Abstract: A programmable electronic device (10) stores a number of cipher-text software modules (14) to which access is granted after evaluating a user's token (55, 80, 82), a software-restriction class (58) for a requested software module (14), and/or a currently active access-control model (60). Access-control models (60) span a range from uncontrolled to highly restrictive. Models (60) become automatically activated and deactivated as users are added to and deleted from the device (10). A virtual internal user proxy that does not require users to provide tokens (80, 82) is used to enable access to modules (16) classified in a global software-restriction class (62) or when an uncontrolled-access-control model (68) is active. Both licensed modules (76) and unlicensed modules (18,78) may be loaded in the device (10). However, no keys are provided to enable decryption of unlicensed modules (18,78).

Abstract: A communication network (22) includes a central node (30) loaded with a trusted key (26) and key material (56) corresponding to an asymmetric key agreement protocol (48). The network (22) further includes vulnerable nodes (32) loaded with key material (69) corresponding to the protocol (48). Successive secure connections (68, 70) are established between the central node (30) and the vulnerable nodes (32) using the key material (56, 69) to generate a distinct session key (52) for each of the secure connections (68, 70). The trusted key (26) and one of the session keys (52) are utilized to produce a mission key (39). The mission key (39) is transferred from the central node (30) to each of the vulnerable nodes (32) via each of the secure connections (68, 70) using the corresponding current session key (52). The mission key (39) functions for secure communication within the communication network (22).

Abstract: A programmable electronic device (10) stores a number of cipher-text software modules (14) to which access is granted after evaluating a user's token (55, 80, 82), a software-restriction class (58) for a requested software module (14), and/or a currently active access-control model (60). Access-control models (60) span a range from uncontrolled to highly restrictive. Models (60) become automatically activated and deactivated as users are added to and deleted from the device (10). A virtual internal user proxy that does not require users to provide tokens (80, 82) is used to enable access to modules (16) classified in a global software-restriction class (62) or when an uncontrolled-access-control model (68) is active. Both licensed modules (76) and unlicensed modules (18,78) may be loaded in the device (10). However, no keys are provided to enable decryption of unlicensed modules (18,78).

Abstract: Controllable functions (210, 220, 230) and controllable connection managers (212, 222, 216, 226) are used to provide a fail-safe security system implemented on a single processor (200). Red subsystems, black subsystems and clear bypass subsystems ensure separation between red data and black data. Connection managers (212, 222, 216, 226) are used to isolate and control red data ports (214), black data ports (224), red crypto ports (218), and black crypto ports (228). Subsystems are configured to control data flow, provide data separation, access control and prevent single failures from compromising security system (200). Each subsystem is managed separately, and each subsystem has unique access protection provided by controller (202). Within security system (200), the subsystems are kept separate. Functional separation of the red data memory and black data memory is maintained to provide fail-safe data isolation.

Abstract: A device driver (104) is used to provide a fail-safe interface between a plurality of client applications and a cryptographic card. Device driver (104) ensures separation between red data, black data, and command data. Device driver (104) uses objects and object handles to control data flow. Device driver (104) uses several simplex channels to control data flow. Each channel is managed separately using its own object, and each channel has unique access protection through the object handles. Within device driver (104), the simplex channel interfaces are kept separate and functional separation of the data and command memory is maintained to provide fail-safe data isolation.