1. Field of the Invention
This invention relates to computer systems which employ a peer-to-peer bus architecture, and in particular to secure communications between the devices coupled to the peer-to-peer bus in such systems.
2. Description of the Related Art
William Stallings, in his textbook Network and Internetwork Security: Principles and Practice (1995, Prentice Hall), which is hereby incorporated by reference in its entirety as though fully set forth herein, cites a National Research Council report as follows: "Security is a concern of organizations with assets that are controlled by computer systems. By accessing or altering data, an attacker can steal tangible assets or lead an organization to take actions it would not otherwise take. By merely examining data, an attacker can gain a competitive advantage, without the owner of the data being any the wiser." Stallings goes on to define computer security as "the generic name for the collection of tools designed to protect data and to thwart hackers." Stallings defines several computer security services such as confidentiality, integrity, authentication, and access control.
Stallings says that "confidentiality requires that the information in a computer system and transmitted information be accessible only for reading by authorized parties. This type of access includes printing, displaying, and other forms of disclosure, including simply revealing the existence of an object. Confidentiality is the protection of transmitted data from passive attacks." Thus, confidentiality services are primarily concerned with preventing unauthorized parties from accessing confidential information. Confidentiality may also be referred to as secrecy or privacy. One common form of a confidentiality service is data encryption.
Stallings says that "integrity requires that computer system assets and transmitted information be capable of modification only by authorized parties. Modification includes writing, changing, changing status, deleting, creating, and the delaying or replaying of transmitted messages." Stallings says that, "In the context of network security, access control is the ability to limit and control the access to host systems and applications via communications links. To achieve this control, each entity trying to gain access must first be identified, or authenticated, so that access rights can be tailored to the individual." Thus, the issues of integrity and access control are concerned with identification, authentication and authorization. Typically, a user or entity must identify itself when requesting to modify information, and an authorization service validates whether or not the identity is authorized to perform the modification.
Often, prior to validation of a requester's authorization, the identity of the requester must be authenticated. As Stallings says, "the authentication service is concerned with assuring that a communication is authentic. Authentication is a procedure to verify that received messages come from the alleged source and have not been altered." That is, authentication concerns itself with the question: is the entity making the request really who it says it is and has the request been altered? Techniques for performing authentication include cryptographic checksums, hash functions, digital signatures, and message encryption via secret keys, or passwords, public/private keys, etc. These techniques are well known in the art of network security and are described in detail in Stallings.
FIG. 1 shows a traditional computer system 10, such as may be part of a network or internetwork whose security is discussed in the Stallings reference. The computer system 10 includes a plurality of devices 12 coupled to an I/O bus 14. For example, one of the devices 12 is a network interface card (NIC) 12a which receives a request 18 for data from a remote source. An example of the remote source may be another computer coupled to the computer 10 by a local area network, such as an Ethernet or Token Ring network. The requested data in the example may reside on a disk drive 12b also coupled to the I/O bus 14.
The network interface card 12a communicates the remote request 18 to an operating system 16 executing on the central processing unit (CPU) of the system 10. In the traditional system, the operating system 16 executing on the system CPU is largely responsible for providing the security services such as confidentiality, access control and integrity, and authentication as follows.
The remote request 18 includes information identifying the source of request 18. The operating system 16 executing on the system CPU uses the identify information to validate the requesting source's authority to make the request 18 to read the requested data. For example, a machine ID and/or user name may be looked up in an authorization table to determine if the requester is authorized to access the data. If not, the request 18 is rejected. The authorization determination made by the operating system 16 may also include making distinctions based upon the type of operation requested in the request 18. For example, the request source may be authorized to read data but not to write data. Thus, the operating system 16 may reject a write request but perform a read request, for example.
Furthermore, request 18 may include authentication information, also referred to as an "authenticator." The authenticator enables the operating system 16 executing on the system CPU to authenticate whether or not request 18 did indeed come from the remote source whose identity is included in the request 18. The authenticator may be a cryptographic checksum, which is a public function of the request and a secret key known by the request source, included by the request source in the request 18. Cryptographic checksums are also referred to as message authentication codes (MACs). The operating system 16, knowing the secret key also, recomputes the checksum and compares it with the checksum in the request 18. The authenticator may also be a hash code. Hash codes are also referred to as message digests. A hash code is a function of all the bits of the message and provides an error detection capability. The authenticator may also be a digital signature.
