METHODS OF OPERATING A PORTABLE COMMUNICATIONS DEVICE WITH ENHANCED SECURITY

US 20080016343A1
Filed: 07/11/2007
Published: 01/17/2008
Est. Priority Date: 07/30/1996
Status: Active Grant

First Claim

Patent Images

1. A method of operating a portable communications device, said portable communications device comprising a host computerized device having an untrusted operating system, at least some untrusted hardware, and a communications software stack operative to run on said host device, said portable communications device further comprising security apparatus for use with said stack;

wherein said portable device is configured to operate according to the method comprising;

verifying the identity of a user of said portable device before further access is permitted;

receiving data sent from a higher layer process of said host computerized device for transmission over a network;

determining whether an association between said security apparatus and at least one other security apparatus exists;

encrypting at least a portion of said data using at least one cryptographic key; and

transmitting said at least portion to said at least one other security apparatus when said association does exist.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods of operating a portable communications device so as to provide communications security and user identification and authentication. In one embodiment, the method comprises placing the device in communication with an untrusted network, and using its security apparatus for creating associations with one or more security devices on the network. Traffic between the associated devices may be encrypted and protected for e.g., data confidentiality and integrity protection. In one variant, the security apparatus comprises a software entity disposed at least partly within the software stack of a host, and a removable security card. The portable device may be untrusted (e.g., have an untrusted operating system) and also be physically unsecure.

39 Citations

View as Search Results

79 Claims

1. A method of operating a portable communications device, said portable communications device comprising a host computerized device having an untrusted operating system, at least some untrusted hardware, and a communications software stack operative to run on said host device, said portable communications device further comprising security apparatus for use with said stack;
- wherein said portable device is configured to operate according to the method comprising;
  
  verifying the identity of a user of said portable device before further access is permitted;
  
  receiving data sent from a higher layer process of said host computerized device for transmission over a network;
  
  determining whether an association between said security apparatus and at least one other security apparatus exists;
  
  encrypting at least a portion of said data using at least one cryptographic key; and
  
