Trusted storage and display

US 8,914,901 B2
Filed: 01/11/2008
Issued: 12/16/2014
Est. Priority Date: 01/11/2008
Status: Active Grant

First Claim

Patent Images

1. A storage token comprising:

a first bus;

a port configured to connect the storage token to a computer via the first bus, the port supporting bi-directional data communication with the computer over the first bus;

a memory configured to store a hierarchical file system of the storage token;

a display;

an input;

a processor executing a token operating system configured to;

receive, from the computer, a request for access to a hierarchical memory location within the hierarchical file system of the storage token;

present, on the display;

the request for access received from the computer on the display of the storage token, the request being displayed with a depiction of the hierarchical memory location within the hierarchical file system of the storage token;

a confirmation message that the request for access to the hierarchical memory location is verified; and

an instruction for a user to approve or deny the request for access to the hierarchical memory location within the hierarchical file system of the storage token; and

a second bus separate from the first bus, the second bus being configured to connect the display, the input, and the processor executing the token operating system.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A storage token has a display and a keyboard, or other input device, that allows a user to view a request to access a memory location and enter a response to the request. The display allows presentation of details of the request, such as a pathname to a requested memory location, metadata describing a cryptographic key for use in a transaction confirmation, and/or transaction details which are awaiting verification by a credential stored on the token. The storage token may also include a cryptographic engine and a secure memory allowing signing data returned in response to the request.

9 Citations

27 Claims

1. A storage token comprising:
- a first bus;
  
  a port configured to connect the storage token to a computer via the first bus, the port supporting bi-directional data communication with the computer over the first bus;
  
  a memory configured to store a hierarchical file system of the storage token;
  
  a display;
  
  an input;
  
  a processor executing a token operating system configured to;
  
  receive, from the computer, a request for access to a hierarchical memory location within the hierarchical file system of the storage token;
  
  present, on the display;
  
  the request for access received from the computer on the display of the storage token, the request being displayed with a depiction of the hierarchical memory location within the hierarchical file system of the storage token;
  
  a confirmation message that the request for access to the hierarchical memory location is verified; and
  
  an instruction for a user to approve or deny the request for access to the hierarchical memory location within the hierarchical file system of the storage token; and
  
  a second bus separate from the first bus, the second bus being configured to connect the display, the input, and the processor executing the token operating system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The storage token of claim 1, wherein the hierarchical memory location contains a computer operating system element and the token operating system is configured to send the computer operating system element from the storage token to the computer via the port.
  - 3. The storage token of claim 2, wherein the computer operating system element comprises a signed version of an operating system function that is loaded from the storage token by the computer over another version of the operating system function existing on the computer.
  - 4. The storage token of claim 1, wherein the hierarchical memory location contains a cryptographic key.
  - 5. The storage token of claim 1, wherein the port is a wireless port.
  - 6. The storage token of claim 1, wherein the display is a bitmapped display configured to support graphical images.
  - 7. The storage token of claim 1, further comprising a cryptographic engine that is configured to perform at least one of a hash, an encryption, and a decryption.
  - 8. The storage token of claim 1, further comprising an energy device for operation of the display and the input while the storage token is removed from the computer.
  - 9. The storage token of claim 8, wherein the energy device is one or more of a battery, a capacitor, or a solar energy device.
  - 10. The storage token of claim 1, wherein the depiction displayed on the display comprises a pathname of the hierarchical memory location.

11. A method performed by a storage token having a processor and a user interface integral to the storage token, the method comprising:
- detecting that the storage token is connected to a host at a first time;
  
  while the storage token is connected to the host at the first time, accepting a request for access to the storage token from the host;
  
  displaying the request for access to the storage token on the user interface, including displaying a reference to a type of the request;
  
  detecting that the storage token has been disconnected from the host;
  
  while the storage token is disconnected from the host, receiving an instruction via the user interface of the storage token, the instruction corresponding to the request;
  
  detecting that the storage token is connected to the host at a second time after receiving the instruction; and
  
