The present invention is generally directed to secure communications in a multinode, distributed data processing system. More particularly, the present invention is directed to the use of asymmetric cryptography to establish a secure path protected via symmetric key cryptography. Even more particularly, the present invention is directed to a system and method for identifying a client's network identity in a distributed, multinode data processing environment.
In typical Reliable Scalable Cluster Technology (RSCT) environments, client-server authentication uses the so-called Host-Based Authentication (HBA) public key infrastructure to authenticate an application client to an application server. The HBA public keys are exchanged between hosts such that trust is established between them in order for the host accepting the application client's identity to trust the client's network identity provided to the application server by the host initiating the client authentication session.
It is noted, however, that public key cryptography is very computational intensive and, as a consequence, slow. In a large cluster environment, where performance scaling is important, the public key cryptography processing performed by the HBA mechanism often has a large performance impact. In contrast, symmetric key encryption, where the same or closely related keys, are used for both encryption and decryption are processed in times that are hundreds or even thousands of times faster than the algorithms required for asymmetric key processing, including public key processing.
In the present discussion, it is noted that the more generic term “symmetric key cryptography” is used rather than the term “private key cryptography” since the term “private key” is found in asymmetric or public key cryptography to distinguish it from the “public key” also found in this more complicated cryptographic system. Symmetric key cryptography, as that term is employed herein, is also sometimes referred to as “secret key” cryptography.
From the above, it is therefore seen that there exists a need in the art to overcome the deficiencies and limitations described herein and above.
In accordance with a preferred embodiment of the present invention, a method is provided for identifying a client's network identity in a distributed, multinode data processing environment. The method comprises the steps of establishing, using public key cryptography, a trust relationship between a first node and a second node in the environment. The first node includes an application client and the second node includes an application server. Upon establishing the trust relationship between the first node (or host) and the second node, there is also established a symmetric key cryptographic system between the first node and the second node, for subsequent use by the cluster security infrastructure for the purpose of providing the application client's network identity to the application server. The application server is now particularly able to determine the client's network identity with a high degree of trust based only on symmetric key cryptography instead of asymmetric key cryptography.
In the present invention, the effect is thus to replace public key cryptography with symmetric key cryptography for the purpose of authenticating application clients to application servers, while at the same time maintaining the same high level of trust between the hosts in the cluster, as provided by public key cryptography. In short, computationally more intense public key cryptography is used to establish computationally less challenging symmetric key cryptographic paths which are thus enabled for longer term communication interchanges. In the present invention a symmetric key is used for establishing the identity of an application client to the application server, that is, it is used to create a secure context between the two. This is in contrast to systems employing a combined shared key which is used to provide message authentication, only after the identity of an application client is established, to the application server (in other words, once the secure context between the client and the server has already been established).
Additional features and advantages are realized through the techniques of the present invention. Other embodiments and aspects of the invention are described in detail herein and are considered a part of the claimed invention.
The recitation herein of desirable objects which are met by various embodiments of the present invention is not meant to imply or suggest that any or all of these objects are present as essential features, either individually or collectively, in the most general embodiment of the present invention or in any of its more specific embodiments.
The subject matter which is regarded as the invention is particularly pointed out and distinctly claimed in the concluding portion of the specification. The invention, however, both as to organization and method of practice, together with the further objects and advantages thereof, may best be understood by reference to the following description taken in connection with the accompanying drawings in which:
In the discussion below there is a description of the Host-Based Authentication (HBA) security mechanism as employed herein. In particular, in
As a result of the authentication process, a security context is established between application client 105 and application server 205. The security context provides a client network identity to server 200 and session (symmetric) keys 115 and 215 for the purpose of signing/encrypting subsequent messages exchanged between application client 105 and application server 205.
A significant aspect of the present process is the fact that HBA (which the ctcasd daemons implement) uses public key cryptography in order to create the security context between application client 105 and application server 205. As mentioned above, the HBA public key establishes trust between the hosts for the purpose of determining a client's network identity. The gist of the present invention is to replace the public key cryptography used for the purpose of authenticating a client or server, with subsequent interchanges involving symmetric key cryptography. In other words, the present idea is to create a trust session between the hosts that use symmetric keys (and symmetric key cryptography) instead of public keys (and asymmetric key cryptography). Basically, the hosts where the application clients and servers run establish and manage trust sessions that expire and are renewed at preset intervals, or as otherwise required. Once a trust session is established, symmetric key cryptography is used in place of asymmetric key cryptography for the purpose of determining the clients network identity.
The HBA security mechanism uses a symmetric session key within a security context. SSH and SSL do the same. SSH stands for “Secure SHell” and SSL stands for “Secure Socket Layer.” SSL has an option to use asymmetric key cryptography in order to establish a secure connection between a client and server. The secure context created is defined by a session key. SSH uses SSL under the covers. This is all done for the purpose of using the asymmetric key cryptography (which is very slow compared to the symmetric key cryptography) for as little time as possible. The utility and advantages of the present invention lie in the fact that, in a distributed security mechanism, trust sessions based on symmetric keys are used for the purpose of determining a session's client's network s identity.
There are other security mechanisms, such as Kerberos 5, that use symmetric keys for both client authentication and session key, however, Keberos 5 uses a centralized key distribution center and does not use trust sessions. In contrast, HBA is implemented as a distributed security mechanism. By establishing and managing trust sessions using symmetric keys, the performance of authenticating the application client to the application server (and vice-versa, for mutual authentication) increases dramatically, from the scale of tens of milliseconds to mere microseconds (excluding network latency and resource availability delays).
The implementation of such an idea is fairly simple taking into consideration the existing infrastructure. During the first client-server authentication between two hosts, the ctcasd daemons on each of the hosts establish a trust session between the two hosts with an associated symmetric key. That symmetric key is used to process the data exchanged for the purpose of client/server authentication and for the creation of a security context between the application client and the server. Each daemon maintains the trust session until it expires or until one of the daemons is restarted, in which case a new trust session is established (with a new and different session key).
Some performance impact is expected during the establishment of a trust session. However, that should happen only once in a while (when the trust session expires or when one of the hosts is restarted). The performance gained subsequently by replacing the asymmetric key cryptography with the symmetric key cryptography is more than enough to justify such a once-in-a-while performance penalty.
While the invention has been described in detail herein in accordance with certain preferred embodiments thereof, many modifications and changes therein may be effected by those skilled in the art. Accordingly, it is intended by the appended claims to cover all such modifications and changes as fall within the spirit and scope of the invention.