  transmitting said at least portion to said at least one other security apparatus when said association does exist.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43)
- - 2. The method of claim 1, wherein said security apparatus comprises a removable and substantially user- or device-specific security card received at least party within a card reading apparatus of said portable device.
  - 3. The method of claim 2, wherein at least portions of said card are physically secure and protected from unauthorized access.
  - 4. The method of claim 2, further comprising exchanging security information between said card and said host device before further processing of a user transaction or message is permitted.
  - 5. The method of claim 4, wherein said exchanged security information comprises security information that is unique and specific to said card.
  - 6. The method of claim 2, further comprising generating said at least one cryptographic key at least in part using security information disposed on said security card.
  - 7. The method of claim 1, wherein said determining comprises determining whether an association exists with a substantially fixed and at least partly physically secure network access control device.
  - 8. The method of claim 7, wherein said network access control device further comprise an interface providing direct or indirect data communication to another network.
  - 9. The method of claim 1, wherein said at least one other security apparatus comprises an at least partly physically secure network gateway.
  - 10. The method of claim 9, wherein said gateway comprises an interface to a second network, said second network having other security apparatus associated therewith, said method further comprising establishing security associations between at least said gateway within said untrusted network and said other security apparatus of said second network.
  - 11. The method of claim 1, wherein said act of verifying further comprises verifying via a unique name or identification associated with said user.
  - 12. The method of claim 1, wherein said act of verifying further comprises verifying via a password associated with said user.
  - 13. The method of claim 1, wherein said act of verifying further comprises verifying via a key associated with said host computerized device.
  - 14. The method of claim 1, wherein said portable computing device further comprises a network protocol, and said method further comprises using said protocol to resolve an IP address from a given hardware or network address.
  - 15. The method of claim 1, wherein said portable computing device further comprises a network protocol, and said method further comprises using said protocol to resolve a given hardware or network address from an IP address.
  - 16. The method of claim 1, further comprising authenticating said at least one other security apparatus using a key-exchange algorithm.
  - 17. The method of claim 1, further comprising authenticating at least one network security device from which said security apparatus has first requested authentication.
  - 18. The method of claim 1, wherein said security apparatus comprises software disposed substantially within said communications stack above the Physical Layer thereof.
  - 19. The method of claim 10, wherein said security apparatus comprises software disposed substantially within said communications stack above the Link Layer thereof.
  - 20. The method of claim 10, wherein at least portions of said security apparatus comprises software disposed substantially within said communications stack below the Transport Layer thereof.
  - 21. The method of claim 1, wherein said encrypting using at least one cryptographic key comprises encrypting using at least one key of a public/private key pair.
  - 22. The method of claim 2, wherein said card further comprises a device driver.
  - 23. The method of claim 22, wherein said driver comprises an application programming interface (API).
  - 24. The method of claim 1, wherein said determining whether an association exists comprises determining whether a non-permanent trusted communications channel between and unique to said security apparatus and said at least one other security apparatus exists.
  - 25. The method of claim 24, wherein said at least one other security apparatus comprises a fixed, substantially stand-alone device.
  - 26. The method of claim 1, wherein said network further comprises an auditor function in data communication therewith, and said method further comprises using said auditor to facilitate audit or tracking of unauthorized security events or attempted accesses.
  - 27. The method of claim 1, wherein said at least one other security apparatus comprises at least one interface port, and said method further comprises arbitrating access to said at least one port based at least in part on identification of a user of said portable communications device.
  - 28. The method of claim 1, further comprising generating at least one encryption key for each association, said act of generating not requiring either (i) intervention by a network administrator;
    - or (ii) intervention by a user of said portable communications device.
  - 29. The method of claim 1, further comprising generating said at least one encryption key dynamically by said security apparatus pursuant to establishing an association with said at least one other security apparatus, said at least one key being specific to a particular session between said security device and said at least one other security device.
  - 30. The method of claim 1, wherein said act of encrypting at least portions of said data is performed using a block cipher.
  - 31. The method of claim 1, further comprising generating using at least said security apparatus at least one encryption key for said act of encrypting at least portions of said data, said at least one encryption key comprising at least a portion of a public/private key pair.
  - 32. The method of claim 1, further comprising generating at least one encryption key for use in encrypting said data, said at least one encryption key comprising a symmetric encryption key.
  - 33. The method of claim 1, further comprising generating at least one encryption key, and said at least one encryption key providing confidentiality and integrity of user datagrams during a particular session or association between said security apparatus and said at least one other security apparatus.
  - 34. The method of claim 1, further comprising generating a request message for transmission to at least said at least one other security apparatus, said request message initiating an authentication procedure and comprising at least cryptographic information generated by said portable device.
  - 35. The method of claim 34, wherein said cryptographic information comprises a cryptographic vector.
  - 36. The method of claim 35, wherein said cryptographic vector comprises a vector used by said at least one other security apparatus as part of a mutual authentication procedure between said portable device and said at least one other security apparatus.
  - 37. The method of claim 34, wherein said cryptographic information comprises a cryptographic key.
  - 38. The method of claim 1, wherein said act of establishing said association further comprises utilizing random data that is transmitted from said at least one other security apparatus.
  - 39. The method of claim 1, wherein said at least one other security apparatus comprises a cryptographic element exchange algorithm, and said method further comprises generating and transmitting random data to said security apparatus as part of a mutual authentication.
  - 40. The method of claim 1, wherein at least a portion of said transmitted at least portion is evaluated by said at least one other security apparatus using a first cryptographic residue generated at said at least one other network security apparatus using at least locally stored information, and a second residue of said transmitted message.
  - 41. The method of claim 40, wherein said act of evaluating said first and second residues comprises comparing said residues to see if they match.
  - 42. The method of claim 41, wherein if said first and second residue does not match, a change in the operation of said at least one other security apparatus is invoked.
  - 43. The method of claim 42, wherein said change in the operation comprises performing a network audit function.

