MULTI-ENCLAVE TOKEN

US 20120198538A1
Filed: 01/27/2012
Published: 08/02/2012
Est. Priority Date: 01/27/2011
Status: Abandoned Application

First Claim

Patent Images

1. A token for use with an electronic system, comprising:

a processor;

non-volatile program storage memory; and

non-volatile data storage memory;

wherein the non-volatile program storage memory contains a single copy of an operating system;

wherein the non-volatile data storage memory comprises a plurality of enclaves each containing policy and setting data usable by the operating system;

wherein the non-volatile data storage memory comprises computer readable code operative to permit the processor to access a selected one of the enclaves of the data-storage memory, and to deny said processor access to all other of said enclaves, and to cause the processor to run the operating system using said policy and setting data contained by said one enclave.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security token has multiple independent application enclaves, on which different application providers can install encryption keys and/or other data to authenticate a user of the token to their respective applications.

42 Citations

View as Search Results

12 Claims

1. A token for use with an electronic system, comprising:
- a processor;
  
  non-volatile program storage memory; and
  
  non-volatile data storage memory;
  
  wherein the non-volatile program storage memory contains a single copy of an operating system;
  
  wherein the non-volatile data storage memory comprises a plurality of enclaves each containing policy and setting data usable by the operating system;
  
  wherein the non-volatile data storage memory comprises computer readable code operative to permit the processor to access a selected one of the enclaves of the data-storage memory, and to deny said processor access to all other of said enclaves, and to cause the processor to run the operating system using said policy and setting data contained by said one enclave.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. A token according to claim 1, further comprising an external communication port;
    - wherein the non-volatile program storage memory contains computer readable code operative to cause the processor, on connection of the external communication port to a computer system, to;
      
      receive through the communication port an enclave query message;
      
      in response to the enclave query message, transmit through the communication port an enclave query response message identifying one or more said enclaves defined on the token;
      
      receive through the communication port an enclave select message specifying one of the enclaves identified in the enclave query response message; and
      
      in response to the enclave select message, permit the token to interact with the computer system using only the specified enclave of the non-volatile data storage memory.
  - 3. A token according to claim 2 operative, upon receiving an unrecognized message instead of said enclave query message, to permit the token to interact with the computer system using only a pre-defined default enclave.
  - 4. A token according to claim 1, wherein said operating system has a data address space smaller than said non-volatile data storage memory, and wherein permitting the processor to access only a selected enclave of the non-volatile data storage memory comprises relating a portion of the non-volatile data storage memory corresponding to the selected enclave to the data address space of the operating system.
  - 5. A token according to claim 4, wherein relating a portion of the non-volatile data storage memory to the data address space of the operating system comprises loading contents of only the respective enclave into volatile memory accessible to the operating system.
  - 6. A token according to claim 1, further comprising information identifying said enclaves, stored in a portion of said non-volatile data storage memory that is not accessible to said processor when said processor is permitted to access any said enclave.
  - 7. A token according to claim 1, wherein data in said non-volatile data storage memory is encrypted, and wherein permitting the processor to access only a selected enclave of the non-volatile data storage memory comprises providing a decryption key specific to the selected enclave.
  - 8. A token according to claim 1, wherein said single copy of the operating system comprises only code common to all of said enclaves, and operating system code that is different for different enclaves is contained for each enclave in the respective policy and setting data.
  - 9. A token according to claim 1, wherein said policy and setting data for each enclave comprises at least one of a registry, an applet, and a key object.

10. A computer system, comprising:
- a processor;
  
  a data communication port; and
  
  non-volatile storage containing computer readable code;
  
  wherein said computer readable code comprises middleware operative to interface with a token connected to said data communication port;
  
  wherein said middleware is operative to cause said processor to;
  
  send an enclave query message through said communication port;
  
  receive through said communication port in response to said enclave query message an enclave query response message identifying one or more enclaves;
  
  determine whether any of said one or more enclaves is an enclave associated with said middleware; and
  
  if sosend an enclave select message specifying said associated enclave through said communication port; and
  
  subsequently interact with said token as if said associated enclave were the only active enclave on said token.
- View Dependent Claims (11)
- - 11. A computer system according to claim 10, further comprising at least one said token that is a token comprising:
    - a processor;
      
      non-volatile program storage memory; and
      
      non-volatile data storage memory;
      
      wherein the non-volatile program storage memory contains a single copy of an operating system;
      
      wherein the non-volatile data storage memory comprises a plurality of enclaves each containing policy and setting data usable by the operating system;
      
      wherein the non-volatile data storage memory comprises computer readable code operative to permit the processor to access a selected one of the enclaves of the data-storage memory, and to deny said processor access to all other of said enclaves, and to cause the processor to run the operating system using said policy and setting data contained by said one enclave.

12. A method of securing data, comprising;
- connecting a token to a computer, the token comprising a processor, a single copy of an operating system, and non-volatile data storage memory divided into a plurality of enclaves;
  
  sending an enclave query message from middleware on the computer to the token;
  
  the token sending to the computer in response to said enclave query message an enclave query response message identifying one or more enclaves on the token;
  
  determining whether any of said one or more enclaves is an enclave associated with said middleware; and
  
  if sosending an enclave select message specifying said associated enclave from said computer to said token;
  
  the token accessing the specified one of the enclaves, running the single copy of the operating system using policy and setting data contained by said specified enclave, and denying access to all other of said enclaves;
  
  andsubsequently interacting with said token as if said associated enclave were the only active enclave on said token.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SafeNet Incorporated (Thales SA)
Original Assignee
SafeNet Incorporated (Thales SA)
Inventors
Spring, Kirk, Geraghty, Elizabeth, McKee, Dean

Application Number

US13/359,682
Publication Number

US 20120198538A1
Time in Patent Office

Days
Field of Search
US Class Current

726/9
CPC Class Codes

G06F 21/78 to assure secure storage of...

MULTI-ENCLAVE TOKEN

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

42 Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

MULTI-ENCLAVE TOKEN

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

42 Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links