Protected USB dongle with integrated browser for online banking
- Project Overview
Under the order of a Swiss provider of Internet solutions for the banking industry, we have developed a software/hardware system for safe data transfer while working on an insecure computer terminal. The device is based on a USB flash drive with a shock-proof enclosure and additional features.
Key features of USB dongle for online banking
- The USB dongle features specially designed software for launching applications (launcher), as well as a library with PKCS (public key cryptographic standard) #11
- Authorization in the system involves PIN code protection, digital signature and encryption / decryption of downloaded data
- Online blocking of client software is available
- Protected user data storage: information is permanently deleted
- A user interface for working with a bank account is provided by integrated Mozilla Firefox with additional settings for enhanced security:
- Full automatic data verification to prevent unauthorized replacement
- The device is set to work with a specific bank, so the replacement of a web page causes a security error
- User identification data are hidden and unreadable
Technical parameters
Model SanDisk Extreme Cruzer Contour Smart technology support U3 Enclosure Liquidmetal® Pressure resistance 900 kg Memory 4 to 64 GB Write/read speed write speed: up to 18 MB/sec
read speed: up to 25 MB/secPassword protection + AES encryption + USB port USB 2.0 Project summary In the process of developing a secure USB dongle with an integrated browser, Promwad experts performed the following tasks:
— Selection of the optimal hardware platform
— Software development
— PrototypingÂ
Â
Â
Â
Â
Â
- How It's Made
Customer
Swiss company specializing in Internet solutions for e-commerce and client-bank systems.
Objective
Â
To develop a hardware and software solution for secure transaction between a bank and its clients when unsecure computer terminal is used. The product must provide the following functionality:
- Tamper (Secure) storage of user identification information
- User identification information should have restricted knowledge based algorithm. Identification information shouldn’t have a sense without user know component (like PIN)
- User-know component should have possibility to change without any reencrypting user files
- Secured execution client software at unsecured PC
- Integrity checking of client software to detect attacker modification
- Guaranteed secure update, checking for substitution by fishing site
- Online possibility booking client software
- Encrypting / decrypting user private files
- Encrypting / decrypting downloading data
- Sign/check sign of user data
- Secure delete operation
- Client software should work under Microsoft(c) Windows XP(c), Microsoft(c) Windows Vista(c)
Solution
As the hardware platform was selected USB smart drive by SanDisk supporting U3 technology. SanDisk Extreme Contour is an extremely rugged and smart USB flash drive. It is built with Liquidmetal® casing that is crash-resistant to over 2,000 lbs. SanDisk Extreme Contour also includes U3 smart technology which deals with security functions
1. Hardware
A U3 flash drive presents itself to the host system as a USB hub with a CD drive and standard USB mass storage device.
This configuration causes Windows disk management to show two drives:
- A read-only ISO9960 volume on an emulated CD-ROM drive with an autorun configuration to execute the U3 LaunchPad
- A standard flash drive (FAT formatted) that includes a hidden "SYSTEM" folder with installed applications
Table 1. SanDisk Extreme Contour flash drive specification
Capacities 4GB, 8GB, 16GB, 32GB and 64GB Read and write performance Up to 25MB/sec read and 18MB/sec write Password protection Supported in Windows(c) XP and Windows(c) Vista AES encryption Supported in Windows(c) XP and Windows(c) Vista USB port Hi-Speed USB 2.0 2. SoftwareÂ
Software consists from four independent parts:
- Launcher software, to provide all security operation and controlling algorithms
- Mozilla Firefox customized browser to provide user web interface for interaction with banks account
- Secure token library, connected to Mozilla Firefox browser and provided PKCS#11 functionality
Launcher software developed for:
- Quick access to functionality
- Providing software AES 256 encryption of client files
- Integrity checking of internal components and Mozilla Firefox components
- Getting secure update from customer
- Online activation software by booking number
All user private identification information and data are stored in encryption partition. Launcher software used u3dapi library interface to get SanDisk U3 AES 256 encryption algorithm and tamper storage.
Launcher user interface have a progress bar with display of integrity checks current state. If malware try to made changes, user notification is present immediate and session would be security destroyed.
The secure delete algorithm makes impossible to recover deleted data from stick.
Mozilla Firefox browser customized for increase security:
- Launching from portable device – no temporary files stored on local HDD
- Excluded build-in object token – no possibility to add or change objects by malware
- Developed Mozilla Firefox download extension – prevent creating plaintext temporary file
- Minimized plugins and extension loading – no possibility to attach malware module
Secure token library attached to Mozilla Firefox browser as PKCS#11 library and provide:
- Getting certificate object from client software – no possibilities to add or substitute certificate authority
- Performs AES encryption
- Performs RSA encrypting and key distribution
- Provides external random generator to OpenSSL
Firefox browser has ability to download files to encrypted temporary storage thus preventing fishing of Firefox downloadable extensions
Advantages
- Portable browser solution has an integrity checking to prevent fake substitution of malicious components
- Portable browser customized for bank interaction, substitution of bank page cause a security error
- Protected file storage for user data files
- Hidden and unreadable user identification data
- Secure delete algorithm to prevent recovery user deleted files
Programming languages C++, JS Interfaces USB 2.0 Development tools MSVC2005, MinGW Project management tools dotProject, SVN Project duration 5 months
Â