Methods of operating a portable communications device with enhanced security

US 8,028,067 B2
Filed: 07/11/2007
Issued: 09/27/2011
Est. Priority Date: 07/30/1996
Status: Expired due to Fees

First Claim

Patent Images

1. A method of operating a portable communications device, said portable communications device comprising a host computerized device having an untrusted operating system, at least some untrusted hardware, and a communications software stack operative to run on said host device, said portable communications device further comprising security apparatus for use with said stack;

wherein said portable device is configured to operate according to the method comprising;

verifying the identity of a user of said portable device before further access is permitted;

receiving data sent from a higher layer process of said host computerized device for transmission over a network;

determining whether an association between said security apparatus and at least one other security apparatus exists, said association comprising a cryptographic data exchange algorithm adapted to cause said portable communications device to exchange cryptographic data;

encrypting at least a portion of said data using at least one cryptographic key;

transmitting said at least portion to said at least one other security apparatus when said association does exist; and

facilitating the review of a user session audit trail.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods of operating a portable communications device so as to provide communications security and user identification and authentication. In one embodiment, the method comprises placing the device in communication with an untrusted network, and using its security apparatus for creating associations with one or more security devices on the network. Traffic between the associated devices may be encrypted and protected for e.g., data confidentiality and integrity protection. In one variant, the security apparatus comprises a software entity disposed at least partly within the software stack of a host, and a removable security card. The portable device may be untrusted (e.g., have an untrusted operating system) and also be physically unsecure.

Citations

64 Claims

1. A method of operating a portable communications device, said portable communications device comprising a host computerized device having an untrusted operating system, at least some untrusted hardware, and a communications software stack operative to run on said host device, said portable communications device further comprising security apparatus for use with said stack;
- wherein said portable device is configured to operate according to the method comprising;
  
  verifying the identity of a user of said portable device before further access is permitted;
  
  receiving data sent from a higher layer process of said host computerized device for transmission over a network;
  
  determining whether an association between said security apparatus and at least one other security apparatus exists, said association comprising a cryptographic data exchange algorithm adapted to cause said portable communications device to exchange cryptographic data;
  
  encrypting at least a portion of said data using at least one cryptographic key;
  
  transmitting said at least portion to said at least one other security apparatus when said association does exist; and
  
