Trusted security zone communication addressing on an electronic device

US 9,191,388 B1
Filed: 03/15/2013
Issued: 11/17/2015
Est. Priority Date: 03/15/2013
Status: Active Grant

First Claim

Patent Images

1. A method of communicating with a computing device having a trusted security zone, the method comprising:

mapping a unique identifier for a computing device with a trust zone access control address, wherein the computing device comprises a normal security zone and a trusted security zone providing hardware assisted security that is separate from the normal security zone, wherein the trust zone access control address is unique to a hardware component of the trusted security zone within the computing device, and wherein when an application executes in the trusted security zone of the computing device, applications that are configured to execute in the normal security zone are prevented from executing on the computing device;

composing, by a source external to the computing device, a message comprising the trust zone access control address, wherein the trust zone access control address is not discoverable from the computing device, and wherein the trusted zone access control address is different from the unique identifier;

routing the message to the computing device based on the unique identifier, wherein the message is internally routed to the trusted security zone within the computing device using the trust zone access control address, and wherein the message is received by an application executing in the trusted security zone of the computing device;

providing a second message to a second application on the computing device executing in the trusted security zone subsequent to routing;

obtaining a response from the second application on computing device; and

determining that the message was routed to the trusted security zone based on the response obtained from the second application.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of communicating with a computing device having a trusted security zone comprises mapping a unique identifier for a computing device with a trust zone access control (TZAC) address, composing a message comprising the trust zone access control address, and routing the message to the computing device based on the unique identifier. The computing device comprises a normal security zone and a trusted security zone that is separate from the normal security zone, and the trust zone access control address is a unique identifier associated with a hardware component of the trusted security zone within the computing device. The message is internally routed to the trusted security zone within the computing device using on the trust zone access control address.

425 Citations

19 Claims

1. A method of communicating with a computing device having a trusted security zone, the method comprising:
- mapping a unique identifier for a computing device with a trust zone access control address, wherein the computing device comprises a normal security zone and a trusted security zone providing hardware assisted security that is separate from the normal security zone, wherein the trust zone access control address is unique to a hardware component of the trusted security zone within the computing device, and wherein when an application executes in the trusted security zone of the computing device, applications that are configured to execute in the normal security zone are prevented from executing on the computing device;
  
  composing, by a source external to the computing device, a message comprising the trust zone access control address, wherein the trust zone access control address is not discoverable from the computing device, and wherein the trusted zone access control address is different from the unique identifier;
  
  routing the message to the computing device based on the unique identifier, wherein the message is internally routed to the trusted security zone within the computing device using the trust zone access control address, and wherein the message is received by an application executing in the trusted security zone of the computing device;
  
  providing a second message to a second application on the computing device executing in the trusted security zone subsequent to routing;
  
  obtaining a response from the second application on computing device; and
  
  determining that the message was routed to the trusted security zone based on the response obtained from the second application.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the computing device further comprises a plurality of trusted security zones and a plurality of trust zone access control addresses corresponding to each of the plurality of trusted security zones.
  - 3. The method of claim 1, further comprising:
    - receiving a request to send a message to the trusted security zone on the computing device, wherein the request comprises the unique identifier for the computing device; and
      
      verifying the request as being authorized to send to the computing device.
  - 4. The method of claim 1, wherein mapping the unique identifier with a trust zone access control address comprises:
    - sending the unique identifier to a data store;
      
      correlating the unique identifier with the trust zone access control address; and
      
      receiving a response comprising the trust zone access control address.
  - 5. The method of claim 1, wherein the unique identifier comprises at least one of:
    - the MAC address of a modem or radio transceiver on the device, a mobile equipment identifier, a mobile station identifier, a mobile directory number, a network access identifier, an electronic serial number, an international mobile equipment identity, a private IP address, a link layer address on a local area network, or any combination thereof.
  - 6. The method of claim 1, further comprising:
    - mapping the unique identifier with a public reference for the computing device, wherein the message further comprises the public reference, and where the message is routed to the computing device using the public reference.
  - 7. The method of claim 1, further comprising:
    - mapping the unique identifier with a private IP address for the computing device, wherein the message further comprises the private IP address, and where the message is routed to the computing device using the private IP address.
  - 8. The method of claim 1, further comprising:
    - mapping the unique identifier with a link layer address for the computing device, wherein the message further comprises the link layer address, and where the message is routed to the computing device using the link layer address.
  - 9. The method of claim 1, wherein the message further comprises a key, and wherein the method further comprises:
    - obtaining access to the trusted security zone using the key;
      
      composing a second message comprising the trust zone access control address and data;
      
      routing the second message to the computing device based on the unique identifier, wherein the second message is internally routed to the trusted security zone using the trust zone access control address, and wherein the data is provided to the trusted security zone based on the access to the trusted security zone.
  - 10. The method of claim 1, wherein the application executing in the trusted security zone configures the processor to perform one or more of:
    - provisioning a new application in the trusted security zone, changing a setting in the trusted security zone, storing information in the trusted security zone, restoring one or more components from the trusted security zone, replacing one or more components from the trusted security zone, or removing one or more components from the trusted security zone.

