Universal serial bus selective encryption

US 8,984,580 B2
Filed: 08/01/2008
Issued: 03/17/2015
Est. Priority Date: 10/05/2007
Status: Active Grant

First Claim

Patent Images

1. A server configured to interact with a remote USB device comprising:

an interface to receive an identifying message from a remote client associated with the remote USB device to a security policy engine, wherein the identifying message includes a USB transfer descriptor associated with the remote USB device;

the security policy engine, configured to;

identify the remote USB device based at least in part on the USB transfer descriptor provided in the received identifying message; and

determine a security policy for the remote USB device based at least in part on the identity of the remote USB device; and

the interface, further configured to transmit a policy message comprising the determined security policy from the security policy engine to the remote client,wherein USB data traffic between the remote client and the server is selectively encrypted by the remote client based at least in part on the security policy,wherein the server transmits an instruction comprising a set of parameters which includes at least one of a width of a data bus, an analog or digital overcurrent detection, and a device-specific hardware configuration, to a host controller of the remote client for initializing the host controller before the remote USB device is detected, andwherein the security policy engine is a hardware processor.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method to interact with a remote USB device is disclosed. An identifying message is received from a remote client associated with the remote USB device. The remote USB device is identified based at least in part on the identifying message from the remote client. A security policy is determined for the remote USB device. A policy message is transmitted to the remote client for selectively implementing the security policy of the remote USB device. A method to interact with a local USB device is disclosed. An identifying message is determined by performing a host controller service for the local USB device. The identifying message is transmitted to a server. A policy message is received from the server for selectively implementing a security policy on the local USB device. The security policy is regarded and configuring the host controller service.

Citations

42 Claims

1. A server configured to interact with a remote USB device comprising:
- an interface to receive an identifying message from a remote client associated with the remote USB device to a security policy engine, wherein the identifying message includes a USB transfer descriptor associated with the remote USB device;
  
  the security policy engine, configured to;
  
  identify the remote USB device based at least in part on the USB transfer descriptor provided in the received identifying message; and
  
  determine a security policy for the remote USB device based at least in part on the identity of the remote USB device; and
  
  the interface, further configured to transmit a policy message comprising the determined security policy from the security policy engine to the remote client,wherein USB data traffic between the remote client and the server is selectively encrypted by the remote client based at least in part on the security policy,wherein the server transmits an instruction comprising a set of parameters which includes at least one of a width of a data bus, an analog or digital overcurrent detection, and a device-specific hardware configuration, to a host controller of the remote client for initializing the host controller before the remote USB device is detected, andwherein the security policy engine is a hardware processor.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 2. A server as recited in claim 1, wherein the security policy is refined on a transaction by transaction basis.
  - 3. A server as recited in claim 1, wherein the security policy includes a policy to determine which messages to encrypt.
  - 4. A server as recited in claim 1, wherein the security policy includes a policy to determine which unencrypted messages to reject.
  - 5. A server as recited in claim 1, wherein the security policy includes an encryption scheme.
  - 6. A server as recited in claim 1, wherein the security policy includes a public key encryption scheme.
  - 7. A server as recited in claim 1, wherein the security policy includes a symmetric key encryption scheme.
  - 8. A server as recited in claim 1, wherein the policy message selectively implements the security policy for a remote USB device with a specified transfer descriptor index.
  - 9. A server as recited in claim 1, wherein the interface is further configured to selectively not implement the security policy on the remote USB device.
  - 10. A server as recited in claim 1, wherein the security policy is selectively not implemented for a USB configuration of the remote USB device.
  - 11. A server as recited in claim 1, wherein the remote USB device includes a keyboard.
  - 12. A server as recited in claim 1, wherein the remote USB device includes a keyboard and wherein the security policy is selectively not implemented for a keyboard configuration for predetermination of extracted information of a keyboard transfer descriptor.
  - 13. A server as recited in claim 1, wherein the remote USB device includes a mass storage device.
  - 14. A server as recited in claim 1, wherein the remote USB device includes a mass storage device, and wherein the security policy is selectively implemented for a subset of files on the mass storage device.
  - 15. A server as recited in claim 1, wherein the remote USB device includes a mass storage device, and wherein the security policy is selectively not implemented for a subset of directories on the mass storage device.
  - 16. A server as recited in claim 1, wherein the remote USB device includes a mass storage device, and wherein the security policy is selectively not implemented for a subset of operations on the mass storage device.
  - 17. The server as recited in claim 1, wherein the security policy engine selects the security policy from at least two security policies based on a type of the USB transfer descriptor.
  - 18. The server as recited in claim 1, wherein the security policy engine further identifies a state of the remote USB device based on the received identifying message and wherein the security policy engine selects the security policy from at least two security policies further based on the identified state of the remote USB device.
  - 19. The server as recited in claim 1, wherein the security policy identifies type of access to encrypt for the same remote USB device such that a first transaction between the remote server and the remote client, which is a first type of access, is encrypted and a second transaction between the same remote server and the same remote client, which is a second type of access different from the first type of access, is not encrypted.
  - 20. The server as recited in claim 1, wherein prior to the host controller detecting the remote USB device, the server transmits a series of instructions to the host controller for initializing a USB bus to which the remote USB device can be connected.
  - 21. The server as recited in claim 1, wherein the security policy comprises identifying memory space access to which is to be encrypted and a particular type of USB transfer to be encrypted.

