Methods and systems for protecting data in USB systems

US 7,478,235 B2
Filed: 06/28/2002
Issued: 01/13/2009
Est. Priority Date: 06/28/2002
Status: Expired due to Fees

First Claim

Patent Images

1. A system comprising:

a memory;

a processor coupled to the memory;

a USB security module configured to process data associated with USB transfers and to determine if one or more USB devices have been seized, wherein seizing indicates that data traffic associated with a USB device must be associated with trusted software and establishing a secure tunnel to send the data traffic to and from the one or more USB devices, and wherein steps utilized to seize the one or more USB devices comprise at least seizing an address for the USB device and interaction between the USB device and a user;

an encryptor associated with the module and configured to encrypt data from one or more USB devices; and

a decryptor associated with the module and configured to decrypt encrypted data that is intended for us by a USB device.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The various embodiments described below are directed to providing authenticated and confidential messaging from software executing on a host (e.g. a secure software application or security kernel) to and from I/O devices operating on a USB bus. The embodiments can protect against attacks that are levied by software executing on a host computer. In some embodiments, a secure functional component or module is provided and can use encryption techniques to provide protection against observation and manipulation of USB data. In other embodiments, USB data can be protected through techniques that do not utilized (or are not required to utilize) encryption techniques. In accordance with these embodiments, USB devices can be designated as “secure” and, hence, data sent over the USB to and from such designated devices can be provided into protected memory. Memory indirection techniques can be utilized to ensure that data to and from secure devices is protected.

40 Citations

View as Search Results

46 Claims

1. A system comprising:
- a memory;
  
  a processor coupled to the memory;
  
  a USB security module configured to process data associated with USB transfers and to determine if one or more USB devices have been seized, wherein seizing indicates that data traffic associated with a USB device must be associated with trusted software and establishing a secure tunnel to send the data traffic to and from the one or more USB devices, and wherein steps utilized to seize the one or more USB devices comprise at least seizing an address for the USB device and interaction between the USB device and a user;
  
  an encryptor associated with the module and configured to encrypt data from one or more USB devices; and
  
  a decryptor associated with the module and configured to decrypt encrypted data that is intended for us by a USB device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The system of claim 1, wherein the security module is located at a point in a USB system where there is no programmatic access to USB data in an unencrypted form.
  - 3. The system of claim 1, wherein the security module is configured to apply encryption and decryption on a device-by-device basis.
  - 4. The system of claim 1, wherein the security module is configured to apply encryption and decryption on a device-by-device basis, and further comprising a table having entries that indicate, on a device-by-device basis, where encryption and decryption is to be applied.
  - 5. The system of claim 1 further comprising a key service processor associated with the security module and configured to provide one or more keys for the encryptor and/or decryptor.
  - 6. The system of claim 1 further comprising a key service processor associated with the security module and configured to provide one or more keys for the encryptor and/or decryptor, the key service processor comprising a callable interface that can be called to set up which devices are to be secured through encryption and decryption.
  - 7. One or more computer-readable media having computer-executable instructions embodying the USB security module of claim 1.
  - 8. An in-line device embodying the USB security module of claim 1.
  - 9. A USB hub embodying the USB security module of claim 1.
  - 10. A USB host controller embodying the USB security module of claim 1.
  - 11. The system of claim 1, wherein the security module is configured to produce authentication data which can be associated with and used to authenticate the data that the security module processes.

12. A system comprising:
- a memory;
  
  a processor coupled to the memory;
  
  a USB security module configured to process data associated with the USB transfers;
  
  an encryptor associated with the module and configured to encrypt data from one or more USB devices that have been seized, wherein seizing indicates that data traffic associated with a USB device must be associated with trusted software and establishing a secure tunnel to send the data traffic to and from the one or more USB devices, and wherein steps utilized to seize the one or more USB devices comprise at least seizing an address for the USB device and interaction between the USB device and a user; and
  
