1. Technical Field
The present invention relates generally to client-server protocols for accessing a directory service in a distributed computer environment and, in particular, to a method of securing sensitive data in such a directory service.
2. Description of the Related Art
LDAP is the Lightweight Directory Access Protocol, which is a known protocol for accessing a directory service in a computer network such as the Internet. LDAP is an evolving protocol that is based on a client-server model in which a client makes a TCP/IP connection to an LDAP server, sends requests, and receives responses. The LDAP information model is based on an “entry”, which contains information about some object. Entries are typically organized in a specified tree structure, and each entry is composed of attributes. The protocol defines a number of directory service operations with respect to the tree (and data therein) including authentication, search and retrieval, entry addition/deletion and information modification.
The directory is useful for storing information about resources in the computer network. According to the protocol, any entity can access the directory and the resource information in the directory subject to authentication and authorization. Presently, data within the LDAP directory service is stored “as is,” i.e. in the cleartext form in which it was transmitted to the directory. In many applications, however, there is a need to store data in an encrypted manner. A representative example would be the case where the directory service is used to store passwords, user desktop configurations, and other sensitive, confidential or otherwise privileged data that may be subject to security attacks.
There is thus a need to provide techniques to store and retrieve sensitive data in a client-server based directory service such as LDAP. The present invention addresses this problem.
It is a primary object of this invention to secure sensitive data in a directory service of a client-server based computer network.
It is another primary object of this invention to extend a directory service through a set of client and server controls useful in securing sensitive data in the directory service.
It is a particular object of this invention to implement a “client-side” control for a directory access protocol to secure sensitive data provided from a client application to the directory service.
It is another particular object of this invention to implement a “server-side” control for a directory access protocol to secure sensitive data within the directory service.
A more general object of this invention is to secure sensitive data provided to or from a directory service in a client-server computer network such as the Internet.
A particular object of this invention is to extend the lightweight directory access protocol (LDAP) to include client- and server-based controls for securing sensitive data in the directory service.
A set of controls include a client control implemented on a client machine, and/or a server control implemented on a server machine. It is not required that both controls be implemented together, and a client machine may implement the client control irrespective of whether a server involved in the directory operation is running the server control. The server control is composed of elements that preferably are also elements of the client control.
The client control generally comprises a control block including identifying information, a signature control block, and a signature. The signature preferably comprises a digital signature of the data (which first may be encrypted), the control block and the signature control block. During a given directory service operation from a client machine, the data and the client control are transmitted from the client to the directory service in a message envelope.
A preferred client control according to the invention enables an application to secure given data in a Lightweight Directory Access Protocol (LDAP) directory service of a client-server computer network, where the computer network comprises a client machine running the application and a server supporting the LDAP directory service. In this preferred embodiment, the client control comprises a control portion, a signature control block, and a signature. The control portion includes given identifying information including a control type, a first algorithm identifier and a first key identifier. The signature control block preferably comprises a second algorithm identifier and a second key identifier. The signature is preferably a digital signature of (a) the data, (b) the control block and (c) the signature control block against an algorithm and a key identified by the second algorithm identifier and the second key identifier. The data and the client control are transmitted from the client to the server during a given directory service operation, such as a “write” operation. In this embodiment, the first algorithm identifier specifies an encryption or signing algorithm registered in the directory service and the first key identifier specifies a key stored for use by the registered algorithm. The registered algorithm and the algorithm identified by the second algorithm identifier may be the same or different.
The particular server side control includes components that preferably are also components that comprise the client side control. The server control, however, does not generally include the signature control block or the signature.
Another feature of the present invention is the providing of a computer program product for use to facilitate secure access to a directory service of a client-server computer network. The computer program product typically executes in a client computer that is running an application. The computer network includes at least one server supporting the directory service. The computer program product comprises means for generating a digital signature over given data, a control block and a signature control block. The signature is generated by a signing algorithm and a key identified by an algorithm identifier and a key identifier in the signature control block. In addition, the computer program product includes means, responsive to a directory service operation initiated by the application, for transmitting the signed components (the data, control block and signature control block) from the client machine to the server.
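The client control described in the preceding paragraphs, modeled as an added example that is not code from the patent: the signature covers the data, the control block and the signature control block together, so a verifier rejects not only altered data but also a swapped algorithm or key identifier. HMAC-SHA256 stands in for the digital signature algorithm, and the registries, control type OID and key are constructed placeholders.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

# Constructed stand-ins for "an algorithm registered in the directory
# service" and "a key stored for use by the registered algorithm".
ALGORITHMS = {"hmac-sha256": hashlib.sha256}
KEYS = {"key-42": b"constructed-demo-key-not-for-real-use"}
CONTROL_TYPE = "1.2.3.4.5.6.7.8.9"  # placeholder OID, not from the page


def encode(*fields: bytes) -> bytes:
    # Length-prefix every field so the signed bytes parse unambiguously;
    # plain concatenation would let field boundaries shift.
    return b"".join(struct.pack(">I", len(f)) + f for f in fields)


@dataclass
class ClientControl:
    control_type: str
    algorithm_id: str      # first algorithm identifier (protects the data)
    key_id: str            # first key identifier
    sig_algorithm_id: str  # second algorithm identifier (for the signature)
    sig_key_id: str        # second key identifier
    signature: bytes = b""

    def control_block(self) -> bytes:
        return encode(self.control_type.encode(), self.algorithm_id.encode(),
                      self.key_id.encode())

    def signature_control_block(self) -> bytes:
        return encode(self.sig_algorithm_id.encode(), self.sig_key_id.encode())

    def signed_input(self, data: bytes) -> bytes:
        # (a) data, (b) control block, (c) signature control block
        return encode(data, self.control_block(), self.signature_control_block())


def sign(control: ClientControl, data: bytes) -> ClientControl:
    digestmod, key = ALGORITHMS[control.sig_algorithm_id], KEYS[control.sig_key_id]
    control.signature = hmac.new(key, control.signed_input(data), digestmod).digest()
    return control


def verify(control: ClientControl, data: bytes) -> bool:
    digestmod, key = ALGORITHMS.get(control.sig_algorithm_id), KEYS.get(control.sig_key_id)
    if digestmod is None or key is None:
        return False  # unknown algorithm or key identifier: reject, never guess
    expected = hmac.new(key, control.signed_input(data), digestmod).digest()
    return hmac.compare_digest(expected, control.signature)  # constant-time compare
```

A real deployment would replace the HMAC with an asymmetric signature so the server can verify without holding the client's signing key.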
Thus, a particular directory service typically includes a client computer that includes the capability of generating the client control and using the control during a particular directory service operation to secure data written to or retrieved from the directory. Preferably, the directory service conforms to the lightweight directory access protocol (LDAP).
The foregoing has outlined some of the more pertinent objects and features of the present invention. These objects should be construed to be merely illustrative of some of the more prominent features and applications of the invention. Many other beneficial results can be attained by applying the disclosed invention in a different manner or modifying the invention as will be described. Accordingly, other objects and a fuller understanding of the invention may be had by referring to the following Detailed Description of the Preferred Embodiment.