Cryptographic Device with Detachable Data Planes

US 20160156462A1
Filed: 08/30/2013
Published: 06/02/2016
Est. Priority Date: 08/30/2013
Status: Active Grant

First Claim

Patent Images

1. A system for performing one or more of encryption and/or decryption, the system comprising:

a parent cryptographic device configured to receive a first cryptographic key, determine one or more session keys based on the first cryptographic key, and insert the one or more session keys onto one or more child cryptographic devices that are operably connected to the parent cryptographic device; and

the one or more child cryptographic devices, wherein at least one of the one or more child cryptographic devices is configured to receive the one or more session keys from the parent cryptographic device, and perform one or more of encryption or decryption of communications exchanged with another child cryptographic device of the one or more child cryptographic devices.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for performing encryption and/or decryption may include a parent cryptographic device. The parent cryptographic device may be configured to receive a first cryptographic key. The parent cryptographic device may be configured to determine one or more session keys based on the first cryptographic key and/or internally generated random data bits. The parent cryptographic device may be configured to insert the one or more session keys onto one or more child cryptographic devices that are operably connected to the parent cryptographic device. The one or more child cryptographic devices may be configured to receive the one or more session keys from the parent cryptographic device, and perform one or more of encryption or decryption of communications exchanged with another child cryptographic device of the one or more child cryptographic devices. The one or more child cryptographic devices may perform encryption/decryption after separation from the parent cryptographic device.

26 Citations

View as Search Results

20 Claims

1. A system for performing one or more of encryption and/or decryption, the system comprising:
- a parent cryptographic device configured to receive a first cryptographic key, determine one or more session keys based on the first cryptographic key, and insert the one or more session keys onto one or more child cryptographic devices that are operably connected to the parent cryptographic device; and
  
  the one or more child cryptographic devices, wherein at least one of the one or more child cryptographic devices is configured to receive the one or more session keys from the parent cryptographic device, and perform one or more of encryption or decryption of communications exchanged with another child cryptographic device of the one or more child cryptographic devices.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The system as in claim 1, wherein the parent cryptographic device comprises a plurality of interfaces for configuring a plurality of child cryptographic devices at substantially the same time.
  - 3. The system as in claim 1, wherein the parent cryptographic device comprises one or more anti-tamper hardware mechanisms configured for storing the first cryptographic key.
  - 4. The system as in claim 3, wherein the parent cryptographic device is configured to perform fail-safe key management functions for the first cryptographic key.
  - 5. The system as in claim 4, wherein the fail-safe key management function comprises interfacing to a key fill device, authenticating to the key fill device, and receiving the first cryptographic key from the key fill device.
  - 6. The system as in claim 1, wherein each of the one or more child cryptographic devices are inserted with the same session key or keys.
  - 7. The system as in claim 1, wherein the parent cryptographic device is configured to determine that an authenticated cryptographic ignition key (CIK) is interfaced to the parent cryptographic device prior to inserting the one or more session keys onto one or more child cryptographic devices.

8. A cryptographic configuration device configured to load one or more cryptographic keys onto one or more configurable encryption/decryption (E/D) devices, the cryptographic configuration device comprising:
- one or more child interfaces, wherein each child interface is configured to interface with a respective configurable E/D device;
  
  secure tamper memory, wherein the secure tamper memory is configured to store one or more secret keys, and clear memory contents based on operating without power for more than a configured amount of time; and
  
  a microprocessor configured to;
  
