Method and system for communication between a USB device and a USB host

US 8,560,852 B2
Filed: 02/01/2008
Issued: 10/15/2013
Est. Priority Date: 02/05/2007
Status: Active Grant

First Claim

Patent Images

1. A method for providing efficient communication between a computer and a plug-and-play secure token connected to the computer, comprising:

upon establishing a physical connection between the computer and the plug-and-play secure token, enumerating the secure token as a device of a first type and as a device of a second type;

launching on the computer a host agent stored on the secure token;

operating the computer according to instructions of a driver for devices of the first type to receive messages communicated in a first protocol associated with devices of the first type from the secure token;

operating the computer according to instructions of a driver of devices of the second type to receive messages communicated in a second protocol associated with devices of the second type from the secure token;

operating the computer according to instructions stored in the host agent to;

receive messages of a first type from the secure token communicated in the first protocol associated with messages of the first type via the driver for devices of the first type;

receive messages of a second type from the secure token communicated in the second protocol associated with messages of the second type via the driver for devices of the second type; and

in response to detecting a message of the first type indicative of an availability of a data in a data buffer, retrieving the available data from the data buffer by sending a message of the second type to the secure token;

operating the secure token according to instructions of a card-agent program including instructions to;

write data to a second data buffer of the secure token;

upon having written data to the second data buffer, sending a message of the first type indicative of the availability of data in the second data buffer;

upon receiving a message of the second type requesting access to the data buffer, transmitting the contents of the second data buffer using the protocol associated with messages of the second type; and

operating the computer according to instructions stored in the host agent to;

transmit messages from the computer to the secure token by writing data to a second data buffer of the secure token using the protocol associated with messages of the second type; and

embed in the messages from the computer to the secure token messages of an application layer protocol having at least one security level wherein messages embed therein security credentials permitting the computer to perform restricted actions on the secure token.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A secure portable electronic device for providing secure services when used in conjunction with a host computer having a central processing unit use two hardware device protocols readily supported by computer operating systems. Other systems and methods are disclosed.

20 Citations

View as Search Results

16 Claims

1. A method for providing efficient communication between a computer and a plug-and-play secure token connected to the computer, comprising:
- upon establishing a physical connection between the computer and the plug-and-play secure token, enumerating the secure token as a device of a first type and as a device of a second type;
  
  launching on the computer a host agent stored on the secure token;
  
  operating the computer according to instructions of a driver for devices of the first type to receive messages communicated in a first protocol associated with devices of the first type from the secure token;
  
  operating the computer according to instructions of a driver of devices of the second type to receive messages communicated in a second protocol associated with devices of the second type from the secure token;
  
  operating the computer according to instructions stored in the host agent to;
  
  receive messages of a first type from the secure token communicated in the first protocol associated with messages of the first type via the driver for devices of the first type;
  
  receive messages of a second type from the secure token communicated in the second protocol associated with messages of the second type via the driver for devices of the second type; and
  
  in response to detecting a message of the first type indicative of an availability of a data in a data buffer, retrieving the available data from the data buffer by sending a message of the second type to the secure token;
  
  operating the secure token according to instructions of a card-agent program including instructions to;
  
  write data to a second data buffer of the secure token;
  
  upon having written data to the second data buffer, sending a message of the first type indicative of the availability of data in the second data buffer;
  
  upon receiving a message of the second type requesting access to the data buffer, transmitting the contents of the second data buffer using the protocol associated with messages of the second type; and
  
  operating the computer according to instructions stored in the host agent to;
  
  transmit messages from the computer to the secure token by writing data to a second data buffer of the secure token using the protocol associated with messages of the second type; and
  
  embed in the messages from the computer to the secure token messages of an application layer protocol having at least one security level wherein messages embed therein security credentials permitting the computer to perform restricted actions on the secure token.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1 further comprising:
    - operating the secure token to restrict token updates in encrypted and authenticated sessions;
      
      transmitting a message to request initialization of an update session from a source computer to the secure token wherein the message to request initialization of an update session includes information authenticating the source computer to the secure token and includes an encrypted shared secret;
      
      upon receiving the message to request initialization of an update session operating the secure token to decrypt the shared secret and verifying the information authenticating the source computer as authorized to perform volume updates.
  - 3. The method of claim 2 wherein the information authenticating the source computer is a cryptographic signature of the computer.
  - 4. The method of claim 2 further comprisingupon authenticating the computer to perform volume updates, initiating a secure session for updates by encapsulating authenticating information corresponding to the source computer in a command to the secure token.
  - 5. The method of claim 2 wherein the source computer is one selected from group consisting of a local host computer and a remote computer connected to the secure token over a network via the local host computer.
  - 6. The method of claim 1 wherein the first type is a category of devices for providing user input to a computer and wherein the second type is a category of devices for storing or retrieving a computer data files to or from a token.
  - 7. The method of claim 1, wherein devices of the first type are USB human-interface devices, wherein the step of enumerating the secure token as a device of a first type comprises enumerating the secure token as USB human-interface device, wherein devices of the second type are USB mass storage devices and wherein the step of enumerating the secure token as a device of a second type comprises enumerating the secure token as USB mass storage device.
  - 8. The method of claim 7 wherein the step of operating the secure token to transmit a message of the first type indicative of the availability of data in a data buffer comprises a USB HID in report message.

