TECHNICAL FIELD
This invention is directed to secure gaming system environments including gaming devices configured to provide reel slots, poker, video slots, multiple games, and progressive jackpots, and more particularly, to remote authentication of gaming software in a gaming system environment.
BACKGROUND
Gaming terminals providing electronically driven games such as video slot, video poker, video blackjack, video keno, video bingo, video pachinko, video lottery, and mechanically driven reel slot games, etc., are well known in the gaming industry. Also well known is the fact that preventing cheating and ensuring fair play of the games are crucial to the gaming industry. As a result, within a gaming jurisdiction (i.e., a particular geographic area allowing gaming), a regulatory body is tasked with regulating the games played in that gaming jurisdiction. In virtually all jurisdictions, there are varied but stringent regulatory restrictions regarding the gaming terminals and their associated games. Accordingly, a varied but rigorous approval process of new and modified gaming software is implemented by all gaming jurisdictions. In addition, steps to manually authenticate and verify the new and modified gaming software are typically required after the gaming terminals are delivered to a gaming proprietor.
Currently, due in part to gaming regulatory requirements and security concerns, games are provided to the individual gaming terminals via one or more erasable programmable read-only memories (EPROM) or electrically erasable PROMs (EEPROM) programmed with gaming software. If the game is provided by a manually installed EPROM, it can only be erased via ultraviolet light. If the game is provided by a manually installed EEPROM, it can only be erased via application of higher than normal electrical voltage. Typically, gaming terminals also include a number of EPROMs programmed to execute basic input/output system (BIOS) functions, various game software programs such as slot, bingo, etc., operating system software, audio functions, diagnostics functions, and to determine game play outcomes using random number generator (RNG) functions and paytables.
Authenticating the EPROM software requires manual removal of the EPROM by a gaming commission agent and/or a gaming proprietor. A Kobetron MT-2000 or similar diagnostic device is then used to execute an algorithm on the EPROM software. Execution of the algorithm produces an electronic signature that is compared to a previously approved and expected signature (calculated from the data content of a master EPROM approved by the gaming commission). If the electronic signatures match, the gaming software is deemed "authentic" and no action is taken. If, however, the electronic signatures do not match, the gaming software is not authentic, tampering is suspected, the gaming terminal is taken out of service and an investigation is conducted by the gaming commission, the gaming terminal owner, and/or the gaming terminal provider. In some cases, tamper evident security tape is used to secure the EPROM to a main processor board of the gaming terminal to indicate tampering.
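The signature comparison described above can be sketched as follows. This is an added example, not code from the patent or from any diagnostic device; SHA-256 stands in for the unspecified signature algorithm, and the EPROM names, image contents and the `audit_terminal` helper are constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass


def eprom_signature(image: bytes) -> str:
    """Electronic signature of an EPROM image.

    Assumption: SHA-256 is used here because the text does not name the
    algorithm the diagnostic device runs.
    """
    return hashlib.sha256(image).hexdigest()


@dataclass
class AuditResult:
    in_service: bool   # False means the terminal is pulled for investigation
    mismatched: list   # EPROMs whose signature differs from the approved one
    missing: list      # approved EPROMs that were not found in the terminal
    unexpected: list   # EPROMs present in the terminal but never approved


def audit_terminal(approved: dict, installed: dict) -> AuditResult:
    """Compare every installed EPROM image against the approved signatures.

    approved:  EPROM name -> signature computed from the master EPROM
    installed: EPROM name -> raw image read from the terminal
    """
    mismatched, missing = [], []
    for name, expected in approved.items():
        image = installed.get(name)
        if image is None:
            missing.append(name)
            continue
        actual = eprom_signature(image)
        # Constant-time comparison, so timing does not reveal how many
        # leading characters of a candidate signature were correct.
        if not hmac.compare_digest(actual, expected):
            mismatched.append(name)
    unexpected = sorted(set(installed) - set(approved))
    ok = not (mismatched or missing or unexpected)
    return AuditResult(ok, sorted(mismatched), sorted(missing), unexpected)


# Constructed sample data: stand-ins for master EPROM contents.
MASTER = {
    "bios": b"BIOS v1 master image",
    "game": b"slot game v3 master image",
    "paytable": b"paytable 92pct master image",
}
# Signatures calculated once from the approved master EPROMs.
APPROVED = {name: eprom_signature(img) for name, img in MASTER.items()}


def demo():
    """Audit one untouched terminal and one with an altered paytable EPROM."""
    clean = dict(MASTER)
    tampered = dict(MASTER, paytable=b"paytable 99pct altered image")
    return audit_terminal(APPROVED, clean), audit_terminal(APPROVED, tampered)


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The audit also fails when an approved EPROM is absent or an unapproved one is present, since either condition means the terminal no longer matches the approved configuration.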
In order to comply with the varied regulatory restrictions required by the different gaming jurisdictions, manufacturers of gaming terminals and associated software, for example, WMS Gaming, Inc., must either develop one "large" software version of a particular game suitable for use in all of the gaming jurisdictions, or develop individual customized gaming software versions of the particular game suitable for use in corresponding individual gaming jurisdictions. Of course, both approaches require additional memory resources and manpower. In addition, after each gaming terminal is delivered to the gaming proprietor, installation of any modifications or "patches" to the gaming software requires execution of a manual and time-consuming authentication process of all affected EPROMs by a gaming technician.
Generally gaming terminals are configured to operate as "stand-alone" units (that may or may not be coupled to a backroom computer) where the outcome of game play is "locally determined", or as part of a server-based gaming network where the outcome of game play may be either locally determined or "centrally determined". For example, a gaming terminal located in a bar, a convenience store, a riverboat, or an airplane, may operate as a stand-alone unit, while a gaming terminal located in a traditional casino may operate as part of a server-based gaming network within the casino.
The server-based gaming networks typically include a number of gaming terminals, communicatively coupled via a dedicated (i.e., non-public) communication network to one or more server(s). Because of their versatility, server-based gaming networks enable a gaming proprietor (e.g., Harrah's) to augment the traditional "base" game play with enhancements such as community progressive games, community bonus games, tournaments, etc. Server-based gaming network configurations also enable access to all types of gaming terminal data including gaming terminal performance data, player tracking data, accounting data, security data, and maintenance data, to name a few.
In cases where a gaming proprietor owns multiple casinos distributed over a large geographical area, individual casinos may be linked together via a large dedicated communication network. In addition, one or more servers in an individual casino may be communicatively coupled via the dedicated communication network to one or more remote database servers, thereby enabling the gaming proprietor to gather gaming data and operate and maintain the gaming network at one convenient location.
Although costly to install and maintain, dedicated communication networks provide a relatively secure network for transmission of gaming terminal data to the local or remote server(s). Ideally, gaming terminal data can be securely uploaded from the gaming terminals to one or more of the server(s) of the server-based gaming network using the dedicated gaming network. However, due to current gaming regulatory practices, gaming software generally cannot be downloaded from the server(s) to the individual gaming terminals of the server-based gaming network described above. Additionally, because of security concerns, direct communication between individual gaming terminals and remotely located servers is generally precluded in most jurisdictions today. Therefore, operation of the remote server is typically limited to data collection and associated report generation.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 is a block diagram of an embodiment of a secure gaming system environment including gaming devices and security elements in accordance with an embodiment of the invention;
FIG. 2 is a block diagram of the electronic components of the gaming devices and the security elements of FIG. 1;
FIGs. 3A-3B are a flowchart of a security routine that may be performed by one or more of the security elements of FIG. 1 and FIGs. 4A and 4B;
FIG. 3C is a flowchart of a certification authority initialization routine that may be performed by one or more of the security elements or gaming devices of FIG. 1 and FIGs. 4A and 4B;
FIG. 3D is a flowchart of a gaming device key generation and signing routine that may be performed by one or more of the security elements or gaming devices of FIG. 1 and FIGs. 4A and 4B;
FIGs. 3E-3G are a flowchart of a digital certificate authentication routine that may be performed by one or more of the security elements or gaming devices of FIG. 1 and FIGs. 4A and 4B;
FIGs. 4A and 4B are block diagrams of an embodiment of a detailed secure gaming system in accordance with an embodiment of the invention;
FIG. 5 is a flowchart of an authentication routine that may be performed by the gaming devices of FIG. 1 and FIGs. 4A and 4B;
FIG. 6 is a high level flowchart of a gaming software approval and distribution routine that may be performed by one or more gaming devices of FIG. 1 and FIGs. 4A and 4B;
FIG. 7 is a perspective view of an embodiment of one of the gaming terminals shown schematically in FIG. 1 and FIGs. 4A and 4B;
FIG. 8 is a flowchart of an embodiment of a main routine that may be performed during operation of one or more of the gaming terminals;
FIG. 9 is an exemplary visual display that may be displayed during performance of a slot routine; and
FIG. 10 is a flowchart of an embodiment of the slot routine that may be performed by one or more of the gaming terminals.
DETAILED DESCRIPTION OF THE INVENTION EMBODIMENTS
The description of the preferred examples is to be construed as exemplary only and does not describe every possible embodiment of the invention. Numerous alternative embodiments could be implemented, using either current technology or technology developed after the filing date of this patent, which would still fall within the scope of the claims defining the inventive subject matter.
Advances in network technologies (e.g., the World Wide Web, the Internet, satellite technology, cellular technology, 802.11 technology, infrared technology, etc.) coupled with advances in available software architectures have provided a fertile ground for development of new gaming system environments: gaming system environments that may or may not include the limitations typically associated with dedicated communication networks.
New gaming system environments, not limited wholly by dedicated communication networks, may use public communication networks such as, for example, the Internet, and may therefore be vulnerable to unauthorized manipulation from any access point within the gaming system environment via many different methods. For example, unauthorized software, hardware, and/or firmware manipulation of gaming devices may be accomplished via public communication network access (e.g., URL hacking, manipulation via packet inserting, packet sniffing, IP spoofing, DNS table spoofing, denial-of-service attacks, distributed denial-of-service attacks, exploitable URLs and other application level attacks, etc.), via local area network access (e.g., manipulation via password sniffing, DNS table spoofing, common gateway interference hacking, etc.), or via gaming terminal or gaming server access (e.g., manipulation via a known-plaintext attack, a chosen-plaintext attack, stealing passwords, etc.). The manipulation may be the result of intentional or unintentional internal tampering (e.g., manipulation by a casino employee), or it may be the result of external tampering (e.g., by an attacker introducing a computer virus, a computer worm, a Trojan horse, etc.). Obviously, unauthorized manipulation of any gaming system environment at any level will compromise the gaming industry.
In general, the present invention provides methods and apparatus for a secure gaming system environment that may include a public communication network, a private dedicated communication network, or a combination of both. The methods and apparatus are provided using a layered security approach that may substantially ensure data, software, firmware, and hardware integrity of the gaming devices and associated peripherals of the secure gaming system environment.
Specifically, the secure gaming system environment of FIG. 1 includes one or more secure gaming terminals coupled via a communications network to one or more secure gaming servers. Selected ones of the secure gaming terminals may include one or more of the following: (1) a secure communication apparatus configured to provide access control at the network level to protect the gaming terminal from attacks mounted remotely via the communication network; (2) an access control apparatus configured to provide access control at the gaming terminal level to protect the gaming terminal from attacks mounted via direct contact with the gaming terminal; and (3) an integrity apparatus configured to provide access control at the network level and the gaming terminal level to protect the gaming terminal software and data from attacks mounted from any one of a number of locations. Similarly, selected ones of the secure gaming servers may include one or more of the following: (1) a secure communication apparatus; (2) an access control apparatus; and (3) an integrity apparatus.
The components that may be incorporated in the gaming devices (i.e., the gaming terminals and/or the gaming servers) and the security elements (i.e., the integrity apparatus, the secure communication apparatus, and/or the access control apparatus) of the secure gaming system environment are illustrated in FIG. 2. The components that may be incorporated in the gaming devices or security elements illustrated by FIG. 2 are configured to enable execution of a number of routines (e.g., software programs).
Flowcharts representing embodiments of routines executed by the components of the gaming devices and security elements are illustrated in FIGs. 3A, 3B, 3C, 3D, 3E, 3F, 3G, 5 and 6. For example, FIGs. 3A-3B illustrate a security routine, FIG. 3C illustrates a certification authority initialization routine, FIG. 3D illustrates a key generation and signing routine, and FIGs. 3E-3G illustrate an authentication routine using the digital certificates and key generated by the certification authority initialization routine and the key generation and signing routine of FIGs. 3C and 3D.
The more detailed secure gaming system shown in FIGs. 4A and 4B incorporates a variety of networks and systems, communicatively coupled, to form a secure gaming system. Some of the networks and systems may be geographically remote from each other. For example, the detailed secure gaming system may include one or more game provider data center networks. The game provider data center networks may be implemented regionally and/or globally. The detailed secure gaming system also may include a customer corporate center coupled to one or more individual customer networks. Each individual customer network may be located in one gaming establishment such as one casino or may be located in many gaming establishments such as a number of casinos, boats, etc. One or more jurisdiction data centers also may be provided to perform jurisdiction regulation and approval functions. In addition, each of the networks and systems of the detailed secure gaming system may incorporate one or more of the security elements discussed in connection with FIG. 1.
FIG. 5 illustrates an authentication routine that may be performed by one or more of the servers of the jurisdiction data center illustrated in FIGs. 4A and 4B. Utilization of the authentication routine enables local or remote authentication/verification of designated gaming software and/or data residing in any of the gaming devices of the detailed secure gaming system of FIGs. 4A and 4B.
Similarly, FIG. 6 is an example embodiment of a gaming software approval and distribution routine that may be performed by the gaming devices and security elements of FIGs. 4A and 4B. Specifically, FIG. 6 illustrates the steps that may be executed by one or more servers of the game provider data center network when attempting to gain jurisdictional approval of unapproved software prior to licensing and distribution to a customer. Both of the routines illustrated in FIG. 5 and FIG. 6 may utilize one or more of the security elements discussed in connection with FIG. 1.
FIG. 7 is an exemplary gaming terminal that may be used in either the secure gaming system environment of FIG. 1 or the detailed secure gaming system of FIGs. 4A and 4B. An exemplary gaming routine that may be performed by components (FIG. 2) of the exemplary gaming terminal of FIG. 7 is illustrated in FIG. 8. The exemplary gaming routine includes a base game such as a slot game, a bingo game, etc., and a bonus game such as Monopoly. For example, an exemplary slot game that may be performed by the exemplary gaming terminal is illustrated in FIG. 9 and an exemplary visual display associated with the slot game is illustrated in FIG. 10.
I. THE SECURE GAMING SYSTEM NETWORK
FIG. 1 is a block diagram of a secure gaming system environment 10 in accordance with an embodiment of the invention. As used herein, the term "secure gaming system" is defined to include all manner of securing a computer-based gaming system or network environment including utilizing, for example, secure hardware; perimeter defenses such as firewalls, anti-virus software and anti-virus scanners (AV); two factor authentication (to gain access); authentication of gaming software before and after installation including "on demand" authentication; authentication, authorization, and accounting of the gaming sessions; data integrity assurance (DIA) of designated software files in the gaming devices of the secure gaming system environment 10 including gaming devices at the network level, the server level and the gaming terminal level; gaming software vulnerability assessment (VA); network VA using network-based scanners and host-based scanners; security information management methods including security policy implementation, security teams (e.g., CSIRTs), security reports, incident response, etc.; and proactive and reactive intrusion detection (ID) systems.
Referring to FIG. 1, the secure gaming system environment 10 includes one or more secure gaming terminal(s) 12 and one or more secure server(s) 14 interconnected via links 16 and 18, respectively, to a communications network 20. The communications network 20 may be a public communications network, for example, the Internet, or it may be a dedicated private network, for example, an intranet.
A secure gaming terminal 12 includes, in one embodiment, a gaming terminal 22 and one or more of the following security elements: a first secure communication apparatus 24 communicatively coupled to the gaming terminal 22 and the communication network 20; a first integrity apparatus 26 communicatively coupled to the gaming terminal 22; and a first access control apparatus 25 communicatively coupled to the gaming terminal 22. Similarly, a secure gaming server 14 includes, in one embodiment, a gaming server 28 and one or more of the following security elements: a second secure communication apparatus 30 communicatively coupled to the gaming server 28 and the communication network 20; a second integrity apparatus 32 communicatively coupled to the gaming server 28; and a second access control apparatus 34 communicatively coupled to the gaming server 28. As used herein, the term "security element" refers to any of the first and second security communication apparatus 24, 30, the first and second access control apparatus 25, 34, and the first and second integrity apparatus 26, 32. In addition, the first and second security communication apparatus 24, 30, the first and second access control apparatus 25, 34, and the first and second integrity apparatus 26, 32 may be implemented as hardware, software, or a combination of both.
Although FIG. 1 depicts one secure gaming terminal 12 and one secure gaming server 14, the secure gaming system environment 10 may have any number of secure gaming terminals forming a group of secure gaming terminals. The group of secure gaming terminals may be communicatively coupled to one or more secure gaming servers 14 to provide a gaming network. The gaming network may be interconnected via a number of suitable network data links or bus (discussed in connection with FIGs. 4A and 4B). Moreover, one or more individual gaming networks may be linked together via a wide area network (WAN) or a local area network (LAN), depending on the desired configuration.
Gaming environment security may be addressed in terms of prevention and/or detection of unauthorized actions by users of the secure gaming system network 10. The unauthorized actions may be the result of physical intrusions by a person 40, or software intrusions caused by the person 40. Thus, the first and second secure communication apparatus 24, 30, the first and second access control apparatus 25, 34, and the first and second integrity apparatus 26, 32 are configured to provide multiple levels of access control to the secure gaming system environment 10, in one embodiment, thereby preventing unauthorized actions by person(s) such as person 40.
In one embodiment, the multiple levels of access control to the secure gaming system environment 10 have three aspects: confidentiality, integrity, and availability. The confidentiality aspect prevents unauthorized users (e.g., person 40) from accessing sensitive information via the gaming terminal(s) 22 or the gaming server(s) 28, or even via the communication network 20. The integrity aspect has two components, in one embodiment: data integrity, which ensures that data associated with the gaming terminal(s) 20 and gaming server(s) 28 has not been deleted or altered by a person without permission; and software integrity, which ensures that the software programs residing in the gaming terminal(s) 20 and gaming server(s) 28 have not been altered by error, a malicious user, or a virus. The availability aspect ensures that a malicious user (e.g., an attacker) cannot prevent legitimate users (e.g., a casino technician) from having required access to the gaming terminal(s) 22 and gaming server(s) 28.
Access control breaches, or security breaches, may occur as a result of unintentional system misconfiguration due to gaming software or data updates, unauthorized access to any aspect of the gaming terminal(s) 22 or the gaming server(s) 28 by an internal user (i.e., internal system misuse), or unauthorized access to any aspect of the gaming terminal(s) 22 or the gaming server(s) 28 by an outside attacker/hacker. Thus, as used herein, the term "access control" refers to limiting: (1) access to gaming terminal's or server's software and/or data by a person; (2) access to gaming terminal's or server's hardware, peripherals, database, memory, etc., by a person; (3) access to gaming terminal's or server's software by a computer program initiated by a user; and (4) access to gaming terminal's or server's hardware, peripherals, database, etc., by a computer program initiated by a user.
Ia. Secure Communication Apparatus
The first and second secure communication apparatus 24, 30, providing access control at a network level, enables secure communication between and among the gaming devices (e.g., the gaming terminal(s) 22 and the gaming server(s) 28). The first and second secure communication apparatus 24, 30 include one or more secure communication elements, including but not limited to those discussed herein, for providing network access control. For example, in one embodiment, the first and second secure communication apparatus 24, 30 include virtual private network (VPN) application software, one or more firewalls, VPN tunneling protocols, and cryptographic methods/protocols such as encryption/decryption protocols. Although included in the first and second secure communication apparatus 24, 30, it will be appreciated by those of ordinary skill in the art that VPN application software, VPN tunneling protocols, and cryptographic protocols may also be included in the gaming terminal(s) 22, the gaming server(s) 28, or another security element of the secure gaming system environment 10.
a(1). VPN Application Software
As previously mentioned, the communication network 20 may be a public communications network or a dedicated private network. If the communication network 20 includes a public network (i.e., the Internet), VPN application software may be utilized to provide a substantially secure VPN connection between and among the secure gaming terminal(s) 12 and the secure server(s) 14. The secure VPN connection may be viewed as a secure communication "pipe" passing through an unsecured public communication environment. Use of a VPN connection (e.g., virtual private dial networks, virtual private routed networks, virtual leased lines, etc.) may partially or wholly reduce the need for costly dedicated communication networks (e.g., dedicated leased or owned private lines) between and/or among the various gaming devices of a gaming system.
a(2). VPN Tunneling Protocols
Secure access within the VPNs may be maintained using one of any number of tunneling protocols. These tunneling protocols include cryptographic protocols such as IPsec, point-to-point tunneling protocol (PPTP), layer two tunneling protocol (L2TP), secure shell (SSH), proprietary protocols, etc. These tunneling protocols may also include future Internet protocols developed under the auspices of the Internet Engineering Task Force (IETF) and others to encapsulate gaming software/data traversing the communication network 20. Fundamentally, tunneling protocols send packetized encrypted gaming data to and from the gaming terminal(s) 22 and gaming server(s) 28 through a "tunnel" that is considered secure; the tunnel cannot be entered by data that is not properly encrypted. In addition to using VPN tunneling protocols, a number of other security measures (discussed below) can be implemented to ensure the integrity of gaming data traversing the communication network 20.
The gaming data may include new or modified gaming software for game play, bonus game play, tournament play, progressive lottery game play, etc., on the gaming terminal(s) 22. The gaming data may also include gaming terminal game performance data, maintenance information or instructions, security data, maintenance data, player data, accounting data, electronic fund transfer (EFT), wagering account transfer data, game play information such as selection of game, bet, etc., electronic transfer of funds to/from secure server(s) 14, game outcomes (for systems having central determination), gaming device software (OS, peripherals, etc.), etc.
The communication network 20 may also include one or more dedicated communication network segments configured as an intranet. An intranet may be desirable if, for example, a large gaming proprietor wishes to link gaming devices within a casino or between two or more casinos. The intranet may be configured to enable downloading of (software) games, game configuration data, game outcomes, game play, etc. from the gaming server(s) 28 to the gaming terminal(s) 22, and to enable uploading of marketing and operations data (i.e., security, accounting, and configuration data) from the gaming terminal(s) 22 to the gaming server(s) 28. The gaming server(s) 28 and the gaming terminal(s) 22 may be further interconnected via private leased phone lines, private microwave or satellite links, dedicated hardwire, wireless links, etc.
a(3). Firewalls
Each of the first and second secure communication apparatus 24, 30, may include a firewall. As is known, firewalls operate much like a router, except that firewalls have additional functionality to protect the gaming device(s) 22 and the gaming server(s) 28 from "intruder data packets". Such intruder data packets may originate from a hacker's computer somewhere within the communication network 20. The hacker (e.g., person 40) may be attempting any number of types of attacks of the gaming system environment including: URL hacking in the case of Internet gaming where the application layer is exploited via worms, viruses, Trojan horses, logic bombs, scumware, spyware; packet sniffing to steal user names and pass codes; IP spoofing where a data packet sent by the hacker and purporting to come from a trusted computer is accepted by a gaming server or terminal; DNS table spoofing where the domain name service routing tables are compromised; denial-of-service attacks and distributed denial-of-service attacks where one or more gaming terminals or servers are crashed by data flooding; etc.
At the simplest level, a firewall uses a consistent rule set (implementing packet filtering) to test incoming network traffic, and then allows passage of network traffic (e.g., open systems interconnection (OSI) model data packets) that meets the rule set. Network traffic that does not meet the rule set is dropped. More sophisticated firewalls keep information about the state of the network and what types of data packets are expected, rather than looking at individual packets (i.e., a dynamic packet filter or a "stateful inspection" where some packets are intercepted at the network layer, and then data is extracted to perform OSI layer 4-7 inspections). In other words, a firewall included in the first secure communication apparatus 24 provides a perimeter boundary between the gaming terminal 22 and the communication network 20. Similarly, a firewall included in the second secure communication apparatus 30 provides a perimeter boundary between the gaming server 28 and the communication network 20. In addition, firewalls included in the first and second secure communication apparatus 24, 30 may be configured differently or the same, depending on the security threshold required for incoming packets to the gaming terminal 22 and the gaming server 28, respectively. Firewalls may also be installed directly in the gaming terminal(s) 22 and the gaming server(s) 28 or any of the security elements of the secure gaming system network 10.
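The difference between a static rule set and stateful inspection, for the terminal-side perimeter described above, is illustrated by the following added example, which is not part of the patent. The addresses (documentation and private ranges), port 443 and the class names are constructed assumptions, and only address/port state is tracked, not OSI layer 4-7 content.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "drop"
    src_net: str
    dst_net: str
    sport: Optional[int] = None   # None matches any port
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src_net)
                and ip_address(p.dst) in ip_network(self.dst_net)
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport))


class PacketFilter:
    """Static rule set: the first matching rule decides, no match means drop."""

    def __init__(self, rules):
        self.rules = list(rules)

    def allows(self, p: Packet) -> bool:
        for rule in self.rules:
            if rule.matches(p):
                return rule.action == "allow"
        return False


class StatefulFilter:
    """Tracks flows opened from inside; inbound traffic must answer one."""

    def __init__(self, outbound_rules):
        self.outbound = PacketFilter(outbound_rules)
        self.flows = set()

    def send(self, p: Packet) -> bool:
        if not self.outbound.allows(p):
            return False
        self.flows.add((p.src, p.sport, p.dst, p.dport))
        return True

    def receive(self, p: Packet) -> bool:
        # An inbound packet is expected only if it mirrors a recorded flow.
        return (p.dst, p.dport, p.src, p.sport) in self.flows


# Constructed addressing: terminals on a private subnet, one gaming server.
TERMINALS = "10.10.0.0/24"
SERVER = "192.0.2.10/32"
# A static filter has to admit anything that looks like a server reply.
STATIC_INBOUND = [Rule("allow", SERVER, TERMINALS, sport=443)]
OUTBOUND = [Rule("allow", TERMINALS, SERVER, dport=443)]


def demo() -> dict:
    static = PacketFilter(STATIC_INBOUND)
    stateful = StatefulFilter(OUTBOUND)
    # Claims to come from the server, but no terminal asked for it.
    unsolicited = Packet("192.0.2.10", 443, "10.10.0.5", 40000)
    request = Packet("10.10.0.5", 40000, "192.0.2.10", 443)
    reply = Packet("192.0.2.10", 443, "10.10.0.5", 40000)
    return {
        "static_unsolicited": static.allows(unsolicited),
        "stateful_unsolicited": stateful.receive(unsolicited),
        "request_sent": stateful.send(request),
        "stateful_reply": stateful.receive(reply),
        "stateful_wrong_port": stateful.receive(
            Packet("192.0.2.10", 443, "10.10.0.5", 40001)),
        "static_other_host": static.allows(
            Packet("198.51.100.7", 443, "10.10.0.5", 40000)),
        "blocked_outbound": stateful.send(
            Packet("10.10.0.5", 40002, "198.51.100.7", 443)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {'pass' if verdict else 'drop'}")
```

The static rule passes a packet that merely carries the server's address and source port, while the stateful filter drops it until a terminal has opened the matching flow.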
More than one firewall may be used with the first secure communication apparatus 24. For example, two logical firewalls may be used to build a safety buffer zone around the gaming terminal(s) 22. The buffer zone (DMZ) may be used to isolate a Web server placed between the secure gaming terminal(s) 22 and the communication network 20 from the gaming terminal(s) 22. One firewall may be used to protect the buffer zone itself (i.e., placed between the Web server and the communication network 20), while a second firewall is configured with more restrictions and placed interior to the first (i.e., placed between the Web server and the gaming terminal(s) 22).
The firewalls used in the secure gaming system environment 10 may be implemented via traditional router-based firewalls, software-based firewalls using CPUs (i.e., for classic data and file processing), application specific integrated circuits (ASIC), and network processors (i.e., for continuous processing of packet streams, instead of chunks of file/data processed with discrete operations). The firewalls may also be implemented via programmable network processors to inspect OSI layer 7 packets at gigabit speeds, for example, the ES-1000 switch available from Transtech Networks, Inc. (Oakland, CA). In addition, the firewalls may be implemented using an adaptive computing integrated circuit technology such as the adaptive computing integrated circuit available from QuickSilver Technology (San Jose, CA).
a(4). Cryptographic Methods/Protocols
Each of the first and second secure communication apparatus 24, 30 may include application of one or more cryptographic methods to ensure integrity of gaming data transmitted via the communication network 20. Such cryptographic methods applied by the first and second secure communication apparatus 24, 30 include (1) message authentication codes (MACs) (i.e., a randomly generated number appended to a digital message which has to be matched at the receiving end in order to authenticate the digital message) used to ensure that the game software packets were not modified during transmission; (2) one-way hash algorithms for authentication such as the secure hash algorithm (SHA-1) that serve as "digital fingerprints" (i.e., small pieces of data that can serve to identify much larger digital objects); (3) public-key cryptography (e.g., the RSA public-key algorithm for both encryption and authentication, ElGamal, and elliptic curves); (4) digital signature schemes using public-private key-pairs (e.g., RSA, the digital signature algorithm (DSA), ElGamal signatures); (5) symmetric encryption (e.g., Triple-DES, AES, Algorithm X, etc.); (6) random number generators to generate random numbers for session keys and unique values used in various protocols; (7) protocols using more than one of the above-mentioned authentication techniques; and so on.
As will be appreciated by those of ordinary skill in the art, the first and second secure communication apparatus 24, 30 may be configured to include any combination of the VPN application software, firewalls, VPN tunneling protocols, and cryptographic methods discussed above, to provide secure communication within the secure gaming system environment 10. Thus, the configuration of first and second secure communication apparatus 24, 30 may be different, or may be identical.
Ib. Access Control Apparatus
The first access control apparatus 25 and the second access control apparatus 34 provide access control at the gaming device level. The first access control apparatus 25 prevents unauthorized access to the gaming terminal(s) 22 by a person 40. Similarly, the second access control apparatus 34 prevents unauthorized access to the gaming server(s) 28 by the person 40.
The first and second control apparatus 25, 34 include one or more access control elements, including but not limited to those discussed herein, for providing access control at the gaming device level. For example, in one embodiment, the first and second control apparatus 25, 34 include methods/protocols for authenticating a person and authenticating software attempting access to any aspect of the gaming terminal(s) 12 or the gaming server(s) 14. The first and second control apparatus 25, 34 also include authorization and accounting methods/protocols.
b(1). Authentication, Authorization, Accounting
Methods to control access at the gaming device level (e.g., the gaming terminal 22 and the gaming server 28) may not be effective unless and until identification and authentication of the person 40 (or computer program initiated by the person 40) attempting access is properly completed. One or more methods/protocols for authenticating a person accessing software, peripherals, memory, etc., of the gaming terminal(s) and server(s) of the secure gaming system environment 10 may be included in the first and second access control apparatus 25, 34. These methods/protocols include, but are not limited to, (1) requiring the use of usernames and passwords (or hashed passwords), (2) requiring use of a biometric identifier (e.g., handwriting, voiceprints, face recognition, fingerprints, hand geometry, typing patterns, retinal scans, iris scans, signature geometry, etc.), (3) requiring use of access tokens (e.g., a token is inserted in a slot in the gaming terminal(s) or server(s)), (4) requiring a user to enter a time-based number (e.g., SecurID authenticator token) on a keypad of the gaming terminal, (5) gaming device specific firewalls, or (6) monitoring a time the user gains access to software, peripherals, memory, etc., of the gaming terminal(s) 22 and server(s) 28 and, based on that time, determining if the access is/was appropriate. In addition to those listed above, combinations of methods/protocols may also be used by the first and second access control apparatus 25, 34 (e.g., performing a SHA-1 hash of a digital representation of a fingerprint).
For example, the SecurID is a token-based two-factor user authentication technology developed by RSA to take advantage of the industry standard AES algorithm. Used in conjunction with an RSA gaming server (configured as an RSA ACE/Server and a Policy Server), the SecurID functions like an ATM card for the secure gaming network environment 10. The SecurID requires a user (i.e., a casino attendant) to identify himself with two unique factors (i.e., something he knows and something he has) before he is granted access to any of the gaming devices or peripherals of the secure gaming network environment 10. Each SecurID has a unique symmetric key that is combined with a powerful algorithm to generate a new code, or number, every 60 seconds. The user then combines this number with a secret PIN to log into the gaming device (i.e., the gaming terminal or the server). Only the RSA gaming server, utilizing RSA ACE/Server software, knows which number is valid at that moment in time for that user/SecurID combination.
The RSA gaming server may be additionally configured with policy information that permits a user to access the gaming devices or communication network during specified hours. In addition, some users (casino employees) may be given greater access rights than others. For example, a casino attendant may be required to use a special attendant key to gain access to an Administrator screen. The Administrator screen may then require the casino attendant to enter the username and SecurID passcode prior to gaining physical access to a gaming device. Thus, before the casino attendant is permitted entry to open a gaming terminal door or to change any configuration in the gaming terminal, etc., he/she must be authenticated using the issued SecurID token. Upon authentication, the gaming terminal will communicate with the RSA gaming server, utilizing RSA ACE/Server software (i.e., the Policy Server) before allowing the attendant to proceed with opening the main door, emptying the bill acceptor, etc. In this way, two-factor authentication using the SecurID provides restricted physical access to the gaming devices of the secure gaming system environment 10.
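The server-side decision described above (time-based code, secret PIN, permitted hours) can be sketched as follows. This is an added example, not code from the patent or from RSA: SecurID's own algorithm is not reproduced, and the open HOTP/TOTP construction (RFC 4226/6238, HMAC-SHA1) with a 60-second step stands in for it. The `PolicyServer` class, its method names, the one-step clock-drift window and the single-use rule are assumptions.

```python
import hashlib
import hmac
import os
import struct
import time

STEP = 60  # seconds per code, matching the 60-second interval in the text


def hotp(key, counter, digits=6):
    """RFC 4226 one-time code for a counter (stand-in for the token algorithm)."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def token_code(key, now):
    """Code the token displays at Unix time `now`."""
    return hotp(key, int(now) // STEP)


def pin_hash(pin, salt):
    """Store only a salted, stretched hash of the PIN."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class PolicyServer:
    """Hypothetical server holding each user's token key, PIN hash and hours."""

    def __init__(self):
        self.users = {}

    def enroll(self, user, key, pin, hours):
        salt = os.urandom(16)
        self.users[user] = {"key": key, "salt": salt, "pin": pin_hash(pin, salt),
                            "hours": hours, "last_step": -1}

    def authenticate(self, user, pin, code, now):
        rec = self.users.get(user)
        if rec is None:
            return "deny: unknown user"
        pin_ok = hmac.compare_digest(pin_hash(pin, rec["salt"]), rec["pin"])
        step = int(now) // STEP
        matched = None
        # Tolerate one step of clock drift; never accept a step already used.
        for candidate in (step - 1, step, step + 1):
            if candidate > rec["last_step"] and hmac.compare_digest(
                    hotp(rec["key"], candidate).encode(), code.encode()):
                matched = candidate
        if not pin_ok or matched is None:
            return "deny: bad credentials"  # do not reveal which factor failed
        start, end = rec["hours"]
        if not start <= time.gmtime(now).tm_hour < end:
            return "deny: outside permitted hours"
        rec["last_step"] = matched  # code is now spent
        return "allow"


if __name__ == "__main__":
    key = b"12345678901234567890"  # constructed sample key (RFC 4226 test key)
    server = PolicyServer()
    server.enroll("attendant", key, "4921", (8, 18))  # access 08:00-18:00 UTC
    t = 9 * 3600 + 30
    print(server.authenticate("attendant", "4921", token_code(key, t), t))
```
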
In addition to access control, these methods/protocols may also be used to determine an authorization level or access level of a person properly accessing the gaming terminal(s) or server(s). For example, an access token in conjunction with a passcode may allow a casino technician to gain access to a coin hopper in the gaming terminal 22, but not to the gaming terminal software. As will be appreciated by those of ordinary skill in the art, overall administration of authentication and authorization methods/protocols may also be performed by any gaming device of the secure gaming system network 10.
As will also be appreciated by those of ordinary skill in the art, the first and second secure access control apparatus 25, 34 may be configured to include any combination of the authentication, authorization, and accounting methods discussed above, thereby providing secure access to the gaming devices of the secure gaming system environment 10. Thus, the configuration of the first and second secure access control apparatus 25, 34 may be different, or may be identical.
Ic. Integrity Apparatus
The first and second integrity apparatus 26, 32 provide access control at both the gaming device level and network level, and ensure integrity of the gaming software and gaming data within the gaming devices of the secure gaming system network 10. Each of the first and second integrity apparatus 26, 32 may include one or more integrity elements. The integrity elements may include antiviral software, antiviral scanners, an intrusion detection system, a data integrity system or methods, incident response methods/protocols to assess damage and restore systems, security information management protocols (including security response teams), vulnerability assessment methods/protocols, and one or more authentication methods/protocols (cryptographic methods) discussed above.
c(1). Authenticating Received or Residing Gaming Software/Data
Methods provided by the first and second integrity apparatus 26, 32 for ensuring integrity, authentication, and non-repudiation of gaming software programs attempting access to the gaming devices of the secure gaming system environment 10 may include using one or more of the individual authentication protocols discussed in connection with the first and second secure communication apparatus 24, 30, for example, MACs, one-way hash algorithms, public-key cryptography, digital signature schemes (e.g., code signing), symmetric encryption, session keys (i.e., a key that is used for only one communication session between the gaming devices), and random number generators. Similarly, in addition to providing confidentiality, the methods provided by the first and second integrity apparatus 26, 32 for ensuring integrity, authentication, and non-repudiation of computer programs residing in the gaming devices of the secure gaming system network 10 may include using one or more of the individual authentication protocols discussed above. For example, authentication protocols provided by the first and second integrity apparatus 26, 32 may be used to prevent known-plaintext attacks (i.e., attempts by an attacker to recover the encryption key when the attacker has a copy of the plaintext and the cipher text) and chosen-plaintext attacks (i.e., attempts by an attacker to recover the encryption key when the attacker chooses the message to be encrypted) against gaming software or data installed in the gaming devices.
c(2). Antivirus Software and Scanners
Controlling access to the gaming devices of the secure gaming system environment 10 by the first and second integrity apparatus 26, 32 also includes preventing malicious software from accessing the gaming terminals and associated gaming software. Malicious software as defined herein includes all manner of "malware" including viruses that may be a file infector virus, a boot-sector infector virus, and a macro virus that infect gaming data, Trojan horses (e.g., piece(s) of malware deliberately embedded in a "normal" piece of software to modify existing software in favor of the attacker), and worms (e.g., self-replicating program(s) that corrupt and crash computers). Preventing malicious software from gaining access to the gaming devices of the secure gaming system environment 10 can be achieved using antivirus software or antivirus scanners included in the first and second integrity apparatus 26, 32. Typical antivirus software and/or scanners scan gaming software/data looking for viral code based on a database of virus footprints. When the viral code is detected, antivirus software and/or scanners disinfect the gaming software/data by removing the viral code. For unknown viruses, polymorphic viruses (which mutate with every infection), and encrypted viruses, antivirus programs that look for suspicious virus-like behavior can be utilized.
Additional security measures provided by the first and second integrity apparatus 26, 32 may be required if the gaming terminals of the secure gaming system environment are configured to accommodate mobile code such as JavaScript, Java, ActiveX, to allow on-line gaming, or to participate in sophisticated tournament gaming. Currently, Java is the only programming language specifically designed with security in mind. Java programs (e.g., applets) run within a "sandbox" that limits damage that may be caused by malicious software. Three mechanisms protect the sandbox: a byte code verifier (to ensure correct byte code format), a class loader (to determine how and when an applet can add itself to the Java environment), and a security manager (to be consulted whenever the applet attempts to do something questionable like opening a file, opening a network connection, etc.).
c(3). Intrusion Detection System and Method
Intrusion detection methods and data integrity methods provided by the first and second integrity apparatus 26, 32 may be implemented at the gaming terminal level or at the network level. Unlike perimeter defenses that seal off outside access to the secure gaming system environment 10, intrusion detection and data integrity methods provide assurance of the integrity of core assets (i.e., gaming software and data) within the secure gaming system environment 10. For example, intrusion detection software available from Internet Security Systems, Inc. (Atlanta, Georgia) can be installed in the gaming devices to detect intrusive network packets in the secure gaming system environment 10. Operating much like antivirus software or antivirus scanners, one class of intrusion detection methods may provide "misuse detection" of intrusive network packets that have gained entry into the secure gaming system environment 10. That is, they scan packets looking for bit strings that signify known attacks. Another class of intrusion detection methods utilizes statistical modeling of expected gaming terminal(s) and server(s) behavior to detect intrusive network packets. This modeling includes determining "normal" operation of the gaming devices of the secure gaming system environment 10, and then, using that model, determining anomalous behavior indicating an attack or intrusion. In either case, if an intrusion is detected, appropriate steps are taken. Such appropriate steps may include one or more of the following: disabling the affected gaming devices in a fail-safe fashion (i.e., preventing a value payout), automatically generating a security alarm at an appropriate location, automatically generating an incident report that includes details of the intrusion, dispatching a security team, performing a post-mortem analysis of the intrusion that may include modification to current security measures, etc. Of course, implementing intrusion detection methods provided by the first and second integrity apparatus 26, 32 includes preventing false alarms by ensuring proper and current hardware and software configurations of the gaming devices of the secure gaming system environment 10.
Intrusion detection systems/methods do not, however, fully indicate how gaming data/software was compromised within gaming devices of the secure gaming system environment 10. Further, intrusion detection systems/methods do not know or provide a pre-attack configuration of the gaming software/data that would assist in a post-mortem analysis of the attack. Moreover, although providing after-the-fact detection of external attacks, intrusion detection systems do not look, nor provide, after-the-fact detection of internal attacks (i.e., a malicious attack or innocent security breach by a casino employee). Data integrity systems and methods may therefore be used to augment intrusion detection.
c(4). Data Integrity System and Method
Data integrity systems and methods provided by the first and second integrity apparatus 26, 32 may be employed to detect threats or attacks to the gaming devices of the secure gaming system environment 10. For example, data integrity assurance software available from Tripwire Inc. (Portland, Oregon) can be installed in the gaming devices of the secure gaming system environment 10 to monitor gaming data and software for any deviations from an expected baseline. The data integrity assurance software may detect internal or external attacks, and therefore provides an additional layer of security.
Generally, data integrity systems provided by the first and second integrity apparatus 26, 32 provide a tool for assuring the integrity of critical or monitored items (i.e., gaming OS files) identified in the secure gaming system network 10. Such data integrity systems continually check to see what monitored files have changed, and if change is detected, to automatically isolate the problem, gather "forensic" data associated with the problem including providing a snapshot of the system at the time of the change, and enable repair of the problem with minimal downtime.
Implementing a data integrity system in the secure gaming system environment 10 is a multi-step process. Once installed in the first and second integrity apparatus 26, 32, the data integrity system creates a database of selected files (i.e., critical system files, directories, registry objects, system executables, databases, user application programs such as gaming software) in a known configuration that represents a desired good state, or baseline, of the secure gaming system environment 10. The selected files may be based on predetermined criteria selected by a gaming system administrator. Alternatively, the selected files may be predetermined, depending on jurisdictional regulations, etc. Subsequently, the data integrity system provides information on any deviations from the baseline by comparing an existing state to the baseline. The deviations may include additions, deletions, or modifications of the selected files. Any changes outside of specific pre-selected boundaries are detected, reported, etc. If the change is determined to be a valid change, the gaming system administrator can accept the change and update the baseline with the new information. If the change is not valid, remedial action described above can be taken to return the secure gaming system environment 10 to a desired state.
A changed file can be detected in a number of ways by the data integrity system. For instance, a changed file may be detected by comparing a file's inode information (i.e., structure which stores meta information about a file: size, owner, access and modification times, etc.) against values stored in the previously generated baseline. A changed file may also be detected by comparing several signatures of the file (e.g., hash digests or checksum values) calculated in such a way that it is computationally infeasible to invert. In that case, the data integrity system can be configured to scan using cryptographic signatures of file content in addition to scanning for file name changes. The data integrity system can also scan for known malicious files. In addition, the data integrity system can be configured to scan files that have been copied or downloaded to the gaming terminal(s) and server(s) to ensure that no change occurred during the transfer. Any number of criteria or combinations of criteria may be selected for detecting changes to files.
Changes outside of the specific pre-selected boundaries may be due to simple gaming software installation errors, inadvertent corruption of vital gaming system data, malicious software such as viruses or Trojan horses that managed to get through perimeter defenses, direct tampering with the gaming terminal(s) or server(s) by a game player or gaming employee, an authorized user violating gaming policy or controls, etc. Therefore, by recognizing any "drift" from the baseline and addressing it immediately, the data integrity system of the first and second integrity apparatus 26, 32 can assure the integrity of monitored items within the secure gaming system environment 10.
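The baseline-and-drift cycle described in this section can be shown end to end. The following is an added example, not code from the patent or from any data integrity product: it records a SHA-256 digest plus two inode fields (size and permission bits) per file, reports additions, deletions and modifications, and lets an administrator accept a valid change into the baseline. The function names and the file tree are constructed for illustration.

```python
import hashlib
import os
import tempfile


def snapshot(root):
    """Record digest, size and permission bits for every file under root."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            meta = os.stat(path)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            state[rel] = {"sha256": digest.hexdigest(),
                          "size": meta.st_size,
                          "mode": meta.st_mode & 0o7777}
    return state


def compare(baseline, current):
    """Report additions, deletions and modifications relative to the baseline."""
    modified = {}
    for path in sorted(set(baseline) & set(current)):
        fields = [k for k in sorted(baseline[path])
                  if baseline[path][k] != current[path][k]]
        if fields:
            modified[path] = fields  # which attributes drifted
    return {"added": sorted(set(current) - set(baseline)),
            "deleted": sorted(set(baseline) - set(current)),
            "modified": modified}


def accept(baseline, current, paths):
    """Fold administrator-approved changes into a new baseline; keep the rest."""
    updated = dict(baseline)
    for path in paths:
        if path in current:
            updated[path] = current[path]
        else:
            updated.pop(path, None)
    return updated


def write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Build a constructed file tree, drift it four ways, and report twice."""
    with tempfile.TemporaryDirectory() as root:
        write(root, "os/kernel.bin", b"kernel v1")
        write(root, "game/paytable.dat", b"payout=92")
        write(root, "game/reels.cfg", b"reels=5")
        baseline = snapshot(root)

        write(root, "game/paytable.dat", b"payout=99")        # same size, new content
        os.chmod(os.path.join(root, "os/kernel.bin"), 0o755)  # metadata-only change
        os.remove(os.path.join(root, "game/reels.cfg"))       # deletion
        write(root, "game/update.bin", b"approved update")    # addition
        current = snapshot(root)

        report = compare(baseline, current)
        baseline = accept(baseline, current, ["game/update.bin"])
        return report, compare(baseline, current)


if __name__ == "__main__":
    before, after = demo()
    print(before)
    print(after)
```

The paytable edit keeps the file size unchanged, so only the content digest exposes it, while the permission change leaves the digest intact and shows up only in the inode fields.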
c(5). Vulnerability Assessment Scanners
Vulnerability assessment scanners provided by the first and second integrity apparatus 26, 32 may be employed to determine vulnerabilities in the secure gaming system network 10. Vulnerability scanners are software tools that are configured to protect the secure gaming system network 10 against non-predictable attacks. They check settings of the gaming devices and determine whether the settings are consistent with a pre-selected gaming security policy. They identify "holes" or vulnerabilities in the secure gaming system environment 10 that could be exploited by an attacker. Thus, vulnerability assessment scanners provided by the first and second integrity apparatus 26, 32 simulate the behavior of an attacker to identify vulnerabilities in the secure gaming system environment 10, thereby enabling proactive security measures to be taken.
c(6). Incident Response
Incident response methods/protocols that assess damage and restore affected devices of the secure gaming system environment 10 are provided by the first and second integrity apparatus 26, 32. Such incident response methods/protocols may employ known security information management techniques or may employ security information management techniques tailored for the gaming environment.
For example, upon notification by the data integrity system of the first and second integrity apparatus 26, 32, an incident response team of people may respond to a non-valid change in a monitored file by (1) gathering the forensic data (audit logs) associated with the breach, either manually or automatically, and, if required, (2) ensuring safe failure (fail-safe) or shut-down of the affected gaming device, either automatically or manually.
In the case of the secure gaming terminal 12, detection of corrupt data (i.e., a non-valid change) in a system RAM by the first integrity apparatus 26 may result in automatic suspension of operation of the gaming terminal 22. Similarly, detection of corrupt data on a storage medium by the first integrity apparatus 26 may result in automatic suspension of operation of gaming terminal 22. Audit logs, automatically generated to provide data regarding the detected non-valid change, may be generated by the gaming terminal 22, the integrity apparatus 26, one or more servers such as the secure gaming server 14, or any other suitable device within the secure gaming system environment 10. Concurrently, notification of the detected non-valid change to an appropriate casino employee or other suitable person may be accomplished in any one of a number of ways. For example, notification can occur via a visual notification by the gaming terminal, a wireless (e.g., a pager) or wireline communication, etc. from the integrity apparatus 26, the gaming terminal 22 or a server coupled to the gaming terminal 22.
Upon notification of the detected non-valid change, the casino employee may be dispatched to the secure gaming terminal 12. A number of manual diagnostic and repair steps may be performed by the casino employee (e.g., the casino employee initiates a gaming terminal power cycle and subsequent execution of local authentication routines). A number of automatic diagnostic and repair steps may also be performed by the integrity apparatus 26, the gaming terminal 22 or a server coupled to the gaming terminal 22. In addition, if it is determined that a new part is needed to repair the gaming terminal 22, notification of the need for the new part may be made manually by the casino employee, or may be made automatically by the integrity apparatus 26, the gaming terminal 22 or a server coupled to the gaming terminal 22. The notification may be received by an appropriate "parts department" via a wireless or wireline communication provided by the communication network 10.
Approval of the repair may be required prior to allowing the secure gaming terminal 12 to be released for play. The approval may be authorized in any one of a number of ways, depending on the configuration of the secure gaming system environment. For example, the approval may come from a casino employee at the location of the secure gaming terminal 12. The approval may also come from a person within the secure gaming system environment 10, but remotely located from the secure gaming terminal 12, for example, from a jurisdictional regulator. Approval from a person other than a casino employee may be required for recovery actions including changing percentages, denominations, or clearing meter data in the gaming terminal 22.
In the case of the secure gaming server 14, detection of a non-valid change by the second integrity apparatus 32 may result in isolation of the gaming server 28 from the secure gaming system environment 10. Operation of any gaming terminals coupled to the secure gaming server 14 will continue unimpeded; however, some of the functionality provided by the server to those gaming terminals may be adversely affected for a short period of time (e.g., electronic fund transfers, ticket acceptance, and ticket printing). Therefore, if possible, the functions performed by the gaming server 28 may be seamlessly transferred to another, redundant server in the secure gaming system environment 10 as soon as the second integrity apparatus 32 detects the non-valid change.
Much like the gaming terminal scenario described above, notification of the detected non-valid change to an appropriate casino employee or other suitable person may be accomplished in any one of a number of ways. Similarly, as described above, a number of manual, automatic, or combination of both diagnostic and repair steps may be performed, and approval of subsequent repairs to the gaming server 28 may be required before placing the gaming server 14 back into service.
In the case of a communication failure between or among the secure gaming terminal(s) 12 and the secure gaming server(s) 14, means of notification of the failure and subsequent repair of the failure may vary depending on the type of communication failure. For example, if the communication failure resulted from an inadvertently detached cable coupling a gaming terminal to a gaming server, notification of the failure using the methods discussed above may result in manual re-attachment of the cable. If required, the functions performed by the gaming server may be seamlessly transferred to another, redundant server in the secure gaming system environment 10 as soon as the second integrity apparatus 32 detects the communication failure.
Fig. 2 is a block diagram of a number of components that may be incorporated in selected ones of the gaming devices and security elements of FIG. 1. Referring to Fig. 2, each of the gaming devices and security elements may include a controller 200 that may comprise a program memory 202, a microcontroller or microprocessor (MP) 204, a random-access memory (RAM) 206, and an input/output (I/O) circuit 208, all of which may be interconnected via a communications link or an address/data bus 210. It should be appreciated that although only one microprocessor 204 is shown, the controller 200 may include multiple microprocessors 204. For example, the controller 200 may include one microprocessor for low level gaming functions and another processor for higher level game functions such as some communications, security, maintenance, etc. Similarly, the memory of the controller 200 may include multiple RAMs 206 and multiple program memories 202, depending on the requirements of the gaming device. Although the I/O circuit 208 is shown as a single block, it should be appreciated that the I/O circuit 208 may include a number of different types of I/O circuits. The RAM(s) 206 and program memories 202 may be implemented as semiconductor memories, magnetically readable memories, and/or optically readable memories, etc.
Fig. 2 illustrates that multiple peripheral devices depicted as peripheral devices 211, 212, and 214 may be operatively coupled to the I/O circuit 208. Each of the peripheral devices 211, 212, 214 is coupled to the I/O circuit 208 by either a unidirectional or bidirectional, single-line or multiple-line data link, depending on the design of the component that is used. In addition, the peripheral devices 211, 212, 214 may be connected to the I/O circuit 208 via a respective direct line or conductor. Different connection schemes, including wireless connections, could be used. For example, one or more of the peripheral devices 211, 212, 214 shown in Fig. 2 may be connected to the I/O circuit 208 via a common bus or other data link that is shared by a number of components. Furthermore, some of the components may be directly connected to the microprocessor 204 without passing through the I/O circuit 208. Although three peripheral devices are depicted in FIG. 2, more or less peripheral devices may be included in FIG. 2.
A variety of different peripheral devices may be utilized in the different gaming devices and different security elements of the secure gaming system environment 10. For example, if the gaming device is a gaming server 28, the peripheral devices may include a keyboard, a graphical interface unit (GUI) display, a number of communication ports, a monitor, a printer, a modem, a tape drive, a DVD drive, a CD drive, etc. If the gaming device is a gaming terminal 22, the peripheral devices may include a control panel with buttons, a coin acceptor, a note acceptor, a card reader, a number of electro-mechanical reels, a keypad, a sound circuit driving speakers, a card reader display, a video display, etc., operatively coupled to the I/O circuit 208, either by a unidirectional or bidirectional, single-line or multiple-line data link or wireless link, depending on the design of the component that is used. If the security element is an integrity apparatus 26, 32, the peripheral devices may include a monitor, a printer, a keyboard, etc. to enable gaming security personnel to access data associated with an access control breach identified by the data integrity system.
Further, the controllers of the gaming devices and the security elements may be operatively coupled to each other in any number of suitable configurations, interconnected as discussed above.
One manner in which one or more of the gaming devices and security elements of the secure gaming system environment 10 may operate is described below in connection with a number of flowcharts which represent a number of portions or routines of one or more computer programs, that may be stored in one or more of the memories of the controller 200. The computer program(s) or portions thereof may be stored remotely, outside of the gaming devices or security elements, and may control the operation from a remote location. Such remote control may be facilitated with the use of a wireless connection or by an Internet interface that connects the gaming devices with a remote computer having a memory in which the computer program portions are stored. The computer program portions may be written in any high level language such as C, C++, C#, JAVA or the like or any low-level, assembly or machine language. By storing the computer program portions therein, various portions of the memories 202, 206 are physically and/or structurally configured in accordance with computer program instructions.
II. ROUTINES PERFORMED BY GAMING DEVICES AND SECURITY ELEMENTS
IIa. Security Routine
FIG. 3A-3B is a flowchart of an embodiment of a security routine that may be performed by one or more of the security elements of FIG. 1. The security routine 300 provides one example of controlling software packet access to the gaming devices of the secure gaming system environment 10. The security routine 300 may be stored in one or more of the memories of the controller 200. In the illustrated example, network level access control provided by the communication apparatus 24, 30 is discussed in connection with FIG. 3A, while network and gaming device access control provided by the integrity apparatus 26, 32 is discussed in connection with FIG. 3B. As will be appreciated by those of ordinary skill in the art, the access control methods/elements (e.g., firewalls, VPN tunneling protocols, cryptography, etc.) of the communication apparatus 24, 30 and the integrity apparatus 26, 32 discussed in connection with FIGs. 3A-3B may be provided by other apparatus within the secure gaming system environment 10.
Referring to FIG. 3A, the security routine 300 begins operation when a software data packet attempting access to the secure gaming terminal(s) 12 and/or the secure gaming server(s) 14 via the communication network 20 is received by a firewall of the communication apparatus 24, 30 (block 302). The firewall, which may be implemented using one of the methods discussed in connection with FIG. 1, determines if the data packet is allowed entry (block 304). If the firewall determines that the data packet is an intruder data packet, the data packet is not allowed entry (i.e., rejected) and an attack on the secure gaming terminal(s) 12 and/or secure gaming server(s) 14 is prevented (block 306). If the firewall determines that the data packet is not an intruder data packet, the data packet is allowed entry. Optimally, an intruder data packet is always detected and rejected by a firewall. If the firewall is not properly configured or if a VPN is utilized in the communication network 20, however, an intruder data packet may be allowed to pass through the firewall.
It is determined whether a VPN is utilized at the network processing layer (block 307). If a VPN is utilized, the data packet is received by one of any number of types of VPN tunneling protocols (block 308) used to secure the VPN over the communication network 20, in one embodiment. If a VPN is not utilized (as may be the case in a dedicated private network), the data packet may be received and decrypted by one or more cryptographic protocols (block 314). If the data packet is received at the network processing layer (block 308) of the secure gaming system environment 10, the VPN tunneling protocol determines whether the data packet is authentic (block 310), in one embodiment. Authentication of the data packet may be determined using an authentication header (AH) method where the sender of the data is authenticated, or an encapsulating security payload (ESP) method where the sender of the data is authenticated and the data is encrypted. If the VPN tunneling protocol determines that the data packet is not authentic (i.e., an intruder data packet), the data packet is rejected and an attack on the secure gaming terminal(s) 12 and/or secure gaming server(s) 14 is prevented (block 306). If the VPN tunneling protocol determines that the data packet is authentic, a cryptographic protocol (block 314) provided by the integrity apparatus 26, 32 determines whether the payload data (e.g., files, executable software, etc.) in the data packet is authentic, in one embodiment. Typically, a non-authentic data packet is detected and rejected by the VPN tunneling protocol. If the VPN tunneling protocol is not properly implemented (via an inappropriate encryption algorithm, digital signature algorithm, and so forth), however, one or more non-authentic data packets may exploit the improper implementation and not be authenticated by the VPN tunneling protocol.
If utilized in the secure gaming system environment 10, a cryptographic protocol receiving the data packet (block 314) may be used to determine whether the data (payload data) carried in the data packet is authentic (block 316). Authentication may be determined using one or more of symmetric encryption, message authentication codes, public-key encryption, one way hash functions, digital signature schemes, random number generator schemes, or combinations. Moreover, the cryptographic protocol provided by the integrity apparatus 26, 32 may be provided at the OSI model network layer, at the OSI model application layer, or both. As previously mentioned, if a VPN tunneling protocol is not used, the data packet may pass directly from the firewall to application of the cryptographic protocol.
If application of the cryptographic protocol determines that the payload data is not authentic (block 316), the payload data is rejected and an attack on the secure gaming terminal(s) 12 and/or secure gaming server(s) 14 is prevented (block 306). If application of the cryptographic protocol determines that the payload data is authentic, the payload data may be received by the gaming terminal 22, the gaming server 28, or the integrity apparatus 26, 32. Non-authentic payload data may be uncovered by application of the cryptographic protocol and rejected accordingly. If the cryptographic protocol is not properly implemented, however, the data packet may exploit the improper implementation and payload data may be erroneously authenticated.
Referring to FIG. 3B, in the illustrated example, the payload data received by the integrity apparatus 26, 32 is reviewed by antivirus software (block 320) and virus scanners (block 324), in one embodiment, as discussed in connection to FIG. 1. The payload data may form a file, an executable program, a script, a macro, etc. If the payload data is determined to contain a virus, it is rejected and an attack on the secure gaming terminal(s) 12 and/or secure gaming server(s) 14 is prevented (block 306).
Concurrently, in one embodiment, the payload data is subject to the intrusion detection system, implemented as a misuse detection system, a statistical modeling system, or a combination of both (block 328). If the intrusion detection system detects an intrusion attributable to the payload data (block 330), the affected gaming device is automatically disabled in a fail-safe manner, a security report is generated, and suitable action is taken (discussed above in connection with FIG. 1), in one embodiment. If the intrusion detection system does not detect an intrusion attributable to the payload data, the controller 200 may determine whether any file deviations (from a baseline) have occurred (block 332). If file deviations have occurred (block 332) indicating an invalid change, incident response is deployed (block 334) (discussed above in connection with FIG. 1), in one embodiment. If file deviations have not occurred, the payload data is accepted as valid and authentic, in one embodiment.
Although illustrated as separate from secure gaming terminal(s) 12 and the secure gaming server(s) 14, the security functionality provided by the secure communication apparatus 24, 30 and the integrity apparatus 26, 32 may be implemented directly in secure gaming terminal(s) 12 and/or the secure gaming server(s) 14.
IIb. Key-Based Routines For Ensuring Integrity, Authentication, and Non-repudiation
Symmetric cryptosystems that use secret keys for encryption of plaintext messages and decryption of the resulting ciphertext messages, are one type of key-based algorithm. Asymmetric cryptosystems such as public key cryptosystems and multiple-key public key cryptosystems that use public keys for encryption of plaintext messages (or digital signatures) and private keys for decryption of resulting ciphertext messages, are another type of key-based algorithm. Generally, symmetric cryptosystems provide a faster method of encryption than asymmetric cryptosystems, but asymmetric cryptosystems provide better authentication techniques. In both types of key-based algorithms, generation, management, and control (including key transmission) of secret, public, and private keys requires a level of protection equivalent to the level of protection sought for the data they encrypt because the security of the encryption/decryption algorithm rests, in part, on the key.
One-time Session Key:
In some embodiments, a one-time session key is used for symmetric encryption and decryption of gaming software or other associated data transmitted between two or more gaming devices (e.g., from a server 28 to a gaming terminal 22). The one-time session key may be generated in a number of ways using a public-private key-pair. After generation and secure transmission, the one-time session key can be used to symmetrically decrypt/encrypt gaming software as it is transferred between the gaming devices. As the name suggests, a one-time session key is used for a short period of time, typically one session of gaming software exchanges requiring encryption and decryption.
Generation and secure distribution of the one-time session key by gaming devices of the secure gaming system environment 10 may be done using public key cryptography. For example, a first gaming device (e.g., the gaming terminal 22) transmits its public key (from a public-private key-pair) to a second gaming device, for example, the server 28. The second gaming device then generates a random one-time session key using random generation methods discussed above, and encrypts the one-time session key using the first gaming device's public key. The encrypted one-time session key is then transmitted to the first gaming device. The first gaming device then decrypts the encrypted one-time session key (using its private key from the public-private key-pair) to recover the session key. The first gaming device is now capable of symmetrically encrypting gaming software using the session key prior to transmission to the second gaming device, and vice versa.
Control of the session key, or "session key restrictions" are implemented to characterize session key parameters associated with, for example, when a session key is used, what gaming devices are authorized or required to use the session key, and how it is used. Such session key restrictions may be accomplished by attaching a key control vector (KCV) to the session key. The KCV contains the specific uses and restrictions for the particular session key. For example, hashing and XORing the KCV with a master key by the first gaming device yields a result that can be used as an encryption key to encrypt the one-time session key, in one embodiment. The resultant encrypted one-time session key may then be stored with the KCV by the first gaming device. When received by the second gaming device, the KCV can be hashed and XORed with the master key, and the result can be used to decrypt the encrypted one-time session key (i.e., to recover the one-time session key for use). The one-time session key can then be used to symmetrically encrypt and decrypt gaming software transmitted between the first and second gaming devices, in one embodiment.
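The following is an added illustration, not part of the original specification: the KCV wrapping described above, run with the openssl command line. The choice of SHA-256 as the hash and AES-256-CBC as the cipher, the KCV field names, and all key values are assumptions or constructed samples; the text does not name them.

```shell
#!/bin/sh
# Added example: key control vector (KCV) wrapping of a one-time session key.
# Assumptions (not from the specification): SHA-256 hash, AES-256-CBC cipher,
# KCV field names. All keys and values are constructed samples.

# XOR two equal-length hex strings, one byte (two hex digits) at a time.
xor_hex() {
    a=$1; b=$2; out=""
    while [ -n "$a" ]; do
        ha=${a%"${a#??}"}; hb=${b%"${b#??}"}      # leading byte of each string
        out="$out$(printf '%02x' $(( 0x$ha ^ 0x$hb )))"
        a=${a#??}; b=${b#??}
    done
    printf '%s' "$out"
}

# Key-encrypting key = hash(KCV) XOR master key.
derive_kek() {  # $1 = master key (64 hex digits), $2 = KCV text
    digest=$(printf '%s' "$2" | openssl dgst -sha256 -r | cut -c1-64)
    xor_hex "$digest" "$1"
}

# First device: encrypt the session key and store it together with its KCV.
wrap_session_key() {  # $1 = master key, $2 = KCV, $3 = session key, $4 = record dir
    mkdir -p "$4" || return 1
    kek=$(derive_kek "$1" "$2")
    iv=$(openssl rand -hex 16)
    printf '%s' "$2" > "$4/kcv"
    printf '%s' "$iv" > "$4/iv"
    printf '%s' "$3" | openssl enc -aes-256-cbc -K "$kek" -iv "$iv" -out "$4/key.enc"
}

# Second device: recompute the key from the stored KCV and the shared master
# key, then decrypt. A KCV altered after wrapping yields a different key, so
# decryption fails or returns bytes that are not the session key.
unwrap_session_key() {  # $1 = master key, $2 = record dir
    kek=$(derive_kek "$1" "$(cat "$2/kcv")")
    openssl enc -d -aes-256-cbc -K "$kek" -iv "$(cat "$2/iv")" \
        -in "$2/key.enc" 2>/dev/null
}

KCV_DIR=$(mktemp -d)
trap 'rm -rf "$KCV_DIR"' EXIT
MASTER=$(openssl rand -hex 32)      # constructed master key shared by both devices
SESSION=$(openssl rand -hex 32)     # constructed one-time session key
KCV="use=software-download;from=server-28;to=terminal-22;sessions=1"

wrap_session_key "$MASTER" "$KCV" "$SESSION" "$KCV_DIR/rec"

# Constructed negative case: the stored restrictions are edited after wrapping.
cp -R "$KCV_DIR/rec" "$KCV_DIR/altered"
printf '%s' "use=software-download;from=server-28;to=terminal-22;sessions=100" \
    > "$KCV_DIR/altered/kcv"

if [ "$(unwrap_session_key "$MASTER" "$KCV_DIR/rec")" = "$SESSION" ]; then
    echo "original KCV: session key recovered"
fi
if [ "$(unwrap_session_key "$MASTER" "$KCV_DIR/altered")" != "$SESSION" ]; then
    echo "altered KCV:  session key not recovered"
fi
```

Because the restrictions feed the key derivation, the receiving device cannot recover the session key under any KCV other than the one it was wrapped with.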
Public-private Key-pair and Secret Keys:
Private-public key-pairs used by the gaming devices of the secure gaming system environment 10 may be generated, stored, transmitted, and authenticated in any one of a number of ways, in various embodiments, depending on the scheme selected. For example, a private key (or a secret key) may be generated randomly by an automatic process (e.g., pseudo-random-bit generator) or by using techniques such as key-crunching to convert randomly selected phrases into private keys. The private key may also be generated randomly using a cryptographic algorithm such as triple-DES (DES applied three times). Similarly, the public key may be generated using a random process, however, the random process must yield keys having certain mathematical properties, for example, the key may have to be a prime number, it may have to be a quadratic residue, etc.
Once generated, secure transmission and verification of the private, public, or secret key by a gaming device of the secure gaming system environment 10, may be implemented, in one embodiment. Secure transmission of the key between gaming devices (via the communication network 20) may be accomplished through the use of a key-encryption key that encrypts the key prior to transmission. Use of the key-encryption key provides an additional layer of security for the key during its transmission. However, distribution of a key-encrypting key typically is manual and therefore may not be feasible if the number of gaming devices in the secure gaming system environment 10 becomes large. For example, because every pair of gaming devices exchanges key-encryption keys, a one hundred-gaming device network may require about 4950 key-encryption key exchanges. In addition to using key-encryption keys, secure transmission of the key may also be accomplished by using a trusted courier (e.g., a casino employee), by using a digital signature protocol using a public key database, or by using a key distribution center (discussed below), depending on the cryptographic protocol used.
After receiving the key, the receiving gaming device may be required to verify the key's authenticity and source. Verification of authenticity and source may be accomplished in a variety of ways, depending on the cryptographic algorithm used and the level of security required. For example, utilization of the trusted courier, the key-encryption key, the digital signature protocol using a public key database, the one-way hash function, the key distribution center (KDC) etc., can provide different levels of assurance of authenticity and the source of the key.
A key may be stored in a number of ways, again depending on the level of security required. For example, the key may be stored on a magnetic strip card, a ROM key card, or a smart card. The user can then insert the card having the key into a suitable card reader coupled to the gaming device, thereby allowing access to the key by the gaming device. Alternatively, the key may be segmented into two halves. For example, one-half of the key may be stored on a ROM key and the other half of the key may be stored in a suitable component of the gaming device (e.g., program memory). In addition, the key may also be stored in an encrypted form to provide an additional level of security. For example, an RSA private key could be encrypted with a DES key and stored on a tangible medium such as a disk.
The Public-Private Key-Pair Infrastructure:
Public keys used in public key cryptographic algorithms or in multiple-key public key cryptographic algorithms can be stored in, and verified by, a centralized public key database or registry (e.g., a KDC). A typical centralized registry system (e.g., a public key infrastructure (PKI)) utilizes a "public key certificate" in conjunction with a trusted certification authority (e.g., Verisign) and a separate registration authority to issue and manage security credentials and the public keys. The typical centralized registry system is also configured to use different industry-standard cryptographic algorithms (including RSA, DSA, MD5, SHA-1). A single public key certificate can be derived from a single certification authority or it can be derived from a series of public key certificates, with each of the series of public key certificates derived from a series of certification authority entities and linked or chained via digital signatures (discussed in connection with FIGs. 3C and 3D). In the case of a series of public key certificates derived from a series of certification authority entities, an "end entity" (i.e., the entity named in the subject field of a certificate) can identify the certification authority (i.e., the entity named in the issuer field of a certificate).
The public key certificate is a digitized certificate referred to herein as a "digital certificate" and may be viewed as an electronic passport equivalent to prove identity of associated gaming software or associated gaming data. In the secure gaming system environment 10, the trusted certificate authority and registry authority may be an existing authority body or may be a proprietary authority body operating under the sponsorship and control of an existing gaming jurisdiction body, a large casino customer body (e.g., Harrah's), a special gaming authority, etc. In addition, the secure gaming system environment 10 may include dedicated certificate servers having the centralized public key database.
Public keys and private keys may be created simultaneously by the trusted certificate authority using the same algorithm (e.g., RSA). Creation of the public and private keys may be done by a software routine such as that provided by OpenSSL software (open source software) or may be done using one of the manual routines or a combination routine as discussed above. The resulting private key may be given only to the requesting party (e.g., to the first gaming device) while the resulting public key is made publicly available (e.g., to the first and second gaming devices) as part of the digital certificate. The private key can then be used by the gaming device to decrypt received text or data, including gaming software that has been encrypted using the corresponding public key by another gaming device prior to transmission, in one embodiment. In addition to decrypting messages, the private key can also be used to encrypt a digital certificate, in one embodiment. At the receiving end, the digital certificate can then be decrypted using the corresponding public key, in one embodiment. Thus, the public key held by the receiver gaming device (e.g., the second gaming device) can be used by the sender gaming device (e.g., the first gaming device) to encrypt a message, and the receiver gaming device's private key can be used to decrypt the message, in one embodiment. Alternatively, the private key held by the sender gaming device can be used to encrypt the sender gaming device's signature, and the sender gaming device's public key can be used by the receiver gaming device to decrypt the encrypted signature (thereby authenticating the sender), in another embodiment.
As mentioned above, the public key certificate, or the digital certificate used by the gaming devices of the secure gaming system environment 10, is issued by a trusted certification authority, in one embodiment. Each digital certificate, in one embodiment, includes a copy of the certificate holder's public key (used for encrypting messages and digital signatures), a serial number, an expiration date of the key, and a digital signature of the certificate-issuing authority, so that a recipient can verify that the certificate is real. In the secure gaming system environment 10, the digital certificate holder and the recipient may be a gaming device such as the secure gaming terminal 12 or the secure gaming server 14, or a person such as a casino employee.
b(1). Certification Authority Initialization Routine
For example, FIG. 3C is a flowchart of a certification authority initialization routine 350 that may be performed, in one embodiment, by a controller 200 of one or more of the security elements or gaming devices of FIG. 1, for example, by the controller 200 of the secure gaming server 14 configured as a certification authority (CA) server. The certification authority initialization routine 350 may be utilized when a customer, such as a casino entity (e.g., Harrah's) has control of, or manages, the certification authority (CA), the registration authority (RA), and the users (e.g., gaming devices such as gaming terminals and servers). Of course, as will be appreciated by those of ordinary skill in the art, variations of the certification authority initialization routine 350 may be utilized depending on ownership/control of the CA and RA. The certification authority initialization routine 350 may be performed by the CA server to provide a self-signed certificate (if the RA and CA are owned and controlled by the same entity, not a real "third party") or to provide an RA approved and CA signed certificate (if the RA and CA are not owned and controlled by the same entity) for use by the gaming devices of the secure gaming system environment 10.
Referring to FIG. 3C, the certification authority initialization routine 350 begins operation when a request (block 351) for a CA public-private key-pair (key-pair) is received by the CA server (i.e., request to generate an RSA key-pair for the CA). The request may be a manual request from an appropriate casino employee, may be an automated request, or may be a request from a gaming device of the secure gaming system environment 10. In response, the CA server, utilizing a certificate generation tool such as OpenSSL, generates, encrypts, and stores the public-private key-pair.
For example, using a randomly generated password, the certificate generation tool generates (block 352) a key-pair. Using a cryptographic algorithm such as triple-DES that supports 168-bit encryption, with SHA-1 message authentication, the certificate generation tool encrypts (block 353) the CA key-pair. The encrypted CA key-pair is then stored in a specified file, for example in a ca.key file in the CA server (or on another secure server). An encrypted CA key-pair is now available for use with the CA digital certificate.
In response to a request to generate a CA certificate (block 354), a determination is made (block 355) whether the CA and the RA are controlled by the same entity. If so, the CA server provides a self-signed CA digital certificate (block 356). The self-signed CA digital certificate is created when the CA certificate request is generated to contain the required information and when the CA certificate request is signed by the corresponding private key of the encrypted CA key-pair described above. The request may be a manual request from an appropriate casino employee, may be an automated request, or may be a request from a gaming device or security element of the secure gaming system environment 10. Returning to the illustrated example above (using OpenSSL software), in response to the request for a CA certificate, a new digital certificate is generated and signed with the private key of the encrypted CA key-pair described above (e.g., an X.509 certificate). The new CA digital certificate includes the number of days that the certificate is valid, the public key of the key-pair file to be used, the country and state of origin, an organization name (e.g., a company), etc. and the filename (e.g., ca.crt) where the new digital certificate is to reside.
In cases where the CA and the RA are controlled or managed by different entities (i.e., CA controlled by casino entity and RA controlled by a jurisdiction entity), in response to a request to generate the CA certificate request (e.g., which, in this case, is the completed CA certificate just prior to signing by the CA), the unsigned CA certificate request is forwarded to the RA (block 358). Any action of approval or disapproval (due to incorrect or incomplete data, etc.) is performed by the RA. Upon approval (block 359), the RA forwards the unsigned, but RA approved CA certificate request back to the CA where it is reviewed for policy approval and finally signed (block 362). Subsequent to signing, the signed CA certificate request, referred to herein as the CA digital certificate, is forwarded to a predetermined file location (e.g., the ca.crt). The signed CA digital certificate is now available for use upon request.
b(2). Gaming Terminal/Server Key Generation and Signing Routine
FIG. 3D is a flowchart of a gaming terminal/server key generation and signing routine 370 that, in one embodiment, may be performed by a controller 200 of one or more of the security elements or gaming devices of FIG. 1, for example by a controller 200 of the secure gaming terminal 12. Of course, as will be appreciated by those of ordinary skill in the art, variations of the gaming terminal/server key generation and signing routine 370 may be performed, depending on ownership and/or control of the signed-CA-certificate file. Thus, the gaming terminal/server key generation and signing routine 370 may be performed by one or more of the gaming devices or security elements of the secure gaming system environment 10, and result in a gaming terminal or gaming server digital certificate. During construction, the gaming terminal or server digital certificate is linked back to a CA digital certificate via the private key of the CA digital certificate to ensure its authenticity.
Referring to FIG. 3D, the gaming terminal/server key generation and signing routine 370 begins operation in response to a request (block 371) for a gaming terminal/server (GT/server) key-pair. The request may be a manual request from an appropriate casino employee, may be an automated request, or may be a request from a gaming device of the secure gaming system environment 10. In response, the CA server, again utilizing a certificate generation tool such as OpenSSL software, generates, encrypts, and stores the GT/server public-private key-pair (GT/server key-pair). For example, much like the CA key-pair, using a randomly generated password, the certificate generation tool generates (block 372) an RSA key-pair for the gaming terminal/server, in one embodiment. Using a cryptographic algorithm such as triple-DES, the certificate generation tool encrypts (block 373) the public key and the private key of the key-pair. The encrypted key-pair for the gaming terminal/server is then stored in a specified file, for example in a usr.key file stored in the CA server (or on another secure server), in one embodiment. An encrypted GT/server key-pair is now available for use with the GT/server digital certificate.
In response to a request to generate a GT/server digital certificate, the CA server provides an unsigned certificate request, or CSR (block 374). The request may be a manual request from an appropriate casino employee, may be an automated request, or may be a request from a gaming device of the secure gaming system environment 10. Returning to the illustrated example above (using OpenSSL software), in response to the request for the GT/server digital certificate, a new digital certificate request (CSR) is generated. The new digital certificate request includes, in one embodiment, the public key of the GT/server key-pair file to be used, the country (e.g., U.S.), state (e.g., Nevada) and locality (e.g., Las Vegas) of origin, an organization name (e.g., Harrah's), an organization unit name (e.g., Harrah's 1), a common name (e.g., Harrah's gaming terminal #1), and a filename of the new unsigned GT/server digital certificate (e.g., file user.csr). The unsigned GT/server certificate request is now ready for signature by the CA.
In response to receipt (block 376) of the unsigned GT/server certificate request forwarded by the CA server, the CA reviews (block 377) the certificate request to determine if the certificate complies with CA policies and whether the party who generated the certificate is trustworthy, in one embodiment. Alternatively, in another embodiment, in response to receipt of the unsigned GT/server certificate request, the CA forwards the unsigned GT/server certificate request to an RA. Upon approval by the RA, the unsigned GT/server certificate request is forwarded back to the CA for signature. If it is determined that the certificate complies with CA policies and that the party who generated the certificate is trustworthy, the CA signs (block 378) the public key of the GT/server certificate with a CA private key associated with a particular CA digital certificate, thereby forming a signed GT/server digital certificate. Signing the GT/server certificate public key with the CA private key provides a "link" back to the trusted certification authority. The signed GT/server digital certificate includes, in one embodiment, the key-pair file to be used, the country (e.g., US), state (e.g., Nevada) and locality (e.g., Las Vegas) of origin, an organization name (e.g., Harrah's), an organization unit name (e.g., Harrah's 1), a common name (e.g., Harrah's gaming terminal #1), plus the number of days that the certificate is valid (e.g., 365 days). In addition, a CA certificate identifier number associated with the CA private key used to sign the GT/server digital certificate's public key, is included in the signed certificate, in one embodiment. A filename of the signed certificate (e.g., file user.crt) is also included. Thus, the GT/server key generation and signing routine 370 provides a signed and authenticated GT/server digital certificate that includes a key-pair having a public key signed by a CA private-key, thereby linking, or chaining the GT/server certificate to the CA. The gaming terminal/server digital certificate is now ready for installation in any of the gaming devices of the secure gaming system environment 10, and can provide authentication, privacy, content integrity, and non-repudiation of gaming software/data, both installed and transmitted, between the gaming devices of the secure gaming system environment 10.
Use of the gaming terminal/server digital certificate may provide authentication, privacy, content integrity, and non-repudiation of gaming software/data, both installed and transmitted, between the gaming devices of the secure gaming system environment 10. For example, the secure gaming server 14 may want to access a gaming terminal's digital certificate to authenticate the secure gaming terminal 12.
b(3). Authentication Routine Using Digital Certificates
FIGs. 3E-3G are flowcharts of embodiments of an authentication routine using digital certificates. In one embodiment, the authentication routine may be performed by a controller 200 of one or more of the security elements or gaming devices of FIG. 1. The authentication routine provides a method of controlling gaming software/data access, including non-repudiation, authentication, privacy, and content integrity, to the gaming devices using GT/server digital certificates. The authentication routine also provides a method of authenticating the gaming devices of the secure gaming system environment 10, in one embodiment.
The GT/server digital certificates may be stored in any number of gaming devices or security elements within the secure gaming system environment 10, depending on the access control desired. Installation of the digital certificates in the gaming devices or security elements may be manual or may be automatic using an appropriate Certificate Management protocol (described below). For example, a GT digital certificate may be installed on the secure gaming terminal 12 and a server digital certificate may be installed on the secure gaming server 14 using a PKI Certificate Management Protocol, in one embodiment.
Referring to FIG. 3E, an authentication routine 380 begins operation when gaming software/data attempts access to the secure gaming terminal 12 or the secure gaming server 14 from another gaming device, in one embodiment. For example, the authentication routine 380 begins operation when the secure gaming terminal 12 requests a gaming software download (e.g., a video slot game, newly approved by jurisdictional regulators) from a secure gaming server 14. Using a communication protocol such as the Secure Socket Layer (SSL) protocol, which utilizes a combination of public key and symmetric key encryption, the secure gaming server 14 and the secure gaming terminal 12 are each authenticated via a "handshake" procedure prior to the gaming software download, in one embodiment. As will be appreciated by those of ordinary skill in the art, the authentication routine 380 may begin operation when the secure gaming server 14, the gaming terminal 22, the gaming server 28, the first secure communication apparatus 24, the second secure communication apparatus 30, the first integrity apparatus 26, the second integrity apparatus 32, or an appropriate person initiates gaming software/data transfer or gaming software/data authentication, in various embodiments.
The handshake procedure begins when the secure gaming terminal 12 transmits to the secure gaming server 14 its SSL version number, available cryptographic algorithms, and data needed to allow the secure gaming server 14 to communicate with the secure gaming terminal 12 (block 382), in one embodiment. In response, the secure gaming server 14 transmits to the secure gaming terminal 12 its SSL version number, available cryptographic algorithms, and data needed to allow the secure gaming terminal 12 to communicate with the secure gaming server 14 (block 383), in one embodiment. The secure gaming server 14 also transmits its server digital certificate, and if the secure gaming terminal 12 is requesting a server resource (e.g., gaming software or data) that requires gaming terminal authentication, the secure gaming server 14 requests the secure gaming terminal's 12 gaming terminal digital certificate.
Referring to FIG. 3F (server validation and authentication routine 384), the secure gaming terminal 12 uses information received from the secure gaming server 14 to authenticate binding between the public key of the gaming server's digital certificate and the secure gaming server 14, in one embodiment. First, the secure gaming terminal 12 checks the server's digital certificate's validity period (block 385). If the current date and time is outside a valid range, the authentication process is terminated (block 386). If the current date and time is inside the valid range, the secure gaming terminal 12 compares a distinguished name (DN) of the CA that issued the server's digital certificate to a list of trusted CAs held by the secure gaming terminal 12, in one embodiment. The list of trusted CAs determines which digital certificates the secure gaming terminal 12 will accept. If the DN of the CA that issued the server's digital certificate matches a DN of a CA on the list of trusted CAs held by the secure gaming terminal 12, the secure gaming terminal 12 uses a public key (found in the list of its trusted CAs) to validate the CA's digital signature on the gaming server's digital certificate (block 388), in one embodiment. If the information in the gaming server's digital certificate changed since it was signed by the trusted CA, the secure gaming terminal 12 will not authenticate the gaming server's identity and the authentication process is terminated (block 386). Similarly, if the CA's public key in the gaming server's digital certificate does not correspond to the private key used by the CA to sign the gaming server's digital certificate, the secure gaming terminal 12 will not authenticate the server's identity and the authentication process is terminated (block 386). If all the criteria are met, the gaming server's digital certificate is considered valid by the secure gaming terminal 12 (block 389), in one embodiment.
The secure gaming terminal 12 confirms that the secure gaming server 14 is actually located at a network address specified by a domain name in the gaming server's digital certificate (block 390). This prevents an attack commonly referred to as a Man-in-the-Middle attack where a rogue program intercepts communication between the secure gaming terminal 12 and secure gaming server 14 and as a result, substitutes its own key-pair so that the secure gaming server 14 "thinks" that it is properly communicating with the secure gaming terminal 12, and vice versa. If the secure gaming terminal 12 determines that the secure gaming server 14 is not located at the network address specified by a domain name in the gaming server's digital certificate, the secure gaming server 14 is not authenticated by the secure gaming terminal 12 (block 386), in one embodiment. As a result, the secure gaming terminal 12 refuses to establish a connection with the secure gaming server 14. If the secure gaming terminal 12 determines that the secure gaming server 14 is actually located at a network address specified by a domain name in the gaming server's digital certificate, the secure gaming server 14 is authenticated, in one embodiment.
Using all of the data generated (up to step 389), the secure gaming terminal 12 may create a "premaster secret" for the session, and encrypt the premaster secret with the gaming server's public key obtained from the gaming server's digital certificate. The secure gaming terminal 12 may then send the encrypted premaster secret to the secure gaming server 14.
The server validation and authentication routine (384) is completed. Referring again to FIG. 3E, the gaming validation and authentication routine (391) is then performed. This routine is described in more detail in conjunction with FIG. 3G. If the secure gaming terminal 12 determines that the gaming server's digital certificate is valid and that the gaming server is authentic, the secure gaming server 14 authenticates the secure gaming terminal 12, in one embodiment. The secure gaming server 14 begins the authentication process by requesting (block 392) that the secure gaming terminal 12 transmit the gaming terminal's digital certificate and a separate piece of digitally signed data (e.g., signed using the public key of private-public key-pair noted in the gaming server's digital certificate). The separate piece of digitally signed data utilizes a digital signature. The digital signature is generated by creating a one-way hash from data randomly generated during the handshake procedure and known only to the secure gaming terminal 12 and the secure gaming server 14, in one embodiment. The one-way hash of the random data may be encrypted with the private key that corresponds to the public key in the gaming terminal's digital certificate.
Using the gaming terminal's digital certificate and the separate piece of digitally signed data, the secure gaming server 14 determines whether the gaming terminal's public key validates the gaming terminal's digital signature (block 393). Therefore, upon receipt, the secure gaming server 14 uses the digitally signed data to validate the public key in the gaming terminal's digital certificate and to authenticate the identity that the gaming terminal's digital certificate claims to represent. If the digital signature is validated with the public key in the gaming terminal's digital certificate, the secure gaming server 14 determines, in one embodiment, that the public key in the gaming terminal's digital certificate matches the private key used to create the digital signature and that the separate piece of digitally signed data has not been tampered with (by an attacker) since the time it was digitally signed.
The secure gaming server 14 checks the gaming terminal's digital certificate's validity period (block 394). If the current date and time is outside a valid range, the authentication process is terminated (block 386). If the current date and time is inside the valid range, the gaming server compares a distinguished name (DN) of the CA that issued the gaming terminal's digital certificate to a list of trusted CAs held by the gaming server, in one embodiment. The list of trusted CAs determines which digital certificates the secure gaming server 14 will accept. If the DN of the CA that issued the gaming terminal's digital certificate matches a DN of a CA on the list of trusted CAs held by the secure gaming server 14, the secure gaming server 14 uses a public key (found in the trusted CA list) to validate the CA's digital signature on the gaming terminal's digital certificate (block 396), in one embodiment. If the information in the gaming terminal's digital certificate changed since it was signed by the trusted CA, the secure gaming server 14 will not authenticate the gaming terminal's identity and the authentication process is terminated (block 386). Similarly, if the CA's public key in the gaming terminal's digital certificate doesn't correspond to the private key used by the CA to sign the gaming terminal's digital certificate, the secure gaming server 14 will not authenticate the terminal's identity and the authentication process is terminated (block 386), in one embodiment.
The gaming terminal validation and authentication routine (391) is then completed. Referring again to FIG. 3E, if all the criteria are met, both the secure gaming terminal 12 and the gaming terminal's digital certificate are considered valid and authenticated by the secure gaming server 14 (block 397). Therefore, using the handshake procedure, the secure gaming terminal 12 has determined that both the secure gaming server 14 and the gaming server's digital certificate are valid and authentic and that a man-in-the-middle attack has not occurred. Likewise, using the handshake procedure, the secure gaming server 14 has determined that both the secure gaming terminal 12 and the gaming terminal's digital certificate are valid and authentic.
Prior to the gaming software download from the secure gaming server 14 to the secure gaming terminal 12, the secure gaming server 14 determines whether the secure gaming terminal 12 is authorized to access the requested gaming software (block 398). The secure gaming server 14 may determine whether the secure gaming terminal 12 has approved access in any number of ways. For example, the secure gaming server 14 may determine whether the secure gaming terminal 12 has approved access to the gaming software by checking its access control lists (ACLs) stored in one of the memories of the controller of FIG. 2. If the secure gaming server 14 determines that the secure gaming terminal 12 has access to the requested gaming software, the secure gaming server 14 establishes a connection to the location of the gaming software, in one embodiment.
When the secure gaming terminal 12 is successfully authenticated by the secure gaming server 14, the secure gaming server 14 may use its private key to decrypt the encrypted premaster secret. Using the premaster secret, both the secure gaming server 14 and the secure gaming terminal 12 generate a "master secret". Using the master secret, both the secure gaming server 14 and secure gaming terminal 12 generate a one-time session key for encrypting and decrypting. In addition to symmetrically encrypting and decrypting the gaming software and gaming data exchanged between the secure gaming server 14 and the secure gaming terminal 12, in one embodiment, the one-time session key provides integrity verification (i.e., it detects any changes occurring in the gaming software/data between the time it was sent and received).
Finally, the secure gaming terminal 12 transmits a message to the secure gaming server 14 indicating that future transmissions from the secure gaming terminal 12 will be encrypted with the session key. It then sends a separate, encrypted message indicating that its portion of the handshake procedure is complete, in one embodiment. Similarly, the secure gaming server 14 transmits a message to the secure gaming terminal 12 indicating that future transmissions from the gaming server will be encrypted with the session key. It then sends a separate, encrypted message indicating that its portion of the handshake procedure is complete, in one embodiment. The gaming software is then encrypted with the one-time session key and downloaded to the secure gaming terminal 12 (block 399). In this way, authentication of gaming software/data transmitted between, or located within the gaming devices and security elements of the secure gaming system environment 10 is provided.
As will be appreciated by those of ordinary skill in the art, in addition to SSL, other suitable communication protocols may be used in the authentication routine 380.
III. THE DETAILED SECURE GAMING SYSTEM
Fig. 4 illustrates one possible embodiment of a detailed secure gaming system 400 in accordance with an embodiment of the invention. Referring to FIGs. 4A and 4B, in addition to the elements network and systems discussed below, the detailed secure gaming system 400 includes the gaming devices (e.g., secure gaming terminals, secure gaming servers, gaming routers, etc.) and the security elements (e.g., intrusion detection systems, firewalls, etc.) discussed in connection with FIG. 1. The detailed secure gaming system 400 is configured with one or more customer networks 420, 422, and 424 communicatively coupled to a public communication network such as the Internet 416, a customer corporate center 426 communicatively coupled to the Internet 416, and a game provider data center network 428 communicatively coupled to the Internet 416. In addition, the detailed secure gaming system 400 includes a jurisdiction data center 430. Although only one gaming system environment is illustrated, it is contemplated that there may be more or fewer customer networks, customer corporate centers, game provider data centers, and jurisdiction data centers within the network.
In general, the customer networks 420, 422, 424 may be located in the same or different geographic regions. For example, the customer network 420 may be provided in a first casino, the customer network 422 may be provided in a second casino, and the customer network 424 may be provided in a third casino located in a separate geographic region than the first and/or second casino. Alternatively, each of the customer networks 420, 422, 424 may be provided in a boat, an airplane, a store, a race track (e.g., a "racino"), etc.
In general, the customer corporate center 426, which may be operated by or for a gaming proprietor (e.g., Harrah's, a State operating lottery gaming terminals, an Indian tribe, etc.), administers operation of the gaming devices within its customer networks 420, 422, 424. Administration at the customer corporate level may include, inter alia, securing gaming licenses from the game provider data center network 428, ensuring compliance of its gaming hardware and software with jurisdiction regulations, ensuring the integrity and security of gaming software/data operating its gaming terminals, enabling appropriate communication between its gaming devices and the game provider data center network 428, etc.
In general, the game provider data center network 428, operated by or for a game provider such as WMS Gaming, Inc. (Illinois), administers operation of its gaming devices within a detailed secure gaming system (e.g., system 400). Administration at the game provider level may include, inter alia, administering and coordinating licenses to the customer corporate center 426, ensuring appropriate gaming hardware and software compliance with the various jurisdiction regulations, administering gaming software integrity verification, providing gaming software/data downloads or revoking software downloads when appropriate, and/or general gaming device monitoring functions. Although only one game provider data center is shown as representative of the game provider data center network 428, it is contemplated that there may be additional game provider data centers, co-located or remotely located from each other, provided within the game provider data center network 428, depending on the secure gaming system environment configuration. For example, there may be one corporate-level game provider data center with authority and coordination responsibility for a number of regional-level game provider data centers. Each regional-level game provider data center may then have authority and coordination responsibility for customer corporate centers and customer networks in its region. As will be appreciated by one of ordinary skill in the art, the functions provided by the game provider data center 428 may also be provided by the customer corporate center 426.
In general, the jurisdiction data center 430, which may also be operated by or for a casino game provider, generally tracks and administers data associated with the operation of gaming terminals in a particular jurisdiction region. Each particular gaming jurisdiction determines methods and procedures for operation of the jurisdiction data center 430. Therefore, because individual gaming jurisdictions have varied regulatory restrictions regarding gaming terminal operation, the level of tracking and administration required may vary from jurisdiction data center to jurisdiction data center 430.
Referring again to FIGs. 4A and 4B, the detailed secure gaming system 400 includes the secure communication elements, the access control elements, and the integrity elements discussed in connection with FIG. 1. For example, in one embodiment, each of the gaming terminals, routers, and servers are monitored by a data integrity assurance system ("DIA"). Additionally, the routers and servers may include intrusion detection systems ("ID") and/or network vulnerability scanners ("NVA"), in various embodiments. Further, the servers include antivirus scanners ("AV"), in one embodiment. Although not illustrated by individual icons, additional secure communication elements, access control elements, and integrity elements may be included in the detailed secure gaming system 400, in another embodiment.
Referring again to Fig. 4, the detailed secure gaming system 400 utilizes one or more virtual private network (VPN) configurations, for example VPNs 412 and 414, in one embodiment. The VPNs 412, 414 provide a secure connection over a public communication network such as the Internet 416 for gaming devices communicatively coupled to the VPN. Use of such VPN configurations 412, 414 may partially or wholly reduce the need for costly dedicated communication networks between and/or among the various gaming devices of the detailed secure gaming system 400. As will be appreciated by those of ordinary skill in the art, additional VPNs may be implemented within the detailed secure gaming system 400. For example, a VPN may be utilized to enable secure communication between the jurisdiction data center 430 and the game provider data center network 428.
Secure access within the VPNs 412, 414 is maintained using one of any number of tunneling protocols. In addition, a number of other security measures (discussed in connection with FIG. 1) can be implemented to ensure the integrity of gaming data traversing the VPNs 412, 414. In various embodiments, the gaming data transmitted via the VPNs 412, 414 may include new or modified gaming software for game play, bonus game play, tournament play, progressive lottery game play, etc., on the gaming terminals. In other embodiments, the gaming data may also include gaming terminal game performance data, maintenance information or instructions, security data, maintenance data, player data, accounting data, game outcomes (for systems having central determination), gaming device software (OS, peripherals, etc.), etc.
In addition, although not shown, the detailed secure gaming system 400 may include one or more dedicated communication network segments configured as an intranet, in one embodiment. Such an intranet configuration may be included in a server-based gaming system having one or more central server(s) interconnected to a number of gaming terminals. The intranet may be configured to enable downloading of (software) games, game configuration data, game outcomes, etc. from the central server(s) to the gaming terminals, and to enable uploading of marketing and operations data from the gaming terminals to the central server, in one embodiment. The server and the gaming terminals may be interconnected via private leased phone lines, private microwave or satellite links, dedicated hardwire, wireless links, etc.
The dedicated communication network segments may include security elements such as (1) authentication capability for gaming software before and after installation including on-demand authentication; (2) authentication, authorization, and accounting of gaming sessions; (3) DIA of designated software files in the central server and the gaming terminals; (4) gaming software VA; (5) security information management; and/or (6) proactive and reactive intrusion detection (ID) systems, to name a few.
At a top level, each of the subsystems of the detailed secure gaming system 400 (e.g., the customer networks 420, 422, 424, the customer corporate data center 426, the jurisdiction data center 430, and the game provider data center network 428) operate both independently and together to provide a sophisticated gaming environment while, at the same time, ensuring gaming device compliance with the various jurisdictional regulatory restrictions, in one embodiment. For example, if gaming data gathered and data mined (i.e., the gaming data is sorted to identify patterns and establish relationships) at the customer corporate center 426 indicates a very popular game, for example, a Monopoly bonus game manufactured by WMS Gaming, Inc., the customer may desire to purchase 50 additional Monopoly bonus game licenses from the game provider, in one embodiment. The request for the 50 additional licenses by the customer corporate center 426 can be made via the VPN 414. Similarly, payment for the 50 additional Monopoly bonus game licenses can be made via the VPN 414. In addition, the jurisdictional data center 30 can verify compliance of the Monopoly game with the local regional jurisdiction regulations (discussed below).
Upon receipt of payment for the 50 additional licenses, the customer can download 50 Monopoly bonus games, either from its own database or from the game provider's data base, into their servers or into 50 of their gaming terminals, in one embodiment. The VPN 412 may be used to download Monopoly game software packets, which may or may not be encrypted to prevent unauthorized reading during transit, into the selected customer gaming terminals. After downloading, immediate authentication of the Monopoly game software packets will then ensure that no unauthorized data packets were inserted and/or that no Monopoly game software packets were deleted or modified, in one embodiment.
In various embodiments, authentication of the Monopoly game software packets by the detailed secure gaming system 400 can be achieved in any number of ways, including, for example, using MACs, one-way hash algorithms, public-key cryptography, digital signature schemes using a pair of keys - a public key and a private key, symmetric encryption, random number generators to generate random numbers for keys, unique values in protocols, protocols using more than one of the above-mentioned authentication techniques, and so on. For example, authentication of the Monopoly bonus game software can be verified by sending randomly generated seed data with the Monopoly software data block, running it through a secure hash algorithm such as SHA-1, and verifying the resulting message digest at the receiving end. Subsequent "spot-checks" of the downloaded Monopoly bonus game may ensure continued authentication of the software. Similarly, other game software, updates to the game software, firmware updates to gaming terminal peripherals, software maintenance patches, and other data can be downloaded to the gaming terminals using the communication links provided in the detailed secure gaming system 400.
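The seeded-hash check and the later spot-checks described above can be sketched as follows. This is an added example, not code from the original disclosure: the function and class names, the 20-byte seed length and the message layout are assumptions, and it defaults to SHA-256 (pass "sha1" to use the algorithm the text names).

```python
import hashlib
import hmac
import secrets

SEED_LEN = 20  # bytes of random seed sent with each block (assumed size)


def seeded_digest(seed, block, algorithm="sha256"):
    """Digest over the random seed followed by the software data block."""
    h = hashlib.new(algorithm)
    h.update(seed)
    h.update(block)
    return h.digest()


def package_block(block, algorithm="sha256"):
    """Sending side: attach a fresh seed and the resulting message digest."""
    seed = secrets.token_bytes(SEED_LEN)
    return {"seed": seed, "block": block,
            "digest": seeded_digest(seed, block, algorithm)}


def verify_block(message, algorithm="sha256"):
    """Receiving end: recompute the digest and compare in constant time."""
    seed = message["seed"]
    if len(seed) != SEED_LEN:
        return False
    expected = seeded_digest(seed, message["block"], algorithm)
    return hmac.compare_digest(expected, message["digest"])


class SpotChecker:
    """Holds the approved reference image and challenges a terminal with a fresh
    seed each time, so a digest recorded from an earlier check cannot be replayed."""

    def __init__(self, reference_image, algorithm="sha256"):
        self._reference = reference_image
        self._algorithm = algorithm
        self._outstanding = set()

    def new_challenge(self):
        seed = secrets.token_bytes(SEED_LEN)
        self._outstanding.add(seed)
        return seed

    def check(self, seed, response):
        # A seed is accepted once only; unknown or reused seeds fail the check.
        if seed not in self._outstanding:
            return False
        self._outstanding.remove(seed)
        expected = seeded_digest(seed, self._reference, self._algorithm)
        return hmac.compare_digest(expected, response)


def terminal_response(installed_image, seed, algorithm="sha256"):
    """Terminal side of a spot-check: hash the seed with the installed copy."""
    return seeded_digest(seed, installed_image, algorithm)


if __name__ == "__main__":
    image = b"constructed game image " * 64   # constructed sample data
    msg = package_block(image)
    print("download verifies:", verify_block(msg))
    print("altered block verifies:", verify_block({**msg, "block": image + b"\x00"}))
    checker = SpotChecker(image)
    seed = checker.new_challenge()
    print("spot-check passes:", checker.check(seed, terminal_response(image, seed)))
```

Because the hash is unkeyed, anyone able to alter both the block and the digest in transit can recompute a matching digest, so this check depends on the digest arriving over the authenticated session; the MACs the text also lists remove that dependence.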
IIIa. Customer Networks
Each of the customer networks 420, 422, 424 may include a number of gaming terminals interconnected to one or more servers via a property local area network (LAN), in one embodiment. Each of the gaming terminals may be configured as a client that relies on the server(s) for resources (i.e., a client/server architecture), in one embodiment. In an alternate embodiment, each of the gaming terminals may be configured with capability equivalent to the server(s) (i.e., a peer-to-peer architecture). The customer networks 420, 422, 424 may also include one or more controllers and/or switches to accommodate variations in the network interfaces due to varied network protocols (e.g., RS232, RS485, Ethernet, wireless, etc.) utilized to communicate between the gaming devices.
The customer network 420 includes gaming terminals 432 and 434 interconnected to a server 436 via a property LAN 438, in one embodiment. Similarly, the customer network 422 includes the gaming terminals 440, 442, and 444 interconnected to a server 446 via a property LAN 448, and the customer network 424 includes the gaming terminals 450, 452, and 454 interconnected to a server 456 via a property LAN 458. Other servers or computers (not shown) may be included within the customer networks 420, 422, 424 to manage customer network resources (e.g., files, databases, storage, application programs, printers and other devices). For example, the customer network 424 may include a network computer for managing network traffic, a proxy server for improving network performance, etc.
The gaming terminals of the customer networks 420, 422, 424 may be configured in any number of ways. For example, in one embodiment, instead of utilizing several EPROMs programmed with individual games, a gaming terminal may be configured with only one EPROM which administers authentication algorithms and boots up the software for the gaming terminal (BIOS), etc. Thus, in one embodiment, instead of residing directly on the EPROM, gaming software can be downloaded from a remote gaming device, such as a server, via either a VPN (Internet) or a dedicated communication link (intranet), and the authentication algorithm(s) programmed on the single EPROM can ensure the authentication of the downloaded software. In various embodiments, the gaming software can also be downloaded from high capacity storage devices such as CD ROMs, DVDs, hard drives, compact flash memory, etc., and authenticated using an authentication algorithm stored on the one EPROM. In this way, manual authentication of one EPROM replaces manual authentication of the several EPROMs typical of traditional gaming terminals, and therefore translates into a savings of memory resources and/or manpower. In addition, using this approach may preclude a need for manufacturers of gaming terminals and gaming software to develop one large multi-jurisdictional gaming software version. As will be appreciated by those of ordinary skill in the art, additional EPROMs programmed with additional security elements may be included in the gaming terminals.
Once networked to other gaming devices, the gaming terminals may be more susceptible to security breaches originating elsewhere in the detailed secure gaming system 400, for example, at the network or Intranet level. Methods discussed above in connection with FIG. 1 for securing gaming terminal software, hardware and firmware may be implemented at the server, gaming terminal, LAN and/or network level of the detailed secure gaming system 400, in various embodiments.
The servers 436, 446, 456 of the customer networks 420, 422, 424, respectively, are utilized to accumulate and analyze data relating to the operation of the gaming terminals (e.g., data indicative of dollar amounts or numbers of wagers on each of the gaming terminals), in one embodiment. The servers 436, 446, 456 may also be utilized to provide distinct types of network gaming services, in various embodiments, including, for example, wide area progressive (WAP) capability that allows multiple gaming terminals to contribute to and compete for system-wide jackpots; slot tracking and accounting capability; cashless gaming management and validation; player tracking capability; interactive linked gaming capability; bonussing capability; central determination; gaming software/data downloading capability, etc. In addition, the servers 436, 446, 456 may also provide control and interface functions for the gaming devices within the customer networks 420, 422, 424, in various embodiments.
In some cases, the gaming software/data may be compiled by the servers 436, 446, 456 and may, therefore, be gaming terminal independent. When properly authenticated by a gaming terminal configured to receive encrypted etc. game data files (resulting from compiling the gaming software/data), the game data files can direct the gaming terminal to execute the corresponding game and operate the associated devices (i.e., currency printer, buttons, etc.), in one embodiment. As will be appreciated by those of ordinary skill in the art, in addition to the servers 436, 446, 456, the gaming software/data may be compiled on any suitable server in the detailed secure gaming system 400, in various embodiments. In this way, gaming software/data may be efficiently designed, updated, and verified, and in conjunction with the security elements of the detailed secure gaming system 400, may allow "on demand" game play at remotely located gaming terminals.
The property LANs 438, 448, 458 may be any type of suitable property LAN configuration including, for example, a dedicated hardwired property LAN or a wireless property LAN. Further, the property LANs 438, 448, 458, may be configured in a bus topology, a star topology, a ring topology, a tree topology, a full or partial mesh topology, etc., and may therefore include a single customer network data link or multiple customer network data links. Although the property LANs 438, 448, 458, are shown coupled to two or three gaming terminals and one server, it should be understood that different numbers of gaming terminals and servers may be used. For example, the customer network 422 may include a plurality of servers and tens and/or hundreds of gaming terminals, all of which may be interconnected via the property LAN 448.
Referring to customer networks 420, 422, 424, each of the property LANs 438, 448, 458 is communicatively coupled to the Internet 416 via a router 460, 462, and 464, respectively. The routers 460, 462, 464, which may be hardware, software or combinations of both, enable transmission of packetized gaming data to an appropriate destination within the detailed secure gaming system 400. Using the addresses on each of the packets, the routers 460, 462, 464, send the packets toward their destination. Although only one router is shown associated with each of the customer networks 420, 422, 424, additional routers may be included, depending on the desired network configuration. Additional routers (not shown) may also be located at various points within the detailed secure gaming system 400.
As illustrated by FIGs. 4A and 4B, each of the private subsystems of the detailed secure gaming system 400 (e.g., the customer networks 420, 422, 424, the customer corporate data center 426, the jurisdiction data center 430, and the game provider data center network 428) includes a firewall to protect gaming devices within the private subsystems from intrusions via the Internet 416, in one embodiment. Thus, the firewalls 491, 493, 495 are configured to prevent suspect software from entering the customer networks 420, 422, 424, respectively, the firewall 489 is configured to prevent suspect software from entering the game provider data center network 428, the firewall 499 is configured to prevent suspect software from entering the jurisdiction data center 430, and the firewall 497 is configured to prevent suspect software from entering the customer corporate data center 426. In addition, the firewalls may be implemented via traditional router-based firewalls, software-based firewalls, ASICs, network processors, adaptive computing integrated circuits, etc. As a result, each of the firewalls may be configured differently or the same, depending on the security threshold desired.
Although only one firewall per private subsystem is shown in FIGs. 4A and 4B, additional firewalls may be used. For example, a proxy firewall or two logical firewalls may be used to build a safety buffer around one or more of the private subsystems. The buffer zone may be used to isolate a Web server in one or more of the private networks from other gaming devices within the private network. One firewall may be used to protect the buffer zone itself (i.e., placed between the Web server and the public network), while a second firewall configured with more restrictions, and placed interior to the first (i.e., placed between the Web server and the other gaming devices), protects the gaming devices within the private customer networks.
IIIb. Communication Network
As previously mentioned, the VPN 412 provides secure access between the gaming devices communicatively coupled to the VPN 412. The gaming devices may be located over a geographically small or large area and therefore may be in close proximity to each other or may be remotely located from each other. For example, the VPN 412 provides secure access between the gaming devices at the customer corporate center 426 and each of its customer networks 420, 422, 424. Similarly, the VPN 414 provides secure access between the gaming devices at the customer corporate center 426 and the game provider data center 428.
The VPNs 412, 414 may include one or more types of electro-magnetic links, herein referred to as wireless (e.g., radio links, microwaves, etc.) or wireline (dial-up, fiber optic, wires, etc.) network links. For example, in the illustrated embodiment, a satellite link 466 forms a portion of the VPN 412 that communicatively couples the customer network 420 to the Internet 416. Within the customer network 420, one or more gaming devices may be directly coupled to a satellite dish 467 via suitable cabling and network interfaces. Thus, gaming data may be transmitted from the customer network 420 to the customer corporate center 426 via the satellite dish 467, the satellite link 466, and the Internet 416, and vice versa.
Similarly, a radio frequency (RF) link 468 forms a portion of the VPN 412 that communicatively couples the customer network 424 to the Internet 416. The RF link 468 is configured to enable transmission from, or reception to, fixed or mobile gaming devices (e.g., gaming terminal 454, server 456, etc.) of the customer network 424 using any one of a number of well-known RF technologies including, for example, a wireless cellular technology available from Motorola, Inc., or an IEEE 802.11 technology available from Cisco Systems, etc. Thus, if the wireless cellular technology is used to link the customer network 424 with the Internet 416, gaming data may be transmitted from the customer network 424 to the customer corporate center 426 via one or more radio tower(s) 469, one or more base transceiver stations, etc., (not separately illustrated), a central switching office 470 (e.g., PSTN), and the Internet 416, and vice versa.
A wireline link 474 forms another portion of the VPN 412 that communicatively couples the customer network 422 to other elements of the detailed secure gaming system 400 via the Internet 416. The wireline link 474 may include any number of standard wireline connections, for example, a coaxial cable connection, a phone line connection, wireline frame relay connection, a wireline ATM connection, a wireline Ethernet connection, etc. Thus, gaming data may be transmitted from the customer network 422 to the customer corporate center 426 via the wireline, or wireline link 474, and vice versa. Additional other network links may be established between the customer networks 420, 422, 424 and/or the customer corporate center 426. For example, the customer network 422 may be communicatively coupled to the customer corporate center 426 via a number of routers (e.g., the router 462) and a local Internet Service Provider (ISP) using one of the wireline or wireless technologies discussed above. Further, although not specifically illustrated in FIGs. 4A and 4B, the jurisdiction data center 430 may be communicatively coupled to the Internet 416 via any of the above-mentioned methods.
IIIc. Customer Corporate Center
As depicted in FIGs. 4A and 4B, the customer corporate center 426 includes a customer data integrity server 476, a customer corporate server 478, and a customer license server 480 interconnected via the property LAN 482. The customer corporate center 426 may additionally include any number of client computers to provide support for gaming terminal operation.
The customer, or gaming proprietor, may own one gaming establishment having a few gaming terminals, may own a large casino network having thousands of gaming terminals, or may own a gaming establishment sized somewhere between the two extremes. In the case of a large casino company such as Harrah's, it may be desirable to operate a customer corporate center 426 to configure, coordinate, maintain, and monitor all of the gaming devices associated with the large casino company. A large casino company may, for example, operate 30 casinos averaging 3000 gaming terminals per casino, in 14 different jurisdictions. In addition, a state run gaming operation such as New York state's video lottery terminal network may also require a central function similar to that provided by the customer corporate center 428. The level of complexity of the customer corporate center 428 may vary, depending on numerous factors.
In general, configuration, coordination, maintenance, and monitoring operations performed by the customer corporate center 428 include, inter alia, knowledge and control of what types of gaming terminals are installed in the various casinos, which versions of gaming software are being run on the gaming terminals, which software gaming components make up those versions, what types of peripheral devices (e.g., bill validators) are associated with the gaming terminals, which version of a particular type of peripheral devices is being used, what version of peripheral software is being run on the peripheral devices, etc. Accordingly, the customer corporate server 478 performs the "master" casino floor management tasks associated with configuring, operating, maintaining, and monitoring the gaming devices operated by the customer.
The customer license server 480 maintains a database of all gaming license information required by the customer. This may include what licenses were purchased by the customer, what licenses have been revoked, what gaming software is currently approved for licensing, the locations of the licensed games, non-available but pending licenses, and all other license information and details.
The customer data integrity server 476 is configured to maintain a current database of all information associated with approved, rejected, or withdrawn gaming software associated with its gaming terminals, including gaming software components, signatures for authentication purposes, etc. The customer data integrity server 476 is also configured to authenticate and verify gaming terminal software components in the customer's gaming terminals, and to coordinate the steps necessary to shut down a gaming terminal that has been determined to be running unapproved or unauthentic software. Further, the customer data integrity server 476 is configured to collect revenue data from any of the individual gaming terminals operating within the networks maintained by the customer. For redundancy and fault tolerance reasons, some or all of the tasks performed by customer data integrity server 476 may also be performed by any suitable servers in the customer corporate center 426.
As will be appreciated by those of ordinary skill in the art, there may be more or fewer servers provided in the customer corporate center 426, depending on the level of configuring, operating, maintaining, and monitoring required.
IIId. Jurisdiction Data Center
Some jurisdictions may require that a data center be located within their jurisdiction. For example, some jurisdictions such as New Jersey mandate that a jurisdiction data center be maintained by the game providers to oversee wide area gaming networks delivering progressive games. The jurisdiction data center may be required to gather gaming data, to track the configuration of gaming devices, to monitor compliance with jurisdictional regulations, to query gaming devices such as servers and gaming terminals, and to generally have an ability to provide real-time information of the detailed secure gaming system 400 to a jurisdiction user. In addition, the level of oversight required by each of the individual jurisdiction data centers may vary. For example, in New Jersey manual authentication of gaming software in each and every machine may be required, while in Nevada only spot-audit authentication of gaming software/data may be required. In this way, the gaming regulators in a particular jurisdiction can maintain oversight of gaming devices in its jurisdiction.
A jurisdiction data integrity server 487 within the jurisdiction data center 430 is configured to maintain a current database of all information associated with approved, rejected, or withdrawn gaming software in the jurisdiction, including gaming software components, signatures for authentication purposes, etc. The jurisdiction data integrity server 487 may also be utilized to authenticate and verify gaming terminal software components approved for use by gaming terminals in the particular jurisdiction, to coordinate the steps necessary to shut down a gaming terminal that has been determined to be running unapproved or unauthentic software, and to collect revenue data from any number of sources including the individual gaming terminals, the gaming terminal servers 436, 446, 456, the customer corporate center(s) 426, and the game provider data center(s) 428.
d(1). Remote Authentication Routine
For example, the jurisdiction data integrity server 487 may be configured to perform remote authentication of gaming software/data in a gaming terminal located in the customer network 420. FIG. 5 is a flowchart of an authentication routine 500 that may be performed by a server such as the jurisdiction integrity server 487. Although the authentication routine 500 is performed using the seed values and hashing techniques discussed above, any number of other suitable authentication routines may be executed by the jurisdiction data integrity server 487.
Prior to beginning the authentication routine 500, an approved gaming software/data component having an assigned program number is selected for authentication. The gaming terminals having or receiving (via a download) the approved gaming software/data components are identified by their machine ID. After identifying the machine IDs and the program numbers, the jurisdiction data integrity server 487 authenticates the selected gaming software/data components using one of a number of authentication techniques, in various embodiments. First, the jurisdiction data integrity server 487 selects (block 502) a seed value generated via a random number generator. The approved gaming software/data component version selected for authentication is stored in its jurisdiction data integrity server 487. The seed value is appended (block 504) to the approved software component version to be authenticated. The combination of the approved software component version and the appended seed value is manipulated via a cryptographic algorithm such as a SHA-1 algorithm to produce a first message digest (block 506). The addition of the randomly generated seed value prevents a would-be attacker (who managed to discover the message digest expected from the particular gaming software/data component) from manipulating the authentication process by deceiving the jurisdiction data integrity server 487 into believing that an unauthentic gaming software/data component installed on the gaming terminal is authentic. The same seed value is transmitted or downloaded (block 508) to the gaming terminal(s) whose gaming software/data components were selected for authentication. Secure transmission of the seed value may occur via the VPN 414 to the customer corporate center router 479, and via the VPN 412 to the identified gaming terminals.
Upon receipt, the gaming terminal performs a similar routine: it appends the seed value to the corresponding gaming software/data component (block 510), performs the same calculation to yield a second message digest (block 512), and then transmits the second message digest to the jurisdiction data integrity server 487. The jurisdiction data integrity server 487 compares (block 514) the received message digest calculated by the gaming terminal (the second message digest) to the message digest it previously generated (the first message digest). A match between the first and second message digests indicates that the gaming software/data component installed on the gaming terminal(s) is authentic (block 516). If the first and second message digests do not match, the gaming software/data is not authentic (block 518) and the jurisdiction data integrity server 487 can execute the steps necessary to take the gaming terminal out of service (block 520) using a suitable fail-safe method. In this way, in one embodiment, gaming terminal software can be authenticated and controlled from a remote location such as the jurisdiction data center. This method of authentication can be similarly executed by other gaming devices within the detailed secure gaming system 400. Additional methods of authentication are described in United States Patent Application Serial No. 10/119,663, entitled "Gaming Software Authentication", naming Gadzic et al. as inventors, filed April 10, 2002, and herein incorporated by reference in its entirety.
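The seed-and-digest exchange of blocks 502-520, written out as an added Python example (it is not code from the patent or from any gaming vendor). The class names, machine IDs, program number and component bytes are constructed for illustration; SHA-1 is the default only because the text names it, and the last case shows how a fixed seed lets a previously recorded digest pass.

```python
import hashlib
import hmac
import secrets


def seeded_digest(component, seed, algorithm="sha1"):
    """Blocks 504-506 and 510-512: append the seed to the component, then hash."""
    h = hashlib.new(algorithm)  # the text names SHA-1; any hashlib name works
    h.update(component)
    h.update(seed)
    return h.digest()


class Terminal:
    """Hypothetical gaming terminal: installed components keyed by program number."""

    def __init__(self, machine_id, components):
        self.machine_id = machine_id
        self.components = dict(components)
        self.in_service = True

    def respond(self, program_number, seed):
        # A missing component is hashed as empty data, so it can never match.
        installed = self.components.get(program_number, b"")
        return seeded_digest(installed, seed)


class ReplayingTerminal(Terminal):
    """Modified terminal that answers with a digest recorded in an earlier round."""

    def __init__(self, machine_id, components, recorded_digest):
        super().__init__(machine_id, components)
        self.recorded_digest = recorded_digest

    def respond(self, program_number, seed):
        return self.recorded_digest  # ignores the seed it was sent


class DataIntegrityServer:
    """Hypothetical stand-in for the data integrity server's routine 500."""

    def __init__(self, approved_components):
        self.approved = dict(approved_components)

    def authenticate(self, terminal, program_number, seed=None):
        if seed is None:
            seed = secrets.token_bytes(16)                          # block 502
        first = seeded_digest(self.approved[program_number], seed)  # blocks 504-506
        second = terminal.respond(program_number, seed)             # blocks 508-512
        authentic = hmac.compare_digest(first, second)              # block 514
        if not authentic:
            terminal.in_service = False                             # blocks 518-520
        return authentic


def run_demo():
    program = "PRG-0001"                        # constructed program number
    approved = b"approved slot game image v1"   # constructed component bytes
    tampered = approved + b" + altered paytable"
    server = DataIntegrityServer({program: approved})

    good = Terminal("M-100", {program: approved})
    bad = Terminal("M-200", {program: tampered})
    results = {
        "authentic": server.authenticate(good, program),
        "tampered": server.authenticate(bad, program),
        "tampered_in_service": bad.in_service,
    }

    # A digest observed during an earlier round that used old_seed.
    old_seed = b"\x01" * 16
    recorded = seeded_digest(approved, old_seed)

    # Fresh random seed: the recorded digest no longer matches.
    replayer = ReplayingTerminal("M-300", {program: tampered}, recorded)
    results["replay_fresh_seed"] = server.authenticate(replayer, program)

    # Counter-case: if the server reused the seed, the replay would be accepted.
    replayer2 = ReplayingTerminal("M-301", {program: tampered}, recorded)
    results["replay_fixed_seed"] = server.authenticate(
        replayer2, program, seed=old_seed)
    return results


if __name__ == "__main__":
    for case, outcome in run_demo().items():
        print(f"{case}: {outcome}")
```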
Referring again to FIGs. 4A and 4B, the jurisdiction data center 430 may also include a jurisdiction test lab 485 configured to test hardware and software aspects of gaming terminals and gaming software/data components. In addition to gaming terminals and servers, the lab may include a variety of equipment and diagnostic tools for testing the gaming terminals and associated gaming software/data components.
IIIe. Game Provider Data Center Network
In the illustrated example, the game provider data center network 428 includes an operation and maintenance (O&M) server 484, a license server 486, a regional game server 483, a global game server 490, and an accounting, authentication, and authorization (AAA) server 492. As will be appreciated by those of ordinary skill in the art, more or fewer servers, configured in another arrangement, may be included in the game provider data center network 428. Although not shown, the game provider regional data center 428 may also include one or more client computers, for example, a game service management client used to access and manage all game provider services.
As previously mentioned, the game provider data center network 428 is owned and operated by or for a provider of casino gaming terminals, associated gaming software, and gaming infrastructure. In general, the game provider regional data center 428 utilizes a VPN with a client-server arrangement to securely authorize, coordinate, enable, monitor, manage, and/or administer the transfer of game software and associated other software (e.g., licenses) between and among the devices of the detailed secure gaming system 400, in one embodiment.
The game provider data center network 428 may be provided at the regional level (e.g., the west region including the areas of Oregon, California, Arizona, New Mexico, Colorado), at the corporate global level, or at multiple levels to provide the safety afforded by redundancy and single, double, etc., fault tolerance.
Within the game provider data center network 428 of FIGs. 4A and 4B, the global game server 490 is configured to maintain a complete database of all game provider products distributed within the detailed secure gaming system 400, in one embodiment. The database of game provider products may include data regarding both hardware and software, their configurations, the status of their gaming software (approved, rejected by a jurisdiction, withdrawn from a jurisdiction and therefore should not be in the field), peripherals associated with its products, versions of the peripherals and their software (e.g., versions of bill validators and versions of bill validation software currently in the field), etc. In addition, the complete database may be used for any number of purposes, for example, to determine whether a particular gaming device in the field requires a software download (e.g., based on its database, the global game server 490 could determine which bill validators need to be updated with a current version of bill validation software).
The global game server 490 provides a root distribution point for game software including handling secure downloading of game software to both game clients (e.g., gaming terminals 450, 452, etc.) and game servers (e.g., server 456), in one embodiment. Secure downloading of game software between the various gaming devices (i.e., between servers, or between a server and a gaming terminal) requires approval by the AAA server 492.
The license server 486, which may be a regional-level server or a global-level server, is configured to handle the management and distribution of gaming terminal licenses to a customer(s). A gaming terminal license allows a particular game in the form of game software to be downloaded to, and/or played on, one or more gaming terminals in the detailed secure gaming system 400. The license server 486 also maintains a database of significant license information. This may include what licenses were purchased by what customers, what licenses have been revoked, what gaming software is currently approved for licensing, the locations of the licensed games, non-available but pending licenses, and all other license information and details. The license server 486 may also be configured to perform all activities associated with game licensing.
The AAA server 492 is configured to provide accounting, authentication, and authorization functions for the game provider, in one embodiment. The accounting function provides an accounting capability to the game provider for any games that the game provider has "on participation" (i.e., the game provider shares in the revenue generated by a game terminal placed in a customer network) or was sold to a customer outright. The accounting capability provided by the AAA server 492 enables the game provider to account for and collect the revenues generated by the gaming terminal. In addition, accounting and/or other metrics information collected from the gaming terminals by the AAA server 492 also may be used to assist in the development of marketing and sales strategies. For example, using data mining or other data correlation techniques, a game provider may be able to determine the popularity of a particular game based on the game's revenue and direct its sales force accordingly. The AAA server 492 can also be used to account for and generate billing information associated with gaming license sales.
The authentication function of the AAA server 492 provides data integrity capability much like the data integrity servers 476 and 487, described above. Thus, in one embodiment, the AAA server 492 maintains a current database (master list) of all information associated with approved, rejected, or withdrawn gaming software provided by the game provider, including gaming software components, jurisdiction, signatures for authentication purposes, etc.; provides authentication and verification capability of gaming terminal software components approved for use by gaming terminals; coordinates the steps necessary to shut down a gaming terminal that has been determined to be running unapproved, unauthentic, or illegal software; and collects revenue data from any number of sources including the individual gaming terminals, the gaming terminal servers 436, 446, 456, the customer corporate center(s) 426, and the game provider data center network(s) 428. The AAA server 492 may also be capable of ensuring that databases maintained by other servers in the gaming system network environment 400 are current, in one embodiment.
Although not shown, a separate data integrity server may be included in the game provider data center network 428 or the functionality of the data integrity server (discussed above) may be included in another server within the game provider data center network 428.
The authorization function of the AAA server 492 provides authorization capability to the game provider data center 428 for any number of gaming related activities, in one embodiment. For example, the AAA server 492 may authorize or deny a gaming license request from the customer corporate center 426 based on a number of factors such as general jurisdiction information (from the jurisdiction data center 430), whether the game associated with the gaming license has been approved for a particular jurisdiction (from the license server 486), credit worthiness of the requesting customer (from the AAA server 492), etc.
e(1). Gaming Software Approval Routine
FIG. 6 is a high level flowchart of an embodiment of a gaming software approval routine 600 that may be performed by one or more gaming devices and the security elements of the secure gaming system environment 100 and/or the detailed secure gaming system 400. As will be appreciated by those of ordinary skill in the art, the steps of the gaming software approval routine 600 may vary and may be executed in any number of the servers illustrated in FIG. 4 or FIG. 1.
Once designed, compiled, and tested by a game provider, gaming software (e.g., software components for a slot game) retains a status of "unapproved" until it has been reviewed, tested, and "accepted" by a jurisdiction regulator. In the illustrated example, the unapproved gaming software is maintained in the global game server 490. The unapproved gaming software is forwarded (block 602) from the global game server 490 to the jurisdiction test lab 485 where lab testing and review is performed (block 604) by jurisdiction regulators. The lab testing may include verifying the gaming software, reviewing the pay tables associated with the gaming software, etc., in order to ensure that the gaming terminal complies with jurisdiction regulations and policies. When approval is granted by the jurisdiction regulators, notification of the approval is received by the global game server 490 (block 606). Upon notification of approval, the status of gaming software is changed (block 608) from the unapproved state to an "approved" state, and an approval number is assigned to the gaming software by the global game server 490. The approval number may come from a jurisdictional authority or it may come from an internally controlled approval database. The "approved" status indicates that the game associated with the approved gaming software is approved for use in the region represented by the jurisdiction data center 430.
After the approval process is complete, licenses associated with the approved new game are made available for purchase to customers in the jurisdiction. Typically, a separate license is required for every gaming terminal running the approved new game. The approved gaming software may additionally be downloaded to the regional game server 483.
A request to purchase a license(s) for the approved new game may come from the individual customer network 420, 422, 424 or the customer corporate center 426. The request may be made via a secure communication path such as the VPN 414. Upon payment (that may be delivered via the VPNs 412, 414), the request for the license is processed and accepted using suitable procedures (block 610). Upon completion of the purchase on behalf of the individual customer networks 420, 422, 424 or the customer corporate center 426, the approved new game is downloaded (block 612) from the regional or global game servers 483, 490, either directly to the individual customer network servers 436, 446, 456 for subsequent downloading to the gaming terminals, or to a server (e.g., customer data integrity server 476) in the customer corporate center 426. If delivered to the server in the customer corporate center 426, the approved new game can subsequently be downloaded to a gaming terminal(s) anytime thereafter, depending on the needs of the customer networks 420, 422, 424.
The operations and maintenance (O&M) server 484 is configured to provide operations, administration, maintenance, and provisioning functions for designated gaming devices and associated hardware/software of the detailed secure gaming system 400, in one embodiment. The level of operations, administration, and maintenance performed by the O&M server 484 varies depending on complexity of the detailed secure gaming system 400. For example, diagnostic tools provided by the O&M server 484 may be enhanced by the addition of corresponding diagnostic tools in the gaming terminals or in the gaming software. Tasks performed by the O&M server 484 may also be performed in other servers of the detailed secure gaming system 400 to ensure redundancy.
Although too numerous to mention, some of the tasks required for operations, administration, and maintenance functions by the O&M server 484 can include monitoring service data such as hopper empty indicators from gaming terminals, remotely diagnosing software and hardware anomalies associated with the gaming devices, performing automated fixes to the gaming devices, automatically facilitating gaming device part ordering and delivery, coordinating and instructing individual field operation technicians or crews, analyzing gaming data to identify recurring problems and patterns (i.e., data mining) in the gaming devices, responding to manual requests for operations and service, automating coordinating gaming software downloads, etc.
A router 494 is provided to route gaming data from the game provider regional data center 428 to other devices within the detailed secure gaming system 400, and vice versa.
IV. GAMING TERMINAL
Fig. 7 is a perspective view of one possible embodiment of a gaming terminal 750. The gaming terminal 750 may be any type of casino gaming terminal and may have varying structures and methods of operation. For example, the gaming terminal 750 may be a mechanical gaming terminal configured to play mechanical slot, or it may be an electromechanical or video gaming terminal configured to play a video casino game such as blackjack, slots, keno, poker, a video lottery game, any number of class II or class III games defined by the Indian Gaming Regulatory Act (IGRA), and so on. For exemplary purposes, various elements of the gaming terminal 750 are described below, but it should be understood that numerous other elements may exist and may be utilized in any number of combinations to create a variety of gaming terminal types.
Referring to Fig. 7, the casino gaming terminal 750 may include a cabinet 712 that includes a door 714 on the front of the gaming terminal 750. The door 714 provides access to the interior of the gaming terminal 750. Attached to the door 714 are audio speaker(s) 717 and belly glass 718 that enable auditory and visual effects to add to the excitement of the gaming experience. For example, the audio speaker(s) 717 may generate audio representing sounds such as the noise of spinning slot machine reels, a dealer's voice, music, announcements or any other audio related to a casino game. Visual effects, including flashing or other patterns displayed from lights behind the belly glass 718, may attract a player to the game and may enhance player excitement.
Also attached to the door 714 are a number of value input devices (discussed below). The value input devices may include a coin slot acceptor 720 or a note acceptor 722 to input value to the gaming terminal 750. The note acceptor 722 may accept value in any number of forms, including currency or a currency-sized paper ticket voucher inscribed with information such as a bar code representing value, the name of the casino, the date, etc. A value input device may include any device that can accept value from a customer. As used herein, the term "value" may encompass gaming tokens, coins, paper currency, ticket vouchers, credit or debit cards, smart cards, and any other object representative of value.
The gaming terminal 750 also includes a player tracking area 723 having a card reader 724, a keypad 725 and a display 726. As will be appreciated by those of ordinary skill in the art, the player tracking area 723 may be located in any number of areas of the gaming terminal 750. The display 726 may be configured using a vacuum fluorescent display (VFD), a liquid crystal display (LCD), and/or a touch screen, and may be used to display simple information to a game player or casino employee. The card reader 724 may include any type of card reading device, such as a magnetic card reader, smart card reader or an optical card reader. The card reader 724 may be used to read data from a card (e.g., a credit card, a player tracking card, or a smart card) offered by a player. If provided for player tracking purposes, the card reader 724 may be used to read data from, and/or write data to, player tracking cards capable of storing data. Such data may include the identity of a player, the identity of a casino, the player's gaming habits, etc. Once gathered, the data may be "mined" (i.e., the data is sorted to identify patterns and establish relationships) for any number of purposes including administering player awards, distinguishing player preferences and habits, accounting, etc.
The card reader 724 may also be used by casino personnel (e.g., a slot technician) to gain access to the gaming terminal in order to perform tasks such as coin collection, hopper filling, etc. In that case, the casino employee may also be required to enter an identifying code, for example a PIN number, via the keypad 725. The keypad may also be used by the casino employee to enter additional information regarding the task. In this way, access to the interior of the gaming terminal 750 is restricted.
If provided on the gaming terminal 750, a ticket printer 729 may be used to print or otherwise encode ticket vouchers 730 with the casino name, the type of ticket voucher, a validation number, a bar code with control and/or security data, the date and time of issuance of the ticket voucher, redemption instructions and restrictions, a description of an award, and/or any other information that may be necessary or desirable. A variety of types of ticket vouchers 730 could be used, such as casino chip ticket vouchers, cash-redemption ticket vouchers, bonus ticket vouchers, extra game play ticket vouchers, merchandise ticket vouchers, restaurant ticket vouchers, show ticket vouchers, etc.
The gaming terminal 750 may also include a video display 731 for displaying images relating to the game or games provided by the gaming unit 750, and an information table (not shown) viewable through the door 714. The video display 731 may be a cathode ray tube (CRT), a high resolution LCD including an LCD-TFT display, a plasma display, or any other type of video display suitable for use in a gaming terminal. The video display 731 may be configured to provide animation, 2-D or 3-D images, digital video playback, and/or any number of other suitable displays. The information table typically includes general game information such as game denominations (e.g., $0.25, $1, $5) and payline options. In the alternative, the gaming terminal 750 may also include a number of mechanical reels and an information table (not shown) viewable through the door 714.
The gaming terminal 750 may also include a box top 734 configured to intensify player excitement through the use of additional speaker(s) 736, a bonus video display screen 738, and an optional microphone (not shown) and camera (not shown). The bonus video display screen 738, configured as a backlit silk screen panel, an LCD screen, or a video monitor, can enable a number of game enhancements such as bonus games, tournament games, progressive jackpot games, etc. In addition, a tower light or candle 742 mounted atop the gaming terminal 750 may be included to provide a quick visual indication of the status of the gaming terminal 750. The candle 742 can have any number of configurations and purposes. For example, the candle 742 may be constructed as a clear tube structure containing a variety of staggered color inserts, which when illuminated in predetermined patterns, indicates a status of the gaming terminal 750 to a player (e.g., money denomination indicator, jackpot winner indicator) or to casino personnel (e.g., maintenance problem). The candle 742 may also provide a location for additional peripheral devices.
The gaming terminal 750 may also include a player control panel 744. The player control panel 744 may be provided with a number of pushbuttons or touch-sensitive areas (i.e., touch screen) that may be pressed by a player to select games, make wagers, make gaming decisions, etc. As used herein, the term "button" is intended to encompass any device that allows a player to make an input, such as a mechanical input device that must be depressed to make an input selection or a display area that a player may simply touch. The number of pushbuttons may include one or more "Bet" buttons for wagering, a "Max Bet" button for making the maximum wager allowable for the game, a "Play" button for beginning play, a "Repeat" button for repeating the previous wagering selection, a "Collect" button for terminating play and cashing out of the game, a "Help" button for viewing a help screen, a "Pay Table" button for viewing the pay tables, a "See Pays" button for causing the video display 731 to generate one or more display screens showing the odds or payout information for the game or games provided by the gaming terminal 750, and a "Call Attendant" button for calling an attendant. In addition, if the gaming terminal 750 provides a slot game having a plurality of reels (video or electro-mechanical), the player control panel 744 may be provided with a number of wager selection buttons, each of which allows a player to specify a wager amount for each pay line selected (via selecting multiple amounts of the smallest wager accepted). Additional game specific buttons may also be provided on the player control panel 744 or elsewhere on the gaming terminal 750 to facilitate play of a specific game executing on the gaming terminal 750.
If the gaming terminal 750 is configured as a mechanical slot game having a number of reels and a number of selectable pay lines which define winning combinations of reel symbols, the control panel 744 also includes a number of selection buttons. The selection buttons allow the player to select one of a number of possible pay lines prior to spinning the reels. For example, five selection buttons may be provided to allow a player to select between one, three, five, seven or nine pay lines prior to each reel spin.
As will be understood by those of ordinary skill in the art, the term "control panel" should not be construed to imply that a panel separate from the housing 712 of the gaming terminal 750 is required, and the term "control panel" may encompass a plurality or grouping of player activatable buttons. Further, although the control panel 744 is shown to be separate from the video display 731, it should be understood that the control panel 744 could be generated by the video display 731 as a touch-sensitive screen.
Although not separately illustrated, the gaming terminal 750 includes a number of universal asynchronous receiver/transmitter ports to facilitate the addition of auxiliary components such as the ticket printer, the touchscreen, the bill validator, etc. Universal asynchronous receiver/transmitter ports may also be included on gaming terminal 750 to enable progressive jackpot capability, diagnostic capability, jurisdiction system capability, server system capability, etc.
FIG. 8 is a flowchart of an embodiment of a main routine 800 that may be performed during operation of one or more of the gaming terminals of FIG. 1 and FIG. 4. The main routine 800 may be stored in one or more of the memories of the controller 200, or it may be stored remotely outside of the gaming terminal 750.
Referring to FIG. 8, the main operating routine 800 may begin operation when the controller 200 detects a value input from a game player (block 802). The controller 200 may detect the value input in any number of ways. For example, the controller 200 may detect the value input if the player deposited one or more coins, paper currency, a card, or a voucher into the gaming terminal 750. Alternatively, the controller 200 may simply detect a player in the vicinity of the gaming terminal 750, either by well known detection methods (e.g., motion detectors, IR sensors) or by the player pressing any button on the gaming terminal 750, and respond accordingly.
Upon detection of the value input, the gaming terminal 750 may terminate its attraction sequence (i.e., a visual and/or audio display designed to attract a player to that particular gaming terminal), if provided, and display a base game list generated (block 804) by the controller 200. The base game list allows the player to view and select from among games available for play on the gaming terminal 750. In addition, the controller 200 may also display player instructions, odds of winning, etc., to the player. Alternatively, in the case of a single-game machine such as a mechanical slot game, upon detection of the value input, the gaming terminal 750 may generate only a single-game routine.
Upon base game selection by the player (block 806), the controller 200 causes one of the number of base game routines to be performed to allow game play (block 808). For example, the base game routines could include a video slot routine, a video poker routine, a video blackjack routine, a video bingo routine, a video keno routine, etc. Upon winning the base game, the controller may dispense credit to the player. If no base game selection is made by the player within a predetermined time period, the gaming terminal 750 may revert back to the beginning of the main routine 800 and, optionally, display an attraction sequence.
After one of the base game routines (e.g., video slot routine, a video poker routine, a video blackjack routine, a video bingo routine, a video keno routine, etc.) has been performed to allow base game play, the controller 200 determines if the player is entitled to an award and/or a bonus game play award (block 810). If an award is due, the controller 200 dispenses credit to the player as discussed above in connection with FIG. 7.
The bonus game play award may include providing specialty games such as Hollywood Squares, Reel 'Em In, Monopoly, etc., or may include providing free additional base game play, for example, free spins in the case of a slot game. Awarding bonus game play is typically triggered by one of a number of predetermined results such as the player winning via a particular combination of reel symbols, selecting a particular symbol, etc. If the controller 200 determines that the player is entitled to bonus game play, the controller 200 enables bonus game play (block 812).
Upon completion of the bonus game play by the player, the controller 200 determines (block 814) whether the player wishes to continue play (via selecting the "Repeat" button) or wishes to terminate the game and cash out (via selecting the "Collect" button). If the player selects to terminate the game and has a credit balance, the controller 200 may dispense (block 816) the credit balance to the player in any number of forms discussed above in connection with FIG. 7. If the player wishes to continue, the controller 200 may again generate the base game selection display, enable base game option selections, or in the case of a single-game machine, may enable the player to select the appropriate game parameters.
If the controller 200 determines that the player is not entitled to bonus game play, it enables additional base game play for the player as discussed above. If the player does not want to continue play, the controller 200 also enables a cash-out option (block 816) to dispense remaining credit to the player.
Slots:
FIG. 9 is an exemplary visual display 900 that may be displayed on the video display 731 during performance of a slot routine. In the illustrated example, the exemplary visual display 900 includes video images 902 of five slot machine reels, each of the five reels having a number of reel symbols 904 disposed thereon. Although the exemplary visual display 900 shows five reel images with three reel symbols visible per reel, other reel configurations may be utilized.
The exemplary visual display 900 also includes a number of buttons to enable slot game play by a player. In the illustrated example, selection of a "Collect" button 914 allows the player to collect winnings at the completion of the slot game; selection of the "Pay Table" button 916 allows the player to view the pay table associated with the slot game; selection of the "Select Lines" button 917 allows the player to select the number of lines to be bet; selection of the "Bet Per Line" button 918 allows the player to change the amount of credits bet on each line; selection of the "Spin Reels" button 920 allows the player to spin the reel images 902; selection of the "Max Bet Spin" button 922 allows the player to bet maximum credits instantly. A "Help" button may also be included to allow the player to get instruction on the slot game play.
FIG. 10 is a flowchart of an embodiment of the slot routine 1000 that may be performed by one or more of the gaming terminals. The slot routine 1000 may be stored in one or more of the memories of the controller 200, or it may be stored remotely outside of the gaming terminals 22. For example, the slot routine 1000 may be stored in the server 28.
Referring to FIG. 10, the slot routine 1000 may begin operation when the controller 200 detects a value input from a game player (block 1002). The controller 200 detects the value input if a player deposited one or more coins, paper currency, a card, or a voucher into the gaming terminal 22. Upon detection of the value input, the controller 200 enables a base game to be played. In the illustrated example, the base game comprises a slot game. However, the base game may also comprise any number of other "traditional" casino games such as video poker, video blackjack, video keno, video bingo, video pachinko, video lottery, etc., as discussed in connection with FIG. 8.
After value input detection, the controller 200 enables a payline selection (block 1004) and a bet-per-payline selection (block 1006) as follows. First, the player may either depress a button such as a "Select Lines" pushbutton provided on the player control panel 744 to make a payline selection or depress a video display button provided by a touch screen on the gaming terminal 22. The payline selection causes one or more paylines to be activated. For example, in the illustrated example, the player may select 3 horizontal paylines, a "V" shaped payline, an inverted "V" shaped payline, etc. across 5 reels. Second, the player may either depress a button such as a "Bet Per Line" pushbutton provided on the player control panel 744 to make a bet-per-payline selection or depress a button provided by a touch screen on the gaming terminal 22. The bet-per-payline selection causes an amount per payline to be wagered with the total wager divided equally between each selected payline. In addition, the controller 200 enables the player to select a maximum bet (via a "Max Bet Spin" button). Thus, the player may choose the maximum bet option causing maximum payline selection and maximum credits (block 1010) rather than the payline selection (block 1004) and the bet-per-payline selection (block 1006).
After receiving the value input and detecting a payline and bet-per-payline, the controller 200 enables play of the base game (block 1008). For example, in the illustrated example, the player may spin the reels by depressing a button such as a "Spin Reels" pushbutton provided on the player control panel 744 or depressing a video display button provided by a touch screen on the gaming terminal 22. Alternatively, if the slot game is a mechanical slot game comprising a number of mechanical reels having reel symbols disposed thereon, the player may pull a handle provided on the gaming terminal 22 to initiate the reel spin.
Upon completion of the base game, the controller 200 determines whether the player has won (block 1012). A paytable, typically displayed on the gaming terminal 22, displays the winning combinations of reel symbols. If the player has won, the controller 200 credits the player's value input based on the paylines and the bet-per-payline selected (block 1014). If the controller 200 determines that the player has not won, the gaming terminal 22 enables additional slot game play for the player (block 1024). The controller 200 also enables a cash-out option (block 1026) via a cash-out button, for example, a "Collect" button provided on the gaming terminal 22. Upon selection of the cash-out button, the gaming terminal dispenses value (block 1028) to the player. The value may be dispensed as coins, paper currency, a credit on a card, or a voucher indicating credit.
In some cases, the controller 200 determines that the player is entitled to an optional bonus game award (block 1016) and enables bonus game play (block 1018). If the controller 200 determines that the player is not entitled to bonus game play, it enables additional slot game play for the player (block 1024). The player may then play again if value input remains (block 1002) or, if no value input remains, the player may deposit additional value input. If additional slot game play is not desired, a cash-out option (block 1026) via the cash-out button is available to the player. Upon selection of the cash-out button, the gaming terminal dispenses value (block 1028) to the player.
Upon completion of the bonus game (block 1018), the controller 200 determines whether the player has won (block 1020). If the player has won, the controller 200 credits the player's value input based on a bonus game paytable (block 1022). If the controller 200 determines that the player has not won, the gaming terminal 22 enables additional slot game play for the player (block 1024). If additional slot game play is not desired, a cash-out option (block 1026) via the cash-out button is available to the player. Upon selection of the cash-out button, the gaming terminal dispenses value (block 1028) to the player.
As may be apparent from the discussion above, embodiments of the present invention provide security methods and apparatus for a secure gaming system environment. The security methods and apparatus are configured in a layered fashion, in one embodiment, as described above to ensure software, hardware, and firmware integrity of the gaming devices, security elements and associated communication networks of the secure gaming system environment.
The security methods and apparatus utilize a combination of perimeter defenses, in one embodiment, such as firewalls, anti-virus software and anti-virus scanners; two factor authentication; authentication of gaming software/data before and after installation including "on demand" authentication; authentication, authorization, and accounting of the gaming sessions; data integrity assurance of designated software files in designated gaming devices in the secure gaming system environment including gaming devices at the network level, the server level and the gaming terminal level; gaming software vulnerability assessment (VA); network VA using network-based scanners and host-based scanners; security information management including security policy implementation, security teams, security reports, incident response, etc., and network-based and host-based proactive and reactive intrusion detection (ID) systems.
For example, the secure gaming apparatus 24, 30 provides access control at the network level that enables secure communication between and among the gaming devices. Access control provided by the secure gaming apparatus 24, 30 is enabled via one or more of VPN application software, firewalls, VPN tunneling protocols, and cryptographic methods/protocols, in one embodiment. The access control apparatus 25, 34 provides access control and authorization determination at the gaming device level. Access control to the gaming devices including software, peripherals, memory, etc. is enabled via access restriction methods provided by the access control apparatus 25, 34, in one embodiment. The access restriction methods include, in one embodiment, gaming device specific firewalls, usernames and passwords, biometric identifiers, access tokens, time-based access, and cryptographic methods/protocols.
The integrity apparatus 26, 32 provides access control at both the network and gaming device levels, in one embodiment, to ensure integrity, authentication, and non-repudiation of gaming software programs received or residing gaming software/data. Access control to the gaming devices including software, peripherals, memory, etc. by the integrity apparatus 26, 32 is enabled, in one embodiment, using one or more individual authentication protocols, for example, MACs, one-way hash algorithms, public-key cryptography (PKI), digital signature schemes or code signing, symmetric encryption, session keys, and random number generators, to name a few. Other advantages of the inventive subject matter may be further apparent to those of skill in the art.
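As an added illustration (not code from this specification), the following Python sketch shows one way an "on demand" authentication of installed gaming software could combine primitives listed above: a session key, a random number generator, and a MAC built on a one-way hash. The function names, the choice of HMAC-SHA256, and the sample software images are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample images; a real terminal would read its stored software.
APPROVED_IMAGE = b"SLOT-GAME v1 paytable=A reels=5" * 64
TAMPERED_IMAGE = APPROVED_IMAGE.replace(b"paytable=A", b"paytable=B", 1)


def new_challenge() -> bytes:
    """Server side: fresh random nonce for each on-demand check."""
    return secrets.token_bytes(32)


def terminal_response(session_key: bytes, nonce: bytes, image: bytes) -> bytes:
    """Terminal side: MAC over the nonce and the image as currently stored."""
    mac = hmac.new(session_key, digestmod=hashlib.sha256)
    mac.update(len(nonce).to_bytes(4, "big") + nonce)  # length-prefixed nonce
    mac.update(image)
    return mac.digest()


def server_verify(session_key: bytes, nonce: bytes, response: bytes,
                  approved_image: bytes) -> bool:
    """Server side: recompute from the approved copy, compare in constant time."""
    expected = terminal_response(session_key, nonce, approved_image)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    key = secrets.token_bytes(32)  # hypothetical per-session key
    n1, n2 = new_challenge(), new_challenge()
    good = terminal_response(key, n1, APPROVED_IMAGE)
    bad = terminal_response(key, n1, TAMPERED_IMAGE)
    other_key = secrets.token_bytes(32)
    return {
        "approved_passes": server_verify(key, n1, good, APPROVED_IMAGE),
        "tampered_fails": not server_verify(key, n1, bad, APPROVED_IMAGE),
        # A response recorded for n1 must not satisfy a later challenge n2.
        "replay_fails": not server_verify(key, n2, good, APPROVED_IMAGE),
        "wrong_key_fails": not server_verify(other_key, n1, good, APPROVED_IMAGE),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

Because the nonce changes on every check, a digest computed once over the approved image cannot be stored and replayed after the image has been altered.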
The various procedures described herein can be implemented in hardware, firmware or software. A software implementation can use microcode, assembly language code, or a higher-level language code. The code may be stored on one or more volatile or non-volatile computer-readable media during execution or at other times. These computer-readable media may include hard disks, removable magnetic disks, removable optical disks, magnetic cassettes, flash memory cards, digital video disks, Bernoulli cartridges, RAMs, ROMs, and the like. Accordingly, a computer-readable medium, including those listed above, may store program instructions thereon to perform a method, which when executed within an electronic device, result in embodiments of the inventive subject matter to be carried out.
From the foregoing, it will be observed that numerous variations and modifications may be effected without departing from the scope of the novel concept of the inventive subject matter. It is to be understood that no limitation with respect to the specific methods and apparatus illustrated herein is intended or should be inferred. It is, of course, intended to cover by the appended claims all such modifications as fall within the scope of the claims.