Apparatus and method for sharing a hardware security module interface in a collaborative network

US 9,344,455 B2
Filed: 07/30/2014
Issued: 05/17/2016
Est. Priority Date: 07/30/2014
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

establishing a collaborative network, at a first communication device having a secure access to a security module, by forming a collaborative security association between the first communication device and a second communication device, wherein the first communication device and the second communication device are associated with a user;

at least one of;

sending, by the first communication device to the second communication device, an advertisement of services associated with the security module and receiving an advertisement response from the second communication device, andreceiving, by the first communication device from the second communication device, a solicitation request for services associated with the security module;

responsive to receiving one of the advertisement response and the solicitation request determining, by the first communication device, whether the second communication device is authorized to access the security module;

establishing, by the first communication device, a session with the security module to provide security services offered by the security module to the second communication device according to one of the advertisement response and the solicitation request, wherein the session is established by providing activation data;

using, by the first communication device, activation data policy provided by the security module to one of store and discard the activation data; and

forwarding, by the first communication device, security service messages between the second communication device and the security module, responsive to determining that the second communication device is authorized to access the security module.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A first communication device having a secure access to a security module establishes a collaborative network by forming a collaborative security association with a second communication device associated with a user of the first communication device. The first communication device (a) sends an advertisement of services associated with the security module to the second communication device and receives an advertisement response from the second communication device or (b) receives a solicitation request for services associated with the security module from the second communication device. Responsive to receiving one of the advertisement response and the solicitation request, the first communication device determines whether the second communication device is authorized to access the security module. The first communication device processes and forwards security service messages between the second communication device and the security module, in response to determining that the second communication device is authorized to access the security module.

40 Citations

View as Search Results

23 Claims

1. A method, comprising:
- establishing a collaborative network, at a first communication device having a secure access to a security module, by forming a collaborative security association between the first communication device and a second communication device, wherein the first communication device and the second communication device are associated with a user;
  
  at least one of;
  
  sending, by the first communication device to the second communication device, an advertisement of services associated with the security module and receiving an advertisement response from the second communication device, andreceiving, by the first communication device from the second communication device, a solicitation request for services associated with the security module;
  
  responsive to receiving one of the advertisement response and the solicitation request determining, by the first communication device, whether the second communication device is authorized to access the security module;
  
  establishing, by the first communication device, a session with the security module to provide security services offered by the security module to the second communication device according to one of the advertisement response and the solicitation request, wherein the session is established by providing activation data;
  
  using, by the first communication device, activation data policy provided by the security module to one of store and discard the activation data; and
  
  forwarding, by the first communication device, security service messages between the second communication device and the security module, responsive to determining that the second communication device is authorized to access the security module.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, where one of the advertisement response and the solicitation request includes data representing a PKCS11 function and associated arguments.
  - 3. The method of claim 1 where the determining further comprises verifying that credentials used by the second communication device in establishing the collaborative security association are appropriate for accessing the security module.
  - 4. The method of claim 3 wherein the determining further comprises obtaining the credentials of the second communication device from a third device in the collaborative network.
  - 5. The method of claim 1 wherein the processing further comprises decrypting and encrypting messages between the second communication device and the security module and enforcing access control.
  - 6. The method of claim 1, wherein the session is established in one of a proxy mode or a tunnel mode, wherein in the proxy mode, communication between the second communication device and the service module is transmitted through the first communication device.
  - 7. The method of claim 6, wherein the session is established in the proxy mode and the first communication device one or more of:
    - enforces access control for a key to be used by the second communication device; and
      
      forwards cryptographic operations requested by the second communication device to the security module.
  - 8. The method of claim 6, wherein the session is established in the tunnel mode and wherein, when in the tunnel mode,the first communication device introduces the second communication device to the security module,the second communication device establishes an independent session with the security module, andthe first communication device routes traffic between the second communication device and the security module and is unable to decipher cryptographic information transmitted between the second communication device and the security module.
  - 9. The method of claim 6, wherein the session is established in the tunnel mode and wherein, when in the tunnel mode:
    - the security module enforces access control for a key to be used by the second communication device,activation data provided by the second communication device for activating the key in the security module is known to the second communication device, andone of the first communication device and the second communication is configured to deactivate the key and close the session.
  - 10. The method of claim 1, wherein the advertisement includes at least one of:
    - information about the capabilities of the security module,access restrictions associated with accessing the security module,a list of the types of credential to be used by the second communication devices, andan access restrictions associated with each of the credentials.
  - 11. The method of claim 1, wherein the connection between the first communication device and the security module is by one of a first security association between the first communication device and the security module, an internal communication bus on the first communication device, and a network connection outside of the collaborative network.
  - 12. The method of claim 1, further comprising advertising, by the second communication device, services associated with the security module in a service advertisement.

