Secure communication architecture including video sniffer

US 9,454,677 B1
Filed: 11/14/2014
Issued: 09/27/2016
Est. Priority Date: 10/16/2012
Status: Active Grant

First Claim

Patent Images

1. A computing system comprising:

an input apparatus configured to receive an input from a user;

a display configured to display the input;

a bus configured to communicate the input to the display;

a processing unit configured to process data and commands received via the bus;

an input capture module isolated from a less secure part of the computing system, the isolation configured to prevent corruption of the input capture module by computing instructions received from outside of the input capture module, wherein the isolation of the input capture module from the less secure part of the computing system is achieved by limiting external control of the secure input module to no more than setting of one or more flags, the input capture module comprising;

storage configured to store an encryption key or certificate such that the encryption key or certificate cannot be read from outside the input capture module,means for receiving image data resulting from the input apparatus, andlogic configured to encrypt or certify the data resulting from the input apparatus, the encryption or certification using the encryption key or certificate and occurring within the input capture module; and

communication logic configured to communicate an output of the logic to a communication network.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Secure communication of user inputs is achieved by isolating part of an endpoint device such that certificates and encryption keys are protected from corruption by malware. Further, the communication is passed through a trusted data relay that is configured to decrypt and/or certify the user inputs encrypted by the isolated part of the endpoint device. The trusted data relay can determine that the user inputs were encrypted or certified by the protected certificates and encryption keys, thus authenticating their origin within the endpoint device. The trusted data relay then forwards the inputs to an intended destination. In some embodiments, the isolated part of the endpoint device is configured to detect input created by auto-completion logic and/or spell checking logic.

22 Citations

View as Search Results

30 Claims

1. A computing system comprising:
- an input apparatus configured to receive an input from a user;
  
  a display configured to display the input;
  
  a bus configured to communicate the input to the display;
  
  a processing unit configured to process data and commands received via the bus;
  
  an input capture module isolated from a less secure part of the computing system, the isolation configured to prevent corruption of the input capture module by computing instructions received from outside of the input capture module, wherein the isolation of the input capture module from the less secure part of the computing system is achieved by limiting external control of the secure input module to no more than setting of one or more flags, the input capture module comprising;
  
  storage configured to store an encryption key or certificate such that the encryption key or certificate cannot be read from outside the input capture module,means for receiving image data resulting from the input apparatus, andlogic configured to encrypt or certify the data resulting from the input apparatus, the encryption or certification using the encryption key or certificate and occurring within the input capture module; and
  
  communication logic configured to communicate an output of the logic to a communication network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 30)
- - 2. The system of claim 1, wherein the input apparatus includes a keyboard.
  - 3. The system of claim 1, wherein the input capture module is isolated from the less secure part of the computing system by limiting external control of the input capture module to setting of one or more flags.
  - 4. The system of claim 3, wherein at least one of the one or more flags is a change focus flag, a new-screen flag or a submit flag.
  - 5. The system of claim 1, wherein the input capture module is configured to sniff the bus to capture communications to the display in order to capture the image data resulting from the input apparatus.
  - 6. The system of claim 5, wherein the input capture module is configured to capture characters generated by mouse click or screen touches.
  - 7. The system of claim 5, wherein the input capture module is configured to capture characters generated by auto-complete logic.
  - 8. The system of claim 5, wherein the input capture module is configured to capture characters generated by voice to text logic.
  - 9. The system of claim 5, wherein the input capture module is configured to capture an authentication image.
  - 10. The system of claim 1, wherein the input capture module is configured to capture the image data resulting from the input apparatus, from a video output of the computing system.
  - 11. The system of claim 1, wherein the input capture module further comprises image recognition logic configured to authenticate the input from the user by comparing an image generated using the input from the user to the image data resulting from the input apparatus.
  - 12. The system of claim 1, wherein an output of the input capture module includes a unique identifier configured to confirm that the encryption or certification was performed by the logic.
  - 13. The system of claim 1, wherein the communication logic is configured to communicate the output of the logic to a fixed location on a network.
  - 30. The system of claim 1, wherein the image data includes images of characters typed into the input apparatus.

