PORTABLE COMMUNICATIONS DEVICE WITH ENHANCED SECURITY

US 20080010461A1
Filed: 07/11/2007
Published: 01/10/2008
Est. Priority Date: 07/30/1996
Status: Active Grant

First Claim

Patent Images

1. A portable communications device adapted to provide network security functions, comprising:

a host computerized device comprising an untrusted operating system and untrusted hardware;

a communications stack operative to run on said host computerized device;

a communications interface adapted to establish an ad hoc communications link with an untrusted network; and

security apparatus for use with said stack, said security apparatus adapted to communicate data with other security apparatus on said untrusted network by establishing a security association, and where said security apparatus is configured to;

verify the identity of a user of said portable device before further access is permitted;

receive data sent from a higher layer process in said host computer for transmission over said network;

determine whether an association between said security apparatus and said other security apparatus exists;

encrypt at least a portion of said data using at least one cryptographic key; and

transmit said at least portion to said other security apparatus when said association does exist.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A portable communications device adapted to provide communications security and user identification, and authentication. In one embodiment, the device is useful with an untrusted network, and comprises security apparatus adapted to create associations with one or more security devices on the network. Traffic between the associated devices may be encrypted and residue-protected for e.g., data confidentiality and integrity protection. In one variant, the security apparatus comprises a software entity disposed at least partly within the software stack of a host. A security card may also be used as part of the security apparatus. The portable device may be untrusted (e.g., have an untrusted operating system) and also be physically unsecure. In one variant, the security apparatus is also agnostic to the portable device with which it is used.

103 Citations

View as Search Results

79 Claims

1. A portable communications device adapted to provide network security functions, comprising:
- a host computerized device comprising an untrusted operating system and untrusted hardware;
  
  a communications stack operative to run on said host computerized device;
  
  a communications interface adapted to establish an ad hoc communications link with an untrusted network; and
  
  security apparatus for use with said stack, said security apparatus adapted to communicate data with other security apparatus on said untrusted network by establishing a security association, and where said security apparatus is configured to;
  
  verify the identity of a user of said portable device before further access is permitted;
  
  receive data sent from a higher layer process in said host computer for transmission over said network;
  
  determine whether an association between said security apparatus and said other security apparatus exists;
  
  encrypt at least a portion of said data using at least one cryptographic key; and
  
