System and method for performing secure device communications in a peer-to-peer bus architecture

US 6,061,794 A
Filed: 09/30/1997
Issued: 05/09/2000
Est. Priority Date: 09/30/1997
Status: Expired due to Term

First Claim

Patent Images

1. A method for protecting a first device coupled to an input/output (I/O) bus from being accessed in an unauthorized manner by a second device coupled to the I/O bus, the method comprising:

transmitting to the first device a request to perform a peer-to-peer operation across the I/O bus without intervention from an operating system;

determining if said request is authentic as being dispatched from the second device;

determining if the second device is authorized to request the first device to perform said peer-to-peer operation; and

performing said peer-to-peer operation by said first device, without intervention from the operating system, if said request is authentic from the second device and if the second device is authorized to request said peer-to-peer operation.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for performing secure peer-to-peer device communications on an I/O bus, such as a PCI bus, a Fiber Channel bus, an IEEE, 1394 bus or a Universal Serial Bus. The system includes a plurality of intelligent I/O devices, such as intelligent storage devices and/or controllers, communications devices, video devices and audio devices. The I/O devices perform peer-to-peer message and data transfers, thereby bypassing the operating system running on the computer'"'"'s CPU. The intelligent I/O devices encrypt messages and data before transmitting them on the I/O bus and conversely decrypt the messages and data upon reception. The encryption provides secrecy and/or authentication of the sender. The devices use keys or passwords to encrypt/decrypt the data. The keys are stored in non-volatile memory in the devices and are distributed to the devices by the system BIOS at initialization time. The devices perform access authorization validation using rule sets also distributed by the BIOS at initialization time. The rule sets specify which I/O operations are valid for a peer I/O device to request of a respective I/O device based, preferably, upon the device class/subclasses of the requesting device. In another embodiment, one of the intelligent I/O devices may be a communications device which serves as a firewall for the I/O bus. In this embodiment, the rule set further includes identification information of the remote machines/devices.

Citations

34 Claims

1. A method for protecting a first device coupled to an input/output (I/O) bus from being accessed in an unauthorized manner by a second device coupled to the I/O bus, the method comprising:
- transmitting to the first device a request to perform a peer-to-peer operation across the I/O bus without intervention from an operating system;
  
  determining if said request is authentic as being dispatched from the second device;
  
  determining if the second device is authorized to request the first device to perform said peer-to-peer operation; and
  
  performing said peer-to-peer operation by said first device, without intervention from the operating system, if said request is authentic from the second device and if the second device is authorized to request said peer-to-peer operation.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 2. The method of claim 1, wherein the second device belongs to one of a set of I/O device classes, the method further comprising:
    - receiving a rule set by the first device which identifies a set of peer-to-peer operations which the second device is authorized to request the first device to perform based upon the I/O device class of the second device; and
      
      determining if the second device is authorized to request the first device to perform said peer-to-peer operation and determining if the second device is authorized to request said first device to perform said peer-to-peer operation based upon said rule set and said I/O device class of the second device.
  - 3. The method of claim 2, wherein at least a portion of said rule set is received via user input.
  - 4. The method of claim 2, wherein at least a portion of said rule set is based upon a predetermined rule set.
  - 5. The method of claim 1, further comprising:
    - encrypting by the second device said request prior to said second device transmitting to the first device; and
      
      decrypting by the first device the encrypted said request prior to performing said peer-to-peer operation.
  - 6. The method of claim 5, wherein said encrypting is performed using a private key and said decrypting is performed using a public key.
  - 7. The method of claim 5, wherein said encrypting is authorized based on a digital signature comprising a hash which is encrypted by an originating said second device with a private key of the originating second device and then validated by a receiving said second device by recalculating the hash and then decrypting the transmitted hash and comparing the two values.
  - 8. The method of claim 7, wherein the two values comprise the recalculated said hash and the decrypted hash.
  - 9. The method of claim 1, wherein said peer-to-peer operation is a read operation, and wherein said performing said peer-to-peer operation comprises:
    - retrieving by the first device data specified in said peer-to-peer operation; and
      
      transmitting said data from the first device to the second device.
  - 10. The method of claim 9, further comprising:
    - the second device determining if said data is authentic as transmitted by the first device;
      