22. A client configured to interact with a local USB device comprising:
- a host controller, coupled to the local USB device, configured to be initialized upon receiving an instruction comprising a set of parameters which includes at least one of a width of a data bus, an analog or digital overcurrent detection, and a device-specific hardware configuration from a server before the local USB device is detected;
  
  a security policy engine, coupled to the host controller;
  
  an interface, configured to;
  
  send an identifying message to the server, the identifying message includes a USB transfer descriptor associated with the local USB device; and
  
  receive a policy message comprising a security policy from the server, the security policy being determined by the server based on the USB transfer descriptor;
  
  wherein the security policy engine is configured to;
  
  regard the policy message and configure the host controller; and
  
  selectively encrypt USB data traffic between the remote client and the server based at least in part on the security policy.
- View Dependent Claims (23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39)
- - 23. A client as recited in claim 22, wherein the host controller includes a memory protected by the security policy.
  - 24. A client as recited in claim 22, wherein the host controller includes a memory protected by the security policy based on the memory address.
  - 25. A client as recited in claim 22, wherein the security policy is refined on a transaction by transaction basis.
  - 26. A client as recited in claim 22, wherein the security policy includes a policy to determine which messages to encrypt.
  - 27. A client as recited in claim 22, wherein the security policy includes a policy to determine which unencrypted messages to reject.
  - 28. A client as recited in claim 22, wherein the security policy includes an encryption scheme.
  - 29. A client as recited in claim 22, wherein the security policy includes a public key encryption scheme.
  - 30. A client as recited in claim 22, wherein the security policy includes a symmetric key encryption scheme.
  - 31. A client as recited in claim 22, wherein the policy message selectively implements the security policy for the local USB device with a specified transfer descriptor index.
  - 32. A client as recited in claim 22, wherein the security policy is selectively not implemented for a USB configuration of the local USB device.
  - 33. A client as recited in claim 22, wherein the local USB device includes a keyboard.
  - 34. A client as recited in claim 22, wherein the local USB device includes a keyboard and wherein the security policy is selectively not implemented for a keyboard configuration for predetermination of extracted information of a keyboard transfer descriptor.
  - 35. A client as recited in claim 22, wherein the local USB device includes a mass storage device.
  - 36. A client as recited in claim 22, wherein the local USB device includes a mass storage device, and wherein the security policy is selectively implemented for a subset of files on the mass storage device.
  - 37. A client as recited in claim 22, wherein the local USB device includes a mass storage device, and wherein the security policy is selectively not implemented for a subset of directories on the mass storage device.
  - 38. A client as recited in claim 22, wherein the local USB device includes a mass storage device, and wherein the security policy is selectively not implemented for a subset of operations on the mass storage device.
  - 39. A client as recited in claim 22, wherein the security policy engine configures the host controller to interact with the local USB device if and only if the local USB device regards the security policy and otherwise reject interaction.