  facilitating the review of a user session audit trail.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42)
- - 2. The method of claim 1, wherein said security apparatus comprises a removable and substantially user- or device-specific security card received at least partly within a card reading apparatus of said portable device.
  - 3. The method of claim 2, wherein at least portions of said card are physically secure and protected from unauthorized access.
  - 4. The method of claim 2, further comprising exchanging security information between said card and said host device before further processing of a user transaction or message is permitted.
  - 5. The method of claim 4, wherein said exchanged security information comprises security information that is unique and specific to said card.
  - 6. The method of claim 2, further comprising generating said at least one cryptographic key at least in part using security information disposed on said security card.
  - 7. The method of claim 1, wherein said determining comprises determining whether an association exists with a substantially fixed and at least partly physically secure network access control device.
  - 8. The method of claim 7, wherein said network access control device further comprises an interface providing direct or indirect data communication to another network.
  - 9. The method of claim 1, wherein said at least one other security apparatus comprises an at least partly physically secure network gateway.
  - 10. The method of claim 9, wherein said gateway comprises an interface to a second network, said second network having other security apparatus associated therewith, said method further comprising establishing security associations between at least said gateway within said untrusted network and said other security apparatus of said second network.
  - 11. The method of claim 1, wherein said act of verifying further comprises verifying via a unique name or identification associated with said user.
  - 12. The method of claim 1, wherein said act of verifying further comprises verifying via a password associated with said user.
  - 13. The method of claim 1, wherein said act of verifying further comprises verifying via a key associated with said host computerized device.
  - 14. The method of claim 1, wherein said portable computing device further comprises a network protocol, and said method further comprises using said protocol to resolve an IP address from a given hardware or network address.
  - 15. The method of claim 1, wherein said portable computing device further comprises a network protocol, and said method further comprises using said protocol to resolve a given hardware or network address from an IP address.
  - 16. The method of claim 1, further comprising authenticating said at least one other security apparatus using a key-exchange algorithm.
  - 17. The method of claim 1, further comprising authenticating at least one network security device from which said security apparatus has first requested authentication.
  - 18. The method of claim 1, wherein said security apparatus comprises software disposed substantially within said communications stack above the Physical Layer thereof.
  - 19. The method of claim 10, wherein said security apparatus comprises software disposed substantially within said communications stack above the Link Layer thereof.
  - 20. The method of claim 10, wherein at least portions of said security apparatus comprises software disposed substantially within said communications stack below the Transport Layer thereof.
  - 21. The method of claim 1, wherein said encrypting using at least one cryptographic key comprises encrypting using at least one key of a public/private key pair.
  - 22. The method of claim 2, wherein said card further comprises a device driver.
  - 23. The method of claim 22, wherein said driver comprises an application programming interface (API).
  - 24. The method of claim 1, wherein said determining whether an association exists comprises determining whether a non-permanent trusted communications channel between and unique to said security apparatus and said at least one other security apparatus exists.
  - 25. The method of claim 24, wherein said at least one other security apparatus comprises a fixed, substantially stand-alone device.
  - 26. The method of claim 1, wherein said at least one other security apparatus comprises at least one interface port, and said method further comprises arbitrating access to said at least one port based at least in part on identification of a user of said portable communications device.
  - 27. The method of claim 1, further comprising generating at least one encryption key for each association, said act of generating not requiring either (i) intervention by a network administrator;
    - or (ii) intervention by a user of said portable communications device.
  - 28. The method of claim 1, further comprising generating said at least one encryption key dynamically by said security apparatus pursuant to establishing an association with said at least one other security apparatus, said at least one key being specific to a particular session between said security device and said at least one other security device.
  - 29. The method of claim 1, wherein said act of encrypting at least portions of said data is performed using a block cipher.
  - 30. The method of claim 1, further comprising generating using at least said security apparatus at least one encryption key for said act of encrypting at least portions of said data, said at least one encryption key comprising at least a portion of a public/private key pair.
  - 31. The method of claim 1, further comprising generating at least one encryption key for use in encrypting said data, said at least one encryption key comprising a symmetric encryption key.
  - 32. The method of claim 1, further comprising generating at least one encryption key, and said at least one encryption key providing confidentiality and integrity of user datagrams during a particular session or association between said security apparatus and said at least one other security apparatus.
  - 33. The method of claim 1, further comprising generating a request message for transmission to at least said at least one other security apparatus, said request message initiating an authentication procedure and comprising at least cryptographic information generated by said portable device.
  - 34. The method of claim 33, wherein said cryptographic information comprises a cryptographic vector.
  - 35. The method of claim 34, wherein said cryptographic vector comprises a vector used by said at least one other security apparatus as part of a mutual authentication procedure between said portable device and said at least one other security apparatus.
  - 36. The method of claim 33, wherein said cryptographic information comprises a cryptographic key.
  - 37. The method of claim 1, wherein said act of establishing said association further comprises utilizing random data that is transmitted from said at least one other security apparatus.
  - 38. The method of claim 1, wherein said method further comprises generating and transmitting random data to said security apparatus as part of a mutual authentication.
  - 39. The method of claim 1, wherein at least a portion of said transmitted at least portion is evaluated by said at least one other security apparatus using a first cryptographic residue generated at said at least one other network security apparatus using at least locally stored information, and a second residue of said transmitted message.
  - 40. The method of claim 39, wherein said act of evaluating said first and second residues comprises comparing said residues to see if they match.
  - 41. The method of claim 40, wherein if said first and second residue does not match, a change in the operation of said at least one other security apparatus is invoked.
  - 42. The method of claim 41, wherein said change in the operation comprises performing a network audit function.

