The invention relates to the field of client/server (also known as xe2x80x9cdistributedxe2x80x9d) computing, where one computing device (xe2x80x9cthe clientxe2x80x9d) requests another computing device (xe2x80x9cthe serverxe2x80x9d) to perform part of the client""s work.
Client/server computing has become more and more important over the past few years in the information technology world. This type of distributed computing allows a software process (e.g., the client) running on one machine to delegate some of its work to a software process (e.g., the server) running on another machine that might be, for example, better suited to perform that work. The client and server could also be separate software processes running on the same machine.
In such client/server systems, it is very important that the client and the server develop a sufficient level of trust in each other before they engage in a meaningful interaction, because the information that may be exchanged during the client""s request for server processing and/or the server""s processing result which is returned to the client may be highly sensitive information. Oftentimes, the client and the server have no prior relationship with each other and thus they must enter into some type of an initial conversation in order to determine whether they can trust each other before they disclose any potentially sensitive information. A good example of where this is particularly useful is when the client is a World Wide Web browser application sending electronic commerce requests over the Internet to a World Wide Web server application. On the initial interaction between these parties, the Web client and the Web server do not have any prior relationship and the Web client, for example, may be very reluctant to provide a credit card number to the Web server over the Internet.
It is known in the prior art to exchange credentials (i.e., digitally signed assertions by the credential issuer about the credential owner) between a client and a server in order to develop trust between them. A credential is signed by using the issuer""s private key and can be verified by using the issuer""s public key. The credential aggregates one or more attributes of the owner, each attribute consisting of a name/value pair and describing some property of the owner asserted by the issuer. Each credential also contains the public key of the credential owner. The owner can use the corresponding private key to answer challenges or otherwise demonstrate ownership of the credential. The owner can also use the private key to sign another credential owned by a third entity.
Thus, as is well known in the prior art, credentials may be combined into chains, where the owner of one credential is the issuer of the next credential in the chain. These chains can be submitted to trace a web of trust from a known entity (the issuer of the first credential in the chain) to the submitting entity, in whom trust needs to be established. The submitting entity is the owner of the last credential in the chain. The submitting entity can demonstrate ownership of that credential by demonstrating possession of the private key mate of the public key contained therein. The other supporting credentials are owned by entities with whom the submitting entity has direct or indirect relationships, and although they are not owned by the submitting entity, the submitting entity does keep and submit copies of them. Each supporting credential contains the public key whose private key mate was used to sign the next credential in the chain.
All the submitted credentials are relevant to demonstrating a (possible indirect) relationship between the submitting entity and the known entity that issued the first credential in the chain. The nature of that relationship can be inferred by inspecting the attributes of the credentials in the chain. Multiple chains can be submitted to establish a higher degree of trust or to demonstrate additional properties of the submitting entity and its relationships with known entities.
Prior art techniques for using credentials to establish mutual trust can be divided into two basic approaches. The first approach is described by A. Frier, P. Karlton, and P. Kocher, xe2x80x9cThe SSL 3.0 Protocolxe2x80x9d, Netscape Communications Corporation, Nov. 18, 1996; T. Dierks, C. Allen, xe2x80x9cThe TLS Protocol Version 1.0xe2x80x9d, draft-ietf-tls-protocol-06.txt, Nov. 12, 1998; S. Farrell, xe2x80x9cTLS Extensions for Attribute Certificate Based Authorizationxe2x80x9d, draft-ietf-tls-attr-cert-01.txt, Aug. 20, 1998. This approach will be referred to as the SSL approach, as it is used by SSL, TLS, and TLS with extensions for attribute-certificate-based authorization. In the SSL approach, the client and the server can exchange credentials as follows. The server initiates the negotiation by unilaterally disclosing a pre-selected credential. It can include a request for client credentials, including the type of credential the server can accept and, in the attribute-certificate case, a template indicating the required attributes.
The second approach is described by N. Ching, V. Jones, and M. Winslett, xe2x80x9cAuthorization in the Digital Library: Secure Access to Services across Enterprise Boundariesxe2x80x9d, Proceedings of ADL ""96 - - - Forum on Research and Technology Advances in Digital Libraries, Washington, D.C., May 1996, available at http://drl.cs.uiuc.edu/security/pubs.html; and also by M. Winslett, N. Ching, V. Jones, and I. Slepchin, xe2x80x9cUsing Digital Credentials on the World-Wide Webxe2x80x9d, Journal of Computer Security, 5, 1997, 255-267, available at http://drl.cs.uiuc.edu/security/pubs.html. We will call this second approach the digital credentials approach. In this approach, when a request for service is made by a client to a server without adequate credentials attached, the server sends to the client a policy governing that service. A policy is a credential formula, that is, a logical combination of required credentials and expressed constraints on the attributes that they contain. Policies can be used to characterize required properties of the submitting entity and its relationships with known entities. By receiving this policy as a request for credentials, the client has the opportunity to select in private credentials to submit to authorize service. By sending policies to clients, servers off-load credential selection. The practice also enables different servers to have very different policies, requiring different client attributes and accepting credentials issued by different authorities.
Both of these two prior art approaches support the server sending a request for credentials to the client, including a characterization of credentials that would be acceptable to the server. However, the present inventors have noted deficiencies in this present state of the art as follows.
