Secure communication architecture

US 9,275,257 B2
Filed: 10/16/2013
Issued: 03/01/2016
Est. Priority Date: 10/16/2012
Status: Active Grant

First Claim

Patent Images

1. A computing system comprising:

an input apparatus configured to receive an input from a user;

a display configured to display the input;

a bus configured to communicate the input to the display;

a processing unit configured to process data and commands received via the bus;

an input capture module including physical isolation from a less secure part of the computing system, the physical isolation being achieved by limiting external control of the input capture module to no more than setting of one or more flags and being configured to prevent corruption of the input capture module by computing instructions received from outside of the input capture module, the input capture module comprising;

storage configured to store an encryption key or certificate such that the encryption key or certificate cannot be read from outside the input capture module,a data input in communication with the input apparatus, the input module being disposed between the input apparatus and the less secure part of the computing system such that input at the input apparatus goes through the capture module prior to being received by the less secure part, andlogic configured to encrypt or certify the data resulting from the input apparatus, the encryption or certification using the encryption key or certificate and occurring within the input capture module; and

communication logic configured to communicate an output of the logic to a communication network.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Secure communication of user inputs is achieved by isolating part of an endpoint device such that certificates and encryption keys are protected from corruption by malware. Further, the communication is passed through a trusted data relay that is configured to decrypt and/or certify the user inputs encrypted by the isolated part of the endpoint device. The trusted data relay can determine that the user inputs were encrypted or certified by the protected certificates and encryption keys, thus authenticating their origin within the endpoint device. The trusted data relay then forwards the inputs to an intended destination. In some embodiments, the isolated part of the endpoint device is configured to detect input created by auto-completion logic and/or spell checking logic.

13 Citations

26 Claims

1. A computing system comprising:
- an input apparatus configured to receive an input from a user;
  
  a display configured to display the input;
  
  a bus configured to communicate the input to the display;
  
  a processing unit configured to process data and commands received via the bus;
  
  an input capture module including physical isolation from a less secure part of the computing system, the physical isolation being achieved by limiting external control of the input capture module to no more than setting of one or more flags and being configured to prevent corruption of the input capture module by computing instructions received from outside of the input capture module, the input capture module comprising;
  
  storage configured to store an encryption key or certificate such that the encryption key or certificate cannot be read from outside the input capture module,a data input in communication with the input apparatus, the input module being disposed between the input apparatus and the less secure part of the computing system such that input at the input apparatus goes through the capture module prior to being received by the less secure part, andlogic configured to encrypt or certify the data resulting from the input apparatus, the encryption or certification using the encryption key or certificate and occurring within the input capture module; and
  
  communication logic configured to communicate an output of the logic to a communication network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 2. The system of claim 1, wherein the input apparatus includes a keyboard.
  - 3. The system of claim 1, wherein the input capture module is isolated from any external control of the input capture module.
  - 4. The system of claim 1, wherein at least one of the one or more flags is an encryption key selection flag.
  - 5. The system of claim 1, wherein at least one of the one or more flags is a certificate selection flag.
  - 6. The system of claim 1, wherein at least one of the one or more flags is a reset flag configured to cause resetting of the input capture module.
  - 7. The system of claim 1, wherein at least one of the one or more flags is a change focus flag, a new-screen flag or a submit flag.
  - 8. The system of claim 1, wherein at least one of the one or more flags is a disable flag configured to temporally disable a function of the input capture module.
  - 9. The system of claim 1, wherein the input capture module is configured to sniff the bus for communications to the display in order to capture at least part of the data resulting from the input apparatus.
  - 10. The system of claim 9, wherein the communications that the input capture module is configured to sniff includes video data.
  - 11. The system of claim 9, wherein the input capture module further comprises character recognition logic configured to identify characters in the communications to the display.
  - 12. The system of claim 9, wherein the input capture module is configured to recognize characters generated by mouse click or screen touches.
  - 13. The system of claim 9, wherein the input capture module is configured to recognize characters generated by auto-complete logic.
  - 14. The system of claim 9, wherein the input capture module is configured to recognize characters generated by voice to text logic.
  - 15. The system of claim 9, wherein the input capture module is configured to recognize characters generated by spell checking logic.
  - 16. The system of claim 1, wherein an output of the input capture module includes a unique identifier configured to confirm that the encryption or certification was performed within a particular input capture module.
  - 17. The system of claim 1, wherein the storage includes memory configured to be written to no more than once.
  - 18. The system of claim 1, wherein the storage is configured to store a plurality of encryption keys, the plurality of encryption keys being individually selectable from outside the input capture module.
  - 19. The system of claim 1, wherein the storage is configured to store a plurality of certificates, the plurality of certificates being individually selectable from outside the input capture module.
  - 20. The system of claim 1, wherein the communication logic is configured to communicate the output of the logic to a fixed location on a network.
  - 21. The system of claim 1, further comprising substitution logic configured to replace contents of a data packet generated within the less secure part of the computing system with the output of the logic.
  - 22. The system of claim 1, wherein the communication logic is configured to communicate the output of the logic after applying an additional layer of encryption to the output.
  - 23. The system of claim 1, wherein the certificate is a private certificate.

24. A computing system comprising:
- an input apparatus configured to receive an input from a user;
  
  a display configured to display the input;
  
  a processing unit configured to process commands received from the user;
  
  an input capture module including physical isolation from a less secure part of the computing system, the physical isolation being achieved by limiting external control of the input capture module to setting of one or more flags and being configured to prevent corruption of the input capture module by computing instructions from outside of the input capture module, the input capture module comprising;
  
  storage configured to store a plurality of encryption keys and/or certificates,means for capturing data from the less secure part of the computing system,a flag input configured to select from among the plurality of encryption keys and/ or certificates, the flag input being a member of the one or more flags, andlogic configured to encrypt or certify the captured data, the encryption or certification using the selected encryption key or certificate and occurring within the input capture module; and
  
  communication logic configured to communicate the encrypted or certified data to a communication network.
- View Dependent Claims (25, 26)
- - 25. The computing system of claim 24, wherein the input apparatus, display, processing unit, input capture module and communication logic are disposed within a single housing.
  - 26. The computing system of claim 24, wherein the logic is configured to both encrypt and certify the captured data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Truedata Systems Incorporated
Original Assignee
Truedata Systems Incorporated
Inventors
Eynon, Michael, Sinclair, Peter, Lloyd, James
Primary Examiner(s)
Pwu, Jeffrey
Assistant Examiner(s)
Corum, Jr., William

Application Number

US14/055,706
Publication Number

US 20140108820A1
Time in Patent Office

867 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/602   Providing cryptographic fac...

G06F 21/83   input devices, e.g. keyboar...

G06F 21/84   output devices, e.g. displa...

H04L 63/0823   using certificates cryptogr...

H04L 63/10   for controlling access to d...

H04L 63/105   Multiple levels of security

H04L 9/3247   involving digital signatures

Secure communication architecture

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

13 Citations

26 Claims

Specification

Use Cases

Quick Links

Others

Secure communication architecture

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

13 Citations

26 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others