1. Field of the Invention
This invention generally relates to Internet security, specifically to the use of a secure terminal to protect Internet users.
2. Background Art
(a) Internet
The Internet is an interconnected system of networks that connects computers around the world via the TCP/IP protocol.
The world wide web, commonly referred to as the web, uses hypertext pages on the Internet.
As well as browsing the web, the Internet is used for a vast number of purposes such as emailing, online chatting, looking up directories, and transferring files.
A client/server architecture is often used on the Internet. The software executing on a user's personal computer is typically the client, and the software executing on the host computer is typically the server.
(b) Personal Computer
A personal computer (PC) is a small, relatively inexpensive computer designed for an individual user. A PC comprises a motherboard (which is based on a microprocessor), a power supply and local peripherals.
PCs are used by businesses and at home for purposes such as using the Internet, word processing, accounting, desktop publishing, keeping spreadsheets, managing databases, and playing games.
(c) Secure Sockets Layer
Data travelling over the Internet may pass through many different unknown and mistrusted computer systems, so there is often a requirement for end-to-end security of this data between a sender and a recipient. This security must offer privacy, authentication and integrity.
Most Internet software employs the SSL (Secure Sockets Layer) scheme to meet this security requirement.
For example, a web browser may use SSL to access a web page. When SSL is used by a web browser, the web page's address may begin with “https” (rather than the regular “http”) and the web browser may display a padlock icon on the web browser's status bar.
SSL uses a client/server architecture. In the above example, the web browser is the SSL client and the web page host is the SSL server.
SSL divides a connection into two phases, the handshake phase followed by the data transfer phase. The handshake phase authenticates the server and optionally the client, and establishes the cryptographic information which is used to protect the payload data. During the data transfer phase, the payload data is broken up and sent as a series of cryptographically protected packets.
SSL is very successful at meeting this requirement to secure data between a sender and a recipient over the Internet. When Internet client software is executed on a user's PC, SSL defends data from attacks while the data travels over the Internet, as shown in FIG. 1 (SSL Defense).
Later versions of SSL are called TLS (Transport Layer Security, specified in RFC2246). SSL version 3.0 and TLS version 1.0 are very similar, and it is common to use the term SSL to denote both of these versions. This convention, using the term SSL to denote both SSL and TLS, is used herein. U.S. Pat. No. 5,657,390 to Netscape (1997) describes SSL.
(d) Certificates
SSL employs public key cryptography.
With public key cryptography, each party owns a public key and an associated private key. Public keys are made available to others, and private keys are kept secret by their owners.
To achieve privacy, a sender encrypts data using a recipient's public key, and the recipient decrypts it using the recipient's private key. To achieve authentication and integrity, a sender signs data using the sender's private key, and a recipient verifies it using the sender's public key.
When a public key is made available to others, the public key is contained within a certificate. The format of the certificates used by SSL is defined by X.509 (published by ITU-T, the International Telecommunication Union Telecommunication Standardization Sector) and RFC2459.
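The two uses of a key pair described in this sub-section (encrypt with the recipient's public key for privacy; sign with the sender's private key for authentication and integrity) are illustrated by the following Go program. It is an added example, not part of the original disclosure, and uses the standard library's RSA-OAEP and RSA-PSS; the party names and the message are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// party owns a private key and publishes the matching public key.
// The names used below (Alice, Bob, Mallory) are hypothetical.
type party struct {
	name string
	priv *rsa.PrivateKey
}

func newParty(name string) (*party, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &party{name: name, priv: priv}, nil
}

// Privacy: the sender encrypts with the recipient's public key; only the
// holder of the matching private key can recover the plaintext.
func sealFor(recipientPub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, plaintext, nil)
}

func (p *party) open(ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, p.priv, ciphertext, nil)
}

// Authentication and integrity: the sender signs a digest of the data with
// the sender's private key; a holder of the sender's public key verifies it.
func (p *party) sign(data []byte) ([]byte, error) {
	digest := sha256.Sum256(data)
	return rsa.SignPSS(rand.Reader, p.priv, crypto.SHA256, digest[:], nil)
}

func verify(senderPub *rsa.PublicKey, data, sig []byte) bool {
	digest := sha256.Sum256(data)
	return rsa.VerifyPSS(senderPub, crypto.SHA256, digest[:], sig, nil) == nil
}

// exchange sends one signed, encrypted message from sender to recipient and
// returns what the recipient recovered and whether the signature checks out.
func exchange(sender, recipient *party, msg []byte) ([]byte, bool, error) {
	sig, err := sender.sign(msg)
	if err != nil {
		return nil, false, err
	}
	ct, err := sealFor(&recipient.priv.PublicKey, msg)
	if err != nil {
		return nil, false, err
	}
	pt, err := recipient.open(ct)
	if err != nil {
		return nil, false, err
	}
	return pt, verify(&sender.priv.PublicKey, pt, sig), nil
}

func main() {
	alice, _ := newParty("Alice")
	bob, _ := newParty("Bob")
	pt, ok, err := exchange(alice, bob, []byte("constructed sample message"))
	fmt.Printf("recipient read %q, signature valid: %v, err: %v\n", pt, ok, err)
}
```

The signature is computed over the plaintext and travels beside the ciphertext; an eavesdropper without the recipient's private key cannot open the ciphertext, and any change to the data after signing makes verification fail.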
(e) Malware
SSL does not protect against malware which resides on an Internet user's PC. Malware is defined as malicious software or hardware. Examples of malware are viruses, spyware, trojan horses, and worms. The proliferation and success of malware is well documented.
When an Internet user enters private information into their PC, or when private information is displayed on the PC's monitor, or when a sensitive transaction is sent or received, in each of these cases the user's data is susceptible to eavesdropping or modification or some such attack by malware. When malware resides on an Internet user's PC, SSL does not defend against this malware's attacks, as shown in FIG. 2 (SSL No Defense).
Two examples of Internet client software are a web browser and an email client. A web browser may be used to enter a credit card number when paying for goods, or to enter a password to access an account, or to view an account's details, or to view a transaction's result. An email client may be used to enter a password or to compose and read emails. But in each of these cases, malware residing on the PC can eavesdrop on or modify the data, even if SSL is used between the Internet client software and the server.
For example, a PC Internet user may visit a retail web site, select goods to purchase, proceed to the web site's checkout, and enter their credit card number. When the credit card number is sent from the PC over the Internet to the payment server, SSL is used to defend against attacks which may be made as the credit card number travels over the Internet. However, malware residing on the PC may capture the credit card number as it is entered into the PC keyboard, or as it is displayed on the PC monitor, or at some other opportunity. The malware could then send the credit card number over the Internet to the attacker. SSL protects the credit card number as it travels over the Internet, but this malware attack takes place before SSL is applied.
To take another example, a PC Internet user may receive an email. When the email is sent from the server over the Internet to the PC, SSL is used to defend against attacks which may be made as the email travels over the Internet. However, malware residing on the PC may modify the email when it is stored on the PC's hard disk, or as it is displayed on the PC monitor, or at some other opportunity. The malware could change the email's text, date, or some other property. SSL protects the email as it travels over the Internet, but this malware attack takes place when SSL is no longer applied.
These malware attacks are beyond the scope of SSL's security objectives. SSL is designed to protect data as it travels over the Internet, but not before or afterwards.
Some web sites try to defend against such attacks by having their users enter passwords by mouse clicking on a virtual keyboard displayed at random locations on the PC's monitor. This does defend against malware which specifically targets the PC's keyboard, but does not defend against malware, for example, which upon every mouse click captures a graphical image of whatever is displayed on the PC's monitor and then emails these “screen shots” to the attacker.
Other web sites try to defend against these malware attacks by demanding that their users always execute anti-virus software. However, as is constantly reported in the news media and other publications, malware is very often successful in spite of anti-virus software.
In the broadest sense, it is theoretically possible for malware on a PC to penetrate the inner workings of any Internet software executing on that PC, even if the Internet software uses SSL when sending or receiving over the Internet. Malware can read from or write to the memory areas used by the Internet software, or read from or write to local peripheral devices such as the PC's keyboard, mouse or monitor. This allows malware to perpetrate virtually any imaginable security breach.
(f) Man-in-the-Middle
Internet software using SSL is also susceptible to an attack known as “man-in-the-middle”. The attacker clandestinely redirects the Internet client software to communicate with the attacker's server, and the attacker (as the client) also communicates with the legitimate server. The attacker passes through data to and from the Internet client software and the legitimate server, but the attacker may also eavesdrop on or modify the data. The elements of a man-in-the-middle attack are shown in FIG. 3 (Man-In-The-Middle).
The use of SSL by the Internet client software and by the legitimate server is no defense against man-in-the-middle. SSL protects the data as it travels over the Internet between the client and the attacker, and SSL protects the data as it travels over the Internet between the attacker and the legitimate server, but SSL is not applied when the data passes through the attacker's computer. So the attacker is free to read private data such as a password or a credit card number, and the attacker is free to corrupt sensitive data such as a transaction amount or the text of an email.
A possible defense against man-in-the-middle is to pre-load an SSL certificate onto the PC. However, as is explained below (in the sub-section entitled “Pre-Loading SSL Certificates Onto A PC”), this defense is thwarted by malware or by the attacker purchasing a legitimate certificate.
Another possible defense against man-in-the-middle is for the Internet client software to verify the server's address contained within the server's SSL certificate. However, the attacker's malware may modify data on the Internet client's PC such that the attacker's server's address is verified.
(g) Counterfeit Servers
An attacker may direct a user to a fraudulent server which emulates a legitimate server. The unsuspecting user may deliver private data to the attacker, such as entering their password or other private data at a fraudulent web site.
This misdirection may be achieved by methods such as a “phishing” email (in which case the fraudulent server typically hosts web pages), or by “DNS spoofing”, or by malware which surreptitiously modifies the server's name or address.
This attack may be further concealed by other malware activity, such as changing the address which is displayed in a web browser's address field from the counterfeit server's address (which is actually being used) to the correct address (which is not being used).
Currently, the major defense offered by Internet service providers is to vocally warn their customers to be careful of such impostors. This is clearly an inadequate defense.
A possible defense against counterfeit servers is to pre-load an SSL certificate onto the PC. However, as is explained below (in the sub-section entitled “Pre-Loading SSL Certificates Onto A PC”), this defense is thwarted by malware or by the attacker purchasing a legitimate certificate.
Some Internet service providers have tried offering hardware tokens to their customers to defend against these fraudulent servers. These hardware tokens contain secret information known only by the legitimate server, so they may be used to authenticate the server. However, these schemes involving hardware tokens remain susceptible to man-in-the-middle attacks.
(h) Pre-Loading SSL Certificates Onto a PC
In order to defend against inauthentic servers (either man-in-the-middle or counterfeit servers), Internet client software executing on a PC motherboard may pre-load a CA's (certificate authority's) SSL certificate. For example, certificates from various CAs are included in the installation of the Microsoft Windows operating system. A pre-loaded CA SSL certificate may then be used to authenticate another SSL certificate which is received during an SSL handshake.
However, it is easy to purchase a certificate which is signed by a reputable CA. An attacker may do so, thereby obtaining a certificate which would be deemed authentic by the Internet client software. The attacker could implement an inauthentic server which uses this purchased certificate.
An alternate defense against inauthentic servers is for the Internet client software to safely obtain a copy of the legitimate server's SSL certificate, such as on a CD by post, and to only use that particular certificate when attempting to communicate with that particular server.
However, an SSL certificate (either a CA's SSL certificate or a server's SSL certificate) which is pre-loaded onto a PC is susceptible to malware (as is any data loaded onto a PC). For example, an attacker's malware may store a bogus certificate as if it were a pre-loaded certificate, and the attacker could then implement an inauthentic server which uses this bogus certificate.
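The defenses discussed in sub-sections (f) to (h) (a pre-loaded CA certificate, verification of the server's address in the certificate, and pre-loading the legitimate server's own certificate) can be exercised against each other with the following Go program. It is an added example, not part of the original disclosure. The CA, the legitimate server "bank.example" and the certificate for "attacker.example" that the same CA also issued are all constructed for the example, standing in for the purchased certificate of sub-section (h).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// certSet is a hypothetical set of certificates: a CA, the legitimate server's
// certificate, and one the same CA issued to an attacker for a different name.
type certSet struct {
	ca, server, attacker *x509.Certificate
}

// issue signs template with signer (self-signed when parent is the template).
func issue(template, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// newLeaf generates a fresh key and has the CA issue a server certificate for host.
func newLeaf(serial int64, host string, ca *x509.Certificate, caKey *ecdsa.PrivateKey, now time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return issue(tmpl, ca, &key.PublicKey, caKey)
}

func buildCertSet() (*certSet, error) {
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	ca, err := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	server, err := newLeaf(2, "bank.example", ca, caKey, now)
	if err != nil {
		return nil, err
	}
	attacker, err := newLeaf(3, "attacker.example", ca, caKey, now)
	if err != nil {
		return nil, err
	}
	return &certSet{ca: ca, server: server, attacker: attacker}, nil
}

// verifyWithCA is the pre-loaded CA defense: the received certificate must chain
// to the CA. An empty hostname skips the check of the server's address in it.
func verifyWithCA(cert, ca *x509.Certificate, hostname string) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: hostname})
	return err
}

// fingerprint is the SHA-256 of the DER certificate; pinning the legitimate
// server's value is the "only use that particular certificate" defense.
func fingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.Raw)
	return hex.EncodeToString(sum[:])
}

func verifyPinned(cert *x509.Certificate, pin string) bool {
	return fingerprint(cert) == pin
}

func main() {
	cs, err := buildCertSet()
	if err != nil {
		panic(err)
	}
	pin := fingerprint(cs.server)
	fmt.Println("legitimate server, CA + address:", verifyWithCA(cs.server, cs.ca, "bank.example"))
	fmt.Println("purchased cert, CA only:        ", verifyWithCA(cs.attacker, cs.ca, ""))
	fmt.Println("purchased cert, CA + address:   ", verifyWithCA(cs.attacker, cs.ca, "bank.example"))
	fmt.Println("purchased cert vs pinned cert:  ", verifyPinned(cs.attacker, pin))
	// If the stored pin itself is replaced (the weakness of pre-loading onto a
	// PC), the pin check accepts whatever certificate the replaced value names.
	fmt.Println("purchased cert vs replaced pin: ", verifyPinned(cs.attacker, fingerprint(cs.attacker)))
}
```

The CA check alone accepts the purchased certificate, which is exactly the weakness described above; the address check and the pinned certificate both reject it, but only as long as the stored address-matching data or the stored pin cannot be altered on the client, which is the property the rest of the disclosure seeks from a secure terminal.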
(i) PC Local Peripherals
A local peripheral is a device which is a sub-component of a PC and which interfaces with a PC's motherboard by a short connection. This short connection may be a cable, connector, plug & socket, or wireless link.
For example, a PC's local peripherals may be a keyboard, mouse, monitor, hard disk, CD drive, modem, printer, speakers, microphone, camera and touchpad.
Short connections to monitors are graphics interfaces such as VGA, XGA and SVGA.
Short connections to internal disk drives generally use the various ATA (Advanced Technology Attachment) interfaces such as IDE.
An expansion board may connect to a motherboard using bus standards such as PCI or ISA. An expansion board may itself be a local peripheral (such as a modem card) or it may be part of a local peripheral by using a short connection to other hardware (such as an audio card which has a socket for a speaker cable plug).
Where a local peripheral is integrated into a PC case, such as a keyboard and a touchpad in a notebook PC, the technology used for the short connection is determined by the PC manufacturer.
Aside from monitors, internal disk drives, expansion boards, and devices which are integrated into a PC's case, the most common short connections to local peripherals are:
- USB (Universal Serial Bus)
- EIA-232 (Electronic Industries Alliance), commonly referred to as RS-232C or serial
- PS/2 (IBM Personal System/2)
- Parallel, which may be Centronics, EPP, ECP or SCSI
- PCMCIA
- Bluetooth wireless
- 27 MHz wireless
- IEEE-1394 (Institute of Electrical and Electronics Engineers), commonly referred to as FireWire
It is not conventional to use the TCP/IP protocols to connect a local peripheral to a PC motherboard. If TCP/IP is used to connect a device to a PC motherboard, then the device is autonomous and stand-alone and is not a PC local peripheral. In this case, the device and the PC motherboard are different TCP/IP nodes with different IP addresses.
(j) Secure Terminals
A regular “computer terminal” is a device which provides a user interface, such as a keyboard and a display screen, and is able to communicate with another device. A “secure terminal” provides the same functionality but with security, and is expressly designed to keep a user's information private and to ensure the integrity and authenticity of all data. A secure terminal is extremely resistant to attacks by malware, and in general is able to perform cryptographic operations.
Secure terminals are used in many contexts, very commonly for a customer to enter their PIN (personal identification number) at a retail point of sale.
To be classified as a secure terminal, the device must meet security criteria which may include:
- Provide resistance to attempts to tamper with the device, protecting against drills, lasers, chemical solvents, splitting the case along its seams, entry via ventilation openings, etc.
- Detect attempts to tamper with the device, and upon such attempts automatically erase all sensitive information contained within the device and render it inoperative.
- The keyboard circuitry is inaccessible to external probes or other eavesdropping equipment which could capture a user's keystrokes.
- The device's security systems remain intact when exposed to extreme environments such as low temperatures or high voltages.
- A strictly controlled technique must be used to change the device's software or to read from or write to the device's memory.
These security criteria combine to prevent the installation of malware on a secure terminal.
For example, malicious spyware software may easily be installed on a regular PC because regular PCs are designed to be open platforms which execute any software. But a secure terminal is designed to be a closed platform upon which only authorized software may be installed, using techniques such as digital signatures or passwords. So unauthorized spyware software cannot be installed on a secure terminal.
To take another example, malicious spyware hardware may easily be installed on a regular PC because regular PCs offer no defenses against such hardware. It is straightforward to hide mechanical probes under the keys on a PC keyboard, or to mount a hardware keystroke logger on a PC keyboard cable. But a secure terminal is designed to have a protected keyboard with countermeasures such as physically shielded keys or membrane keys.
There are various regulations and standards for secure terminals, such as Visa and MasterCard's “Payment Card Industry POS PIN Entry Device Security Requirements Manual”, the International Organization for Standardization's “ISO 13491”, and the USA National Institute of Standards and Technology's “FIPS 140-2”. Different secure terminals meet different requirements.
Different names are used for secure terminals, depending on the industry and the context and on the precise functionality of the device. These names include PIN-pad, pinpad, EPP (encrypting PIN-pad), SPED (secure PIN entry device), PED (PIN entry device), cryptographic module, TCU (terminal cryptographic unit), SCD (secure cryptographic device), TRSM (tamper resistant security module), and smart card reader.
The malicious attack on secure terminals which historically has been the most difficult to defend against is that of a counterfeit secure terminal. The attacker surreptitiously swaps a user's secure terminal with the attacker's counterfeit secure terminal. This rogue secure terminal appears to behave identically to the legitimate secure terminal, but in fact it delivers the user's private information to the attacker. A variation on this attack is to use the legitimate secure terminal's exterior plastic case but to surreptitiously replace some of the electronics within. Another variation is to somehow breach the secure terminal's defenses and to load new software into the secure terminal.
(k) Secure Terminals as PC Local Peripherals
As shown in FIG. 4 (Secure Terminal As PC Local Peripheral), a secure terminal may be connected to a PC motherboard as a local peripheral.
The secure terminal may provide a user interface (such as a keyboard and display screen) which is resistant to malware, and may also provide a card reader/writer for smart cards (IC cards) or magnetic stripe cards.
There are several enterprises supporting this use of a secure terminal as a PC local peripheral.
FinRead specifies an open platform upon which software for a smart card scheme may be developed to execute on a PC motherboard and to execute on a compliant secure terminal. The PC/SC Workgroup specifies an open platform upon which software for a smart card scheme may be developed to execute on a PC motherboard.
The scope of both FinRead and the PC/SC Workgroup is limited to the specification of open platforms for software development of smart card schemes.
EMV is a smart card scheme which is being widely adopted worldwide. An EMV compliant secure terminal may be connected to a PC motherboard and an EMV smart card may then be used to pay for goods over the Internet or to access a bank account over the Internet. The EMV specifications detail particular implementations of operations such as PIN encipherment, cryptographic key management, file transfer and financial transactions.
The scope of EMV is limited to payments and related financial transactions, with no real provision for other applications.
Some organizations (such as Kryptosima, FreeStar Technology, EyeCashNetworks, Innovonics and CASPay) offer services for card payments over the Internet using a secure terminal. These secure terminals are used for reading a card's magnetic stripe, or for entering a PIN, or for authenticating a message.
The scope of these card payment services is limited to payment transactions. Furthermore, these card payment services require a web merchant to invest in changes to the merchant's server's infrastructure by installing or connecting to the card payment service's server system. Furthermore, these card payment services perform some sensitive aspects of financial transactions on the user's regular PC, not on a secure terminal, such as displaying a transaction authorization number, so those aspects remain vulnerable to malware or to inauthentic servers.
It is neither the purpose nor the ability of any of the above enterprises (FinRead and the PC/SC Workgroup, EMV, and card payment services) to provide security for existing Internet applications, such as web browsing, email, or FTP. So attacks on these existing Internet applications by malware and inauthentic servers remain possible when these enterprises are used. Furthermore, none of the above enterprises defend against counterfeit secure terminals.
U.S. Pat. No. 5,815,577 to Innovonics (1998) uses a secure terminal connected to a PC motherboard as a local peripheral, but it is limited to simple encryption of user input for the sole purpose of privacy. It does not provide any other basic cryptographic operations such as authentication, integrity, and decryption. Its secure terminal does not support SSL nor Internet client software which employs SSL (such as web browsing, email or FTP) so its secure terminal cannot be used with existing Internet servers and it does not defend Internet users against attacks by malware and inauthentic servers. Furthermore, it does not defend against counterfeit secure terminals.
U.S. Pat. No. 6,834,271 to Kryptosima (2004) uses a secure terminal connected to a PC motherboard as a local peripheral, but it is limited to the secure encryption of a PIN block for a financial transaction. It suffers the weaknesses of U.S. Pat. No. 5,815,577 and of card payment services, both discussed earlier in this sub-section:
- Its secure terminal does not support SSL nor Internet client software which employs SSL (such as web browsing, email or FTP), so its secure terminal cannot be used with existing Internet servers and it does not defend Internet users against attacks by malware and inauthentic servers;
- It does not defend against counterfeit secure terminals;
- Its scope is limited to payment transactions;
- It requires a web merchant to invest in changes to the merchant's server's infrastructure by connecting to a “secure transaction management system”;
- All other cryptography is performed on the PC motherboard, so it is vulnerable to malware; and
- It performs some sensitive aspects of financial transactions on the user's regular PC, not on the secure terminal, such as displaying a “merchant response software log number”, so those aspects remain vulnerable to malware or to inauthentic servers.
(l) Pre-Loading Certificates Onto a Secure Terminal
In order to defend against inauthentic servers, some existing secure terminals may pre-load servers' certificates (or the certificates' digital signatures).
For example, this pre-loading may be employed by a secure terminal when public key cryptography is used to transport a symmetric key from a financial institution to a secure terminal. Or to take another example, this pre-loading may be performed within the FinRead environment (mentioned above).
But this pre-loading of certificates (or digital signatures) does not mitigate the threat of inauthentic Internet servers. Internet servers, such as web pages or FTP hosts, use the SSL protocol, but these pre-loaded certificates (or digital signatures) are used for purposes other than SSL.
Furthermore, these secure terminals do not execute Internet client software (such as SSL, HTTP, and a web browser) so PC Internet users remain exposed to malware.
(m) Secure Terminals and SSL
There are a few secure terminals, such as the Hypercom ICE 7000CE, which use the Microsoft Windows CE operating system. Windows CE supports the use of SSL.
Compared to regular secure terminals, these secure terminals have extremely powerful hardware, with significantly larger memory, faster speed, and other features. So these secure terminals are not considered for use as PC local peripherals because they are over-engineered for the purpose and their retail cost is too high.
Furthermore, the TCP/IP protocol is not used to connect a local peripheral to a PC motherboard. Windows CE generally uses TCP/IP when supporting SSL, so when SSL is used as such, these secure terminals are autonomous stand-alone devices which are not PC local peripherals.
Since these secure terminals are not PC local peripherals, they are not used by PC Internet users to defend against malware or inauthentic servers.
Furthermore, these secure terminals do not defend against counterfeit secure terminals.
(n) Summary of Possible Attacks
Three classes of possible attacks have been discussed.
Firstly, malware residing on a PC may eavesdrop on or modify data, even when SSL is used.
Secondly, a server may not be authentic, even when SSL is used. Man-in-the-middle attacks and counterfeit servers may be successful.
Thirdly, a legitimate secure terminal may be surreptitiously replaced by a counterfeit secure terminal.
3. Objects And Advantages
Accordingly, several objects and advantages of the present invention are:
- to defend a PC Internet user against malware attacks, such as viruses, spyware, trojan horses, and worms;
- to defend a PC Internet user against inauthentic Internet servers, such as man-in-the-middle and counterfeit servers; and
- to defend a secure terminal user against the surreptitious replacement of a legitimate secure terminal with a counterfeit secure terminal.
Further objects and advantages of the invention will become apparent from a consideration of the ensuing description.