Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Protection at a particular protocol layer
Reexamination Certificate
1998-07-06
2001-05-01
Swann, Tod (Department: 2132)
Electrical computers and digital processing systems: support
Multiple computer communication using cryptography
Protection at a particular protocol layer
Reexamination Certificate
active
06226749
ABSTRACT:
FIELD OF THE INVENTION
This invention relates generally to secure data processing systems which utilize a security module to control access to a set of secured resources such as a keyboard and a display. This invention also relates generally to secure processing systems which are secure by the nature of their location, e.g. personal computer in a private home or office.
BACKGROUND OF THE INVENTION
Encryption security is a well known feature of modern data processing systems. The general features of encryption security for data transmissions and PIN codes are described in many prior art references such as Atalla U.S. Pat. Nos. 4,268,715, 4,283,599, and 4,288,659.
It is also well known in the art to protect certain critical portions of data processing systems and real time control systems by placing security critical resources under the control of a security module which, as is well known, may include various levels of physical and logical security.
Some examples of logical and physical security features for security modules are discussed in the following references:
Levien U.S. Pat. No. 4,523,271
Double U.S. Pat. No. 5,027,397
Unsworth U.S. Pat. No. 5,353,350
IBM U.S. Pat. No. 5,388,156
Gilbarco U.S. Pat. No. 5,448,638
NCR U.S. Pat. No. 4,593,384
UK patent 1,248,763,
FIG. 1
illustrates one type of security module system. Security module
10
is protected by physical security features
23
and controls a set of security module resources
24
,
25
,
26
and
27
. These resources may be internal or external to the security module, but typically only resources which themselves require physical security due to their nature and function, e.g. encryption using stored keys and algorithms, are located within the security module to save costs.
Application processing unit
20
communicates with security module
10
over command and data bus
21
and directly controls operation of non-secured resources
28
. A secured application program
40
is stored in security module
10
. An application software program
30
is stored in and executed in application processing unit
20
. Program
20
includes security module commands which invoke the fixed secured application program in the security module.
This secured application program may be a single application program module or a plurality of application program modules, each of which may be invoked with a specific different security module command. It will be apparent that this prior art approach only allows the application software programmer to operate the secured resources using fixed program resources having predefined functionality. If the application software programmer want to do other functions with the secured resources, a custom security module with additional secured application program modules would be required. In most cases the cost of such a customized security module would not be warranted by the added value that can be achieved. The application software programmer must utilize duplicate resources (e.g. a second display or keypad) and control them directly by application processing unit
20
. It is apparent that there is a need for a method and apparatus for operating a security module and associated resources in a more flexible and effective manner that allows an application software program running outside the security module to access critical resources controlled by the security module in a secured manner.
OBJECTS OF THIS INVENTION
It is a principal object of this invention to provide an improved method and apparatus for operating resources under the control of a security module or other secure processor.
It is another object of this invention to provide a method and apparatus for operating a security module or other secure processor which allows an external application software program to access critical resources in a secured manner.
It is another object of this invention to provide a method and apparatus for operating a security module or other secure processor in which all of the application software program resides in an external application processing unit.
It is another object of this invention to provide an apparatus and method for operating a security module or other secure processor using predefined commands which can be either secured or non-secured depending on the needs of the application and security considerations.
FEATURES AND ADVANTAGES OF THIS INVENTION
One aspect of this invention features a method for operating a set of resources under the control of a secure processor having a command authentication means involving providing in the security module a set of command primitives for functional control of the set of secured resources, each of the command primitives having an associated set of command data items.
A secured command format is defined for commands to invoke the command primitives, the secured command format including a command sequence ID, a command code, and a set of command data items. An application program is prepared comprising a sequence of secured commands each having the secured command format. The secured commands of the application software program are sent one at a time to the security module for execution.
The authenticity of each of the secured commands is tested by the security module based on the value of at least one element of the secured command using the command authentication means. The regularity of each of the secured commands is tested based on the value of the command sequence ID. The command primitive associated with the command code in each of the secured commands is then executed if and only if the secured command passes both the command sequence and the command authenticity testing steps. In one embodiment of the method of this invention, the sequence of commands in the application program are required to be executed by the security module in an ordered numerical sequence. In such an embodiment, the command sequence testing is carried out by testing whether the value of the command sequence ID is equal to the value of a next command sequence ID maintained in the security module, i.e. the Nxt_Seq_ID is incremented by 1 as each command is executed.
In another embodiment of the method of this invention, the command sequence ID in the secured command format is a current command sequence ID and the secured command format further includes a next command sequence ID. In this embodiment, the command sequence testing comprises testing whether the value of the current command sequence ID is equal to the value of the next command sequence ID obtained from the secured command just previously executed by the security module.
The step of executing the command primitive includes storing the next command sequence ID if the secured command passes the command authenticity testing step. In this embodiment. the application program may comprise a series of secured commands having a set of different execution path branches.
Preferably, the secured command format includes a message authentication code signature value calculated using an encryption key and at least a portion of the content of the secured command. Command authentication testing is carried out by first calculating a test message authentication code signature value using one of the same or a paired encryption key stored in the security module and the same portion of the content of the secured command received by the security module. Following this, the message authentication code signature value in the secured command is checked to determine if it matches the test message authentication code signature value. If it matches, the command is authenticated; and if not, the command is declared to be faulty.
A currently preferred embodiment of this invention incorporates a feature of a command set up table and associated elements which provide added flexibility in that each of the defined commands can be treated as either a secured command or a non-secured command. This embodiment involves a method for operating a set of resources under the control of a secure processor having a command authentication means and a command execution m
Carloganu Marius M.
Sheets John F.
Hewlett--Packard Company
Smithers Matthew
Swann Tod
LandOfFree
Method and apparatus for operating resources under control... does not yet have a rating. At this time, there are no reviews or comments for this patent.
If you have personal experience with Method and apparatus for operating resources under control..., we encourage you to share that experience with our LandOfFree.com community. Your opinion is very important and Method and apparatus for operating resources under control... will most certainly appreciate the feedback.
Profile ID: LFUS-PAI-O-2455952