There are currently many needs that must be addressed when implementing a system and method for maintaining security within a computer network. One such need is protection from computer code that might compromise the security of the system. An example of this type of program is a “virus,” which is a program that loads itself into system memory and then embeds itself into legitimate software so that it can continue to replicate itself. Another example of malicious code is a “Trojan horse,” which is a program that appears to be one application such as a simple game or utility but in fact hides its real purpose from the user. Typically a Trojan horse writes itself into the system programming so that it runs every time the computer starts and does not make its presence known to the user. In most cases a Trojan horse is designed for specific attacks on a computer system. Common examples include: opening up access ports to the computer and possibly running system capturing software that allows a hacker to access remotely the computer system by commandeering the mouse, keyboard and screen of the user, or capturing all the keystrokes a user enters and saving them in a file or transmitting them to a location from which the originator of the Trojan horse accesses same.
Although there commonly exists software that scans each application at load time and checks for the existence of viruses in execution, this software typically relies on of the following technique: scanning for known virus code found in an internal database that must be updated frequently.
Unfortunately, most prior art systems do not protect against man-in-the-middle type attacks. A man-in-the middle attack is a security breach formed when a system or application disposes itself between two parties to a secure communication. For example, a Trojan horse application is interposed between applications in the computer system. The Trojan horse application is for intercepting keystrokes and other security data that are provided between applications within the computer system and for recording or e-mailing the intercepted keystrokes and other security data to the hacker.
In order to prevent locally executing applications, such as for instance a Trojan horse application, from affecting key data, one prior art method is to provide the computer system with a secure token for performing cryptographic functions. The token does not accept programming code and, as such, cannot be tampered with. Further, the token provides no access to keys stored therein, such that security of the key data is assured. Unfortunately, the man-in-the-middle attack is still possible wherein data is intercepted when not encrypted either before being provided to the token or upon receipt therefrom.
Fischer, in U.S. Pat. No. 5,436,972 teaches a method for preventing inadvertent betrayal by a trustee of escrowed digital secrets. In a definition phase, the user defines an escrow record that provides self-identification data together with encrypted password data. The user is prompted to voluntarily escrow password or other secret information for later retrieval by entering a series of information uniquely describing them. After unique identification data has been entered, the user is asked to select a password to protect the system. Thereafter, all the personal identifying data, together with the password, is encrypted with the trustee's public key and is stored, for example, in the user's computer as an escrow security record. The password is then used to encrypt all data on the user's disk. If the user forgets the password, a retrieval phase of the method is performed. The trustee utilizes documentary evidence presented by the alleged legitimate user and determines whether such evidence matches with the previously encrypted escrow information stored in the escrow record created by the user. If they agree, then the trustee has confidence that the true owner is making the request, and that revealing the secret key will not betray the owner's interest. Unfortunately, the method disclosed by Fischer does not prevent a Trojan horse application, when resident in the user's system, from intercepting the private key and recording it.
U.S. Pat. No. 5,919,257 issued Jul. 6, 1999 in the name of Trostle teaches a networked workstation intrusion detection system. During pre-boot—a period of time prior to initiating operation of the workstation operating system, a networked workstation performs an intrusion detection hashing function on selected workstation executable program(s). A hash function is a mathematical transformation that takes a message of arbitrary length (e.g., the selected executable programs) and computes from it a fixed length number (i.e., the computed hash value). A computed hash value calculated by the hashing operation is compared against a trusted hash value that is downloaded from a server in order to detect unauthorized changes to the selected workstation executable programs. The server can compute the trusted hash value(s) by performing the hashing function on trusted copies of the selected workstation executable programs stored in the server. Alternatively, the server may include a database of trusted hash values each uniquely associated with an executable program.
The workstation executes the hashing function on the selected executable programs stored in workstation memory (disk or RAM) to calculate a computed hash value. The workstation compares this value with the trusted hash value downloaded from the server to determine if any illicit changes have been made to the selected executable programs. If changes are detected, the user and/or the network system administrator is notified in order to take corrective action. Otherwise, the initialization proceeds and the workstation boot process continues. Alternatively, a computed hash value may be calculated separately for each selected workstation executable program, and compared against the trusted hash value downloaded from the server for that executable program. Advantageously, unauthorised changes to executable programs are detected using the prior art method. Unfortunately, it is necessary that the workstation be connected to a server or to other secure hardware from which it can obtain a trusted hash value for comparison. Further, the method compares hash values representing known or authorized executable files, and therefore can only detect Trojan horse applications that are appended to known executable files, and then only if that executable file is included in the comparison.
It would be advantageous to provide a method of reducing the efficacy of a man-in-the-middle security attack.