11. A method of communicating over a network, the method comprising:
- receiving, from an external device, a message at a computing device, wherein the message comprises a routing address, a trust zone access control address, and a key, wherein the computing device comprises a normal security zone and a trusted security zone providing hardware assisted security that is separate from the normal security zone, wherein the routing address comprises information configured to route the message to the computing device, wherein the trust zone access control address is unique to a hardware component of the trusted security zone within the computing device, and wherein when an application executes in the trusted security zone of the computing device, applications that are configured to execute in the normal security zone are prevented from executing on the computing device;
  
  internally providing the message to the trusted security zone based on the trust zone access control address, wherein the trust zone access control address is not discoverable from the computing device, and wherein the trust zone access control address is different from the routing address;
  
  initiating an execution of an application within the trusted security zone of the computing device using the key;
  
  preventing the execution of any applications in the normal security zone in response to initiating the application within the trusted security zone;
  
  receiving a second message comprise the trust zone access control address and data;
  
  internally providing the second message to the trusted security zone based on the trust zone access control address in the second message while the application is executing in the trusted security zone;
  
  processing the data in the second message within the trusted security zone;
  
  performing an action within the trusted security zone based on processing the data; and
  
  providing a third message to the external device from a second application executing in the trusted security zone, wherein the third message comprises information indicating that the second massage was routed to the trusted security zone.
- View Dependent Claims (12, 13, 14)
- - 12. The method of claim 11, wherein the message received at the computing device is encapsulated using one or more tokens or encryption keys.
  - 13. The method of claim 11, wherein the computing device comprises a modem, wherein the message is received by the modem, and wherein internally providing the message to the trusted security zone comprises:
    - extracting the trust zone access control address from the message, and internally routing the message to the trusted security zone using the extracted trust zone access control address.
  - 14. The method of claim 11, wherein performing the action within the trusted security zone comprises at least one of:
    - provisioning a new application in the trusted security zone, changing a setting in the trusted security zone, storing information in the trusted security zone, restoring information in the trusted security zone, replacing information in the trusted security zone, or removing information from the trusted security zone.

15. A computing device comprising:
- a modem;
  
  a processor, wherein the processor comprises a trusted security zone and a normal security zone, wherein the trusted security zone provides hardware assisted security;
  
  a memory comprising non-transitory storage;
  
  a trusted security zone application stored in the memory, that upon execution on the processor, configures at least the processor to;
  
  block access by other applications executing in the normal security zone of the processor from accessing the memory, reading inputs, and writing outputs while the trusted security zone application executes in the trusted security zone,accept a massage comprising a trust zone access control address from a source external to the computing device, wherein the trust zone access control address is not discoverable from the computing device,process the massage within the trusted security zone, and change information within the trusted security zone based on processing the massage within the trusted security zone; and
  
  the trust zone access control address encoded into at least one of the trusted security zone of the processor or a secure partition in the memory, wherein the trust zone access control address is unique to the at least one of the trusted security zone of the processor or the secure partition in the memory; and
  
  a first application stored in the memory, that upon execution by the processor, configures at least the processor to;
  
  receive a second massage from the source external to the computing device, invoke the first application in response to reception of the massage, wherein the first application executes in the trusted security zone, andprovide a response massage to the source subsequent to invocation of the trusted security zone, wherein the response massage comprises information that indicates that the information within the trusted security zone changed after the massage comprising the trust zone access control address is accepted.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The device of claim 15, further comprising:
    - a plurality of processors, wherein each processor of the plurality of processors comprises a trusted security zone and a normal security zone; and
      
      a plurality of trust zone access control addresses, wherein each trust zone access control address of the plurality of trust zone access control addresses is encoded in a corresponding processor of the plurality of processors.
  - 17. The device of claim 15, wherein the trust zone access control address is not capable of being changed.
  - 18. The device of claim 15, wherein the modem is configured to route a message received at the modem to the trusted security zone using the trust zone access control address contained in the message.
  - 19. The device of claim 15, wherein the trusted security zone application configures the processor to change the information within the trusted security zone by at least one of:
    - provisioning a new application in the trusted security zone, changing a setting in the trusted security zone, storing information in the trusted security zone based on the trust zone access control address, restoring one or more components from the trusted security zone, replacing one or more components from the trusted security zone, or removing one or more components from the trusted security zone.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
T-Mobile Innovations LLC (Deutsche Telekom AG)
Original Assignee
Sprint Communications Company LP (Deutsche Telekom AG)
Inventors
Paczkowski, Lyle W., Parsel, William M., Schlesener, Matthew C.
Primary Examiner(s)
Colin, Carl
Assistant Examiner(s)
Jamshidi, Ghodrat

Application Number

US13/844,145
Time in Patent Office

977 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/53   by executing in a restricte...

H04L 63/10   for controlling access to d...

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

H04L 67/303   Terminal profiles

H04L 67/63   Routing a service request d...

H04W 12/086   using security domains

H04W 12/128   Anti-malware arrangements, ...

H04W 12/71   Hardware identity

Trusted security zone communication addressing on an electronic device

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

425 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Trusted security zone communication addressing on an electronic device

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

425 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links