Secure networking using a resource-constrained device

US 7,509,487 B2
Filed: 05/19/2004
Issued: 03/24/2009
Est. Priority Date: 09/29/2003
Status: Active Grant

First Claim

Patent Images

1. A method of secure communication between a smart card and remote network nodes over a network wherein the smart card acts as a standalone network node and the remote network nodes communicate with the smart card using un-modified network clients and servers and wherein the smart card has a central processing unit, a random access memory, a non-volatile memory, a read-only memory, and an input and output component, comprising:

using a physical link selected from one of several physical link methods;

assigning a unique network address to the smart card thereby enabling the smart card to act as a standalone network node;

executing on the smart card a communications module implementing networking protocols and one or more link layer communication protocols, operable to communicate with a host computer, operable to communicate with remote network nodes using the networking protocols and operable to implement network security protocols thereby setting a security boundary inside the smart card;

implementing an execution model, wherein the communication module is driven by input events and by the applications and wherein the smart card optimized memory usage by sharing data buffers between one or more communications protocol layers or security protocol layers;

executing on the host computer one or more communication and networking protocols operable to communicate with the smart card and operable to communicate with the remote network nodes; and

executing one or more secure network applications on the smart card wherein the network applications call upon the communication module of the smart card to communicate with the host computer or the remote network node using the networking protocols and network security protocols and wherein the secure network applications are securely accessible by the remote network nodes using un-modified network clients and servers.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Secure communication between a resource-constrained device and remote network nodes over a network with the resource-constrained acting as a network node. The remote network nodes communicate with the resource-constrained device using un-modified network clients and servers. Executing on the resource-constrained device, a communications module implements one or more link layer communication protocols, operable to communicate with a host computer, operable to communicate with remote network nodes and operable to implement network security protocols thereby setting a security boundary inside the resource-constrained device.

Citations

68 Claims

1. A method of secure communication between a smart card and remote network nodes over a network wherein the smart card acts as a standalone network node and the remote network nodes communicate with the smart card using un-modified network clients and servers and wherein the smart card has a central processing unit, a random access memory, a non-volatile memory, a read-only memory, and an input and output component, comprising:
- using a physical link selected from one of several physical link methods;
  
  assigning a unique network address to the smart card thereby enabling the smart card to act as a standalone network node;
  
  executing on the smart card a communications module implementing networking protocols and one or more link layer communication protocols, operable to communicate with a host computer, operable to communicate with remote network nodes using the networking protocols and operable to implement network security protocols thereby setting a security boundary inside the smart card;
  
  implementing an execution model, wherein the communication module is driven by input events and by the applications and wherein the smart card optimized memory usage by sharing data buffers between one or more communications protocol layers or security protocol layers;
  
  executing on the host computer one or more communication and networking protocols operable to communicate with the smart card and operable to communicate with the remote network nodes; and
  
  executing one or more secure network applications on the smart card wherein the network applications call upon the communication module of the smart card to communicate with the host computer or the remote network node using the networking protocols and network security protocols and wherein the secure network applications are securely accessible by the remote network nodes using un-modified network clients and servers.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The method of claim 1 wherein the physical link is selected from the set including full-duplex serial connection and half-duplex serial connection.
  - 3. The method of claim 2 wherein the physical link is a full-duplex serial connection using the serial peripheral interface protocol.
  - 4. The method of claim 1 further comprising connecting an interface device between the smart card and the host computer using a physical link that is a serial connection having half-duplex between the smart card and the interface device and full-duplex between the interface device and the host computer.
  - 5. The method of claim 4 further comprising operating the interface device to perform a bridging function between the half-duplex connection and the full-duplex connection.
  - 6. The method of claim 5 wherein the step of performing a bridging function further comprises providing at least one of function selected from:
    - enabling a smart card operating in a command/response mode to communicate with network nodes as a peer;
      
      enabling a smart card operating in half-duplex communication mode to handle full-duplex communication traffic;
      
      encapsulating upper layer protocol frames;
      
      enabling transportation of upper layer protocol frames exceeding a frame size limit of the lower link layer; and
      