  perform fail-safe key management for the one or more secret keys,derive one or more session keys based on the one or more secrets keys using a one-way function or by using internally generated random data bits, andload the one or more session keys onto at least one of the one or more configurable E/D devices using the one or more child interfaces.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The cryptographic configuration device as in claim 8, further comprising an operator interface configured to receive inputs and present outputs, wherein the microprocessor is configured to configure the one or more configurable E/D devices based on inputs received from the operator interface.
  - 10. The cryptographic configuration device as in claim 9, wherein the operator interface is configured to receive an input that is indicative of a type of encryption to be performed by the at least one of the one or more configurable E/D devices, and the microprocessor is configured to configure the at least one of the one or more configurable E/D devices to implement the type of encryption indicated.
  - 11. The cryptographic configuration device as in claim 8, further comprising a serial interface configured to be operably connected to a deployed configurable E/D device while the deployed configurable E/D device is operably connected to a communication system for performing at least one of encryption or decryption.
  - 12. The cryptographic configuration device as in claim 11, wherein the microprocessor is configured to rekey the deployed configurable E/D device using the serial interface while the deployed configurable E/D device is operably connected to the communication system.
  - 13. The cryptographic configuration device as in claim 12, wherein the microprocessor is configured to rekey a second configurable E/D device via the deployed configurable E/D device using the serial interface, wherein the cryptographic configuration device is configured to use the deployed configurable E/D device as a relay for configuring the second configurable E/D device over the air.
  - 14. The cryptographic configuration device as in claim 8, wherein the microprocessor is configured to generated at least one session key using a random number generator.

15. A configurable encryption/decryption (E/D) device comprising:
- an interface connector configured to interface with a cryptographic configuration device and a host communication system bus; and
  
  a programmable logic device comprising one or more logical processing cores and volatile memory, wherein the one or more logical processing cores are configured to;
  
  communicate with the cryptographic configuration device via the interface connector, wherein communicating with the cryptographic configuration device comprises receiving one or more session keys to be used for at least one of encryption or decryption from the cryptographic configuration device,communicate with a host communication system via the interface connector, wherein communicating with the host communication system comprises at least one of transmitting or receiving data over the host communication system bus using the interface connector,encrypt data that is received from a processing unit of the host communication system via a plaintext traffic interface of the interface connector using the one or more session keys, andsend encrypted data to a radio of the host communication system for transmission via a ciphertext traffic interface of the interface connector.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The configurable E/D device as in claim 15, wherein the one or more logical processing cores are further configured to:
    - decrypt data that is received from the radio of the host communication system via the cipherext traffic interface of the interface connector using the one or more session keys; and
      
      send decrypted data to the processing unit of the host communication system for processing via the plaintext interface of the interface connector.
  - 17. The configurable E/D device as in claim 15, further comprising one or more of a battery or a capacitor configured to act as a temporary power supply for a volatile memory region of the programmable logic device, wherein the volatile memory region is configured to erase data stored in the volatile memory region upon loss of power and the one or more of the battery or the capacitor is configured to provide power to the volatile memory region for a limited period of time.
  - 18. The configurable E/D device as in claim 15, further comprising a serial interface, wherein the configurable E/D device is configured to communicate with the cryptographic configuration device via the serial interface while being operably connected to the host communication system via the first interface.
  - 19. The configurable E/D device as in claim 18, wherein the configurable E/D device is configured to receive one or more new session keys via the serial interface while operably connected to the host communication system via the first interface and decrypt the one or more new session keys using a re-keying key provisioned by the cryptographic configuration device.
  - 20. The configurable E/D device as in claim 19, wherein the configurable E/D device is configured to communicate the one or more new session keys to another configurable E/D device via the radio of the host communication system, and to encrypt a message including the one or more new sessions keys using the one or more old session keys.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
L3 Technologies, Inc. (L3Harris Technologies, Inc.)
Original Assignee
L-3 Communications Corporation (L3Harris Technologies, Inc.)
Inventors
Costantini, Frank A., Winslow, Richard Norman

Granted Patent

US 9,515,823 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04B 7/18506   Communications with or from...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/062   for key distribution, e.g. ...

H04L 9/0618   Block ciphers, i.e. encrypt...

H04L 9/083   involving central third par...

H04L 9/0869   involving random numbers or...

H04L 9/0891   Revocation or update of sec...

H04L 9/0897   involving additional device...

H04W 12/04   Key management, e.g. using ...

H04W 12/0431   Key distribution or pre-dis...

Cryptographic Device with Detachable Data Planes

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

26 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Cryptographic Device with Detachable Data Planes

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

26 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links