  a decryptor associated with the module and configured to decrypt encrypted data that is intended for use by a seized USB device.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. The system of claim 12, wherein the security module is located at a point in a USB system where there is no programmatic access to USB data in an unencrypted form.
  - 14. The system of claim 12, wherein the security module is configured to apply encryption and decryption on a device-by-device basis.
  - 15. The system of claim 12, wherein the security module is configured to apply encryption and decryption on a device-by-device basis, and further comprising a table having entries that indicate, on a device-by-device basis, where encryption and decryption is to be applied.
  - 16. The system of claim 12 further comprising a key service processor associated with the security module and configured to provide one or more keys for the encryptor and/or decryptor.
  - 17. The system of claim 12 further comprising a key service processor associated with the security module and configured to provide one or more keys for the encryptor and/or decryptor, the key service processor comprising a callable interface that can be called to set up which devices are to be secured through encryption and decryption.
  - 18. One or more computer-readable media having computer-executable instructions embodying the USB security module of claim 12.
  - 19. An in-line device embodying the USB security module of claim 12.
  - 20. A USB hub embodying the USB security module of claim 12.
  - 21. A USB host controller embodying the USB security module of claim 12.
  - 22. The system of claim 12, wherein the security module is configured to produce authentication data which can be associated with and used to authenticate the data that the security module processes.

23. A USB Host Controller comprising:
- a memory;
  
  a processor coupled to the memory;
  
  a security module configured to process data associated with USB transfers and to determine if one or more USB devices have been seized, wherein seizing indicates that data traffic associated with a USB device must be associated with trusted software and establishing a secure tunnel to send the data traffic to and from the one or more USB devices, and wherein steps utilized to seize the one or more USB devices comprise at least seizing an address for the USB device and interaction between the USB device and a user;
  
  an encryptor associated with the module and configured to encrypt data from one or more USB devices;
  
  a decryptor associated with the module and configured to decrypt encrypted data that is intended for use by a USB device; and
  
  a table having entries that indicate, on a device-by-device basis, where encryption and decryption is to be applied.
- View Dependent Claims (24, 25, 26, 27)
- - 24. The USB Host Controller of claim 23 further comprising a key service processor associated with the security module and configured to provide one or more keys for the encryptor and/or decryptor.
  - 25. The USB Host Controller of claim 23 further comprising a key service processor associated with the security module and configured to provide one or more keys for the encryptor and/or decryptor, the key service processor comprising a callable interface that can be called to set up which devices are to be secured through encryption and decryption.
  - 26. The USB Host Controller of claim 23, wherein the security module is configured to apply encryption and decryption using at least one stream cipher.
  - 27. The USB Host Controller of claim 23, wherein the security module is configured to produce authentication data which can be associated with and used to authenticate the data that the security module processes.

28. A USB Hub comprising:
- a memory;
  
  a processor coupled to the memory;
  
  a security module configured to process data associated with USB transfers and to determine if one or more USB devices have been seized, wherein seizing indicates that data traffic associated with a USB device must be associated with trusted software and establishing a secure tunnel to send the data traffic to and from the one or more USB devices, and wherein steps utilized to seize the one or more USB devices comprise at least seizing an address for the USB device and interaction between the USB device and a user;
  
  an encryptor associated with the module and configured to encrypt data from one or more USB devices;
  
  a decryptor associated with the module and configured to decrypt encrypted data that is intended for use by a USB device; and
  
  a table having entries that indicate, on a device-by-device basis, where encryption and decryption is to be applied.
- View Dependent Claims (29, 30, 31, 32)
- - 29. The USB Hub of claim 28 further comprising a key service processor associated with the security module and configured to provide one or more keys for the encryptor and/or decryptor.
  - 30. The USB Hub of claim 28 further comprising a key service processor associated with the security module and configured to provide one or more keys for the encryptor and/or decryptor, the key service processor comprising a callable interface that can be called to set up which devices are to be secured through encryption and decryption.
  - 31. The USB Hub of claim 28, wherein the security module is configured to apply encryption and decryption using at least one stream cipher.
  - 32. The USB Hub of claim 28, wherein the security module is configured to produce authentication data which can be associated with and used to authenticate the data that the security module processes.

