The present invention relates generally to electronic gaming machines or consoles and in particular the invention provides an improved system for executing casino games in RAM as opposed to the conventional unalterable ROM. The improvements provide an authentication process based upon digital signatures, with the U.S. Digital Signature Standard (DSS) being the preferred means of implementation.
For the sake of clarity the following terms are defined for the purpose of this specification.
A gambling machine, usually referred to as a gaming machine, is a traditional gaming machine. Typical examples include slot machines of the type made by Aristocrat Leisure Industries or IGT.
A casino refers to the operator of gambling machines.
A digital signature is a pair of large numbers represented in a computer as strings of binary digits. The digital signature is computed using a set of rules (the Digital Signature Algorithm, DSA) and a set of parameters such that the identity of the signatory and the integrity of the signed data can be verified.
Strong encryption is the encryption of data such that it is computationally infeasible for a third party, for example a government agency, to recover the plaintext without the key.
A hash, or message digest, is the fixed-length output of a function applied to a message; for practical purposes the value is unique to that message. A one-way hash produces an output from which it is computationally infeasible to recover the input. It is also computationally infeasible to find two different messages with the same message digest.
An unforgeable log is produced by chaining together hash values such that the nth entry in the log depends on the (n−1)th entry, and thus earlier entries cannot be altered without recomputing the whole chain from that point onwards. The most recent hash must itself be protected (for example held in a tamper-proof device, as described below), since an attacker who can rewrite the entire chain could otherwise recompute it.
A logic cage is a secure area inside the gaming machine that cannot be accessed without sufficient security clearance.
“The Digital Signature Standard”, U.S. Federal Information Processing Standards Publication 186
“The Secure Hash Standard”, U.S. Federal Information Processing Standards Publication 180-1
“Cryptographic Support for Secure Logs on Untrusted Machines” by Bruce Schneier and John Kelsey (available at http://www.counterpane.com/secure-logs.html)
Traditionally, microprocessor based gaming machines store their program contents in unalterable ROM or EPROM. During installation and after a large jackpot payout, the machine is physically inspected and the EPROMs are removed. These EPROMs are placed in a verification device which produces an output string using a known algorithm usually referred to as a hash function. This string is compared against a string that has been already generated when the game program was approved by the gaming jurisdiction. Authentication is achieved by a match of the approved string and the EPROM generated string.
The main disadvantage of such a system is that the limited capacity of current EPROM technology means that games cannot be as sophisticated as they could be if they were stored on an alternative medium such as a hard disk or CD-ROM. The problem with executing a program from RAM instead is that the RAM cannot be extracted and placed in a verification device, since its contents are necessarily volatile.
Another system, disclosed and described in U.S. Pat. No. 5,643,086 uses a private key to encrypt a message digest of the approved copy of the program, and thus produce an unalterable digital signature which can be decrypted with a corresponding public key and compared against a message digest generated by an unalterable EPROM in the gaming machine.
The disadvantage of the above invention is that it relies on strong encryption, which is currently subject to export restrictions from the U.S. and other countries. The program can only be signed by one party, and if that single private key is compromised, the whole system is compromised.
A related problem is that of version control. Once a gaming machine program is found to be faulty, a modification or ‘patch’ is usually distributed. Unfortunately, conventional EPROM based machines, and the system disclosed above, have no means of ensuring that the earlier version of the program is not re-installed later, either deliberately or by accident. Once a program is approved, it is impossible for the machine to revoke that approval. If a rogue element were able to ‘sneak past’ a jurisdiction a dubious piece of program, there would be no way to stop it being used in a casino, even after detection.
The invention provides a gaming machine with enhanced capability for storing games due to enhanced security and authentication capabilities.
According to a first aspect the present invention provides a programmable controller, including a readable and writable storage means to hold a program during its execution by the programmable controller, and program authentication means comprising digital signature verification means which verifies a digital signature associated with the program and prevents execution of the program if the digital signature is not valid.
According to a second aspect the present invention provides a method of verifying a program or a program component for a programmable controller, including a readable and writable storage means to hold a program during its execution by the programmable controller, and program authentication means comprising digital signature verification means which verifies a digital signature associated with the program, and the method including a step of verifying the digital signature against a key, and preventing execution of the program if the digital signature is not valid.
Preferably, the digital signature is generated by a method that does not include encryption, such that no decryption is performed during the digital signature verification.
According to a third aspect the present invention provides a programmable controller, including a readable and writable storage means to hold a program during its execution by the programmable controller, and program authentication means comprising digital signature verification means which verifies each of a plurality of digital signatures associated with the program and prevents execution of the program if any one of the digital signatures is not valid.
According to a fourth aspect the present invention provides a method of verifying a program or a program component for a programmable controller, including a readable and writable storage means to hold a program during its execution by the programmable controller, and program authentication means comprising digital signature verification means which verifies each of a plurality of digital signatures associated with the program, and the method including steps of verifying each of the digital signatures against a respective key, and preventing execution of the program if any one of the digital signatures is not valid.
Preferably the or each digital signature is generated by a method that does not include encryption, such that no decryption is performed during the digital signature verification.
In one embodiment, the programmable controller is used to control the operation of a game played on an electronic gaming machine and the signed program is a game program or a component of a game program.
Preferably multiple signatures may be applied to the game program, to ensure that only program approved not only by the manufacturer, but also by the jurisdictional authority and optionally the casino itself, is executed by the machine.
Preferably also a system is provided for revoking signature keys. This can be password based: a password is entered which allows one of the public keys stored in the machine to be changed. Alternatively, a revocation certificate can be used, which must itself be valid, or the revocation system can be time based, where the machine stores a set of keys, good for say 10 years, and the currently active key is selected according to the system clock.
A system of equivalent signing keys is also preferably provided, such that a signature under any one of these keys can be used as part of the verification. Ideally a manufacturer will have at least one key for its office in each jurisdiction. Any one could be used to sign a game, but in the event of a problem it would be apparent where the responsibility lay, and that key could be revoked easily.
Preferably a system for version control is also included, such that once a later version of program runs on a gaming machine it is then impossible to run an earlier version of the same program. This would preferably permanently revoke faulty games once a fix had been issued.
Preferably any signature and version changes are held in secure unforgeable logs updated after each change to help detect possible fraud. Preferably also the unforgeable logs are implemented using tamper-proof devices such as smartcards to ensure that the log can never be deleted.
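The following Python program is an added example written for this page, not code from the patent or from any gaming-machine manufacturer. It ties together the signature gate of the first and second aspects, the plurality of signatures of the third and fourth aspects, the equivalent and revocable keys, the version floor and the hash-chained log. It implements textbook DSA (FIPS 186) over toy-sized parameters generated at import time, binds every signature to the game identifier and version so that a signature on version 2 cannot be replayed on version 1, and keeps a chained log of each decision. Everything in it is constructed: the parties "manufacturer", "jurisdiction" and "casino", the key identifiers mfr-nv, mfr-nsw, regulator and casino-1, the fake game image, the fixed random seed, and the choices of SHA-256 (in place of the SHA-1 the patent's references cite) and of reducing the hash mod q.

```python
# Added illustration (not the patent's code): constructed parties, keys, image and toy DSA sizes.
import hashlib
import random

def is_probable_prime(n, rng, rounds=24):  # Miller-Rabin; callers only pass large odd n
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x not in (1, n - 1) and not any((x := x * x % n) == n - 1 for _ in range(r - 1)):
            return False
    return n > 2

def dsa_params(rng, qbits=64, pbits=256):  # FIPS 186 style (p, q, g); toy sizes, NOT secure
    q = rng.getrandbits(qbits) | 1 << (qbits - 1) | 1
    while not is_probable_prime(q, rng):
        q += 2
    k = rng.getrandbits(pbits - qbits - 1) << 1 | 1 << (pbits - qbits - 1)
    while not is_probable_prime(k * q + 1, rng):  # p = k*q + 1 with k even, so q divides p - 1
        k += 2
    p, g = k * q + 1, 1
    while g == 1:  # g generates the order-q subgroup of Z_p*
        g = pow(rng.randrange(2, p - 1), (p - 1) // q, p)
    return p, q, g

def dsa_keygen(params, rng):  # returns (private x, public y)
    x = rng.randrange(1, params[1])
    return x, pow(params[2], x, params[0])

def _h(msg, q):  # SHA-256 reduced mod q; FIPS takes the leftmost bits, either convention works
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % q

def dsa_sign(params, x, msg, rng):
    p, q, g = params
    r = s = 0
    while not (r and s):
        k = rng.randrange(1, q)
        r = pow(g, k, p) % q
        s = pow(k, -1, q) * (_h(msg, q) + x * r) % q
    return r, s

def dsa_verify(params, y, msg, sig):  # modular arithmetic on the public key only: no decryption
    p, q, g = params
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    return pow(g, _h(msg, q) * w % q, p) * pow(y, r * w % q, p) % p % q == r

def signed_message(game_id, version, image):  # bind the image to its identity and version
    return f"{game_id}|{version}|".encode() + image

def _chain(prev_digest, event):  # entry n is hashed over entry n-1's digest
    return hashlib.sha256(f"{prev_digest}|{event}".encode()).hexdigest()

def log_intact(log):  # recompute the chain; an altered or dropped entry breaks it
    return all(d == _chain(log[i][1], e) for i, (e, d) in enumerate(log[1:]))

class Controller:  # trusted[party] = {key_id: public y}; one party's keys are equivalent
    def __init__(self, params, trusted):
        self.params, self.trusted = params, {p: dict(k) for p, k in trusted.items()}
        self.floor = {}  # game_id -> highest version that has ever run on this machine
        self.log = [("genesis", hashlib.sha256(b"genesis").hexdigest())]
    def _record(self, event):
        self.log.append((event, _chain(self.log[-1][1], event)))
    def revoke(self, party, key_id):
        self.trusted[party].pop(key_id, None)
        self._record(f"revoke {party}:{key_id}")
    def authorize(self, game_id, version, image, signatures):  # signatures[party] = (key_id, (r, s))
        msg = signed_message(game_id, version, image)
        for party, keys in self.trusted.items():  # every required party must have a valid signature
            key_id, sig = signatures.get(party, (None, None))
            if key_id not in keys or not dsa_verify(self.params, keys[key_id], msg, sig):
                self._record(f"reject {game_id} v{version}: no valid {party} signature")
                return False
        if version < self.floor.get(game_id, version):  # an earlier version can never run again
            self._record(f"reject {game_id} v{version}: rollback below v{self.floor[game_id]}")
            return False
        self.floor[game_id] = version
        self._record(f"run {game_id} v{version}")
        return True

def demo():  # constructed scenario with a fixed seed; returns each authorization decision
    rng, priv = random.Random(7), {}
    params = dsa_params(rng)
    trusted = {"manufacturer": {}, "jurisdiction": {}, "casino": {}}
    for party, key_id in (("manufacturer", "mfr-nv"), ("manufacturer", "mfr-nsw"),
                          ("jurisdiction", "regulator"), ("casino", "casino-1")):
        priv[key_id], trusted[party][key_id] = dsa_keygen(params, rng)
    ctl, image = Controller(params, trusted), b"\x7fELF constructed game image bytes"
    def sign_all(version, mfr_key="mfr-nv"):
        msg = signed_message("slots", version, image)
        return {party: (k, dsa_sign(params, priv[k], msg, rng)) for party, k in
                (("manufacturer", mfr_key), ("jurisdiction", "regulator"), ("casino", "casino-1"))}
    out = {"v2_ok": ctl.authorize("slots", 2, image, sign_all(2))}
    out["v1_rollback"] = ctl.authorize("slots", 1, image, sign_all(1))
    partial = {p: s for p, s in sign_all(3).items() if p != "casino"}
    out["v3_missing_casino"] = ctl.authorize("slots", 3, image, partial)
    out["v3_tampered_image"] = ctl.authorize("slots", 3, image + b"!", sign_all(3))
    out["v3_equivalent_key"] = ctl.authorize("slots", 3, image, sign_all(3, "mfr-nsw"))
    ctl.revoke("manufacturer", "mfr-nsw")
    out["v3_revoked_key"] = ctl.authorize("slots", 3, image, sign_all(3, "mfr-nsw"))
    out["log_intact"] = log_intact(ctl.log)
    forged = ctl.log[:2] + [("run slots v1", ctl.log[2][1])] + ctl.log[3:]  # rewrite history
    out["forged_log_detected"] = not log_intact(forged)
    return out
```

Calling demo() runs the scenario: version 2 signed by all three parties is accepted, version 1 is then refused as a rollback even though its signatures are valid, version 3 is refused when the casino signature is missing or the image has been altered, is accepted under the manufacturer's equivalent mfr-nsw key, and is refused again once that key is revoked; the log verifies intact and a rewritten entry is detected. The RAM image is what gets hashed at load time, which is exactly what the EPROM extraction procedure cannot do for volatile memory.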