METHOD AND SYSTEM FOR COMMUNICATION BETWEEN A USB DEVICE AND A USB HOST

US 20100146279A1
Filed: 02/01/2008
Published: 06/10/2010
Est. Priority Date: 02/05/2007
Status: Active Grant

First Claim

Patent Images

1. A method for providing efficient communication between a computer and a plug-and-play secure token connected to the computer, comprising:

upon establishing a physical connection between the computer and the plug-and-play secure token, enumerating the secure token as a device of a first type and as a device of a second type;

launching on the computer a host agent stored on the secure token;

operating the computer according to instructions of a driver for devices of the first type to receive messages communicated in a protocol associated with devices of the first type from the secure token;

operating the computer according to instructions of a driver of devices of the second type to review messages communicated in a protocol associated with devices of the second type from the secure token;

operating the computer according to instructions stored in the host agent to;

receive messages of a first type from the secure token communicated in a protocol associated with messages of the first type via the driver for devices of the first type;

received messages of a second type from the secure token communicated in a protocol associated with messages of the second type via the driver for devices of the second type; and

in response to detecting that message of the first type indicative of an availability of a data in a data buffer, retrieving the available data from the data buffer by sending a message of the second type to the secure token; and

operating the secure token according to instructions of a card-agent program including instructions to;

write data to a second data buffer of the secure token;

upon having written data to the second data buffer, sending a message of the first type indicative of the availability of data in the second data buffer;

upon receiving a message of the second type requesting access to the data buffer, transmitting the contents of the second data buffer using the protocol associated with messages of the second type.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A secure portable electronic device for providing secure services when used in conjunction with a host computer having a central processing unit use two hardware device protocols readily supported by computer operating systems. Other systems and methods are disclosed.

56 Citations

View as Search Results

18 Claims

1. A method for providing efficient communication between a computer and a plug-and-play secure token connected to the computer, comprising:
- upon establishing a physical connection between the computer and the plug-and-play secure token, enumerating the secure token as a device of a first type and as a device of a second type;
  
  launching on the computer a host agent stored on the secure token;
  
  operating the computer according to instructions of a driver for devices of the first type to receive messages communicated in a protocol associated with devices of the first type from the secure token;
  
  operating the computer according to instructions of a driver of devices of the second type to review messages communicated in a protocol associated with devices of the second type from the secure token;
  
  operating the computer according to instructions stored in the host agent to;
  
  receive messages of a first type from the secure token communicated in a protocol associated with messages of the first type via the driver for devices of the first type;
  
  received messages of a second type from the secure token communicated in a protocol associated with messages of the second type via the driver for devices of the second type; and
  
  in response to detecting that message of the first type indicative of an availability of a data in a data buffer, retrieving the available data from the data buffer by sending a message of the second type to the secure token; and
  
  operating the secure token according to instructions of a card-agent program including instructions to;
  
  write data to a second data buffer of the secure token;
  
  upon having written data to the second data buffer, sending a message of the first type indicative of the availability of data in the second data buffer;
  
  upon receiving a message of the second type requesting access to the data buffer, transmitting the contents of the second data buffer using the protocol associated with messages of the second type.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1 further comprising:
    - transmitting messages from the computer to the secure token by writing data to a second data buffer of the secure token using the protocol associated with messages of the second type;
      
      embedding the messages from the computer to the secure token messages of an application layer protocol having at least one security level wherein messages embed therein security credentials permitting the computer to perform restricted actions on the secure token.
  - 3. The method and claim 2 further comprising:
    - operating the secure token to restrict token updates in encrypted and authenticated sessions;
      
      transmitting a message to request initialization of an update session from a source computer to the secure token wherein the message to request initialization of an update session includes information authenticating the source computer to the secure token and includes an encrypted shared secret;
      
      upon receiving the message to request initialization of an update session operating the secure token to decrypt the shared secret and verifying the information authenticating the source computer as authorized to perform volume updates.
  - 4. The method of claim 3 wherein the information authenticating the source computer is a cryptographic signature of the computer.
  - 5. The method of claim 3 further comprisingupon authenticating the computer to perform volume updates, initiating a secure session for updates by encapsulating authenticating information corresponding to the source computer in a command to the secure token.
  - 6. The method of claim 3, wherein the source computer is one selected from group consisting of a local host computer and a remote computer connected to the secure token over a network via the local host computer.
  - 7. The method of claim 1 wherein devices of the first type are typically devices for providing user input to a computer and wherein devices of the second type are typically devices for storing or retrieving a computer data files to or from a token.
  - 8. The method of claim 1, wherein devices of the first type are USB human-interface devices, wherein the step of enumerating the secure token as a device of a first type comprises enumerating the secure token as USB human-interface device, wherein devices of the second type are USB mass storage devices and wherein the step of enumerating the secure token as a device of a second type comprises enumerating the secure token as USB mass storage device.
  - 9. The method of claim 8 wherein the step operating the secure token to transmit a message of the first type indicative of the availability of data in a data buffer comprises a USB HID in report message.