44. A method of operating a portable communications device, comprising:
- providing a portable communications device, said portable communications device comprising a host computerized device adapted to run an untrusted operating system, and further comprising a security card adapted to be received at least partly within said host device, said security card having portions comprising user-specific and cryptographic data stored therein, at least said portions being protected against access by unauthorized users;
  
  dynamically obtaining at least one identifier for said portable communications device when a communications interface of said portable communications device is placed in data communication with an untrusted network;
  
  establishing a security association between said portable communications device and a security device on said network, said act of establishing comprising utilizing an algorithm adapted to cause said portable communications device and said security device to establish cryptographic keys while establishing said association; and
  
  sealing or encrypting data sent from said portable device using at least one of said cryptographic keys.
- View Dependent Claims (45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64)
- - 45. The method of claim 44, further comprising dynamically generating at least one encryption key for each security association, said act of generating not requiring either (i) intervention by a network administrator;
    - or (ii) intervention by a user of said portable device.
  - 46. The method of claim 44, wherein said card further comprises a device driver having an application programming interface (API).
  - 47. The method of claim 44, wherein said act of establishing a security association further comprises generating a request message for transmission to at least said security device, said request message initiating an authentication procedure and comprising at least cryptographic information generated by said portable device.
  - 48. The method of claim 47, wherein said cryptographic information comprises a cryptographic vector.
  - 49. The method of claim 48, wherein said cryptographic vector comprises a vector used by said security device as part of a mutual authentication procedure between said portable device and said security device.
  - 50. The method of claim 47, wherein said cryptographic information comprises a cryptographic key.
  - 51. The method of claim 50, wherein said cryptographic key comprises a key that is part of a public/private key pair.
  - 52. The method of claim 47, wherein said cryptographic information comprises a digital signature, and said method comprises generating said signature based at least in part on said cryptographic data stored in said card.
  - 53. The method of claim 44, wherein said identifier comprises an IP address.
  - 54. The method of claim 53, wherein said act of dynamically obtaining at least one identifier further comprises:
    - (i) obtaining an IP address for said security device based on a hardware address thereof;
      
      or (ii) obtaining a hardware address for said security device based on an IP address thereof.
  - 55. The method of claim 44, further comprising evaluating at least a portion of said data sent by said portable device using a first cryptographic residue generated at said security device using at least locally stored information, and a second residue of said sent data.
  - 56. The method of claim 44, wherein said protection against access by unauthorized users comprises at least physical protection for said at least portions.
  - 57. The method of claim 44, wherein said protection against access by unauthorized users comprises verification of prospective users via a unique name or identification associated with a valid user.
  - 58. The method of claim 44, wherein said protection against access by unauthorized users comprises verification of prospective users via a password associated with a valid user.
  - 59. The method of claim 44, wherein said protection against access by unauthorized users comprises verification of prospective users via a key associated with said host user device.
  - 60. The method of claim 44, wherein said portable computerized device is physically non-secure.
  - 61. The method of claim 44, wherein said security device comprises a gateway, said gateway being in direct or indirect data communication with a second network.
  - 62. The method of claim 61, wherein said second network comprises the Internet, and said second network is in data communication with a website.
  - 63. The method of claim 44, wherein said portable device comprises an encryption algorithm, and said method comprises initializing said algorithm at least in part using a cryptographic vector.
  - 64. The method of claim 63, wherein said portable device generates a new vector for each encryption event.

65. A method of operating a portable communications device, comprising:
- providing a portable communications device, said portable communications device comprising a host computerized device adapted to run an untrusted operating system;
  
  providing a security card adapted to be received at least partly within said host device, said security card having portions comprising user-specific and cryptographic data stored therein, at least said portions being protected against access by unauthorized users;
  
  inserting said security card at least partly within said host device;
  
  placing a communications interface of said portable communications device in data communication with an untrusted network;
  
  verifying a user of said portable device using at least a portion of one of said user-specific and cryptographic data and an input supplied by a user via a user interface of said portable device;
  
  exchanging at least a portion of said cryptographic data between said card and host device;
  
  establishing a security association between said portable communications device and a security device on said network, said act of establishing comprising utilizing a cryptographic data exchange algorithm adapted to cause said portable communications device and said security device to exchange cryptographic data while establishing said association so as to enable at least ciphering or encrypting using one or more cryptographic keys; and
  
