Abstract: A system for performing encryption and/or decryption may include a parent cryptographic device. The parent cryptographic device may be configured to receive a first cryptographic key. The parent cryptographic device may be configured to determine one or more session keys based on the first cryptographic key and/or internally generated random data bits. The parent cryptographic device may be configured to insert the one or more session keys onto one or more child cryptographic devices that are operably connected to the parent cryptographic device. The one or more child cryptographic devices may be configured to receive the one or more session keys from the parent cryptographic device, and perform one or more of encryption or decryption of communications exchanged with another child cryptographic device of the one or more child cryptographic devices. The one or more child cryptographic devices may perform encryption/decryption after separation from the parent cryptographic device.

Abstract: Methods for configuring and utilizing a configurable data guard (CDG) implemented on a hardware-based programmable logic device are disclosed. The CDG may include integrated circuit portions comprising a plurality of arrays of generic comparison operations and a plurality of arrays of generic action operations. The CDG may receive a data guard configuration. The CDG may perform an authentication and integrity check procedure on the received data guard configuration. The CDG may configure a plurality of guard primitives based on the data guard configuration. Each guard primitive may be configured from at least one generic comparison operation and at least one generic action operation. The guard primitives may be used to enforce the complex data guard rules that correspond to the data guard configuration.

Abstract: Methods for configuring and utilizing a configurable data guard (CDG) implemented on a hardware-based programmable logic device are disclosed. The CDG may include integrated circuit portions comprising a plurality of arrays of generic comparison operations and a plurality of arrays of generic action operations. The CDG may receive a data guard configuration. The CDG may perform an authentication and integrity check procedure on the received data guard configuration. The CDG may configure a plurality of guard primitives based on the data guard configuration. Each guard primitive may be configured from at least one generic comparison operation and at least one generic action operation. The guard primitives may be used to enforce the complex data guard rules that correspond to the data guard configuration.

Abstract: Disclosed herein are methods and systems for configuring and using one or more block ciphering techniques in order to encrypt/decrypt serial data streams while maintaining cryptographic synchronization and attempting to minimize the amount of overhead introduced into the stream. The techniques disclosed herein may be used to encrypt and decrypt serial data streams using a block cipher in a manner that can be substantially transparent to the devices involved in the serial communication session. For example, the serial user data may be left unframed by the encryption device while monitoring for opportunistic times to transmit framed cryptographic synchronization information during periods of relative inactivity in an asynchronous serial data stream. A cryptographic device implementing the techniques described herein may be configured to implement one or more of an encryption device or a decryption device.

Abstract: A system for performing encryption and/or decryption may include a parent cryptographic device. The parent cryptographic device may be configured to receive a first cryptographic key. The parent cryptographic device may be configured to determine one or more session keys based on the first cryptographic key and/or internally generated random data bits. The parent cryptographic device may be configured to insert the one or more session keys onto one or more child cryptographic devices that are operably connected to the parent cryptographic device. The one or more child cryptographic devices may be configured to receive the one or more session keys from the parent cryptographic device, and perform one or more of encryption or decryption of communications exchanged with another child cryptographic device of the one or more child cryptographic devices. The one or more child cryptographic devices may perform encryption/decryption after separation from the parent cryptographic device.

Abstract: A system for performing encryption and/or decryption may include a parent cryptographic device. The parent cryptographic device may be configured to receive a first cryptographic key. The parent cryptographic device may be configured to determine one or more session keys based on the first cryptographic key and/or internally generated random data bits. The parent cryptographic device may be configured to insert the one or more session keys onto one or more child cryptographic devices that are operably connected to the parent cryptographic device. The one or more child cryptographic devices may be configured to receive the one or more session keys from the parent cryptographic device, and perform one or more of encryption or decryption of communications exchanged with another child cryptographic device of the one or more child cryptographic devices. The one or more child cryptographic devices may perform encryption/decryption after separation from the parent cryptographic device.

Abstract: A system for performing encryption and/or decryption may include a parent cryptographic device. The parent cryptographic device may be configured to receive a first cryptographic key. The parent cryptographic device may be configured to determine one or more session keys based on the first cryptographic key and/or internally generated random data bits. The parent cryptographic device may be configured to insert the one or more session keys onto one or more child cryptographic devices that are operably connected to the parent cryptographic device. The one or more child cryptographic devices may be configured to receive the one or more session keys from the parent cryptographic device, and perform one or more of encryption or decryption of communications exchanged with another child cryptographic device of the one or more child cryptographic devices. The one or more child cryptographic devices may perform encryption/decryption after separation from the parent cryptographic device.

Abstract: Disclosed herein are methods and systems for configuring and using one or more block ciphering techniques in order to encrypt/decrypt serial data streams while maintaining cryptographic synchronization and attempting to minimize the amount of overhead introduced into the stream. The techniques disclosed herein may be used to encrypt and decrypt serial data streams using a block cipher in a manner that can be substantially transparent to the devices involved in the serial communication session. For example, the serial user data may be left unframed by the encryption device while monitoring for opportunistic times to transmit framed cryptographic synchronization information during periods of relative inactivity in an asynchronous serial data stream. A cryptographic device implementing the techniques described herein may be configured to implement one or more of an encryption device or a decryption device.