43. A method of operating a portable communications device, comprising:
- providing a portable communications device, said portable communications device comprising a host computerized device adapted to run an untrusted operating system;
  
  providing a security card adapted to be received at least partly within said host device, said security card having portions comprising user-specific and cryptographic data stored therein, at least said portions being protected against access by unauthorized users;
  
  inserting said security card at least partly within said host device;
  
  placing a communications interface of said portable communications device in data communication with an untrusted network;
  
  verifying a user of said portable device using at least a portion of one of said user-specific and cryptographic data and an input supplied by a user via a user interface of said portable device;
  
  exchanging at least a portion of said cryptographic data between said card and host device;
  
  establishing a security association between said portable communications device and a security device on said network, said act of establishing comprising utilizing a cryptographic data exchange algorithm adapted to cause said portable communications device and said security device to exchange cryptographic data while establishing said association so as to enable at least ciphering or encrypting using one or more cryptographic keys; and
  
  ciphering or encrypting data sent from said portable device using at least one of said cryptographic keys;
  
  wherein said cryptographic data exchange algorithm includes the generation and transmission of a random number by only one party to the security association.
- View Dependent Claims (44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55)
- - 44. The method of claim 43, wherein said providing a card comprises providing a card having a device driver with application programming interface (API).
  - 45. The method of claim 43, further comprising generating a request message for transmission to a security device, said request message initiating an authentication procedure and comprising at least cryptographic information generated by said portable device.
  - 46. The method of claim 45, wherein said cryptographic information comprises a cryptographic vector.
  - 47. The method of claim 46, wherein said cryptographic vector comprises a vector used by said network security device as part of a mutual authentication procedure between said portable device and said security device.
  - 48. The method of claim 45, wherein said cryptographic information comprises a cryptographic key.
  - 49. The method of claim 48, wherein said cryptographic key comprises a key that is part of a public/private key pair.
  - 50. The method of claim 45, wherein said cryptographic information comprises a digital signature, and said method further comprises generating said signature based at least in part on cryptographic data stored in said card.
  - 51. The method of claim 43, wherein said providing a security card comprises providing a security card having portions comprising user-specific and cryptographic data stored therein, at least said portions being protected against access by unauthorized users.
  - 52. The method of claim 51, wherein said protection against access by unauthorized users comprises at least physical protection for said at least portions.
  - 53. The method of claim 51, wherein said protection against access by unauthorized users comprises verification of prospective users via a unique name or identification associated with a valid user.
  - 54. The method of claim 51, wherein said protection against access by unauthorized users comprises verification of prospective users via a password associated with a valid user.
  - 55. The method of claim 51, wherein said protection against access by unauthorized users comprises verification of prospective users via a key associated with said host user device.

56. A method of operating a portable communications device, said device comprising:
- an at least partly untrusted host computerized device adapted to run an untrusted operating system and a software stack;
  
  a security card interface apparatus;
  
  a security card adapted to be received at least partly within said card interface apparatus, said security card having portions comprising cryptographic data stored therein, at least said portions being protected against access by unauthorized users;
  
  a communications interface; and
  
  a user interface;
  
  wherein said method comprises;
  
  placing said communications interface in data communication with an untrusted network;
  
  verifying a user of said portable device using an input supplied by a user via said user interface of said portable device and security software operative to communicate with said software stack;
  
  exchanging at least a portion of said cryptographic data between said card and said host device; and
  
  establishing a security association between said portable communications device and a security device on said network, said act of establishing comprising;
  
  utilizing said cryptographic data to provide a cipher key;
  
  generating a request message including said cipher key;
  
  performing a mutual authentication based at least in part on said cipher key; and
  
  facilitating the review of a user session audit trail.
- View Dependent Claims (57)
- - 57. The method of claim 56, wherein said placing comprising dynamically obtaining at least one identifier for said portable communications device when said communications interface is placed in data communication with said untrusted network.