40. A method to interact with a remote USB device comprising:
- receiving an identifying message from a remote client associated with the remote USB device, wherein the identifying message includes a USB transfer descriptor associated with the remote USB device;
  
  identifying the remote USB device based at least in part on the USB transfer descriptor provided in the received identifying message;
  
  determining a security policy for the remote USB device based at least in part on the identity of the remote USB device; and
  
  transmitting a policy message comprising the determined security policy to the remote clientwherein USB data traffic between the remote client and a server is selectively encrypted by the remote client based at least in part on the security policy, andwherein the server transmits an instruction comprising a set of parameters which includes at least one of a width of a data bus, an analog or digital overcurrent detection, and a device-specific hardware configuration, to a host controller of the remote client for initializing the host controller before the remote USB device is detected.

41. A method to interact with a local USB device comprising:
- initializing a host controller upon receiving an instruction comprising a set of parameters which includes at least one of a width of a data bus, an analog or digital overcurrent detection, and a device-specific hardware configuration, from a server before the local USB device is detected;
  
  determining an identifying message by performing a host controller service for the local USB device, wherein the identifying message includes a USB transfer descriptor associated with the local USB device;
  
  transmitting the identifying message to a server;
  
  receiving a policy message comprising a security policy from the server, the security policy being determined by the server based on the USB transfer descriptor; and
  
  configuring the host controller service; and
  
  selectively encrypting USB data traffic to and from the server based at least in part on the security policy.

42. A server configured to interact with a remote USB device comprising:
- an interface to receive an identifying message from a remote client associated with the remote USB device to a security policy engine, wherein the identifying message includes a USB transfer descriptor associated with the remote USB device;
  
  the security policy engine, configured to;
  
  identify the remote USB device based at least in part on the USB transfer descriptor provided in the received identifying message; and
  
  determine a security policy for the remote USB device based at least in part on the identity of the remote USB device; and
  
  the interface, further configured to transmit a policy message comprising the determined security policy from the security policy engine to the remote client, wherein the remote client is configured to;
  
  implement the received security policy on the remote USB device; and
  
  selectively encrypt USB data traffic from the remote client to the server based at least in part on the security policy,wherein the security policy engine determines the security policy from among at least two security policies,wherein the at least two security policies comprise a plurality of stored registers comprising;
  
  a first register to flag whether a particular isochronous USB transfer is to be encrypted;
  
  a second register to flag whether a particular interrupt USB transfer is to be encrypted;
  
  a third register to flag whether a particular bulk or Asynchronous Transfer List is to be encrypted; and
  
  a fourth register to select when access of registers and memory space of the remote client is to be encrypted, andwherein the security policy further comprises type of access to be protected, andwherein the security policy engine is a hardware processor.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Samsung Electronics Co. Ltd.
Original Assignee
Samsung Electronics Co. Ltd.
Inventors
Bunger, Nils, Orady, Aly E., Debski, Matthew B., Garg, Pankaj, Kilani, Dali, Khubchandani, Teju, Choudhury, Himadri
Primary Examiner(s)
LE, CHAU D

Application Number

US12/221,403
Publication Number

US 20090094672A1
Time in Patent Office

2,419 Days
Field of Search

726/1, 726/2, 726/4
US Class Current

726/1
CPC Class Codes

G06F 13/102   where the programme perform...

G06F 21/606   by securing the transmissio...

G06F 3/038   Control and interface arran...

H04L 69/18   Multiprotocol handlers, e.g...

Y02D 10/00   Energy efficient computing,...

Universal serial bus selective encryption

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

42 Claims

Specification

Solutions

Use Cases

Quick Links

Universal serial bus selective encryption

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

42 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links