Physical layer security manager for memory-mapped serial communications interface

US 6,134,662 A
Filed: 06/26/1998
Issued: 10/17/2000
Est. Priority Date: 06/26/1998
Status: Expired due to Term

First Claim

Patent Images

1. A physical layer circuit arrangement for interfacing a local node in an electronic device to a memory-mapped serial communications interface of the type that supports peer-to-peer communications between a plurality of nodes, the circuit arrangement comprising:

(a) a link layer interface coupled to a link layer defined in the electronic device, the link layer interface configured to transmit data to and receive data from the link layer; and

(b) a security manager coupled to the link layer interface and configured to modify a data packet received over the communications interface from an unauthorized node prior to transmission of the data packet over the link layer interface to inhibit acceptance of the modified data packet by the link layer.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A distributed firewall is utilized in conjunction with a memory-mapped serial communications interface such as that defined by the IEEE 1394 specification to permit secure data transmission between selected nodes over the interface. The distributed firewall incorporates security managers in the selected nodes that are respectively configured to control access to their associated nodes, thereby restricting access to such nodes to only authorized entities. The security manager in at least one of the nodes is implemented in the physical (PHY) layer for the communications interface. The security manager controls access to its associated node by selectively modifying data packets received from unauthorized entities in such a manner that acceptance of the modified data packets by the link layer is inhibited, e.g., by modifying the checksum in a data packet so that, upon receipt by the link layer of the associated node, the data packet is determined to be invalid by the link layer. As a result, the link layer may disregard the data packet so that effectively the unauthorized attempt to access the node is ignored.

113 Citations

25 Claims

1. A physical layer circuit arrangement for interfacing a local node in an electronic device to a memory-mapped serial communications interface of the type that supports peer-to-peer communications between a plurality of nodes, the circuit arrangement comprising:
- (a) a link layer interface coupled to a link layer defined in the electronic device, the link layer interface configured to transmit data to and receive data from the link layer; and
  
  (b) a security manager coupled to the link layer interface and configured to modify a data packet received over the communications interface from an unauthorized node prior to transmission of the data packet over the link layer interface to inhibit acceptance of the modified data packet by the link layer.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 23, 24)
- - 2. The circuit arrangement of claim 1, wherein the circuit arrangement is disposed in a separate integrated circuit device from the link layer in the electronic device.
  - 3. The circuit arrangement of claim 1, wherein the data packet includes a checksum, wherein the link layer is of the type that discards a data packets having an invalid checksum, and wherein the security manager is configured to modify the data packet by modifying the checksum therefor.
  - 4. The circuit arrangement of claim 1, wherein the security manager is further configured to transmit an acknowledgment over the communications interface to the unauthorized node.
  - 5. The circuit arrangement of claim 4, wherein the acknowledgment transmitted by the security manager indicates that data requested by the unauthorized node is unavailable.
  - 6. The circuit arrangement of claim 1, wherein the security manager includes an encryption engine configured to selectively encrypt data received through the link layer interface, and to selectively decrypt data received from authorized nodes over the communications interface.
  - 7. The circuit arrangement of claim 6, wherein the link layer defines a local node for the electronic device, and wherein the security manager further includes:
    - (a) an authorization list of authorized nodes from the plurality of nodes for which communication therewith is authorized; and
      
      (b) a key exchange engine configured to generate a session key for the local node.
  - 8. The circuit arrangement of claim 1, wherein the security manager is further configured to, in response to transmission of a transmit data packet from the link layer to the unauthorized node, notify the link layer via the link layer interface that the unauthorized node is unavailable.
  - 9. The circuit arrangement of claim 1, wherein the communications interface is an IEEE 1394-compatible interface.
  - 10. The circuit arrangement of claim 9, wherein the link layer is of the type supporting unsecured IEEE 1394-compatible communications.
  - 11. An electronic device including the circuit arrangement of claim 1.
  - 12. A data processing system including a plurality of nodes, at least one node including the circuit arrangement of claim 1.
  - 23. The method of claim 1, wherein the communications interface is an IEEE 1394-compatible interface.
  - 24. The method of claim 23, wherein the link layer is of the type supporting unsecured IEEE 1394-compatible communications.

