1. Field of the Invention
The present invention relates to a system for distributed group management for management of security of information relating to users and groups to which the users belong at the time of distributed processing among a plurality of computer systems.
Along with the advances made in computer networks in recent years, a demand has arisen for processing in which information is transferred among a plurality of computer systems, that is, remote processing. At the time of such remote processing, management of authentication and management of authorization based on that authentication, that is, security management, are indispensable.
On the other hand, looking at authorization, when there are many users requesting remote processing, the general practice has been to set a plurality of groups in the computer system, each including predetermined users. These correspond to the groups explained above. This makes it possible to manage the authorizations of many users very efficiently, for example, authorization for reading files and authorization for reading and writing files.
Note that the concept of a “group” has been widely known under the terms “role” or “privilege”. In the present invention, the term “group” will be used to represent these terms. This is because, no matter what term is used, the basic nature is the same, i.e., a plurality of users can belong to one group (in certain cases, one user can belong to a plurality of groups).
Almost all current authentication systems used for security management authenticate by means of (i) using secret information such as a password or secret key information, (ii) devising a special physical structure and issuing an article difficult to forge such as an IC card, or (iii) utilizing physical characteristics enabling identification of a specific person, for example, fingerprints or retina patterns.
However, there are problems when trying to use each of the means of authentication shown in the above (i) to (iii) directly, as they are, for the authentication of a group. For example, it is extremely difficult for the plurality of users making up a group to share the means of authentication in common. Also, there is the inconvenience that when a user leaves the group, it is extremely difficult to retrieve the means of authentication from that user.
In order to deal with this, use has been made of a security management technique comprised of a two-tier model, i.e., first authenticating the individual user by the means of authentication shown in the above (i) to (iii), then separately managing to which group the user belongs. This model is used in many computer systems, for example, for UNIX users and groups.
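As an added illustration of the two-tier model just described (this is constructed example code, not part of the patent text or of any UNIX implementation; the user names, password values, group names and file paths are made up), the following shows a single server that first authenticates the individual user by a password, then looks up the groups the user belongs to and derives the authorization (read, or read/write, on a file) from those groups. It also shows the practical consequence of the second tier: when a user leaves a group, only the user/group table is changed, and the user's own means of authentication does not have to be retrieved.

```python
"""Two-tier security management: authenticate the individual user first,
then resolve the groups the user belongs to and derive authorizations
from the groups. Constructed example in the spirit of UNIX users/groups;
the tables, passwords and file names are made up for illustration."""
import hashlib
import hmac
import os


def _pw_record(password: str):
    """Salted PBKDF2 record stored for one user (constructed helper)."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class GroupManager:
    """Local user/group/authorization tables, as one server would hold them."""

    def __init__(self):
        # Tier 1: per-user means of authentication (a password hash per user).
        self.credentials = {"alice": _pw_record("alice-pw"), "bob": _pw_record("bob-pw")}
        # Tier 2: user -> groups, managed separately from the credentials.
        self.groups = {"alice": {"staff", "audit"}, "bob": {"staff"}}
        # Authorizations are granted to groups, not users: group -> {file: modes}.
        self.acl = {"staff": {"/srv/readme.txt": "r"}, "audit": {"/srv/ledger.db": "rw"}}

    def authenticate(self, user: str, password: str) -> bool:
        """Tier 1: direct authentication of the individual user."""
        record = self.credentials.get(user)
        if record is None:
            return False
        salt, digest = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)
        return hmac.compare_digest(candidate, digest)

    def authorized(self, user: str, password: str, path: str, mode: str) -> bool:
        """Full two-tier check: authenticate, then test every group the user is in.
        `mode` is a string of required modes, e.g. "r" or "rw"."""
        if not self.authenticate(user, password):
            return False
        for group in self.groups.get(user, ()):
            granted = self.acl.get(group, {}).get(path, "")
            if all(m in granted for m in mode):
                return True
        return False

    def remove_from_group(self, user: str, group: str) -> None:
        """Leaving a group touches only tier 2; the user's credential is untouched."""
        self.groups.get(user, set()).discard(group)
```

Because authorizations hang off the group rather than the user, revoking a departing user's access to the group's files is a single table update, whereas under the one-tier model the shared means of authentication would have to be replaced for every remaining member.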
The present invention concerns a security management technique relating to authentication as described above.
2. Description of the Related Art
The conventional standard UNIX has the concepts of users and groups, but these groups exist locally in the corresponding servers. Accordingly, there is the disadvantage that a user requesting use of an authorization shared by such a group must first be authenticated as that user himself (or herself) at each server.
On the other hand, relating to the concept of users and groups, an information sharing management technique referred to as a network information service (NIS) is known. When this technique is used, it becomes possible to centrally manage a user/authentication information table, a user/group correspondence table, and a user/authorization correspondence table at a single NIS server for users of the plurality of servers.
However, even if that information sharing management technique is used, close communication must be guaranteed between the server and the NIS server, so this NIS server must be treated more like a server than a client from the viewpoints of the entity responsible for security management and of the structure of the organization. Also, even if that information sharing management technique is used, the disadvantage explained above, that the individual users must still be authenticated, remains.
As one technique for dealing with the above disadvantage that the individual users must still be authenticated in this way, the technique of indirect authentication is known. As one system incorporating such an indirect authentication technique, mainly into UNIX systems, a distributed authentication system referred to as “Kerberos” has been proposed in Reference 1 (John Kohl and B. Clifford Neuman, The Kerberos Network Authentication Service (Version 5), Internet Request for Comments RFC-1510, September 1993).
In this Kerberos distributed authentication system, users are directly authenticated centrally, not by the server performing the remote processing, but by another server referred to as a ticket server. After the direct authentication, the ticket server issues a ticket to each user. In this mechanism, the user presents the issued ticket to the original server in order to be indirectly authenticated. Such a mechanism is realized by a cryptographic technique.
Further, it is proposed to include group membership information in an extension field of Kerberos Version 5 in Reference 2 (B. Clifford Neuman, Proxy-Based Authorization and Accounting for Distributed Systems, in Proceedings of the Thirteenth International Conference on Distributed Computing Systems, pages 283–291, May 1993).
Under the above background, the known related art will be explained later by using FIG. 48 and FIG. 49. FIGS. 48 and 49 are views of a conventional system of distributed group management. As will be explained later by using these figures, there is the following problem.
An encryption function unit (34′) shown in the figure encrypts an original ticket (TC) by using a secret key. Accordingly, it is extremely difficult for a malicious third party to eavesdrop on the original ticket (TC) without knowing the secret key, so security is ensured.
However, encryption processing is in general slow, so considerable processing time is required. For this reason, there is the problem that the indirect authentication of the group cannot be carried out at high speed.
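As an added example of the indirect authentication mechanism described above (the ticket server that directly authenticates the user, the ticket carrying group membership as in Reference 2, and the original ticket encrypted under a secret key as in the encryption function unit), the following constructed code is not Kerberos, not the patent's system, and not taken from any figure. The users, passwords, groups and key are made up. Because the Python standard library has no block cipher, encryption is done with a stand-in: an HMAC-SHA256 keystream in counter mode, encrypt-then-MAC; a real deployment would use a block cipher in an authenticated mode, and the message flow is unchanged by that substitution.

```python
"""Indirect authentication with a ticket server: the ticket server
authenticates the user directly, then issues an encrypted ticket naming the
user and the user's groups; the resource server decrypts it with the shared
secret key and authorizes by group. Constructed example, not Kerberos and not
the patent's system. Encryption is a stdlib-only stand-in (HMAC-SHA256
keystream in counter mode, encrypt-then-MAC) for a real block cipher."""
import hashlib
import hmac
import json
import os
import struct
import time

TICKET_LIFETIME = 300  # seconds (constructed value)


def _pw_record(password: str):
    """Salted PBKDF2 record for one user (constructed helper)."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


# Ticket server's tables (constructed sample users and groups).
CREDENTIALS = {"alice": _pw_record("alice-pw"), "bob": _pw_record("bob-pw")}
USER_GROUPS = {"alice": ["staff", "audit"], "bob": ["staff"]}
# Secret key shared only by the ticket server and the resource server; the
# user never learns it, so a user can present a ticket but not read or forge one.
SERVER_KEY = hashlib.sha256(b"constructed demo key, not a real secret").digest()


def _subkeys(key: bytes):
    """Derive separate encryption and MAC keys from the shared secret."""
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: HMAC-SHA256(enc_key, nonce || counter) blocks."""
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(enc_key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output layout is nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes):
    """Return the plaintext, or None if the blob is malformed or the tag fails."""
    if len(blob) < 48:
        return None
    enc_key, mac_key = _subkeys(key)
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


def issue_ticket(user: str, password: str, now=None):
    """Ticket server: direct authentication, then a sealed ticket carrying the groups."""
    record = CREDENTIALS.get(user)
    if record is None:
        return None
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)
    if not hmac.compare_digest(candidate, digest):
        return None
    now = time.time() if now is None else now
    body = {"user": user, "groups": USER_GROUPS.get(user, []), "exp": now + TICKET_LIFETIME}
    return seal(SERVER_KEY, json.dumps(body).encode())


def authorize(ticket: bytes, required_group: str, now=None) -> bool:
    """Resource server: indirect authentication by ticket, then group-based authorization."""
    plaintext = unseal(SERVER_KEY, ticket)
    if plaintext is None:
        return False
    body = json.loads(plaintext)
    now = time.time() if now is None else now
    if now >= body["exp"]:
        return False
    return required_group in body["groups"]
```

The resource server never sees the user's password: it trusts the ticket because only a holder of the shared secret key could have produced a ticket whose tag verifies, which is the indirect authentication the text describes. The cost the text points to is visible in `authorize`, where every request must run the decryption and tag check before the group lookup can even begin.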