14. A computing system comprising:
- an input apparatus configured to receive an input from a user;
  
  a display configured to display the input;
  
  a processing unit configured to process commands received from the user;
  
  an input capture module isolated from a less secure part of the computing system, the isolation configured to prevent corruption of the input capture module by computing instructions from outside of the input capture module, wherein the isolation of the input capture module from the less secure part of the computing system is achieved by limiting external control of the secure input module to no more than setting of one or more flags, the input capture module comprising;
  
  storage configured to store a one or more encryption keys and/or certificates, means for capturing image data sent to the display, andlogic configured to encrypt or certify the captured data, the encryption or certification using the one or more encryption keys and/or certificates and occurring within the input capture module; and
  
  communication logic configured to communicate the encrypted or certified data to a communication network.
- View Dependent Claims (15, 16, 17)
- - 15. The computing system of claim 14, wherein the input apparatus, display, processing unit, input capture module and communication logic are disposed within a single housing.
  - 16. The computing system of claim 14, wherein the logic includes image recognition logic configured to compare the image data to an image generated based on the input received from the user.
  - 17. The computing system of claim 14, wherein the means for capturing image data includes a sniffer configured to detect communication of image data on a data bus of the computing system.

18. A secure communication system comprising:
- an endpoint system including an input capture module isolated from a less secure part of the endpoint system, the isolation configured to prevent corruption of the input capture module by computing instructions from outside of the input capture module, wherein the isolation of the input capture module from the less secure part of the endpoint system is achieved by limiting external control of the secure input module to no more than setting of one or more flags, the input capture module comprising;
  
  storage configured to store a one or more encryption keys and/or certificates, means for capturing image data sent to the display, andlogic configured to at least partially encrypt or certify the captured data, the encryption or certification using the one or more encryption keys and/or certificates and occurring within the input capture module;
  
  an input configured to receive at the least partially encrypted or certified data from the endpoint system, the at least partially encrypted or certified data including an identifier of the endpoint system, an image and a user input;
  
  a key storage including decryption keys or certification signatures stored in association with identifiers of endpoint systems;
  
  decryption/authentication logic configured to decrypt or authenticate the at least partially encrypted or certified data to a secure output, using a decryption or authentication key retrieved from the key storage, the retrieval using the identifier of the endpoint system;
  
  image recognition logic configured to generate a reference image using the user input and to compare the reference image to the image included in the at least partially encrypted or certified data, and to authenticate the user input based on a match in the comparison; and
  
  a remote service connector configured to forward the secure output to a remote computing system.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29)
- - 19. The system of claim 18, wherein the at least partially encrypted data includes encrypted metadata and certified image data.
  - 20. The system of claim 18, wherein the at least partially encrypted data includes encrypted metadata and includes encrypted data resulting from user input.
  - 21. The system of claim 18, wherein the decryption/authentication logic is configured to authenticate a non-encrypted part of the at least partially encrypted data.
  - 22. The system of claim 18, wherein the decryption/authentication logic is configured to block the forwarding of the secure output if the reference image does not match the image included in the at least partially encrypted or certified data.
  - 23. The system of claim 18, further comprising account storage configured to store login information configured for accessing the remote computing system, the login information being stored in association with an identifier of the endpoint system.
  - 24. The system of claim 18, further comprising account storage configured to store a plurality of identifiers of different endpoint systems, the identifiers being stored in association with authentication or decryption keys.
  - 25. The system of claim 18, wherein the image recognition logic is configured to generate the reference image to include the user input having a font and a size received in the at least partially encrypted or certified data.
  - 26. The system of claim 18, wherein the image included in the at least partially encrypted or certified data includes an image of a form field.
  - 27. The system of claim 18, wherein the image included in the at least partially encrypted or certified data includes an authentication image.
  - 28. The system of claim 18, wherein the image included in the at least partially encrypted or certified data includes a character string.
  - 29. The system of claim 18, wherein the remote service connector is further configured to receive a communication from the remote computing system, the received communication being in response to the forwarded secure output;
    - and further comprising an endpoint connector configured to forward the received communication from the remote computing system to a less secure part of the endpoint system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Truedata Systems Incorporated
Original Assignee
Truedata Systems Incorporated
Inventors
Sinclair, Peter, Lloyd, James, Eynon, Michael
Primary Examiner(s)
Pwu, Jeffrey
Assistant Examiner(s)
Corum, Jr., William

Application Number

US14/542,380
Time in Patent Office

683 Days
Field of Search
US Class Current

1/1
CPC Class Codes

F01P 7/16   by thermostatic control

G06F 21/554   involving event detection a...

G06F 21/602   Providing cryptographic fac...

G06F 21/6272   by registering files or doc...

G06F 21/64   Protecting data integrity, ...

G06F 21/83   input devices, e.g. keyboar...

G06F 21/84   output devices, e.g. displa...

G06F 2221/2115   Third party

H04L 63/0823   using certificates cryptogr...

H04L 63/10   for controlling access to d...

H04L 63/105   Multiple levels of security

H04L 9/3247   involving digital signatures

H04L 9/3263   involving certificates, e.g...

Secure communication architecture including video sniffer

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

22 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Secure communication architecture including video sniffer

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

22 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links