Abstract: A system and method for providing a platform independent plug-and-play device for secure communication over a cellular network is provided. The method includes providing data and communication security between the hardware security engines connected over the cellular network by a pluggable hardware security engine. Further, it includes initializing and configuring one or more keys for the hardware security engines in the cellular network by a centralized key server.
FIELD OF INVENTION
[0001] The present disclosure relates generally to systems and methods for secure transmission of data across a cellular network. The disclosure, more particularly, relates to a system and a method for providing a platform independent plug-and-play device for secure communication over a cellular network.
BACKGROUND
[0002] Electronic devices, for example, mobile devices, are the most widely used devices for communication and for sharing voice, video and various kinds of media between devices and from a server to mobile devices. New features and services are added daily that expand the usage of the devices beyond the traditional usage for voice and messaging. The electronic devices are becoming sophisticated, and operating systems and applications are updated regularly for security updates and new features. Security of the data shared between devices and between server and devices is indispensable. The communication network that facilitates communication is widespread and spans a huge area. Huge investments have been made to deploy the network. Adding a new feature, a service or hardware to the already deployed network involves huge changes and additional investment by the network service providers. Commercial off-the-shelf mobile devices cannot be used for scenarios that require strict security measures for communication and data sharing. Various security threats exist that require all the secret data and communication to be encrypted before being transmitted in the commercially deployed device Internet.
[0003] Encryption is the process by which sensitive information is transformed using a key that is secret. Confidentiality is a cryptographic service that is achieved using encryption and ensures that only a pre-determined set of entities can read the communicated message encrypted under the parameter called a key. Adding confidentiality to the already deployed mobile network would involve huge investment and manpower by the service provider. Also, it may not be possible to add a strategic or an unconventional encryption process in the commercial networks. Electronic devices are also user dependent. Different users may like different types of electronic devices based on features and price. Providing a common software-based encryption solution to facilitate secure communication between different types of user devices and between user device and the server may not be feasible.
[0004] WO2007/089379 A2 titled “Pluggable transceiver module with encryption capability” discloses a pluggable module for insertion into the port of a network device which includes an onboard encryption engine to provide for the use of secure links in networks having legacy switches or routers not including an encryption facility.
[0005] US 7,366,900 B2 titled “Platform-Neutral System and Method for Providing Secure Remote Operations Over an Insecure Computer Network” discloses a method, system and computer program product for enhancing the security of a message sent through a network server from a client computer to a destination server running any computer platform. Credentials for authorizing a principal are obtained by the client computer from a validation center. The principal authentication information is transmitted to the network server. The network server may use the principal-authenticating information to obtain permission data from the validation center for use in accessing the destination server. Also described is a method of providing a remote interactive login connection using the same method.
[0006] US 2010/0217967 A1 titled “Real-time communication security publication classification for automation networks” discloses a framework, device and method for providing broadcast communication security over Ethernet within an automation system, wherein a security plug provides secure working of the automation system. The security plug can be implemented using ASIC/FPGA technology to provide compatibility with existing systems and an intuitive plug-and-play model. An exemplary system can address jitter-sensitivity by providing a real-time architecture, with minimal transmission latencies. The security plug can have separate security and communication modules that make provisions for protocol independent working of the security plug, within these networks. The method can include bootstrapping, secret key establishment and secure communication, for providing real-time guarantees.
[0007] IN1750/MUM/2008 titled “System for Securing Mobile Devices” discloses a solution using cryptography along with SMS based access control as one of the mechanisms to secure mobile devices in hostile environments. The SMS message as referred herein relates to a message sent to a crypto token resident on the mobile device in accordance with this invention. It is distinct from the message sent to a SIM card of the mobile phone. Said crypto token is adapted to be powered on a minimalist power source. Also, even if the main battery which powers the mobile device is removed, the crypto token and its functionalities are persisted.
[0008] Therefore, there is still a need of an invention which solves the above defined problems and provides a method and system for increasing security of sensitive data, voice and video involving user devices in already deployed mobile network, and for increasing security of communication involving a client that sends data to secure servers over a non-secure network such as the Internet.
[0009] There is also a need for a method of and system for increasing security of sensitive data, voice and video involving a client and/or a server, where the client is not restricted to one of a limited subset of devices or operating systems because of interoperability or administration concerns.
[0010] There is also a need to allow different varieties of client devices to communicate with destination sensitive servers over an insecure network connection using secure communication and to allow different varieties of client devices to communicate with other client devices over an insecure network connection using secure communication.
[0011] Another need is for a system and method to allow sensitive information to pass through the network that the destination server may receive or send to the client.
SUMMARY
[0012] This summary is provided to introduce concepts related to a system and a method for providing a platform independent plug-and-play device for secure communication over a cellular network. This summary is neither intended to identify essential features of the present invention nor is it intended for use in determining or limiting the scope of the present invention.
[0013] In an embodiment of the present invention, a method for providing a platform independent plug-and-play device for secure communication over a cellular network is disclosed. The method includes providing data and communication security between the hardware security engines connected over the cellular network by a pluggable hardware security engine. Further, it includes initializing and configuring one or more keys for the hardware security engines in the cellular network by a centralized key server.
[0014] In another embodiment, the method includes the pluggable hardware security engine configured as a SIM based device. Configuring the pluggable hardware security engine as the SIM based device further includes inserting the pluggable hardware security engine in one of the user devices. Further, it includes configuring the hardware security engine to the SIM based device configuration by a security configuration module. Further, the method includes configuring the SIM interface and a modem interface of the pluggable hardware security engine by a SIM and modem configuration module, then disabling the SIM interface and the modem interface of the user devices by a host communication module. Further, it includes enabling the SIM interface and the modem interface of the pluggable hardware security engine by the SIM and modem configuration module. Furthermore, it includes disabling a media side ethernet interface by a media communication module to ensure that all the data flows through the SIM interface and modem interface of the pluggable hardware security engine, and enabling the security settings of the hardware security engine by a security module.
[0015] In another embodiment, the method includes the pluggable hardware security engine configured as a non-SIM based device. Configuring the pluggable hardware security engine as the non-SIM based device further includes inserting the pluggable hardware security engine in one of the user devices. Further, it includes configuring the hardware security engine to the non-SIM based device configuration by the security configuration module. The method further includes configuring the SIM interface and a modem interface of the pluggable hardware security engine by the SIM and modem configuration module, then disabling the SIM interface and the modem interface of the user devices by the host communication module. Further, it includes disabling the SIM interface and the modem interface of the pluggable hardware security engine by the SIM and modem configuration module. Furthermore, it includes enabling a media side ethernet interface by the media communication module to ensure that all the data flows through the media side ethernet interface of the pluggable hardware security engine, and enabling the security settings of the hardware security engine by the security module.
[0016] In another embodiment, the method includes receiving and configuring the one or more keys by the centralized key server upon deployment for pluggable hardware security engine during SIM based and non-SIM based configured device. This receiving and configuring of the one or more keys includes connecting to the centralized key server and sending the key request to the centralized key server by a manufacturer key. Further, receiving the encrypted key from the centralized key server by the user device and decrypting the received encrypted key by the manufacturer key. Furthermore, it includes removing the manufacturer key from a key storage, storing the decrypted key in the key storage, and configuring the key in the security module for encryption and decryption.
[0017] In another embodiment, the method includes receiving and configuring the one or more keys by the centralized key server during runtime for a pluggable hardware security engine during SIM based and Non-SIM based configured device. This receiving and configuring of the one or more keys includes connecting to the centralized key server and sending the key request to the centralized key server by a current working key. Further, receiving the encrypted key from the centralized key server by the user device and decrypting the received encrypted key by the current working key. Furthermore, it includes removing the current working key from the key storage, storing the decrypted key in the key storage, and configuring the key in the security module for encryption and decryption.
[0018] In another embodiment, the method includes receiving and sending the one or more keys by the centralized key server. This receiving and sending of the one or more keys further includes receiving the key request from a plurality of key devices and processing the key request by the centralized key server. Further, it includes determining whether the key request is using the manufacturer key or the previous working key by the centralized key server. Further, it includes encrypting the new working key with the manufacturer key by the centralized key server if the key request received is with the manufacturer key. This encrypted working key is sent to the requester. Further, it includes encrypting the new working key with the previous working key by the centralized key server if the key request received is with the previous working key. This encrypted working key is sent to the requester.
[0019] In another embodiment, a system for providing a platform independent plug-and-play device for secure communication over a cellular network is provided. This system further includes a pluggable hardware security engine configured to provide data and communication security between the plurality of hardware security engines connected over the cellular network and a centralized key server configured to initialize and configure one or more keys for the hardware security engines in the cellular network.
[0020] In another embodiment, the system includes the pluggable hardware security engine configured as a SIM based device upon inserting the pluggable hardware security engine in one of the user devices by a user. This SIM based device further includes a security configuration module configured to configure the pluggable hardware security engine to the SIM based device configuration. Further, a SIM and modem configuration module is configured to configure the SIM interface and a modem interface of the pluggable hardware security engine. This SIM and modem configuration module is further configured to enable the SIM interface and the modem interface of the pluggable hardware security engine. Further, the system includes a host communication module configured to disable the SIM interface and the modem interface of the user devices. Further, a media communication module is configured to disable a media side ethernet interface to ensure that all the data flows through the SIM interface and modem interface of the pluggable hardware security engine and a security module is configured to disable the security settings of the hardware security engine.
[0021] In another embodiment, the system includes the pluggable hardware security engine configured as a non-SIM based device upon inserting the pluggable hardware security engine in one of the user devices by a user. This non-SIM based device further includes the security configuration module configured to configure the hardware security engine to the non-SIM based device configuration. Further, the SIM and modem configuration module is configured to configure the SIM interface and a modem interface of the pluggable hardware security engine. This SIM and modem configuration module is further configured to enable the SIM interface and the modem interface of the pluggable hardware security engine. Further, the host communication module is configured to disable the SIM interface and the modem interface of the user devices. Further, the media communication module is configured to enable a media side ethernet interface to ensure that all the data flows through the media side ethernet interface of the pluggable hardware security engine and the security module is configured to enable the security settings of the hardware security engine.
[0022] In another embodiment, the system includes the centralized key server which is configured to receive and send the one or more keys. This centralized key server is further configured to receive the key request from a plurality of key devices and process the key request. Further, it is configured to determine if the key request is using the manufacturer key or the previous working key and encrypt the new working key with the manufacturer key if the key request received is with the manufacturer key. This encrypted working key is sent to the requester. Further, the centralized key server is configured to encrypt the new working key with the previous working key if the key request received is with the previous working key. This encrypted working key is sent to the requester.
BRIEF DESCRIPTION OF ACCOMPANYING DRAWINGS
[0023] The detailed description is described with reference to the accompanying figures.
[0024] Figure 1 illustrates a block diagram depicting an overall architecture of a system, in accordance with an embodiment of the present invention.
[0025] Figure 2 illustrates a block diagram depicting a system of a pluggable hardware security engine, in accordance with an embodiment of the present invention.
[0026] Figure 3 illustrates a block diagram depicting functional modules of the pluggable hardware security engine, in accordance with an embodiment of the present invention.
[0027] Figure 4A illustrates a flow diagram depicting configuring the pluggable hardware security engine as a SIM based device with a modem and SIM interface enabled, in accordance with an embodiment of the present invention.
[0028] Figure 4B illustrates a flow diagram depicting configuring the pluggable hardware security engine as a Non-SIM based device with a modem and SIM interface disabled, in accordance with an embodiment of the present invention.
[0029] Figure 5A illustrates a flow diagram depicting receiving and configuring the working keys for first time after deployment for a pluggable hardware security engine, in accordance with an embodiment of the present invention.
[0030] Figure 5B illustrates a flow diagram depicting receiving and configuring the working keys during runtime for a pluggable hardware security engine, in accordance with an embodiment of the present invention.
[0031] Figure 5C illustrates a flow diagram depicting receiving a key request and sending the working keys by a centralized key server, in accordance with an embodiment of the present invention.
[0032] Figure 6A illustrates a flow diagram depicting encrypting the host data while configured as a SIM based device for a pluggable hardware security engine, in accordance with an embodiment of the present invention.
[0033] Figure 6B illustrates a flow diagram depicting decrypting the received data for a host while configured as a SIM based device for a pluggable hardware security engine, in accordance with an embodiment of the present invention.
[0034] Figure 7A illustrates a flow diagram depicting encrypting the host data while configured as a Non-SIM based device for pluggable hardware security engine, in accordance with an embodiment of the present invention.
[0035] Figure 7B illustrates a flow diagram depicting decrypting the received data for host while configured as a Non-SIM based device for a pluggable hardware security engine, in accordance with an embodiment of the present invention.
[0036] It should be appreciated by those skilled in the art that any block diagrams herein represent conceptual views of illustrative systems embodying the principles of the present invention. Similarly, it will be appreciated that any flow chart, flow diagram, and the like represent various processes which may be substantially represented in computer readable medium and so executed by a computer or processor, whether or not such computer or processor is explicitly shown.
DETAILED DESCRIPTION
[0037] The various embodiments of the present invention provide a system and method for providing a platform independent plug-and-play device for secure communication over a cellular network. They further provide an improved system and method for use in an industrial environment.
[0038] In the following description, for purpose of explanation, specific details are set forth in order to provide an understanding of the present invention. It will be apparent, however, to one skilled in the art that the present invention may be practiced without these details.
[0039] One skilled in the art will recognize that embodiments of the present invention, some of which are described below, may be incorporated into a number of systems.
[0040] However, the device is not limited to the specific embodiments described herein. Further, structures and devices shown in the figures are illustrative of exemplary embodiments of the present invention and are meant to avoid obscuring of the present invention.
[0041] Furthermore, connections between components and/or modules within the figures are not intended to be limited to direct connections. Rather, these components and modules may be modified, re-formatted or otherwise changed by intermediary components and modules.
[0042] The appearances of the phrase “in an embodiment” in various places in the specification are not necessarily all referring to the same embodiment.
[0043] In an exemplary embodiment, the present disclosure relates to the field of secure transmission of data across a mobile network. More particularly, the present disclosure provides platform independent systems and methods for securely transmitting data content including voice and video data over a mobile network.
[0044] In an exemplary embodiment, the present disclosure provides systems and methods for providing platform independent plug and play secure communication for voice, video, data services over a network. Secure communication is provided between two or more user devices and between user devices and backend server in an insecure network.
[0045] In an exemplary embodiment, the system and method secure all types of communication using a plug and play device containing a hardware security engine without changing the already deployed network infrastructure. The network infrastructure represents a huge investment and is widely deployed. Security requirements keep changing regularly because of newly discovered vulnerabilities. This requires multiple changes in the already deployed network, which is difficult. The present disclosure provides systems and methods for increasing the security of data including voice and video without changing the already deployed network infrastructure.
[0046] In an exemplary embodiment, the system and method provide secure communication without depending on the type of user device platform. A security mechanism provided depends on the hardware of user device, platform of user device and types of application it runs. The present disclosure provides secure communication for client and server using a plug and play hardware security engine that can be connected and removed with ease and does not depend on the device.
[0047] In an exemplary embodiment, the system and method provide a hardware security engine configured as a SIM or non-SIM based device for connecting to the network.
[0048] In an exemplary embodiment, the system provides a centralized key server for initializing and distributing working keys periodically.
[0049] In an exemplary embodiment, the object of the present disclosure is to provide systems and methods for protection of data including voice and video between user devices and between user devices and backend server in an insecure network.
[0050] In an exemplary embodiment, another object of the present disclosure is to secure all type of communication without changing the already deployed network infrastructure and a user device and a server.
[0051] In an exemplary embodiment, another object of the present disclosure is to provide secure communication using a plug and play device containing a hardware security engine that can be connected and removed with ease.
[0052] In an exemplary embodiment, the present disclosure pertains to a plug and play module which is inserted into a computing device and includes a security module and a modem to provide security for data in transit. The present disclosure provides methods for protection of data including voice and video between user devices and between user devices and backend server in an insecure network. The present disclosure also provides a system for secure communication using a plug and play hardware security engine. It secures all types of communication including but not limited to voice, video and data. The pluggable hardware security engine can be connected and removed with ease without changing the already deployed network infrastructure, a user device and a server.
[0053] In an exemplary implementation of the present disclosure, a system for providing communication and data security over network, the system includes a pluggable hardware security engine for providing data and communication security between a set of hardware security engines connected over mobile network; and a centralized key server for initializing and synchronizing keys for the hardware security engines in the mobile network.
[0054] In an exemplary implementation of the present disclosure, the at least one or more user devices includes a USB or ethernet port to connect to hardware security engine to configure, to receive encrypted data and send plain data.
[0055] In an exemplary implementation of the present disclosure, the pluggable hardware security engine comprises a host side interface for receiving user data and configuration data from the user host device and a media side interface to connect to the network.
[0056] In an exemplary implementation of the present disclosure, the pluggable hardware security engine contains a configuration module which configures the engine to work as a SIM based device or a non-SIM based device. When it is configured as a SIM based device, the modem and SIM interface will be enabled and the media side Ethernet interface will be disabled. When it is configured as a non-SIM based device, the media side Ethernet interface will be enabled, and the modem and SIM interface will be disabled.
[0057] In an exemplary implementation of the present disclosure, the pluggable hardware security engine comprises a key storage which stores the manufacturer's key during the manufacturing process and replaces the manufacturer's key with the working key after receiving the working key from the centralized key server.
[0058] In an exemplary implementation of the present disclosure, the pluggable hardware security engine comprises a key establishment module which creates secure connection with the centralized key server, receives working key from the centralized key server, stores the working key in key storage, reads the working key from the key storage and sends the working key to crypto module for secure communication and data security.
[0059] In an exemplary implementation of the present disclosure, the pluggable hardware security engine comprises a crypto module, which receives the working key from key establishment module, configures the crypto module to use the working key for encrypting the data to be sent over modem and SIM interface, if configured as SIM based device and over Media side Ethernet interface if configured as non-SIM based device.
[0060] In an exemplary implementation of the present disclosure, the pluggable hardware security engine comprises a flow control module for managing the flow of data between host side Ethernet interface and modem and SIM interface when configured as SIM based device, and managing the flow of data between host side ethernet interface and media side ethernet interface when configured as non-SIM based device.
[0061] In an exemplary implementation of the present disclosure, the pluggable hardware security engine registers itself with the centralized key server when first deployed in the network, and all pluggable hardware security engines form a closed group to prevent DoS and DDoS type attacks.
[0062] In an exemplary implementation of the present disclosure, the centralized key server identifies a newly deployed pluggable hardware security engine and sends the working key by encrypting it using a manufacturer’s key.
[0063] In an exemplary implementation of the present disclosure, the centralized key server generates a working key periodically and distributes it securely to all deployed pluggable hardware security engines.
[0064] In an exemplary implementation of the present disclosure, the centralized key server encrypts the future working key with the current working key for secure distribution to all deployed pluggable hardware security engines.
[0065] In an exemplary implementation of the present disclosure, the centralized key server distributes encrypted working key over Transport Layer Security (TLS) protocol to prevent unauthorized access.
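The key exchange of paragraphs [0016] to [0018] and [0057] to [0065], with both the key server and the engine side, as an added example that is not part of the original disclosure. The request proof, the blob layout, the key sizes and the HMAC-SHA256 encrypt-then-MAC wrap (a standard-library stand-in for an AEAD key wrap) are assumptions, since the disclosure names no algorithm; the TLS channel is not modelled.

```python
import hashlib
import hmac
import secrets

KEY_LEN, NONCE_LEN, TAG_LEN = 32, 16, 32  # assumed sizes; the disclosure fixes none


def _prf(key, label, data=b""):
    return hmac.new(key, label + data, hashlib.sha256).digest()


def wrap_key(kek, new_key):
    """Encrypt-then-MAC one 32-byte key under kek (stand-in for an AEAD key wrap)."""
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _prf(_prf(kek, b"enc"), b"ks", nonce)   # one 32-byte keystream block
    ct = bytes(a ^ b for a, b in zip(new_key, stream))
    return nonce + ct + _prf(_prf(kek, b"mac"), b"tag", nonce + ct)


def unwrap_key(kek, blob):
    """Check the tag before decrypting; raise ValueError on any mismatch."""
    if len(blob) != NONCE_LEN + KEY_LEN + TAG_LEN:
        raise ValueError("malformed key blob")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, _prf(_prf(kek, b"mac"), b"tag", nonce + ct)):
        raise ValueError("key blob failed authentication")
    stream = _prf(_prf(kek, b"enc"), b"ks", nonce)
    return bytes(a ^ b for a, b in zip(ct, stream))


class KeyServer:
    """Centralized key server holding one group working key plus its predecessor."""

    def __init__(self):
        self.manufacturer_keys = {}            # device_id -> manufacturer key
        self.previous = None                   # previous working key
        self.current = secrets.token_bytes(KEY_LEN)

    def enroll(self, device_id, manufacturer_key):
        self.manufacturer_keys[device_id] = manufacturer_key

    def rotate(self):                          # periodic generation of a new working key
        self.previous, self.current = self.current, secrets.token_bytes(KEY_LEN)

    def handle_request(self, device_id, nonce, proof):
        """Determine which key the request was made with and wrap under that key."""
        msg = device_id + nonce
        mk = self.manufacturer_keys.get(device_id)
        if mk and hmac.compare_digest(proof, _prf(mk, b"req", msg)):
            return "manufacturer", wrap_key(mk, self.current)
        if self.previous and hmac.compare_digest(proof, _prf(self.previous, b"req", msg)):
            return "previous-working", wrap_key(self.previous, self.current)
        raise PermissionError("request not made with a key the server recognises")


class SecurityEngine:
    """Engine-side key storage: exactly one key at a time, replaced on rollover."""

    def __init__(self, device_id, manufacturer_key):
        self.device_id = device_id
        self.key_kind, self.key = "manufacturer", manufacturer_key

    def key_request(self):
        nonce = secrets.token_bytes(NONCE_LEN)
        return self.device_id, nonce, _prf(self.key, b"req", self.device_id + nonce)

    def install(self, blob):
        new_key = unwrap_key(self.key, blob)            # on failure the old key stays
        self.key_kind, self.key = "working", new_key    # old key is overwritten


def demo():
    """Constructed run: first deployment, a tampered rollover, then a missed rollover."""
    server, mfr = KeyServer(), secrets.token_bytes(KEY_LEN)
    server.enroll(b"hse-0001", mfr)                     # hypothetical device id
    engine = SecurityEngine(b"hse-0001", mfr)
    out = {}
    out["first_path"], blob = server.handle_request(*engine.key_request())
    engine.install(blob)
    out["first_ok"] = engine.key == server.current and engine.key_kind == "working"
    server.rotate()
    out["second_path"], blob = server.handle_request(*engine.key_request())
    try:
        engine.install(blob[:-1] + bytes([blob[-1] ^ 1]))   # one flipped bit in transit
        out["tamper_rejected"] = False
    except ValueError:
        out["tamper_rejected"] = engine.key == server.previous  # old key still in place
    engine.install(blob)
    out["second_ok"] = engine.key == server.current
    server.rotate()
    server.rotate()                                     # engine was offline for one epoch
    try:
        server.handle_request(*engine.key_request())
        out["stale_rejected"] = False
    except PermissionError:
        out["stale_rejected"] = True
    return out


if __name__ == "__main__":
    print(demo())
```

Because each working key is delivered under its predecessor, an engine that misses a rollover in this model holds a key the server no longer wraps under and has already erased its manufacturer key, so a deployment needs a re-provisioning path for such engines.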
[0066] In an exemplary implementation of the present disclosure, the secure communication is provided for voice, video, and data services over mobile network for client and server using plug and play hardware security engine that can be connected and removed with ease.
[0067] Figure 1 illustrates a block diagram depicting an overall architecture of a system, according to an embodiment of the present disclosure. Figure 1 indicates a network implementation of a system for securing all types of communication using a plug and play device containing the hardware security engine without changing the already deployed network infrastructure. Multiple users (111-1, 111-2…111-N) (collectively referred to as users/clients/hosts 111 and individually referred to as the user/client/host 111 hereinafter) can communicate with the system through one or more user devices (103-1, 103-2…103-N) (collectively referred to as user devices/host devices 103 hereinafter) that can be communicatively coupled to the end servers (104, 105, 106, 107) through a cellular network (104). The user devices (103) can include a variety of computing systems, such as but not limited to, a laptop computer, a desktop computer, a notebook, a workstation, a portable computer, a personal digital assistant, a handheld device and a mobile device. The user devices connect to the network (104) using a cellular network connection like LTE, CDMA, GSM, and the like. Further, the network (104) can be a wireless network, a wired network or a combination thereof. The network (104) can be implemented as one of the different types of networks, such as intranet, local area network (LAN), wide area network (WAN), the internet, Wi-Fi, LTE network, CDMA network, and the like. Further, the network (104) can either be a dedicated network or a shared network. The shared network represents an association of the different types of networks that use a variety of protocols, for example, Hypertext Transfer Protocol (HTTP), Transmission Control Protocol/Internet Protocol (TCP/IP), wireless protocols and the like, to communicate with one another. Further, the network (104) can include a variety of network devices, including routers, bridges, servers, computing devices, storage devices, and the like.
[0068] In an embodiment, a Hardware Security Engine (101-1, 101-2, …, 101-N) is configured as a SIM based device and connected to the user devices over Ethernet or Ethernet over USB connection and to the network over the Modem and SIM interface. In another embodiment, the Hardware Security Engine (101-11, 101-12, …, 101-1N) is configured as a Non-SIM based device and connected to the server systems over Ethernet or Ethernet over USB connection and to the network over Ethernet. In another aspect, the hardware security engine may connect to the network (104) using a Mobile Switching Center (108) of an already deployed cellular network like LTE, CDMA, GSM, and the like. The network (104) can be a secure network or an insecure network connecting the user devices to backend servers. The Hardware Security Engines (101) are placed to provide secure communication between user devices and between user devices and backend server. A minimum of two hardware security engines is needed in the network to enable communication between two user devices or between one user device and one server. In an aspect, a centralized Key Server (105) is present to distribute the working keys to all the Hardware Security Engines deployed in the network. All the hardware security engines form a closed group and use a packet format that can be understood only by hardware security engines. Any packet that does not follow the hardware security engines' packet format will be dropped. This prevents Denial of Service (DoS) and Distributed Denial of Service (DDoS) type of attacks on the hardware security engines.
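One way the closed-group drop rule of paragraph [0068] can be realised, as an added example that is not part of the original disclosure. The frame layout (the `HSE1` marker, a key epoch, a length field and an HMAC-SHA256 tag under the group working key) is hypothetical, since the disclosure does not define the packet format; all sample frames are constructed.

```python
import hashlib
import hmac
import struct
from collections import Counter

MAGIC = b"HSE1"                    # hypothetical group marker
HEADER = struct.Struct("!4sIH")    # magic, key epoch, ciphertext length (10 bytes)
TAG_LEN = 32                       # HMAC-SHA256 tag over header + ciphertext


def build_frame(working_key, epoch, ciphertext):
    """Frame an already encrypted payload for transmission between engines."""
    header = HEADER.pack(MAGIC, epoch, len(ciphertext))
    tag = hmac.new(working_key, header + ciphertext, hashlib.sha256).digest()
    return header + ciphertext + tag


def classify_frame(working_key, epoch, frame):
    """Return ("accept", ciphertext) or ("drop:<reason>", None).

    Cheap structural checks run before the MAC so that junk traffic costs
    little; nothing reaches the decryption path unless the tag verifies.
    """
    if len(frame) < HEADER.size + TAG_LEN:
        return "drop:short", None
    magic, frame_epoch, length = HEADER.unpack_from(frame)
    if magic != MAGIC:
        return "drop:magic", None
    if len(frame) != HEADER.size + length + TAG_LEN:
        return "drop:length", None
    if frame_epoch != epoch:
        return "drop:epoch", None
    body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(working_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return "drop:tag", None
    return "accept", body[HEADER.size:]


def filter_frames(working_key, epoch, frames):
    """Run the drop rule over a batch; return accepted payloads and verdict counts."""
    accepted, verdicts = [], Counter()
    for frame in frames:
        verdict, payload = classify_frame(working_key, epoch, frame)
        verdicts[verdict] += 1
        if payload is not None:
            accepted.append(payload)
    return accepted, dict(verdicts)


def sample_frames():
    """Constructed inputs: one group frame and five that must be dropped."""
    group_key = bytes(range(32))       # constructed working key for epoch 7
    outsider_key = bytes(32)           # a key that is not the group's
    payload = b"\x01" * 24             # stands in for encrypted host data
    good = build_frame(group_key, 7, payload)
    frames = [
        good,
        b"GET / HTTP/1.1\r\n\r\n",                  # ordinary traffic, too short
        b"\x00" * 64,                               # long enough, wrong marker
        good[:-5],                                  # truncated in transit
        build_frame(outsider_key, 7, payload),      # right shape, wrong key
        build_frame(group_key, 6, payload),         # framed under a retired epoch
    ]
    return group_key, 7, frames


if __name__ == "__main__":
    print(filter_frames(*sample_frames()))
```

The per-reason counts are the useful operational output: a rising `drop:tag` or `drop:epoch` count points at key distribution problems, while `drop:short` and `drop:magic` are background traffic.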
[0069] Figure 2 illustrates a block diagram depicting a system of a pluggable hardware security engine, according to an embodiment of the present disclosure.
[0070] Figure 2 illustrates an exemplary module diagram for the system of the platform independent pluggable hardware security engine for secure communication, in accordance with embodiments of the present disclosure. In an embodiment, the system (200) comprises one or more microcontrollers (202) operable to execute one or more subroutines configured in a non-transitory Internal Storage (206). In another embodiment, the system (200) further comprises memory (205), battery (207), Key storage (203), Host side Ethernet (204), Media Side Ethernet (208), Modem (209), SIM Interface (210) and Antenna (211). In another embodiment, the system (200) can include a boot loader; an operating system; and a file system. Host side Ethernet (204) is connected to the host / user device / server. Media side Ethernet (208) connects to the network.
[0071] Figure 3 illustrates a block diagram depicting functional modules of the pluggable hardware security engine, according to an embodiment of the present disclosure.
[0072] Figure 3 illustrates exemplary functional modules of the pluggable hardware security engine in accordance with an exemplary embodiment of the present disclosure. In an embodiment, the pluggable hardware security engine (301) can include host communication module (302), media communication module (303), flow control module (304), security module (305), Key management module (306), security configuration module (307), SIM and Modem Configuration Module (308). The Host Communication module (302) receives data from the user device / server and sends it to the Security module (305) for processing. The Media communication module receives the processed data from the security module and sends it to the network. The Media Communication module (303), after receiving data from the network, sends it to the Security module (305) for processing. The host communication module, after receiving the processed data from the security module, sends it to the user device / server. The Flow control module (304) manages the flow of data between the Host communication module (302) and the Media Communication module (303). The flow control module (304) maintains a buffer to handle overflow and underflow of data between the host and media communication modules. When the Security module (305) receives data from the host communication module, it encrypts the data and sends it to the media communication module. When the Security module receives data from the media communication module, it decrypts the data and sends it to the host communication module. The Key Management module (306) receives the key from the Centralized Key Server, stores the key in the key storage, reads the key from the key storage and sends the key to the security module (305) for usage. The Security configuration module (307) configures the security module settings such as type of algorithm, key size, etc. The SIM and Modem Configuration module (308) configures the pluggable hardware security engine to work as a SIM based device or a Non-SIM based device. The SIM and Modem Configuration module (308) also configures the SIM interface with the SIM inserted and registers the SIM with the service provider.
[0073] Figure 4A illustrates a flow diagram depicting configuring the pluggable hardware security engine as a SIM based device with a modem and SIM interface enabled, according to an embodiment of the present disclosure.
[0074] Figure 4A illustrates an exemplary flow diagram for configuring the pluggable hardware security engine as a SIM based device with modem and SIM interface enabled. In an embodiment, the method can include a step of inserting the pluggable hardware security engine into the user device / host device / server (401). The proposed method then configures the hardware security engine using the security configuration (402) stored in the internal storage. The security configuration is set to SIM based device configuration. The Security Configuration also contains the configuration for the Crypto engine, such as the algorithm to use, key size, etc. The SIM and Modem interfaces are configured (403). The host device's SIM and modem are disabled (404). The SIM and Modem of the Pluggable hardware security engine are enabled (405) with the configurations. The Media side Ethernet Interface is disabled (406). Disabling the Media side Ethernet ensures that all the data flows through the Modem and SIM interface only and not via the Media Side Ethernet Interface. The security settings are enabled in the hardware security engine (407). This will enable the Security module, Key management module, flow control module (304), host communication module (302) and media communication module (303).
[0075] Figure 4B illustrates a flow diagram depicting configuring the pluggable hardware security engine as a Non-SIM based device with a modem and SIM interface disabled, according to an embodiment of the present disclosure.
[0076] Figure 4B illustrates an exemplary flow diagram for configuring the pluggable hardware security engine as a Non-SIM based device with modem and SIM interface disabled. In an embodiment, the method can include a step of inserting the pluggable hardware security engine into the user device / host device / server (411). The method then configures the hardware security engine using the security configuration (412) stored in the internal storage. The security configuration is set to Non-SIM based device configuration. The Security Configuration also contains the configuration for the Crypto engine, such as the algorithm to use, key size, etc. The SIM and Modem interfaces are configured (413). The host device's SIM and modem are disabled (414). The SIM and Modem of the Pluggable hardware security engine are disabled (415) with the configurations. The Media side Ethernet Interface is enabled (416). Enabling the Media side Ethernet ensures that all the data flows through the Media Side Ethernet Interface only and not via the Modem and SIM interface. The security settings are enabled in the hardware security engine (417). This will enable the Security module, Key management module, flow control module (304), host communication module (302) and media communication module (303).
[0077] Figure 5A illustrates a flow diagram depicting receiving and configuring the working keys for the first time after deployment for a pluggable hardware security engine, according to an embodiment of the present disclosure.
[0078] Figure 5A illustrates an exemplary flow diagram for receiving and configuring the working keys for the first time after deployment, for a pluggable hardware security engine configured as either a SIM based or a Non-SIM based device. In an aspect, the method can include a step of connecting to the centralized key server (501). The key requests are protected using Transport Layer Security (TLS). TLS prevents unauthorized access to the centralized key server. The key request is sent to the centralized key server using a manufacturer key (502). An encrypted working key is received by the device from the centralized key server (503). The working key is decrypted using the manufacturer key (504). The manufacturer key is removed from the key storage (505). The decrypted working key is stored in the key storage (506). The working key is configured in the security module (507). The security module may subsequently use the set working key for encryption and decryption.
[0079] Figure 5B illustrates a flow diagram depicting receiving and configuring the working keys during runtime for a pluggable hardware security engine, according to an embodiment of the present disclosure.
[0080] Figure 5B illustrates an exemplary flow diagram for receiving and configuring the working keys during runtime, for a pluggable hardware security engine configured as either a SIM based or a Non-SIM based device. In an aspect, the proposed method can include a step of connecting to a centralized key server (511). A key request is sent to the centralized key server using the current working key. The key requests are protected using Transport Layer Security (TLS) (512). An encrypted new working key is received by the device from the centralized key server (513). The received encrypted working key is decrypted using the current working key (514). The current working key is removed from the key storage (515). The decrypted received working key is stored in the key storage (516). The working key is configured in the security module (517). The security module may subsequently use the set working key for encryption and decryption.
[0081] Figure 5C illustrates a flow diagram depicting receiving a key request and sending the working keys by a centralized key server, according to an embodiment of the present disclosure.
[0082] Figure 5C illustrates an exemplary flow diagram for receiving key requests and sending the working keys by a centralized key server. The centralized key server receives the key request from all the key devices (521). The key requests are protected using Transport Layer Security (TLS). The centralized key server processes the request and determines whether the key request is using the manufacturer key or the previous working key (522). If the key request received is with the manufacturer key, then the new working key that has to be sent is encrypted with the manufacturer key (523). The working key encrypted using the manufacturer key is sent to the requester (524). If the key request received is with the previous working key, then the new working key that has to be sent is encrypted with the previous working key (525). The working key encrypted using the previous working key is sent to the requester (526).
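The exchange of Figures 5A to 5C can be modelled end to end. The following is an added illustration, not code from the disclosure: the request fields, the class and function names, and the HMAC-SHA256 encrypt-then-MAC wrap (a standard-library stand-in for whatever algorithm the security configuration selects) are all assumptions, and the TLS transport is omitted. It also shows why the device should authenticate the wrapped key before step 505/515, so that a corrupted response never leaves the key storage empty.

```python
import hashlib
import hmac
import secrets

MANUFACTURER, WORKING = "manufacturer", "working"


def _prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def _pad(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (length + 31) // 32
    return b"".join(_prf(key, nonce + i.to_bytes(4, "big")) for i in range(blocks))[:length]


def wrap(kek: bytes, secret: bytes) -> bytes:
    # Stand-in authenticated key wrap: nonce || ciphertext || tag (assumption).
    nonce = secrets.token_bytes(16)
    pad = _pad(_prf(kek, b"enc"), nonce, len(secret))
    body = nonce + bytes(a ^ b for a, b in zip(secret, pad))
    return body + _prf(_prf(kek, b"mac"), body)


def unwrap(kek: bytes, blob: bytes) -> bytes:
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(_prf(kek, b"mac"), body)):
        raise ValueError("wrapped key failed authentication")
    nonce, ct = body[:16], body[16:]
    return bytes(a ^ b for a, b in zip(ct, _pad(_prf(kek, b"enc"), nonce, len(ct))))


def request_mac(key: bytes, req: dict) -> bytes:
    fields = (req["device_id"].encode(), req["key_type"].encode(), req["nonce"])
    return _prf(_prf(key, b"req"), b"|".join(fields))


class KeyServer:
    """Centralized key server side of the exchange (Figure 5C)."""

    def __init__(self):
        self.devices = {}  # device_id -> {MANUFACTURER: key, WORKING: key or None}

    def register(self, device_id: str, manufacturer_key: bytes) -> None:
        self.devices[device_id] = {MANUFACTURER: manufacturer_key, WORKING: None}

    def handle(self, req: dict) -> bytes:
        record = self.devices[req["device_id"]]               # 521: receive request
        kind = req["key_type"]                                # 522: which key was used?
        if kind not in (MANUFACTURER, WORKING) or record[kind] is None:
            raise ValueError("no such key on record for this device")
        key = record[kind]
        if not hmac.compare_digest(req["mac"], request_mac(key, req)):
            raise ValueError("key request not authenticated")
        new_key = secrets.token_bytes(32)
        record[WORKING] = new_key
        return wrap(key, new_key)                             # 523/525, sent in 524/526


class SecurityEngine:
    """Device side: first provisioning (Figure 5A) and rotation (Figure 5B)."""

    def __init__(self, device_id: str, manufacturer_key: bytes):
        self.device_id = device_id
        self.key_storage = {MANUFACTURER: manufacturer_key}
        self.security_module_key = None

    def _current(self):
        kind = WORKING if WORKING in self.key_storage else MANUFACTURER
        return kind, self.key_storage[kind]

    def key_request(self) -> dict:                            # 502 / 512
        kind, key = self._current()
        req = {"device_id": self.device_id, "key_type": kind,
               "nonce": secrets.token_bytes(16)}
        req["mac"] = request_mac(key, req)
        return req

    def install(self, wrapped: bytes) -> None:
        kind, key = self._current()
        new_key = unwrap(key, wrapped)       # 504/514: raises before anything is removed
        del self.key_storage[kind]           # 505/515: remove the key just used
        self.key_storage[WORKING] = new_key  # 506/516: store the new working key
        self.security_module_key = new_key   # 507/517: configure the security module


def demo() -> dict:
    server, mk = KeyServer(), secrets.token_bytes(32)  # constructed manufacturer key
    server.register("hse-0001", mk)                    # constructed device id
    dev = SecurityEngine("hse-0001", mk)
    dev.install(server.handle(dev.key_request()))      # Figure 5A
    first = dev.security_module_key
    dev.install(server.handle(dev.key_request()))      # Figure 5B
    return {"manufacturer_key_removed": MANUFACTURER not in dev.key_storage,
            "rotated": first != dev.security_module_key}


if __name__ == "__main__":
    print(demo())
```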
[0083] Figure 6A illustrates a flow diagram depicting encrypting the host data while configured as a SIM based device for a pluggable hardware security engine, according to an embodiment of the present disclosure.
[0084] Figure 6A illustrates an exemplary flow diagram for encrypting the host data while configured as SIM based device for pluggable hardware security engine. All the data that the user device is sending to another user device or server is sent to a host side Ethernet (607) of the pluggable hardware security engine. The host side Ethernet (607) may handle the data in a host communication module (602). The host communication module (602) may forward the data to a flow control module (609). The flow control module (609) may send the data for encryption to a security module (603). The security module (603) may encrypt the data based on a working key (605) received from a key management module (306) and a security configuration set by a security configuration module (606). After the data is encrypted, it is sent back to the flow control module (609) from the security module (603). The flow control module (609) may forward the data to a media communication module (604). The media communication module (604) is interfaced with a modem (608) to send the data to the network. The flow control module (609) also handles the buffer management between the host communication module (602) and the media communication module (604). If the host side Ethernet (607) is receiving data faster than the processing capacity of the security module (603), then the flow control module (609) may buffer the data till the security module (603) can process new data. Also, if the host side Ethernet (607) is receiving data faster than the sending capacity of the media communication module (604), then the flow control module (609) may buffer the data till the media communication module (604) can send the next data.
[0085] Figure 6B illustrates a flow diagram depicting decrypting the received data for a host while configured as a SIM based device for a pluggable hardware security engine, according to an embodiment of the present disclosure.
[0086] Figure 6B illustrates an exemplary flow diagram for decrypting the received data for host while configured as SIM based device for pluggable hardware security engine. All the data that the hardware security engine receives for the user device from another user device or server is received at a modem (628). The modem (628) may handle the data in a media communication module (624). The media communication module (624) may forward the data to the flow control module (629). The flow control module (629) may send the data for decryption to the security module (623). The security module (623) may decrypt the data based on a working key (625) received from a key management module (306) and the security configuration set by a security configuration module (626). After the data is decrypted, it is sent back to the flow control module (629) from the security module (623). The flow control module (629) may forward the data to the host communication module (622). The host communication module (622) is interfaced with the host side Ethernet (627) to send the data to the user device / server. The flow control module (629) also handles the buffer management between the media communication module (624) and the host communication module (622). If the modem (628) is receiving data faster than the processing capacity of the security module (623), then the flow control module (629) may buffer the data till the security module (623) can process new data. Also, if the modem (628) is receiving data faster than the sending capacity of the host communication module (622), then the flow control module (629) may buffer the data till the host communication module (622) can send the next data.
[0087] Figure 7A illustrates a flow diagram depicting encrypting the host data while configured as a Non-SIM based device for pluggable hardware security engine, according to an embodiment of the present disclosure.
[0088] Figure 7A illustrates an exemplary flow diagram for encrypting the host data while configured as Non-SIM based device for pluggable hardware security engine. All the data that the user device is sending to another user device or server is sent to the host side Ethernet (707) of the pluggable hardware security engine. The host side Ethernet (707) may handle the data in the host communication module (702). The host communication module (702) may forward the data to a flow control module (709). The flow control module (709) may send the data for encryption to a security module (703). The security module (703) may encrypt the data based on a working key (705) received from a key management module (306) and the security configuration set by a security configuration module (706). After the data is encrypted, it is sent back to the flow control module (709) from the security module (703). The flow control module (709) may forward the data to a media communication module (704). The media communication module (704) is interfaced with a media side Ethernet (708) to send the data to the network. The flow control module (709) also handles the buffer management between the host communication module (702) and the media communication module (704). If the host side Ethernet (707) is receiving data faster than the processing capacity of the security module (703), then the flow control module (709) may buffer the data till the security module (703) can process new data. Also, if the host side Ethernet (707) is receiving data faster than the sending capacity of the media communication module (704), then the flow control module (709) may buffer the data till the media communication module (704) can send the next data via the media side Ethernet (708).
[0089] Figure 7B illustrates a flow diagram depicting decrypting the received data for host while configured as a non-SIM based device for a pluggable hardware security engine, according to an embodiment of the present disclosure.
[0090] Figure 7B illustrates an exemplary flow diagram for decrypting the received data for host while configured as non-SIM based device for pluggable hardware security engine. All the data that the hardware security engine receives for the user device from another user device or server is received at a media side Ethernet (728). The media side Ethernet (728) may handle the data in a media communication module (724). The media communication module (724) may forward the data to a flow control module (729). The flow control module (729) may send the data for decryption to a security module (723). The security module (723) may decrypt the data based on a working key (725) received from a key management module and the security configuration set by a security configuration module (726). After the data is decrypted, it is sent back to the flow control module (729) from the security module (723). The flow control module (729) may forward the data to a host communication module (722). The host communication module (722) is interfaced with a host side Ethernet (727) to send the data to the user device / server. The flow control module (729) also handles the buffer management between the media communication module (724) and the host communication module (722). If the media side Ethernet (728) is receiving data faster than the processing capacity of the security module (723), then the flow control module (729) may buffer the data till the security module (723) can process new data. Also, if the media side Ethernet (728) is receiving data faster than the sending capacity of the host communication module (722), then the flow control module (729) may buffer the data till the host communication module (722) can send the next data.
[0091] The foregoing description of the invention has been set forth merely to illustrate the invention and is not intended to be limiting. Since modifications of the disclosed embodiments incorporating the spirit and substance of the invention may occur to a person skilled in the art, the invention should be construed to include everything within the scope of the invention.
CLAIMS:
1. A method for providing a platform independent plug-and-play device for secure communication over a cellular network, said method comprising:
providing, by one of a plurality of pluggable hardware security engine, data and communication security between the plurality of hardware security engines connected over the cellular network, and
initializing and configuring, by a centralized key server, one or more keys for the hardware security engines in the cellular network.
2. The method as claimed in claim 1, wherein the pluggable hardware security engine is configured as a SIM based device, said pluggable hardware security engine configured as the SIM based device comprising:
inserting the pluggable hardware security engine one of a user devices;
configuring, by a security configuration module (307), the hardware security engine to the SIM based device configuration;
configuring, by a SIM and modem configuration module (308), the SIM interface and a modem interface of the pluggable hardware security engine;
disabling, by a host communication module (302), the SIM interface and the modem interface of the user devices;
enabling, by the SIM and modem configuration module (308), the SIM interface and the modem interface of the pluggable hardware security engine;
disabling, by a media communication module (303), a media side ethernet interface to ensure that all the data flows through the SIM interface and modem interface of the pluggable hardware security engine, and
enabling, by a security module (305), the security settings of the hardware security engine.
3. The method as claimed in claim 1, wherein the pluggable hardware security engine is configured as a non-SIM based device, said pluggable hardware security engine configured as the non-SIM based device comprising:
inserting the pluggable hardware security engine one of a user devices;
configuring, by the security configuration module (307), the hardware security engine to the non-SIM based device configuration;
configuring, by the SIM and modem configuration module (308), the SIM interface and a modem interface of the pluggable hardware security engine;
disabling, by the host communication module (302), the SIM interface and the modem interface of the user devices;
disabling, by the SIM and modem configuration module (308), the SIM interface and the modem interface of the pluggable hardware security engine;
enabling, by the media communication module (303), a media side ethernet interface to ensure that all the data flows through the media side ethernet interface of the pluggable hardware security engine, and
enabling, by the security module (305), the security settings of the hardware security engine.
4. The method as claimed in claims 1-3, said method comprising:
receiving and configuring, by the centralized key server, the one or more keys upon deployment for pluggable hardware security engine during SIM based and non-SIM based configured device, said receiving and configuring of the one or more keys comprises:
connecting to the centralized key server;
sending, by a manufacturer key, the key request to the centralized key server;
receiving, by the user device, the encrypted key from the centralized key server;
decrypting, by the manufacturer key, the received encrypted key;
removing the manufacturer key from a key storage;
storing the decrypted key in the key storage, and
configuring the key in the security module for encryption and decryption.
5. The method as claimed in claims 1-3, said method comprising:
receiving and configuring, by the centralized key server, the one or more keys during runtime for a pluggable hardware security engine during SIM based and Non-SIM based configured device, said receiving and configuring of the one or more keys comprises:
connecting to the centralized key server;
sending, by a current working key, the key request to the centralized key server;
receiving, by the user device, the encrypted key from the centralized key server;
decrypting, by the current working key, the received encrypted key;
removing the current working key from the key storage;
storing the decrypted key in the key storage, and
configuring the key in the security module for encryption and decryption.
6. The method as claimed in claims 1-3, said method comprising:
receiving and sending, by the centralized key server, the one or more keys, said receiving and sending of the one or more keys comprises:
receiving, by the centralized key server, the key request from a plurality of key devices;
processing, by the centralized key server, the key request;
determining, by the centralized key server, if the key request is using the manufacturer key or the previous working key;
encrypting, by the centralized key server, the new working key with the manufacturer key if the key request received is with manufacturer key, wherein the encrypted working key is sent to the requester, and
encrypting, by the centralized key server, the new working key with the previous working key if the key request received is with previous working key, wherein the encrypted working key is sent to the requester.
7. The method as claimed in claim 1-3, said method comprises:
managing, by a flow control module, the flow of data between the user side ethernet interface and modem and SIM interface when configured as SIM based device and to manage the flow of data between the user side ethernet interface and media side ethernet interface when configured as non-SIM based device.
8. The method as claimed in claim 1, said method comprises:
registering the pluggable hardware security engine with the centralized key server upon deployment in the network.
9. A system for providing a platform independent plug-and-play device for secure communication over a cellular network, said system comprising:
one of a plurality of pluggable hardware security engine configured to provide data and communication security between the plurality of hardware security engines connected over the cellular network, and
a centralized key server configured to initialize and configure one or more keys for the hardware security engines in the cellular network.
10. The system as claimed in claim 9, wherein the pluggable hardware security engine is configured as a SIM based device upon inserting the pluggable hardware security engine in one of a user devices by a user, wherein the SIM based device comprises;
a security configuration module (307) configured to configure the pluggable hardware security engine to the SIM based device configuration;
a SIM and modem configuration module (308) configured to configure the SIM interface and a modem interface of the pluggable hardware security engine, wherein the SIM and modem configuration module (308) is further configured to enable the SIM interface and the modem interface of the pluggable hardware security engine;
a host communication module (302) configured to disable the SIM interface and the modem interface of the user devices;
a media communication module (303) configured to disable a media side ethernet interface to ensure that all the data flows through the SIM interface and modem interface of the pluggable hardware security engine, and
a security module (305) configured to disable the security settings of the hardware security engine.
11. The system as claimed in claim 9, wherein the pluggable hardware security engine is configured as a non-SIM based device upon inserting the pluggable hardware security engine in one of a user devices by a user, wherein the non-SIM based device comprises:
the security configuration module (307) configured to configure the hardware security engine to the non-SIM based device configuration;
the SIM and modem configuration module (308) configured to configure the SIM interface and a modem interface of the pluggable hardware security engine, wherein the SIM and modem configuration module (308) is further configured to enable the SIM interface and the modem interface of the pluggable hardware security engine;
the host communication module (302) configured to disable the SIM interface and the modem interface of the user devices;
the media communication module (303) configured to enable a media side ethernet interface to ensure that all the data flows through the media side ethernet interface of the pluggable hardware security engine, and
the security module (305) configured to enable the security settings of the hardware security engine.
12. The system as claimed in claims 9-11, wherein the centralized key server is configured to receive and send the one or more keys, said centralized key server is further configured to:
receive the key request from a plurality of key devices;
process the key request;
determine if the key request is using the manufacturer key or the previous working key;
encrypt the new working key with the manufacturer key if the key request received is with manufacturer key, wherein the encrypted working key is sent to the requester, and
encrypt the new working key with the previous working key if the key request received is with previous working key, wherein the encrypted working key is sent to the requester.
13. The system as claimed in claim 9-11, wherein the pluggable hardware security engine comprises:
a flow control module (304) configured to manage the flow of data between the user side ethernet interface and modem and SIM interface when configured as SIM based device and to manage the flow of data between the user side ethernet interface and media side ethernet interface when configured as non-SIM based device.
14. The system as claimed in claim 9, wherein the pluggable hardware security engine is configured to register itself with the centralized key server upon deployment in the network.
| # | Name | Date |
|---|---|---|
| 1 | 202041013537-PROVISIONAL SPECIFICATION [27-03-2020(online)].pdf | 2020-03-27 |
| 1 | 202041013537-Response to office action [01-11-2024(online)].pdf | 2024-11-01 |
| 2 | 202041013537-FORM 1 [27-03-2020(online)].pdf | 2020-03-27 |
| 2 | 202041013537-PROOF OF ALTERATION [04-10-2024(online)].pdf | 2024-10-04 |
| 3 | 202041013537-IntimationOfGrant07-02-2024.pdf | 2024-02-07 |
| 3 | 202041013537-DRAWINGS [27-03-2020(online)].pdf | 2020-03-27 |
| 4 | 202041013537-PatentCertificate07-02-2024.pdf | 2024-02-07 |
| 4 | 202041013537-FORM-26 [21-06-2020(online)].pdf | 2020-06-21 |
| 5 | 202041013537-FORM-26 [25-06-2020(online)].pdf | 2020-06-25 |
| 5 | 202041013537-ABSTRACT [03-04-2023(online)].pdf | 2023-04-03 |
| 6 | 202041013537-FORM 3 [29-06-2020(online)].pdf | 2020-06-29 |
| 6 | 202041013537-CLAIMS [03-04-2023(online)].pdf | 2023-04-03 |
| 7 | 202041013537-ENDORSEMENT BY INVENTORS [29-06-2020(online)].pdf | 2020-06-29 |
| 7 | 202041013537-COMPLETE SPECIFICATION [03-04-2023(online)].pdf | 2023-04-03 |
| 8 | 202041013537-FER_SER_REPLY [03-04-2023(online)].pdf | 2023-04-03 |
| 8 | 202041013537-DRAWING [29-06-2020(online)].pdf | 2020-06-29 |
| 9 | 202041013537-CORRESPONDENCE-OTHERS [29-06-2020(online)].pdf | 2020-06-29 |
| 9 | 202041013537-OTHERS [03-04-2023(online)].pdf | 2023-04-03 |
| 10 | 202041013537-COMPLETE SPECIFICATION [29-06-2020(online)].pdf | 2020-06-29 |
| 10 | 202041013537-FER.pdf | 2022-10-03 |
| 11 | 202041013537-FORM 18 [28-06-2022(online)].pdf | 2022-06-28 |
| 11 | 202041013537-Proof of Right [21-09-2020(online)].pdf | 2020-09-21 |
| 12 | 202041013537-Correspondence_05-10-2020.pdf | 2020-10-05 |
| 12 | 202041013537-Form1_Proof of Right_05-10-2020.pdf | 2020-10-05 |
| 1 | 202041013537E_30-09-2022.pdf |