The present invention is directed to security measures in a computer system and, more particularly, to systems and methods that permit a server to associate independent security requirements with individual remote methods.
Distributed systems usually contain a number of different computers interconnected by communications networks. Oftentimes, a client-server relationship is established between communicating computers. Typically, a "client" is defined as a process making a call to request resources located or controlled by a "server" process. In this context, the computers executing the requesting process and the server process may also be referred to as a client and server, respectively. However, these roles may change depending on the context of information and particular processing taking place.
One mechanism that facilitates the client-server relationship is the Remote Procedure Call (RPC) where the client invokes a function of the server. The RPC is a mechanism that provides synchronized communication between two processes operating on the same or different computers. The RPC mechanism is usually implemented in two parts: one part on the client side and the other part on the server side.
Security is an issue that always arises when client and server computers communicate. A breach in security can severely hamper the operation of both the client's and server's computers. Thus, organizations that use computer systems are vulnerable to persons who may intentionally or unintentionally cause the computer systems to malfunction or who may steal the organizations' confidential information.
System operators typically address three types of security issues: (1) preventing interception and alteration of messages; (2) controlling access to a server; and (3) authenticating a server by a client. System operators have conventionally addressed these issues in object-oriented programming environments by defining a security class that provides methods for setting communication requirements. One such object-oriented programming environment is Sun Microsystems.TM. Java.TM. object-oriented programming environment described in a text entitled Java 1.1 Developer's Guide, 2nd ed., Sams.net Publishing, 1997, which is hereby incorporated by reference.
The security class includes five communication requirements: CONFIDENTIALITY, INTEGRITY, ANONYMITY, AUTHENTICATE_SERVER, and NO_DELEGATION. CONFIDENTIALITY ensures that message contents are private. System operators use encryption techniques to assure that only parties with the proper decryption key can decipher the message. INTEGRITY detects when message contents (both requests and replies) have been altered, and refuses to process altered messages. System operators may accomplish this through the use of checksums, or the like, at both the client and server locations.
ANONYMITY represents the client desiring to remain anonymous. In other words, the client does not want to be authenticated by the server. AUTHENTICATE_SERVER represents the client needing to authenticate the server before invoking a remote method. Through this communication requirement, the client ensures that it is communicating with the correct server. NO_DELEGATION refers to the server not being permitted to delegate under the client's identity in calls that it makes. In other words, the server is not authorized to make calls to other computer systems pretending to be the client.
At the client's location, the security class is represented by a single bit for each communication requirement. By setting the bits corresponding to CONFIDENTIALITY, INTEGRITY, ANONYMITY, AUTHENTICATE_SERVER, and NO_DELEGATION, the client designates that confidentiality will be ensured, that integrity will be ensured, that the client will remain anonymous, that the server will be authenticated, and that delegation will not be provided, respectively. Conventionally, a client indicates the security class preferences on a global context or on a per call basis. In other words, the client specifies one set of communication requirements to be used for every call made by the client or specifies separate communication requirements for each individual call to a server.
At the server's location, the security class is represented by dual bits for each communication requirement. One of the bits (the "supported bit") represents whether the corresponding communication requirement is supported by the server. The other bit (the "required bit") represents whether the corresponding communication requirement is required by the server. In other words, the supported bit indicates what the server is capable of doing and the required bit indicates what the server must do.
For CONFIDENTIALITY, when the supported bit is set, the server provides confidentiality when the client requests it. If the bit is not set, the server is unable to provide confidentiality. When the required bit is set, the server will always ensure confidentiality.
For INTEGRITY, when the supported bit is set, the server provides integrity when the client requests it. If the bit is not set, the server is unable to provide integrity. When the required bit is set, the server will always ensure integrity.
For ANONYMITY, when the supported bit is set, the server is willing to accept an anonymous client (ie., the server is willing to not authenticate the client) when the client requests anonymity. Conversely, if the supported bit is not set, the server will always authenticate the client. When the required bit is set, the server will only accept anonymous clients. In other words, the server never authenticates the client when the required bit is set.
For AUTHENTICATE_SERVER, when the supported bit is set, the server is willing to authenticate itself when the client requests it. Conversely, if the supported bit is not set, the server is unable to authenticate itself. A server will never require itself to authenticate, so the required bit is never set.
For NO_DELEGATION, when the supported bit is set, the server is willing to do without delegation. Conversely, if the supported bit is not set, the server always requires delegation. When the required bit is set, the server never needs to delegate.
Conventionally, a server contains a single set of communication requirements that dictate the minimum requirements that the server tolerates. The server designates one set of communication requirements to handle all methods and functions invoked on the server. Typically, however, the methods and functions contain varying sets of requirements that they can tolerate for their invocation. For example, suppose a server contains two methods: a deletion method that requires client authentication and a lookup method that requires no client authentication. The server communication requirements include the strictest communication requirements required by the methods, which in this case would be to always require client authentication.
Such an across-the-board designation of communication requirements leads to an increase in the amount of processing time required to invoke a method, wasting system resources because all methods are subjected to the same communication requirements, even those that do not require such communication requirements. Accordingly, it is desirable to improve security requirement designation in communication systems.