1. Field of the Invention
The present invention relates to information security devices, and more particularly to a method and apparatus of providing a secure authentication system utilizing a protected personal identification number (PIN) path.
2. Description of the Related Art
With the widespread use of computers, there is an increased need for controlling access to the computers and to the sensitive information stored within the computers. To provide additional security, cryptographic tokens, such as credit-card sized devices with built-in microprocessors and non-volatile memory are utilized in controlling access to computer systems. They are typically issued to a user with personalized information and private keying material and a personal access code, commonly known as a Personal Identification Number ("PIN"). The user must present a correct PIN to the card or to a device which reads the card, so as to unlock the card for operation. To compromise a card, a malicious user must be in physical possession of the card and also know the private PIN code. Since the PIN is typically entered directly into the computer, the security of such systems may still be compromised since the PIN may be captured by software specifically designed for the purpose.
One current approach to this problem is the use of an electro-mechanical device, or card reader, into which the user inserts the token. The device is, in turn, coupled to a computer. The user must enter his PIN directly into the card reader through a keypad mounted on the card reader. The card reader then verifies the PIN with the cryptographic key on the token. If the PIN is valid, a signal is sent to the computer, which authorizes access to the card's cryptographic information.
This approach however, present several disadvantages. First, the reader must provide the keypad, the keypad interface to the card reader's processor and the software for interpreting the user's entry. This feature adds to the complexity of the device and its cost. Secondly, a separate keyboard has to be used for accepting user input or commands to the computer. As a result, the user has to relocate from the keyboard to the keypad or vice versa. If repeated attempts at entering the PIN are required, such movement may prove distracting. The use of such a device is thus both awkward and expensive.
A second approach, as described in U.S. Pat. No. 5,406,624 (the "'624 patent"), involves the use of a security unit that is connected between a computer and keyboard. The security unit includes a processor which stores a number of security programs for operating the security unit, controlling attached peripherals and executing cryptographic algorithms. The security unit operates in one of two fundamental modes: a Transparent Mode in which data inputted from the keyboard to the security unit is transmitted to the computer, and a Special Handling Mode in which data entered from the keyboard is isolated from the computer so that the security unit assumes complete control of data provided via the keyboard. The Special Handling Mode in effect causes the security unit to replace the computer, executing security-related algorithms and in general, duplicating the operations of the computer in controlling the input, processing and displaying of information. The control means for selecting one of these modes involves downloading cryptographically signed software from the host computer and executing it within the security unit, or the use of a switchbox connected between the security unit and the computer, which enables manual selection of the modes. In the '624 patent, security key operations are performed in the security unit. These security key operations include the verification of a program's signature, ciphering and deciphering of passwords and other like operations.
This second approach also presents several disadvantages. First, since the security and peripheral control programs executed by the security unit are of significant computational complexity, it requires a powerful processor and large amounts of memory to be effective. This processing requirement, and the control electronics for a variety of peripheral devices adds significant cost to the unit, placing it out of reach for a large number of potential users. Secondly, if the control means is implemented using down-loadable software, an additional security risk is incurred since this software comes from an external source, which could be intercepted and compromised. The '624 device attempts to guard against this risk by requiring such software to be accompanied by a signature. However, this in turn limits the usefulness of the device for those applications which do not have the proper signature, and which do not have the knowledge (or code) required to interface with the security unit's processing system. If the control means is implemented using a manual switch, the operator has to be constantly interrupted to attend to the selection of the two modes, and may often find himself committing errors which hinder the effectiveness and the security of the unit.
Accordingly, there is a need in the technology for a simple, elegant and cost-effective consumer-level method and apparatus of authenticating a password or personal identification number (PIN) independently from the computer, so that access control to one or more application programs running on the computer may be enforced, while minimizing the risk of capture of the password by unauthorized users and also minimizing the complexity of user operation.