End-to-End Trusted Communications Infrastructure

US 20160142396A1
Filed: 01/25/2016
Published: 05/19/2016
Est. Priority Date: 06/25/2012
Status: Active Grant

First Claim

Patent Images

1. A method establishing a trusted end-to-end communication link to provide secure access to information, the method comprising:

receiving an input by a processor executing in a trusted security zone of a mobile access terminal, wherein the trusted security zone includes a hardware root of trust and a secure partition that receives the input;

preventing, by execution of the processor in the trusted security zone, applications outside of the trusted security zone from executing on the mobile access terminal, wherein applications that execute outside of the trusted security zone are blocked from accessing the secure partition that received the input;

generating, by a secure application stored in the secure partition and executing on the processor in the trusted security zone of the mobile access terminal, a message and a trust token for transmission via a trusted end-to-end communication link, wherein the trusted end-to-end communication link comprises a plurality of network nodes and provides handling of the message in a corresponding trusted security zone of each network node along the trusted end-to-end communication link; and

transmitting, by the mobile access terminal, the message and trust token along the trusted end-to-end communication link to a trusted cloudlet executing in a trusted security zone of a cloud based server, wherein the cloud based server is one endpoint in the trusted end-to-end communication link with the mobile access terminal.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method establishing a trusted end-to-end communication link is disclosed. The method comprises executing a communication application in a trusted security zone of a mobile access terminal. The method also comprises sending a message from the mobile access terminal to a trusted communication application executing in a trusted security zone of a trusted enterprise edge node. The method further comprises sending the message from the trusted enterprise edge node to a trusted cloudlet executing in a trusted security zone of a cloud based server.

42 Citations

20 Claims

1. A method establishing a trusted end-to-end communication link to provide secure access to information, the method comprising:
- receiving an input by a processor executing in a trusted security zone of a mobile access terminal, wherein the trusted security zone includes a hardware root of trust and a secure partition that receives the input;
  
  preventing, by execution of the processor in the trusted security zone, applications outside of the trusted security zone from executing on the mobile access terminal, wherein applications that execute outside of the trusted security zone are blocked from accessing the secure partition that received the input;
  
  generating, by a secure application stored in the secure partition and executing on the processor in the trusted security zone of the mobile access terminal, a message and a trust token for transmission via a trusted end-to-end communication link, wherein the trusted end-to-end communication link comprises a plurality of network nodes and provides handling of the message in a corresponding trusted security zone of each network node along the trusted end-to-end communication link; and
  
  transmitting, by the mobile access terminal, the message and trust token along the trusted end-to-end communication link to a trusted cloudlet executing in a trusted security zone of a cloud based server, wherein the cloud based server is one endpoint in the trusted end-to-end communication link with the mobile access terminal.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the trust token is associated with the trusted security zone of the mobile access terminal.
  - 3. The method of claim 1, wherein the trust token is verified by a trusted security zone of each network node in the trusted end-to-end communication link prior to being received by the cloud based server, and wherein the trust token validates the trust level of the trusted end-to-end communication link.
  - 4. The method of claim 1, wherein the trust token is encapsulated within the message prior to transmitting the message to the cloud based server via the trusted end-to-end communication link.
  - 5. The method of claim 1, wherein the trust token is comprised within or appended to the message prior to the transmitting.
  - 6. The method of claim 5, wherein each trusted security zone disables execution of applications, that are outside the trusted security zone, during execution of the trusted security zone.
  - 7. The method of claim 6, wherein each trusted security zone comprises at least one of a virtual processor, a physical processor, or a combination thereof.

