Methods of operating a portable communications device with enhanced security
Abstract
Methods of operating a portable communications device so as to provide communications security and user identification and authentication. In one embodiment, the method comprises placing the device in communication with an untrusted network and using its security apparatus to create associations with one or more security devices on the network. Traffic between the associated devices may be encrypted and protected, e.g., for data confidentiality and integrity. In one variant, the security apparatus comprises a software entity disposed at least partly within the software stack of a host, and a removable security card. The portable device may be untrusted (e.g., have an untrusted operating system) and may also be physically insecure.
64 Claims
1. A method of operating a portable communications device, said portable communications device comprising a host computerized device having an untrusted operating system, at least some untrusted hardware, and a communications software stack operative to run on said host device, said portable communications device further comprising security apparatus for use with said stack;
wherein said portable device is configured to operate according to the method comprising:
verifying the identity of a user of said portable device before further access is permitted;
receiving data sent from a higher layer process of said host computerized device for transmission over a network;
determining whether an association between said security apparatus and at least one other security apparatus exists, said association comprising a cryptographic data exchange algorithm adapted to cause said portable communications device to exchange cryptographic data;
encrypting at least a portion of said data using at least one cryptographic key;
transmitting said at least portion to said at least one other security apparatus when said association does exist; and
facilitating the review of a user session audit trail.
Dependent claims: 2 to 42.
43. A method of operating a portable communications device, comprising:
providing a portable communications device, said portable communications device comprising a host computerized device adapted to run an untrusted operating system;
providing a security card adapted to be received at least partly within said host device, said security card having portions comprising user-specific and cryptographic data stored therein, at least said portions being protected against access by unauthorized users;
inserting said security card at least partly within said host device;
placing a communications interface of said portable communications device in data communication with an untrusted network;
verifying a user of said portable device using at least a portion of one of said user-specific and cryptographic data and an input supplied by a user via a user interface of said portable device;
exchanging at least a portion of said cryptographic data between said card and host device;
establishing a security association between said portable communications device and a security device on said network, said act of establishing comprising utilizing a cryptographic data exchange algorithm adapted to cause said portable communications device and said security device to exchange cryptographic data while establishing said association so as to enable at least ciphering or encrypting using one or more cryptographic keys; and
ciphering or encrypting data sent from said portable device using at least one of said cryptographic keys;
wherein said cryptographic data exchange algorithm includes the generation and transmission of a random number by only one party to the security association.
Dependent claims: 44 to 55.
56. A method of operating a portable communications device, said device comprising:
an at least partly untrusted host computerized device adapted to run an untrusted operating system and a software stack;
a security card interface apparatus;
a security card adapted to be received at least partly within said card interface apparatus, said security card having portions comprising cryptographic data stored therein, at least said portions being protected against access by unauthorized users;
a communications interface; and
a user interface;
wherein said method comprises:
placing said communications interface in data communication with an untrusted network;
verifying a user of said portable device using an input supplied by a user via said user interface of said portable device and security software operative to communicate with said software stack;
exchanging at least a portion of said cryptographic data between said card and said host device; and
establishing a security association between said portable communications device and a security device on said network, said act of establishing comprising:
utilizing said cryptographic data to provide a cipher key;
generating a request message including said cipher key;
performing a mutual authentication based at least in part on said cipher key; and
facilitating the review of a user session audit trail.
Dependent claims: 57.
58. A method of operating a portable communications device, said portable communications device comprising a host computerized device having a communications software stack operative to run on said host device, said portable communications device further comprising security apparatus for use with said stack, said security apparatus comprising a removable and substantially user- or device-specific security card received at least partly within a card reading apparatus of said portable device;
wherein said portable device is configured to operate according to the method comprising:
verifying the identity of a user of said portable device before further access is permitted via a key associated with said host computerized device;
receiving data sent from a higher layer process of said host computerized device for transmission over a network;
generating a request message for transmission to a network security apparatus, said request message initiating an authentication procedure, said procedure resulting in generation of a cryptographic vector;
establishing an association between said security apparatus and said network security apparatus utilizing a unidirectional transmission of random data that is transmitted from said network security apparatus, said association comprising a cryptographic data exchange algorithm adapted to cause said portable communications device to exchange cryptographic data;
authenticating the network security apparatus from which said security apparatus has first requested authentication;
encrypting at least a portion of said data using at least one cryptographic key of a public/private key pair, wherein said act of encrypting is performed using a block cipher; and
transmitting said at least portion of said data to said network security apparatus when said association does exist.
Dependent claims: 59 to 64.
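The association steps recited in claims 43, 56 and 58 (random data supplied by one party only, a cipher key derived from the card's cryptographic data, mutual authentication, block-cipher encryption and an audit trail), as an added Go model that is not part of the patent and commits to algorithms the claims leave open. The HMAC-SHA256 key derivation, AES-256-GCM, and a byte-string secret standing in for the card data are all assumptions, and both parties are simulated in one process.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Association carries the negotiated cipher key and the user session audit trail.
type Association struct {
	key   []byte
	Audit []string
}

// derive is a constructed HMAC-SHA256 derivation; the claims name no specific KDF.
func derive(secret, nonce []byte, label string) []byte {
	m := hmac.New(sha256.New, secret)
	m.Write(nonce)
	m.Write([]byte(label))
	return m.Sum(nil)
}

// Establish: only the network side generates random data; each side derives the
// cipher key from its own copy of the card secret and proves possession to the other.
func Establish(deviceSecret, networkSecret []byte) (*Association, error) {
	nonce := make([]byte, 16)
	rand.Read(nonce) // crypto/rand.Read is documented never to return an error (Go 1.24+)
	devKey := derive(deviceSecret, nonce, "cipher-key")  // on the device
	netKey := derive(networkSecret, nonce, "cipher-key") // at the network
	if !hmac.Equal(derive(devKey, nonce, "dev"), derive(netKey, nonce, "dev")) {
		return nil, errors.New("network rejected device authentication")
	}
	if !hmac.Equal(derive(netKey, nonce, "net"), derive(devKey, nonce, "net")) {
		return nil, errors.New("device rejected network authentication")
	}
	return &Association{key: devKey, Audit: []string{"association established"}}, nil
}

// Seal encrypts outgoing data with a block cipher (AES-256-GCM) and logs the event.
func (a *Association) Seal(plain []byte) []byte {
	block, _ := aes.NewCipher(a.key) // 32-byte key from SHA-256: cannot fail
	gcm, _ := cipher.NewGCM(block)   // AES block size is 16 bytes: cannot fail
	iv := make([]byte, gcm.NonceSize())
	rand.Read(iv) // fresh IV per message; never reuse an IV with the same key
	a.Audit = append(a.Audit, "encrypted payload transmitted")
	return gcm.Seal(iv, iv, plain, nil) // IV prefixed so the receiver can open it
}
```

A mismatched card secret fails the first possession check, so no key is ever handed to the caller and nothing is encrypted or transmitted.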
Specification