  transmit said at least portion to said other security apparatus when said association does exist.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43)
- - 2. The device of claim 1, wherein said security apparatus comprises a removable and substantially user- or device-specific security card received at least party within a card reading apparatus of said portable device.
  - 3. The device of claim 2, wherein at least portions of said card are physically secure and protected from unauthorized access.
  - 4. The device of claim 2, wherein said card must exchange security information with said host device before further processing of a user transaction or message is permitted.
  - 5. The device of claim 4, wherein said exchanged security information comprises security information that is unique and specific to said card.
  - 6. The device of claim 2, wherein said at least one cryptographic key is generated at least in part based on security information disposed on said security card.
  - 7. The device of claim 1, wherein said other security apparatus comprises a substantially fixed and at least partly physically secure network access control device.
  - 8. The device of claim 7, wherein said network access control device further comprise an interface providing direct or indirect data communication to another network.
  - 9. The device of claim 1, wherein said other security apparatus comprises an at least partly physically secure network gateway.
  - 10. The device of claim 9, wherein said gateway comprises an interface to a second network, said second network having other security apparatus associated therewith, said other security apparatus of said second network being configured to establish security associations with at least said gateway within said untrusted network.
  - 11. The device of claim 1, wherein said verification of the identity of said user of said portable device comprises verification via a unique name or identification associated with said user.
  - 12. The device of claim 1, wherein said verification of the identity of said user of said portable device comprises verification via a password associated with said user.
  - 13. The device of claim 1, wherein said verification of the identity of said user of said portable device comprises verification via a key associated with said host computerized device.
  - 14. The device of claim 1, wherein said portable computing device further comprises a network protocol used to resolve an IP address from a given hardware or network address.
  - 15. The device of claim 1, wherein said portable computing device further comprises a network protocol used to resolve a given hardware or network address from an IP address.
  - 16. The device of claim 1, wherein said security apparatus is further adapted to authenticate said other security apparatus using a key-exchange algorithm.
  - 17. The device of claim 1, wherein said security apparatus is further adapted to authenticate at least one network security device from which said security apparatus has first requested authentication.
  - 18. The device of claim 1, wherein said security apparatus is disposed substantially within said software stack above the Physical Layer thereof.
  - 19. The device of claim 10, wherein said security apparatus is disposed substantially within said software stack above the Link Layer thereof.
  - 20. The device of claim 10, wherein at least portions of said security apparatus is disposed substantially within said software stack below the Transport Layer thereof.
  - 21. The device of claim 1, wherein said at least one key comprises at least one key of a public/private key pair.
  - 22. The device of claim 2, wherein said card further comprises a device driver.
  - 23. The device of claim 22, wherein said driver comprises an application programming interface (API).
  - 24. The device of claim 1, wherein said association comprises a non-permanent trusted communications channel between and unique to said security apparatus and said other security apparatus.
  - 25. The device of claim 24, wherein said other security apparatus comprises a fixed, substantially stand-alone device.
  - 26. The device of claim 1, wherein said network further comprises an auditor function in data communication therewith, said auditor function adapted to facilitate audit or tracking of unauthorized security events or attempted accesses.
  - 27. The device of claim 1, wherein said other security apparatus comprises at least one interface port, access to which is based at least in part on identification of a user of said portable communications device.
  - 28. The device of claim 1, wherein said security apparatus is adapted to dynamically generate at least one encryption key for each association, said act of generating not requiring either (i) intervention by a network administrator;
    - or (ii) intervention by a user of said portable communications device.
  - 29. The device of claim 1, wherein at least one encryption key is dynamically generated by said security apparatus pursuant to establishing an association with said other security apparatus, said at least one key being specific to a particular session between said security device and said other security device.
  - 30. The device of claim 1, wherein said security apparatus is adapted to encrypt at least portions of said message using a block cipher.
  - 31. The device of claim 1, wherein said security apparatus generates at least one encryption key for use in encrypting at least portions of said message, said at least one encryption key comprises at least a portion of a public/private key pair.
  - 32. The device of claim 1, wherein said network security apparatus generates at least one encryption key for use in encrypting at least portions of said message, said at least one encryption key comprises a symmetric encryption key.
  - 33. The device of claim 1, wherein said network security apparatus generates at least one encryption key, and said at least one encryption key provides confidentiality and integrity of user datagrams during a particular session or association between said security apparatus and said other security apparatus.
  - 34. The device of claim 1, wherein, said security apparatus is further adapted to generate a request message for transmission to at least said other security apparatus, said request message initiating an authentication procedure and comprising at least cryptographic information generated by said portable device.
  - 35. The device of claim 34, wherein, said cryptographic information comprises a cryptographic vector.
  - 36. The device of claim 35, wherein, said cryptographic vector comprises a vector used by said other security apparatus as part of a mutual authentication procedure between said portable device and said other security apparatus.
  - 37. The device of claim 34, wherein, said cryptographic information comprises a cryptographic key.
  - 38. The device of claim 1, wherein said security apparatus, as part of establishing said association, utilizes random data that is transmitted from said other security apparatus.
  - 39. The device of claim 1, wherein said another security apparatus comprises a cryptographic element exchange algorithm adapted to generate and transmit random data to said security apparatus as part of a mutual authentication.
  - 40. The device of claim 1, wherein at least a portion of said transmitted at least portion is evaluated by said other security apparatus using a first cryptographic residue generated at said other network security apparatus using at least locally stored information, and a second residue of said transmitted message.
  - 41. The device of claim 40, wherein said evaluation of said first and second residues comprises comparing said residues to see if they match.
  - 42. The device of claim 41, wherein if said first and second residue does not match, a change in the operation of said other security apparatus is invoked.
  - 43. The device of claim 42, wherein said change in the operation comprises performing a network audit function.

