1. Field of the Invention
The invention is related to the field of security systems, and in particular, to an object-based security system for computing and communications systems.
2. Statement of the Problem
Computer and communication system security has become of paramount importance with the increase in the use of such systems across all aspects of industry. Numerous security tools are available for these systems, but unfortunately, the current tools exhibit numerous shortcomings.
Current security products are designed to work as a single integrated package with their own feature set. If an improved security feature is made available in a different product, then the user must wait for their product to include the new feature or buy the other product. There is a need for security products to be abstracted behind a client interface so security features can be upgraded without replacing the security system.
Current security products are also difficult for application programmers to design against. For example, the programmer writing communications software for a personal computer must understand all of the messaging and interaction required to interface with the security product. There is a need for security products that offer simple interfaces to application software developers.
Current security products typically apply security at a single communications layer. There is a need for security tools that apply security at multiple layers of interprocessor communications.
The invention solves the above problems with methods and software products that authenticate processes and inter-process messaging in computer or communications systems. Some examples of the invention operate as follows in an environment comprised of a first computer system, a second computer system, and a security system. In the first computer system, a process transfers a log-in request to a security object. The security object transfers a request to authenticate the process to the security system. The security system authenticates the process and generates a security association. In some versions of the invention, the security association is a random number. The security system stores the security association and transfers the security association to the security object in the first computer system.
In the first computer system, the security object transfers the security association to the middleware. The middleware subsequently receives a message from the process for transfer to the second computer system. The middleware inserts the security association into the message and transfers the message to the middleware in the second computer system.
In some examples of the invention, the security object in the first computer system transfers the security association to a transport layer in the first computer system. The transport layer receives the message from the middleware in the first computer system for transfer to the second computer system. The transport layer inserts the security association into the message and transfers the message to the transport layer in the second computer system. In the second computer system, the transport layer extracts the security association from the message and transfers the security association to the security system. The security system checks the security association extracted from the message with the stored security association to authenticate the message.
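The exchange described above, simulated end to end as an added example (this is illustrative code written for this page, not code from the patent or any product it describes). The security system, security object, middleware and transport are modelled as classes; the process name `mail_client`, the credential store, the `mw_sa`/`tp_sa` field names and the message layout are all assumptions made for the simulation. The security association is a random value, as in the patent, and the receiving side authenticates a message by comparing the extracted association with the stored one; a forged association is rejected at the first layer that checks it.

```python
"""Simulation of process login and three-layer message authentication."""
import hmac
import secrets

# Constructed sample credential store: process name -> password.
CREDENTIALS = {"mail_client": "s3cret-pass"}


class SecuritySystem:
    """Authenticates processes and stores one security association per process."""

    def __init__(self, credentials):
        self._credentials = dict(credentials)
        self._associations = {}

    def authenticate(self, process_name, password):
        expected = self._credentials.get(process_name)
        if expected is None or not hmac.compare_digest(expected, password):
            return None
        association = secrets.token_hex(16)  # random security association
        self._associations[process_name] = association
        return association

    def check(self, process_name, association):
        """Compare an association extracted from a message with the stored one."""
        stored = self._associations.get(process_name)
        return stored is not None and hmac.compare_digest(stored, association)


class SecurityObject:
    """Thin client in the first system: the process only supplies a password."""

    def __init__(self, security_system, process_name):
        self._system = security_system
        self.process_name = process_name

    def login(self, password):
        association = self._system.authenticate(self.process_name, password)
        if association is None:
            raise PermissionError(f"authentication failed for {self.process_name}")
        return association


class Middleware:
    """Inserts the association into outgoing messages, checks it on incoming ones."""

    def __init__(self, security_system):
        self._system = security_system
        self.association = None  # handed over by the security object after login

    def send(self, process_name, body):
        return {"process": process_name, "mw_sa": self.association, "body": body}

    def receive(self, message):
        if not self._system.check(message["process"], message.get("mw_sa") or ""):
            raise PermissionError("middleware: bad security association")
        return message["body"]


class Transport:
    """Wraps the middleware message in a frame that carries the association again."""

    def __init__(self, security_system):
        self._system = security_system
        self.association = None

    def send(self, message):
        return {"tp_sa": self.association, "payload": message}

    def receive(self, frame):
        payload = frame["payload"]
        if not self._system.check(payload["process"], frame.get("tp_sa") or ""):
            raise PermissionError("transport: bad security association")
        return payload


def run_exchange(password="s3cret-pass", tamper=False):
    """Return the body delivered in the second system, or the rejection reason."""
    system = SecuritySystem(CREDENTIALS)
    try:
        # First computer system: login, then hand the association to both layers.
        association = SecurityObject(system, "mail_client").login(password)
        mw1, tp1 = Middleware(system), Transport(system)
        mw1.association = tp1.association = association
        frame = tp1.send(mw1.send("mail_client", "hello"))
        if tamper:
            frame["payload"]["mw_sa"] = "0" * 32  # forged middleware-layer association
        # Second computer system: transport checks first, then middleware.
        mw2, tp2 = Middleware(system), Transport(system)
        return mw2.receive(tp2.receive(frame))
    except PermissionError as exc:
        return str(exc)


if __name__ == "__main__":
    print(run_exchange())                     # hello
    print(run_exchange(tamper=True))          # middleware: bad security association
    print(run_exchange(password="wrong"))     # authentication failed for mail_client
```

The association is checked by equality at every layer that carries it, so anyone who can read it off the wire can attach it to their own messages; the simulation has no wire, and the scheme as described relies on the association not being disclosed between the two systems.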
Some examples of the invention include software products. One software product comprises security software and middleware software stored on a software storage medium. The security software directs a processor to receive a log-in request for a process, generate a request to authenticate the process, transfer the request to authenticate the process, receive a security association for the process, and transfer the security association. The middleware software directs the processor to receive the security association from the security software, receive a message from the process, insert the security association into the message, and transfer the message.
Another software product comprises security software stored on a software storage medium. The security software directs a processor to receive a request to authenticate a process, authenticate the process, generate a security association for the process, store the security association, transfer the security association, receive the security association extracted from a message, and check the security association extracted from the message with the stored security association to authenticate the message.
The invention authenticates processes and inter-process messaging. The processes could be in an end-user's computer to provide access to a network. The processes could also be in a network system without any end-user. In some examples of the invention, security is performed in three layers: the application layer, the middleware layer, and the transport layer. The three layers of security provide a highly secure environment.
One advantage of the security system is the ease with which processes can be developed and installed for use within a highly secured environment. The programmer need only design their process to provide a password to a local security object. The use of middleware provides an easy message interface to the programmer for this purpose. The security objects and middleware then handle the authentication of both the process and messages sent and received by the process. System users and devices only need the relatively thin client security objects, middleware, and transport software to operate in a highly secured environment.
The local security objects also provide a thin client interface to a robust security toolkit. The security features are abstracted behind the client interface and can be conveniently updated for a user without changing out the user's security system. Thus, the user is provided a true choice of advances in security technologies.