Providing secure mobile access to information servers with temporary certificates

摘要

This paper presents a solution that compatibilizes user mobility and secure access to information servers by means of X.509 certificates with a short validity period. The common approach to compatibilizing user mobility and secure access is based on removable tokens that hold cryptographic information. The use of these techniques restricts user mobility in several ways. Firstly, when specific hardware is required, it must be available in any computer the user may employ to connect from. Secondly, using software that must be added to well-known client programs means that the user must circumscribe to those hosts where the software is installed or install it on his/her own. The solution we present here does not impose any constraints on hardware and, since it is based on the thin client paradigm, software requirements are minimal. The application of X.509 certificates permits the use of (de facto) standard software for accessing the information. Furthermore, since the system uses short term certificates it does not necessitate the user eliminating any traces left behind in the client g any traces left behind in the client program after its use. Finally, the token (actually, a diskette) can be used with practically any computer, as it contains all the software and data needed for user authentication, and is based on a thin client written in an architecture-neutral language like Java. The requirements on the computer the user is connecting from are minimal: having a floppy drive and a Java virtual machine. An implementation of the framework described here is in use to provide authorized access to internal servers at CICA.