13. A method of controlling access to a local node in an electronic device from a memory-mapped serial communications interface of the type that supports peer-to-peer communications between a plurality of nodes, the method comprising:
- (a) receiving a data packet over the communications interface from an unauthorized node; and
  
  (b) modifying the data packet prior to transmitting the data packet over a link layer interface to a link layer in the electronic device to inhibit acceptance of the modified data packet by the link layer.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 14. The method of claim 13, further comprising generating an authorization list of authorized nodes from the plurality of nodes for which communication with the local node is authorized.
  - 15. The method of claim 14, wherein generating the authorization list is performed in response to a reset of the communications interface.
  - 16. The method of claim 14, further comprising:
    - (a) generating a session key for the local node, the session key for use by an encryption engine at an authorized node from the authorization list when encrypting data to be transmitted to the local node; and
      
      (b) transmitting the session key to each authorized node in the authorization list.
  - 17. The method of claim 16, further comprising:
    - (a) receiving a receive data packet over the communications interface from an authorized node;
      
      (b) decrypting the receive data packet to generate a decrypted data packet; and
      
      (c) transmitting the decrypted data packet over the link layer interface to the link layer.
  - 18. The method of claim 14, further comprising:
    - (a) receiving a transmit data packet over the link layer interface from the link layer, the transmit data packet including a target identifying at least one authorized node from the authorized list;
      
      (b) encrypting the transmit data packet to generate an encrypted data packet; and
      
      (c) transmitting the encrypted data packet over the communications interface to the authorized node identified by the target.
  - 19. The method of claim 14, further comprising:
    - (a) receiving a transmit data packet over the link layer interface from the link layer, the transmit data packet including a target identifying an unauthorized node absent from the authorized list; and
      
      (b) notifying the link layer via the link layer interface that the unauthorized node is unavailable.
  - 20. The method of claim 13, wherein the data packet includes a checksum, wherein the link layer is of the type that discards a data packets having an invalid checksum, and wherein modifying the data packet includes modifying the checksum therefor.
  - 21. The method of claim 13, further comprising transmitting an acknowledgment over the communications interface to the unauthorized node in response to receipt of the data packet.
  - 22. The method of claim 21, wherein the acknowledgment indicates that data requested by the unauthorized node is unavailable.

25. A method of implementing secure communications over a memory-mapped serial communications interface of the type that supports unsecured peer-to-peer communications between a plurality of nodes, wherein each node includes a link layer implemented in a first integrated circuit device, the link layer configured to communicate over the communications interface solely through an unsecured protocol, the method comprising:
- (a) installing, in at least first and second nodes from the plurality of nodes, a second integrated circuit device, the second integrated circuit device implementing a physical layer circuit arrangement that interfaces the link layer in the first integrated circuit device with the communications interface, the physical layer circuit arrangement including a security manager coupled between the link layer and the communications interface and configured to modify a data packet received over the communications interface from an unauthorized node prior to transmission of the data packet to the link layer to inhibit acceptance of the modified data packet by the link layer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Future Link Systems, LLC (Vector Capital Corporation)
Original Assignee
VLSI Technology, Inc. (Koninklijke Philips N.V.)
Inventors
Levy, Paul S., Cornelius, Steve
Primary Examiner(s)
Beausoliel, Jr., Robert W.
Assistant Examiner(s)
Weir, James G.

Application Number

US09/105,553
Time in Patent Office

844 Days
Field of Search

713/200, 713/201, 713/160, 713/161, 380/23, 380/25, 380/4
US Class Current

726/11
CPC Class Codes

G06F 21/606   by securing the transmissio...

G06F 2211/008   Public Key, Asymmetric Key,...

H04L 63/0218   Distributed architectures, ...

H04L 63/0428   wherein the data content is...

H04L 63/0823   using certificates cryptogr...

H04L 63/10   for controlling access to d...

Physical layer security manager for memory-mapped serial communications interface

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

113 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Physical layer security manager for memory-mapped serial communications interface

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

113 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links