Cryptographic device with detachable data planes

US 9,942,033 B2
Filed: 10/31/2016
Issued: 04/10/2018
Est. Priority Date: 08/30/2013
Status: Active Grant

First Claim

Patent Images

1. A cryptographic configuration device configured to load one or more cryptographic keys onto one or more removeable encryption/decryption (E/D) devices, the cryptographic configuration device comprising:

one or more child interfaces, wherein each child interface is configured to allow one or more removeable E/D devices to be physically connected to the cryptographic configuration device during the configuration of the one or more removeable E/D devices to perform one or more data plane cryptographic functions;

secure tamper memory, wherein the secure tamper memory is configured to store one or more secret keys, and clear memory contents based on operating without power for more than a configured amount of time; and

a microprocessor configured to;

perform one or more control plane cryptographic functions for the one or more secret keys, the one or more control plane cryptographic functions comprising a fail-safe key management function,derive one or more session keys based on the one or more secrets keys using one or more of a one-way function or internally generated random data bits, andload the one or more session keys onto the one or more removeable E/D devices while the one or more removeable E/D devices are physically connected to the cryptographic configuration device via the one or more child interfaces.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for performing encryption and/or decryption may include a parent cryptographic device. The parent cryptographic device may be configured to receive a first cryptographic key. The parent cryptographic device may be configured to determine one or more session keys based on the first cryptographic key and/or internally generated random data bits. The parent cryptographic device may be configured to insert the one or more session keys onto one or more child cryptographic devices that are operably connected to the parent cryptographic device. The one or more child cryptographic devices may be configured to receive the one or more session keys from the parent cryptographic device, and perform one or more of encryption or decryption of communications exchanged with another child cryptographic device of the one or more child cryptographic devices. The one or more child cryptographic devices may perform encryption/decryption after separation from the parent cryptographic device.

33 Citations

View as Search Results

19 Claims

1. A cryptographic configuration device configured to load one or more cryptographic keys onto one or more removeable encryption/decryption (E/D) devices, the cryptographic configuration device comprising:
- one or more child interfaces, wherein each child interface is configured to allow one or more removeable E/D devices to be physically connected to the cryptographic configuration device during the configuration of the one or more removeable E/D devices to perform one or more data plane cryptographic functions;
  
  secure tamper memory, wherein the secure tamper memory is configured to store one or more secret keys, and clear memory contents based on operating without power for more than a configured amount of time; and
  
  a microprocessor configured to;
  
  perform one or more control plane cryptographic functions for the one or more secret keys, the one or more control plane cryptographic functions comprising a fail-safe key management function,derive one or more session keys based on the one or more secrets keys using one or more of a one-way function or internally generated random data bits, andload the one or more session keys onto the one or more removeable E/D devices while the one or more removeable E/D devices are physically connected to the cryptographic configuration device via the one or more child interfaces.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The cryptographic configuration device as in claim 1, further comprising an operator interface configured to receive inputs and present outputs, wherein the microprocessor is configured to configure the one or more removeable E/D devices based on inputs received from the operator interface.
  - 3. The cryptographic configuration device as in claim 2, wherein the operator interface is configured to receive an input that is indicative of a type of encryption to be performed by the at least one of the one or more removeable E/D devices, and the microprocessor is configured to configure the at least one of the one or more removeable E/D devices to implement the type of encryption indicated.
  - 4. The cryptographic configuration device as in claim 1, further comprising a serial interface configured to be connected to a deployed removeable E/D device while the deployed removeable E/D device is connected to a communication system for performing at least one of encryption or decryption.
  - 5. The cryptographic configuration device as in claim 4, wherein the microprocessor is configured to rekey the deployed removeable E/D device using the serial interface while the deployed removeable E/D device is connected to the communication system.
  - 6. The cryptographic configuration device as in claim 5, wherein the microprocessor is configured to rekey a second removeable E/D device via the deployed removeable E/D device using the serial interface, wherein the cryptographic configuration device is configured to use the deployed removeable E/D device as a relay for configuring the second removeable E/D device over the air.
  - 7. The cryptographic configuration device as in claim 1, wherein the microprocessor is configured to generate at least one session key using a random number generator.

8. A method implemented by a cryptographic configuration device for loading one or more cryptographic keys onto one or more removeable encryption/decryption (E/D) devices the method comprising:
- the cryptographic configuration device connecting to one or more removeable E/D devices via one or more child interfaces, wherein the one or more removeable E/D devices are physically connected to the cryptographic configuration device via the one or more child interfaces and the one or more removeable E/D devices are configured by the cryptographic configuration device to perform one or more data plane cryptographic functions while physically connected to the cryptographic configuration device;
  
  the cryptographic configuration device storing one or more secret keys in secure tamper memory, wherein the secure tamper memory is cleared on condition that power is not supplied to the secure tamper memory for more than a configured amount of time;
  
  the cryptographic configuration device performing one or more control plane cryptographic functions for the one or more secret keys, the one or more control plane cryptographic functions comprising a fail-safe key management function;
  
