1. Field of the Invention
The present invention relates generally to the use of cryptography in a distributed data processing system and, more specifically, to an apparatus and method for transparently authenticating a client to multiple services and applications in such a distributed system.
2. Background Information
In a distributed data processing network system, the methodology employed to reliably verify the identity of a communicating device across the network prior to allowing the device to access system operations and resources is referred to as authentication. Access to the system may be needed for the purpose of, for example, communicating with other clients, retrieving secure information, or receiving a service. Distributed systems generally include various computer nodes interconnected by a communications medium. The computer nodes may include client nodes that are directly accessed by clients, e.g., workstations, and server nodes running specialized applications. These nodes, the processes running on these nodes, and the clients of the distributed system are commonly referred to as ‘principals.’ The authentication exchange is performed on behalf of the principals.
Some conventional network systems have been designed to reduce the number of authentication exchanges required. One method is to use a set of passwords in a configuration referred to as a ‘keychain.’ The operating system incorporates the keychain and the client gains access to the network services by using a keychain password at the time his workstation is booted.
However, this approach provides for only one keychain per operating system, or per workstation. This localized feature of the keychain precludes its use with other workstations or systems in the distributed network system. Moreover, the use of a single keychain results in a single level of access control to all application programs in the system for a given workstation and does not provide for different access rights in different applications for the client. The method stores client names and passwords only for network-based services and not for application programs. Thus, although single password access is provided to services, the client is required to authenticate himself to each program that is accessed thereafter.
In another conventional method, the client enters a single password when logging into the distributed data processing network system. In this method, a service is available only as part of the operating system of each local workstation, and is therefore not provided on the network as a distributed service. Moreover, this conventional service does not provide for passwords of choice for application programs or for network logins, but rather requires that all services accessed by the workstation synchronize their respective passwords with the platform password. If a client assigns the same value to all passwords, his rights to the applications are given away if his common password is compromised.
It can thus be seen from the foregoing that the conventional approaches to simplifying the authentication process have limited capabilities and flexibility. What is needed, therefore, is an apparatus and method for automatically authenticating a client to one or more selected application programs or services in a distributed network without compromising the security of the network or the confidentiality of the client's information.