Abstract: A programmable electronic device (10) stores a number of cipher-text software modules (14) to which access is granted after evaluating a user's token (55, 80, 82), a software-restriction class (58) for a requested software module (14), and/or a currently active access-control model (60). Access-control models (60) span a range from uncontrolled to highly restrictive. Models (60) become automatically activated and deactivated as users are added to and deleted from the device (10). A virtual internal user proxy that does not require users to provide tokens (80, 82) is used to enable access to modules (16) classified in a global software-restriction class (62) or when an uncontrolled-access-control model (68) is active. Both licensed modules (76) and unlicensed modules (18,78) may be loaded in the device (10). However, no keys are provided to enable decryption of unlicensed modules (18,78).

Abstract: A communication network (22) includes a central node (30) loaded with a trusted key (26) and key material (56) corresponding to an asymmetric key agreement protocol (48). The network (22) further includes vulnerable nodes (32) loaded with key material (69) corresponding to the protocol (48). Successive secure connections (68, 70) are established between the central node (30) and the vulnerable nodes (32) using the key material (56, 69) to generate a distinct session key (52) for each of the secure connections (68, 70). The trusted key (26) and one of the session keys (52) are utilized to produce a mission key (39). The mission key (39) is transferred from the central node (30) to each of the vulnerable nodes (32) via each of the secure connections (68, 70) using the corresponding current session key (52). The mission key (39) functions for secure communication within the communication network (22).

Abstract: A programmable electronic device (10) stores a number of cipher-text software modules (14) to which access is granted after evaluating a user's token (55, 80, 82), a software-restriction class (58) for a requested software module (14), and/or a currently active access-control model (60). Access-control models (60) span a range from uncontrolled to highly restrictive. Models (60) become automatically activated and deactivated as users are added to and deleted from the device (10). A virtual internal user proxy that does not require users to provide tokens (80, 82) is used to enable access to modules (16) classified in a global software-restriction class (62) or when an uncontrolled-access-control model (68) is active. Both licensed modules (76) and unlicensed modules (18,78) may be loaded in the device (10). However, no keys are provided to enable decryption of unlicensed modules (18,78).

Abstract: Key escrow is achieved without a key escrow facility. An escrow key pair is generated and stored in the terminal. A key escrow field that includes a traffic key encrypted with the escrow key is provided before encrypted traffic is communicated. When access to the traffic key is authorized, the escrow key is extracted from the terminal and used to decrypt the traffic key. The private portion of the escrow key is covered in the terminal with an escrow key access number. The escrow key access number is preferably generated by the terminal manufacturer with a secret algorithm using the terminal serial number. Alternatively, the escrow key is stored within a user token, rather than the terminal.

Abstract: An interface between a digital communication system and a PSTN establishes a user configurable secure encrypted link to a digital subscriber unit through the digital communication system, and provides clear (unencrypted) voice to telephone sets through the PSTN. The interface includes a security module for encrypting and decrypting information with user specific algorithms and keys, a transcoder for converting modulated voice to digital voice and a modem for modulating and demodulating data and encrypted voice. Accordingly, the wireline interface allows for user specified security over a digital wireless portion of an end-to-end communication channel. The interface also provides for the communication of unencrypted voice followed by secure voice or secure data.

Abstract: A processor (22) of an encryption system (20) receives plain text (24) and operates an encryption algorithm to convert the plain text (24) to cipher text (26). A state monitor (30) confirms a conversion sequence within each of a plurality of conversion cycles performed by the encryption algorithm. The state monitor (30) produces a first enablement signal (38) when the conversion sequence is confirmed. An encryption activity monitor (34) determines a number of blocks of cipher text (24) that are not encrypted. The encryption activity monitor (34) produces a second enablement signal (42) when the number of unencrypted blocks of cipher text (26) is less than a predetermined failure threshold (86). A monitor gate (36) enables output of the cipher text (26) in response to the first and second enablement signals (38, 42).

Abstract: A secure terminal includes a host (105) and slaves (125) which send and receive messages via a peripheral component interconnect (PCI) bus (130). The host allows slaves to receive messages from the host and send messages to the host. The host prevents slave-to-slave communication of messages. The host and each slave include interface logic (120) coupled to the PCI bus and a memory (200) for coupling a processor (110) to the interface logic (120). Each dual-port RAM (200) includes a first memory portion for receiving messages from a sender and a second memory portion for storing messages to be transmitted to a receiver.

Abstract: Controllable functions (210, 220, 230) and controllable connection managers (212, 222, 216, 226) are used to provide a fail-safe security system implemented on a single processor (200). Red subsystems, black subsystems and clear bypass subsystems ensure separation between red data and black data. Connection managers (212, 222, 216, 226) are used to isolate and control red data ports (214), black data ports (224), red crypto ports (218), and black crypto ports (228). Subsystems are configured to control data flow, provide data separation, access control and prevent single failures from compromising security system (200). Each subsystem is managed separately, and each subsystem has unique access protection provided by controller (202). Within security system (200), the subsystems are kept separate. Functional separation of the red data memory and black data memory is maintained to provide fail-safe data isolation.