Data enclave and trusted path system

US 5,502,766 A
Filed: 10/26/1993
Issued: 03/26/1996
Est. Priority Date: 04/17/1992
Status: Expired due to Term

First Claim

Patent Images

1. A data enclave for securing data carried on physical units of fixed and removable media in a network including a server and one or more workstations, one or more of the workstations including the physical units of fixed media, comprising:

protected storage in the server and in each of the workstations;

a crypto media controller in each Workstation that can be used to read the fixed media and the removable media;

a personal keying device assigned to each user in the enclave;

an enclave key, a copy held in the protected storage in the server and in each of the workstations and used to protect other keys stored or transmitted on the network;

a personal identification number (PIN) for each user in the enclave;

an access vector associated with each media key to form media key/access vector pairs, the pairs stored in the personal keying devices, and used to represent the possible conditions of access to the data encrypted on the media for the user assigned to the personal keying device holding the media key/access vector pair or pairs;

the media key/access vector pairs stored in the personal keying devices enciphered with a combined key including the user'"'"'s PIN and the enclave key;

device attributes assigned to each Workstation, and used to represent the security attributes of the workstations; and

each crypto media controller including logic for (i) reading a unit of media using the media key received from the personal keying device of the user seeking access to the data, (ii) decrypting a media key/access vector pair received from a personal keying device using the enclave key stored in the controller and the user PIN entered by a user in the personal keying device used by the user seeking access to the data, (iii) decrypting the data on the media using the media key, and (iv) restricting access to the decrypted data based on the access vector and the device attributes for the Workstation from which access is attempted.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A data communication system providing for the secure transfer and sharing of data via a local area network and/or a wide area network. The system includes a secure processing unit which communicates with a personal keying device and a crypto media controller attached to a user'"'"'s Workstation. The communication between these processing elements generates a variety of data elements including keys, identifiers, and attributes. The data elements are used to identify and authenticate the user, assign user security access rights and privileges, and assign media and device attributes to a data access device according to a predefined security policy. The data elements are manipulated, combined, protected, and distributed through the network to the appropriate data access devices, which prevents the user from obtaining unauthorized data.

Citations

11 Claims

1. A data enclave for securing data carried on physical units of fixed and removable media in a network including a server and one or more workstations, one or more of the workstations including the physical units of fixed media, comprising:
- protected storage in the server and in each of the workstations;
  
  a crypto media controller in each Workstation that can be used to read the fixed media and the removable media;
  
  a personal keying device assigned to each user in the enclave;
  
  an enclave key, a copy held in the protected storage in the server and in each of the workstations and used to protect other keys stored or transmitted on the network;
  
  a personal identification number (PIN) for each user in the enclave;
  
  an access vector associated with each media key to form media key/access vector pairs, the pairs stored in the personal keying devices, and used to represent the possible conditions of access to the data encrypted on the media for the user assigned to the personal keying device holding the media key/access vector pair or pairs;
  
  the media key/access vector pairs stored in the personal keying devices enciphered with a combined key including the user'"'"'s PIN and the enclave key;
  
  device attributes assigned to each Workstation, and used to represent the security attributes of the workstations; and
  
  each crypto media controller including logic for (i) reading a unit of media using the media key received from the personal keying device of the user seeking access to the data, (ii) decrypting a media key/access vector pair received from a personal keying device using the enclave key stored in the controller and the user PIN entered by a user in the personal keying device used by the user seeking access to the data, (iii) decrypting the data on the media using the media key, and (iv) restricting access to the decrypted data based on the access vector and the device attributes for the Workstation from which access is attempted.

