TRUSTED HOST PLATFORM

US 20070204153A1
Filed: 01/04/2007
Published: 08/30/2007
Est. Priority Date: 01/04/2006
Status: Abandoned Application

First Claim

Patent Images

1. A method for providing access from a trusted host platform to a first secured network and from the trusted host platform to a second secured network, the first secured network operating in a first security domain, the second secured network operation in a second security domain, the first security domain separate and distinct from the second security domain, the trusted host platform unsecure from both the first secure network and the second secure network, the method comprising:

instantiating, on the trusted host platform, a first virtual machine associated with the first secured network;

instantiating, on the trusted host platform, a second virtual machine associated with the second secured network;

establishing a first connection between the first virtual machine on the trusted host platform and the first secured network using at least a first virtual secure storage device;

establishing a second connection between the second virtual machine on the trusted host platform and the second secured network using at least a second virtual secure storage device; and

controlling movement of information from within the first security domain to the second security domain.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The invention provides methods and apparatus, including computer program products, implementing and using techniques for providing access from a trusted host platform to a first secured network operating on a first security domain and a second secured network operating on a second security domain. In some embodiments, a first virtual machine associated with the first secured network is instantiated on the trusted host platform. A second virtual machine associated with the second secured network is also instantiated on the trusted host platform. A first connection is established between the first virtual machine on the trusted host platform and the first secured network using at least a first virtual secure storage device. A second connection also established between the second virtual machine on the trusted host platform and the second secured network using at least a second virtual secure storage device. Furthermore, movement of information from within the first security domain to the second security domain is controlled.

208 Citations

35 Claims

1. A method for providing access from a trusted host platform to a first secured network and from the trusted host platform to a second secured network, the first secured network operating in a first security domain, the second secured network operation in a second security domain, the first security domain separate and distinct from the second security domain, the trusted host platform unsecure from both the first secure network and the second secure network, the method comprising:
- instantiating, on the trusted host platform, a first virtual machine associated with the first secured network;
  
  instantiating, on the trusted host platform, a second virtual machine associated with the second secured network;
  
  establishing a first connection between the first virtual machine on the trusted host platform and the first secured network using at least a first virtual secure storage device;
  
  establishing a second connection between the second virtual machine on the trusted host platform and the second secured network using at least a second virtual secure storage device; and
  
  controlling movement of information from within the first security domain to the second security domain.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 2. The method of claim 1, further comprising:
    - unlocking a secure storage device presented by an authenticated user, wherein the secure storage device includes a plurality of authentication materials and a plurality of authorization materials.
  - 3. The method of claim 2, further comprising:
    - creating the first virtual secure storage device from the secure storage device; and
      
      creating the second virtual secure storage device from the secure storage device.
  - 4. The method of claim 1, wherein the first virtual machine is associated with the first secured network using information stored within the first virtual machine.
  - 5. The method of claim 2, wherein the first virtual machine is associated with the first secured network using information from the secure storage device.
  - 6. The method of claim 1, wherein the first virtual machine is associated with the first secured network using information from configuration materials associated with the first virtual machine.
  - 7. The method of claim 1, wherein the first virtual machine is associated with the first secured network using associations stored within the trusted host platform.
  - 8. The method of claim 1, further comprising associating the first virtual secure storage device with a secure storage device reader associated with the first virtual machine.
  - 9. The method of claim 8, wherein the first virtual secure storage device with a secure storage device reader associated with the first virtual machine comprises associating the first virtual secure storage device with a virtual secure storage device reader associated with the first virtual machine.
  - 10. The method of claim 8, wherein associating the first virtual secure storage device with a secure storage device reader associated with the first virtual machine comprises associating the first virtual secure storage device with a physical secure storage device reader associated with the first virtual machine.
  - 11. The method of claim 2, further comprising:
    - assigning at least a portion of the plurality of authorization materials to the first virtual secure storage device; and
      
      assigning at least a portion of the plurality of authorization materials to the second virtual secure storage device.
  - 12. The method of claim 2, further comprising:
    - determining a plurality of secured networks the user is authorized to access based in part upon the plurality of authorization materials from the secure storage device, the plurality of secured networks including at least the first secured network and the second secured network;
      
      presenting the authenticated user with a plurality of selections, each of the plurality of selections corresponding to one of the plurality of secured networks; and
      
