Secure Client Device
Alexander Liss
Having a secure networked device in the hands of a user, a Client Device, is crucial to extending commercial applications that use the Internet.
Current devices such as desktops, laptops, cell phones, etc. are insufficiently secure to provide reliable identification of the user to the counterparty, and insufficiently secure to protect the user's data and communication.
To make such a secure device commercially feasible, it must have broad capabilities, in particular the functionality available in insecure devices. This last requirement is not easy to meet.
In addition, there is a need for functionality that can support trade in information. Current schemes, where information is downloaded in encrypted form, are flawed, because they create a temptation for secondary distribution of the information without the fees being paid. iTunes proved that a scheme where each piece of information is priced low reduces this temptation to a level at which viable commerce can emerge.
This should be augmented with central storage of the information and repeated downloads of it on demand, for as long as it was purchased once.
This creates an additional requirement for a secure client device: it should have an area that supports such activity, where large data can be downloaded quickly and without checking, but which is wiped automatically when no longer needed, and where potentially malicious software downloaded along with the data cannot affect the functionality of the rest of the device.
To facilitate the secure use of encryption in this device, one needs to add a super-secure area. This area handles cryptographic operations and the storage of cryptography-related data.
Note that the most vulnerable parts of such a device are input (keyboard) and output (display). Input can be surreptitiously monitored and replayed, and output can be faked. Hence they have to be protected in a way not present in today's devices.
Storage has to be divided into classes, so that different areas do not have access to storage inappropriate to their level of security.
There is a need for a protected area where secure processing can reside: secure communication, modules interacting with financial sites, and the like. Only a small set of applications needs such special protection, but it is an important set, and there is no way to protect it without setting up a specially protected area in the device.
All these requirements look too constraining, but it is possible to design a relatively simple device that meets all of them.
The device has to have three distinct, physically separated areas (processor, memory, connections, etc.): secure, normal, and reset.
The normal area is similar to currently used computers or handheld devices, with one important difference: it does not have direct access to the user input and output devices (keyboard, display, etc.). Instead, user input and output are mediated by the secure area.
The secure area is a stripped-down computing device whose operating system can be made reliable and secure. It has lines of communication with the other areas and handles user input and output on their behalf.
The secure area contains a super-secure area dedicated to cryptographic support. Encapsulating cryptographic support in dedicated hardware is a widely used approach.
The reset area has no long-term storage. Hence its operating system and applications are loaded from the normal area. This way the reset area does not need to be heavily protected against attacks from the network. The memory of the reset area may be separated logically rather than physically, but writing outside this area must be prevented. Writing to long-term storage must be impossible.
The hardware communication module may be shared among all these areas; the only constraint is that communication between an area and the network must not physically pass through a more secure area. Note that even the super-secure area needs to communicate over the network, for example for storage and retrieval of cryptographic secrets in a central backup location.
The secure area, super-secure area and normal area should have physically separate storage. The super-secure area requires only a small long-term storage, which is usually separate anyway, hence only the storage of the secure and normal areas has to be physically separated. Note that logical separation of storage, even with the use of cryptography, is insufficient.
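The separation rules stated in the paragraphs above (only the secure area fronts user I/O, the reset area owns no long-term storage, network traffic never routes through a more secure area, and each area's storage is private to it) can be checked mechanically against a proposed component layout. The following Python is an added illustration, not tooling from the author; it models the device as nodes joined by physical links, and the component names (io, network, store_*) and the two sample layouts are assumptions constructed for the example. Note that the super-secure area reaching the network through the secure area is allowed, since the rule only forbids passing through a more secure area.

```python
"""Constraint check for the three-area client device layout described above.

Added illustration, not the author's own tooling: it models the device's
components as nodes joined by physical links and verifies the separation
rules stated in the text. Component names (io, network, store_*) and the
sample layouts GOOD and BAD are assumptions constructed for this example.
"""
from collections import deque

# Higher rank = more protected. Only areas carry a rank; io, network and
# storage volumes do not.
TRUST = {"reset": 0, "normal": 1, "secure": 2, "super_secure": 3}

# Long-term storage volumes and the single area allowed to own each.
# The reset area deliberately has no entry: it gets no long-term storage.
STORAGE_OWNER = {
    "store_normal": "normal",
    "store_secure": "secure",
    "store_crypto": "super_secure",
}


def make_topology(links):
    """Build an undirected adjacency map from (a, b) physical links."""
    topo = {}
    for a, b in links:
        topo.setdefault(a, set()).add(b)
        topo.setdefault(b, set()).add(a)
    return topo


def reachable_without_escalation(topo, area, target):
    """True if `area` reaches `target` over some path that never crosses an
    area ranked more secure than `area` itself (BFS with pruning)."""
    rank = TRUST[area]
    seen, queue = {area}, deque([area])
    while queue:
        node = queue.popleft()
        if node == target:
            return True
        for nxt in topo.get(node, ()):
            if nxt in seen or (nxt in TRUST and TRUST[nxt] > rank):
                continue
            seen.add(nxt)
            queue.append(nxt)
    return False


def check_layout(links):
    """Return the list of rule violations for a layout (empty means compliant)."""
    topo = make_topology(links)
    violations = []

    # Rule 1: the secure area alone fronts the user I/O devices.
    for area in TRUST:
        touches_io = "io" in topo.get(area, ())
        if area == "secure" and not touches_io:
            violations.append("secure area must front the user I/O devices")
        elif area != "secure" and touches_io:
            violations.append(f"{area} area has direct access to user I/O")

    # Rule 2: each area reaches the shared communication module without its
    # traffic physically passing through a more secure area.
    for area in TRUST:
        if not reachable_without_escalation(topo, area, "network"):
            violations.append(
                f"{area} area lacks a network path that avoids more secure areas")

    # Rule 3: storage is physically separate. Each volume is wired only to its
    # owner, and the reset area is wired to no volume at all.
    for vol, owner in STORAGE_OWNER.items():
        for nb in topo.get(vol, ()):
            if nb != owner:
                violations.append(
                    f"{vol} is reachable from {nb}, should be private to {owner}")
    for nb in topo.get("reset", ()):
        if nb.startswith("store_") and nb not in STORAGE_OWNER:
            violations.append(f"reset area must have no long-term storage ({nb})")
    return violations


# Constructed sample layouts. GOOD follows the text; BAD breaks several rules.
GOOD = [
    ("secure", "io"),
    ("secure", "normal"), ("secure", "super_secure"), ("normal", "reset"),
    ("secure", "network"), ("normal", "network"), ("reset", "network"),
    ("store_normal", "normal"), ("store_secure", "secure"),
    ("store_crypto", "super_secure"),
]
BAD = [
    ("normal", "io"), ("secure", "io"),            # normal wired straight to I/O
    ("secure", "normal"), ("secure", "super_secure"), ("normal", "reset"),
    ("secure", "network"),                         # normal/reset could only relay via secure
    ("store_normal", "normal"), ("store_normal", "secure"),  # volume shared by two areas
    ("store_secure", "secure"), ("store_crypto", "super_secure"),
    ("store_reset", "reset"),                      # reset given persistent storage
]

if __name__ == "__main__":
    for name, layout in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, "->", check_layout(layout) or "compliant")
```

Running it reports GOOD as compliant and lists five violations for BAD: the normal area's direct I/O link, the missing escalation-free network paths for the normal and reset areas, the storage volume shared between the normal and secure areas, and the persistent volume attached to the reset area. The pruning in `reachable_without_escalation` is the whole point of Rule 2: a link from the normal area to the secure area is legitimate for I/O mediation, but it must not be the normal area's only route to the network module.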