  the cryptographic configuration device deriving one or more session keys based on the one or more secrets keys using one or more of a one-way function or internally generated random data bits; and
  
  the cryptographic configuration device loading the one or more session keys onto the one or more removeable E/D devices while the one or more removeable E/D devices are physically connected to the cryptographic configuration device via the one or more child interfaces.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The method as in claim 8, further comprising:
    - the cryptographic configuration device receiving one or more inputs via an operator interface;
      
      the cryptographic configuration device outputting one or more outputs via the operator interface; and
      
      the cryptographic configuration device configuring one or more aspects of the one or more removeable E/D devices in accordance with the one or more inputs received via the operator interface.
  - 10. The method as in claim 9, wherein the cryptographic configuration device receives an input that is indicative of a type of encryption to be performed by each of the one or more removeable E/D devices via the operator interface, and the one or more data plane cryptographic functions that the cryptographic configuration device configures the one or more removeable E/D devices to perform comprises implementing the type of encryption indicated.
  - 11. The method as in claim 8, further comprising:
    - the cryptographic configuration device physically connecting to a deployed removeable E/D device while the deployed removeable E/D device is connected to a communication system for performing at least one of encryption or decryption, wherein the cryptographic configuration device is physically connected to the deployed removeable E/D device via a serial interface.
  - 12. The method as in claim 11, further comprising:
    - the cryptographic configuration device rekeying the deployed removeable E/D device using the serial interface while the deployed removeable E/D device is connected to the communication system.
  - 13. The method as in claim 12, further comprising:
    - the cryptographic configuration device rekeying a second removeable E/D device via the deployed removeable E/D device using the serial interface, wherein the cryptographic configuration device uses the deployed removeable E/D device as a relay for configuring the second removeable E/D device over the air.
  - 14. The method as in claim 8, wherein the cryptographic configuration device generates at least one session key using a random number generator.

15. A cryptographic configuration device configured to load one or more cryptographic keys onto one or more removeable encryption/decryption (E/D) devices, the cryptographic configuration device comprising:
- one or more child interfaces configured to connect to one or more removeable E/D devices, wherein the one or more child interfaces are configured to allow a physical connection between the one or more removeable E/D devices and the cryptographic configuration device;
  
  secure tamper memory configured to store one or more secret keys and to erase the one or more secret keys on condition that power is not supplied to the secure tamper memory for more than a configured amount of time;
  
  an operator interface configured to receive an input that indicates whether the one or more removeable E/D devices should be configured to perform encryption or should be configured to perform decryption; and
  
  a processor configured to;
  
  perform one or more control plane cryptographic functions for the one or more secret keys, the one or more control plane cryptographic functions comprising one or more fail safe key management functions,derive one or more session keys based on the one or more secrets keys using one or more of a one-way function or internally generated random data bits, andconfigure the one or more removeable E/D devices to perform one or more data plane cryptographic functions by loading the one or more session keys onto the one or more removeable E/D devices while the one or more removeable E/D devices are physically connected to the cryptographic configuration device via the one or more child interfaces.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The cryptographic configuration device as in claim 15, wherein the one or more child interfaces comprise a plurality of child interfaces, the plurality of child interfaces are configured to connect to a plurality of removeable E/D devices simultaneously, and the processor is configured to configure the plurality of removeable E/D devices simultaneously.
  - 17. The cryptographic configuration device as in claim 15,further comprising a key fill port configured to receive the one or more secret keys.
  - 18. The cryptographic configuration device as in claim 15, further comprising a crypto-ignition key (CIK) interface configured to receive a CIK, wherein the processor is configured to authenticate an operator of the cryptographic configuration device using the CIK.
  - 19. The cryptographic configuration device as in claim 15, further comprising a Key Management Infrastructure (KMI) network interface configured to interface the cryptographic configuration device with a KMI network, wherein the processor is configured to perform fail-safe key management for the one or more secret keys by communicating over the KMI network via the KMI network interface.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
L3 Technologies, Inc. (L3Harris Technologies, Inc.)
Original Assignee
L3 Technologies, Inc. (L3Harris Technologies, Inc.)
Inventors
Winslow, Richard Norman, Costantini, Frank A.
Primary Examiner(s)
HOLDER, BRADLEY W

Application Number

US15/338,550
Publication Number

US 20170048214A1
Time in Patent Office

526 Days
Field of Search
US Class Current
CPC Class Codes

H04B 7/18506   Communications with or from...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/062   for key distribution, e.g. ...

H04L 9/0618   Block ciphers, i.e. encrypt...

H04L 9/083   involving central third par...

H04L 9/0869   involving random numbers or...

H04L 9/0891   Revocation or update of sec...

H04L 9/0897   involving additional device...

H04W 12/04   Key management, e.g. using ...

H04W 12/0431   Key distribution or pre-dis...

Cryptographic device with detachable data planes

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

33 Citations

19 Claims

Specification

Use Cases

Quick Links

Others

Cryptographic device with detachable data planes

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

33 Citations

19 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others