Secure remote desktop

US 9,369,446 B2
Filed: 07/30/2015
Issued: 06/14/2016
Est. Priority Date: 10/19/2014
Status: Active Grant

First Claim

Patent Images

1. A method for communication, comprising:

receiving in a secure installation via a network from a remote user terminal an input comprising a stream of symbols that has been encrypted using a preselected encryption key;

decoding the encrypted stream of symbols in the secure installation using a decryption key corresponding to the preselected encryption key, to produce a clear stream of symbols;

inputting the clear stream of symbols via a first one-way link to a processor in the secure installation;

using a computer program running on the processor in the secure installation, processing the symbols in the clear stream and generating a graphical output in a predefined display format in response to processing the symbols; and

outputting the graphical output from the secure installation via a second one-way link to the network in an unencrypted format for display on the remote user terminal,wherein an input path for conveying the stream of symbols from the remote user terminal to the processor and an output path for conveying the graphical output from the processor to a display on the remote user terminal are separate and independent paths, without any electronic interaction between the input and output paths within the remote user terminal.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for communication includes receiving in a secure installation via a network from a remote user terminal an input comprising a stream of symbols that has been encrypted using a preselected encryption key. The encrypted stream of symbols is decoded in the secure installation using a decryption key corresponding to the preselected encryption key, to produce a clear stream of symbols. A computer program running on a processor in the secure installation is used in processing the symbols in the clear stream and generating a graphical output in a predefined display format in response to processing the symbols. The graphical output is outputted from the secure installation to the network in an unencrypted format for display on the remote user terminal.

206 Citations

20 Claims

1. A method for communication, comprising:
- receiving in a secure installation via a network from a remote user terminal an input comprising a stream of symbols that has been encrypted using a preselected encryption key;
  
  decoding the encrypted stream of symbols in the secure installation using a decryption key corresponding to the preselected encryption key, to produce a clear stream of symbols;
  
  inputting the clear stream of symbols via a first one-way link to a processor in the secure installation;
  
  using a computer program running on the processor in the secure installation, processing the symbols in the clear stream and generating a graphical output in a predefined display format in response to processing the symbols; and
  
  outputting the graphical output from the secure installation via a second one-way link to the network in an unencrypted format for display on the remote user terminal,wherein an input path for conveying the stream of symbols from the remote user terminal to the processor and an output path for conveying the graphical output from the processor to a display on the remote user terminal are separate and independent paths, without any electronic interaction between the input and output paths within the remote user terminal.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method according to claim 1, and comprising generating the encrypted stream at the remote user terminal by applying the preselected encryption key using an encoder in a secure input device of the remote user terminal such that the encryption key is inaccessible to a central processing unit of the terminal.
  - 3. The method according to claim 1, wherein outputting the graphical output comprises replicating a local display of the processor in the secure installation on the display at the remote user terminal.
  - 4. The method according to claim 3, wherein receiving the encrypted stream of symbols and generating the graphical output provide a remote desktop functionality at the remote user terminal for controlling predefined functions of the secure installation.
  - 5. The method according to claim 1, wherein the symbols in the stream are alphanumeric characters.
  - 6. The method according to claim 1, wherein the secure installation comprises an industrial control system, and wherein the input from the remote user terminal is configured to control an operating configuration of the industrial control system.
  - 7. The method according to claim 4, wherein replicating the local display comprises encapsulating and transmitting a sequence of screen shots of the local display.
  - 8. The method according to claim 1, wherein the processor is accessible to communications to and from the network only through the first and second one-way links.

9. Communication apparatus for deployment in a secure installation, the apparatus comprising:
- an input interface, which is configured to receive via a network from a remote user terminal outside the secure installation an input comprising a stream of symbols that has been encrypted using a preselected encryption key;
  
  a decoder, which is coupled to receive the encrypted stream of symbols from the interface and configured to decrypt the encrypted stream using a decryption key corresponding to the preselected encryption key, to produce a clear stream of symbols;
  
  a computer, which is configured to run a software program that causes the computer to process the symbols in the clear stream and to generate a graphical output in a predefined display format in response to processing the symbols;
  
  a first one-way link, coupled to convey the clear stream of symbols from the decoder to the computer;
  
  an output interface, which is configured to convey the graphical output to the network in an unencrypted format for display on the remote user terminal; and
  
