This invention relates generally to computer systems, and more particularly to a mechanism for determining the restrictions to impose on an implementation of a service requested by an application.
For a number of years, the U.S. Department of Commerce has regulated, and at times, prohibited the exportation of computer programs or applications which implement data encryption algorithms. Currently, computer programs cannot, as a general rule, be exported if they implement encryption algorithms having cryptographic key sizes exceeding a certain number of bits (the specific allowable key size is algorithm-specific). There are certain exceptions to this rule. One exception is that if an exemption mechanism is implemented, the key size, and hence the cryptographic strength of the program, may in some cases be increased. Examples of exemption mechanisms include key escrow, key recovery, and key weakening. Also, certain types of programs are allowed to use larger key sizes than others. For example, current regulations allow health care and financial services applications to use larger key sizes because of the need for increased security (to protect highly sensitive data) in these types of applications. While some applications may enjoy greater latitude than others, all encryption applications are subject to export regulations.
These regulations apply not only to programs which directly implement encryption algorithms, but also to programs which interface with programs that directly implement encryption algorithms. These programs include xe2x80x9cframeworkxe2x80x9d programs which provide infrastructure for facilitating interaction between various programs. The framework itself may not implement any encryption algorithm, but it may allow one or more programs which do implement encryption algorithms to interface with or xe2x80x9cplug inxe2x80x9d to the framework. An example of such a framework is the Java Cryptography Extension to the Java Platform manufactured by Sun Microsystems, Inc. of Palo Alto, Calif. If a framework allows an encryption mechanism to be xe2x80x9cplugged inxe2x80x9d to the framework, the framework itself will be subject to export regulations. This means that in order to be exportable, the framework needs to ensure that all export regulations are adhered to regardless of the encryption implementation that is plugged in to the framework. In order to do this, the framework needs to have some mechanism for enforcing the necessary restrictions on the encryption implementations.
These regulations apply not only to programs which directly implement encryption algorithms, but also to programs which interface with programs that directly implement encryption algorithms. These programs include xe2x80x9cframeworkxe2x80x9d programs which provide infrastructure for facilitating interaction between various programs. The framework itself may not implement any encryption algorithm, but it may allow one or more programs which do implement encryption algorithms to interface with or xe2x80x9cplug inxe2x80x9d to the framework. An example of such a framework is the Java Cryptography Extension to the Java Platform manufactured by Sun Microsystems, Inc. of Mountain View, Calif. If a framework allows an encryption mechanism to be xe2x80x9cplugged inxe2x80x9d to the framework, the framework itself will be subject to export regulations. This means that in order to be exportable, the framework needs to ensure that all export regulations are adhered to regardless of the encryption implementation that is plugged in to the framework. In order to do this, the framework needs to have some mechanism for enforcing the necessary restrictions on the encryption implementations.
In accordance with the present invention, there is provided a mechanism for dynamically constructing customized implementations to enforce restrictions on services. For purposes of the present invention, a service is defined broadly to encompass any functionality requested by and provided to an application, including but not limited to encryption/decryption functionality. In one embodiment, the invention is implemented in a system comprising an application, a general implementation of a particular service, and a framework.
The framework receives from the application a request for an implementation of a particular service, such as an implementation of a particular encryption algorithm. In response, the framework determines what restrictions, if any, need to be imposed on the requested implementation. In one embodiment, the framework determines the restrictions by determining whether any permissions have been granted to the application, and if so, processing the permissions to derive the set of restrictions to impose on the implementation. In one embodiment, the permissions are processed such that the set of restrictions derived is least restrictive.
Once the restrictions are determined, the framework dynamically constructs the requested implementation. In one embodiment, the requested implementation is constructed such that it incorporates the general implementation of the service, the restrictions, and enforcement logic for enforcing the restrictions on the general implementation. Since the requested implementation is constructed specifically for the application, it is customized for the application. Thus, the implementation is referred to as the customized implementation.
Once the customized implementation is dynamically constructed, the framework provides the customized implementation to the application. Thereafter, the application invokes the customized implementation directly for services. Since the customized implementation incorporates the restrictions and enforcement logic for enforcing the restrictions, it is not necessary for the application to further interact with the framework. The customized implementation itself will provide the services, and will guarantee that the restrictions are enforced. By dynamically constructing customized implementations in this manner, the framework ensures that the necessary restrictions are enforced on the services provided to the application.