44. A portable communications device, comprising:
- a host computerized device having an untrusted operating system;
  
  a network communications interface adapted to communicate with an untrusted network and said host computer;
  
  a security card adapted to be received at least partly within said host computerized device, said security card having portions comprising user-specific and cryptographic data stored therein, at least said portions being protected against access by unauthorized users;
  
  a first computer program adapted to dynamically obtain at least one identifier for said communications device when said communications interface is placed in data communication with said network;
  
  a second computer program adapted to establish security association between said portable communications device and a security device on said network, said second computer program comprising a key exchange algorithm adapted to cause said portable communications device and said security device to exchange cryptographic keys while establishing said association; and
  
  a third computer program adapted to seal or encrypt data sent from said portable device using at least one of said cryptographic keys.
- View Dependent Claims (45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64)
- - 45. The device of claim 44, wherein said portable device is adapted to dynamically generate at least one encryption key for each security association, said act of generating not requiring either (i) intervention by a network administrator;
    - or (ii) intervention by a user of said portable computerized device.
  - 46. The device of claim 44, wherein said card further comprises a device driver having an application programming interface (API).
  - 47. The device of claim 44, wherein, said second program is further adapted to generate a request message for transmission to at least said security device, said request message initiating an authentication procedure and comprising at least cryptographic information generated by said portable device.
  - 48. The device of claim 47, wherein, said cryptographic information comprises a cryptographic vector.
  - 49. The device of claim 48, wherein, said cryptographic vector comprises a vector used by said security device as part of a mutual authentication procedure between said portable device and said security device.
  - 50. The device of claim 47, wherein, said cryptographic information comprises a cryptographic key.
  - 51. The device of claim 50, wherein, said cryptographic key comprises a key that is part of a public/private key pair.
  - 52. The device of claim 47, wherein, said cryptographic information comprises a digital signature generated based at least in part on said cryptographic data stored in said card.
  - 53. The device of claim 44, wherein said identifier comprises an IP address.
  - 54. The device of claim 53, wherein said first program is further adapted to:
    - (i) obtain an IP address for said another device based on a hardware address thereof;
      
      or (ii) obtain a hardware address for said another device based on an IP address thereof.
  - 55. The device of claim 44, wherein at least a portion of said data sent is evaluated by said security device using a first cryptographic residue generated at said another device using at least locally stored information, and a second residue of said sent data.
  - 56. The device of claim 44, wherein said protection against access by unauthorized users comprises at least physical protection for said at least portions.
  - 57. The device of claim 44, wherein said protection against access by unauthorized users comprises verification of prospective users via a unique name or identification associated with a valid user.
  - 58. The device of claim 44, wherein said protection against access by unauthorized users comprises verification of prospective users via a password associated with a valid user.
  - 59. The device of claim 44, wherein said protection against access by unauthorized users comprises verification of prospective users via a key associated with said host user device.
  - 60. The device of claim 44, wherein said portable computerized device is physically non-secure.
  - 61. The device of claim 44, wherein said security device comprises a gateway, said gateway being in direct or indirect data communication with a second network.
  - 62. The device of claim 61, wherein said second network comprises the Internet, and said second network is in data communication with a website.
  - 63. The device of claim 44, wherein said portable device comprises an encryption algorithm that is initialized at least in part using a cryptographic vector.
  - 64. The device of claim 63, wherein said portable device is adapted to generate a new vector for each encryption event.

65. A portable communications device adapted to provide security functions, comprising:
- a physically unsecure and untrusted host device having an untrusted operating system;
  
  a communications stack operative to run on said host device;
  
  a communications interface adapted to establish temporary two-way communications with an untrusted multi-user network, said interface being driven at least in part by said stack; and
  
  security apparatus for use with said stack, said security apparatus comprising a removable and substantially user-specific security card received at least party within a card reading apparatus of said portable device, said security apparatus adapted to;
  
  verify the identity of a user of said portable device before further access is permitted;
  
  physically secure cryptographic elements uniquely associated with said physically unsecure and untrusted host device or a user thereof; and
  