  a second one-way link, coupled to convey the graphical output from the computer to the output interface,wherein an input path for conveying the stream of symbols from the remote user terminal to the processor and an output path for conveying the graphical output from the processor to a display on the remote user terminal are separate and independent paths, without any electronic interaction between the input and output paths within the remote user terminal.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The apparatus according to claim 9, wherein the graphical output is configured to replicate a local display of the computer in the secure installation on the display at the remote user terminal.
  - 11. The apparatus according to claim 10, wherein the software program running on the computer provides a remote desktop functionality at the remote user terminal for controlling predefined functions of the secure installation.
  - 12. The apparatus according to claim 9, wherein the symbols in the stream are alphanumeric characters.
  - 13. The apparatus according to claim 9, wherein the secure installation comprises an industrial control system, and wherein the input from the remote user terminal is configured to control an operating configuration of the industrial control system.
  - 14. The apparatus according to claim 9, and comprising the remote user terminal, wherein the terminal comprises a secure input device that encrypts the stream of symbols using an encryption key that is inaccessible to a central processing unit of the terminal.

15. A method for communication, comprising:
- receiving in a secure installation via a network from a remote user terminal an input comprising a stream of symbols that has been encrypted using a preselected encryption key;
  
  decoding the encrypted stream of symbols in the secure installation using a decryption key corresponding to the preselected encryption key, to produce a clear stream of symbols;
  
  inputting the clear stream of symbols via a first one-way link to a processor in the secure installation;
  
  using a computer program running on the processor in the secure installation, processing the symbols in the clear stream and generating a graphical output in a predefined display format in response to processing the symbols; and
  
  outputting the graphical output from the secure installation via a second one-way link to the network for display on the remote user terminal,wherein an input path for conveying the stream of symbols from the remote user terminal to the processor and an output path for conveying the graphical output from the processor to a display on the remote user terminal are separate and independent paths, without any electronic interaction between the input and output paths within the remote user terminal.
- View Dependent Claims (16, 17)
- - 16. The method according to claim 15, wherein outputting the graphical output comprises receiving the graphical output in an encoder from the processor via the second one-way link, encrypting the graphical output in the encoder, and transmitting only the encrypted graphical output to the network.
  - 17. The method according to claim 16, wherein the graphical output is received and decrypted at the remote user terminal so as to replicate a local display of the processor in the secure installation on the display at the remote user terminal and to provide a remote desktop functionality at the remote user terminal for controlling predefined functions of the secure installation.

18. Communication apparatus for deployment in a secure installation, the apparatus comprising:
- an input interface, which is configured to receive via a network from a remote user terminal outside the secure installation an input comprising a stream of symbols that has been encrypted using a preselected encryption key;
  
  a decoder, which is coupled to receive the encrypted stream of symbols from the interface and configured to decrypt the encrypted stream using a decryption key corresponding to the preselected encryption key, to produce a clear stream of symbols;
  
  a computer, which is configured to run a software program that causes the computer to process the symbols in the clear stream and to generate a graphical output in a predefined display format in response to processing the symbols;
  
  a first one-way link, coupled to convey the clear stream of symbols from the decoder to the computer;
  
  an output interface, which is configured to convey the graphical output to the network for display on the remote user terminal; and
  
  a second one-way link, coupled to convey the graphical output from the computer to the output interface,wherein an input path for conveying the stream of symbols from the remote user terminal to the processor and an output path for conveying the graphical output from the processor to a display on the remote user terminal are separate and independent paths, without any electronic interaction between the input and output paths within the remote user terminal.
- View Dependent Claims (19, 20)
- - 19. The apparatus according to claim 18, and comprising an encoder, which is coupled to receive the graphical output from the computer via the second one-way link and is configured to encrypt the graphical output from the computer and convey the encrypted graphical output to the output interface for transmission over the network.
  - 20. The apparatus according to claim 19, wherein the graphical output is received and decrypted at the remote user terminal so as to replicate a local display of the processor in the secure installation on the display at the remote user terminal and to provide a remote desktop functionality at the remote user terminal for controlling predefined functions of the secure installation.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Waterfall Security Solutions Ltd.
Original Assignee
Waterfall Security Solutions Ltd.
Inventors
Frenkel, Lior, Ginter, Andrew
Primary Examiner(s)
Nalven, Andrew
Assistant Examiner(s)
DO, KHANG D

Application Number

US14/813,144
Publication Number

US 20160112384A1
Time in Patent Office

320 Days
Field of Search

726/26
US Class Current

1/1
CPC Class Codes

H04L 63/0428   wherein the data content is...

H04L 63/0457   wherein the sending and rec...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/0876   based on the identity of th...

Secure remote desktop

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

206 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Secure remote desktop

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

206 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links