8. A method establishing a trusted end-to-end communication link to provide secure access to information, the method comprising:
- receiving, by a trusted cloudlet executing in a trusted security zone of a cloud based server, a message and a trust token sent from a mobile access terminal;
  
  determining, by the trusted cloudlet while preventing execution of applications that execute outside of the trusted security zone of the cloud based server, that the message was generated in a trusted security zone of the mobile access terminal based on the trust token;
  
  verifying, by the trusted cloudlet in the trusted security zone of the cloud based server, that the message was handled in trusted security zones along a trusted end-to-end communication link, wherein each trusted security zone includes a hardware root of trust and a secure partition; and
  
  based on the verification, executing the message in the trusted security zone of the cloud based server while preventing execution of applications that execute outside of the trusted security zone of the cloud based server.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The method of claim 8, wherein executing the message in the trusted security zone of the cloud based server maintains continuity of the trusted end-to-end communication link.
  - 10. The method of claim 8, wherein the trusted end-to-end communication link comprises a plurality of network nodes that each handle the message in a corresponding trusted security zone.
  - 11. The method of claim 10, wherein each of the plurality of network nodes generate an additional trust token or append the trust token generated in the trusted security zone of the mobile access terminal.
  - 12. The method of claim 8, further comprising:
    - prior to receiving the message by the trusted cloudlet in the trusted security zone of the cloud based server, responding to a request from a network node of the trusted end-to-end communication link to validate a trusted status of the cloud based server.
  - 13. The method of claim 8, wherein each trusted security zone comprises at least one of a virtual processor, a physical processor, or a combination thereof.

14. A method establishing a trusted end-to-end communication link to provide secure access to information, the method comprising:
- receiving, by a trusted communication application executing in a trusted security zone of a trusted enterprise edge node, a message via a trusted end-to-end communication link from a communication application executing in a trusted security zone of a mobile access terminal;
  
  determining, by the trusted communication application of the trusted enterprise edge node while preventing execution of applications that execute outside of the trusted security zone of the trusted enterprise edge node, that the message was handled in the trusted security zone of the mobile access terminal, wherein each trusted security zone includes a hardware root of trust and a secure partition; and
  
  in response to the determining, sending the message, from the trusted security zone of the trusted enterprise edge node, to a trusted cloudlet executing in a trusted security zone of a cloud based server, wherein sending the message to the trusted security zone of the cloud based server maintains continuity of the trusted end-to-end communication link.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The method of claim 14, wherein the trusted enterprise edge node comprises at least one of a firewall server or a multi-protocol label switching (MPLS) port on a router.
  - 16. The method of claim 14, wherein the trusted security zone of the trusted enterprise edge node includes a processor blocking applications executing in a normal partition outside of the trusted security zone from accessing memory, reading inputs, and writing outputs while the trusted communication application executes in the trusted security zone of the trusted enterprise edge node.
  - 17. The method of claim 14, wherein the trusted security zone of the trusted enterprise edge node is provided by a first virtual processor, and wherein a normal partition of the trusted enterprise edge node is provided by a second virtual processor, and while the first virtual processor is executing, the second virtual processor does not execute instructions.
  - 18. The method of claim 14, wherein at least one trust token is included with the message sent from the trusted security zone of the mobile access terminal via the trusted end-to-end communication link.
  - 19. The method of claim 18, wherein a portion of the trusted end-to-end communication link comprises a cellular wireless communication link.
  - 20. The method of claim 19, wherein the cellular wireless communication link is provided based on at least one of a code division multiple access (CDMA) protocol, a global system for mobile communication (GSM) protocol, a long-term evolution (LTE) protocol, or a worldwide interoperability for microwave access (WiMAX) communication protocol.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
T-Mobile Innovations LLC (Deutsche Telekom AG)
Original Assignee
Sprint Communications Company LP (Deutsche Telekom AG)
Inventors
McRoberts, Leo Michael, Paczkowski, Lyle W., Rondeau, David E.

Granted Patent

US 10,154,019 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

A61B 5/0022   Monitoring a patient using ...

A61B 5/01   Measuring temperature of bo...

A61B 5/021   Measuring pressure in heart...

A61B 5/024   Detecting, measuring or rec...

A61B 5/145   Measuring characteristics o...

A61B 5/1455   using optical sensors, e.g....

G06F 21/32   using biometric data, e.g. ...

G16H 40/67   for remote operation

G16Z 99/00   Subject matter not provided...

H04L 63/08   for authentication of entit...

H04L 63/105   Multiple levels of security

H04L 67/141   Setup of application sessio...

H04W 12/06   Authentication

End-to-End Trusted Communications Infrastructure

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

42 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

End-to-End Trusted Communications Infrastructure

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

42 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others