      supporting multiple logical connections of upper layer protocols.
  - 7. The method of claim 4 of operating a software module on the interface device according to a finite state machine permitting the interface device to forward messages between the smart card and the network wherein the interface device is in one of the at least one states permitting the smart card to initiate and send messages.
  - 8. The method of claim 7 wherein the at least one state is selected from a set of states corresponding to the interface device transmitting a Send, a Put, and a Poll command, respectively.
  - 9. The method of claim 4 of operating a software module on the host computer according to a finite state machine having at least one state permitting the smart card to transmit messages to the network wherein the software module is in one of the at least one states permitting the smart card to initiate and send messages.
  - 10. The method of claim 9 wherein the at least one state permitting the smart card to transmit messages to the network is selected from a set of states corresponding to the interface device transmitting a Send, a Put, and a Poll command, respectively.
  - 11. The method of claim 9 comprising the step of operating the smart card according to a finite state machine having at least one state in which the smart card waits for a message from the host computer indicating that the smart card may transmit a message.
  - 12. The method of claim 4 further comprising:
    - operating the smart card according to a finite state machine whereby the smart card uses the response status at the end of the response to the command sent by the host computer or an intermediate device to indicate that the smart card wants to transmit information to the host computer or to the network.
  - 13. The method of claim 12 where in the step of operating the smart card comprises operating the smart card according to a finite state machine having at least one state in which the smart card waits for a message indicating to the smart card that the smart card may transmit information to the host.
  - 14. The method of claim 13 further comprising operating the smart card to transition among the states of the finite state machine.
  - 15. The method of claim 12 further comprising:
    - operating the host computer or an intermediate device connected between the host computer and the smart card according to a finite state machine to transmit a polling message to the smart card checking if the smart card may want to transmit information to the host computer.
  - 16. The method of claim 15 wherein the host computer or intermediate device includes a Remote Access Server (RAS) and wherein the step of operating the host computer or intermediate device comprises operating the host computer or intermediate device according to a finite state machine having a Polling state in which the host computer or intermediate device polls the smart card, a Get-from-card state in which the host computer or intermediate device obtains packets of data from the smart card, a Putting-to-card state in which the host computer or intermediate device transmits data to the smart card, and a Checking Remote Access Server(RAS) state in which the host computer or intermediate device checks whether Remote Access Server (RAS) has any data to transmit to the smart card.
  - 17. The method of claim 16 further comprising operating the host computer or the intermediate device to transition among the states of the finite state machine.

18. A system providing secure communication between a smart card and remote network nodes over a network wherein the remote network nodes communicate with the smart card using un-modified network clients and sewers and wherein the smart card has a central processing unit, a random access memory, a non-volatile memory, a read-only memory, and an input and output component, the system comprising:
- a physical link connecting the smart card and a host computer, the physical link selected from one of several physical link methods;
  
  logic to assign a unique network address to the smart card thereby enabling the smart card to act as a standalone network node;
  
  the smart card comprising a communications module implementing networking protocols and one or more link layer communication protocols, operable to communicate with the host computer, operable to communicate with remote network nodes using the networking protocols and operable to implement network security protocols thereby setting a security boundary inside the smart card, wherein the communication module is driven by input events and by the applications and wherein the smart card optimizes memory usage by sharing data buffers between one or more communications protocol layers or security protocol layers;
  
  the host computer comprising logic implementing one or more communication networking protocols operable to communicate with the smart card and operable to communicate with the remote network nodes; and
  
  the smart card further comprising one or more secure network applications wherein the network applications call upon the communication module of the smart card to communicate with the host computer or the remote network node using the networking protocols and network security protocols and wherein the secure network applications are securely accessible by the host computer or the remote network nodes using un-modified network clients or servers.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34)
- - 19. The system of claim 18 wherein the physical link is selected from the set including full-duplex serial connection and half-duplex serial connection.
  - 20. The system of claim 19 wherein the physical link is a full-duplex serial connection using the serial peripheral interface protocol.
  - 21. The system of claim 18 further comprising an interface device between the smart card and the host computer, the interface device using a physical link that is a serial connection having half-duplex between the smart card and the interface device and full-duplex between the interface device and the host computer.
  - 22. The system of claim 21 further wherein the interface device comprises logic to perform a bridging function between the half-duplex connection and the full-duplex connection.
  - 23. The system of claim 22 wherein the logic to perform a bridging function further comprises logic to provide at least one of function selected from:
    - enabling a smart card operating in a command/response mode to communicate with network nodes as a peer;
      
      enabling a smart card operating in half-duplex communication mode to handle full-duplex communication traffic;
      
      encapsulating upper layer protocol frames;
      
      enabling transportation of upper layer protocol frames exceeding a frame size limit of the lower link layer; and
      
