1. Field of the Invention
The present invention relates to an improved data processing system and, in particular, to a method and apparatus for multicomputer data transferring. Still more particularly, the present invention provides a method and apparatus for computer-to-computer authentication.
2. Description of Related Art
Enterprises generally desire to provide authorized users with secure access to protected resources in a user-friendly manner throughout a variety of networks, including the Internet. The Remote Authentication Dial-In User Service (RADIUS) protocol is a widely used server authentication and accounting protocol that secures remote access to networks. However, after a properly authenticated user has gained access to a network, a malicious user on the network may eavesdrop on electronic messages from the user or may spoof messages from the user. Concerns about the integrity and privacy of electronic communication have grown with the adoption of Internet-based services. Various encryption and authentication technologies, such as asymmetric encryption keys, have been developed to protect electronic communication.
The X.509 set of standards for digital certificates has been promulgated to create a common, secure, computational framework that incorporates the use of cryptographic keys. An X.509 digital certificate is an International Telecommunications Union (ITU) standard that has been adopted by the Internet Engineering Task Force (IETF) body. It cryptographically binds the certificate holder, presumably identified by the subject name within the certificate, with its public cryptographic key. This cryptographic binding is based on the involvement of a trusted entity within the Internet Public Key Infrastructure for X.509 certificates (PKIX) called the certifying authority (CA). As a result, a strong and trusted association between the certificate holder and its public key can become public information yet remain tamper-proof and reliable. An important aspect of this reliability is a digital signature that the certifying authority stamps on a certificate before it is released for use. Subsequently, whenever the certificate is presented to a system for use of a service, its signature is verified before the subject holder is authenticated. After the authentication process is successfully completed, the certificate holder may be provided access to certain information, services, or other controlled resources, i.e., the certificate holder may be authorized to access certain systems.
The widespread adoption of Internet-related and Web-related technology has enabled the growth of a global network of interconnected computers that are physically supported by many thousands of organizations and businesses and many millions of individuals, mainly through the adoption of communication protocols such as the HyperText Transport Protocol (HTTP) and, to a lesser extent, standards such as X.509 certificates. Recently, enterprises have exerted effort to organize the computational capacity of many computers into a grid, which is a logical organization of many computers for providing a collective sharing of computational capacity and datastore capacity while maintaining local autonomous control over individual computers. Many of these enterprises are cooperating within the Global Grid Forum™, which is supported by GGF, Inc., to develop community-driven standards for grid computing.
The Globus Project™ is one effort, supported by government agencies, corporations, and universities, to develop grid-related technologies. It has resulted in the development of the Open Grid Services Architecture (OGSA), an initiative for incorporating grid concepts within a service-oriented framework based on Web services. The Globus Toolkit® is an implementation of the Open Grid Services Architecture that provides software programming tools for developing grid-enabled applications, and the Grid Security Infrastructure (GSI) is the portion of the Globus Toolkit® that implements security functionality. GSI uses X.509 certificates as the basis for user authentication within a grid.
Although providing secure authentication mechanisms reduces the risks of unauthorized access to protected resources, the same authentication mechanisms may become barriers to user interaction with the protected resources. Users generally desire the ability to jump from interacting with one application to another application without regard to the authentication barriers that protect each particular system supporting those applications.
As users become more sophisticated, they expect computer systems to coordinate their actions so that burdens on the user are reduced. These expectations also apply to authentication processes. A user might assume that once he or she has been authenticated by a computer system, the authentication credentials should remain valid throughout the user's working session, or at least for a particular period of time, without regard to the various computer architecture boundaries that are sometimes invisible to the user. Enterprises generally try to fulfill these expectations in the design of their operational systems, not only to placate users but also to increase user efficiency, whether that efficiency is measured as employee productivity or customer satisfaction, because subjecting a user to multiple authentication processes in a given time frame may significantly affect the user's efficiency.
Various techniques have been used to reduce authentication burdens on users and computer system administrators. These techniques are generally described as “single-sign-on” (SSO) processes because they have a common purpose: after a user has completed a sign-on operation, i.e., been authenticated, the user is subsequently not required to perform another authentication operation. The goal is that the user would be required to complete only a single authentication process during the user's session.
Due to the highly distributed nature of a grid, efforts have been made to incorporate the concept of single-sign-on functionality into the infrastructure of grid architectures. For example, the Globus Toolkit® implements single-sign-on functionality through the use of X.509 proxy certificates; the single-sign-on functionality applies to resources within the grid so that a user of multiple services within the grid is not required to pass an authentication challenge for each service that is used.
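The two bindings described above, as an added Go example that is neither this patent's code nor the Globus Toolkit's own: a CA-signed user certificate is validated against the trusted CA, and the user's own signature on a proxy certificate is then checked, so a proxy is accepted only if it was signed by the key that the CA bound to the user's name. It assumes only Go's standard crypto/x509 package; every key, name, serial number and lifetime is constructed in the code, and the additional subject-naming and policy rules of a full proxy-certificate profile are not checked.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
func must[T any](v T, err error) T { // panics on fixture-setup errors only
	if err != nil {
		panic(err)
	}
	return v
}
// mkCert issues a certificate for a fresh P-256 key (nil parent = self-signed); all values are constructed.
func mkCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), IsCA: isCA,
		Subject: pkix.Name{CommonName: cn}, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}
// VerifyProxyChain checks both bindings: path validation ties the user's name to the user's key
// through the CA's signature, then the user's own signature on the proxy ties the delegated proxy
// key to that identity. CheckSignature (not CheckSignatureFrom) is used because the user is not a CA.
func VerifyProxyChain(ca, user, proxy *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := user.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return fmt.Errorf("user certificate: %w", err)
	}
	if proxy.Issuer.String() != user.Subject.String() {
		return fmt.Errorf("proxy issuer %v is not the user %v", proxy.Issuer, user.Subject)
	}
	return user.CheckSignature(proxy.SignatureAlgorithm, proxy.RawTBSCertificate, proxy.Signature)
}
func main() {
	ca, caKey := mkCert("Grid CA (constructed)", true, nil, nil)
	user, userKey := mkCert("alice", false, ca, caKey)
	proxy, _ := mkCert("alice proxy", false, user, userKey)
	fmt.Println("genuine proxy chain verifies:", VerifyProxyChain(ca, user, proxy) == nil)
}
```

A proxy presented by an impostor who merely reuses the user's subject name passes the name comparison but fails the signature check, which is the point of the CA's binding.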
However, a user is typically required to pass an authentication challenge to gain initial access to a network prior to attempting to access services within a grid. After the user has completed an authentication operation with respect to the network, the user may then attempt to gain access to resources in a grid via the network. Hence, a user is typically required to pass two authentication challenges to gain access to resources in a grid, which is contrary to the concept of a single-sign-on operation and diminishes the efforts of incorporating single-sign-on functionality within a grid infrastructure.
Therefore, it would be advantageous to have a method for providing a single-sign-on operation that, when successfully completed, allows access to a network while subsequently allowing access to resources in a grid that is accessed through the network. It would be particularly advantageous to provide a single-sign-on operation that is compliant with entities that are commonly implemented in accordance with standard specifications, such as a RADIUS server and a Globus™-enabled grid.