Trusted data relay

US 9,235,731 B2
Filed: 10/16/2013
Issued: 01/12/2016
Est. Priority Date: 10/16/2012
Status: Active Grant

First Claim

Patent Images

1. A secure communication system comprising:

an input apparatus configured to receive at least partially encrypted data from an endpoint device, the at least partially encrypted data including an identifier of the endpoint device;

a key storage including decryption keys stored in association with device identifiers;

decryption/authentication logic configured to decrypt the at least partially encrypted data to a decrypted output, using a decryption key retrieved from the key storage, the retrieval using the identifier of the endpoint device;

a remote service connector configured to forward the decrypted output to a remote computing system, and to receive a communication from the remote computing system, the received communication being in response to the forwarded decrypted output; and

an endpoint connector configured to forward the received communication from the remote computing system to a less secure part of the endpoint device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Secure communication of user inputs is achieved by isolating part of an endpoint device such that certificates and encryption keys are protected from corruption by malware. Further, the communication is passed through a trusted data relay that is configured to decrypt and/or certify the user inputs encrypted by the isolated part of the endpoint device. The trusted data relay can determine that the user inputs were encrypted or certified by the protected certificates and encryption keys, thus authenticating their origin within the endpoint device. The trusted data relay then forwards the inputs to an intended destination. In some embodiments, the isolated part of the endpoint device is configured to detect input created by auto-completion logic and/or spell checking logic.

Citations

22 Claims

1. A secure communication system comprising:
- an input apparatus configured to receive at least partially encrypted data from an endpoint device, the at least partially encrypted data including an identifier of the endpoint device;
  
  a key storage including decryption keys stored in association with device identifiers;
  
  decryption/authentication logic configured to decrypt the at least partially encrypted data to a decrypted output, using a decryption key retrieved from the key storage, the retrieval using the identifier of the endpoint device;
  
  a remote service connector configured to forward the decrypted output to a remote computing system, and to receive a communication from the remote computing system, the received communication being in response to the forwarded decrypted output; and
  
  an endpoint connector configured to forward the received communication from the remote computing system to a less secure part of the endpoint device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The system of claim 1, further comprising encryption logic configured to encrypt the received communication forwarded by the endpoint connector.
  - 3. The system of claim 1, wherein the at least partially encrypted data includes encrypted metadata and certified input data.
  - 4. The system of claim 1, wherein the at least partially encrypted data includes encrypted metadata and includes encrypted data resulting from user input.
  - 5. The system of claim 1, wherein the decryption/authentication logic is configured to authenticate a non-encrypted part of the at least partially encrypted data.
  - 6. The system of claim 1, wherein the decryption/authentication logic is configured to authenticate that the at least partially encrypted data was encrypted in a secure part of the endpoint device.
  - 7. The system of claim 1, wherein the at least partially encrypted data includes encrypted input data.
  - 8. The system of claim 1, wherein the decryption/authentication logic is configured to block the forwarding of the decrypted output if the at least partially encrypted data is not authenticated to have been encrypted in a secure part of the endpoint device.
  - 9. The system of claim 1, wherein the decryption/authentication logic is configured to block the forwarding of the decrypted output if the at least partially encrypted data is not authenticated to have been certified in a secure part of the endpoint device.
  - 10. The system of claim 1, wherein the decryption/authentication logic is configured to block forwarding of a non-encrypted part of the at least partially encrypted input, if the non-encrypted part of does not include a digital signature of a secure part of the endpoint device.
  - 11. The system of claim 1, wherein the decryption/authentication logic is configured to retrieve an account status associated with the endpoint device and to control the forwarding of the received communication based on the account status.
  - 12. The system of claim 1, further comprising account storage configured to store an identifier of the remote computing system in association with an identifier of the endpoint device.
  - 13. The system of claim 1, further comprising account storage configured to store a plurality of identifiers of different endpoint devices, the identifiers being stored in association with an identifier of the remote computing system.
  - 14. The system of claim 1, further comprising account storage configured to store login information configured for accessing the remote computing system, the login information being stored in association with an identifier of the endpoint device.
  - 15. The system of claim 1, further comprising account storage configured to store a plurality of identifiers of different endpoint devices, the identifiers being stored in association with an identifier of the remote computing system.
  - 16. The system of claim 1, further comprising device data storage configured to store data configured to verify a digital signature of a certificate included in a secure portion of the endpoint device.

17. A secure communication system comprising:
- a first I/O configured in hardware and configured to receive at least partially encrypted or at least partially certified data from a secure portion of a computing system, the at least partially encrypted or certified data including an identifier of the computing device and including a user input to the computing system;
  
  a storage including decryption keys or certification data stored in association with device identifiers;
  
  encryption/authentication logic configured to decrypt or authenticate the at least partially encrypted or certified data using a decryption key or certification data retrieved from the storage, the retrieval using the identifier of the computing system; and
  
  a second I/O configured in hardware and configured to forward the decrypted output to a remote computing system.
- View Dependent Claims (18, 19, 20, 21, 22)
- - 18. The secure communication system of claim 17, wherein the second I/O is further configured:
    - to receive a communication from the remote computing system, the received communication being in response to the forwarded decrypted input; and
      
      logic configured to forward the received communication from the remote computing system to a less secure portion of the computing system, using the first I/O.
  - 19. The secure communication system of claim 17, wherein the at least partially encrypted or at least partially certified data includes metadata configured to identify a form field and the metadata is associated with an input to the form field.
  - 20. The secure communication system of claim 19, wherein the metadata is encrypted.
  - 21. The secure communication system of claim 19, wherein the input to the form field is encrypted.
  - 22. The secure communication system of claim 17, further including information configured for logging into the remote computing system, the information configured for logging into the remote computing system being stored in association with the identifier of the computing system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Truedata Systems Incorporated
Original Assignee
Truedata Systems Incorporated
Inventors
Lloyd, James, Eynon, Michael, Sinclair, Peter
Primary Examiner(s)
Mehedi, Morshed

Application Number

US14/055,861
Publication Number

US 20140108821A1
Time in Patent Office

818 Days
Field of Search

713/189
US Class Current

1/1
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/602   Providing cryptographic fac...

G06F 21/83   input devices, e.g. keyboar...

G06F 21/84   output devices, e.g. displa...

H04L 63/0823   using certificates cryptogr...

H04L 63/10   for controlling access to d...

H04L 63/105   Multiple levels of security

H04L 9/3247   involving digital signatures

Trusted data relay

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Trusted data relay

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links