Secure data communication over a memory-mapped serial communications interface utilizing a distributed firewall
Abstract
A distributed firewall is utilized in conjunction with a memory-mapped serial communications interface such as that defined by the IEEE 1394 specification to permit secure data transmission between selected nodes over the interface. The distributed firewall incorporates security managers in the selected nodes that are respectively configured to control access to their associated nodes, thereby restricting access to such nodes to only authorized entities. Furthermore, encrypted transmissions may be supported to restrict unauthorized viewing of data transmitted between the selected nodes over the interface. Implementation of the distributed firewall does not modify any critical specifications for the memory-mapped communications interface that would prevent the selected nodes from residing on the same interface as other nodes that adhere to such specifications but that do not support secure data transmission.
36 Claims
1. A data processing system, comprising:
(a) a plurality of nodes including at least first and second nodes;
(b) a memory-mapped serial communications interface coupled between the plurality of nodes and supporting peer-to-peer communication therebetween; and
(c) a distributed firewall including first and second security managers respectively disposed in the first and second nodes, the first and second security managers respectively configured to control access to the first and second nodes from the communications interface, and wherein the first security manager is configured to locally generate for the first node an authorization list of authorized nodes with which communication is authorized for the first node.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13
(a) an authorization list of authorized nodes from the plurality of nodes for which communication therewith is authorized; and
(b) a key exchange engine configured to generate a session key for the node associated therewith.
8. The data processing system of claim 7, wherein the authorization list is dynamically generated, and wherein each security manager is configured to transmit the session key therefor to each authorized node.
9. The data processing system of claim 6, wherein the first node is assigned a segment of memory addresses for the communications interface, the segment of memory addresses including secure and unsecure portions thereof, and wherein the first security manager is configured to control access only to the secure portion of the segment of memory addresses for the first node.
10. The data processing system of claim 1, wherein the communications interface is an IEEE 1394-compatible interface.
11. The data processing system of claim 1, wherein the first node is a self-directed node, and wherein the first security manager is configured to dynamically generate the authorization list for the first node using a third party certification.
12. The data processing system of claim 1, wherein the first node is an interactive node, and wherein the first security manager is configured to generate the authorization list for the first node by requesting authorization for given nodes using an external resource.
13. The data processing system of claim 1, wherein the first node is a trusted node and the second node is a directed node, and wherein the second security manager is configured to generate an authorization list of authorized nodes with which communication is authorized for the second node by retrieving at least one authorized node from the trusted node.
14. A circuit arrangement for interfacing an electronic device to a memory-mapped serial communications interface of the type that supports peer-to-peer communications between a plurality of nodes, the circuit arrangement comprising:
(a) a communications port configured to couple a local node in the electronic device to the communications interface; and
(b) a security manager configured to control access to the local node through the communications port to restrict communication with the local node to only authorized nodes from the plurality of nodes, the first security manager further configured to locally generate for the local node an authorization list of authorized nodes with which communication is authorized for the local node.
Dependent claims: 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28
(a) a hardware definition program that defines the circuit arrangement of claim 14; and
(b) a signal bearing media bearing the hardware definition program.
27. The program product of claim 26, wherein the signal bearing media is transmission type media.
28. The program product of claim 26, wherein the signal bearing media is recordable media.
29. A method of controlling access to first and second nodes from a plurality of nodes coupled to one another over a memory-mapped serial communications interface of the type supporting peer-to-peer communications between the plurality of nodes, the method comprising:
(a) controlling access to the first node using a first security manager disposed in the first node;
(b) controlling access to the second node using a second security manager disposed in the second node, wherein the first and second security managers define a distributed firewall for the communications interface;
(c) generating for the first node a first authorization list of authorized nodes from the plurality of nodes for which communication with the first node is authorized;
(d) generating for the second node a second authorization list of authorized nodes from the plurality of nodes for which communication with the second node is authorized; and
(e) updating the first and second authorization lists in response to at least one of adding a node to and removing a node from the communications interface.
Dependent claims: 30, 31
(a) generating a session key for the first node, the session key for use by an encryption engine at an authorized node from the first authorization list when encrypting data to be transmitted to the first node; and
(b) transmitting the session key to an authorized node in the first authorization list.
32. A method of controlling access to first and second nodes from a plurality of nodes coupled to one another over a memory-mapped serial communications interface of the type supporting peer-to-peer communications between the plurality of nodes, the method comprising:
(a) controlling access to the first node using a first security manager disposed in the first node;
(b) controlling access to the second node using a second security manager disposed in the second node, wherein the first and second security managers define a distributed firewall for the communications interface;
(c) generating for the first node a first authorization list of authorized nodes from the plurality of nodes for which communication with the first node is authorized;
(d) obtaining an isochronous channel for the first node;
(e) generating an isochronous session key in the first node; and
(f) transmitting the isochronous session key to the authorized nodes in the first authorization list that are configured to receive the isochronous channel.
Dependent claims: 33
34. A data processing system, comprising:
(a) a plurality of nodes including at least first and second nodes;
(b) a memory-mapped serial communications interface coupled between the plurality of nodes and supporting peer-to-peer communication therebetween; and
(c) a distributed firewall including first and second security managers respectively disposed in the first and second nodes, the first and second security managers respectively configured to control access to the first and second nodes from the communications interface, wherein the first node is assigned a segment of memory addresses for the communications interface, the segment of memory addresses including secure and unsecure portions thereof, and wherein the first security manager is configured to control access only to the secure portion of the segment of memory addresses for the first node.
35. A circuit arrangement for interfacing an electronic device to a memory-mapped serial communications interface of the type that supports peer-to-peer communications between a plurality of nodes, the circuit arrangement comprising:
(a) a communications port configured to couple a local node in the electronic device to the communications interface; and
(b) a security manager configured to control access to the local node through the communications port to restrict communication with the local node to only authorized nodes from the plurality of nodes, wherein the local node is assigned a segment of memory addresses for the communications interface, the segment of memory addresses including secure and unsecure portions thereof, and wherein the security manager is configured to control access only to the secure portion of the segment of memory addresses for the local node.
36. A method of controlling access to first and second nodes from a plurality of nodes coupled to one another over a memory-mapped serial communications interface of the type supporting peer-to-peer communications between the plurality of nodes, the method comprising:
(a) controlling access to the first node using a first security manager disposed in the first node, wherein the first node is assigned a segment of memory addresses for the communications interface, the segment of memory addresses including secure and unsecure portions thereof, and wherein the first security manager is configured to control access only to the secure portion of the segment of memory addresses for the first node; and
(b) controlling access to the second node using a second security manager disposed in the second node, wherein the first and second security managers define a distributed firewall for the communications interface.
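The per-node access decision described in claims 1, 9, 29(e) and 34 to 36 can be modelled as follows; this is an added illustration, not code or circuitry from the patent. The structure layout, function names, node IDs and address values are all hypothetical, and the secure portion is assumed to lie wholly inside the node's segment.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical model of one node's security manager (all names illustrative). */
struct security_manager {
    uint64_t seg_base, seg_len;      /* address segment assigned to this node */
    uint64_t secure_off, secure_len; /* secure portion, relative to seg_base */
    uint16_t auth[8];                /* locally generated authorization list */
    size_t   n_auth;
};

/* Constructed sample: 4 KiB segment, secure portion at offsets 0x800..0xBFF. */
struct security_manager sample_manager(void) {
    struct security_manager sm = { 0x10000, 0x1000, 0x800, 0x400, { 0xffc1, 0xffc3 }, 2 };
    return sm;
}

static bool is_authorized(const struct security_manager *sm, uint16_t node_id) {
    for (size_t i = 0; i < sm->n_auth; i++)
        if (sm->auth[i] == node_id) return true;
    return false;
}

/* Update the list when nodes leave the interface: keep only nodes still present. */
size_t sm_prune(struct security_manager *sm, const uint16_t *present, size_t n) {
    size_t kept = 0;
    for (size_t i = 0; i < sm->n_auth; i++)
        for (size_t j = 0; j < n; j++)
            if (sm->auth[i] == present[j]) { sm->auth[kept++] = sm->auth[i]; break; }
    sm->n_auth = kept;
    return kept;
}

/* Decide whether a request from node src touching [addr, addr+len) is accepted. */
bool sm_allow(const struct security_manager *sm, uint16_t src, uint64_t addr, uint64_t len) {
    if (len == 0 || addr < sm->seg_base) return false;
    uint64_t off = addr - sm->seg_base;
    if (off >= sm->seg_len || len > sm->seg_len - off) return false; /* outside segment */
    /* Non-overlap tests written without additions that could wrap around. */
    bool below = off < sm->secure_off && len <= sm->secure_off - off;
    bool above = off >= sm->secure_off && off - sm->secure_off >= sm->secure_len;
    if (below || above) return true;  /* unsecure portion: not controlled */
    return is_authorized(sm, src);    /* any overlap with the secure portion */
}

int main(void) {
    struct security_manager sm = sample_manager();
    /* A request from an unlisted node that straddles into the secure portion must be refused. */
    return sm_allow(&sm, 0xffc2, 0x107fc, 8) ? 1 : 0;
}
```

A request that starts in the unsecure portion but extends into the secure portion is treated as a secure access, so an unlisted node cannot reach protected addresses by beginning its transfer just below the boundary.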
Specification