      supporting multiple logical connections of upper layer protocols.
  - 24. The system of claim 21 wherein the interface device further comprises logic to operate the interface device according to a finite state machine permitting the interface device to forward messages between the smart card and the network wherein the interface device is in one of the at least one states permitting the smart card to initiate and send messages.
  - 25. The system of claim 24 wherein the at least one state permitting the smart card to transmit messages to the network is selected from a set of states corresponding to the interface device transmitting a Send, a Put, and a Poll command, respectively.
  - 26. The system of claim 21 of wherein the host computer further comprises logic to operate the host computer according to a finite state machine having at least one state permitting the smart card to transmit messages to the network wherein the software module is in one of the at least one states permitting the smart card to initiate and send messages.
  - 27. The system of claim 26 wherein the at least one state is selected from a set of states corresponding to the interface device transmitting a Send, a Put, and a Poll command, respectively.
  - 28. The system of claim 26 wherein the smart card comprises logic to operate the smart card according to a finite state machine having at least one state in which the smart card waits for a message from the host computer indicating that the smart card may transmit a message.
  - 29. The system of claim 21 wherein the smart card further comprises logic to operate the smart card according to a finite state machine whereby smart card uses the response status at the end of the response to the command sent by the host computer or an intermediate device to indicate that the smart card wants to transmit information to the host computer or to the network.
  - 30. The system of claim 29 wherein the logic to operate the smart card according to a finite state machine further comprises logic to operate the smart card according to a finite state machine having at least one state in which the smart card waits for a message indicating to the smart card that the smart card may transmit information to the host.
  - 31. The system of claim 30 further the logic to operate the smart card according to a finite state machine further comprises logic to operate the smart card to transition among the states of the finite state machine.
  - 32. The system of claim 29 further comprising:
    - logic in the host computer or an intermediate device connected between the host computer and the smart card to operate according to a finite state machine to transmit a polling message to the smart card checking if the smart card may want to transmit information to the host computer.
  - 33. The system of claim 32 wherein the host computer or intermediate device includes a Remote Access Server (RAS) and wherein the logic to operate the host computer or intermediate device comprises logic to operate the host computer or intermediate device according to a finite state machine having a Polling state in which the host computer or intermediate device polls the smart card, a Get-from-card state in which the host computer or intermediate device obtains packets of data from the smart card, a Putting-to-card state in which the host computer or intermediate device transmits data to the smart card, and a Checking Remote Access Server RAS state in which the host computer or intermediate device checks whether Remote Access Server RAS has any data to transmit to the smart card.
  - 34. The system of claim 33 further comprising logic to operate the host computer or the intermediate device to transition among the states of the finite state machine.

35. A method of secure communication between a MultiMediaCard (MMC) and remote network nodes over a network wherein the MultiMediaCard (MMC) acts as a standalone network node and the remote network nodes communicate with the MultiMediaCard (MMC) using un-modified network clients and servers and wherein the MultiMediaCard (MMC) has a central processing unit, a random access memory, a non-volatile memory, a read-only memory, and an input and output component, comprising:
- using a physical link selected from one of several physical link methods;
  
  assigning a unique network address to the MultiMediaCard (MMC) thereby enabling the MultiMediaCard (MMC) to act as a standalone network node;
  
  executing on the MultiMediaCard (MMC) a communications module implementing networking protocols and one or more link layer communication protocols, operable to communicate with a host computer, operable to communicate with remote network nodes using the networking protocols and operable to implement network security protocols thereby setting a security boundary inside MultiMediaCard (MMC);
  
  implementing an execution model, wherein the communication module is driven by input events and by the applications and wherein the MultiMediaCard (MMC) optimized memory usage by sharing data buffers between one or more communications protocol layers or security protocol layers;
  
  executing on the host computer one or more communication and networking protocols operable to communicate with the MultiMediaCard (MMC) and operable to communicate with the remote network nodes; and
  
  executing one or more secure network applications on the MultiMediaCard (MMC) wherein the network applications call upon the communication module of the MultiMediaCard (MMC) to communicate with the host computer or the remote network node using the networking protocols and network security protocols and wherein the secure network applications are securely accessible by the remote network nodes using un-modified network clients and servers.
- View Dependent Claims (37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52)
- - 37. The method of claim 35 wherein the physical link is selected from the set including full-duplex serial connection and half-duplex serial connection.
  - 38. The method of claim 37 wherein the physical link is a full-duplex serial connection using the serial peripheral interface protocol.
  - 39. The method of claim 35 further comprising connecting an interface device between the smart card and the host computer using a physical link that is a serial connection having half-duplex between the smart card and the interface device and full-duplex between the interface device and the host computer.
  - 40. The method of claim 39 further comprising operating the interface device to perform a bridging function between the half-duplex connection and the full-duplex connection.
  - 41. The method of claim 40 wherein the step of performing a bridging function further comprises providing at least one of function selected from:
    - enabling a smart card operating in a command/response mode to communicate with network nodes as a peer;
      