      receiving a selection from the authenticated user corresponding to the first secured network.
  - 13. The method of claim 12, further comprising:
    - establishing a connection between the trusted host platform and the first secured network.
  - 14. The method of claim 1, wherein establishing a first connection between the first virtual machine on the trusted host platform and the first secured network comprises establishing a VPN connection between the first virtual machine on the trusted host platform and the first secured network.
  - 15. The method of claim 2, further comprising associating the first virtual secure storage device with a virtual secure storage device reader associated with the first virtual machine by partitioning the secure storage device within a physical secure device storage reader to provide a first view of the secure storage device relevant to the first virtual machine.
  - 16. The method of claim 2, further comprising mapping a first of the plurality of authentication materials from the secured storage device to the first virtual machine.
  - 17. The method of claim 16, wherein mapping a first of the plurality of authentication materials from the secured storage device to the first virtual machine comprises mapping a first certificate from the secured storage device to the first virtual machine based on a tag within the first certificate.
  - 18. The method of claim 16, wherein mapping the first certificate from the secured storage device to the first virtual machine comprises mapping the first certificate from the secured storage device to the first virtual machine based on a security domain identified within the first certificate.
  - 19. The method of claim 1, wherein controlling movement of information from within the first security domain to the second security domain comprises preventing migration of information from the first security domain to the second security domain.
  - 20. The method of claim 1, further comprising controlling movement of information from within the first security domain to any other security domain.
  - 21. The method of claim 1, wherein controlling movement of information from within the first security domain to the second security domain comprises:
    - preventing migration of information from within the first security domain to the second security domain; and
      
      permitting migration of information from within the second security domain to the first security domain.
  - 22. The method of claim 1, wherein controlling movement of information from within the first security domain to the second security domain comprises controlling movement of information from within the first security domain to the second security domain based upon a security policy stored in the trusted host platform.
  - 23. The method of claim 1, wherein controlling movement of information from within the first security domain to the second security domain comprises permitting migration of information from within the first security domain to the second security domain when a classification level of the first security domain is less than a classification level of the second security domain.
  - 24. The method of claim 23, wherein controlling movement of information from within the first security domain to the second security domain further comprises permitting migration of information from within the first security domain to the second security domain when a classification level of the information to be migrated to the second security domain is less than a classification level of the second security domain.
  - 25. The method of claim 1, further comprising cryptographically assuring the trusted host platform.
  - 26. The method of claim 25, further comprising:
    - cryptographically assuring the first virtual machine; and
      
      cryptographically assuring the second virtual machine.

27. A system for providing access from a trusted host platform to a first secured network and from the trusted host platform to a second secured network, the first secured network operating in a first security domain, the second secured network operation in a second security domain, the first security domain separate and distinct from the second security domain, the trusted host platform unsecure from both the first secure network and the second secure network, the system comprising:
- a first virtual machine instantiated on the trusted host platform, that is associated with the first secured network;
  
  a second virtual machine instantiated on the trusted host platform, that is associated with the second secured network;
  
  a first virtual secure storage device that establishes a first connection between the first virtual machine on the trusted host platform and the first secured network;
  
  a second virtual secure storage device that establishes a second connection between the second virtual machine on the trusted host platform and the second secured network; and
  
  wherein movement of information from within the first security domain to the second security domain is controlled using the trusted host platform.
- View Dependent Claims (28, 29, 30, 31, 32, 33, 34, 35)
- - 28. The system of claim 27, further comprising:
    - a secure storage device that includes a plurality of authentication materials and a plurality of authorization materials, wherein the secure storage device is unlocked by an authenticated user.
  - 29. The system of claim 28, wherein the first virtual secure storage device is created from the secure storage device, and wherein the second virtual secure storage device is created from the secure storage device.
  - 30. The system of claim 28, wherein the secure storage device within a physical secure device storage reader is partitioned to provide a first view of the secure storage device relevant to the first virtual machine.
  - 31. The system of claim 27, wherein movement of information from within the first security domain to the second security domain is controlled by preventing migration of information from within the first security domain to the second security domain, and permitting migration of information from within the second security domain to the first security domain.
  - 32. The system of claim 27, wherein movement of information from within the first security domain to the second security domain is controlled by permitting migration of information from within the first security domain to the second security domain when a classification level of the first security domain is less than a classification level of the second security domain.
  - 33. The method of claim 32, wherein movement of information from within the first security domain to the second security domain further is controlled by permitting migration of information from within the first security domain to the second security domain when a classification level of the information to be migrated to the second security domain is less than a classification level of the second security domain.
  - 34. The system of claim 27, wherein the trusted host platform is cryptographically assured.
  - 35. The system of claim 34, wherein the first virtual machine is cryptographically assured and the second virtual machine is cryptographically assured.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nytor, Inc. (Widearea Systems, Inc.)
Original Assignee
Nytor, Inc. (Widearea Systems, Inc.)
Inventors
Ginter, Karl, Ruof, Kenneth, Tome, Agustin, Smalser, Paul, Riddock, Cary

Application Number

US11/620,008
Publication Number

US 20070204153A1
Time in Patent Office

Days
Field of Search
US Class Current

713/164
CPC Class Codes

H04L 63/0272   Virtual private networks

H04L 63/0823   using certificates cryptogr...

H04L 63/0853   using an additional device,...

TRUSTED HOST PLATFORM

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

208 Citations

35 Claims

Specification

Solutions

Use Cases

Quick Links

TRUSTED HOST PLATFORM

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

208 Citations

35 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links