Expandable modular secure network system, architecture, and secure network modules therefor

The modular network security system addresses vulnerabilities in existing secure network systems by using cryptographic processors for secure communication and expansion, enhancing security and scalability.

JP2026520138A · Pending · Publication Date: 2026-06-22 · CRYPTO4A TECHNOLOGIES INC

Patent Information

Authority / Receiving Office: JP
Patent Type: Applications
Current Assignee / Owner: CRYPTO4A TECHNOLOGIES INC
Filing Date: 2024-05-30
Publication Date: 2026-06-22

AI Technical Summary

Technical Problem

Existing secure network systems face challenges in providing extensible, modular, and secure architectures due to vulnerabilities from physical tampering and misconfiguration in both physical and virtual network zoning architectures.

Method used

A modular network security system comprising a cradle with network module slots and modules equipped with cryptographic processors that securely interface via a cradle communication network, enabling secure communication and modular expansion within a compact footprint.

Benefits of technology

The system enhances security and scalability by ensuring secure communication and modular expansion, reducing physical footprint, and minimizing vulnerabilities through cryptographic protection and self-organization of network modules.

✦ Generated by Eureka AI based on patent content.


Abstract

Various embodiments of an expandable modular secure network system, architecture, and secure network modules therefor are disclosed. In one example, the modular network security system comprises a cradle defining a plurality of juxtaposed network module slots having cradle slot interfaces to an integrated cradle communication network, and a plurality of network modules, each having a corresponding cradle network interface. At least one of the network modules includes a wired cryptographic processor operably interfaced with the corresponding cradle network interface to cryptographically secure communications between at least some of the modules over the integrated cradle communication network.

Description

Technical Field

[0001] The present disclosure relates to a secure network system, and more particularly to an extensible modular secure network system, an architecture, and a secure network module therefor.

Background Art

[0002] The provision, customization, and management of secure network infrastructure are ongoing challenges in the provision of secure, accurate, and reliable network services and resources, for example, because there is a continuously increasing demand for such services and resources.

[0003] As an example, a hardware security module (HSM) that provides a physical computing device for protecting and managing digital keys for digital system authentication and cryptographic processing is known. For example, HSMs are routinely part of mission-critical infrastructure such as public key infrastructures or online banking applications. These modules have conventionally been provided in the form of plug-in cards or external devices that connect directly to a computer or network server.

[0004] In the implementation of external devices, hardware processors and memory devices are housed inside tamper-proof enclosures or similar structures to minimize unauthorized access and hardware tampering, and to provide logging of evidence of tampering as needed. External input/output interfaces may be design-specific and are provided via PCMCIA (Personal Computer Memory Card International Association), PC card interfaces, smart card interfaces, USB ports, or any other communication interface that works with internal memory used to store private keys and similar data in the associated key space, and with a cryptographic engine that processes these keys for intended purposes (authentication and/or authorization, encryption/decryption, etc.). PCI or PCIe (Peripheral Component Interconnect Express) interfaces may also be provided as alternatives to achieve similar implementations.

[0005] In network implementations, a network-attached HSM can take the form of a standard HSM linked to an appliance server, which can interface the same network-attached HSM with separate services by mediating access to the HSM (for example, an integrated HSM PCIe card can internally interface to an appliance server via an application layer interface). For instance, HSM access software running on an appliance server can sort various incoming requests received from separate network-accessible sources and channels and manage the processing of those requests by the HSM on a single server-HSM channel. Ultimately, since the HSM runs in response to the appliance server, it generally does not need to be aware of the appliance server's sorting and management functions.

[0006] The SafeNet Luna SA/Network HSM (Gemalto, Belcamp, MD; see, for example, Non-Patent Document 1) provides an example of a network HSM in which multiple HSM hardware storage partitions are defined to protect corresponding cryptographic keys. These keys are stored to serve corresponding network applications via onboard access software, which provides network link services to the appliance, and the appliance executes programmed logic to interface with various network applications on the one hand with the partitioned key space and on the other hand with the corresponding protected network connection (i.e., SSL). This allows for simultaneous service to various network applications or clients over their respective secure network connections, and furthermore, a common HSM network interface can be used to provide partitioned storage means to store application-specific keys in separate storage partitions.

[0007] Some HSMs available on the market today have the ability to run specially developed modules within the secure enclosure of the HSM. Such a capability is useful, for example, when special algorithms or business logic must be executed in a protected and controlled environment. For example, the HSM offered by Thales e-Security (Plantation, FL, see, e.g., Non-Patent Document 2) facilitates the ability to host critical applications within the security boundary of the HSM to establish tamper-proof business processing (i.e., those that are generally executed within a tamper-proof execution environment) in addition to protecting cryptographic operations.

[0008] Patent Document 1 describes "Cloud-Based Hardware Security Modules" that provide core security functions for physically controlled HSMs such as USB HSMs, while simultaneously enabling cloud-based HSMs to be accessed by users in the cloud from user devices, such as user devices without input ports that allow direct connection to the HSM. The HSM can connect to a multi-HSM appliance on the organization or user side in the cloud network, or on the cloud provider side in the cloud network. The HSM can support multiple users, and the multi-HSM appliance can support multiple organizations.

[0009] Patent Document 2 describes "Systems and Methods for Using Extended Hardware Security Modules," which provides additional security features for conventional HSMs and methods for initializing, deploying, and managing the extended HSM in a networked environment. The extended HSM is described as generally including additional hardware and software components configured to run sensitive client tasks on demand within a tamper-proof HSM enclosure hosted in the cloud, ensuring that sensitive data is encrypted when stored or processed outside the enclosure. By deploying virtualization technology within the extended HSM, the virtual HSM can be implemented as a virtual machine or a more efficient, lightweight operating system-level virtualized container. Thus, a single extended HSM host can run one or more virtualized extended HSM guests in their respective virtualization spaces. That is, the host HSM can provide guests with virtual network interfaces that implement the network interface functionality provided, using its underlying hardware network interfaces.

[0010] Furthermore, multilevel network architectures are commonly deployed when heterogeneous network resources are required to establish specific network data paths across network zones and/or interfaces, and especially between them, in order to deliver a particular service or application. Physical isolation between network resources is also common in high-security implementations, for example, when physically isolated network security zones may be required to protect backend resources deployed in high-security zones from public and/or low-security authenticated user zones. In some high-security installations, establishing physically isolated network devices/appliances is actually a requirement to meet security compliance standards that go beyond the basic commercial network standards described above, for example, in the Federal Information Processing Standards (FIPS 140-2) document issued by the National Institute of Standards and Technology (NIST). This may trigger a network security zoning architecture that physically separates a high-security zone where confidential, access-restricted databases or application servers are implemented from a public access zone operating under lower access security standards, in order to enable more user access and operation.

[0011] Generally, multilevel network architectures, such as network security zoning architectures, take the form of a stack of separate network-enabled devices interconnected according to a specified operational network design via a series of corresponding physical network interface controllers and wiring, relaying data, commands, and instructions over a set of established (protected) data channels. In doing so, a reasonable level of security can be achieved through the physical segmentation of each externally interconnected network device. Nevertheless, network tampering can still occur, for example, through physical reconnection of target devices, unauthorized local access via external physical connections to one or more target devices, introduction of unauthorized hacking devices, or unauthorized reassignment of ports and/or data channels by software-defined means on tampered or compromised devices. Therefore, ensuring the physical security of such architectures is also considered important.

[0012] An alternative solution to physically isolated network devices may involve virtualizing specific network resources through software, combining multiple such resources on the same network device or appliance. This allows a set of virtual network interface controllers to be configured in software to define appropriate virtual interfaces between various virtualized network components on the same physical device, rather than physically interconnecting network devices as described above. In the context of network security zoning, system designers will consider at least partially decomposing a given network zoning architecture into one or more virtualization zones (e.g., physically isolated zone-by-zone virtualization or physically integrated zone virtualization; see, for example, Non-Patent Document 3). Contrary to its physical implementation, a virtualization zoning architecture reduces the required hardware by interconnecting virtualization servers via virtual switches, network interface controllers, etc. While this makes the system easier to implement and customize through software management applications, it also makes it more vulnerable to misconfiguration or tampering with virtualization system components, potentially leading to loss of zone isolation and/or data leakage.

[0013] This background information is provided to clarify information that the applicant considers to be relevant. It is not necessarily intended, nor should it be interpreted, that any of the aforementioned pieces of information constitutes prior art or forms part of common sense in the relevant art.

[Prior Art Documents]

[Patent Documents]

[0014]
[Patent Document 1] U.S. Patent Application Publication No. 2013/0219164
[Patent Document 2] International Publication No. 2016/099644

[Non-Patent Literature]

[0015]
[Non-Patent Document 1] https://safenet.gemalto.com/data-encryption/hardware-security-modules-hsms/safenet-network-hsm/
[Non-Patent Document 2] https://www.thales-esecurity.com/products-and-services/products-and-services/hardware-security-modules
[Non-Patent Document 3] Network Segmentation in Virtualized Environments, VMware: https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/techpaper/network_segmentation.pdf

[Summary of the Invention]

[0016] The following provides a simplified overview of the general concepts of the inventions described herein to give a basic understanding of some aspects of this disclosure. This overview is not an exhaustive overview of this disclosure. It does not limit the main or important elements of the embodiments of this disclosure, nor does it limit the scope beyond what is explicitly or implicitly described by the following detailed description and claims.

[0017] There is a need for extensible, modular, and secure network systems, architectures, and secure network modules therefor that overcome some of the shortcomings of known technologies, or at least provide useful alternatives thereto. Some aspects of this disclosure provide examples of such systems, devices, modules, and associated processes.

[0018] According to one embodiment, a modular network security system is provided, comprising: a cradle sized to define a plurality of juxtaposed network module slots, each network module slot having a cradle slot interface to an integrated cradle communication network at its terminal end; and a plurality of network modules sized to be mounted juxtaposed within each network module slot, each network module having a corresponding cradle network interface such that, when a given network module is mounted within a given network cradle slot, the corresponding cradle network interface physically engages with the cradle slot interface to interface the given network module with the integrated cradle communication network, wherein each network module includes a cryptographic processor that operably interfaces with the corresponding cradle network interface and cryptographically protects intermodule communication over the integrated cradle communication network.

[0019] According to one embodiment, a modular network security system is provided, comprising: a cradle sized to define a plurality of juxtaposed network module slots, each network module slot having a cradle slot interface to an integrated cradle communication network at its terminal end; and a plurality of network modules sized to be mounted juxtaposed within each network module slot, each network module having a corresponding cradle network interface such that, when a given network module is mounted in a given network cradle slot, the corresponding cradle network interface physically engages with the cradle slot interface to interface the given network module with the integrated cradle communication network, wherein at least one of the network modules includes a wired cryptographic processor internally that is operably interfaced with the corresponding cradle network interface to securely encrypt communications between at least a portion of the modules over the integrated cradle communication network.

[0020] According to one embodiment, at least one of the network modules includes a network module processing engine that performs dedicated module-specific processing, and its cryptographic processor operably interfaces between the network module processing engine and a corresponding cradle network interface so as to cryptographically protect the dedicated module-specific processing from separate network module processing.

[0021] According to one embodiment, at least one of the network modules includes an external network interface and an external network module processing engine, which are capable of performing external network interface processing to exchange external network communications with a cryptographic processor for cryptographic processing before engaging with an integrated cradle network.

[0022] According to one embodiment, the integrated cradle network includes a cradle agent operable to monitor the operation of each of the network modules via each cradle slot interface.

[0023] According to one embodiment, in response to mounting a new network module that interfaces with the integrated cradle network, the cryptographic processor of the new network module is operable to communicate with the cryptographic processors of other network modules that interface with the integrated cradle network to establish secure communication therewith.

[0024] According to one embodiment, secure communication is established with the new network module in response to at least one of the other network modules having cryptographically authenticated the new network module.

[0025] According to one embodiment, the new network module performs a cryptographic self-identification process with the other network modules.
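The self-identification and authentication of a newly mounted module described in [0023] to [0025] can be modelled in code. The Go program below is an added example, not part of the patent: it assumes a manufacturer root key that signs each module's identity, Ed25519 signatures and X25519 key agreement, none of which the patent specifies, and shows an existing module and a newcomer authenticating each other over the cradle network before a session key is stored on either side.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Cert is a module's factory identity: a manufacturer root key (assumed by this
// model; the patent names no root of trust) signs the module ID and identity key.
type Cert struct {
	ModuleID    string
	IdentityPub ed25519.PublicKey
	RootSig     []byte
}

func certBytes(id string, pub ed25519.PublicKey) []byte { return append([]byte(id+"|"), pub...) }

// Module models one network module's cryptographic processor state.
type Module struct {
	Cert         Cert
	identityPriv ed25519.PrivateKey
	Sessions     map[string][]byte // peer module ID -> 32-byte session key
}

// Provision creates a module identity and has the root sign it (factory step).
func Provision(root ed25519.PrivateKey, id string) *Module {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Module{Cert{id, pub, ed25519.Sign(root, certBytes(id, pub))}, priv, map[string][]byte{}}
}

// verifyPeer checks the peer certificate against the trusted root, then the
// peer's identity signature over the transcript of the exchange.
func verifyPeer(root ed25519.PublicKey, c Cert, tr, sig []byte) error {
	if !ed25519.Verify(root, certBytes(c.ModuleID, c.IdentityPub), c.RootSig) {
		return fmt.Errorf("module %q: certificate not signed by trusted root", c.ModuleID)
	}
	if !ed25519.Verify(c.IdentityPub, tr, sig) {
		return fmt.Errorf("module %q: transcript signature invalid", c.ModuleID)
	}
	return nil
}

// agree derives a session key from the X25519 shared secret and the transcript.
func agree(eph *ecdh.PrivateKey, peerEph, tr []byte) ([]byte, error) {
	pub, err := ecdh.X25519().NewPublicKey(peerEph)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(pub)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(bytes.Join([][]byte{[]byte("cradle-session-v1"), shared, tr}, nil))
	return key[:], nil
}

// Pair runs the mutual authentication between a module already in the cradle and
// a newly mounted one, with both sides' steps computed in one place.
func Pair(root ed25519.PublicKey, existing, fresh *Module) error {
	ephE, _ := ecdh.X25519().GenerateKey(rand.Reader) // fresh ephemeral key per pairing
	ephF, _ := ecdh.X25519().GenerateKey(rand.Reader)
	pubE, pubF := ephE.PublicKey().Bytes(), ephF.PublicKey().Bytes()
	// Each side's hello on the cradle network is (Cert, ephemeral public key). The
	// transcript binds both hellos so a signature cannot be replayed into another pairing.
	tr := bytes.Join([][]byte{[]byte(existing.Cert.ModuleID), pubE, []byte(fresh.Cert.ModuleID), pubF}, []byte{0})
	sigE := ed25519.Sign(existing.identityPriv, tr)
	sigF := ed25519.Sign(fresh.identityPriv, tr)
	if err := verifyPeer(root, fresh.Cert, tr, sigF); err != nil { // existing authenticates newcomer
		return err
	}
	if err := verifyPeer(root, existing.Cert, tr, sigE); err != nil { // newcomer authenticates existing
		return err
	}
	keyE, errE := agree(ephE, pubF, tr)
	keyF, errF := agree(ephF, pubE, tr)
	if errE != nil || errF != nil || !bytes.Equal(keyE, keyF) {
		return fmt.Errorf("key agreement failed")
	}
	existing.Sessions[fresh.Cert.ModuleID] = keyE
	fresh.Sessions[existing.Cert.ModuleID] = keyF
	return nil
}

func main() {
	rootPub, rootPriv, _ := ed25519.GenerateKey(rand.Reader)
	hsm := Provision(rootPriv, "hsm-slot-1")
	fmt.Println("trusted module:", Pair(rootPub, hsm, Provision(rootPriv, "compute-slot-2")))
	_, rogueRoot, _ := ed25519.GenerateKey(rand.Reader) // module from an untrusted supplier
	fmt.Println("rogue module:", Pair(rootPub, hsm, Provision(rogueRoot, "rogue-slot-3")))
}
```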

[0026] According to one embodiment, each of the modules is further powered via the cradle slot interface.

[0027] According to one embodiment, the cradle is configured to hold a horizontal stack of vertical network modules, and the horizontal stack is dimensioned to correspond to two or more network rack units.

[0028] According to one embodiment, the horizontal stack is dimensioned to correspond to three network rack units.

[0029] In one embodiment, the cradle is mountable to or within a rack or cabinet of a communication network.

[0030] According to one embodiment, the cradle is configured to hold a lateral stack of juxtaposed lateral network modules, the lateral stack being sized to accommodate one or more network rack units.

[0031] In one embodiment, the cradle is configured to hold a lateral stack of vertical network modules and to further hold one or more lateral network modules positioned laterally above or below the lateral stack.

[0032] In one embodiment, the multiple network modules consist of separate network module types, each wired to provide distinct dedicated functions during operation, and when combined, the multiple network modules cooperate by communicating via a cradle communication network to perform a common network solution.

[0033] In one embodiment, at least one network module equipped with a cryptographic processor defines a network security module, while at least one of a separate network module type defines a network computing module that performs dedicated module-specific processing, which relies on the implementation of the cryptographic processor by the network security module via an integrated cradle communication network to perform cryptographic processing necessary for module-specific processing.

[0034] In one embodiment, at least one of the network modules is wired to define a time synchronization module comprising a precision timing device integrated therein and a given cryptographic processor capable of securely providing digitally trusted time resources to at least one other network module via a cradle network.

[0035] In one embodiment, at least one of the network modules is wired to define a geolocation module comprising a global positioning system component integrated therein and a given cryptographic processor capable of operating to securely provide digitally trusted geolocation to a modular network security system.

[0036] In one embodiment, the cryptographic processor is operably coupled to at least one of the network modules via a hardware-integrated PCIe card.

[0037] In one embodiment, the system further comprises a management module having an internally hardwired management engine and a cradle network interface that operably interfaces with the plurality of network modules via the cradle communication network.

[0038] In one embodiment, the system comprises two management modules, each management module defining a control plane and a data plane, respectively, and further comprising an external network interface defining a restricted plane for communication between multiple network modules via a cradle network.

[0039] In another embodiment, a modular network security system is provided, comprising: a cradle sized to define a plurality of side-by-side network module slots; and a plurality of network modules sized to be mounted (vertically and) side-by-side within each network module slot, wherein at least two of the network modules are equipped with a network interface, an integrated processing engine, and an integrated cryptographic processor capable of performing cryptographic processing on communications exchanged with the integrated processing engine.

[0040] According to one embodiment, the multiple network modules are sized to accommodate two or more network rack units when mounted vertically and side by side within the cradle.

[0041] According to one embodiment, the multiple network modules are sized to accommodate three network rack units when mounted vertically and side by side within the cradle.

[0042] According to one embodiment, the cradle further comprises an integrated physical cradle network, and each network module is capable of operating to communicate digitally with one another on the cradle network.

[0043] According to one embodiment, the network modules communicate with each other encrypted via their respective cryptographic processors on the cradle network.

[0044] According to one embodiment, at least one integrated processing engine performs network-connected host processing.

[0045] According to one embodiment, the cryptographic processor includes a hardware security module.

[0046] In another embodiment, a secure network module is provided, comprising: a chassis that can be mounted laterally alongside other corresponding network modules operably mounted in a common server rack within the same rack unit; a network interface operably positioned on the front of the chassis and interfacing with an internal external network wiring connector; an integrated processing engine operably mounted within the chassis and interfaced via the network interface to process external network communications; and an integrated cryptographic processor operably mounted within the chassis to interface with the integrated processing engine and perform cryptographic processing on internal communications exchanged with the integrated processing engine.

[0047] According to one embodiment, the secure network module is sized to accommodate two or more network rack units when mounted vertically in a common server rack.

[0048] According to one embodiment, the secure network module is sized to accommodate three network rack units when mounted vertically in a common server rack.

[0049] According to one embodiment, the secure network module further comprises a rack network interface operably located on the rear of the chassis to interface with a corresponding secure wired rack network when operably mounted to communicate digitally with other corresponding network modules.

[0050] According to one embodiment, the cryptographic processor can operate to communicate encrypted with other network modules on a secure wired rack network.

[0051] According to one embodiment, the integrated processing engine performs network-connected host processing.

[0052] According to one embodiment, the cryptographic processor includes a hardware security module.

[0053] According to one embodiment, the secure network module further comprises a GPS chip which is operably wired to a processing engine and is operable to provide the trusted location of the module and/or other network modules.

[0054] According to one embodiment, the secure network module further comprises a secure timing device which is operably wired to a processing engine and is operable to provide reliable time to the module and/or other network modules.

[0055] According to one embodiment, the chassis is a vertically mountable chassis and is mounted in the vertical direction.

[0056] Other aspects, features and/or advantageous effects will become more apparent from the following non-limiting description of specific embodiments given only as examples with reference to the accompanying drawings.

[0057] Several embodiments of the present disclosure are provided for illustrative purposes only with reference to the accompanying drawings.

[Brief Description of the Drawings]

[0058]
[Figure 1] A schematic diagram of a secure network module operable to interface with an external network, according to one embodiment.
[Figure 2] A schematic diagram of a secure network module adapted for internal operation without direct external network access, according to one embodiment.
[Figure 3] A schematic diagram of an exemplary hardware security module (HSM) operable as the security processor of the secure network module of Figure 1 or 2, according to one embodiment.
[Figure 4] A schematic diagram of an alternative hardware security module (HSM) operable as the security processor of the secure network module of Figure 1 or 2, according to one embodiment.
[Figure 5] A schematic diagram of an expandable assembly of secure network modules, each operable to interface with its own external network connection, according to one embodiment.
[Figure 6] A schematic diagram of an expandable assembly of secure network modules such as those of Figures 1 and 2, in which only the first module interfaces directly with the external network while the downstream modules are isolated from that network by the first module, according to one embodiment.
[Figure 7] A schematic diagram of a cradle that interconnects multiple secure network modules and simultaneously provides access to an integrated, separately network-interfaceable cradle agent, according to one embodiment.
[Figure 8] A schematic diagram of the expandable assembly of secure network modules of Figure 5 operably mounted in the cradle of Figure 7, according to one embodiment.
[Figure 9] A schematic diagram of the expandable assembly of secure network modules of Figure 6 operably mounted in the cradle of Figure 7, according to one embodiment.
[Figure 10] A top-level schematic diagram of a cross-domain solution (CDS) assembled from a series of secure network modules, such as those of Figures 1 and 2, operably mounted in a cradle such as that of Figure 7, according to one embodiment.
[Figure 11A] A perspective view of a secure network module, according to one embodiment.
[Figure 11B] A top view of a secure network module, according to one embodiment.
[Figure 11C] A side view of a secure network module, according to one embodiment.
[Figure 11D] A front elevation view of a secure network module, according to one embodiment.
[Figure 11E] A rear elevation view of a secure network module, according to one embodiment.
[Figure 12] A schematic perspective view of the internal structure of the secure network module of Figure 11A, according to one embodiment.
[Figure 13A] A front perspective view of a single-module desktop chassis having a single secure network module operably housed inside, according to one embodiment.
[Figure 13B] A rear perspective view of a single-module desktop chassis having a single secure network module operably housed inside, according to one embodiment.
[Figure 13C] A top view of the single-module desktop chassis of Figures 13A and 13B.
[Figure 13D] A side view of the single-module desktop chassis of Figures 13A and 13B.
[Figure 13E] A front elevation view of the single-module desktop chassis of Figures 13A and 13B.
[Figure 13F] A rear elevation view of the single-module desktop chassis of Figures 13A and 13B.
[Figure 14] A perspective view of a 10-module chassis having a set of ten secure network modules operably mounted inside and operably interfaced with its integrated cradle, which can be mounted or assembled to occupy a 3 rack unit (3RU) space in a standard server rack, according to one embodiment.
[Figure 15] A perspective view of a 12-module chassis having a set of twelve secure network modules operably mounted inside and operably interfaced with its integrated cradle, which can be mounted or assembled to occupy a 3 open rack unit (3OU) space in a larger server rack, according to one embodiment.
[Figure 16A] A perspective view of a 3-module chassis having a set of three laterally arranged secure network modules operably mounted inside and operably interfaced with its integrated cradle, which can be mounted or assembled to occupy a 1 rack unit (1RU) space in a standard server rack, according to one embodiment.
[Figure 16B] Front and side views of a three-module chassis having a set of three laterally arranged secure network modules operably mounted inside and operably interfaced with its integrated cradle, which can be mounted or assembled to occupy a single rack unit (1RU) space in a standard server rack, according to one embodiment.
[Figure 17A] A schematic diagram of an expandable assembly of secure network modules including, in this example, a dual quantum guaranteed security blade module, according to one embodiment.
[Figure 17B] A schematic diagram of an expandable assembly in which the dual quantum guaranteed security blade module of Figure 17A is combined with a secure network module operable to interface with an external network, such as that of Figure 1, according to one embodiment.
[Figure 17C] A schematic diagram of the expandable assembly of secure network modules of Figure 17B operably mounted in the cradle of Figure 7, according to one embodiment.
[Figure 18] A schematic diagram of an expandable assembly of secure network modules including, in this example, a time synchronization blade module, according to one embodiment.
[Figure 19] A schematic diagram of an expandable assembly of secure network modules including, in this example, a geolocation synchronization blade module, according to one embodiment.
[Figure 20] A schematic diagram of an expandable assembly of secure network modules including, in this example, a network switch blade module, according to one embodiment.
[Figure 21] A schematic diagram of an expandable assembly of secure network modules including, in this example, a network blade module integrating a processing engine and a Peripheral Component Interconnect Express (PCIe) card, according to one embodiment.
[Figure 22] A schematic diagram of an expandable assembly of secure network modules including, in this example, a network blade module integrating two PCIe cards interconnected by a PCIe bridge, according to one embodiment.
[Figure 23] A schematic diagram of an expandable assembly of secure network modules including, in this example, a dual computing blade module with two hardware-integrated and isolated processing engines, according to one embodiment.
[Figure 24] A schematic diagram of a secure network module operable as a smart chassis management module and having an integrated management engine, according to one embodiment.
[Figure 25A] A schematic diagram of another secure network module operable as a smart chassis management module, which in this embodiment combines an integrated, communicatively linked management engine with a network switch processor.
[Figure 25B] A schematic diagram of a pair of the smart chassis management modules of Figure 25A operably mounted in the cradle of Figure 7, according to one embodiment.
[Figure 25C] A schematic diagram of the pair of smart chassis management modules of Figure 25B operably mounted in the cradle, further illustrating the operable mounting of an expandable assembly of secure network modules such as those of Figure 5, according to one embodiment.
[Figure 26] A schematic diagram of a smart chassis assembly that maintains an isolated control plane and data plane, according to one embodiment.

[Modes for Carrying Out the Invention]

[0059] Some elements in the drawings are illustrated for simplicity and clarity and are not necessarily drawn to scale. For example, the dimensions of some elements in the drawings may be exaggerated relative to others to facilitate understanding of the various embodiments disclosed herein. Also, common but well-understood elements that are useful or necessary in commercially viable embodiments are often omitted so as to keep the illustrations of these various embodiments of the disclosure uncluttered.

[0060] Various embodiments and aspects of this specification will be described below with reference to the details set forth herein. The following description and drawings are for illustrative purposes only and should not be construed as limiting this specification. Numerous specific details are provided to give a thorough understanding of the various embodiments of this specification. However, in certain cases, well-known or conventional details are omitted in order to give a concise description of the embodiments of this specification.

[0061] Various apparatuses and processes are described below to give examples of implementations of the system disclosed herein. None of the embodiments described below is intended to limit the claimed embodiments, and any claimed embodiment may encompass processes or apparatuses different from those described below. The claimed embodiments are not limited to apparatuses or processes having all of the features of any one of the apparatuses or processes described below, nor are they limited to features common to some or all of the apparatuses or processes described below. The apparatuses or processes described below may not be embodiments of the claimed subject matter.

[0062] Furthermore, numerous specific details are provided to give a complete understanding of the embodiments described herein. However, it should be understood by those skilled in the art that the embodiments described herein can be carried out without these specific details. In other cases, well-known methods, procedures, and components are not described in detail so as not to obscure the embodiments described herein.

[0063] In this specification, elements may be described as "configured to perform" or "configured for" one or more functions. Generally, an element configured to perform, or configured for, a function is capable of performing that function, suitable for performing that function, adapted to perform that function, or operable to perform that function.

[0064] For the purposes of this specification, it is understood that the phrases "at least one of X, Y, and Z" and "one or more of X, Y, and Z" may be interpreted as X only, Y only, Z only, or any combination of two or more of the items X, Y, and Z (e.g., XYZ, XY, YZ, XZ, etc.). A similar logic applies to two or more items wherever the phrases "at least one..." and "one or more..." appear.

[0065] The systems, devices, and methods described herein provide, according to various embodiments, a variety of scalable, modular secure network systems, architectures, and secure network modules therefor. As will be further detailed below, the set of secure network modules described herein provides a customizable and scalable secure network architecture and can be assembled to reduce the overall hardware footprint and/or increase the overall security of the assembled network services. For example, whereas a standard secure network architecture typically involves stacking multiple rack-unit appliances vertically within a standard server rack and interconnecting them via standard network cabling, the solutions provided herein enable a more compact arrangement of secure server modules that can optionally be combined and provided as a secure and compact network architecture using standard server racks and associated onboard equipment.

[0066] For example, according to some embodiments, one or more secure network modules can be arranged vertically within a server-rack-mounted cradle, so that each of the arranged secure network modules or blades can optionally interface with an external network or component via standard network cabling, while simultaneously interfacing securely with one another through internal backend cradle connector arrangements. This allows multiple vertically arranged secure network modules or blades to be assembled scalably within a secure network architecture while minimizing their physical footprint (e.g., a set of six, eight, ten, twelve or more vertically arranged blade modules occupying two, three or more standard rack unit (RU) spaces). In other embodiments, a set of adjacent, horizontally arranged network blade modules may be assembled in the secure network architecture, for example to fill a single rack unit, while providing further modularity and scalability relative to the larger vertical embodiments. Furthermore, each blade module can be used interchangeably in a vertical or horizontal configuration depending on the network cradle used for a particular purpose. As will be readily apparent to those skilled in the art upon reading the following detailed description, the modular design provided by the embodiments described herein further enhances system compatibility, upgradeability, scalability, and serviceability, to name a few.

[0067] Furthermore, a set of network modules residing within a single cradle chassis, connected via a backend cradle network, possesses the ability to self-organize and operate as a single digital entity. Various network modules may be capable of operating to perform common digital tasks, while each module is responsible for performing individual components of those common digital tasks. Existing network modules leverage their ability to discover new network modules and work collaboratively to achieve common digital tasks.

[0068] Referring to Figure 1, a secure network module, generally referred to by reference numeral 100, is described according to one embodiment. In the illustrated embodiment, and as will be described in more detail below, the module 100 comprises a processing engine 102 operable to perform one or more digital processes relating to, or providing services to, a target network architecture, and a security processor 104 operable to perform one or more related network security processes. For example, the processing engine 102 may include, but is not limited to, a processor such as a 4-core or 16-core Intel processor running Linux® or a similar operating system. The security processor 104, on the other hand, may, according to one embodiment and as will be described further below, include a cryptographic processing complex 106, such as one provided by a hardware security module (HSM), and a wired interconnection matrix 108 that includes, for example, a set of embedded wired channel resources 110. The illustrated module 100 further includes, as will be described later, an external network interface/connector 112 configurably positioned to interface with, for example, the network interface of the processing engine 102, and a backend power and input/output interface/connector 114 configurably positioned to interface with an internal network such as a cradle network.

[0069] As described above, the secure network architecture may be assembled using a number of secure network modules, such as module 100 in Figure 1, to provide a set of network-related services and functions, such as those provided by the processing engine 102, and to simultaneously leverage the cryptographic functions of the integrated security processor 104 of each module. Figure 5 provides an example of a stacked architecture 500 comprising a set of modules 100, where all or some of the set of modules 100 may be interfaced to an external network or component (including unprotected module interconnections) via their integrated network interface 112, while all or some may be more securely interconnected via their respective backend (cradle) interfaces 114.

[0070] In some assemblies, a given network module may, advantageously, operate at a higher security level even without a direct external network interface. For example, referring further to Figure 2, a similar secure network module 200 also comprises a processing engine 202 and a security processor 204, the latter again including an interconnection matrix 208 incorporating a cryptographic processing complex 206 and one or more hardware channel resources 210, but in this embodiment the module (actively) includes only a backend power and input/output cradle interface 214. That is, the module 200 may be manufactured without any external network ports at all, or, alternatively, may be internally wired or configured to remove or avoid any operational link or interface to the network ports it does include (for example, every module may be manufactured with hardware network ports, while some modules are specifically internally configured or customized to disable those hardware network ports). Figure 6 provides an example of a stacked architecture 600 comprising a set of network-isolated modules 200 behind a first network interface module 100. For example, external connectivity may be provided through the network interface 112 of the first module 100, allowing secure network processing requests to be relayed via an external communication network. In this example, the processing engine of the first module 100 may perform standard network server functions in managing incoming and outgoing network communications, while the security processor of the first module 100 performs one or more cryptographic processes to securely pass incoming and outgoing communications through the first module 100 and simultaneously interfaces with one or more downstream network-isolated modules 200 via the backend connector.
Each of the network-isolated modules 200 itself interfaces securely with the internal (cradle) network via its integrated security processor 204 and delivers protected network-related resources or services via its integrated, network-isolated processing engine 202. In this embodiment, the processing engine 202 of the network-isolated module may operate as a confidential computing engine, with the processor and its memory operating in an enhanced network security environment. This confidential resource may provide direct services for a specific application or, alternatively, act as a centralized network resource for other modules. For example, a given module may include a high-precision timekeeping device, such as an atomic clock, and be configured to securely provide a trusted time resource for all other modules in its cluster and/or in adjacent clusters (see, for example, Figure 18). In that case the network-isolated module services other modules, which thereby benefit from its enhanced security environment. As will be apparent to those skilled in the art, alternative embodiments may include a stacked architecture consisting exclusively of, for example, a set of network-isolated modules 200 in a dedicated local facility, or, alternatively, provided in the context of a multi-cradle facility deploying secure inter-cradle communication.

[0071] In these examples, the externally network-isolated computing blade can operate as a confidential computing blade even without a security processor of its own. For example, a simplified confidential computing blade can be used to ensure the confidential execution of a software load. Because the network port on the front of the module is removed or disabled, all communication must pass through the backplane connector from another blade housing a security processor, and that blade's network port communicates securely through quantum-secure HSM-to-HSM communication. The single-board computer (SBC) in this configuration has no available external network interface, and its internal network interface may be exposed through the backplane connector, for example, solely for administrative purposes.

[0072] Referring now to Figure 7, an example of a cradle 700 is described according to one embodiment. In the illustrated embodiment, the cradle 700 schematically comprises a set of wired input/output and power module interfaces 715, each physically positioned to operably engage a respective secure network module, such as module 100 and/or 200 of Figures 1 and 2, respectively. As described above, these cradle interfaces 715 enable secure interconnection between the mounted modules. The cradle 700 also comprises, by way of example, an internally mounted cradle agent 716, which in this embodiment provides its own external wired network interface 712. In some embodiments, this interface may provide a restricted external connection to the mounted modules through the cradle interfaces 715 in order, for example, to grant operational management access to the cradle 700 and its mounted modules. For example, a cradle agent 716 for an external network interface may be wired within the cradle 700 and provide a communication interface to a corresponding wired management or administrative port available on each module cradle interface 715. The cradle agent 716 may thereby restrict communication and operational access to each module to its dedicated, hardware-isolated port, making operational management resources (such as cooling fans, power, operating temperature, network communication capabilities, and tamper-detection sensors) available, for example, via the external cradle interface 712, without compromising any security protocols or processes implemented by and/or between the modules.

[0073] Figure 8 shows one cradle-mounted architecture in which a pair of external network interface modules 100 are operably mounted on the integrated cradle interfaces 715 via their respective cradle interfaces 114, and optionally interface securely with each other via dedicated wired inter-module ports and channels, and/or with a cradle agent 716 via dedicated wired inter-cradle ports and channels. Similarly, Figure 9 shows another cradle-mounted architecture in which a first external network interface module 100 is operably mounted on an integrated cradle interface 715 via its corresponding cradle interface and interfaces securely with one or more downstream network-isolated modules 200 via dedicated wired inter-module ports and channels, and/or with a cradle agent 716 via dedicated wired inter-cradle ports and channels. For example, in some embodiments, a (proprietary) backend module cradle connector may include a number of port pins that can be configured to interface with downstream and/or upstream modules via their respective hardware cradle network channels. In practice, the cradle network and its associated connectors and hardware-defined communication channels may be laid out such that critical communication paths (e.g., secure inter-module communication) are restricted to a specific set of hardware channels, while less critical channels (maintenance, monitoring, operational status, environmental sensors, etc.) are relayed over, and restricted to, other hardware channels, such as those interfacing with the cradle agent.
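The channel partitioning described for Figures 7 to 9 can be checked mechanically. The following Python model is added here as an illustration; it is not code from the patent or from Crypto4A's products. It maps each (slot, pin) of the backend connector to one hardware channel carrying one traffic class and verifies the two properties a practitioner would want from that layout: no pin is shared between a secure inter-module channel and a management channel, and the cradle agent has no hardware path onto a secure channel. The slot and pin numbering, the two class names and the two sample wiring maps are assumptions.

```python
"""Partition check for the hardware channels of a cradle backplane (Figures 7 to 9).
Added illustration, not code from the patent or from Crypto4A.  The slot and pin
numbering, the two traffic classes and the sample wiring maps are assumptions."""
from enum import Enum


class Traffic(Enum):
    SECURE = "secure"   # inter-module cryptographic traffic between security processors
    MGMT = "mgmt"       # fans, power, temperature, tamper sensors, relayed to the cradle agent


class CradleFabric:
    """channels: {channel_id: (Traffic, {endpoint: pin})}.  Endpoints are slot names
    or the special "agent" endpoint standing for the cradle agent 716."""

    def __init__(self, channels):
        self.channels = channels

    def verify_partition(self):
        """Return the list of wiring faults; an empty list means the fabric is sound."""
        faults, pins_in_use = [], {}
        for cid, (cls, ends) in self.channels.items():
            if cls is Traffic.SECURE and "agent" in ends:
                faults.append(f"{cid}: cradle agent wired onto a secure channel")
            for endpoint, pin in ends.items():
                owner = pins_in_use.setdefault((endpoint, pin), cid)
                if owner != cid:      # one physical pin feeding two channels
                    faults.append(f"{endpoint} pin {pin}: shared by {owner} and {cid}")
        return faults

    def route(self, src, dst, cls):
        """Channel on which src may send cls traffic to dst, or None if no hardware path exists."""
        for cid, (chan_cls, ends) in self.channels.items():
            if chan_cls is cls and src in ends and dst in ends:
                return cid
        return None


def sound_fabric():
    """Two module slots: a dedicated secure channel between them, management pins to the agent."""
    return CradleFabric({
        "sec-1-2": (Traffic.SECURE, {"slot1": 1, "slot2": 1}),
        "mgmt-1": (Traffic.MGMT, {"slot1": 7, "agent": 1}),
        "mgmt-2": (Traffic.MGMT, {"slot2": 7, "agent": 2}),
    })


def faulty_fabric():
    """Constructed misconfiguration: agent on the secure path and a double-assigned pin."""
    return CradleFabric({
        "sec-1-2": (Traffic.SECURE, {"slot1": 1, "slot2": 1, "agent": 3}),
        "mgmt-1": (Traffic.MGMT, {"slot1": 1, "agent": 1}),
    })
```

With the sound map, `route("slot1", "agent", Traffic.SECURE)` returns `None` and `route("slot1", "slot2", Traffic.MGMT)` returns `None`: the agent cannot reach the secure channel and the modules cannot exchange management traffic except through the agent, which is the restriction paragraph [0072] describes.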

[0074] Referring to Figure 10, a top-level schematic diagram of a cross-domain solution (CDS) 1000 employing multiple secure network modules 1001 as described herein is described according to one embodiment. In this example, multiple domains are operably connected to corresponding secure network modules, allowing cross-domain implementation points to be deployed securely, for example, via a backend cradle connector network that in this embodiment forms a secure cross-domain network. This type of cross-domain implementation and service deployment is described by way of example in U.S. Patent No. 11310198, issued to the applicant on April 19, 2022, the entire disclosure of which is incorporated herein by reference. In that example, two or more security processing appliances (SPAs) are deployed and interfaced with each other via an "elevator network" that acts as an interconnection point, each SPA forwarding data encrypted specifically for its own corresponding security domain, such that the data can only be delivered to, and decrypted within, its specific destination security domain. In other words, the elevator network functions as an "elevator shaft" in which domain-specific data, encrypted according to its domain, enters at a particular floor (i.e., a security domain), can ascend or descend to other specific destination floors, and can only be successfully decrypted (processed) there on the basis of that domain-specific encryption.

[0075] In Figure 10, three secure network modules 1001A, 1001B, and 1001C are configured and operably mounted within the same cradle 1013, via their respective backend I/O ports/interfaces 1014A, 1014B, and 1014C and the respective cradle ports 1015A, 1015B, and 1015C, to relay communications securely between two separate network security domains, each of which is typically communicably accessible via a respective external network interface 1012A and 1012C. In particular, in this embodiment, the assembly 1000 comprises two secure network modules 1001A and 1001C, each having its own external network interface, and one secure network module 1001B that is inaccessible from the outside (in hardware, i.e., without any physical external network port/interface, or in firmware/software, where the included physical external network port/interface is rendered inoperable and/or communicatively inaccessible).

[0076] In the illustrated embodiment, the secure "elevator network" is effectively implemented by the hardware cradle network running between the network modules through their respective secure cradle interfaces.

[0077] In the first network module, the processing engine 1002A is configured to operate as a protocol adapter 1003A for interfacing with the communication protocol of the first (lower) network security domain at the network interface 1012A. For example, the protocol adapter may be responsible for providing appropriate protocol handoffs for information (e.g., lower-security-domain requests) arriving at the network interface 1012A. When the protocol adapter 1003A has extracted a complete or partial unit of information deemed sufficient to be filtered and forwarded to another domain, the extracted information is relayed in hardware to the integrated security processor 1004A, which is configured via its embedded HSM (not shown) to securely relay the extracted information for cross-domain processing. For example, the security processor 1004A may be configured in hardware to implement a one-way channel (OWC) 1018A, realized by the embedded trusted communication matrix together with inter-module encryption 1020A, for example using data diodes, before the information is sent over the cradle elevator network for further downstream processing. As shown in the diagram, incoming security-domain information can thus be pre-processed and protected by the first secure network module 1001A and securely relayed between secure network modules via built-in cryptographic resources.

[0078] The encrypted information output by the first network module 1001A can be securely received from the cradle elevator network at the second network module 1001B via its backend cradle network channel port, which first interfaces with the module's embedded security processor 1004B, where the extracted and encrypted information is decrypted by the embedded cryptographic resource (inter-module decryption 1022B) for further processing. For example, the second network module 1001B, which interfaces with the other network modules only via the secure backend cradle elevator network and has no external network interface, provides an exclusive and secure information processing path to its embedded processing engine 1002B, which in this embodiment operates as a data orchestrator 1003B. For example, when a unit of information is received by the data orchestrator 1003B, it may identify an appropriate filter or set of filtering functions to be applied to that particular type of information, and then apply the appropriate filtering steps, as will be readily understood by those skilled in the art. A data orchestrator may perform one or more filtering functions based on a wide range of criteria. For example, filtering functions may be applied based on the content of the data being transferred, on the metadata of the data being transferred (e.g., headers or tags containing information about the data), on a time window (e.g., from a start date to an end date), or on a measure of the data transaction (e.g., applying a filter to only the first 1000 units of information received). In some embodiments, the data orchestrator may take the form of a cross-domain data validation engine capable of verifying whether a data transaction is authorized to advance to the next domain, and of approving or denying it accordingly.

[0079] Once the data orchestrator has completed the necessary application of filters to a particular unit of information, it relays the filtered output back through the embedded security processor 1004B and its integrated inter-module encryption engine 1020B via a separate integrated hardware port of the embedded HSM for further inter-module encryption and deployment over a secure cradle network, for example, for further processing by the subsequent network module 1001C.

[0080] As between the first two modules 1001A and 1001B, the filtered information output by the data orchestrator 1003B can be securely encrypted and relayed to the third network module 1001C via the secure cradle network, where it is first received through the security processor 1004C and its inter-module decryption resource 1022C. The security processor 1004C can then proceed to encrypt the filtered information (domain-level encryption engine 1026C) for processing by the protocol adapter 1003C, executed by the processing engine 1002C of the third module, for deployment in the second (higher) security domain.

[0081] In the reverse direction, incoming communications from the second security domain via module 1001C (e.g., responses from the higher security domain) are processed by the embedded protocol adapter 1003C and relayed by the embedded one-way channel 1018C and encryption resource 1020C of the integrated security processor 1004C to the first network module 1001A through the cradle network. There, the extracted and encrypted information (response) is decrypted by the embedded inter-module decryption resource 1022A, and the embedded information (response) from the second (higher) security domain is further decrypted via the embedded domain-specific decryption resource 1028A before being handed off to the first-domain protocol adapter 1003A for communication at the first network security domain level.

[0082] As explained, communications can be securely relayed between network security domains, with inter-domain processing performed along the way, by, for example, applying secure inter-module encryption/decryption to all communications relayed via the backend cradle network. Furthermore, using the network security module stack described herein, cross-domain solutions can be implemented with minimal customization, and each module's processing engine and security processor can easily be adapted to its intended purpose by means of the integrated cross-domain and inter-module cryptographic resources available and operable within their respective secure hardware-integrated environments.
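The request and response paths of paragraphs [0077] to [0081] can be followed end to end in the following Python model, added here as an illustration; it is not code from the patent or from Crypto4A's products. It also stands in for the data-diode behaviour that paragraph [0093] attributes to the security blade adjacent to the dual compute blade of Figure 23. Each cradle channel enforces one-way flow, each hop carries its own inter-module key, module 1001B's data orchestrator applies the four filter criteria listed in [0078], and the domain-level layer (1026C on the way up, 1028A on the way down) sits underneath the inter-module layer. The keys, the JSON unit format, the filter rules and the HMAC-SHA256-based toy cipher used in place of the HSM's cipher are all assumptions.

```python
"""Model of the three-module cross-domain path of Figure 10 (modules 1001A,
1001B and 1001C on one cradle elevator network).  Added illustration, not code
from the patent or from Crypto4A.  Keys, the JSON unit format, the filter rules
and the HMAC-based toy cipher (in place of the HSM's cipher) are assumptions."""
import hashlib
import hmac
import json
import os
from datetime import datetime, timezone

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key, nonce, n):
    # HMAC-SHA256 in counter mode; stands in for the HSM's cipher (assumption).
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def seal(key, plaintext):
    """Encrypt-then-MAC: nonce || ciphertext || HMAC-SHA256 tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key, blob):
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key or tampered channel")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class OneWayChannel:
    """Cradle channel with data-diode semantics: one fixed writer, one fixed reader."""
    def __init__(self, writer, reader):
        self.writer, self.reader, self._queue = writer, reader, []

    def push(self, sender, blob):
        if sender != self.writer:
            raise PermissionError(f"{sender} cannot write on {self.writer}->{self.reader}")
        self._queue.append(blob)

    def pull(self, receiver):
        if receiver != self.reader:
            raise PermissionError(f"{receiver} cannot read on {self.writer}->{self.reader}")
        return self._queue.pop(0)


class DataOrchestrator:
    """Module 1001B's filter chain: metadata, time window, content and volume."""
    def __init__(self, allowed_tags, start, end, banned_words, max_units):
        self.allowed_tags, self.start, self.end = set(allowed_tags), start, end
        self.banned_words, self.max_units, self.forwarded = banned_words, max_units, 0

    def validate(self, unit):
        reasons = []   # failed criteria; an empty list means the unit may advance
        if unit["hdr"].get("tag") not in self.allowed_tags:
            reasons.append("metadata")
        if not self.start <= datetime.fromisoformat(unit["hdr"]["ts"]) <= self.end:
            reasons.append("time-window")
        if any(w in unit["body"] for w in self.banned_words):
            reasons.append("content")
        if self.forwarded >= self.max_units:     # only the first max_units pass
            reasons.append("volume")
        if not reasons:
            self.forwarded += 1
        return reasons


class ElevatorNetwork:
    def __init__(self, orchestrator):
        # One inter-module key per hop (1020A/1022B, 1020B/1022C, 1020C/1022A) plus
        # the domain-level key for 1026C/1028A; all assumed, generated fresh here.
        self.k_ab, self.k_bc, self.k_ca, self.k_dom = (os.urandom(32) for _ in range(4))
        self.a_to_b, self.b_to_c = OneWayChannel("A", "B"), OneWayChannel("B", "C")
        self.c_to_a, self.orchestrator = OneWayChannel("C", "A"), orchestrator

    def request(self, unit):
        """Lower-domain request: 1001A -> 1001B (filter) -> 1001C -> higher domain."""
        self.a_to_b.push("A", seal(self.k_ab, json.dumps(unit).encode()))   # 1018A, 1020A
        clear = json.loads(unseal(self.k_ab, self.a_to_b.pull("B")))        # 1022B
        reasons = self.orchestrator.validate(clear)                          # 1003B
        if reasons:                                  # denied units never reach 1001C
            return "denied", reasons
        self.b_to_c.push("B", seal(self.k_bc, json.dumps(clear).encode()))  # 1020B
        filtered = unseal(self.k_bc, self.b_to_c.pull("C"))                  # 1022C
        return "forwarded", seal(self.k_dom, filtered)                       # 1026C -> 1003C

    def response(self, domain_sealed):
        """Higher-domain response: 1001C -> 1001A directly; both layers removed at 1001A."""
        self.c_to_a.push("C", seal(self.k_ca, domain_sealed))                # 1018C, 1020C
        inner = unseal(self.k_ca, self.c_to_a.pull("A"))                     # 1022A
        return json.loads(unseal(self.k_dom, inner))                         # 1028A -> 1003A


def demo():
    # Constructed sample units; returns what each side of the solution observes.
    start, end = datetime(2024, 1, 1, tzinfo=timezone.utc), datetime(2024, 12, 31, tzinfo=timezone.utc)
    net = ElevatorNetwork(DataOrchestrator(["UNCLASSIFIED"], start, end, ["EXPORT-CONTROLLED"], 2))
    ok = {"hdr": {"tag": "UNCLASSIFIED", "ts": "2024-06-01T12:00:00+00:00"}, "body": "status query"}
    bad = {"hdr": {"tag": "INTERNAL", "ts": "2025-06-01T12:00:00+00:00"}, "body": "EXPORT-CONTROLLED data"}
    status, blob = net.request(ok)
    seen_by_high = json.loads(unseal(net.k_dom, blob))  # the higher domain also holds k_dom
    reply = seal(net.k_dom, json.dumps({"body": "ack"}).encode())
    return status, seen_by_high, net.request(bad), net.response(reply)
```

`demo()` returns the status of an accepted unit, what the higher domain decrypts from it, the denial reasons for a rejected unit, and a response as delivered to the lower domain. Two points the model makes explicit: the orchestrator on 1001B works on plaintext only because the inter-module layer terminates there, and, following [0081], the response travels straight from 1001C to 1001A, so nothing filters it on the way down.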

[0083] Those skilled in the art will understand that in some embodiments, different numbers of independent secure network modules may be used to extend or diversify the cross-domain solution shown in Figure 10 or alternatives to it. Similarly, other solutions may be assembled from a number of secure network modules such that inter-module communication is securely relayed over a cradle network, with each module's security processor providing internally integrated encryption/decryption resources to protect its communications. Inter-module communication between such cryptographic modules via a hardware-integrated cradle network and dedicated module-specific cradle port channel connectors enables the assembly of a variety of secure network solutions.

[0084] In practice, different network blade modules may be provided and / or combined to assemble a particular network architecture and / or implement a particular assembled modular network solution.

[0085] Referring to Figure 17A, a schematic diagram of an expandable assembly of a secure network module 1700 is given, which in this example comprises a dual quantum-guaranteed security blade module 1701 integrating a pair of security processors 1704A and 1704B, each of which may comprise a cryptographic processing complex 1706, such as one provided by a hardware security module (HSM), and a wired interconnect matrix 1708, such as a set of embedded wired channel resources 1710. The blade module 1701 further comprises a backend power and input/output interface/connector 1714 configurably positioned to interface with an internal network such as a cradle network, but in this embodiment has no external network interface/connector, thereby entrusting all module input/output communication to the cradle network connector.

[0086] In the illustrated embodiment, the additional security processor may act as a coprocessor for other cryptographic blades operating within the modular assembly, thereby increasing overall cryptographic performance. While the cryptographic accelerator blade is illustrated with two security processors, it should be noted that other embodiments may include only a single security processor or, in more complex embodiments, three or more.

[0087] Figure 17B provides a schematic diagram of an expandable assembly according to one embodiment, in which, for example, a dual quantum-guaranteed security blade module 1700, as shown in Figure 17A, is combined with a secure network module 100 operable to interface with an external network, as shown in Figure 1. In the illustrated assembly, the accelerator blade 1700 can act as an internal, network-isolated coprocessor to the secure network module's own internal security processor. As shown in Figure 17C, the expandable assembly can be operably mounted in a cradle 700, such as the one shown in Figure 7, thereby confining communication between the secure network module 100 and the accelerator blade 1700 to the integrated cradle network.

[0088] Referring to Figure 18, this example provides a schematic diagram of an expandable assembly of a secure network module comprising a time synchronization blade module 1800. Like the secure network module 100 of Figure 1, the time synchronization module comprises a processing engine 1802, a security processor 1804, an external network interface 1812, and a cradle network input/output interface 1814. In addition, the module 1800 comprises a chip-scale atomic clock (CSAC) 1822, a Global Positioning System (GPS) chip 1820, and an external GPS interface (antenna) 1815. In one example, the time synchronization module 1800 can provide precise timekeeping to all or some of the other modules in the same chassis while simultaneously providing precise timekeeping to external network devices in the data center. For example, the software load may include additional applications enabling the blade to provide precision time to other blades in the chassis within the HSM cluster or to external network devices in the data center.

[0089] Referring to Figure 19, this example provides a schematic diagram of an expandable assembly of a secure network module comprising a geolocation synchronization blade module 1900. Like the secure network module 100 of Figure 1, the geolocation synchronization module comprises a processing engine 1902, a security processor 1904, an external network interface 1912, and a cradle network input/output interface 1914. In addition, the module 1900 comprises a GPS chip 1920 and an external GPS interface (antenna) 1915. In general, the module may be configured to securely record, track and report the precise location of itself and of its associated adjacent modules and chassis. It may also be operable to restrict and/or enable location-dependent functions, acting in a sense as a geo-lock blade. For example, it may include internal features that perform certain location-based actions or deny certain functions, such as raising warnings or performing zeroization.
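A geo-lock policy of the kind sketched above, written in Python as an added illustration; it is not code from the patent or from Crypto4A's products. It computes the great-circle distance from a configured fence centre to each GPS fix and maps it to one of the actions the paragraph mentions (allow, warn, zeroize). It also treats a run of poor or missing fixes as a reason to lock key use, since a blade that cannot prove its position should not keep keys usable under jamming, spoofing or antenna removal. That rule, the fence geometry, the radius thresholds and the fix-quality limits are all assumptions.

```python
"""Geo-lock policy for a geolocation synchronization blade (Figure 19).  Added
illustration, not code from the patent or from Crypto4A.  The fence geometry,
the radius thresholds, the fix-quality rule and the action names are assumptions."""
import math
from dataclasses import dataclass, field

EARTH_RADIUS_M = 6_371_000.0


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


@dataclass
class Fix:
    lat: float
    lon: float
    hdop: float   # horizontal dilution of precision reported by the GPS chip
    sats: int     # satellites used in the solution


@dataclass
class GeoLock:
    center_lat: float
    center_lon: float
    warn_radius_m: float       # beyond this: raise an alert but keep serving
    zeroize_radius_m: float    # beyond this: deny key use and trigger zeroization
    max_hdop: float = 5.0
    min_sats: int = 4
    misses_before_lockout: int = 3
    _misses: int = field(default=0, init=False, repr=False)

    def evaluate(self, fix):
        """Map one GPS fix (or None) to a policy action for the blade's security processor."""
        # A missing or poor-quality fix cannot prove the chassis is still in place.  A run
        # of them is treated as suspicious (jamming, spoofing, antenna removal) and locks
        # key use until a good fix returns.  This conservative rule is an assumption.
        if fix is None or fix.hdop > self.max_hdop or fix.sats < self.min_sats:
            self._misses += 1
            return "lockout" if self._misses >= self.misses_before_lockout else "degraded"
        self._misses = 0
        dist = haversine_m(self.center_lat, self.center_lon, fix.lat, fix.lon)
        if dist > self.zeroize_radius_m:
            return "zeroize"
        if dist > self.warn_radius_m:
            return "warn"
        return "allow"


def demo():
    """Constructed fix sequence for a chassis fenced at 45.4215 N, 75.6972 W."""
    lock = GeoLock(45.4215, -75.6972, warn_radius_m=500, zeroize_radius_m=5000)
    fixes = [
        Fix(45.4215, -75.6972, 1.2, 9),   # in the rack, good fix
        Fix(45.4315, -75.6972, 1.0, 8),   # about 1.1 km north: outside the warn radius
        Fix(45.4215, -75.6972, 12.0, 3),  # poor fix
        None,                             # no fix at all
        Fix(45.4215, -75.6972, 9.0, 2),   # third poor fix in a row
        Fix(45.5215, -75.6972, 1.1, 8),   # about 11 km away: beyond the zeroize radius
    ]
    return [lock.evaluate(f) for f in fixes]
```

`demo()` walks the sequence and yields allow, warn, degraded, degraded, lockout, zeroize. A real blade would also feed the fix through the security processor so the location record itself is authenticated, which this model does not attempt.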

[0090] Figure 20 shows a schematic diagram of an expandable assembly of a secure network module comprising, in this example, a network switch blade module 2000. In this example, the module 2000 comprises a processing engine 2002 operably coupled between a cradle network coupler 2014 and a network switch processor 2040, which is itself operably connected to an external network interface 2012 and a pair of local area network (LAN) interfaces (connectors) 2013. This allows the module to provide multiple network connections to the network module assembly. The blade may include any number of LAN ports, such as four or eight, and/or other network ports, such as Gigabit Ethernet ports or small form-factor pluggable (SFP), enhanced SFP (SFP+), and/or quad SFP (QSFP) ports.

[0091] Figure 21 is a schematic diagram of an expandable assembly of a secure network module according to one embodiment, which in this example comprises a network blade module 2100 integrating a processing engine 2102 and a Peripheral Component Interconnect Express (PCIe) interface 2130. This embodiment allows third-party PCIe cards to be integrated, for example when further customizing the network architecture, and provides access to the PCIe card's functionality locally as well as via the integrated processing engine 2102 and the cradle network interface 2114. For example, a third-party HSM may be integrated for this purpose. In some examples, the PCIe blade may require a larger footprint (e.g., twice the width) to accommodate a wider variety of larger PCIe cards, and may include a serviceable lid to enable card installation. This may allow the PCIe blade to further include connectors that integrate with the tamper-detection sensor headers present on existing PCIe-based HSMs, such as the LunaHSM PCIe.

[0092] Similarly, Figure 22 provides a schematic diagram of an expandable assembly of a secure network module according to one embodiment, which in this case comprises dual PCIe interfaces 2230A (primary) and 2230B (secondary) interconnected to a cradle interface 2214 by a PCIe bridge 2232, thereby enabling the hardware integration and assembly of two third-party PCIe cards. In this embodiment, the dual PCIe blade may be configured to communicate only on a restricted plane (the cradle network) and may be paired with other blade modules, including SBCs such as compute blades.

[0093] Figure 23 shows a schematic diagram of an expandable assembly of a secure network module according to one embodiment, which in this example comprises a dual compute blade module 2300 having two hardware-integrated and isolated processing engines 2302A and 2302B, each with its own independent network interface 2312A, 2312B and cradle interface 2314A, 2314B. In this example, the dual compute blade module, when implemented in conjunction with the security processor of an adjacent blade, can constitute a data guard by allowing data to flow in only one specific direction (e.g., inbound versus outbound). In practice, the dual compute blade together with an adjacent security blade forms a data diode/data guard in which the two front Ethernet ports are physically separated and the actual data-diode function is performed on the adjacent blade housing the HSM. Variants of this blade without front Ethernet ports, for use in a secure compute configuration, may also be provided.

[0094] As those skilled in the art will see, various combinations of blade modules and module types can be considered to provide various network architectures and solutions. Furthermore, a set of secure network modules with variable functionality may be assembled to provide a customizable network architecture, and certain embodiments of the network modules may optionally allow for additional user hardware connection ports, further enabling additional customizable hardware.

[0095] According to some embodiments, the chassis / cradle may have further functionality in the form of a smart or intelligent chassis. For example, some simplified chassis embodiments may have limited functionality, and some embodiments may even delegate cooling functionality to the blades rather than providing it at the chassis level. On the other hand, reinforced or upgradeable chassis that enhance the capabilities of the chassis are also conceivable.

[0096] For example, an embodiment of a smart chassis may include self-contained modules that can be plugged into a smart / intelligent-enabled chassis. If none of these modules are detected in the chassis, the chassis functions exactly like an existing standard / simple chassis. However, when one or more of these modules are inserted, the chassis provides additional capabilities to the blade modules. These modules have connectors on their rear that interface with receptors in the chassis slots and, like the blade modules, can be added to the chassis by the customer.

[0097] Figure 24 provides an example of a further secure network module that can operate as a smart chassis management module (SCMM), for example, comprising an integrated management engine 2450, an external network connector 2412, and a cradle network interface 2414.

[0098] In a similar embodiment, as shown in Figure 25A, the SCMM 2500 may further include a network switch processor 2522, along with its management engine 2550 and external (2512) and cradle (2514) network interfaces. Using this configuration, the SCMM 2500 can be used to interconnect various integrated network modules and, at the same time, enable the SCMM to connect directly to a TopOfRack (TOR) network switch, eliminating the need for each network module to be connected individually. Furthermore, when two or more SCMMs are connected to the chassis, each network module gains the ability to separate the control plane from the data plane, enabling various channels for communication between various network modules, users, and applications. In addition, chassis functionality can be expanded through additional chassis updates. These modular chassis upgrades increase the chassis's backplane communication and its ability to communicate with various network modules and other network-connected devices.

[0099] Figure 25B shows the assembly of two SCMM 2500s within the chassis 700, while Figure 25C shows further integration of the network module 500 assembly, such as that shown in Figure 5.

[0100] In the illustrated example, the SCMM includes a network switch that allows connection to all blade modules housed within the chassis via a backplane connector, and QSFP ports on the front of the modules that allow connection to the LAN. In this example, each network security blade does not need to be individually connected to a TopOfRack (TOR) network switch; the chassis itself is connected to the TOR switch by one or two network cables, reducing the number of TOR switch ports that need to be consumed for the security blades. When two SCMMs are installed within the chassis, plane isolation features are enabled, similar to having separate Ethernet cables plugged into two existing Ethernet ports, allowing each blade module to separate the control plane from the data plane.

[0101] Figure 26 provides a more detailed diagram of the above integration of two SCMMs having a set of secure network modules. For example, this option can be deployed in a cloud-scale data center connected to a modern fiber optic network infrastructure while simultaneously achieving sufficient separation of the control plane and data plane. In the illustrated embodiment, two SCMMs (2500A and 2500B), such as those shown in Figure 25A, interface with the control plane 2560 and data plane 2570, respectively, via their respective external network interfaces. Using their respective integrated network switch processors and integrated cradle networks, data can be securely communicated in a restricted plane 2690 within the assembly of the integrated network module 2600 to achieve the intended functionality of the assembled network architecture.

[0102] For example, in one embodiment, the proposed assembly enables the maintenance of separation between user and management functions in the deployed network architecture. For instance, it may be deployed to define three main planes: a control plane (including the optical output interface), a data plane, and a restricted plane (defined, for example, by a backplane connector or cradle network). In operation, the control plane of the hardware security module (HSM) is connected to the IT management network, while the data plane resides on a separate network hosting the applications that need to consume the HSM and the users who consume those application services. Finally, the restricted plane resides on each physical chassis for communication between the blade module and the chassis itself. It is not directly exposed to either the control plane or the data plane, but is managed and configured through the control plane.

[0103] The above describes specific exemplary embodiments, but other embodiments may also be considered within this context. For example, in one embodiment, a particular network module may be programmed to securely record and store the activity of an adjacent network module. These blades may be compatible with other network blades and may be temporarily or permanently removed for inspection or audit. For example, a data recorder blade of this nature may collect logs from other blades in the system and securely store them for later inspection by an inspector. This blade may have, for example, increased storage capacity, but otherwise may maintain similar hardware attributes to other standard network security blades that integrate security processors (HSMs), etc. For example, this blade may log HSM events such as key generation, key usage, user events, and network configuration changes, but is not limited to these. The blade may be pulled out of the chassis, replaced with another security inspection blade, and removed for analysis or archiving, for example. Furthermore, in self-organizing embodiments, inspection blades inserted into a smart-enabled chassis may be automatically recognized and identifiable, and other data security blades may be configured to automatically send the necessary inspection logs to this inspection blade.
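To make the recorder blade's role concrete, here is an added example (not part of the patent) modelling how a data recorder blade could store the events named above so that later alteration, reordering or truncation is detectable on inspection. The hash-chain layout, the HMAC keying and the sample events are constructed for this illustration; the patent does not specify a log format.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field

EMPTY_HEAD = "0" * 64  # head value of an empty chain (convention chosen for this example)


@dataclass
class RecorderBlade:
    """Data-recorder blade: receives audit events from other blades over the restricted
    plane and appends them to a tamper-evident chain (model only, not the patent's code)."""
    chain_key: bytes                              # constructed stand-in for a key held in the recorder's HSM
    entries: list = field(default_factory=list)   # (body_json, tag) pairs in arrival order
    head: str = EMPTY_HEAD                        # running hash over all tags so far

    def record(self, blade_id: str, event: str, detail: dict) -> str:
        """Append one event. Each body carries its sequence number and the previous head,
        so altering, reordering or removing an earlier entry breaks verification."""
        body = json.dumps({"seq": len(self.entries), "prev": self.head, "blade": blade_id,
                           "event": event, "detail": detail}, sort_keys=True)
        tag = hmac.new(self.chain_key, body.encode(), hashlib.sha256).hexdigest()
        self.entries.append((body, tag))
        self.head = hashlib.sha256((self.head + tag).encode()).hexdigest()
        return tag


def verify_chain(entries, chain_key: bytes, expected_head: str):
    """Inspector side: recompute the chain from the start.
    Returns (True, -1) if intact, otherwise (False, index of the first entry that fails);
    a chain that verifies entry by entry but ends at the wrong head was truncated."""
    head = EMPTY_HEAD
    for i, (body, tag) in enumerate(entries):
        rec = json.loads(body)
        if rec["seq"] != i or rec["prev"] != head:
            return False, i
        good = hmac.new(chain_key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(good, tag):
            return False, i
        head = hashlib.sha256((head + tag).encode()).hexdigest()
    if head != expected_head:
        return False, len(entries)
    return True, -1


def demo():
    """Record four constructed events of the kinds named in [0103], then check an intact,
    an altered and a truncated copy of the log."""
    key = b"constructed-demo-chain-key"
    rec = RecorderBlade(chain_key=key)
    rec.record("hsm-blade-1", "key_generation", {"key_id": "k-0001", "alg": "AES-256"})
    rec.record("hsm-blade-1", "key_usage", {"key_id": "k-0001", "op": "encrypt"})
    rec.record("hsm-blade-2", "user_event", {"user": "operator", "action": "login"})
    rec.record("hsm-blade-2", "network_config_change", {"plane": "control", "vlan": 110})
    intact = verify_chain(rec.entries, key, rec.head)
    # Alteration: rewrite the operation recorded in entry 1 while keeping its tag.
    body, tag = rec.entries[1]
    tampered = list(rec.entries)
    tampered[1] = (body.replace('"encrypt"', '"decrypt"'), tag)
    altered = verify_chain(tampered, key, rec.head)
    # Truncation: silently drop the most recent entry.
    truncated = verify_chain(rec.entries[:-1], key, rec.head)
    return intact, altered, truncated
```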

[0104] In other examples, simplified computing blades may be provided to host typical software applications that do not require cryptographic capabilities. In these situations, security processors may not be necessary. Similarly, storage blades may be provided to host applications that require increased physical storage capacity but do not require cryptographic capabilities, such as large databases.

[0105] Other examples may include an inline encryption blade configured to encrypt network traffic at line speed as it passes from one network to the other.

[0106] In yet another example, a settlement blade may be provided that implements cryptographic algorithms compliant with PCI testing and standards such as PCI-HSM and PCI-DSS, as required by the Payment Card Industry (PCI). In other embodiments, this functionality may not require a blade specific to its use, but may be included in the same firmware and software load as, for example, a general-purpose HSM blade.

[0107] In yet another embodiment, the network module may be configured to operate as a single unidirectional data diode blade to ensure that data can flow only in one direction, from the lower-level network to the upper-level network. Data guards and filters may be implemented to operate on the SBC, and the data diode blades typically operate in pairs, one on the lower-level network and the other on the upper-level network.

[0108] Referring here to Figures 11A to 11E, a secure network module, generally referred to by reference numeral 1100, is illustrated, comprising a casing (or housing) 1120 sized to be vertically mounted and fitted into a standard server rack or similar structure, so that a series of these modules can be arranged to occupy three vertical rack unit spaces. Externally, the secure network module includes, for example, two network (Ethernet) connector interfaces 1112 providing redundant external network connectivity, front and rear ventilation sections 1122, and a proprietary backend cradle network connector 1114. As described above, the cradle network connector generally provides multi-channel or multi-port connectivity to adjacent modules and / or cradle agents via an integrated wired cradle network.

[0109] Referring further to Figure 12, a schematic perspective view of the internal structure of the secure network module 1100 of Figure 11A is given. In this embodiment, a module comprising an internal integrated processing engine 1102 and a security processor 1104 is shown, the former operationally interfaced with an external network connector 1112 and relaying external network traffic to and from the security processor 1104 via an integrated wired port interconnect, and the latter providing network security resources (e.g., encryption / decryption, inline security channel resources, etc.) for this external network traffic via a secure cradle network port / channel 1114 and / or protecting the interface with other network modules. In the illustrated embodiment, the processing engine is shown as a network-attached host such as a single-board computer (SBC). In other embodiments, the processing engine may comprise, for example, a sensitive computing engine that performs sensitive calculations that otherwise require an enhanced network security environment. For example, as described above, incoming traffic from an external network connection 1112 can be fed to a security processor for cryptographic processing in a given module, but in other configurations, protected communications can be relayed to a given module's confidential computing engine via the module's secure cradle network connector and security processor, thereby defining a cryptographically secure processing environment. By deactivating the external network connection, this cryptographically isolated processing engine can process confidential information / data in a secure hardware-isolated environment. As described above with reference to the example in Figure 10, various computing configurations and / or applications can be applied to secure data processing using an external network connection and / or to scale, level, increase or diversify compatible and customizable confidential computing resources using a set of network modules illustrated herein. Other network module components, such as heatsinks, fans, digital storage media, hardware links or relays, power units, and motion sensors / indicators, may also be included without departing from the general scope and nature of this disclosure, as will be immediately apparent to those skilled in the art.

[0110] Figures 13A to 13F show a single-module desktop chassis 1300 having a single secure network module that is operably housed internally, according to one embodiment. For example, a given network module may first operate within one of these desktop configurations to be configured for a subsequent modular assembly. For example, each given module can be manufactured to include general-purpose components in the form of an integrated processing engine and a security processor, so that they can be customized and adapted in-house or for distribution based on specific user requirements and particular use cases. This allows the single-module chassis to provide a power-ready platform, enable users to customize modules for specific uses, and also enable module upgrades, updates and / or service provision as needed.

[0111] In practice, currently available network appliances commonly require the complete replacement of internal processing cards or resources when faced with updates, or provide a small, cumbersome onboard screen for handling updates and parameter adjustments. In contrast, the secure network module described herein can be pulled out of its cradle, updated via a desktop chassis, or its operating resources can be accessed again via an external network connector.

[0112] Figure 14 shows a 10-module chassis 1400 according to one embodiment, which has a set of 10 secure network modules 1402 operably mounted inside and operably interfaced with its integrated cradle 1404, and is operably mounted or assembled to accommodate 3 rack unit (3RU) space in a standard server rack. This embodiment provides linear expandability and high-density resource assembly.

[0113] Similarly, Figure 15 shows a 12-module chassis 1500 according to another embodiment, which has a set of 12 secure network modules 1502 operably mounted internally and operably interfaced with its integrated cradle 1504, and is operably mounted or assembled to accommodate a 3-OpenRackU (3OU) space within a standard server rack. This embodiment further provides linear expandability and high-density resource assembly.

[0114] Referring to Figures 16A and 16B, another embodiment shows a transverse 3-module chassis 1600, which has a set of three secure network modules 1602 operably mounted internally and operably interfaced with its integrated cradle 1604, and which is operably mounted or assembled in a corresponding 1RU space within a standard server rack. As described above, sets of adjacently arranged transverse network blade modules may be assembled in a secure network architecture to fill, for example, a single rack unit and further provide the modularity and expandability of larger vertical embodiments. Furthermore, each blade module may be used interchangeably in a vertical or transverse configuration depending on the purpose for which the network cradle is used. Furthermore, multiple cradle network arrangements may be combined using network module blades arranged vertically and / or transversely in various configurations and their corresponding cradles. That is, the same blades used in a vertical 3RU cradle may, in some embodiments, be used in a correspondingly dimensioned 1RU transverse cradle. In this regard, a set of modular network blades can be assembled according to a customized network architecture, whether horizontally or vertically arranged in some embodiments, while simultaneously reducing the hardware footprint that would otherwise be required, thereby enhancing in-network architectural security, integrity, and manageability.

[0115] In a further example, the chassis may be extended to encompass a 4RU footprint that accommodates, for example, 10 blade modules installed vertically, and simultaneously two SCMMs as described above in relation to the embodiment shown in Figure 26. For example, this option may be deployed in a cloud-scale data center connecting to a modern fiber optic network infrastructure while simultaneously implementing complete control plane and data plane separation. While a 4RU chassis is certainly conceivable, the embodiment is not limited thereto and may be extended to accommodate a larger number of blade modules and / or more than two additional SCMM slots within the chassis, for example, by increasing the rack unit height.

[0116] As illustrated and described above, the secure network module can provide enhanced functionality, scalability, and space efficiency, among other possible advantages. For example, in the basic configuration, the modular network architecture may include a basic cradle dimensioned to define a plurality of juxtaposed network module slots, each of which optionally, in some embodiments, has a cradle slot interface at its termination to an integrated cradle communication network. For example, in some embodiments, the cradle slot interface may supply power to the onboard network module and / or further provide communication access to the cradle network, which in some embodiments may be used for secure inter-module communication and / or to communicate with a cradle agent, etc., for management and / or monitoring purposes. As will be apparent to those skilled in the art, the term cradle in this context is broadly defined to include various structural housing mechanisms, mounting mechanisms, and / or engagement mechanisms that enable one or more modules to be fixed to and / or inside it. As described above, the enclosure may be mounted on or fixed to a network rack or cabinet by itself for use in, for example, a standard server room, data center, etc. Thus, while the embodiments described herein show a fully enclosed and structurally integrated cradle, other structural configurations, including greater or lesser structural complexity and / or integrity, may be considered without departing from the general scope and nature of this disclosure. For example, in fully enclosed embodiments including a complete cabinet configuration, the cradle network may be more structurally integrated within the cradle to automatically structurally engage each cradle network connector to the corresponding network module cradle connector as such network modules are inserted or mounted. However, a structurally simpler cradle may include, for example, a rack shelf or mounting bracket that can still provide cradle network interconnectivity and / or the respective module power supply resources.

[0117] In any of these embodiments, the cradle allows multiple network modules to be mounted side-by-side within their respective network module slots. For example, the network modules may be sized to be mounted side-by-side vertically and horizontally to fill the rack space allocated to them via the cradle. In some of the embodiments described above, this rack space may include the height of two or more standard rack units, such as three rack units, as shown in the disclosed embodiments.

[0118] Furthermore, although the embodiments are shown herein to ultimately assemble a modular network architecture, each module may, in some embodiments, provide, for example, a standalone network solution while simultaneously encompassing a smaller footprint than conventional security network appliances. In practice, rather than occupying an entire rack unit on its own, as is common with current network appliances, the secure network modules described herein can effectively occupy one-third or one-quarter of the rack space by sharing it with other standalone or pre-assembled network modules mounted alongside it within the same cradle. This allows a network-attached HSM to be deployed in this form factor, for example, thereby enabling the module's processing engine to operate through it as an integrated security processor and embedded cryptographic resources, in other words, an engine for an SBC or other external network interface, while simultaneously providing cryptographic services through a combined autonomous integrated server and HSM resources. In this embodiment, a standalone network blade-shaped module can omit the backend cradle network connector shown in other embodiments described herein and provide direct standalone network resources within this reduced footprint without limiting the operation of other blade-shaped modules mounted alongside it in an operable manner. The advantages of a form factor can sometimes be seen in the reduction of footprint by omitting other components common to standard server architectures, such as adapters and ports for Super Video Graphics Array (SVGA) and High-Definition Multimedia Interface (HDMI®). On the other hand, a modular, self-contained form factor can enable greater versatility and flexibility in system deployment. For example, each module may be configured to include, as a self-contained unit, a power interface (e.g., via a multi-purpose cradle port connector), temperature control (e.g., ventilation fan, heat sink, etc.), and resources for the network interface.

[0119] Naturally, multiple such standalone network security modules can also be deployed and used in parallel with the above configuration as a composite of standalone and composite modular network resources. On the other hand, other embodiments and examples combine the server-connected HSM capability of the first module with a second network-isolated module that causes its onboard HSM to act as a cryptographic hardware gatekeeper, and an onboard confidential computing engine that operates securely in association with it.

[0120] In more complex architectures, a set of secure network modules can be deployed and operated in a synchronized manner to provide a set of secure network services, such as those exemplified above, with the network modules acting in parallel and / or series according to their intended applications. In this complex configuration, at least some of the modules may be pre-configured to automate some of the deployment and inter-module communication tasks required during system initialization, or again during service updates, maintenance, or replacement. For example, each module, upon power-up, may be configured to self-identify and / or self-authenticate with the clustering module, for example, through their respective security processors / HSMs, to automatically establish a secure communication path with and between them, and optionally then proceed to self-configure to effectively cooperate with or between other network modules. Thus, this self-initialization and authentication facilitates the construction, maintenance, and upgrade of the system, thereby enabling new or replacement modules to be automatically integrated into the operational cluster to expand, extend, update, or hot-swap the operational cluster. This system is significantly enhanced by interfacing each module with one another on the cradle network using, in some embodiments, their respective HSM-embedded security processors. In practice, modules can be automatically configured to initiate a secure handshake process between onboard HSMs using a post-quantum algorithm with injected cryptographic data (keys, certificates). For example, a first module automatically assumes the role of a master module, and subsequent modules securely interface with this master, authenticate and configure themselves, and interface within the cluster. As a result, as described above, modules may have the ability to operate as a single, self-organizing, customizable, and scalable digital entity, thereby enabling an assembly or group of blade modules to operate to perform a common digital task or function, while each component module may simultaneously be responsible for performing an individual component of the overall task. In practice, in some embodiments, existing modules may be configured to automatically detect and leverage the capabilities of new network modules when working together to achieve a common overall function.
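The join procedure just described, as an added example that is not the patent's code: the first module on the cradle network takes the master role, later modules prove possession of factory-injected credentials before a session key for the restricted plane is set up, and a module whose credential the master cannot re-derive is refused and never registered. The injected certificates and post-quantum handshake of the text are replaced here by HMAC challenge-response over keys derived from a constructed factory root; module names and capabilities are constructed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


def kdf(key: bytes, info: bytes) -> bytes:
    """Single-block HKDF-Expand (RFC 5869) yielding 32 bytes."""
    return hmac.new(key, info + b"\x01", hashlib.sha256).digest()


def tag(key: bytes, *parts: bytes) -> bytes:
    """HMAC over length-prefixed parts so field boundaries in the transcript are unambiguous."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()


def inject_credential(root: bytes, module_id: str) -> bytes:
    """Factory step (stand-in for injecting keys / certificates into the module HSM):
    a per-module credential derived from a root that the master's HSM also holds."""
    return kdf(root, b"module-credential|" + module_id.encode())


@dataclass
class Module:
    module_id: str
    capabilities: tuple
    credential: bytes                    # held inside the module's security processor / HSM
    role: str = "unassigned"
    session_key: Optional[bytes] = None  # key for the restricted-plane path to the master

    def answer_challenge(self, master_id: str, challenge: bytes):
        """Joiner's reply: fresh nonce plus proof that it holds the credential for its id."""
        nonce = secrets.token_bytes(16)
        proof = tag(self.credential, b"join", master_id.encode(), self.module_id.encode(), challenge, nonce)
        return nonce, proof

    def accept_master(self, master_id: str, challenge: bytes, nonce: bytes, proof: bytes) -> bool:
        """Joiner checks the master's proof before deriving the shared session key."""
        expected = tag(self.credential, b"accept", master_id.encode(), self.module_id.encode(), challenge, nonce)
        if not hmac.compare_digest(expected, proof):
            return False
        self.session_key = kdf(self.credential, b"session|" + challenge + nonce)
        self.role = "member"
        return True


class CradleCluster:
    """Blades sharing one cradle network. The master's HSM holds the factory root used to
    re-derive each joiner's credential (constructed trust model for this example)."""

    def __init__(self, master_root: bytes):
        self._root = master_root
        self.master: Optional[Module] = None
        self.members: dict = {}        # module_id -> capabilities usable by the group
        self.session_keys: dict = {}   # module_id -> master's copy of the session key

    def power_up(self, module: Module) -> bool:
        if self.master is None:        # first module on the network assumes the master role
            module.role = "master"
            self.master = module
            self.members[module.module_id] = module.capabilities
            return True
        return self._admit(module)

    def _admit(self, joiner: Module) -> bool:
        master = self.master
        challenge = secrets.token_bytes(16)
        nonce, proof = joiner.answer_challenge(master.module_id, challenge)
        cred = inject_credential(self._root, joiner.module_id)
        expected = tag(cred, b"join", master.module_id.encode(), joiner.module_id.encode(), challenge, nonce)
        if not hmac.compare_digest(expected, proof):
            return False               # unknown or tampered module: no secure path is established
        reply = tag(cred, b"accept", master.module_id.encode(), joiner.module_id.encode(), challenge, nonce)
        if not joiner.accept_master(master.module_id, challenge, nonce, reply):
            return False
        self.session_keys[joiner.module_id] = kdf(cred, b"session|" + challenge + nonce)
        self.members[joiner.module_id] = joiner.capabilities
        return True

    def remove(self, module_id: str) -> None:
        """Hot-swap: a pulled module leaves the group; its replacement rejoins via power_up()."""
        self.members.pop(module_id, None)
        self.session_keys.pop(module_id, None)


def demo():
    """Constructed cradle: an HSM blade powers up first, a compute blade joins, and a blade
    provisioned from a different root is refused."""
    root = b"constructed-factory-root-key"
    hsm = Module("hsm-blade-1", ("hsm", "tls-offload"), inject_credential(root, "hsm-blade-1"))
    compute = Module("compute-blade-2", ("sbc",), inject_credential(root, "compute-blade-2"))
    rogue = Module("compute-blade-9", ("sbc",), inject_credential(b"other-root", "compute-blade-9"))
    cluster = CradleCluster(root)
    results = (cluster.power_up(hsm), cluster.power_up(compute), cluster.power_up(rogue))
    return cluster, results
```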

[0121] Thus, a group of blade modules can be defined as an assembly or group of self-organizing blade modules that reside within a single chassis / cradle and communicate with each other through a restricted plane (backplane connector). Externally, the group presents itself as behaving as a single entity, but internally, it consists of multiple blade modules working together to achieve a common task.

[0122] As described above, the systems and devices described herein also provide various examples, according to different embodiments, in which a hardware security module (HSM) can operate to simultaneously serve multiple applications and / or functions, for example, through an intermediary HSM access appliance, application layer, or HSM access software, and further minimize the system security risks that may be introduced when interfacing with conventional (external) HSMs.

[0123] For example, in some embodiments, each security processor's HSM may have multiple hardware ports, each configured or reconfigurable to perform specified cryptographic processing within the HSM when receiving input (e.g., public data, public keys, etc.) to it and providing specific arithmetic operations, applications, or functions. Generally, incoming input data is port-specific, ensuring that only input cryptographic data specific to the port receiving it can be successfully processed. To this end, each hardware port typically defines a corresponding hardware link or channel (e.g., static and / or reconfigurable hardware links, channels, and / or switches) to an isolated hardware storage medium that stores therein exclusively obtainable, protected port-specific cryptographic data for processing in accordance with incoming input data specific to that hardware port. For example, separate embedded storage resources may have their respective hardware data links to their corresponding ports, and similarly, separate storage partitions and / or zones may be defined within the same embedded memory storage resource and accessible via dedicated hardware logic, etc. In other words, a separate embedded storage space or resource may contain a hardware storage space that is physically isolated, separated, and / or defined from one or more hardware storage devices (i.e., memory boards, chips, components, etc.) that are physically paired with, allocated to, and / or associated with a given port-specific cryptographic process. Each storage space may be designated or adapted to store one or more cryptographic keys and / or similar cryptographic data that can be used when calling and / or executing a given port-specific process. Thus, in some embodiments, a dedicated memory space may define a secure key space for a given cryptographic process and / or contain storage capacity for other types of cryptographic data and / or other related data. An integrated cryptographic engine, executed by an embedded or hardware-linked processor, can then call upon the acquired protected cryptographic data to internally process it, for example, together with input data, to produce a desired computation result.

[0124] Therefore, the entire process can be entrusted to hardware space without calling software or application layers, and thus without exposing the HSM to opportunities for tampering that may arise in conventional HSMs. Conversely, the embodiments of the HSM described herein enable a complete, in some embodiments, single-chip (i.e., static or reconfigurable (e.g., FPGA)) hardware solution that can be used to service multiple applications and / or processes simultaneously from the same tamper-proof environment. As a result, the solutions provided herein enable a significant increase in security protocol ratings and, in some embodiments, can significantly reduce the hardware footprint required to implement complex network security architectures.

[0125] For example, in some cases, an HSM provided as part of each module security processor may interface separately with different components or processors of the system that constitute part of it, thereby enabling hardware isolation of the processing while enhancing the overall security rating of the system. For example, the security processor of a given module may be given a hardware port dedicated to interfacing with the onboard processing engine, while other hardware ports of the given module are entrusted with interfacing with the backend cradle network via the integrated module cradle interface and port-specific channels provided in hardware. In practice, the security processor may, for example, activate its multiple hardware ports to communicate with different cradle ports or channels, and perform different port-specific communications with, for example, separate secure network modules. This can be illustrated by the example in Figure 9, where port-specific communications are hardware-isolated for each illustrated data communication path, so that incoming and outgoing communications can be isolated when entering and leaving each module and when module-specific hardware communication channels are established between them.

[0126] As those skilled in the art will see, complex multi-module solutions will rely on and greatly benefit from the multi-port HSM solutions described herein, while other, simpler solutions can be implemented without the hardware port-specific complexity and still benefit from some of the other attributes and advantageous effects of the solutions described herein in various embodiments.

[0127] Referring to Figure 3, a multiport hardware security module (HSM), generally referred to by reference numeral 300, is described here by an exemplary embodiment. In the illustrated embodiment, the HSM 300 comprises, schematically, a plurality of hardware ports 302, each of which is operationally linked through hardware, for example, via a direct hardware link or channel logic 308, to a corresponding port-specific hardware storage resource and key space 304 (e.g., a separate embedded memory storage device, hardware memory storage partition and / or zone). Each storage resource 304 can be configured to store protected port-specific cryptographic data (e.g., secret encryption / decryption key 312) that can only be retrieved in response to the input of corresponding input cryptographic data from the corresponding port. On other ports, the protected data may be further protected by the specificity of the hardware port, so that input data received on an incorrect hardware port cannot access the corresponding protected data linked to that incorrect port, nor can it access the protected data linked to any other port.

[0128] Upon successful input of external data via the appropriate hardware port 302, the corresponding protected data (e.g., key 312) becomes available for internal acquisition and processing by the integrated engine (i.e., cryptographic engine 310) to achieve the desired result.

[0129] In this embodiment, the provision of hardware-linked HSM ports and isolated storage resources enhances the overall system integrity and resilience against external tampering, while also providing the additional benefits of HSM multiplexing within a general tamper-proof solution. In fact, certain embodiments can efficiently double HSM resource allocation in a single-chip embodiment with embedded memory, processor, and hardware logic, and can also take advantage of both the additional security of separately isolated hardware-linked storage resource interfaces and the option to share internal hardware resources, such as a common integrated cryptographic engine 310 that can be invoked to process protected data from multiple isolated key spaces 304 simultaneously or at least sequentially. As will be described in more detail below, this embodiment of integrated hardware can further benefit the deployment of secure system architectures as described above.

[0130] Referring to Figure 3, in this embodiment, at least a portion of the hardware port 202 can be linked through hardware to interface with a separate storage resource 304 and / or port 302 and / or associated processing / data, thereby defining a trusted communications (e.g., wired port interconnection) matrix 314 that can be utilized in more complex system embodiments to benefit from protected common location of separate resources on the same hardware implementation (e.g., the same hardware chip) without exposing the HSM 300 to the risk of external or software-related tampering. In other words, port specificity can be maintained to govern access to protected data when performing selected cryptographic processing, but can be further enhanced by leveraging a predefined hardware interconnection (i.e., data channel) between port specific resources and / or data allocations. The trusted communications matrix 314 can be dynamically implemented as a set of static hardware relays and / or logic, and / or can be implemented by reconfigurable hardware logic and / or relays. This allows specific port-specific processing invoked by input data received through a particular port interface to be configured to depend on upstream cryptographic processing performed on encrypted data received on other hardware ports, which can then be used to retrieve separately stored and maintained confidential data. Naturally, specific cryptographic processing can similarly be supplied to downstream processing performed on separate port-specific data resources. Considering the hardware embodiment of matrix 314, the system security logic and complex data channels can be wired within the HSM 300 to minimize external exposure to tampering. 
Given the above, some ports 302 may be associated with corresponding storage resources 304 in a one-to-one manner, but other port interconnection scenarios may be invoked to logically associate the same port with separate storage resources and, similarly, to logically associate separate storage resources with the same hardware port. Likewise, for example, additional hardware port interfaces may be specified to perform a specific channel interconnection configuration without necessarily configuring a direct link to a particular storage resource.

[0131] As described in more detail below, such versatility and customizability can enable the deployment and execution of various trusted hardware network interconnection solutions, for example, by linearly channeling port-specific data transactions between hardware ports in one or more one-to-one hardware port interconnection configurations (e.g., to provide a (cryptographically) secure / trusted hardware-isolated port-specific processing path); by determining / merging / multiplexing separate data channels arriving through separate hardware ports in a many-to-one configuration (e.g., to provide a (cryptographically) secure / trusted data / transaction convergence processing path); and by distributing and / or demultiplexing a single network source in a one-to-many configuration across numerous port-specific resources, services, and / or data communication paths (e.g., to provide (cryptographically) secure / trusted data / transaction distribution / propagation across multiple data channels from a trusted / reliable source).

[0132] Various non-limiting examples of single-chip hardware solutions can be considered according to various descriptive embodiments. In some embodiments, Xilinx system-on-a-chip (SoC) or multiprocessor SoC (MPSoC) products such as Zynq® and Zynq® UltraScale+®, respectively, are used. The Zynq® product line is known to include two ARM processors, a memory component, and a field-programmable gate array (FPGA), while Zynq® UltraScale+® has six ARM processors, a memory component, and an FPGA. In a first exemplary embodiment, a Zynq® device is used, in which one of the two ARM processors implements the cryptographic engine (CE) 310, the second ARM processor handles all memory access, and the FPGA implements the trusted communication matrix 314 between the external communication ports, internal memory, and cryptographic engine functions. In a second exemplary embodiment, Zynq® UltraScale+® is used, with five of the six ARM processors used as independent CEs, the sixth processor used to handle all memory accesses, and the FPGA implementing the trusted communication matrix 314 between external communication ports, internal memory, and cryptographic engine functions. In a third exemplary embodiment, Zynq® UltraScale+® is used, with all six ARM processors used as independent CEs managing their own memory spaces, and the FPGA implementing the trusted communication matrix 314 between external communication ports, internal memory, and cryptographic engine functions. Other well-known and future technologies, hardware configurations, and products may also be considered without departing from the overall scope and nature of this disclosure, as will be immediately apparent to those skilled in the art.

[0133] Continuing to refer to Figure 3, in this embodiment, the matrix 314 may further invoke specific embedded channel resources 316 to enable the integration of embedded security logic within the HSM's integrated hardware architecture by further enhancing the interconnection logic between ports and port-related processing. These channel resources 316 may be invoked in a one-to-one manner with integrated port specificity to fully maximize secure processing isolation, or again, they may be invoked and performed for different port-specific processing, but provided as shared resources (one-to-many and / or many-to-one) that do not expose such processing to the risk of undue external tampering.

[0134] In the illustrated embodiment, various channel resources are schematically shown, including a data channel diode 318 (i.e., for restricting data flow on a defined channel to a specified direction), a data channel filter 320 (i.e., for filtering channel data, for example, to restrict throughput data to a specific subset of acquired data, or to systematically reconfigure or exchange specified data elements on a given channel data path), a channel comparator 322 (i.e., for invoking channel logic between channels based on a comparison of the data channeled therein, for example, to enable processing throughput only for matching channel data), an inline encryption function 324 (for example, for executing an inline IPSEC or TLS protocol, and / or for implementing an inline VPN or similar communication tunnel), and a sniffer function 325.

[0135] For example, in some embodiments, inline cryptographic functions may be invoked to facilitate specific encrypted exchanges with end clients or applications that do not necessarily require access to the cryptographic engine and its associated higher-level security protocols. For instance, critical private key management processes (e.g., control plane processes such as user / client authentication / authorization, authenticated session initiation and configuration, private key generation and management, and system administration functions) may be strictly entrusted to the cryptographic engine and a defined secure key space, while less critical processes (e.g., communication plane processes such as authenticated data access transactions, updates, and edits) performed with symmetric and / or temporary (e.g., session) keys used to expedite processing and communication may be performed by the inline channel cryptographic resource 324. To do this, the HSM 300 may integrate and combine enhanced control plane cryptographic services and inline cryptographic services, all within the same hardware design and configuration, as described above. This could immediately enable a single hardware design to replace other common network (e.g., banking) architectures, as described herein; in such architectures, control plane functions and processing are traditionally delegated to separate HSMs at the network interfaces, while session-based cryptographic functions are later channeled through downstream network services. The integrated configuration described herein further or alternatively enables the integrated execution of virtual private networks (VPNs), or even nested VPNs, to achieve a layered architecture within a single hardware design, rather than deploying a distributed network architecture in which security protocols run on higher network (e.g., TCP / IP) layers and are thereby more vulnerable to physical or external tampering.

[0136] As described above, the sniffer or similar functionality may be further or alternatively deployed as an integrated and / or customizable channel resource to provide visibility into network channel communications, for example, by offering implicit, unbypassable logging or network / channel eavesdropping capabilities. For example, such a channel resource may be used to monitor channel communications without interfering with them and, upon identifying suspicious or anomalous channel activity, to flag or alert, or otherwise to block communications on that channel until corrective action is taken.

[0137] As described above, a trusted comparator or similar function may be included to merge or compare data streams in each hardware channel to increase their security and / or reliability. Similarly, as further described above, demultiplexing or multiport distribution functions (e.g., trusted extensions) may be implemented to securely distribute the same data stream or transaction across multiple hardware port-specific channels. For example, various applications may require the same data to be distributed in parallel across data channels while simultaneously ensuring the accuracy and reliability of the data source. This ensures that such data is generated from or as a result of secure processing within the hardware interconnect device and / or integrated HSM, thereby enabling secure replication and parallel distribution of such data across multiple embedded hardware data channels, as described herein.

[0138] Other channel resources may include, but are not limited to, multi-port distribution capabilities, gating capabilities, reliable measurement capabilities, and reliable, controllable event counters. Further details and examples can be found, for example, in the applicant's U.S. Patent No. 11310198. Some, all, or even more diverse channel resources may provide various interconnection logic and functions between port-specific processing, thereby being integrated to enhance the complexity and flexibility of internal processing available when providing an integrated solution built into a single HSM chip implementation in some embodiments.
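As an added illustration of the trusted communications matrix 314, the port-specific key spaces 304 and the channel resources of paragraphs [0130] to [0137] (this is example code, not the applicant's design or firmware; the port numbers, wiring table, key names and payloads are constructed), the following Python model enforces port-specific key access and runs the one-to-one, many-to-one and one-to-many configurations of [0131] through a diode, a filter and a comparator:

```python
"""Software model of HSM 300's trusted communications matrix 314, isolated
key spaces 304 and channel resources 316 (Figure 3). Added illustrative
example, not the patent's hardware or firmware: every port number, wiring
entry, key name and payload below is constructed for the demonstration."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# A channel resource takes (source port, payload) and returns the payload to
# forward on that channel, or None to drop it.
Resource = Callable[[int, bytes], Optional[bytes]]


def diode(allowed_src: int) -> Resource:
    """Data channel diode 318: data flows only when it enters from allowed_src."""
    return lambda src, data: data if src == allowed_src else None


def record_filter(tag: bytes) -> Resource:
    """Data channel filter 320: pass only records carrying the expected tag."""
    return lambda src, data: data[len(tag):] if data.startswith(tag) else None


class Comparator:
    """Channel comparator 322 (many-to-one): two source ports feed one output,
    and a payload is released only when both channels delivered the same bytes."""

    def __init__(self, port_a: int, port_b: int) -> None:
        self.ports = (port_a, port_b)
        self.seen: Dict[int, bytes] = {}

    def __call__(self, src: int, data: bytes) -> Optional[bytes]:
        if src not in self.ports:
            return None
        self.seen[src] = data
        if len(self.seen) < 2:
            return None          # wait for the partner channel
        a, b = self.seen[self.ports[0]], self.seen[self.ports[1]]
        self.seen.clear()        # each comparison consumes one pair
        return data if a == b else None


@dataclass
class KeySpace:
    """Isolated key space 304: readable only through the port(s) wired to it."""
    name: str
    keys: Dict[str, bytes] = field(default_factory=dict)


@dataclass
class TrustedMatrix:
    """Static wiring table: source port -> [(destination port, resource chain)].
    In the patent this is relays / logic in the FPGA; here it is a dict."""
    wiring: Dict[int, List[Tuple[int, List[Resource]]]]
    key_space_of: Dict[int, KeySpace]   # port -> key space it is hard-wired to

    def inject(self, src: int, data: bytes) -> Dict[int, bytes]:
        """Present data on port src; return what each wired destination receives."""
        delivered: Dict[int, bytes] = {}
        for dst, chain in self.wiring.get(src, []):
            payload: Optional[bytes] = data
            for resource in chain:
                payload = resource(src, payload)
                if payload is None:
                    break
            if payload is not None:
                delivered[dst] = payload
        return delivered

    def read_key(self, port: int, key_id: str) -> Optional[bytes]:
        """Port specificity: a key is reachable only via its own wired port."""
        space = self.key_space_of.get(port)
        return None if space is None else space.keys.get(key_id)


def build_demo() -> TrustedMatrix:
    """Wire the three configurations of paragraph [0131] on constructed ports."""
    cmp_3_4 = Comparator(3, 4)
    return TrustedMatrix(
        wiring={
            1: [(2, [diode(1), record_filter(b"REC:")])],  # one-to-one, forward only
            2: [(1, [diode(1)])],                          # reverse path blocked by diode
            3: [(5, [cmp_3_4])],                           # many-to-one via comparator
            4: [(5, [cmp_3_4])],
            6: [(7, []), (8, []), (9, [])],                # one-to-many distribution
        },
        key_space_of={1: KeySpace("ks-A", {"k1": b"constructed-secret-A"}),
                      3: KeySpace("ks-B", {"k2": b"constructed-secret-B"})},
    )
```

Injecting on port 2 or reading key k1 from any port other than port 1 yields nothing, which is the hardware-enforced isolation the matrix is meant to provide.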

[0139] In this particular embodiment, the HSM 300 may further include, for example, an optional external sensor monitor 326, which may take the form of various sensors and / or monitors used to detect and report unauthorized intrusion or tampering with the system. For example, sensors may include, but are not limited to, an integrated sound sensor capable of detecting impact on or destruction of the shell; an inclinometer or 3D accelerometer for detecting displacement or physical reorientation of the shell (e.g., a network module); smoke, heat and / or water sensors for detecting environmental issues and / or tampering (e.g., multiple temperature sensors may be used to detect tampering by differential internal temperature measurement); proximity or motion sensors for detecting the presence of an unauthorized person; location or geofencing sensors for detecting unauthorized transport of an HSM (module) beyond a designated security zone; and other sensors as will be apparent to those skilled in the art.

[0140] The HSM 300 may further include a management port 338 interface to enable secure administrative access to the HSM 300 and to allow system maintenance and reconfiguration as needed or desired from time to time. For example, if the HSM 300 is implemented as a reconfigurable chip (e.g., FPGA), certain hardware resources and / or logic may be reallocated or reconfigured to accommodate changes or improvements to the system or security protocol. For example, the trusted communications matrix may be adjusted to reflect new port allocations, to further enhance security protocols by leveraging new or existing channel resources, to introduce new security levels or system integrations, or to improve existing protocols with further enhanced processing and functionality.

[0141] Using various aspects of the above embodiments, complex system architectures may be deployed on a single chip as described above, or even on the same integrated board design, i.e., a module-embedded multiport HSM can be integrated with the processing engine of modules on the same or interconnected circuit boards to deliver complex (e.g., multipurpose, multilevel, multilayer, multiuser, etc.) cryptographic services and systems as a whole, in several embodiments, all within the same tamper-proof shell.

[0142] Referring to Figure 4, in yet another embodiment, the alternative HSM configuration 300' is designed to define a separate cryptographic engine 310' for each of the protected key spaces 304'. By duplicating the cryptographic resources, further hardware isolation (e.g., separate firmware resources and / or firmware running on separate embedded processor cores) becomes achievable, thereby enhancing the tamper resistance of the HSM. Further alternatives should be immediately apparent to those skilled in the art without departing from the overall scope and nature of this disclosure.

[0143] This disclosure describes various embodiments for illustrative purposes, but is not limited to those embodiments. Conversely, the applicant's teachings described and illustrated herein encompass various alternatives, modifications, and equivalents without departing from the embodiments, the overall scope of which is defined in the subsequent claims. Except to the extent necessary or inherent in the process itself, there is no particular order intended or suggested for the methods or steps or stages of the process described herein. In many cases, the order of the processing steps may vary without altering the purpose, effect, or importance of the method described.

[0144] The information illustrated and described herein in detail is sufficient to fully achieve the above-mentioned problems of this disclosure, and therefore, the currently preferred embodiments of this disclosure represent the subject matter extensively considered herein. The scope of this disclosure fully encompasses other embodiments that may be apparent to those skilled in the art and is therefore not limited by any means other than the subsequent claims. Any reference to an element made in the singular means "one or more" and not "one and only" unless otherwise expressly stated. All structural and functional equivalents to the elements of the above-mentioned preferred embodiments and additional embodiments that are apparent to those skilled in the art are expressly incorporated herein by reference and are encompassed by the claims. Furthermore, there is no requirement that any system or method for addressing each and all of the problems that this disclosure aims to solve exist and be encompassed by the claims. Moreover, none of the elements, components or method steps of this disclosure, whether or not they are expressly described in the claims, are intended to be made available to the public. However, as will be apparent to those skilled in the art, various changes and modifications to the form, materials, workpiece and manufacturing material details can also be made without departing from the spirit and scope of this disclosure as described in the subsequent claims, and these are also included in this disclosure.

Claims

1. A modular network security system comprising: a cradle sized to define multiple juxtaposed network module slots, wherein each network module slot has a cradle slot interface to an integrated cradle communication network at its terminal end; and a plurality of network modules, each sized to be mounted side-by-side within a network module slot, wherein each network module is equipped with a corresponding cradle network interface such that, when a given network module is mounted within a given network cradle slot, the corresponding cradle network interface physically engages with the cradle slot interface, thereby interfacing the given network module with the integrated cradle communication network; wherein at least one of the network modules internally comprises a wired cryptographic processor operably interfaced with the corresponding cradle network interface to encrypt communications between at least some of the network modules on the integrated cradle communication network.

2. The modular network security system according to claim 1, wherein at least one of the network modules comprises a network module processing engine that performs dedicated module-specific processing, and the cryptographic processor therein interfaces operably between the network module processing engine and the corresponding cradle network interface so as to cryptographically protect the dedicated module-specific processing from separate network module processing.

3. The modular network security system according to claim 1, wherein at least one of the network modules comprises an external network interface and an external network module processing engine, which are operable to perform external network interface processing that exchanges external network communications with the cryptographic processor for cryptographic processing before engaging with the integrated cradle communication network.

4. The modular network security system according to any one of claims 1 to 3, wherein the integrated cradle communication network comprises a cradle agent capable of operating to monitor the operation of each of the network modules via each of the cradle slot interfaces.

5. The modular network security system according to any one of claims 1 to 4, wherein a new network module is equipped with a new cryptographic processor that interfaces with the integrated cradle communication network, and the new cryptographic processor of the new network module is operable to communicate with the cryptographic processor of another network module interfaced with the integrated cradle communication network and to establish secure communication with it.

6. The modular network security system according to claim 5, wherein the secure communication is established with the new network module in response to at least one of the other network modules cryptographically authenticating the new network module.

7. The modular network security system according to claim 5 or 6, wherein the new network module performs cryptographic self-identification processing together with the other network modules.

8. The modular network security system according to any one of claims 1 to 7, wherein each of the network modules is further powered via the cradle slot interface.

9. The modular network security system according to any one of claims 1 to 8, wherein the cradle is configured to hold a lateral stack of vertical network modules, and the lateral stack is sized to accommodate two or more network rack units.

10. The modular network security system according to claim 9, wherein the lateral stack is sized to accommodate three network rack units.

11. The modular network security system according to any one of claims 1 to 8, wherein the cradle is configured to hold a lateral stack of juxtaposed lateral network modules, and the lateral stack is sized to correspond to one or more network rack units.

12. The modular network security system according to any one of claims 1 to 8, wherein the cradle is configured to hold a horizontal stack of vertical network modules and to further hold one or more horizontal network modules arranged horizontally above or below the horizontal stack.

13. The modular network security system according to any one of claims 1 to 12, wherein the cradle can be mounted in or inside a rack or cabinet of a communication network.

14. The modular network security system according to claim 1, wherein the plurality of network modules consist of separate network module types, each wired to provide separate dedicated functions during operation, and when combined, the plurality of network modules cooperate by communicating via the integrated cradle communication network to perform a common network solution.

15. The modular network security system according to claim 14, wherein at least one of the network modules comprising the cryptographic processor defines a network security module, while at least one of the separate network module types comprises a network module processing engine that performs dedicated module-specific processing, the dedicated module-specific processing defines a network computing module that relies on the implementation of the cryptographic processor by the network security module via the integrated cradle communication network to perform cryptographic processing necessary for the dedicated module-specific processing.

16. The modular network security system according to claim 1, wherein at least one of the network modules is wired to define a time synchronization module comprising a precision timing device integrated therein and a given cryptographic processor capable of securely providing digitally trusted time resources to at least one of the other network modules via the integrated cradle communication network.

17. The modular network security system according to claim 1, wherein at least one of the network modules is wired to define a geolocation module comprising a global positioning system component integrated therein and a given cryptographic processor capable of operating to securely provide digitally trusted geolocation to the modular network security system.

18. The modular network security system according to claim 1, wherein the cryptographic processor is operably coupled to at least one of the network modules via a hardware-integrated PCIe card.

19. The modular network security system according to claim 1, further comprising a management module having a management engine connected internally by a wire and a cradle network interface that operably interfaces with the plurality of network modules via the integrated cradle communication network.

20. The modular network security system according to claim 19, comprising two management modules, each management module defining a control plane and a data plane, and further comprising an external network interface defining a restricted plane for communication between the plurality of network modules via the integrated cradle communication network.

21. A modular network security system comprising: a cradle sized to define multiple side-by-side network module slots; and multiple network modules, each sized to be mounted side-by-side within a network module slot, wherein at least two of the network modules include a network interface, an integrated processing engine, and an integrated cryptographic processor capable of performing cryptographic processing on communications exchanged with the integrated processing engine.

22. The modular network security system according to claim 21, wherein the plurality of network modules are sized to accommodate two or more network rack units when mounted vertically and side by side within the cradle.

23. The modular network security system according to claim 22, wherein the plurality of network modules are sized to correspond to three network rack units when mounted vertically and side by side within the cradle.

24. The modular network security system according to any one of claims 21 to 23, wherein the cradle further comprises an integrated physical cradle network, and each of the network modules is operable to communicate digitally with one another on the integrated physical cradle network.

25. The modular network security system according to claim 24, wherein the network modules communicate with each other in encrypted form via their respective integrated cryptographic processors on the integrated physical cradle network.

26. The modular network security system according to claim 21, wherein at least one of the integrated processing engines performs network-connected host processing.

27. The modular network security system according to any one of claims 1 to 26, wherein the integrated cryptographic processor comprises a hardware security module.

28. A secure network module comprising: a chassis that can be mounted side-by-side in the lateral direction with other compatible network modules operable in the same rack unit and common server rack; a network interface operably positioned on the front of the enclosure and interfacing with an external network wiring connector therein; an integrated processing engine operably mounted within the enclosure and processing external network communications via the network interface; and an integrated cryptographic processor interfaced with the integrated processing engine and operably mounted within the enclosure to perform cryptographic processing on internal communications exchanged with the integrated processing engine.

29. The secure network module according to claim 28, which is sized to accommodate two or more network rack units when mounted vertically in the aforementioned common server rack.

30. The secure network module according to claim 29, which is sized to accommodate three network rack units when mounted vertically in the aforementioned common server rack.

31. The secure network module according to any one of claims 28 to 30, further comprising a rack network interface operably located on the rear of the enclosure to interface with a corresponding secure wired rack network when operably mounted to communicate digitally with the other corresponding network module.

32. The secure network module according to claim 31, wherein the integrated cryptographic processor is operable to communicate in encrypted form with the other network modules on the secure wired rack network.

33. The secure network module according to claim 28, wherein the integrated processing engine performs network-connected host processing.

34. The secure network module according to any one of claims 28 to 33, wherein the integrated cryptographic processor comprises a hardware security module.

35. The secure network module according to claim 31 or 32, further comprising a GPS chip operably wired to the processing engine and operable to provide the trusted location of the module and / or the other network module.

36. The secure network module according to claim 31 or 32, further comprising a secure timing device operably wired to the processing engine and operable to provide reliable time to the module and / or other network modules.

37. The secure network module according to any one of claims 31 to 36, wherein the housing can be mounted vertically.