Portable communications device with enhanced security
2 Assignments
0 Petitions
Abstract
A portable communications device adapted to provide communications security and user identification, and authentication. In one embodiment, the device is useful with an untrusted network, and comprises security apparatus adapted to create associations with one or more security devices on the network. Traffic between the associated devices may be encrypted and residue-protected for e.g., data confidentiality and integrity protection. In one variant, the security apparatus comprises a software entity disposed at least partly within the software stack of a host. A security card may also be used as part of the security apparatus. The portable device may be untrusted (e.g., have an untrusted operating system) and also be physically unsecure. In one variant, the security apparatus is also agnostic to the portable device with which it is used.
99 Citations
61 Claims
1. A portable communications device, comprising:
a host computerized device having an operating system;
a network communications interface adapted to communicate with a network and said host computerized device;
a security card adapted to be received at least partly within said host computerized device, said security card having portions comprising user-specific and cryptographic data stored therein, at least said portions being protected against access by unauthorized users;
a first computer program adapted to dynamically obtain at least one identifier for said portable communications device when said communications interface is placed in data communication with said network;
a second computer program adapted to establish a security association between said portable communications device and a security device on said network, said second computer program comprising a key exchange algorithm adapted to cause said portable communications device and said security device to exchange cryptographic keys while establishing said association; and
a third computer program adapted to seal or encrypt data sent from said portable communications device using at least one of said cryptographic keys;
wherein said key exchange algorithm includes the generation and transmission of a random number by only one party to the security association.
Dependent claims: 2-21, 34.

22. A portable communications device adapted to provide security functions, comprising:
a physically unsecure and untrusted host device having an untrusted operating system;
a communications stack operative to run on said host device;
a communications interface adapted to establish temporary two-way communications with an untrusted multi-user network, said interface being driven at least in part by said stack; and
a security apparatus for use with said stack, said security apparatus comprising a removable and substantially user-specific security card received at least partly within a card reading apparatus of said portable device, said security apparatus adapted to:
verify the identity of a user of said portable communications device before further access is permitted;
physically secure cryptographic elements uniquely associated with said physically unsecure and untrusted host device or a user thereof;
exchange security information with said physically unsecure and untrusted host device before further processing of a user transaction or message is permitted; and
generate a request message for transmission to a network security device, said request message initiating an authentication procedure and comprising at least cryptographic information generated by said portable communications device, said cryptographic information comprising a cryptographic key that is part of a public/private key pair;
wherein said security apparatus further facilitates the review of a user session audit trail.
Dependent claims: 23-32.

33. A portable communications device adapted to provide security functions, comprising:
a physically unsecure and untrusted host device having an untrusted operating system;
a communications stack operative to run on said host device;
a communications interface adapted to establish temporary two-way communications with an untrusted multi-user network, said interface being driven at least in part by said stack; and
a security apparatus for use with said stack, said security apparatus comprising:
(i) a removable and substantially user-specific security card received at least partly within a card reading apparatus of said portable device; and
(ii) a security stack operable to interface with one or more layers of said communications stack;
wherein said security apparatus is adapted to:
verify the identity of said user of said portable communications device before further access to said network via said communications stack is permitted;
physically secure security data elements uniquely associated with said user thereof; and
exchange security information with said physically unsecure and untrusted host device before further processing of a user transaction or message is permitted;
wherein said exchange of security information includes a unidirectional transmission of a random number;
wherein said security card is substantially platform agnostic such that it may be removed from and inserted into another portable physically unsecure and untrusted communications device while:
(i) providing similar user-specific security functionality to that of said portable communications device; and
(ii) substantially preventing compromise of said security data elements.

35. A portable communications device adapted to provide network security functions, comprising:
a host computerized device comprising an operating system and hardware;
a communications stack operative to run on said host computerized device;
a communications interface adapted to establish a communications link with an untrusted network; and
a first security apparatus for use with said stack, said first security apparatus adapted to communicate data with a second security apparatus on said untrusted network by establishing a security association, said establishment of a security association including the generation and transmission of a random number by only one party to the security association, and where said first security apparatus is configured to:
verify the identity of a user of said portable communications device before further access is permitted;
receive data sent from a higher layer process in said host computerized device for transmission over said network;
encrypt at least a portion of said data using at least one cryptographic key;
transmit said at least portion to said second security apparatus;
dynamically generate at least one encryption key for each association, said act of generating not requiring intervention by a user of said portable communications device; and
enable the review of a user session audit trail.

36. A portable communications device adapted to provide network security functions, said portable communications device comprising:
a host computerized device comprising an operating system and hardware;
a communications stack operative to run on said host computerized device;
a communications interface adapted to establish an ad hoc communications link with an untrusted network having an auditor function adapted to facilitate audit or tracking of unauthorized security events or attempted accesses; and
a first security apparatus for use with said stack, said first security apparatus adapted to communicate data with a second security apparatus on said untrusted network by establishing a security association, and where said first security apparatus is configured to:
verify the identity of a user of said portable device before further access is permitted;
receive data sent from a higher layer process in said host computer for transmission over said network;
determine whether an association between said first security apparatus and said second security apparatus exists;
encrypt at least a portion of said data using at least one cryptographic key;
transmit said at least portion to said other security apparatus when said association does exist; and
dynamically generate at least one encryption key for each association, said act of generating not requiring intervention by a user of said portable communications device.
Dependent claims: 37-60.

61. A portable communications device adapted to provide network security functions, said portable communications device comprising:
a computerized host device comprising an operating system and hardware;
a communications stack operative to run on said host computerized device;
a communications interface adapted to establish an ad hoc communications link with an untrusted network; and
a first security apparatus for use with said stack, said first security apparatus adapted to communicate data with a second security apparatus on said untrusted network by establishing a security association, and where said first security apparatus is configured to:
verify the identity of a user of said portable device before further access is permitted;
receive data sent from a higher layer process in said host computer for transmission over said network;
determine whether an association between said first security apparatus and said second security apparatus exists;
encrypt at least a portion of said data using at least one cryptographic key;
transmit said at least portion to said other security apparatus when said association does exist;
dynamically generate at least one encryption key for each association, said act of generating not requiring intervention by a user of said portable communications device;
wherein at least a portion of said transmitted at least portion is evaluated by said second security apparatus using a first cryptographic residue generated at said second security apparatus using at least locally stored information, and a second residue of said transmitted message to determine if said first and second residues match; and
if said first and second residues do not match, invoke a network audit function.
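The flow the independent claims describe (user verification at the card, a random number generated and transmitted by only one party, per-association keys derived without user action, encrypt-then-residue on each message, and a network audit entry when the locally recomputed residue does not match) can be exercised end to end in a small model. The Python below is an added illustration, not the patent's own code or algorithms. Everything about the primitives is assumed rather than taken from the claims: the card holds a 256-bit secret pre-shared with the network security device, the one-party random number is a challenge from that device, keys come from HKDF-SHA256, the residue is an HMAC-SHA256 tag, and encryption is an HMAC-SHA256 keystream so the example runs on the standard library alone (a deployment would use an AEAD such as AES-GCM). The public/private key material of claim 22 is not modelled.

```python
"""Illustrative model of the claimed association flow (added example; the
primitives, the pre-shared card secret and the challenge direction are all
assumptions, not taken from the claims)."""
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 12, 32


def hkdf_sha256(ikm, salt, info, length=32):
    """RFC 5869 HKDF (extract then expand) with SHA-256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_keys(card_secret, rand, device_id):
    """Per-association keys: a fresh RAND yields fresh keys with no user action."""
    return (hkdf_sha256(card_secret, rand, b"enc|" + device_id),
            hkdf_sha256(card_secret, rand, b"mac|" + device_id))


def auth_response(card_secret, rand, device_id):
    """Proof of possession of the card secret, bound to RAND and the device id."""
    return hmac.new(card_secret, b"auth|" + rand + device_id, hashlib.sha256).digest()


def xor_keystream(key, nonce, data):
    """Toy stream cipher: XOR with HMAC-SHA256(key, nonce||counter) blocks."""
    out, counter = bytearray(), 0
    while len(out) < len(data):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


class SecurityCard:
    """Holds the user-specific secret; the untrusted host only ever sees outputs."""

    def __init__(self, card_secret, pin):
        self._k, self._pin, self._unlocked = card_secret, pin, False

    def unlock(self, pin):
        """User identity check before any further card operation is permitted."""
        self._unlocked = hmac.compare_digest(self._pin, pin)
        return self._unlocked

    def respond(self, rand, device_id):
        if not self._unlocked:
            raise PermissionError("card locked: user not verified")
        return auth_response(self._k, rand, device_id), derive_keys(self._k, rand, device_id)


class NetworkSecurityDevice:
    def __init__(self, subscribers):
        self._subs = subscribers    # device_id -> card secret (constructed directory)
        self.associations = {}      # device_id -> (enc_key, mac_key)
        self.audit_log = []         # written when a residue check fails

    def challenge(self):
        """Only this party generates and transmits the random number."""
        return secrets.token_bytes(16)

    def establish(self, device_id, rand, auth):
        k = self._subs.get(device_id)
        if k is None or not hmac.compare_digest(auth_response(k, rand, device_id), auth):
            return False
        self.associations[device_id] = derive_keys(k, rand, device_id)
        return True

    def receive(self, device_id, sealed):
        """Recompute the residue from local state; on mismatch, audit and drop."""
        if device_id not in self.associations:
            return None
        enc_key, mac_key = self.associations[device_id]
        nonce, ct, residue = sealed[:NONCE_LEN], sealed[NONCE_LEN:-TAG_LEN], sealed[-TAG_LEN:]
        local = hmac.new(mac_key, device_id + nonce + ct, hashlib.sha256).digest()
        if len(sealed) < NONCE_LEN + TAG_LEN or not hmac.compare_digest(local, residue):
            self.audit_log.append((device_id, "residue mismatch"))
            return None
        return xor_keystream(enc_key, nonce, ct)


def seal(enc_key, mac_key, device_id, plaintext):
    """Encrypt-then-MAC; the tag is the 'residue' the network device checks."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = xor_keystream(enc_key, nonce, plaintext)
    return nonce + ct + hmac.new(mac_key, device_id + nonce + ct, hashlib.sha256).digest()


def run_session(tamper=False):
    """PIN check, one-party challenge, association, sealed message, residue check."""
    device_id, pin = b"dev-0001", b"1234"                       # constructed values
    card_secret = hashlib.sha256(b"example-card-secret").digest()
    card = SecurityCard(card_secret, pin)
    net = NetworkSecurityDevice({device_id: card_secret})
    card.unlock(pin)
    rand = net.challenge()
    auth, (enc_key, mac_key) = card.respond(rand, device_id)
    established = net.establish(device_id, rand, auth)
    sealed = seal(enc_key, mac_key, device_id, b"balance query")
    if tamper:                                                  # flip one ciphertext bit in transit
        i = NONCE_LEN
        sealed = sealed[:i] + bytes([sealed[i] ^ 0x01]) + sealed[i + 1:]
    return established, net.receive(device_id, sealed), len(net.audit_log)
```

`run_session()` returns `(True, b"balance query", 0)`; `run_session(tamper=True)` returns `(True, None, 1)`, the audit entry being the claimed "network audit function" being invoked. Two caveats a practitioner should keep in mind: the per-message nonce provides freshness of the keystream but not replay protection (a sequence counter bound into the tag would be needed for that), and in this model the network's directory of card secrets is the equivalent of the "locally stored information" in claim 61, so its protection is as important as the card's own.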
Specification