      enabling a smart card operating in half-duplex communication mode to handle full-duplex communication traffic;
      
      encapsulating upper layer protocol frames;
      
      enabling transportation of upper layer protocol frames exceeding a frame size limit of the lower link layer; and
      
      supporting multiple logical connections of upper layer protocols.
  - 42. The method of claim 39 of operating a software module on the interface device according to a finite state machine permitting the interface device to forward messages between the smart card and the network wherein the interface device is in one of the at least one states permitting the smart card to initiate and send messages.
  - 43. The method of claim 42 wherein the at least one state is selected from a set of states corresponding to the interface device transmitting a Send, a Put, and a Poll command, respectively.
  - 44. The method of claim 39 of operating a software module on the host computer according to a finite state machine having at least one state permitting the smart card to transmit messages to the network wherein the software module is in one of the at least one states permitting the smart card to initiate and send messages.
  - 45. The method of claim 44 wherein the at least one state permitting the smart card to transmit messages to the network is selected from a set of states corresponding to the interface device transmitting a Send, a Put, and a Poll command, respectively.
  - 46. The method of claim 44 comprising the step of operating the smart card according to a finite state machine having at least one state in which the smart card waits for a message from the host computer indicating that the smart card may transmit a message.
  - 47. The method of claim 39 further comprising:
    - operating the smart card according to a finite state machine whereby the smart card uses the response status at the end of the response to the command sent by the host computer or an intermediate device to indicate that the smart card wants to transmit information to the host computer or to the network.
  - 48. The method of claim 47 wherein the step of operating the smart card comprises operating the smart card according to a finite state machine having at least one state in which the smart card waits for a message indicating to the smart card that the smart card may transmit information to the host.
  - 49. The method of claim 48 further comprising operating the smart card to transition among the states of the finite state machine.
  - 50. The method of claim 47 further comprising:
    - operating the host computer or an intermediate device connected between the host computer and the smart card according to a finite state machine to transmit a polling message to the smart card checking if the smart card may want to transmit information to the host computer.
  - 51. The method of claim 50 wherein the host computer or intermediate device includes a Remote Access Server (RAS) and wherein the step of operating the host computer or intermediate device comprises operating the host computer or intermediate device according to a finite state machine having a Polling state in which the host computer or intermediate device polls the smart card, a Get-from-card state in which the host computer or intermediate device obtains packets of data from the smart card, a Putting-to-card state in which the host computer or intermediate device transmits data to the smart card, and a Checking Remote Access Server (RAS) state in which the host computer or intermediate device checks whether Remote Access Server (RAS) has any data to transmit to the smart card.
  - 52. The method of claim 51 further comprising operating the host computer or the intermediate device to transition among the states of the finite state machine.

36. A system providing secure communication between a MultiMediaCard (MMC) and remote network nodes over a network wherein the remote network nodes communicate with the MultiMediaCard (MMC) using un-modified network clients and servers and wherein the MultiMediaCard (MMC) has a central processing unit, a random access memory, a non-volatile memory, a read-only memory, and an input and output component, the system comprising:
- a physical link connecting the MultiMediaCard (MMC) and a host computer, the physical link selected from one of several physical link methods;
  
  logic to assign a unique network address to the MultiMediaCard (MMC) thereby enabling the MultiMediaCard (MMC) to act as a standalone network node;
  
  the MultiMediaCard (MMC) comprising a communications module implementing networking protocols and one or more link layer communication protocols, operable to communicate with the host computer, operable to communicate with remote network nodes using the networking protocols and operable to implement network security protocols thereby setting a security boundary inside the MultiMediaCard (MMC), wherein the communication module is driven by input events and by the applications and wherein the MultiMediaCard (MMC) optimizes memory usage by sharing data buffers between one or more communications protocol layers or security protocol layers;
  
  the host computer comprising logic implementing one or more communication networking protocols operable to communicate with the MultiMediaCard (MMC) and operable to communicate with the remote network nodes; and
  