2. A data enclave method for securing data carried on physical units of fixed and removable media in a network including a server and one or more workstations, one or more of the workstations including the physical units of fixed media, comprising the steps of:
- (a) providing protected storage in the server and in each of the workstations;
  
  (b) providing a crypto media controller in each Workstation that can be used to read the fixed media and the removable media;
  
  (c) providing a personal keying device assigned to each user in the enclave;
  
  (d) providing an enclave key and storing a copy in the protected storage in the server and in each of the workstations and using it to protect other keys stored or transmitted on the network;
  
  (e) providing each user in the enclave a personal identification number (PIN);
  
  (f) providing an access vector associated with each media key to form media key/access vector pairs, storing the pairs in the personal keying devices, and using them to represent the possible conditions of access to the data encrypted on the media for the user assigned to the personal keying device holding the media key/access vector pair or pairs;
  
  storing the media key/access vector pairs in the personal keying devices enciphered with a combined key including the user'"'"'s PIN and the enclave key;
  
  providing device attributes assigned for each Workstation to represent the security attributes of the workstations; and
  
  using the crypto media controller for (i) reading a unit of media using the media key received from the personal keying device of the user seeking access to the data, (ii) decrypting a media key/access vector pair received from a personal keying device using the enclave key stored in the controller and the user PIN entered by a user in the personal keying device used by the user seeking access to the data, (iii) decrypting the data on the media using the media key, and (iv) restricting access to the decrypted data based on the access vector and the device attributes for the Workstation from which access is attempted.

3. A data enclave for securing data carried on physical units of fixed and removable media in a network including a server and one or more workstations, one or more of the workstations including the physical units of fixed media, comprising:
- protected storage in the server and in each of the workstations;
  
  a crypto media controller in each Workstation that can be used to read the fixed media and the removable media;
  
  a personal keying device assigned to each user in the enclave;
  
  an enclave key, a copy held in the protected storage in the server and in each of the workstations and used to protect other keys stored or transmitted on the network;
  
  a personal identification number (PIN) for each user in the enclave;
  
  a user unique identifier (user UID) assigned to each user in the enclave and stored in the user'"'"'s personal keying device encrypted with the enclave key;
  
  user attributes associated with each user to which a user UID has been assigned, and used to represent the privileges and other security related information that pertains to that user;
  
  a media key for each unit of media, and used to encrypt and protect data carried on the media, the media keys stored in the personal keying devices;
  
  a media unique identifier (media UID) for each unit of media, stored on the media, and used to identify the corresponding media key for the unit of media stored in a personal keying device, and to identify media attributes assigned to the unit of media;
  
  media attributes associated with each unit of media to which a media UID has been assigned, and used to represent the sensitivity or other security related information that may pertain to the data carried on that unit of media;
  
  an access vector associated with each media key to form media key/access vector pairs, stored in the personal keying devices, and used to represent the possible conditions of access to the data encrypted on the media for the user assigned to the personal keying device holding the media key/access vector pair or pairs, each access vector formed using the corresponding media attributes and user attributes, and a set of access rules;
  
  the media key/access vector pairs stored in the personal keying devices enciphered with a combined key including the user'"'"'s UID, the user'"'"'s PIN and the enclave key;
  
  device attributes assigned to each Workstation, and used to represent the security attributes of the workstations;
  
  each crypto media controller including access control logic for restricting access to the data on the media based on the user'"'"'s PIN, the access vector and the device attributes for the Workstation from which access is attempted.
- View Dependent Claims (4, 5, 6)
- - 4. A system according to claim 3 further comprising:
    - key management crypto logic in each crypto media controller for (i) receiving a requesting user'"'"'s PIN from a personal keying device, (ii) receiving an encrypted user UID from the personal keying device and decrypting the user UID using the enclave key, and (iii) forming a first packet including the requesting user'"'"'s PIN, the user UID and a request for initialization of a new unit of media, the request including the media attributes for the new unit of media;
      
      key management crypto logic in the server for decrypting the first packet using the enclave key stored in the server;
      