33. A method comprising:
- receiving data that is associated with a USB hardware device;
  
  determining whether the received data is associated with a USB hardware device that is intended to be secure, wherein said determining includes determining if the USB hardware device has been seized, and wherein seizing indicates that data traffic associated with the USB hardware device must be associated with trusted software and establishing a secure tunnel to send the data traffic to and from the one or more USB devices, and wherein steps utilized to seize the one or more USB devices comprise at least seizing an address for the USB hardware device and interaction between the USB hardware device and a user; and
  
  if the USB hardware device is intended to be secure, then encrypting or decrypting the data as appropriate.
- View Dependent Claims (34, 35, 36, 37, 38, 39, 40, 41, 42)
- - 34. The method of claim 33, wherein the act of receiving is performed by an entity at which there is no programmatic access to the data by a client application executing on a host computer system.
  - 35. The method of claim 33, wherein the act of determining is performed by accessing a table that contains entries that identify, on a device-by-device basis, which devices are to be secure.
  - 36. The method of claim 33, wherein the acts of encrypting or decrypting are performed by a USB host controller.
  - 37. The method of claim 33, wherein the acts of encrypting or decrypting are performed by one or more interfaces on said USB device.
  - 38. The method of claim 33, wherein the acts of encrypting or decrypting are performed by a USB in-line device.
  - 39. The method of claim 33, wherein the acts of encrypting or decrypting are performed by a USB hub.
  - 40. The method of claim 33, wherein the acts of encrypting or decrypting are performed using a stream cipher.
  - 41. The method of claim 33 further comprising producing authentication data for the data that is received, and associating the authentication data with the received data.
  - 42. One or more computer-readable media having computer-readable instructions which, when executed by one or more processors, cause the one or more processors to implement the method of claim 33.

43. A system comprising:
- a memory;
  
  a processor coupled to the memory;
  
  means for processing data associated with USB transfers;
  
  means for determining if one or more USB devices have been seized, wherein seizing indicates that data traffic associated with a USB device must be associated with trusted software and establishing a secure tunnel to send the data traffic to and from the one or more USB devices, and wherein steps utilized to seize the one or more USB devices comprise at least seizing an address for the USB device and interaction between the USB device and a user;
  
  means for encrypting data from one or more USB devices and being employable on a device-by-device basis;
  
  means for decrypting data that is intended for use by a USB device and being employable on a device-by-device basis; and
  
  said means for encrypting and means for decrypting being disposed at a location where there is no direct programmatic access by applications executing on a host computer.
- View Dependent Claims (44, 45, 46)
- - 44. The system of claim 43 further comprising means for determining whether encryption or decryption is to be applied to a particular device.
  - 45. The system of claim 43 further comprising means for authenticating data that is processed for the USB transfers.
  - 46. The system of claim 43, wherein all of said recited means are embodied in a USB Host Controller.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Slick, Glen, Dunn, John C., England, Paul, Ray, Kenneth D., Peinado, Marcus, Willman, Bryan
Primary Examiner(s)
Brown; Christopher J

Application Number

US10/187,259
Publication Number

US 20040003262A1
Time in Patent Office

2,391 Days
Field of Search

713/189, 713/153, 726/12
US Class Current

713/153
CPC Class Codes

G06F 12/1408   by using cryptography for d...

G06F 13/28   using burst mode transfer, ...

G06F 13/362   with centralised access con...

G06F 13/4282   on a serial bus, e.g. I2C b...

G06F 21/1011   to devices

G06F 21/606   by securing the transmissio...

G06F 21/72   in cryptographic circuits

G06F 21/73   by creating or determining ...

G06F 21/78   to assure secure storage of...

G06F 21/85   interconnection devices, e....

G06F 2212/1052   Security improvement

G06F 2221/2105   Dual mode as a secondary as...

G06F 2221/2129   Authenticate client device ...

G06F 2221/2147   Locking files

G06F 2221/2153   Using hardware token as a s...

G06F 3/065   Replication mechanisms

Methods and systems for protecting data in USB systems

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

40 Citations

46 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and systems for protecting data in USB systems

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

40 Citations

46 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links