Capability security for transparent distributed object systems
Abstract
A system providing capability security for distributed object systems is disclosed. The basic tenet of capability security is that the right to do something to an object (e.g., invoke a particular object's methods) is represented solely by the holding of a reference to that object. In each of the preferred embodiments described herein, an object is presumed to hold legitimately a reference to a particular object only if the object knows some unpublicized (except under the conditions required by capability security) key associated with the particular object. That is, an object's key is required along with the object's reference. So that capability security is preserved when object references are passed between objects in different processes, the object references being passed are encrypted upon transmission and then decrypted upon arrival at their intended destination. This cryptography can be performed by objects or processes using a variety of techniques, including Diffie-Hellman or public/private key cryptography. The cryptography performed in the various embodiments ensures that only the intended recipient of the message can decode the object reference and that a misbehaving object cannot convince another object that it possesses a capability it does not have. Some of the disclosed embodiments provide capability security for transparent distributed object systems, wherein a pair of matched transports handle and encrypt inter-process communications between objects in their respective processes.
21 Claims
1. In a distributed object system wherein communications between objects in different processes are rendered transparent through the use of proxy objects and transports, a proxy object resident in a first process being a local representative of a corresponding remote object resident in a second, different process, said proxy object being responsive to messages associated with said remote object, said transports existing in pairs, a first transport of a pair of transports residing in said first process and including a first in-table and a first out-table matched, respectively, to a second out-table and a second in-table in a second transport of said pair of transports resident in said second process, said pair of transports enabling communication between said proxy object and said corresponding remote object by providing corresponding slots in said first and second in- and out-tables, such that a third object in said first process desiring to send a message to said remote object sends said message locally to said proxy object as if said proxy object were said remote object, said proxy object, upon receiving said message, relaying said message to said first transport designating said remote object as recipient using a first index designated for sole use of said proxy object and said remote object, said first transport being configured to relay said message to said in-table of said second transport at said first index, said second transport being configured to relay said message received at said first index to a unique object in said second process associated with said first index, said unique object being said remote object due to correspondence in transport indices of said proxy and remote objects, a capability security system, comprising:
a public and private key associated with each of said processes; and
an agreed key shared by said first and second processes;
said first and second processes being configured to generate cooperatively said agreed key from their own public and private keys according to agreed key encryption techniques;
such that, upon receiving a message from a first object in said first process directed to a second object in said second process identified by a transparent reference, said first transport is configured to encode said message using said agreed key and to transmit said encoded message to a second transport in said second process;
said second transport being configured to decode said encoded message using said agreed key and to direct the decoded message to said second object based on said transparent reference, messages between said first and second processes being encrypted with said agreed key, thereby ensuring secure inter-process message-passing with transparency.
Dependent claims: 2, 3, 4, 5, 6, 19.
7. In a distributed object system wherein communications between objects in different processes are rendered transparent through the use of proxy objects and transports, said transports existing in pairs, a first transport of a pair of transports residing in a first process and including a first in-table and a first out-table matched, respectively, to a second out-table and a second in-table in a second transport of said pair of transports resident in a second process, said pair of transports enabling communication between a proxy object in said first process and its corresponding remote object in said second process by providing corresponding slots in said first and second in- and out-tables, a capability security method, comprising the steps of:
generating a public and private key for each of said processes;
generating an agreed key for said first and second processes according to key-exchange principles based on said public and private keys of said first and second processes;
said first transport, upon receiving a message from said proxy object directed to a recipient associated with a particular index in said first out-table, encrypting said message using said agreed key and transmitting the encrypted message to said second transport at said particular index of said second in-table;
said second transport, upon receiving said encrypted message, decrypting said encrypted message using said agreed key and directing the decoded message to said remote object associated in second in-table with said particular index.
Dependent claims: 8, 9, 10, 20.
11. In a transparent, distributed object system, a capability security system, comprising:
a public and private key associated with each of a subset of processes composing said transparent, distributed object system; and
an agreed key shared by a pair of said subset of processes hosting objects that are communicating via transports and proxy objects provided by said pair, said pair including first and second processes and said transports including first and second transports;
said first and second processes being configured to generate cooperatively said agreed key from their own public and private keys according to agreed key encryption techniques;
such that, upon receiving a message from a first object in said first process directed to a second object in said second process identified by a transparent reference, said first transport is configured to encode said message using said agreed key and to transmit said encoded message to a second transport in said second process;
said second transport being configured to decode said encoded message using said agreed key and to direct the decoded message to said second object based on said transparent reference, messages between said first and second processes being encrypted with said agreed key, thereby ensuring secure inter-process message-passing with transparency.
Dependent claims: 12, 13, 14, 15, 16, 17, 18, 21.
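The mechanism shared by the abstract and by claims 1, 7 and 11 (per-process key pairs, a cooperatively derived agreed key, a transport pair whose out-table slot i on one side matches in-table slot i on the other, and a proxy that accepts the same message the remote object would) is shown below as an added, runnable illustration. It is not code from the patent or from any implementation of it. The toy-size Diffie-Hellman group, the stdlib encrypt-then-MAC construction standing in for whatever cipher an embodiment uses, and the names Transport, Proxy, Account, seal and unseal are all assumptions of this example. The second scenario exercises the abstract's security property: a process that never took part in the key agreement cannot get a message accepted in a slot, so it cannot convince the receiving object that it holds a capability it does not have.

```python
import hashlib
import hmac
import secrets

# Constructed toy-size Diffie-Hellman group (safe prime 1019 = 2*509 + 1, generator 2);
# a deployment would use a standard group, the transport logic does not depend on it.
P, G = 1019, 2

def keypair():
    """Private/public key for one process; the claims give one pair to each process."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def agreed_key(my_priv, their_pub):
    """Same 32-byte agreed key on both sides, from own private key and peer's public key."""
    return hashlib.sha256(b"agreed-key|" + pow(their_pub, my_priv, P).to_bytes(4, "big")).digest()

def seal(key, index, plaintext):
    """Encrypt-then-MAC under the agreed key (SHAKE keystream, HMAC-SHA256 tag); the slot
    index is covered by the tag, so a ciphertext cannot be redirected into another slot."""
    nonce = secrets.token_bytes(16)
    body = bytes(a ^ b for a, b in zip(plaintext, hashlib.shake_256(key + nonce).digest(len(plaintext))))
    tag = hmac.new(key, index.to_bytes(4, "big") + nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def unseal(key, index, blob):
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(key, index.to_bytes(4, "big") + nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("rejected: wrong key or wrong slot")
    return bytes(a ^ b for a, b in zip(body, hashlib.shake_256(key + nonce).digest(len(body))))

class Proxy:
    """Local stand-in for a remote object; relays the message it receives through its transport."""
    def __init__(self, transport, index):
        self.transport, self.index = transport, index
    def receive(self, message):
        self.transport.send(self.index, message)

class Transport:
    """One half of a transport pair: out_table[i] is the local proxy whose remote object
    sits in the peer's in_table[i], and the peer's out_table[j] maps to our in_table[j]."""
    def __init__(self, key):
        self.key, self.peer, self.in_table, self.out_table = key, None, {}, {}
        self.inbox = []  # constructed stand-in for the network link
    def export(self, obj):
        """Register a local object at a fresh index; the peer builds its proxy there."""
        self.in_table[len(self.in_table)] = obj
        return len(self.in_table) - 1
    def proxy(self, index):
        self.out_table[index] = Proxy(self, index)
        return self.out_table[index]
    def send(self, index, message):
        self.peer.inbox.append((index, seal(self.key, index, message.encode())))
    def deliver(self):
        """Decrypt each queued message with the agreed key and route it to the in-table
        object at the index the sending proxy designated; return the objects' replies."""
        replies = []
        while self.inbox:
            index, blob = self.inbox.pop(0)
            replies.append(self.in_table[index].receive(unseal(self.key, index, blob).decode()))
        return replies

class Account:
    """Constructed sample remote object that understands 'deposit:<amount>'."""
    def __init__(self, owner):
        self.owner, self.balance = owner, 0
    def receive(self, message):
        op, _, amount = message.partition(":")
        if op == "deposit":
            self.balance += int(amount)
        return f"{self.owner}:{self.balance}"

def setup():
    """Processes A and B each hold a key pair and cooperatively derive one agreed key."""
    (a_priv, a_pub), (b_priv, b_pub) = keypair(), keypair()
    t_a, t_b = Transport(agreed_key(a_priv, b_pub)), Transport(agreed_key(b_priv, a_pub))
    t_a.peer, t_b.peer = t_b, t_a
    return t_a, t_b

def demo():
    """A caller in A deposits into B's account via the proxy, as if the account were local."""
    t_a, t_b = setup()
    account = Account("bob")
    proxy = t_a.proxy(t_b.export(account))
    for message in ("deposit:40", "deposit:2"):
        proxy.receive(message)
    replies = t_b.deliver()
    return account.balance, replies

def forged_message_rejected():
    """A process that never ran the agreement with B has no agreed key, so anything it
    injects into the slot fails the tag check and never reaches the account."""
    t_a, t_b = setup()
    account = Account("bob")
    index = t_b.export(account)
    wrong_key = hashlib.sha256(b"constructed: not the agreed key").digest()
    t_b.inbox.append((index, seal(wrong_key, index, b"deposit:1000000")))
    try:
        t_b.deliver()
    except ValueError:
        return account.balance == 0
    return False
```

Running demo() returns (42, ["bob:40", "bob:42"]): the two deposits travel slot 0 encrypted under the agreed key and land on the account B registered at that index. forged_message_rejected() returns True because the receiving transport verifies the tag before routing, and binding the slot index into the tag also stops a genuine ciphertext from being replayed into a different slot.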