Methods and systems for protecting data in USB systems
First Claim
1. A system comprising:
- a memory;
a processor coupled to the memory;
a USB security module configured to process data associated with USB transfers and to determine if one or more USB devices have been seized, wherein seizing indicates that data traffic associated with a USB device must be associated with trusted software and establishing a secure tunnel to send the data traffic to and from the one or more USB devices, and wherein steps utilized to seize the one or more USB devices comprise at least seizing an address for the USB device and interaction between the USB device and a user;
an encryptor associated with the module and configured to encrypt data from one or more USB devices; and
a decryptor associated with the module and configured to decrypt encrypted data that is intended for us by a USB device.
2 Assignments
0 Petitions
Accused Products
Abstract
The various embodiments described below are directed to providing authenticated and confidential messaging from software executing on a host (e.g. a secure software application or security kernel) to and from I/O devices operating on a USB bus. The embodiments can protect against attacks that are levied by software executing on a host computer. In some embodiments, a secure functional component or module is provided and can use encryption techniques to provide protection against observation and manipulation of USB data. In other embodiments, USB data can be protected through techniques that do not utilized (or are not required to utilize) encryption techniques. In accordance with these embodiments, USB devices can be designated as “secure” and, hence, data sent over the USB to and from such designated devices can be provided into protected memory. Memory indirection techniques can be utilized to ensure that data to and from secure devices is protected.
40 Citations
46 Claims
-
1. A system comprising:
-
a memory; a processor coupled to the memory; a USB security module configured to process data associated with USB transfers and to determine if one or more USB devices have been seized, wherein seizing indicates that data traffic associated with a USB device must be associated with trusted software and establishing a secure tunnel to send the data traffic to and from the one or more USB devices, and wherein steps utilized to seize the one or more USB devices comprise at least seizing an address for the USB device and interaction between the USB device and a user; an encryptor associated with the module and configured to encrypt data from one or more USB devices; and a decryptor associated with the module and configured to decrypt encrypted data that is intended for us by a USB device. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
-
-
12. A system comprising:
-
a memory; a processor coupled to the memory; a USB security module configured to process data associated with the USB transfers; an encryptor associated with the module and configured to encrypt data from one or more USB devices that have been seized, wherein seizing indicates that data traffic associated with a USB device must be associated with trusted software and establishing a secure tunnel to send the data traffic to and from the one or more USB devices, and wherein steps utilized to seize the one or more USB devices comprise at least seizing an address for the USB device and interaction between the USB device and a user; and a decryptor associated with the module and configured to decrypt encrypted data that is intended for use by a seized USB device. - View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
-
-
23. A USB Host Controller comprising:
-
a memory; a processor coupled to the memory; a security module configured to process data associated with USB transfers and to determine if one or more USB devices have been seized, wherein seizing indicates that data traffic associated with a USB device must be associated with trusted software and establishing a secure tunnel to send the data traffic to and from the one or more USB devices, and wherein steps utilized to seize the one or more USB devices comprise at least seizing an address for the USB device and interaction between the USB device and a user; an encryptor associated with the module and configured to encrypt data from one or more USB devices; a decryptor associated with the module and configured to decrypt encrypted data that is intended for use by a USB device; and a table having entries that indicate, on a device-by-device basis, where encryption and decryption is to be applied. - View Dependent Claims (24, 25, 26, 27)
-
-
28. A USB Hub comprising:
-
a memory; a processor coupled to the memory; a security module configured to process data associated with USB transfers and to determine if one or more USB devices have been seized, wherein seizing indicates that data traffic associated with a USB device must be associated with trusted software and establishing a secure tunnel to send the data traffic to and from the one or more USB devices, and wherein steps utilized to seize the one or more USB devices comprise at least seizing an address for the USB device and interaction between the USB device and a user; an encryptor associated with the module and configured to encrypt data from one or more USB devices; a decryptor associated with the module and configured to decrypt encrypted data that is intended for use by a USB device; and a table having entries that indicate, on a device-by-device basis, where encryption and decryption is to be applied. - View Dependent Claims (29, 30, 31, 32)
-
-
33. A method comprising:
-
receiving data that is associated with a USB hardware device; determining whether the received data is associated with a USB hardware device that is intended to be secure, wherein said determining includes determining if the USB hardware device has been seized, and wherein seizing indicates that data traffic associated with the USB hardware device must be associated with trusted software and establishing a secure tunnel to send the data traffic to and from the one or more USB devices, and wherein steps utilized to seize the one or more USB devices comprise at least seizing an address for the USB hardware device and interaction between the USB hardware device and a user; and if the USB hardware device is intended to be secure, then encrypting or decrypting the data as appropriate. - View Dependent Claims (34, 35, 36, 37, 38, 39, 40, 41, 42)
-
-
43. A system comprising:
-
a memory; a processor coupled to the memory; means for processing data associated with USB transfers; means for determining if one or more USB devices have been seized, wherein seizing indicates that data traffic associated with a USB device must be associated with trusted software and establishing a secure tunnel to send the data traffic to and from the one or more USB devices, and wherein steps utilized to seize the one or more USB devices comprise at least seizing an address for the USB device and interaction between the USB device and a user; means for encrypting data from one or more USB devices and being employable on a device-by-device basis; means for decrypting data that is intended for use by a USB device and being employable on a device-by-device basis; and said means for encrypting and means for decrypting being disposed at a location where there is no direct programmatic access by applications executing on a host computer. - View Dependent Claims (44, 45, 46)
-
Specification