Petitioner Apple Inc. - Ex. 1025, p. 1001
Codes used to identify States party to the PCT on the front pages of pamphlets publishing international applications under the PCT.
WO 94/01821    PCT/US93/06511
TRUSTED PATH SUBSYSTEM FOR WORKSTATIONS
Background of the Invention

Field of the Invention
The present invention relates to an apparatus and method for providing a trusted computer system based on untrusted computers, and more particularly to an apparatus and method for providing a trusted path mechanism between a user node based on an untrusted computer or workstation and a trusted subsystem.
Background Information
Advances in computer and communications technology have increased the free flow of information within networked computer systems. While a boon to many, such a free flow of information can be disastrous to those systems which process sensitive or classified information. In response to this threat, trusted computing systems have been proposed for limiting access to classified information to those who have a sufficient level of clearance. Such systems depend on identifying the user, authenticating (through password, biometrics, etc.) the user's identity and limiting that user's access to files to those files over which he or she has access rights.
In addition, a trusted path mechanism is provided which guarantees that a communication path established between the Trusted Computer Base (TCB) and the user cannot be emulated or listened to by malicious hardware or software. Such a system is described in U.S. Patent Nos. 4,621,321; 4,713,753; and 4,701,840 granted to Boebert et al. and assigned to the present assignee, the entire disclosures of which are hereby incorporated by reference.
The last decade has marked a shift in the distribution of computational resources. Instead of connecting a large number of relatively "dumb" terminals to a mainframe computer, the automatic data processing environment has gradually shifted to where a large number of current systems are file server systems. In a file server system, relatively low cost computers are placed at each user's desk while printers and high capacity data storage devices are located near the server or servers. Files stored in the high capacity data storage devices are transferred to the user's computer for processing and then either saved in local storage or transferred back to the storage devices. Documents to be printed are transferred as files to a print server; the print server then manages the printing of the document.
An even more loosely coupled distributed computing approach is based on the client-server paradigm. Under the client-server paradigm, one or more client processes operating on a user's workstation gain access to one or more server processes operating on the network. As in file server systems, the client processes handle the user interface while the server processes handle storage and printing of files. In contrast with file server systems, however, the client processes and the server processes share data processing responsibilities. A more complete discussion of distributed computing is contained in "Client-Server Computing" by Alok Sinha, published in the July 1992 issue of Communications of the ACM.

Both the file server and the client-server paradigms depend heavily upon the availability of low-cost computer systems which can be placed at each user's desk. The low-cost systems are then connected through a network such as a LAN or a WAN to the server systems. Such a networked system is illustrated in the block diagram shown in Fig. 1.

In Fig. 1, a workstation processing unit 40 is connected through a network 50 to a host computer 60. Workstation unit 40 is also connected through video port 44 and keyboard port 46 to display unit 10 and keyboard 20, respectively.
In a typical distributed computer system, the workstations 40, the host computers 60 and the connecting networks 50 are all at great risk of a security breach. Trusted computer systems based on host computers such as the Multilevel Secure (MLS) Computer 60 shown in Fig. 1 make security breaches at the host computer more difficult by partitioning the system to isolate security critical (trusted) subsystems from nonsecurity critical (untrusted) subsystems. Such computers do little, however, to prevent security breaches on network 50 or at user workstation 40.
A Multi-Level Secure (MLS) Computer such as is shown in Fig. 1 is capable of recognizing data of varying sensitivity and users of varying authorizations and ensuring that users gain access to only that data to which they are authorized. For example, an MLS computer can recognize the difference between company proprietary and public data. It can also distinguish between users who are company employees and those who are customers. The MLS computer can therefore be used to ensure that company proprietary data is available only to users who are company employees.
Designers of MLS computers assume that unauthorized individuals will use a variety of means, such as malicious code and active and passive wiretaps, to circumvent its controls. The trusted subsystem of an MLS computer must therefore be designed to withstand malicious software executing on the untrusted subsystem, to confine the actions of malicious software and render them harmless. One mechanism for avoiding malicious software is to invoke a trusted path, a secure communications path between the user and the trusted subsystem. A properly designed trusted path ensures that information viewed or sent to the trusted subsystem is not copied or modified along the way.
Extension of the trusted path through the network to the user is, however, difficult. As is described in a previously filed, commonly owned U.S. patent application entitled "Secure Computer Interface" (U.S. Patent Application No. 07/676,885 filed March 28, 1991 by William E. Boebert), "active" and "passive" network attacks can be used to breach network security. Active attacks are those in which masquerading "imposter" hardware or software is inserted into the network communications link. For example, hardware might be inserted that emulates a user with extensive access privileges in order to access sensitive information. "Passive" network attacks include those in which a device listens to data on the link, copies that data and sends it to another user. A system for ensuring secure data communications over an unsecured network is described in the above-identified patent application. That application is hereby incorporated by reference.
Active and passive attacks can also be used to breach computer security through software running on an untrusted user computer, an untrusted host or in the untrusted subsystem of a Multilevel Secure Computer. For example, malicious software running in the workstation could present itself to an authorized user as the trusted subsystem, and cause that user to enter highly sensitive data, such as a password. The data is then captured and given to the attacker. Under a passive software attack, data which is intended for one user could be copied and sent to a user who is not authorized to work with it.
Systems for ensuring secure communications over an unsecured network have been limited to date to scrambling devices which encrypt data written to the network and decrypt data received from the network. Such systems are limited in that they provide no assurance that the user's computer is secure or that the user has, in fact, established a trusted path to the trusted subsystem. Therefore, despite the fact that the communications link is secure, it is possible for a user on the computer to be misled into believing that a program executing on his computer is actually running on the host computer.
What is needed is a mechanism for extending the trusted path from the trusted subsystem of the host computer to the user of an untrusted computer or workstation. Such a method should provide access to the workstation for normal workstation activities while shielding confidential data so that it cannot be read by software executing on the unsecured workstation.
Summary of the Invention
The present invention provides a method and apparatus for ensuring secure communication over an unsecured communications medium between a user working on an unsecured workstation or computer and a host computer. A secure user interface is created by inserting a trusted path subsystem between input/output devices to the workstation and the workstation itself. Data transferred from the input/output devices is intercepted, encrypted and transmitted in packets to the host computer. Packets of screen display data from the host computer are decrypted and presented within a user-defined screen overlay.
According to another aspect of the present invention, a method is disclosed for ensuring secure file transfers between an unsecured workstation and a host computer. A file to be transferred is downloaded to a trusted path subsystem inserted between the workstation and its keyboard and display device. The trusted path subsystem presents a representation of the file on the display device where the user can verify that the file is as expected. The verified file is then encrypted and transferred as packets to the host computer.
Brief Description of the Drawings
FIG. 1 is a system level block diagram representation of a networked computer system.

FIG. 2 is a system level block diagram representation of a secure networked computer system according to the present invention.

FIG. 3 is a block diagram representation of a user node including a trusted path subsystem according to the present invention.

FIG. 4 is a block diagram representation of a user node including a different embodiment of a trusted path subsystem according to the present invention.

FIG. 5 is an electrical block diagram representation of one embodiment of the trusted path subsystem according to the present invention.

FIG. 6 is a representation of a secure window overlay according to the present invention.
Detailed Description of the Preferred Embodiments
In the following Detailed Description of the Preferred Embodiments, reference is made to the accompanying Drawings which form a part hereof, and in which are shown by way of illustration specific embodiments in which the invention may be practiced. It is to be understood that other embodiments may be utilized and structural changes may be made without departing from the scope of the present invention.
The present invention provides a method and apparatus for ensuring secure communication over an unsecured communications medium between a user working on an unsecured workstation or computer and a host computer. A secure user interface is created by inserting a trusted path subsystem between input/output devices to the workstation and the workstation itself. Data transferred from the input/output devices is intercepted, encrypted and transmitted in packets through the workstation to the host computer. Packets of screen display data from the host computer are decrypted and presented within a user-defined screen overlay.
Cryptographic entities in the trusted path subsystem and the host computer apply end-to-end encryption to confidential data transferred to and from the network. End-to-end encryption is a technique whereby data is encrypted as close to its source as possible and decrypted only at its ultimate destination. This technique differs from link encryption, in which data is decrypted, then encrypted again as it moves from the sender to the receiver.
The present invention extends the notion of end-to-end encryption by performing the encryption/decryption closer to the originator and receiver than prior systems. In the present invention, the encryption/decryption is performed as the data enters and leaves the input/output device. The data is therefore protected from malicious software which might be operating on the workstation and from active or passive attacks on the network.
A secure networked computer system constructed according to the present invention is illustrated generally in Fig. 2. In Fig. 2, a workstation processing unit 40 is connected through a network 50 to a host computer 60. Workstation 40 can be any computer, workstation or X terminal which has a separate data path for communication between a trusted path subsystem 30 and the workstation. For instance, workstation 40 can be a commercially available workstation such as the UNIX workstations manufactured by Sun Microsystems, Mountain View, California, an IBM PC compatible such as those available from Compaq, Houston, Texas or an X terminal such as Model NCD19g from Network Computing Devices, Inc., Mountain View, California.
Trusted path subsystem 30 is connected to workstation 40 (through auxiliary data port 42), keyboard 20 and display 10. Trusted path subsystem 30 includes cryptographic entity 35 for encrypting and decrypting information transferred between display 10, keyboard 20 and workstation 40.
Host computer 60 is a Multi-Level Secure computer which includes a trusted subsystem 67 and an untrusted subsystem 63. Trusted subsystem 67 includes a cryptographic entity 69 for encrypting and decrypting data transferred between trusted subsystem 67, untrusted subsystem 63, and network 50. In another embodiment of the present invention, host computer 60 is a computer running a trusted subsystem software package. In that embodiment, cryptographic entity 69 would be implemented in software.
In the embodiment shown in Fig. 2, all communication between trusted path subsystem 30 and host computer 60 is done via workstation 40. In one such embodiment, auxiliary data port 42 is an RS-232 line connecting workstation 40 and subsystem 30. Communications software running on workstation 40 receives encrypted packets from the trusted path subsystem and sends them to the host computer. In a like manner, encrypted packets from host computer 60 are received by workstation 40 and transferred to subsystem 30 for decrypting. This type of interface is advantageous since a standard communications protocol can be defined for transfers between subsystem 30 and host computer 60. Workstation 40 then implements the standard protocol for the communications media connecting it to host computer 60.
Network 50 can be implemented in a wide range of communications protocols, from FDDI to a simple telecommunications line between two modems. In a network implementation, subsystem 30 provides only the encrypted file; workstation 40 provides the layers of protocol needed for reliable communication on network 50.
Fig. 3 provides more detail of trusted path subsystem 30. Trusted path subsystem 30 consists of a processor 31 connected to a keyboard manager 37, a video manager 38 and cryptographic entity 35. Trusted path subsystem 30 operates in normal mode and in trusted path mode. When in normal mode, workstation trusted path subsystem 30 is transparent to workstation 40. Logical switches 37 and 38 are in the UP position, connecting workstation processor 40 directly to keyboard 20 and display 10. This permits the free transfer of information from keyboard 20 to workstation 40 and from workstation 40 to display 10. In normal mode, workstation processor 40 runs software and communicates with host computer 60 via network 50.
When the user invokes trusted path mode, however, workstation processor 40 is disconnected from keyboard 20 and display 10 by logical switches 37 and 38, respectively. Keyboard 20 and display 10 are then connected to their respective managers in workstation trusted path subsystem 30.
As is shown in Fig. 6, while in trusted path mode, video manager 34 creates a trusted window 82 which is overlaid on the screen display 80 generated by workstation 40 for display 10. Since window 82 is created outside of workstation 40, by trusted elements, it is not possible for malicious software in workstation 40 to control any of the video in trusted window 82. In the preferred embodiment the size of trusted window 82 can vary; if sufficient video RAM is present, window 82 may be as large as the entire display screen.
In a like manner, while in trusted path mode, keyboard manager 36 intercepts keyboard data intended for workstation 40. The data is then routed to cryptographic entity 35, where it is encrypted before being passed over auxiliary port 42 to workstation processing unit 40. Thus, keyboard inputs are protected from eavesdropping and undetected modification until they are decrypted by cryptographic entity 69 on host computer 60.
In one embodiment of the trusted path subsystem of Fig. 3, cryptographic entity 35 uses a pair-wise key to encrypt data to be transmitted from keyboard 20 to host computer 60. At the same time, cryptographic entity 35 decrypts data transmitted from host computer 60 to display 10. The encryption and integrity mechanisms protect the data from eavesdropping and undetected modification as it is passed through workstation processor 40, network 50 and host computer untrusted subsystem 63. Other types of symmetric encryption algorithms such as the Data Encryption Standard (DES) and asymmetric cryptographic techniques such as public key can also be used. Furthermore, the encryption algorithm can either be implemented in software, programmable hardware, or custom hardware.
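The keyboard path described above, modelled as an added example (not code from the patent): subsystem 30 passes keystrokes straight to port 46 in normal mode, and in trusted path mode seals them under the pair-wise key so that workstation 40 can only relay opaque packets, while entity 69 rejects anything modified, replayed or reflected back in the wrong direction. The patent names neither a cipher nor a key schedule, so HMAC-SHA256 as a KDF and as a counter-mode keystream, per-direction subkeys, and a sequence-number nonce are all assumptions of this model.

```python
import hashlib
import hmac


def _subkey(pairwise_key: bytes, label: bytes) -> bytes:
    # Direction- and purpose-specific subkeys from the single pair-wise key; the
    # patent names no key schedule, so HMAC-SHA256 as a KDF is this example's assumption.
    return hmac.new(pairwise_key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode stands in for the unspecified symmetric cipher.
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


class CryptoEntity:
    """Entity 35 (in subsystem 30) or entity 69 (in trusted subsystem 67)."""

    def __init__(self, pairwise_key: bytes, send_dir: bytes, recv_dir: bytes):
        self.enc_tx = _subkey(pairwise_key, b"enc:" + send_dir)
        self.mac_tx = _subkey(pairwise_key, b"mac:" + send_dir)
        self.enc_rx = _subkey(pairwise_key, b"enc:" + recv_dir)
        self.mac_rx = _subkey(pairwise_key, b"mac:" + recv_dir)
        self.tx_seq = 0  # packet counter, also used as the nonce
        self.rx_seq = 0  # lowest sequence number still accepted (replay check)

    def seal(self, plaintext: bytes) -> bytes:
        nonce = self.tx_seq.to_bytes(8, "big")
        self.tx_seq += 1
        ks = _keystream(self.enc_tx, nonce, len(plaintext))
        ct = bytes(p ^ k for p, k in zip(plaintext, ks))
        tag = hmac.new(self.mac_tx, nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag  # encrypt-then-MAC packet, opaque to workstation 40

    def open(self, packet: bytes) -> bytes:
        nonce, ct, tag = packet[:8], packet[8:-32], packet[-32:]
        want = hmac.new(self.mac_rx, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, want):  # modified, truncated, or not from the peer
            raise ValueError("integrity or origin check failed")
        seq = int.from_bytes(nonce, "big")
        if seq < self.rx_seq:
            raise ValueError("replayed packet")
        self.rx_seq = seq + 1
        ks = _keystream(self.enc_rx, nonce, len(ct))
        return bytes(c ^ k for c, k in zip(ct, ks))


class UntrustedWorkstation:  # workstation 40: records everything it could observe
    def __init__(self):
        self.keyboard_port46 = []  # plaintext keystrokes (normal mode only)
        self.aux_port42 = []       # encrypted packets it merely relays to host 60

    def relay(self, packet: bytes) -> bytes:
        self.aux_port42.append(packet)
        return packet  # forwarded over network 50


class TrustedPathSubsystem:  # subsystem 30: logical switch 37 routes keyboard data
    def __init__(self, pairwise_key: bytes, workstation: UntrustedWorkstation):
        self.trusted_mode = False  # False: switches UP, keyboard wired straight to port 46
        self.entity35 = CryptoEntity(pairwise_key, b"kbd->host", b"host->display")
        self.workstation = workstation

    def keyboard_input(self, keys: bytes):
        if not self.trusted_mode:
            self.workstation.keyboard_port46.append(keys)  # transparent pass-through
            return None
        return self.workstation.relay(self.entity35.seal(keys))  # port 46 stays silent


def run_session(pairwise_key: bytes) -> dict:
    """One session: what each party saw, and which bad packets were rejected."""
    ws = UntrustedWorkstation()
    tps = TrustedPathSubsystem(pairwise_key, ws)
    entity69 = CryptoEntity(pairwise_key, b"host->display", b"kbd->host")  # host side
    tps.keyboard_input(b"ls -l")                   # normal mode: workstation sees this
    tps.trusted_mode = True                        # e.g. invoked by the key combination
    pkt = tps.keyboard_input(b"example-secret\n")  # constructed sample keystrokes
    results = {
        "normal_seen": ws.keyboard_port46,
        "trusted_seen_plaintext": any(b"example-secret" in p for p in ws.aux_port42),
        "recovered": entity69.open(pkt),
    }
    tampered = pkt[:8] + bytes([pkt[8] ^ 0x01]) + pkt[9:]  # one ciphertext bit flipped
    # tampered: MAC fails; replayed: stale sequence number; reflected: wrong direction keys
    for name, receiver, bad in (("tampered", entity69, tampered),
                                ("replayed", entity69, pkt),
                                ("reflected", tps.entity35, pkt)):
        try:
            receiver.open(bad)
            results[name + "_rejected"] = False
        except ValueError:
            results[name + "_rejected"] = True
    return results
```
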

Trusted path mode can be invoked in a number of ways. In one embodiment, a switch on trusted path subsystem 30 can be used to manually activate trusted path mode. A second method would be to invoke trusted path mode by a combination of keys pressed simultaneously on keyboard 20 (like the control/alt/delete key sequence on a PC-compatible computer). A third embodiment would require that the user insert some sort of token device into subsystem 30. A token device might range from a smart card to a cryptoignition key. In the preferred embodiment, subsystem 30 would also have a feedback mechanism such as a light to notify the user that subsystem 30 was in trusted path mode.

The trusted path mode, used in conjunction with cryptographic entity 69 on host computer 60, provides security services such as user authentication, data confidentiality, data integrity and data origin authentication and confinement of malicious software. The user is authenticated to trusted path subsystem 30 and this authentication is securely passed to trusted subsystem 67 in MLS computer 60. Data passed between cryptographic entities 35 and 69 is protected from unauthorized disclosure and undetected modification. Cryptographic entities 35 and 69 also assure that the data was sent from one cryptographic entity to its peer cryptographic device. In addition, malicious software on workstation 40, network 50 or untrusted subsystem 63 is confined so that it cannot dupe the user or trusted subsystem 67 into performing an insecure action.

The user can be authenticated to the trusted computing system by either authenticating himself directly to trusted path subsystem 30 or by going through subsystem 30 to host computer 60. In the first method, the user can authenticate himself to subsystem 30 via such means as a personal identification number (PIN), a password, biometrics or a token device such as a smart card or a cryptographic ignition key. Once the user has authenticated himself to subsystem 30, subsystem 30 relays the authentication to trusted subsystem 65. The step of relaying authentication can be done by either automatically entering trusted path mode as part of the authentication process or by having subsystem 30 relay the authentication data at a later time.
A second method for authenticating a user would be to first enter trusted path mode and then authenticate the user directly to host computer 60. This approach would reduce the processing power needed on subsystem 30.
In its simplest form, trusted path subsystem 30, in conjunction with workstation 40, display 10 and keyboard 20, forms an assured terminal. Data typed on keyboard 20 or extracted from a pointing device such as a mouse is encrypted and transferred over network 50 to host computer 60. Screen display data transferred from host computer 60 is decrypted and displayed within trusted window 82. Such a terminal might be implemented as a relatively dumb terminal such as a VT100, or it could be implemented as an X Windows terminal. The X Window embodiment would be useful since it would allow the creation of multiple trusted windows 82 and would permit the assigning of a different security level to each window. Such a mechanism would permit qualified users to cut information from a document of one sensitivity and paste it into a document of a different sensitivity.
An assured terminal is especially useful in an environment where you are trying to maintain a number of security levels despite having a workstation which will only operate at one level. An example is a trusted computing system mixing single level secure workstations with a multi-level computer with three security levels: unclassified (least sensitive), secret (much more sensitive), and top secret (most sensitive). Trusted path subsystem 30 can be used to expand the capabilities of the single level workstation since subsystem 30 allows the user to essentially disable subsystem 30, do all his work at the level permitted by the workstation (say, secret) using all the capabilities of his workstation and whatever facilities are available on the multilevel computer. Then, if the user has a small amount of work that he or she needs to do at top secret, the user can invoke trusted mode in subsystem 30, isolate their workstation, its processor memory and storage devices, and he has, in effect, a keyboard and a terminal connected to a secure communications device through a multilevel host. The user can then do the operations required at top secret.
The cryptographic techniques applied in subsystem 30 will ensure that none of the top secret information going to or from the multilevel secure computer is linked to files within workstation 40 or is captured and copied on the network.
Likewise, if a user had to do a small amount of unclassified work, he could put the workstation into trusted path mode using subsystem 30. The user could, through a trusted path, invoke an unclassified level and again the cryptographic techniques applied at each end of the link would prevent secret information from being mixed in with the unclassified information. The system essentially provides a pipe to keep data from one security level from being mixed into data at a different security level.
Trusted subsystem 30 is not, however, limited to a role as an assured terminal. In a file server application, files stored at host computer 60 or within workstation 40 could be transferred to subsystem 30 for data processing tasks such as editing, reviewing the file or transferring it as electronic mail. In a client server application, processor 31 could execute one or more client processes such as an editor or a communications process. Software and firmware which could be implemented inside trusted path subsystem 30 would be limited only by the amount of storage within subsystem 30 and the review and approval process required to provide clean software.
Trusted path subsystem 30 has access not only to files on host computer 60 but also on workstation 40. Files transferred from either computer 60 or workstation 40 can be manipulated and transferred to other computers or workstations. For example, a secure electronic mail system could be implemented in which trusted path subsystem 30 is used for reviewing, reclassifying, and electronically signing messages. A document file from computer 60 or workstation 40 can be displayed and reviewed. If appropriate, the user may downgrade its sensitivity level by attaching a different security level to the document. The finished file can then be sent via electronic mail to other users.
In one embodiment of such an electronic mail function, subsystem 30 would go out on the network to the directory server to retrieve the names, electronic mail addresses and public key information of the intended recipients. The directory server could be implemented as either a trusted or an untrusted process on host computer 60 or on another network computer. Subsystem 30 would then attach the addresses to the file, affix a digital signature, encrypt the final product and send it through host computer 60 to the designated addresses.
In another embodiment of such a function, in a system without a MLS computer, secure electronic mail is possible by first establishing a trusted path from the user to processor 31. The user then accesses files of workstation 40 (or on other network computers), displays and reviews the file, accesses an unsecured directory server to retrieve the names, electronic mail addresses and public key information and sends the encrypted message via electronic mail to its recipient.
Processor 31 can also be used to control video manager 34 in order to implement and control the user interface. Such an approach would permit the use of a graphical user interface (GUI) within trusted window 82 that would reduce the amount of screen information transferred by host computer 60. This approach also permits the user to implement, through processor 31, multiple trusted windows 82 at the user node in order to perform the cut-and-paste function referred to above.
In the preferred embodiment, subsystem 30 is a modular design in which processor 31 and cryptographic entity 35 are kept constant and video manager 34 and keyboard manager 36 are designed so that they can be replaced easily to handle different displays and keyboards. In one embodiment, subsystem 30 is designed to be portable. A portable subsystem 30 can be used to turn any modem equipped computer with the requisite auxiliary data port into a secure data terminal or computer.
Fig. 4 is a block diagram representation of an alternate embodiment of trusted path subsystem 30. In Fig. 4, processor 31 is connected through network interface 39 to network 50 and through communication port 48 to workstation 40. In the embodiment shown in Fig. 4, workstation processing unit 40 is isolated from the network. This approach allows the encryption of all network traffic associated with the user node. In the embodiment shown in Fig. 4, communication port 48 can be a communication medium ranging from RS-232 to an unsecured Ethernet.
A more detailed representation of one embodiment of trusted path subsystem 30 is shown in Fig. 5. In Fig. 5, keyboard logical switch 37 receives data from keyboard 20 and routes it to processor 31. During normal mode, processor 31 then sends the received keyboard data directly over keyboard port 46 to workstation 40. In contrast, in trusted path mode, processor 31 captures the received keyboard data and sends it to cryptographic entity 35 for encrypting. No information is sent over keyboard port 46 to workstation 40. The resulting encrypted keyboard data is instead sent through auxiliary data port 42 to workstation 40 and from there to computer 60.
Video data from workstation 40 is transmitted from video port 44 to video manager 34. During normal mode, the video data is sent through to display 10 without modification. During trusted path mode, however, the video data transferred from video port 44 is overlaid, at least in some part, by video data generated by video manager 34.
A representative video manager 34 is shown generally in Fig. 5. Video manager 34 consists of video synchronization hardware 72, video RAM 74, video driver 78 and video multiplexer 76. Video synchronization hardware 72 receives synchronization signals from video port 44 and uses the signals to coordinate the display of data from video RAM 74 with the display generated by workstation 40. During normal mode data from video RAM 74 is not used; video is transferred directly from workstation 40 through video multiplexer 76 to display 10. When, however, trusted path subsystem 30 is placed into trusted path mode, video data stored in video RAM 74 is used instead of the normal video stream to create trusted window 82.
In one embodiment synchronization hardware 72 uses the synchronization signals received from workstation 40 to control the reading of data from video RAM 74 and the conversion of that data into a video signal by video driver 78. The output of video driver 78 is then used to drive video multiplexer 76. Synchronization hardware 72 controls video multiplexer 76 in order to switch between the video generated by workstation 40 and the video being read from video RAM 74. The output of video multiplexer 76 is driven through video amplifiers to display 10.
The design of the video hardware needed to overlay one display on top of another is well known in the art. Window 82 can be synched up to the video going to display 10. Typically, if window 82 is not full screen, video synchronization hardware 72 counts the number of lines to the first line of window 82, counts in the number of pixels, and inserts the video at that point. Trusted path video data is then written for the desired number of pixels and video multiplexer 76 is switched back to normal video for the remainder of the video line. This mechanism provides flexibility in placement and sizing of window 82 on screen 80.
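The line and pixel counting just described, as an added software model of synchronization hardware 72 and multiplexer 76 (not code from the patent): frames are lists of strings with one character per pixel, window 82 is placed at a first line y0 and first pixel x0, and the last function checks the property the text relies on, that no workstation frame can alter what the window shows. Clipping a window that overruns the screen edge is an assumption the text does not address.

```python
def multiplex_line(ws_line: str, window_line: str, x0: int) -> str:
    """Video multiplexer 76 for one scan line: workstation pixels up to column x0,
    trusted pixels for the width of window 82, workstation pixels for the rest."""
    if x0 >= len(ws_line):
        return ws_line  # window starts past the right edge: nothing inserted
    window = window_line[:len(ws_line) - x0]  # clip a window that overruns the edge
    return ws_line[:x0] + window + ws_line[x0 + len(window):]


def compose_frame(ws_frame: list, video_ram: list, y0: int, x0: int,
                  trusted_mode: bool) -> list:
    """Synchronization hardware 72 driving multiplexer 76 over a whole frame.
    ws_frame: scan lines from video port 44; video_ram: lines held in RAM 74;
    (y0, x0): first line and first pixel of window 82 on screen 80."""
    if not trusted_mode:
        return list(ws_frame)  # normal mode: RAM 74 unused, video passes through
    out = []
    for y, ws_line in enumerate(ws_frame):  # count lines down to the window's first line
        row = y - y0
        if 0 <= row < len(video_ram):
            out.append(multiplex_line(ws_line, video_ram[row], x0))
        else:
            out.append(ws_line)  # above or below the window: workstation video only
    return out


def window_region(frame: list, video_ram: list, y0: int, x0: int) -> list:
    """The pixels of `frame` lying inside window 82's on-screen rectangle."""
    height = len(video_ram)
    width = len(video_ram[0]) if video_ram else 0
    return [line[x0:x0 + width] for line in frame[y0:y0 + height]]


def window_isolated(video_ram: list, y0: int, x0: int, frames: list) -> bool:
    """Whatever workstation 40 sends, the contents of window 82 are identical,
    because in trusted path mode they come from RAM 74 alone."""
    regions = [window_region(compose_frame(f, video_ram, y0, x0, True), video_ram, y0, x0)
               for f in frames]
    return all(r == regions[0] for r in regions)
```
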

Video multiplexer 76 c