Secure island computing system and method
First Claim

1. A method comprising:
- receiving, by a secure containment device (SCD), a request to decrypt data, wherein the request is sent from an application executing on a host system over a first input/output (I/O) interface;
- disabling the first I/O interface after receiving the request from the host system;
- after disabling the first I/O interface:
  - obtaining, by the SCD, a user credential from a user, wherein the user credential is input by the user using a user interface on the SCD;
  - obtaining, by the SCD, an encrypted secrets file from secure storage;
  - decrypting, by the SCD, the secrets file using a secrets file encryption key to obtain a decrypted secrets file, wherein the secrets file encryption key is derived using the user credential;
- enabling the first I/O interface after the decrypted secrets file is obtained; and
- after enabling the first I/O interface:
  - providing the decrypted secrets file to the application over the first I/O interface.
Abstract
A mobile computing device includes a secure token, having an embedded processor, a secure persistent storage medium, and a read only memory; and, an application processor and application memory separate from the embedded processor, the secure persistent storage medium, and the read only memory. The application memory stores application instructions for execution by the application processor. The secure persistent storage medium is configured by the embedded processor to store a master secret for an application executing on a remote host. The read only memory stores a security application for receiving, from the remote host, an identifier associated with the master secret; generating, using at least the identifier, a decryption key; obtaining, using the decryption key, from the secure persistent storage medium the master secret; constructing, using the master secret as an input, a pseudorandom result of a cryptographic operation; and returning it to the application executing at the remote host.
21 Claims
1. A method comprising: (independent claim 1; its text is given above under First Claim.)

Dependent claims: 2, 3, 4, 5
6. A method comprising:
- receiving, by a secure containment device (SCD), a request to encrypt data, wherein the request is sent from an application executing on a host system over a first input/output (I/O) interface and wherein the request includes a first data to be encrypted;
- disabling the first I/O interface after receiving the request from the host system;
- after disabling the first I/O interface:
  - obtaining, by the SCD, a user credential from a user, wherein the user credential is input by the user using a user interface on the SCD;
  - obtaining, by the SCD, the first data;
  - encrypting, by the SCD, the first data using a secrets file encryption key to obtain an encrypted secrets file, wherein the secrets file encryption key is derived using the user credential;
  - storing, by the SCD, the encrypted secrets file in secure storage; and
- enabling the first I/O interface.

Dependent claims: 7, 8, 9, 10
11. A system comprising:
- a host system for executing at least one application;
- a secure containment device for performing cryptographic operations in support of the at least one application;
- a first I/O interface for selective communication between said host system and said secure containment device, said first I/O interface capable of being selectively disabled through an interrupt-driven process; and
- a user interface for user communication directly with said secure containment device without using said first I/O interface;
- wherein said first I/O interface is configured to be selectively disabled to prevent communication between said host system and said secure containment device while said secure containment device is performing cryptographic operations; and
- wherein said user interface is capable of selectively communicating with said secure containment device while said first I/O interface is disabled.

Dependent claims: 12, 13, 14, 15, 16, 17
18. A method comprising:
- receiving, by a secure containment device (SCD), a request to decrypt data, wherein the request is sent from an application executing on a host system over a first input/output (I/O) interface;
- disabling the first I/O interface after receiving the request from the host system;
- after disabling the first I/O interface:
  - obtaining, by the SCD, a token activation code from a secured hardware token, wherein the token activation code is provided as a result of user interaction with a secured hardware token interface on the secured hardware token;
  - obtaining, by the SCD, an encrypted secrets file from secure storage;
  - decrypting, by the SCD, the secrets file using a secrets file encryption key to obtain a decrypted secrets file, wherein the secrets file encryption key is derived using the token activation code;
- enabling the first I/O interface after the decrypted secrets file is obtained; and
- after enabling the first I/O interface:
  - providing the decrypted secrets file to the application over the first I/O interface.

Dependent claims: 19
20. A method comprising:
- receiving, by a secure containment device (SCD), a request to encrypt data, wherein the request is sent from an application executing on a host system over a first input/output (I/O) interface and wherein the request includes a first data to be encrypted;
- disabling the first I/O interface after receiving the request from the host system;
- after disabling the first I/O interface:
  - obtaining, by the SCD, a token activation code from a secured hardware token, wherein the token activation code is provided as a result of user interaction with a secured hardware token interface on the secured hardware token;
  - obtaining, by the SCD, the first data;
  - encrypting, by the SCD, the first data using a secrets file encryption key to obtain an encrypted secrets file, wherein the secrets file encryption key is derived using the token activation code;
  - storing, by the SCD, the encrypted secrets file in secure storage; and
- enabling the first I/O interface.

Dependent claims: 21
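The procedure shared by claims 1, 6, 18 and 20, running on the system of claim 11, can be exercised as a small simulation. The Python below is an added example, not code from the patent or from any product that practises it. It assumes PBKDF2-HMAC-SHA256 for deriving the secrets file encryption key from the credential (a user-entered PIN in claims 1 and 6, a token activation code in claims 18 and 20; both are modelled as a `credential_prompt` callable that stands in for the SCD's own user interface or hardware token), and a constructed HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag in place of the cipher the claims leave unspecified. The `HostIOInterface` and `SecureContainmentDevice` classes and their method names are the example's own. The host link is modelled as an object the SCD disables before reading the credential and re-enables only afterwards, so the two properties a reviewer would want to check can be asserted: the credential is never transferred over the host link, and the link is restored even when the credential is wrong and authentication of the secrets file fails.

```python
import hashlib
import hmac
import os


class IOInterfaceDisabled(Exception):
    """Raised when the host tries to use the host<->SCD link while it is disabled."""


class HostIOInterface:
    """Models the 'first I/O interface'. The SCD owns `enabled`; transfers
    attempted while it is False fail, keeping the host out of the key window."""

    def __init__(self):
        self.enabled = True
        self.transfers = []  # (direction, payload) for each successful transfer

    def transfer(self, direction, payload):
        if not self.enabled:
            raise IOInterfaceDisabled("first I/O interface is disabled")
        self.transfers.append((direction, payload))
        return payload


class SecureContainmentDevice:
    """Toy SCD. Assumed (not from the patent): PBKDF2-HMAC-SHA256 key derivation
    and an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag
    standing in for the cipher a real device would use."""

    PBKDF2_ITERATIONS = 100_000
    SALT_LEN = NONCE_LEN = 16
    TAG_LEN = 32

    def __init__(self, host_io, secure_storage=None):
        self.host_io = host_io
        self.secure_storage = {} if secure_storage is None else secure_storage
        self.audit = []  # ordered record of the protocol steps

    # -- credential-derived key and the constructed cipher --------------------
    def _derive_key(self, credential, salt):
        return hashlib.pbkdf2_hmac("sha256", credential.encode("utf-8"), salt,
                                   self.PBKDF2_ITERATIONS, dklen=32)

    @staticmethod
    def _subkey(key, label):
        return hmac.new(key, label, hashlib.sha256).digest()

    @staticmethod
    def _keystream_xor(key, nonce, data):
        out = bytearray()
        for i in range(0, len(data), 32):
            block = hmac.new(key, nonce + (i // 32).to_bytes(4, "big"),
                             hashlib.sha256).digest()
            out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
        return bytes(out)

    def _seal(self, key, plaintext):
        nonce = os.urandom(self.NONCE_LEN)
        ct = self._keystream_xor(self._subkey(key, b"enc"), nonce, plaintext)
        tag = hmac.new(self._subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag

    def _open(self, key, blob):
        nonce, ct, tag = blob[:self.NONCE_LEN], blob[self.NONCE_LEN:-self.TAG_LEN], blob[-self.TAG_LEN:]
        expected = hmac.new(self._subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            raise ValueError("secrets file failed authentication: wrong credential or tampered file")
        return self._keystream_xor(self._subkey(key, b"enc"), nonce, ct)

    # -- the isolation window ------------------------------------------------
    def _obtain_credential(self, credential_prompt):
        # The SCD's own user interface (or hardware token) is consulted only
        # while the host link is down, so the credential never transits it.
        if self.host_io.enabled:
            raise RuntimeError("credential must be read only while the host link is disabled")
        self.audit.append("credential read via SCD user interface")
        return credential_prompt()

    def handle_encrypt_request(self, request, credential_prompt):
        """Claims 6/20: host sends plaintext; SCD isolates, derives key, seals, stores."""
        data = self.host_io.transfer("host->scd", request)["data"]
        self.host_io.enabled = False
        self.audit.append("host I/O disabled")
        try:
            key_salt = os.urandom(self.SALT_LEN)
            key = self._derive_key(self._obtain_credential(credential_prompt), key_salt)
            self.secure_storage["secrets_file"] = key_salt + self._seal(key, data)
            self.audit.append("secrets file stored")
        finally:  # the link comes back up even if a step above fails
            self.host_io.enabled = True
            self.audit.append("host I/O enabled")

    def handle_decrypt_request(self, request, credential_prompt):
        """Claims 1/18: host asks for the secret; SCD isolates, derives key, opens, returns."""
        self.host_io.transfer("host->scd", request)
        self.host_io.enabled = False
        self.audit.append("host I/O disabled")
        try:
            blob = self.secure_storage["secrets_file"]
            key = self._derive_key(self._obtain_credential(credential_prompt), blob[:self.SALT_LEN])
            plaintext = self._open(key, blob[self.SALT_LEN:])
            self.audit.append("secrets file decrypted")
        finally:
            self.host_io.enabled = True
            self.audit.append("host I/O enabled")
        return self.host_io.transfer("scd->host", plaintext)
```

The `try`/`finally` around the isolation window is the design choice worth noting: claims 1 and 6 only say the interface is enabled after the decrypted file is obtained or after storage, but a device that stayed disabled after a failed authentication would leave the host application hung, so the simulation restores the link on every exit path while still refusing to return anything when the tag check fails. The audit list records the step order so a reader can confirm the credential is read strictly inside the disabled window.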