Furthermore, the message itself may be encrypted by the remote request 18 source using a secret key (e.g., password) or private key. The encryption provides privacy from unauthorized persons who may be snooping the network to illicitly capture confidential information. In this case, the operating system 16 executing on the system CPU may authenticate the request 18 by decrypting the request 18 using the same secret key used by the request source or by using the public key associated with the private key. In this case, the entire encrypted request 18 itself serves as the authenticator. The fact that the remote request 18 is encrypted provides confidentiality, i.e., secrecy or privacy, of the request 18.
Thus, the operating system 16 executing on the system CPU receives the request 18 from NIC 12a. If request 18 is encrypted, the operating system 16 decrypts the message and potentially performs authentication based upon the decryption. If some other authenticator is present, such as a checksum or hash code, the operating system 16 performs authentication on the request 18 using the proper authenticator. If the request 18 is not authentic, the operating system 16 rejects the remote request 18. The operating system 16 (executing on the system CPU) then determines if the remote source is authorized to receive the requested data. If not, the operating system 16 rejects the remote request 18.
If the remote source is authorized, the operating system 16 determines if the requested data exists and, if so, requests the data from, e.g., disk 12b. The operating system 16 executing on the system CPU encrypts the data, possibly includes an authenticator with the data, and forwards the data to NIC 12a. NIC 12a forwards the encrypted and authenticated data to the remote source. Thus in traditional systems, the security services for data communications between devices are primarily performed by the operating system 16 executing on the system CPU.
As device and bus technology become more intelligent, a new paradigm of I/O device communication is emerging. This paradigm is direct I/O device communication, or peer-to-peer communication. In the peer-to-peer I/O device communication paradigm, the I/O devices within a system communicate data between one another directly, that is, without the involvement of the operating system. In view of the discussion of security services above, it is apparent that bypassing the operating system, as is done in peer-to-peer bus architectures, removes opportunity for the operating system to perform the security services.
FIG. 2 illustrates a computer system 20 in which intelligent devices 22 are coupled together by an I/O bus 24. The intelligent devices may include intelligent input/output processors (IOP) 30. For example, the I/O bus 24 may be a Peripheral Component Interconnect (PCI) bus and the devices 22 may be devices which conform to the Intelligent I/O (I.sub.2 O) Specification Draft 1.5 of March 1997 which is hereby incorporated by reference.
In system 20 of FIG. 2, the NIC 22a receives a remote request 28 like the request of FIG. 1. However, in system 20, NIC 22a makes a request for data directly to the disk 22b, rather than making the request to the operating system 26. In response, the disk 22b provides the data to the NIC 22a, without the intervention of the operating system 26. This new paradigm potentially improves the data throughput and transfer speeds of the system. However, with the operating system 26 no longer involved in the validation, encryption, and authentication of the transfer, potential security problems exist such as unauthorized access to, tampering with, or snooping of the data.
Another example of a data communication using the peer-to-peer paradigm is a fast restore of a disk drive from a tape backup. In this scenario, an intelligent tape drive transfers data directly to an intelligent disk drive to restore lost data onto a new disk installed to replace a failed disk. This peer-to-peer operation may drastically improve performance of the restore operation since the operating system need not be involved in the data transfer. However, the possibility exists for an unauthorized I/O device on the bus to write to the disk drive and destroy valid data since no security means are in place via the operating system.
Another example of a data communication using the peer-to-peer paradigm is a transfer of video information, such as a copyrighted movie, from an intelligent storage device directly to an intelligent video device on an I/O bus. The possibility exists for an unauthorized I/O device on the bus, such as an intelligent digital video disk (DVD) writer to snoop the bus during the data transfer and pirate the movie since no security means are in place via the operating system. Similarly, an unauthorized device might snoop key strokes coming from a keyboard connected to a system via a Universal Serial Bus (USB).
An important aspect of system administration in large networked facilities is the ability to perform the system administration remotely from a central system administration location. Examples of the system administration include diagnosing system problems and performing software upgrades or firmware upgrades of system components remotely. Traditionally, the operating system or Basic Input Output System (BIOS) of the remote system is used to perform security services during remote administration. However, in a peer-to-peer paradigm, the operating system or BIOS can no longer provide the security services. Therefore, a method for providing security in a peer-to-peer communication system is desired.