      storage search logic in the server for (i) reading a user attribute data base stored in the server using the user UID as an index, (ii) returning a pass value if the requesting user'"'"'s PIN received in the first packet matches a valid PIN stored in the user attribute data base, (iii) aborting the request for initialization if the requesting user'"'"'s PIN in not valid, (iv) extracting the media attributes from the request and commanding a media attribute data base stored in the server to make an entry for the new unit of media, and to create a new media UID for the new unit of media, and (v) indexing the user attribute data base with the user UID to extract the set of security attributes pertaining to the requesting user and passing the security attributes to security policy logic in the server;
      
      the security policy logic for accepting the media attributes and the requesting user'"'"'s security attributes and, using a set of rules and/or under the direction of a system administrator, computing a new access vector which defines limits on the access the requesting user will have to the new unit of media;
      
      the key management crypto in the server also for (i) generating, with the optional aid of a system administrator, a new media key for the new unit of media, and (ii) and enciphering the new media key/access vector pair formed with the new media key and new access vector with a combined key including the user UID, the user PIN and the enclave key, to form a second packet;
      
      the storage search logic also for storing the enciphered second packet in a crypto key data base stored in the server, the second packet indexed according to the requesting user'"'"'s user UID and the new media UID;
      
      the server further including logic for sending the new media UID and the second packet to the Workstation from which the first packet was received; and
      
      the crypto media controller including storage search logic for (i) receiving the new media UID and writing it to an appropriate location on the new unit of media and (ii) storing the second packet containing the new media key/access vector pair in the personal keying device attached to the Workstation using the new media UID as an index.
  - 5. A system according to claim 3 further comprising:
    - key management crypto logic in each crypto media controller for (i) receiving a requesting user'"'"'s PIN from a personal keying device, (ii) receiving an encrypted user UID from the personal keying device and decrypting the user UID using the enclave key, and (iii) reading the media UID off an initialized unit of media and searching the personal keying device for a media key/access vector pair for the initialized unit of media for the requesting user using the user'"'"'s PIN as an index, and (iv) if no pair is found generating a request for a key assignment;
      
      the key management crypto logic further for (i) forming a first packet including the requesting user'"'"'s PIN and user UID, the media UID for the initialized unit of media, and the request for key assignment, (ii) encrypting the first packet with the enclave key, and (iii) sending the packet to the security server over the network;
      
      key management crypto logic in the server for decrypting the first packet using the enclave key stored in the server to obtain the requesting user'"'"'s PIN and user UID, and the media UID and the request;
      
      storage search logic in the security server for (i) reading a user attribute data base stored in the server using the user UID as an index, (ii) returning a pass value if the requesting user'"'"'s PIN received in the first packet matches a valid PIN stored in the user attribute data base, (iii) aborting the request for initialization set forth in the first packet if the requesting user'"'"'s PIN in not valid, (iv) reading the user attribute data base using the user'"'"'s PIN as an index and extracting the security attributes of the requesting user, and (v) passing the security attributes to security policy logic in the server;
      
      the security policy logic receiving the security attributes and computing a new access vector which defines limits on the access the user may have to the initialized unit of media, the new access vector computed using a set of rules and/or with the intervention of a system administrator;
      
      the storage search logic also for (i) finding an enciphered key packet in a crypto key data base held in the security server which has been previously stored and which contains the media key for the initialized unit of media, (ii) when a packet is found extracting the media key from it, and (iii) forming a new media key/access vector pair with the extracted media key and the new access vector, and a new key packet including the new media key/access vector pair, the user UID, and the media UID, and placing the new key packet in the crypto key data base for archival purposes;
      
      the crypto key logic also for enciphering the new media key/access vector pair with a combined key including the user UID, the user'"'"'s PIN, and the enclave key, and transmitting the enciphered packet along the network to the crypto media controller; and
      
