SYSTEM FOR PROVIDING SECURITY IN A NETWORK COMPRISING COMMUNICATIONS DEVICES
Abstract
A system for providing communications security and authentication to a plurality of computerized devices is disclosed. In one embodiment, the system is useful with an untrusted network, and comprises security apparatus adapted to create associations with a plurality of security devices on the network. Traffic between the associated devices may be encrypted and residue-protected for e.g., data confidentiality and integrity protection. In one variant, the security apparatus of the system comprises a software entity disposed at least partly within the software stack of a host. A security card may also be used as part of the security apparatus system. The computerized devices of the system may be untrusted (e.g., have an untrusted operating system) and also be physically unsecure.
Claims (78)

1. A system for providing secure communications between a plurality of devices, comprising:

a first, substantially portable device comprising a host computer running an untrusted operating system and untrusted hardware, a communications stack operative to run on said host computer, a first security apparatus adapted to establish a security association, and a communications interface adapted to establish a communications link with at least one other device;
a second computerized device comprising a second security apparatus;
a first computer program operative to run on said first portable device and adapted to verify the identity of a user of said first portable device before further access is permitted;
a second computer program operative to run on said first portable device and adapted to receive data sent from a higher layer process in said host computer for transmission over said communications link;
a third computer program operative to run on said first portable device and adapted to determine whether said security association exists with said second security apparatus of said second computerized device;
a fourth computer program operative to run on said first portable device and adapted to encrypt at least a portion of said data using at least one cryptographic key; and
a fifth computer program operative to run on said first portable device and adapted to transmit said at least a portion to said second security apparatus when said security association does exist.

(Dependent claims 2-43 not reproduced.)
44. A system for providing secure communications between two or more devices on a communications network, comprising:

a first, substantially portable communications device comprising a host computerized device running an untrusted operating system and a network communications interface adapted to communicate with said network and said host computerized device;
a remote security device in communication with said network;
a security card adapted to be received at least partly within said first substantially portable communications device, said security card having portions comprising user-specific and cryptographic data stored therein, at least said portions being protected against access by unauthorized users;
a first computer program operative to run on said first substantially portable communications device adapted to dynamically obtain at least one identifier for said portable communications device when said network communications interface is placed in data communication with said network;
a second computer program operative to run on said first substantially portable communications device adapted to establish a security association between said portable communications device and said remote security device, said second computer program comprising a cryptographic data exchange algorithm adapted to cause said portable communications device and said remote security device to exchange cryptographic information while establishing said security association; and
a third computer program operative to run on said first substantially portable communications device adapted to seal or encrypt data sent from said portable device using at least said cryptographic information.

(Dependent claims 45-64 not reproduced.)
65. A security system, comprising:

a portable communications device, said portable communications device comprising a host computerized device adapted to run an untrusted operating system;
a security card adapted to be received at least partly within said host device, said security card having portions comprising user-specific and cryptographic data stored therein, at least said portions being protected against access by unauthorized users;
a card interface apparatus adapted to receive said security card at least partly within said host device;
a communications interface of said portable communications device adapted for data communication with an untrusted network;
software adapted to verify a user of said portable device using at least a portion of one of said user-specific and cryptographic data and an input supplied by a user via a user interface of said portable device;
software adapted to exchange at least a portion of said cryptographic data between said card and host device;
software adapted to establish a security association between said portable communications device and a security device on said network, said establishment comprising use of a cryptographic data exchange algorithm adapted to cause said portable communications device and said security device to exchange cryptographic data while establishing said association so as to enable at least ciphering or encrypting using one or more cryptographic keys; and
software adapted to cipher or encrypt data sent from said portable device using at least one of said cryptographic keys.

(Dependent claims 66-77 not reproduced.)
78. A system for providing security to a plurality of portable communications devices, said system comprising:

a first portable communications device adapted to provide a plurality of security functions, comprising:
a physically unsecure and untrusted host device having an untrusted operating system;
a communications stack operative to run on said host device;
a communications interface adapted to establish temporary two-way communications with an untrusted multi-user network, said interface being driven at least in part by said stack; and
a card reading apparatus; and
security apparatus for use with said communications stack of said first portable communications device, said security apparatus comprising:
(i) a removable and substantially user-specific security card adapted to be received at least partly within said card reading apparatus of said portable device; and
(ii) a security stack operable to interface with one or more layers of said communications stack;
wherein said security apparatus is adapted to:
verify the identity of said user of said portable device before further access to said network via said communications stack is permitted;
physically secure security data elements uniquely associated with said user thereof; and
exchange security information with said physically unsecure and untrusted host device before further processing of a user transaction or message is permitted;
wherein said security card is substantially platform agnostic such that it may be removed from and inserted into another portable physically unsecure and untrusted communications device while:
(i) providing similar user-specific security functionality to that of said portable device; and
(ii) substantially preventing compromise of said security data elements.
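The independent claims together describe one flow: a card-held secret verifies the user before anything else is permitted (claims 1, 65, 78), a cryptographic exchange with the remote security device establishes a security association (claims 44, 65), and data from a higher layer is encrypted and transmitted only when that association exists (claim 1). The Python model below is an added illustration and is not the patent's or any product's code. It stands in a nonce-based, mutually authenticated key agreement on a pre-shared card key K for the unspecified "cryptographic data exchange algorithm", and an HMAC-SHA256 keystream with encrypt-then-MAC for a real AEAD cipher; all class and function names, the message layout and the sample card data are constructed.

```python
"""Model of the claimed flow (added example, not the patent's own code).
Constructed assumptions: a pre-shared card key K, a nonce-based authenticated
key agreement in place of the unspecified exchange algorithm, and an
HMAC-SHA256 keystream with encrypt-then-MAC in place of a real AEAD cipher."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

ROUNDS = 100_000  # PBKDF2 work factor for the card's PIN verifier

def kdf(key: bytes, label: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 derivation keyed on K and bound to the exchanged nonces."""
    return hmac.new(key, label + b"|".join(parts), hashlib.sha256).digest()

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode stream from HMAC-SHA256 (stand-in for AES-CTR); XOR is its own inverse."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = kdf(key, b"ks", nonce, off.to_bytes(4, "big"))
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)

@dataclass
class SecurityCard:
    """Removable user-specific card: salted PIN verifier plus the secret K it never exports."""
    user_id: bytes
    pin_salt: bytes
    pin_hash: bytes
    k: bytes
    unlocked: bool = False

    @classmethod
    def provision(cls, user_id: bytes, pin: str, k: bytes) -> "SecurityCard":
        salt = secrets.token_bytes(16)
        return cls(user_id, salt, hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, ROUNDS), k)

    def verify_user(self, pin: str) -> bool:
        """First program: verify the user before any further access is permitted."""
        self.unlocked = hmac.compare_digest(
            hashlib.pbkdf2_hmac("sha256", pin.encode(), self.pin_salt, ROUNDS), self.pin_hash)
        return self.unlocked

@dataclass
class SecurityAssociation:
    enc_key: bytes
    mac_key: bytes
    seq: int = 0  # per-association sequence number, also used as the cipher nonce

class SecurityDevice:
    """Remote security device: knows K for each enrolled card, keeps one SA per user."""
    def __init__(self, enrolled: dict):
        self.enrolled, self.sas, self.received = enrolled, {}, []

    def respond(self, user_id: bytes, nonce_c: bytes):
        k, nonce_s = self.enrolled[user_id], secrets.token_bytes(16)
        self.sas[user_id] = SecurityAssociation(kdf(k, b"enc", nonce_c, nonce_s), kdf(k, b"mac", nonce_c, nonce_s))
        return nonce_s, kdf(k, b"auth-s", nonce_c, nonce_s)  # proof that the device knows K

    def confirm(self, user_id: bytes, nonce_c: bytes, nonce_s: bytes, proof_c: bytes) -> bool:
        ok = hmac.compare_digest(proof_c, kdf(self.enrolled[user_id], b"auth-c", nonce_c, nonce_s))
        if not ok:
            self.sas.pop(user_id, None)  # peer failed to prove K: no association is kept
        return ok

    def receive(self, user_id: bytes, packet: bytes) -> Optional[bytes]:
        """Verify the tag first, then reject replays, then decrypt."""
        sa = self.sas.get(user_id)
        if sa is None or len(packet) < 36:
            return None
        seq, body, tag = packet[:4], packet[4:-32], packet[-32:]
        if not hmac.compare_digest(tag, hmac.new(sa.mac_key, seq + body, hashlib.sha256).digest()):
            return None
        if int.from_bytes(seq, "big") < sa.seq:
            return None
        sa.seq = int.from_bytes(seq, "big") + 1
        plain = keystream_xor(sa.enc_key, seq, body)
        self.received.append(plain)
        return plain

class HostSecurityStack:
    """Security stack on the untrusted host: drives the card, the association and the transmit path."""
    def __init__(self, card: SecurityCard, device: SecurityDevice):
        self.card, self.device, self.sa = card, device, None

    def establish_association(self) -> bool:
        """Mutual proof of K over fresh nonces; refused while the card is locked."""
        if not self.card.unlocked:
            return False
        nonce_c = secrets.token_bytes(16)
        nonce_s, proof_s = self.device.respond(self.card.user_id, nonce_c)
        if not hmac.compare_digest(proof_s, kdf(self.card.k, b"auth-s", nonce_c, nonce_s)):
            return False
        if not self.device.confirm(self.card.user_id, nonce_c, nonce_s, kdf(self.card.k, b"auth-c", nonce_c, nonce_s)):
            return False
        self.sa = SecurityAssociation(kdf(self.card.k, b"enc", nonce_c, nonce_s), kdf(self.card.k, b"mac", nonce_c, nonce_s))
        return True

    def send(self, data: bytes) -> Optional[bytes]:
        """Programs 2-5: take higher-layer data, refuse without an SA, encrypt-then-MAC, transmit."""
        if self.sa is None:
            return None
        seq = self.sa.seq.to_bytes(4, "big")
        self.sa.seq += 1
        body = keystream_xor(self.sa.enc_key, seq, data)
        packet = seq + body + hmac.new(self.sa.mac_key, seq + body, hashlib.sha256).digest()
        self.device.receive(self.card.user_id, packet)
        return packet
```

The properties worth checking on such a design are the negative paths rather than the happy path: `send` must return nothing while no association exists, `establish_association` must fail while the card is locked or when the peer cannot prove K, and the receiving side must drop packets with a bad tag or a reused sequence number before touching the plaintext.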
Specification