Cryptographic manager tool system

US 8,316,232 B1
Filed: 07/18/2012
Issued: 11/20/2012
Est. Priority Date: 07/18/2012
Status: Active Grant

First Claim

Patent Images

1. A cryptographic manager tool system that configures and maintains an auditable cryptographic communication system over a network for a plurality of industrial devices each having messaging protocols, wherein the cryptographic manager tool system comprises:

a. a server with a processor in communication with data storage having a plurality of input/output ports for communication with an industrial device;

b. a plurality of virtual cryptographic modules in the data storage, wherein each virtual cryptographic module comprises;

(i) computer instructions to receive plain text commands from the enterprise server to start at least one virtual cryptographic module of the plurality of virtual cryptographic modules and provide routine commands to the at least one virtual cryptographic module during operation;

(ii) computer instructions to receive plain text setting commands from the cryptographic manager tool;

(iii) computer instructions to transmit plain text setting information to the cryptographic manager tool;

(iv) computer instructions to transmit in-band plain text commands during start up to a physical cryptographic module;

(v) computer instructions to transmit out-of-band plain text commands during start up to the physical cryptographic module;

(vi) computer instructions to receive in-band plain text and status and measurement data from the physical cryptographic module during start up;

(vii) computer instructions to receive out-of-band plain text messages from the physical cryptographic module during start up;

(viii) computer instructions to receive out-of-band encrypted log information with status and measurement data from the physical cryptographic module;

(ix) computer instructions to receive out-of-band alarm messages from the physical cryptographic module;

(x) computer instructions to transmit out-of-band encrypted commands to the physical cryptographic module;

(xi) computer instructions to receive in-band encrypted status and measurement data from the physical cryptographic module;

(xii) computer instructions to transmit in-band encrypted commands to the physical cryptographic module;

(xiii) computer instructions to transmit encrypted collected log information to the enterprise server;

(xiv) computer instructions to transmit decrypted status and measurement data in the messaging protocol of the industrial device from the industrial device to the enterprise server;

(xv) computer instructions to monitor, configure and reconfigure online and on demand, continuously, the plurality of cryptographic pipes simultaneously;

(xvi) computer instructions to monitor, configure, reconfigure online and on demand, continuously, the plurality of physical cryptographic modules, simultaneously;

(xvii) computer instructions to monitor, configure, reconfigure online and on demand, continuously, the plurality of virtual cryptographic modules simultaneously;

(xviii) computer instructions to generate cryptographic keys for;

1. digital signatures in authentication certificates;

2. cryptographic key exchange; and

3. cryptographic communication sessions between the plurality of virtual cryptographic modules and the plurality of physical cryptographic modules, without human intervention, allowing online encryption and decryption of plain text commands, status and measurement data, messages, log information, and alarm messages without turning off any operating industrial devices, and without turning off the enterprise server and while creating an auditable communication pathway from the enterprise server to operating industrial devices;

(xix) computer instructions to transmit plain text setting information to the cryptographic pipes;

(xx) computer instructions to receive plain text setting information from at least one cryptographic pipe of the plurality of cryptographic pipes;

(xxi) a library of virtual cryptographic module settings;

(xxii) a library of physical cryptographic module settings;

(xxiii) computer instructions to schedule generation of cryptographic keys by the virtual cryptographic module, by the physical cryptographic module, or combinations thereof, using cryptographic time outs; and

c. wherein each cryptographic pipe of the plurality of cryptographic pipes communicates with one of the virtual cryptographic modules, enabling each industrial device to receive encrypted commands and transmit encrypted status and measurement data to the enterprise server using each industrial device messaging protocol.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A cryptographic manager tool for providing encrypted communication between an enterprise server and a plurality of industrial devices using messaging protocols for each industrial device, enabling the industrial devices to receive commands and transmit status and measurement data to the enterprise server in out of band encrypted and decrypted messaging, simultaneously, using the individual device messaging protocols over a network.

