SYSTEM AND METHOD OF PROXY AUTHENTICATION IN A SECURED NETWORK
CROSS-REFERENCE TO RELATED APPLICATIONS
This is a continuation of, and priority is claimed to, copending U.S. Patent Application having Ser. No. 09/490,199, a filing date of Jan. 24, 2000, for "System And Method Of Proxy Authentication In A Secured Network" of Swift et al. This co-pending U.S. Patent Application is commonly assigned herewith and is hereby incorporated herein by reference for all that it discloses.
BACKGROUND OF THE INVENTION
In a computer network environment, access to services is often restricted for security reasons, and a user attempting to access a server has to be authenticated before access can be granted. In many network systems, the user authentication process is based on the password of the user. User authentication prevents a malicious attacker from illegally gaining access to services by pretending to be an authorized user.
The requirement of user authentication for network security, however, can conflict with the need for delegation or appointing a proxy. There are many occasions in which a user intends to have another user or a service perform tasks on her behalf when she is not logged onto the network. For example, a user who will be out of her office for an extended period of time may want another user to access her files during her absence. Access to those files may be restricted to only the first user and require user authentication based on her password. Due to security concerns, the first user may not want to give her password to the second user. Without her password, however, the second user will not be able to access the files of the first user. If the first user does decide to give her password to the second user, she will be taking the risk that the second user may use her password for other unauthorized purposes in or after the supposed duration of the proxy authorization.
As another example, a user may submit a batch job to a batch service and then log off, expecting the batch service to run the batch job in the background without further attention of the user. To run the batch job, it is likely that the batch service will have to access services that the user submitting the batch job is authorized to access. Due to the requirement of user authentication for accessing services, however, the batch service cannot gain access to those services by simply holding itself out as the batch user.
Existing batch services solve this problem by taking approaches that are not satisfactory. Under one approach, the requirement for user authentication is simply waived. The operating system of the service is told to perform subsequent actions on the batch user's account without requiring authentication from that user. The problem with this approach is that all the computers running the batch jobs must be highly trusted and secure, because they can act as the user without authentication while the batch job is running. An alternative is to modify permissions on the objects that the batch job needs to access. It is, however, difficult to know in advance which objects will be accessed. Furthermore, the user may not have the authority to change the access permissions of the objects, such as when the security of the objects is managed by someone else.
Under another existing approach, the user's password is given to the batch service, which stores the password and uses it to instantiate the batch job. The aspect of requiring the user to give her password to another entity, in this case the batch service, causes serious security concerns. There may be many batch jobs submitted to the batch service by different users, and the batch service will store the passwords of all of those batch users. If an attacker breaks into the batch service, he will find out the passwords of all the batch users. He can then act as any of those batch users and authenticate properly because he knows the password of that user.
Besides the security concerns, this approach may also encounter problems when the user who submitted a batch job changes her password. Many batch jobs are run periodically or continuously for months or even years. During the lifetime of the batch job, it is possible that the user will change her password one or more times. If the user changes her password but forgets to notify the batch service of the new password, the batch service can no longer authenticate itself as the user. As a result, access to the services will be denied and the batch job will fail.
Accordingly, there is a need for a mechanism for one user in a secured network to allow another user or a service to act as her without requiring the first user to divulge her password or other secrets, and preferably such a mechanism allows such delegation or proxy to operate for an extended period without being affected by the user's changing her password.
SUMMARY OF THE INVENTION
In view of the foregoing, the present invention provides a method and system of controlling access to services in a network that enables an authorized proxy client to access a service on behalf of a user. To permit the proxy client to function as a proxy, the user first registers, with a trusted security server, proxy authorization information that identifies the proxy client and specifies the extent of proxy authority granted to it. When the proxy client wants to access a target service on behalf of the user, it sends a proxy access request to the trusted security server. The trusted security server checks the user's proxy authorization information to verify whether the request is within the proxy authority granted to the proxy client. If so, the trusted security server returns to the proxy client a data structure containing information that the target service can recognize to authenticate the proxy client for accessing the target service on behalf of the user.
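The three steps just summarised (the user registers the grant, the proxy client requests a proxy ticket, the proxy client presents it to the target service), as an added worked example in Python. It is not code from the patent or from any implementation of it. It assumes a simplified ticket that is tagged with an HMAC under the target service's long-term key rather than encrypted under that key as a Kerberos ticket would be, and the class names, principals (alice, batchsvc, fileserver, mailserver), keys and clock values are all constructed for the illustration. It goes slightly beyond the summary by also exercising the failure modes the background section cares about: a request outside the granted scope, a ticket replayed at a different service or by a different presenter, a stale ticket, an expired grant, and the user rotating her password between requests.

```python
# Added example: toy model of the proxy-authentication flow summarised above.
# Assumption: tickets are tagged with an HMAC under the target service's key
# rather than encrypted under it as a Kerberos ticket would be.
import hashlib
import hmac
import json
import secrets

TICKET_LIFETIME = 3600  # seconds a single proxy ticket stays valid


def _mac(key, body):
    """Tag the canonical JSON form of a ticket body under a service key."""
    return hmac.new(key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()


class TrustedSecurityServer:
    """The trusted security server (the KDC in the Kerberos embodiment)."""

    def __init__(self):
        self.service_keys = {}  # service name -> key shared with that service
        self.user_secrets = {}  # user -> password hash; never read when proxying
        self.proxy_grants = {}  # (user, proxy client) -> {"services", "expires"}

    def register_service(self, name, key):
        self.service_keys[name] = key

    def set_user_password(self, user, password):
        self.user_secrets[user] = hashlib.sha256(password.encode()).hexdigest()

    def register_proxy_authorization(self, user, proxy_client, services, lifetime, now):
        """Step 1: the user records who may act for her, for which services, how long."""
        self.proxy_grants[(user, proxy_client)] = {"services": frozenset(services),
                                                   "expires": now + lifetime}

    def proxy_access_request(self, proxy_client, user, target_service, now):
        """Step 2: issue a ticket only if the request is within the registered grant.
        The user's password plays no part, so the proxy client never needs to hold it."""
        grant = self.proxy_grants.get((user, proxy_client))
        if grant is None or now >= grant["expires"]:
            raise PermissionError("no current proxy authorization for this client")
        if target_service not in grant["services"]:
            raise PermissionError("target service is outside the granted proxy authority")
        key = self.service_keys[target_service]  # KeyError if the service is unknown
        body = {"client": proxy_client, "on_behalf_of": user, "service": target_service,
                "issued": now, "expires": min(now + TICKET_LIFETIME, grant["expires"]),
                "nonce": secrets.token_hex(8)}
        return {"body": body, "tag": _mac(key, body)}


class TargetService:
    def __init__(self, name, key):
        self.name, self.key = name, key

    def authenticate(self, ticket, presenting_client, now):
        """Step 3: verify the ticket and return the user the presenter acts for."""
        body = ticket["body"]
        if not hmac.compare_digest(_mac(self.key, body), ticket["tag"]):
            raise PermissionError("ticket was not issued under this service's key")
        if body["service"] != self.name or body["client"] != presenting_client:
            raise PermissionError("ticket does not match this service or presenter")
        if not body["issued"] <= now < body["expires"]:
            raise PermissionError("ticket is outside its validity window")
        return body["on_behalf_of"]


def _denied(action):
    try:
        action()
    except PermissionError:
        return True
    return False


def demo(now=1_000_000):
    """Run the flow plus the failure cases a practitioner would check."""
    kdc = TrustedSecurityServer()
    fkey, mkey = secrets.token_bytes(32), secrets.token_bytes(32)
    kdc.register_service("fileserver", fkey)
    kdc.register_service("mailserver", mkey)
    fileserver, mailserver = TargetService("fileserver", fkey), TargetService("mailserver", mkey)
    kdc.set_user_password("alice", "hunter2")
    # constructed scenario: alice lets batchsvc reach the file server on her behalf for a week
    kdc.register_proxy_authorization("alice", "batchsvc", {"fileserver"}, 7 * 86400, now)
    out = {}
    ticket = kdc.proxy_access_request("batchsvc", "alice", "fileserver", now)
    out["acts_for"] = fileserver.authenticate(ticket, "batchsvc", now)
    out["mail_denied"] = _denied(lambda: kdc.proxy_access_request("batchsvc", "alice", "mailserver", now))
    out["replay_at_mail_denied"] = _denied(lambda: mailserver.authenticate(ticket, "batchsvc", now))
    out["other_presenter_denied"] = _denied(lambda: fileserver.authenticate(ticket, "mallory", now))
    kdc.set_user_password("alice", "correct horse battery staple")  # alice rotates her password
    later = now + 3 * 86400
    fresh = kdc.proxy_access_request("batchsvc", "alice", "fileserver", later)
    out["after_rotation"] = fileserver.authenticate(fresh, "batchsvc", later)
    out["stale_ticket_denied"] = _denied(lambda: fileserver.authenticate(ticket, "batchsvc", later))
    out["grant_expired_denied"] = _denied(
        lambda: kdc.proxy_access_request("batchsvc", "alice", "fileserver", now + 8 * 86400))
    return out
```

Calling `demo()` returns a dictionary of outcomes: the file server learns that batchsvc is acting for alice, every out-of-scope, replayed, mis-presented, stale or expired case is refused, and the request made after alice changes her password still succeeds because neither the grant check nor the ticket depends on that password. The point worth noticing in the design is that the only secrets involved are the long-term keys the security server shares with each service; the proxy client holds nothing that would let it impersonate the user beyond the registered scope and lifetime.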
Additional features and advantages of the invention will be made apparent from the following detailed description of illustrative embodiments, which proceeds with reference to the accompanying figures.
BRIEF DESCRIPTION OF THE DRAWINGS
While the appended claims set forth the features of the present invention with particularity, the invention, together with its objects and advantages, may be best understood from the following detailed description taken in conjunction with the accompanying drawings of which:
FIG. 1 is a block diagram generally illustrating an exemplary computer system usable for forming a network system on which the present invention may be implemented;
FIG. 2 is a schematic diagram showing a system in which a proxy client is permitted to access a target service on behalf of a user in accordance with the invention;
FIG. 3 is a schematic diagram showing a network that implements network security based on the use of session keys and tickets for authentication;
FIG. 4 is a schematic diagram showing data exchange between a client and a key distribution center for establishing communication therebetween;
FIG. 5 is a schematic diagram showing a client requesting a session ticket for accessing a server;
FIG. 6 is a schematic diagram showing a client presenting a session ticket to a server for authentication.
FIG. 7 is a schematic diagram showing an embodiment of 5 the invention in which a user registers proxy authorization information with a key distribution center;
FIG. 8 is a schematic diagram showing the embodiment of FIG. 7 in which a proxy client obtains a ticket for accessing a target service on behalf of a user; and 10
FIG. 9 is a flowchart showing a process of proxy authentication in the embodiment of FIGS. 7 and 8.
DETAILED DESCRIPTION OF THE INVENTION
Turning to the drawings, wherein like reference numerals refer to like elements, the invention is illustrated as being implemented in a suitable computing environment. Although not required, the invention will be described in the general context of computer-executable instructions, such as program modules, being executed by a personal computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. Moreover, those skilled in the art will appreciate that the invention may be practiced with other computer system configurations, including hand-held devices, multi-processor systems, microprocessor based or programmable consumer electronics, network PCs, minicomputers, mainframe computers, and the like. The invention may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote memory storage devices.
With reference to FIG. 1, an exemplary system for implementing the invention includes a general purpose computing device in the form of a conventional personal computer 20, including a processing unit 21, a system memory 22, and a system bus 23 that couples various system components including the system memory to the processing unit 21. The system bus 23 may be any of several types of bus structures including a memory bus or memory controller, a peripheral bus, and a local bus using any of a variety of bus architectures. The system memory includes read only memory (ROM) 24 and random access memory (RAM) 25. A basic input/output system (BIOS) 26, containing the basic routines that help to transfer information between elements within the personal computer 20, such as during start-up, is stored in ROM 24. The personal computer 20 further includes a hard disk drive 27 for reading from and writing to a hard disk 60, a magnetic disk drive 28 for reading from or writing to a removable magnetic disk 29, and an optical disk drive 30 for reading from or writing to a removable optical disk 31 such as a CD ROM or other optical media.
The hard disk drive 27, magnetic disk drive 28, and optical disk drive 30 are connected to the system bus 23 by a hard disk drive interface 32, a magnetic disk drive interface 33, and an optical disk drive interface 34, respectively. The drives and their associated computer-readable media provide nonvolatile storage of computer readable instructions, data structures, program modules and other data for the personal computer 20. Although the exemplary environment described herein employs a hard disk 60, a removable magnetic disk 29, and a removable optical disk 31, it will be appreciated by those skilled in the art that other types of computer readable media which can store data that is accessible by a computer, such as magnetic cassettes, flash memory cards, digital video disks, Bernoulli cartridges, random access memories, read only memories, and the like may also be used in the exemplary operating environment.
A number of program modules may be stored on the hard disk 60, magnetic disk 29, optical disk 31, ROM 24 or RAM 25, including an operating system 35, one or more applications programs 36, other program modules 37, and program data 38. A user may enter commands and information into the personal computer 20 through input devices such as a keyboard 40 and a pointing device 42. Other input devices (not shown) may include a microphone, joystick, game pad, satellite dish, scanner, or the like. These and other input devices are often connected to the processing unit 21 through a serial port interface 46 that is coupled to the system bus, but may be connected by other interfaces, such as a parallel port, game port or a universal serial bus (USB). A monitor 47 or other type of display device is also connected to the system bus 23 via an interface, such as a video adapter 48. In addition to the monitor, personal computers typically include other peripheral output devices, not shown, such as speakers and printers.
The personal computer 20 may operate in a networked environment using logical connections to one or more remote computers, such as a remote computer 49. The remote computer 49 may be another personal computer, a server, a router, a network PC, a peer device or other common network node, and typically includes many or all of the elements described above relative to the personal computer 20, although only a memory storage device 50 has been illustrated in FIG. 1. The logical connections depicted in FIG. 1 include a local area network (LAN) 51 and a wide area network (WAN) 52. Such networking environments are commonplace in offices, enterprise-wide computer networks, intranets and the Internet.
When used in a LAN networking environment, the personal computer 20 is connected to the local network 51 through a network interface or adapter 53. When used in a WAN networking environment, the personal computer 20 typically includes a modem 54 or other means for establishing communications over the WAN 52. The modem 54, which may be internal or external, is connected to the system bus 23 via the serial port interface 46. In a networked environment, program modules depicted relative to the personal computer 20, or portions thereof, may be stored in the remote memory storage device. It will be appreciated that the network connections shown are exemplary and other means of establishing a communications link between the computers may be used.
In the description that follows, the invention will be described with reference to acts and symbolic representations of operations that are performed by one or more computers, unless indicated otherwise. As such, it will be understood that such acts and operations, which are at times referred to as being computer-executed, include the manipulation by the processing unit of the computer of electrical signals representing data in a structured form. This manipulation transforms the data or maintains it at locations in the memory system of the computer, which reconfigures or otherwise alters the operation of the computer in a manner well understood by those skilled in the art. The data structures where data is maintained are physical locations of the memory that have particular properties defined by the format of the data. However, while the invention is being described in the foregoing context, it is not meant to be limiting, as those of skill in the art will appreciate that various of the acts and operations described hereinafter may also be implemented in hardware.
Referring now to FIG. 2, the present invention is directed to a mechanism by which a user 70 of a computer network 72 is