1. Field of the Invention
The present invention generally relates to a method for executing a security critical activity running on a security device, and particularly to a method for executing a security critical activity with user involvement.
2. Background
Advances in computer and communications technology have increased the flow of information between and within computer networks. This ability to communicate between computers and networks has also made it possible to develop a wide variety of services that can be performed from a user's own personal computer. Such services may for example be e-mail, home shopping, home banking, etc. Many of these services comprise security critical activities that have to be performed while the computer is on-line, such as transferring money through the Internet.
Performing such security critical activities is of course a security risk, since potential intruders can also eavesdrop on and/or compromise these activities by breaking into the computer. One of the reasons for this is that the operating systems of personal computers were not designed with security in mind, since the computers were personal and had no connection to any network. Thus, it is easy to use malicious code, Trojan horses or the like to compromise the operating system of a personal computer and thereby the security critical activities executed thereon. Even more secure operating systems, such as Unix, may be compromised with relatively little effort. Today there is no commercial operating system that protects the user from Trojan horses.
Over the years there have been many suggestions for how to solve this security problem, such as firewalls, smart cards, the use of passwords for access to certain services, etc. However, many of these solutions are mainly software based. Since software always contains bugs, it is corruptible, and may therefore be compromised through exploited security holes, malicious code, resident Trojan horse software, etc. Software based security solutions are also too brittle, i.e. if the operating system security is compromised, all data and all applications executed thereon will also be compromised.
Another approach to increasing operating system security is to build a multi level secure (MLS) operating system. Such systems label objects and subjects according to a security classification, and define rules for how information is allowed to flow through the system. The classification of different security levels, and the record keeping of which users have access to which security levels and objects, is very time consuming to maintain. Furthermore, conventional personal computer applications are not compatible with the operating system of an MLS system, and all applications have to be tailor-made for it. This is of course very costly.
WO94/01821 discloses a trusted path subsystem for workstations, such as personal computers. The system comprises a network computer, which is an MLS computer, and a workstation. The object of that invention is to provide safe communication between a trusted subsystem of the MLS computer and the workstation. To solve this problem the workstation is connected to a trusted path subsystem, which receives the encrypted data from the trusted subsystem of the MLS computer and decrypts it without involving the workstation. Thus, the application running on the MLS system can be certain that the data received is the same as the data sent from the trusted subsystem of the MLS computer, and vice versa.
UK patent application GB 2 267 986 discloses a security device for a computer. The object of this security device is to isolate the computer from the input/output devices, such as keyboard and mouse, when security critical activities are to be performed. The security device can operate in either a transparent mode or a special handling mode. In the transparent mode, data from the input/output devices is passed through the security device directly to the computer, i.e. the security device is passive. In the special handling mode, the security device itself processes the data without any involvement of the computer. The processing of the security critical activity in the security device is done automatically, without any user involvement. Hence, the user cannot be certain which steps are performed within the security device.
Even though the systems described in GB 2 267 986 and WO94/01821 provide a high degree of security, they still have a major drawback, namely that they are system oriented and lack user involvement during the execution of the security critical activity.
WO98/19243 discloses another approach to solving the security problem, namely user involvement. WO98/19243 discloses a method and a security system for processing a security critical activity. The system comprises a security device connected to a personal computer and to input/output devices. When the application running on the computer needs to perform a security critical activity, the security device is allocated and control of the data processing and of the input/output devices is transferred from the computer to the security device. The data processing of the security critical activity is then executed on the security device with user involvement, i.e. the user must grant each security critical activity. The execution of a security critical activity may even require more than one user involvement step, i.e. the user must be involved several times to grant different parts of the security critical activity.
Although the system and the method described in WO98/19243 substantially improve the security of executing a security critical activity, they do so by requiring the user to grant each and every part of the activity. This continuous involvement of the user may itself lead to a decrease in security, since after a while the user may mechanically grant every part of the security critical activity without carefully checking what he is granting. Thus, there is a need for a method that does not constantly involve the user during the processing of security critical activities.
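The following is an added illustration, not part of the patent text and not code from any of the cited applications, of the arrangement described above: a security device placed between the user's input/output devices and an untrusted personal computer, switching from a transparent mode to a special handling mode in which it owns the display and keyboard, shows the security critical data itself, and requires the user to grant it before the data is authorised. The transaction format, the MAC-based authorisation, the Trojan behaviour and the two user models (careful and habituated) are assumptions made for this example. The habituated user shows the drawback discussed in the last paragraph: a user who grants everything without reading defeats the trusted path even though the device works as intended.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed example secret; in the real arrangement it lives only inside the device.
DEVICE_KEY = b"example-device-key"


@dataclass(frozen=True)
class Transaction:
    payee: str
    amount: int

    def display(self) -> str:
        # Canonical text that is both shown to the user and authorised,
        # so what the user sees is exactly what is granted.
        return f"pay {self.amount} to {self.payee}"


class UntrustedHost:
    """The personal computer. With trojan=True it silently rewrites the payee
    after the user has approved the transaction in the host's own window."""

    def __init__(self, trojan: bool = False):
        self.trojan = trojan

    def submit(self, intended: Transaction) -> Transaction:
        if self.trojan:
            return Transaction("mallory", intended.amount)
        return intended


class SecurityDevice:
    """Sits between keyboard/display and the host. In transparent mode it passes
    I/O straight through; in special handling mode it owns the I/O, shows the
    transaction on its own display and asks the user to grant it."""

    def __init__(self, key: bytes, grant: Callable[[str], bool]):
        self._key = key        # never leaves the device
        self._grant = grant    # trusted display plus confirm button, modelled as a callback
        self.mode = "transparent"

    def authorise(self, tx: Transaction) -> Optional[bytes]:
        self.mode = "special"  # host can no longer read keystrokes or draw the screen
        try:
            text = tx.display()
            if not self._grant(text):
                return None    # user refused: nothing is authorised
            return hmac.new(self._key, text.encode(), hashlib.sha256).digest()
        finally:
            self.mode = "transparent"


class Bank:
    """Verifier that accepts only transactions carrying a valid device MAC."""

    def __init__(self, key: bytes):
        self._key = key

    def accept(self, tx: Transaction, tag: Optional[bytes]) -> bool:
        if tag is None:
            return False
        expected = hmac.new(self._key, tx.display().encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


def careful_user(intended: Transaction) -> Callable[[str], bool]:
    """User who reads the device display and grants only what was intended."""
    return lambda shown: shown == intended.display()


def habituated_user(intended: Transaction) -> Callable[[str], bool]:
    """User who has learned to press 'yes' without reading the display."""
    return lambda shown: True


def run(intended: Transaction, trojan: bool,
        user: Callable[[Transaction], Callable[[str], bool]]) -> Optional[str]:
    """Return the payee the bank actually paid, or None if nothing was accepted."""
    host = UntrustedHost(trojan=trojan)
    device = SecurityDevice(DEVICE_KEY, user(intended))
    bank = Bank(DEVICE_KEY)
    tx = host.submit(intended)   # possibly tampered with by the host
    tag = device.authorise(tx)   # device shows tx itself, not the host's window
    return tx.payee if bank.accept(tx, tag) else None


if __name__ == "__main__":
    intended = Transaction("alice", 100)
    print(run(intended, trojan=False, user=careful_user))    # alice
    print(run(intended, trojan=True, user=careful_user))     # None
    print(run(intended, trojan=True, user=habituated_user))  # mallory
```

With a clean host the careful user grants the transaction and the bank pays "alice". With a Trojan on the host the device displays the substituted payee "mallory", the careful user refuses, and no authorisation is produced. The habituated user grants the substituted transaction anyway, so the bank pays "mallory": the trusted path is intact, but the user involvement it relies on has been worn down to a reflex.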