Auditable cryptographic protected cloud computing communications system

  • US 8,898,481 B1
  • Filed: 03/04/2014
  • Issued: 11/25/2014
  • Est. Priority Date: 07/18/2012
  • Status: Active Grant
First Claim

1. An auditable cryptographic protected cloud computing communication system comprising:

  • a. a plurality of industrial devices, wherein each industrial device has an individualized messaging protocol enabling each industrial device to receive commands and transmit status and measurement data using the individualized messaging protocol for each industrial device;

  • b. a computing cloud in communication with the plurality of industrial devices, wherein the computing cloud provides at least one data storage service, shared hardware resources, and shared software applications to each of the plurality of industrial devices, and wherein the shared hardware resources comprise:

    (i) one or more data storages;

    (ii) one or more processors; and

    (iii) one or more enterprise servers having an enterprise processor, wherein the enterprise processor is in communication with an enterprise data storage, one or more data storages in the computing cloud, or combinations thereof, wherein the enterprise server communicates in each individualized messaging protocol of each industrial device using in-band and out-of-band messages; and

  • c. a plurality of physical cryptographic modules, each physical cryptographic module comprising:

    (i) a physical cryptographic module processor;

    (ii) a physical cryptographic module data storage; and

    (iii) at least one of: a non-removable, non-over-writable public key installed in the physical cryptographic module data storage, and a non-removable, non-over-writable digest of a public key installed in the physical cryptographic module data storage;

    wherein the plurality of physical cryptographic modules are disposed between the enterprise server in the computing cloud and each industrial device for communicating in-band messages to each industrial device using the messaging protocol of each industrial device; and

    further wherein each physical cryptographic module will, for each industrial device:

      1. authenticate individual unique digital signatures resident in each of a boot loader, an operating system, and an applicational firmware, wherein the boot loader, the operating system, and the applicational firmware are resident in one or more data storages in the computing cloud;

      2. compute a digest for each of the boot loader, the operating system, and the applicational firmware by using a hash function, thereby creating a computed digest;

      3. decrypt the digital signature resident in each of the boot loader, the operating system, and the applicational firmware to produce a second digest by using the non-removable, non-over-writable public electronic key for each of the boot loader, the operating system, and the applicational firmware respectively;

      4. compare each second digest of the boot loader, the operating system and the applicational firmware to each computed digest of the boot loader, the operating system and the applicational firmware respectively;

      5. allow the boot loader to run on one of the processors in the computing cloud if the computed digest for the boot loader and the second digest for the boot loader match;

      6. allow the operating system to run on one of the processors in the computing cloud if the computed digest for the operating system and the second digest for the operating system match;

      7. allow the applicational firmware to run on one of the processors in the computing cloud if the computed digest for the applicational firmware and the second digest for the applicational firmware match; and

      8. terminate cloud computing processes associated with the boot loader, the operating system and the applicational firmware respectively when any computed digest does not match the second digest for the boot loader, the operating system and the applicational firmware respectively;

    (iv) wherein each physical cryptographic module comprises:

      1. computer instructions to receive in-band plain text status and measurement data in the individualized messaging protocol of the industrial device in communication therewith;

      2. computer instructions to transmit in-band decrypted commands to the industrial device in communication therewith;

      3. computer instructions for providing encrypted messaging both in-band and out-of-band from the industrial device in communication therewith, using the individualized messaging protocol of the industrial device; and

      4. computer instructions to generate cryptographic keys; and

  • d. a plurality of virtual cryptographic modules resident in one of the processors of the computing cloud, each virtual cryptographic module comprising:

    (i) computer instructions for receiving bidirectional out-of-band plain text commands during start up to the physical cryptographic module;

    (ii) computer instructions for sending bidirectional in-band plain text and status and measurement data during start up from the physical cryptographic module;

    (iii) computer instructions for receiving bidirectional out-of-band encrypted commands to the physical cryptographic module;

    (iv) computer instructions for sending bidirectional in-band encrypted status and measurement data from the physical cryptographic module;

    (v) computer instructions to transmit encrypted collected log information to the enterprise server;

    (vi) computer instructions to transmit decrypted status and measurement data in the messaging protocol of the industrial device from the industrial device to the enterprise server;

    (vii) computer instructions to monitor, configure, and reconfigure online and on demand, continuously, the plurality of physical cryptographic modules, simultaneously;

    (viii) computer instructions to monitor, configure, and reconfigure online and on demand, continuously, at least one of the plurality of virtual cryptographic modules, simultaneously;

    (ix) computer instructions to generate cryptographic keys for digital signatures in authentication certificates and cryptographic key exchanges;

    (x) computer instructions to create cryptographic communication sessions between the plurality of virtual cryptographic modules and the plurality of physical cryptographic modules, without human intervention, allowing cloud computing based encryption and decryption of plain text commands, status and measurement data, messages, log information, and alarm messages without turning off any operating industrial devices, and without turning off the enterprise server in the computing cloud, and while creating an auditable communication pathway from the enterprise server in the computing cloud to operating industrial devices;

    (xi) computer instructions for bidirectional plain text setting information to at least one cryptographic pipe of the plurality of the cryptographic pipes;

    (xii) a library of virtual and physical cryptographic module settings; and

    (xiii) computer instructions to schedule generation of cryptographic keys by the virtual cryptographic module, by the physical cryptographic module, or combinations thereof, using cryptographic time outs; and

    wherein at least one cryptographic pipe of the plurality of cryptographic pipes communicates with at least one virtual cryptographic module of the plurality of virtual cryptographic modules.
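The verification sequence in element c, steps 1 to 8, modelled as an added example that is not part of the patent or of any product it covers: a pinned public key (or, per element c(iii), a pinned digest of that key), a SHA-256 computed digest of each image, the signature "decrypted" with the public key to a second digest, a comparison, and termination at the first mismatch so that nothing later in the chain runs. The RSA key pair is a constructed toy (Mersenne primes, no padding) used only so the example runs offline; the function names, the three sample images and the tampered variant are assumptions, not anything the patent specifies.

```python
import hashlib
# Constructed toy RSA pair (Mersenne primes, no padding): NOT secure, it only
# lets the example run offline. (n, e) plays the module's burned-in public key.
_P, _Q, _E = (1 << 127) - 1, (1 << 521) - 1, 65537
_N = _P * _Q
_D = pow(_E, -1, (_P - 1) * (_Q - 1))   # vendor's private exponent, never in the module
PINNED_PUBLIC_KEY = (_N, _E)            # "non-removable, non-over-writable public key"

def digest(blob: bytes) -> int:
    return int.from_bytes(hashlib.sha256(blob).digest(), "big")  # step 2: computed digest

def key_digest(pub_key) -> str:
    """The claim's alternative: the module pins only a digest of the public key."""
    n, e = pub_key
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big") + e.to_bytes(4, "big")
    return hashlib.sha256(raw).hexdigest()

PINNED_KEY_DIGEST = key_digest(PINNED_PUBLIC_KEY)

def sign(blob: bytes) -> int:
    """Vendor side, outside the module: textbook-RSA-sign the image digest."""
    return pow(digest(blob), _D, _N)

def recover_digest(signature: int, pub_key) -> int:
    """Step 3: 'decrypt' the signature with the public key -> second digest."""
    n, e = pub_key
    return pow(signature, e, n)

def verify_boot_chain(components, pub_key=PINNED_PUBLIC_KEY):
    """Steps 1-8 over (name, image, signature) triples in boot order; returns
    (allowed_names, terminated_name), terminated_name being None on success."""
    allowed = []
    for name, image, signature in components:
        if recover_digest(signature, pub_key) != digest(image):  # step 4: compare digests
            return allowed, name                                 # step 8: terminate, fail closed
        allowed.append(name)                                     # steps 5-7: allow to run
    return allowed, None

# Constructed sample images for the three components the claim names.
IMAGES = (("boot loader", b"bootloader v1 (constructed)"),
          ("operating system", b"rtos v3 (constructed)"),
          ("applicational firmware", b"pump controller fw 2.1 (constructed)"))

def signed_chain():
    return [(name, img, sign(img)) for name, img in IMAGES]

def tampered_chain():  # same signatures, but the OS image was altered after signing
    chain = signed_chain()
    name, img, sig = chain[1]
    return [chain[0], (name, img + b"#patched", sig), chain[2]]
```

With the tampered chain only the boot loader is allowed to run; the operating system fails step 4 and the firmware is never reached, which is the fail-closed ordering the claim's step 8 describes.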

  • 2 Assignments