Secure Client Device

 

Alexander Liss

 

03/20/2009

 

 

Having a secure networked device in the hands of a user – a Client Device – is crucial to extending commercial applications that use the Internet.

     Current devices such as desktops, laptops, cell phones, etc. are insufficiently secure to reliably identify a user to the counterparty and insufficiently secure to protect the user’s data and communication.

     To make such a secure device commercially feasible, it should have broad capabilities, particularly the functionality available in insecure devices. This last requirement is not easy to achieve.

     In addition, there is a need to provide functionality that could support information trade. Current schemes, in which information is downloaded in encrypted form, are flawed because they create a temptation for secondary distribution of the information without fees being charged. iTunes proved that a scheme in which each piece of information is low-priced diminishes this temptation to the level at which viable commerce could emerge.

     This should be augmented with central storage of information and repeated downloads of it on demand, as long as it was purchased once.

     This creates an additional requirement for a secure client device: it should have an area that supports such activity, where large data can be downloaded quickly and without checking, but which is wiped automatically when it is no longer needed, and where potentially malicious software downloaded with the data cannot affect the functionality of the rest of the device.

     To facilitate the secure use of encryption in this device, one needs to add a super-secure area. This area deals with cryptographic activities and the storage of cryptography-related data.

     Note that the most vulnerable areas in such a device are input (keyboard) and output (display). Input could be surreptitiously monitored and replayed, and output could be faked. Hence, they have to be protected in a way not present today.

     Storage has to be divided into classes, so that different areas do not have access to storage inappropriate to their level of security.

     There is a need for a protected area where secure processing could reside: secure communication, modules interacting with financial sites, and the like. Only a small set of applications needs such special protection, but it is an important set, and there is no way to protect it without setting up a specially protected area in the device.

     All these requirements look too constraining, but it is possible to design a relatively simple device that meets all of them.

     The device has to have three distinct, physically separated areas (processor, memory, connections, etc.): secure, normal, and reset.

     The normal area is similar to currently used computers or handheld devices, with an important difference: it does not have direct access to user input and output devices (keyboard, display, etc.). Instead, user input and output are facilitated by the secure area.

     The secure area is a stripped-down computing device whose operating system could be made reliable and secure. It has lines of communication with the other areas, and it facilitates user input and output on behalf of the other areas.

     The secure area contains a super-secure area dedicated to cryptographic support. Encapsulating cryptographic support in dedicated hardware is a broadly used approach.

     The reset area does not have long-term storage. Hence, its operating system and its applications are loaded from the normal area. This way, the reset area does not need to be heavily protected against attacks from the network. The memory of the reset area could be separated logically rather than physically; however, the possibility of writing outside this area should be prevented. Writing to long-term storage should be impossible.

     The hardware communication module could be shared between all these areas, provided that communication between an area and the network does not physically go through a more secure area. Note that even the super-secure area needs to communicate over the network, for example for storage and retrieval of cryptographic secrets in a central backup location.

     The secure area, super-secure area and normal area should have physically separate storage. The super-secure area requires only small long-term storage, and it is usually separated; hence only the physical separation of the storage of the secure and normal areas has to be done. Note that logical separation of storage, even with the use of cryptography, is insufficient.
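
     The separation rules above can be expressed as checks over a description of a candidate device design. The following is an added example, not part of the original article; the dictionary layout, the device and disk names, and the ranking of the reset area below the normal area are assumptions made for illustration.

```python
# Security ranking of areas. Placing "reset" below "normal" is an assumption.
LEVEL = {"reset": 0, "normal": 1, "secure": 2, "super_secure": 3}
USER_IO = {"keyboard", "display"}

def check_design(design):
    """Return a sorted list of violations of the article's separation rules."""
    problems = []
    # Only the secure area may be wired to user input and output devices.
    for area, dev in design["io_links"]:
        if dev in USER_IO and area != "secure":
            problems.append(f"{area} has direct access to {dev}")
    # The reset area must not write long-term storage, and the other
    # areas must not share a physical storage device.
    owners = {}
    for area, store, mode in design["storage_links"]:
        if area == "reset":
            if "w" in mode:
                problems.append(f"reset can write long-term storage {store}")
        else:
            owners.setdefault(store, set()).add(area)
    for store, areas in owners.items():
        if len(areas) > 1:
            problems.append(f"{store} is shared by {', '.join(sorted(areas))}")
    # Traffic between an area and the network must not pass through
    # an area that is more secure than the sender.
    for area, path in design["network_paths"].items():
        for hop in path:
            if hop in LEVEL and LEVEL[hop] > LEVEL[area]:
                problems.append(f"{area} network path crosses more secure area {hop}")
    return sorted(problems)

# Constructed sample designs (hypothetical names).
GOOD = {
    "io_links": [("secure", "keyboard"), ("secure", "display")],
    "storage_links": [("secure", "disk_s", "rw"), ("normal", "disk_n", "rw"),
                      ("super_secure", "nv_ss", "rw")],
    "network_paths": {a: ["comm"] for a in LEVEL},
}
BAD = {
    "io_links": [("secure", "display"), ("normal", "keyboard")],
    "storage_links": [("secure", "disk0", "rw"), ("normal", "disk0", "rw"),
                      ("reset", "disk0", "w")],
    "network_paths": {"normal": ["secure", "comm"], "reset": ["comm"]},
}

if __name__ == "__main__":
    for name, design in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_design(design) or "no violations")
```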