality of computers (under G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals; G06F21/31 User authentication)
    • G06F21/34: User authentication involving the use of external additional devices, e.g. dongles or smart cards (under G06F21/00; G06F21/30; G06F21/31)
    • G06F21/57: Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities (under G06F21/00; G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems)
    • G06F2211/1097: Boot, Start, Initialise, Power (under G06F2211/00 Indexing scheme relating to details of data-processing equipment not covered by groups G06F3/00 - G06F13/00)

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)
  • Computer And Data Communications (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The security server (30) includes a server security management software module (33) using a station security management software module (35) and a station adaptation software module (36) for adapting to a maximum number of authentication modules (34a-34q) necessary to the execution of a maximum number of authentication methods (Ma-Mn). In order to perform an authentication, the process is comprised of downloading into the station (20) a copy (35') of the station security management software module (35), which verifies in the station whether a valid copy (36') of the station adaptation module (36) is present in the station, and if not, orders its downloading into the station, and which controls the authentication of the entity in accordance with the specific means (23a-23k) available in the station.

Description

Technical Field

The invention relates to the authentication required for protected accesses in a networked data processing system. Its subject is a process for authenticating at least one user entity of at least one station for access to protected resources in a networked data processing system, as well as the resulting system.

It applies to any networked data processing system, which by definition comprises at least one station linked to at least one server through a network. The term "station" is used here in a general sense to designate not only a workstation but also any computer (a personal computer, minicomputer, or very large scale computer, also called a "mainframe") or any device like the one known as "Web-TV," which is connected directly to a television set and has only very limited resources, both in terms of hardware and software.

Although other servers can exist in the system, the invention relates to a security server. This can be a server in its entirety or one of the functions included in a server. The security function consists of managing the authentication of various user entities of a station of the system. An entity can be a person, known as a user, or a software function that can request access to the system through the network. The software function can be, for example, a software application for using a database. The entity can also be the station itself. Generally, it is understood that for protected accesses, it is necessary for the user and/or the station to be authenticated by the security server. Certain applications like those for using databases, or certain information linked to these applications, are only accessible to authorized persons, particularly for confidentiality reasons or for the purpose of preserving the integrity of this information. Likewise, certain types of operations are also subject to authorization. For example, a user may read data in a database even though the operations for writing and/or erasing data in the base are forbidden to him.

The network can be of any type, and in the example that follows it will be considered to be the one currently known by the name Internet, this word encompassing the networks known as "Intranets" and "Extranets." Likewise, the communication protocol can be of any type.

Finally, the resources can be any software and/or hardware resources, such as drafting software, a database and a telephone line for transmitting a fax.

The Prior Art

Generally, a station can use a number less than or equal to a number n of authentication methods recognized by the security server. The authentication requires a station to have specific means for authentication according to at least one given method.

The specific means comprise a hardware part necessary to the authentication and a software part. A station can have a number less than or equal to a number p of specific means. An authentication method is used by a number less than or equal to a number q of authentication modules recognized by the security server for the execution of authentication methods. It must be noted that an authentication module can use one or more authentication methods and/or one or more specific means.

Moreover, a method can involve a number, at least equal to 1, of specific means. Other methods, other specific means and/or other authentication modules may be available in one or more stations. However, the server does not recognize them, and these methods, means and/or modules cannot be used by the server for authentication. When a request to access a protected resource is formulated by a user, a dialogue is established between the station and the server. The information exchanged depends on the method used.

A first important problem stems from the fact that a large number of authentication methods already exist and that still others will be added. These methods have a wide variety of levels of security and degrees of reliability. Moreover, because of the worldwide expansion of networks and their users and databases, there is an increasingly large number of conditions for access to protected resources. Furthermore, it has been observed that the stations capable of coexisting in the network are of very different natures, are able to use different operating systems from one another, and are also equipped with very different software and hardware resources.
One example of low-level authentication consists of asking the user for a password associated with a user identification. In this example, when the user sends a request to access a given application, the server returns in response a so-called "Web" page, for example in the language HTML (HyperText Markup Language). This page is displayed on the screen of the station.

It is a type of form, and appears in the form of a dialog box. In the box is an area for entering an identifier of the user, for example his name, and another area for entering a password. When both areas of the page are filled in, a click on a control button available in the box sends the page to the server. The sending with the protocol HTTP normally takes place in a mode known as "GET" or in a mode known as "POST." The mode is programmed into the page transmitted to the station by the server. The server comprises a suitable interface called CGI (Common Gateway Interface), which presents the information it receives in a pre-established way so as to serve as a standardized entry into a given application.

In order for the transaction to benefit from a minimum of security, it is also necessary for the identification data not to be transmitted through the network in unencrypted form. It is therefore necessary for the navigator (browser) to be of the secured type and to be able to use a logical layer of the network, for example the security layer known as SSL (Secure Socket Layer), or the more recent one known as TLS (Transport Layer Security).

The security server has a security database that associates the identifier with the password. If the comparison performed on this pair of data is positive, access to the requested resource is granted. In the opposite case, it is denied. The security server can also store a security profile associated with a given user, the profile granting him only the right to perform certain operations (reading, writing, etc.).

Consequently, in this example of low-level authentication, the hardware part of the specific authentication means is constituted by the screen and the keyboard of the station. In the station, it is understood that a software module is required for receiving and processing the page sent by the server, as well as for returning the filled-in page to the server. The server must therefore also have a software module for adapting to this method, which cooperates with the software part of the specific authentication means.
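The identifier/password exchange described above, as an added example in Go that is not part of the patent or of Bull's software. It shows the server side of the CGI-style entry point: the form is accepted only by POST (with GET the two fields would travel in the URL and end up in server logs, proxies and browser history), the "comparison on the pair" is done against a salted digest rather than a stored clear-text password, in constant time, and the answer carries the rights of the security profile. The salted SHA-256 storage, the handler path, the field names and the two enrolled users are assumptions of this example; a production server would use a memory-hard password hash such as bcrypt, scrypt or Argon2 in place of one SHA-256 round.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Profile is the security profile the patent associates with a user: the
// operations the user may perform on the protected resource.
type Profile struct {
	Read, Write, Erase bool
}

// record is one entry of the security database. The password is kept only as
// a salted SHA-256 digest (an assumption of this example; the patent only says
// the database "associates the identifier with the password").
type record struct {
	salt, digest []byte
	profile      Profile
}

var securityDB = map[string]record{}

func hashPassword(salt []byte, password string) []byte {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(password))
	return h.Sum(nil)
}

// Enroll adds a user to the constructed security database under a random salt.
func Enroll(id, password string, p Profile) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		panic(err)
	}
	securityDB[id] = record{salt: salt, digest: hashPassword(salt, password), profile: p}
}

// Authenticate is the "comparison performed on this pair of data": the
// identifier selects the record, the submitted password is re-hashed under the
// stored salt and compared in constant time, so response time does not reveal
// how many bytes matched. An unknown identifier is hashed anyway so that it
// costs the same as a known one with a wrong password.
func Authenticate(id, password string) (Profile, bool) {
	rec, ok := securityDB[id]
	if !ok {
		hashPassword(make([]byte, 16), password)
		return Profile{}, false
	}
	if !hmac.Equal(hashPassword(rec.salt, password), rec.digest) {
		return Profile{}, false
	}
	return rec.profile, true
}

// loginHandler plays the role of the CGI entry point. It accepts only POST:
// with GET the identifier and password would travel in the URL and end up in
// server logs, proxies and browser history. It reads the two form fields and
// answers with the rights granted by the profile.
func loginHandler(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodPost {
		w.Header().Set("Allow", http.MethodPost)
		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
		return
	}
	if err := r.ParseForm(); err != nil {
		http.Error(w, "bad form", http.StatusBadRequest)
		return
	}
	p, ok := Authenticate(r.PostFormValue("user"), r.PostFormValue("password"))
	if !ok {
		http.Error(w, "access denied", http.StatusUnauthorized)
		return
	}
	fmt.Fprintf(w, "read=%t write=%t erase=%t", p.Read, p.Write, p.Erase)
}

// Submit sends the filled-in form to the handler the way the station's browser
// would and returns the status code and body it gets back.
func Submit(method, user, password string) (int, string) {
	form := url.Values{"user": {user}, "password": {password}}
	req := httptest.NewRequest(method, "/cgi-bin/login", strings.NewReader(form.Encode()))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	rec := httptest.NewRecorder()
	loginHandler(rec, req)
	return rec.Code, strings.TrimSpace(rec.Body.String())
}

func main() {
	Enroll("alice", "correct horse", Profile{Read: true, Write: true}) // constructed users
	Enroll("bob", "battery staple", Profile{Read: true})
	for _, c := range [][3]string{
		{"POST", "alice", "correct horse"},
		{"POST", "bob", "wrong password"},
		{"GET", "alice", "correct horse"},
	} {
		code, body := Submit(c[0], c[1], c[2])
		fmt.Printf("%s %s -> %d %s\n", c[0], c[1], code, body)
	}
}
```

The handler deliberately gives the same "access denied" answer for an unknown identifier and for a wrong password, so the form cannot be used to enumerate valid user names; the TLS layer the patent mentions is assumed to sit in front of this handler and is not shown.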
Another example of a higher-level authentication uses a chip card (a card incorporating an integrated circuit). In this case, the exchanges are comparable to those described in the preceding paragraph. However, the hardware part of the specific means possessed by the station must comprise, in addition to the screen, a chip card reader and software for interfacing with this reader, like that known as an API (Application Program Interface).

The chip contained in the card records identification data in encrypted form. The insertion of the card can suffice as an authentication operation, the identification data being read and transmitted. But it is understood that only the card is identified and not its user. Thus, it is preferable to combine this method with a method that requires the entry of a secret code. It is therefore also understood that the software module must be different from the one in the preceding example of low-level security. Furthermore, it is also understood that the station must have a software module for adapting to this method, which is different from the module of the preceding paragraph and which can even be incompatible with the latter.
Another exemplary authentication also depends on the environment in which the user's station is running. This is the case, for example, for the operating system known by the registered trade name "Windows NT." This can also be a module added to the operating system. The user must be authenticated, even in the local mode, i.e., even in the absence of any request from the Internet network to the information processing system. The user is then declared in advance, and his local rights are specified. When there is a request to the security server, the security server again requests an authentication. This constitutes a waste of time and annoys the user.

Other new authentication methods also exist, and still others will emerge shortly. These methods are generally more sophisticated and offer greater authentication security. Among the emerging techniques, it is possible to cite authentication using biometric techniques, certificates in accordance with the "X509" standard, etc. It is therefore necessary for authentication processes to be able to adapt to these methods without its being necessary to substantially modify the existing ones. Finally, it is necessary for the authentication processes, while accepting these new techniques, to remain compatible with the techniques currently used (so-called "upward" compatibility).
The following example presents a high-level authentication method using a biometric technique. In this case, the station is equipped with specific means for acquiring the necessary biometric data, such as the user's signature, fingerprint, retina (measurements of pressure, speed, etc., by a transducer), a visual recognition, etc. The information related to the signature requires pressure, speed and image measurements, and consequently requires specific means that are varied and complex to be disposed as peripherals to the station. For visual recognition, it is possible to use a video camera, for example of the "WebCam" type, connected to a parallel input-output port of the station. The data acquired is normally sufficient for it to be unnecessary to enter additional identification data, such as the identifier and a password. A specific API interface is necessary. Here again, this specific method requires specific security software, very different from those described above and even incompatible with them.
Another emerging high-level authentication method is indicated above, which consists of using authentication certificates. For this purpose, it is possible to use the "X509" standard. A certificate of this type gathers various data, normally comprising an identifier, a so-called public key, a digital signature and other data such as the expiration date. The certificate is signed by a so-called "trusted" authority (CA or "Certification Authority"), which guarantees the authenticity of the public key. Version 3 of the "X509" standard authorizes the insertion of two categories of additional data: standardized extensions such as an e-mail address; and so-called "proprietary" extensions, freely available to the user and/or the security server. The certification authority (CA) is either integrated into the security server, or is independent (a specialized module) and accessed by this security server. The private or secret key is held by the client, i.e., known by the station. The certificate is transmitted, accompanied by a signature computed with the private key, through a secure layer like those known by the abbreviations "SSL" or "TLS." The private key is never transmitted. Its purpose is to prove legitimate possession of the certificate. The security certificates can also be transmitted through the Internet network with the aid of pieces of software known as "cookies." Again, it is clear that this method involves the use of specific means and security software means that are very different from those described above.
Thus, the diversity of methods, specific means and corresponding security software is clear. Naturally, the presentation of the data and/or information on the screen of a station differs from one authentication method to another. Furthermore, the needs of the various possible users and their knowledge of computer techniques are extremely varied. This is particularly the case with users of the Internet network, which is not generally confined to a homogeneous group of individuals, even when it involves a network of the Intranet type.

A second problem of the prior art appears in the following example. The example relates to the authentication of a user of a station wishing to access protected resources of a data processing system via an Internet network and a security server within the framework of a session of the client-server type.

Transmissions through the Internet network take place in accordance with specific protocols. One of the most frequently used protocols is known by the name HTTP (HyperText Transfer Protocol). This protocol, and most of the protocols currently in use, were essentially developed for handling simple queries and are easy for nonprofessional computer users to use. This protocol is implemented in the station by a module called a navigator or "browser." However, the protocol HTTP functions in a so-called "offline" mode, i.e., without keeping a connection between successive exchanges. The drawback is that the server cannot retain the context from one data exchange to another between the station and the server. This protocol is therefore not very suitable for exchanges of the transactional type.
A third problem is due to the fact that there is a wide variety of existing authentication modules. The best known currently use a software module called an "applet" in the Java language and the one called a "plug-in," particularly in the C language. Especially in the case of the "plug-in" module, the user must explicitly download it. The user may therefore have to intervene to order the downloading of multiple modules for complex methods. These downloads take place by means of various commands, which specifically depend on the type of the station and its operating system.

A fourth problem exists, linked to the rapid evolution of the software relative to authentication methods. These software packages are frequently updated. Consequently, the user may also have to explicitly download their updates.

Summary of the invention

A first object of the invention is to automate the authentication so that no user has to intervene in the security software to be used. For example, the process of the invention enables the user to enter only his identifier and a password into the form-like page, or to simply insert his chip card into the reader associated with the station. In the case of a method of authentication by visual recognition by a camera, the user would no longer have any action to perform in order to achieve his authentication. This object therefore corresponds to offering any user the most transparent authentication possible.

A second object of the invention is to provide the authentication process with great flexibility, by integrating the current methods and the updating of the corresponding software, as well as the upcoming methods and software, in a way that is transparent for any user.

A third object of the invention is to adapt the authentication process to any type of station.

The subject of the invention is a process for authenticating at least one user entity of at least one station for access to protected resources of a data processing system via a network and a security server, the station having specific means for authentication according to at least one given method and the security server including a server security management software module, characterized in that it is initially comprised of making available to the security management module a station security management software module and a station adaptation software module for adapting to a maximum number of authentication modules necessary to the execution of a maximum number of authentication methods, and in order to perform an authentication, it is comprised of downloading into the station, via the network, a copy of the station security management module, which verifies in the station whether a valid copy of the station adaptation module is present in the station, and if not, orders its downloading into the station, and which controls the authentication of the entity in accordance with the specific means available in the station.

A corollary subject of the invention is a data processing system comprising at least one security server connected to at least one station via a network, as well as to protected resources, the station being usable by an entity and having specific means for authentication according to at least one given method, and the security server including a security management software module, characterized in that the system implements the process defined above.

The characteristics and advantages of the invention appear in the description given in reference to the attached drawings.
Presentation of the Drawings

Fig. 1 illustrates, in the form of a block diagram, an exemplary embodiment of a data processing system implementing an authentication process according to the invention; and Fig. 2 illustrates a list of methods used in an exemplary authentication process according to the invention.

Detailed Description of Examples Illustrating the Invention

Fig. 1 illustrates, in the form of a block diagram, a networked data processing system 10 according to the invention. As the system can be of any type, only the elements involved in the implementation of the authentication process according to the invention will be described, the other elements being well known to one skilled in the art.

The system 10 illustrated comprises at least one user entity (U) of at least one station 20 connected to at least one security server 30 through a network 11. The security server 30 is also linked to a plurality of protected resources 40 (40a-40m). The resources 40 can be software such as drafting software, and/or hardware such as a telephone switchboard or communication line, or a database. The resources 40 can be located in the same server assembly that includes the security server 30, or at a remote site connected to the server by a network, for example.

The station 20 includes at least one processor 21 connected to means forming a memory 22. The memory 22 is used to store software modules and data relative to the authentication of the entity U. The memory contains the software part of the specific means 23 for authentication according to at least one given method M. These specific means ordinarily comprise respective hardware parts necessary to the authentication and software modules specific to respective authentication methods, the modules normally being made of dynamic link libraries, known as DLLs, or API interfaces. These modules represent native functions, specific to the station and very different in terms of the authentication methods and the software environment, particularly the operating system. It is assumed that the station has a given number k of specific means 23a-23k for the authentication of a corresponding number of authentication methods Ma-Mk represented in the list in Fig. 2. Generally, the number k is a whole number equal to at least 1. In the drawings, the invention relates to only the software parts of the specific means, which are illustrated in the form of blocks included in the memory 22 of the station. The user entity U in this case is considered to be a user, although it could be a software entity such as an application, or the station itself. The authentication is handled by the processor 21.

The security server 30 comprises at least one processor 31 and means forming a memory 32. The memory 32 is used to store data related to the authentication of the entity U. The software data includes a server security management module 33. The management module 33 can be of the above-mentioned CGI type, and its main function is to manage security and the security-related exchanges between the server and the station. In addition, the server 30 is supposed to recognize a maximum number n of authentication methods Ma-Mn (see Fig. 2) that can be implemented by a maximum number p of specific means 23a-23p and a maximum number q of authentication modules 34a-34q. The number k of specific means that are available in any station of the system and that can be recognized by the server is therefore less than or equal to the number p. However, it is possible for the stations 20 of the system 10 to have specific means other than those indexed in the server 30. In this case, these other specific means are not usable by the server 30. Generally, a security server of the system 10 does not have to include authentication modules. However, the server 30 illustrated contains the modules 34a-34q for executing the number n of authentication methods Ma-Mn represented in the list in Fig. 2. The modules 34a-34q are coupled with the management module 33 in accordance with the prior art.

In the memory 32 of the server 30, the security management module 33 is linked to a station security management software module 35 and a software module 36 for adapting a station to the number q of authentication modules 34. The station adaptation module 36 illustrated is therefore linked to the number q of authentication modules 34. The functions of these two modules will emerge from the following description of the authentication process.
In order to perform an authentication, the process of the invention is comprised of downloading into the station 20, via the network 11, a copy 35' of the station security management module 35. The station security management module 35' downloaded into the station then verifies whether the station has a valid copy 36' of the station adaptation module 36 present in the server. If not, the station management module 35' orders the downloading of a copy of the station adaptation module 36 contained in the server. If the process is being used in the station for the first time, for example, the station will not incorporate a station adaptation module 36'. The station management module 35' therefore orders the downloading of a necessarily up-to-date copy 36' of the station adaptation module 36 present in the server. If the station 20 has already used the process, the station adaptation module 36' will have already been downloaded and may still exist in the station. However, it may not be valid, particularly if its version does not correspond with the version of the adaptation module 36 made available to the server. In this case, the station management module 35' orders the downloading of a valid copy 36' of the station adaptation module. The downloaded management module 35' can be, for example, a Java "applet" or a piece of software in the C language, transmitted at the same time as a "Web" page in the language HTML.
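The validity check that the downloaded management module 35' performs on the station's copy 36' of the adaptation module, as an added example in Go that is not part of the patent or of Bull's software. The patent defines a valid copy by its version; this example additionally verifies a SHA-256 digest announced by the server alongside the version (an assumption of this example, not something the patent describes), which is the check a practitioner wants before executing code downloaded from the network: a cached copy that is stale, truncated or tampered with is replaced, and a download whose bytes do not match what the server announced is rejected instead of stored. The module bytes, version strings and the download callback are constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// ModuleInfo is what the downloaded management module 35' knows about the
// adaptation module 36 the server currently makes available: its version and,
// as an assumption added by this example, the SHA-256 digest of its bytes.
type ModuleInfo struct {
	Version string
	SHA256  string
}

// Station is what a station retains from an earlier run. A station that has
// never used the process has no copy at all (Cached == nil).
type Station struct {
	Cached        []byte
	CachedVersion string
}

func digest(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// EnsureAdaptationModule is the check the patent describes: keep the local copy
// 36' if it is valid, otherwise download a fresh one. Here "valid" means the
// version matches the server's and the cached bytes still hash to the announced
// digest. A download that does not match the announced digest is rejected
// rather than stored, so the station never runs a module other than the one the
// server promised. It returns the module bytes and whether a download took place.
func EnsureAdaptationModule(st *Station, info ModuleInfo, download func() ([]byte, error)) ([]byte, bool, error) {
	if st.Cached != nil && st.CachedVersion == info.Version && digest(st.Cached) == info.SHA256 {
		return st.Cached, false, nil
	}
	fresh, err := download()
	if err != nil {
		return nil, true, err
	}
	if digest(fresh) != info.SHA256 {
		return nil, true, errors.New("downloaded adaptation module does not match the announced digest")
	}
	st.Cached, st.CachedVersion = fresh, info.Version
	return fresh, true, nil
}

func main() {
	v2 := []byte("adaptation module 36, version 2") // constructed module bytes
	info := ModuleInfo{Version: "2", SHA256: digest(v2)}
	serve := func() ([]byte, error) { return append([]byte(nil), v2...), nil }

	st := &Station{Cached: []byte("adaptation module 36, version 1"), CachedVersion: "1"}
	_, dl, err := EnsureAdaptationModule(st, info, serve)
	fmt.Println("stale version 1 cached:", dl, err)
	_, dl, err = EnsureAdaptationModule(st, info, serve)
	fmt.Println("valid version 2 cached:", dl, err)
	st.Cached[0] ^= 1 // corrupt the cached copy
	_, dl, err = EnsureAdaptationModule(st, info, serve)
	fmt.Println("tampered cache:", dl, err)
	bad := func() ([]byte, error) { return []byte("not the announced module"), nil }
	_, dl, err = EnsureAdaptationModule(&Station{}, info, bad)
	fmt.Println("mismatching download:", dl, err)
}
```

The digest is only as trustworthy as the channel that delivered it, which is why the patent's downloads of 35' and 36' belong on the same SSL/TLS-protected exchange as the rest of the dialogue; a signature over the module by the security server would let the station verify it even when the announcement and the bytes come from different places.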
The downloaded management module 35' then controls the authentication in accordance with the specific means available in the station. Many possible methods exist. In the example chosen, the downloaded management module 35' controls the selection of at least one method Mj from among the methods available in the station and the submission to the user entity U and/or to the specific authentication means 23j (not illustrated) of the station that are involved in the method selected. The control of the selection and submission of the method Mj can be handled by the downloaded management module 35' directly or, as in the example illustrated, via the station adaptation module 36', or via any other means. The submission could also be handled directly by the adaptation module 36'. The submission may involve the user U, for example if the method relates to an authentication by identifier and password. But it may not involve the user U, for example when the method is simply comprised of using a tiny camera as the specific means 23j, in order to photograph the user for the purpose of an authentication by visual recognition. It may also involve both the user and the specific means, for example for an authentication by means of a chip card or a fingerprint.
Preferably, the selection is made as a function of their degree of security. For example, the method Mj selected by the downloaded management module 35' offers the highest degree of security among the methods Ma-Mk available in the station. This selection is preferable because the method Mj is supposed to be able to offer the user U access to the greatest number of protected resources he can have. Of course, it would be possible to leave the choice up to the user. But if he chooses a method Mb with a lower degree of security, he may not get access to the resources he wants and therefore may have to restart the authentication procedure.

The selection of the method Mj with the highest degree of security can be comprised, in a first step, of downloading into the memory 22 of the station 20, preferably with the downloading of the management module 35 and/or of the adaptation module 36, a list 37 of all the methods available in the security server, in order of their degree of security. A list of this type is illustrated in Fig. 2. The second step is comprised of selecting from among these methods the one(s) available in the station. This selection can therefore be made as soon as the management module 35 has been downloaded. In this case, the list 37 could be a module independent from the other modules, or could be part of this module. In the example chosen, the list 37 is a component of the adaptation module 36.

Also preferably, the selected method Mj is submitted to the user U and/or to the corresponding specific means 23j in decreasing order of their degree of security. Thus, the user has the best authentication to start with, but he can use any other method available in the station. The choice can be made with the aid of a dialog box incorporating a list indicating the hierarchy of the methods Ma-Mk available in the station, allowing the user to make a choice, for example with the aid of a control button, by clicking it.

The list of authentication methods 37 is generally not a list that is fixed, i.e., determined once and for all. It can advantageously depend on the type and/or the nature of the resource before it is accessed. It is easy to understand that access to a non-confidential database does not require a high-level authentication method. In this case, the list can include only one low-level method (password and identifier, for example), in which case at least the authentication method referenced Mn will be a method with this level.
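The two-step selection described above, as an added example in Go that is not part of the patent or of Bull's software. The server encodes list 37 as keyword/value pairs in HTTP query-string form (the encoding the patent names later for exchanges between the management modules 35 and 35'; the keywords "method" and "level" are assumptions of this example), the station parses it, keeps only the methods for which it has the specific means 23a-23k and which reach the level the requested resource demands, and orders them by decreasing degree of security, so the first entry is Mj and the rest is what the dialog box offers as fallbacks. The method names, the numeric security levels and the station's means are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"sort"
	"strconv"
)

// Method is one entry of list 37: a method name and its degree of security,
// higher meaning stronger. The numeric scale is an assumption of this example;
// the patent only says the list is ordered by degree of security.
type Method struct {
	Name  string
	Level int
}

// EncodeList is the server's side: list 37 is carried as keyword/value pairs in
// HTTP query-string form, as the patent describes for exchanges between the
// management modules 35 and 35'. The keywords "method" and "level" are assumed.
func EncodeList(list []Method) string {
	v := url.Values{}
	for _, m := range list {
		v.Add("method", m.Name)
		v.Add("level", strconv.Itoa(m.Level))
	}
	return v.Encode()
}

// DecodeList parses the pairs back into an ordered list on the station,
// rejecting a malformed list instead of guessing.
func DecodeList(q string) ([]Method, error) {
	v, err := url.ParseQuery(q)
	if err != nil {
		return nil, err
	}
	names, levels := v["method"], v["level"]
	if len(names) != len(levels) {
		return nil, errors.New("malformed method list: method/level counts differ")
	}
	list := make([]Method, len(names))
	for i := range names {
		lvl, err := strconv.Atoi(levels[i])
		if err != nil {
			return nil, err
		}
		list[i] = Method{Name: names[i], Level: lvl}
	}
	return list, nil
}

// Select keeps the server's methods for which the station has the specific
// means 23a-23k and which reach the level the requested resource demands, in
// decreasing order of security. The first element is Mj, offered first; the
// rest is what the dialog box lets the user fall back to.
func Select(server []Method, stationMeans map[string]bool, minLevel int) ([]Method, error) {
	var usable []Method
	for _, m := range server {
		if stationMeans[m.Name] && m.Level >= minLevel {
			usable = append(usable, m)
		}
	}
	if len(usable) == 0 {
		return nil, errors.New("no method available in the station reaches the level required by the resource")
	}
	sort.SliceStable(usable, func(i, j int) bool { return usable[i].Level > usable[j].Level })
	return usable, nil
}

// ServerList is the constructed list 37 of this example, as the server holds it.
func ServerList() []Method {
	return []Method{
		{"x509-certificate", 4}, {"fingerprint", 4},
		{"chip-card-and-pin", 3}, {"identifier-and-password", 1},
	}
}

func main() {
	list, err := DecodeList(EncodeList(ServerList()))
	if err != nil {
		panic(err)
	}
	// Specific means present in this (constructed) station.
	means := map[string]bool{"identifier-and-password": true, "chip-card-and-pin": true}
	for _, need := range []int{0, 3, 4} {
		sel, err := Select(list, means, need)
		fmt.Printf("resource requiring level %d: %v %v\n", need, sel, err)
	}
}
```

Passing the resource's required level into Select is what makes list 37 "depend on the nature of the resource": the same server list yields two fallbacks for a non-confidential database, only the chip card for one that needs level 3, and a refusal, rather than a weaker method, when nothing in the station reaches level 4.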
The process can also offer help to the user in the particular case where the station activates an operating system requiring an initial authentication of the entity by the station. This case was presented in the introduction related to the prior art. The process is comprised of sending, under the control of the downloaded management module 35', this prior authentication to the security server. This can be done, for example, by sending an authentication certificate to the server, or with the aid of a particular interface API. If the initial authentication is recognized by the server, i.e., if it is carried out according to one of the methods Ma-Mn indexed in the server, the server accepts it and gives the user the corresponding access rights.
Thus, the user U does not need to redo the authentication procedure, as was the case with the prior art. If the server does not accept the initial authentication, it performs an authentication according to the invention, as described above.
This procedure is entirely transparent for the user. It may also be said to be a procedure of the type ordinarily known by the term "Single Sign-On."
Furthermore, given the invention's ease of use, the process of the invention can provide authentications at regular intervals, in accordance with pre-established security rules recorded in a security database that can be consulted by the security management module 35 of the server.
Within the framework of the Internet network used as an example, the information exchanged between the management modules 35 and 35' is made of a set of "keyword/value" pairs, in accordance with the "HTTP Query String" type of coding used for transmissions of the Internet type. However, the keywords and the value conventions are specific to the invention. Likewise, the routing of the data performed in the example illustrated is carried out in accordance with a standardized communication protocol, for example "HTTP." Other protocols can be used, particularly the protocol currently in development known as "IIOP" (for "Internet Interchange Object Protocol") which will allow transactions in the so-called online mode.
In addition, the server 10 could include a software module for adapting a server to the authentication modules 34a-34q. This software module would be necessary if the server 30 or the server management module 33 alone cannot ensure the verification of the data received from the station 20 and must have recourse to all or some of the authentication modules.
Moreover, it has been seen above that the authentication modules (34a-34q) may not exist. However, they could also be at least partially contained in the security server.
The process of the invention offers a great flexibility of use and has proven transparent for the user. It adapts to a multiplicity of both currently known and upcoming authentication methods, and to a multiplicity of stations.
The authentication process therefore has many advantages, particularly the following: control of the multiplicity of station configurations, simplicity for the end user, transparency of operations (the user need only enter a password and possibly an identifier for certain methods), automaticity of the downloads, potential compatibility with all existing and future techniques, without the need for substantial modifications or for downloading a plurality of different modules.

Claims (9)

1. Process for authenticating at least one user entity (U) of at least one station (20) for access to protected resources (40) of a data processing system (10) via a network (11) and a security server (30), the station having specific means (23a-23k) for authentication according to at least one given method (Ma-Mk), and the security server including a server security management software module (33), characterized in that it is initially comprised of making available to the security management module (33) a station security management software module (35) and a station adaptation software module (36) for adapting a maximum number of authentication modules (34a-34q) necessary to the execution of a maximum number of authentication methods (Ma-Mn), and in order to perform an identification, it is comprised of downloading into the station, via the network, a copy (35') of the station security management module (35), which verifies in the station whether a valid copy (36') of the station adaptation module (36) is present in the station, and if not, orders its downloading into the station, and which controls the authentication of the entity in accordance with the specific means (23a-23k) available in the station.
2. Process according to claim 1, characterized in that the downloaded management module (35') controls the selection of at least one method from among the methods available in the station.
3. Process according to claim 2, characterized in that the selection is made as a function of their degree of security.
4. Process according to claim 2 or 3, characterized in that the selection is comprised of downloading into the station, via the network, a list (37) of all the methods available in the security server in order of their degree of security, and of selecting from among these methods the one(s) available in the station.
5. Process according to claim 4, characterized in that the list is automatically downloaded with the management module or the adaptation module.
6. Process according to any of claims 1 through 5, characterized in that the submission is carried out by the adaptation module (36') present in the station under the control of the downloaded management module (35').
7. Process according to any of claims 1 through 6, characterized in that when the station activates an operating system requiring an initial authentication of the entity by the station, the process is comprised of sending, under the control of the station security management module, this initial authentication to the security server.
8. Process according to any of claims 1 through 7, characterized in that the authentication modules (34a-34q) are at least partially contained in the security server.
9. Data processing system (10) comprising at least one security server (30) connected to at least one station (20) via a network (11) as well as to protected resources (40a-40m), the station being usable by an entity (U) and having specific means (22a-22k) for authentication according to at least one given method (Ma-Mk), and the security server including a security management software module (33), characterized in that the system implements the process defined by any of the preceding claims.
CA 2276235 1998-06-30 1999-06-23 Authentication process for protected accesses in a networked data processing system Abandoned CA2276235A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
FR9808300 1998-06-30
FR9808300A FR2780586B1 (en) 1998-06-30 1998-06-30 AUTHENTICATION METHOD FOR PROTECTED ACCESS IN A NETWORKED COMPUTER SYSTEM

Publications (1)

Publication Number Publication Date
CA2276235A1 true CA2276235A1 (en) 1999-12-30

Family

ID=9528051

Family Applications (1)

Application Number Title Priority Date Filing Date
CA 2276235 Abandoned CA2276235A1 (en) 1998-06-30 1999-06-23 Authentication process for protected accesses in a networked data processing system

Country Status (4)

Country Link
EP (1) EP0969347B1 (en)
CA (1) CA2276235A1 (en)
DE (1) DE69937169T2 (en)
FR (1) FR2780586B1 (en)


Also Published As

Publication number Publication date
EP0969347B1 (en) 2007-09-26
EP0969347A1 (en) 2000-01-05
DE69937169T2 (en) 2008-06-26
FR2780586A1 (en) 1999-12-31
DE69937169D1 (en) 2007-11-08
FR2780586B1 (en) 2000-08-04


Legal Events

Date Code Title Description
FZDE Dead