Deputization in a distributed computing system

Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Central trusted authority provides computer authentication

Reexamination Certificate


Details

Classification: C713S175000, C709S201000
Document type: Reexamination Certificate
Status: active
Patent number: 06742114

ABSTRACT:

FIELD OF THE INVENTION
The present invention relates to the delegation of rights in a distributed computing system. More particularly, the present invention relates to delegation through a chain or tree of deputies in the distributed system.
TECHNICAL BACKGROUND OF THE INVENTION
Distributed computing systems are becoming increasingly useful and prevalent. Distributed computers are connected by local area networks, wide area networks, and networks of networks, such as the Internet. These distributed computing systems make available platform-neutral, mobile code environments which contain a growing collection of computational objects, applications, data, and other information in the form of files, databases, images, and/or other named resources.
With the growth of such distributed computing systems and their information content, there is an urgent need to support the efficient and effective delegation of rights across heterogeneous systems, services, and platforms. Powerful and convenient delegation services are needed to achieve seamless distribution of critical resources, and to make the power of computing resources available for more widespread use. Ideally, delegation services help users (both human and digital) put computational tasks to work at times and locations which are appropriate for execution of those tasks and with access to required resources, without creating unacceptable security risks.
Various approaches have been taken to the problem of providing effective and efficient delegation services in a distributed computing system. For instance, a Simple Distributed Security Infrastructure (“SDSI”) has been designed to facilitate the construction of secure systems by providing terminology for defining access control lists and security policies. SDSI is also an attempt to move away from identity-based certification and towards a system based on roles and credentials. The SDSI system is key-centric. Rather than attach a public key to an identity, SDSI entities are the keys themselves. That is, SDSI principals are public keys that can make declarations by issuing verifiable signed statements. The statements may be made in the form of certificates which bind identifying information to a principal, assert that a principal does or does not belong to some group, and/or bind a name to a value such as a principal.
The Calypso architecture described by Tuomas Aura and other researchers from Helsinki University of Technology also uses a key-oriented approach. A public cryptographic signature key represents the entity that holds the corresponding private key. Key-oriented certificates are used to delegate rights. Access rights are delegated directly from key to key without explicitly identifying the involved entities by name in the certificates. Delegation is also transitive. That is, if Alice's key authorizes Bob's key to use a service and Bob's key in turn authorizes Charlie's key to use the service, then the system considers that situation to be equivalent to having Alice's key delegate rights directly to Charlie's key.
Although key-centric approaches can be useful, they assume it is not necessary to expressly associate a name (such as a user name or an account number) with a particular act of delegation. However, such associations can be very useful in assigning responsibility. Key-centric approaches also require a homogeneous environment if delegation is to be transitive. By contrast, identifying and distinguishing between entities in a chain of delegations allows both delegation between heterogeneous systems and persistent delegation, as explained in the description of the present invention below.
Microsoft Windows NT environments, Kerberos environments, and some other environments define “domains” or “realms” within which a given user has specified rights. A domain or realm may also be viewed as a group of machines in a network, with the grouping defined for administrative ease. For instance, all machines in a domain or realm typically share a common database of users and groups, and the machines typically also have the same security policy. Accordingly, authentication tools and techniques exist which allow users to log into domains or otherwise authenticate themselves to domains or realms, instead of (or in addition to) being authenticated to a particular computer.
The concept of authentication is related to the concept of delegation. For instance, one way for a task A to delegate rights to a task B is for A to provide B with authentication information that allows B to impersonate A. This approach to delegation is relatively easy to implement but it also has serious disadvantages. Task B receives all rights of task A, including rights B does not necessarily need to perform the job at hand. Moreover, giving two tasks the same identity makes it harder to assign responsibility for inept or malicious acts which are performed under that identity.
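The transitive key-to-key chain described for Calypso above, and the contrast with delegation by impersonation just discussed, as an added example written for this page; it is not code from the patent, from SDSI or from Calypso. Each link is a certificate in which an issuer key grants a subject key a set of rights on a service, signed by the issuer; the verifier walks the chain from the service owner's key to the requester's key and accepts a link only if it is signed by the previous link's subject and grants no right the issuer did not itself hold. The certificate layout, the service name and the principals Alice, Bob, Charlie and Mallory are assumptions for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"sort"
)

// Principal is a keypair. No name is stored: in a key-centric scheme the key itself
// is the principal, which is exactly the accountability gap the patent points at.
type Principal struct {
	Pub  ed25519.PublicKey
	Priv ed25519.PrivateKey
}

func NewPrincipal() Principal {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Principal{Pub: pub, Priv: priv}
}

// Cert: whoever holds Issuer's private key grants Subject the Rights on Service.
// Format is an assumption for this example, not any standard's wire format.
type Cert struct {
	Issuer  ed25519.PublicKey
	Subject ed25519.PublicKey
	Service string
	Rights  []string
	Sig     []byte
}

// payload is the canonical signed byte string: fixed-size keys, length-prefixed
// strings and sorted rights, so two different grants never serialize identically.
func (c *Cert) payload() []byte {
	var b bytes.Buffer
	b.Write(c.Issuer)
	b.Write(c.Subject)
	fmt.Fprintf(&b, "%d:%s", len(c.Service), c.Service)
	rights := append([]string(nil), c.Rights...)
	sort.Strings(rights)
	for _, r := range rights {
		fmt.Fprintf(&b, "%d:%s", len(r), r)
	}
	return b.Bytes()
}

// Delegate issues a certificate from issuer's key to subject's key.
func Delegate(issuer Principal, subject ed25519.PublicKey, service string, rights []string) Cert {
	c := Cert{Issuer: issuer.Pub, Subject: subject, Service: service, Rights: rights}
	c.Sig = ed25519.Sign(issuer.Priv, c.payload())
	return c
}

// VerifyChain walks the chain from the service owner's key (root) to requester and
// returns the rights the requester holds. Each link must be issued by the previous
// subject, verify under the issuer key, and only narrow the rights already held.
func VerifyChain(root, requester ed25519.PublicKey, service string, chain []Cert) ([]string, error) {
	if len(chain) == 0 {
		return nil, errors.New("empty chain")
	}
	prev, held := root, map[string]bool{}
	for i, c := range chain {
		if !bytes.Equal(c.Issuer, prev) {
			return nil, fmt.Errorf("link %d: issuer is not the previous subject", i)
		}
		if c.Service != service {
			return nil, fmt.Errorf("link %d: certificate is for service %q", i, c.Service)
		}
		if !ed25519.Verify(c.Issuer, c.payload(), c.Sig) {
			return nil, fmt.Errorf("link %d: bad signature", i)
		}
		next := map[string]bool{}
		for _, r := range c.Rights {
			if i > 0 && !held[r] { // the root (service owner) may grant anything
				return nil, fmt.Errorf("link %d: grants %q which the issuer does not hold", i, r)
			}
			next[r] = true
		}
		held, prev = next, c.Subject
	}
	if !bytes.Equal(prev, requester) {
		return nil, errors.New("chain does not end at the requester")
	}
	out := make([]string, 0, len(held))
	for r := range held {
		out = append(out, r)
	}
	sort.Strings(out)
	return out, nil
}

// Demo builds Alice -> Bob -> Charlie, then an escalation attempt and a forgery.
func Demo() (charlieRights []string, escalation error, forgery error) {
	const svc = "file-service" // constructed sample service name
	alice, bob, charlie, mallory := NewPrincipal(), NewPrincipal(), NewPrincipal(), NewPrincipal()
	aliceToBob := Delegate(alice, bob.Pub, svc, []string{"read", "write"})
	bobToCharlie := Delegate(bob, charlie.Pub, svc, []string{"read"}) // Bob narrows to read-only
	var err error
	if charlieRights, err = VerifyChain(alice.Pub, charlie.Pub, svc, []Cert{aliceToBob, bobToCharlie}); err != nil {
		panic(err)
	}
	// Bob tries to pass on "admin", a right Alice never gave him.
	tooMuch := Delegate(bob, charlie.Pub, svc, []string{"read", "admin"})
	_, escalation = VerifyChain(alice.Pub, charlie.Pub, svc, []Cert{aliceToBob, tooMuch})
	// Mallory forges a link naming Alice's key as issuer but signed with Mallory's key.
	forged := Cert{Issuer: alice.Pub, Subject: mallory.Pub, Service: svc, Rights: []string{"read", "write"}}
	forged.Sig = ed25519.Sign(mallory.Priv, forged.payload())
	_, forgery = VerifyChain(alice.Pub, charlie.Pub, svc, []Cert{forged, Delegate(mallory, charlie.Pub, svc, []string{"read"})})
	return charlieRights, escalation, forgery
}

func main() {
	rights, esc, forge := Demo()
	fmt.Println("charlie holds:", rights)
	fmt.Println("escalation rejected:", esc)
	fmt.Println("forgery rejected:", forge)
}
```

Two things this makes concrete. First, compared with delegation by impersonation (Alice simply handing Bob her private key), the chain lets Bob pass on a strict subset of what he received, and a forged or over-broad link is rejected at verification time rather than silently honoured. Second, the verifier learns nothing but public keys: the log line it could write says which key acted, not which user or account, which is the responsibility problem the next paragraphs raise against purely key-centric schemes.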
A detailed approach to authentication in a distributed computing system is described in Network Working Group Request for Comments 1507 (“RFC 1507”), entitled “DASS: Distributed Authentication Security Service”. As stated in RFC 1507, “the goal of authentication is to reliably learn the name of the originator of a message or request. The classic way by which people authenticate to computers (and by which computers authenticate to one another) is by supplying a password. There are a number of problems with existing password based schemes which DASS attempts to solve. The goal of DASS is to provide authentication services in a distributed environment which are both more secure (more difficult for a bad guy to impersonate a good guy) and easier to use than existing mechanisms. In a distributed environment, authentication is particularly challenging. Users do not simply log on to one machine and use resources there. Users start processes on one machine which may request services on another. In some cases, the second system must request services from a third system on behalf of the user. Further, given current network technology, it is fairly easy to eavesdrop on conversations between computers and pick up any passwords that might be going by. DASS uses cryptographic mechanisms to provide ‘strong, mutual’ authentication. Mutual authentication means that the two parties communicating each reliably learn the name of the other. Strong authentication means that in the exchange neither obtains any information that it could use to impersonate the other to a third party.”
DASS operates by providing a global identity which allows a user to log into a network instead of requiring separate logins for each server. The user is assigned a name from a global namespace and that name will be recognized by any node in the network. A resource may be configured for access only by a particular user through a particular node, but the user is still known by the given global identity.
It would be an advancement in the art to provide an improved distributed computing system delegation service which expressly identifies the entities involved in a delegation of rights but does not require a global namespace.
It would be a further advancement to provide such an improved service which supports delegation across network boundaries.
It would also be an advance to provide such an improved service which is compatible with existing public key infrastructures and existing authentication tools and techniques.
It would be a further advance to provide such an improved service which operates effectively with specific realms or domains, including Kerberos realms, domains defined in Microsoft Windows NT environments, and others.
Such delegation improvements are disclosed and claimed herein.
BRIEF SUMMARY OF THE INVENTION
The present invention provides Distributed Deputization Points for use in a distributed computing system. Deputization is a particular type of rights delegation which expressly identifies the entities involved in the delegation and does not inherently require a global namespace. “Rights” are sometimes referred to in connection wit
