Methods and systems for protecting data in USB systems
Abstract
The various embodiments described below are directed to providing authenticated and confidential messaging from software executing on a host (e.g. a secure software application or security kernel) to and from I/O devices operating on a USB bus. The embodiments can protect against attacks that are levied by software executing on a host computer. In some embodiments, a secure functional component or module is provided and can use encryption techniques to provide protection against observation and manipulation of USB data. In other embodiments, USB data can be protected through techniques that do not utilize (or are not required to utilize) encryption techniques. In accordance with these embodiments, USB devices can be designated as “secure” and, hence, data sent over the USB to and from such designated devices can be provided into protected memory. Memory indirection techniques can be utilized to ensure that data to and from secure devices is protected.
95 Claims
1. A system comprising:
a USB security module configured to process data associated with USB transfers;
an encryptor associated with the module and configured to encrypt data from one or more USB devices; and
a decryptor associated with the module and configured to decrypt encrypted data that is intended for use by a USB device.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11

12. A system comprising:
a USB security module configured to process data associated with USB transfers;
an encryptor associated with the module and configured to encrypt data from one or more USB devices that have been seized; and
a decryptor associated with the module and configured to decrypt encrypted data that is intended for use by a seized USB device.
Dependent claims: 13, 14, 15, 16, 17, 18, 19, 20, 21, 22

23. A USB Host Controller comprising:
a security module configured to process data associated with USB transfers;
an encryptor associated with the module and configured to encrypt data from one or more USB devices;
a decryptor associated with the module and configured to decrypt encrypted data that is intended for use by a USB device; and
a table having entries that indicate, on a device-by-device basis, where encryption and decryption is to be applied.
Dependent claims: 24, 25, 26, 27

28. A USB Hub comprising:
a security module configured to process data associated with USB transfers;
an encryptor associated with the module and configured to encrypt data from one or more USB devices;
a decryptor associated with the module and configured to decrypt encrypted data that is intended for use by a USB device; and
a table having entries that indicate, on a device-by-device basis, where encryption and decryption is to be applied.
Dependent claims: 29, 30, 31, 32

33. A method comprising:
receiving data that is associated with a USB device;
determining whether the received data is associated with a USB device that is intended to be secure; and
if the USB device is intended to be secure, then encrypting or decrypting the data as appropriate.
Dependent claims: 34, 35, 36, 37, 38, 39, 40, 41, 42

43. A system comprising:
means for processing data associated with USB transfers;
means for encrypting data from one or more USB devices and being employable on a device-by-device basis;
means for decrypting data that is intended for use by a USB device and being employable on a device-by-device basis; and
said means for encrypting and means for decrypting being disposed at a location where there is no direct programmatic access by applications executing on a host computer.
Dependent claims: 44, 45, 46

47. A system comprising:
one or more unsecure client applications;
one or more secure client applications;
an unsecure software stack comprising at least one driver that is not secure;
a secure software stack comprising at least one driver that is secure;
a USB host controller driver associated with the secure and unsecure software stack;
the host controller driver being programmable to:
route data to and from unsecure USB devices through the unsecure software stack for use by the one or more unsecure client applications; and
route data to and from secure USB devices through the secure software stack for use by the one or more secure client applications.
Dependent claims: 48, 49

50. A method comprising:
determining whether an unsecure client application has focus;
receiving encrypted data that is intended for use by a client application; and
if the received data is intended for use by the unsecure client application and the unsecure client application has focus, then decrypting the encrypted data.
Dependent claims: 51, 52, 53

54. A method comprising:
determining whether a secure or an unsecure client application has focus;
if a secure client application has focus, instructing a USB host controller to apply encryption/decryption protection to data associated with the secure client application; and
if an unsecure client application has focus, instructing the USB host controller to not apply encryption/decryption protection to data that is associated with the unsecure client application.
Dependent claims: 55

56. A method comprising:
partitioning memory into protected and unprotected memory on a host computer;
for USB devices that are secure, writing and reading data associated with such USB devices to and from the protected memory; and
for USB devices that are not secure, writing and reading data associated with such USB devices to and from the unprotected memory.
Dependent claims: 57, 58, 59, 60, 61, 62, 63

64. A method comprising:
maintaining a table that indicates whether one or more USB devices are secure; and
if a USB device is indicated as secure, copying data into and out of protected portions of memory that are associated with that USB device.
Dependent claims: 65, 66, 67, 68, 69

70. A method comprising:
associating at least one portion of protected memory with at least one secure USB device; and
copying data associated with the one secure USB device to and from the associated portion of protected memory.
Dependent claims: 71, 72, 73, 74, 75

76. A system comprising:
a USB host controller;
a table associated with the host controller and which indicates whether one or more USB devices are secure; and
the host controller being configured to use the table and, if a USB device is indicated by the table as secure, copy data into and out of protected portions of memory that are associated with that USB device.
Dependent claims: 77, 78

79. A system comprising:
protected memory that is configured to be used in connection with secure USB devices;
unprotected memory that is configured to be used with USB devices that are not secure;
a USB host controller associated with the protected and unprotected memory;
the host controller being configured to write and read data associated with secure USB devices to and from the protected memory; and
the host controller further being configured to write and read data for USB devices that are not secure to and from the unprotected memory.
Dependent claims: 80, 81, 82

83. A method comprising:
receiving a request from an application for a USB transaction;
querying the application for a memory location that is to be the subject of the transaction;
receiving a memory location indication from the application, the memory location indication comprising, in an event that the application is a secure application, an indication associated with protected memory;
processing the memory location indication into a transaction description (TD); and
processing the TD with a host controller effective to either copy in or copy out data relative to the protected memory location associated with the memory location indication.
Dependent claims: 84, 85, 86, 87, 88, 89, 90

91. A system comprising:
a USB component assembly configured to:
receive a request from an application for a USB transaction;
query the application for a memory location that is to be the subject of the transaction;
receive a memory location indication from the application, the memory location indication comprising, in an event that the application is a secure application, an indication associated with protected memory;
process the memory location indication into a transaction description (TD);
process the TD with a host controller effective to either copy in or copy out data relative to the protected memory location associated with the memory location indication.
Dependent claims: 92, 93, 94, 95