Patent abstract:
A wireless network interface device, WNID device (20), is provided for establishing a wireless connection (16) between a host computer device (10) and at least one other computer device. The WNID device includes a first circuit (21) for handling the communication with the host computer device, a second circuit (22) separate from the first circuit and arranged for handling the communication over the wireless connection, and a secure communication link (23) to connect the first circuit and the second circuit. Data communicated by the host computer device over the wireless connection is transmitted between the first circuit and the second circuit exclusively through the secure communication link. The WNID device of the present invention is advantageous because it provides improved intrusion protection by using a split architecture that separates the core (12) of the host operating system (11) from the parts of the WNID device that handle communication over the wireless connection.
Publication number: SE1150995A1
Application number: SE1150995
Filing date: 2009-03-26
Publication date: 2011-10-26
Inventor: Andre Rickardsson
Applicant: Bitsec Ab;
IPC main classification:
Patent description:

2, the device vendor is forced to continuously update drivers for existing interface devices as new types of attacks emerge.
SUMMARY OF THE INVENTION
It is an object of the present invention to obviate these problems and to provide an interface device for wireless networks, which device has an improved intrusion protection.
This is achieved by means of an interface device for wireless networks, which device has the features defined in independent claim 1.
Embodiments of the invention are characterized by the dependent claims.
According to one aspect of the invention, therefore, there is provided an interface device for wireless networks, for establishing a wireless connection between a host computer device and at least one other computer device. The network interface device includes a first circuit, a second circuit, and a secure communication link. The first circuit is arranged to handle the communication with the host computer device. The second circuit is separate from the first circuit and is arranged for handling the communication over the wireless connection. The secure communication link is arranged to connect the first circuit and the second circuit. Data communicated by the host computer device over the wireless connection is transmitted between the first circuit and the second circuit exclusively through the secure communication link. A computer device may be any device capable of establishing a connection with another computer device for data transmission purposes, e.g. a computer, computer accessory, a network printer, a network drive, a wireless access point in a WLAN, a mobile phone or a PDA.
The present invention is based on the realization that the core of the host operating system can be protected from attacks over a wireless connection by using a split network interface device architecture that separates the core and the host operating system driver from the parts of the network interface device that handle the communication over the wireless connection. For this purpose, the core of the operating system communicates only with the first circuit. The communication between the host and the first circuit is similar to that between a host and a conventional network interface device, and is performed by a driver run by the host core. However, the driver-controlled circuit does not handle the wireless communication but only the communication with the other circuit through the secure communication link. The communication over the secure link is performed using a protocol that is less vulnerable to attacks than the wireless protocols used for the communication over the wireless connection.
The present invention is advantageous because the effects of an attack exploiting any weaknesses of the wireless protocol used for communication over the wireless connection cannot spread into the core of the host operating system. The fact that the wireless communication is handled exclusively by the second circuit, and that data communicated over the wireless connection is received from or transmitted to the host core exclusively through the secure communication link and the first circuit, makes the core less vulnerable to attacks. In other words, the effects of an attack are limited to the other circuit, and therefore the security of the core is not compromised.
Thus, a network interface device for wireless networks is provided, which device has an improved protection against attacks directed at the operating system core of the computer device hosting the network interface device.
According to an embodiment of the invention, the communication is performed through the secure link using a non-wireless protocol. This is advantageous because non-wireless protocols are usually less complex than wireless protocols, resulting in fewer parameters that can possibly be manipulated, and are therefore more difficult to use for attacks.
According to another embodiment of the invention, the communication is performed through the secure link using the third layer or a higher layer in the seven-layer OSI model. This is advantageous because the higher layers of the OSI model are less susceptible to attack than the first and second layers.
According to a further embodiment of the invention, the secure communication link is an Ethernet connection. In this case, the first circuit is essentially a conventional Ethernet interface device. According to an embodiment of the invention, the second circuit comprises processor means for handling the communication over the wireless connection, e.g. a processor that executes appropriate software.
According to an embodiment of the invention, the encryption of data originating from the host and to be transmitted over the wireless connection, and the decryption of data received over the wireless connection and destined for the host, is performed by an additional cryptography module through which data communicated over the secure link passes. The cryptography module is preferably realized by a circuit which is separate from the first circuit and the second circuit.
According to another embodiment of the invention, authentication of a connection between the host and another computer device is performed by an additional authentication module through which data communicated over the secure link passes. The authentication module is preferably realized by a circuit which is separate from the first circuit and the second circuit.
An advantage of having separate circuits and modules is that their functionality can be tested and certified separately.
According to an embodiment of the invention, the second circuit is arranged for communication over more than one wireless connection. This is advantageous because the host can communicate over multiple connections. The host can e.g. communicate using different network standards or radio technologies, or the host can be a node in more than one network. The second circuit may be arranged to perform the various communications simultaneously. As an alternative, the second circuit can also be arranged to perform one communication at a time. For example, the second circuit may be configured to establish a wireless connection, and communicate over that connection, according to a predetermined set of rules, such as selecting the connection with the highest received signal strength or the highest transmission rate.
According to one embodiment of the invention, the communication over the wireless connection is performed using any or a combination of a plurality of network structuring techniques for wireless networks, including WLAN, Bluetooth, GSM, GPRS, UMTS, LTE and WiMAX.
According to an embodiment of the invention, the network interface device further comprises a one-way communication link for transmitting configuration data from the host to the second circuit.
Configuration data can e.g. be the settings required for the wireless connection, or any other parameters needed to perform the wireless communication.
Additional objects, features and advantages of the present invention will become apparent from the following detailed description, drawings, and appended claims. It will be appreciated that various features of the present invention may be combined to create other embodiments than those described below.
Brief Description of the Drawings
The above features and advantages of the present invention will become apparent from the following illustrative and non-limiting detailed description of embodiments of the invention, taken in conjunction with the accompanying drawings.
Fig. 1 shows an architecture of a host with a conventional wireless network interface device.
Fig. 2 shows an architecture of a host with an interface device for wireless networks according to an embodiment of the invention.
Fig. 3 shows an interface device for wireless networks with an additional cryptography module.
Fig. 4 shows an interface device for wireless networks using several kinds of network structuring techniques.
Fig. 5 shows an interface device for wireless networks with an additional one-way communication link for transmitting configuration data.
All figures are schematic, not necessarily to scale, and generally show only parts which are necessary for the clarification of the invention, other parts being omitted or only hinted at.
Detailed Description
Fig. 1 shows the architecture of a host computer device 10 provided with a conventional wireless network interface device 14 (WNID device). The host 10 may be any type of computer device equipped with a processor on which an operating system 11 comprising a core 12 may be executed, e.g. a computer, computer accessory, a network printer, a network drive, a wireless access point in a WLAN, a mobile phone or a PDA. The purpose of the WNID device 14 is to enable the host 10 to establish a wireless connection 16 with at least one other computer device and to communicate over the wireless connection 16, i.e. sending data to another computer device or receiving data from another computer device.
By establishing a wireless connection, the host can become a node in a wireless network.
The wireless communication 16 can be performed using any of the radio networking techniques and standards for wireless networks, such as WLAN (IEEE 802.11), Bluetooth (IEEE 802.15), GSM/GPRS/UMTS/LTE (3rd Generation Partnership Project, 3GPP), and WiMAX (IEEE 802.16). The WNID device 14 is configured with a radio transceiver (not shown in Fig. 1) to perform the communication over the wireless connection 16.
As an example, the host 10 may be a laptop connected to an in-house network or the Internet through a connection point in a WLAN.
As another example, a laptop can communicate via Bluetooth with a mobile telephone, which in turn communicates with the Internet over a mobile telephone network such as GSM / GPRS, UMTS, or LTE.
Laptops are often equipped with a built-in WLAN module, while desktops can be equipped with an expansion card. A WNID device can also be connected to a computer through an external input/output interface such as USB, FireWire, or PCMCIA.
Referring to Fig. 1, data originating from the host 10 to be transmitted over the wireless connection 16, as well as data received over the wireless connection 16 and going to the host 10, are communicated between the host 10 and the WNID device 14 by means of a driver 13 executed by a core 12 of the host operating system 11. Malicious data received over the wireless connection 16, e.g. data intended for an attack attempt, may spread through the driver 13 into the host core 12, where it may be executed and potentially cause a crash.
Referring to Fig. 2, a WNID device 20 according to an embodiment of the invention is described. The WNID device 20 is formed by a split architecture which separates a first circuit 21, which communicates with the core 12 of the host operating system 11, from a second circuit 22, which handles the wireless communication 16. The communication between the two circuits is performed over a secure communication link 23. Thus, the core 12 of the host operating system 11, by means of a driver 13', communicates only with the first circuit 21 of the WNID device 20. Data communicated by the host 10 over the wireless connection 16 is transmitted between the first circuit 21 and the second circuit 22 exclusively over the secure link 23. Data received by the WNID device 20 over the wireless connection 16 is processed in the second circuit 22 and transmitted to the first circuit 21 over the secure link 23. Thus, malicious data received by the WNID device 20 and intended to exploit a potential weakness in the protocol used for communication over the wireless connection 16 is not transmitted over the secure link 23 and therefore does not spread to the core 12 of the host operating system 11. The communication over the secure link 23 can be performed using any protocol that is less vulnerable than the wireless protocol used for the wireless communication 16.
Preferably a standardized protocol is used.
According to one embodiment of the invention, the secure link 23 is an Ethernet connection, as described by the IEEE 802.3 standard. In this case, a standard Ethernet circuit can be used for realizing the secure link 23 between the first circuit 21 and the second circuit 22. The first circuit 21 is, in this case, essentially an Ethernet interface device. Using a standardized technique for the secure link 23 is advantageous because readily available stocked components can be used.
Referring to Fig. 2, the second circuit 22 may include processor means for handling the communication over the wireless connection 16. The processor means may e.g. be realized by a processor (not shown in Fig. 2), an operating system 24 which is executed on the processor, and a driver 26 which is executed by the core 25 of the operating system 24 and which controls the second circuit 22.
Referring to Fig. 3, an alternative embodiment of a WNID device is described.
The WNID device 30 is similar to the WNID device 20, which was described with reference to Fig. 2, and includes a first circuit 31 for handling the communication with the host, and a second circuit 32 for handling the communication over the wireless connection 16. The secure link in the present embodiment, however, is provided for encrypting data transmitted by the host over the wireless connection (not shown in Fig. 3), and decrypting data received by the host over the wireless connection. The encryption and decryption can e.g. be performed by arranging the secure link with a cryptography module 34 between the first circuit 31 and the second circuit 32, so that the secure link is divided into two separate parts 33' and 33".
The cryptography module 34 can e.g. be realized by a circuit, a processor running suitable software, or a combination thereof. Preferably, the cryptography module is a standard cryptography chip. The two secure links 33' and 33" can be realized in the same way as described with reference to Fig. 2, e.g. as an Ethernet connection. In this case, a standard Ethernet circuit can be used to cooperate with the cryptography module 34. As an alternative, the realization of the secure links 33' and 33" may be adapted to fit the input data interface of the cryptography module 34.
It will be appreciated that, although the introduction of a cryptography module 34 has been described with reference to Fig. 3, other types of modules may be introduced instead. For example, according to another embodiment of the invention, an authentication module may be introduced for the purpose of authenticating the connection between the host and another computer device with which the host communicates.
Fig. 4 shows another embodiment of the WNID device. The WNID device 40 is arranged to establish several wireless connections 16', 16", 16''', over which the host can communicate. For example, the wireless connections 16', 16", 16''' can be established using various network structuring techniques for wireless networks such as WLAN, Bluetooth, GSM/GPRS, UMTS, LTE, or WiMAX. In this case, the second circuit 42 includes separate circuits 45', 45", 45''', at least one circuit for each type of network structuring technique required. For example, 45' can be a WLAN circuit, 45" a Bluetooth circuit, and 45''' a UMTS circuit. The circuits 45', 45", 45''' may also include other circuits necessary for establishing a wireless connection and transmitting and receiving data according to the respective network structuring technique, e.g. a radio transmitter, a radio receiver, or a built-in antenna (not shown in Fig. 4). The circuits can also share components and/or antennas.
The embodiment of the WNID device 40 described with reference to Fig. 4 is advantageous because the host can communicate over different types of wireless connections 16', 16", 16'''. For example, the WNID device 40 may be configured to select a connection among the available connections 16', 16", 16''' according to a set of rules. For example, the WNID device 40 may be configured to communicate over the connection that provides the highest transmission rate. As an alternative, the connection that results in the lowest energy consumption may be preferred. The WNID device 40 may also be arranged to communicate simultaneously over several wireless connections 16', 16", 16'''. This is advantageous because the host can take part in several communications. For example, the host can communicate with the Internet over WLAN while synchronizing a PDA's address book over Bluetooth.
Referring to Fig. 5, another embodiment of the invention is described.
The WNID device 50 includes a one-way communication link 56 for transmitting configuration data from the first circuit 51 to the second circuit 52. The host may e.g. send settings regarding the wireless connection 16 to the second circuit 52. The host 10 may also send a set of rules that can be used to determine which connection of a number of wireless connections is to be used for communication, as described with reference to Fig. 4. As another example, the host can send the WEP/WPA keys needed to encrypt/decrypt a WLAN connection. Using a one-way link 56 is advantageous because data can only be sent from the first circuit 51 to the second circuit 52, and not vice versa. Thus, data cannot be sent from the second circuit 52 over the one-way link 56 to the first circuit 51 in the event of an attack.
The data paths in the WNID device 50 are separated so that data communicated over the wireless connection 16 is transmitted over the secure link 53, while data regarding the configuration of the second circuit 52 is sent over the one-way link 56. The one-way link 56 may e.g. be realized by an optical communication link having an optical transmitter at the first module 51 and an optical receiver at the second module 52.
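The following Python model, added here as an illustration and not code from the patent, exercises the two isolation properties described for Fig. 2 and Fig. 5: a malformed air frame is rejected inside the second circuit and never reaches the first circuit, which only ever parses a fixed Ethernet header arriving over the secure link, and the one-way link refuses any transfer from the second circuit back to the first. The toy air framing, the class and function names, the MAC addresses and the sample frames are all constructed assumptions.

```python
from dataclasses import dataclass, field
from functools import reduce
from operator import xor
from typing import Optional

ETHERTYPE_IPV4 = 0x0800
ETH_MTU = 1500
AIR_SOF = 0xAA  # constructed start-of-frame byte of a toy wireless framing

class WirelessFault(Exception):
    """Malformed air frame: the kind of input aimed at the wireless stack."""

@dataclass
class WirelessCircuit:
    """Second circuit (22/52): the only place where the wireless protocol is parsed."""
    faults: int = 0
    config: dict = field(default_factory=dict)

    def parse_air_frame(self, frame: bytes) -> bytes:
        # Toy framing (constructed): SOF, 1-byte length, payload, 1-byte XOR checksum.
        if len(frame) < 3 or frame[0] != AIR_SOF:
            raise WirelessFault("bad start of frame")
        length = frame[1]
        if len(frame) != length + 3:
            raise WirelessFault("declared length does not match the frame")
        payload = frame[2:2 + length]
        if reduce(xor, payload, 0) != frame[2 + length]:
            raise WirelessFault("checksum mismatch")
        return payload

    def receive(self, frame: bytes) -> Optional[bytes]:
        try:
            return self.parse_air_frame(frame)
        except WirelessFault:
            self.faults += 1  # recorded on the wireless side; nothing crosses to the host
            return None

@dataclass
class HostCircuit:
    """First circuit (21/51): sees only IEEE 802.3 frames arriving from the secure link."""
    delivered: list = field(default_factory=list)

    def receive_ethernet(self, frame: bytes) -> None:
        ethertype = int.from_bytes(frame[12:14], "big") if len(frame) >= 14 else None
        if ethertype != ETHERTYPE_IPV4 or len(frame) - 14 > ETH_MTU:
            return  # only the fixed 14-byte header is parsed; anything else is dropped
        self.delivered.append(frame[14:])

def secure_link_to_host(payload: bytes, host: HostCircuit) -> None:
    """Secure link (23/53): re-frames the payload as Ethernet before the first circuit sees it."""
    dst, src = b"\x02" * 6, b"\x02\x00\x00\x00\x00\x01"  # constructed MAC addresses
    host.receive_ethernet(dst + src + ETHERTYPE_IPV4.to_bytes(2, "big") + payload)

def one_way_link(sender: str, receiver: str, data: dict, wireless: WirelessCircuit) -> bool:
    """One-way link (56): configuration flows first -> second only; anything else is refused."""
    if (sender, receiver) != ("first", "second"):
        return False
    wireless.config.update(data)
    return True

def build_air_frame(payload: bytes) -> bytes:
    return bytes([AIR_SOF, len(payload)]) + payload + bytes([reduce(xor, payload, 0)])

def demo() -> dict:
    host, wireless = HostCircuit(), WirelessCircuit()
    good = build_air_frame(b"\x45\x00 IPv4 packet (constructed)")
    bad = bytes([AIR_SOF, 200]) + b"\x00" * 10  # declared length far larger than the frame
    for frame in (good, bad):
        payload = wireless.receive(frame)
        if payload is not None:
            secure_link_to_host(payload, host)
    return {
        "host_delivered": len(host.delivered),  # 1: only the well-formed frame got through
        "wireless_faults": wireless.faults,     # 1: the malformed frame died in circuit 22
        "config_ok": one_way_link("first", "second", {"ssid": "example"}, wireless),
        "reverse_refused": not one_way_link("second", "first", {"leak": 1}, wireless),
    }
```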
The circuits, modules, and links described above can be realized by electronic components, integrated circuits (IC circuits), application specific integrated circuits (ASIC circuits), electrically programmable gate arrays (FPGA arrays), and/or complex programmable logic devices (CPLDs), or a combination thereof. It will also be appreciated that a circuit may, at least in part, be replaced by processor means, e.g. a processor executing appropriate software. One skilled in the art will appreciate that the present invention is in no way limited to the embodiments described above. On the contrary, many modifications and variations are possible within the scope of the appended claims. For example, the WNID device 40 described with reference to Fig. 4 may be provided for communication over a different number of connections than the three exemplified. It will also be appreciated that, despite the fact that separate circuits and modules are described above, any combination of circuits and/or modules, as well as the links, may be realized as integrated circuits. Thus, an embodiment of the invention may comprise any combination of standard components and components specially designed for the application at hand, e.g. ASIC circuits.
Claims:
Claims (11)
[1]
A network interface device (20, 30, 40, 50) for establishing a wireless connection (16, 16', 16", 16''') between a host computer device (10) and at least one other computer device, said network interface device comprising: a first circuit (21, 31, 41, 51) arranged to handle the communication with the host computer device, a second circuit (22, 32, 42, 52) separate from said first circuit, said second circuit being arranged to handle the communication over the wireless connection using a wireless protocol, and a secure communication link (23, 33'-33", 43, 53) arranged to connect said first circuit and said second circuit, data communicated by the host computer device over the wireless connection being transmitted between said first circuit and said second circuit exclusively through said secure communication link, and data received by the network interface device over the wireless connection being processed in the second circuit so that malicious data received by the network interface device and intended to exploit a potential vulnerability in the wireless protocol is not transmitted over the secure link.
[2]
The network interface device according to claim 1, wherein the communication through said secure communication link is performed using a non-wireless protocol.
[3]
The network interface device according to claim 1, wherein the communication through said secure communication link is performed using the third layer or a higher layer in the OSI model.
[4]
The network interface device of claim 1, wherein said secure communication link is an Ethernet connection.
[5]
The network interface device according to claim 1, wherein said second circuit comprises processor means (24, 25, 26) for handling the communication over the wireless connection.
[6]
The network interface device of claim 1, wherein said secure communication link comprises a third circuit (34) separate from said first circuit and said second circuit, said third circuit being arranged to encrypt data transmitted from said first circuit to said second circuit and to decrypt data transmitted from said second circuit to said first circuit.
[7]
The network interface device of claim 1, wherein said secure communication link further comprises a third circuit (34) separate from said first circuit and said second circuit, said third circuit being arranged to authenticate data communicated over the wireless connection.
[8]
The network interface device according to claim 1, wherein said second circuit is arranged for communication over a number of wireless connections (16', 16", 16''').
[9]
The network interface device of claim 1 or 8, wherein said at least one wireless connection is established using any or a combination of wireless network structuring techniques, including WLAN, Bluetooth, GSM, GPRS, UMTS, LTE and WiMAX.
[10]
The network interface device of claim 1, further comprising a one-way communication link (56) arranged to transmit configuration data from said first circuit to said second circuit.
[11]
A computer device comprising the network interface device according to any one of the preceding claims.
Patent family:
Publication number | Publication date
WO2010108513A1|2010-09-30|
Legal status:
2013-11-12| REJA| Rejection of a published patent application|
Priority:
Application number | Filing date | Patent title
PCT/EP2009/002207|WO2010108513A1|2009-03-26|2009-03-26|Wireless-network interface with split architecture|