      the second device storing said data only if said data is authentic.
  - 11. The method of claim 10, further comprising:
    - the first device encrypting the data prior to said transmitting said data to the second device;
      
      the second device decrypting said data prior to said storing said data.
  - 12. The method of claim 1, wherein said peer-to-peer operation is a write operation, wherein data is included in said request, and wherein said performing said peer-to-peer operation comprises:
    - the first device storing said data as specified in said request only if said data is authentically transmitted by the second device.
  - 13. The method of claim 12, further comprising:
    - the first device encrypting a reply message including a status of the requested peer-to-peer operation and transmitting said reply message to the second device after the storing of said data;
      
      the second device receiving said reply message and determining if said reply message is authentic from the first device.
  - 14. The method of claim 1, wherein said determining if said request is authentic comprises verifying an authenticator appended to said request.
  - 15. The method of claim 14, wherein said authenticator includes a digital signature.
  - 16. The method of claim 15, further comprising the second device encrypting said request prior to said second device transmitting on the I/O bus said encrypted request, wherein said encrypted request is said authenticator.
  - 17. The method of claim 14, wherein said authenticator includes a hash value.
  - 18. The method of claim 1, further comprising:
    - the second device receiving a packet from a first computer system coupled to the second device, wherein said packet includes said request, wherein the first computer system is dissimilar from a second computer system in which the first and second devices are embodied;
      
      the second device forwarding said request to the first device in response to said receiving said packet from the first computer system and prior to said second device transmitting on the I/O bus to the first device said request.
  - 19. The method of claim 18, further comprising:
    - the second device determining if said packet is authentic from said first computer system; and
      
      the second device forwarding said request to the first device only if said packet is authentic from said first computer system.
  - 20. The method of claim 19, further comprising:
    - the second device determining if the first computer system is authorized to request said peer-to-peer operation; and
      
      the second device forwarding said request to the first device only if the first computer system is authorized to request said peer-to-peer operation.
  - 21. The method of claim 20, wherein said packet includes identification information associated with the first computer system, the method further comprising:
    - the second device receiving a rule set, wherein said rule set identifies a set of peer-to-peer operations which the first computer system is authorized to request the first device to perform based upon the identification information of the first computer system; and
      
      wherein said second device determining if the first computer system is authorized to request said peer-to-peer operation comprises the second device determining if the first computer system is authorized to request said peer-to-peer operation based upon said rule set and said first computer system identification information.

22. A computer system, comprising:
- an input/output (I/O) bus;
  
  first and second devices coupled to the I/O bus,wherein the second device is operable to transmit on the I/O bus to the first device a message including a request to perform a peer-to-peer I/O operation without intervention from an operating system;
  
  wherein the first device is operable to receive said message and determine if said message is authentically derived from the second device;
  
  wherein the first device is operable to determine if the second device is authorized to request the first device to perform said peer-to-peer I/O operation; and
  
  wherein the first device performs said peer-to-peer I/O operation, without intervention from the operating system, only if said peer-to-peer I/O operation request is authentically derived from the second device and if the second device is authorized to request said peer-to-peer I/O operation.
- View Dependent Claims (23, 24, 25, 26, 27, 28, 29, 30)
- - 23. The computer system of claim 22, wherein the second device belongs to one of a set of I/O device classes, wherein the first device is operable to receive a rule set, wherein said rule set identifies a set of peer-to-peer I/O operations which the second device is authorized to request the first device to perform based upon the I/O device class of the second device, wherein said first device determines if the second device is authorized to request said first device to perform said peer-to-peer I/O operation based upon said rule set and said I/O device class of the second device.
  - 24. The computer system of claim 22, further comprising:
    - a system BIOS and a processor operable to execute said system BIOS, wherein said system BIOS is operable to provide said rule set to said first device; and
      
