1. Field of the Invention
The present invention relates to an improved data processing system and, in particular, to a method and apparatus for multicomputer data transferring. Still more particularly, the present invention provides a method and apparatus for computer-to-computer authentication and authorization.
2. Description of Related Art
In virtually every networking system, an administrative system protects resources by restricting access to those resources, which requires authentication of a user when the user wants to access a protected resource. A large network within an enterprise may have many types of protected resources to be accessed: physical resources, such as client machines; and logical resources, such as computer programs. Each protected resource may have its own authentication scheme in which each user is assigned a username and password. Rather than inefficiently requiring users to remember numerous usernames and passwords, centralized authentication systems have been developed.
In a centralized authentication system, the user is required to sign on once, and the user is then provided with access to protected resources based on credentials stored on a global server. Whenever a protected resource needs to be accessed, the credentials are retrieved from the database on the global server and provided to a security service to authenticate the user. This generally occurs in the background without any intervention by the user and is usually termed a “single sign-on” (SSO) system.
Commercial use of the Internet is increasing dramatically. Web-based and Internet-based applications have become so commonplace that when one learns of a new product or service, one assumes that it will incorporate Internet functionality. One of the factors influencing the growth of the Internet is the adherence to open standards for much of the Internet infrastructure. Individuals, public institutions, and commercial enterprises alike are able to introduce new content, products, and services that are quickly integrated into the digital infrastructure because they can rely on common knowledge of open standards. For example, one open standard promulgated for protecting electronic information is the X.509 standard for digital certificates.
An X.509 digital certificate is an International Telecommunications Union (ITU) standard that has been adopted by the Internet Engineering Task Force (IETF) body. It cryptographically binds the certificate holder, presumably the subject name within the certificate, with its public cryptographic key. This cryptographic binding is based on the involvement of a trusted entity in the Internet Public Key Infrastructure (PKIX) called the “Certifying Authority”. As a result, a strong and trusted association between the certificate holder and its public key can become public information yet remain tamper-proof and reliable. An important aspect of this reliability is a digital signature that the Certifying Authority stamps on a certificate before it is released for use. Subsequently, whenever the certificate is presented to a system for use of a service, its signature is verified before the subject holder is authenticated. After the authentication process is successfully completed, the certificate holder may be provided access to certain information or services, i.e. the certificate holder may be authorized to access protected resources.
A standard for an X.509 Attribute Certificate has been proposed by which attribute certificates would be similar in structure to public key certificates but in which the attribute certificate would not contain a public key. An attribute certificate would be used to certify or otherwise securely bind a set of authorization capabilities to its subject holder. Those capabilities are possibly authenticated and then cryptographically verified by a target service sought by the holder of the attribute certificate, and the attribute certificate may then be used for authorized access to protected resources.
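The two steps described above, verifying the Certifying Authority's signature on a presented certificate before the subject holder is authenticated, and only then deciding what the holder may access, can be shown with Go's standard library. The following is an added example, not code from the original document: it constructs a throwaway Certifying Authority and a holder certificate, authenticates the holder by verifying the CA's signature, validity period and key usage, and then makes an authorization decision from an attribute carried in the certificate. The use of the subject's organizational unit as the authorization attribute, the policy table and all names and keys are assumptions made for this example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// demoPKI holds a constructed Certifying Authority and one holder certificate
// it has signed. Names and keys are generated here for illustration only.
type demoPKI struct {
	caCert    *x509.Certificate
	holderDER []byte
}

// newCert generates a fresh key pair and issues a certificate for it from tmpl.
// When signerKey is nil the certificate is self-signed (parent must be tmpl).
func newCert(tmpl, parent *x509.Certificate, signerKey *ecdsa.PrivateKey) ([]byte, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if signerKey == nil {
		signerKey = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signerKey)
	return der, key, err
}

// newDemoPKI builds a self-signed CA and one holder certificate signed by it.
func newDemoPKI() (*demoPKI, error) {
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Demo Certifying Authority"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caDER, caKey, err := newCert(caTmpl, caTmpl, nil)
	if err != nil {
		return nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}
	holderTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		// The OU stands in for an authorization attribute (assumption for this example).
		Subject:     pkix.Name{CommonName: "alice", OrganizationalUnit: []string{"payroll"}},
		NotBefore:   now.Add(-time.Hour),
		NotAfter:    now.Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	holderDER, _, err := newCert(holderTmpl, caCert, caKey)
	if err != nil {
		return nil, err
	}
	return &demoPKI{caCert: caCert, holderDER: holderDER}, nil
}

// authenticateHolder verifies the Certifying Authority's signature on the presented
// certificate, along with its validity period and key usage, before trusting its subject.
func authenticateHolder(presentedDER []byte, trustedCA *x509.Certificate) (pkix.Name, error) {
	cert, err := x509.ParseCertificate(presentedDER)
	if err != nil {
		return pkix.Name{}, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	_, err = cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return pkix.Name{}, err
	}
	return cert.Subject, nil
}

// policy maps an authorization attribute in the certificate to the protected
// resources it grants (constructed example policy, not from the document).
var policy = map[string][]string{
	"payroll": {"payroll-db"},
	"hr":      {"hr-records"},
}

// authorize decides access from an already authenticated subject only.
func authorize(subject pkix.Name, resource string) bool {
	for _, ou := range subject.OrganizationalUnit {
		for _, r := range policy[ou] {
			if r == resource {
				return true
			}
		}
	}
	return false
}

// tamperSubject alters the subject name inside the DER encoding: the certificate
// still parses, but the CA's signature no longer covers its contents.
func tamperSubject(der []byte) []byte {
	out := append([]byte(nil), der...)
	if i := bytes.Index(out, []byte("alice")); i >= 0 {
		out[i] = 'm' // "alice" becomes "mlice"
	}
	return out
}

func main() {
	pki, err := newDemoPKI()
	if err != nil {
		panic(err)
	}
	subj, err := authenticateHolder(pki.holderDER, pki.caCert)
	fmt.Println("genuine:", subj.CommonName, err, "payroll-db allowed:", authorize(subj, "payroll-db"))
	_, err = authenticateHolder(tamperSubject(pki.holderDER), pki.caCert)
	fmt.Println("tampered certificate rejected:", err != nil)
}
```

The order matters: the policy lookup is only ever fed a subject that came back from `authenticateHolder`, so a certificate whose signature does not verify, whose issuer is not the trusted CA, or that is outside its validity period never reaches the authorization step.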
Many legacy systems have been modified to operate with open standard functionality, such as X.509 certificates, so that system services are widely available yet secure. However, although an updated legacy system may be more conveniently accessed through the Internet or through a corporate intranet, there may be justifiable economic or personnel reasons for not modifying certain systems. Hence, many enterprises have legacy systems that are being maintained but not updated with new technologies.
As noted above, many administrative systems, including most legacy administrative systems, ensure secure access through the use of a password or other secret or secure information, such as biometric identifiers, that must be asserted together with a user's identity. Since an individual may have many identities on different legacy systems, an enterprise's information technology infrastructure may be confusing to the average user and relatively inconvenient to use. This presents a barrier to enterprise-wide goals of enhancing efficiency and workflow, compared with newer or updated interconnected systems that employ open standards for authentication and authorization.
Therefore, it would be advantageous to have a method and system in which secure user access to a legacy system could be provided through an interconnected system without the necessity of modifying the legacy system. It would be particularly advantageous to use the trusted relationships associated with digital certificates in order to authenticate and authorize user access to these legacy systems using a single sign-on methodology that employs digital certificates.