      the crypto media controller using the media UID as an index to store the new media key/access vector pair in the personal keying device from which the user'"'"'s PIN was entered whereby the personal keying device contains a media key which can only be used by someone who has physical possession of that personal keying device, knows the user PIN associated with the media key, and has physical possession of the unit of media controlled by a crypto media controller containing the enclave key, the access of the user further being restricted by the access vector paired with the media key.
  - 6. A system according to claim 3 further comprising:
    - the crypto media controller also for (i) receiving a user PIN from a personal keying device from a user seeking access to an initialized unit of media under control of the crypto media controller;
      
      storage search logic in the crypto media controller for (i) reading the initialized unit of media and extracting the media UID, (ii) searching the storage in the personal keying device and extracting the enciphered media key/access vector pair for the media UID and passing it to a key management crypto in the crypto media controller;
      
      the key management crypto for (i) fetching the user UID from the personal keying device and deciphering it using the enclave key, (ii) combining the user UID, the user PIN, and the enclave key to form a combined key to decrypt the media key/access vector pair, and passing the extracted media key to a data crypto and the access vector to the access control logic;
      
      the data crypto for deciphering data on a unit of media using the media key and passing it to the access control logic, the data deciphered in response to a read or write request for the data by the Workstation;
      
      the access control logic for controlling whether the desired mode of access is permitted based on the access vector and the device attributes contained within the crypto media controller, and aborting the attempted access to the data if the access is not permitted and otherwise permitting the access whereby data is transferred to a Workstation for processing; and
      
      the crypto media controller including logic for causing a complete reset of the crypto media controller and requiring the keying process to be started from the beginning in the event that the personal keying device is uncoupled or the unit of media is removed from the Workstation.

7. A data enclave method for securing data carried on physical units of fixed and removable media in a network including a server and one or more workstations, one or more of the workstations including the physical units of fixed media, comprising the steps of:
- (a) providing protected storage in the server and in each of the workstations;
  
  (b) providing a crypto media controller in each Workstation and using it to read the fixed media and the removable media;
  
  (c) providing a personal keying device for each user in the enclave;
  
  (d) providing an enclave key, a copy held in the protected storage in the server and in each of the workstations, and using it to protect other keys stored or transmitted on the network;
  
  (e) providing a personal identification number (PIN) for each user in the enclave;
  
  (f) providing a user unique identifier (user UID) for each user in the enclave and storing it in the user'"'"'s personal keying device encrypted with the enclave key;
  
  (g) providing user attributes for each user to which a user UID has been assigned, and using them represent the privileges and other security related information that pertains to each user;
  
  (h) providing a media key for each unit of media, and using it to encrypt and protect data carried on the media, and storing the media keys in the personal keying devices;
  
  (i) providing a media unique identifier (media UID) for each unit of media, and storing it on the associated media, and using them to identify the corresponding media key for the unit of media stored in a personal keying device, and to identify media attributes assigned to the unit of media;
  
  (j) providing media attributes associated with each unit of media to which a media UID has been assigned, and using them to represent the sensitivity or other security related information that may pertain to the data carried on the units of media;
  
  (k) providing an access vector associated with each media key to form media key/access vector pairs, storing them in the personal keying devices, and using them to represent the possible conditions of access to the data encrypted on the media for the user assigned to the personal keying device holding the media key/access vector pair or pairs, and forming the access vector using the corresponding media attributes and user attributes, and a set of access rules;
  
  (l) storing the media key/access vector pairs in the personal keying devices enciphered with a combined key including the user'"'"'s UID, the user'"'"'s PIN and the enclave key;
  
  (m) providing device attributes for each Workstation, and using them to represent the security attributes of the workstations; and
  
  (n) providing access control logic in each crypto media controller for restricting access to the data on the media based on the user'"'"'s PIN, the access vector and the device attributes for the Workstation from which access is attempted.
- View Dependent Claims (8, 9, 10)
- - 8. A method according to claim 7 further comprising the steps of:
    - (a) providing key management crypto logic in each crypto media controller for (i) receiving a requesting user'"'"'s PIN from a personal keying device, (ii) receiving an encrypted user UID from the personal keying device and decrypting the user UID using the enclave key, and (iii) forming a first packet including the requesting user'"'"'s PIN, the user UID and a request for initialization of a new unit of media, the request including the media attributes for the new unit of media;
      