  exchange security information with said physically unsecure and untrusted host device before further processing of a user transaction or message is permitted.
- View Dependent Claims (66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78)
- - 66. The device of claim 65, wherein said card further comprises a device driver having an application programming interface (API).
  - 67. The device of claim 65, wherein, said security apparatus is further adapted to generate a request message for transmission to a network security device, said request message initiating an authentication procedure and comprising at least cryptographic information generated by said portable device.
  - 68. The device of claim 67, wherein, said cryptographic information comprises a cryptographic vector.
  - 69. The device of claim 68, wherein, said cryptographic vector comprises a vector used by said network security device as part of a mutual authentication procedure between said portable device and said security device.
  - 70. The device of claim 67, wherein, said cryptographic information comprises a cryptographic key.
  - 71. The device of claim 70, wherein, said cryptographic key comprises a key that is part of a public/private key pair.
  - 72. The device of claim 67, wherein, said cryptographic information comprises a digital signature generated based at least in part on cryptographic data stored in said card.
  - 73. The device of claim 65, wherein said security card comprises portions comprising user-specific and cryptographic data stored therein, at least said portions being protected against access by unauthorized users;
  - 74. The device of claim 72, wherein said protection against access by unauthorized users comprises at least physical protection for said at least portions.
  - 75. The device of claim 72, wherein said protection against access by unauthorized users comprises verification of prospective users via a unique name or identification associated with a valid user.
  - 76. The device of claim 72, wherein said protection against access by unauthorized users comprises verification of prospective users via a password associated with a valid user.
  - 77. The device of claim 72, wherein said protection against access by unauthorized users comprises verification of prospective users via a key associated with said host user device.
  - 78. The device of claim 65, wherein said portable device sends data evaluated by a network security device using a first cryptographic residue generated at said network security device using at least locally stored information, and a second residue of said sent data.

79. A portable communications device adapted to provide security functions, comprising:
- a physically unsecure and untrusted host device having an untrusted operating system;
  
  a communications stack operative to run on said host device;
  
  a communications interface adapted to establish temporary two-way communications with an untrusted multi-user network, said interface being driven at least in part by said stack; and
  
  security apparatus for use with said stack, said security apparatus comprising;
  
  (i) a removable and substantially user-specific security card received at least party within a card reading apparatus of said portable device; and
  
  (ii) a security stack operable to interface with one or more layers of said communications stack;
  
  wherein said security apparatus is adapted to;
  
  verify the identity of said user of said portable device before further access to said network via said communications stack is permitted;
  
  physically secure security data elements uniquely associated with said user thereof; and
  
  exchange security information with said physically unsecure and untrusted host device before further processing of a user transaction or message is permitted. wherein said security card is substantially platform agnostic such that it may be removed from and inserted into another portable physically unsecure and untrusted communications device while;
  
  (i) providing similar user-specific security functionality to that of said portable device; and
  
  (ii) substantially preventing compromise of said security data elements.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Round Rock Research LLC
Original Assignee
Micron Technology, Inc.
Inventors
Holden, James, Levin, Stephen, Wrench, Edwin, Nickel, James

Granted Patent

US 7,831,722 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/176
CPC Class Codes

G06F 21/31   User authentication

G06F 21/606   by securing the transmissio...

G06F 21/85   interconnection devices, e....

G06F 2211/001   In-Line Device

G06F 2211/005   Network, LAN, Remote Access...

G06F 2211/007   Encryption, En-/decode, En-...

G06F 2211/009   Trust

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2141   Access rights, e.g. capabil...

G06F 2221/2149   Restricted operating enviro...

G06F 2221/2153   Using hardware token as a s...

H04L 2209/76   Proxy, i.e. using intermedi...

H04L 63/02   for separating internal fro...

H04L 63/0218   Distributed architectures, ...

H04L 63/0442   wherein the sending and rec...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/0869   for achieving mutual authen...

H04L 63/101   Access control lists [ACL]

H04L 63/105   Multiple levels of security

H04L 63/126   the source of the received ...

H04L 63/14 : for detecting or protecting...

H04L 67/141 : Setup of application sessio...

H04L 67/563 : Data redirection of data ne...

H04L 9/3247 : involving digital signatures

H04L 9/3268 : using certificate validatio...

H04L 9/3273 : for mutual authentication n...

H04L 9/40 : Network security protocols

H04W 12/069 : using certificates or pre-s...

View All

PORTABLE COMMUNICATIONS DEVICE WITH ENHANCED SECURITY

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

103 Citations

79 Claims

Specification

Solutions

Use Cases

Quick Links

PORTABLE COMMUNICATIONS DEVICE WITH ENHANCED SECURITY

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

103 Citations

79 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links