  the MultiMediaCard (MMC) further comprising one or more secure network applications wherein the network applications call upon the communication module of the MultiMediaCard (MMC) to communicate with the host computer or the remote network node using the networking protocols and network security protocols and wherein the secure network applications are securely accessible by the host computer or the remote network nodes using un-modified network clients or servers.
- View Dependent Claims (53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68)
- - 53. The system of claim 36 wherein the physical link is selected from the set including full-duplex serial connection and half-duplex serial connection.
  - 54. The system of claim 53 wherein the physical link is a full-duplex serial connection using the serial peripheral interface protocol.
  - 55. The system of claim 36 further comprising connecting an interface device between the smart card and the host computer using a physical link that is a serial connection having half-duplex between the smart card and the interface device and full-duplex between the interface device and the host computer.
  - 56. The system of claim 55 further comprising operating the interface device to perform a bridging function between the half-duplex connection and the full-duplex connection.
  - 57. The system of claim 56 wherein the step of performing a bridging function further comprises providing at least one of function selected from:
    - enabling a smart card operating in a command/response mode to communicate with network nodes as a peer;
      
      enabling a smart card operating in half-duplex communication mode to handle full-duplex communication traffic;
      
      encapsulating upper layer protocol frames;
      
      enabling transportation of upper layer protocol frames exceeding a frame size limit of the lower link layer; and
      
      supporting multiple logical connections of upper layer protocols.
  - 58. The system of claim 55 of operating a software module on the interface device according to a finite state machine permitting the interface device to forward messages between the smart card and the network wherein the interface device is in one of the at least one states permitting the smart card to initiate and send messages.
  - 59. The system of claim 58 wherein the at least one state is selected from a set of states corresponding to the interface device transmitting a Send, a Put, and a Poll command, respectively.
  - 60. The system of claim 55 of operating a software module on the host computer according to a finite state machine having at least one state permitting the smart card to transmit messages to the network wherein the software module is in one of the at least one states permitting the smart card to initiate and send messages.
  - 61. The system of claim 60 wherein the at least one state permitting the smart card to transmit messages to the network is selected from a set of states corresponding to the interface device transmitting a Send, a Put, and a Poll command, respectively.
  - 62. The system of claim 60 comprising the step of operating the smart card according to a finite state machine having at least one state in which the smart card waits for a message from the host computer indicating that the smart card may transmit a message.
  - 63. The system of claim 55 further comprising:
    - operating the smart card according to a finite state machine whereby the smart card uses the response status at the end of the response to the command sent by the host computer or an intermediate device to indicate that the smart card wants to transmit information to the host computer or to the network.
  - 64. The system of claim 63 wherein the step of operating the smart card comprises operating the smart card according to a finite state machine having at least one state in which the smart card waits for a message indicating to the smart card that the smart card may transmit information to the host.
  - 65. The system of claim 64 further comprising operating the smart card to transition among the states of the finite state machine.
  - 66. The system of claim 63 further comprising:
    - operating the host computer or an intermediate device connected between the host computer and the smart card according to a finite state machine to transmit a polling message to the smart card checking if the smart card may want to transmit information to the host computer.
  - 67. The system of claim 66 wherein the host computer or intermediate device includes a Remote Access Server (RAS) and wherein the step of operating the host computer or intermediate device comprises operating the host computer or intermediate device according to a finite state machine having a Polling state in which the host computer or intermediate device polls the smart card, a Get-from-card state in which the host computer or intermediate device obtains packets of data from the smart card, a Putting-to-card state in which the host computer or intermediate device transmits data to the smart card, and a Checking Remote Access Server (RAS) state in which the host computer or intermediate device checks whether Remote Access Server (RAS) has any data to transmit to the smart card.
  - 68. The method of claim 67 further comprising operating the host computer or the intermediate device to transition among the states of the finite state machine.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Thales DIS USA, Inc. (Thales SA)
Original Assignee
Gemalto, Inc. (Thales SA)
Inventors
Montgomery, Michael Andrew, Ali, Asad Mahboob, Lu, HongQian Karen
Primary Examiner(s)
Barron, Jr.; Gilberto
Assistant Examiner(s)
ZECHER, CORDELIA P K

Application Number

US10/848,738
Publication Number

US 20050108571A1
Time in Patent Office

1,770 Days
Field of Search

713/151
US Class Current

713/151
CPC Class Codes

G06F 21/34   involving the use of extern...

H04L 63/0428   wherein the data content is...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/08   for authentication of entit...

H04L 63/0853   using an additional device,...

H04L 63/166   at the transport layer

Secure networking using a resource-constrained device

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

68 Claims

Specification

Solutions

Use Cases

Quick Links

Secure networking using a resource-constrained device

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

68 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links