background image
Tech Note #110: Concept for a Secure Network Computer
2000 Bionic Buffalo Corporation; All Rights Reserved.
         Tuesday, 11 January 2000
Page 8 of 18
If the HC’s memory clearing operation fails, one or both of the MCVs will detect the failure. If
one of the MCVs fails, then the other MCV will detect the failure of its companion. If the
memory capacity of ISMCPU exceeds that of HC, then the EMCV may be required to fill
ISMCPU memory during the test, to guarantee that IMCV does not sabotage the test by
spoofing (pretending to be the HC).
Authentication and User Interaction
Before an enclave’s boundary controller will grant the SNC admission, both the user and the
SNC must be authenticated. Each must possess an appropriate private key and certificate.
Similarly, the boundary controller itself must be authenticated by the SNC, else a connection
might be made to a counterfeit enclave.
The SNC’s own certificates and keys can be stored within the SM, since it is the SM’s CPUs
which will use them. The user’s keys and certificates, on the other hand, are usually kept in an
identification token which is carried by the user.
The most common types of identification token are smart cards and smart buttons. These
devices contain their own CPUs and software, and (in some cases) their own power sources
(batteries) and clock-calendars. Their main functions are:
to sign documents, using their secret keys
to verify signatures, using the certificates they contain
Identification tokens are designed to be resistant to tampering and observation. If they secret
key can be read from such a device, then the device could be cloned and would not be a reliable
form of identification. If the clock-calendar were to be changed, then the expiration dates on
certificates could be avoided. Since the token’s CPU must know the keys and certificates to sign
and verify, the CPU itself must also be resistant to tampering and observation.
Personal identification tokens usually will refuse to perform their functions unless their owners
give them additional information. This additional information might be a secret password or
number, or it might be a digest of the owner’s scanned retina or fingerprint. This precaution
makes it more difficult to impersonate a user by stealing his or her identification token.
When a remote boundary controller wants to verify the identity of a user, it will send an
arbitrary document to be signed by the user’s token. The token, in turn, will expect the user to
provide the additional secret information (password, number, or scan). Then the token will sign
the document and return it to the remote boundary controller for signature verification.