Personal computers (hereinafter “PCs”) are often used at home and in offices, being connected to a network. PCs connected to a network exchange much data with other computers via the network. Data to be exchanged includes very confidential information, such as authentication information related to authentication of users or information related to individual privacy or to business secrets. When such information is misused or altered by a third party on the transmission path of a network, the damages caused will be critical.
A PC which is used in an office environment stores much information related to the authentication of users and of clients, such as passwords for accessing the PC or the hard disk, user identifications (IDs) and passwords for logging into an operating system (hereinafter “OS”), bioinformation data such as fingerprints, for example, related to biometrics authentication, and user IDs and passwords for logging onto an email system or into user group groupware, and must exchange such information via a network. Furthermore, recently, since even a slightly insufficient understanding of a security policy could result in the critical leak of information, there is an increased demand for collectively setting and managing information related to authentication. Naturally, in order to collectively set and manage information related to authentication, a communication system, by which information can be safely exchanged on a network and safely inputted to individual PCs so that the information can be reflected in the setup, is indispensable.
To ensure security, encryption of data is generally performed. Especially widely employed is SSL (Secure Socket Layer), which was developed by Netscape Communications, in the U.S., and is a technique for encrypting information for the transmission and reception of data on the Internet. SSL is a technique for preventing wiretapping and alteration of data and spoofing, by combining security techniques, such as public keys, private key encryption, digital certificates and hash functions. SSL operates at the boundary of a session layer (fifth layer) and a transport layer (fourth layer) in an Open Systems Interconnection (OSI) reference model, and can be transparently employed, without users being especially conscious of it, by using application software that employs a high level protocol, such as Hyper Text Transfer Protocol (HTTP) or File Transfer Protocol (FTP).
In a network constituted by PCs that use WINDOWS (registered trademark) as an OS, computer resources, such as a plurality of PCs and printers, which are theoretically regarded as a single group, are collectively called a domain. In one domain, a computer that manages user IDs and a security policy is called a domain controller. To log in to the domain using a PC that is a domain participant, a user needs only to enter a user ID and a password that are registered on the server that is the domain controller for the pertinent domain (this is called a domain login). At this time, a secure SSL connection is established by performing mutual authentication between the PC and the domain controller, using a system such as LM (Local Area Network (LAN) Manager) authentication, NTLM (WINDOWS (registered trademark) NT LAN Manager) authentication or NTLMv2 (NTLM version 2) authentication. Thus, the PC and the domain controller can safely exchange information related to authentication.
Published Japanese translation of PCT Patent Publication (Kohyo) No. 2000-516373 teaches a technique for providing authentication information related to the authentication of a user. Publication No. 2000-516373 teaches a technique whereby an encryption key stored in a token is processed using a safe memory in a safe processor mode. Using this technique, an encryption key can be safely employed while using only an inexpensive storage device, without special hardware, such as a smart card, being required.
While the safety of a communication route can be ensured by using the above-described SSL, still present is a risk that information stored in the inside of each PC will be leaked. Of special concern is malicious software, such as spyware and key loggers that are recently rampant. Spyware is software that can transmit information present inside a PC, or information for operating a PC, to a third party without permission. Spyware can be installed in a PC at the same time as other application software, or can be installed in a PC while an email attached file or a website is being browsed, in the same manner as can a computer virus. Since many spyware programs operate in the background, without displaying windows, it is difficult for a user operating the PC to detect the presence of such a spyware program. Further, even if the presence of spyware is detected, it may be difficult for a user without special knowledge to remove the spyware from the OS.
Among the variety of spyware programs that can be employed, one that obtains contents entered by a user via a keyboard is specifically called a key logger. Thus, in a PC having such a key logger installed thereon, the key logger can obtain all content entered by a user via a keyboard, so the key logger tends to be employed maliciously, and is especially used to steal highly confidential information, such as passwords and credit card numbers. Of course, since the key logger will operate in the background, it will be difficult for a user operating the PC to detect its presence. Actually, in Japan, the theft of money has occurred using Internet banking passwords that were stolen by employing key loggers.
Intel Corp., in the U.S., has developed a new technology, titled La Grande Technology, that provides a secure computing environment. According to this technology, a secure connection, one that excludes spyware or key loggers, is established between a PC main body and a keyboard to preclude the possibility that user content entered at the keyboard will be stolen. However, for this new technology to be applied, the PC main body, the keyboard, the OS and the device driver are required to correspondingly match the new technology.
