System and method for a secure I/O interface

US 20050076228A1
Filed: 07/30/2004
Published: 04/07/2005
Est. Priority Date: 10/02/2003
Status: Active Grant

First Claim

Patent Images

1. A security processor to process incoming and outgoing packets, the security processor comprising:

a switching system to send and receive packets;

a packet engine, coupled to the switching system, to handle classification processing for the incoming and outgoing packets; and

a cryptographic core, coupled to the packet engine, to provide encryption and decryption processing for packets received from the packet engine.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security processor performs all or substantially all security and network processing to provide a secure I/O interface system to protect computing hardware from unauthorized access or attack. The security processor sends and receives all incoming and outgoing data packets for a host device and includes a packet engine, coupled to a local data bus, to process the incoming and outgoing packets. The processor further comprises a cryptographic core coupled to the packet engine to provide encryption and decryption processing for packets processed by the packet engine. The packet engine also handles classification processing for the incoming and outgoing packets. A modulo engine may be coupled to the local data bus.

Citations

29 Claims

1. A security processor to process incoming and outgoing packets, the security processor comprising:
- a switching system to send and receive packets;
  
  a packet engine, coupled to the switching system, to handle classification processing for the incoming and outgoing packets; and
  
  a cryptographic core, coupled to the packet engine, to provide encryption and decryption processing for packets received from the packet engine.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The security processor of claim 1 wherein the packet engine is further operable to handle security context management processing for the incoming and outgoing packets.
  - 3. The security processor of claim 1 further comprising:
    - a local data bus coupled to the switching system; and
      
      a modulo engine coupled to the local data bus.
  - 4. The security processor of claim 1 wherein the packet engine is one of a plurality of packet engines and substantially all of the incoming and outgoing packets to the security processor transit one of the plurality of packet engines.
  - 5. The security processor of claim 4 wherein the cryptographic core is one of a plurality of cryptographic cores coupled one-to-one to the plurality of packet engines and substantially all of the incoming and outgoing packets to the security processor transit a corresponding one of the plurality of cryptographic cores after transiting one of the plurality of packet engines.
  - 6. The security processor of claim 4 wherein the incoming and outgoing packets are provided with a tag upon ingress to one of the plurality of packet engines and the tag determines the egress path within the security processor upon exit from the corresponding one of the plurality of cryptographic cores.
  - 7. The security processor of claim 3 wherein the packet engine, the cryptographic core, and the modulo engine are formed on a single chip.
  - 8. The security processor of claim 7 further comprising a control processor, coupled to the local data bus, for exception handling of the incoming and outgoing packets.
  - 9. The security processor of claim 7 further comprising a key management engine coupled to the local data bus.
  - 10. The security processor of claim 1 further comprising an intrusion detection system coupled between the cryptographic core and the packet engine.
  - 11. The security processor of claim 7 wherein the security processor handles substantially all security processing for the incoming and outgoing packets.
  - 12. The security processor of claim 11 wherein the security processor further handles substantially all network processing for the incoming and outgoing packets.
  - 13. The security processor of claim 1 further comprising an intrusion detection system coupled between the cryptographic core and the packet engine.

14. A security processing system comprising:
- (a) a security processor comprising;
  
  a switching system to send outgoing and to receive incoming packets;
  
  a packet engine, coupled to the switching system, to handle classification processing for the incoming and outgoing packets;
  
  a cryptographic core, coupled to the packet engine, to provide encryption and decryption processing for packets received from the packet engine; and
  
  a local data bus coupled to the switching system; and
  
  (b) a memory coupled to the local data bus.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22)
- - 15. The security processing system of claim 14 further comprising a modulo engine coupled to the local data bus.
  - 16. The security processing system of claim 15 further comprising a key management engine coupled to the local data bus.
  - 17. The security processing system of claim 14 wherein the memory and the security processor are within the same cryptographic boundary.
  - 18. The security processing system of claim 14 wherein the security processor is formed on a single chip.
  - 19. The security processing system of claim 14 further comprising:
    - a memory interface coupled to the local data bus, wherein the memory is coupled to the local data bus using the memory interface; and
      
      a translator coupled to the memory interface to perform translation of data received by the memory interface from the memory.
  - 20. The security processing system of claim 19 wherein the translator performs steganographic translation of the received data.
  - 21. The security processing system of claim 19 wherein the translator performs encryption translation of the received data.
  - 22. The security processing system of claim 14 wherein the security processor is operable to (i) execute boot code to load firmware for execution by the security processor and (ii) authenticate the boot code using a mechanism internal to the security processor prior to operation of the security processor.

23. A security processor to connect a trusted network to an un-trusted network for data packet communication, the security processor comprising:
- a first interface to couple to the trusted network and to the un-trusted network;
  
  a second interface to couple to a host processor;
  
  a switching system operable to selectively couple to the first interface or the second interface;
  
  a local data bus, coupled to the switching system;
  
  a plurality of packet engines coupled to the switching system;
  
  a plurality of cryptographic cores each coupled to one of the plurality of packet engines; and
  
  a control processor, coupled to the local data bus, to control data packet flow within the security processor.
- View Dependent Claims (24, 25)
- - 24. The security processor of claim 23 wherein the security processor is operable to act as a firewall to deny or accept a data packet and to implement a secure communication channel with another computing device in the un-trusted network.
  - 25. The security processor of claim 24 wherein the security processor implements data packet security and authentication functions to support the secure communication channel.

26. A communication system comprising:
- a trusted network; and
  
  a secure interface coupled to the trusted network to carry all incoming and outgoing communications of the trusted network, wherein the secure interface comprises a security processor to handle substantially all security processing for the incoming and outgoing communications.
- View Dependent Claims (27, 28, 29)
- - 27. The communication system of claim 26 wherein the security processor performs substantially all network processing for data packet communications traveling to and from the trusted network.
  - 28. The communication system of claim 27 wherein the secure interface handles substantially all security processing for the incoming and outgoing communications.
  - 29. The communication system of claim 28 wherein the information security processing comprises IPSec processing.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Lionra Technologies Limited (Atlantic IP Services Limited)
Original Assignee
ITT Manufacturing Enterprises, Inc. (ITT, Inc.)
Inventors
Davis, John M., Takahashi, Richard J.

Granted Patent

US 7,685,436 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/188
CPC Class Codes

G06F 21/72   in cryptographic circuits

G06F 21/73   by creating or determining ...

G06F 21/82   Protecting input, output or...

H04L 63/04   for providing a confidentia...

H04L 63/0485   Networking architectures fo...

System and method for a secure I/O interface

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for a secure I/O interface

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links