      (b) providing key management crypto logic in the server for decrypting the first packet using the enclave key stored in the server;
      
      (c) providing storage search logic in the server for (i) reading a user attribute data base stored in the server using the user UID as an index, (ii) returning a pass value if the requesting user'"'"'s PIN received in the first packet matches a valid PIN stored in the user attribute data base, (iii) aborting the request for initialization if the requesting user'"'"'s PIN in not valid, (iv) extracting the media attributes from the request and commanding a media attribute data base stored in the server to make an entry for the new unit of media, and to create a new media UID for the new unit of media, and (v) indexing the user attribute data base with the user UID to extract the set of security attributes pertaining to the requesting user and passing the security attributes to security policy logic in the server;
      
      (d) the security policy logic accepting the media attributes and the requesting user'"'"'s security attributes and, using a set of rules and/or under the direction of a system administrator, computing a new access vector which defines limits on the access the requesting user will have to the new unit of media;
      
      (e) the key management crypto in the server also (i) generating, with the optional aid of a system administrator, a new media key for the new unit of media, and (ii) and enciphering the new media key/access vector pair formed with the new media key and new access vector with a combined key including the user UID, the user PIN and the enclave key, to form a second packet;
      
      (f) the storage search logic also storing the enciphered second packet in a crypto key data base stored in the server, the second packet indexed according to the requesting user'"'"'s user UID and the new media UID;
      
      (g) providing further logic for sending the new media UID and the second packet to the Workstation from which the first packet was received; and
      
      (h) providing storage search logic in the crypto media controller for (i) receiving the new media UID and writing it to an appropriate location on the new unit of media and (ii) storing the second packet containing the new media key/access vector pair in the personal keying device attached to the Workstation using the new media UID as an index.
  - 9. A method according to claim 7 further comprising the steps of:
    - (a) providing key management crypto logic in each crypto media controller for (i) receiving a requesting user'"'"'s PIN from a personal keying device, (ii) receiving an encrypted user UID from the personal keying device and decrypting the user UID using the enclave key, and (iii) reading the media UID off an initialized unit of media and searching the personal keying device for a media key/access vector pair for the initialized unit of media for the requesting user using the user'"'"'s PIN as an index, and (iv) if no pair is found generating a request for a key assignment;
      
      (b) the key management crypto logic in the workstations further (i) forming a first packet including the requesting user'"'"'s PIN and user UID, the media UID for the initialized unit of media, and the request for key assignment, (ii) encrypting the first packet with the enclave key, and (iii) sending the packet to the security server over the network;
      
      (c) providing key management crypto logic in the server for decrypting the first packet using the enclave key stored in the server to obtain the requesting user'"'"'s PIN and user UID, and the media UID and the request;
      
      (d) providing storage search logic in the security server for (i) reading a user attribute data base stored in the server using the user UID as an index, (ii) returning a pass value if the requesting user'"'"'s PIN received in the first packet matches a valid PIN stored in the user attribute data base, (iii) aborting the request for initialization set forth in the first packet if the requesting user'"'"'s PIN in not valid, (iv) reading the user attribute data base using the user'"'"'s PIN as an index and extracting the security attributes of the requesting user, and (v) passing the security attributes to security policy logic in the server;
      
      (f) the security policy logic receiving the security attributes and computing a new access vector which defines limits on the access the user may have to the initialized unit of media, the new access vector computed using a set of rules and/or with the intervention of a system administrator;
      
      (g) the storage search logic also (i) finding an enciphered key packet in a crypto key data base held in the security server which has been previously stored and which contains the media key for the initialized unit of media, (ii) when a packet is found extracting the media key from it, and (iii) forming a new media key/access vector pair with the extracted media key and the new access vector, and a new key packet including the new media key/access vector pair, the user UID, and the media UID, and placing the new key packet in the crypto key data base for archival purposes;
      