Abstract: Disclosed is a cryptographic device that may automatically configure its traffic interfaces and cryptographic modes when it is inserted into an electrically keyed receptacle in a host system. Such automatic configuration may enable a single cryptographic module to support a range of input/output interfaces, such as SPI, Ethernet, RS-232 Serial, and RS-485 Serial, for example, and also to support a range of cryptographic modes, such as Cipher Block Chaining, Galois Counter Mode, or Long Cycle Mode, for Communications Security (COMSEC) and Transmission Security (TRANSEC) purposes. In addition, such automatic configuration may include parameters that affect power consumption, such as device clock rate or other power management features.

Abstract: Methods and systems for increasing the security or trust associated with an untrusted device are provided. For example, a trusted hardware component may send a request to the untrusted device. The request may indicate one or more challenges to be performed by a secure application executing on the untrusted device. The trusted hardware component may determine an expected response to the one or more challenges. The expected response may be determined at the secure hardware component based on an expected configuration of the untrusted device. The trusted hardware component may receive a response to the request from the untrusted device. The trusted hardware component may determine a security status of the untrusted device based on the expected response and the received response.

Abstract: A device that includes a first processor, a second processor, and an encryption module in communication with the first processor and the second processor may be used to accept conditions for access to the network. The first processor may receive condition data, and in response, may send an acceptance signal via the encryption module to the second processor. The second processor may receive the acceptance signal and, in response, may send acceptance data to a gatekeeper. The encryption module may block unencrypted data other than the acceptance signal from being communicated from the first processor to the second processor. The encryption module may support type 1 encryption.

Abstract: A device having an encryption module in communication with first and second communication ports may facilitate connecting to an access network, without requiring a non-secure hard drive to initiate the network access. The encryption module may define a normal mode and a bypass mode. In normal mode, data from the first port may be sent encrypted to the second port, for communicating securely in an encrypted environment. In bypass mode, data from the first port may be sent unencrypted to the second port. The data being sent may be intercepted and presented to the user for approval in a human readable format. The user may confirm that the data is appropriate for being sent unencrypted. This data may be sent unencrypted in response to a request for information (e.g., an assent to terms and conditions) from the access network, such as at a hotel or public wireless hotspot, for example.

Abstract: A Personal Computer Memory Card International Association (PCMCIA) card may establish, via a non-secure network, a secure communications channel between a computer and a secure network. The non-secure network may define a first address space. The secure network may define a second address space. The PCMCIA card may include a cryptography module, a network adapter, and/or a processor. The cryptography module may provide Type 1 cryptography of data communicated between the computer and the secure network. The network adapter may be in communication with the non-secure network and may be associated with a first network address from the first address space. The processor may be in communication with the secure network via the cryptography module and the network adapter. The processor may identify a second network address for the computer from the second address space and may communicate the second network address to the computer, for example via dynamic host control protocol (DHCP).

Abstract: A device having an encryption module in communication with first and second communication ports may facilitate connecting to an access network, without requiring a non-secure hard drive to initiate the network access. The encryption module may define a normal mode and a bypass mode. In normal mode, data from the first port may be sent encrypted to the second port, for communicating securely in an encrypted environment. In bypass mode, data from the first port may be sent unencrypted to the second port. The data being sent may be intercepted and presented to the user for approval in a human readable format. The user may confirm that the data is appropriate for being sent unencrypted. This data may be sent unencrypted in response to a request for information (e.g., an assent to terms and conditions) from the access network, such as at a hotel or public wireless hotspot, for example.

Abstract: A Personal Computer Memory Card International Association (PCMCIA) card may establish, via a non-secure network, a secure communications channel between a computer and a secure network. The non-secure network may define a first address space. The secure network may define a second address space. The PCMCIA card may include a cryptography module, a network adapter, and/or a processor. The cryptography module may provide Type 1 cryptography of data communicated between the computer and the secure network. The network adapter may be in communication with the non-secure network and may be associated with a first network address from the first address space. The processor may be in communication with the secure network via the cryptography module and the network adapter. The processor may identify a second network address for the computer from the second address space and may communicate the second network address to the computer, for example via dynamic host control protocol (DHCP).

Abstract: A device that includes a first processor, a second processor, and an encryption module in communication with the first processor and the second processor may be used to accept conditions for access to the network. The first processor may receive condition data, and in response, may send an acceptance signal via the encryption module to the second processor. The second processor may receive the acceptance signal and, in response, may send acceptance data to a gatekeeper. The encryption module may block unencrypted data other than the acceptance signal from being communicated from the first processor to the second processor. The encryption module may support type 1 encryption.