In the SSL approach, there is no opportunity for the server to authenticate any information about the client before disclosing the server""s credential. The server may regard its credential as highly confidential, and thus, if the client and server fail to establish mutual trust, then the server has turned over to the client a highly sensitive (confidential) piece of information. Furthermore, if the credential disclosed by the server does not satisfy the client, the client has no opportunity to request additional credentials from the server. This can be a serious problem when the client and server have no prior relationship. In that case it is unlikely that any single credential issuer would be an acceptable authority on all server attributes of interest to all clients.
The shortcoming of prior systems based on the digital credentials approach arises with credentials that the client wishes to disclose only to servers in whom some degree of trust has already been established. Prior systems developed using the digital credentials approach have supported client-credential submission policies that partitioned services into equivalence classes and then, for each equivalence class, assigned each client credential to one of two categories. Credentials in the first category could be submitted with any service request in the equivalence class. Those in the second category could be submitted only after interactively consulting the user for authorization. These consultations permitted the user to move credentials from the second category to the first, enabling subsequent automatic submission. However, the mechanism is not fully automated in that it requires a user be available to make trust decisions when new service classes are contacted.
Within the context of the digital credentials approach, an alternative technique is briefly described by Winslett, et al. (cited above) whereby the client can require server credentials to unlock disclosure of its own credentials. That technique can be used to implement a negotiation in which there is a single request for credentials by each participant. Each service is associated with a policy that is sent to the client by the server when the client requests that service. When the scenario is reversed, it is unclear what purpose is intended by having servers present credentials to clients. One possibility is to establish client trust for the general purpose of interacting with the server. Another is to establish trust specifically to encourage clients to disclose their credentials. In the latter case, the approach could be used to enable a client to require credentials from the server prior to disclosing any of its own credentials to that server. However, it would be impossible for the server then to request client credentials before disclosing its own credentials. Doing so would introduce a cyclic dependence, bringing the negotiation to deadlock, because in this model all client credentials are governed by the same policy and, hence, any subsequent server request would lead to an identical request from the client.
According to a first aspect the present invention provides a data processing apparatus for use in a client/server network where a client data processing apparatus sends a data processing request to the server data processing apparatus and the server data processing apparatus performs data processing based on the request and returns a reply to the client data processing apparatus, the data processing apparatus comprising: storage means for storing a plurality of local site credentials; means for receiving a first credentials request from an opposing site data processing apparatus, the credentials requested by the first credentials request being local site credentials stored in the storage means that satisfy a first logical expression provided with the first credentials request; and means for sending to the opposing site data processing apparatus a second credentials request which is dependent upon the contents of the first credentials request, the credentials requested by the second credentials request being opposing site credentials that satisfy a second logical expression provided with the second credentials request.
According to a second aspect, the invention provides a method of operating the data processing apparatus of the first aspect.
According to a third aspect, the invention provides a computer program product stored on a computer readable storage medium for, when run on a computer, carrying out the method steps of the second aspect.
According to a fourth aspect, the invention provides a computer data signal embodied in a carrier wave, the signal having program elements for instructing a computer to carry out the method steps of the second aspect.
Thus, the present invention extends the prior art digital credentials approach to support a sequence of interdependent requests for credential disclosures. In order to allow for a sequence of interdependent requests for credential disclosures, different credentials must be governed.by different policies. The request for credentials that the client receives from the server is not for individual credentials, or even for a specific combination of credentials. Instead, it is for arbitrary credentials that satisfy a logical expression. In the present invention the incoming request for credentials is logically combined with the credentials actually possessed by the client, together with the access-control policy associated with each of those credentials, to derive a new request for opposing-site credentials. Thus, the present invention comprises any derivation of a respondent request for credentials from a local credential-access policy and an incoming request for credentials, except in the case where the respondent request is independent of the incoming request. And in the latter, excepted case, a sequence of incremental credential disclosures is impossible because of cyclic dependencies, as discussed above.
No prior solution explicitly recommends using credentials as a basis for governing credential disclosure. There is no mention of the problem of interdependencies between credentials and the need to require different credential-access policies for different policies to avoid certain deadlock. These are aspects of automating trust establishment between strangers who keep their credentials private that have been overlooked in the past.
There has also been no prior mention of dynamically synthesizing credential requests during trust establishment. Prior solutions have selected credential-request content from pre-existing policies.
The invention thus provides for fully automating trust negotiation between stranger data processing apparatuses who protect their credentials. Simple negotiation strategies can be applied immediately. More sophisticated techniques, which balance the concerns of successful negotiation and avoiding inadvertent disclosure of information about credentials held, can also be considered.
An important advantage provided by the present invention is that it enables trust to be established automatically, even when the parties involved require some knowledge of their counterparts before disclosing some of their credentials to them. In prior solutions, each participant had only one opportunity to present credentials within each negotiation, and one of the participants had to go first. Unlike prior solutions, the present invention does not require either negotiation participant to disclose its credentials all at once, without any knowledge of the other participant. To obtain a highly sensitive service, a client may have to submit a highly sensitive credential that it discloses only after first obtaining a moderately sensitive server credential. For this, the server may in turn require some less sensitive credential.
The present invention makes it possible to negotiate an arbitrary-length sequence of dependent credential exchanges.
In some cases, such a sequence can enable a higher degree of trust to be negotiated than can a single exchange. This makes the new solution potentially very important in the context of e-business (i.e., electronic business) among strangers, where automated business negotiations will require a high degree of trust that the participants will bargain in good faith and handle disclosed information appropriately.
The present invention provides a basis for automatic negotiation of incremental credential disclosure. It does this by associating with each credential held at a local site an access policy based on opposing-site credentials and by providing for the logical combination of that policy with incoming. requests for credentials to derive negotiation responses.