      (h) the crypto key logic also enciphering the new media key/access vector pair with a combined key including the user UID, the user'"'"'s PIN, and the enclave key, and transmitting the enciphered packet along the network to the crypto media controller; and
      
      (i) the crypto media controller using the media UID as an index to store the new media key/access vector pair in the personal keying device from which the user'"'"'s PIN was entered whereby the personal keying device contains a media key which can only be used by someone who has physical possession of that personal keying device, knows the user PIN associated with the media key, and has physical possession of the unit of media controlled by a crypto media controller containing the enclave key, the access of the user further being restricted by the access vector paired with the media key.
  - 10. A method according to claim 7 further comprising the steps of:
    - (a) the crypto media controller also (i) receiving a user PIN from a personal keying device from a user seeking access to an initialized unit of media under control of the crypto media controller;
      
      (b) providing storage search logic in the crypto media controller for (i) reading the initialized unit of media and extracting the media UID, (ii) searching the storage in the personal keying device and extracting the enciphered media key/access vector pair for the media UID and passing it to a key management crypto in the crypto media controller;
      
      (c) the key management crypto (i) fetching the user UID from the personal keying device and deciphering it using the enclave key, (ii) combining the user UID, the user PIN, and the enclave key to form a combined key to decrypt the media key/access vector pair, and passing the extracted media key to a data crypto and the access vector to the access control logic;
      
      (d) the data crypto deciphering data on a unit of media using the media key and passing it to the access control logic, the data deciphered in response to a read or write request for the data by the Workstation;
      
      (e) the access control logic controlling whether the desired mode of access is permitted based on the access vector and the device attributes contained within the crypto media controller, and aborting the attempted access to the data if the access is not permitted and otherwise permitting the access whereby data is transferred to a Workstation for processing; and
      
      (f) providing logic in the crypto media controller for causing a complete reset of the crypto media controller and requiring the keying process to be started from the beginning in the event that the personal keying device is uncoupled or the unit of media is removed from the Workstation.

11. A trusted path system for communication between a Workstation and a secure computer over a untrusted communication medium, comprising;
- a logic and control unit in the Workstation and in the secure computer;
  
  an end-to-end authentication token exchange protocol used to assure the logic and control unit in the Workstation is communicating with an authentic logic and control unit in the secure computer, and vice versa;
  
  the token exchange protocol operating by chaining transactions together so that a forged transaction entered into the interaction between Workstation and secure computer is detected the very next time a legitimate transaction is received by a logic and control unit;
  
  a cryptographic checksum protocol used to assure transactions between the logic and control units have not been tampered with, the checksum protocol authenticating single transactions between the Workstation and the secure computer rather than sequences of transactions; and
  
  an identification and authentication protocol invoked when a user wishes to interact with the secure computer for some period of time, using the keyboard and display of the Workstation and the untrusted communications medium, the period of interaction being a session, and the act of initiating a session called logon, and that of terminating one is called logout.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, Inc. (McAfee, LLC)
Original Assignee
Secure Computing Corporation (McAfee, LLC)
Inventors
Olmsted, Robert A., Markham, Thomas R., Boebert, William E.
Primary Examiner(s)
Cain, David C.

Application Number

US08/142,904
Time in Patent Office

882 Days
Field of Search

380/21, 380/23, 380/24, 380/25, 380/49, 380/50, 380/3, 380/4
US Class Current

713/193
CPC Class Codes

G06F 12/1408   by using cryptography for d...

G06F 21/62   Protecting access to data v...

G06F 2211/009   Trust

H04L 63/0485   Networking architectures fo...

H04L 63/0853   using an additional device,...

H04L 63/102   Entity profiles

Data enclave and trusted path system

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

Citations

11 Claims

Specification

Solutions

Use Cases

Quick Links

Data enclave and trusted path system

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

11 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links