2 December 2008
LiveCycle Rights Management ES
Adobe Acrobat or Adobe Reader
Adobe LiveCycle Rights Management ES allows you to enforce user access and usage rights based on dynamic information policies that support key business and governance objectives inside your company. In other words, you can ensure that only authorized users have access to protected information whether it's stored on a laptop, shared network drive, or distributed on the Internet. At its core, LiveCycle Rights Management ES offers dynamic protection based upon user identities. In this article, I'll describe the different ways in which the system can authenticate users.
Four approaches to identifying and authenticating users
Rights management controls the usage rights attached to sensitive documents. Its goal is to ensure that only authorized users can access protected information, and dynamic protection achieves this by tying every access decision to a user identity: before the system can apply a policy, it must establish which individual is attempting to open secured content.
Flexibility in identifying and authenticating users is key to integrating protection transparently into an existing infrastructure, and the ability to use several strategies side by side is central to an effective deployment. A flexible system deploys faster, is easier to administer, and reaches a return on investment sooner.
LiveCycle Rights Management ES provides four different types of authentication to the end user:
- Anonymous authentication
- Username/password authentication
- Kerberos SSO authentication
- Smart card/certificate authentication
These four types allow out-of-the-box deployment into a variety of authentication infrastructures, and each can be extended through the product's customization and integration points.
In this section I'll explain some of the possibilities and benefits associated with these authentication types:
Anonymous authentication
This type of authentication skips identifying the end user entirely. Anonymous authentication grants "guest-level" access to content: end users are not required to authenticate before being authorized to open it. This approach allows several workflows:
- Authors can distribute content and still control information through the "yank and replace" revocation mechanism. For example, an author can distribute a price sheet or a data capture form, and make sure that only the latest version of content can be viewed.
- Even though the individual end user's identity is unknown, authorization can still be constrained by client IP address or by the number of times the content has been viewed, and detailed (although anonymous) audit records let you track how frequently documents are opened. Note that these controls limit where and how often a document is opened; they do not establish who opened it.
Username/password authentication
This is the most commonly used approach. It requires the user to enter their username and password in the LiveCycle Rights Management ES "Log In" dialog box (see Figure 1):
The Log In dialog box is the gateway to the powerful "username/password" authentication; it provides out-of-the-box functionality to authenticate users against a variety of directory systems, and also allows custom integration with other credential providers.
For example, you can authenticate users against supported LDAP directories (such as Microsoft Active Directory, Sun Directory Server, IBM Domino LDAP, Novell eDirectory, and others) that are already deployed. But you are not limited to authenticating LDAP users. LiveCycle Rights Management ES provides two out-of-the-box mechanisms for managing user accounts for customers without an existing directory infrastructure: "invited users" and "local users." These accounts are stored "locally" within a built-in directory. As an administrator, you can manage these accounts using the built-in APIs and GUI. And you can set up the system to allow end users to quickly and easily create and manage their own accounts.
In all these scenarios, the end user simply enters their username and password upon opening a document. The server automatically queries the relevant system to verify their credentials and authorize the user. If you wish, you can configure the system so that the end user has the option to make the system remember their credentials, which will securely cache credentials and not require further authentication when opening subsequent documents. For many implementations, this offers an inexpensive method of "Single Sign-On" (SSO), because end users will only see an authentication dialog the first time they log in. The simplicity of accessing files in this manner improves end user experience with the system, and they may even forget that they are opening protected content.
The username/password type is considerably more flexible than basic integration with directory services suggests. You can front any credential system that accepts two user-entered strings: LiveCycle Rights Management ES lets you customize the authentication dialog box dynamically, and lets you develop a custom authentication provider through the server-side service provider interfaces (SPIs).
For example, some financial industry developers have leveraged their existing account management infrastructure, allowing their customers to authenticate via their existing account number and PIN to access their policy-protected banking statements. Others have successfully leveraged SPIs to integrate with one-time password (OTP) systems to enable multi-factor authentication.
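The two integrations described above (account number plus PIN, and a one-time password system) share one shape: the dialog hands the server two strings, and a pluggable provider decides whom they belong to. The following Go program is an added example of that pattern, written for this article; it is not Adobe's SPI, and the `Provider` interface, the account numbers, users, PINs and OTP seeds are all constructed for illustration. The PIN provider stores salted hashes and compares them in constant time, and the OTP provider implements RFC 6238 TOTP (HMAC-SHA1, 30-second step) with a one-step skew window.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
	"math"
	"strconv"
	"time"
)

// Provider is the assumed shape of a pluggable check behind the two-string Log In dialog.
// It stands in for a custom authentication provider; it is not Adobe's SPI.
type Provider interface {
	Authenticate(id, secret string) (user string, err error)
}

var _, _ Provider = (*pinProvider)(nil), (*otpProvider)(nil)

// pinRecord is one constructed account: owning user plus a salted SHA-256 of the PIN.
type pinRecord struct {
	user string
	salt []byte
	hash []byte
}

type pinProvider struct{ records map[string]pinRecord } // account number -> record

func hashPIN(salt []byte, pin string) []byte {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(pin))
	return h.Sum(nil)
}

// newPINProvider seeds two constructed accounts. A four-digit PIN is trivially guessable,
// so a production store would use a slow hash (bcrypt/PBKDF2) and a lockout counter.
func newPINProvider() *pinProvider {
	p := &pinProvider{records: map[string]pinRecord{}}
	for _, a := range []struct{ acct, user, pin string }{{"1002-4471", "alice", "4821"}, {"1002-9930", "bob", "7730"}} {
		salt := make([]byte, 16)
		if _, err := rand.Read(salt); err != nil {
			panic(err)
		}
		p.records[a.acct] = pinRecord{user: a.user, salt: salt, hash: hashPIN(salt, a.pin)}
	}
	return p
}

func (p *pinProvider) Authenticate(acct, pin string) (string, error) {
	rec, ok := p.records[acct]
	if !ok { // unknown account: still hash, so response time does not reveal valid numbers
		rec = pinRecord{salt: make([]byte, 16), hash: make([]byte, 32)}
	}
	if subtle.ConstantTimeCompare(hashPIN(rec.salt, pin), rec.hash) != 1 || !ok {
		return "", errors.New("account number or PIN incorrect")
	}
	return rec.user, nil
}

// otpProvider checks a user name against an RFC 6238 time-based one-time code.
type otpProvider struct {
	seeds map[string][]byte // user -> shared seed (constructed)
	now   func() time.Time  // injectable clock
}

// totp computes an RFC 6238 code (HMAC-SHA1, 30-second step, dynamic truncation).
func totp(seed []byte, t time.Time, digits int) string {
	var counter [8]byte
	binary.BigEndian.PutUint64(counter[:], uint64(t.Unix()/30))
	mac := hmac.New(sha1.New, seed)
	mac.Write(counter[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%0"+strconv.Itoa(digits)+"d", code%uint32(math.Pow10(digits)))
}

// Authenticate accepts the current step and one step either side for clock skew. A real
// provider would also remember the last accepted counter so a code cannot be replayed.
func (p *otpProvider) Authenticate(user, code string) (string, error) {
	seed, ok := p.seeds[user]
	if !ok {
		return "", errors.New("user name or code incorrect")
	}
	now := p.now()
	for _, skew := range []time.Duration{0, -30 * time.Second, 30 * time.Second} {
		if subtle.ConstantTimeCompare([]byte(totp(seed, now.Add(skew), 6)), []byte(code)) == 1 {
			return user, nil
		}
	}
	return "", errors.New("user name or code incorrect")
}
```

Both providers return the same generic error on any failure so that the dialog cannot be used to enumerate valid account numbers or user names. The `totp` function reproduces the RFC 6238 reference vectors (seed `12345678901234567890`, T=59 gives 94287082), which is the check to run before wiring any OTP provider into a login path.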
Kerberos SSO authentication
If you are looking for the ultimate "transparent integration" with existing authentication infrastructure, you can choose to enable Kerberos-based single sign-on (SSO). This is an outstanding option that creates a seamless authentication process for end users because they won't have to enter their password information into the authentication dialog box.
Since end users never see an authentication dialog when opening a protected document, they frequently forget that they are accessing protected content at all. Some end users have referred to this authentication type as "magic."
Kerberos SSO builds on the Kerberos support in Microsoft Windows clients and Microsoft Active Directory domain controllers. The LiveCycle Rights Management ES client reuses the Kerberos credentials established when the user logged on to their machine to obtain a service ticket for the Rights Management server and presents that ticket to authenticate. The user's password is never sent to the Rights Management server.
Smart card / certificate authentication
The fourth type of authentication that LiveCycle Rights Management ES supports is smart card, or certificate-based, authentication. For many deployments this is the strongest of the supported forms, because it requires possession of a hardware token rather than knowledge of a secret that can be phished or guessed. In this section I'll provide some background and context to explain how this strategy works in LiveCycle Rights Management ES, and highlight the benefits of using smart cards for user authentication.
A smart card, in its most well-known form, is a credit card-sized 'intelligent card' that holds a user's credentials in the form of digital certificates. There are many variants of smart cards available today. Most cards used for authentication also carry a processor that performs private-key operations such as computing digital signatures, so the private key never leaves the card. A smart card is a something-you-have factor, as compared to entering a username/password, which is something-you-know.
A digital certificate, often just referred to as a certificate, is a digital document. At a minimum it binds a Distinguished Name (DN) to a public key. The DN identifies the holder, and the holder proves that identity by demonstrating possession of the private key matching the public key, typically by signing data the verifier supplies. The certificate is signed by a trusted third party known as a Certificate Authority (CA), which vouches for the binding between the name and the key. This Public Key Infrastructure (PKI) rests on public-key cryptography, the most common method on the Internet for authenticating parties and protecting messages. Public-key cryptography does not replace symmetric cryptography but solves its key-distribution problem: two parties no longer need to share a secret before they can communicate securely. Certificate formats and the operations a card performs are defined by open standards such as X.509 and the Public Key Cryptography Standards (PKCS) published by RSA Laboratories.
At the time of authentication, LiveCycle Rights Management ES checks that the presented certificate chains to one of the CA certificates in its store of known and trusted CAs, verifies the digital signature the client produces with the card, and then maps the certificate to a unique user using the rules you create when configuring LiveCycle. LiveCycle Rights Management ES also offers flexibility and easier enterprise integration by providing server-based "SPIs," which can be used to develop custom certificate authentication providers.
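The three server-side steps just described (chain the certificate to a trusted CA, verify the client's signature, map the certificate to a user) are shown below in an added Go example written for this article using only the standard library; it is not LiveCycle code and does not use Adobe's SPI. The issuing CA, the "rogue" CA, the user certificates, the rfc822Name-to-account mapping rule and the challenge-signing step that stands in for the smart card are all constructed here for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// issue creates a P-256 key pair and certificate for cn. With parent == nil it is a
// self-signed root CA; otherwise an end-user certificate carrying email as rfc822Name SAN.
func issue(cn, email string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if parent == nil { // root CA: self-signed and allowed to sign other certificates
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else { // end-user certificate, as provisioned on a smart card
		tmpl.EmailAddresses = []string{email}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// signChallenge is the client step: the card signs the server's nonce with a private key
// that never leaves it (here simulated with an in-memory key).
func signChallenge(key *ecdsa.PrivateKey, challenge []byte) []byte {
	digest := sha256.Sum256(challenge)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	must(err)
	return sig
}

// authenticate is the server side: chain the certificate to a trusted CA, check proof of
// possession of the private key, then apply the mapping rule (rfc822Name -> account).
func authenticate(trusted *x509.CertPool, users map[string]string, cert *x509.Certificate, challenge, sig []byte) (string, error) {
	opts := x509.VerifyOptions{
		Roots: trusted,
		// VerifyOptions defaults to ServerAuth, which would reject a user certificate.
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("certificate not trusted: %w", err)
	}
	// CheckSignature hashes the challenge and verifies sig with the certificate's public key.
	if err := cert.CheckSignature(x509.ECDSAWithSHA256, challenge, sig); err != nil {
		return "", fmt.Errorf("proof of possession failed: %w", err)
	}
	for _, email := range cert.EmailAddresses {
		if user, ok := users[email]; ok {
			return user, nil
		}
	}
	return "", fmt.Errorf("no account mapped to certificate %q", cert.Subject.CommonName)
}

// Scenarios runs three constructed attempts: a valid card; a certificate for the same name
// from a CA the server does not trust; Alice's certificate presented without her key.
func Scenarios() (user string, untrusted, wrongKey error) {
	ca, caKey := issue("Example Corp Issuing CA", "", nil, nil)
	rogue, rogueKey := issue("Rogue CA", "", nil, nil)
	trusted := x509.NewCertPool()
	trusted.AddCert(ca)
	users := map[string]string{"alice@example.com": "alice"} // constructed directory
	challenge := make([]byte, 32)
	_, err := rand.Read(challenge)
	must(err)
	alice, aliceKey := issue("Alice Example", "alice@example.com", ca, caKey)
	user, err = authenticate(trusted, users, alice, challenge, signChallenge(aliceKey, challenge))
	must(err)
	forged, forgedKey := issue("Alice Example", "alice@example.com", rogue, rogueKey)
	_, untrusted = authenticate(trusted, users, forged, challenge, signChallenge(forgedKey, challenge))
	_, malloryKey := issue("Mallory", "mallory@example.com", ca, caKey)
	_, wrongKey = authenticate(trusted, users, alice, challenge, signChallenge(malloryKey, challenge))
	return user, untrusted, wrongKey
}
```

The order of the checks matters: a certificate that does not chain to the trust store is rejected before any signature is examined, and a genuine certificate is worthless to someone who cannot sign the fresh challenge, which is exactly why a copied certificate file (unlike a stolen card plus PIN) does not grant access. The mapping step is where the configured rules come in; here the first rfc822Name that matches a directory entry wins, and an otherwise valid certificate for an unknown user is still refused.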
Many enterprises and governments today employ smart card-based authentication, not only to achieve enhanced security but also to leverage ease of deployment and use for the end users. For example, the United States Department of Defense issues Common Access Cards (CAC cards) which are used for secure user identification. CAC cards can be used within LiveCycle Rights Management ES to authenticate users who are opening protected documents.
In this workflow, the user inserts their card into a smart card reader on their machine to initiate identification. Smart card readers are available in a variety of forms, and can be connected to a user's computer using either a USB or PC card interface. Smart card readers are already integrated into many laptops today, such as the Dell Latitude line of business laptops.
To give you a better understanding of how easy it is for an end user to authenticate to LiveCycle Rights Management ES using a smart card, view the demo (see Figure 2).
Where to go from here
In this article, I've highlighted the four different types of user authentication available in LiveCycle Rights Management ES, along with some of the benefits and workflows associated with each solution. You may choose to use one or a combination of these strategies when implementing digital rights in your own infrastructure.
Also be sure to visit the LiveCycle Developer Center, where you'll find helpful articles, tutorials and sample files to get you up to speed quickly.
For more up-to-date news about the product, you can visit the Rights Management Blog.
Prior experience using LiveCycle is suggested. Basic familiarity with Adobe Acrobat or Adobe Reader is also helpful.