WO2000038072A1 - Method for executing a security critical activity - Google Patents


Info

Publication number: WO2000038072A1
Authority: WO (WIPO, PCT)
Prior art keywords: action, user, security, situation, proxy
Application number: PCT/SE1999/002422
Other languages: French (fr)
Inventor: Christian Wettergren
Original Assignee: Myspace Ab
Application filed by Myspace Ab
Priority to JP2000590064A (JP2002533814A)
Priority to EP99964913A (EP1151385A1)
Priority to AU30942/00A (AU3094200A)
Priority to IL14359599A (IL143595A0)
Publication of WO2000038072A1
Priority to IL143595A (IL143595A)

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2211/00 Indexing scheme relating to details of data-processing equipment not covered by groups G06F3/00 - G06F13/00
    • G06F2211/007 Encryption, En-/decode, En-/decipher, En-/decypher, Scramble, (De-)compress

Definitions

  • the first step 100 of the method is to define under which situation the action or the actions of the security critical activity can be granted indirectly by the user.
  • An example of such a situation may be the payment of an amount that is smaller than a predetermined amount, for example $10, to a predetermined account. What is granted, in this case, is the request of for example $6, as long as the requested amount is less than $10. It shall be noted once again that it is the situation and not the action itself that determines if the action is to be granted directly or indirectly by the user. If for example the action payment in the example above is in a situation where $10,000 is to be transferred, the user may have to grant this directly.
  • a proxy letter which may be stored in the PROM 44 of the security device 40.
  • the proxy letter may of course also be stored in a protected RAM 46 of the security device 40.
  • a secure memory will mean either of the above mentioned memories 44, 46 or any other secure memory associated with the security device.
  • the situations under which the action may be performed will belong to a proxy letter group. All other situations, which are not defined by the proxy letter, will be part of a user involvement group.
  • The proxy letter, i.e. the definition of less critical situations, may be defined in a number of ways.
  • One way is to enter the secure management mode, define those situations which are to be considered less critical, and then store these in the secure memory. Since the proxy letter is created within the security device 40, the user can be absolutely sure that the proxy letter only contains situations defined by him.
  • Another way is to create the proxy letter somewhere outside the security device and then load it into the secure memory associated therewith. The loading process of such a proxy letter must then of course be monitored and granted by the user with user involvement, step by step, to ensure that the proxy letter does not contain anything against the will of the user.
  • the proxy letter is written or defined in plain text, i.e.
  • proxy letter may be seen as a user involvement step with a time-delay.
  • live user involvement is referred to as direct user involvement and user involvement by means of a proxy letter is referred to as indirect user involvement.
  • this first step 100 of the method does not always have to be performed when using the method according to the invention.
  • a proxy letter must be defined before the method can be applied, but if defined the already existing proxy letter or letters may be used.
  • this first step 100 is only performed initially before the method is used or when a proxy letter or letters have to be updated.
  • the first step 102 of the method is to start the execution of the first action of the security critical activity. Thereafter the microprocessor 42 of the security device 40 will check in what situation this action is to be performed, i.e. check if the situation belongs to the proxy letter group at step 104. This is done by reading the proxy letters and seeing if any proxy letter is allowed to grant the action under the present situation. If there is, the action in this situation belongs to the proxy letter group, and if not, the action belongs to the user involvement group.
  • the situation/action belongs to the proxy letter group, this means that the proxy letter can grant the action without direct user involvement.
  • the proxy letter can grant directly by the user. It shall be understood that the user always is in control of the execution of the security critical activities and that he at any time can cancel a proxy letter and take a direct control of the action to be executed.
  • If, at step 104, it is determined that the situation/action cannot be granted by the proxy letter, the user will have to be involved to continue the processing of the security critical activity and the method continues to step 106.
  • the user involvement step 106 will be described in detail in conjunction with figure 4 below. However, if the user is not involved within a predetermined time the execution of the action will be timed out and the secure management mode will be exited at step 116.
  • After the situation/action has been granted either by the proxy letter, at step 104, or by the user, at step 106, the processor 42 will continue the execution of the action at step 108. Thereafter, at step 110, the processor checks if all actions of the security critical activity have been executed. If the answer is no, the execution of the next action of the security critical activity will be started, at step 112, and steps 104 to 110 as described above will be repeated. This will continue until all the actions of the security critical activity have been executed and the security critical activity is ended at step 114.
  • step 106 will be described in detail in conjunction with figure 4. If, at step 104, it is determined that the proxy letter cannot grant the situation/action, the flow chart of figure 4 is entered. Thus, steps 200 to 204 in figure 4 correspond to step 106 in figure 3.
  • the user is requested to grant the situation/action.
  • the processor 42 checks at step 202 if the user has granted the request, i.e. if the user has been involved. If the answer is yes the flow chart of figure 4 is exited and the method proceeds with step 108 in figure 3. However, if the user has not granted the request a timer is started. The timer is set to a predefined time. If during this time the user does not grant the request the processing of the security critical activity is terminated. Thus, at step 204 the processor 42 checks if the timer is timed out. If the answer is no the processor will wait for the user to grant the request until the timer is timed out. When the timer is timed out the processing of the security critical activity is terminated at step 116.
  • the processor 42 will keep track of which of the proxy letter or the user has granted each situation/action. This information is collected and stored as a log file. This may be an advantage if there is a dispute on who granted which action. It also gives the user reliable receipts of what he has done.
  • a security critical activity that often is performed is open file. Assuming that all files on the hard disk of the computer are encrypted the user has to use his private key to open a file. This key is stored in the security device and can only be accessed if allowed by the user, when running in the secure management mode.
  • proxy letter that allows the application running on the computer to open certain files.
  • Such a proxy letter may for example define that all files in the directory C:\my documents\public\*.* can be granted without direct user involvement, i.e. grant file opening/decryption if the situation is: filename matches directory C:\my documents\public\*.*.
  • the decision to open a file can be made in two levels, namely by the proxy letter if the defined conditions are satisfied or directly by the user.
  • proxy letter defines which actions/situations that are allowed to be granted
  • a proxy letter also may define actions/situations that are to be prevented from being executed without any further user involvement.
  • the application may request that an amount of $10000 is to be transferred to a certain account. Assuming that a transaction of such an amount or to such an account never will be the case, the user can define such cases in the proxy letter. The proxy letter will then stop further execution of such actions/situations without any user involvement.
  • the scope of this invention is to be considered limited only by the following claims.

Abstract

The present invention relates to a method for executing a security critical activity in a security device (40), wherein the security critical activity is executed with user involvement. Each security critical activity is divided into a number of situations/actions, belonging either to a proxy letter group or a user involvement group. The processor (42) of the security device (40) starts the execution of an action of a security critical activity, and then checks if this situation/action can be handled by a proxy letter or shall be handled by a user. If the user or the proxy letter grants the situation/action the execution of the action is continued and ended. This is repeated until all actions of the security critical activity have been executed. If neither the user nor the proxy letter grants the situation/action the execution of the security critical activity will be stopped.

Description

Method for executing a security critical activity
BACKGROUND OF THE INVENTION
Field of the invention
The present invention generally relates to a method for executing a security critical activity running on a security device, and particularly to a method for executing a security critical activity with user involvement.
Background
Advances in computer and communications technology have increased the flow of information between and within computer networks. This ability to communicate between computers and networks has also made it possible to develop a wide variety of services that can be performed from your own personal computer. Such services may for example be mailing, home shopping, home banking etc. Many of these services comprise security critical activities that have to be performed when the computer is on-line, such as transferring money through Internet.
Performing such security critical activities is of course a security risk, since potential intruders can also listen to and/or compromise these security critical activities by breaking into the computer. One of the reasons for this is that the operating systems of personal computers were not designed with security in mind, since they were personal and without connections to any network. Thus, it is easy to use malicious code, Trojan horses or the like to compromise the operating system of a personal computer and thereby the security critical activities executed thereon. Also more secure operating systems, such as Unix, may be compromised with a relatively small effort. Today there is no commercial operating system that protects the user from Trojan horses.
Over the years there have been many suggestions how to solve this security problem such as firewalls, smart cards, the use of passwords for access to certain services etc. However, many of these solutions are mainly software based. Since software always contains bugs, it is corruptible, and may therefore be compromised by exploited security holes, malicious code, resident Trojan horse software etc. Software based security solutions are also too brittle, i.e. if the operating system security is compromised all data and all applications that are executed thereon will also be compromised.
Another approach to increase the operating system security is to build a multi level secure (MLS) operating system. Such systems label objects and subjects according to a security classification, and define rules for how information is allowed to flow through the system. The classification of different security levels and the record keeping of which users that have access to different security levels and objects is very time consuming to maintain. Furthermore, conventional personal computer applications are not compatible with the operating systems of the MLS system, and all applications have to be tailor-made for the MLS system. This is of course very costly.
WO94/01821 discloses a trusted path subsystem for workstations, such as personal computers. The system comprises a network com-
[page image imgf000004_0001: text not recovered]
subsystem of the MLS computer and the workstation. To solve this problem the workstation is connected to a trusted path subsystem, which receives the encrypted data from the trusted system of the MLS computer and decrypts it without involving the workstation. Thus, the application running on the MLS-system will be certain that the data received will be the same as the data sent from the trusted subsystem of the MLS computer, and vice versa.
UK patent application GB 2 267 986 discloses a security device for a computer. The object of this security device is to isolate the computer from the input/output devices, such as keyboard and mouse, when security critical activities are to be performed. The security device can operate in either a transparent mode or a special handling mode. In the transparent mode the data inputted from the input/output devices is transmitted through the security device directly to the computer, i.e. the security device is in a passive mode. In the special handling mode the security device itself will perform the processing of the data without any involvement of the computer. The processing of the security critical activity in the security device is done automatically, without any user involvement. Hence, the user can not be certain which steps are performed within the security device.
Even if the systems described in GB 2 267 986 and WO94/01821 provide a high degree of security they still have a major drawback, namely they are system orientated and lack user involvement during the execution of the security critical activity.
WO98/19243 discloses another approach in solving the security problem, namely user involvement. WO98/19243 discloses a method and a security system for processing a security critical activity. The system comprises a security device connected to a personal computer and to input/output devices. When the application running on the computer needs to perform a security critical activity the security device is allocated and the control of the data processing and the input/output devices are transferred from the computer to the security device. The data processing of the security critical activity is then executed on the security device with user involvement, i.e. the user must grant each security critical activity. The execution of a security critical activity may even require more than one user involvement step, i.e. the user must be involved several times to grant different parts of the security critical activity.
Even if the system and the method described in WO98/19243 have made a substantial contribution to security when executing a security critical activity, this is made to a degree where the user has to grant each and every part of the security critical activity to be executed. This continuous involvement of the user may also lead to a decrease in security, since the user after a while mechanically may grant every part of the security critical activity, without carefully checking what he is granting. Thus, there is a need for a method that does not constantly involve the user during the processing of security critical activities.
SUMMARY OF THE INVENTION
Thus, the objective problem to be solved by the present invention is to provide a method for processing security critical activities with user involvement, but without constantly bothering the user for each and every part of the security critical activity to be executed.
This problem is solved by a method as defined in claim 1.
Preferred embodiments of the invention are defined in the dependent claims 2-9.
By using the method according to the present invention the user will not constantly be asked to grant each part of a security critical activity, since the proxy letter created by the user will grant all the security steps defined by the user. Thus, by relieving the user from performing the granting of every security critical step, the user can focus on the important security steps to be granted. In this way the user will be more concentrated each time he shall grant an action. Thus, with the method according to the invention it is possible to maintain or even increase the security obtainable by using a security device as described in WO98/19243, but without the constant user interruption. The work situation of the user will of course also be more ergonomic, since the proxy letter defined in the security device grants many monotonous steps.
BRIEF DESCRIPTION OF THE DRAWINGS
The foregoing and other aspects of the present invention will be best appreciated with reference to the following detailed description of a specific embodiment of the invention, given by way of example only, when read in conjunction with the accompanying drawings, wherein
Figure 1 shows a block diagram of a security system on which the method according to the present invention may be performed.
Figure 2 shows a block diagram of another security system on which the method according to the present invention may be performed.
Figure 3 shows a flow chart of the method according to the invention.
Figure 4 shows a flow chart of the direct user involvement step according to the present invention.
DESCRIPTION OF THE PREFERRED EMBODIMENTS
Even if the present invention will be described as using a specific security device or security system, it is believed that any security device having the following features may be used. Such a generic system is defined by having a protected processing space with a protected data memory, means for secure communication with the user through input/output devices, means for communicating with a computer's ordinary processing space, and programmed user involvement steps stored in the protected data memory.
However, the method according to the invention will be described in conjunction with the security system disclosed in WO98/19243, which hereby is incorporated as reference. Thus, such a system will be described first.
Figure 1 shows one embodiment of a security system on which the present invention may be performed. Such a system is used to perform security critical activities when the system is connected to a public network and comprises an arbitrary personal computer 2, input/output devices such as a keyboard 4, a mouse 6, a display 8, and a smart card reader/writer (r/w) 12.
The personal computer 2 is provided with a processor 14, a read only memory (ROM) 16 and a random access memory (RAM) 18. Each physical input/output device 4, 6, 8, 12 is connected to the computer 2 through a suitable communication interface 20, 22, 24, 26. As can be seen in figure 1, the display 8 is connected to the computer 2 via a screen device controller 10. Each input/output device 4, 6, 8, 12 is also provided with a switching and crypto device 28, 30, 32, 34, the function of which is to be described below. It shall be understood that also the input/output devices 4, 6, 12 have device controllers, which in the shown embodiment are incorporated in the switching and crypto devices 28, 30, 32.
The screen device controller 10 comprises a screen control circuit 36 and a screen memory 38. In this embodiment the screen controller 10 is connected to a security device 40, comprising a processor 42, a PROM 44 and a RAM 46. The processor 42 of the security device 40 is connected to the screen circuit 36 and to the screen memory 38 and also to the PROM 44 and the RAM 46. The processor 42 is also connected to and controls the switching and crypto device 34 provided in the screen circuit 36. In this embodiment the switching and crypto device 34 serves as blocking means, i.e. prevents the processor 14 of the computer 2 from getting access to the screen device controller 10.
Figure 2, shows an alternative embodiment of the security system, in which the security device 40 is incorporated within the computer 2. In such an embodiment the screen device controller 10 is duplicated and the switching and crypto device 34 is acting as an ordinary switch, which is controlled by the security device 40, in order to switch between the two screen control devices 10.
As mentioned above the security system is used to perform security critical activities when the system, i.e. the computer 2, is connected and on-line with a network. If the computer is a standalone computer there is no need for a security device 40, since no intruder is able to listen or compromise with the processed data. Thus, the present invention is directed towards computers that are on-line with networks. Security critical activities are activities that the user wishes to perform in privacy, i.e. without the danger of having an intruder listening to or compromising the security critical activity. Examples of such security critical activities are transferring money, signing documents, and preparing confidential mails and the like.
The execution of a security critical activity can also, as mentioned above, require more than one user involvement step, i.e. a security critical activity may be divided into different parts which each have to be granted by the user. As defined in the present invention each such part is called an action. Thus, in the context of the present invention, granting a security critical activity means granting the security critical activity as a whole, if it only comprises one action, or granting a chain of actions, if several user involvement steps are required. However, it should be noted that it is not the action itself that is granted, but the situation in which the action may be granted. Thus, in the context of the present application granting an action means granting an action under certain circumstances, as will be described in detail below.
Furthermore, the situations under which each action is performed can be divided into two groups, namely a proxy letter group and a user involvement group. Thus, depending on the situation, the same action may be found several times in one group or in both groups. It is the combination of the action and the situation under which it is performed that is the basis for dividing it into groups. The two groups will be explained in more detail below.
A security system having the configuration described above is operable in two different modes. In a first mode, defined as the normal mode, the security system operates as an ordinary computer, i.e. the security device 40 is passive. In a second mode, defined as the secure management mode, the security device 40 takes over control of the data processing in order to perform the different security critical activities in a reliable way.
The method according to the present invention is applicable when the security system is operated in the secure management mode. It is in this mode that the user has to grant, in some way, each action of the security critical activity. If the user has to grant each action directly himself, this may lead to decreased security since, as mentioned above, the user may after a while mechanically grant every action without carefully checking what he is granting.
Thus, the method according to the present invention will now be described in conjunction with figure 3. The first step 100 of the method is to define under which situation the action or actions of the security critical activity can be granted indirectly by the user. An example of such a situation may be the payment of an amount that is smaller than a predetermined amount, for example $10, to a predetermined account. What is granted, in this case, is a request of for example $6, as long as the requested amount is less than $10. It shall be noted once again that it is the situation and not the action itself that determines whether the action is to be granted directly or indirectly by the user. If, for example, the payment action in the example above occurs in a situation where $10,000 is to be transferred, the user may have to grant this directly.
The situations where an action can be granted indirectly by the user are, according to the present invention, defined in a proxy letter, which may be stored in the PROM 44 of the security device 40. The proxy letter may of course also be stored in a protected RAM 46 of the security device 40. In the context of this application, a secure memory will mean either of the above mentioned memories 44, 46 or any other secure memory associated with the security device.
Thus, the situations under which the action may be performed, as defined by the proxy letter, will belong to a proxy letter group. All other situations, which are not defined by the proxy letter, will be part of a user involvement group.
The creation of a proxy letter, i.e. the definition of less critical situations, may be done in a number of ways. One way is to enter the secure management mode, define those situations which are to be considered less critical and then store these in the secure memory. Since the proxy letter is created within the security device 40, the user can be absolutely sure that the proxy letter only contains situations defined by him. Another way is to create the proxy letter somewhere outside the security device and then load it into the secure memory associated therewith. The loading of such a proxy letter must then of course be monitored and granted by the user with direct user involvement, step by step, to ensure that the proxy letter does not contain anything against the will of the user. Preferably the proxy letter is written or defined in plain text, i.e. it is created in the same way as when the user grants an action directly. Thus, the creation of the proxy letter may be seen as a user involvement step with a time delay. As already mentioned, live user involvement is referred to as direct user involvement and user involvement by means of a proxy letter is referred to as indirect user involvement.
It shall be noted that this first step 100 does not have to be performed every time the method is used. A proxy letter must be defined before the method can be applied, but once defined the existing proxy letter or letters may be reused. Thus, step 100 is only performed initially, before the method is first used, or when a proxy letter or letters have to be updated.
Thus, starting from the assumption that at least one proxy letter according to the will of the user is already loaded in the secure memory associated with the security device 40, the first step 102 of the method is to start the execution of the first action of the security critical activity. Thereafter the processor 42 of the security device 40 checks, at step 104, in what situation this action is to be performed, i.e. checks whether the situation belongs to the proxy letter group. This is done by reading the proxy letters and seeing whether any proxy letter is allowed to grant the action under the present situation. If there is, the action in this situation belongs to the proxy letter group; if not, the action belongs to the user involvement group.
Depending on which group the situation under which the action is to be performed belongs to, different steps are taken by the method according to the present invention. If the situation/action belongs to the proxy letter group, the proxy letter can grant the action without direct user involvement. However, it shall be noted that even if the user is not directly involved, he is the one who created the proxy letter, and thus the action is performed with indirect user involvement. If, on the other hand, the situation/action belongs to the user involvement group, the action must be granted directly by the user. It shall be understood that the user is always in control of the execution of the security critical activities and that he can at any time cancel a proxy letter and take direct control of the action to be executed.
If, at step 104, it is determined that the situation/action cannot be granted by a proxy letter, the user will have to be involved to continue the processing of the security critical activity, and the method continues to step 106. The user involvement step 106 will be described in detail in conjunction with figure 4 below. However, if the user does not become involved within a predetermined time, the execution of the action is timed out and the secure management mode is exited at step 116.
After the situation/action has been granted either by the proxy letter, at step 104, or by the user, at step 106, the processor 42 will continue the execution of the action at step 108. Thereafter, at step 110, the processor checks if all actions of the security critical activity have been executed. If the answer is no, the execution of the next action of the security critical activity will be started, at step 112, and steps 104 to 110 as described above will be repeated. This will continue until all the actions of the security critical activity have been executed and the security critical activity is ended at step 114.
Now the user involvement step 106 will be described in detail in conjunction with figure 4. If, at step 104, it is determined that the proxy letter cannot grant the situation/action, the flow chart of figure 4 is entered. Thus, steps 200 to 204 in figure 4 correspond to step 106 in figure 3.
Starting at step 200 the user is requested to grant the situation/action. The processor 42 then checks at step 202 if the user has granted the request, i.e. if the user has been involved. If the answer is yes the flow chart of figure 4 is exited and the method proceeds with step 108 in figure 3. However, if the user has not granted the request a timer is started. The timer is set to a predefined time. If during this time the user does not grant the request the processing of the security critical activity is terminated. Thus, at step 204 the processor 42 checks if the timer is timed out. If the answer is no the processor will wait for the user to grant the request until the timer is timed out. When the timer is timed out the processing of the security critical activity is terminated at step 116.
In a preferred embodiment of the invention the processor 42 keeps track of whether the proxy letter or the user has granted each situation/action. This information is collected and stored as a log file. This may be an advantage if there is a dispute about who granted which action. It also gives the user a reliable receipt of what he has done.
An example according to the present invention will now be described. A security critical activity that is often performed is opening a file. Assuming that all files on the hard disk of the computer are encrypted, the user has to use his private key to open a file. This key is stored in the security device and can only be accessed if allowed by the user, when running in the secure management mode.
Each time an application running on the computer wants to read a file, the user has to grant the file opening. This can occur often, since an application may use many files. If it happens too often there is a risk that the user grants all file openings without carefully checking that these files really are files that he wants to open.
It is in a situation like this that the present invention is powerful. Instead of directly granting each situation/action, the user can define a proxy letter that allows the application running on the computer to open certain files. Such a proxy letter may for example define that all files in the directory C:\my documents\public\*.* can be granted without direct user involvement, i.e. grant file opening/decryption if the situation is that the filename matches the directory C:\my documents\public\*.*.
In this way the decision to open a file can be made in two levels, namely by the proxy letter if the defined conditions are satisfied or directly by the user.
This makes the work situation much more comfortable, since the user is not constantly interrupted by routine tasks. Furthermore, the user is always in control, since he can at any time revoke a proxy letter.
Whilst this invention has been described in terms of preferred embodiments thereof, it will be appreciated that other forms could readily be adapted by one skilled in the art. Thus, even though an embodiment has been described wherein the proxy letter defines which actions/situations may be granted, it should be understood that a proxy letter may also define actions/situations that are to be prevented from being executed without any further user involvement. For example, the application may request that an amount of $10,000 is to be transferred to a certain account. Assuming that a transaction of such an amount, or to such an account, will never be legitimate, the user can define such cases in the proxy letter. The proxy letter will then stop further execution of such actions/situations without any user involvement. Thus, defining situations/actions that would never legitimately be executed and preventing them with a proxy letter further relieves the user. Accordingly, the scope of this invention is to be considered limited only by the following claims.
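The proxy letter check of figure 3, the timed user involvement of figure 4, the log of who granted each situation/action, the file-opening proxy letter and the preventing proxy letter described above, as an added worked example in Python that is not part of the patent or of Myspace Ab's system. The situation fields, the rule predicates, the account name ACME-SAVINGS and the ask_user callback are assumptions for illustration; the path normalisation in path_matches is an added hardening against ".." in the requested filename, which the description does not discuss.

```python
"""Proxy-letter evaluation for a chain of security critical actions.

Added example, not code from the patent or from Myspace Ab. It models the
flow of figures 3 and 4 (proxy letter check at step 104, direct user
involvement with a timer at step 106, log of who granted) together with the
file-opening letter and the preventing letter of the description. The
Situation fields, the rules, the account name and ask_user are assumptions.
"""
import ntpath
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Callable, Dict, List, Optional, Tuple

Situation = Dict[str, object]  # e.g. {"action": "payment", "amount": 6, "account": ...}
Rule = Callable[[Situation], bool]


@dataclass
class ProxyLetter:
    """Situations the user has granted, or forbidden, in advance."""
    name: str
    grants: List[Rule] = field(default_factory=list)
    denies: List[Rule] = field(default_factory=list)

    def grants_situation(self, s: Situation) -> bool:
        return any(rule(s) for rule in self.grants)

    def denies_situation(self, s: Situation) -> bool:
        return any(rule(s) for rule in self.denies)


@dataclass
class LogEntry:
    situation: Situation
    granted_by: str  # letter name, "user" or "stopped: <reason>"


class ActivityStopped(Exception):
    """Step 116: the secure management mode is left without finishing."""


def path_matches(path: str, pattern: str) -> bool:
    """Glob match on a Windows path after collapsing '..' and case (added
    hardening: otherwise a path with '..' under the public directory would
    match the pattern yet resolve to a file elsewhere)."""
    return fnmatchcase(ntpath.normcase(ntpath.normpath(path)), ntpath.normcase(pattern))


def decide(s: Situation, letters: List[ProxyLetter],
           ask_user: Callable[[Situation], Optional[bool]]) -> str:
    """Steps 104 and 106 for one action: returns who granted it, or raises."""
    for letter in letters:  # a preventing letter stops execution outright
        if letter.denies_situation(s):
            raise ActivityStopped(f"denied by proxy letter {letter.name!r}")
    for letter in letters:  # proxy letter group: indirect user involvement
        if letter.grants_situation(s):
            return letter.name
    # user involvement group: True = granted, False = refused,
    # None stands for the timer of step 204 running out
    answer = ask_user(s)
    if answer is True:
        return "user"
    raise ActivityStopped("user involvement timed out" if answer is None else "user refused")


def run_activity(actions: List[Situation], letters: List[ProxyLetter],
                 ask_user: Callable[[Situation], Optional[bool]]) -> Tuple[str, List[LogEntry]]:
    """Steps 102 to 114: grant and execute each action in turn, keeping the log."""
    log: List[LogEntry] = []
    for s in actions:
        try:
            who = decide(s, letters, ask_user)
        except ActivityStopped as stop:
            log.append(LogEntry(s, f"stopped: {stop}"))
            return f"stopped: {stop}", log
        log.append(LogEntry(s, who))  # the action itself would execute here (step 108)
    return "completed", log


PUBLIC_DIR = r"C:\my documents\public\*.*"
LETTERS = [  # proxy letters for the situations named in the description
    ProxyLetter("small payments", grants=[
        lambda s: s["action"] == "payment" and s["amount"] < 10
        and s["account"] == "ACME-SAVINGS"]),
    ProxyLetter("public documents", grants=[
        lambda s: s["action"] == "open_file" and path_matches(s["path"], PUBLIC_DIR)]),
    ProxyLetter("never large transfers", denies=[
        lambda s: s["action"] == "payment" and s["amount"] >= 10000]),
]

if __name__ == "__main__":
    activity = [  # constructed sample activity: two routine actions, one needing the user
        {"action": "payment", "amount": 6, "account": "ACME-SAVINGS"},
        {"action": "open_file", "path": r"C:\my documents\public\report.txt"},
        {"action": "payment", "amount": 250, "account": "ACME-SAVINGS"},
    ]
    status, log = run_activity(activity, LETTERS, ask_user=lambda s: True)
    print(status)
    for entry in log:
        print(f"{entry.granted_by:>22}  {entry.situation}")
```

Running the module prints the status and the log for the constructed three-action activity: the $6 payment and the public file are granted by proxy letters, the $250 payment by the user. Preventing letters are evaluated before granting letters, so a forbidden situation stops the activity even if another letter would have granted it. In the security system of the patent this evaluation runs on the processor 42 against letters held in the secure memory; the example runs on an ordinary host and does not reproduce that isolation.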

Claims

1. Method for executing a security critical activity in a security device, wherein the security critical activity is executed with user involvement, comprising the steps of i) starting the execution of an action of a security critical activity, ii) checking if this action, under the present situation, can be handled by a proxy letter or if it shall be handled by a user, and if the action can be granted by either the proxy letter or the user, iii) continuing and ending the execution of the action, and iv) repeating steps i) to iii) until all actions of the security critical activity have been executed or else v) stop the execution of the security critical activity.
2. Method according to claim 1, further comprising the step of defining, in the proxy letter, under which situation or situations each proxy letter is allowed to handle actions.
3. Method according to claim 2, wherein the definition in the proxy letter defines under what situations the proxy letter is allowed to grant actions.
4. Method according to claim 2 or 3, wherein the definition in the proxy letter further defines under what situations the proxy letter is allowed to prevent actions from being executed.
5. Method according to any of claims 1-4, wherein the step of checking if the situation/action can be granted further comprises the steps of reading the proxy letters and see if any proxy letter is allowed to grant the situation/action and if not requesting the user to grant the action.
6. Method according to claim 5, further comprising the step of checking if any proxy letter is allowed to prevent the action/situation from being executed and stop executing if there is such an action/situation.
7. Method according to claim 5, wherein the step of requesting the user to grant the action further comprises the steps of asking the user to grant the action, waiting a predetermined period of time to receive a reply granting the action.
8. Method according to any of the preceding claims, wherein the step of ending the execution of the action comprises the step of logging if the proxy letter or the user granted the situation/action.
9. Method according to any of claims 3 to 8, wherein the definition of situations/actions which the proxy letter is allowed to grant comprises only the definition of less security critical actions.
PCT/SE1999/002422 1998-12-18 1999-12-17 Method for executing a security critical activity WO2000038072A1 (en)

Priority Applications (5)

Application Number Priority Date Filing Date Title
JP2000590064A JP2002533814A (en) 1998-12-18 1999-12-17 How to perform security critical functions
EP99964913A EP1151385A1 (en) 1998-12-18 1999-12-17 Method for executing a security critical activity
AU30942/00A AU3094200A (en) 1998-12-18 1999-12-17 Method for executing a security critical activity
IL14359599A IL143595A0 (en) 1998-12-18 1999-12-17 Method for executing a security critical activity
IL143595A IL143595A (en) 1998-12-18 2001-06-05 Method for executing a security critical activity

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
SE9804421-7 1998-12-18
SE9804421A SE520885C2 (en) 1998-12-18 1998-12-18 Procedure for executing a security-critical activity using a proxy

Publications (1)

Publication Number Publication Date
WO2000038072A1 true WO2000038072A1 (en) 2000-06-29

Family

ID=20413748

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/SE1999/002422 WO2000038072A1 (en) 1998-12-18 1999-12-17 Method for executing a security critical activity

Country Status (6)

Country Link
EP (1) EP1151385A1 (en)
JP (1) JP2002533814A (en)
AU (1) AU3094200A (en)
IL (2) IL143595A0 (en)
SE (1) SE520885C2 (en)
WO (1) WO2000038072A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5272754A (en) * 1991-03-28 1993-12-21 Secure Computing Corporation Secure computer interface
US5406624A (en) * 1992-09-04 1995-04-11 Algorithmic Research Ltd. Data processor systems
US5680452A (en) * 1993-10-18 1997-10-21 Tecsec Inc. Distributed cryptographic object method
WO1998019243A2 (en) * 1996-10-30 1998-05-07 Myspace Ab Method and security system for processing a security critical activity

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPH07104803B2 (en) * 1984-07-30 1995-11-13 富士通株式会社 File deletion control method
JPH10307745A (en) * 1997-05-08 1998-11-17 Fuji Xerox Co Ltd Document processing system

Also Published As

Publication number Publication date
SE9804421L (en) 2000-06-19
IL143595A (en) 2006-10-05
JP2002533814A (en) 2002-10-08
EP1151385A1 (en) 2001-11-07
IL143595A0 (en) 2002-04-21
SE520885C2 (en) 2003-09-09
SE9804421D0 (en) 1998-12-18
AU3094200A (en) 2000-07-12

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AL AM AT AU AZ BA BB BG BR BY CA CH CN CR CU CZ DE DK DM EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG US UZ VN YU ZA ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GH GM KE LS MW SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
WWE Wipo information: entry into national phase

Ref document number: 143595

Country of ref document: IL

WWE Wipo information: entry into national phase

Ref document number: 1999964913

Country of ref document: EP

ENP Entry into the national phase

Ref country code: JP

Ref document number: 2000 590064

Kind code of ref document: A

Format of ref document f/p: F

REG Reference to national code

Ref country code: DE

Ref legal event code: 8642

WWP Wipo information: published in national office

Ref document number: 1999964913

Country of ref document: EP