9. A plug-and-play secure token with means for being connected to a host computer, comprising:
- a memory,a card-agent program that upon establishing a physical connection between the host computer and the plug-and-play secure token, enumerating the secure token as a device of a first type and as a device of a second type;
  
  a host agent stored in the memory of the secure token for execution on the host computer, the host agent comprising;
  
  a driver for devices of the first type to receive messages communicated in a first protocol associated with devices of the first type from the secure token, anda driver of devices of the second type to receive messages communicated in a second protocol associated with devices of the second type from the secure token;
  
  logic to receive messages of a first type from the secure token communicated in the first protocol associated with messages of the first type via the driver for devices of the first type;
  
  logic to receive messages of a second type from the secure token communicated in the second protocol associated with messages of the second type via the driver for devices of the second type; and
  
  logic to in response to detecting that message of the first type indicative of an availability of a data in a data buffer, retrieving the available data from the data buffer by sending a message of the second type to the secure token;
  
  the card-agent further comprising instructions to cause the secure token to;
  
  write data to a second data buffer of the secure token;
  
  upon having written data to the second data buffer, sending a message of the first type indicative of the availability of data in the second data buffer;
  
  upon receiving a message of the second type requesting access to the data buffer, transmitting the contents of the second data buffer using the protocol associated with messages of the second type andthe host-agent further comprising instructions to cause the host computer to;
  
  transmit messages from the computer to the secure token by writing data to a second data buffer of the secure token using the protocol associated with messages of the second type;
  
  embed in the messages from the host computer to the secure token messages of an application layer protocol having at least one security level wherein messages embed therein security credentials permitting the computer to perform restricted actions on the secure token.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The plug-and-play secure token of claim 9 wherein the card-agent further comprising logic to cause the secure token to:
    - operate the secure token to restrict token updates in encrypted and authenticated sessions;
      
      wherein the host-agent further comprises logic to transmit a message to request initialization of an update session from a source computer to the secure token wherein the message to request initialization of an update session includes information authenticating the source computer to the secure token and includes an encrypted shared secret;
      
      wherein the card-agent further comprises logic to, upon receiving the message to request initialization of an update session, operate the secure token to decrypt the shared secret and verifying the information authenticating the source computer as authorized to perform volume updates.
  - 11. The plug-and-play secure token of claim 10 wherein the information authenticating the source computer is a cryptographic signature of the computer.
  - 12. The plug-and-play secure token of claim 10 wherein the card-agent further comprises instructions to:
    - upon authenticating the computer to perform volume updates, initiate a secure session for updates by encapsulating authenticating information corresponding to the source computer in a command to the secure token.
  - 13. The plug-and-play secure token of claim 9 wherein the host computer is a local host computer or a remote computer connected to the secure token over a network via a local host computer.
  - 14. The plug-and-play secure token of claim 9 wherein the first type is a category of devices for providing user input to a computer and wherein devices of the second type are typically devices for storing or retrieving a computer data files to or from a token.
  - 15. The plug-and-play secure token of any of claim 9 wherein devices of the first type are USB human-interface devices, wherein the step of enumerating the secure token as a device of a first type comprises enumerating the secure token as USB human-interface device, wherein devices of the second type are USB mass storage devices and wherein the logic to enumerate the secure token as a device of a second type comprises logic to enumerate the secure token as USB mass storage device.
  - 16. The plug-and-play secure token of claim 15 wherein the logic to operate the secure token to transmit a message of the first type indicative of the availability of data in a data buffer comprises a USB HID in report message.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Gemalto SA (Thales SA)
Original Assignee
Gemalto SA (Thales SA)
Inventors
Durand, Stephane, Castillo, Laurent, Ali, Asad, Dolph, Ed, HongQian, Lu Karen
Primary Examiner(s)
Arani, Taghi
Assistant Examiner(s)
CHANG, KENNETH W

Application Number

US12/525,625
Publication Number

US 20100146279A1
Time in Patent Office

2,083 Days
Field of Search

713/172
US Class Current

713/172
CPC Class Codes

G06F 13/10   Program control for periphe...

G06F 21/34   involving the use of extern...

H04L 9/0877   using additional device, e....

H04L 9/0891   Revocation or update of sec...

H04L 9/0897   involving additional device...

Method and system for communication between a USB device and a USB host

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

20 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for communication between a USB device and a USB host

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

20 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links