Electrical computers and digital processing systems: support – System access control based on user identification by...
Reexamination Certificate
1998-06-30
2001-02-13
Peeso, Thomas R. (Department: 2767)
C713S150000, C713S168000, C713S152000, C380S255000, C380S270000, C380S278000
active
06189100
ABSTRACT:
FIELD OF THE INVENTION
This invention relates generally to networked computers, and more particularly to booting a computer across a network.
COPYRIGHT NOTICE/PERMISSION
A portion of the disclosure of this patent document contains material which is subject to copyright protection. The copyright owner has no objection to the facsimile reproduction by anyone of the patent document or the patent disclosure as it appears in the Patent and Trademark Office patent file or records, but otherwise reserves all copyright rights whatsoever. The following notice applies to the software and data as described below and in the drawing hereto: Copyright© 1997, Microsoft Corporation, All Rights Reserved.
BACKGROUND OF THE INVENTION
A remote boot client computer boots off a server computer connected to the client through a network rather than booting from the local boot drive. Everything that would normally be stored on the local boot drive is instead stored in a client-specific location, or store, on the server. When a remote boot client computer starts up, typically the boot ROM (read-only memory) in the client requests a small bootstrap code module known as a “loader” from the server, which the server transfers over the network to the client. The loader executes on the client computer and causes the server to transfer the operating system executable and other files needed to start the system. The operating system executable and other files are collectively referred to as the “boot files.” Once the operating system is up and running on the client, it communicates over the network as needed to read and write other files from and to the client-specific store that it would normally read and write from and to the client computer's hard drive if booting locally.
Because the data used to boot the client is stored on the server, it is important that the data be as secure as it would be if it were stored on the local boot drive. This means that it must be protected from viewing and modification by unwanted users, both while it resides on the server and while it is being transferred across the network. Typically, the network protocol used to transfer the loader and the boot files to the client computer is a simple protocol, such as TFTP (trivial file transport protocol), which does not provide security services. A simple, unsecured protocol generally means that any boot file the loader downloads from the server for one remote client computer will be easily readable by any other client computer on the network. Thus, current remote boot operations present major security issues.
The lack of security in the transfer protocol makes it easy for a rogue user with access to the network to capture the loader and/or boot files as they are being downloaded from the server to the client. The rogue user can then modify and re-send the modified files to the client. Such an operation is known as “spoofing.” A client machine that has been spoofed is unaware that the loader and/or boot files are not coming from the legitimate boot server. At best, the rogue user inserts invalid bits into the loader and/or boot files that prevent them from loading. At worst, the rogue user can cause the loader or boot files to operate in a manner other than what was intended. For example, the loader could be modified to ask the user for a password, and then rebroadcast the password on the network without the user's knowledge. Additionally, the boot files themselves can contain password data or other sensitive material which can be captured by the rogue user.
Another issue with remote booting is that a rogue user can set up a computer to pretend to be either the client or the server by observing the network traffic between client and server when they boot. On the client side, the rogue user programs a rogue computer to imitate the legitimate client when booting. The server is unaware that it is not communicating with the legitimate client computer and gives the rogue computer access to the legitimate client computer's client-specific store. Furthermore, in this case, the server would also give the rogue computer access to any other files on the server that the legitimate client has permission to view. On the server side, the rogue user programs the rogue computer to imitate the legitimate server. The rogue server then sends down modified binaries to a legitimate client. Such modified binaries can, for example, request the user's password and store the entered password for later use.
Once the client computer is booted up, more sophisticated protocols are available to ensure integrity and encryption of files passed between the client and the server. One example is the IP (internet) security protocol known as “ipsec.” However, ipsec requires that the client and server exchange an encryption key between the two computers. If the encryption key itself is sent over an unsecured network, the security of ipsec is compromised.
Therefore, there is a need to secure the remote boot process in a way that also provides a mechanism for a client and server to exchange a shared encryption key using the secure remote boot process.
SUMMARY OF THE INVENTION
The above-mentioned shortcomings, disadvantages and problems are addressed by the present invention, which will be understood by reading and studying the following specification.
A remote boot process uses a secret shared between a client and a server to sign and/or seal the data necessary to remotely boot the client from the server on a network, to ensure the integrity of the data. The secret is generated by the server and securely delivered to the client during the initial setup of the client. The secret contains a one-way encryption of the password for the client account on the server. Each side balances a signed message with a verify and a sealed message with an unseal. After the boot process is complete, subsequent transactions between the client and server are conducted using messages encrypted with a key generated by the server and securely delivered to the client in a message sealed using the secret. The secret can also be used in conjunction with an access control data structure to prevent unauthorized users from accessing data stored on the server on behalf of the client or other users. The use of a private/public key pair for the client in place of the secret is also described.
In one aspect of the invention, three loaders, a secured file transport service, and a secure conversation that couples the client and the server work together to provide the benefits of securing the remote boot data when booting across the network. In another aspect of the invention, the initial setup of the client is performed across the network, but subsequent boots are performed from boot files downloaded from the server and stored on the client's local boot drive.
Because the remote boot process secures the boot data using a simple, balanced sign/verify and seal/unseal protocol, it is suitable for use with a loader having minimal processing capabilities, and thus can be used throughout the boot process to seal (or sign) the data exchanged between the client and the server so that a rogue user has little opportunity to corrupt the process. Furthermore, the secret can be used to set up more sophisticated security protocols used after the boot process is completed. Finally, because the secret is tied to the client's account on the server, the server can secure client data stored on the server from unwanted access.
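The summary describes the protocol abstractly: a secret derived one-way from the client account password, a sign/verify pair for integrity, a seal/unseal pair for confidentiality plus integrity, and a post-boot session key delivered inside a sealed message. The Python below is an added illustration of that balanced exchange and is not code from the patent or from Microsoft. It assumes PBKDF2-HMAC-SHA256 as the one-way password transform, HMAC-SHA256 as the signature, and an encrypt-then-MAC seal built from HMAC-SHA256 in counter mode (chosen only because the standard library has no AES); the patent names none of these primitives. The loader bytes, password, and session key are constructed sample values.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional

# --- Shared secret: a one-way transform of the client account password -----
# Assumption: PBKDF2-HMAC-SHA256. The patent only says "one-way encryption".
def derive_secret(account_password: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", account_password, salt, 100_000, dklen=32)

# --- Sign / verify: integrity only, the data itself travels in the clear ----
def sign(secret: bytes, message: bytes) -> bytes:
    return hmac.new(secret, message, hashlib.sha256).digest()

def verify(secret: bytes, message: bytes, tag: bytes) -> bool:
    # constant-time compare so a forged tag cannot be guessed byte by byte
    return hmac.compare_digest(sign(secret, message), tag)

# --- Seal / unseal: confidentiality plus integrity ---------------------------
def _subkey(secret: bytes, label: bytes) -> bytes:
    # separate encryption and authentication keys, both derived from the secret
    return hmac.new(secret, label, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode (assumed construction; stdlib has no AES)
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", block), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])

def seal(secret: bytes, plaintext: bytes, nonce: Optional[bytes] = None) -> bytes:
    nonce = os.urandom(16) if nonce is None else nonce
    enc_key, mac_key = _subkey(secret, b"seal-enc"), _subkey(secret, b"seal-mac")
    ks = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()  # encrypt-then-MAC
    return nonce + ciphertext + tag

def unseal(secret: bytes, sealed: bytes) -> Optional[bytes]:
    if len(sealed) < 16 + 32:
        return None
    nonce, ciphertext, tag = sealed[:16], sealed[16:-32], sealed[-32:]
    enc_key, mac_key = _subkey(secret, b"seal-enc"), _subkey(secret, b"seal-mac")
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None  # reject before touching the ciphertext
    ks = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))

# --- The boot exchange, server side then client side ------------------------
def remote_boot(secret: bytes, loader: bytes, session_key: bytes, tamper: bool = False) -> dict:
    # Server: sign the loader (integrity) and seal the post-boot session key.
    wire_loader, wire_tag = loader, sign(secret, loader)
    sealed_key = seal(secret, session_key)
    # On the wire: simulate a modified loader (constructed for the demo only).
    if tamper:
        wire_loader = wire_loader.replace(b"boot", b"evil")
    # Client: balance sign with verify, seal with unseal; stop on any failure.
    loader_ok = verify(secret, wire_loader, wire_tag)
    key = unseal(secret, sealed_key) if loader_ok else None
    return {"loader_accepted": loader_ok, "session_key": key}

if __name__ == "__main__":
    secret = derive_secret(b"client-account-password", b"per-client-salt")  # constructed
    print(remote_boot(secret, b"loader: boot stage 1", b"K" * 16))
    print(remote_boot(secret, b"loader: boot stage 1", b"K" * 16, tamper=True))
```

The point the patent makes about a loader with minimal processing capability is visible here: the client needs only HMAC and a one-way hash, no public-key arithmetic, and the same secret that protects the loader also carries the session key that later, heavier protocols such as ipsec can use.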
The present invention describes systems, clients, servers, methods, and computer-readable media of varying scope. In addition to the aspects and advantages of the present invention described in this summary, further aspects and advantages of the invention will become apparent by reference to the drawings and by reading the detailed description that follows.
REFERENCES:
patent: 4993068 (1991-02-01), Piosenka et al.
patent: 5235642 (1993-08-01), Wobber et al.
patent: 5560008 (1996-09-01), Johnson et al.
patent: 5999711 (1999-12-01), Misra et
Barr Adam D.
Lenzmeier Charles T.
Swift Michael M.
Microsoft Corporation
Peeso Thomas R.
Schwegman Lundberg Woessner & Kluth P.A.