13. A method, comprising:
- establishing a collaborative network, at a first communication device having a secure access to a security module, by forming a collaborative security association between the first communication device and a second communication device, wherein the first communication device and the second communication device are associated with a user;
  
  at least one of;
  
  sending, by the first communication device to the second communication device, an advertisement of services associated with the security module and receiving an advertisement response from the second communication device, andreceiving, by the first communication device from the second communication device, a solicitation request for services associated with the security module;
  
  responsive to receiving one of the advertisement response and the solicitation request determining, by the first communication device, whether the second communication device is authorized to access the security module;
  
  establishing, by the first communication device, a session with the security module to provide security services offered by the security module to the second communication device according to one of the advertisement response and the solicitation request, wherein the session is established by providing activation data;
  
  verifying, by the first communication device, that session attributes for an existing session are suitable for fulfilling one of the advertisement response and the solicitation request and modifying the session attributes if the session attributes are determined to be unsuitable; and
  
  forwarding, by the first communication device, security service messages between the second communication device and the security module, responsive to determining that the second communication device is authorized to access the security module.
- View Dependent Claims (14, 15, 16)
- - 14. The method of claim 13, wherein the session is established in one of a proxy mode or a tunnel mode, wherein in the proxy mode, communication between the second communication device and the service module is transmitted through the first communication device.
  - 15. The method of claim 14, wherein the session is established in the proxy mode and the first communication device one or more of:
    - enforces access control for a key to be used by the second communication device; and
      
      forwards cryptographic operations requested by the second communication device to the security module.
  - 16. The method of claim 14, wherein the session is established in the tunnel mode and wherein, when in the tunnel mode:
    - the security module enforces access control for a key to be used by the second communication device,activation data provided by the second communication device for activating the key in the security module is known to the second communication device, andone of the first communication device and the second communication is configured to deactivate the key and close the session.

17. An apparatus capable of operating in a collaborative network formed between at least two communication devices associated with a user, the apparatus comprising:
- a first communication device comprising;
  
  one or more memory devices;
  
  a transceiver; and
  
  a processor configured to;
  
  form a connection with a security module;
  
  form at least one security association with a second communication device in the collaborative network;
  
  one or more of;
  
  transmit, via the transceiver, an advertisement of services offered by the security module to the second communication device and receive a response to the advertisement from the second communication device, andreceive, via the transceiver, a solicitation request for services offered by the security module from the second communication device;
  
  responsive to receiving one of the advertisement response and the solicitation request, determine whether the second communication device is authorized to access the security module;
  
  process and forward security service messages between the second communication device and the security module, responsive to determining that the second communication device is authorized to access the security module;
  
  and wherein the processor further is configured to;
  
  establish a session with the security module to provide security services offered by the security module to the second communication device according to one of the advertisement response and the solicitation request;
  
  provide activation data associated with required credentials in the security module when establishing the session; and
  
  use activation data policy provided by the security module to one of store and discard the activation data.
- View Dependent Claims (18, 19, 20, 21, 22, 23)
- - 18. The apparatus of claim 17, wherein the processor is configured to:
    - verify that session attributes for an existing session are suitable for fulfilling one of the advertisement response and the solicitation request and modify the session attributes if the session attributes are determined to be unsuitable.
  - 19. The apparatus of claim 17, wherein the session is established in one of a proxy mode or a tunnel mode and wherein, when in the proxy mode, the processor is configured to relay communications between the second communication device and the service module.
  - 20. The apparatus of claim 19, wherein when the session is established in the proxy mode, the processor is configured to at least one of enforce access control for a key to be used by the second communication device and forward cryptographic operations requested by the second communication device to the security module.
  - 21. The apparatus of claim 19, wherein the apparatus further comprises the second communication device and wherein when the session is established in the tunnel mode:
    - the processor is configured to introduce the second communication device to the security module;
      
      the second communication device is configured to establish an independent session with the security module; and
      
      the processor is configured to route traffic between the second communication device and the security module without deciphering cryptographic information transmitted between the second communication device and the security module.
  - 22. The apparatus of claim 19, wherein the apparatus further comprises the second communication device and the security module and wherein when the session is established in the tunnel mode:
    - the security module is configured to enforce access control for a key to be used by the second communication device; and
      
      the second communication device is configured to provide activation data for activating the key in the security module and one of the first communication device and the second communication device is configured to deactivate the key and close the session.
  - 23. The apparatus of claim 17, wherein processor is configured to establish the connection between the first communication device and the security module by one of a first security association between the first communication device and the security module, an internal communication bus on the first communication device, and a network connection outside of the collaborative network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Motorola Solutions, Inc.
Original Assignee
Motorola Solutions, Inc.
Inventors
Metke, Anthony R, Thomas, Shanthi E, Himawan, Erwin, Popovich, George
Primary Examiner(s)
SIMITOSKI, MICHAEL J

Application Number

US14/447,257
Publication Number

US 20160036854A1
Time in Patent Office

657 Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 12/4633   Interconnection of networks...

H04L 63/04   for providing a confidentia...

H04L 63/0428   wherein the data content is...

H04L 63/08   for authentication of entit...

H04L 63/10   for controlling access to d...

H04L 63/104   Grouping of entities

H04L 63/20   for managing network securi...

H04L 63/205   involving negotiation or de...

H04L 9/3234   involving additional secure...

Apparatus and method for sharing a hardware security module interface in a collaborative network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

40 Citations

23 Claims

Specification

Use Cases

Quick Links

Others

Apparatus and method for sharing a hardware security module interface in a collaborative network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

40 Citations

23 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others