  ciphering or encrypting data sent from said portable device using at least one of said cryptographic keys.
- View Dependent Claims (66, 67, 70, 71, 72, 73, 74, 75, 76, 77)
- - 66. The method of claim 65, wherein said providing a card comprises providing a card having a device driver with application programming interface (API).
  - 67. The method of claim 65, further comprising generating a request message for transmission to a security device, said request message initiating an authentication procedure and comprising at least cryptographic information generated by said portable device.
  - 70. The method of claim 67, wherein said cryptographic information comprises a cryptographic key.
  - 71. The method of claim 70, wherein said cryptographic key comprises a key that is part of a public/private key pair.
  - 72. The method of claim 67, wherein said cryptographic information comprises a digital signature, and said method further comprises generating said signature based at least in part on cryptographic data stored in said card.
  - 73. The method of claim 65, wherein said providing a security card comprises providing a security card having portions comprising user-specific and cryptographic data stored therein, at least said portions being protected against access by unauthorized users;
  - 74. The method of claim 73, wherein said protection against access by unauthorized users comprises at least physical protection for said at least portions.
  - 75. The method of claim 73, wherein said protection against access by unauthorized users comprises verification of prospective users via a unique name or identification associated with a valid user.
  - 76. The method of claim 73, wherein said protection against access by unauthorized users comprises verification of prospective users via a password associated with a valid user.
  - 77. The method of claim 73, wherein said protection against access by unauthorized users comprises verification of prospective users via a key associated with said host user device.

68. The method of claim 68, wherein said cryptographic information comprises a cryptographic vector.
- View Dependent Claims (69)
- - 69. The method of claim 68, wherein said cryptographic vector comprises a vector used by said network security device as part of a mutual authentication procedure between said portable device and said security device.

78. A method of operating a portable communications device, said device comprising:
- an at least partly untrusted host computerized device adapted to run an untrusted operating system and a software stack;
  
  a security card interface apparatus;
  
  a security card adapted to be received at least partly within said card interface apparatus, said security card having portions comprising cryptographic data stored therein, at least said portions being protected against access by unauthorized users;
  
  a communications interface; and
  
  a user interface;
  
  wherein said method comprises;
  
  placing said communications interface in data communication with an untrusted network;
  
  verifying a user of said portable device using an input supplied by a user via said user interface of said portable device and security software operative to communicate with said software stack;
  
  exchanging at least a portion of said cryptographic data between said card and said host device; and
  
  establishing a security association between said portable communications device and a security device on said network, said act of establishing comprising;
  
  utilizing said cryptographic data to provide a cipher key;
  
  generating a request message including said cipher key;
  
  performing a mutual authentication based at least in part on said cipher key.
- View Dependent Claims (79)
- - 79. The method of claim 78, wherein said placing comprising dynamically obtaining at least one identifier for said portable communications device when said communications interface is placed in data communication with said untrusted network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Round Rock Research LLC
Original Assignee
Micron Technology, Inc.
Inventors
Holden, James, Levin, Stephen, Wrench, Edwin, Nickel, James

Granted Patent

US 8,028,067 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/166
CPC Class Codes

G06F 21/31   User authentication

G06F 21/606   by securing the transmissio...

G06F 21/85   interconnection devices, e....

G06F 2211/001   In-Line Device

G06F 2211/005   Network, LAN, Remote Access...

G06F 2211/007   Encryption, En-/decode, En-...

G06F 2211/009   Trust

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2141   Access rights, e.g. capabil...

G06F 2221/2149   Restricted operating enviro...

G06F 2221/2153   Using hardware token as a s...

H04L 2209/76   Proxy, i.e. using intermedi...

H04L 63/02   for separating internal fro...

H04L 63/0218   Distributed architectures, ...

H04L 63/0442   wherein the sending and rec...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/0869   for achieving mutual authen...

H04L 63/101   Access control lists [ACL]

H04L 63/105   Multiple levels of security

H04L 63/126   the source of the received ...

H04L 63/14 : for detecting or protecting...

H04L 67/141 : Setup of application sessio...

H04L 67/563 : Data redirection of data ne...

H04L 9/3247 : involving digital signatures

H04L 9/3268 : using certificate validatio...

H04L 9/3273 : for mutual authentication n...

H04L 9/40 : Network security protocols

H04W 12/069 : using certificates or pre-s...

View All

METHODS OF OPERATING A PORTABLE COMMUNICATIONS DEVICE WITH ENHANCED SECURITY

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

39 Citations

79 Claims

Specification

Use Cases

Quick Links

Others

METHODS OF OPERATING A PORTABLE COMMUNICATIONS DEVICE WITH ENHANCED SECURITY

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

39 Citations

79 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others