The present invention relates to a security system as well as to a method for securing the integrity of at least one arrangement comprising multiple devices, for example of at least one network and/or of at least one computer system.
According to the prior art open multiple device systems or complex systems, like networks, computers comprising for example computer main boards with card slots and plug-in cards, mobile phones, etc. are not protected against any kind of manipulation, i.e. against insertion or removal of arbitrary components. Thus, users are permitted to remove plug-in cards from and to insert plug-in cards into multiple device systems as they like.
However, there are cases in which system providers want to assure the integrity of their system:
As a first example, the usage of undesired network access devices in a defined network ought to be avoided. In this case, only authorized network adapter cards shall work in a defined network in order to avoid the use of illegal network adapter cards, i.e. illegal copies of network adapter cards.
As a second example, the usage of undesired plug-in cards in a computer main board ought to be avoided. In this case, only authorized plug-in cards shall work in a main board of a personal computer (PC).
As a third example, the illegal usage of plug-in cards in undefined personal computer systems ought to be prevented. In this case, a certain plug-in card must not work in an unauthorized personal computer system.
In prior art document US 2003/0231649 A1 a dual purpose method and an apparatus for performing network interface and security transactions is depicted; in particular, it is described how to encrypt data packets to be exchanged over a network channel. However, a mutual authentication, for instance of the network endpoints, is not disclosed.
How to securely define or securely control the access permissions for users for executing, reading and/or writing on a computer system is described in prior art document WO 96/42057 A1. However, the disclosure of prior art document WO 96/42057 A1 does not apply to the entire computer but only to the resources of the computer.
In prior art document U.S. Pat. No. 4,757,533 it is disclosed how to ensure data integrity and/or security of user inputs and user data storage of a personal computer wherein the system is interrupted by a file by very specific deactivation. Moreover, a way of requiring an authentication of the user before file access can be executed is disclosed.
A computer system being protected by using a personalized smart card is described in prior art document WO 02/33522 A1. Basically, the B[asic]I[nput/]O[utput]S[ystem] of the computer system does not work if the user does not have the proper personalized smart card.
Finally, a device and a method for preventing the usage of stolen computer hardware in another system are depicted in prior art document U.S. Pat. No. 6,594,765 B2; in particular, it is described to use a remote server computer continuously communicating to devices with embedded security units or agents to verify the integrity of the system.
The remote server computer advises the embedded agent to block the device which is part of the system; this means that the security profile is only stored in the remote server.
Thus, the device and the method according to prior art document U.S. Pat. No. 6,594,765 B2 are based on a centralized repository and control point providing authorization to the agents. The devices containing an agent communicate only with the remote server and not between each other. So, it can only be prevented that the device works in an undefined or wrong environment.
Starting from the disadvantages and shortcomings as described above and taking the prior art as discussed into account, an object of the present invention is to further develop a security system of the kind as described in the technical field and a method of the kind as described in the technical field in such way that manipulation of the arrangement comprising multiple components or devices is prevented, in particular that
The object of the present invention is achieved by a security system comprising the features of claim 1 as well as by a method comprising the features of claim 6. Advantageous embodiments and expedient improvements of the present invention are disclosed in the respective dependent claims.
The present invention is based on the idea of integrity protection of at least an open multiple component system or multiple device system, like at least one computer, at least one network, etc. against illegal, undesired and/or unauthorized manipulations, in particular against inserting and/or removing one or more components or devices. According to the teaching of the present invention, this integrity protection is realized by using at least one security unit, in particular at least one security module, for example at least one smart module or at least one smart card.
Thus, the security system according to the present invention as well as the method according to the present invention are designed for protecting the arrangement comprising multiple devices, for example against illegal hardware copies.
In order to protect the integrity of the arrangement, in particular of at least one complex system, like at least one computer, at least one network, etc. the present invention proposes
The present invention leads to the advantage that the use of undefined and/or unauthorized and/or illegal devices, in particular of undefined and/or unauthorized and/or illegal components or of undefined and/or unauthorized and/or illegal cards, can be detected.
According to a preferred embodiment of the present invention, in case of detecting such undefined and/or unauthorized and/or illegal devices the security unit is designed to disable the operation of its respective device and/or of the other devices, in particular when starting up.
Independently thereof or in combination therewith, according to a preferred embodiment of the present invention all other devices, i.e. the complete rest of the arrangement comprising multiple devices, stop working when an undefined and/or unauthorized and/or illegal device, in particular an undefined and/or unauthorized and/or illegal card, is detected, for example when at least one device without such embedded security system is inserted into the arrangement. Thus, the entire arrangement, in particular the entire network or the entire computer, can stop working in case of illegal usage.
Consequently, a preferred embodiment of the present invention is designed in order to prevent
Independently thereof or in combination therewith, according to a preferred embodiment of the present invention every device of the arrangement is designed for mutual authentication. Hence, every device of the arrangement supports at least one mutual authentication scheme, which is preferably provided by the respective security unit, wherein the security unit in turn is assigned to, in particular embedded in, the respective device.
For authentication, preferably every device comprises, in particular stores by means of at least one storage unit, at least one predefined authentication profile defining under which conditions the authentication is to be assumed as being valid, in particular
Advantageously the storage unit can further be designed for storing authentication information regarding the other devices, in particular authentication means for the other devices.
With
according to a preferred embodiment of the present invention the security system does not require any remote server.
Consequently, in an expedient embodiment of the present invention a remote server is not obligatory because the security units are distributed over the security system. Thus, the present invention provides a decentralized security system, in which a connection to a centralized repository and control point is not required.
The main advantage of applying the paradigm of a decentralized security scheme is that such decentralized security scheme is much stronger than a centralized security scheme, and consequently it is much harder to cheat or to circumvent the decentralized security system being based on the decentralized security scheme.
Moreover, according to a preferred embodiment of the present invention, each individual device or component comprises, in particular stores in its respective memory module, the predefined security profile of the entire arrangement; thereby, the respective individual device is able
Favorably, every component or device of the arrangement comprising multiple components or multiple devices attempts to authenticate the, in particular all, other components or devices being comprised by the entire arrangement. In this manner every component or device in the arrangement receives and/or comprises a present existing authentication profile.
Authentication can for example be invalid if the present existing authentication profile does not match the predefined authentication profile, and consequently the devices can be advised to refuse to work by the security system, in particular by the respective security unit.
The predefined authentication profile can for example define that the devices of the arrangement shall only work if the security system, in particular the respective security unit, authenticates these devices exactly according to a predefined list of further arrangement devices. Advantageously, the arrangement comprising multiple devices does not work if the security system, in particular the security unit, detects any undefined and/or unauthorized and/or illegal device in the arrangement or if a required device is not present in the arrangement.
Preferably, this authentication profile is applied for all devices of the arrangement in order to protect the arrangement against undesired, for instance undefined and/or unauthorized and/or illegal, modifications of its devices.
According to a further advantageous embodiment, the security unit is designed for providing its respective device with a key functionality as a service in case of a valid authentication, in particular if the pre-defined authentication profile has been fulfilled. This service can be implemented by using the technical principle of R[emote]M[ethod]I[nvocation].
In this context, by R[emote]M[ethod]I[nvocation] objects on different computers can interact in a distributed network by using object-oriented programming, in particular by using the Java programming language and development environment (Java RMI is a mechanism that allows invoking a method on an object existing in another address space; the other address space can be on the same machine or on a different machine).
In other words, the RMI mechanism is basically an object-oriented R[emote]P[rocedure]C[all] mechanism with the ability to pass one or more objects along with the request. The object can include information that will change the service being performed in the remote computer.
Moreover, according to a favorable embodiment of the present invention all devices authenticate each other, in particular by means of the respective security units, wherein the respective device, in particular the respective security unit, refusing the authentication of another device, in particular of another security unit, starts to advise all other devices, in particular all other security units, to stop operation.
The present invention leads to the advantage that although the security units of the respective devices protect the execution of the key functionality of the respective devices and thus of the arrangement comprising the devices, the protection mechanism of the security system cannot be sidestepped by replacing the authorized or original device by at least one undefined and/or unauthorized and/or illegal, for instance faked, device implementing the same functionality as the authorized or original device.
A further advantage of the present invention is the basic ability to be integrated into existing standards or into existing infrastructures.
In this context, components or devices which do not comprise any security unit according to the present invention and/or in which the security method according to the present invention has not been implemented, can be affected and/or modified by adding at least one component or device, for example by inserting or plugging in a P[eripheral]C[omponent]I[nterconnect] card, comprising such security unit and/or having such security method implemented.
Then, the functional and/or technical behaviour, reaction or response of the complete arrangement comprising such multiple components or devices cannot be predicted because the coordination and/or interaction between the unsecured component(s) or device(s) with the secured component(s) or device(s) cannot be anticipated.
In particular, a component or device, for example a P[eripheral]C[omponent]I[nterconnect] card, comprising such security unit according to the present invention and/or supporting such security method according to the present invention, may be designed such that this secure component or device deliberately disturbs or disrupts the functional and/or technical operation of the components or devices which do not comprise any security unit according to the present invention and/or in which the security method according to the present invention has not been implemented, for example by disregarding specifications or standards.
By such design, an abnormal end or even a crash of the function of the complete arrangement comprising the multiple components or devices can be deliberately provoked in order to unveil the fact that one or more of the multiple components or devices of the arrangement has not been implemented in compliance with the security principles of the teaching of the present invention.
The present invention finally relates to the control of computer systems and of other types of electrical, mechanical or electro-mechanical arrangements at the device or component level; such arrangement comprising multiple devices is secured by, in particular embedding, at least one security unit within each device of the arrangement in order to control access to the devices within the respective arrangement.
More specifically, the present invention relates to the use of at least one security system as described above and/or of the method as described above
As already discussed above, there are several options to embody as well as to improve the teaching of the present invention in an advantageous manner. To this aim, reference is made to the claims respectively dependent on claim 1 and on claim 6; further improvements, features and advantages of the present invention are explained below in more detail with reference to two preferred embodiments by way of example and to the accompanying drawings where
The same reference numerals are used for corresponding parts in
In order to avoid unnecessary repetitions, the following description regarding the embodiments, characteristics and advantages of the present invention relates (unless stated otherwise)
both embodiments 100, 100′ being operated according to the method of the present invention.
In this arrangement described by way of example, a respective security unit 30, 32, in particular a respective agent, is embedded in each device 10, 12; by the respective security unit 30, 32 the operation of the respective device 10, 12 is disabled when starting up.
Each security unit 30, 32 communicates to all other security units 30, 32 by exchanging a number of messages 20 to authenticate each other. For exchanging messages 20 and/or for being provided with a mutual authentication scheme and/or with a key functionality in case of a valid authentication, in particular by using R[emote]M[ethod]I[nvocation], each device comprises a respective interface 50, 52.
Possible interfaces 50, 52 may be
in particular interfaces in accordance with the ISO/IEC 14443 standard (contactless), in accordance with the ISO/IEC 7816 standard (contact) and U[niversal]S[erial]B[us].
For storing
When authorized, i.e. when authentication is valid, operation of the devices 10, 12 is enabled; otherwise, i.e. when authentication is invalid, operation of the devices 10, 12 is disabled.
Every component or device 10, 12 supports the mutual authentication scheme being provided by its respective embedded security unit 30, 32. For authentication, all security units 30, 32 authenticate each other by mutual authentication wherein one of the security units 30, 32 refusing the authentication of another device 14 not comprising such security unit 30, 32 starts to advise all other devices 10, 12 to stop operation.
In
This security system 100′ is designed for securing an arrangement being a compilation of multiple devices 10a, 12a, 12b, 12c, namely for securing a personal computer, for example a desktop computer or a notebook, comprising a main board 10a, a card slot for a plug-in card 12a, a display screen 12b and a computer mouse 12c.
Each device 10a, 12a, 12b, 12c comprises a security unit 30, 32 and a storage unit 40, 42. The security system 100′ described by way of example in
There are several possibilities to integrate the security unit 30, 32, for example being implemented as a smart card I[ntegrated]C[ircuit]
The security unit 30, 32 can for example be based on a secure N[ear]F[ield]C[ommunication] chip with an I[ntegrated]C[ircuit] being integrated in a device housing or in a P[rinted]C[ircuit]B[oard] of the respective device 10, 12 (cf. first embodiment according to
In this context, Near Field Communication (NFC)—standardized in ISO/IEC 18092—is an interface technology for exchanging data between consumer electronic devices 10, 12 (cf. first embodiment according to
N[ear]F[ield]C[ommunication] operates in the 13.56 Megahertz frequency range. As NFC compliant devices 10, 12 (cf. first embodiment according to
For example, bringing an NFC enabled camera close to a T[ele]V[ision] apparatus fitted with the same technology could initiate a transfer of images, while a P[ersonal]D[igital]A[ssistant] and a computer will know how to synchronize address books, or a mobile phone and an MP3 player will be able to initiate the transfer of music files.
Using NFC, consumers can quickly establish wireless links between devices 10, 12 (cf. first embodiment according to
In case the devices 10, 12 (cf. first embodiment according to
In
Another possibility to embody the security system 100, 100′ according to the present invention is a contact smart card fixed on the P[rinted]C[ircuit]B[oard] of the network access devices.
According to this implementation the security unit 30, 32 is based on a smart card IC. This integrated circuit is located on the printed circuit board of the device 10, 12 (cf. first embodiment according to
Advantageously, existing system busses being available (for instance the U[niversal]S[erial]B[us], P[eripheral]C[omponent]I[nterconnect] or I[ndustry]S[tandard]A[rchitecture] bus in case of a computer system) are re-used for authentication purposes.
Finally,
For securing the integrity of the arrangement comprising the multiple devices, for example of a network (cf. first embodiment according to
By means of the respective security unit 30, 32, the devices 10, 12 (cf. first embodiment according to
calculating a current authentication profile based on the information delivered by the exchanged messages 20 (reference numeral ii.a in
comparing the current authentication profile with a predefined authentication profile defining under which conditions the authentication is valid (reference numeral ii.b in
In case of a valid authentication the operation of the respective device 10 or 10a and/or of at least one of the other devices 12 or 12a, 12b, 12c is enabled (reference numeral iii.a in
Otherwise, i.e. in case of an invalid authentication, the operation
The step iii.b of disabling the operation of the respective device 10 or 10a and/or of at least one of the other devices 12 or 12a, 12b, 12c and/or of the undefined and/or unauthorized and/or illegal device 14 is controlled by denying the respective device any key functionality.
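The following Python model is an added illustration, not code from the patent, carrying the decentralized scheme described above (every device stores the predefined profile of the whole arrangement and authenticates all others) and the method steps ii.a, ii.b and iii through for the personal-computer arrangement of the second embodiment (main board 10a, plug-in card 12a, display 12b, mouse 12c, plus an undefined device 14). The class and function names, the HMAC challenge-response standing in for messages 20, and the shared Python list standing in for the interfaces 50, 52 are assumptions of this example.

```python
import hashlib
import hmac
import os

class UnsecuredDevice:
    """Device 14 without a security unit: it cannot produce a valid message 20."""
    def __init__(self, device_id, bus):
        self.device_id = device_id
        self.enabled = True
        bus.append(self)

    def respond(self, challenge):
        return b""          # no key, no proof

class SecurityUnit:
    """Security unit 30/32 of one device. Its storage unit holds the device's own key
    and the predefined authentication profile {device_id: key} of the whole arrangement."""
    def __init__(self, device_id, key, predefined_profile, bus):
        self.device_id = device_id
        self.key = key
        self.predefined_profile = predefined_profile  # same profile in every device
        self.bus = bus                # interface 50/52 shared by all devices (assumed)
        self.enabled = False          # operation is disabled at start-up
        bus.append(self)

    def respond(self, challenge):
        # Message 20: proof that this device knows its own key (HMAC is an assumption)
        return hmac.new(self.key, challenge, hashlib.sha256).digest()

    def authenticate_peers(self):
        """Step ii.a: derive the current profile from the exchanged messages;
        step ii.b: compare it with the predefined profile; step iii: enable or stop."""
        current_profile = set()
        for peer in self.bus:
            if peer is self:
                continue
            challenge = os.urandom(16)
            expected_key = self.predefined_profile.get(peer.device_id)
            if expected_key is None:          # undefined device present
                return self.advise_stop()
            expected = hmac.new(expected_key, challenge, hashlib.sha256).digest()
            if not hmac.compare_digest(peer.respond(challenge), expected):
                return self.advise_stop()     # faked device or illegal copy
            current_profile.add(peer.device_id)
        if current_profile != set(self.predefined_profile) - {self.device_id}:
            return self.advise_stop()         # a required device is missing
        self.enabled = True                   # step iii.a
        return True

    def advise_stop(self):
        for unit in self.bus:
            unit.enabled = False              # step iii.b for the whole arrangement
        return False

def start_up(bus):
    """Every secured device authenticates all others; returns the enabled states."""
    units = [u for u in bus if isinstance(u, SecurityUnit)]
    if not all([u.authenticate_peers() for u in units]):
        units[0].advise_stop()    # one refusing unit stops the whole arrangement
    return {unit.device_id: unit.enabled for unit in bus}
```

Because each unit refuses on an extra, missing or faked device alike, an arrangement that is complete and authentic is the only one in which any device ends up enabled.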
| Number | Date | Country | Kind |
|---|---|---|---|
| 05105808.9 | Jun 2005 | EP | regional |

| Filing Document | Filing Date | Country | Kind | 371c Date |
|---|---|---|---|---|
| PCT/IB06/52056 | 6/23/2006 | WO | 00 | 12/21/2007 |