(12) United States Patent
O'Brien

(10) Patent No.: US 7,765,399 B2
(45) Date of Patent: *Jul. 27, 2010

(54) COMPUTER ARCHITECTURE FOR A HAND HELD ELECTRONIC DEVICE

(75) Inventor: Terence W. O'Brien, Webster, NY (US)
(73) Assignee: Harris Corporation, Melbourne, FL (US)
(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 1192 days. This patent is subject to a terminal disclaimer.
(21) Appl. No.: 11/359,224
(22) Filed: Feb. 22, 2006
(65) Prior Publication Data: US 2007/0199046 A1, Aug. 23, 2007
(51) Int. Cl.: H04L 29/06 (2006.01)
(52) U.S. Cl.: 713/164; 726/16
(58) Field of Classification Search: 713/164, 176, 181; 726/1, 36, 26; 380/49; 380/4, 9, 25, 30, 40-60; 455/410
See application file for complete search history.

(56) References Cited

U.S. PATENT DOCUMENTS
6,092,202 A * 7/2000 Veil et al. ... 726/27
7,028,149 B2 * 4/2006 Grawrock et al. ... 711/156
7,047,405 B2 * 5/2006 Mauro ... 713/166
2006/0105740 A1 * 5/2006 Puranik ... 455/410

FOREIGN PATENT DOCUMENTS
GB 2336005 A * 10/1999

* cited by examiner

Primary Examiner: Pramila Parthasarathy
(74) Attorney, Agent, or Firm: Fox Rothschild, LLP; Robert J. Sacco

(57) ABSTRACT

Mobile PDA computer system (300) includes a non-secure processor (306), comprising an untrusted microprocessor and an untrusted operating system executing on the untrusted microprocessor. The system also includes a secure processor (302), comprising a trusted microprocessor and a trusted operating system executing on the trusted microprocessor. A cryptographic engine (304) is provided for encrypting and decrypting data. A first data communication link (303) communicates data between the secure processor and the cryptographic engine. A second data communication link (305) communicates data between the non-secure processor and the cryptographic engine. In this way, the cryptographic engine forms a bridge between the secure user processor and the non-secure user processor.

19 Claims, 4 Drawing Sheets
`
[Front-page drawing: Secure Processor, Trusted (HW/SW); Cryptographic Engine, Trusted (HW/SW); Non-Secure Processor (Untrusted HW/SW); Secure Human/Machine Interface (Trusted HW); Non-Secure Human/Machine Interface (Untrusted HW); USB; reference numerals 316 and 318]
U.S. Patent   Jul. 27, 2010   Sheet 1 of 4   US 7,765,399 B2

[Fig. 1 (Prior Art), Secure PDA (no I/O): Secure Processor (Trusted HW/SW); Cryptographic Engine (Trusted HW/SW); Secure Human/Machine Interface (Trusted HW) 106]

[Fig. 2 (Prior Art): Non-Secure Processor (Un-trusted HW/SW); Non-Secure Human/Machine Interface (Untrusted HW)]
`
`
`
[Sheet 2 of 4: Secure Processor, Trusted (HW/SW); Cryptographic Engine, Trusted (HW/SW); Non-Secure Processor (Untrusted HW/SW); Secure Human/Machine Interface (Trusted HW); Non-Secure Human/Machine Interface (Untrusted HW); USB]
`
`
`
[Sheet 3 of 4, non-secure side: Non-Secure Processor 306 (Un-trusted Processor Hardware, Un-trusted Operating System); EEPROM 404; Wired Connectivity 406; Wireless Connectivity 408; Audio Interface 410 (Microphone, Headphone); Keypad/pointing device 412; Touch Screen Controller 414; Color Display 416; Non-Secure Human/Machine Interface]

[Sheet 3 of 4, secure side: Flash/ROM/DRAM 502; EEPROM 504; Secure Processor 302 (Trusted HW and Trusted SW); To Cryptographic Engine 304; Audio Interface 506 (Microphone, Headphone); Keypad/pointing device 508; Touch Screen Controller 510; Color Display 512; Secure Human/Machine Interface]
`
`
`
[Sheet 4 of 4, cryptographic engine 304: Crypto Ignition Key; Key & Certificate Fill Port; Zeroize Switch; SW Load Port (Crypto Processor & Secure Processor); Processor 602; DRAM 603; EEPROM 604; 605; Encryption/Decryption w/ Header Bypass; Cryptographic Bypass; Crypto Control; Secure Processor Crypto Interface 606; Non-Secure Processor Crypto Interface 608]
`
COMPUTER ARCHITECTURE FOR A HAND HELD ELECTRONIC DEVICE
`
BACKGROUND OF THE INVENTION

1. Statement of the Technical Field

The inventive arrangements relate to personal electronic devices, and more particularly to personal digital assistant devices for storing, processing and communicating classified as well as unclassified data.

2. Description of the Related Art

Mobile computers, which are sometimes called personal digital assistants or PDAs, have the ability to store, process and communicate data. PDAs generally fall into one of several categories which can include handheld PCs, palm size PCs, smart phones, and handheld instruments. PDAs typically include some kind of microprocessor with a commercially available operating system such as Linux, Palm OS, or Windows CE (Pocket PC). Many PDAs also have built in LCD displays, touch sensitive screens, and keypads for the human/machine interface. Some PDAs also include wireless networking capabilities. For example, many such devices can communicate with other devices using well known wireless networking standards such as the IEEE 802.11 family of standards. The foregoing capabilities make these compact devices highly useful for various business and personal applications.

Currently, there exist a wide variety of PDA devices with conventional operating systems and architectures. These commercially available PDAs with commercial-off-the-shelf (COTS) operating systems and COTS application programs generally satisfy the processing and communications requirements of most users. For example, they include applications for word processing, data storage, spreadsheets, email, internet browsing, time management, contact management, network communications, and voice communications. These applications generally function quite well and have interfaces that are familiar to many users. The familiarity of these applications to users, and the relatively low cost of COTS software, are considered advantageous for a variety of reasons.

Some commercially available PDA devices and/or software applications incorporate various security measures in an effort to protect data which is stored, processed or communicated using the device. For example, encryption technology and password protection features are known in the art. Still, this level of security can be inadequate for managing information that is of a Confidential, Secret, or Top Secret nature, particularly when such information relates to matters of national security. For example, COTS operating systems and applications may not be sufficiently trustworthy for handling this type of information. Such programs can be susceptible to being compromised by various means including hacker attacks, viruses, worms, Trojan horses, and a wide variety of other means that are known to those skilled in the art.

Finally, notwithstanding the security limitations of COTS operating systems and applications, the basic architecture and interface systems of many commercial PDA devices may leave these devices vulnerable to intrusion. For example, COTS devices do not employ trusted microprocessors, do not employ physical separation of classified and unclassified data processing, nor do they employ physical tamper detection and subsequent memory zeroization. They may also lack the capability of wireless communications for classified data. Consequently, transport, processing or communication of classified data using a commercial PDA is not generally permitted.

In order to address some of the foregoing problems, personal electronic devices have been developed that are specifically designed to allow for transport of classified data, for example encryption keys. However, these devices are not generally designed to accommodate data processing or wireless communications of classified information. Secure PDA devices are also known in the art. These devices utilize a trusted operating system, trusted microprocessors, and a trusted human/machine interface. However, they generally do not include wireless communications capabilities.

Trusted operating systems and applications are generally designed to more rigorously address the problem of computer security. Trusted operating systems undergo evaluation of their overall design, verification of the integrity and reliability of their source code, and systematic, independent penetration evaluation. In contrast, non-trusted COTS operating systems are generally not designed to an equally high level with regard to security precautions.

SUMMARY OF THE INVENTION

The invention concerns a mobile PDA computer system. The mobile PDA computer system consists of a non-secure user processor, a secure user processor, and a cryptographic engine. The non-secure processor is comprised of non-trusted COTS microprocessor hardware (HW), a non-trusted COTS operating system, and non-trusted COTS application software. The secure processor is comprised of trusted microprocessor HW, a trusted operating system and trusted application software. The cryptographic engine is comprised of trusted hardware and trusted software. In addition to providing encryption and decryption services, the cryptographic engine provides a first data communication link that communicates data between the secure processor and the cryptographic engine and a second data communication link that communicates data between the non-secure processor and the cryptographic engine. In this way, the cryptographic engine forms a bridge between the secure processing side of the PDA and the non-secure processing side of the PDA.

According to one aspect of the invention, the non-secure processor can have a wired communication transceiver and/or a wireless communications transceiver. These communication transceivers can be used to communicate unclassified data and voice transmissions. In addition these transceivers can be used to communicate encrypted classified data. The secure processor can communicate encrypted classified data files from the secure processor's file system to the non-secure processor. The encrypted files can then be communicated using the wired or wireless transceiver circuitry associated with the non-secure processor. Similarly, classified real time voice communications originating on the secure processing side of the device can be encrypted and communicated to the non-secure processor. The non-secure processor can utilize the wired or wireless transceiver to communicate such encrypted voice information.

The invention can also concern a method for managing classified and unclassified data on a mobile PDA computer system. The method can include processing classified data exclusively using a secure processor. The method can also include processing unclassified data exclusively using a non-secure processor. Classified data for encryption and classified decrypted data can be communicated between the secure processor and the cryptographic engine using a first data communication link. Further, classified data from the secure processor via the cryptographic engine can be communicated to the non-secure processor exclusively in an encrypted form.
`
Such communications can be performed using a second data communication link between the cryptographic engine and the non-secure processor.

The method can include communicating classified data to and from the secure processor exclusively using a secure human/machine interface. Further, the method can include controlling the secure processor exclusively using the secure human/machine interface. Classified information can be provided to the user from the secure processor exclusively using the secure human/machine interface.

The non-secure processor can be controlled exclusively using a non-secure human/machine interface. Further, unclassified information can be provided to the user by the non-secure processor exclusively using the non-secure human/machine interface. A wireless communications transceiver can be used for communicating wireless unclassified data from the non-secure processor. The method can further include communicating encrypted classified data provided from the secure processor using the wireless communications transceiver. According to one aspect of the invention, the wireless communications transceiver can be selected from the group consisting of a wireless LAN transceiver and a cellular telephone transceiver. According to yet another aspect, the method can include communicating classified audio information to and from the secure processor with a first audio interface, and communicating audio information to and from the non-secure processor with a second audio interface distinct from the first audio interface.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram that is useful for understanding an architecture of a secure PDA.
FIG. 2 is a block diagram that is useful for understanding an architecture of a non-secure commercial PDA/phone.
FIG. 3 is a block diagram that is useful for understanding an architecture of a PDA that can be used for classified and unclassified data.
FIG. 4 is a more detailed block diagram showing the non-secure processor portion of the PDA architecture in FIG. 3.
FIG. 5 is a more detailed block diagram showing the secure processor portion of the PDA architecture in FIG. 3.
FIG. 6 is a more detailed block diagram of the cryptographic engine in FIG. 3.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

The invention concerns a computer architecture for a mobile PDA computer system. FIG. 1 shows a simplified block diagram of a secure PDA of the prior art that includes trusted hardware and trusted software (operating system and application software). As used herein, the term "trusted" is used with reference to computer hardware, operating systems, and/or software applications that have been designed to ensure secure storage, processing and communication of data. Trusted hardware and trusted software can be combined to provide secure data processing. Trusted hardware and software are generally designed and tested to ensure the integrity and reliability of their source code, and their resistance to penetration. In contrast, untrusted hardware and untrusted software are generally not designed to an equally high level with regard to security precautions. Accordingly, when integrated into a computer system, those systems are often referred to as non-secure.

Secure PDA 100 utilizes secure user processor 102 comprised of trusted hardware (HW) and trusted software (SW) for securing data that is stored on the device. A user secure file system 103 is provided for storing classified data. A cryptographic engine 104 is provided with trusted hardware and trusted software for providing encryption and decryption services. A crypto secure file system 105 is used to store classified data and files used by the cryptographic engine 104. A secure human/machine interface (HMI) 106 is also provided. However, for security reasons, PDA devices of this type generally do not include machine input/output (I/O) facilities. Thus PDA 100 does not have a USB port, wireless networking, or cellular telephone communications capabilities. PDA 100 can generally satisfy the requirements for accessing secure file systems. However, the operating system and applications can be expensive and unfamiliar to many users who more often utilize commercial-off-the-shelf (COTS) systems.

In contrast to the secure PDA in FIG. 1, a commercial PDA/phone architecture is shown in FIG. 2. The commercial PDA/phone 200 can include a non-secure processor 202 comprised of untrusted COTS microprocessor hardware and untrusted COTS software. A user non-secure file system 203 can be used for storing unclassified user files and data. The commercial PDA/phone will make use of COTS hardware and software to satisfy the processing and communications requirements of users. The commercial PDA/phone will make use of a conventional non-secure HMI 206, and can include non-secure I/O circuitry 204. The I/O circuitry 204 can include wired and/or wireless LAN transceivers, and cellular telephone transceiver circuitry. A suitable antenna or antennas 210 can be provided for any wireless applications. Audio interface circuitry can also be provided for headset 208. Significantly, PDA 200 will not generally satisfy the requirements for accessing secure file systems. However, commercial PDA 200 benefits from the economy associated with use of COTS applications and a COTS operating system. Another advantage is that users tend to be well familiar with such operating systems and applications.

Turning now to FIG. 3, there is shown an architecture for a mobile PDA computer system 300 that offers the combined advantages of secure PDA 100 and commercial PDA 200. The architecture in FIG. 3 can include a secure processor 302 composed of trusted microprocessor hardware executing trusted operating system software and trusted application software. Secure processor 302 can have access to a secure file system 314. Secure processor 302 receives user inputs and provides information to users through a secure HMI 308. Secure processor 302 can also communicate audio information to and from headset 316.

Non-secure processor 306 is also provided as part of PDA 300. Non-secure processor 306 is composed of untrusted microprocessor hardware executing an untrusted operating system and untrusted application software. Non-secure processor 306 can store unclassified user files and data in a user non-secure file system 319. Non-secure processor 306 is capable of receiving and transmitting data through I/O interface 312, which can include wired and/or wireless LAN transceivers, cellular telephone transceiver circuitry and any other conventional data communication service. A suitable antenna or antennas 320 can be provided for any wireless applications. A user audio interface can be provided for audio communications, audio recording and listening to audio files. Non-secure processor 306 receives user inputs and provides information to users through a non-secure HMI 310.

PDA 300 also includes a cryptographic engine 304. The cryptographic engine is implemented with trusted software (operating system and application software) and trusted microprocessor hardware. The cryptographic engine is provided for encrypting and decrypting classified data. A crypto secure file system 317 is provided for storing classified data and files used by cryptographic engine 304. A first data communication link 303 is provided for communicating classified data between the secure processor 302 and the cryptographic engine 304. A second data communication link 305 is provided for communicating encrypted classified data between the non-secure processor 306 and the cryptographic engine. Data communicated between secure processor 302 and cryptographic engine 304 will be encrypted before being passed to the non-secure processor 306. In contrast, data communicated between non-secure processor 306 and cryptographic engine 304 can be unencrypted unclassified data in some instances and encrypted classified data in other instances. Still, the invention is not limited with regard to the specific type of data that is communicated on the first and second data links.
The first and second data communication links can be any suitable type of serial or parallel data channel. For example, if the communication link is a parallel type data link then it can conform to any of a number of well known bus standards, including without limitation ISA, EISA, VESA, PCI, EMIF and so on. Alternatively, if a serial data channel is used, then it can be an I2C, SPI, Microwire, Maxim or other type of serial data bus.

A PDA computer architecture as shown in FIG. 3 can offer several important advantages. One basic advantage of the foregoing arrangement is that it overcomes some limitations of conventional secure and non-secure PDAs. For example, the system can still offer all of the benefits of conventional commercial PDA devices. Such features can include familiar and inexpensive COTS operating systems and applications. Such COTS operating systems and applications can be used with the non-secure processor 306. The PDA 300 also offers the benefit of wired and wireless LAN communication services, cellular telephone services and so on. In addition to these features, the PDA architecture shown in FIG. 3 can permit users to access a secure file system. The file system can be maintained by secure processor 302 in a data store.
Referring now to FIG. 4, there is shown a more detailed block diagram of a portion of the PDA 300 that includes non-secure processor 306. As noted above, non-secure processor 306 can be comprised of untrusted processor hardware. For example, the untrusted processor hardware can be any one of a variety of well known COTS processors that are widely available. For example, the un-trusted processor hardware can be selected from the StrongARM or XScale processors (e.g., SA-110 or PXA270) available from Intel Corp. of Santa Clara, Calif., the i.MX or Dragonball family of processors available from Freescale Semiconductor, Inc. of Austin, Tex., or the OMAP family of processors offered for sale by Texas Instruments of Dallas, Tex.

According to one embodiment, non-secure processor 306 can also be comprised of an untrusted COTS operating system. For example, any of a variety of well known COTS operating systems suitable for use in a PDA can be used for this purpose. According to one embodiment, the non-secure processor 306 can utilize the Windows CE operating system that is made available by Microsoft Corporation of Redmond, Wash. However, the invention is not limited in this regard and other types of untrusted operating systems can also be used.

Non-secure processor 306 can communicate with one or more subsystem components including data store 402. Data store 402 can include flash memory, read-only memory (ROM), and dynamic random access memory (DRAM). The untrusted operating system for the non-secure processor can be stored in non-volatile memory in data store 402 or flash EEPROM 404. Application software can be loaded in flash memory or DRAM as needed.
As shown in FIG. 4, I/O interface 312 can include wired connectivity block 406 for USB or other wired connectivity services. Wireless connectivity block 408 can include any wireless transceiver system now known or known in the future for communicating voice and/or data. For example, the wireless connectivity block 408 can be any suitable wireless LAN transceiver system. According to one embodiment of the invention, wireless connectivity block 408 can be configured for operation in accordance with any one of the 802.11 family of wireless network standards. However, the invention is not limited in this regard. Instead, any other wireless networking standard can also be implemented in accordance with the inventive arrangements. Further, wireless connectivity block 408 can also comprise cellular telephone transceiver circuitry. For example, the cellular telephone transceiver circuitry can be designed to operate using any one of a variety of well known cellular telephone transmission protocols such as TDM, GSM, or CDMA.

Additional sub-systems connected to non-secure processor 306 can include audio interface 410. Audio interface 410 can include at least one suitable audio codec, analog to digital and digital to analog conversion circuitry, as well as any necessary audio amplifier circuitry (not shown). Audio interface 410 can also include any other circuitry necessary to allow PDA 300 to output MP3 audio associated with the non-secure processor 306.

In the event that wireless input/output subsystem 312 includes cellular telephone transceiver circuitry, then the audio interface 410 can include a voice codec that can provide the user audio interface for that application. In particular, the voice codec can code voice signals received from a microphone associated with headset 318. Similarly, the voice codec can decode voice signals received via wireless connectivity block 408 and output such decoded audio to an earphone associated with headset 318. Still, it should be understood that the invention is not limited to any particular arrangement with regard to audio interface 410. Audio interfaces for cellular telephones and MP3 audio playback are well known in the art and all such arrangements are contemplated for audio interface 410 within the scope of the present invention.

Non-secure processor 306 can interface with a user through non-secure HMI 310. Non-secure HMI 310 can include a conventional color display 416 and touch screen controller 414. Non-secure HMI 206 can also include a keypad/pointing device 412. HMI interfaces of the type described herein are well known in the art. In this regard it should be understood that the non-secure HMI interface is not limited to the specific embodiments shown. Instead, any other suitable non-secure HMI interface can be used for this purpose.

Referring now to FIG. 5, there is shown a more detailed block diagram of the portion of PDA 300 including secure processor 302. Secure processor 302 can be a custom-designed processor or can also be one of a variety of well known COTS processors that are widely available. Regardless of whether the secure processor 302 is comprised of custom components, COTS components, or a mixture of custom and COTS components, the secure processor must be designed and developed utilizing trusted methods and techniques to ensure the integrity and reliability of the device, and its resistance to penetration. For example, the secure processor 302 can be housed inside a physical barrier that will detect any attempt to open the enclosure and automatically zeroize any stored sensitive/classified information contained within. The secure processor 302 can also be housed inside an enclosure that provides radio frequency (RF) shielding to guard against radiating sensitive/classified information.

Secure processor 302 will also have trusted operating system software and trusted application software. Trusted software is designed and tested to ensure the integrity and reliability of the code, and its resistance to penetration. For example, trusted software must be developed utilizing trusted techniques, which may include peer reviews, testing of all paths through the control logic, and in some cases, a mathematical proof of correctness.
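The two properties the specification keeps returning to, that classified data crosses from secure processor 302 to non-secure processor 306 over link 305 only after cryptographic engine 304 has encrypted it, and that a detected tamper event zeroizes stored sensitive material, can be made concrete in a small executable model. The following is an added example written for this page; it is not code from the patent or from Harris Corporation. The frame layout (nonce, ciphertext, HMAC tag), the toy SHA-256 counter-mode keystream standing in for whatever algorithm a real engine is programmed with, the constructed sample key, and every class, method and exception name are assumptions. It also adds the rule a defender would insist on at this boundary and which the patent only implies: anything arriving from the untrusted side over link 305 must authenticate before a single byte of it is decrypted or forwarded toward the trusted side.

```python
"""Model of cryptographic engine 304 as a bridge between link 303 (secure
side) and link 305 (non-secure side). Added example, not the patent's code.

Assumptions not taken from the patent: the frame layout nonce | ct | tag, the
toy SHA-256 keystream used in place of a real cipher, the constructed key,
and all names below.
"""
import hashlib
import hmac
import os
from typing import Optional

NONCE_LEN = 16
TAG_LEN = 32
CONSTRUCTED_KEY = bytes(range(32))  # constructed sample key for the demos only


class TamperDetected(Exception):
    """Enclosure tamper switch fired; keys have been zeroized."""


class PolicyViolation(Exception):
    """A transfer would break the bridge's data-flow rules."""


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256(key | nonce | counter) blocks. Illustrative only."""
    blocks, counter = [], 0
    while counter * 32 < length:
        blocks.append(hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest())
        counter += 1
    return b"".join(blocks)[:length]


def _xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


class CryptoEngine:
    """Trusted element between the secure processor and the non-secure processor."""

    def __init__(self, key: bytes) -> None:
        # bytearray rather than bytes: on_tamper() must overwrite the key in place
        self._enc_key = bytearray(key)
        self._mac_key = bytearray(hashlib.sha256(b"mac-subkey" + key).digest())
        self._tampered = False

    def _require_alive(self) -> None:
        if self._tampered:
            raise TamperDetected("keys zeroized; engine refuses all traffic")

    def secure_to_nonsecure(self, classified: bytes, nonce: Optional[bytes] = None) -> bytes:
        """Link 303 -> link 305: output is always nonce | ciphertext | HMAC tag."""
        self._require_alive()
        nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
        ct = _xor(classified, _keystream(bytes(self._enc_key), nonce, len(classified)))
        tag = hmac.new(bytes(self._mac_key), nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag

    def nonsecure_to_secure(self, frame: bytes) -> bytes:
        """Link 305 -> link 303: untrusted input; verify before decrypting or forwarding."""
        self._require_alive()
        if len(frame) < NONCE_LEN + TAG_LEN:
            raise PolicyViolation("frame too short to carry a nonce and a tag")
        nonce, ct, tag = frame[:NONCE_LEN], frame[NONCE_LEN:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(bytes(self._mac_key), nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            raise PolicyViolation("authentication failed; frame dropped")
        return _xor(ct, _keystream(bytes(self._enc_key), nonce, len(ct)))

    def on_tamper(self) -> None:
        """Zeroize switch / enclosure tamper detect: overwrite key buffers in place."""
        for buf in (self._enc_key, self._mac_key):
            for i in range(len(buf)):
                buf[i] = 0
        self._tampered = True

    def keys_zeroized(self) -> bool:
        return not any(self._enc_key) and not any(self._mac_key)


def round_trip(msg: bytes) -> bytes:
    """Classified bytes leave encrypted; the returning frame is recovered only on the secure side."""
    engine = CryptoEngine(CONSTRUCTED_KEY)
    return engine.nonsecure_to_secure(engine.secure_to_nonsecure(msg))


def frame_leaks_plaintext(msg: bytes) -> bool:
    """Whether non-secure processor 306 can find the classified bytes in what it is handed."""
    engine = CryptoEngine(CONSTRUCTED_KEY)
    return msg in engine.secure_to_nonsecure(msg)


def corrupted_frame_rejected(msg: bytes) -> bool:
    """A frame with one flipped ciphertext bit must never reach the secure side."""
    engine = CryptoEngine(CONSTRUCTED_KEY)
    frame = bytearray(engine.secure_to_nonsecure(msg))
    frame[NONCE_LEN] ^= 0x01
    try:
        engine.nonsecure_to_secure(bytes(frame))
    except PolicyViolation:
        return True
    return False


def tamper_disables_engine() -> bool:
    """After the tamper switch fires, keys read as zero and all traffic is refused."""
    engine = CryptoEngine(CONSTRUCTED_KEY)
    engine.on_tamper()
    try:
        engine.secure_to_nonsecure(b"anything")
    except TamperDetected:
        return engine.keys_zeroized()
    return False
```

Two design points carry over to a real implementation. Keys are held in a mutable buffer so zeroization actually overwrites them; an immutable `bytes` object could only be dropped, not scrubbed, and the same concern applies to any language whose strings are immutable. The tag check on the link-305 side happens before decryption and uses a constant-time comparison, because that link is fed by untrusted hardware and software and is the engine's real attack surface.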
Secure processor 302 can communicate with one or more subsystem components including data store 502. Data store 502 can include flash memory, read-only memory (ROM), and dynamic random access memory (DRAM). The trusted operating system used in secure processor 302 can be stored in non-volatile memory in data store 502 or flash EEPROM 504. Application software can be loaded in flash memory or DRAM as needed. Additional sub-systems connected to secure processor 302 can include audio interface 506.

Audio interface 506 can include at least one suitable audio codec, analog to digital and digital to analog conversion circuitry, as well as any necessary audio amplifier circuitry (not shown). Audio interface 506 can also include any other circuitry necessary to allow PDA 300 to output MP3 audio associated with the secure processor 302. In the event that wireless input/output subsystem 312 includes cellular telephone transceiver circuitry, then the audio interface 506 can include a voice codec that can provide the user audio interface for that application. In particular, the voice codec can code voice signals received from a microphone associated with headset 316. Similarly, the voice codec can decode voice signals received via wireless connectivity block 408 and output such decoded audio to an earphone associated with headset 316. Still, it should be understood that the invention is not limited to any particular arrangement with regard to audio interface 506. Audio interfaces for cellular telephones and MP3 audio playback are well known in the art and all such arrangements are contemplated for audio interface 506 within the scope of the present invention.

Secure processor 302 can also communicate with secure HMI 308. Secure HMI devices are known in the art and typically can include one or more features to ensure trusted communications between the user and the secure processor 302. The secure HMI 308 can provide a trusted path to applications executing on secure processor 302. Consequently, secure HMI 308 can prevent invasive or unauthorized applications from monitoring user inputs and system outputs. According to one embodiment of the invention, the secure HMI 308 can be at least partially contained within a shielded enclosure. Moreover, the power supply lines for the secure HMI 308 can be filtered to ensure that signals associated with secure processor 302 are not communicated along the power supply lines back to the non-secure processor 306. The secure HMI 308 can also be designed to prevent a user from being misled about which application is actually in use. For example, this can be accomplished by means of highly distinctive and easily recognized visual display indications that cannot be obstructed. Such indicators can assure the user regarding the identity of the application with which the user is working. Secure HMI features of this type are implemented in a variety of ways that are known to those skilled in the art.

Referring now to FIG. 5, it can be observed that the secure HMI 308 can be comprised of several components. For example, secure HMI 308 can include one or more input devices which allow a user to input control commands and input data. According to one embodiment, these input devices can include a keypad/pointing device 508 and a touch screen controller 510. However, the invention is not limited in this regard. The secure HMI 308 can also include a display 512, which can present alphanumeric and graphical data. The display 512 can be a color or monochrome type display. Further, one or more data ports (not shown) can be provided as part of the human/machine interface. The data ports can be any type of wired data interface. According to one embodiment, the data ports can conform to the well known USB standard. The data ports can be used for input and output of data. The data ports can also be used for connecting certain peripheral devices to the PDA 300. For example, the data ports can be used for connecting an external keyboard to the PDA 300.
Referring now to FIG. 6, there is shown a more detailed block diagram of cryptographic engine 304. Cryptographic engine 304 can include a cryptographic processor 602 and a cryptographic file system 604 maintained in a data store. Cryptographic engine 304 can be one of several available cryptographic engines. According to one embodiment, the cryptographic engine can be a Sierra II Crypto processor which is available from Harris Corporation of Melbourne, Fla. The cryptographic engine can include configurable key lengths and can be programmed with one or more encryption algorithms. As illustrated in FIG. 6, cryptographic engine 304 can include several control and data ports including a crypto ignition key port, a key and certificate fill port, a zeroi