      wherein the first device comprises a memory for storing said rule set received from said system BIOS.
  - 25. The system of claim 22, wherein the second device is operable to encrypt said message prior to said second device transmitting to the first device said message and the first device is operable to decrypt said message prior to performing said peer-to-peer I/O operation.
  - 26. The computer system of claim 25, wherein said second device memory is operable to store a key received from said system BIOS, wherein said second device uses said key to decrypt said message.
  - 27. The computer system of claim 22, wherein the second device is operable to receive a packet from a remote computer system coupled to the second device, wherein said packet includes said request to perform said peer-to-peer I/O operation, wherein the second device is operable to create said message including said request to perform said peer-to-peer I/O operation in response to receiving said packet from the remote computer system.
  - 28. The computer system of claim 27, wherein the second device is operable to determine if said packet is authentically derived from the remote computer system, wherein the second device transmits said message to the first device only if said packet is authentically derived from the remote computer system.
  - 29. The computer system of claim 27, wherein the second device is operable to determine if the remote computer system is authorized to request said peer-to-peer I/O operation and the second device creates said message including said request to perform said peer-to-peer I/O operation only if the remote computer system is authorized to request said peer-to-peer I/O operation.
  - 30. The computer system of claim 22, wherein said I/O bus is a bus selected from the list comprising:
    - Peripheral Component Interconnect (PCI) bus, Fibre Channel bus, IEEE 1394 bus, Universal Serial Bus (USB).

31. An I/O device for coupling to an I/O bus, comprising:
- a processor for performing security services;
  
  a memory coupled to the processor for storing a rule set and a key;
  
  wherein the I/O device is operable to receive on the I/O bus from a peer I/O device a message including a request to perform a peer-to-peer I/O operation without intervention from an operating system;
  
  wherein the I/O device is operable to receive said message and determine if said message is authentically from the peer I/O device using said key stored in said memory;
  
  wherein the I/O device is operable to determine if the peer I/O device is authorized to request the I/O device to perform said peer-to-peer I/O operation based upon said rule set stored in said memory; and
  
  wherein the first device performs said peer-to-peer I/O operation, without intervention from the operating system, only if said peer-to-peer I/O operation request is authentically from the peer I/O device based upon said key and if the peer I/O device is authorized to request said peer-to-peer I/O operation based upon said rule set.
- View Dependent Claims (32, 33)
- - 32. The I/O device of claim 31, wherein the peer I/O device belongs to one of a set of I/O device classes, wherein said rule set identifies a set of peer-to-peer I/O operations which the peer I/O device is authorized to request the I/O device to perform based upon the I/O device class of the peer I/O device, wherein said I/O device determines if said peer I/O device is authorized to request said I/O device to perform said peer-to-peer I/O operation based upon said rule set and said I/O device class of said peer I/O device.
  - 33. The I/O device of claim 31, wherein the message is an encrypted message, wherein the I/O device is operable to decrypt said message using said key.

34. An I/O device for coupling to an I/O bus, comprising:
- a processor for performing security services;
  
  a memory coupled to the processor for storing a rule set and a key;
  
  wherein the I/O device is operable to receive from a remote computer a packet including a request for a peer I/O device also coupled to the I/O bus to perform an I/O operation without intervention from an operating system;
  
  wherein the I/O device is operable to determine if said packet is authentic from the remote computer using said key stored in said memory;
  
  wherein the I/O device is operable to determine if the remote computer is authorized to request the peer I/O device to perform said I/O operation based upon said rule set stored in said memory; and
  
  wherein the I/O device forwards said I/O operation request to said peer I/O device only if said packet is authentically from the remote computer based upon said key and if the remote computer is authorized to request said I/O operation based upon said rule set.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Original Assignee
Compaq Computer Corporation (HP Inc.)
Inventors
Driscoll, Dan J., Wooten, David R., Angelo, Michael F., Olarig, Sompong P.
Primary Examiner(s)
Beausoliel, Jr., Robert W.
Assistant Examiner(s)
HAMDAN, WASSEEM H

Application Number

US08/940,551
Time in Patent Office

952 Days
Field of Search

713/200, 713/201, 709/225, 380/23, 380/25, 380/4
US Class Current

726/3
CPC Class Codes

G06F 21/606   by securing the transmissio...

G06F 21/6218   to a system of files or obj...

G06F 21/85   interconnection devices, e....

G06F 2211/007   Encryption, En-/decode, En-...

G06F 2221/2141   Access rights, e.g. capabil...

System and method for performing secure device communications in a peer-to-peer bus architecture

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

34 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for performing secure device communications in a peer-to-peer bus architecture

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

34 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links