1. Technical Field
The present invention relates to a computer network and a method of operating a computer network.
2. Related Art
The advent of the Internet has meant that it is now much more common for groups of computers to co-operate with one another in some sort of common endeavour. Examples include distributed application programs, different parts of which run on different computers connected to the computer network. The most widely-researched distributed application programs are programs which integrate ‘Web Services’ running on different computers. ‘Web Services’ are one example of components that might be assembled in accordance with a ‘Service Oriented Architecture’. Other known technologies might be used in place of Web Services—e.g. Enterprise Java Beans or components constructed in accordance with the Common Object Request Broker Architecture.
There is a need for security in such systems. This is especially true of inter-enterprise distributed application programs where computers in one enterprise co-operate with computers in a different enterprise. Whilst an enterprise's system administrator might trust computers administered by that enterprise not to behave maliciously, he is much less likely to trust computers administered by another enterprise to do so.
One important safeguard against malicious operation is operating each computer participating in running a distributed application to respond to receiving a message claiming to be from another participating computer by first verifying the authenticity of that claim before acting upon the message. Should the authenticity of the claim be found to be in doubt, then the receiving computer might do nothing or issue an alert to the system administrator.
Authentication is often provided using so-called credentials—most commonly a digital certificate digitally signed by a trusted authority. A problem with such credentials is handling their revocation. Conventionally this is done using Certificate Revocation Lists which a person receiving a certificate is expected to check prior to relying on that certificate. Alternatively, or in addition, the lifetime of a certificate can be made short so that a certificate which is not renewed quickly becomes invalid in any case.
Returning to authentication in distributed applications, whilst it would be possible to require the computer sending the message to authenticate itself individually, it is often sufficient to have the computer sending the message to authenticate itself as a participant without specifically indicating which of the participant computers it is. This provides a more scalable method of authentication.
The applicant's co-pending European patent application 06251031.8 suggests a group authentication scheme where membership of the group is expanded by existing members sending an invitation including a unique identifier for the recipient signed by the group private key. Should the recipient meet local policy requirements for joining the group and prove to have an invitation signed by an existing member, then they too will be given the group private key. They will then be able to authenticate themselves as members of the group in subsequent message exchanges by encrypting messages using the group private key and providing a certificate which certifies the group public key. In preferred embodiments, the group certificate is personalised and includes an identification of the group member.
As with all schemes involving ‘certificate revocation lists’, the problem arises that the security of the whole system then additionally depends on the security of whatever protocol is used to store such lists and transmit information from such lists to the point of use.
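The following is an added illustration, not code from the applicant or from the co-pending application, of the group authentication flow described above together with the revocation-list and short-lifetime checks a receiving computer is expected to make before relying on a certificate. It assumes Ed25519 signatures (the application does not name a scheme), a constructed encoding for invitations ("invite:" prefix) and for the personalised group certificate ("cert:" prefix signed by a trusted authority), an in-memory revocation list standing in for a Certificate Revocation List, and made-up identities (alice, eve, mallory) and a fixed clock:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// KeyPair serves both as the trusted authority's key and as the group key that
// every admitted member holds. Assumption: Ed25519 stands in for whatever
// signature scheme the application leaves unspecified.
type KeyPair struct{ Pub ed25519.PublicKey; Priv ed25519.PrivateKey }

func NewKeyPair() (*KeyPair, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	return &KeyPair{pub, priv}, err
}

// Invitation is the invitee's unique identifier signed with the group private key.
type Invitation struct{ InviteeID string; Sig []byte }

// GroupCertificate is a constructed stand-in for the personalised group certificate.
type GroupCertificate struct {
	MemberID string
	GroupPub ed25519.PublicKey
	NotAfter time.Time
	Sig      []byte // authority's signature over the three fields above
}

// Verifier is the receiving participant: it trusts the authority key and holds a
// revocation list (stand-in for a CRL) consulted before a certificate is relied on.
type Verifier struct{ AuthorityPub ed25519.PublicKey; Revoked map[string]bool }

// Invite is performed by an existing member, who already holds the group private key.
func Invite(group *KeyPair, inviteeID string) Invitation {
	return Invitation{inviteeID, ed25519.Sign(group.Priv, []byte("invite:"+inviteeID))}
}

// Join: the invitation must verify under the group public key and local policy
// must accept the candidate before the group private key is handed over.
func Join(group *KeyPair, inv Invitation, policyOK func(string) bool) (ed25519.PrivateKey, error) {
	if !ed25519.Verify(group.Pub, []byte("invite:"+inv.InviteeID), inv.Sig) {
		return nil, errors.New("invitation not signed with the group key")
	}
	if !policyOK(inv.InviteeID) {
		return nil, errors.New("local policy rejects " + inv.InviteeID)
	}
	return group.Priv, nil
}

func certBytes(id string, pub ed25519.PublicKey, notAfter time.Time) []byte {
	return []byte(fmt.Sprintf("cert:%s:%x:%d", id, []byte(pub), notAfter.Unix()))
}

func IssueCert(authority *KeyPair, id string, groupPub ed25519.PublicKey, notAfter time.Time) GroupCertificate {
	return GroupCertificate{id, groupPub, notAfter, ed25519.Sign(authority.Priv, certBytes(id, groupPub, notAfter))}
}

// Accept runs the receiver's checks in order: certificate signature, lifetime,
// revocation, and only then the message signature under the group key.
func (v *Verifier) Accept(now time.Time, body, sig []byte, c GroupCertificate) error {
	if !ed25519.Verify(v.AuthorityPub, certBytes(c.MemberID, c.GroupPub, c.NotAfter), c.Sig) {
		return errors.New("certificate not signed by the trusted authority")
	}
	if !now.Before(c.NotAfter) {
		return errors.New("certificate expired")
	}
	if v.Revoked[c.MemberID] {
		return errors.New("member revoked")
	}
	if !ed25519.Verify(c.GroupPub, body, sig) {
		return errors.New("message not signed with the group private key")
	}
	return nil
}

// RunScenario walks the flow with constructed identities and a fixed clock; it returns
// the outcome for a valid message, a revoked member, an expired certificate and a
// forged invitation (nil means accepted or admitted).
func RunScenario() (valid, revoked, expired, forged error) {
	authority, _ := NewKeyPair()
	group, _ := NewKeyPair()
	now := time.Date(2007, 3, 1, 12, 0, 0, 0, time.UTC) // constructed clock
	policy := func(id string) bool { return id != "eve" }

	alicePriv, err := Join(group, Invite(group, "alice"), policy)
	if err != nil {
		return err, err, err, err
	}
	cert := IssueCert(authority, "alice", group.Pub, now.Add(time.Hour)) // short-lived
	body := []byte("order 42")
	sig := ed25519.Sign(alicePriv, body) // proves membership, not which member
	v := &Verifier{authority.Pub, map[string]bool{}}

	valid = v.Accept(now, body, sig, cert)
	v.Revoked["alice"] = true
	revoked = v.Accept(now, body, sig, cert)
	delete(v.Revoked, "alice")
	expired = v.Accept(now.Add(2*time.Hour), body, sig, cert)
	_, forged = Join(group, Invitation{"mallory", make([]byte, ed25519.SignatureSize)}, policy)
	return
}
```

The ordering inside Accept is the point of the example: the certificate is validated and checked against the revocation list before the group-key signature is even examined, so a valid group signature from a revoked or expired member is still rejected. It also makes the dependency noted above concrete: the receiver's decision is only as good as the Revoked set it holds, which is exactly the data that has to be stored and transported securely.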
Two of the present inventors have worked on the EU's TrustCOM project. Deliverable 19 from that project was the Basic TrustCOM reference implementation. The same two inventors contributed to a paper entitled “Dynamic Security Perimeters for Grid-enabled Collaboration” at the UK Workshop on Grid Security Experiences, Oxford 8th and 9th Jul. 2004. One of those two inventors contributed to another paper, entitled “Multilayer Privilege Management for Dynamic Collaborative Scientific Communities” at the same workshop. The two inventors also contributed to a paper entitled “Dynamic Security Perimeters for Inter-Enterprise Service Integration” published in the journal Future Generation Computer Systems, vol. 23, no. 4, 2 Feb. 2007. This earlier work relates to securely integrating instances of resources that are distributed around a network environment, such as instances of applications installed in different servers that are brought together in a logical group in order to execute a composite service or a distributed process.
The inventors have realised how the security of such systems can be further improved.