58. A method of operating a portable communications device, said portable communications device comprising a host computerized device having a communications software stack operative to run on said host device, said portable communications device further comprising security apparatus for use with said stack, said security apparatus comprising a removable and substantially user- or device-specific security card received at least partly within a card reading apparatus of said portable device;
- wherein said portable device is configured to operate according to the method comprising;
  
  verifying the identity of a user of said portable device before further access is permitted via a key associated with said host computerized device;
  
  receiving data sent from a higher layer process of said host computerized device for transmission over a network;
  
  generating a request message for transmission to a network security apparatus, said request message initiating an authentication procedure, said procedure resulting in generation of a cryptographic vector;
  
  establishing an association between said security apparatus and said network security apparatus utilizing a unidirectional transmission of random data that is transmitted from said network security apparatus, said association comprising a cryptographic data exchange algorithm adapted to cause said portable communications device to exchange cryptographic data;
  
  authenticating the network security apparatus from which said security apparatus has first requested authentication;
  
  encrypting at least a portion of said data using at least one cryptographic key of a public/private key pair, wherein said act of encrypting is performed using a block cipher; and
  
  transmitting said at least portion of said data to said network security apparatus when said association does exist.
- View Dependent Claims (59, 60, 61, 62, 63, 64)
- - 59. The method of claim 58, wherein said card comprises a card having a device driver with an application programming interface (API).
  - 60. The method of claim 58, further comprising generating said at least one encryption key for said association, said act of generating not requiring either (i) intervention by a network administrator;
    - or (ii) intervention by said user of said portable communications device.
  - 61. The method of claim 58, further comprising generating said at least one encryption key dynamically by said security apparatus pursuant to establishing an association with said at least one other security apparatus, said at least one key being specific to a particular session between said security device and said at least one other security device.
  - 62. The method of claim 58, wherein said cryptographic data comprises a cryptographic vector.
  - 63. The method of claim 58, wherein said cryptographic vector comprises a vector used by said at least one other security apparatus as part of a mutual authentication procedure between said portable device and said at least one other security apparatus.
  - 64. The method of claim 58, wherein said verifying the identity of said user comprises verification of prospective users via a unique name or identification associated with a valid user.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Round Rock Research LLC
Original Assignee
Round Rock Research LLC
Inventors
Holden, James M, Levin, Stephen E, Nickel, James O, Wrench, Edwin H
Primary Examiner(s)
VU, VIET DUY

Application Number

US11/776,396
Publication Number

US 20080016343A1
Time in Patent Office

1,539 Days
Field of Search

709/223, 709/225, 709/227, 709/228, 709/229, 709/237, 709/250
US Class Current

709/225
CPC Class Codes

G06F 21/31   User authentication

G06F 21/606   by securing the transmissio...

G06F 21/85   interconnection devices, e....

G06F 2211/001   In-Line Device

G06F 2211/005   Network, LAN, Remote Access...

G06F 2211/007   Encryption, En-/decode, En-...

G06F 2211/009   Trust

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2141   Access rights, e.g. capabil...

G06F 2221/2149   Restricted operating enviro...

G06F 2221/2153   Using hardware token as a s...

H04L 2209/76   Proxy, i.e. using intermedi...

H04L 63/02   for separating internal fro...

H04L 63/0218   Distributed architectures, ...

H04L 63/0442   wherein the sending and rec...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/0869   for achieving mutual authen...

H04L 63/101   Access control lists [ACL]

H04L 63/105   Multiple levels of security

H04L 63/126   the source of the received ...

H04L 63/14 : for detecting or protecting...

H04L 67/141 : Setup of application sessio...

H04L 67/563 : Data redirection of data ne...

H04L 9/3247 : involving digital signatures

H04L 9/3268 : using certificate validatio...

H04L 9/3273 : for mutual authentication n...

H04L 9/40 : Network security protocols

H04W 12/069 : using certificates or pre-s...

View All

Methods of operating a portable communications device with enhanced security

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

64 Claims

Specification

Solutions

Use Cases

Quick Links

Methods of operating a portable communications device with enhanced security

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

64 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links