1. Field of the Invention
The present invention relates to a data security method and a data security system, and relates particularly to a method and system for executing part of the server machine process within a process execution space in the client machine.
2. Description of the Prior Art
The Internet and similar network communications channels 103 are widely used today to link plural communications machines, i.e., communications machines (modems) built into or connected to a computer. Such networked communications channels 103 typically use one or more server machines commonly accessed by plural client machines, and provide security for client-server communications as shown in FIG. 7.
The server machine 101 and client machine 102 each comprise memory 105 and 109 and a CPU 104 and 108, respectively. The client-server communications interface 130 is within the communications channel 103. The server machine 101 and the client machine 102 also each comprise a security module 120 and 121, respectively. The security modules may be implemented as software used by the respective machine processes and executed by the corresponding CPU in memory, as dedicated hardware, or as a combination of CPU-executed software and dedicated hardware. The security modules are used specifically for encrypting data before transmission between the client and server over some type of communications channel, and then decrypting the received encrypted message.
An example of such a client machine is a personal computer for home shopping; the server machine in this application is a computer providing a shopping service and used to communicate product order numbers and credit card numbers for payment. This data is presently transmitted using the Internet as the communications channel. A typical method for maintaining the confidentiality of customer credit card numbers in this application is to encrypt the credit card number on the client side, before transmission, by means of a World-Wide Web (WWW) browser program implementing the Secure Sockets Layer (SSL) v3.0 specification (a public standard). The server, which has also implemented SSL v3.0, then decrypts the received information.
When an order is generated in this example, the order is issued by a process executed by the client CPU 108, and all messages or credit card numbers requiring confidentiality held in memory 109 are encrypted by the security module 121 before transmission. When the data is received by the server, the data encrypted by the client is decrypted by the server-side security module 120, and is then processed by the order processing program executed by the server CPU 104 and memory 105.
The problem in this system is that the encryption and decryption functions are separately controlled by the client and server machines, and the communications channel itself is not secure. Conceptually, security is provided by wrapping each packet transmitted over the communications channel in a "protective wrapper" achieved by data encryption.
More specifically, different servers use different communications methods (protocols), and a client accessing different servers therefore requires different security software for secure communications with each of them.
Furthermore, while individual packets may be secure, these "secure" packets are commonly entrusted to a communications channel that may not be secure.