10. A plug-and-play secure token with means for being connected to a computer, wherein the improvement comprises:
- a card-agent program that upon establishing a physical connection between the computer and the plug-an-play secure token, enumerating the secure token as a device of a first type and as a device of a second type;
  
  a host agent stored on the secure token for execution on the host computer, the host agent comprising;
  
  a driver for devices of the first type to receive messages communicated in a protocol associated with devices of the first type from the secure token, anda driver of devices of the second type to receive messages communicated in a protocol associated with devices of the second type from the secure token;
  
  logic to receive messages of a first type from the secure token communicated in a protocol associated with messages of the first type via the driver for devices of the first type;
  
  logic to receive messages of a second type from the secure token communicated in a protocol associated with messages of the second type via the driver for devices of the second type; and
  
  logic to in response to detecting that message of the first type indicative of an availability of a data in a data buffer, retrieving the available data from the data buffer by sending a message of the second type to the secure token; and
  
  the card-agent further comprising instructions to cause the secure token to;
  
  write data to a second data buffer of the secure token;
  
  upon having written data to the second data buffer, sending a message of the first type indicative of the availability of data in the second data buffer;
  
  upon receiving a message of the second type requesting access to the data buffer, transmitting the contents of the second data buffer using the protocol associated with messages of the second type.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The plug-and-play secure token of claim 10 wherein the host-agent further comprises logic to cause the computer to:
    - transmit messages from the computer to the secure token by writing data to a second data buffer of the secure token using the protocol associated with messages of the second type;
      
      embed in the messages from the computer to the secure token messages of an application layer protocol having at least one security level wherein messages embed therein security credentials permitting the computer to perform restricted actions on the secure token.
  - 12. The plug-and-play secure token of claim 11 wherein the card-agent further comprising logic to cause the secure token to:
    - operate the secure token to restrict token updates in encrypted and authenticated sessions;
      
      wherein the host-agent further comprises logic to transmit a message to request initialization of an update session from a source computer to the secure token wherein the message to request initialization of an update session includes information authenticating the source computer to the secure token and includes an encrypted shared secret;
      
      wherein the card-agent further comprises logic to, upon receiving the message to request initialization of an update session, operate the secure token to decrypt the shared secret and verifying the information authenticating the source computer as authorized to perform volume updates.
  - 13. The plug-and-play secure token of claim 12 wherein the information authenticating the source computer is a cryptographic signature of the computer.
  - 14. The plug-and-play secure token of claim 12 wherein the card-agent further comprises instructions to:
    - upon authenticating the computer to perform volume updates, initiate a secure session for updates by encapsulating authenticating information corresponding to the source computer in a command to the secure token.
  - 15. The plug-and-play secure token to claim 10 wherein the source computer is a local host computer or a remote computer connected to the secure token over a network via a local host computer.
  - 16. The plug-and-play secure token of claim 10 wherein devices of the first type are typically devices for providing user input to a computer and wherein devices of the second type are typically devices for storing or retrieving a computer data files to or from a token.
  - 17. The plug-and-play secure token of any of claims 10 wherein devices of the first type are USB human-interface devices, wherein the step of enumerating the secure token as a device of a first type comprises enumerating the secure token as USB human-interface device, wherein devices of the second type are USB mass storage devices and wherein the logic to enumerate the secure token as a device of a second type comprises logic to enumerate the secure token as USB mass storage device.
  - 18. The plug-and-play secure token of claim 17 wherein the logic to operate the secure token to transmit a message of the first type indicative of the availability of data in a data buffer comprises a USB HID in report message.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Gemalto SA (Thales SA)
Original Assignee
Gemalto SA (Thales SA)
Inventors
Durand, Stephane, Lu, HongQian Karen, Ali, Asad, Dolph, Ed, Castillo, Laurent

Granted Patent

US 8,560,852 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/172
CPC Class Codes

G06F 13/10   Program control for periphe...

G06F 21/34   involving the use of extern...

H04L 9/0877   using additional device, e....

H04L 9/0891   Revocation or update of sec...

H04L 9/0897   involving additional device...

METHOD AND SYSTEM FOR COMMUNICATION BETWEEN A USB DEVICE AND A USB HOST

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

56 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD AND SYSTEM FOR COMMUNICATION BETWEEN A USB DEVICE AND A USB HOST

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

56 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links