On the other hand, when an SMI (System Management Interrupt) input pin (SMI#) is asserted, a central processing unit (CPU) produced by Intel Corp., in the U.S., can operate in an SMM (System Management Mode), which is an operating mode for system management. In the SMM, an SMI handler, which is an interrupt control handler executed by the CPU produced by Intel Corp., is executed in a memory space called SMRAM (System Management Random Access Memory) that is especially allocated in a main memory. Since it is impossible for the OS to directly employ the SMM, the CPU under the control of the OS enters the SMM when the SMI handler is called. In the SMM, the CPU operates in a single tasking because it is controlled by the Basic Input/Output System (BIOS) and all interrupts are regarded as invalid. Further, the SMRAM can be used exclusively by the CPU while operating in the SMM. Therefore, during the period in which the CPU is operating in the SMM, the operation of programs other than the single tasking being performed under the control of the BIOS is not permitted, and the SMRAM cannot be accessed by a process other than that for the program that is currently operating.
That is, the CPU operating in the SMM is especially appropriate for handling confidential information, since in the CPU operating in the SMM, there is no room available for an operation performed by malicious software, such as spyware or key loggers. Employing this technology, as taught in Publication No. 2000-516373, there is a technique for processing confidential information relating to authentication, such as a password, after the CPU is shifted to the SMM. According to the invention taught in Publication No. 2000-516373, an encryption key stored in a token is enabled upon the entry of a valid personal identification number (PIN), and encryption, using this encryption key, is performed in the SMM. For example, in a case where a remote server is logging on, a character string (challenge) received from the remote server under the control of the OS is transmitted to the CPU shifted to the SMM by the SMI handler. The CPU operating in the SMM then employs the above described encryption key to encrypt the received challenge, and generates an encrypted character string (response). The CPU under the control of the OS, after it is returned from the SMM, transmits the response to the remote server to complete the processing related to the logon. However, with this method, there are three problems.
As the first problem, when the CPU is shifted from under the control of the OS to the SMM, by the SMI handler being called via the BIOS, it is in general necessary, from the viewpoint of the architectures of the PC and the OS, for the CPU to complete the operation in the SMM within several tens to several hundreds of milliseconds and to return to the operation under the control of the OS. For example, a process such as the one described in Publication No. 2000-516373, above, in which a key stored in the memory in advance is used to encrypt a character string that also is stored in the memory, can be completed within the above-mentioned time period. However, it takes several seconds, at the minimum, for a user to input characters such as a password via a keyboard, and to display the inputted character. Therefore, the SMM can not be employed for a process for which user input is required. Incidentally, in Publication No. 2000-516373, before an OS is activated, a PIN must be entered and accepted under BIOS control, and thereafter, the encryption key stored in the token is stored in the memory and the OS is started. Further, in another embodiment of Publication No. 2000-516373, after a user has entered the PIN under the control of the OS, the CPU is shifted to the SMM. However, the input of confidential information, such as a PIN, under the control of the OS accompanies a risk that spyware or key loggers may steal the inputted content.
The second problem is as follows. When the CPU is returned to under the control of the OS after it is shifted to the SMM and performs specific data processing, a register of the CPU is usually employed for the exchange of data between the BIOS and an application for which data processing is required. Therefore, when data with a capacity larger than the capacity of the register is processed and exchanged between the application and the BIOS or multiple sets of data are sequentially processed and exchanged, the cycle in which the CPU is returned to under the control of the OS after it is shifted to the SMM and performs data processing must be repeated many times, within a short period of time. This greatly deteriorates the performance of the PC.
As the third problem, an NVRAM (Non-Volatile Random Access Memory) provided for obtaining a manager password and information related to the security of a PC is inhibited from further writing when initialization is performed by a BIOS and completed and the operation of the OS starts, and this inhibition is not removed until a power-ON reset of the PC is performed. Therefore, a writing inhibition to the NVRAM cannot be removed, simply by shifting the CPU to the SMM, and the setup information can not be rewritten. Especially in a case where multiple sets of data related to PC setup information, such as BIOS passwords, are received via a secure communication environment provided by SSL, each time a set of data is received, a power-ON reset of the PC must be performed and the content of the NVRAM must be changed, in order for the received information to be written to the NVRAM and to be reflected to the PC. Accordingly, when multiple sets of data are received, power-ON resets are also repeated multiple times. This greatly deteriorates the usability of the PC.
While the above systems and methods allow for safely transferring information, it would be desirable for such systems and methods to provide for safely transferring information between a server and a PC that are connected via a network, even in an environment where malicious software is operated, without requiring special hardware and without suffering any loss in the performance or the usability of the PC.