Through a computer network, multiple computers may be linked together to allow the computers to communicate with each other and to share data, applications, files, and other resources such as printers and modems. A typical computer network can be analogized to a wheel having a hub and spokes. Generally, the hub comprises a centralized computer called a "server" to administer communications and to manage centralized resources and data. The services of the server are shared and accessed by other computers, usually referred to as "clients," which constitute the spokes. Such an arrangement is referred to as a client/server computer network.
Clients and the server typically interface by sending messages (e.g. requests and responses) in the form of message packets. A message packet contains a series of fields in a format recognized within the network. For example, a message packet can contain the following series of fields: a packet header that identifies the length of the message and provides other network-specific information, a request code that designates the particular type of procedure being requested, and data that carries the information relevant to the message.
Sometimes an intruder can forge message packets and thereby gain unauthorized access within the network. Unauthorized access can take a variety of forms. For example, an outsider having no legitimate access to the network at all could gain entry to it. Alternatively, a user having limited network access could gain access to restricted information in the network. Whatever the form of unauthorized access, an intruder could conceivably retrieve sensitive or secret data within the network. In addition, an intruder could intentionally or inadvertently modify, delete, or otherwise sabotage critical data or functions within the network.
One system for protecting sensitive information within a network is disclosed in U.S. Pat. No. 4,349,642 to Kingdon. In general terms, the system disclosed in Kingdon authenticates message packets in a client/server network as follows:
1. When the client initiates a session by logging on to the network, both the client and the server store a code called a "session key" that is unique to the client and the session.
2. As the client communicates on the network, the client sends a message to the server, known as a request. Appended to the request is a message signature derived from the session key and the request itself. Therefore, the message signature is unique to the client, the session, and the request.
3. Upon receiving the appended request, the server strips the message signature and calculates its own message signature using the request and the session key. If the calculated message signature and the received message signature match, the server processes the request.
4. After the request has been processed, the server prepares a response message. Appended to the response is another message signature generated from the response and the session key.
5. Upon receiving the appended response, the client strips the message signature and calculates its own message signature using the response and the session key. If the calculated signature and the response signature match, the message transaction has been successfully completed and the client can begin a new transaction with the server.
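The packet layout described above (header, request code, data) and the five-step signed exchange, carried through as an added example. This is not code from the Kingdon patent or from this page; the field widths, the use of HMAC-SHA256 truncated to 8 bytes as the signature function, the echo service behind request code 0x01, and the `Server`/`Client` class names are all assumptions made here for illustration, since the page names the fields and the steps but not the concrete encoding or signature algorithm.

```python
import hashlib
import hmac
import os
import struct

# Assumed packet layout (the page names these fields but not their widths):
#   header       = 2-byte big-endian total length + 2-byte network-specific info
#   request code = 1 byte
#   data         = remaining bytes
# The message signature appended to a packet is HMAC-SHA256 over the packet,
# keyed with the session key and truncated to SIG_LEN bytes (assumption).
HEADER_FMT = ">HH"
HEADER_LEN = struct.calcsize(HEADER_FMT)
SIG_LEN = 8


def build_packet(request_code: int, data: bytes, net_info: int = 0) -> bytes:
    """Header (length, net info) + request code + data."""
    length = HEADER_LEN + 1 + len(data)
    return struct.pack(HEADER_FMT, length, net_info) + bytes([request_code]) + data


def parse_packet(packet: bytes) -> dict:
    """Split a packet into its fields, checking the header length field."""
    if len(packet) < HEADER_LEN + 1:
        raise ValueError("short packet")
    length, net_info = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    return {"length": length, "net_info": net_info,
            "request_code": packet[HEADER_LEN], "data": packet[HEADER_LEN + 1:]}


def sign(session_key: bytes, packet: bytes) -> bytes:
    """Message signature derived from the session key and the message (steps 2 and 4)."""
    return hmac.new(session_key, packet, hashlib.sha256).digest()[:SIG_LEN]


def append_signature(session_key: bytes, packet: bytes) -> bytes:
    return packet + sign(session_key, packet)


def strip_and_verify(session_key: bytes, signed: bytes):
    """Steps 3 and 5: strip the signature, recompute it, return the packet or None."""
    if len(signed) < HEADER_LEN + 1 + SIG_LEN:
        return None
    packet, received_sig = signed[:-SIG_LEN], signed[-SIG_LEN:]
    # Constant-time comparison so signature matching does not leak by timing.
    if not hmac.compare_digest(sign(session_key, packet), received_sig):
        return None
    return packet


class Server:
    def __init__(self):
        self.sessions = {}  # client id -> session key

    def logon(self, client_id: str) -> bytes:
        """Step 1: both sides store a session key unique to this client and session."""
        key = os.urandom(16)
        self.sessions[client_id] = key
        return key

    def handle(self, client_id: str, signed_request: bytes):
        """Steps 3 and 4: verify the request, process it, sign the response."""
        key = self.sessions[client_id]
        packet = strip_and_verify(key, signed_request)
        if packet is None:
            return None  # signature mismatch: request is not processed
        req = parse_packet(packet)
        # Toy service (assumption): request code 0x01 echoes the data in upper case.
        data = req["data"].upper() if req["request_code"] == 0x01 else b"unknown request"
        return append_signature(key, build_packet(0x80 | req["request_code"], data))


class Client:
    def __init__(self, client_id: str, server: Server):
        self.client_id, self.server = client_id, server
        self.key = server.logon(client_id)  # step 1, client side

    def transact(self, request_code: int, data: bytes):
        """Steps 2 and 5: sign the request, verify the signed response."""
        signed_req = append_signature(self.key, build_packet(request_code, data))
        signed_resp = self.server.handle(self.client_id, signed_req)
        if signed_resp is None:
            return None
        resp = strip_and_verify(self.key, signed_resp)
        return None if resp is None else parse_packet(resp)["data"]


def demo():
    """Honest transaction, then two forgery attempts that the server rejects."""
    server = Server()
    client = Client("alice", server)
    ok = client.transact(0x01, b"hello")  # b"HELLO"
    # Intruder captures a signed request and alters the data field in place.
    signed = append_signature(client.key, build_packet(0x01, b"hello"))
    tampered = signed[:HEADER_LEN + 1] + b"HACKS" + signed[HEADER_LEN + 1 + 5:]
    rejected_tamper = server.handle("alice", tampered)  # None
    # Intruder without the session key signs with a guessed key.
    forged = append_signature(b"guess", build_packet(0x01, b"hello"))
    rejected_forge = server.handle("alice", forged)  # None
    return ok, rejected_tamper, rejected_forge


if __name__ == "__main__":
    print(demo())
```

Both forgeries fail at step 3 because the intruder cannot produce a signature that matches the one the server recomputes from its own copy of the session key; the honest exchange completes steps 1 through 5. The page gives no detail of Kingdon's signature function, so HMAC is a stand-in for "a signature derived from the session key and the message", not a description of the patented scheme.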
While the system disclosed in Kingdon effectively prevents message packet forgery, it can be time consuming. Each of the steps and calculations adds overhead and introduces delay in the transfer of messages. Individually, such signature authentication may result in a relatively small delay. However, the cumulative effect of delaying the thousands or millions of messages transferred within a computer network can result in a significant and problematic total delay.