  providing, to the host, a signed response to the request for access.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19)
- - 12. The method of claim 11, wherein accepting the request for access comprises accepting the request for access to a cryptographic key for digitally signing the request.
  - 13. The method of claim 11, wherein accepting the request for access comprises accepting the request for access to a hierarchical memory location.
  - 14. The method of claim 13, wherein providing the signed response to the host comprises:
    - retrieving a content of the hierarchical memory location;
      
      signing the content to form a signed content; and
      
      returning the signed content.
  - 15. The method of claim 11, further comprising:
    - when the instruction is to deny a transaction with the host, indicating via the signed response that the transaction is denied.
  - 16. The method of claim 11, wherein displaying the request for access including the reference to the type comprises displaying a pathname to a file location within a hierarchical file system of the storage token.
  - 17. The method according to claim 11, further comprising:
    - while the storage token is connected to the host at the first time, causing the host to display an instruction for the user to disconnect the storage token from the host.
  - 18. The method of claim 11, wherein the storage token is physically connected to the host at the first time and the second time.
  - 19. The method of claim 11, wherein the storage token is wirelessly connected to the host at the first time and the second time.

20. A storage token comprising:
- a processor;
  
  computer-readable storage storing executable instructions and a plurality of cryptographic keys;
  
  a display; and
  
  a cryptographic unit,wherein the executable instructions cause the processor to;
  
  create a session when the storage token is coupled to a computer;
  
  receive a request via the session for access to the computer-readable storage, the request identifying an individual cryptographic key stored on the computer-readable storage of the storage token;
  
  display the request, including an identifier of the individual cryptographic key identified by the request for access to the computer-readable storage of the storage token;
  
  receive a personal identification number (PIN);
  
  verify that the PIN corresponds to an authorized entity;
  
  retrieve data corresponding to the request when the PIN is verified;
  
  cause the cryptographic unit to sign the data to form signed data; and
  
  respond to the request with the signed data.
- View Dependent Claims (21, 22)
- - 21. The storage token of claim 20, wherein the executable instructions further cause the processor to:
    - store session authentication data in an instance when the storage token is coupled to the computer; and
      
      after the storage token is decoupled from the computer and then recoupled to the computer, reestablish the session using the session authentication data.
  - 22. The storage token of claim 20, wherein the executable instructions further cause the processor to cause the cryptographic unit to sign the data with the individual cryptographic key identified by the request.

23. A storage token comprising:
- a user interface;
  
  a processor; and
  
  computer-readable storage storing executable instructions that cause the processor to;
  
  detect that the storage token is connected to a host at a first time;
  
  while the storage token is connected to the host at the first time, accept a request for access to the storage token from the host;
  
  display the request for access to the storage token on the user interface;
  
  detect that the storage token has been disconnected from the host;
  
  while the storage token is disconnected from the host, receive an instruction via the user interface of the storage token, the instruction corresponding to the request;
  
  detect that the storage token is connected to the host at a second time after receiving the instruction; and
  
  provide, to the host, a signed response to the request for access.
- View Dependent Claims (24, 25, 26, 27)
- - 24. The storage token of claim 23, wherein the computer-readable storage comprises a storage memory and a separate secure memory storing cryptographic keys.
  - 25. The storage token of claim 24, wherein the executable instructions cause the processor to use an individual cryptographic key from the secure memory to create the signed response.
  - 26. The storage token of claim 23, further comprising a wired communication port configured to physically connect to the host.
  - 27. The storage token of claim 23, further comprising a wireless communication port configured to wirelessly connect to the host.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Steeves, David, Carpenter, Todd L., Abzarian, David, Hartrell, Gregory, Myers, Mark
Primary Examiner(s)
GOODCHILD, WILLIAM J

Application Number

US11/972,620
Publication Number

US 20090183249A1
Time in Patent Office

2,531 Days
Field of Search

726/28
US Class Current

726/28
CPC Class Codes

G06F 21/79   in semiconductor storage me...

G06F 2221/2153   Using hardware token as a s...

Y04S 40/20   Information technology spec...

Trusted storage and display

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

9 Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Trusted storage and display

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

9 Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links