35 Citations

View as Search Results

11 Claims

1. A cryptographic manager tool system that configures and maintains an auditable cryptographic communication system over a network for a plurality of industrial devices each having messaging protocols, wherein the cryptographic manager tool system comprises:
- a. a server with a processor in communication with data storage having a plurality of input/output ports for communication with an industrial device;
  
  b. a plurality of virtual cryptographic modules in the data storage, wherein each virtual cryptographic module comprises;
  
  (i) computer instructions to receive plain text commands from the enterprise server to start at least one virtual cryptographic module of the plurality of virtual cryptographic modules and provide routine commands to the at least one virtual cryptographic module during operation;
  
  (ii) computer instructions to receive plain text setting commands from the cryptographic manager tool;
  
  (iii) computer instructions to transmit plain text setting information to the cryptographic manager tool;
  
  (iv) computer instructions to transmit in-band plain text commands during start up to a physical cryptographic module;
  
  (v) computer instructions to transmit out-of-band plain text commands during start up to the physical cryptographic module;
  
  (vi) computer instructions to receive in-band plain text and status and measurement data from the physical cryptographic module during start up;
  
  (vii) computer instructions to receive out-of-band plain text messages from the physical cryptographic module during start up;
  
  (viii) computer instructions to receive out-of-band encrypted log information with status and measurement data from the physical cryptographic module;
  
  (ix) computer instructions to receive out-of-band alarm messages from the physical cryptographic module;
  
  (x) computer instructions to transmit out-of-band encrypted commands to the physical cryptographic module;
  
  (xi) computer instructions to receive in-band encrypted status and measurement data from the physical cryptographic module;
  
  (xii) computer instructions to transmit in-band encrypted commands to the physical cryptographic module;
  
  (xiii) computer instructions to transmit encrypted collected log information to the enterprise server;
  
  (xiv) computer instructions to transmit decrypted status and measurement data in the messaging protocol of the industrial device from the industrial device to the enterprise server;
  
  (xv) computer instructions to monitor, configure and reconfigure online and on demand, continuously, the plurality of cryptographic pipes simultaneously;
  
  (xvi) computer instructions to monitor, configure, reconfigure online and on demand, continuously, the plurality of physical cryptographic modules, simultaneously;
  
  (xvii) computer instructions to monitor, configure, reconfigure online and on demand, continuously, the plurality of virtual cryptographic modules simultaneously;
  
  (xviii) computer instructions to generate cryptographic keys for;
  
  1. digital signatures in authentication certificates;
  
  2. cryptographic key exchange; and
  
  3. cryptographic communication sessions between the plurality of virtual cryptographic modules and the plurality of physical cryptographic modules, without human intervention, allowing online encryption and decryption of plain text commands, status and measurement data, messages, log information, and alarm messages without turning off any operating industrial devices, and without turning off the enterprise server and while creating an auditable communication pathway from the enterprise server to operating industrial devices;
  
  (xix) computer instructions to transmit plain text setting information to the cryptographic pipes;
  
  (xx) computer instructions to receive plain text setting information from at least one cryptographic pipe of the plurality of cryptographic pipes;
  
  (xxi) a library of virtual cryptographic module settings;
  
  (xxii) a library of physical cryptographic module settings;
  
  (xxiii) computer instructions to schedule generation of cryptographic keys by the virtual cryptographic module, by the physical cryptographic module, or combinations thereof, using cryptographic time outs; and
  
  c. wherein each cryptographic pipe of the plurality of cryptographic pipes communicates with one of the virtual cryptographic modules, enabling each industrial device to receive encrypted commands and transmit encrypted status and measurement data to the enterprise server using each industrial device messaging protocol.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The cryptographic manager tool of claim 1, wherein the library of virtual cryptographic module settings includes a member of the group consisting of:
    - a pipe local IP address, pipe time outs;
      
      a pipe remote IP address;
      
      a pipe buffer size;
      
      a pipe listen IP address;
      
      a local port;
      
      a remote port;
      
      a pipe protocol, a pipe auto-enable, and combinations thereof.
  - 3. The cryptographic manager tool of claim 1, wherein the library of physical cryptographic module settings includes a member of the group consisting of:
    - a tag, a mac address, a lock status, a host port, a device port, closed connection time outs, inter-character time outs, a graphic user ID (GUID), a date created, a date last synched, number of synchronization, a serial number, a status flag, a status string, notes, and combinations thereof.
  - 4. The cryptographic manager tool of claim 3, wherein the host port is an RS232 port, an RS485 port, an RS422 port, an Ethernet port, a TCPIP port, or a mesh radio network.
  - 5. The cryptographic manager tool of claim 3, wherein the device port is an RS232 port, an RS485 port, an RS422 port, an Ethernet port, a TCPIP port, or a mesh radio network.
  - 6. The cryptographic manager tool of claim 1, wherein each cryptographic pipe comprises:
    - a. computer instructions to provide encrypted messaging both in-band and out-of-band from the cryptographic manager tool to the physical cryptographic modules using messaging protocols of each industrial device; and
      
      b. computer instructions to provide decrypted messaging both in-band and out-of-band, from the physical cryptographic modules using messaging protocol to the cryptographic manager tool.
  - 7. The cryptographic manager tool of claim 1, wherein the out-of-band encrypted log information with status and measurement data from the physical cryptographic module comprises performance information and information that can indicate a breach of security simultaneously.
  - 8. The cryptographic manager tool of claim 1, wherein the cryptographic manager tool communicates with a plurality of physical cryptographic modules over a plurality of different networks simultaneously, consecutively, or combinations thereof.
  - 9. The cryptographic manager tool of claim 8, wherein the plurality of different networks simultaneously, consecutively, or combinations thereof comprise a member of the group consisting of:
    - a radio/cellular network, a world-wide network, a corporate network, a local area control network.
  - 10. The cryptographic manager tool of claim 1, wherein the cryptographic manager tool communicates to the physical cryptographic module disposed between the enterprise server and each industrial device for communicating in-band messages to each industrial device using the messaging protocol of each industrial device and wherein the physical cryptographic module comprises:
    - a. a physical cryptographic module processor;
      
      b. a physical cryptographic module data storage in communication with the physical cryptographic module processor, wherein the physical cryptographic module data storage comprises;
      
      (i) computer instructions to receive in-band plain text status and measurement data in the messaging protocol of the industrial device in communication therewith;
      
      (ii) computer instructions to transmit in-band decrypted commands to the industrial device, in communication therewith;
      
      (iii) computer instructions for providing encrypted messaging both in-band and out-of-band from the industrial device, in communication therewith, using the messaging protocol of the industrial device;
      
      (iv) computer instructions to generate cryptographic keys for;
      
      1. digital signatures in authentication certificates;
      
      2. cryptographic key exchanges; and
      
      3. cryptographic communication sessions between the plurality of physical cryptographic modules and a cryptographic manager tool without human intervention, allowing online encryption and decryption of plain text commands, status and measurement data, messages, log information, and alarm messages, without turning off any operating industrial devices, and without turning off the enterprise server and while creating an auditable communication pathway from enterprise server to operating industrial devices.
  - 11. The cryptographic manager tool of claim 1, wherein the cryptographic manager tool resides in a data storage of the enterprise server or a second server on the network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
DJ Osburn Management LLC
Original Assignee
DJ Inventions, LLC
Inventors
Osburn, Douglas C. III
Primary Examiner(s)
LOUIE, OSCAR A

Application Number

US13/552,434
Time in Patent Office

125 Days
Field of Search

713/164
US Class Current

713/164
CPC Class Codes

H04L 63/0272   Virtual private networks

H04L 63/0428   wherein the data content is...

H04L 63/0823   using certificates cryptogr...

H04L 67/12   specially adapted for propr...

H04L 9/0838   Key agreement, i.e. key est...

H04L 9/0861   Generation of secret inform...

H04L 9/3247   involving digital signatures

Cryptographic manager tool system

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

35 Citations

11 Claims

Specification

Solutions

Use Cases

Quick Links

Cryptographic manager tool system

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

35 Citations

11 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links